
I'm trying to get postscreen to work. I've followed the man page and it's already running correctly for smtp.

But if I want to use it for smtps as well (adding the same line as smtp in master.cf but with smtps), I receive failure messages in syslog like:

postfix/postscreen[8851]: fatal:
btree:/var/lib/postfix/postscreen_cache: unable to get exclusive lock:
Resource temporarily unavailable

Some say that postscreen can only run once; that's ok. But can I use the same postscreen session for both smtp and smtps? If not, how to enable postscreen for smtps as well?

Any help would be appreciated!

The parts of the configs:

main.cf

postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr

postscreen_dnsbl_threshold = 8
postscreen_dnsbl_sites = dnsbl.ahbl.org*3 dnsbl.njabl.org*3 dnsbl.sorbs.net*3 pbl.spamhaus.org*3 cbl.abuseat.org*3 bl.spamcannibal.org*3 nsbl.inps.de*3 spamrbl.imp.ch*3
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce

master.cf (full)

smtpd     pass  -       -       n       -       -       smtpd
smtp      inet  n       -       n       -       1       postscreen
tlsproxy  unix  -       -       n       -       0       tlsproxy
dnsblog   unix  -       -       n       -       0       dnsblog

### the problematic line ###
smtps     inet  n       -       -       -       -       smtpd

pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache

dovecot   unix  -       n       n        -      -       pipe
  flags=DRhu user=virtuser:virtuser argv=/usr/bin/spamc -e /usr/lib/dovecot/deliver -d ${recipient} -f ${sender}
sebix
petermolnar
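An added example (not part of the original post and not Postfix code): a check over master.cf that reports when more than one postscreen process would open the same cache file directly, which is the situation behind the "unable to get exclusive lock" message in the question. The sample master.cf, the function names and the use of the logged path as the default cache map are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: the question's master.cf entries, with smtps switched to postscreen.
SAMPLE_MASTER_CF = """\
smtpd     pass  -       -       n       -       -       smtpd
smtp      inet  n       -       n       -       1       postscreen
smtps     inet  n       -       n       -       1       postscreen
tlsproxy  unix  -       -       n       -       0       tlsproxy
dnsblog   unix  -       -       n       -       0       dnsblog
"""
DEFAULT_CACHE = "btree:/var/lib/postfix/postscreen_cache"  # path from the syslog error


def parse_master_cf(text):
    """Yield (service, type, maxproc, argv); indented lines continue the previous entry."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    for line in logical:
        f = line.split()
        if len(f) >= 8:
            yield f[0], f[1], f[6], f[7:]


def cache_map(argv, default=DEFAULT_CACHE):
    """Effective postscreen_cache_map, honouring '-o name=value' overrides."""
    value = default
    for flag, arg in zip(argv, argv[1:]):
        name, _, val = arg.partition("=")
        if flag == "-o" and name == "postscreen_cache_map":
            value = val
    return value


def lock_conflicts(text, default=DEFAULT_CACHE):
    """Return {cache_map: [openers]} for caches more than one postscreen process opens."""
    openers = defaultdict(list)
    for service, stype, maxproc, argv in parse_master_cf(text):
        if argv[0] != "postscreen":
            continue
        openers[cache_map(argv, default)].append(f"{service}/{stype}")
        if maxproc != "1":  # "-" or 0 allows several processes of this one service
            openers[cache_map(argv, default)].append(f"{service}/{stype} maxproc={maxproc}")
    return {m: who for m, who in openers.items() if len(who) > 1}
```

Calling `lock_conflicts()` on the text of a real master.cf returns an empty dict when at most one postscreen process uses each cache file.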

1 Answer


It doesn't make sense to enable postscreen for SMTPS.

Postscreen has been invented to stop spambots hitting the real SMTP server. But I've never seen spambots using SMTPS. Only real servers use SMTPS which also bypass the postscreen defense line. So your approach is useless.

mailq
  • I see your point and it's hard to argue with. But what if bots get configured to use smtps as well? I don't think it would be so hard to implement for them. – petermolnar Mar 23 '12 at 05:21
  • @petermolnar That's right. I will talk to Wietse when this happens. But so far... – mailq Mar 23 '12 at 20:13
  • @mailq I guess it was mostly a matter of time.. because I'm seeing an increase of these types of connections. I'm probably just going to disable smtps altogether, but if I could use postscreen that would be a nice option too. – drumfire May 03 '15 at 19:02