xref: /netbsd-src/external/ibm-public/postfix/dist/proto/header_checks (revision f3bc92a4f25066883a5d85d66df30605583c883c)

#++
# NAME
#	header_checks 5
# SUMMARY
#	Postfix built-in content inspection
# SYNOPSIS
# .nf
#	\fBheader_checks = pcre:/etc/postfix/header_checks\fR
#	\fBmime_header_checks = pcre:/etc/postfix/mime_header_checks\fR
#	\fBnested_header_checks = pcre:/etc/postfix/nested_header_checks\fR
#	\fBbody_checks = pcre:/etc/postfix/body_checks\fR
# .sp
#	\fBmilter_header_checks = pcre:/etc/postfix/milter_header_checks\fR
# .sp
#	\fBsmtp_header_checks = pcre:/etc/postfix/smtp_header_checks\fR
#	\fBsmtp_mime_header_checks = pcre:/etc/postfix/smtp_mime_header_checks\fR
#	\fBsmtp_nested_header_checks = pcre:/etc/postfix/smtp_nested_header_checks\fR
#	\fBsmtp_body_checks = pcre:/etc/postfix/smtp_body_checks\fR
# .sp
#	\fBpostmap -q "\fIstring\fB" pcre:/etc/postfix/\fIfilename\fR
#	\fBpostmap -q - pcre:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
# .fi
# DESCRIPTION
#	This document describes access control on the content of
#	message headers and message body lines; it is implemented
#	by the Postfix \fBcleanup\fR(8) server before mail is queued.
#	See \fBaccess\fR(5) for access control on remote SMTP client
#	information.
#
#	Each message header or message body line is compared against
#	a list of patterns.
#	When a match is found the corresponding action is executed, and
#	the matching process is repeated for the next message header or
#	message body line.
#
#	Note: message headers are examined one logical header at a time,
#	even when a message header spans multiple lines. Body lines are
#	always examined one line at a time.
#
#	For examples, see the EXAMPLES section at the end of this
#	manual page.
#
#	Postfix header or body_checks are designed to stop a flood of mail
#	from worms or viruses; they do not decode attachments, and they do
#	not unzip archives. See the documents referenced below in the README
#	FILES section if you need more sophisticated content analysis.
# FILTERS WHILE RECEIVING MAIL
# .ad
# .fi
#	Postfix implements the following four built-in content
#	inspection classes while receiving mail:
# .IP "\fBheader_checks\fR (default: empty)"
#	These are applied to initial message headers (except for
#	the headers that are processed with \fBmime_header_checks\fR).
# .IP "\fBmime_header_checks\fR (default: \fB$header_checks\fR)"
#	These are applied to MIME related message headers only.
# .sp
#	This feature is available in Postfix 2.0 and later.
# .IP "\fBnested_header_checks\fR (default: \fB$header_checks\fR)"
#	These are applied to message headers of attached email
#	messages (except for the headers that are processed with
#	\fBmime_header_checks\fR).
# .sp
#	This feature is available in Postfix 2.0 and later.
# .IP \fBbody_checks\fR
#	These are applied to all other content, including multi-part
#	message boundaries.
# .sp
#	With Postfix versions before 2.0, all content after the initial
#	message headers is treated as body content.
# FILTERS AFTER RECEIVING MAIL
# .ad
# .fi
#	Postfix supports a subset of the built-in content inspection
#	classes after the message is received:
# .IP "\fBmilter_header_checks\fR (default: empty)"
#	These are applied to headers that are added with Milter
#	applications.
# .sp
#	This feature is available in Postfix 2.7 and later.
# FILTERS WHILE DELIVERING MAIL
# .ad
# .fi
#	Postfix supports all four content inspection classes while
#	delivering mail via SMTP.
# .IP "\fBsmtp_header_checks\fR (default: empty)"
# .IP "\fBsmtp_mime_header_checks\fR (default: empty)"
# .IP "\fBsmtp_nested_header_checks\fR (default: empty)"
# .IP "\fBsmtp_body_checks\fR (default: empty)"
#	These features are available in Postfix 2.5 and later.
# COMPATIBILITY
# .ad
# .fi
#	With Postfix version 2.2 and earlier specify "\fBpostmap
#	-fq\fR" to query a table that contains case sensitive
#	patterns. By default, regexp: and pcre: patterns are case
#	insensitive.
# TABLE FORMAT
# .ad
# .fi
#	This document assumes that header and body_checks rules are specified
#	in the form of Postfix regular expression lookup tables. Usually the
#	best performance is obtained with \fBpcre\fR (Perl Compatible Regular
#	Expression) tables. The \fBregexp\fR (POSIX regular
#	expressions) tables are usually slower, but more widely
#	available.
#	Use the command "\fBpostconf -m\fR" to find out what lookup table
#	types your Postfix system supports.
#
#	The general format of Postfix regular expression tables is
#	given below.
#	For a discussion of specific pattern or flags syntax,
#	see \fBpcre_table\fR(5) or \fBregexp_table\fR(5), respectively.
# .IP "\fB/\fIpattern\fB/\fIflags action\fR"
#	When /\fIpattern\fR/ matches the input string, execute
#	the corresponding \fIaction\fR. See below for a list
#	of possible actions.
# .IP "\fB!/\fIpattern\fB/\fIflags action\fR"
#	When /\fIpattern\fR/ does \fBnot\fR match the input string,
#	execute the corresponding \fIaction\fR.
# .IP "\fBif /\fIpattern\fB/\fIflags\fR"
# .IP "\fBendif\fR"
#	If the input string matches /\fIpattern\fR/, then match that
#	input string against the patterns between \fBif\fR and
#	\fBendif\fR.  The \fBif\fR..\fBendif\fR can nest.
# .sp
#	Note: do not prepend whitespace to patterns inside
#	\fBif\fR..\fBendif\fR.
# .IP "\fBif !/\fIpattern\fB/\fIflags\fR"
# .IP "\fBendif\fR"
#	If the input string does not match /\fIpattern\fR/, then
#	match that input string against the patterns between \fBif\fR
#	and \fBendif\fR. The \fBif\fR..\fBendif\fR can nest.
# .IP "blank lines and comments"
#	Empty lines and whitespace-only lines are ignored, as
#	are lines whose first non-whitespace character is a `#'.
# .IP "multi-line text"
#	A pattern/action line starts with non-whitespace text. A line that
#	starts with whitespace continues a logical line.
# TABLE SEARCH ORDER
# .ad
# .fi
#	For each line of message input, the patterns are applied in the
#	order as specified in the table. When a pattern is found that matches
#	the input line, the corresponding action is executed and then the
#	next input line is inspected.
# TEXT SUBSTITUTION
# .ad
# .fi
#	Substitution of substrings from the matched expression into the
#	\fIaction\fR
#	string is possible using the conventional Perl syntax
#	(\fB$1\fR, \fB$2\fR, etc.).
#	The macros in the result string may need to be written as \fB${n}\fR
#	or \fB$(n)\fR if they aren't followed by whitespace.
#
#	Note: since negated patterns (those preceded by \fB!\fR) return a
#	result when the expression does not match, substitutions are not
#	available for negated patterns.
# ACTIONS
# .ad
# .fi
#	Action names are case insensitive. They are shown in upper case
#	for consistency with other Postfix documentation.
# .IP "\fBBCC \fIuser@domain\fR"
#	Add the specified address as a BCC recipient, and inspect
#	the next input line. The address
#	must have a local part and domain part. The number of BCC
#	addresses that can be added is limited only by the amount
#	of available storage space.
#
#	Note 1: the BCC address is added as if it was specified with
#	NOTIFY=NONE. The sender will not be notified when the BCC
#	address is undeliverable, as long as all down-stream software
#	implements RFC 3461.
#
#	Note 2: this ignores duplicate addresses (with the same
#	delivery status notification options).
# .sp
#	This feature is available in Postfix 3.0 and later.
# .sp
#	This feature is not supported with smtp header/body checks.
# \" .IP "\fBDELAY \fItime\fR"
# \"	Place the message into the deferred queue, and delay the
# \"	initial delivery attempt by \fItime\fR. The time value may
# \"	be followed by a one-character suffix that specifies the
# \"	time unit: s (seconds), m (minutes), h (hours), d (days),
# \"	w (weeks).  The default time unit is s (seconds).
# \" .sp
# \"	Limitations:
# \" .RS
# \" .IP \(bu
# \"	This action affects all the recipients of the message.
# \" .IP \(bu
# \"	The delay value has no effect with remote file systems that
# \"	don't correctly emulate UNIX local file system semantics.
# \"	In that case, the delay will be half of $queue_run_delay
# \"	on average.
# \" .IP \(bu
# \"	Mail will still be delivered with "sendmail -q", "postfix
# \"	flush" or "postqueue -f".
# \" .IP \(bu
# \"	Delayed mail increases the amount of disk I/O during deferred
# \"	queue scans. When large amounts of mail are queued for
# \"	delayed delivery it may be preferable to use the HOLD feature
# \"	instead.
# \" .RE
# \" .IP
# \"	This feature is available in Postfix 2.3 and later.
# .IP "\fBDISCARD \fIoptional text...\fR"
#	Claim successful delivery and silently discard the message.
#	Do not inspect the remainder of the input message.
#	Log the optional text if specified, otherwise log a generic
#	message.
# .sp
#	Note: this action disables further header or body_checks inspection
#	of the current message and affects all recipients.
#	To discard only one recipient without discarding the entire message,
#	use the transport(5) table to direct mail to the discard(8) service.
# .sp
#	This feature is available in Postfix 2.0 and later.
# .sp
#	This feature is not supported with smtp header/body checks.
# .IP \fBDUNNO\fR
#	Pretend that the input line did not match any pattern, and inspect the
#	next input line. This action can be used to shorten the table search.
# .sp
#	For backwards compatibility reasons, Postfix also accepts
#	\fBOK\fR but it is (and always has been) treated as \fBDUNNO\fR.
# .sp
#	This feature is available in Postfix 2.1 and later.
# .IP "\fBFILTER \fItransport:destination\fR"
#	Override the content_filter parameter setting, and inspect
#	the next input line.
#	After the message is queued, send the entire message through
#	the specified external content filter. The \fItransport\fR
#	name specifies the first field of a mail delivery agent
#	definition in master.cf; the syntax of the next-hop
#	\fIdestination\fR is described in the manual page of the
#	corresponding delivery agent.  More information about
#	external content filters is in the Postfix FILTER_README
#	file.
# .sp
#	Note 1: do not use $\fInumber\fR regular expression
#	substitutions for \fItransport\fR or \fIdestination\fR
#	unless you know that the information has a trusted origin.
# .sp
#	Note 2: this action overrides the main.cf \fBcontent_filter\fR
#	setting, and affects all recipients of the message. In the
#	case that multiple \fBFILTER\fR actions fire, only the last
#	one is executed.
# .sp
#	Note 3: the purpose of the FILTER command is to override
#	message routing.  To override the recipient's \fItransport\fR
#	but not the next-hop \fIdestination\fR, specify an empty
#	filter \fIdestination\fR (Postfix 2.7 and later), or specify
#	a \fItransport:destination\fR that delivers through a
#	different Postfix instance (Postfix 2.6 and earlier). Other
#	options are using the recipient-dependent \fBtrans\%port\%_maps\fR
#	or the sen\%der-dependent
#	\fBsender\%_de\%pen\%dent\%_de\%fault\%_trans\%port\%_maps\fR
#	features.
# .sp
#	This feature is available in Postfix 2.0 and later.
# .sp
#	This feature is not supported with smtp header/body checks.
# .IP "\fBHOLD \fIoptional text...\fR"
#	Arrange for the message to be placed on the \fBhold\fR queue,
#	and inspect the next input line.  The message remains on \fBhold\fR
#	until someone either deletes it or releases it for delivery.
#	Log the optional text if specified, otherwise log a generic
#	message.
#
#	Mail that is placed on hold can be examined with the
#	\fBpostcat\fR(1) command, and can be destroyed or released with
#	the \fBpostsuper\fR(1) command.
# .sp
#	Note: use "\fBpostsuper -r\fR" to release mail that was kept on
#	hold for a significant fraction of \fB$maximal_queue_lifetime\fR
#	or \fB$bounce_queue_lifetime\fR, or longer. Use "\fBpostsuper -H\fR"
#	only for mail that will not expire within a few delivery attempts.
# .sp
#	Note: this action affects all recipients of the message.
# .sp
#	This feature is available in Postfix 2.0 and later.
# .sp
#	This feature is not supported with smtp header/body checks.
# .IP \fBIGNORE\fR
#	Delete the current line from the input, and inspect
#	the next input line. See \fBSTRIP\fR for an alternative
#	that logs the action.
# .IP "\fBINFO \fIoptional text...\fR
#	Log an "info:" record with the \fIoptional text...\fR (or
#	log a generic text), and inspect the next input line. This
#	action is useful for routine logging or for debugging.
# .sp
#	This feature is available in Postfix 2.8 and later.
# .IP "\fBPASS \fIoptional text...\fR"
#	Log a "pass:" record with the \fIoptional text...\fR (or
#	log a generic text), and turn off header, body, and Milter
#	inspection for the remainder of this message.
# .sp
#	Note: this feature relies on trust in information that is
#	easy to forge.
# .sp
#	This feature is available in Postfix 3.2 and later.
# .sp
#	This feature is not supported with smtp header/body checks.
# .IP "\fBPREPEND \fItext...\fR"
#	Prepend one line with the specified text, and inspect the next
#	input line.
# .sp
#	Notes:
# .RS
# .IP \(bu
#	The prepended text is output on a separate line, immediately
#	before the input that triggered the \fBPREPEND\fR action.
# .IP \(bu
#	The prepended text is not considered part of the input
#	stream: it is not subject to header/body checks or address
#	rewriting, and it does not affect the way that Postfix adds
#	missing message headers.
# .IP \(bu
#	When prepending text before a message header line, the prepended
#	text must begin with a valid message header label.
# .IP \(bu
#	This action cannot be used to prepend multi-line text.
# .RE
# .IP
#	This feature is available in Postfix 2.1 and later.
# .sp
#	This feature is not supported with milter_header_checks.
# .IP "\fBREDIRECT \fIuser@domain\fR"
#	Write a message redirection request to the queue file, and
#	inspect the next input line. After the message is queued,
#	it will be sent to the specified address instead of the
#	intended recipient(s).
# .sp
#	Note: this action overrides the \fBFILTER\fR action, and affects
#	all recipients of the message. If multiple \fBREDIRECT\fR actions
#	fire, only the last one is executed.
# .sp
#	This feature is available in Postfix 2.1 and later.
# .sp
#	This feature is not supported with smtp header/body checks.
# .IP "\fBREPLACE \fItext...\fR"
#	Replace the current line with the specified text, and inspect the next
#	input line.
# .sp
#	This feature is available in Postfix 2.2 and later. The
#	description below applies to Postfix 2.2.2 and later.
# .sp
#	Notes:
# .RS
# .IP \(bu
#	When replacing a message header line, the replacement text
#	must begin with a valid header label.
# .IP \(bu
#	The replaced text remains part of the input stream. Unlike
#	the result from the \fBPREPEND\fR action, a replaced message
#	header may be subject to address rewriting and may affect
#	the way that Postfix adds missing message headers.
# .RE
# .IP "\fBREJECT \fIoptional text...\fR
#	Reject the entire message. Do not inspect the remainder of
#	the input message.  Reply with \fIoptional text...\fR when
#	the optional text is specified, otherwise reply with a
#	generic error message.
# .sp
#	Note: this action disables further header or body_checks inspection
#	of the current message and affects all recipients.
# .sp
#	Postfix version 2.3 and later support enhanced status codes.
#	When no code is specified at the beginning of \fIoptional
#	text...\fR, Postfix inserts a default enhanced status code of
#	"5.7.1".
# .sp
#	This feature is not supported with smtp header/body checks.
# .IP "\fBSTRIP \fIoptional text...\fR"
#	Log a "strip:" record with the \fIoptional text...\fR (or
#	log a generic text), delete the input line from the input,
#	and inspect the next input line. See \fBIGNORE\fR for a
#	silent alternative.
# .sp
#	This feature is available in Postfix 3.2 and later.
# .IP "\fBWARN \fIoptional text...\fR
#	Log a "warning:" record with the \fIoptional text...\fR (or
#	log a generic text), and inspect the next input line. This
#	action is useful for debugging and for testing a pattern
#	before applying more drastic actions.
# BUGS
#	Empty lines never match, because some map types mis-behave
#	when given a zero-length search string.  This limitation may
#	be removed for regular expression tables in a future release.
#
#	Many people overlook the main limitations of header and body_checks
#	rules.
# .IP \(bu
#	These rules operate on one logical message header or one body
#	line at a time. A decision made for one line is not carried over
#	to the next line.
# .IP \(bu
#	If text in the message body is encoded
#	(RFC 2045) then the rules need to be specified for the encoded
#	form.
# .IP \(bu
#	Likewise, when message headers are encoded (RFC
#	2047) then the rules need to be specified for the encoded
#	form.
# .PP
#	Message headers added by the \fBcleanup\fR(8) daemon itself
#	are excluded from inspection. Examples of such message headers
#	are \fBFrom:\fR, \fBTo:\fR, \fBMessage-ID:\fR, \fBDate:\fR.
#
#	Message headers deleted by the \fBcleanup\fR(8) daemon will
#	be examined before they are deleted. Examples are: \fBBcc:\fR,
#	\fBContent-Length:\fR, \fBReturn-Path:\fR.
# CONFIGURATION PARAMETERS
# .ad
# .fi
# .IP \fBbody_checks\fR
#	Lookup tables with content filter rules for message body lines.
#	These filters see one physical line at a time, in chunks of
#	at most \fB$line_length_limit\fR bytes.
# .IP \fBbody_checks_size_limit\fP
#	The amount of content per message body segment (attachment) that is
#	subjected to \fB$body_checks\fR filtering.
# .IP \fBheader_checks\fR
# .IP "\fBmime_header_checks\fR (default: \fB$header_checks\fR)"
# .IP "\fBnested_header_checks\fR (default: \fB$header_checks\fR)"
#	Lookup tables with content filter rules for message header lines:
#	respectively, these are applied to the initial message headers
#	(not including MIME headers), to the MIME headers anywhere in
#	the message, and to the initial headers of attached messages.
# .sp
#	Note: these filters see one logical message header at a time, even
#	when a message header spans multiple lines. Message headers that
#	are longer than \fB$header_size_limit\fR characters are truncated.
# .IP \fBdisable_mime_input_processing\fR
#	While receiving mail, give no special treatment to MIME related
#	message headers; all text after the initial message headers is
#	considered to be part of the message body. This means that
#	\fBheader_checks\fR is applied to all the initial message headers,
#	and that \fBbody_checks\fR is applied to the remainder of the
#	message.
# .sp
#	Note: when used in this manner, \fBbody_checks\fR will process
#	a multi-line message header one line at a time.
# EXAMPLES
# .ad
# .fi
#	Header pattern to block attachments with bad file name
#	extensions.  For convenience, the PCRE /x flag is specified,
#	so that there is no need to collapse the pattern into a
#	single line of text.  The purpose of the [[:xdigit:]]
#	sub-expressions is to recognize Windows CLSID strings.
#
# .na
# .nf
#	/etc/postfix/main.cf:
#	    header_checks = pcre:/etc/postfix/header_checks.pcre
#
#	/etc/postfix/header_checks.pcre:
#	    /^Content-(Disposition|Type).*name\es*=\es*"?([^;]*(\e.|=2E)(
#	      ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
#	      hlp|ht[at]|
#	      inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
#	      \e{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\e}|
#	      ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
#	      vb[esx]?|vxd|ws[cfh]))(\e?=)?"?\es*(;|$)/x
#	        REJECT Attachment name "$2" may not end with ".$4"
# .ad
# .fi
#
#	Body pattern to stop a specific HTML browser vulnerability exploit.
#
# .na
# .nf
#	/etc/postfix/main.cf:
#	    body_checks = regexp:/etc/postfix/body_checks
#
#	/etc/postfix/body_checks:
#	    /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
#	        REJECT IFRAME vulnerability exploit
# SEE ALSO
#	cleanup(8), canonicalize and enqueue Postfix message
#	pcre_table(5), format of PCRE lookup tables
#	regexp_table(5), format of POSIX regular expression tables
#	postconf(1), Postfix configuration utility
#	postmap(1), Postfix lookup table management
#	postsuper(1), Postfix janitor
#	postcat(1), show Postfix queue file contents
#	RFC 2045, base64 and quoted-printable encoding rules
#	RFC 2047, message header encoding for non-ASCII text
# README FILES
# .ad
# .fi
#	Use "\fBpostconf readme_directory\fR" or
#	"\fBpostconf html_directory\fR" to locate this information.
# .na
# .nf
#	DATABASE_README, Postfix lookup table overview
#	CONTENT_INSPECTION_README, Postfix content inspection overview
#	BUILTIN_FILTER_README, Postfix built-in content inspection
#	BACKSCATTER_README, blocking returned forged mail
# LICENSE
# .ad
# .fi
#	The Secure Mailer license must be distributed with this software.
# AUTHOR(S)
#	Wietse Venema
#	IBM T.J. Watson Research
#	P.O. Box 704
#	Yorktown Heights, NY 10598, USA
#
#	Wietse Venema
#	Google, Inc.
#	111 8th Avenue
#	New York, NY 10011, USA
#--