1#++ 2# NAME 3# header_checks 5 4# SUMMARY 5# Postfix built-in content inspection 6# SYNOPSIS 7# .nf 8# \fBheader_checks = pcre:/etc/postfix/header_checks\fR 9# \fBmime_header_checks = pcre:/etc/postfix/mime_header_checks\fR 10# \fBnested_header_checks = pcre:/etc/postfix/nested_header_checks\fR 11# \fBbody_checks = pcre:/etc/postfix/body_checks\fR 12# .sp 13# \fBmilter_header_checks = pcre:/etc/postfix/milter_header_checks\fR 14# .sp 15# \fBsmtp_header_checks = pcre:/etc/postfix/smtp_header_checks\fR 16# \fBsmtp_mime_header_checks = pcre:/etc/postfix/smtp_mime_header_checks\fR 17# \fBsmtp_nested_header_checks = pcre:/etc/postfix/smtp_nested_header_checks\fR 18# \fBsmtp_body_checks = pcre:/etc/postfix/smtp_body_checks\fR 19# .sp 20# \fBpostmap -q "\fIstring\fB" pcre:/etc/postfix/\fIfilename\fR 21# \fBpostmap -q - pcre:/etc/postfix/\fIfilename\fR <\fIinputfile\fR 22# .fi 23# DESCRIPTION 24# This document describes access control on the content of 25# message headers and message body lines; it is implemented 26# by the Postfix \fBcleanup\fR(8) server before mail is queued. 27# See \fBaccess\fR(5) for access control on remote SMTP client 28# information. 29# 30# Each message header or message body line is compared against 31# a list of patterns. 32# When a match is found the corresponding action is executed, and 33# the matching process is repeated for the next message header or 34# message body line. 35# 36# Note: message headers are examined one logical header at a time, 37# even when a message header spans multiple lines. Body lines are 38# always examined one line at a time. 39# 40# For examples, see the EXAMPLES section at the end of this 41# manual page. 42# 43# Postfix header or body_checks are designed to stop a flood of mail 44# from worms or viruses; they do not decode attachments, and they do 45# not unzip archives. See the documents referenced below in the README 46# FILES section if you need more sophisticated content analysis. 47# FILTERS WHILE RECEIVING MAIL 48# .ad 49# .fi 50# Postfix implements the following four built-in content 51# inspection classes while receiving mail: 52# .IP "\fBheader_checks\fR (default: empty)" 53# These are applied to initial message headers (except for 54# the headers that are processed with \fBmime_header_checks\fR). 55# .IP "\fBmime_header_checks\fR (default: \fB$header_checks\fR)" 56# These are applied to MIME related message headers only. 57# .sp 58# This feature is available in Postfix 2.0 and later. 59# .IP "\fBnested_header_checks\fR (default: \fB$header_checks\fR)" 60# These are applied to message headers of attached email 61# messages (except for the headers that are processed with 62# \fBmime_header_checks\fR). 63# .sp 64# This feature is available in Postfix 2.0 and later. 65# .IP \fBbody_checks\fR 66# These are applied to all other content, including multi-part 67# message boundaries. 68# .sp 69# With Postfix versions before 2.0, all content after the initial 70# message headers is treated as body content. 71# FILTERS AFTER RECEIVING MAIL 72# .ad 73# .fi 74# Postfix supports a subset of the built-in content inspection 75# classes after the message is received: 76# .IP "\fBmilter_header_checks\fR (default: empty)" 77# These are applied to headers that are added with Milter 78# applications. 79# .sp 80# This feature is available in Postfix 2.7 and later. 81# FILTERS WHILE DELIVERING MAIL 82# .ad 83# .fi 84# Postfix supports all four content inspection classes while 85# delivering mail via SMTP. 86# .IP "\fBsmtp_header_checks\fR (default: empty)" 87# .IP "\fBsmtp_mime_header_checks\fR (default: empty)" 88# .IP "\fBsmtp_nested_header_checks\fR (default: empty)" 89# .IP "\fBsmtp_body_checks\fR (default: empty)" 90# These features are available in Postfix 2.5 and later. 91# COMPATIBILITY 92# .ad 93# .fi 94# With Postfix version 2.2 and earlier specify "\fBpostmap 95# -fq\fR" to query a table that contains case sensitive 96# patterns. By default, regexp: and pcre: patterns are case 97# insensitive. 98# TABLE FORMAT 99# .ad 100# .fi 101# This document assumes that header and body_checks rules are specified 102# in the form of Postfix regular expression lookup tables. Usually the 103# best performance is obtained with \fBpcre\fR (Perl Compatible Regular 104# Expression) tables. The \fBregexp\fR (POSIX regular 105# expressions) tables are usually slower, but more widely 106# available. 107# Use the command "\fBpostconf -m\fR" to find out what lookup table 108# types your Postfix system supports. 109# 110# The general format of Postfix regular expression tables is 111# given below. 112# For a discussion of specific pattern or flags syntax, 113# see \fBpcre_table\fR(5) or \fBregexp_table\fR(5), respectively. 114# .IP "\fB/\fIpattern\fB/\fIflags action\fR" 115# When /\fIpattern\fR/ matches the input string, execute 116# the corresponding \fIaction\fR. See below for a list 117# of possible actions. 118# .IP "\fB!/\fIpattern\fB/\fIflags action\fR" 119# When /\fIpattern\fR/ does \fBnot\fR match the input string, 120# execute the corresponding \fIaction\fR. 121# .IP "\fBif /\fIpattern\fB/\fIflags\fR" 122# .IP "\fBendif\fR" 123# If the input string matches /\fIpattern\fR/, then match that 124# input string against the patterns between \fBif\fR and 125# \fBendif\fR. The \fBif\fR..\fBendif\fR can nest. 126# .sp 127# Note: do not prepend whitespace to patterns inside 128# \fBif\fR..\fBendif\fR. 129# .IP "\fBif !/\fIpattern\fB/\fIflags\fR" 130# .IP "\fBendif\fR" 131# If the input string does not match /\fIpattern\fR/, then 132# match that input string against the patterns between \fBif\fR 133# and \fBendif\fR. The \fBif\fR..\fBendif\fR can nest. 134# .IP "blank lines and comments" 135# Empty lines and whitespace-only lines are ignored, as 136# are lines whose first non-whitespace character is a `#'. 137# .IP "multi-line text" 138# A pattern/action line starts with non-whitespace text. A line that 139# starts with whitespace continues a logical line. 140# TABLE SEARCH ORDER 141# .ad 142# .fi 143# For each line of message input, the patterns are applied in the 144# order as specified in the table. When a pattern is found that matches 145# the input line, the corresponding action is executed and then the 146# next input line is inspected. 147# TEXT SUBSTITUTION 148# .ad 149# .fi 150# Substitution of substrings from the matched expression into the 151# \fIaction\fR 152# string is possible using the conventional Perl syntax 153# (\fB$1\fR, \fB$2\fR, etc.). 154# The macros in the result string may need to be written as \fB${n}\fR 155# or \fB$(n)\fR if they aren't followed by whitespace. 156# 157# Note: since negated patterns (those preceded by \fB!\fR) return a 158# result when the expression does not match, substitutions are not 159# available for negated patterns. 160# ACTIONS 161# .ad 162# .fi 163# Action names are case insensitive. They are shown in upper case 164# for consistency with other Postfix documentation. 165# .IP "\fBBCC \fIuser@domain\fR" 166# Add the specified address as a BCC recipient, and inspect 167# the next input line. The address 168# must have a local part and domain part. The number of BCC 169# addresses that can be added is limited only by the amount 170# of available storage space. 171# 172# Note 1: the BCC address is added as if it was specified with 173# NOTIFY=NONE. The sender will not be notified when the BCC 174# address is undeliverable, as long as all down-stream software 175# implements RFC 3461. 176# 177# Note 2: this ignores duplicate addresses (with the same 178# delivery status notification options). 179# .sp 180# This feature is available in Postfix 3.0 and later. 181# .sp 182# This feature is not supported with smtp header/body checks. 183# \" .IP "\fBDELAY \fItime\fR" 184# \" Place the message into the deferred queue, and delay the 185# \" initial delivery attempt by \fItime\fR. The time value may 186# \" be followed by a one-character suffix that specifies the 187# \" time unit: s (seconds), m (minutes), h (hours), d (days), 188# \" w (weeks). The default time unit is s (seconds). 189# \" .sp 190# \" Limitations: 191# \" .RS 192# \" .IP \(bu 193# \" This action affects all the recipients of the message. 194# \" .IP \(bu 195# \" The delay value has no effect with remote file systems that 196# \" don't correctly emulate UNIX local file system semantics. 197# \" In that case, the delay will be half of $queue_run_delay 198# \" on average. 199# \" .IP \(bu 200# \" Mail will still be delivered with "sendmail -q", "postfix 201# \" flush" or "postqueue -f". 202# \" .IP \(bu 203# \" Delayed mail increases the amount of disk I/O during deferred 204# \" queue scans. When large amounts of mail are queued for 205# \" delayed delivery it may be preferable to use the HOLD feature 206# \" instead. 207# \" .RE 208# \" .IP 209# \" This feature is available in Postfix 2.3 and later. 210# .IP "\fBDISCARD \fIoptional text...\fR" 211# Claim successful delivery and silently discard the message. 212# Do not inspect the remainder of the input message. 213# Log the optional text if specified, otherwise log a generic 214# message. 215# .sp 216# Note: this action disables further header or body_checks inspection 217# of the current message and affects all recipients. 218# To discard only one recipient without discarding the entire message, 219# use the transport(5) table to direct mail to the discard(8) service. 220# .sp 221# This feature is available in Postfix 2.0 and later. 222# .sp 223# This feature is not supported with smtp header/body checks. 224# .IP \fBDUNNO\fR 225# Pretend that the input line did not match any pattern, and inspect the 226# next input line. This action can be used to shorten the table search. 227# .sp 228# For backwards compatibility reasons, Postfix also accepts 229# \fBOK\fR but it is (and always has been) treated as \fBDUNNO\fR. 230# .sp 231# This feature is available in Postfix 2.1 and later. 232# .IP "\fBFILTER \fItransport:destination\fR" 233# Override the content_filter parameter setting, and inspect 234# the next input line. 235# After the message is queued, send the entire message through 236# the specified external content filter. The \fItransport\fR 237# name specifies the first field of a mail delivery agent 238# definition in master.cf; the syntax of the next-hop 239# \fIdestination\fR is described in the manual page of the 240# corresponding delivery agent. More information about 241# external content filters is in the Postfix FILTER_README 242# file. 243# .sp 244# Note 1: do not use $\fInumber\fR regular expression 245# substitutions for \fItransport\fR or \fIdestination\fR 246# unless you know that the information has a trusted origin. 247# .sp 248# Note 2: this action overrides the main.cf \fBcontent_filter\fR 249# setting, and affects all recipients of the message. In the 250# case that multiple \fBFILTER\fR actions fire, only the last 251# one is executed. 252# .sp 253# Note 3: the purpose of the FILTER command is to override 254# message routing. To override the recipient's \fItransport\fR 255# but not the next-hop \fIdestination\fR, specify an empty 256# filter \fIdestination\fR (Postfix 2.7 and later), or specify 257# a \fItransport:destination\fR that delivers through a 258# different Postfix instance (Postfix 2.6 and earlier). Other 259# options are using the recipient-dependent \fBtrans\%port\%_maps\fR 260# or the sen\%der-dependent 261# \fBsender\%_de\%pen\%dent\%_de\%fault\%_trans\%port\%_maps\fR 262# features. 263# .sp 264# This feature is available in Postfix 2.0 and later. 265# .sp 266# This feature is not supported with smtp header/body checks. 267# .IP "\fBHOLD \fIoptional text...\fR" 268# Arrange for the message to be placed on the \fBhold\fR queue, 269# and inspect the next input line. The message remains on \fBhold\fR 270# until someone either deletes it or releases it for delivery. 271# Log the optional text if specified, otherwise log a generic 272# message. 273# 274# Mail that is placed on hold can be examined with the 275# \fBpostcat\fR(1) command, and can be destroyed or released with 276# the \fBpostsuper\fR(1) command. 277# .sp 278# Note: use "\fBpostsuper -r\fR" to release mail that was kept on 279# hold for a significant fraction of \fB$maximal_queue_lifetime\fR 280# or \fB$bounce_queue_lifetime\fR, or longer. Use "\fBpostsuper -H\fR" 281# only for mail that will not expire within a few delivery attempts. 282# .sp 283# Note: this action affects all recipients of the message. 284# .sp 285# This feature is available in Postfix 2.0 and later. 286# .sp 287# This feature is not supported with smtp header/body checks. 288# .IP \fBIGNORE\fR 289# Delete the current line from the input, and inspect 290# the next input line. See \fBSTRIP\fR for an alternative 291# that logs the action. 292# .IP "\fBINFO \fIoptional text...\fR 293# Log an "info:" record with the \fIoptional text...\fR (or 294# log a generic text), and inspect the next input line. This 295# action is useful for routine logging or for debugging. 296# .sp 297# This feature is available in Postfix 2.8 and later. 298# .IP "\fBPASS \fIoptional text...\fR" 299# Log a "pass:" record with the \fIoptional text...\fR (or 300# log a generic text), and turn off header, body, and Milter 301# inspection for the remainder of this message. 302# .sp 303# Note: this feature relies on trust in information that is 304# easy to forge. 305# .sp 306# This feature is available in Postfix 3.2 and later. 307# .sp 308# This feature is not supported with smtp header/body checks. 309# .IP "\fBPREPEND \fItext...\fR" 310# Prepend one line with the specified text, and inspect the next 311# input line. 312# .sp 313# Notes: 314# .RS 315# .IP \(bu 316# The prepended text is output on a separate line, immediately 317# before the input that triggered the \fBPREPEND\fR action. 318# .IP \(bu 319# The prepended text is not considered part of the input 320# stream: it is not subject to header/body checks or address 321# rewriting, and it does not affect the way that Postfix adds 322# missing message headers. 323# .IP \(bu 324# When prepending text before a message header line, the prepended 325# text must begin with a valid message header label. 326# .IP \(bu 327# This action cannot be used to prepend multi-line text. 328# .RE 329# .IP 330# This feature is available in Postfix 2.1 and later. 331# .sp 332# This feature is not supported with milter_header_checks. 333# .IP "\fBREDIRECT \fIuser@domain\fR" 334# Write a message redirection request to the queue file, and 335# inspect the next input line. After the message is queued, 336# it will be sent to the specified address instead of the 337# intended recipient(s). 338# .sp 339# Note: this action overrides the \fBFILTER\fR action, and affects 340# all recipients of the message. If multiple \fBREDIRECT\fR actions 341# fire, only the last one is executed. 342# .sp 343# This feature is available in Postfix 2.1 and later. 344# .sp 345# This feature is not supported with smtp header/body checks. 346# .IP "\fBREPLACE \fItext...\fR" 347# Replace the current line with the specified text, and inspect the next 348# input line. 349# .sp 350# This feature is available in Postfix 2.2 and later. The 351# description below applies to Postfix 2.2.2 and later. 352# .sp 353# Notes: 354# .RS 355# .IP \(bu 356# When replacing a message header line, the replacement text 357# must begin with a valid header label. 358# .IP \(bu 359# The replaced text remains part of the input stream. Unlike 360# the result from the \fBPREPEND\fR action, a replaced message 361# header may be subject to address rewriting and may affect 362# the way that Postfix adds missing message headers. 363# .RE 364# .IP "\fBREJECT \fIoptional text...\fR 365# Reject the entire message. Do not inspect the remainder of 366# the input message. Reply with \fIoptional text...\fR when 367# the optional text is specified, otherwise reply with a 368# generic error message. 369# .sp 370# Note: this action disables further header or body_checks inspection 371# of the current message and affects all recipients. 372# .sp 373# Postfix version 2.3 and later support enhanced status codes. 374# When no code is specified at the beginning of \fIoptional 375# text...\fR, Postfix inserts a default enhanced status code of 376# "5.7.1". 377# .sp 378# This feature is not supported with smtp header/body checks. 379# .IP "\fBSTRIP \fIoptional text...\fR" 380# Log a "strip:" record with the \fIoptional text...\fR (or 381# log a generic text), delete the input line from the input, 382# and inspect the next input line. See \fBIGNORE\fR for a 383# silent alternative. 384# .sp 385# This feature is available in Postfix 3.2 and later. 386# .IP "\fBWARN \fIoptional text...\fR 387# Log a "warning:" record with the \fIoptional text...\fR (or 388# log a generic text), and inspect the next input line. This 389# action is useful for debugging and for testing a pattern 390# before applying more drastic actions. 391# BUGS 392# Empty lines never match, because some map types mis-behave 393# when given a zero-length search string. This limitation may 394# be removed for regular expression tables in a future release. 395# 396# Many people overlook the main limitations of header and body_checks 397# rules. 398# .IP \(bu 399# These rules operate on one logical message header or one body 400# line at a time. A decision made for one line is not carried over 401# to the next line. 402# .IP \(bu 403# If text in the message body is encoded 404# (RFC 2045) then the rules need to be specified for the encoded 405# form. 406# .IP \(bu 407# Likewise, when message headers are encoded (RFC 408# 2047) then the rules need to be specified for the encoded 409# form. 410# .PP 411# Message headers added by the \fBcleanup\fR(8) daemon itself 412# are excluded from inspection. Examples of such message headers 413# are \fBFrom:\fR, \fBTo:\fR, \fBMessage-ID:\fR, \fBDate:\fR. 414# 415# Message headers deleted by the \fBcleanup\fR(8) daemon will 416# be examined before they are deleted. Examples are: \fBBcc:\fR, 417# \fBContent-Length:\fR, \fBReturn-Path:\fR. 418# CONFIGURATION PARAMETERS 419# .ad 420# .fi 421# .IP \fBbody_checks\fR 422# Lookup tables with content filter rules for message body lines. 423# These filters see one physical line at a time, in chunks of 424# at most \fB$line_length_limit\fR bytes. 425# .IP \fBbody_checks_size_limit\fP 426# The amount of content per message body segment (attachment) that is 427# subjected to \fB$body_checks\fR filtering. 428# .IP \fBheader_checks\fR 429# .IP "\fBmime_header_checks\fR (default: \fB$header_checks\fR)" 430# .IP "\fBnested_header_checks\fR (default: \fB$header_checks\fR)" 431# Lookup tables with content filter rules for message header lines: 432# respectively, these are applied to the initial message headers 433# (not including MIME headers), to the MIME headers anywhere in 434# the message, and to the initial headers of attached messages. 435# .sp 436# Note: these filters see one logical message header at a time, even 437# when a message header spans multiple lines. Message headers that 438# are longer than \fB$header_size_limit\fR characters are truncated. 439# .IP \fBdisable_mime_input_processing\fR 440# While receiving mail, give no special treatment to MIME related 441# message headers; all text after the initial message headers is 442# considered to be part of the message body. This means that 443# \fBheader_checks\fR is applied to all the initial message headers, 444# and that \fBbody_checks\fR is applied to the remainder of the 445# message. 446# .sp 447# Note: when used in this manner, \fBbody_checks\fR will process 448# a multi-line message header one line at a time. 449# EXAMPLES 450# .ad 451# .fi 452# Header pattern to block attachments with bad file name 453# extensions. For convenience, the PCRE /x flag is specified, 454# so that there is no need to collapse the pattern into a 455# single line of text. The purpose of the [[:xdigit:]] 456# sub-expressions is to recognize Windows CLSID strings. 457# 458# .na 459# .nf 460# /etc/postfix/main.cf: 461# header_checks = pcre:/etc/postfix/header_checks.pcre 462# 463# /etc/postfix/header_checks.pcre: 464# /^Content-(Disposition|Type).*name\es*=\es*"?([^;]*(\e.|=2E)( 465# ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe| 466# hlp|ht[at]| 467# inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws| 468# \e{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\e}| 469# ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf| 470# vb[esx]?|vxd|ws[cfh]))(\e?=)?"?\es*(;|$)/x 471# REJECT Attachment name "$2" may not end with ".$4" 472# .ad 473# .fi 474# 475# Body pattern to stop a specific HTML browser vulnerability exploit. 476# 477# .na 478# .nf 479# /etc/postfix/main.cf: 480# body_checks = regexp:/etc/postfix/body_checks 481# 482# /etc/postfix/body_checks: 483# /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/ 484# REJECT IFRAME vulnerability exploit 485# SEE ALSO 486# cleanup(8), canonicalize and enqueue Postfix message 487# pcre_table(5), format of PCRE lookup tables 488# regexp_table(5), format of POSIX regular expression tables 489# postconf(1), Postfix configuration utility 490# postmap(1), Postfix lookup table management 491# postsuper(1), Postfix janitor 492# postcat(1), show Postfix queue file contents 493# RFC 2045, base64 and quoted-printable encoding rules 494# RFC 2047, message header encoding for non-ASCII text 495# README FILES 496# .ad 497# .fi 498# Use "\fBpostconf readme_directory\fR" or 499# "\fBpostconf html_directory\fR" to locate this information. 500# .na 501# .nf 502# DATABASE_README, Postfix lookup table overview 503# CONTENT_INSPECTION_README, Postfix content inspection overview 504# BUILTIN_FILTER_README, Postfix built-in content inspection 505# BACKSCATTER_README, blocking returned forged mail 506# LICENSE 507# .ad 508# .fi 509# The Secure Mailer license must be distributed with this software. 510# AUTHOR(S) 511# Wietse Venema 512# IBM T.J. Watson Research 513# P.O. Box 704 514# Yorktown Heights, NY 10598, USA 515# 516# Wietse Venema 517# Google, Inc. 518# 111 8th Avenue 519# New York, NY 10011, USA 520#-- 521