1# HEADER_CHECKS(5) HEADER_CHECKS(5) 2# 3# NAME 4# header_checks - Postfix built-in content inspection 5# 6# SYNOPSIS 7# header_checks = pcre:/etc/postfix/header_checks 8# mime_header_checks = pcre:/etc/postfix/mime_header_checks 9# nested_header_checks = pcre:/etc/postfix/nested_header_checks 10# body_checks = pcre:/etc/postfix/body_checks 11# 12# milter_header_checks = pcre:/etc/postfix/milter_header_checks 13# 14# smtp_header_checks = pcre:/etc/postfix/smtp_header_checks 15# smtp_mime_header_checks = pcre:/etc/postfix/smtp_mime_header_checks 16# smtp_nested_header_checks = pcre:/etc/postfix/smtp_nested_header_checks 17# smtp_body_checks = pcre:/etc/postfix/smtp_body_checks 18# 19# postmap -q "string" pcre:/etc/postfix/filename 20# postmap -q - pcre:/etc/postfix/filename <inputfile 21# 22# DESCRIPTION 23# This document describes access control on the content of 24# message headers and message body lines; it is implemented 25# by the Postfix cleanup(8) server before mail is queued. 26# See access(5) for access control on remote SMTP client 27# information. 28# 29# Each message header or message body line is compared 30# against a list of patterns. When a match is found the 31# corresponding action is executed, and the matching process 32# is repeated for the next message header or message body 33# line. 34# 35# Note: message headers are examined one logical header at a 36# time, even when a message header spans multiple lines. 37# Body lines are always examined one line at a time. 38# 39# For examples, see the EXAMPLES section at the end of this 40# manual page. 41# 42# Postfix header or body_checks are designed to stop a flood 43# of mail from worms or viruses; they do not decode attach- 44# ments, and they do not unzip archives. See the documents 45# referenced below in the README FILES section if you need 46# more sophisticated content analysis. 47# 48# FILTERS WHILE RECEIVING MAIL 49# Postfix implements the following four built-in content 50# inspection classes while receiving mail: 51# 52# header_checks (default: empty) 53# These are applied to initial message headers 54# (except for the headers that are processed with 55# mime_header_checks). 56# 57# mime_header_checks (default: $header_checks) 58# These are applied to MIME related message headers 59# only. 60# 61# This feature is available in Postfix 2.0 and later. 62# 63# nested_header_checks (default: $header_checks) 64# These are applied to message headers of attached 65# email messages (except for the headers that are 66# processed with mime_header_checks). 67# 68# This feature is available in Postfix 2.0 and later. 69# 70# body_checks 71# These are applied to all other content, including 72# multi-part message boundaries. 73# 74# With Postfix versions before 2.0, all content after 75# the initial message headers is treated as body con- 76# tent. 77# 78# FILTERS AFTER RECEIVING MAIL 79# Postfix supports a subset of the built-in content inspec- 80# tion classes after the message is received: 81# 82# milter_header_checks (default: empty) 83# These are applied to headers that are added with 84# Milter applications. 85# 86# This feature is available in Postfix 2.7 and later. 87# 88# FILTERS WHILE DELIVERING MAIL 89# Postfix supports all four content inspection classes while 90# delivering mail via SMTP. 91# 92# smtp_header_checks (default: empty) 93# 94# smtp_mime_header_checks (default: empty) 95# 96# smtp_nested_header_checks (default: empty) 97# 98# smtp_body_checks (default: empty) 99# These features are available in Postfix 2.5 and 100# later. 101# 102# COMPATIBILITY 103# With Postfix version 2.2 and earlier specify "postmap -fq" 104# to query a table that contains case sensitive patterns. By 105# default, regexp: and pcre: patterns are case insensitive. 106# 107# TABLE FORMAT 108# This document assumes that header and body_checks rules 109# are specified in the form of Postfix regular expression 110# lookup tables. Usually the best performance is obtained 111# with pcre (Perl Compatible Regular Expression) tables. The 112# regexp (POSIX regular expressions) tables are usually 113# slower, but more widely available. Use the command "post- 114# conf -m" to find out what lookup table types your Postfix 115# system supports. 116# 117# The general format of Postfix regular expression tables is 118# given below. For a discussion of specific pattern or 119# flags syntax, see pcre_table(5) or regexp_table(5), 120# respectively. 121# 122# /pattern/flags action 123# When /pattern/ matches the input string, execute 124# the corresponding action. See below for a list of 125# possible actions. 126# 127# !/pattern/flags action 128# When /pattern/ does not match the input string, 129# execute the corresponding action. 130# 131# if /pattern/flags 132# 133# endif If the input string matches /pattern/, then match 134# that input string against the patterns between if 135# and endif. The if..endif can nest. 136# 137# Note: do not prepend whitespace to patterns inside 138# if..endif. 139# 140# if !/pattern/flags 141# 142# endif If the input string does not match /pattern/, then 143# match that input string against the patterns 144# between if and endif. The if..endif can nest. 145# 146# blank lines and comments 147# Empty lines and whitespace-only lines are ignored, 148# as are lines whose first non-whitespace character 149# is a `#'. 150# 151# multi-line text 152# A pattern/action line starts with non-whitespace 153# text. A line that starts with whitespace continues 154# a logical line. 155# 156# TABLE SEARCH ORDER 157# For each line of message input, the patterns are applied 158# in the order as specified in the table. When a pattern is 159# found that matches the input line, the corresponding 160# action is executed and then the next input line is 161# inspected. 162# 163# TEXT SUBSTITUTION 164# Substitution of substrings from the matched expression 165# into the action string is possible using the conventional 166# Perl syntax ($1, $2, etc.). The macros in the result 167# string may need to be written as ${n} or $(n) if they 168# aren't followed by whitespace. 169# 170# Note: since negated patterns (those preceded by !) return 171# a result when the expression does not match, substitutions 172# are not available for negated patterns. 173# 174# ACTIONS 175# Action names are case insensitive. They are shown in upper 176# case for consistency with other Postfix documentation. 177# 178# BCC user@domain 179# Add the specified address as a BCC recipient, and 180# inspect the next input line. The address must have 181# a local part and domain part. The number of BCC 182# addresses that can be added is limited only by the 183# amount of available storage space. 184# 185# Note 1: the BCC address is added as if it was spec- 186# ified with NOTIFY=NONE. The sender will not be 187# notified when the BCC address is undeliverable, as 188# long as all down-stream software implements RFC 189# 3461. 190# 191# Note 2: this ignores duplicate addresses (with the 192# same delivery status notification options). 193# 194# This feature is available in Postfix 3.0 and later. 195# 196# This feature is not supported with smtp header/body 197# checks. 198# 199# DISCARD optional text... 200# Claim successful delivery and silently discard the 201# message. Do not inspect the remainder of the input 202# message. Log the optional text if specified, oth- 203# erwise log a generic message. 204# 205# Note: this action disables further header or 206# body_checks inspection of the current message and 207# affects all recipients. To discard only one recip- 208# ient without discarding the entire message, use the 209# transport(5) table to direct mail to the discard(8) 210# service. 211# 212# This feature is available in Postfix 2.0 and later. 213# 214# This feature is not supported with smtp header/body 215# checks. 216# 217# DUNNO Pretend that the input line did not match any pat- 218# tern, and inspect the next input line. This action 219# can be used to shorten the table search. 220# 221# For backwards compatibility reasons, Postfix also 222# accepts OK but it is (and always has been) treated 223# as DUNNO. 224# 225# This feature is available in Postfix 2.1 and later. 226# 227# FILTER transport:destination 228# Override the content_filter parameter setting, and 229# inspect the next input line. After the message is 230# queued, send the entire message through the speci- 231# fied external content filter. The transport name 232# specifies the first field of a mail delivery agent 233# definition in master.cf; the syntax of the next-hop 234# destination is described in the manual page of the 235# corresponding delivery agent. More information 236# about external content filters is in the Postfix 237# FILTER_README file. 238# 239# Note 1: do not use $number regular expression sub- 240# stitutions for transport or destination unless you 241# know that the information has a trusted origin. 242# 243# Note 2: this action overrides the main.cf con- 244# tent_filter setting, and affects all recipients of 245# the message. In the case that multiple FILTER 246# actions fire, only the last one is executed. 247# 248# Note 3: the purpose of the FILTER command is to 249# override message routing. To override the recipi- 250# ent's transport but not the next-hop destination, 251# specify an empty filter destination (Postfix 2.7 252# and later), or specify a transport:destination that 253# delivers through a different Postfix instance 254# (Postfix 2.6 and earlier). Other options are using 255# the recipient-dependent transport_maps or the sen- 256# der-dependent sender_dependent_default_transport- 257# _maps features. 258# 259# This feature is available in Postfix 2.0 and later. 260# 261# This feature is not supported with smtp header/body 262# checks. 263# 264# HOLD optional text... 265# Arrange for the message to be placed on the hold 266# queue, and inspect the next input line. The mes- 267# sage remains on hold until someone either deletes 268# it or releases it for delivery. Log the optional 269# text if specified, otherwise log a generic message. 270# 271# Mail that is placed on hold can be examined with 272# the postcat(1) command, and can be destroyed or 273# released with the postsuper(1) command. 274# 275# Note: use "postsuper -r" to release mail that was 276# kept on hold for a significant fraction of $maxi- 277# mal_queue_lifetime or $bounce_queue_lifetime, or 278# longer. Use "postsuper -H" only for mail that will 279# not expire within a few delivery attempts. 280# 281# Note: this action affects all recipients of the 282# message. 283# 284# This feature is available in Postfix 2.0 and later. 285# 286# This feature is not supported with smtp header/body 287# checks. 288# 289# IGNORE Delete the current line from the input, and inspect 290# the next input line. See STRIP for an alternative 291# that logs the action. 292# 293# INFO optional text... 294# Log an "info:" record with the optional text... (or 295# log a generic text), and inspect the next input 296# line. This action is useful for routine logging or 297# for debugging. 298# 299# This feature is available in Postfix 2.8 and later. 300# 301# PASS optional text... 302# Log a "pass:" record with the optional text... (or 303# log a generic text), and turn off header, body, and 304# Milter inspection for the remainder of this mes- 305# sage. 306# 307# Note: this feature relies on trust in information 308# that is easy to forge. 309# 310# This feature is available in Postfix 3.2 and later. 311# 312# This feature is not supported with smtp header/body 313# checks. 314# 315# PREPEND text... 316# Prepend one line with the specified text, and 317# inspect the next input line. 318# 319# Notes: 320# 321# o The prepended text is output on a separate 322# line, immediately before the input that 323# triggered the PREPEND action. 324# 325# o The prepended text is not considered part of 326# the input stream: it is not subject to 327# header/body checks or address rewriting, and 328# it does not affect the way that Postfix adds 329# missing message headers. 330# 331# o When prepending text before a message header 332# line, the prepended text must begin with a 333# valid message header label. 334# 335# o This action cannot be used to prepend 336# multi-line text. 337# 338# This feature is available in Postfix 2.1 and later. 339# 340# This feature is not supported with mil- 341# ter_header_checks. 342# 343# REDIRECT user@domain 344# Write a message redirection request to the queue 345# file, and inspect the next input line. After the 346# message is queued, it will be sent to the specified 347# address instead of the intended recipient(s). 348# 349# Note: this action overrides the FILTER action, and 350# affects all recipients of the message. If multiple 351# REDIRECT actions fire, only the last one is exe- 352# cuted. 353# 354# This feature is available in Postfix 2.1 and later. 355# 356# This feature is not supported with smtp header/body 357# checks. 358# 359# REPLACE text... 360# Replace the current line with the specified text, 361# and inspect the next input line. 362# 363# This feature is available in Postfix 2.2 and later. 364# The description below applies to Postfix 2.2.2 and 365# later. 366# 367# Notes: 368# 369# o When replacing a message header line, the 370# replacement text must begin with a valid 371# header label. 372# 373# o The replaced text remains part of the input 374# stream. Unlike the result from the PREPEND 375# action, a replaced message header may be 376# subject to address rewriting and may affect 377# the way that Postfix adds missing message 378# headers. 379# 380# REJECT optional text... 381# Reject the entire message. Do not inspect the 382# remainder of the input message. Reply with 383# optional text... when the optional text is speci- 384# fied, otherwise reply with a generic error message. 385# 386# Note: this action disables further header or 387# body_checks inspection of the current message and 388# affects all recipients. 389# 390# Postfix version 2.3 and later support enhanced sta- 391# tus codes. When no code is specified at the begin- 392# ning of optional text..., Postfix inserts a default 393# enhanced status code of "5.7.1". 394# 395# This feature is not supported with smtp header/body 396# checks. 397# 398# STRIP optional text... 399# Log a "strip:" record with the optional text... (or 400# log a generic text), delete the input line from the 401# input, and inspect the next input line. See IGNORE 402# for a silent alternative. 403# 404# This feature is available in Postfix 3.2 and later. 405# 406# WARN optional text... 407# Log a "warning:" record with the optional text... 408# (or log a generic text), and inspect the next input 409# line. This action is useful for debugging and for 410# testing a pattern before applying more drastic 411# actions. 412# 413# BUGS 414# Empty lines never match, because some map types mis-behave 415# when given a zero-length search string. This limitation 416# may be removed for regular expression tables in a future 417# release. 418# 419# Many people overlook the main limitations of header and 420# body_checks rules. 421# 422# o These rules operate on one logical message header 423# or one body line at a time. A decision made for one 424# line is not carried over to the next line. 425# 426# o If text in the message body is encoded (RFC 2045) 427# then the rules need to be specified for the encoded 428# form. 429# 430# o Likewise, when message headers are encoded (RFC 431# 2047) then the rules need to be specified for the 432# encoded form. 433# 434# Message headers added by the cleanup(8) daemon itself are 435# excluded from inspection. Examples of such message headers 436# are From:, To:, Message-ID:, Date:. 437# 438# Message headers deleted by the cleanup(8) daemon will be 439# examined before they are deleted. Examples are: Bcc:, Con- 440# tent-Length:, Return-Path:. 441# 442# CONFIGURATION PARAMETERS 443# body_checks 444# Lookup tables with content filter rules for message 445# body lines. These filters see one physical line at 446# a time, in chunks of at most $line_length_limit 447# bytes. 448# 449# body_checks_size_limit 450# The amount of content per message body segment 451# (attachment) that is subjected to $body_checks fil- 452# tering. 453# 454# header_checks 455# 456# mime_header_checks (default: $header_checks) 457# 458# nested_header_checks (default: $header_checks) 459# Lookup tables with content filter rules for message 460# header lines: respectively, these are applied to 461# the initial message headers (not including MIME 462# headers), to the MIME headers anywhere in the mes- 463# sage, and to the initial headers of attached mes- 464# sages. 465# 466# Note: these filters see one logical message header 467# at a time, even when a message header spans multi- 468# ple lines. Message headers that are longer than 469# $header_size_limit characters are truncated. 470# 471# disable_mime_input_processing 472# While receiving mail, give no special treatment to 473# MIME related message headers; all text after the 474# initial message headers is considered to be part of 475# the message body. This means that header_checks is 476# applied to all the initial message headers, and 477# that body_checks is applied to the remainder of the 478# message. 479# 480# Note: when used in this manner, body_checks will 481# process a multi-line message header one line at a 482# time. 483# 484# EXAMPLES 485# Header pattern to block attachments with bad file name 486# extensions. For convenience, the PCRE /x flag is speci- 487# fied, so that there is no need to collapse the pattern 488# into a single line of text. The purpose of the 489# [[:xdigit:]] sub-expressions is to recognize Windows CLSID 490# strings. 491# 492# /etc/postfix/main.cf: 493# header_checks = pcre:/etc/postfix/header_checks.pcre 494# 495# /etc/postfix/header_checks.pcre: 496# /^Content-(Disposition|Type).*name\s*=\s*"?([^;]*(\.|=2E)( 497# ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe| 498# hlp|ht[at]| 499# inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws| 500# \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}| 501# ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf| 502# vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x 503# REJECT Attachment name "$2" may not end with ".$4" 504# 505# Body pattern to stop a specific HTML browser vulnerability 506# exploit. 507# 508# /etc/postfix/main.cf: 509# body_checks = regexp:/etc/postfix/body_checks 510# 511# /etc/postfix/body_checks: 512# /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/ 513# REJECT IFRAME vulnerability exploit 514# 515# SEE ALSO 516# cleanup(8), canonicalize and enqueue Postfix message 517# pcre_table(5), format of PCRE lookup tables 518# regexp_table(5), format of POSIX regular expression tables 519# postconf(1), Postfix configuration utility 520# postmap(1), Postfix lookup table management 521# postsuper(1), Postfix janitor 522# postcat(1), show Postfix queue file contents 523# RFC 2045, base64 and quoted-printable encoding rules 524# RFC 2047, message header encoding for non-ASCII text 525# 526# README FILES 527# Use "postconf readme_directory" or "postconf html_direc- 528# tory" to locate this information. 529# DATABASE_README, Postfix lookup table overview 530# CONTENT_INSPECTION_README, Postfix content inspection overview 531# BUILTIN_FILTER_README, Postfix built-in content inspection 532# BACKSCATTER_README, blocking returned forged mail 533# 534# LICENSE 535# The Secure Mailer license must be distributed with this 536# software. 537# 538# AUTHOR(S) 539# Wietse Venema 540# IBM T.J. Watson Research 541# P.O. Box 704 542# Yorktown Heights, NY 10598, USA 543# 544# Wietse Venema 545# Google, Inc. 546# 111 8th Avenue 547# New York, NY 10011, USA 548# 549# HEADER_CHECKS(5) 550