1# HEADER_CHECKS(5) HEADER_CHECKS(5) 2# 3# NAME 4# header_checks - Postfix built-in content inspection 5# 6# SYNOPSIS 7# header_checks = pcre:/etc/postfix/header_checks 8# mime_header_checks = pcre:/etc/postfix/mime_header_checks 9# nested_header_checks = pcre:/etc/postfix/nested_header_checks 10# body_checks = pcre:/etc/postfix/body_checks 11# 12# postmap -q "string" pcre:/etc/postfix/filename 13# postmap -q - pcre:/etc/postfix/filename <inputfile 14# 15# DESCRIPTION 16# This document describes access control on the content of 17# message headers and message body lines; it is implemented 18# by the Postfix cleanup(8) server before mail is queued. 19# See access(5) for access control on remote SMTP client 20# information. 21# 22# Each message header or message body line is compared 23# against a list of patterns. When a match is found the 24# corresponding action is executed, and the matching process 25# is repeated for the next message header or message body 26# line. 27# 28# For examples, see the EXAMPLES section at the end of this 29# manual page. 30# 31# Postfix header or body_checks are designed to stop a flood 32# of mail from worms or viruses; they do not decode attach- 33# ments, and they do not unzip archives. See the documents 34# referenced below in the README FILES section if you need 35# more sophisticated content analysis. 36# 37# Postfix supports four built-in content inspection classes: 38# 39# header_checks 40# These are applied to initial message headers 41# (except for the headers that are processed with 42# mime_header_checks). 43# 44# mime_header_checks (default: $header_checks) 45# These are applied to MIME related message headers 46# only. 47# 48# This feature is available in Postfix 2.0 and later. 49# 50# nested_header_checks (default: $header_checks) 51# These are applied to message headers of attached 52# email messages (except for the headers that are 53# processed with mime_header_checks). 54# 55# This feature is available in Postfix 2.0 and later. 56# 57# body_checks 58# These are applied to all other content, including 59# multi-part message boundaries. 60# 61# With Postfix versions before 2.0, all content after 62# the initial message headers is treated as body con- 63# tent. 64# 65# Note: message headers are examined one logical header at a 66# time, even when a message header spans multiple lines. 67# Body lines are always examined one line at a time. 68# 69# COMPATIBILITY 70# With Postfix version 2.2 and earlier specify "postmap -fq" 71# to query a table that contains case sensitive patterns. By 72# default, regexp: and pcre: patterns are case insensitive. 73# 74# TABLE FORMAT 75# This document assumes that header and body_checks rules 76# are specified in the form of Postfix regular expression 77# lookup tables. Usually the best performance is obtained 78# with pcre (Perl Compatible Regular Expression) tables, but 79# the slower regexp (POSIX regular expressions) support is 80# more widely available. Use the command "postconf -m" to 81# find out what lookup table types your Postfix system sup- 82# ports. 83# 84# The general format of Postfix regular expression tables is 85# given below. For a discussion of specific pattern or 86# flags syntax, see pcre_table(5) or regexp_table(5), 87# respectively. 88# 89# /pattern/flags action 90# When /pattern/ matches the input string, execute 91# the corresponding action. See below for a list of 92# possible actions. 93# 94# !/pattern/flags action 95# When /pattern/ does not match the input string, 96# execute the corresponding action. 97# 98# if /pattern/flags 99# 100# endif Match the input string against the patterns between 101# if and endif, if and only if the same input string 102# also matches /pattern/. The if..endif can nest. 103# 104# Note: do not prepend whitespace to patterns inside 105# if..endif. 106# 107# if !/pattern/flags 108# 109# endif Match the input string against the patterns between 110# if and endif, if and only if the same input string 111# does not match /pattern/. The if..endif can nest. 112# 113# blank lines and comments 114# Empty lines and whitespace-only lines are ignored, 115# as are lines whose first non-whitespace character 116# is a `#'. 117# 118# multi-line text 119# A pattern/action line starts with non-whitespace 120# text. A line that starts with whitespace continues 121# a logical line. 122# 123# TABLE SEARCH ORDER 124# For each line of message input, the patterns are applied 125# in the order as specified in the table. When a pattern is 126# found that matches the input line, the corresponding 127# action is executed and then the next input line is 128# inspected. 129# 130# TEXT SUBSTITUTION 131# Substitution of substrings from the matched expression 132# into the action string is possible using the conventional 133# Perl syntax ($1, $2, etc.). The macros in the result 134# string may need to be written as ${n} or $(n) if they 135# aren't followed by whitespace. 136# 137# Note: since negated patterns (those preceded by !) return 138# a result when the expression does not match, substitutions 139# are not available for negated patterns. 140# 141# ACTIONS 142# Action names are case insensitive. They are shown in upper 143# case for consistency with other Postfix documentation. 144# 145# DISCARD optional text... 146# Claim successful delivery and silently discard the 147# message. Log the optional text if specified, oth- 148# erwise log a generic message. 149# 150# Note: this action disables further header or 151# body_checks inspection of the current message and 152# affects all recipients. To discard only one recip- 153# ient without discarding the entire message, use the 154# transport(5) table to direct mail to the discard(8) 155# service. 156# 157# This feature is available in Postfix 2.0 and later. 158# 159# DUNNO Pretend that the input line did not match any pat- 160# tern, and inspect the next input line. This action 161# can be used to shorten the table search. 162# 163# For backwards compatibility reasons, Postfix also 164# accepts OK but it is (and always has been) treated 165# as DUNNO. 166# 167# This feature is available in Postfix 2.1 and later. 168# 169# FILTER transport:destination 170# Write a content filter request to the queue file, 171# and inspect the next input line. After the com- 172# plete message is received it will be sent through 173# the specified external content filter. More infor- 174# mation about external content filters is in the 175# Postfix FILTER_README file. 176# 177# Note: this action overrides the content_filter set- 178# ting, and affects all recipients of the message. In 179# the case that multiple FILTER actions fire, only 180# the last one is executed. 181# 182# This feature is available in Postfix 2.0 and later. 183# 184# HOLD optional text... 185# Arrange for the message to be placed on the hold 186# queue, and inspect the next input line. The mes- 187# sage remains on hold until someone either deletes 188# it or releases it for delivery. Log the optional 189# text if specified, otherwise log a generic message. 190# 191# Mail that is placed on hold can be examined with 192# the postcat(1) command, and can be destroyed or 193# released with the postsuper(1) command. 194# 195# Note: use "postsuper -r" to release mail that was 196# kept on hold for a significant fraction of $maxi- 197# mal_queue_lifetime or $bounce_queue_lifetime, or 198# longer. Use "postsuper -H" only for mail that will 199# not expire within a few delivery attempts. 200# 201# Note: this action affects all recipients of the 202# message. 203# 204# This feature is available in Postfix 2.0 and later. 205# 206# IGNORE Delete the current line from the input, and inspect 207# the next input line. 208# 209# PREPEND text... 210# Prepend one line with the specified text, and 211# inspect the next input line. 212# 213# Notes: 214# 215# o The prepended text is output on a separate 216# line, immediately before the input that 217# triggered the PREPEND action. 218# 219# o The prepended text is not considered part of 220# the input stream: it is not subject to 221# header/body checks or address rewriting, and 222# it does not affect the way that Postfix adds 223# missing message headers. 224# 225# o When prepending text before a message header 226# line, the prepended text must begin with a 227# valid message header label. 228# 229# o This action cannot be used to prepend multi- 230# line text. 231# 232# This feature is available in Postfix 2.1 and later. 233# 234# REDIRECT user@domain 235# Write a message redirection request to the queue 236# file, and inspect the next input line. After the 237# message is queued, it will be sent to the specified 238# address instead of the intended recipient(s). 239# 240# Note: this action overrides the FILTER action, and 241# affects all recipients of the message. If multiple 242# REDIRECT actions fire, only the last one is exe- 243# cuted. 244# 245# This feature is available in Postfix 2.1 and later. 246# 247# REPLACE text... 248# Replace the current line with the specified text, 249# and inspect the next input line. 250# 251# This feature is available in Postfix 2.2 and later. 252# The description below applies to Postfix 2.2.2 and 253# later. 254# 255# Notes: 256# 257# o When replacing a message header line, the 258# replacement text must begin with a valid 259# header label. 260# 261# o The replaced text remains part of the input 262# stream. Unlike the result from the PREPEND 263# action, a replaced message header may be 264# subject to address rewriting and may affect 265# the way that Postfix adds missing message 266# headers. 267# 268# REJECT optional text... 269# Reject the entire message. Reply with optional 270# text... when the optional text is specified, other- 271# wise reply with a generic error message. 272# 273# Note: this action disables further header or 274# body_checks inspection of the current message and 275# affects all recipients. 276# 277# Postfix version 2.3 and later support enhanced sta- 278# tus codes. When no code is specified at the begin- 279# ning of optional text..., Postfix inserts a default 280# enhanced status code of "5.7.1". 281# 282# WARN optional text... 283# Log a warning with the optional text... (or log a 284# generic message), and inspect the next input line. 285# This action is useful for debugging and for testing 286# a pattern before applying more drastic actions. 287# 288# BUGS 289# Empty lines never match, because some map types mis-behave 290# when given a zero-length search string. This limitation 291# may be removed for regular expression tables in a future 292# release. 293# 294# Many people overlook the main limitations of header and 295# body_checks rules. 296# 297# o These rules operate on one logical message header 298# or one body line at a time. A decision made for one 299# line is not carried over to the next line. 300# 301# o If text in the message body is encoded (RFC 2045) 302# then the rules need to be specified for the encoded 303# form. 304# 305# o Likewise, when message headers are encoded (RFC 306# 2047) then the rules need to be specified for the 307# encoded form. 308# 309# Message headers added by the cleanup(8) daemon itself are 310# excluded from inspection. Examples of such message headers 311# are From:, To:, Message-ID:, Date:. 312# 313# Message headers deleted by the cleanup(8) daemon will be 314# examined before they are deleted. Examples are: Bcc:, Con- 315# tent-Length:, Return-Path:. 316# 317# CONFIGURATION PARAMETERS 318# body_checks 319# Lookup tables with content filter rules for message 320# body lines. These filters see one physical line at 321# a time, in chunks of at most $line_length_limit 322# bytes. 323# 324# body_checks_size_limit 325# The amount of content per message body segment 326# (attachment) that is subjected to $body_checks fil- 327# tering. 328# 329# header_checks 330# 331# mime_header_checks (default: $header_checks) 332# 333# nested_header_checks (default: $header_checks) 334# Lookup tables with content filter rules for message 335# header lines: respectively, these are applied to 336# the initial message headers (not including MIME 337# headers), to the MIME headers anywhere in the mes- 338# sage, and to the initial headers of attached mes- 339# sages. 340# 341# Note: these filters see one logical message header 342# at a time, even when a message header spans multi- 343# ple lines. Message headers that are longer than 344# $header_size_limit characters are truncated. 345# 346# disable_mime_input_processing 347# While receiving mail, give no special treatment to 348# MIME related message headers; all text after the 349# initial message headers is considered to be part of 350# the message body. This means that header_checks is 351# applied to all the initial message headers, and 352# that body_checks is applied to the remainder of the 353# message. 354# 355# Note: when used in this manner, body_checks will 356# process a multi-line message header one line at a 357# time. 358# 359# EXAMPLES 360# Header pattern to block attachments with bad file name 361# extensions. For convenience, the PCRE /x flag is speci- 362# fied, so that there is no need to collapse the pattern 363# into a single line of text. The purpose of the 364# [[:xdigit:]] sub-expressions is to recognize Windows CLSID 365# strings. 366# 367# /etc/postfix/main.cf: 368# header_checks = pcre:/etc/postfix/header_checks.pcre 369# 370# /etc/postfix/header_checks.pcre: 371# /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)( 372# ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe| 373# hlp|ht[at]| 374# inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws| 375# \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}| 376# ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf| 377# vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x 378# REJECT Attachment name "$2" may not end with ".$4" 379# 380# Body pattern to stop a specific HTML browser vulnerability 381# exploit. 382# 383# /etc/postfix/main.cf: 384# body_checks = regexp:/etc/postfix/body_checks 385# 386# /etc/postfix/body_checks: 387# /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/ 388# REJECT IFRAME vulnerability exploit 389# 390# SEE ALSO 391# cleanup(8), canonicalize and enqueue Postfix message 392# pcre_table(5), format of PCRE lookup tables 393# regexp_table(5), format of POSIX regular expression tables 394# postconf(1), Postfix configuration utility 395# postmap(1), Postfix lookup table management 396# postsuper(1), Postfix janitor 397# postcat(1), show Postfix queue file contents 398# RFC 2045, base64 and quoted-printable encoding rules 399# RFC 2047, message header encoding for non-ASCII text 400# 401# README FILES 402# Use "postconf readme_directory" or "postconf html_direc- 403# tory" to locate this information. 404# DATABASE_README, Postfix lookup table overview 405# CONTENT_INSPECTION_README, Postfix content inspection overview 406# BUILTIN_FILTER_README, Postfix built-in content inspection 407# BACKSCATTER_README, blocking returned forged mail 408# 409# LICENSE 410# The Secure Mailer license must be distributed with this 411# software. 412# 413# AUTHOR(S) 414# Wietse Venema 415# IBM T.J. Watson Research 416# P.O. Box 704 417# Yorktown Heights, NY 10598, USA 418# 419# HEADER_CHECKS(5) 420