access.5.html revision 1.1.1.7
1<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" 2 "http://www.w3.org/TR/html4/loose.dtd"> 3<html> <head> 4<meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> 5<title> Postfix manual - access(5) </title> 6</head> <body> <pre> 7ACCESS(5) ACCESS(5) 8 9<b>NAME</b> 10 access - Postfix SMTP server access table 11 12<b>SYNOPSIS</b> 13 <b>postmap /etc/postfix/access</b> 14 15 <b>postmap -q "</b><i>string</i><b>" /etc/postfix/access</b> 16 17 <b>postmap -q - /etc/postfix/access</b> <<i>inputfile</i> 18 19<b>DESCRIPTION</b> 20 This document describes access control on remote SMTP client informa- 21 tion: host names, network addresses, and envelope sender or recipient 22 addresses; it is implemented by the Postfix SMTP server. See 23 <a href="header_checks.5.html"><b>header_checks</b>(5)</a> or <a href="header_checks.5.html"><b>body_checks</b>(5)</a> for access control on the content of 24 email messages. 25 26 Normally, the <a href="access.5.html"><b>access</b>(5)</a> table is specified as a text file that serves 27 as input to the <a href="postmap.1.html"><b>postmap</b>(1)</a> command. The result, an indexed file in <b>dbm</b> 28 or <b>db</b> format, is used for fast searching by the mail system. Execute 29 the command "<b>postmap /etc/postfix/access</b>" to rebuild an indexed file 30 after changing the corresponding text file. 31 32 When the table is provided via other means such as NIS, LDAP or SQL, 33 the same lookups are done as for ordinary indexed files. 34 35 Alternatively, the table can be provided as a regular-expression map 36 where patterns are given as regular expressions, or lookups can be 37 directed to TCP-based server. In those cases, the lookups are done in a 38 slightly different way as described below under "REGULAR EXPRESSION 39 TABLES" or "TCP-BASED TABLES". 40 41<b>CASE FOLDING</b> 42 The search string is folded to lowercase before database lookup. As of 43 Postfix 2.3, the search string is not case folded with database types 44 such as <a href="regexp_table.5.html">regexp</a>: or <a href="pcre_table.5.html">pcre</a>: whose lookup fields can match both upper and 45 lower case. 46 47<b>TABLE FORMAT</b> 48 The input format for the <a href="postmap.1.html"><b>postmap</b>(1)</a> command is as follows: 49 50 <i>pattern action</i> 51 When <i>pattern</i> matches a mail address, domain or host address, 52 perform the corresponding <i>action</i>. 53 54 blank lines and comments 55 Empty lines and whitespace-only lines are ignored, as are lines 56 whose first non-whitespace character is a `#'. 57 58 multi-line text 59 A logical line starts with non-whitespace text. A line that 60 starts with whitespace continues a logical line. 61 62<b>EMAIL ADDRESS PATTERNS</b> 63 With lookups from indexed files such as DB or DBM, or from networked 64 tables such as NIS, LDAP or SQL, patterns are tried in the order as 65 listed below: 66 67 <i>user</i>@<i>domain</i> 68 Matches the specified mail address. 69 70 <i>domain.tld</i> 71 Matches <i>domain.tld</i> as the domain part of an email address. 72 73 The pattern <i>domain.tld</i> also matches subdomains, but only when 74 the string <b>smtpd_access_maps</b> is listed in the Postfix <b><a href="postconf.5.html#parent_domain_matches_subdomains">par</a>-</b> 75 <b><a href="postconf.5.html#parent_domain_matches_subdomains">ent_domain_matches_subdomains</a></b> configuration setting. 76 77 <i>.domain.tld</i> 78 Matches subdomains of <i>domain.tld</i>, but only when the string 79 <b>smtpd_access_maps</b> is not listed in the Postfix <b><a href="postconf.5.html#parent_domain_matches_subdomains">par</a>-</b> 80 <b><a href="postconf.5.html#parent_domain_matches_subdomains">ent_domain_matches_subdomains</a></b> configuration setting. 81 82 <i>user</i>@ Matches all mail addresses with the specified user part. 83 84 Note: lookup of the null sender address is not possible with some types 85 of lookup table. By default, Postfix uses <> as the lookup key for such 86 addresses. The value is specified with the <b><a href="postconf.5.html#smtpd_null_access_lookup_key">smtpd_null_access_lookup_key</a></b> 87 parameter in the Postfix <a href="postconf.5.html"><b>main.cf</b></a> file. 88 89<b>EMAIL ADDRESS EXTENSION</b> 90 When a mail address localpart contains the optional recipient delimiter 91 (e.g., <i>user+foo</i>@<i>domain</i>), the lookup order becomes: <i>user+foo</i>@<i>domain</i>, 92 <i>user</i>@<i>domain</i>, <i>domain</i>, <i>user+foo</i>@, and <i>user</i>@. 93 94<b>HOST NAME/ADDRESS PATTERNS</b> 95 With lookups from indexed files such as DB or DBM, or from networked 96 tables such as NIS, LDAP or SQL, the following lookup patterns are 97 examined in the order as listed: 98 99 <i>domain.tld</i> 100 Matches <i>domain.tld</i>. 101 102 The pattern <i>domain.tld</i> also matches subdomains, but only when 103 the string <b>smtpd_access_maps</b> is listed in the Postfix <b><a href="postconf.5.html#parent_domain_matches_subdomains">par</a>-</b> 104 <b><a href="postconf.5.html#parent_domain_matches_subdomains">ent_domain_matches_subdomains</a></b> configuration setting. 105 106 <i>.domain.tld</i> 107 Matches subdomains of <i>domain.tld</i>, but only when the string 108 <b>smtpd_access_maps</b> is not listed in the Postfix <b><a href="postconf.5.html#parent_domain_matches_subdomains">par</a>-</b> 109 <b><a href="postconf.5.html#parent_domain_matches_subdomains">ent_domain_matches_subdomains</a></b> configuration setting. 110 111 <i>net.work.addr.ess</i> 112 113 <i>net.work.addr</i> 114 115 <i>net.work</i> 116 117 <i>net</i> Matches a remote IPv4 host address or network address range. 118 Specify one to four decimal octets separated by ".". Do not 119 specify "[]" , "/", leading zeros, or hexadecimal forms. 120 121 Network ranges are matched by repeatedly truncating the last 122 ".octet" from a remote IPv4 host address string, until a match 123 is found in the access table, or until further truncation is not 124 possible. 125 126 NOTE: use the <b>cidr</b> lookup table type to specify network/netmask 127 patterns. See <a href="cidr_table.5.html"><b>cidr_table</b>(5)</a> for details. 128 129 <i>net:work:addr:ess</i> 130 131 <i>net:work:addr</i> 132 133 <i>net:work</i> 134 135 <i>net</i> Matches a remote IPv6 host address or network address range. 136 Specify three to eight hexadecimal octet pairs separated by ":", 137 using the compressed form "::" for a sequence of zero-valued 138 octet pairs. Do not specify "[]", "/", leading zeros, or 139 non-compressed forms. 140 141 A network range is matched by repeatedly truncating the last 142 ":octetpair" from the compressed-form remote IPv6 host address 143 string, until a match is found in the access table, or until 144 further truncation is not possible. 145 146 NOTE: use the <b>cidr</b> lookup table type to specify network/netmask 147 patterns. See <a href="cidr_table.5.html"><b>cidr_table</b>(5)</a> for details. 148 149 IPv6 support is available in Postfix 2.2 and later. 150 151<b>ACCEPT ACTIONS</b> 152 <b>OK</b> Accept the address etc. that matches the pattern. 153 154 <i>all-numerical</i> 155 An all-numerical result is treated as OK. This format is gener- 156 ated by address-based relay authorization schemes such as 157 pop-before-smtp. 158 159 For other accept actions, see "OTHER ACTIONS" below. 160 161<b>REJECT ACTIONS</b> 162 Postfix version 2.3 and later support enhanced status codes as defined 163 in <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a>. When no code is specified at the beginning of the <i>text</i> 164 below, Postfix inserts a default enhanced status code of "5.7.1" in the 165 case of reject actions, and "4.7.1" in the case of defer actions. See 166 "ENHANCED STATUS CODES" below. 167 168 <b>4</b><i>NN text</i> 169 170 <b>5</b><i>NN text</i> 171 Reject the address etc. that matches the pattern, and respond 172 with the numerical three-digit code and text. <b>4</b><i>NN</i> means "try 173 again later", while <b>5</b><i>NN</i> means "do not try again". 174 175 The following responses have special meaning for the Postfix 176 SMTP server: 177 178 <b>421</b> <i>text</i> (Postfix 2.3 and later) 179 180 <b>521</b> <i>text</i> (Postfix 2.6 and later) 181 After responding with the numerical three-digit code and 182 text, disconnect immediately from the SMTP client. This 183 frees up SMTP server resources so that they can be made 184 available to another SMTP client. 185 186 Note: The "521" response should be used only with botnets 187 and other malware where interoperability is of no con- 188 cern. The "send 521 and disconnect" behavior is NOT 189 defined in the SMTP standard. 190 191 <b>REJECT</b> <i>optional text...</i> 192 Reject the address etc. that matches the pattern. Reply with 193 "<b>$<a href="postconf.5.html#access_map_reject_code">access_map_reject_code</a></b> <i>optional text...</i>" when the optional 194 text is specified, otherwise reply with a generic error response 195 message. 196 197 <b>DEFER</b> <i>optional text...</i> 198 Reject the address etc. that matches the pattern. Reply with 199 "<b>$<a href="postconf.5.html#access_map_defer_code">access_map_defer_code</a></b> <i>optional text...</i>" when the optional text 200 is specified, otherwise reply with a generic error response mes- 201 sage. 202 203 This feature is available in Postfix 2.6 and later. 204 205 <b>DEFER_IF_REJECT</b> <i>optional text...</i> 206 Defer the request if some later restriction would result in a 207 REJECT action. Reply with "<b>$<a href="postconf.5.html#access_map_defer_code">access_map_defer_code</a> 4.7.1</b> <i>optional</i> 208 <i>text...</i>" when the optional text is specified, otherwise reply 209 with a generic error response message. 210 211 Prior to Postfix 2.6, the SMTP reply code is 450. 212 213 This feature is available in Postfix 2.1 and later. 214 215 <b>DEFER_IF_PERMIT</b> <i>optional text...</i> 216 Defer the request if some later restriction would result in a an 217 explicit or implicit PERMIT action. Reply with 218 "<b>$<a href="postconf.5.html#access_map_defer_code">access_map_defer_code</a> 4.7.1</b> <i>optional text...</i>" when the 219 optional text is specified, otherwise reply with a generic error 220 response message. 221 222 Prior to Postfix 2.6, the SMTP reply code is 450. 223 224 This feature is available in Postfix 2.1 and later. 225 226 For other reject actions, see "OTHER ACTIONS" below. 227 228<b>OTHER ACTIONS</b> 229 <i>restriction...</i> 230 Apply the named UCE restriction(s) (<b>permit</b>, <b>reject</b>, 231 <b><a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a></b>, and so on). 232 233 <b>BCC</b> <i>user@domain</i> 234 Send one copy of the message to the specified recipient. 235 236 If multiple BCC actions are specified within the same SMTP MAIL 237 transaction, with Postfix 3.0 only the last action will be used. 238 239 This feature is available in Postfix 3.0 and later. 240 241 <b>DISCARD</b> <i>optional text...</i> 242 Claim successful delivery and silently discard the message. Log 243 the optional text if specified, otherwise log a generic message. 244 245 Note: this action currently affects all recipients of the mes- 246 sage. To discard only one recipient without discarding the 247 entire message, use the <a href="transport.5.html">transport(5)</a> table to direct mail to the 248 <a href="discard.8.html">discard(8)</a> service. 249 250 This feature is available in Postfix 2.0 and later. 251 252 <b>DUNNO</b> Pretend that the lookup key was not found. This prevents Postfix 253 from trying substrings of the lookup key (such as a subdomain 254 name, or a network address subnetwork). 255 256 This feature is available in Postfix 2.0 and later. 257 258 <b>FILTER</b> <i>transport:destination</i> 259 After the message is queued, send the entire message through the 260 specified external content filter. The <i>transport</i> name specifies 261 the first field of a mail delivery agent definition in <a href="master.5.html">mas- 262 ter.cf</a>; the syntax of the next-hop <i>destination</i> is described in 263 the manual page of the corresponding delivery agent. More 264 information about external content filters is in the Postfix 265 <a href="FILTER_README.html">FILTER_README</a> file. 266 267 Note 1: do not use $<i>number</i> regular expression substitutions for 268 <i>transport</i> or <i>destination</i> unless you know that the information 269 has a trusted origin. 270 271 Note 2: this action overrides the <a href="postconf.5.html">main.cf</a> <b><a href="postconf.5.html#content_filter">content_filter</a></b> set- 272 ting, and affects all recipients of the message. In the case 273 that multiple <b>FILTER</b> actions fire, only the last one is exe- 274 cuted. 275 276 Note 3: the purpose of the FILTER command is to override message 277 routing. To override the recipient's <i>transport</i> but not the 278 next-hop <i>destination</i>, specify an empty filter <i>destination</i> (Post- 279 fix 2.7 and later), or specify a <i>transport:destination</i> that 280 delivers through a different Postfix instance (Postfix 2.6 and 281 earlier). Other options are using the recipient-dependent <b><a href="postconf.5.html#transport_maps">trans</a>-</b> 282 <b><a href="postconf.5.html#transport_maps">port_maps</a></b> or the sender-dependent <b><a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default-</b> 283 <b>_transport_maps</a></b> features. 284 285 This feature is available in Postfix 2.0 and later. 286 287 <b>HOLD</b> <i>optional text...</i> 288 Place the message on the <b>hold</b> queue, where it will sit until 289 someone either deletes it or releases it for delivery. Log the 290 optional text if specified, otherwise log a generic message. 291 292 Mail that is placed on hold can be examined with the <a href="postcat.1.html"><b>postcat</b>(1)</a> 293 command, and can be destroyed or released with the <a href="postsuper.1.html"><b>postsuper</b>(1)</a> 294 command. 295 296 Note: use "<b>postsuper -r</b>" to release mail that was kept on hold 297 for a significant fraction of <b>$<a href="postconf.5.html#maximal_queue_lifetime">maximal_queue_lifetime</a></b> or 298 <b>$<a href="postconf.5.html#bounce_queue_lifetime">bounce_queue_lifetime</a></b>, or longer. Use "<b>postsuper -H</b>" only for 299 mail that will not expire within a few delivery attempts. 300 301 Note: this action currently affects all recipients of the mes- 302 sage. 303 304 This feature is available in Postfix 2.0 and later. 305 306 <b>PREPEND</b> <i>headername: headervalue</i> 307 Prepend the specified message header to the message. When more 308 than one PREPEND action executes, the first prepended header 309 appears before the second etc. prepended header. 310 311 Note: this action must execute before the message content is 312 received; it cannot execute in the context of 313 <b><a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a></b>. 314 315 This feature is available in Postfix 2.1 and later. 316 317 <b>REDIRECT</b> <i>user@domain</i> 318 After the message is queued, send the message to the specified 319 address instead of the intended recipient(s). When multiple <b>RE-</b> 320 <b>DIRECT</b> actions fire, only the last one takes effect. 321 322 Note: this action overrides the FILTER action, and currently 323 overrides all recipients of the message. 324 325 This feature is available in Postfix 2.1 and later. 326 327 <b>INFO</b> <i>optional text...</i> 328 Log an informational record with the optional text, together 329 with client information and if available, with helo, sender, 330 recipient and protocol information. 331 332 This feature is available in Postfix 3.0 and later. 333 334 <b>WARN</b> <i>optional text...</i> 335 Log a warning with the optional text, together with client 336 information and if available, with helo, sender, recipient and 337 protocol information. 338 339 This feature is available in Postfix 2.1 and later. 340 341<b>ENHANCED STATUS CODES</b> 342 Postfix version 2.3 and later support enhanced status codes as defined 343 in <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a>. When an enhanced status code is specified in an access 344 table, it is subject to modification. The following transformations are 345 needed when the same access table is used for client, helo, sender, or 346 recipient access restrictions; they happen regardless of whether Post- 347 fix replies to a MAIL FROM, RCPT TO or other SMTP command. 348 349 <b>o</b> When a sender address matches a REJECT action, the Postfix SMTP 350 server will transform a recipient DSN status (e.g., 4.1.1-4.1.6) 351 into the corresponding sender DSN status, and vice versa. 352 353 <b>o</b> When non-address information matches a REJECT action (such as 354 the HELO command argument or the client hostname/address), the 355 Postfix SMTP server will transform a sender or recipient DSN 356 status into a generic non-address DSN status (e.g., 4.0.0). 357 358<b>REGULAR EXPRESSION TABLES</b> 359 This section describes how the table lookups change when the table is 360 given in the form of regular expressions. For a description of regular 361 expression lookup table syntax, see <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a> or <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a>. 362 363 Each pattern is a regular expression that is applied to the entire 364 string being looked up. Depending on the application, that string is an 365 entire client hostname, an entire client IP address, or an entire mail 366 address. Thus, no parent domain or parent network search is done, 367 <i>user@domain</i> mail addresses are not broken up into their <i>user@</i> and 368 <i>domain</i> constituent parts, nor is <i>user+foo</i> broken up into <i>user</i> and <i>foo</i>. 369 370 Patterns are applied in the order as specified in the table, until a 371 pattern is found that matches the search string. 372 373 Actions are the same as with indexed file lookups, with the additional 374 feature that parenthesized substrings from the pattern can be interpo- 375 lated as <b>$1</b>, <b>$2</b> and so on. 376 377<b>TCP-BASED TABLES</b> 378 This section describes how the table lookups change when lookups are 379 directed to a TCP-based server. For a description of the TCP 380 client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>. This feature is not 381 available up to and including Postfix version 2.4. 382 383 Each lookup operation uses the entire query string once. Depending on 384 the application, that string is an entire client hostname, an entire 385 client IP address, or an entire mail address. Thus, no parent domain 386 or parent network search is done, <i>user@domain</i> mail addresses are not 387 broken up into their <i>user@</i> and <i>domain</i> constituent parts, nor is 388 <i>user+foo</i> broken up into <i>user</i> and <i>foo</i>. 389 390 Actions are the same as with indexed file lookups. 391 392<b>EXAMPLE</b> 393 The following example uses an indexed file, so that the order of table 394 entries does not matter. The example permits access by the client at 395 address 1.2.3.4 but rejects all other clients in 1.2.3.0/24. Instead of 396 <b>hash</b> lookup tables, some systems use <b>dbm</b>. Use the command "<b>postconf</b> 397 <b>-m</b>" to find out what lookup tables Postfix supports on your system. 398 399 /etc/postfix/<a href="postconf.5.html">main.cf</a>: 400 <a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> = 401 <a href="postconf.5.html#check_client_access">check_client_access</a> <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/access 402 403 /etc/postfix/access: 404 1.2.3 REJECT 405 1.2.3.4 OK 406 407 Execute the command "<b>postmap /etc/postfix/access</b>" after editing the 408 file. 409 410<b>BUGS</b> 411 The table format does not understand quoting conventions. 412 413<b>SEE ALSO</b> 414 <a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager 415 <a href="smtpd.8.html">smtpd(8)</a>, SMTP server 416 <a href="postconf.5.html">postconf(5)</a>, configuration parameters 417 <a href="transport.5.html">transport(5)</a>, transport:nexthop syntax 418 419<b>README FILES</b> 420 <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a>, built-in SMTP server access control 421 <a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview 422 423<b>LICENSE</b> 424 The Secure Mailer license must be distributed with this software. 425 426<b>AUTHOR(S)</b> 427 Wietse Venema 428 IBM T.J. Watson Research 429 P.O. Box 704 430 Yorktown Heights, NY 10598, USA 431 432 Wietse Venema 433 Google, Inc. 434 111 8th Avenue 435 New York, NY 10011, USA 436 437 ACCESS(5) 438</pre> </body> </html> 439