1ACCESS(5) File Formats Manual ACCESS(5)
2
6 access - Postfix SMTP server access table
7
9 postmap /etc/postfix/access
10 postmap -q "string" /etc/postfix/access
12 postmap -q - /etc/postfix/access <inputfile
14
16 This document describes access control on remote SMTP client informa‐
17 tion: host names, network addresses, and envelope sender or recipient
18 addresses; it is implemented by the Postfix SMTP server. See
19 header_checks(5) or body_checks(5) for access control on the content of
20 email messages.
21 Normally, the access(5) table is specified as a text file that serves
23 as input to the postmap(1) command. The result, an indexed file in dbm
24 or db format, is used for fast searching by the mail system. Execute
25 the command "postmap /etc/postfix/access" to rebuild an indexed file
26 after changing the corresponding text file.
27 When the table is provided via other means such as NIS, LDAP or SQL,
29 the same lookups are done as for ordinary indexed files.
30 Alternatively, the table can be provided as a regular-expression map
32 where patterns are given as regular expressions, or lookups can be
33 directed to TCP-based server. In those cases, the lookups are done in a
34 slightly different way as described below under "REGULAR EXPRESSION
35 TABLES" or "TCP-BASED TABLES".
36
38 The search string is folded to lowercase before database lookup. As of
39 Postfix 2.3, the search string is not case folded with database types
40 such as regexp: or pcre: whose lookup fields can match both upper and
41 lower case.
42
44 The input format for the postmap(1) command is as follows:
45 pattern action
47 When pattern matches a mail address, domain or host address,
48 perform the corresponding action.
49 blank lines and comments
51 Empty lines and whitespace-only lines are ignored, as are lines
52 whose first non-whitespace character is a `#'.
53 multi-line text
55 A logical line starts with non-whitespace text. A line that
56 starts with whitespace continues a logical line.
57
59 With lookups from indexed files such as DB or DBM, or from networked
60 tables such as NIS, LDAP or SQL, patterns are tried in the order as
61 listed below:
62 user@domain
64 Matches the specified mail address.
65 domain.tld
67 Matches domain.tld as the domain part of an email address.
68 The pattern domain.tld also matches subdomains, but only when
70 the string smtpd_access_maps is listed in the Postfix par‐
71 ent_domain_matches_subdomains configuration setting (note that
72 this is the default for some versions of Postfix). Otherwise,
73 specify .domain.tld (note the initial dot) in order to match
74 subdomains.
75 user@ Matches all mail addresses with the specified user part.
77 Note: lookup of the null sender address is not possible with some types
79 of lookup table. By default, Postfix uses <> as the lookup key for such
80 addresses. The value is specified with the smtpd_null_access_lookup_key
81 parameter in the Postfix main.cf file.
82
84 When a mail address localpart contains the optional recipient delimiter
85 (e.g., user+foo@domain), the lookup order becomes: user+foo@domain,
86 user@domain, domain, user+foo@, and user@.
87
89 With lookups from indexed files such as DB or DBM, or from networked
90 tables such as NIS, LDAP or SQL, the following lookup patterns are
91 examined in the order as listed:
92 domain.tld
94 Matches domain.tld.
95 The pattern domain.tld also matches subdomains, but only when
97 the string smtpd_access_maps is listed in the Postfix par‐
98 ent_domain_matches_subdomains configuration setting. Otherwise,
99 specify .domain.tld (note the initial dot) in order to match
100 subdomains.
101 net.work.addr.ess
103 net.work.addr
105 net.work
107 net Matches the specified IPv4 host address or subnetwork. An IPv4
109 host address is a sequence of four decimal octets separated by
110 ".".
111 Subnetworks are matched by repeatedly truncating the last
113 ".octet" from the remote IPv4 host address string until a match
114 is found in the access table, or until further truncation is not
115 possible.
116 NOTE 1: The access map lookup key must be in canonical form: do
118 not specify unnecessary null characters, and do not enclose net‐
119 work address information with "[]" characters.
120 NOTE 2: use the cidr lookup table type to specify network/net‐
122 mask patterns. See cidr_table(5) for details.
123 net:work:addr:ess
125 net:work:addr
127 net:work
129 net Matches the specified IPv6 host address or subnetwork. An IPv6
131 host address is a sequence of three to eight hexadecimal octet
132 pairs separated by ":".
133 Subnetworks are matched by repeatedly truncating the last
135 ":octetpair" from the remote IPv6 host address string until a
136 match is found in the access table, or until further truncation
137 is not possible.
138 NOTE 1: the truncation and comparison are done with the string
140 representation of the IPv6 host address. Thus, not all the ":"
141 subnetworks will be tried.
142 NOTE 2: The access map lookup key must be in canonical form: do
144 not specify unnecessary null characters, and do not enclose net‐
145 work address information with "[]" characters.
146 NOTE 3: use the cidr lookup table type to specify network/net‐
148 mask patterns. See cidr_table(5) for details.
149 IPv6 support is available in Postfix 2.2 and later.
151
153 OK Accept the address etc. that matches the pattern.
154 all-numerical
156 An all-numerical result is treated as OK. This format is gener‐
157 ated by address-based relay authorization schemes such as pop-
158 before-smtp.
159
161 Postfix version 2.3 and later support enhanced status codes as defined
162 in RFC 3463. When no code is specified at the beginning of the text
163 below, Postfix inserts a default enhanced status code of "5.7.1" in the
164 case of reject actions, and "4.7.1" in the case of defer actions. See
165 "ENHANCED STATUS CODES" below.
166 4NN text
168 5NN text
170 Reject the address etc. that matches the pattern, and respond
171 with the numerical three-digit code and text. 4NN means "try
172 again later", while 5NN means "do not try again".
173 The following responses have special meaning for the Postfix
175 SMTP server:
176 421 text (Postfix 2.3 and later)
178 521 text (Postfix 2.6 and later)
180 After responding with the numerical three-digit code and
181 text, disconnect immediately from the SMTP client. This
182 frees up SMTP server resources so that they can be made
183 available to another SMTP client.
184 Note: The "521" response should be used only with botnets
186 and other malware where interoperability is of no con‐
187 cern. The "send 521 and disconnect" behavior is NOT
188 defined in the SMTP standard.
189 REJECT optional text...
191 Reject the address etc. that matches the pattern. Reply with
192 "$access_map_reject_code optional text..." when the optional
193 text is specified, otherwise reply with a generic error response
194 message.
195 DEFER optional text...
197 Reject the address etc. that matches the pattern. Reply with
198 "$access_map_defer_code optional text..." when the optional text
199 is specified, otherwise reply with a generic error response mes‐
200 sage.
201 This feature is available in Postfix 2.6 and later.
203 DEFER_IF_REJECT optional text...
205 Defer the request if some later restriction would result in a
206 REJECT action. Reply with "$access_map_defer_code 4.7.1 optional
207 text..." when the optional text is specified, otherwise reply
208 with a generic error response message.
209 Prior to Postfix 2.6, the SMTP reply code is 450.
211 This feature is available in Postfix 2.1 and later.
213 DEFER_IF_PERMIT optional text...
215 Defer the request if some later restriction would result in a an
216 explicit or implicit PERMIT action. Reply with
217 "$access_map_defer_code 4.7.1 optional text..." when the
218 optional text is specified, otherwise reply with a generic error
219 response message.
220 Prior to Postfix 2.6, the SMTP reply code is 450.
222 This feature is available in Postfix 2.1 and later.
224
226 restriction...
227 Apply the named UCE restriction(s) (permit, reject,
228 reject_unauth_destination, and so on).
229 BCC user@domain
231 Send one copy of the message to the specified recipient.
232 If multiple BCC actions are specified within the same SMTP MAIL
234 transaction, only the last action will be used.
235 This feature is not part of the stable Postfix release.
237 DISCARD optional text...
239 Claim successful delivery and silently discard the message. Log
240 the optional text if specified, otherwise log a generic message.
241 Note: this action currently affects all recipients of the mes‐
243 sage. To discard only one recipient without discarding the
244 entire message, use the transport(5) table to direct mail to the
245 discard(8) service.
246 This feature is available in Postfix 2.0 and later.
248 DUNNO Pretend that the lookup key was not found. This prevents Postfix
250 from trying substrings of the lookup key (such as a subdomain
251 name, or a network address subnetwork).
252 This feature is available in Postfix 2.0 and later.
254 FILTER transport:destination
256 After the message is queued, send the entire message through the
257 specified external content filter. The transport:destination
258 syntax is described in the transport(5) manual page. More
259 information about external content filters is in the Postfix
260 FILTER_README file.
261 Note: this action overrides the content_filter setting, and cur‐
263 rently affects all recipients of the message.
264 This feature is available in Postfix 2.0 and later.
266 HOLD optional text...
268 Place the message on the hold queue, where it will sit until
269 someone either deletes it or releases it for delivery. Log the
270 optional text if specified, otherwise log a generic message.
271 Mail that is placed on hold can be examined with the postcat(1)
273 command, and can be destroyed or released with the postsuper(1)
274 command.
275 Note: use "postsuper -r" to release mail that was kept on hold
277 for a significant fraction of $maximal_queue_lifetime or
278 $bounce_queue_lifetime, or longer. Use "postsuper -H" only for
279 mail that will not expire within a few delivery attempts.
280 Note: this action currently affects all recipients of the mes‐
282 sage.
283 This feature is available in Postfix 2.0 and later.
285 PREPEND headername: headervalue
287 Prepend the specified message header to the message. When more
288 than one PREPEND action executes, the first prepended header
289 appears before the second etc. prepended header.
290 Note: this action must execute before the message content is
292 received; it cannot execute in the context of
293 smtpd_end_of_data_restrictions.
294 This feature is available in Postfix 2.1 and later.
296 REDIRECT user@domain
298 After the message is queued, send the message to the specified
299 address instead of the intended recipient(s).
300 Note: this action overrides the FILTER action, and currently
302 affects all recipients of the message.
303 This feature is available in Postfix 2.1 and later.
305 WARN optional text...
307 Log a warning with the optional text, together with client
308 information and if available, with helo, sender, recipient and
309 protocol information.
310 This feature is available in Postfix 2.1 and later.
312
314 Postfix version 2.3 and later support enhanced status codes as defined
315 in RFC 3463. When an enhanced status code is specified in an access
316 table, it is subject to modification. The following transformations are
317 needed when the same access table is used for client, helo, sender, or
318 recipient access restrictions; they happen regardless of whether Post‐
319 fix replies to a MAIL FROM, RCPT TO or other SMTP command.
320 · When a sender address matches a REJECT action, the Postfix SMTP
322 server will transform a recipient DSN status (e.g., 4.1.1-4.1.6)
323 into the corresponding sender DSN status, and vice versa.
324 · When non-address information matches a REJECT action (such as
326 the HELO command argument or the client hostname/address), the
327 Postfix SMTP server will transform a sender or recipient DSN
328 status into a generic non-address DSN status (e.g., 4.0.0).
329
331 This section describes how the table lookups change when the table is
332 given in the form of regular expressions. For a description of regular
333 expression lookup table syntax, see regexp_table(5) or pcre_table(5).
334 Each pattern is a regular expression that is applied to the entire
336 string being looked up. Depending on the application, that string is an
337 entire client hostname, an entire client IP address, or an entire mail
338 address. Thus, no parent domain or parent network search is done,
339 user@domain mail addresses are not broken up into their user@ and
340 domain constituent parts, nor is user+foo broken up into user and foo.
341 Patterns are applied in the order as specified in the table, until a
343 pattern is found that matches the search string.
344 Actions are the same as with indexed file lookups, with the additional
346 feature that parenthesized substrings from the pattern can be interpo‐
347 lated as $1, $2 and so on.
348
350 This section describes how the table lookups change when lookups are
351 directed to a TCP-based server. For a description of the TCP
352 client/server lookup protocol, see tcp_table(5). This feature is not
353 available up to and including Postfix version 2.4.
354 Each lookup operation uses the entire query string once. Depending on
356 the application, that string is an entire client hostname, an entire
357 client IP address, or an entire mail address. Thus, no parent domain
358 or parent network search is done, user@domain mail addresses are not
359 broken up into their user@ and domain constituent parts, nor is
360 user+foo broken up into user and foo.
361 Actions are the same as with indexed file lookups.
363
365 The following example uses an indexed file, so that the order of table
366 entries does not matter. The example permits access by the client at
367 address 1.2.3.4 but rejects all other clients in 1.2.3.0/24. Instead of
368 hash lookup tables, some systems use dbm. Use the command "postconf
369 -m" to find out what lookup tables Postfix supports on your system.
370 /etc/postfix/main.cf:
372 smtpd_client_restrictions =
373 check_client_access hash:/etc/postfix/access
374 /etc/postfix/access:
376 1.2.3 REJECT
377 1.2.3.4 OK
378 Execute the command "postmap /etc/postfix/access" after editing the
380 file.
381
383 The table format does not understand quoting conventions.
384
386 postmap(1), Postfix lookup table manager
387 smtpd(8), SMTP server
388 postconf(5), configuration parameters
389 transport(5), transport:nexthop syntax
390
392 Use "postconf readme_directory" or "postconf html_directory" to locate
393 this information.
394 SMTPD_ACCESS_README, built-in SMTP server access control
395 DATABASE_README, Postfix lookup table overview
396
398 The Secure Mailer license must be distributed with this software.
399
401 Wietse Venema
402 IBM T.J. Watson Research
403 P.O. Box 704
404 Yorktown Heights, NY 10598, USA
405 ACCESS(5)