1<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" 2 "http://www.w3.org/TR/html4/loose.dtd"> 3<html> <head> 4<meta http-equiv="Content-Type" content="text/html; charset=utf-8"> 5<link rel='stylesheet' type='text/css' href='postfix-doc.css'> 6<title> Postfix manual - access(5) </title> 7</head> <body> <pre> 8ACCESS(5) ACCESS(5) 9 10<b>NAME</b> 11 access - Postfix SMTP server access table 12 13<b>SYNOPSIS</b> 14 <b>postmap /etc/postfix/access</b> 15 16 <b>postmap -q "</b><i>string</i><b>" /etc/postfix/access</b> 17 18 <b>postmap -q - /etc/postfix/access</b> <<i>inputfile</i> 19 20<b>DESCRIPTION</b> 21 This document describes access control on remote SMTP client informa- 22 tion: host names, network addresses, and envelope sender or recipient 23 addresses; it is implemented by the Postfix SMTP server. See 24 <a href="header_checks.5.html"><b>header_checks</b>(5)</a> or <a href="header_checks.5.html"><b>body_checks</b>(5)</a> for access control on the content of 25 email messages. 26 27 Normally, the <a href="access.5.html"><b>access</b>(5)</a> table is specified as a text file that serves 28 as input to the <a href="postmap.1.html"><b>postmap</b>(1)</a> command. The result, an indexed file in <b>dbm</b> 29 or <b>db</b> format, is used for fast searching by the mail system. Execute 30 the command "<b>postmap /etc/postfix/access</b>" to rebuild an indexed file 31 after changing the corresponding text file. 32 33 When the table is provided via other means such as NIS, LDAP or SQL, 34 the same lookups are done as for ordinary indexed files. 35 36 Alternatively, the table can be provided as a regular-expression map 37 where patterns are given as regular expressions, or lookups can be 38 directed to a TCP-based server. In those cases, the lookups are done in 39 a slightly different way as described below under "REGULAR EXPRESSION 40 TABLES" or "TCP-BASED TABLES". 41 42<b>CASE FOLDING</b> 43 The search string is folded to lowercase before database lookup. As of 44 Postfix 2.3, the search string is not case folded with database types 45 such as <a href="regexp_table.5.html">regexp</a>: or <a href="pcre_table.5.html">pcre</a>: whose lookup fields can match both upper and 46 lower case. 47 48<b>TABLE FORMAT</b> 49 The input format for the <a href="postmap.1.html"><b>postmap</b>(1)</a> command is as follows: 50 51 <i>pattern action</i> 52 When <i>pattern</i> matches a mail address, domain or host address, 53 perform the corresponding <i>action</i>. 54 55 blank lines and comments 56 Empty lines and whitespace-only lines are ignored, as are lines 57 whose first non-whitespace character is a `#'. 58 59 multi-line text 60 A logical line starts with non-whitespace text. A line that 61 starts with whitespace continues a logical line. 62 63<b>EMAIL ADDRESS PATTERNS</b> 64 With lookups from indexed files such as DB or DBM, or from networked 65 tables such as NIS, LDAP or SQL, patterns are tried in the order as 66 listed below: 67 68 <i>user</i>@<i>domain</i> 69 Matches the specified mail address. 70 71 <i>domain.tld</i> 72 Matches <i>domain.tld</i> as the domain part of an email address. 73 74 The pattern <i>domain.tld</i> also matches subdomains, but only when 75 the string <b>smtpd_access_maps</b> is listed in the Postfix <b><a href="postconf.5.html#parent_domain_matches_subdomains">par</a>-</b> 76 <b><a href="postconf.5.html#parent_domain_matches_subdomains">ent_domain_matches_subdomains</a></b> configuration setting. 77 78 <i>.domain.tld</i> 79 Matches subdomains of <i>domain.tld</i>, but only when the string 80 <b>smtpd_access_maps</b> is not listed in the Postfix <b><a href="postconf.5.html#parent_domain_matches_subdomains">par</a>-</b> 81 <b><a href="postconf.5.html#parent_domain_matches_subdomains">ent_domain_matches_subdomains</a></b> configuration setting. 82 83 <i>user</i>@ Matches all mail addresses with the specified user part. 84 85 Note: lookup of the null sender address is not possible with some types 86 of lookup table. By default, Postfix uses <> as the lookup key for such 87 addresses. The value is specified with the <b><a href="postconf.5.html#smtpd_null_access_lookup_key">smtpd_null_access_lookup_key</a></b> 88 parameter in the Postfix <a href="postconf.5.html"><b>main.cf</b></a> file. 89 90<b>EMAIL ADDRESS EXTENSION</b> 91 When a mail address localpart contains the optional recipient delimiter 92 (e.g., <i>user+foo</i>@<i>domain</i>), the lookup order becomes: <i>user+foo</i>@<i>domain</i>, 93 <i>user</i>@<i>domain</i>, <i>domain</i>, <i>user+foo</i>@, and <i>user</i>@. 94 95<b>HOST NAME/ADDRESS PATTERNS</b> 96 With lookups from indexed files such as DB or DBM, or from networked 97 tables such as NIS, LDAP or SQL, the following lookup patterns are 98 examined in the order as listed: 99 100 <i>domain.tld</i> 101 Matches <i>domain.tld</i>. 102 103 The pattern <i>domain.tld</i> also matches subdomains, but only when 104 the string <b>smtpd_access_maps</b> is listed in the Postfix <b><a href="postconf.5.html#parent_domain_matches_subdomains">par</a>-</b> 105 <b><a href="postconf.5.html#parent_domain_matches_subdomains">ent_domain_matches_subdomains</a></b> configuration setting. 106 107 <i>.domain.tld</i> 108 Matches subdomains of <i>domain.tld</i>, but only when the string 109 <b>smtpd_access_maps</b> is not listed in the Postfix <b><a href="postconf.5.html#parent_domain_matches_subdomains">par</a>-</b> 110 <b><a href="postconf.5.html#parent_domain_matches_subdomains">ent_domain_matches_subdomains</a></b> configuration setting. 111 112 <i>net.work.addr.ess</i> 113 114 <i>net.work.addr</i> 115 116 <i>net.work</i> 117 118 <i>net</i> Matches a remote IPv4 host address or network address range. 119 Specify one to four decimal octets separated by ".". Do not 120 specify "[]" , "/", leading zeros, or hexadecimal forms. 121 122 Network ranges are matched by repeatedly truncating the last 123 ".octet" from a remote IPv4 host address string, until a match 124 is found in the access table, or until further truncation is not 125 possible. 126 127 NOTE: use the <b>cidr</b> lookup table type to specify network/netmask 128 patterns. See <a href="cidr_table.5.html"><b>cidr_table</b>(5)</a> for details. 129 130 <i>net:work:addr:ess</i> 131 132 <i>net:work:addr</i> 133 134 <i>net:work</i> 135 136 <i>net</i> Matches a remote IPv6 host address or network address range. 137 Specify three to eight hexadecimal octet pairs separated by ":", 138 using the compressed form "::" for a sequence of zero-valued 139 octet pairs. Do not specify "[]", "/", leading zeros, or 140 non-compressed forms. 141 142 A network range is matched by repeatedly truncating the last 143 ":octetpair" from the compressed-form remote IPv6 host address 144 string, until a match is found in the access table, or until 145 further truncation is not possible. 146 147 NOTE: use the <b>cidr</b> lookup table type to specify network/netmask 148 patterns. See <a href="cidr_table.5.html"><b>cidr_table</b>(5)</a> for details. 149 150 IPv6 support is available in Postfix 2.2 and later. 151 152<b>ACCEPT ACTIONS</b> 153 <b>OK</b> Accept the address etc. that matches the pattern. 154 155 <i>all-numerical</i> 156 An all-numerical result is treated as OK. This format is gener- 157 ated by address-based relay authorization schemes such as 158 pop-before-smtp. 159 160 For other accept actions, see "OTHER ACTIONS" below. 161 162<b>REJECT ACTIONS</b> 163 Postfix version 2.3 and later support enhanced status codes as defined 164 in <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a>. When no code is specified at the beginning of the <i>text</i> 165 below, Postfix inserts a default enhanced status code of "5.7.1" in the 166 case of reject actions, and "4.7.1" in the case of defer actions. See 167 "ENHANCED STATUS CODES" below. 168 169 <b>4</b><i>NN text</i> 170 171 <b>5</b><i>NN text</i> 172 Reject the address etc. that matches the pattern, and respond 173 with the numerical three-digit code and text. <b>4</b><i>NN</i> means "try 174 again later", while <b>5</b><i>NN</i> means "do not try again". 175 176 The following responses have special meaning for the Postfix 177 SMTP server: 178 179 <b>421</b> <i>text</i> (Postfix 2.3 and later) 180 181 <b>521</b> <i>text</i> (Postfix 2.6 and later) 182 After responding with the numerical three-digit code and 183 text, disconnect immediately from the SMTP client. This 184 frees up SMTP server resources so that they can be made 185 available to another SMTP client. 186 187 Note: The "521" response should be used only with botnets 188 and other malware where interoperability is of no con- 189 cern. The "send 521 and disconnect" behavior is NOT 190 defined in the SMTP standard. 191 192 <b>REJECT</b> <i>optional text...</i> 193 Reject the address etc. that matches the pattern. Reply with 194 "<b>$<a href="postconf.5.html#access_map_reject_code">access_map_reject_code</a></b> <i>optional text...</i>" when the optional 195 text is specified, otherwise reply with a generic error response 196 message. 197 198 <b>DEFER</b> <i>optional text...</i> 199 Reject the address etc. that matches the pattern. Reply with 200 "<b>$<a href="postconf.5.html#access_map_defer_code">access_map_defer_code</a></b> <i>optional text...</i>" when the optional text 201 is specified, otherwise reply with a generic error response mes- 202 sage. 203 204 This feature is available in Postfix 2.6 and later. 205 206 <b>DEFER_IF_REJECT</b> <i>optional text...</i> 207 Defer the request if some later restriction would result in a 208 REJECT action. Reply with "<b>$<a href="postconf.5.html#access_map_defer_code">access_map_defer_code</a> 4.7.1</b> <i>optional</i> 209 <i>text...</i>" when the optional text is specified, otherwise reply 210 with a generic error response message. 211 212 Prior to Postfix 2.6, the SMTP reply code is 450. 213 214 This feature is available in Postfix 2.1 and later. 215 216 <b>DEFER_IF_PERMIT</b> <i>optional text...</i> 217 Defer the request if some later restriction would result in an 218 explicit or implicit PERMIT action. Reply with 219 "<b>$<a href="postconf.5.html#access_map_defer_code">access_map_defer_code</a> 4.7.1</b> <i>optional text...</i>" when the 220 optional text is specified, otherwise reply with a generic error 221 response message. 222 223 Prior to Postfix 2.6, the SMTP reply code is 450. 224 225 This feature is available in Postfix 2.1 and later. 226 227 For other reject actions, see "OTHER ACTIONS" below. 228 229<b>OTHER ACTIONS</b> 230 <i>restriction...</i> 231 Apply the named UCE restriction(s) (<b>permit</b>, <b>reject</b>, 232 <b><a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a></b>, and so on). 233 234 <b>BCC</b> <i>user@domain</i> 235 Send one copy of the message to the specified recipient. 236 237 If multiple BCC actions are specified within the same SMTP MAIL 238 transaction, with Postfix 3.0 only the last action will be used. 239 240 This feature is available in Postfix 3.0 and later. 241 242 <b>DISCARD</b> <i>optional text...</i> 243 Claim successful delivery and silently discard the message. Log 244 the optional text if specified, otherwise log a generic message. 245 246 Note: this action currently affects all recipients of the mes- 247 sage. To discard only one recipient without discarding the 248 entire message, use the <a href="transport.5.html">transport(5)</a> table to direct mail to the 249 <a href="discard.8.html">discard(8)</a> service. 250 251 This feature is available in Postfix 2.0 and later. 252 253 <b>DUNNO</b> Pretend that the lookup key was not found. This prevents Postfix 254 from trying substrings of the lookup key (such as a subdomain 255 name, or a network address subnetwork). 256 257 This feature is available in Postfix 2.0 and later. 258 259 <b>FILTER</b> <i>transport:destination</i> 260 After the message is queued, send the entire message through the 261 specified external content filter. The <i>transport</i> name specifies 262 the first field of a mail delivery agent definition in <a href="master.5.html">mas- 263 ter.cf</a>; the syntax of the next-hop <i>destination</i> is described in 264 the manual page of the corresponding delivery agent. More 265 information about external content filters is in the Postfix 266 <a href="FILTER_README.html">FILTER_README</a> file. 267 268 Note 1: do not use $<i>number</i> regular expression substitutions for 269 <i>transport</i> or <i>destination</i> unless you know that the information 270 has a trusted origin. 271 272 Note 2: this action overrides the <a href="postconf.5.html">main.cf</a> <b><a href="postconf.5.html#content_filter">content_filter</a></b> set- 273 ting, and affects all recipients of the message. In the case 274 that multiple <b>FILTER</b> actions fire, only the last one is exe- 275 cuted. 276 277 Note 3: the purpose of the FILTER command is to override message 278 routing. To override the recipient's <i>transport</i> but not the 279 next-hop <i>destination</i>, specify an empty filter <i>destination</i> (Post- 280 fix 2.7 and later), or specify a <i>transport:destination</i> that 281 delivers through a different Postfix instance (Postfix 2.6 and 282 earlier). Other options are using the recipient-dependent <b><a href="postconf.5.html#transport_maps">trans</a>-</b> 283 <b><a href="postconf.5.html#transport_maps">port_maps</a></b> or the sender-dependent <b><a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default-</b> 284 <b>_transport_maps</a></b> features. 285 286 This feature is available in Postfix 2.0 and later. 287 288 <b>HOLD</b> <i>optional text...</i> 289 Place the message on the <b>hold</b> queue, where it will sit until 290 someone either deletes it or releases it for delivery. Log the 291 optional text if specified, otherwise log a generic message. 292 293 Mail that is placed on hold can be examined with the <a href="postcat.1.html"><b>postcat</b>(1)</a> 294 command, and can be destroyed or released with the <a href="postsuper.1.html"><b>postsuper</b>(1)</a> 295 command. 296 297 Note: use "<b>postsuper -r</b>" to release mail that was kept on hold 298 for a significant fraction of <b>$<a href="postconf.5.html#maximal_queue_lifetime">maximal_queue_lifetime</a></b> or 299 <b>$<a href="postconf.5.html#bounce_queue_lifetime">bounce_queue_lifetime</a></b>, or longer. Use "<b>postsuper -H</b>" only for 300 mail that will not expire within a few delivery attempts. 301 302 Note: this action currently affects all recipients of the mes- 303 sage. 304 305 This feature is available in Postfix 2.0 and later. 306 307 <b>PREPEND</b> <i>headername: headervalue</i> 308 Prepend the specified message header to the message. When more 309 than one PREPEND action executes, the first prepended header 310 appears before the second etc. prepended header. 311 312 Note: this action must execute before the message content is 313 received; it cannot execute in the context of 314 <b><a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a></b>. 315 316 This feature is available in Postfix 2.1 and later. 317 318 <b>REDIRECT</b> <i>user@domain</i> 319 After the message is queued, send the message to the specified 320 address instead of the intended recipient(s). When multiple <b>RE-</b> 321 <b>DIRECT</b> actions fire, only the last one takes effect. 322 323 Note: this action overrides the FILTER action, and currently 324 overrides all recipients of the message. 325 326 This feature is available in Postfix 2.1 and later. 327 328 <b>INFO</b> <i>optional text...</i> 329 Log an informational record with the optional text, together 330 with client information and if available, with helo, sender, 331 recipient and protocol information. 332 333 This feature is available in Postfix 3.0 and later. 334 335 <b>WARN</b> <i>optional text...</i> 336 Log a warning with the optional text, together with client 337 information and if available, with helo, sender, recipient and 338 protocol information. 339 340 This feature is available in Postfix 2.1 and later. 341 342<b>ENHANCED STATUS CODES</b> 343 Postfix version 2.3 and later support enhanced status codes as defined 344 in <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a>. When an enhanced status code is specified in an access 345 table, it is subject to modification. The following transformations are 346 needed when the same access table is used for client, helo, sender, or 347 recipient access restrictions; they happen regardless of whether Post- 348 fix replies to a MAIL FROM, RCPT TO or other SMTP command. 349 350 <b>o</b> When a sender address matches a REJECT action, the Postfix SMTP 351 server will transform a recipient DSN status (e.g., 4.1.1-4.1.6) 352 into the corresponding sender DSN status, and vice versa. 353 354 <b>o</b> When non-address information matches a REJECT action (such as 355 the HELO command argument or the client hostname/address), the 356 Postfix SMTP server will transform a sender or recipient DSN 357 status into a generic non-address DSN status (e.g., 4.0.0). 358 359<b>REGULAR EXPRESSION TABLES</b> 360 This section describes how the table lookups change when the table is 361 given in the form of regular expressions. For a description of regular 362 expression lookup table syntax, see <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a> or <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a>. 363 364 Each pattern is a regular expression that is applied to the entire 365 string being looked up. Depending on the application, that string is an 366 entire client hostname, an entire client IP address, or an entire mail 367 address. Thus, no parent domain or parent network search is done, 368 <i>user@domain</i> mail addresses are not broken up into their <i>user@</i> and 369 <i>domain</i> constituent parts, nor is <i>user+foo</i> broken up into <i>user</i> and <i>foo</i>. 370 371 Patterns are applied in the order as specified in the table, until a 372 pattern is found that matches the search string. 373 374 Actions are the same as with indexed file lookups, with the additional 375 feature that parenthesized substrings from the pattern can be interpo- 376 lated as <b>$1</b>, <b>$2</b> and so on. 377 378<b>TCP-BASED TABLES</b> 379 This section describes how the table lookups change when lookups are 380 directed to a TCP-based server. For a description of the TCP 381 client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>. This feature is not 382 available up to and including Postfix version 2.4. 383 384 Each lookup operation uses the entire query string once. Depending on 385 the application, that string is an entire client hostname, an entire 386 client IP address, or an entire mail address. Thus, no parent domain 387 or parent network search is done, <i>user@domain</i> mail addresses are not 388 broken up into their <i>user@</i> and <i>domain</i> constituent parts, nor is 389 <i>user+foo</i> broken up into <i>user</i> and <i>foo</i>. 390 391 Actions are the same as with indexed file lookups. 392 393<b>EXAMPLE</b> 394 The following example uses an indexed file, so that the order of table 395 entries does not matter. The example permits access by the client at 396 address 1.2.3.4 but rejects all other clients in 1.2.3.0/24. Instead of 397 <b>hash</b> lookup tables, some systems use <b>dbm</b>. Use the command "<b>postconf</b> 398 <b>-m</b>" to find out what lookup tables Postfix supports on your system. 399 400 /etc/postfix/<a href="postconf.5.html">main.cf</a>: 401 <a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> = 402 <a href="postconf.5.html#check_client_access">check_client_access</a> <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/access 403 404 /etc/postfix/access: 405 1.2.3 REJECT 406 1.2.3.4 OK 407 408 Execute the command "<b>postmap /etc/postfix/access</b>" after editing the 409 file. 410 411<b>BUGS</b> 412 The table format does not understand quoting conventions. 413 414<b>SEE ALSO</b> 415 <a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager 416 <a href="smtpd.8.html">smtpd(8)</a>, SMTP server 417 <a href="postconf.5.html">postconf(5)</a>, configuration parameters 418 <a href="transport.5.html">transport(5)</a>, transport:nexthop syntax 419 420<b>README FILES</b> 421 <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a>, built-in SMTP server access control 422 <a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview 423 424<b>LICENSE</b> 425 The Secure Mailer license must be distributed with this software. 426 427<b>AUTHOR(S)</b> 428 Wietse Venema 429 IBM T.J. Watson Research 430 P.O. Box 704 431 Yorktown Heights, NY 10598, USA 432 433 Wietse Venema 434 Google, Inc. 435 111 8th Avenue 436 New York, NY 10011, USA 437 438 ACCESS(5) 439</pre> </body> </html> 440