1HEADER_CHECKS(5)              File Formats Manual             HEADER_CHECKS(5)
2
3
4

NAME

6       header_checks - Postfix built-in content inspection
7

SYNOPSIS

9       header_checks = pcre:/etc/postfix/header_checks
10       mime_header_checks = pcre:/etc/postfix/mime_header_checks
11       nested_header_checks = pcre:/etc/postfix/nested_header_checks
12       body_checks = pcre:/etc/postfix/body_checks
13
14       postmap -q "string" pcre:/etc/postfix/filename
15       postmap -q - pcre:/etc/postfix/filename <inputfile
16

DESCRIPTION

18       This  document describes access control on the content of message head‐
19       ers and message body lines; it is implemented by the Postfix cleanup(8)
20       server  before  mail  is  queued.   See access(5) for access control on
21       remote SMTP client information.
22
23       Each message header or message body line is compared against a list  of
24       patterns.   When a match is found the corresponding action is executed,
25       and the matching process is repeated for the  next  message  header  or
26       message body line.
27
28       For examples, see the EXAMPLES section at the end of this manual page.
29
30       Postfix header or body_checks are designed to stop a flood of mail from
31       worms or viruses; they do not decode attachments, and they do not unzip
32       archives.  See  the documents referenced below in the README FILES sec‐
33       tion if you need more sophisticated content analysis.
34
35       Postfix supports four built-in content inspection classes:
36
37       header_checks
38              These are applied to initial message  headers  (except  for  the
39              headers that are processed with mime_header_checks).
40
41       mime_header_checks (default: $header_checks)
42              These are applied to MIME related message headers only.
43
44              This feature is available in Postfix 2.0 and later.
45
46       nested_header_checks (default: $header_checks)
47              These  are applied to message headers of attached email messages
48              (except   for   the   headers   that    are    processed    with
49              mime_header_checks).
50
51              This feature is available in Postfix 2.0 and later.
52
53       body_checks
54              These  are  applied  to  all other content, including multi-part
55              message boundaries.
56
57              With Postfix versions before 2.0, all content after the  initial
58              message headers is treated as body content.
59
60       Note:  message  headers are examined one logical header at a time, even
61       when a message header spans multiple lines. Body lines are always exam‐
62       ined one line at a time.
63

COMPATIBILITY

65       With  Postfix  version 2.2 and earlier specify "postmap -fq" to query a
66       table that contains case sensitive patterns. By  default,  regexp:  and
67       pcre: patterns are case insensitive.
68

TABLE FORMAT

70       This  document  assumes that header and body_checks rules are specified
71       in the form of Postfix regular expression lookup  tables.  Usually  the
72       best performance is obtained with pcre (Perl Compatible Regular Expres‐
73       sion) tables, but the slower regexp (POSIX regular expressions) support
74       is  more  widely  available.  Use the command "postconf -m" to find out
75       what lookup table types your Postfix system supports.
76
77       The general format of Postfix regular expression tables is given below.
78       For a discussion of specific pattern or flags syntax, see pcre_table(5)
79       or regexp_table(5), respectively.
80
81       /pattern/flags action
82              When /pattern/ matches the input string, execute the correspond‐
83              ing action. See below for a list of possible actions.
84
85       !/pattern/flags action
86              When /pattern/ does not match the input string, execute the cor‐
87              responding action.
88
89       if /pattern/flags
90
91       endif  Match the input string  against  the  patterns  between  if  and
92              endif,  if  and only if the same input string also matches /pat‐
93              tern/. The if..endif can nest.
94
95              Note: do not prepend whitespace to patterns inside if..endif.
96
97       if !/pattern/flags
98
99       endif  Match the input string  against  the  patterns  between  if  and
100              endif, if and only if the same input string does not match /pat‐
101              tern/. The if..endif can nest.
102
103       blank lines and comments
104              Empty lines and whitespace-only lines are ignored, as are  lines
105              whose first non-whitespace character is a `#'.
106
107       multi-line text
108              A  pattern/action  line  starts with non-whitespace text. A line
109              that starts with whitespace continues a logical line.
110

TABLE SEARCH ORDER

112       For each line of message input, the patterns are applied in  the  order
113       as  specified  in  the  table. When a pattern is found that matches the
114       input line, the corresponding action is  executed  and  then  the  next
115       input line is inspected.
116

TEXT SUBSTITUTION

118       Substitution  of substrings from the matched expression into the action
119       string is possible using the conventional Perl syntax ($1,  $2,  etc.).
120       The  macros in the result string may need to be written as ${n} or $(n)
121       if they aren't followed by whitespace.
122
123       Note: since negated patterns (those preceded by !) return a result when
124       the  expression  does  not  match,  substitutions are not available for
125       negated patterns.
126

ACTIONS

128       Action names are case insensitive. They are shown  in  upper  case  for
129       consistency with other Postfix documentation.
130
131       DISCARD optional text...
132              Claim successful delivery and silently discard the message.  Log
133              the optional text if specified, otherwise log a generic message.
134
135              Note: this action disables further header or body_checks inspec‐
136              tion of the current message and affects all recipients.  To dis‐
137              card only one recipient without discarding the  entire  message,
138              use the transport(5) table to direct mail to the discard(8) ser‐
139              vice.
140
141              This feature is available in Postfix 2.0 and later.
142
143       DUNNO  Pretend that the input line  did  not  match  any  pattern,  and
144              inspect  the next input line. This action can be used to shorten
145              the table search.
146
147              For backwards compatibility reasons, Postfix also accepts OK but
148              it is (and always has been) treated as DUNNO.
149
150              This feature is available in Postfix 2.1 and later.
151
152       FILTER transport:destination
153              Write  a  content  filter request to the queue file, and inspect
154              the next input line.  After the complete message is received  it
155              will  be  sent  through  the  specified external content filter.
156              More information about external content filters is in the  Post‐
157              fix FILTER_README file.
158
159              Note:  this  action  overrides  the  content_filter setting, and
160              affects all recipients of the message. In the case that multiple
161              FILTER actions fire, only the last one is executed.
162
163              This feature is available in Postfix 2.0 and later.
164
165       HOLD optional text...
166              Arrange  for  the  message  to  be placed on the hold queue, and
167              inspect the next input line.  The message remains on hold  until
168              someone  either deletes it or releases it for delivery.  Log the
169              optional text if specified, otherwise log a generic message.
170
171              Mail that is placed on hold can be examined with the  postcat(1)
172              command,  and can be destroyed or released with the postsuper(1)
173              command.
174
175              Note: use "postsuper -r" to release mail that was kept  on  hold
176              for   a   significant  fraction  of  $maximal_queue_lifetime  or
177              $bounce_queue_lifetime, or longer. Use "postsuper -H"  only  for
178              mail that will not expire within a few delivery attempts.
179
180              Note: this action affects all recipients of the message.
181
182              This feature is available in Postfix 2.0 and later.
183
184       IGNORE Delete  the  current  line  from the input, and inspect the next
185              input line.
186
187       PREPEND text...
188              Prepend one line with the specified text, and inspect  the  next
189              input line.
190
191              Notes:
192
193              ·      The  prepended text is output on a separate line, immedi‐
194                     ately before the input that triggered the PREPEND action.
195
196              ·      The prepended text is not considered part  of  the  input
197                     stream:  it  is  not  subject  to  header/body  checks or
198                     address rewriting, and it does not affect  the  way  that
199                     Postfix adds missing message headers.
200
201              ·      When  prepending  text  before a message header line, the
202                     prepended text must begin with  a  valid  message  header
203                     label.
204
205              ·      This action cannot be used to prepend multi-line text.
206
207              This feature is available in Postfix 2.1 and later.
208
209       REDIRECT user@domain
210              Write  a  message  redirection  request  to  the queue file, and
211              inspect the next input line. After the  message  is  queued,  it
212              will  be  sent  to the specified address instead of the intended
213              recipient(s).
214
215              Note: this action overrides the FILTER action, and  affects  all
216              recipients  of  the  message. If multiple REDIRECT actions fire,
217              only the last one is executed.
218
219              This feature is available in Postfix 2.1 and later.
220
221       REPLACE text...
222              Replace the current line with the specified  text,  and  inspect
223              the next input line.
224
225              This feature is available in Postfix 2.2 and later. The descrip‐
226              tion below applies to Postfix 2.2.2 and later.
227
228              Notes:
229
230              ·      When replacing a message  header  line,  the  replacement
231                     text must begin with a valid header label.
232
233              ·      The  replaced  text  remains  part  of  the input stream.
234                     Unlike the result from the  PREPEND  action,  a  replaced
235                     message  header  may  be subject to address rewriting and
236                     may affect the way  that  Postfix  adds  missing  message
237                     headers.
238
239       REJECT optional text...
240              Reject  the entire message. Reply with optional text... when the
241              optional text is specified, otherwise reply with a generic error
242              message.
243
244              Note: this action disables further header or body_checks inspec‐
245              tion of the current message and affects all recipients.
246
247              Postfix version 2.3 and later  support  enhanced  status  codes.
248              When  no code is specified at the beginning of optional text...,
249              Postfix inserts a default enhanced status code of "5.7.1".
250
251       WARN optional text...
252              Log a warning with the optional text... (or log a  generic  mes‐
253              sage),  and  inspect  the next input line. This action is useful
254              for debugging and for testing a  pattern  before  applying  more
255              drastic actions.
256

BUGS

258       Empty lines never match, because some map types mis-behave when given a
259       zero-length search string.  This limitation may be removed for  regular
260       expression tables in a future release.
261
262       Many  people  overlook  the  main limitations of header and body_checks
263       rules.
264
265       ·      These rules operate on one logical message header  or  one  body
266              line at a time. A decision made for one line is not carried over
267              to the next line.
268
269       ·      If text in the message body is encoded (RFC 2045) then the rules
270              need to be specified for the encoded form.
271
272       ·      Likewise,  when  message headers are encoded (RFC 2047) then the
273              rules need to be specified for the encoded form.
274
275       Message headers added by the cleanup(8) daemon itself are excluded from
276       inspection.  Examples  of such message headers are From:, To:, Message-
277       ID:, Date:.
278
279       Message headers deleted by  the  cleanup(8)  daemon  will  be  examined
280       before  they  are deleted. Examples are: Bcc:, Content-Length:, Return-
281       Path:.
282

CONFIGURATION PARAMETERS

284       body_checks
285              Lookup tables with content filter rules for message body  lines.
286              These  filters  see one physical line at a time, in chunks of at
287              most $line_length_limit bytes.
288
289       body_checks_size_limit
290              The amount of content per message body segment (attachment) that
291              is subjected to $body_checks filtering.
292
293       header_checks
294
295       mime_header_checks (default: $header_checks)
296
297       nested_header_checks (default: $header_checks)
298              Lookup  tables  with  content  filter  rules  for message header
299              lines: respectively, these are applied to  the  initial  message
300              headers  (not  including MIME headers), to the MIME headers any‐
301              where in the message, and to the  initial  headers  of  attached
302              messages.
303
304              Note:  these  filters  see one logical message header at a time,
305              even when a message header spans multiple lines. Message headers
306              that  are  longer  than  $header_size_limit characters are trun‐
307              cated.
308
309       disable_mime_input_processing
310              While receiving mail, give no special treatment to MIME  related
311              message  headers;  all text after the initial message headers is
312              considered to be part of  the  message  body.  This  means  that
313              header_checks is applied to all the initial message headers, and
314              that body_checks is applied to the remainder of the message.
315
316              Note: when used in  this  manner,  body_checks  will  process  a
317              multi-line message header one line at a time.
318

EXAMPLES

320       Header pattern to block attachments with bad file name extensions.  For
321       convenience, the PCRE /x flag is specified, so that there is no need to
322       collapse  the  pattern  into a single line of text.  The purpose of the
323       [[:xdigit:]] sub-expressions is to recognize Windows CLSID strings.
324
325       /etc/postfix/main.cf:
326           header_checks = pcre:/etc/postfix/header_checks.pcre
327
328       /etc/postfix/header_checks.pcre:
329           /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
330             ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
331             hlp|ht[at]|
332             inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
333             \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
334             ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
335             vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
336               REJECT Attachment name "$2" may not end with ".$4"
337
338       Body pattern to stop a specific HTML browser vulnerability exploit.
339
340       /etc/postfix/main.cf:
341           body_checks = regexp:/etc/postfix/body_checks
342
343       /etc/postfix/body_checks:
344           /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
345               REJECT IFRAME vulnerability exploit
346

SEE ALSO

348       cleanup(8), canonicalize and enqueue Postfix message
349       pcre_table(5), format of PCRE lookup tables
350       regexp_table(5), format of POSIX regular expression tables
351       postconf(1), Postfix configuration utility
352       postmap(1), Postfix lookup table management
353       postsuper(1), Postfix janitor
354       postcat(1), show Postfix queue file contents
355       RFC 2045, base64 and quoted-printable encoding rules
356       RFC 2047, message header encoding for non-ASCII text
357

README FILES

359       Use "postconf readme_directory" or "postconf html_directory" to  locate
360       this information.
361       DATABASE_README, Postfix lookup table overview
362       CONTENT_INSPECTION_README, Postfix content inspection overview
363       BUILTIN_FILTER_README, Postfix built-in content inspection
364       BACKSCATTER_README, blocking returned forged mail
365

LICENSE

367       The Secure Mailer license must be distributed with this software.
368

AUTHOR(S)

370       Wietse Venema
371       IBM T.J. Watson Research
372       P.O. Box 704
373       Yorktown Heights, NY 10598, USA
374
375
376
377                                                              HEADER_CHECKS(5)
Impressum