1# ACCESS(5) ACCESS(5) 2# 3# NAME 4# access - Postfix SMTP server access table 5# 6# SYNOPSIS 7# postmap /etc/postfix/access 8# 9# postmap -q "string" /etc/postfix/access 10# 11# postmap -q - /etc/postfix/access <inputfile 12# 13# DESCRIPTION 14# This document describes access control on remote SMTP 15# client information: host names, network addresses, and 16# envelope sender or recipient addresses; it is implemented 17# by the Postfix SMTP server. See header_checks(5) or 18# body_checks(5) for access control on the content of email 19# messages. 20# 21# Normally, the access(5) table is specified as a text file 22# that serves as input to the postmap(1) command. The 23# result, an indexed file in dbm or db format, is used for 24# fast searching by the mail system. Execute the command 25# "postmap /etc/postfix/access" to rebuild an indexed file 26# after changing the corresponding text file. 27# 28# When the table is provided via other means such as NIS, 29# LDAP or SQL, the same lookups are done as for ordinary 30# indexed files. 31# 32# Alternatively, the table can be provided as a regu- 33# lar-expression map where patterns are given as regular 34# expressions, or lookups can be directed to a TCP-based 35# server. In those cases, the lookups are done in a slightly 36# different way as described below under "REGULAR EXPRESSION 37# TABLES" or "TCP-BASED TABLES". 38# 39# CASE FOLDING 40# The search string is folded to lowercase before database 41# lookup. As of Postfix 2.3, the search string is not case 42# folded with database types such as regexp: or pcre: whose 43# lookup fields can match both upper and lower case. 44# 45# TABLE FORMAT 46# The input format for the postmap(1) command is as follows: 47# 48# pattern action 49# When pattern matches a mail address, domain or host 50# address, perform the corresponding action. 51# 52# blank lines and comments 53# Empty lines and whitespace-only lines are ignored, 54# as are lines whose first non-whitespace character 55# is a `#'. 56# 57# multi-line text 58# A logical line starts with non-whitespace text. A 59# line that starts with whitespace continues a logi- 60# cal line. 61# 62# EMAIL ADDRESS PATTERNS 63# With lookups from indexed files such as DB or DBM, or from 64# networked tables such as NIS, LDAP or SQL, patterns are 65# tried in the order as listed below: 66# 67# user@domain 68# Matches the specified mail address. 69# 70# domain.tld 71# Matches domain.tld as the domain part of an email 72# address. 73# 74# The pattern domain.tld also matches subdomains, but 75# only when the string smtpd_access_maps is listed in 76# the Postfix parent_domain_matches_subdomains con- 77# figuration setting. 78# 79# .domain.tld 80# Matches subdomains of domain.tld, but only when the 81# string smtpd_access_maps is not listed in the Post- 82# fix parent_domain_matches_subdomains configuration 83# setting. 84# 85# user@ Matches all mail addresses with the specified user 86# part. 87# 88# Note: lookup of the null sender address is not possible 89# with some types of lookup table. By default, Postfix uses 90# <> as the lookup key for such addresses. The value is 91# specified with the smtpd_null_access_lookup_key parameter 92# in the Postfix main.cf file. 93# 94# EMAIL ADDRESS EXTENSION 95# When a mail address localpart contains the optional recip- 96# ient delimiter (e.g., user+foo@domain), the lookup order 97# becomes: user+foo@domain, user@domain, domain, user+foo@, 98# and user@. 99# 100# HOST NAME/ADDRESS PATTERNS 101# With lookups from indexed files such as DB or DBM, or from 102# networked tables such as NIS, LDAP or SQL, the following 103# lookup patterns are examined in the order as listed: 104# 105# domain.tld 106# Matches domain.tld. 107# 108# The pattern domain.tld also matches subdomains, but 109# only when the string smtpd_access_maps is listed in 110# the Postfix parent_domain_matches_subdomains con- 111# figuration setting. 112# 113# .domain.tld 114# Matches subdomains of domain.tld, but only when the 115# string smtpd_access_maps is not listed in the Post- 116# fix parent_domain_matches_subdomains configuration 117# setting. 118# 119# net.work.addr.ess 120# 121# net.work.addr 122# 123# net.work 124# 125# net Matches a remote IPv4 host address or network 126# address range. Specify one to four decimal octets 127# separated by ".". Do not specify "[]" , "/", lead- 128# ing zeros, or hexadecimal forms. 129# 130# Network ranges are matched by repeatedly truncating 131# the last ".octet" from a remote IPv4 host address 132# string, until a match is found in the access table, 133# or until further truncation is not possible. 134# 135# NOTE: use the cidr lookup table type to specify 136# network/netmask patterns. See cidr_table(5) for 137# details. 138# 139# net:work:addr:ess 140# 141# net:work:addr 142# 143# net:work 144# 145# net Matches a remote IPv6 host address or network 146# address range. Specify three to eight hexadecimal 147# octet pairs separated by ":", using the compressed 148# form "::" for a sequence of zero-valued octet 149# pairs. Do not specify "[]", "/", leading zeros, or 150# non-compressed forms. 151# 152# A network range is matched by repeatedly truncating 153# the last ":octetpair" from the compressed-form 154# remote IPv6 host address string, until a match is 155# found in the access table, or until further trunca- 156# tion is not possible. 157# 158# NOTE: use the cidr lookup table type to specify 159# network/netmask patterns. See cidr_table(5) for 160# details. 161# 162# IPv6 support is available in Postfix 2.2 and later. 163# 164# ACCEPT ACTIONS 165# OK Accept the address etc. that matches the pattern. 166# 167# all-numerical 168# An all-numerical result is treated as OK. This for- 169# mat is generated by address-based relay authoriza- 170# tion schemes such as pop-before-smtp. 171# 172# For other accept actions, see "OTHER ACTIONS" below. 173# 174# REJECT ACTIONS 175# Postfix version 2.3 and later support enhanced status 176# codes as defined in RFC 3463. When no code is specified 177# at the beginning of the text below, Postfix inserts a 178# default enhanced status code of "5.7.1" in the case of 179# reject actions, and "4.7.1" in the case of defer actions. 180# See "ENHANCED STATUS CODES" below. 181# 182# 4NN text 183# 184# 5NN text 185# Reject the address etc. that matches the pattern, 186# and respond with the numerical three-digit code and 187# text. 4NN means "try again later", while 5NN means 188# "do not try again". 189# 190# The following responses have special meaning for 191# the Postfix SMTP server: 192# 193# 421 text (Postfix 2.3 and later) 194# 195# 521 text (Postfix 2.6 and later) 196# After responding with the numerical 197# three-digit code and text, disconnect imme- 198# diately from the SMTP client. This frees up 199# SMTP server resources so that they can be 200# made available to another SMTP client. 201# 202# Note: The "521" response should be used only 203# with botnets and other malware where inter- 204# operability is of no concern. The "send 521 205# and disconnect" behavior is NOT defined in 206# the SMTP standard. 207# 208# REJECT optional text... 209# Reject the address etc. that matches the pattern. 210# Reply with "$access_map_reject_code optional 211# text..." when the optional text is specified, oth- 212# erwise reply with a generic error response message. 213# 214# DEFER optional text... 215# Reject the address etc. that matches the pattern. 216# Reply with "$access_map_defer_code optional 217# text..." when the optional text is specified, oth- 218# erwise reply with a generic error response message. 219# 220# This feature is available in Postfix 2.6 and later. 221# 222# DEFER_IF_REJECT optional text... 223# Defer the request if some later restriction would 224# result in a REJECT action. Reply with 225# "$access_map_defer_code 4.7.1 optional text..." 226# when the optional text is specified, otherwise 227# reply with a generic error response message. 228# 229# Prior to Postfix 2.6, the SMTP reply code is 450. 230# 231# This feature is available in Postfix 2.1 and later. 232# 233# DEFER_IF_PERMIT optional text... 234# Defer the request if some later restriction would 235# result in an explicit or implicit PERMIT action. 236# Reply with "$access_map_defer_code 4.7.1 optional 237# text..." when the optional text is specified, oth- 238# erwise reply with a generic error response message. 239# 240# Prior to Postfix 2.6, the SMTP reply code is 450. 241# 242# This feature is available in Postfix 2.1 and later. 243# 244# For other reject actions, see "OTHER ACTIONS" below. 245# 246# OTHER ACTIONS 247# restriction... 248# Apply the named UCE restriction(s) (permit, reject, 249# reject_unauth_destination, and so on). 250# 251# BCC user@domain 252# Send one copy of the message to the specified 253# recipient. 254# 255# If multiple BCC actions are specified within the 256# same SMTP MAIL transaction, with Postfix 3.0 only 257# the last action will be used. 258# 259# This feature is available in Postfix 3.0 and later. 260# 261# DISCARD optional text... 262# Claim successful delivery and silently discard the 263# message. Log the optional text if specified, oth- 264# erwise log a generic message. 265# 266# Note: this action currently affects all recipients 267# of the message. To discard only one recipient 268# without discarding the entire message, use the 269# transport(5) table to direct mail to the discard(8) 270# service. 271# 272# This feature is available in Postfix 2.0 and later. 273# 274# DUNNO Pretend that the lookup key was not found. This 275# prevents Postfix from trying substrings of the 276# lookup key (such as a subdomain name, or a network 277# address subnetwork). 278# 279# This feature is available in Postfix 2.0 and later. 280# 281# FILTER transport:destination 282# After the message is queued, send the entire mes- 283# sage through the specified external content filter. 284# The transport name specifies the first field of a 285# mail delivery agent definition in master.cf; the 286# syntax of the next-hop destination is described in 287# the manual page of the corresponding delivery 288# agent. More information about external content 289# filters is in the Postfix FILTER_README file. 290# 291# Note 1: do not use $number regular expression sub- 292# stitutions for transport or destination unless you 293# know that the information has a trusted origin. 294# 295# Note 2: this action overrides the main.cf con- 296# tent_filter setting, and affects all recipients of 297# the message. In the case that multiple FILTER 298# actions fire, only the last one is executed. 299# 300# Note 3: the purpose of the FILTER command is to 301# override message routing. To override the recipi- 302# ent's transport but not the next-hop destination, 303# specify an empty filter destination (Postfix 2.7 304# and later), or specify a transport:destination that 305# delivers through a different Postfix instance 306# (Postfix 2.6 and earlier). Other options are using 307# the recipient-dependent transport_maps or the sen- 308# der-dependent sender_dependent_default_transport- 309# _maps features. 310# 311# This feature is available in Postfix 2.0 and later. 312# 313# HOLD optional text... 314# Place the message on the hold queue, where it will 315# sit until someone either deletes it or releases it 316# for delivery. Log the optional text if specified, 317# otherwise log a generic message. 318# 319# Mail that is placed on hold can be examined with 320# the postcat(1) command, and can be destroyed or 321# released with the postsuper(1) command. 322# 323# Note: use "postsuper -r" to release mail that was 324# kept on hold for a significant fraction of $maxi- 325# mal_queue_lifetime or $bounce_queue_lifetime, or 326# longer. Use "postsuper -H" only for mail that will 327# not expire within a few delivery attempts. 328# 329# Note: this action currently affects all recipients 330# of the message. 331# 332# This feature is available in Postfix 2.0 and later. 333# 334# PREPEND headername: headervalue 335# Prepend the specified message header to the mes- 336# sage. When more than one PREPEND action executes, 337# the first prepended header appears before the sec- 338# ond etc. prepended header. 339# 340# Note: this action must execute before the message 341# content is received; it cannot execute in the con- 342# text of smtpd_end_of_data_restrictions. 343# 344# This feature is available in Postfix 2.1 and later. 345# 346# REDIRECT user@domain 347# After the message is queued, send the message to 348# the specified address instead of the intended 349# recipient(s). When multiple REDIRECT actions fire, 350# only the last one takes effect. 351# 352# Note: this action overrides the FILTER action, and 353# currently overrides all recipients of the message. 354# 355# This feature is available in Postfix 2.1 and later. 356# 357# INFO optional text... 358# Log an informational record with the optional text, 359# together with client information and if available, 360# with helo, sender, recipient and protocol informa- 361# tion. 362# 363# This feature is available in Postfix 3.0 and later. 364# 365# WARN optional text... 366# Log a warning with the optional text, together with 367# client information and if available, with helo, 368# sender, recipient and protocol information. 369# 370# This feature is available in Postfix 2.1 and later. 371# 372# ENHANCED STATUS CODES 373# Postfix version 2.3 and later support enhanced status 374# codes as defined in RFC 3463. When an enhanced status 375# code is specified in an access table, it is subject to 376# modification. The following transformations are needed 377# when the same access table is used for client, helo, 378# sender, or recipient access restrictions; they happen 379# regardless of whether Postfix replies to a MAIL FROM, RCPT 380# TO or other SMTP command. 381# 382# o When a sender address matches a REJECT action, the 383# Postfix SMTP server will transform a recipient DSN 384# status (e.g., 4.1.1-4.1.6) into the corresponding 385# sender DSN status, and vice versa. 386# 387# o When non-address information matches a REJECT 388# action (such as the HELO command argument or the 389# client hostname/address), the Postfix SMTP server 390# will transform a sender or recipient DSN status 391# into a generic non-address DSN status (e.g., 392# 4.0.0). 393# 394# REGULAR EXPRESSION TABLES 395# This section describes how the table lookups change when 396# the table is given in the form of regular expressions. For 397# a description of regular expression lookup table syntax, 398# see regexp_table(5) or pcre_table(5). 399# 400# Each pattern is a regular expression that is applied to 401# the entire string being looked up. Depending on the appli- 402# cation, that string is an entire client hostname, an 403# entire client IP address, or an entire mail address. Thus, 404# no parent domain or parent network search is done, 405# user@domain mail addresses are not broken up into their 406# user@ and domain constituent parts, nor is user+foo broken 407# up into user and foo. 408# 409# Patterns are applied in the order as specified in the ta- 410# ble, until a pattern is found that matches the search 411# string. 412# 413# Actions are the same as with indexed file lookups, with 414# the additional feature that parenthesized substrings from 415# the pattern can be interpolated as $1, $2 and so on. 416# 417# TCP-BASED TABLES 418# This section describes how the table lookups change when 419# lookups are directed to a TCP-based server. For a descrip- 420# tion of the TCP client/server lookup protocol, see tcp_ta- 421# ble(5). This feature is not available up to and including 422# Postfix version 2.4. 423# 424# Each lookup operation uses the entire query string once. 425# Depending on the application, that string is an entire 426# client hostname, an entire client IP address, or an entire 427# mail address. Thus, no parent domain or parent network 428# search is done, user@domain mail addresses are not broken 429# up into their user@ and domain constituent parts, nor is 430# user+foo broken up into user and foo. 431# 432# Actions are the same as with indexed file lookups. 433# 434# EXAMPLE 435# The following example uses an indexed file, so that the 436# order of table entries does not matter. The example per- 437# mits access by the client at address 1.2.3.4 but rejects 438# all other clients in 1.2.3.0/24. Instead of hash lookup 439# tables, some systems use dbm. Use the command "postconf 440# -m" to find out what lookup tables Postfix supports on 441# your system. 442# 443# /etc/postfix/main.cf: 444# smtpd_client_restrictions = 445# check_client_access hash:/etc/postfix/access 446# 447# /etc/postfix/access: 448# 1.2.3 REJECT 449# 1.2.3.4 OK 450# 451# Execute the command "postmap /etc/postfix/access" after 452# editing the file. 453# 454# BUGS 455# The table format does not understand quoting conventions. 456# 457# SEE ALSO 458# postmap(1), Postfix lookup table manager 459# smtpd(8), SMTP server 460# postconf(5), configuration parameters 461# transport(5), transport:nexthop syntax 462# 463# README FILES 464# Use "postconf readme_directory" or "postconf html_direc- 465# tory" to locate this information. 466# SMTPD_ACCESS_README, built-in SMTP server access control 467# DATABASE_README, Postfix lookup table overview 468# 469# LICENSE 470# The Secure Mailer license must be distributed with this 471# software. 472# 473# AUTHOR(S) 474# Wietse Venema 475# IBM T.J. Watson Research 476# P.O. Box 704 477# Yorktown Heights, NY 10598, USA 478# 479# Wietse Venema 480# Google, Inc. 481# 111 8th Avenue 482# New York, NY 10011, USA 483# 484# ACCESS(5) 485