1# ACCESS(5) ACCESS(5) 2# 3# NAME 4# access - Postfix SMTP server access table 5# 6# SYNOPSIS 7# postmap /etc/postfix/access 8# 9# postmap -q "string" /etc/postfix/access 10# 11# postmap -q - /etc/postfix/access <inputfile 12# 13# DESCRIPTION 14# This document describes access control on remote SMTP 15# client information: host names, network addresses, and 16# envelope sender or recipient addresses; it is implemented 17# by the Postfix SMTP server. See header_checks(5) or 18# body_checks(5) for access control on the content of email 19# messages. 20# 21# Normally, the access(5) table is specified as a text file 22# that serves as input to the postmap(1) command. The 23# result, an indexed file in dbm or db format, is used for 24# fast searching by the mail system. Execute the command 25# "postmap /etc/postfix/access" to rebuild an indexed file 26# after changing the corresponding text file. 27# 28# When the table is provided via other means such as NIS, 29# LDAP or SQL, the same lookups are done as for ordinary 30# indexed files. 31# 32# Alternatively, the table can be provided as a regu- 33# lar-expression map where patterns are given as regular 34# expressions, or lookups can be directed to TCP-based 35# server. In those cases, the lookups are done in a slightly 36# different way as described below under "REGULAR EXPRESSION 37# TABLES" or "TCP-BASED TABLES". 38# 39# CASE FOLDING 40# The search string is folded to lowercase before database 41# lookup. As of Postfix 2.3, the search string is not case 42# folded with database types such as regexp: or pcre: whose 43# lookup fields can match both upper and lower case. 44# 45# TABLE FORMAT 46# The input format for the postmap(1) command is as follows: 47# 48# pattern action 49# When pattern matches a mail address, domain or host 50# address, perform the corresponding action. 51# 52# blank lines and comments 53# Empty lines and whitespace-only lines are ignored, 54# as are lines whose first non-whitespace character 55# is a `#'. 56# 57# multi-line text 58# A logical line starts with non-whitespace text. A 59# line that starts with whitespace continues a logi- 60# cal line. 61# 62# EMAIL ADDRESS PATTERNS 63# With lookups from indexed files such as DB or DBM, or from 64# networked tables such as NIS, LDAP or SQL, patterns are 65# tried in the order as listed below: 66# 67# user@domain 68# Matches the specified mail address. 69# 70# domain.tld 71# Matches domain.tld as the domain part of an email 72# address. 73# 74# The pattern domain.tld also matches subdomains, but 75# only when the string smtpd_access_maps is listed in 76# the Postfix parent_domain_matches_subdomains con- 77# figuration setting. 78# 79# .domain.tld 80# Matches subdomains of domain.tld, but only when the 81# string smtpd_access_maps is not listed in the Post- 82# fix parent_domain_matches_subdomains configuration 83# setting. 84# 85# user@ Matches all mail addresses with the specified user 86# part. 87# 88# Note: lookup of the null sender address is not possible 89# with some types of lookup table. By default, Postfix uses 90# <> as the lookup key for such addresses. The value is 91# specified with the smtpd_null_access_lookup_key parameter 92# in the Postfix main.cf file. 93# 94# EMAIL ADDRESS EXTENSION 95# When a mail address localpart contains the optional recip- 96# ient delimiter (e.g., user+foo@domain), the lookup order 97# becomes: user+foo@domain, user@domain, domain, user+foo@, 98# and user@. 99# 100# HOST NAME/ADDRESS PATTERNS 101# With lookups from indexed files such as DB or DBM, or from 102# networked tables such as NIS, LDAP or SQL, the following 103# lookup patterns are examined in the order as listed: 104# 105# domain.tld 106# Matches domain.tld. 107# 108# The pattern domain.tld also matches subdomains, but 109# only when the string smtpd_access_maps is listed in 110# the Postfix parent_domain_matches_subdomains con- 111# figuration setting. 112# 113# .domain.tld 114# Matches subdomains of domain.tld, but only when the 115# string smtpd_access_maps is not listed in the Post- 116# fix parent_domain_matches_subdomains configuration 117# setting. 118# 119# net.work.addr.ess 120# 121# net.work.addr 122# 123# net.work 124# 125# net Matches the specified IPv4 host address or subnet- 126# work. An IPv4 host address is a sequence of four 127# decimal octets separated by ".". 128# 129# Subnetworks are matched by repeatedly truncating 130# the last ".octet" from the remote IPv4 host address 131# string until a match is found in the access table, 132# or until further truncation is not possible. 133# 134# NOTE 1: The access map lookup key must be in canon- 135# ical form: do not specify unnecessary null charac- 136# ters, and do not enclose network address informa- 137# tion with "[]" characters. 138# 139# NOTE 2: use the cidr lookup table type to specify 140# network/netmask patterns. See cidr_table(5) for 141# details. 142# 143# net:work:addr:ess 144# 145# net:work:addr 146# 147# net:work 148# 149# net Matches the specified IPv6 host address or subnet- 150# work. An IPv6 host address is a sequence of three 151# to eight hexadecimal octet pairs separated by ":". 152# 153# Subnetworks are matched by repeatedly truncating 154# the last ":octetpair" from the remote IPv6 host 155# address string until a match is found in the access 156# table, or until further truncation is not possible. 157# 158# NOTE 1: the truncation and comparison are done with 159# the string representation of the IPv6 host address. 160# Thus, not all the ":" subnetworks will be tried. 161# 162# NOTE 2: The access map lookup key must be in canon- 163# ical form: do not specify unnecessary null charac- 164# ters, and do not enclose network address informa- 165# tion with "[]" characters. 166# 167# NOTE 3: use the cidr lookup table type to specify 168# network/netmask patterns. See cidr_table(5) for 169# details. 170# 171# IPv6 support is available in Postfix 2.2 and later. 172# 173# ACCEPT ACTIONS 174# OK Accept the address etc. that matches the pattern. 175# 176# all-numerical 177# An all-numerical result is treated as OK. This for- 178# mat is generated by address-based relay authoriza- 179# tion schemes such as pop-before-smtp. 180# 181# For other accept actions, see "OTHER ACTIONS" below. 182# 183# REJECT ACTIONS 184# Postfix version 2.3 and later support enhanced status 185# codes as defined in RFC 3463. When no code is specified 186# at the beginning of the text below, Postfix inserts a 187# default enhanced status code of "5.7.1" in the case of 188# reject actions, and "4.7.1" in the case of defer actions. 189# See "ENHANCED STATUS CODES" below. 190# 191# 4NN text 192# 193# 5NN text 194# Reject the address etc. that matches the pattern, 195# and respond with the numerical three-digit code and 196# text. 4NN means "try again later", while 5NN means 197# "do not try again". 198# 199# The following responses have special meaning for 200# the Postfix SMTP server: 201# 202# 421 text (Postfix 2.3 and later) 203# 204# 521 text (Postfix 2.6 and later) 205# After responding with the numerical 206# three-digit code and text, disconnect imme- 207# diately from the SMTP client. This frees up 208# SMTP server resources so that they can be 209# made available to another SMTP client. 210# 211# Note: The "521" response should be used only 212# with botnets and other malware where inter- 213# operability is of no concern. The "send 521 214# and disconnect" behavior is NOT defined in 215# the SMTP standard. 216# 217# REJECT optional text... 218# Reject the address etc. that matches the pattern. 219# Reply with "$access_map_reject_code optional 220# text..." when the optional text is specified, oth- 221# erwise reply with a generic error response message. 222# 223# DEFER optional text... 224# Reject the address etc. that matches the pattern. 225# Reply with "$access_map_defer_code optional 226# text..." when the optional text is specified, oth- 227# erwise reply with a generic error response message. 228# 229# This feature is available in Postfix 2.6 and later. 230# 231# DEFER_IF_REJECT optional text... 232# Defer the request if some later restriction would 233# result in a REJECT action. Reply with 234# "$access_map_defer_code 4.7.1 optional text..." 235# when the optional text is specified, otherwise 236# reply with a generic error response message. 237# 238# Prior to Postfix 2.6, the SMTP reply code is 450. 239# 240# This feature is available in Postfix 2.1 and later. 241# 242# DEFER_IF_PERMIT optional text... 243# Defer the request if some later restriction would 244# result in a an explicit or implicit PERMIT action. 245# Reply with "$access_map_defer_code 4.7.1 optional 246# text..." when the optional text is specified, oth- 247# erwise reply with a generic error response message. 248# 249# Prior to Postfix 2.6, the SMTP reply code is 450. 250# 251# This feature is available in Postfix 2.1 and later. 252# 253# For other reject actions, see "OTHER ACTIONS" below. 254# 255# OTHER ACTIONS 256# restriction... 257# Apply the named UCE restriction(s) (permit, reject, 258# reject_unauth_destination, and so on). 259# 260# BCC user@domain 261# Send one copy of the message to the specified 262# recipient. 263# 264# If multiple BCC actions are specified within the 265# same SMTP MAIL transaction, only the last action 266# will be used. 267# 268# This feature is available in Postfix 3.0 and later. 269# 270# DISCARD optional text... 271# Claim successful delivery and silently discard the 272# message. Log the optional text if specified, oth- 273# erwise log a generic message. 274# 275# Note: this action currently affects all recipients 276# of the message. To discard only one recipient 277# without discarding the entire message, use the 278# transport(5) table to direct mail to the discard(8) 279# service. 280# 281# This feature is available in Postfix 2.0 and later. 282# 283# DUNNO Pretend that the lookup key was not found. This 284# prevents Postfix from trying substrings of the 285# lookup key (such as a subdomain name, or a network 286# address subnetwork). 287# 288# This feature is available in Postfix 2.0 and later. 289# 290# FILTER transport:destination 291# After the message is queued, send the entire mes- 292# sage through the specified external content filter. 293# The transport name specifies the first field of a 294# mail delivery agent definition in master.cf; the 295# syntax of the next-hop destination is described in 296# the manual page of the corresponding delivery 297# agent. More information about external content 298# filters is in the Postfix FILTER_README file. 299# 300# Note 1: do not use $number regular expression sub- 301# stitutions for transport or destination unless you 302# know that the information has a trusted origin. 303# 304# Note 2: this action overrides the main.cf con- 305# tent_filter setting, and affects all recipients of 306# the message. In the case that multiple FILTER 307# actions fire, only the last one is executed. 308# 309# Note 3: the purpose of the FILTER command is to 310# override message routing. To override the recipi- 311# ent's transport but not the next-hop destination, 312# specify an empty filter destination (Postfix 2.7 313# and later), or specify a transport:destination that 314# delivers through a different Postfix instance 315# (Postfix 2.6 and earlier). Other options are using 316# the recipient-dependent transport_maps or the sen- 317# der-dependent sender_dependent_default_transport- 318# _maps features. 319# 320# This feature is available in Postfix 2.0 and later. 321# 322# HOLD optional text... 323# Place the message on the hold queue, where it will 324# sit until someone either deletes it or releases it 325# for delivery. Log the optional text if specified, 326# otherwise log a generic message. 327# 328# Mail that is placed on hold can be examined with 329# the postcat(1) command, and can be destroyed or 330# released with the postsuper(1) command. 331# 332# Note: use "postsuper -r" to release mail that was 333# kept on hold for a significant fraction of $maxi- 334# mal_queue_lifetime or $bounce_queue_lifetime, or 335# longer. Use "postsuper -H" only for mail that will 336# not expire within a few delivery attempts. 337# 338# Note: this action currently affects all recipients 339# of the message. 340# 341# This feature is available in Postfix 2.0 and later. 342# 343# PREPEND headername: headervalue 344# Prepend the specified message header to the mes- 345# sage. When more than one PREPEND action executes, 346# the first prepended header appears before the sec- 347# ond etc. prepended header. 348# 349# Note: this action must execute before the message 350# content is received; it cannot execute in the con- 351# text of smtpd_end_of_data_restrictions. 352# 353# This feature is available in Postfix 2.1 and later. 354# 355# REDIRECT user@domain 356# After the message is queued, send the message to 357# the specified address instead of the intended 358# recipient(s). When multiple REDIRECT actions fire, 359# only the last one takes effect. 360# 361# Note: this action overrides the FILTER action, and 362# currently overrides all recipients of the message. 363# 364# This feature is available in Postfix 2.1 and later. 365# 366# INFO optional text... 367# Log an informational record with the optional text, 368# together with client information and if available, 369# with helo, sender, recipient and protocol informa- 370# tion. 371# 372# This feature is available in Postfix 3.0 and later. 373# 374# WARN optional text... 375# Log a warning with the optional text, together with 376# client information and if available, with helo, 377# sender, recipient and protocol information. 378# 379# This feature is available in Postfix 2.1 and later. 380# 381# ENHANCED STATUS CODES 382# Postfix version 2.3 and later support enhanced status 383# codes as defined in RFC 3463. When an enhanced status 384# code is specified in an access table, it is subject to 385# modification. The following transformations are needed 386# when the same access table is used for client, helo, 387# sender, or recipient access restrictions; they happen 388# regardless of whether Postfix replies to a MAIL FROM, RCPT 389# TO or other SMTP command. 390# 391# o When a sender address matches a REJECT action, the 392# Postfix SMTP server will transform a recipient DSN 393# status (e.g., 4.1.1-4.1.6) into the corresponding 394# sender DSN status, and vice versa. 395# 396# o When non-address information matches a REJECT 397# action (such as the HELO command argument or the 398# client hostname/address), the Postfix SMTP server 399# will transform a sender or recipient DSN status 400# into a generic non-address DSN status (e.g., 401# 4.0.0). 402# 403# REGULAR EXPRESSION TABLES 404# This section describes how the table lookups change when 405# the table is given in the form of regular expressions. For 406# a description of regular expression lookup table syntax, 407# see regexp_table(5) or pcre_table(5). 408# 409# Each pattern is a regular expression that is applied to 410# the entire string being looked up. Depending on the appli- 411# cation, that string is an entire client hostname, an 412# entire client IP address, or an entire mail address. Thus, 413# no parent domain or parent network search is done, 414# user@domain mail addresses are not broken up into their 415# user@ and domain constituent parts, nor is user+foo broken 416# up into user and foo. 417# 418# Patterns are applied in the order as specified in the ta- 419# ble, until a pattern is found that matches the search 420# string. 421# 422# Actions are the same as with indexed file lookups, with 423# the additional feature that parenthesized substrings from 424# the pattern can be interpolated as $1, $2 and so on. 425# 426# TCP-BASED TABLES 427# This section describes how the table lookups change when 428# lookups are directed to a TCP-based server. For a descrip- 429# tion of the TCP client/server lookup protocol, see tcp_ta- 430# ble(5). This feature is not available up to and including 431# Postfix version 2.4. 432# 433# Each lookup operation uses the entire query string once. 434# Depending on the application, that string is an entire 435# client hostname, an entire client IP address, or an entire 436# mail address. Thus, no parent domain or parent network 437# search is done, user@domain mail addresses are not broken 438# up into their user@ and domain constituent parts, nor is 439# user+foo broken up into user and foo. 440# 441# Actions are the same as with indexed file lookups. 442# 443# EXAMPLE 444# The following example uses an indexed file, so that the 445# order of table entries does not matter. The example per- 446# mits access by the client at address 1.2.3.4 but rejects 447# all other clients in 1.2.3.0/24. Instead of hash lookup 448# tables, some systems use dbm. Use the command "postconf 449# -m" to find out what lookup tables Postfix supports on 450# your system. 451# 452# /etc/postfix/main.cf: 453# smtpd_client_restrictions = 454# check_client_access hash:/etc/postfix/access 455# 456# /etc/postfix/access: 457# 1.2.3 REJECT 458# 1.2.3.4 OK 459# 460# Execute the command "postmap /etc/postfix/access" after 461# editing the file. 462# 463# BUGS 464# The table format does not understand quoting conventions. 465# 466# SEE ALSO 467# postmap(1), Postfix lookup table manager 468# smtpd(8), SMTP server 469# postconf(5), configuration parameters 470# transport(5), transport:nexthop syntax 471# 472# README FILES 473# Use "postconf readme_directory" or "postconf html_direc- 474# tory" to locate this information. 475# SMTPD_ACCESS_README, built-in SMTP server access control 476# DATABASE_README, Postfix lookup table overview 477# 478# LICENSE 479# The Secure Mailer license must be distributed with this 480# software. 481# 482# AUTHOR(S) 483# Wietse Venema 484# IBM T.J. Watson Research 485# P.O. Box 704 486# Yorktown Heights, NY 10598, USA 487# 488# Wietse Venema 489# Google, Inc. 490# 111 8th Avenue 491# New York, NY 10011, USA 492# 493# ACCESS(5) 494