1<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" 2 "http://www.w3.org/TR/html4/loose.dtd"> 3<html> <head> 4<meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> 5<title> Postfix manual - header_checks(5) </title> 6</head> <body> <pre> 7HEADER_CHECKS(5) HEADER_CHECKS(5) 8 9<b>NAME</b> 10 <a href="postconf.5.html#header_checks">header_checks</a> - Postfix built-in content inspection 11 12<b>SYNOPSIS</b> 13 <b><a href="postconf.5.html#header_checks">header_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/header_checks</b> 14 <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/mime_header_checks</b> 15 <b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/nested_header_checks</b> 16 <b><a href="postconf.5.html#body_checks">body_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/body_checks</b> 17 18 <b><a href="postconf.5.html#milter_header_checks">milter_header_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/<a href="postconf.5.html#milter_header_checks">milter_header_checks</a></b> 19 20 <b><a href="postconf.5.html#smtp_header_checks">smtp_header_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/smtp_header_checks</b> 21 <b><a href="postconf.5.html#smtp_mime_header_checks">smtp_mime_header_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/smtp_mime_header_checks</b> 22 <b><a href="postconf.5.html#smtp_nested_header_checks">smtp_nested_header_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/smtp_nested_header_checks</b> 23 <b><a href="postconf.5.html#smtp_body_checks">smtp_body_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/smtp_body_checks</b> 24 25 <b>postmap -q "</b><i>string</i><b>" <a href="pcre_table.5.html">pcre</a>:/etc/postfix/</b><i>filename</i> 26 <b>postmap -q - <a href="pcre_table.5.html">pcre</a>:/etc/postfix/</b><i>filename</i> <<i>inputfile</i> 27 28<b>DESCRIPTION</b> 29 This document describes access control on the content of message head- 30 ers and message body lines; it is implemented by the Postfix <a href="cleanup.8.html"><b>cleanup</b>(8)</a> 31 server before mail is queued. See <a href="access.5.html"><b>access</b>(5)</a> for access control on 32 remote SMTP client information. 33 34 Each message header or message body line is compared against a list of 35 patterns. When a match is found the corresponding action is executed, 36 and the matching process is repeated for the next message header or 37 message body line. 38 39 Note: message headers are examined one logical header at a time, even 40 when a message header spans multiple lines. Body lines are always exam- 41 ined one line at a time. 42 43 For examples, see the EXAMPLES section at the end of this manual page. 44 45 Postfix header or <a href="postconf.5.html#body_checks">body_checks</a> are designed to stop a flood of mail from 46 worms or viruses; they do not decode attachments, and they do not unzip 47 archives. See the documents referenced below in the README FILES sec- 48 tion if you need more sophisticated content analysis. 49 50<b>FILTERS WHILE RECEIVING MAIL</b> 51 Postfix implements the following four built-in content inspection 52 classes while receiving mail: 53 54 <b><a href="postconf.5.html#header_checks">header_checks</a></b> (default: empty) 55 These are applied to initial message headers (except for the 56 headers that are processed with <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b>). 57 58 <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b> (default: <b>$<a href="postconf.5.html#header_checks">header_checks</a></b>) 59 These are applied to MIME related message headers only. 60 61 This feature is available in Postfix 2.0 and later. 62 63 <b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b> (default: <b>$<a href="postconf.5.html#header_checks">header_checks</a></b>) 64 These are applied to message headers of attached email messages 65 (except for the headers that are processed with 66 <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b>). 67 68 This feature is available in Postfix 2.0 and later. 69 70 <b><a href="postconf.5.html#body_checks">body_checks</a></b> 71 These are applied to all other content, including multi-part 72 message boundaries. 73 74 With Postfix versions before 2.0, all content after the initial 75 message headers is treated as body content. 76 77<b>FILTERS AFTER RECEIVING MAIL</b> 78 Postfix supports a subset of the built-in content inspection classes 79 after the message is received: 80 81 <b><a href="postconf.5.html#milter_header_checks">milter_header_checks</a></b> (default: empty) 82 These are applied to headers that are added with Milter applica- 83 tions. 84 85 This feature is available in Postfix 2.7 and later. 86 87<b>FILTERS WHILE DELIVERING MAIL</b> 88 Postfix supports all four content inspection classes while delivering 89 mail via SMTP. 90 91 <b><a href="postconf.5.html#smtp_header_checks">smtp_header_checks</a></b> (default: empty) 92 93 <b><a href="postconf.5.html#smtp_mime_header_checks">smtp_mime_header_checks</a></b> (default: empty) 94 95 <b><a href="postconf.5.html#smtp_nested_header_checks">smtp_nested_header_checks</a></b> (default: empty) 96 97 <b><a href="postconf.5.html#smtp_body_checks">smtp_body_checks</a></b> (default: empty) 98 These features are available in Postfix 2.5 and later. 99 100<b>COMPATIBILITY</b> 101 With Postfix version 2.2 and earlier specify "<b>postmap -fq</b>" to query a 102 table that contains case sensitive patterns. By default, <a href="regexp_table.5.html">regexp</a>: and 103 <a href="pcre_table.5.html">pcre</a>: patterns are case insensitive. 104 105<b>TABLE FORMAT</b> 106 This document assumes that header and <a href="postconf.5.html#body_checks">body_checks</a> rules are specified 107 in the form of Postfix regular expression lookup tables. Usually the 108 best performance is obtained with <b>pcre</b> (Perl Compatible Regular Expres- 109 sion) tables. The <b>regexp</b> (POSIX regular expressions) tables are usually 110 slower, but more widely available. Use the command "<b>postconf -m</b>" to 111 find out what lookup table types your Postfix system supports. 112 113 The general format of Postfix regular expression tables is given below. 114 For a discussion of specific pattern or flags syntax, see <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a> 115 or <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a>, respectively. 116 117 <b>/</b><i>pattern</i><b>/</b><i>flags action</i> 118 When /<i>pattern</i>/ matches the input string, execute the correspond- 119 ing <i>action</i>. See below for a list of possible actions. 120 121 <b>!/</b><i>pattern</i><b>/</b><i>flags action</i> 122 When /<i>pattern</i>/ does <b>not</b> match the input string, execute the cor- 123 responding <i>action</i>. 124 125 <b>if /</b><i>pattern</i><b>/</b><i>flags</i> 126 127 <b>endif</b> If the input string matches /<i>pattern</i>/, then match that input 128 string against the patterns between <b>if</b> and <b>endif</b>. The <b>if</b>..<b>endif</b> 129 can nest. 130 131 Note: do not prepend whitespace to patterns inside <b>if</b>..<b>endif</b>. 132 133 <b>if !/</b><i>pattern</i><b>/</b><i>flags</i> 134 135 <b>endif</b> If the input string does not match /<i>pattern</i>/, then match that 136 input string against the patterns between <b>if</b> and <b>endif</b>. The 137 <b>if</b>..<b>endif</b> can nest. 138 139 blank lines and comments 140 Empty lines and whitespace-only lines are ignored, as are lines 141 whose first non-whitespace character is a `#'. 142 143 multi-line text 144 A pattern/action line starts with non-whitespace text. A line 145 that starts with whitespace continues a logical line. 146 147<b>TABLE SEARCH ORDER</b> 148 For each line of message input, the patterns are applied in the order 149 as specified in the table. When a pattern is found that matches the 150 input line, the corresponding action is executed and then the next 151 input line is inspected. 152 153<b>TEXT SUBSTITUTION</b> 154 Substitution of substrings from the matched expression into the <i>action</i> 155 string is possible using the conventional Perl syntax (<b>$1</b>, <b>$2</b>, etc.). 156 The macros in the result string may need to be written as <b>${n}</b> or <b>$(n)</b> 157 if they aren't followed by whitespace. 158 159 Note: since negated patterns (those preceded by <b>!</b>) return a result when 160 the expression does not match, substitutions are not available for 161 negated patterns. 162 163<b>ACTIONS</b> 164 Action names are case insensitive. They are shown in upper case for 165 consistency with other Postfix documentation. 166 167 <b>BCC</b> <i>user@domain</i> 168 Add the specified address as a BCC recipient, and inspect the 169 next input line. The address must have a local part and domain 170 part. The number of BCC addresses that can be added is limited 171 only by the amount of available storage space. 172 173 Note 1: the BCC address is added as if it was specified with 174 NOTIFY=NONE. The sender will not be notified when the BCC 175 address is undeliverable, as long as all down-stream software 176 implements <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a>. 177 178 Note 2: this ignores duplicate addresses (with the same delivery 179 status notification options). 180 181 This feature is available in Postfix 3.0 and later. 182 183 This feature is not supported with smtp header/body checks. 184 185 <b>DISCARD</b> <i>optional text...</i> 186 Claim successful delivery and silently discard the message. Do 187 not inspect the remainder of the input message. Log the 188 optional text if specified, otherwise log a generic message. 189 190 Note: this action disables further header or <a href="postconf.5.html#body_checks">body_checks</a> inspec- 191 tion of the current message and affects all recipients. To dis- 192 card only one recipient without discarding the entire message, 193 use the <a href="transport.5.html">transport(5)</a> table to direct mail to the <a href="discard.8.html">discard(8)</a> ser- 194 vice. 195 196 This feature is available in Postfix 2.0 and later. 197 198 This feature is not supported with smtp header/body checks. 199 200 <b>DUNNO</b> Pretend that the input line did not match any pattern, and 201 inspect the next input line. This action can be used to shorten 202 the table search. 203 204 For backwards compatibility reasons, Postfix also accepts <b>OK</b> but 205 it is (and always has been) treated as <b>DUNNO</b>. 206 207 This feature is available in Postfix 2.1 and later. 208 209 <b>FILTER</b> <i>transport:destination</i> 210 Override the <a href="postconf.5.html#content_filter">content_filter</a> parameter setting, and inspect the 211 next input line. After the message is queued, send the entire 212 message through the specified external content filter. The 213 <i>transport</i> name specifies the first field of a mail delivery 214 agent definition in <a href="master.5.html">master.cf</a>; the syntax of the next-hop <i>desti-</i> 215 <i>nation</i> is described in the manual page of the corresponding 216 delivery agent. More information about external content filters 217 is in the Postfix <a href="FILTER_README.html">FILTER_README</a> file. 218 219 Note 1: do not use $<i>number</i> regular expression substitutions for 220 <i>transport</i> or <i>destination</i> unless you know that the information 221 has a trusted origin. 222 223 Note 2: this action overrides the <a href="postconf.5.html">main.cf</a> <b><a href="postconf.5.html#content_filter">content_filter</a></b> set- 224 ting, and affects all recipients of the message. In the case 225 that multiple <b>FILTER</b> actions fire, only the last one is exe- 226 cuted. 227 228 Note 3: the purpose of the FILTER command is to override message 229 routing. To override the recipient's <i>transport</i> but not the 230 next-hop <i>destination</i>, specify an empty filter <i>destination</i> (Post- 231 fix 2.7 and later), or specify a <i>transport:destination</i> that 232 delivers through a different Postfix instance (Postfix 2.6 and 233 earlier). Other options are using the recipient-dependent <b><a href="postconf.5.html#transport_maps">trans</a>-</b> 234 <b><a href="postconf.5.html#transport_maps">port_maps</a></b> or the sender-dependent <b><a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default-</b> 235 <b>_transport_maps</a></b> features. 236 237 This feature is available in Postfix 2.0 and later. 238 239 This feature is not supported with smtp header/body checks. 240 241 <b>HOLD</b> <i>optional text...</i> 242 Arrange for the message to be placed on the <b>hold</b> queue, and 243 inspect the next input line. The message remains on <b>hold</b> until 244 someone either deletes it or releases it for delivery. Log the 245 optional text if specified, otherwise log a generic message. 246 247 Mail that is placed on hold can be examined with the <a href="postcat.1.html"><b>postcat</b>(1)</a> 248 command, and can be destroyed or released with the <a href="postsuper.1.html"><b>postsuper</b>(1)</a> 249 command. 250 251 Note: use "<b>postsuper -r</b>" to release mail that was kept on hold 252 for a significant fraction of <b>$<a href="postconf.5.html#maximal_queue_lifetime">maximal_queue_lifetime</a></b> or 253 <b>$<a href="postconf.5.html#bounce_queue_lifetime">bounce_queue_lifetime</a></b>, or longer. Use "<b>postsuper -H</b>" only for 254 mail that will not expire within a few delivery attempts. 255 256 Note: this action affects all recipients of the message. 257 258 This feature is available in Postfix 2.0 and later. 259 260 This feature is not supported with smtp header/body checks. 261 262 <b>IGNORE</b> Delete the current line from the input, and inspect the next 263 input line. 264 265 <b>INFO</b> <i>optional text...</i> 266 Log an "info:" record with the <i>optional text...</i> (or log a 267 generic text), and inspect the next input line. This action is 268 useful for routine logging or for debugging. 269 270 This feature is available in Postfix 2.8 and later. 271 272 <b>PREPEND</b> <i>text...</i> 273 Prepend one line with the specified text, and inspect the next 274 input line. 275 276 Notes: 277 278 <b>o</b> The prepended text is output on a separate line, immedi- 279 ately before the input that triggered the <b>PREPEND</b> action. 280 281 <b>o</b> The prepended text is not considered part of the input 282 stream: it is not subject to header/body checks or 283 address rewriting, and it does not affect the way that 284 Postfix adds missing message headers. 285 286 <b>o</b> When prepending text before a message header line, the 287 prepended text must begin with a valid message header 288 label. 289 290 <b>o</b> This action cannot be used to prepend multi-line text. 291 292 This feature is available in Postfix 2.1 and later. 293 294 This feature is not supported with <a href="postconf.5.html#milter_header_checks">milter_header_checks</a>. 295 296 <b>REDIRECT</b> <i>user@domain</i> 297 Write a message redirection request to the queue file, and 298 inspect the next input line. After the message is queued, it 299 will be sent to the specified address instead of the intended 300 recipient(s). 301 302 Note: this action overrides the <b>FILTER</b> action, and affects all 303 recipients of the message. If multiple <b>REDIRECT</b> actions fire, 304 only the last one is executed. 305 306 This feature is available in Postfix 2.1 and later. 307 308 This feature is not supported with smtp header/body checks. 309 310 <b>REPLACE</b> <i>text...</i> 311 Replace the current line with the specified text, and inspect 312 the next input line. 313 314 This feature is available in Postfix 2.2 and later. The descrip- 315 tion below applies to Postfix 2.2.2 and later. 316 317 Notes: 318 319 <b>o</b> When replacing a message header line, the replacement 320 text must begin with a valid header label. 321 322 <b>o</b> The replaced text remains part of the input stream. 323 Unlike the result from the <b>PREPEND</b> action, a replaced 324 message header may be subject to address rewriting and 325 may affect the way that Postfix adds missing message 326 headers. 327 328 <b>REJECT</b> <i>optional text...</i> 329 Reject the entire message. Do not inspect the remainder of the 330 input message. Reply with <i>optional text...</i> when the optional 331 text is specified, otherwise reply with a generic error message. 332 333 Note: this action disables further header or <a href="postconf.5.html#body_checks">body_checks</a> inspec- 334 tion of the current message and affects all recipients. 335 336 Postfix version 2.3 and later support enhanced status codes. 337 When no code is specified at the beginning of <i>optional text...</i>, 338 Postfix inserts a default enhanced status code of "5.7.1". 339 340 This feature is not supported with smtp header/body checks. 341 342 <b>WARN</b> <i>optional text...</i> 343 Log a "warning:" record with the <i>optional text...</i> (or log a 344 generic text), and inspect the next input line. This action is 345 useful for debugging and for testing a pattern before applying 346 more drastic actions. 347 348<b>BUGS</b> 349 Empty lines never match, because some map types mis-behave when given a 350 zero-length search string. This limitation may be removed for regular 351 expression tables in a future release. 352 353 Many people overlook the main limitations of header and <a href="postconf.5.html#body_checks">body_checks</a> 354 rules. 355 356 <b>o</b> These rules operate on one logical message header or one body 357 line at a time. A decision made for one line is not carried over 358 to the next line. 359 360 <b>o</b> If text in the message body is encoded (<a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a>) then the rules 361 need to be specified for the encoded form. 362 363 <b>o</b> Likewise, when message headers are encoded (<a href="http://tools.ietf.org/html/rfc2047">RFC 2047</a>) then the 364 rules need to be specified for the encoded form. 365 366 Message headers added by the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon itself are excluded from 367 inspection. Examples of such message headers are <b>From:</b>, <b>To:</b>, <b>Mes-</b> 368 <b>sage-ID:</b>, <b>Date:</b>. 369 370 Message headers deleted by the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon will be examined 371 before they are deleted. Examples are: <b>Bcc:</b>, <b>Content-Length:</b>, 372 <b>Return-Path:</b>. 373 374<b>CONFIGURATION PARAMETERS</b> 375 <b><a href="postconf.5.html#body_checks">body_checks</a></b> 376 Lookup tables with content filter rules for message body lines. 377 These filters see one physical line at a time, in chunks of at 378 most <b>$<a href="postconf.5.html#line_length_limit">line_length_limit</a></b> bytes. 379 380 <b><a href="postconf.5.html#body_checks_size_limit">body_checks_size_limit</a></b> 381 The amount of content per message body segment (attachment) that 382 is subjected to <b>$<a href="postconf.5.html#body_checks">body_checks</a></b> filtering. 383 384 <b><a href="postconf.5.html#header_checks">header_checks</a></b> 385 386 <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b> (default: <b>$<a href="postconf.5.html#header_checks">header_checks</a></b>) 387 388 <b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b> (default: <b>$<a href="postconf.5.html#header_checks">header_checks</a></b>) 389 Lookup tables with content filter rules for message header 390 lines: respectively, these are applied to the initial message 391 headers (not including MIME headers), to the MIME headers any- 392 where in the message, and to the initial headers of attached 393 messages. 394 395 Note: these filters see one logical message header at a time, 396 even when a message header spans multiple lines. Message headers 397 that are longer than <b>$<a href="postconf.5.html#header_size_limit">header_size_limit</a></b> characters are trun- 398 cated. 399 400 <b><a href="postconf.5.html#disable_mime_input_processing">disable_mime_input_processing</a></b> 401 While receiving mail, give no special treatment to MIME related 402 message headers; all text after the initial message headers is 403 considered to be part of the message body. This means that 404 <b><a href="postconf.5.html#header_checks">header_checks</a></b> is applied to all the initial message headers, and 405 that <b><a href="postconf.5.html#body_checks">body_checks</a></b> is applied to the remainder of the message. 406 407 Note: when used in this manner, <b><a href="postconf.5.html#body_checks">body_checks</a></b> will process a 408 multi-line message header one line at a time. 409 410<b>EXAMPLES</b> 411 Header pattern to block attachments with bad file name extensions. For 412 convenience, the PCRE /x flag is specified, so that there is no need to 413 collapse the pattern into a single line of text. The purpose of the 414 [[:xdigit:]] sub-expressions is to recognize Windows CLSID strings. 415 416 /etc/postfix/<a href="postconf.5.html">main.cf</a>: 417 <a href="postconf.5.html#header_checks">header_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/header_checks.pcre 418 419 /etc/postfix/header_checks.<a href="pcre_table.5.html">pcre</a>: 420 /^Content-(Disposition|Type).*name\s*=\s*"?([^;]*(\.|=2E)( 421 ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe| 422 hlp|ht[at]| 423 inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws| 424 \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}| 425 ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf| 426 vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x 427 REJECT Attachment name "$2" may not end with ".$4" 428 429 Body pattern to stop a specific HTML browser vulnerability exploit. 430 431 /etc/postfix/<a href="postconf.5.html">main.cf</a>: 432 <a href="postconf.5.html#body_checks">body_checks</a> = <a href="regexp_table.5.html">regexp</a>:/etc/postfix/body_checks 433 434 /etc/postfix/body_checks: 435 /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/ 436 REJECT IFRAME vulnerability exploit 437 438<b>SEE ALSO</b> 439 <a href="cleanup.8.html">cleanup(8)</a>, canonicalize and enqueue Postfix message 440 <a href="pcre_table.5.html">pcre_table(5)</a>, format of PCRE lookup tables 441 <a href="regexp_table.5.html">regexp_table(5)</a>, format of POSIX regular expression tables 442 <a href="postconf.1.html">postconf(1)</a>, Postfix configuration utility 443 <a href="postmap.1.html">postmap(1)</a>, Postfix lookup table management 444 <a href="postsuper.1.html">postsuper(1)</a>, Postfix janitor 445 <a href="postcat.1.html">postcat(1)</a>, show Postfix queue file contents 446 <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a>, base64 and quoted-printable encoding rules 447 <a href="http://tools.ietf.org/html/rfc2047">RFC 2047</a>, message header encoding for non-ASCII text 448 449<b>README FILES</b> 450 <a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview 451 <a href="CONTENT_INSPECTION_README.html">CONTENT_INSPECTION_README</a>, Postfix content inspection overview 452 <a href="BUILTIN_FILTER_README.html">BUILTIN_FILTER_README</a>, Postfix built-in content inspection 453 <a href="BACKSCATTER_README.html">BACKSCATTER_README</a>, blocking returned forged mail 454 455<b>LICENSE</b> 456 The Secure Mailer license must be distributed with this software. 457 458<b>AUTHOR(S)</b> 459 Wietse Venema 460 IBM T.J. Watson Research 461 P.O. Box 704 462 Yorktown Heights, NY 10598, USA 463 464 Wietse Venema 465 Google, Inc. 466 111 8th Avenue 467 New York, NY 10011, USA 468 469 HEADER_CHECKS(5) 470</pre> </body> </html> 471