1#++ 2# NAME 3# header_checks 5 4# SUMMARY 5# Postfix built-in content inspection 6# SYNOPSIS 7# .nf 8# \fBheader_checks = pcre:/etc/postfix/header_checks\fR 9# \fBmime_header_checks = pcre:/etc/postfix/mime_header_checks\fR 10# \fBnested_header_checks = pcre:/etc/postfix/nested_header_checks\fR 11# \fBbody_checks = pcre:/etc/postfix/body_checks\fR 12# .sp 13# \fBmilter_header_checks = pcre:/etc/postfix/milter_header_checks\fR 14# .sp 15# \fBsmtp_header_checks = pcre:/etc/postfix/smtp_header_checks\fR 16# \fBsmtp_mime_header_checks = pcre:/etc/postfix/smtp_mime_header_checks\fR 17# \fBsmtp_nested_header_checks = pcre:/etc/postfix/smtp_nested_header_checks\fR 18# \fBsmtp_body_checks = pcre:/etc/postfix/smtp_body_checks\fR 19# .sp 20# \fBpostmap -q "\fIstring\fB" pcre:/etc/postfix/\fIfilename\fR 21# \fBpostmap -q - pcre:/etc/postfix/\fIfilename\fR <\fIinputfile\fR 22# .fi 23# DESCRIPTION 24# This document describes access control on the content of 25# message headers and message body lines; it is implemented 26# by the Postfix \fBcleanup\fR(8) server before mail is queued. 27# See \fBaccess\fR(5) for access control on remote SMTP client 28# information. 29# 30# Each message header or message body line is compared against 31# a list of patterns. 32# When a match is found the corresponding action is executed, and 33# the matching process is repeated for the next message header or 34# message body line. 35# 36# Note: message headers are examined one logical header at a time, 37# even when a message header spans multiple lines. Body lines are 38# always examined one line at a time. 39# 40# For examples, see the EXAMPLES section at the end of this 41# manual page. 42# 43# Postfix header or body_checks are designed to stop a flood of mail 44# from worms or viruses; they do not decode attachments, and they do 45# not unzip archives. See the documents referenced below in the README 46# FILES section if you need more sophisticated content analysis. 47# FILTERS WHILE RECEIVING MAIL 48# .ad 49# .fi 50# Postfix implements the following four built-in content 51# inspection classes while receiving mail: 52# .IP "\fBheader_checks\fR (default: empty)" 53# These are applied to initial message headers (except for 54# the headers that are processed with \fBmime_header_checks\fR). 55# .IP "\fBmime_header_checks\fR (default: \fB$header_checks\fR)" 56# These are applied to MIME related message headers only. 57# .sp 58# This feature is available in Postfix 2.0 and later. 59# .IP "\fBnested_header_checks\fR (default: \fB$header_checks\fR)" 60# These are applied to message headers of attached email 61# messages (except for the headers that are processed with 62# \fBmime_header_checks\fR). 63# .sp 64# This feature is available in Postfix 2.0 and later. 65# .IP \fBbody_checks\fR 66# These are applied to all other content, including multi-part 67# message boundaries. 68# .sp 69# With Postfix versions before 2.0, all content after the initial 70# message headers is treated as body content. 71# FILTERS AFTER RECEIVING MAIL 72# .ad 73# .fi 74# Postfix supports a subset of the built-in content inspection 75# classes after the message is received: 76# .IP "\fBmilter_header_checks\fR (default: empty)" 77# These are applied to headers that are added with Milter 78# applications. 79# .sp 80# This feature is available in Postfix 2.7 and later. 81# FILTERS WHILE DELIVERING MAIL 82# .ad 83# .fi 84# Postfix supports all four content inspection classes while 85# delivering mail via SMTP. 86# .IP "\fBsmtp_header_checks\fR (default: empty)" 87# .IP "\fBsmtp_mime_header_checks\fR (default: empty)" 88# .IP "\fBsmtp_nested_header_checks\fR (default: empty)" 89# .IP "\fBsmtp_body_checks\fR (default: empty)" 90# These features are available in Postfix 2.5 and later. 91# COMPATIBILITY 92# .ad 93# .fi 94# With Postfix version 2.2 and earlier specify "\fBpostmap 95# -fq\fR" to query a table that contains case sensitive 96# patterns. By default, regexp: and pcre: patterns are case 97# insensitive. 98# TABLE FORMAT 99# .ad 100# .fi 101# This document assumes that header and body_checks rules are specified 102# in the form of Postfix regular expression lookup tables. Usually the 103# best performance is obtained with \fBpcre\fR (Perl Compatible Regular 104# Expression) tables, but the slower \fBregexp\fR (POSIX regular 105# expressions) support is more widely available. 106# Use the command "\fBpostconf -m\fR" to find out what lookup table 107# types your Postfix system supports. 108# 109# The general format of Postfix regular expression tables is 110# given below. 111# For a discussion of specific pattern or flags syntax, 112# see \fBpcre_table\fR(5) or \fBregexp_table\fR(5), respectively. 113# .IP "\fB/\fIpattern\fB/\fIflags action\fR" 114# When /\fIpattern\fR/ matches the input string, execute 115# the corresponding \fIaction\fR. See below for a list 116# of possible actions. 117# .IP "\fB!/\fIpattern\fB/\fIflags action\fR" 118# When /\fIpattern\fR/ does \fBnot\fR match the input string, 119# execute the corresponding \fIaction\fR. 120# .IP "\fBif /\fIpattern\fB/\fIflags\fR" 121# .IP "\fBendif\fR" 122# Match the input string against the patterns between \fBif\fR 123# and \fBendif\fR, if and only if the same input string also 124# matches /\fIpattern\fR/. The \fBif\fR..\fBendif\fR can nest. 125# .sp 126# Note: do not prepend whitespace to patterns inside 127# \fBif\fR..\fBendif\fR. 128# .IP "\fBif !/\fIpattern\fB/\fIflags\fR" 129# .IP "\fBendif\fR" 130# Match the input string against the patterns between \fBif\fR 131# and \fBendif\fR, if and only if the same input string does 132# \fBnot\fR match /\fIpattern\fR/. The \fBif\fR..\fBendif\fR 133# can nest. 134# .IP "blank lines and comments" 135# Empty lines and whitespace-only lines are ignored, as 136# are lines whose first non-whitespace character is a `#'. 137# .IP "multi-line text" 138# A pattern/action line starts with non-whitespace text. A line that 139# starts with whitespace continues a logical line. 140# TABLE SEARCH ORDER 141# .ad 142# .fi 143# For each line of message input, the patterns are applied in the 144# order as specified in the table. When a pattern is found that matches 145# the input line, the corresponding action is executed and then the 146# next input line is inspected. 147# TEXT SUBSTITUTION 148# .ad 149# .fi 150# Substitution of substrings from the matched expression into the 151# \fIaction\fR 152# string is possible using the conventional Perl syntax 153# (\fB$1\fR, \fB$2\fR, etc.). 154# The macros in the result string may need to be written as \fB${n}\fR 155# or \fB$(n)\fR if they aren't followed by whitespace. 156# 157# Note: since negated patterns (those preceded by \fB!\fR) return a 158# result when the expression does not match, substitutions are not 159# available for negated patterns. 160# ACTIONS 161# .ad 162# .fi 163# Action names are case insensitive. They are shown in upper case 164# for consistency with other Postfix documentation. 165# \" .IP "\fBDELAY \fItime\fR" 166# \" Place the message into the deferred queue, and delay the 167# \" initial delivery attempt by \fItime\fR. The time value may 168# \" be followed by a one-character suffix that specifies the 169# \" time unit: s (seconds), m (minutes), h (hours), d (days), 170# \" w (weeks). The default time unit is s (seconds). 171# \" .sp 172# \" Limitations: 173# \" .RS 174# \" .IP \(bu 175# \" This action affects all the recipients of the message. 176# \" .IP \(bu 177# \" The delay value has no effect with remote file systems that 178# \" don't correctly emulate UNIX local file system semantics. 179# \" In that case, the delay will be half of $queue_run_delay 180# \" on average. 181# \" .IP \(bu 182# \" Mail will still be delivered with "sendmail -q", "postfix 183# \" flush" or "postqueue -f". 184# \" .IP \(bu 185# \" Delayed mail increases the amount of disk I/O during deferred 186# \" queue scans. When large amounts of mail are queued for 187# \" delayed delivery it may be preferable to use the HOLD feature 188# \" instead. 189# \" .RE 190# \" .IP 191# \" This feature is available in Postfix 2.3 and later. 192# .IP "\fBDISCARD \fIoptional text...\fR" 193# Claim successful delivery and silently discard the message. 194# Log the optional text if specified, otherwise log a generic 195# message. 196# .sp 197# Note: this action disables further header or body_checks inspection 198# of the current message and affects all recipients. 199# To discard only one recipient without discarding the entire message, 200# use the transport(5) table to direct mail to the discard(8) service. 201# .sp 202# This feature is available in Postfix 2.0 and later. 203# .sp 204# This feature is not supported with smtp header/body checks. 205# .IP \fBDUNNO\fR 206# Pretend that the input line did not match any pattern, and inspect the 207# next input line. This action can be used to shorten the table search. 208# .sp 209# For backwards compatibility reasons, Postfix also accepts 210# \fBOK\fR but it is (and always has been) treated as \fBDUNNO\fR. 211# .sp 212# This feature is available in Postfix 2.1 and later. 213# .IP "\fBFILTER \fItransport:destination\fR" 214# After the message is queued, send the entire message through 215# the specified external content filter. The \fItransport\fR 216# name specifies the first field of a mail delivery agent 217# definition in master.cf; the syntax of the next-hop 218# \fIdestination\fR is described in the manual page of the 219# corresponding delivery agent. More information about 220# external content filters is in the Postfix FILTER_README 221# file. 222# .sp 223# Note 1: do not use $\fInumber\fR regular expression 224# substitutions for \fItransport\fR or \fIdestination\fR 225# unless you know that the information has a trusted origin. 226# .sp 227# Note 2: this action overrides the main.cf \fBcontent_filter\fR 228# setting, and affects all recipients of the message. In the 229# case that multiple \fBFILTER\fR actions fire, only the last 230# one is executed. 231# .sp 232# Note 3: the purpose of the FILTER command is to override 233# message routing. To override the recipient's \fItransport\fR 234# but not the next-hop \fIdestination\fR, specify an empty 235# filter \fIdestination\fR (Postfix 2.7 and later), or specify 236# a \fItransport:destination\fR that delivers through a 237# different Postfix instance (Postfix 2.6 and earlier). Other 238# options are using the recipient-dependent \fBtrans\%port\%_maps\fR 239# or the sen\%der-dependent 240# \fBsender\%_de\%pen\%dent\%_de\%fault\%_trans\%port\%_maps\fR 241# features. 242# .sp 243# This feature is available in Postfix 2.0 and later. 244# .sp 245# This feature is not supported with smtp header/body checks. 246# .IP "\fBHOLD \fIoptional text...\fR" 247# Arrange for the message to be placed on the \fBhold\fR queue, 248# and inspect the next input line. The message remains on \fBhold\fR 249# until someone either deletes it or releases it for delivery. 250# Log the optional text if specified, otherwise log a generic 251# message. 252# 253# Mail that is placed on hold can be examined with the 254# \fBpostcat\fR(1) command, and can be destroyed or released with 255# the \fBpostsuper\fR(1) command. 256# .sp 257# Note: use "\fBpostsuper -r\fR" to release mail that was kept on 258# hold for a significant fraction of \fB$maximal_queue_lifetime\fR 259# or \fB$bounce_queue_lifetime\fR, or longer. Use "\fBpostsuper -H\fR" 260# only for mail that will not expire within a few delivery attempts. 261# .sp 262# Note: this action affects all recipients of the message. 263# .sp 264# This feature is available in Postfix 2.0 and later. 265# .sp 266# This feature is not supported with smtp header/body checks. 267# .IP \fBIGNORE\fR 268# Delete the current line from the input, and inspect 269# the next input line. 270# .IP "\fBINFO \fIoptional text...\fR 271# Log an "info:" record with the \fIoptional text...\fR (or 272# log a generic text), and inspect the next input line. This 273# action is useful for routine logging or for debugging. 274# .sp 275# This feature is available in Postfix 2.8 and later. 276# .IP "\fBPREPEND \fItext...\fR" 277# Prepend one line with the specified text, and inspect the next 278# input line. 279# .sp 280# Notes: 281# .RS 282# .IP \(bu 283# The prepended text is output on a separate line, immediately 284# before the input that triggered the \fBPREPEND\fR action. 285# .IP \(bu 286# The prepended text is not considered part of the input 287# stream: it is not subject to header/body checks or address 288# rewriting, and it does not affect the way that Postfix adds 289# missing message headers. 290# .IP \(bu 291# When prepending text before a message header line, the prepended 292# text must begin with a valid message header label. 293# .IP \(bu 294# This action cannot be used to prepend multi-line text. 295# .RE 296# .IP 297# This feature is available in Postfix 2.1 and later. 298# .sp 299# This feature is not supported with milter_header_checks. 300# .IP "\fBREDIRECT \fIuser@domain\fR" 301# Write a message redirection request to the queue file, and 302# inspect the next input line. After the message is queued, 303# it will be sent to the specified address instead of the 304# intended recipient(s). 305# .sp 306# Note: this action overrides the \fBFILTER\fR action, and affects 307# all recipients of the message. If multiple \fBREDIRECT\fR actions 308# fire, only the last one is executed. 309# .sp 310# This feature is available in Postfix 2.1 and later. 311# .sp 312# This feature is not supported with smtp header/body checks. 313# .IP "\fBREPLACE \fItext...\fR" 314# Replace the current line with the specified text, and inspect the next 315# input line. 316# .sp 317# This feature is available in Postfix 2.2 and later. The 318# description below applies to Postfix 2.2.2 and later. 319# .sp 320# Notes: 321# .RS 322# .IP \(bu 323# When replacing a message header line, the replacement text 324# must begin with a valid header label. 325# .IP \(bu 326# The replaced text remains part of the input stream. Unlike 327# the result from the \fBPREPEND\fR action, a replaced message 328# header may be subject to address rewriting and may affect 329# the way that Postfix adds missing message headers. 330# .RE 331# .IP "\fBREJECT \fIoptional text...\fR 332# Reject the entire message. Reply with \fIoptional text...\fR when 333# the optional text is specified, otherwise reply with a generic error 334# message. 335# .sp 336# Note: this action disables further header or body_checks inspection 337# of the current message and affects all recipients. 338# .sp 339# Postfix version 2.3 and later support enhanced status codes. 340# When no code is specified at the beginning of \fIoptional 341# text...\fR, Postfix inserts a default enhanced status code of 342# "5.7.1". 343# .sp 344# This feature is not supported with smtp header/body checks. 345# .IP "\fBWARN \fIoptional text...\fR 346# Log a "warning:" record with the \fIoptional text...\fR (or 347# log a generic text), and inspect the next input line. This 348# action is useful for debugging and for testing a pattern 349# before applying more drastic actions. 350# BUGS 351# Empty lines never match, because some map types mis-behave 352# when given a zero-length search string. This limitation may 353# be removed for regular expression tables in a future release. 354# 355# Many people overlook the main limitations of header and body_checks 356# rules. 357# .IP \(bu 358# These rules operate on one logical message header or one body 359# line at a time. A decision made for one line is not carried over 360# to the next line. 361# .IP \(bu 362# If text in the message body is encoded 363# (RFC 2045) then the rules need to be specified for the encoded 364# form. 365# .IP \(bu 366# Likewise, when message headers are encoded (RFC 367# 2047) then the rules need to be specified for the encoded 368# form. 369# .PP 370# Message headers added by the \fBcleanup\fR(8) daemon itself 371# are excluded from inspection. Examples of such message headers 372# are \fBFrom:\fR, \fBTo:\fR, \fBMessage-ID:\fR, \fBDate:\fR. 373# 374# Message headers deleted by the \fBcleanup\fR(8) daemon will 375# be examined before they are deleted. Examples are: \fBBcc:\fr, 376# \fBContent-Length:\fR, \fBReturn-Path:\fR. 377# CONFIGURATION PARAMETERS 378# .ad 379# .fi 380# .IP \fBbody_checks\fR 381# Lookup tables with content filter rules for message body lines. 382# These filters see one physical line at a time, in chunks of 383# at most \fB$line_length_limit\fR bytes. 384# .IP \fBbody_checks_size_limit\fP 385# The amount of content per message body segment (attachment) that is 386# subjected to \fB$body_checks\fR filtering. 387# .IP \fBheader_checks\fR 388# .IP "\fBmime_header_checks\fR (default: \fB$header_checks\fR)" 389# .IP "\fBnested_header_checks\fR (default: \fB$header_checks\fR)" 390# Lookup tables with content filter rules for message header lines: 391# respectively, these are applied to the initial message headers 392# (not including MIME headers), to the MIME headers anywhere in 393# the message, and to the initial headers of attached messages. 394# .sp 395# Note: these filters see one logical message header at a time, even 396# when a message header spans multiple lines. Message headers that 397# are longer than \fB$header_size_limit\fR characters are truncated. 398# .IP \fBdisable_mime_input_processing\fR 399# While receiving mail, give no special treatment to MIME related 400# message headers; all text after the initial message headers is 401# considered to be part of the message body. This means that 402# \fBheader_checks\fR is applied to all the initial message headers, 403# and that \fBbody_checks\fR is applied to the remainder of the 404# message. 405# .sp 406# Note: when used in this manner, \fBbody_checks\fR will process 407# a multi-line message header one line at a time. 408# EXAMPLES 409# .ad 410# .fi 411# Header pattern to block attachments with bad file name 412# extensions. For convenience, the PCRE /x flag is specified, 413# so that there is no need to collapse the pattern into a 414# single line of text. The purpose of the [[:xdigit:]] 415# sub-expressions is to recognize Windows CLSID strings. 416# 417# .na 418# .nf 419# /etc/postfix/main.cf: 420# header_checks = pcre:/etc/postfix/header_checks.pcre 421# 422# /etc/postfix/header_checks.pcre: 423# /^Content-(Disposition|Type).*name\es*=\es*"?(.*(\e.|=2E)( 424# ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe| 425# hlp|ht[at]| 426# inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws| 427# \e{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\e}| 428# ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf| 429# vb[esx]?|vxd|ws[cfh]))(\e?=)?"?\es*(;|$)/x 430# REJECT Attachment name "$2" may not end with ".$4" 431# .ad 432# .fi 433# 434# Body pattern to stop a specific HTML browser vulnerability exploit. 435# 436# .na 437# .nf 438# /etc/postfix/main.cf: 439# body_checks = regexp:/etc/postfix/body_checks 440# 441# /etc/postfix/body_checks: 442# /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/ 443# REJECT IFRAME vulnerability exploit 444# SEE ALSO 445# cleanup(8), canonicalize and enqueue Postfix message 446# pcre_table(5), format of PCRE lookup tables 447# regexp_table(5), format of POSIX regular expression tables 448# postconf(1), Postfix configuration utility 449# postmap(1), Postfix lookup table management 450# postsuper(1), Postfix janitor 451# postcat(1), show Postfix queue file contents 452# RFC 2045, base64 and quoted-printable encoding rules 453# RFC 2047, message header encoding for non-ASCII text 454# README FILES 455# .ad 456# .fi 457# Use "\fBpostconf readme_directory\fR" or 458# "\fBpostconf html_directory\fR" to locate this information. 459# .na 460# .nf 461# DATABASE_README, Postfix lookup table overview 462# CONTENT_INSPECTION_README, Postfix content inspection overview 463# BUILTIN_FILTER_README, Postfix built-in content inspection 464# BACKSCATTER_README, blocking returned forged mail 465# LICENSE 466# .ad 467# .fi 468# The Secure Mailer license must be distributed with this software. 469# AUTHOR(S) 470# Wietse Venema 471# IBM T.J. Watson Research 472# P.O. Box 704 473# Yorktown Heights, NY 10598, USA 474#-- 475