1#++ 2# NAME 3# header_checks 5 4# SUMMARY 5# Postfix built-in content inspection 6# SYNOPSIS 7# .nf 8# \fBheader_checks = pcre:/etc/postfix/header_checks\fR 9# \fBmime_header_checks = pcre:/etc/postfix/mime_header_checks\fR 10# \fBnested_header_checks = pcre:/etc/postfix/nested_header_checks\fR 11# \fBbody_checks = pcre:/etc/postfix/body_checks\fR 12# .sp 13# \fBmilter_header_checks = pcre:/etc/postfix/milter_header_checks\fR 14# .sp 15# \fBsmtp_header_checks = pcre:/etc/postfix/smtp_header_checks\fR 16# \fBsmtp_mime_header_checks = pcre:/etc/postfix/smtp_mime_header_checks\fR 17# \fBsmtp_nested_header_checks = pcre:/etc/postfix/smtp_nested_header_checks\fR 18# \fBsmtp_body_checks = pcre:/etc/postfix/smtp_body_checks\fR 19# .sp 20# \fBpostmap -q "\fIstring\fB" pcre:/etc/postfix/\fIfilename\fR 21# \fBpostmap -q - pcre:/etc/postfix/\fIfilename\fR <\fIinputfile\fR 22# .fi 23# DESCRIPTION 24# This document describes access control on the content of 25# message headers and message body lines; it is implemented 26# by the Postfix \fBcleanup\fR(8) server before mail is queued. 27# See \fBaccess\fR(5) for access control on remote SMTP client 28# information. 29# 30# Each message header or message body line is compared against 31# a list of patterns. 32# When a match is found the corresponding action is executed, and 33# the matching process is repeated for the next message header or 34# message body line. 35# 36# Note: message headers are examined one logical header at a time, 37# even when a message header spans multiple lines. Body lines are 38# always examined one line at a time. 39# 40# For examples, see the EXAMPLES section at the end of this 41# manual page. 42# 43# Postfix header or body_checks are designed to stop a flood of mail 44# from worms or viruses; they do not decode attachments, and they do 45# not unzip archives. See the documents referenced below in the README 46# FILES section if you need more sophisticated content analysis. 47# FILTERS WHILE RECEIVING MAIL 48# .ad 49# .fi 50# Postfix implements the following four built-in content 51# inspection classes while receiving mail: 52# .IP "\fBheader_checks\fR (default: empty)" 53# These are applied to initial message headers (except for 54# the headers that are processed with \fBmime_header_checks\fR). 55# .IP "\fBmime_header_checks\fR (default: \fB$header_checks\fR)" 56# These are applied to MIME related message headers only. 57# .sp 58# This feature is available in Postfix 2.0 and later. 59# .IP "\fBnested_header_checks\fR (default: \fB$header_checks\fR)" 60# These are applied to message headers of attached email 61# messages (except for the headers that are processed with 62# \fBmime_header_checks\fR). 63# .sp 64# This feature is available in Postfix 2.0 and later. 65# .IP \fBbody_checks\fR 66# These are applied to all other content, including multi-part 67# message boundaries. 68# .sp 69# With Postfix versions before 2.0, all content after the initial 70# message headers is treated as body content. 71# FILTERS AFTER RECEIVING MAIL 72# .ad 73# .fi 74# Postfix supports a subset of the built-in content inspection 75# classes after the message is received: 76# .IP "\fBmilter_header_checks\fR (default: empty)" 77# These are applied to headers that are added with Milter 78# applications. 79# .sp 80# This feature is available in Postfix 2.7 and later. 81# FILTERS WHILE DELIVERING MAIL 82# .ad 83# .fi 84# Postfix supports all four content inspection classes while 85# delivering mail via SMTP. 86# .IP "\fBsmtp_header_checks\fR (default: empty)" 87# .IP "\fBsmtp_mime_header_checks\fR (default: empty)" 88# .IP "\fBsmtp_nested_header_checks\fR (default: empty)" 89# .IP "\fBsmtp_body_checks\fR (default: empty)" 90# These features are available in Postfix 2.5 and later. 91# COMPATIBILITY 92# .ad 93# .fi 94# With Postfix version 2.2 and earlier specify "\fBpostmap 95# -fq\fR" to query a table that contains case sensitive 96# patterns. By default, regexp: and pcre: patterns are case 97# insensitive. 98# TABLE FORMAT 99# .ad 100# .fi 101# This document assumes that header and body_checks rules are specified 102# in the form of Postfix regular expression lookup tables. Usually the 103# best performance is obtained with \fBpcre\fR (Perl Compatible Regular 104# Expression) tables. The \fBregexp\fR (POSIX regular 105# expressions) tables are usually slower, but more widely 106# available. 107# Use the command "\fBpostconf -m\fR" to find out what lookup table 108# types your Postfix system supports. 109# 110# The general format of Postfix regular expression tables is 111# given below. 112# For a discussion of specific pattern or flags syntax, 113# see \fBpcre_table\fR(5) or \fBregexp_table\fR(5), respectively. 114# .IP "\fB/\fIpattern\fB/\fIflags action\fR" 115# When /\fIpattern\fR/ matches the input string, execute 116# the corresponding \fIaction\fR. See below for a list 117# of possible actions. 118# .IP "\fB!/\fIpattern\fB/\fIflags action\fR" 119# When /\fIpattern\fR/ does \fBnot\fR match the input string, 120# execute the corresponding \fIaction\fR. 121# .IP "\fBif /\fIpattern\fB/\fIflags\fR" 122# .IP "\fBendif\fR" 123# Match the input string against the patterns between \fBif\fR 124# and \fBendif\fR, if and only if the same input string also 125# matches /\fIpattern\fR/. The \fBif\fR..\fBendif\fR can nest. 126# .sp 127# Note: do not prepend whitespace to patterns inside 128# \fBif\fR..\fBendif\fR. 129# .IP "\fBif !/\fIpattern\fB/\fIflags\fR" 130# .IP "\fBendif\fR" 131# Match the input string against the patterns between \fBif\fR 132# and \fBendif\fR, if and only if the same input string does 133# \fBnot\fR match /\fIpattern\fR/. The \fBif\fR..\fBendif\fR 134# can nest. 135# .IP "blank lines and comments" 136# Empty lines and whitespace-only lines are ignored, as 137# are lines whose first non-whitespace character is a `#'. 138# .IP "multi-line text" 139# A pattern/action line starts with non-whitespace text. A line that 140# starts with whitespace continues a logical line. 141# TABLE SEARCH ORDER 142# .ad 143# .fi 144# For each line of message input, the patterns are applied in the 145# order as specified in the table. When a pattern is found that matches 146# the input line, the corresponding action is executed and then the 147# next input line is inspected. 148# TEXT SUBSTITUTION 149# .ad 150# .fi 151# Substitution of substrings from the matched expression into the 152# \fIaction\fR 153# string is possible using the conventional Perl syntax 154# (\fB$1\fR, \fB$2\fR, etc.). 155# The macros in the result string may need to be written as \fB${n}\fR 156# or \fB$(n)\fR if they aren't followed by whitespace. 157# 158# Note: since negated patterns (those preceded by \fB!\fR) return a 159# result when the expression does not match, substitutions are not 160# available for negated patterns. 161# ACTIONS 162# .ad 163# .fi 164# Action names are case insensitive. They are shown in upper case 165# for consistency with other Postfix documentation. 166# \" .IP "\fBDELAY \fItime\fR" 167# \" Place the message into the deferred queue, and delay the 168# \" initial delivery attempt by \fItime\fR. The time value may 169# \" be followed by a one-character suffix that specifies the 170# \" time unit: s (seconds), m (minutes), h (hours), d (days), 171# \" w (weeks). The default time unit is s (seconds). 172# \" .sp 173# \" Limitations: 174# \" .RS 175# \" .IP \(bu 176# \" This action affects all the recipients of the message. 177# \" .IP \(bu 178# \" The delay value has no effect with remote file systems that 179# \" don't correctly emulate UNIX local file system semantics. 180# \" In that case, the delay will be half of $queue_run_delay 181# \" on average. 182# \" .IP \(bu 183# \" Mail will still be delivered with "sendmail -q", "postfix 184# \" flush" or "postqueue -f". 185# \" .IP \(bu 186# \" Delayed mail increases the amount of disk I/O during deferred 187# \" queue scans. When large amounts of mail are queued for 188# \" delayed delivery it may be preferable to use the HOLD feature 189# \" instead. 190# \" .RE 191# \" .IP 192# \" This feature is available in Postfix 2.3 and later. 193# .IP "\fBDISCARD \fIoptional text...\fR" 194# Claim successful delivery and silently discard the message. 195# Log the optional text if specified, otherwise log a generic 196# message. 197# .sp 198# Note: this action disables further header or body_checks inspection 199# of the current message and affects all recipients. 200# To discard only one recipient without discarding the entire message, 201# use the transport(5) table to direct mail to the discard(8) service. 202# .sp 203# This feature is available in Postfix 2.0 and later. 204# .sp 205# This feature is not supported with smtp header/body checks. 206# .IP \fBDUNNO\fR 207# Pretend that the input line did not match any pattern, and inspect the 208# next input line. This action can be used to shorten the table search. 209# .sp 210# For backwards compatibility reasons, Postfix also accepts 211# \fBOK\fR but it is (and always has been) treated as \fBDUNNO\fR. 212# .sp 213# This feature is available in Postfix 2.1 and later. 214# .IP "\fBFILTER \fItransport:destination\fR" 215# After the message is queued, send the entire message through 216# the specified external content filter. The \fItransport\fR 217# name specifies the first field of a mail delivery agent 218# definition in master.cf; the syntax of the next-hop 219# \fIdestination\fR is described in the manual page of the 220# corresponding delivery agent. More information about 221# external content filters is in the Postfix FILTER_README 222# file. 223# .sp 224# Note 1: do not use $\fInumber\fR regular expression 225# substitutions for \fItransport\fR or \fIdestination\fR 226# unless you know that the information has a trusted origin. 227# .sp 228# Note 2: this action overrides the main.cf \fBcontent_filter\fR 229# setting, and affects all recipients of the message. In the 230# case that multiple \fBFILTER\fR actions fire, only the last 231# one is executed. 232# .sp 233# Note 3: the purpose of the FILTER command is to override 234# message routing. To override the recipient's \fItransport\fR 235# but not the next-hop \fIdestination\fR, specify an empty 236# filter \fIdestination\fR (Postfix 2.7 and later), or specify 237# a \fItransport:destination\fR that delivers through a 238# different Postfix instance (Postfix 2.6 and earlier). Other 239# options are using the recipient-dependent \fBtrans\%port\%_maps\fR 240# or the sen\%der-dependent 241# \fBsender\%_de\%pen\%dent\%_de\%fault\%_trans\%port\%_maps\fR 242# features. 243# .sp 244# This feature is available in Postfix 2.0 and later. 245# .sp 246# This feature is not supported with smtp header/body checks. 247# .IP "\fBHOLD \fIoptional text...\fR" 248# Arrange for the message to be placed on the \fBhold\fR queue, 249# and inspect the next input line. The message remains on \fBhold\fR 250# until someone either deletes it or releases it for delivery. 251# Log the optional text if specified, otherwise log a generic 252# message. 253# 254# Mail that is placed on hold can be examined with the 255# \fBpostcat\fR(1) command, and can be destroyed or released with 256# the \fBpostsuper\fR(1) command. 257# .sp 258# Note: use "\fBpostsuper -r\fR" to release mail that was kept on 259# hold for a significant fraction of \fB$maximal_queue_lifetime\fR 260# or \fB$bounce_queue_lifetime\fR, or longer. Use "\fBpostsuper -H\fR" 261# only for mail that will not expire within a few delivery attempts. 262# .sp 263# Note: this action affects all recipients of the message. 264# .sp 265# This feature is available in Postfix 2.0 and later. 266# .sp 267# This feature is not supported with smtp header/body checks. 268# .IP \fBIGNORE\fR 269# Delete the current line from the input, and inspect 270# the next input line. 271# .IP "\fBINFO \fIoptional text...\fR 272# Log an "info:" record with the \fIoptional text...\fR (or 273# log a generic text), and inspect the next input line. This 274# action is useful for routine logging or for debugging. 275# .sp 276# This feature is available in Postfix 2.8 and later. 277# .IP "\fBPREPEND \fItext...\fR" 278# Prepend one line with the specified text, and inspect the next 279# input line. 280# .sp 281# Notes: 282# .RS 283# .IP \(bu 284# The prepended text is output on a separate line, immediately 285# before the input that triggered the \fBPREPEND\fR action. 286# .IP \(bu 287# The prepended text is not considered part of the input 288# stream: it is not subject to header/body checks or address 289# rewriting, and it does not affect the way that Postfix adds 290# missing message headers. 291# .IP \(bu 292# When prepending text before a message header line, the prepended 293# text must begin with a valid message header label. 294# .IP \(bu 295# This action cannot be used to prepend multi-line text. 296# .RE 297# .IP 298# This feature is available in Postfix 2.1 and later. 299# .sp 300# This feature is not supported with milter_header_checks. 301# .IP "\fBREDIRECT \fIuser@domain\fR" 302# Write a message redirection request to the queue file, and 303# inspect the next input line. After the message is queued, 304# it will be sent to the specified address instead of the 305# intended recipient(s). 306# .sp 307# Note: this action overrides the \fBFILTER\fR action, and affects 308# all recipients of the message. If multiple \fBREDIRECT\fR actions 309# fire, only the last one is executed. 310# .sp 311# This feature is available in Postfix 2.1 and later. 312# .sp 313# This feature is not supported with smtp header/body checks. 314# .IP "\fBREPLACE \fItext...\fR" 315# Replace the current line with the specified text, and inspect the next 316# input line. 317# .sp 318# This feature is available in Postfix 2.2 and later. The 319# description below applies to Postfix 2.2.2 and later. 320# .sp 321# Notes: 322# .RS 323# .IP \(bu 324# When replacing a message header line, the replacement text 325# must begin with a valid header label. 326# .IP \(bu 327# The replaced text remains part of the input stream. Unlike 328# the result from the \fBPREPEND\fR action, a replaced message 329# header may be subject to address rewriting and may affect 330# the way that Postfix adds missing message headers. 331# .RE 332# .IP "\fBREJECT \fIoptional text...\fR 333# Reject the entire message. Reply with \fIoptional text...\fR when 334# the optional text is specified, otherwise reply with a generic error 335# message. 336# .sp 337# Note: this action disables further header or body_checks inspection 338# of the current message and affects all recipients. 339# .sp 340# Postfix version 2.3 and later support enhanced status codes. 341# When no code is specified at the beginning of \fIoptional 342# text...\fR, Postfix inserts a default enhanced status code of 343# "5.7.1". 344# .sp 345# This feature is not supported with smtp header/body checks. 346# .IP "\fBWARN \fIoptional text...\fR 347# Log a "warning:" record with the \fIoptional text...\fR (or 348# log a generic text), and inspect the next input line. This 349# action is useful for debugging and for testing a pattern 350# before applying more drastic actions. 351# BUGS 352# Empty lines never match, because some map types mis-behave 353# when given a zero-length search string. This limitation may 354# be removed for regular expression tables in a future release. 355# 356# Many people overlook the main limitations of header and body_checks 357# rules. 358# .IP \(bu 359# These rules operate on one logical message header or one body 360# line at a time. A decision made for one line is not carried over 361# to the next line. 362# .IP \(bu 363# If text in the message body is encoded 364# (RFC 2045) then the rules need to be specified for the encoded 365# form. 366# .IP \(bu 367# Likewise, when message headers are encoded (RFC 368# 2047) then the rules need to be specified for the encoded 369# form. 370# .PP 371# Message headers added by the \fBcleanup\fR(8) daemon itself 372# are excluded from inspection. Examples of such message headers 373# are \fBFrom:\fR, \fBTo:\fR, \fBMessage-ID:\fR, \fBDate:\fR. 374# 375# Message headers deleted by the \fBcleanup\fR(8) daemon will 376# be examined before they are deleted. Examples are: \fBBcc:\fR, 377# \fBContent-Length:\fR, \fBReturn-Path:\fR. 378# CONFIGURATION PARAMETERS 379# .ad 380# .fi 381# .IP \fBbody_checks\fR 382# Lookup tables with content filter rules for message body lines. 383# These filters see one physical line at a time, in chunks of 384# at most \fB$line_length_limit\fR bytes. 385# .IP \fBbody_checks_size_limit\fP 386# The amount of content per message body segment (attachment) that is 387# subjected to \fB$body_checks\fR filtering. 388# .IP \fBheader_checks\fR 389# .IP "\fBmime_header_checks\fR (default: \fB$header_checks\fR)" 390# .IP "\fBnested_header_checks\fR (default: \fB$header_checks\fR)" 391# Lookup tables with content filter rules for message header lines: 392# respectively, these are applied to the initial message headers 393# (not including MIME headers), to the MIME headers anywhere in 394# the message, and to the initial headers of attached messages. 395# .sp 396# Note: these filters see one logical message header at a time, even 397# when a message header spans multiple lines. Message headers that 398# are longer than \fB$header_size_limit\fR characters are truncated. 399# .IP \fBdisable_mime_input_processing\fR 400# While receiving mail, give no special treatment to MIME related 401# message headers; all text after the initial message headers is 402# considered to be part of the message body. This means that 403# \fBheader_checks\fR is applied to all the initial message headers, 404# and that \fBbody_checks\fR is applied to the remainder of the 405# message. 406# .sp 407# Note: when used in this manner, \fBbody_checks\fR will process 408# a multi-line message header one line at a time. 409# EXAMPLES 410# .ad 411# .fi 412# Header pattern to block attachments with bad file name 413# extensions. For convenience, the PCRE /x flag is specified, 414# so that there is no need to collapse the pattern into a 415# single line of text. The purpose of the [[:xdigit:]] 416# sub-expressions is to recognize Windows CLSID strings. 417# 418# .na 419# .nf 420# /etc/postfix/main.cf: 421# header_checks = pcre:/etc/postfix/header_checks.pcre 422# 423# /etc/postfix/header_checks.pcre: 424# /^Content-(Disposition|Type).*name\es*=\es*"?(.*(\e.|=2E)( 425# ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe| 426# hlp|ht[at]| 427# inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws| 428# \e{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\e}| 429# ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf| 430# vb[esx]?|vxd|ws[cfh]))(\e?=)?"?\es*(;|$)/x 431# REJECT Attachment name "$2" may not end with ".$4" 432# .ad 433# .fi 434# 435# Body pattern to stop a specific HTML browser vulnerability exploit. 436# 437# .na 438# .nf 439# /etc/postfix/main.cf: 440# body_checks = regexp:/etc/postfix/body_checks 441# 442# /etc/postfix/body_checks: 443# /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/ 444# REJECT IFRAME vulnerability exploit 445# SEE ALSO 446# cleanup(8), canonicalize and enqueue Postfix message 447# pcre_table(5), format of PCRE lookup tables 448# regexp_table(5), format of POSIX regular expression tables 449# postconf(1), Postfix configuration utility 450# postmap(1), Postfix lookup table management 451# postsuper(1), Postfix janitor 452# postcat(1), show Postfix queue file contents 453# RFC 2045, base64 and quoted-printable encoding rules 454# RFC 2047, message header encoding for non-ASCII text 455# README FILES 456# .ad 457# .fi 458# Use "\fBpostconf readme_directory\fR" or 459# "\fBpostconf html_directory\fR" to locate this information. 460# .na 461# .nf 462# DATABASE_README, Postfix lookup table overview 463# CONTENT_INSPECTION_README, Postfix content inspection overview 464# BUILTIN_FILTER_README, Postfix built-in content inspection 465# BACKSCATTER_README, blocking returned forged mail 466# LICENSE 467# .ad 468# .fi 469# The Secure Mailer license must be distributed with this software. 470# AUTHOR(S) 471# Wietse Venema 472# IBM T.J. Watson Research 473# P.O. Box 704 474# Yorktown Heights, NY 10598, USA 475#-- 476