CIDR_TABLE(5)                 File Formats Manual                CIDR_TABLE(5)

NAME

       cidr_table - format of Postfix CIDR tables

SYNOPSIS

       postmap -q "string" cidr:/etc/postfix/filename

       postmap -q - cidr:/etc/postfix/filename <inputfile

DESCRIPTION

       The Postfix mail system uses optional lookup tables. These tables are
       usually in dbm or db format. Alternatively, lookup tables can be
       specified in CIDR (Classless Inter-Domain Routing) form. In this case,
       each input is compared against a list of patterns. When a match is
       found, the corresponding result is returned and the search is
       terminated.

       To find out what types of lookup tables your Postfix system supports
       use the "postconf -m" command.

       To test lookup tables, use the "postmap -q" command as described in the
       SYNOPSIS above.

TABLE FORMAT

       The general form of a Postfix CIDR table is:

       pattern     result
              When a search string matches the specified pattern, use the
              corresponding result value. The pattern must be in
              network/prefix or network_address form (see ADDRESS PATTERN
              SYNTAX below).

       !pattern     result
              When a search string does not match the specified pattern, use
              the specified result value. The pattern must be in
              network/prefix or network_address form (see ADDRESS PATTERN
              SYNTAX below).

              This feature is available in Postfix 3.2 and later.

       if pattern

       endif  When a search string matches the specified pattern, match that
              search string against the patterns between if and endif. The
              pattern must be in network/prefix or network_address form (see
              ADDRESS PATTERN SYNTAX below). The if..endif can nest.

              Note: do not prepend whitespace to text between if..endif.

              This feature is available in Postfix 3.2 and later.

       if !pattern

       endif  When a search string does not match the specified pattern, match
              that search string against the patterns between if and endif.
              The pattern must be in network/prefix or network_address form
              (see ADDRESS PATTERN SYNTAX below). The if..endif can nest.

              Note: do not prepend whitespace to text between if..endif.

              This feature is available in Postfix 3.2 and later.

       blank lines and comments
              Empty lines and whitespace-only lines are ignored, as are lines
              whose first non-whitespace character is a `#'.

       multi-line text
              A logical line starts with non-whitespace text. A line that
              starts with whitespace continues a logical line.

TABLE SEARCH ORDER

       Patterns are applied in the order as specified in the table, until a
       pattern is found that matches the search string.

ADDRESS PATTERN SYNTAX

       Postfix CIDR tables are pattern-based. A pattern is either a
       network_address which requires an exact match, or a
       network_address/prefix_length where the prefix_length part specifies
       the length of the network_address prefix that must be matched (the
       other bits in the network_address part must be zero).

       An IPv4 network address is a sequence of four decimal octets separated
       by ".", and an IPv6 network address is a sequence of three to eight
       hexadecimal octet pairs separated by ":" or "::", where the latter is
       short-hand for a sequence of one or more all-zero octet pairs. The
       pattern 0.0.0.0/0 matches every IPv4 address, and ::/0 matches every
       IPv6 address. IPv6 support is available in Postfix 2.2 and later.

       Before comparisons are made, lookup keys and table entries are
       converted from string to binary. Therefore, IPv6 patterns will be
       matched regardless of leading zeros (a leading zero in an IPv4 address
       octet indicates octal notation).

       Note: address information may be enclosed inside "[]" but this form is
       not required.

INLINE SPECIFICATION

       The contents of a table may be specified in the table name (Postfix 3.7
       and later). The basic syntax is:

       main.cf:
           parameter = .. cidr:{ { rule-1 }, { rule-2 } .. } ..

       master.cf:
           .. -o { parameter = .. cidr:{ { rule-1 }, { rule-2 } .. } .. } ..

       Postfix ignores whitespace after '{' and before '}', and writes each
       rule as one text line to an in-memory file:

       in-memory file:
           rule-1
           rule-2
           ..

       Postfix parses the result as if it is a file in /etc/postfix.

       Note: if a rule contains $, specify $$ to keep Postfix from trying to
       do $name expansion as it evaluates a parameter value.

EXAMPLE SMTPD ACCESS MAP

       /etc/postfix/main.cf:
           smtpd_client_restrictions = ... cidr:/etc/postfix/client.cidr ...

       /etc/postfix/client.cidr:
           # Rule order matters. Put more specific allowlist entries
           # before more general denylist entries.
           192.168.1.1             OK
           192.168.0.0/16          REJECT
           2001:db8::1             OK
           2001:db8::/32           REJECT
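
       Added example (not part of the Postfix manual or Postfix code): a small
       Python model of the lookup described in TABLE FORMAT, TABLE SEARCH ORDER
       and ADDRESS PATTERN SYNTAX, for checking what a table returns for a given
       client address before it is deployed. The sample table and the function
       names are constructed for illustration; the model assumes a pattern only
       applies to addresses of its own family, and it does not model the octal
       reading of leading-zero IPv4 octets.

```python
import ipaddress

# Constructed sample table: the allowlist-before-denylist rules from the page,
# with the IPv6 rules placed inside a Postfix 3.2+ if..endif block.
SAMPLE_TABLE = """\
# Rule order matters.
192.168.1.1             OK
192.168.0.0/16          REJECT
if 2001:db8::/32
2001:db8::1             OK
!2001:db8:1::/48        REJECT not in
    the delegated /48
endif
"""

def logical_lines(text):
    """Drop blank and '#' lines; fold whitespace-led lines into the previous one."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def rule_applies(pattern, ip):
    """True if the pattern (optionally '!'-negated) selects ip."""
    negate = pattern.startswith("!")
    spec = pattern.lstrip("!").replace("[", "").replace("]", "")
    net = ipaddress.ip_network(spec, strict=True)  # ValueError if host bits set
    if net.version != ip.version:
        return False  # assumption: a pattern only applies to its own family
    return (ip in net) != negate

def lookup(text, addr):
    """Return the result of the first matching rule, or None if none matches."""
    ip = ipaddress.ip_address(addr.strip("[]"))
    skipping = 0  # nesting depth inside an if-block whose condition failed
    for line in logical_lines(text):
        fields = line.split(None, 1) + [""]
        head, rest = fields[0], fields[1].strip()
        if skipping:
            skipping += (head == "if") - (head == "endif")
        elif head == "if":
            skipping = 0 if rule_applies(rest, ip) else 1
        elif head != "endif" and rule_applies(head, ip):
            return rest
    return None
```

       On a Postfix host, "postmap -q" as shown in the SYNOPSIS remains the
       authoritative check of what the real table returns.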

SEE ALSO

       postmap(1), Postfix lookup table manager
       regexp_table(5), format of regular expression tables
       pcre_table(5), format of PCRE tables

README FILES

       Use "postconf readme_directory" or "postconf html_directory" to locate
       this information.
       DATABASE_README, Postfix lookup table overview

HISTORY

       CIDR table support was introduced with Postfix version 2.1.

AUTHOR(S)

       The CIDR table lookup code was originally written by:
       Jozsef Kadlecsik
       KFKI Research Institute for Particle and Nuclear Physics
       POB. 49
       1525 Budapest, Hungary

       Adopted and adapted by:
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

       Wietse Venema
       Google, Inc.
       111 8th Avenue
       New York, NY 10011, USA