1HEADER_CHECKS(5)              File Formats Manual             HEADER_CHECKS(5)
2
3
4

NAME

6       header_checks - Postfix built-in content inspection
7

SYNOPSIS

9       header_checks = pcre:/etc/postfix/header_checks
10       mime_header_checks = pcre:/etc/postfix/mime_header_checks
11       nested_header_checks = pcre:/etc/postfix/nested_header_checks
12       body_checks = pcre:/etc/postfix/body_checks
13
14       postmap -q "string" pcre:/etc/postfix/filename
15       postmap -q - pcre:/etc/postfix/filename <inputfile
16

DESCRIPTION

18       This  document describes access control on the content of message head‐
19       ers and message body lines; it is implemented by the Postfix cleanup(8)
20       server  before  mail  is  queued.   See access(5) for access control on
21       remote SMTP client information.
22
23       Each message header or message body line is compared against a list  of
24       patterns.   When a match is found the corresponding action is executed,
25       and the matching process is repeated for the  next  message  header  or
26       message body line.
27
28       For examples, see the EXAMPLES section at the end of this manual page.
29
30       Postfix header or body_checks are designed to stop a flood of mail from
31       worms or viruses; they do not decode attachments, and they do not unzip
32       archives.  See  the documents referenced below in the README FILES sec‐
33       tion if you need more sophisticated content analysis.
34
35       Postfix supports four built-in content inspection classes:
36
37       header_checks
38              These are applied to initial message  headers  (except  for  the
39              headers that are processed with mime_header_checks).
40
41       mime_header_checks (default: $header_checks)
42              These are applied to MIME related message headers only.
43
44              This feature is available in Postfix 2.0 and later.
45
46       nested_header_checks (default: $header_checks)
47              These  are applied to message headers of attached email messages
48              (except   for   the   headers   that    are    processed    with
49              mime_header_checks).
50
51              This feature is available in Postfix 2.0 and later.
52
53       body_checks
54              These  are  applied  to  all other content, including multi-part
55              message boundaries.
56
57              With Postfix versions before 2.0, all content after the  initial
58              message headers is treated as body content.
59
60       Note:  message  headers are examined one logical header at a time, even
61       when a message header spans multiple lines. Body lines are always exam‐
62       ined one line at a time.
63

COMPATIBILITY

65       With  Postfix  version 2.2 and earlier specify "postmap -fq" to query a
66       table that contains case sensitive patterns. By  default,  regexp:  and
67       pcre: patterns are case insensitive.
68

TABLE FORMAT

70       This  document  assumes that header and body_checks rules are specified
71       in the form of Postfix regular expression lookup  tables.  Usually  the
72       best performance is obtained with pcre (Perl Compatible Regular Expres‐
73       sion) tables, but the slower regexp (POSIX regular expressions) support
74       is  more  widely  available.  Use the command "postconf -m" to find out
75       what lookup table types your Postfix system supports.
76
77       The general format of Postfix regular expression tables is given below.
78       For a discussion of specific pattern or flags syntax, see pcre_table(5)
79       or regexp_table(5), respectively.
80
81       /pattern/flags action
82              When /pattern/ matches the input string, execute the correspond‐
83              ing action. See below for a list of possible actions.
84
85       !/pattern/flags action
86              When /pattern/ does not match the input string, execute the cor‐
87              responding action.
88
89       if /pattern/flags
90
91       endif  Match the input string  against  the  patterns  between  if  and
92              endif,  if  and only if the same input string also matches /pat‐
93              tern/. The if..endif can nest.
94
95              Note: do not prepend whitespace to patterns inside if..endif.
96
97       if !/pattern/flags
98
99       endif  Match the input string  against  the  patterns  between  if  and
100              endif, if and only if the same input string does not match /pat‐
101              tern/. The if..endif can nest.
102
103       blank lines and comments
104              Empty lines and whitespace-only lines are ignored, as are  lines
105              whose first non-whitespace character is a `#'.
106
107       multi-line text
108              A  pattern/action  line  starts with non-whitespace text. A line
109              that starts with whitespace continues a logical line.
110

TABLE SEARCH ORDER

112       For each line of message input, the patterns are applied in  the  order
113       as  specified  in  the  table. When a pattern is found that matches the
114       input line, the corresponding action is  executed  and  then  the  next
115       input line is inspected.
116

TEXT SUBSTITUTION

118       Substitution  of substrings from the matched expression into the action
119       string is possible using the conventional Perl syntax ($1,  $2,  etc.).
120       The  macros in the result string may need to be written as ${n} or $(n)
121       if they aren't followed by whitespace.
122
123       Note: since negated patterns (those preceded by !) return a result when
124       the  expression  does  not  match,  substitutions are not available for
125       negated patterns.
126

ACTIONS

128       Action names are case insensitive. They are shown  in  upper  case  for
129       consistency with other Postfix documentation.
130
131       DISCARD optional text...
132              Claim successful delivery and silently discard the message.  Log
133              the optional text if specified, otherwise log a generic message.
134
135              Note: this action disables further header or body_checks inspec‐
136              tion of the current message and affects all recipients.  To dis‐
137              card only one recipient without discarding the  entire  message,
138              use the transport(5) table to direct mail to the discard(8) ser‐
139              vice.
140
141              This feature is available in Postfix 2.0 and later.
142
143       DUNNO  Pretend that the input line  did  not  match  any  pattern,  and
144              inspect  the next input line. This action can be used to shorten
145              the table search.
146
147              For backwards compatibility reasons, Postfix also accepts OK but
148              it is (and always has been) treated as DUNNO.
149
150              This feature is available in Postfix 2.1 and later.
151
152       FILTER transport:destination
153              After the message is queued, send the entire message through the
154              specified external content filter. The transport name  specifies
155              the  first  field  of  a  mail delivery agent definition in mas‐
156              ter.cf; the syntax of the next-hop destination is  described  in
157              the  manual  page  of  the  corresponding  delivery agent.  More
158              information about external content filters  is  in  the  Postfix
159              FILTER_README file.
160
161              Note  1: do not use $number regular expression substitutions for
162              transport or destination unless you know  that  the  information
163              has a trusted origin.
164
165              Note  2:  this  action overrides the main.cf content_filter set‐
166              ting, and affects all recipients of the  message.  In  the  case
167              that  multiple  FILTER  actions  fire, only the last one is exe‐
168              cuted.
169
170              Note 3: the purpose of the FILTER command is to override message
171              routing.   To  override  the  recipient's  transport but not the
172              next-hop destination, specify an empty filter destination (Post‐
173              fix  2.7  and  later),  or  specify a transport:destination that
174              delivers through a different Postfix instance (Postfix  2.6  and
175              earlier). Other options are using the recipient-dependent trans‐
176              port_maps  or  the  sender-dependent   sender_dependent_default‐
177              _transport_maps features.
178
179              This feature is available in Postfix 2.0 and later.
180
181       HOLD optional text...
182              Arrange  for  the  message  to  be placed on the hold queue, and
183              inspect the next input line.  The message remains on hold  until
184              someone  either deletes it or releases it for delivery.  Log the
185              optional text if specified, otherwise log a generic message.
186
187              Mail that is placed on hold can be examined with the  postcat(1)
188              command,  and can be destroyed or released with the postsuper(1)
189              command.
190
191              Note: use "postsuper -r" to release mail that was kept  on  hold
192              for   a   significant  fraction  of  $maximal_queue_lifetime  or
193              $bounce_queue_lifetime, or longer. Use "postsuper -H"  only  for
194              mail that will not expire within a few delivery attempts.
195
196              Note: this action affects all recipients of the message.
197
198              This feature is available in Postfix 2.0 and later.
199
200       IGNORE Delete  the  current  line  from the input, and inspect the next
201              input line.
202
203       PREPEND text...
204              Prepend one line with the specified text, and inspect  the  next
205              input line.
206
207              Notes:
208
209              ·      The  prepended text is output on a separate line, immedi‐
210                     ately before the input that triggered the PREPEND action.
211
212              ·      The prepended text is not considered part  of  the  input
213                     stream:  it  is  not  subject  to  header/body  checks or
214                     address rewriting, and it does not affect  the  way  that
215                     Postfix adds missing message headers.
216
217              ·      When  prepending  text  before a message header line, the
218                     prepended text must begin with  a  valid  message  header
219                     label.
220
221              ·      This action cannot be used to prepend multi-line text.
222
223              This feature is available in Postfix 2.1 and later.
224
225       REDIRECT user@domain
226              Write  a  message  redirection  request  to  the queue file, and
227              inspect the next input line. After the  message  is  queued,  it
228              will  be  sent  to the specified address instead of the intended
229              recipient(s).
230
231              Note: this action overrides the FILTER action, and  affects  all
232              recipients  of  the  message. If multiple REDIRECT actions fire,
233              only the last one is executed.
234
235              This feature is available in Postfix 2.1 and later.
236
237       REPLACE text...
238              Replace the current line with the specified  text,  and  inspect
239              the next input line.
240
241              This feature is available in Postfix 2.2 and later. The descrip‐
242              tion below applies to Postfix 2.2.2 and later.
243
244              Notes:
245
246              ·      When replacing a message  header  line,  the  replacement
247                     text must begin with a valid header label.
248
249              ·      The  replaced  text  remains  part  of  the input stream.
250                     Unlike the result from the  PREPEND  action,  a  replaced
251                     message  header  may  be subject to address rewriting and
252                     may affect the way  that  Postfix  adds  missing  message
253                     headers.
254
255       REJECT optional text...
256              Reject  the entire message. Reply with optional text... when the
257              optional text is specified, otherwise reply with a generic error
258              message.
259
260              Note: this action disables further header or body_checks inspec‐
261              tion of the current message and affects all recipients.
262
263              Postfix version 2.3 and later  support  enhanced  status  codes.
264              When  no code is specified at the beginning of optional text...,
265              Postfix inserts a default enhanced status code of "5.7.1".
266
267       WARN optional text...
268              Log a warning with the optional text... (or log a  generic  mes‐
269              sage),  and  inspect  the next input line. This action is useful
270              for debugging and for testing a  pattern  before  applying  more
271              drastic actions.
272

BUGS

274       Empty lines never match, because some map types mis-behave when given a
275       zero-length search string.  This limitation may be removed for  regular
276       expression tables in a future release.
277
278       Many  people  overlook  the  main limitations of header and body_checks
279       rules.
280
281       ·      These rules operate on one logical message header  or  one  body
282              line at a time. A decision made for one line is not carried over
283              to the next line.
284
285       ·      If text in the message body is encoded (RFC 2045) then the rules
286              need to be specified for the encoded form.
287
288       ·      Likewise,  when  message headers are encoded (RFC 2047) then the
289              rules need to be specified for the encoded form.
290
291       Message headers added by the cleanup(8) daemon itself are excluded from
292       inspection.  Examples  of such message headers are From:, To:, Message-
293       ID:, Date:.
294
295       Message headers deleted by  the  cleanup(8)  daemon  will  be  examined
296       before  they  are deleted. Examples are: Bcc:, Content-Length:, Return-
297       Path:.
298

CONFIGURATION PARAMETERS

300       body_checks
301              Lookup tables with content filter rules for message body  lines.
302              These  filters  see one physical line at a time, in chunks of at
303              most $line_length_limit bytes.
304
305       body_checks_size_limit
306              The amount of content per message body segment (attachment) that
307              is subjected to $body_checks filtering.
308
309       header_checks
310
311       mime_header_checks (default: $header_checks)
312
313       nested_header_checks (default: $header_checks)
314              Lookup  tables  with  content  filter  rules  for message header
315              lines: respectively, these are applied to  the  initial  message
316              headers  (not  including MIME headers), to the MIME headers any‐
317              where in the message, and to the  initial  headers  of  attached
318              messages.
319
320              Note:  these  filters  see one logical message header at a time,
321              even when a message header spans multiple lines. Message headers
322              that  are  longer  than  $header_size_limit characters are trun‐
323              cated.
324
325       disable_mime_input_processing
326              While receiving mail, give no special treatment to MIME  related
327              message  headers;  all text after the initial message headers is
328              considered to be part of  the  message  body.  This  means  that
329              header_checks is applied to all the initial message headers, and
330              that body_checks is applied to the remainder of the message.
331
332              Note: when used in  this  manner,  body_checks  will  process  a
333              multi-line message header one line at a time.
334

EXAMPLES

336       Header pattern to block attachments with bad file name extensions.  For
337       convenience, the PCRE /x flag is specified, so that there is no need to
338       collapse  the  pattern  into a single line of text.  The purpose of the
339       [[:xdigit:]] sub-expressions is to recognize Windows CLSID strings.
340
341       /etc/postfix/main.cf:
342           header_checks = pcre:/etc/postfix/header_checks.pcre
343
344       /etc/postfix/header_checks.pcre:
345           /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
346             ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
347             hlp|ht[at]|
348             inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
349             \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
350             ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
351             vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
352               REJECT Attachment name "$2" may not end with ".$4"
353
354       Body pattern to stop a specific HTML browser vulnerability exploit.
355
356       /etc/postfix/main.cf:
357           body_checks = regexp:/etc/postfix/body_checks
358
359       /etc/postfix/body_checks:
360           /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
361               REJECT IFRAME vulnerability exploit
362

SEE ALSO

364       cleanup(8), canonicalize and enqueue Postfix message
365       pcre_table(5), format of PCRE lookup tables
366       regexp_table(5), format of POSIX regular expression tables
367       postconf(1), Postfix configuration utility
368       postmap(1), Postfix lookup table management
369       postsuper(1), Postfix janitor
370       postcat(1), show Postfix queue file contents
371       RFC 2045, base64 and quoted-printable encoding rules
372       RFC 2047, message header encoding for non-ASCII text
373

README FILES

375       Use "postconf readme_directory" or "postconf html_directory" to  locate
376       this information.
377       DATABASE_README, Postfix lookup table overview
378       CONTENT_INSPECTION_README, Postfix content inspection overview
379       BUILTIN_FILTER_README, Postfix built-in content inspection
380       BACKSCATTER_README, blocking returned forged mail
381

LICENSE

383       The Secure Mailer license must be distributed with this software.
384

AUTHOR(S)

386       Wietse Venema
387       IBM T.J. Watson Research
388       P.O. Box 704
389       Yorktown Heights, NY 10598, USA
390
391
392
393                                                              HEADER_CHECKS(5)
Impressum