1ACCESS(5) File Formats Manual ACCESS(5)
2
6 access - Postfix SMTP server access table
7
9 postmap /etc/postfix/access
10 postmap -q "string" /etc/postfix/access
12 postmap -q - /etc/postfix/access <inputfile
14
16 This document describes access control on remote SMTP client informa‐
17 tion: host names, network addresses, and envelope sender or recipient
18 addresses; it is implemented by the Postfix SMTP server. See
19 header_checks(5) or body_checks(5) for access control on the content of
20 email messages.
21 Normally, the access(5) table is specified as a text file that serves
23 as input to the postmap(1) command. The result, an indexed file in dbm
24 or db format, is used for fast searching by the mail system. Execute
25 the command "postmap /etc/postfix/access" to rebuild an indexed file
26 after changing the corresponding text file.
27 When the table is provided via other means such as NIS, LDAP or SQL,
29 the same lookups are done as for ordinary indexed files.
30 Alternatively, the table can be provided as a regular-expression map
32 where patterns are given as regular expressions, or lookups can be
33 directed to TCP-based server. In those cases, the lookups are done in a
34 slightly different way as described below under "REGULAR EXPRESSION
35 TABLES" or "TCP-BASED TABLES".
36
38 The search string is folded to lowercase before database lookup. As of
39 Postfix 2.3, the search string is not case folded with database types
40 such as regexp: or pcre: whose lookup fields can match both upper and
41 lower case.
42
44 The input format for the postmap(1) command is as follows:
45 pattern action
47 When pattern matches a mail address, domain or host address,
48 perform the corresponding action.
49 blank lines and comments
51 Empty lines and whitespace-only lines are ignored, as are lines
52 whose first non-whitespace character is a `#'.
53 multi-line text
55 A logical line starts with non-whitespace text. A line that
56 starts with whitespace continues a logical line.
57
59 With lookups from indexed files such as DB or DBM, or from networked
60 tables such as NIS, LDAP or SQL, patterns are tried in the order as
61 listed below:
62 user@domain
64 Matches the specified mail address.
65 domain.tld
67 Matches domain.tld as the domain part of an email address.
68 The pattern domain.tld also matches subdomains, but only when
70 the string smtpd_access_maps is listed in the Postfix par‐
71 ent_domain_matches_subdomains configuration setting.
72 .domain.tld
74 Matches subdomains of domain.tld, but only when the string
75 smtpd_access_maps is not listed in the Postfix par‐
76 ent_domain_matches_subdomains configuration setting.
77 user@ Matches all mail addresses with the specified user part.
79 Note: lookup of the null sender address is not possible with some types
81 of lookup table. By default, Postfix uses <> as the lookup key for such
82 addresses. The value is specified with the smtpd_null_access_lookup_key
83 parameter in the Postfix main.cf file.
84
86 When a mail address localpart contains the optional recipient delimiter
87 (e.g., user+foo@domain), the lookup order becomes: user+foo@domain,
88 user@domain, domain, user+foo@, and user@.
89
91 With lookups from indexed files such as DB or DBM, or from networked
92 tables such as NIS, LDAP or SQL, the following lookup patterns are
93 examined in the order as listed:
94 domain.tld
96 Matches domain.tld.
97 The pattern domain.tld also matches subdomains, but only when
99 the string smtpd_access_maps is listed in the Postfix par‐
100 ent_domain_matches_subdomains configuration setting.
101 .domain.tld
103 Matches subdomains of domain.tld, but only when the string
104 smtpd_access_maps is not listed in the Postfix par‐
105 ent_domain_matches_subdomains configuration setting.
106 net.work.addr.ess
108 net.work.addr
110 net.work
112 net Matches the specified IPv4 host address or subnetwork. An IPv4
114 host address is a sequence of four decimal octets separated by
115 ".".
116 Subnetworks are matched by repeatedly truncating the last
118 ".octet" from the remote IPv4 host address string until a match
119 is found in the access table, or until further truncation is not
120 possible.
121 NOTE 1: The access map lookup key must be in canonical form: do
123 not specify unnecessary null characters, and do not enclose net‐
124 work address information with "[]" characters.
125 NOTE 2: use the cidr lookup table type to specify network/net‐
127 mask patterns. See cidr_table(5) for details.
128 net:work:addr:ess
130 net:work:addr
132 net:work
134 net Matches the specified IPv6 host address or subnetwork. An IPv6
136 host address is a sequence of three to eight hexadecimal octet
137 pairs separated by ":".
138 Subnetworks are matched by repeatedly truncating the last
140 ":octetpair" from the remote IPv6 host address string until a
141 match is found in the access table, or until further truncation
142 is not possible.
143 NOTE 1: the truncation and comparison are done with the string
145 representation of the IPv6 host address. Thus, not all the ":"
146 subnetworks will be tried.
147 NOTE 2: The access map lookup key must be in canonical form: do
149 not specify unnecessary null characters, and do not enclose net‐
150 work address information with "[]" characters.
151 NOTE 3: use the cidr lookup table type to specify network/net‐
153 mask patterns. See cidr_table(5) for details.
154 IPv6 support is available in Postfix 2.2 and later.
156
158 OK Accept the address etc. that matches the pattern.
159 all-numerical
161 An all-numerical result is treated as OK. This format is gener‐
162 ated by address-based relay authorization schemes such as pop-
163 before-smtp.
164
166 Postfix version 2.3 and later support enhanced status codes as defined
167 in RFC 3463. When no code is specified at the beginning of the text
168 below, Postfix inserts a default enhanced status code of "5.7.1" in the
169 case of reject actions, and "4.7.1" in the case of defer actions. See
170 "ENHANCED STATUS CODES" below.
171 4NN text
173 5NN text
175 Reject the address etc. that matches the pattern, and respond
176 with the numerical three-digit code and text. 4NN means "try
177 again later", while 5NN means "do not try again".
178 The following responses have special meaning for the Postfix
180 SMTP server:
181 421 text (Postfix 2.3 and later)
183 521 text (Postfix 2.6 and later)
185 After responding with the numerical three-digit code and
186 text, disconnect immediately from the SMTP client. This
187 frees up SMTP server resources so that they can be made
188 available to another SMTP client.
189 Note: The "521" response should be used only with botnets
191 and other malware where interoperability is of no con‐
192 cern. The "send 521 and disconnect" behavior is NOT
193 defined in the SMTP standard.
194 REJECT optional text...
196 Reject the address etc. that matches the pattern. Reply with
197 "$access_map_reject_code optional text..." when the optional
198 text is specified, otherwise reply with a generic error response
199 message.
200 DEFER optional text...
202 Reject the address etc. that matches the pattern. Reply with
203 "$access_map_defer_code optional text..." when the optional text
204 is specified, otherwise reply with a generic error response mes‐
205 sage.
206 This feature is available in Postfix 2.6 and later.
208 DEFER_IF_REJECT optional text...
210 Defer the request if some later restriction would result in a
211 REJECT action. Reply with "$access_map_defer_code 4.7.1 optional
212 text..." when the optional text is specified, otherwise reply
213 with a generic error response message.
214 Prior to Postfix 2.6, the SMTP reply code is 450.
216 This feature is available in Postfix 2.1 and later.
218 DEFER_IF_PERMIT optional text...
220 Defer the request if some later restriction would result in a an
221 explicit or implicit PERMIT action. Reply with
222 "$access_map_defer_code 4.7.1 optional text..." when the
223 optional text is specified, otherwise reply with a generic error
224 response message.
225 Prior to Postfix 2.6, the SMTP reply code is 450.
227 This feature is available in Postfix 2.1 and later.
229
231 restriction...
232 Apply the named UCE restriction(s) (permit, reject,
233 reject_unauth_destination, and so on).
234 BCC user@domain
236 Send one copy of the message to the specified recipient.
237 If multiple BCC actions are specified within the same SMTP MAIL
239 transaction, only the last action will be used.
240 This feature is not part of the stable Postfix release.
242 DISCARD optional text...
244 Claim successful delivery and silently discard the message. Log
245 the optional text if specified, otherwise log a generic message.
246 Note: this action currently affects all recipients of the mes‐
248 sage. To discard only one recipient without discarding the
249 entire message, use the transport(5) table to direct mail to the
250 discard(8) service.
251 This feature is available in Postfix 2.0 and later.
253 DUNNO Pretend that the lookup key was not found. This prevents Postfix
255 from trying substrings of the lookup key (such as a subdomain
256 name, or a network address subnetwork).
257 This feature is available in Postfix 2.0 and later.
259 FILTER transport:destination
261 After the message is queued, send the entire message through the
262 specified external content filter. The transport name specifies
263 the first field of a mail delivery agent definition in mas‐
264 ter.cf; the syntax of the next-hop destination is described in
265 the manual page of the corresponding delivery agent. More
266 information about external content filters is in the Postfix
267 FILTER_README file.
268 Note 1: do not use $number regular expression substitutions for
270 transport or destination unless you know that the information
271 has a trusted origin.
272 Note 2: this action overrides the main.cf content_filter set‐
274 ting, and affects all recipients of the message. In the case
275 that multiple FILTER actions fire, only the last one is exe‐
276 cuted.
277 Note 3: the purpose of the FILTER command is to override message
279 routing. To override the recipient's transport but not the
280 next-hop destination, specify an empty filter destination (Post‐
281 fix 2.7 and later), or specify a transport:destination that
282 delivers through a different Postfix instance (Postfix 2.6 and
283 earlier). Other options are using the recipient-dependent trans‐
284 port_maps or the sender-dependent sender_dependent_default‐
285 _transport_maps features.
286 This feature is available in Postfix 2.0 and later.
288 HOLD optional text...
290 Place the message on the hold queue, where it will sit until
291 someone either deletes it or releases it for delivery. Log the
292 optional text if specified, otherwise log a generic message.
293 Mail that is placed on hold can be examined with the postcat(1)
295 command, and can be destroyed or released with the postsuper(1)
296 command.
297 Note: use "postsuper -r" to release mail that was kept on hold
299 for a significant fraction of $maximal_queue_lifetime or
300 $bounce_queue_lifetime, or longer. Use "postsuper -H" only for
301 mail that will not expire within a few delivery attempts.
302 Note: this action currently affects all recipients of the mes‐
304 sage.
305 This feature is available in Postfix 2.0 and later.
307 PREPEND headername: headervalue
309 Prepend the specified message header to the message. When more
310 than one PREPEND action executes, the first prepended header
311 appears before the second etc. prepended header.
312 Note: this action must execute before the message content is
314 received; it cannot execute in the context of
315 smtpd_end_of_data_restrictions.
316 This feature is available in Postfix 2.1 and later.
318 REDIRECT user@domain
320 After the message is queued, send the message to the specified
321 address instead of the intended recipient(s).
322 Note: this action overrides the FILTER action, and currently
324 affects all recipients of the message.
325 This feature is available in Postfix 2.1 and later.
327 WARN optional text...
329 Log a warning with the optional text, together with client
330 information and if available, with helo, sender, recipient and
331 protocol information.
332 This feature is available in Postfix 2.1 and later.
334
336 Postfix version 2.3 and later support enhanced status codes as defined
337 in RFC 3463. When an enhanced status code is specified in an access
338 table, it is subject to modification. The following transformations are
339 needed when the same access table is used for client, helo, sender, or
340 recipient access restrictions; they happen regardless of whether Post‐
341 fix replies to a MAIL FROM, RCPT TO or other SMTP command.
342 · When a sender address matches a REJECT action, the Postfix SMTP
344 server will transform a recipient DSN status (e.g., 4.1.1-4.1.6)
345 into the corresponding sender DSN status, and vice versa.
346 · When non-address information matches a REJECT action (such as
348 the HELO command argument or the client hostname/address), the
349 Postfix SMTP server will transform a sender or recipient DSN
350 status into a generic non-address DSN status (e.g., 4.0.0).
351
353 This section describes how the table lookups change when the table is
354 given in the form of regular expressions. For a description of regular
355 expression lookup table syntax, see regexp_table(5) or pcre_table(5).
356 Each pattern is a regular expression that is applied to the entire
358 string being looked up. Depending on the application, that string is an
359 entire client hostname, an entire client IP address, or an entire mail
360 address. Thus, no parent domain or parent network search is done,
361 user@domain mail addresses are not broken up into their user@ and
362 domain constituent parts, nor is user+foo broken up into user and foo.
363 Patterns are applied in the order as specified in the table, until a
365 pattern is found that matches the search string.
366 Actions are the same as with indexed file lookups, with the additional
368 feature that parenthesized substrings from the pattern can be interpo‐
369 lated as $1, $2 and so on.
370
372 This section describes how the table lookups change when lookups are
373 directed to a TCP-based server. For a description of the TCP
374 client/server lookup protocol, see tcp_table(5). This feature is not
375 available up to and including Postfix version 2.4.
376 Each lookup operation uses the entire query string once. Depending on
378 the application, that string is an entire client hostname, an entire
379 client IP address, or an entire mail address. Thus, no parent domain
380 or parent network search is done, user@domain mail addresses are not
381 broken up into their user@ and domain constituent parts, nor is
382 user+foo broken up into user and foo.
383 Actions are the same as with indexed file lookups.
385
387 The following example uses an indexed file, so that the order of table
388 entries does not matter. The example permits access by the client at
389 address 1.2.3.4 but rejects all other clients in 1.2.3.0/24. Instead of
390 hash lookup tables, some systems use dbm. Use the command "postconf
391 -m" to find out what lookup tables Postfix supports on your system.
392 /etc/postfix/main.cf:
394 smtpd_client_restrictions =
395 check_client_access hash:/etc/postfix/access
396 /etc/postfix/access:
398 1.2.3 REJECT
399 1.2.3.4 OK
400 Execute the command "postmap /etc/postfix/access" after editing the
402 file.
403
405 The table format does not understand quoting conventions.
406
408 postmap(1), Postfix lookup table manager
409 smtpd(8), SMTP server
410 postconf(5), configuration parameters
411 transport(5), transport:nexthop syntax
412
414 Use "postconf readme_directory" or "postconf html_directory" to locate
415 this information.
416 SMTPD_ACCESS_README, built-in SMTP server access control
417 DATABASE_README, Postfix lookup table overview
418
420 The Secure Mailer license must be distributed with this software.
421
423 Wietse Venema
424 IBM T.J. Watson Research
425 P.O. Box 704
426 Yorktown Heights, NY 10598, USA
427 ACCESS(5)