Postscreen Attributes Explained

Zimbra Postscreen

Zimbra Postscreen is the anti-bot / anti-DoS front end for inbound SMTP that Zimbra ships starting with release 8.7. It addresses mail server overload by keeping spambots away, so that more Postfix SMTP server processes stay available for legitimate clients. A single postscreen(8) process handles many inbound SMTP connections at once and decides which clients are allowed to talk to a Postfix SMTP server process at all.

Zimbra Postscreen is enabled by default on Zimbra 8.7 and above. The only thing you need to do is adjust its attributes from their default values to suit your environment.

Zimbra Postscreen Attributes

In order to configure Zimbra Postscreen you need to know its attributes, which are explained below.

Postscreen Attribute Explanation

zimbraMtaPostscreenAccessList

The Postfix postscreen_access_list setting: the permanent whitelist/blacklist for remote SMTP client IP addresses. postscreen(8) searches this list immediately after a remote SMTP client connects. Specify a comma- or whitespace-separated list of commands (in upper or lower case) or lookup tables. The search stops at the first command that fires for the client IP address.

zimbraMtaPostscreenBareNewlineAction 

The action that postscreen(8) takes when a remote SMTP client sends a bare newline character, that is, a newline not preceded by a carriage return: ignore, enforce, or drop. These three values mean the same thing for every postscreen test on this page. With ignore the failure is only logged and the other tests continue, which is useful for collecting statistics before blocking anything. With enforce the other tests also continue, but attempts to deliver mail are rejected with a 550 reply and the helo/sender/recipient information is logged. With drop the connection is closed immediately with a 521 reply. In every case the test is repeated the next time the client connects.

zimbraMtaPostscreenBareNewlineEnable 

Enable (yes) or disable (no) “bare newline” SMTP protocol tests in the postscreen(8) server. These tests are expensive: a remote SMTP client must disconnect after it passes the test before it can talk to a real Postfix SMTP server.

zimbraMtaPostscreenBareNewlineTTL 

The amount of time allowable for postscreen(8) to use the result of a successful “bare newline” SMTP protocol test. During this time, the client’s IP address is excluded from this test. The default setting is lengthy because a remote SMTP client must disconnect after it passes the test before it can talk to a real Postfix SMTP server.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

zimbraMtaPostscreenBlacklistAction 

The action that postscreen(8) is to take when a remote SMTP client is permanently blacklisted with the postscreen_access_list parameter, as either ignore, enforce, or drop.

zimbraMtaPostscreenCacheCleanupInterval 

The amount of time allowable between postscreen(8) cache cleanup runs. Cache cleanup increases the load on the cache database and should therefore not be run frequently. This feature requires that the cache database supports the “delete” and “sequence” operators. Specify a zero interval to disable cache cleanup. After each cache cleanup run, the postscreen(8) daemon logs the number of entries that were retained and dropped. A cleanup run is logged as “partial” when the daemon terminates early after postfix reload, postfix stop, or no requests for $max_idle seconds. Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

zimbraMtaPostscreenCacheRetentionTime 

The amount of time that postscreen(8) is allowed to cache an expired temporary whitelist entry before it is removed. This prevents clients from being logged as “NEW” just because their cache entry expired an hour ago. It also prevents the cache from filling up with clients that passed some deep protocol test once and never came back. Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

zimbraMtaPostscreenCommandCountLimit 

Value to set the limit on the total number of commands per SMTP session for postscreen(8)’s built-in SMTP protocol engine. This SMTP engine defers or rejects all attempts to deliver mail, therefore there is no need to enforce separate limits on the number of junk commands and error commands.

zimbraMtaPostscreenDnsblAction 

The action that postscreen(8) is to take when a remote SMTP client’s combined DNSBL score is equal to or greater than a threshold (as defined with the postscreen_dnsbl_sites and postscreen_dnsbl_threshold parameters), as either ignore, enforce, or drop.

zimbraMtaPostscreenDnsblSites

An optional list of DNS white/blacklist domains, filters, and weight factors. When the list is non-empty, the dnsblog(8) daemon will query these domains with the IP addresses of remote SMTP clients, and postscreen(8) will update an SMTP client’s DNSBL score with each non-error reply. When a client’s score is equal to or greater than the threshold specified with postscreen_dnsbl_threshold, postscreen(8) can drop the connection with the remote SMTP client. Specify a list of domain=filter*weight entries, separated by comma or whitespace.

When no =filter is specified, postscreen(8) will use any non-error DNSBL reply. Otherwise, postscreen(8) uses only DNSBL replies that match the filter. The filter has the form d.d.d.d, where each d is a number, or a pattern inside [] that contains one or more “;”-separated numbers or number..number ranges.

When no *weight is specified, postscreen(8) increments the remote SMTP client’s DNSBL score by 1. Otherwise, the weight must be an integral number, and postscreen(8) adds the specified weight to the remote SMTP client’s DNSBL score. Specify a negative number for whitelisting.

When one postscreen_dnsbl_sites entry produces multiple DNSBL responses, postscreen(8) applies the weight at most once.

Examples:

To use example.com as a high-confidence blocklist, and to block mail with example.net and example.org only when both agree:

postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites = example.com*2, example.net, example.org

To filter only DNSBL replies containing 127.0.0.4:

postscreen_dnsbl_sites = example.com=127.0.0.4

zimbraMtaPostscreenDnsblThreshold

Value to define the inclusive lower bound for blocking a remote SMTP client, based on its combined DNSBL score as defined with the postscreen_dnsbl_sites parameter.

zimbraMtaPostscreenDnsblTTL

The amount of time allowable for postscreen(8) to use the result from a successful DNS-based reputation test before a client IP address is required to pass that test again. Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

zimbraMtaPostscreenDnsblWhitelistThreshold

Allow a remote SMTP client to skip “before” and “after 220 greeting” protocol tests, based on its combined DNSBL score as defined with the postscreen_dnsbl_sites parameter. Specify a negative value to enable this feature. When a client passes the postscreen_dnsbl_whitelist_threshold without having failed other tests, all pending or disabled tests are flagged as completed with a time-to-live value equal to postscreen_dnsbl_ttl. When a test was already completed, its time-to-live value is updated if it was less than postscreen_dnsbl_ttl.
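The scoring rules spread over zimbraMtaPostscreenDnsblSites, zimbraMtaPostscreenDnsblThreshold and zimbraMtaPostscreenDnsblWhitelistThreshold are easier to reason about when run against concrete replies. The Python model below is an added example, not Zimbra or Postfix code. The DNSBL domains, weights, client addresses and DNS replies are constructed for illustration, and the rule that a client is whitelisted when its score is at or below the negative whitelist threshold is an assumed reading of the parameter description.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example (not Zimbra or Postfix code): a model of how postscreen(8)
# turns DNSBL replies into a score and a decision.  Every domain, weight,
# client address and DNS reply below is constructed; nothing touches the network.

Site = Tuple[str, Optional[str], int]   # (domain, reply filter or None, weight)


def parse_dnsbl_sites(value: str) -> List[Site]:
    """Parse a postscreen_dnsbl_sites list of domain=filter*weight entries."""
    sites: List[Site] = []
    for entry in re.split(r"[,\s]+", value.strip()):
        if not entry:
            continue
        weight = 1                                  # no *weight: count 1
        if "*" in entry:
            entry, weight_text = entry.rsplit("*", 1)
            weight = int(weight_text)               # integral; negative whitelists
        filt: Optional[str] = None                  # no =filter: any non-error reply
        if "=" in entry:
            entry, filt = entry.split("=", 1)
        sites.append((entry, filt, weight))
    return sites


def _octet_matches(pattern: str, value: int) -> bool:
    """One 'd' of d.d.d.d: a number, or [n;n..m;...] with ';'-separated choices."""
    if pattern.startswith("[") and pattern.endswith("]"):
        for alt in pattern[1:-1].split(";"):
            if ".." in alt:
                lo, hi = alt.split("..", 1)
                if int(lo) <= value <= int(hi):
                    return True
            elif int(alt) == value:
                return True
        return False
    return int(pattern) == value


def reply_matches(filt: Optional[str], reply: str) -> bool:
    """A reply counts when there is no filter or all four octets match it."""
    if filt is None:
        return True
    # Split on dots outside brackets, so 127.0.0.[2..7] keeps its range intact.
    patterns = re.findall(r"\[[^\]]*\]|[^.]+", filt)
    octets = [int(o) for o in reply.split(".")]
    return len(patterns) == 4 and len(octets) == 4 and all(
        _octet_matches(p, o) for p, o in zip(patterns, octets))


def dnsbl_score(sites: List[Site], replies: Dict[str, List[str]]) -> int:
    """Sum the weights of sites with a matching reply; each site counts at most once."""
    score = 0
    for domain, filt, weight in sites:
        if any(reply_matches(filt, r) for r in replies.get(domain, [])):
            score += weight
    return score


def decide(score: int, threshold: int, whitelist_threshold: int = 0) -> str:
    """'block' at or above the threshold (postscreen_dnsbl_action applies); 'whitelist'
    when a negative whitelist threshold is set and score <= it (assumed reading); else 'continue'."""
    if score >= threshold:
        return "block"
    if whitelist_threshold < 0 and score <= whitelist_threshold:
        return "whitelist"
    return "continue"


# Constructed policy: example.com alone is enough, example.net and example.org
# must agree, example.info is a whitelist counted only for return codes
# 127.0.0.2 and 127.0.0.4 through 127.0.0.7.
SITES = parse_dnsbl_sites(
    "example.com*2, example.net, example.org, example.info=127.0.0.[2;4..7]*-3")
THRESHOLD, WHITELIST_THRESHOLD = 2, -2

# Constructed replies: client IP -> DNSBL domain -> A records returned.
CLIENT_REPLIES = {
    "203.0.113.10": {"example.com": ["127.0.0.2"]},                          # 2: block
    "203.0.113.11": {"example.net": ["127.0.0.2"], "example.org": ["127.0.0.3"]},  # 1+1: block
    "203.0.113.13": {"example.com": ["127.0.0.2", "127.0.0.4"]},             # 2, counted once
    "203.0.113.14": {"example.info": ["127.0.0.5"]},                         # -3: whitelist
    "203.0.113.15": {"example.info": ["127.0.0.3"]},                         # filter miss: 0
    "203.0.113.16": {"example.com": ["127.0.0.2"], "example.info": ["127.0.0.6"]},  # 2-3: -1
}


def evaluate_all() -> Dict[str, Tuple[int, str]]:
    """Score and decision for every constructed client."""
    scores = {ip: dnsbl_score(SITES, r) for ip, r in CLIENT_REPLIES.items()}
    return {ip: (s, decide(s, THRESHOLD, WHITELIST_THRESHOLD)) for ip, s in scores.items()}


if __name__ == "__main__":
    for ip, (score, verdict) in evaluate_all().items():
        print(f"{ip:14} score={score:3}  -> {verdict}")
```

Two things the model makes visible that the prose only states: a single DNSBL returning several A records (203.0.113.13) still adds its weight once, so a high-confidence list cannot push a client over the threshold twice, and a whitelist entry with a negative weight (203.0.113.16) can pull a listed client back below the blocking threshold without being enough to skip the protocol tests.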

zimbraMtaPostscreenGreetAction

The action that postscreen(8) is to take when a remote SMTP client speaks before its turn within the time specified with the postscreen_greet_wait parameter, as either ignore, enforce, or drop.

zimbraMtaPostscreenGreetTTL

The amount of time allowed for postscreen(8) to use the result from a successful PREGREET test. During this time, the client’s IP address is excluded from this test. The default is relatively short because a good client can immediately talk to a real Postfix SMTP server. Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

zimbraMtaPostscreenNonSmtpCommandAction

The action that postscreen(8) takes when a remote SMTP client sends non-SMTP commands as specified with the postscreen_forbidden_commands parameter, as either ignore, enforce, or drop.

zimbraMtaPostscreenNonSmtpCommandEnable

Enable (yes) or disable (no) “non-SMTP command” tests in the postscreen(8) server. These tests are expensive: a client must disconnect after it passes the test before it can talk to a real Postfix SMTP server.

zimbraMtaPostscreenNonSmtpCommandTTL

The amount of time allowable for postscreen(8) to use the result from a successful “non_smtp_command” SMTP protocol test. During this time, the client’s IP address is excluded from this test. The default is long because a client must disconnect after it passes the test before it can talk to a real Postfix SMTP server. Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

zimbraMtaPostscreenPipeliningAction

The action that postscreen(8) is to take when a remote SMTP client sends multiple commands instead of sending one command and waiting for the server to respond, as either ignore, enforce, or drop.

zimbraMtaPostscreenPipeliningEnable

Enable (yes) or disable (no) “pipelining” SMTP protocol tests in the postscreen(8) server. These tests are expensive: a good client must disconnect after it passes the test before it can talk to a real Postfix SMTP server.

zimbraMtaPostscreenPipeliningTTL

Time allowable for postscreen(8) to use the result from a successful “pipelining” SMTP protocol test. During this time, the client’s IP address is excluded from this test. The default is lengthy because a good client must disconnect after it passes the test before it can talk to a real Postfix SMTP server.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

zimbraMtaPostscreenWatchdogTimeout

Time allowable for a postscreen(8) process to respond to a remote SMTP client command, or to perform a cache operation before it is terminated by a built-in watchdog timer. This is a safety mechanism that prevents postscreen(8) from becoming non-responsive due to a bug in Postfix itself or in system software. To avoid false alarms and unnecessary cache corruption this limit cannot be set under 10s. Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

zimbraMtaPostscreenWhitelistInterfaces

A list of local postscreen(8) server IP addresses where a non-whitelisted remote SMTP client can obtain postscreen(8)’s temporary whitelist status. This status is required before the client can talk to a Postfix SMTP server process. By default, a client can obtain postscreen(8)’s whitelist status on any local postscreen(8) server IP address. When postscreen(8) listens on both primary and backup MX addresses, the postscreen_whitelist_interfaces parameter can be configured to give the temporary whitelist status only when a client connects to a primary MX address. Once a client is whitelisted it can talk to a Postfix SMTP server on any address. Thus, clients that connect only to backup MX addresses will never become whitelisted, and will never be allowed to talk to a Postfix SMTP server process.

Specify a list of network addresses or network/netmask patterns, separated by commas and/or whitespace. The netmask specifies the number of bits in the network part of a host address. Continue long lines by starting the next line with whitespace. You can also specify /file/name or type:table patterns. A /file/name pattern is replaced by its contents; a type:table lookup table is matched when a table entry matches a lookup string (the lookup result is ignored). The list is matched left to right, and the search stops on the first match. Specify !pattern to exclude an address or network block from the list. IPv6 address information must be specified inside [] in the postscreen_whitelist_interfaces value, and in files specified with /file/name. IP version 6 addresses contain the “:” character, and would otherwise be confused with a type:table pattern.

zimbraMtaPostscreenDnsblMinTTL

The minimum amount of time that postscreen(8) will use the result from a successful DNS-based reputation test before a client IP address is required to pass that test again. If the DNS reply specifies a larger TTL value, that value will be used unless it would be larger than postscreen_dnsbl_max_ttl.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

zimbraMtaPostscreenDnsblMaxTTL

The maximum amount of time allowable for postscreen(8) to use the result from a successful DNS-based reputation test before a client IP address is required to pass that test again. If the DNS reply specifies a shorter TTL value, that value will be used unless it would be smaller than postscreen_dnsbl_min_ttl. Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
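Several of the attributes above carry constraints that are easy to get wrong by hand: time values must be non-zero (except the cache cleanup interval, where zero disables cleanup), the watchdog cannot go under 10s, the DNSBL minimum TTL should not exceed the maximum, actions must be ignore/enforce/drop, the blocking threshold is a positive integer and the whitelist threshold must be negative to do anything. The Python script below is an added example, not part of Zimbra: it checks a set of zimbraMtaPostscreen* values against those rules and then renders the zmprov commands that would apply them to one server. The host name mta1.example.com, the sample values and the decision to require an explicit time unit suffix are assumptions made for the example.

```python
import re
import shlex
from typing import Dict, List

# Added example (not Zimbra code): validate zimbraMtaPostscreen* values against
# the constraints described on this page, then render the zmprov commands that
# would apply them.  Host name and sample values are assumptions.

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_ACTIONS = {"ignore", "enforce", "drop"}
_TIME_ATTRS = ("zimbraMtaPostscreenCacheCleanupInterval",
               "zimbraMtaPostscreenCacheRetentionTime",
               "zimbraMtaPostscreenWatchdogTimeout")


def parse_time(value: str) -> int:
    """Postfix time value -> seconds.  Postfix infers a per-parameter default unit
    when the suffix is missing; this checker insists on an explicit s/m/h/d/w."""
    m = re.fullmatch(r"(\d+)([smhdw])", value.strip())
    if not m:
        raise ValueError(f"{value!r} is not an integer with a s/m/h/d/w suffix")
    return int(m.group(1)) * _UNITS[m.group(2)]


def check_settings(settings: Dict[str, str]) -> List[str]:
    """Return the list of problems found; an empty list means the set is acceptable."""
    problems: List[str] = []
    seconds: Dict[str, int] = {}
    for attr, value in settings.items():
        if attr.endswith("TTL") or attr in _TIME_ATTRS:
            try:
                seconds[attr] = parse_time(value)
            except ValueError as exc:
                problems.append(f"{attr}: {exc}")
                continue
            # Only the cache cleanup interval may be zero (zero disables cleanup).
            if seconds[attr] == 0 and attr != "zimbraMtaPostscreenCacheCleanupInterval":
                problems.append(f"{attr}: must be a non-zero time value")
        elif attr.endswith("Action") and value not in _ACTIONS:
            problems.append(f"{attr}: {value!r} is not one of ignore, enforce, drop")
        elif attr.endswith("Enable") and value not in ("yes", "no"):
            problems.append(f"{attr}: {value!r} is not yes or no")
    watchdog = seconds.get("zimbraMtaPostscreenWatchdogTimeout")
    if watchdog is not None and watchdog < 10:
        problems.append("zimbraMtaPostscreenWatchdogTimeout: cannot be set under 10s")
    lo = seconds.get("zimbraMtaPostscreenDnsblMinTTL")
    hi = seconds.get("zimbraMtaPostscreenDnsblMaxTTL")
    if lo is not None and hi is not None and lo > hi:
        problems.append("zimbraMtaPostscreenDnsblMinTTL exceeds zimbraMtaPostscreenDnsblMaxTTL")
    thr = settings.get("zimbraMtaPostscreenDnsblThreshold")
    if thr is not None and (not thr.lstrip("-").isdigit() or int(thr) < 1):
        problems.append("zimbraMtaPostscreenDnsblThreshold: must be a positive integer")
    wthr = settings.get("zimbraMtaPostscreenDnsblWhitelistThreshold")
    if wthr is not None and (not wthr.lstrip("-").isdigit() or int(wthr) > 0):
        problems.append("zimbraMtaPostscreenDnsblWhitelistThreshold: negative enables, "
                        "0 disables, a positive value is invalid")
    return problems


def render_zmprov(settings: Dict[str, str], host: str) -> List[str]:
    """One 'zmprov ms <server> <attr> <value>' line per attribute, shell-quoted."""
    return [f"zmprov ms {shlex.quote(host)} {attr} {shlex.quote(value)}"
            for attr, value in sorted(settings.items())]


# Constructed "before" values: a 5s watchdog (below the 10s floor), a zero DNSBL
# TTL, a minimum TTL above the maximum, and an action that does not exist.
WEAK = {
    "zimbraMtaPostscreenWatchdogTimeout": "5s",
    "zimbraMtaPostscreenDnsblTTL": "0s",
    "zimbraMtaPostscreenDnsblMinTTL": "2h",
    "zimbraMtaPostscreenDnsblMaxTTL": "1h",
    "zimbraMtaPostscreenGreetAction": "block",
}

# Corrected values (assumed, tune to your environment): the watchdog at its floor,
# consistent DNSBL TTLs, threshold 2 with whitelist threshold -2, pregreet enforced.
SAFE = {
    "zimbraMtaPostscreenWatchdogTimeout": "10s",
    "zimbraMtaPostscreenDnsblTTL": "1h",
    "zimbraMtaPostscreenDnsblMinTTL": "1m",
    "zimbraMtaPostscreenDnsblMaxTTL": "1h",
    "zimbraMtaPostscreenDnsblThreshold": "2",
    "zimbraMtaPostscreenDnsblWhitelistThreshold": "-2",
    "zimbraMtaPostscreenDnsblSites": "example.com*2 example.net example.org",
    "zimbraMtaPostscreenGreetAction": "enforce",
    "zimbraMtaPostscreenGreetTTL": "1d",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("safe", SAFE)):
        print(name, check_settings(cfg) or "ok")
    print("\n".join(render_zmprov(SAFE, "mta1.example.com")))
```

Apply the rendered commands on the MTA as the zimbra user; zmconfigd regenerates the Postfix configuration from the LDAP attributes, and running postconf with the corresponding postscreen_ parameter name (for example postconf postscreen_dnsbl_sites) shows the value Postfix actually loaded. On Zimbra zimbraMtaPostscreenDnsblSites is a multi-valued attribute; the example writes it as one string for simplicity, whereas on a live server you would append further DNSBL entries with +zimbraMtaPostscreenDnsblSites rather than packing several into one value.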

For more information see the Postfix Postscreen page.
