HEADER_CHECKS(5)              File Formats Manual             HEADER_CHECKS(5)

NAME
       header_checks - Postfix built-in content inspection

SYNOPSIS
       header_checks = pcre:/etc/postfix/header_checks
       mime_header_checks = pcre:/etc/postfix/mime_header_checks
       nested_header_checks = pcre:/etc/postfix/nested_header_checks
       body_checks = pcre:/etc/postfix/body_checks

       postmap -q "string" pcre:/etc/postfix/filename
       postmap -q - pcre:/etc/postfix/filename <inputfile

DESCRIPTION
       This document describes access control on the content of message
       headers and message body lines; it is implemented by the Postfix
       cleanup(8) server before mail is queued. See access(5) for access
       control on remote SMTP client information.

       Each message header or message body line is compared against a list
       of patterns. When a match is found the corresponding action is
       executed, and the matching process is repeated for the next message
       header or message body line.

       For examples, see the EXAMPLES section at the end of this manual page.

       Postfix header or body_checks are designed to stop a flood of mail
       from worms or viruses; they do not decode attachments, and they do
       not unzip archives. See the documents referenced below in the README
       FILES section if you need more sophisticated content analysis.

       Postfix supports four built-in content inspection classes:

       header_checks
              These are applied to initial message headers (except for the
              headers that are processed with mime_header_checks).

       mime_header_checks (default: $header_checks)
              These are applied to MIME related message headers only.

              This feature is available in Postfix 2.0 and later.

       nested_header_checks (default: $header_checks)
              These are applied to message headers of attached email
              messages (except for the headers that are processed with
              mime_header_checks).

              This feature is available in Postfix 2.0 and later.

       body_checks
              These are applied to all other content, including multi-part
              message boundaries.

              With Postfix versions before 2.0, all content after the
              initial message headers is treated as body content.

       Note: message headers are examined one logical header at a time, even
       when a message header spans multiple lines. Body lines are always
       examined one line at a time.

COMPATIBILITY
       With Postfix version 2.2 and earlier specify "postmap -fq" to query a
       table that contains case sensitive patterns. By default, regexp: and
       pcre: patterns are case insensitive.

TABLE FORMAT
       This document assumes that header and body_checks rules are specified
       in the form of Postfix regular expression lookup tables. Usually the
       best performance is obtained with pcre (Perl Compatible Regular
       Expression) tables, but the slower regexp (POSIX regular expressions)
       support is more widely available. Use the command "postconf -m" to
       find out what lookup table types your Postfix system supports.

       The general format of Postfix regular expression tables is given
       below. For a discussion of specific pattern or flags syntax, see
       pcre_table(5) or regexp_table(5), respectively.

       /pattern/flags action
              When /pattern/ matches the input string, execute the
              corresponding action. See below for a list of possible actions.

       !/pattern/flags action
              When /pattern/ does not match the input string, execute the
              corresponding action.

       if /pattern/flags

       endif  Match the input string against the patterns between if and
              endif, if and only if the same input string also matches
              /pattern/. The if..endif can nest.

              Note: do not prepend whitespace to patterns inside if..endif.

       if !/pattern/flags

       endif  Match the input string against the patterns between if and
              endif, if and only if the same input string does not match
              /pattern/. The if..endif can nest.

       blank lines and comments
              Empty lines and whitespace-only lines are ignored, as are lines
              whose first non-whitespace character is a `#'.

       multi-line text
              A pattern/action line starts with non-whitespace text. A line
              that starts with whitespace continues a logical line.

TABLE SEARCH ORDER
       For each line of message input, the patterns are applied in the order
       as specified in the table. When a pattern is found that matches the
       input line, the corresponding action is executed and then the next
       input line is inspected.

TEXT SUBSTITUTION
       Substitution of substrings from the matched expression into the
       action string is possible using the conventional Perl syntax ($1, $2,
       etc.). The macros in the result string may need to be written as ${n}
       or $(n) if they aren't followed by whitespace.

       Note: since negated patterns (those preceded by !) return a result
       when the expression does not match, substitutions are not available
       for negated patterns.

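       The table format, search order and substitution rules above, worked
       through in an added Python example. This is not Postfix code and is
       no substitute for querying the real table with "postmap -q"; it is a
       small emulator that parses a constructed regexp-style table and
       applies it to sample header lines, so that first-match-wins, negated
       patterns, nested if..endif, the DUNNO shortcut, the "i" flag toggle
       and $n substitution can be seen on concrete input. Python's re module
       stands in for PCRE, and the table, rule texts and header lines are
       constructed for the example.

```python
import re

# Added example, not Postfix code: a small emulator of the regexp:/pcre: table
# semantics described above (first match wins, "!" negates a pattern, if/endif
# may nest, DUNNO/OK end the search for the current line, and $n / ${n} / $(n)
# in the action are replaced by capture groups). Python's re is used in place
# of PCRE, so only the "i" and "x" flags are honoured here.

RULE_RE = re.compile(
    r'^(?P<if>if\s+)?(?P<neg>!)?/(?P<pat>(?:\\.|[^/\\])*)/(?P<flags>[a-zA-Z]*)\s*(?P<action>.*)$')
SUBST_RE = re.compile(r'\$(?:(\d+)|\{(\d+)\}|\((\d+)\))')


def parse_table(text):
    """Turn table text into a list of (kind, negate, regex, action) entries.
    kind is 'rule', 'if' or 'endif'. Comment and blank lines are dropped; a
    line that starts with whitespace continues the previous logical line
    (which is why patterns inside if..endif must not be indented)."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += ' ' + raw.strip()
        else:
            logical.append(raw.rstrip())
    rules = []
    for line in logical:
        if line == 'endif':
            rules.append(('endif', False, None, ''))
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError('cannot parse table line: %r' % line)
        flags = m['flags'].lower()
        # As in Postfix, matching is case-insensitive unless the "i" flag
        # toggles it off; "x" maps to re.VERBOSE (close to PCRE's /x).
        reflags = 0 if 'i' in flags else re.IGNORECASE
        if 'x' in flags:
            reflags |= re.VERBOSE
        kind = 'if' if m['if'] else 'rule'
        rules.append((kind, bool(m['neg']), re.compile(m['pat'], reflags), m['action']))
    return rules


def check_line(rules, line):
    """Apply the table to one logical header or body line. Returns
    (ACTION, full action text) for the first matching rule, or None when no
    rule matched or the first match was DUNNO/OK."""
    skip = 0  # nesting depth of if-blocks whose condition was false
    for kind, neg, rx, action in rules:
        if kind == 'endif':
            if skip:
                skip -= 1
            continue
        if skip:
            if kind == 'if':
                skip += 1
            continue
        m = rx.search(line)
        matched = (m is None) if neg else (m is not None)
        if kind == 'if':
            if not matched:
                skip = 1
            continue
        if not matched:
            continue
        # No substitution for negated patterns: there is no match to copy from.
        text = action if neg else SUBST_RE.sub(
            lambda s: m.group(int(s.group(1) or s.group(2) or s.group(3))) or '', action)
        verb = text.split(None, 1)[0].upper() if text else ''
        if verb in ('DUNNO', 'OK'):
            return None
        return verb, text
    return None


def check_headers(rules, headers):
    """Run the table over a list of logical headers, stopping after REJECT or
    DISCARD (which end inspection of the message); returns the results."""
    results = []
    for h in headers:
        r = check_line(rules, h)
        if r:
            results.append(r)
            if r[0] in ('REJECT', 'DISCARD'):
                break
    return results


# Constructed example table (not from the manual page); note the
# continuation line of the last rule and the un-indented if..endif body.
TABLE = r'''
# Subject checks only run for Subject: headers, thanks to if..endif
if /^Subject:/
/^Subject:\s*(.*free money.*)$/      REJECT Spam subject: $1
!/^Subject:\s*\S/                    WARN empty subject
endif
/^X-Mailer:\s*Foo$/i                 WARN case-sensitive match (i toggles)
/^Received:/                         DUNNO
/^Content-(Disposition|Type):.*name\s*=\s*"?(.*\.(exe|pif))"?/
    REJECT Attachment name "$2" may not end with ".$3"
'''

RULES = parse_table(TABLE)

if __name__ == '__main__':
    for h in ['Subject: get FREE MONEY now', 'Subject: ', 'x-mailer: foo',
              'X-Mailer: Foo', 'Received: from mx.example.com',
              'Content-Type: application/octet-stream; name="invoice.exe"']:
        print(repr(h), '->', check_line(RULES, h))
```

       The emulator deliberately shares the pitfall noted under TABLE
       FORMAT: an indented pattern inside if..endif is glued onto the
       previous logical line rather than treated as a rule. Verify real
       tables with "postmap -q - pcre:/etc/postfix/filename <inputfile" as
       shown in the SYNOPSIS.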
ACTIONS
       Action names are case insensitive. They are shown in upper case for
       consistency with other Postfix documentation.

       DISCARD optional text...
              Claim successful delivery and silently discard the message.
              Log the optional text if specified, otherwise log a generic
              message.

              Note: this action disables further header or body_checks
              inspection of the current message and affects all recipients.
              To discard only one recipient without discarding the entire
              message, use the transport(5) table to direct mail to the
              discard(8) service.

              This feature is available in Postfix 2.0 and later.

       DUNNO  Pretend that the input line did not match any pattern, and
              inspect the next input line. This action can be used to
              shorten the table search.

              For backwards compatibility reasons, Postfix also accepts OK
              but it is (and always has been) treated as DUNNO.

              This feature is available in Postfix 2.1 and later.

       FILTER transport:destination
              After the message is queued, send the entire message through
              the specified external content filter. The transport name
              specifies the first field of a mail delivery agent definition
              in master.cf; the syntax of the next-hop destination is
              described in the manual page of the corresponding delivery
              agent. More information about external content filters is in
              the Postfix FILTER_README file.

              Note 1: do not use $number regular expression substitutions
              for transport or destination unless you know that the
              information has a trusted origin.

              Note 2: this action overrides the main.cf content_filter
              setting, and affects all recipients of the message. In the
              case that multiple FILTER actions fire, only the last one is
              executed.

              Note 3: the purpose of the FILTER command is to override
              message routing. To override the recipient's transport but not
              the next-hop destination, specify an empty filter destination
              (Postfix 2.7 and later), or specify a transport:destination
              that delivers through a different Postfix instance (Postfix
              2.6 and earlier). Other options are using the
              recipient-dependent transport_maps or the sender-dependent
              sender_dependent_default_transport_maps features.

              This feature is available in Postfix 2.0 and later.

       HOLD optional text...
              Arrange for the message to be placed on the hold queue, and
              inspect the next input line. The message remains on hold until
              someone either deletes it or releases it for delivery. Log the
              optional text if specified, otherwise log a generic message.

              Mail that is placed on hold can be examined with the
              postcat(1) command, and can be destroyed or released with the
              postsuper(1) command.

              Note: use "postsuper -r" to release mail that was kept on hold
              for a significant fraction of $maximal_queue_lifetime or
              $bounce_queue_lifetime, or longer. Use "postsuper -H" only for
              mail that will not expire within a few delivery attempts.

              Note: this action affects all recipients of the message.

              This feature is available in Postfix 2.0 and later.

       IGNORE Delete the current line from the input, and inspect the next
              input line.

       PREPEND text...
              Prepend one line with the specified text, and inspect the next
              input line.

              Notes:

              · The prepended text is output on a separate line,
                immediately before the input that triggered the PREPEND
                action.

              · The prepended text is not considered part of the input
                stream: it is not subject to header/body checks or address
                rewriting, and it does not affect the way that Postfix adds
                missing message headers.

              · When prepending text before a message header line, the
                prepended text must begin with a valid message header label.

              · This action cannot be used to prepend multi-line text.

              This feature is available in Postfix 2.1 and later.

       REDIRECT user@domain
              Write a message redirection request to the queue file, and
              inspect the next input line. After the message is queued, it
              will be sent to the specified address instead of the intended
              recipient(s).

              Note: this action overrides the FILTER action, and affects all
              recipients of the message. If multiple REDIRECT actions fire,
              only the last one is executed.

              This feature is available in Postfix 2.1 and later.

       REPLACE text...
              Replace the current line with the specified text, and inspect
              the next input line.

              This feature is available in Postfix 2.2 and later. The
              description below applies to Postfix 2.2.2 and later.

              Notes:

              · When replacing a message header line, the replacement text
                must begin with a valid header label.

              · The replaced text remains part of the input stream. Unlike
                the result from the PREPEND action, a replaced message
                header may be subject to address rewriting and may affect
                the way that Postfix adds missing message headers.

       REJECT optional text...
              Reject the entire message. Reply with optional text... when
              the optional text is specified, otherwise reply with a generic
              error message.

              Note: this action disables further header or body_checks
              inspection of the current message and affects all recipients.

              Postfix version 2.3 and later support enhanced status codes.
              When no code is specified at the beginning of optional
              text..., Postfix inserts a default enhanced status code of
              "5.7.1".

       WARN optional text...
              Log a warning with the optional text... (or log a generic
              message), and inspect the next input line. This action is
              useful for debugging and for testing a pattern before applying
              more drastic actions.

BUGS
       Empty lines never match, because some map types mis-behave when given
       a zero-length search string. This limitation may be removed for
       regular expression tables in a future release.

       Many people overlook the main limitations of header and body_checks
       rules.

       · These rules operate on one logical message header or one body line
         at a time. A decision made for one line is not carried over to the
         next line.

       · If text in the message body is encoded (RFC 2045) then the rules
         need to be specified for the encoded form.

       · Likewise, when message headers are encoded (RFC 2047) then the
         rules need to be specified for the encoded form.

       Message headers added by the cleanup(8) daemon itself are excluded
       from inspection. Examples of such message headers are From:, To:,
       Message-ID:, Date:.

       Message headers deleted by the cleanup(8) daemon will be examined
       before they are deleted. Examples are: Bcc:, Content-Length:,
       Return-Path:.

CONFIGURATION PARAMETERS
       body_checks
              Lookup tables with content filter rules for message body
              lines. These filters see one physical line at a time, in
              chunks of at most $line_length_limit bytes.

       body_checks_size_limit
              The amount of content per message body segment (attachment)
              that is subjected to $body_checks filtering.

       header_checks

       mime_header_checks (default: $header_checks)

       nested_header_checks (default: $header_checks)
              Lookup tables with content filter rules for message header
              lines: respectively, these are applied to the initial message
              headers (not including MIME headers), to the MIME headers
              anywhere in the message, and to the initial headers of
              attached messages.

              Note: these filters see one logical message header at a time,
              even when a message header spans multiple lines. Message
              headers that are longer than $header_size_limit characters
              are truncated.

       disable_mime_input_processing
              While receiving mail, give no special treatment to MIME
              related message headers; all text after the initial message
              headers is considered to be part of the message body. This
              means that header_checks is applied to all the initial message
              headers, and that body_checks is applied to the remainder of
              the message.

              Note: when used in this manner, body_checks will process a
              multi-line message header one line at a time.

EXAMPLES
       Header pattern to block attachments with bad file name extensions.
       For convenience, the PCRE /x flag is specified, so that there is no
       need to collapse the pattern into a single line of text. The purpose
       of the [[:xdigit:]] sub-expressions is to recognize Windows CLSID
       strings.

       /etc/postfix/main.cf:
           header_checks = pcre:/etc/postfix/header_checks.pcre

       /etc/postfix/header_checks.pcre:
           /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
             ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
             hlp|ht[at]|
             inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
             \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
             ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
             vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
               REJECT Attachment name "$2" may not end with ".$4"

       Body pattern to stop a specific HTML browser vulnerability exploit.

       /etc/postfix/main.cf:
           body_checks = regexp:/etc/postfix/body_checks

       /etc/postfix/body_checks:
           /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
               REJECT IFRAME vulnerability exploit

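       The two example rules above, checked against encoded input, as an
       added Python example that is not part of this manual page or of
       Postfix. It exercises the limitation noted under BUGS: rules match
       the encoded form. The attachment rule catches a quoted-printable or
       RFC 2047 Q-encoded name (which is what its =2E and (\?=)?
       sub-expressions are for) but not a B-encoded one, and the IFRAME
       rule catches the quoted-printable body line (the (3D)?
       sub-expressions) but not a base64 one. Python's re stands in for
       pcre:/regexp:, [[:xdigit:]] is written as [0-9A-Fa-f] because re has
       no POSIX classes, and the header and body lines (including the
       CLSID-shaped string) are constructed.

```python
import base64
import quopri
import re

# Added example, not Postfix code: the two patterns from the EXAMPLES section
# run through Python's re (standing in for pcre:/regexp:) against constructed
# header and body lines in plain, quoted-printable, RFC 2047 and base64 form,
# to show which encoded forms the rules as written do and do not catch.
# Python's re has no [[:xdigit:]], so the CLSID sub-expression uses
# [0-9A-Fa-f]; everything else is the manual page's pattern.

ATTACHMENT_RE = re.compile(r'''
^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
  ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
  hlp|ht[at]|
  inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
  \{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}|
  ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
  vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)
''', re.IGNORECASE | re.VERBOSE)

IFRAME_RE = re.compile(r'^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$',
                       re.IGNORECASE)


def attachment_extension(header):
    """Return the offending extension ($4 in the page's REJECT text), or None
    when the header rule would not fire on this logical header line."""
    m = ATTACHMENT_RE.search(header)
    return m.group(4) if m else None


def body_line_matches(line):
    """True when the body rule would fire on this physical body line."""
    return IFRAME_RE.search(line) is not None


# Constructed encodings of the same attachment name and the same body line.
def name_header_q(filename):
    """RFC 2047 Q-encoded name= parameter from a mailer that encodes the dot;
    the extension is still visible in the encoded form as =2E<ext>."""
    return ('Content-Type: application/octet-stream; name="=?UTF-8?Q?%s?="'
            % filename.replace('.', '=2E'))


def name_header_b(filename):
    """RFC 2047 B-encoded name= parameter: nothing of the extension survives,
    so a rule written for the plain form cannot see it."""
    return ('Content-Type: application/octet-stream; name="=?UTF-8?B?%s?="'
            % base64.b64encode(filename.encode()).decode())


def qp_body_line(text):
    """The body line as it appears inside a quoted-printable part ('=' becomes
    '=3D'); the page's (3D)? sub-expressions exist for exactly this."""
    return quopri.encodestring(text.encode()).decode().rstrip('\n')


def b64_body_line(text):
    """The body line as it appears inside a base64 part: no literal text left."""
    return base64.b64encode(text.encode()).decode()


if __name__ == '__main__':
    for h in ['Content-Disposition: attachment; filename="invoice.exe"',
              name_header_q('invoice.exe'), name_header_b('invoice.exe'),
              'Content-Type: application/octet-stream; '
              'name="readme.{01234567-89AB-CDEF-0123-456789ABCDEF}"']:
        print(h, '->', attachment_extension(h))
    line = '<iframe src=cid:part1 height=0 width=0>'
    for b in [line, qp_body_line(line), b64_body_line(line)]:
        print(b, '->', body_line_matches(b))
```

       The same input lines can be fed to the real tables with
       "postmap -q - pcre:/etc/postfix/header_checks.pcre <inputfile"; a
       base64 part will only ever match a rule written for its base64
       encoding, which is why the DESCRIPTION points to external content
       filters for anything that needs decoding.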
SEE ALSO
       cleanup(8), canonicalize and enqueue Postfix message
       pcre_table(5), format of PCRE lookup tables
       regexp_table(5), format of POSIX regular expression tables
       postconf(1), Postfix configuration utility
       postmap(1), Postfix lookup table management
       postsuper(1), Postfix janitor
       postcat(1), show Postfix queue file contents
       RFC 2045, base64 and quoted-printable encoding rules
       RFC 2047, message header encoding for non-ASCII text

README FILES
       Use "postconf readme_directory" or "postconf html_directory" to locate
       this information.
       DATABASE_README, Postfix lookup table overview
       CONTENT_INSPECTION_README, Postfix content inspection overview
       BUILTIN_FILTER_README, Postfix built-in content inspection
       BACKSCATTER_README, blocking returned forged mail

LICENSE
       The Secure Mailer license must be distributed with this software.

AUTHOR(S)
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA