1#++ 2# NAME 3# header_checks 5 4# SUMMARY 5# Postfix built-in content inspection 6# SYNOPSIS 7# .nf 8# \fBheader_checks = pcre:/etc/postfix/header_checks\fR 9# \fBmime_header_checks = pcre:/etc/postfix/mime_header_checks\fR 10# \fBnested_header_checks = pcre:/etc/postfix/nested_header_checks\fR 11# \fBbody_checks = pcre:/etc/postfix/body_checks\fR 12# .sp 13# \fBpostmap -q "\fIstring\fB" pcre:/etc/postfix/\fIfilename\fR 14# \fBpostmap -q - pcre:/etc/postfix/\fIfilename\fR <\fIinputfile\fR 15# .fi 16# DESCRIPTION 17# This document describes access control on the content of 18# message headers and message body lines; it is implemented 19# by the Postfix \fBcleanup\fR(8) server before mail is queued. 20# See \fBaccess\fR(5) for access control on remote SMTP client 21# information. 22# 23# Each message header or message body line is compared against 24# a list of patterns. 25# When a match is found the corresponding action is executed, and 26# the matching process is repeated for the next message header or 27# message body line. 28# 29# For examples, see the EXAMPLES section at the end of this 30# manual page. 31# 32# Postfix header or body_checks are designed to stop a flood of mail 33# from worms or viruses; they do not decode attachments, and they do 34# not unzip archives. See the documents referenced below in the README 35# FILES section if you need more sophisticated content analysis. 36# 37# Postfix supports four built-in content inspection classes: 38# .IP \fBheader_checks\fR 39# These are applied to initial message headers (except for 40# the headers that are processed with \fBmime_header_checks\fR). 41# .IP "\fBmime_header_checks\fR (default: \fB$header_checks\fR)" 42# These are applied to MIME related message headers only. 43# .sp 44# This feature is available in Postfix 2.0 and later. 45# .IP "\fBnested_header_checks\fR (default: \fB$header_checks\fR)" 46# These are applied to message headers of attached email 47# messages (except for the headers that are processed with 48# \fBmime_header_checks\fR). 49# .sp 50# This feature is available in Postfix 2.0 and later. 51# .IP \fBbody_checks\fR 52# These are applied to all other content, including multi-part 53# message boundaries. 54# .sp 55# With Postfix versions before 2.0, all content after the initial 56# message headers is treated as body content. 57# .PP 58# Note: message headers are examined one logical header at a time, 59# even when a message header spans multiple lines. Body lines are 60# always examined one line at a time. 61# COMPATIBILITY 62# .ad 63# .fi 64# With Postfix version 2.2 and earlier specify "\fBpostmap 65# -fq\fR" to query a table that contains case sensitive 66# patterns. By default, regexp: and pcre: patterns are case 67# insensitive. 68# TABLE FORMAT 69# .ad 70# .fi 71# This document assumes that header and body_checks rules are specified 72# in the form of Postfix regular expression lookup tables. Usually the 73# best performance is obtained with \fBpcre\fR (Perl Compatible Regular 74# Expression) tables, but the slower \fBregexp\fR (POSIX regular 75# expressions) support is more widely available. 76# Use the command "\fBpostconf -m\fR" to find out what lookup table 77# types your Postfix system supports. 78# 79# The general format of Postfix regular expression tables is 80# given below. 81# For a discussion of specific pattern or flags syntax, 82# see \fBpcre_table\fR(5) or \fBregexp_table\fR(5), respectively. 83# .IP "\fB/\fIpattern\fB/\fIflags action\fR" 84# When /\fIpattern\fR/ matches the input string, execute 85# the corresponding \fIaction\fR. See below for a list 86# of possible actions. 87# .IP "\fB!/\fIpattern\fB/\fIflags action\fR" 88# When /\fIpattern\fR/ does \fBnot\fR match the input string, 89# execute the corresponding \fIaction\fR. 90# .IP "\fBif /\fIpattern\fB/\fIflags\fR" 91# .IP "\fBendif\fR" 92# Match the input string against the patterns between \fBif\fR 93# and \fBendif\fR, if and only if the same input string also 94# matches /\fIpattern\fR/. The \fBif\fR..\fBendif\fR can nest. 95# .sp 96# Note: do not prepend whitespace to patterns inside 97# \fBif\fR..\fBendif\fR. 98# .IP "\fBif !/\fIpattern\fB/\fIflags\fR" 99# .IP "\fBendif\fR" 100# Match the input string against the patterns between \fBif\fR 101# and \fBendif\fR, if and only if the same input string does 102# \fBnot\fR match /\fIpattern\fR/. The \fBif\fR..\fBendif\fR 103# can nest. 104# .IP "blank lines and comments" 105# Empty lines and whitespace-only lines are ignored, as 106# are lines whose first non-whitespace character is a `#'. 107# .IP "multi-line text" 108# A pattern/action line starts with non-whitespace text. A line that 109# starts with whitespace continues a logical line. 110# TABLE SEARCH ORDER 111# .ad 112# .fi 113# For each line of message input, the patterns are applied in the 114# order as specified in the table. When a pattern is found that matches 115# the input line, the corresponding action is executed and then the 116# next input line is inspected. 117# TEXT SUBSTITUTION 118# .ad 119# .fi 120# Substitution of substrings from the matched expression into the 121# \fIaction\fR 122# string is possible using the conventional Perl syntax 123# (\fB$1\fR, \fB$2\fR, etc.). 124# The macros in the result string may need to be written as \fB${n}\fR 125# or \fB$(n)\fR if they aren't followed by whitespace. 126# 127# Note: since negated patterns (those preceded by \fB!\fR) return a 128# result when the expression does not match, substitutions are not 129# available for negated patterns. 130# ACTIONS 131# .ad 132# .fi 133# Action names are case insensitive. They are shown in upper case 134# for consistency with other Postfix documentation. 135# \" .IP "\fBDELAY \fItime\fR" 136# \" Place the message into the deferred queue, and delay the 137# \" initial delivery attempt by \fItime\fR. The time value may 138# \" be followed by a one-character suffix that specifies the 139# \" time unit: s (seconds), m (minutes), h (hours), d (days), 140# \" w (weeks). The default time unit is s (seconds). 141# \" .sp 142# \" Limitations: 143# \" .RS 144# \" .IP \(bu 145# \" This action affects all the recipients of the message. 146# \" .IP \(bu 147# \" The delay value has no effect with remote file systems that 148# \" don't correctly emulate UNIX local file system semantics. 149# \" In that case, the delay will be half of $queue_run_delay 150# \" on average. 151# \" .IP \(bu 152# \" Mail will still be delivered with "sendmail -q", "postfix 153# \" flush" or "postqueue -f". 154# \" .IP \(bu 155# \" Delayed mail increases the amount of disk I/O during deferred 156# \" queue scans. When large amounts of mail are queued for 157# \" delayed delivery it may be preferable to use the HOLD feature 158# \" instead. 159# \" .RE 160# \" .IP 161# \" This feature is available in Postfix 2.3 and later. 162# .IP "\fBDISCARD \fIoptional text...\fR" 163# Claim successful delivery and silently discard the message. 164# Log the optional text if specified, otherwise log a generic 165# message. 166# .sp 167# Note: this action disables further header or body_checks inspection 168# of the current message and affects all recipients. 169# To discard only one recipient without discarding the entire message, 170# use the transport(5) table to direct mail to the discard(8) service. 171# .sp 172# This feature is available in Postfix 2.0 and later. 173# .IP \fBDUNNO\fR 174# Pretend that the input line did not match any pattern, and inspect the 175# next input line. This action can be used to shorten the table search. 176# .sp 177# For backwards compatibility reasons, Postfix also accepts 178# \fBOK\fR but it is (and always has been) treated as \fBDUNNO\fR. 179# .sp 180# This feature is available in Postfix 2.1 and later. 181# .IP "\fBFILTER \fItransport:destination\fR" 182# Write a content filter request to the queue file, and 183# inspect the next input line. 184# After the complete message is received it will be sent through 185# the specified external content filter. More information about 186# external content filters is in the Postfix FILTER_README file. 187# .sp 188# Note: this action overrides the \fBcontent_filter\fR setting, 189# and affects all recipients of the message. In the case that multiple 190# \fBFILTER\fR actions fire, only the last one is executed. 191# .sp 192# This feature is available in Postfix 2.0 and later. 193# .IP "\fBHOLD \fIoptional text...\fR" 194# Arrange for the message to be placed on the \fBhold\fR queue, 195# and inspect the next input line. The message remains on \fBhold\fR 196# until someone either deletes it or releases it for delivery. 197# Log the optional text if specified, otherwise log a generic 198# message. 199# 200# Mail that is placed on hold can be examined with the 201# \fBpostcat\fR(1) command, and can be destroyed or released with 202# the \fBpostsuper\fR(1) command. 203# .sp 204# Note: use "\fBpostsuper -r\fR" to release mail that was kept on 205# hold for a significant fraction of \fB$maximal_queue_lifetime\fR 206# or \fB$bounce_queue_lifetime\fR, or longer. Use "\fBpostsuper -H\fR" 207# only for mail that will not expire within a few delivery attempts. 208# .sp 209# Note: this action affects all recipients of the message. 210# .sp 211# This feature is available in Postfix 2.0 and later. 212# .IP \fBIGNORE\fR 213# Delete the current line from the input, and inspect 214# the next input line. 215# .IP "\fBPREPEND \fItext...\fR" 216# Prepend one line with the specified text, and inspect the next 217# input line. 218# .sp 219# Notes: 220# .RS 221# .IP \(bu 222# The prepended text is output on a separate line, immediately 223# before the input that triggered the \fBPREPEND\fR action. 224# .IP \(bu 225# The prepended text is not considered part of the input 226# stream: it is not subject to header/body checks or address 227# rewriting, and it does not affect the way that Postfix adds 228# missing message headers. 229# .IP \(bu 230# When prepending text before a message header line, the prepended 231# text must begin with a valid message header label. 232# .IP \(bu 233# This action cannot be used to prepend multi-line text. 234# .RE 235# .IP 236# This feature is available in Postfix 2.1 and later. 237# .IP "\fBREDIRECT \fIuser@domain\fR" 238# Write a message redirection request to the queue file, and 239# inspect the next input line. After the message is queued, 240# it will be sent to the specified address instead of the 241# intended recipient(s). 242# .sp 243# Note: this action overrides the \fBFILTER\fR action, and affects 244# all recipients of the message. If multiple \fBREDIRECT\fR actions 245# fire, only the last one is executed. 246# .sp 247# This feature is available in Postfix 2.1 and later. 248# .IP "\fBREPLACE \fItext...\fR" 249# Replace the current line with the specified text, and inspect the next 250# input line. 251# .sp 252# This feature is available in Postfix 2.2 and later. The 253# description below applies to Postfix 2.2.2 and later. 254# .sp 255# Notes: 256# .RS 257# .IP \(bu 258# When replacing a message header line, the replacement text 259# must begin with a valid header label. 260# .IP \(bu 261# The replaced text remains part of the input stream. Unlike 262# the result from the \fBPREPEND\fR action, a replaced message 263# header may be subject to address rewriting and may affect 264# the way that Postfix adds missing message headers. 265# .RE 266# .IP "\fBREJECT \fIoptional text...\fR 267# Reject the entire message. Reply with \fIoptional text...\fR when 268# the optional text is specified, otherwise reply with a generic error 269# message. 270# .sp 271# Note: this action disables further header or body_checks inspection 272# of the current message and affects all recipients. 273# .sp 274# Postfix version 2.3 and later support enhanced status codes. 275# When no code is specified at the beginning of \fIoptional 276# text...\fR, Postfix inserts a default enhanced status code of 277# "5.7.1". 278# .IP "\fBWARN \fIoptional text...\fR 279# Log a warning with the \fIoptional text...\fR (or log a 280# generic message), and inspect the next input line. This 281# action is useful for debugging and for testing a pattern 282# before applying more drastic actions. 283# BUGS 284# Empty lines never match, because some map types mis-behave 285# when given a zero-length search string. This limitation may 286# be removed for regular expression tables in a future release. 287# 288# Many people overlook the main limitations of header and body_checks 289# rules. 290# .IP \(bu 291# These rules operate on one logical message header or one body 292# line at a time. A decision made for one line is not carried over 293# to the next line. 294# .IP \(bu 295# If text in the message body is encoded 296# (RFC 2045) then the rules need to be specified for the encoded 297# form. 298# .IP \(bu 299# Likewise, when message headers are encoded (RFC 300# 2047) then the rules need to be specified for the encoded 301# form. 302# .PP 303# Message headers added by the \fBcleanup\fR(8) daemon itself 304# are excluded from inspection. Examples of such message headers 305# are \fBFrom:\fR, \fBTo:\fR, \fBMessage-ID:\fR, \fBDate:\fR. 306# 307# Message headers deleted by the \fBcleanup\fR(8) daemon will 308# be examined before they are deleted. Examples are: \fBBcc:\fr, 309# \fBContent-Length:\fR, \fBReturn-Path:\fR. 310# CONFIGURATION PARAMETERS 311# .ad 312# .fi 313# .IP \fBbody_checks\fR 314# Lookup tables with content filter rules for message body lines. 315# These filters see one physical line at a time, in chunks of 316# at most \fB$line_length_limit\fR bytes. 317# .IP \fBbody_checks_size_limit\fP 318# The amount of content per message body segment (attachment) that is 319# subjected to \fB$body_checks\fR filtering. 320# .IP \fBheader_checks\fR 321# .IP "\fBmime_header_checks\fR (default: \fB$header_checks\fR)" 322# .IP "\fBnested_header_checks\fR (default: \fB$header_checks\fR)" 323# Lookup tables with content filter rules for message header lines: 324# respectively, these are applied to the initial message headers 325# (not including MIME headers), to the MIME headers anywhere in 326# the message, and to the initial headers of attached messages. 327# .sp 328# Note: these filters see one logical message header at a time, even 329# when a message header spans multiple lines. Message headers that 330# are longer than \fB$header_size_limit\fR characters are truncated. 331# .IP \fBdisable_mime_input_processing\fR 332# While receiving mail, give no special treatment to MIME related 333# message headers; all text after the initial message headers is 334# considered to be part of the message body. This means that 335# \fBheader_checks\fR is applied to all the initial message headers, 336# and that \fBbody_checks\fR is applied to the remainder of the 337# message. 338# .sp 339# Note: when used in this manner, \fBbody_checks\fR will process 340# a multi-line message header one line at a time. 341# EXAMPLES 342# .ad 343# .fi 344# Header pattern to block attachments with bad file name 345# extensions. For convenience, the PCRE /x flag is specified, 346# so that there is no need to collapse the pattern into a 347# single line of text. The purpose of the [[:xdigit:]] 348# sub-expressions is to recognize Windows CLSID strings. 349# 350# .na 351# .nf 352# /etc/postfix/main.cf: 353# header_checks = pcre:/etc/postfix/header_checks.pcre 354# 355# /etc/postfix/header_checks.pcre: 356# /^Content-(Disposition|Type).*name\es*=\es*"?(.*(\e.|=2E)( 357# ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe| 358# hlp|ht[at]| 359# inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws| 360# \e{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\e}| 361# ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf| 362# vb[esx]?|vxd|ws[cfh]))(\e?=)?"?\es*(;|$)/x 363# REJECT Attachment name "$2" may not end with ".$4" 364# .ad 365# .fi 366# 367# Body pattern to stop a specific HTML browser vulnerability exploit. 368# 369# .na 370# .nf 371# /etc/postfix/main.cf: 372# body_checks = regexp:/etc/postfix/body_checks 373# 374# /etc/postfix/body_checks: 375# /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/ 376# REJECT IFRAME vulnerability exploit 377# SEE ALSO 378# cleanup(8), canonicalize and enqueue Postfix message 379# pcre_table(5), format of PCRE lookup tables 380# regexp_table(5), format of POSIX regular expression tables 381# postconf(1), Postfix configuration utility 382# postmap(1), Postfix lookup table management 383# postsuper(1), Postfix janitor 384# postcat(1), show Postfix queue file contents 385# RFC 2045, base64 and quoted-printable encoding rules 386# RFC 2047, message header encoding for non-ASCII text 387# README FILES 388# .ad 389# .fi 390# Use "\fBpostconf readme_directory\fR" or 391# "\fBpostconf html_directory\fR" to locate this information. 392# .na 393# .nf 394# DATABASE_README, Postfix lookup table overview 395# CONTENT_INSPECTION_README, Postfix content inspection overview 396# BUILTIN_FILTER_README, Postfix built-in content inspection 397# BACKSCATTER_README, blocking returned forged mail 398# LICENSE 399# .ad 400# .fi 401# The Secure Mailer license must be distributed with this software. 402# AUTHOR(S) 403# Wietse Venema 404# IBM T.J. Watson Research 405# P.O. Box 704 406# Yorktown Heights, NY 10598, USA 407#-- 408