HEADER_CHECKS(5)               File Formats Manual              HEADER_CHECKS(5)

NAME
       header_checks - Postfix built-in content inspection

SYNOPSIS
       header_checks = pcre:/etc/postfix/header_checks
       mime_header_checks = pcre:/etc/postfix/mime_header_checks
       nested_header_checks = pcre:/etc/postfix/nested_header_checks
       body_checks = pcre:/etc/postfix/body_checks

       postmap -q "string" pcre:/etc/postfix/filename
       postmap -q - pcre:/etc/postfix/filename <inputfile

DESCRIPTION
       This document describes access control on the content of message
       headers and message body lines; it is implemented by the Postfix
       cleanup(8) server before mail is queued. See access(5) for access
       control on remote SMTP client information.

       Each message header or message body line is compared against a list
       of patterns. When a match is found the corresponding action is
       executed, and the matching process is repeated for the next message
       header or message body line.

       For examples, see the EXAMPLES section at the end of this manual page.

       Postfix header or body_checks are designed to stop a flood of mail
       from worms or viruses; they do not decode attachments, and they do
       not unzip archives. See the documents referenced below in the README
       FILES section if you need more sophisticated content analysis.

       Postfix supports four built-in content inspection classes:

       header_checks
              These are applied to initial message headers (except for the
              headers that are processed with mime_header_checks).

       mime_header_checks (default: $header_checks)
              These are applied to MIME related message headers only.

              This feature is available in Postfix 2.0 and later.

       nested_header_checks (default: $header_checks)
              These are applied to message headers of attached email
              messages (except for the headers that are processed with
              mime_header_checks).

              This feature is available in Postfix 2.0 and later.

       body_checks
              These are applied to all other content, including multi-part
              message boundaries.

              With Postfix versions before 2.0, all content after the
              initial message headers is treated as body content.

       Note: message headers are examined one logical header at a time, even
       when a message header spans multiple lines. Body lines are always
       examined one line at a time.

COMPATIBILITY
       With Postfix version 2.2 and earlier specify "postmap -fq" to query a
       table that contains case sensitive patterns. By default, regexp: and
       pcre: patterns are case insensitive.

TABLE FORMAT
       This document assumes that header and body_checks rules are specified
       in the form of Postfix regular expression lookup tables. Usually the
       best performance is obtained with pcre (Perl Compatible Regular
       Expression) tables, but the slower regexp (POSIX regular expressions)
       support is more widely available. Use the command "postconf -m" to
       find out what lookup table types your Postfix system supports.

       The general format of Postfix regular expression tables is given
       below. For a discussion of specific pattern or flags syntax, see
       pcre_table(5) or regexp_table(5), respectively.

       /pattern/flags action
              When /pattern/ matches the input string, execute the
              corresponding action. See below for a list of possible
              actions.

       !/pattern/flags action
              When /pattern/ does not match the input string, execute the
              corresponding action.

       if /pattern/flags

       endif  Match the input string against the patterns between if and
              endif, if and only if the same input string also matches
              /pattern/. The if..endif can nest.

              Note: do not prepend whitespace to patterns inside if..endif.

       if !/pattern/flags

       endif  Match the input string against the patterns between if and
              endif, if and only if the same input string does not match
              /pattern/. The if..endif can nest.

       blank lines and comments
              Empty lines and whitespace-only lines are ignored, as are
              lines whose first non-whitespace character is a `#'.

       multi-line text
              A pattern/action line starts with non-whitespace text. A line
              that starts with whitespace continues a logical line.

TABLE SEARCH ORDER
       For each line of message input, the patterns are applied in the order
       as specified in the table. When a pattern is found that matches the
       input line, the corresponding action is executed and then the next
       input line is inspected.

TEXT SUBSTITUTION
       Substitution of substrings from the matched expression into the
       action string is possible using the conventional Perl syntax ($1, $2,
       etc.). The macros in the result string may need to be written as ${n}
       or $(n) if they aren't followed by whitespace.

       Note: since negated patterns (those preceded by !) return a result
       when the expression does not match, substitutions are not available
       for negated patterns.
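       The TABLE FORMAT, TABLE SEARCH ORDER and TEXT SUBSTITUTION rules
       above, exercised by a small emulator added here; it is not Postfix
       code, it uses Python's re module in place of PCRE, and the table and
       header lines it runs are constructed for the example.

```python
# Added example, not Postfix code: emulates the table format above with Python's re instead of PCRE.
import re
_RULE = re.compile(r'^(!?)/((?:\\.|[^/\\])*)/([A-Za-z]*)\s*(.*)$')   # [!]/pattern/flags action

def _parse_rule(text):
    neg, body, flags, action = _RULE.match(text.strip()).groups()
    # Postfix tables match case insensitively unless the 'i' flag toggles that off; 'x' = verbose
    opts = (0 if 'i' in flags else re.IGNORECASE) | (re.VERBOSE if 'x' in flags else 0)
    return neg == '!', re.compile(body, opts), action

def parse_table(text):
    logical, rules, stack = [], [], []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue                                   # blank lines and comments are ignored
        if raw[0].isspace() and logical:
            logical[-1] += ' ' + raw.strip()           # leading whitespace continues a logical line
        else:
            logical.append(raw.strip())
    for line in logical:                               # rules: (guards, negate, regex, action)
        if line == 'endif':
            stack.pop()
        elif line.startswith('if '):
            stack.append(_parse_rule(line[3:])[:2])    # (negate, regex) guarding the block
        else:
            rules.append((list(stack),) + _parse_rule(line))
    return rules

def _substitute(action, m):
    # $1, ${1} and $(1) all refer to capture group 1 of the pattern that matched
    return re.sub(r'\$[{(]?(\d+)[})]?', lambda s: m.group(int(s.group(1))), action)

def lookup(rules, line):
    # First-match search: the action text for one logical line, or None when nothing matched
    for guards, negate, regex, action in rules:
        if not all((g.search(line) is None) == gneg for gneg, g in guards):
            continue                                   # inside an if..endif whose condition fails
        m = regex.search(line)
        if (m is None) == negate:                      # negated rules fire when the pattern does NOT match
            return None if action.upper() == 'DUNNO' else (action if negate else _substitute(action, m))
    return None

SAMPLE_TABLE = r'''# constructed header_checks table for this example
if /^X-Mailer:/
/^X-Mailer:\s*(.*)$/    WARN mailer is "$1"
endif
!/^(From|To|Subject|Date|X-Mailer):/    DUNNO
/^([^:]+):.*urgent/
    HOLD suspicious $1 header
'''
RULES = parse_table(SAMPLE_TABLE)
```

       The DUNNO rule stops the search for any header label it does not
       list, so "X-Priority: urgent" never reaches the HOLD rule while a
       Subject line does.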

ACTIONS
       Action names are case insensitive. They are shown in upper case for
       consistency with other Postfix documentation.

       DISCARD optional text...
              Claim successful delivery and silently discard the message.
              Log the optional text if specified, otherwise log a generic
              message.

              Note: this action disables further header or body_checks
              inspection of the current message and affects all recipients.
              To discard only one recipient without discarding the entire
              message, use the transport(5) table to direct mail to the
              discard(8) service.

              This feature is available in Postfix 2.0 and later.

       DUNNO  Pretend that the input line did not match any pattern, and
              inspect the next input line. This action can be used to
              shorten the table search.

              For backwards compatibility reasons, Postfix also accepts OK
              but it is (and always has been) treated as DUNNO.

              This feature is available in Postfix 2.1 and later.

       FILTER transport:destination
              Write a content filter request to the queue file, and inspect
              the next input line. After the complete message is received it
              will be sent through the specified external content filter.
              More information about external content filters is in the
              Postfix FILTER_README file.

              Note: this action overrides the content_filter setting, and
              affects all recipients of the message. In the case that
              multiple FILTER actions fire, only the last one is executed.

              This feature is available in Postfix 2.0 and later.

       HOLD optional text...
              Arrange for the message to be placed on the hold queue, and
              inspect the next input line. The message remains on hold until
              someone either deletes it or releases it for delivery. Log the
              optional text if specified, otherwise log a generic message.

              Mail that is placed on hold can be examined with the
              postcat(1) command, and can be destroyed or released with the
              postsuper(1) command.

              Note: use "postsuper -r" to release mail that was kept on hold
              for a significant fraction of $maximal_queue_lifetime or
              $bounce_queue_lifetime, or longer. Use "postsuper -H" only for
              mail that will not expire within a few delivery attempts.

              Note: this action affects all recipients of the message.

              This feature is available in Postfix 2.0 and later.

       IGNORE Delete the current line from the input, and inspect the next
              input line.

       PREPEND text...
              Prepend one line with the specified text, and inspect the next
              input line.

              Notes:

              ·      The prepended text is output on a separate line,
                     immediately before the input that triggered the PREPEND
                     action.

              ·      The prepended text is not considered part of the input
                     stream: it is not subject to header/body checks or
                     address rewriting, and it does not affect the way that
                     Postfix adds missing message headers.

              ·      When prepending text before a message header line, the
                     prepended text must begin with a valid message header
                     label.

              ·      This action cannot be used to prepend multi-line text.

              This feature is available in Postfix 2.1 and later.

       REDIRECT user@domain
              Write a message redirection request to the queue file, and
              inspect the next input line. After the message is queued, it
              will be sent to the specified address instead of the intended
              recipient(s).

              Note: this action overrides the FILTER action, and affects all
              recipients of the message. If multiple REDIRECT actions fire,
              only the last one is executed.

              This feature is available in Postfix 2.1 and later.

       REPLACE text...
              Replace the current line with the specified text, and inspect
              the next input line.

              This feature is available in Postfix 2.2 and later. The
              description below applies to Postfix 2.2.2 and later.

              Notes:

              ·      When replacing a message header line, the replacement
                     text must begin with a valid header label.

              ·      The replaced text remains part of the input stream.
                     Unlike the result from the PREPEND action, a replaced
                     message header may be subject to address rewriting and
                     may affect the way that Postfix adds missing message
                     headers.

       REJECT optional text...
              Reject the entire message. Reply with optional text... when
              the optional text is specified, otherwise reply with a generic
              error message.

              Note: this action disables further header or body_checks
              inspection of the current message and affects all recipients.

              Postfix version 2.3 and later support enhanced status codes.
              When no code is specified at the beginning of optional
              text..., Postfix inserts a default enhanced status code of
              "5.7.1".

       WARN optional text...
              Log a warning with the optional text... (or log a generic
              message), and inspect the next input line. This action is
              useful for debugging and for testing a pattern before applying
              more drastic actions.

BUGS
       Empty lines never match, because some map types mis-behave when given
       a zero-length search string. This limitation may be removed for
       regular expression tables in a future release.

       Many people overlook the main limitations of header and body_checks
       rules.

       ·      These rules operate on one logical message header or one body
              line at a time. A decision made for one line is not carried
              over to the next line.

       ·      If text in the message body is encoded (RFC 2045) then the
              rules need to be specified for the encoded form.

       ·      Likewise, when message headers are encoded (RFC 2047) then the
              rules need to be specified for the encoded form.

       Message headers added by the cleanup(8) daemon itself are excluded
       from inspection. Examples of such message headers are From:, To:,
       Message-ID:, Date:.

       Message headers deleted by the cleanup(8) daemon will be examined
       before they are deleted. Examples are: Bcc:, Content-Length:,
       Return-Path:.

CONFIGURATION PARAMETERS
       body_checks
              Lookup tables with content filter rules for message body
              lines. These filters see one physical line at a time, in
              chunks of at most $line_length_limit bytes.

       body_checks_size_limit
              The amount of content per message body segment (attachment)
              that is subjected to $body_checks filtering.

       header_checks

       mime_header_checks (default: $header_checks)

       nested_header_checks (default: $header_checks)
              Lookup tables with content filter rules for message header
              lines: respectively, these are applied to the initial message
              headers (not including MIME headers), to the MIME headers
              anywhere in the message, and to the initial headers of
              attached messages.

              Note: these filters see one logical message header at a time,
              even when a message header spans multiple lines. Message
              headers that are longer than $header_size_limit characters are
              truncated.

       disable_mime_input_processing
              While receiving mail, give no special treatment to MIME
              related message headers; all text after the initial message
              headers is considered to be part of the message body. This
              means that header_checks is applied to all the initial message
              headers, and that body_checks is applied to the remainder of
              the message.

              Note: when used in this manner, body_checks will process a
              multi-line message header one line at a time.

EXAMPLES
       Header pattern to block attachments with bad file name extensions.
       For convenience, the PCRE /x flag is specified, so that there is no
       need to collapse the pattern into a single line of text. The purpose
       of the [[:xdigit:]] sub-expressions is to recognize Windows CLSID
       strings.

       /etc/postfix/main.cf:
           header_checks = pcre:/etc/postfix/header_checks.pcre

       /etc/postfix/header_checks.pcre:
           /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
             ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
             hlp|ht[at]|
             inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
             \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
             ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
             vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
               REJECT Attachment name "$2" may not end with ".$4"

       Body pattern to stop a specific HTML browser vulnerability exploit.

       /etc/postfix/main.cf:
           body_checks = regexp:/etc/postfix/body_checks

       /etc/postfix/body_checks:
           /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
               REJECT IFRAME vulnerability exploit
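       The two rules above translated to Python's re module and run over
       constructed header and body lines; this is an added example, not
       code from the Postfix distribution. Python lacks the POSIX
       [[:xdigit:]] class, so it is spelled out as [0-9A-Fa-f], and the
       base64 line at the end illustrates the BUGS note that rules only
       see the encoded form of a body.

```python
# Added example (not from the manual): the two EXAMPLES rules above, translated to Python's re
# module and run over constructed lines.  [[:xdigit:]] is spelled out because Python lacks POSIX
# classes; IGNORECASE mirrors the Postfix default of case-insensitive matching.
import base64
import re

ATTACHMENT_RULE = re.compile(r'''
    ^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
    ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
    hlp|ht[at]|
    inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
    \{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}|
    ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
    vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)''', re.VERBOSE | re.IGNORECASE)

BODY_RULE = re.compile(r'^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$', re.IGNORECASE)

def check_mime_header(header):
    """Return the REJECT text for one logical MIME header, or None when the rule does not fire."""
    m = ATTACHMENT_RULE.search(header)
    if m is None:
        return None
    # $2 is the whole file name, $4 the offending extension (or a Windows CLSID)
    return 'REJECT Attachment name "%s" may not end with ".%s"' % (m.group(2), m.group(4))

def check_body_line(line):
    """True when the body rule fires for one physical body line."""
    return BODY_RULE.search(line) is not None

# Constructed sample input.  The second header carries a quoted-printable dot (=2E) inside an
# RFC 2047 encoded word, which the rule anticipates with (\.|=2E) and the trailing (\?=)?.
HEADERS = [
    'Content-Disposition: attachment; filename="invoice.exe"',
    'Content-Disposition: attachment; filename="=?us-ascii?Q?setup=2Ebat?="',
    'Content-Type: application/octet-stream; name="photo.jpg.{0123ABCD-4567-89EF-0123-456789ABCDEF}"',
    'Content-Type: text/plain; name="notes.txt"',
]
# The same <iframe> once as a quoted-printable body line and once base64-encoded: the rule only
# sees the encoded form, so the base64 variant never matches (the BUGS section's point).
QP_IFRAME = '<iframe src=3Dcid:part1 height=3D0 width=3D0>'
B64_IFRAME = base64.b64encode(b'<iframe src=cid:part1 height=0 width=0>').decode()

if __name__ == '__main__':
    for h in HEADERS:
        print(check_mime_header(h) or 'DUNNO (no match)', '<-', h)
    print('quoted-printable iframe:', check_body_line(QP_IFRAME), ' base64 iframe:', check_body_line(B64_IFRAME))
```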

SEE ALSO
       cleanup(8), canonicalize and enqueue Postfix message
       pcre_table(5), format of PCRE lookup tables
       regexp_table(5), format of POSIX regular expression tables
       postconf(1), Postfix configuration utility
       postmap(1), Postfix lookup table management
       postsuper(1), Postfix janitor
       postcat(1), show Postfix queue file contents
       RFC 2045, base64 and quoted-printable encoding rules
       RFC 2047, message header encoding for non-ASCII text

README FILES
       Use "postconf readme_directory" or "postconf html_directory" to
       locate this information.
       DATABASE_README, Postfix lookup table overview
       CONTENT_INSPECTION_README, Postfix content inspection overview
       BUILTIN_FILTER_README, Postfix built-in content inspection
       BACKSCATTER_README, blocking returned forged mail

LICENSE
       The Secure Mailer license must be distributed with this software.

AUTHOR(S)
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

                                                               HEADER_CHECKS(5)