1HEADER_CHECKS(5)              File Formats Manual             HEADER_CHECKS(5)
2
3
4

NAME

6       header_checks - Postfix built-in content inspection
7

SYNOPSIS

9       header_checks = pcre:/etc/postfix/header_checks
10       mime_header_checks = pcre:/etc/postfix/mime_header_checks
11       nested_header_checks = pcre:/etc/postfix/nested_header_checks
12       body_checks = pcre:/etc/postfix/body_checks
13
14       postmap -q "string" pcre:/etc/postfix/filename
15       postmap -q - pcre:/etc/postfix/filename <inputfile
16

DESCRIPTION

18       This  document describes access control on the content of message head‐
19       ers and message body lines; it is implemented by the Postfix cleanup(8)
20       server  before  mail  is  queued.   See access(5) for access control on
21       remote SMTP client information.
22
23       Each message header or message body line is compared against a list  of
24       patterns.   When a match is found the corresponding action is executed,
25       and the matching process is repeated for the  next  message  header  or
26       message body line.
27
28       For examples, see the EXAMPLES section at the end of this manual page.
29
30       Postfix header or body_checks are designed to stop a flood of mail from
31       worms or viruses; they do not decode attachments, and they do not unzip
32       archives.  See  the documents referenced below in the README FILES sec‐
33       tion if you need more sophisticated content analysis.
34
35       Postfix supports four built-in content inspection classes:
36
37       header_checks
38              These are applied to initial message  headers  (except  for  the
39              headers that are processed with mime_header_checks).
40
41       mime_header_checks (default: $header_checks)
42              These are applied to MIME related message headers only.
43
44              This feature is available in Postfix 2.0 and later.
45
46       nested_header_checks (default: $header_checks)
47              These  are applied to message headers of attached email messages
48              (except   for   the   headers   that    are    processed    with
49              mime_header_checks).
50
51              This feature is available in Postfix 2.0 and later.
52
53       body_checks
54              These  are  applied  to  all other content, including multi-part
55              message boundaries.
56
57              With Postfix versions before 2.0, all content after the  initial
58              message headers is treated as body content.
59
60       Note:  message  headers are examined one logical header at a time, even
61       when a message header spans multiple lines. Body lines are always exam‐
62       ined one line at a time.
63

COMPATIBILITY

65       With  Postfix  version 2.2 and earlier specify "postmap -fq" to query a
66       table that contains case sensitive patterns. By  default,  regexp:  and
67       pcre: patterns are case insensitive.
68

TABLE FORMAT

70       This  document  assumes that header and body_checks rules are specified
71       in the form of Postfix regular expression lookup  tables.  Usually  the
72       best performance is obtained with pcre (Perl Compatible Regular Expres‐
73       sion) tables, but the slower regexp (POSIX regular expressions) support
74       is  more  widely  available.  Use the command "postconf -m" to find out
75       what lookup table types your Postfix system supports.
76
77       The general format of Postfix regular expression tables is given below.
78       For a discussion of specific pattern or flags syntax, see pcre_table(5)
79       or regexp_table(5), respectively.
80
81       /pattern/flags action
82              When pattern matches the input string, execute the corresponding
83              action. See below for a list of possible actions.
84
85       !/pattern/flags action
86              When pattern does not match the input string, execute the corre‐
87              sponding action.
88
89       if /pattern/flags
90
91       endif  Match the input string  against  the  patterns  between  if  and
92              endif,  if  and  only if the same input string also matches pat‐
93              tern. The if..endif can nest.
94
95              Note: do not prepend whitespace to patterns inside if..endif.
96
97       if !/pattern/flags
98
99       endif  Match the input string  against  the  patterns  between  if  and
100              endif,  if and only if the same input string does not match pat‐
101              tern. The if..endif can nest.
102
103       blank lines and comments
104              Empty lines and whitespace-only lines are ignored, as are  lines
105              whose first non-whitespace character is a `#'.
106
107       multi-line text
108              A  pattern/action  line  starts with non-whitespace text. A line
109              that starts with whitespace continues a logical line.
110

TABLE SEARCH ORDER

112       For each line of message input, the patterns are applied in  the  order
113       as  specified  in  the  table. When a pattern is found that matches the
114       input line, the corresponding action is  executed  and  then  the  next
115       input line is inspected.
116

TEXT SUBSTITUTION

118       Substitution  of substrings from the matched expression into the action
119       string is possible using the conventional Perl syntax ($1,  $2,  etc.).
120       The  macros in the result string may need to be written as ${n} or $(n)
121       if they aren't followed by whitespace.
122
123       Note: since negated patterns (those preceded by !) return a result when
124       the  expression  does  not  match,  substitutions are not available for
125       negated patterns.
126

ACTIONS

128       Action names are case insensitive. They are shown  in  upper  case  for
129       consistency with other Postfix documentation.
130
131       DISCARD optional text...
132              Claim successful delivery and silently discard the message.  Log
133              the optional text if specified, otherwise log a generic message.
134
135              Note: this action disables further header or body_checks inspec‐
136              tion of the current message and affects all recipients.  To dis‐
137              card only one recipient without discarding the  entire  message,
138              use the transport(5) table to direct mail to the discard(8) ser‐
139              vice.
140
141              This feature is available in Postfix 2.0 and later.
142
143       DUNNO  Pretend that the input line  did  not  match  any  pattern,  and
144              inspect  the next input line. This action can be used to shorten
145              the table search.
146
147              For backwards compatibility reasons, Postfix also accepts OK but
148              it is (and always has been) treated as DUNNO.
149
150              This feature is available in Postfix 2.1 and later.
151
152       FILTER transport:destination
153              Write  a  content  filter request to the queue file, and inspect
154              the next input line.  After the complete message is received  it
155              will  be  sent  through  the  specified external content filter.
156              More information about external content filters is in the  Post‐
157              fix FILTER_README file.
158
159              Note:  this  action  overrides  the  content_filter setting, and
160              affects all recipients of the message. In the case that multiple
161              FILTER actions fire, only the last one is executed.
162
163              This feature is available in Postfix 2.0 and later.
164
165       HOLD optional text...
166              Arrange  for  the  message  to  be placed on the hold queue, and
167              inspect the next input line.  The message remains on hold  until
168              someone  either deletes it or releases it for delivery.  Log the
169              optional text if specified, otherwise log a generic message.
170
171              Mail that is placed on hold can be examined with the  postcat(1)
172              command,  and can be destroyed or released with the postsuper(1)
173              command.
174
175              Note: use "postsuper -r" to release mail that was kept  on  hold
176              for   a   significant  fraction  of  $maximal_queue_lifetime  or
177              $bounce_queue_lifetime, or longer. Use "postsuper -H"  only  for
178              mail that will not expire within a few delivery attempts.
179
180              Note: this action affects all recipients of the message.
181
182              This feature is available in Postfix 2.0 and later.
183
184       IGNORE Delete  the  current  line  from the input, and inspect the next
185              input line.
186
187       PREPEND text...
188              Prepend one line with the specified text, and inspect  the  next
189              input line.
190
191              Notes:
192
193              ·      The  prepended text is output on a separate line, immedi‐
194                     ately before the input that triggered the PREPEND action.
195
196              ·      The prepended text is not considered part  of  the  input
197                     stream:  it  is  not  subject  to  header/body  checks or
198                     address rewriting, and it does not affect  the  way  that
199                     Postfix adds missing message headers.
200
201              ·      When  prepending  text  before a message header line, the
202                     prepended text must begin with  a  valid  message  header
203                     label.
204
205              ·      This action cannot be used to prepend multi-line text.
206
207              This feature is available in Postfix 2.1 and later.
208
209       REDIRECT user@domain
210              Write  a  message  redirection  request  to  the queue file, and
211              inspect the next input line. After the  message  is  queued,  it
212              will  be  sent  to the specified address instead of the intended
213              recipient(s).
214
215              Note: this action overrides the FILTER action, and  affects  all
216              recipients  of  the  message. If multiple REDIRECT actions fire,
217              only the last one is executed.
218
219              This feature is available in Postfix 2.1 and later.
220
221       REPLACE text...
222              Replace the current line with the specified  text,  and  inspect
223              the next input line.
224
225              This feature is available in Postfix 2.2 and later. The descrip‐
226              tion below applies to Postfix 2.2.2 and later.
227
228              Notes:
229
230              ·      When replacing a message  header  line,  the  replacement
231                     text must begin with a valid header label.
232
233              ·      The  replaced  text  remains  part  of  the input stream.
234                     Unlike the result from the  PREPEND  action,  a  replaced
235                     message  header  may  be subject to address rewriting and
236                     may affect the way  that  Postfix  adds  missing  message
237                     headers.
238
239       REJECT optional text...
240              Reject  the entire message. Reply with optional text... when the
241              optional text is specified, otherwise reply with a generic error
242              message.
243
244              Note: this action disables further header or body_checks inspec‐
245              tion of the current message and affects all recipients.
246
247              Postfix version 2.3 and later  support  enhanced  status  codes.
248              When  no code is specified at the beginning of optional text...,
249              Postfix inserts a default enhanced status code of "5.7.1".
250
251       WARN optional text...
252              Log a warning with the optional text... (or log a  generic  mes‐
253              sage),  and  inspect  the next input line. This action is useful
254              for debugging and for testing a  pattern  before  applying  more
255              drastic actions.
256

BUGS

258       Many  people  overlook  the  main limitations of header and body_checks
259       rules.
260
261       ·      These rules operate on one logical message header  or  one  body
262              line at a time. A decision made for one line is not carried over
263              to the next line.
264
265       ·      If text in the message body is encoded (RFC 2045) then the rules
266              need to be specified for the encoded form.
267
268       ·      Likewise,  when  message headers are encoded (RFC 2047) then the
269              rules need to be specified for the encoded form.
270
271       Message headers added by the cleanup(8) daemon itself are excluded from
272       inspection.  Examples  of such message headers are From:, To:, Message-
273       ID:, Date:.
274
275       Message headers deleted by  the  cleanup(8)  daemon  will  be  examined
276       before  they  are deleted. Examples are: Bcc:, Content-Length:, Return-
277       Path:.
278

CONFIGURATION PARAMETERS

280       body_checks
281              Lookup tables with content filter rules for message body  lines.
282              These  filters  see one physical line at a time, in chunks of at
283              most $line_length_limit bytes.
284
285       body_checks_size_limit
286              The amount of content per message body segment (attachment) that
287              is subjected to $body_checks filtering.
288
289       header_checks
290
291       mime_header_checks (default: $header_checks)
292
293       nested_header_checks (default: $header_checks)
294              Lookup  tables  with  content  filter  rules  for message header
295              lines: respectively, these are applied to  the  initial  message
296              headers  (not  including MIME headers), to the MIME headers any‐
297              where in the message, and to the  initial  headers  of  attached
298              messages.
299
300              Note:  these  filters  see one logical message header at a time,
301              even when a message header spans multiple lines. Message headers
302              that  are  longer  than  $header_size_limit characters are trun‐
303              cated.
304
305       disable_mime_input_processing
306              While receiving mail, give no special treatment to MIME  related
307              message  headers;  all text after the initial message headers is
308              considered to be part of  the  message  body.  This  means  that
309              header_checks is applied to all the initial message headers, and
310              that body_checks is applied to the remainder of the message.
311
312              Note: when used in  this  manner,  body_checks  will  process  a
313              multi-line message header one line at a time.
314

EXAMPLES

316       Header pattern to block attachments with bad file name extensions.
317
318       /etc/postfix/main.cf:
319           header_checks = regexp:/etc/postfix/header_checks
320
321       /etc/postfix/header_checks:
322           /^content-(type|disposition):.*name[[:space:]]*=.*\.(exe|vbs)/
323               REJECT Bad attachment file name extension: $2
324
325       Body pattern to stop a specific HTML browser vulnerability exploit.
326
327       /etc/postfix/main.cf:
328           body_checks = regexp:/etc/postfix/body_checks
329
330       /etc/postfix/body_checks:
331           /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
332               REJECT IFRAME vulnerability exploit
333

SEE ALSO

335       cleanup(8), canonicalize and enqueue Postfix message
336       pcre_table(5), format of PCRE lookup tables
337       regexp_table(5), format of POSIX regular expression tables
338       postconf(1), Postfix configuration utility
339       postmap(1), Postfix lookup table management
340       postsuper(1), Postfix janitor
341       postcat(1), show Postfix queue file contents
342       RFC 2045, base64 and quoted-printable encoding rules
343       RFC 2047, message header encoding for non-ASCII text
344

README FILES

346       Use  "postconf readme_directory" or "postconf html_directory" to locate
347       this information.
348       DATABASE_README, Postfix lookup table overview
349       CONTENT_INSPECTION_README, Postfix content inspection overview
350       BUILTIN_FILTER_README, Postfix built-in content inspection
351       BACKSCATTER_README, blocking returned forged mail
352

LICENSE

354       The Secure Mailer license must be distributed with this software.
355

AUTHOR(S)

357       Wietse Venema
358       IBM T.J. Watson Research
359       P.O. Box 704
360       Yorktown Heights, NY 10598, USA
361
362
363
364                                                              HEADER_CHECKS(5)
Impressum