Postfix snapshot 20091008 includes an updated version of the
postscreen daemon. This means it is no longer limited to the
non-production releases.
To make postscreen safe to deploy, it has a permanent whitelist
(default: $mynetworks) that avoids running SMTP protocol tests on
broken network appliances. It also has a permanent blacklist for
networks that you never want to talk to.
In the default "observation" mode, postscreen logs bad client
information but does not drop connections, and can be used to
"pre-fetch" DNSBL information in parallel.
In the non-default "enforcement mode", postscreen drops "bad"
clients, and thus off-loads the SMTP daemons. To make it generally
usable I still have to add the dummy SMTP protocol engine that logs
the senders and recipients of rejected connections. Hopefully that
will be in place later in the Postfix 2.7 development cycle.
Wietse
HISTORY file entries:
20090918
Bugfix (introduced Postfix 2.3): with Milter RCPT TO replies
turned off, there was no automatic flush-before-read on
the smtpd-to-milter stream, because the read was done on
the cleanup-to-milter stream. Problem reported by Stephen
Warren. File: milter/milter8.c.
20091005
Bugfix: core dump while printing error message for malformed
%<letter> sequence in LDAP, MySQL or PostgreSQL configuration.
File: global/db_common.c. Fix by Victor Duchovni.
20091006
Feature: "postscreen_whitelist_networks = $mynetworks" (the
default) to avoid problems with buggy SMTP implementations
in network appliances. Note: this feature never uses the
remote SMTP client hostname. Files: global/addr_match_list.[hc],
postscreen/postscreen.c.
Feature: postscreen_blacklist_networks (default: empty) to
permanently blacklist hosts or networks. Address syntax is
as with mynetworks. Note: this feature never uses the remote
SMTP client hostname. File: postscreen/postscreen.c.
Feature: postscreen_blacklist_action (default: continue)
to control what happens with a permanently blacklisted
client.
20091007
Feature: hostname-based check_client_{mx,ns}_access,
check_reverse_client_hostname_{mx,ns}_access (the client
IP address is not used). Rob Foehl. Files: smtpd/smtpd_check.c,
global/mail_params.h, proto/postconf.proto, mantools/postlink.
20091008
Documentation: restructured the postscreen(8) manpage as
a sequence of tests. File: postscreen/postscreen.c.
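Added worked example (not code from Postfix or from this announcement): a small Python model of the permanent whitelist/blacklist step described above and in the 20091006 entries. It parses a mynetworks-style list (literal addresses and network/prefix, IPv6 in square brackets; access-table and file lookups are not handled), matches the remote SMTP client IP address only (never the client hostname, as the entries note), and decides whether postscreen should hand the client straight to smtpd, drop it, or go on to run its tests. Assumptions, not taken from the page: the whitelist is consulted before the blacklist, the only blacklist_action besides the default "continue" is a hypothetical "drop", and all function names, the Decision type and the sample address ranges (RFC 5737/3849 documentation space) are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# --- network list handling (mynetworks-style syntax) -----------------------

def parse_network_list(value):
    """Parse a whitespace- or comma-separated list of IP addresses and
    network/prefix entries into ipaddress network objects.

    Accepts the literal forms mynetworks uses: "10.0.0.1", "10.0.0.0/8",
    "[::1]/128", "[2001:db8::]/32".  Table lookups (hash:, cidr:) and
    file names are NOT supported here (assumption: literal entries only).
    A malformed entry raises ValueError, like a bad main.cf value would
    be reported rather than silently ignored.
    """
    nets = []
    for item in value.replace(",", " ").split():
        if item.startswith("["):
            # IPv6 entry: strip the brackets, keep any /prefix suffix
            close = item.index("]")
            item = item[1:close] + item[close + 1:]
        # strict=False so "192.168.1.5/24" means the enclosing /24
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def address_matches(client_ip, nets):
    """True if the client IP address falls inside any listed network.
    Only the address is used; the client hostname plays no role."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets if net.version == ip.version)


# --- the permanent whitelist / blacklist decision --------------------------

@dataclass(frozen=True)
class Decision:
    action: str   # "PASS", "DROP", "CONTINUE" or "TEST"
    reason: str   # which list matched, for logging


def postscreen_decision(client_ip, whitelist, blacklist,
                        blacklist_action="continue"):
    """Model of postscreen's permanent list checks, run before any
    protocol or DNSBL test.

    - whitelisted client (default list: $mynetworks): PASS, i.e. hand
      off to smtpd without running tests, so buggy network appliances
      are never exercised.  Assumption: whitelist is checked first.
    - blacklisted client: with the default action "continue" the match
      is logged and testing goes on; with the assumed action "drop"
      the connection is dropped outright.
    - anyone else: TEST, i.e. proceed to postscreen's tests.
    """
    if address_matches(client_ip, whitelist):
        return Decision("PASS", "postscreen_whitelist_networks")
    if address_matches(client_ip, blacklist):
        if blacklist_action == "drop":
            return Decision("DROP", "postscreen_blacklist_networks")
        return Decision("CONTINUE", "postscreen_blacklist_networks")
    return Decision("TEST", "no permanent list matched")


# --- constructed sample configuration --------------------------------------

# Typical $mynetworks value, which is the default whitelist.
WHITELIST = parse_network_list("127.0.0.0/8 [::1]/128 192.168.0.0/16")
# Networks "you never want to talk to" (documentation ranges, constructed).
BLACKLIST = parse_network_list("203.0.113.0/24, 198.51.100.7, [2001:db8::]/32")


def decide(client_ip, blacklist_action="continue"):
    """Convenience wrapper using the sample lists above."""
    return postscreen_decision(client_ip, WHITELIST, BLACKLIST, blacklist_action)


if __name__ == "__main__":
    for ip in ("192.168.5.9", "::1", "203.0.113.5", "198.51.100.7",
               "2001:db8:1::42", "192.0.2.10"):
        d = decide(ip)
        print(f"{ip:>16}  {d.action:8}  ({d.reason})")
```

Because the whitelist is matched first, a network that appears in both lists is treated as whitelisted; if you want a blacklist entry to override part of $mynetworks, narrow the whitelist rather than relying on list order.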