HEADER_CHECKS(5)              File Formats Manual             HEADER_CHECKS(5)

NAME
       header_checks - Postfix built-in content inspection

SYNOPSIS
       header_checks = pcre:/etc/postfix/header_checks
       mime_header_checks = pcre:/etc/postfix/mime_header_checks
       nested_header_checks = pcre:/etc/postfix/nested_header_checks
       body_checks = pcre:/etc/postfix/body_checks

       postmap -q "string" pcre:/etc/postfix/filename
       postmap -q - pcre:/etc/postfix/filename <inputfile
DESCRIPTION
       This document describes access control on the content of message
       headers and message body lines; it is implemented by the Postfix
       cleanup(8) server before mail is queued. See access(5) for access
       control on remote SMTP client information.

       Each message header or message body line is compared against a list
       of patterns. When a match is found the corresponding action is
       executed, and the matching process is repeated for the next message
       header or message body line.

       For examples, see the EXAMPLES section at the end of this manual page.

       Postfix header or body_checks are designed to stop a flood of mail
       from worms or viruses; they do not decode attachments, and they do
       not unzip archives. A rule therefore has to match the text exactly
       as it appears in the message (see BUGS). See the documents referenced
       below in the README FILES section if you need more sophisticated
       content analysis.

       Postfix supports four built-in content inspection classes:

       header_checks
              These are applied to initial message headers (except for the
              headers that are processed with mime_header_checks).

       mime_header_checks (default: $header_checks)
              These are applied to MIME related message headers only.

              This feature is available in Postfix 2.0 and later.

       nested_header_checks (default: $header_checks)
              These are applied to message headers of attached email
              messages (except for the headers that are processed with
              mime_header_checks).

              This feature is available in Postfix 2.0 and later.

       body_checks
              These are applied to all other content, including multi-part
              message boundaries.

              With Postfix versions before 2.0, all content after the
              initial message headers is treated as body content.

       Note: message headers are examined one logical header at a time, even
       when a message header spans multiple lines. Body lines are always
       examined one line at a time.

COMPATIBILITY
       With Postfix version 2.2 and earlier specify "postmap -fq" to query a
       table that contains case sensitive patterns. By default, regexp: and
       pcre: patterns are case insensitive.

TABLE FORMAT
       This document assumes that header and body_checks rules are specified
       in the form of Postfix regular expression lookup tables. Usually the
       best performance is obtained with pcre (Perl Compatible Regular
       Expression) tables, but the slower regexp (POSIX regular expressions)
       support is more widely available. Use the command "postconf -m" to
       find out what lookup table types your Postfix system supports.

       The general format of Postfix regular expression tables is given
       below. For a discussion of specific pattern or flags syntax, see
       pcre_table(5) or regexp_table(5), respectively.

       /pattern/flags action
              When pattern matches the input string, execute the
              corresponding action. See below for a list of possible
              actions.

       !/pattern/flags action
              When pattern does not match the input string, execute the
              corresponding action.

       if /pattern/flags

       endif  Match the input string against the patterns between if and
              endif, if and only if the same input string also matches
              pattern. The if..endif can nest.

              Note: do not prepend whitespace to patterns inside if..endif.
              A line that starts with whitespace continues the previous
              logical line (see "multi-line text" below), so an indented
              pattern would be appended to the if line instead of being
              read as a rule of its own.

       if !/pattern/flags

       endif  Match the input string against the patterns between if and
              endif, if and only if the same input string does not match
              pattern. The if..endif can nest.

       blank lines and comments
              Empty lines and whitespace-only lines are ignored, as are
              lines whose first non-whitespace character is a `#'.

       multi-line text
              A pattern/action line starts with non-whitespace text. A line
              that starts with whitespace continues a logical line.

TABLE SEARCH ORDER
       For each line of message input, the patterns are applied in the
       order as specified in the table. When a pattern is found that
       matches the input line, the corresponding action is executed and
       then the next input line is inspected. Later patterns in the table
       are not consulted for that line, so the order of rules matters.

TEXT SUBSTITUTION
       Substitution of substrings from the matched expression into the
       action string is possible using the conventional Perl syntax ($1,
       $2, etc.). The macros in the result string may need to be written
       as ${n} or $(n) if they aren't followed by whitespace.

       Note: since negated patterns (those preceded by !) return a result
       when the expression does not match, substitutions are not available
       for negated patterns.

ACTIONS
       Action names are case insensitive. They are shown in upper case for
       consistency with other Postfix documentation.

       DISCARD optional text...
              Claim successful delivery and silently discard the message.
              Log the optional text if specified, otherwise log a generic
              message.

              Note: this action disables further header or body_checks
              inspection of the current message and affects all recipients.
              To discard only one recipient without discarding the entire
              message, use the transport(5) table to direct mail to the
              discard(8) service.

              This feature is available in Postfix 2.0 and later.

       DUNNO  Pretend that the input line did not match any pattern, and
              inspect the next input line. This action can be used to
              shorten the table search: a DUNNO rule placed early lets
              known-good input skip the remaining patterns.

              For backwards compatibility reasons, Postfix also accepts OK
              but it is (and always has been) treated as DUNNO. OK does not
              whitelist the line or the message.

              This feature is available in Postfix 2.1 and later.

       FILTER transport:destination
              Write a content filter request to the queue file, and inspect
              the next input line. After the complete message is received
              it will be sent through the specified external content
              filter. More information about external content filters is
              in the Postfix FILTER_README file.

              Note: this action overrides the content_filter setting, and
              affects all recipients of the message. In the case that
              multiple FILTER actions fire, only the last one is executed.

              This feature is available in Postfix 2.0 and later.

       HOLD optional text...
              Arrange for the message to be placed on the hold queue, and
              inspect the next input line. The message remains on hold
              until someone either deletes it or releases it for delivery.
              Log the optional text if specified, otherwise log a generic
              message.

              Mail that is placed on hold can be examined with the
              postcat(1) command, and can be destroyed or released with the
              postsuper(1) command.

              Note: use "postsuper -r" to release mail that was kept on
              hold for a significant fraction of $maximal_queue_lifetime or
              $bounce_queue_lifetime, or longer. Use "postsuper -H" only
              for mail that will not expire within a few delivery attempts.

              Note: this action affects all recipients of the message.

              This feature is available in Postfix 2.0 and later.

       IGNORE Delete the current line from the input, and inspect the next
              input line.

       PREPEND text...
              Prepend one line with the specified text, and inspect the
              next input line.

              Notes:

              · The prepended text is output on a separate line,
                immediately before the input that triggered the PREPEND
                action.

              · The prepended text is not considered part of the input
                stream: it is not subject to header/body checks or address
                rewriting, and it does not affect the way that Postfix adds
                missing message headers.

              · When prepending text before a message header line, the
                prepended text must begin with a valid message header
                label.

              · This action cannot be used to prepend multi-line text.

              This feature is available in Postfix 2.1 and later.

       REDIRECT user@domain
              Write a message redirection request to the queue file, and
              inspect the next input line. After the message is queued, it
              will be sent to the specified address instead of the intended
              recipient(s).

              Note: this action overrides the FILTER action, and affects
              all recipients of the message. If multiple REDIRECT actions
              fire, only the last one is executed.

              This feature is available in Postfix 2.1 and later.

       REPLACE text...
              Replace the current line with the specified text, and inspect
              the next input line.

              This feature is available in Postfix 2.2 and later. The
              description below applies to Postfix 2.2.2 and later.

              Notes:

              · When replacing a message header line, the replacement text
                must begin with a valid header label.

              · The replaced text remains part of the input stream. Unlike
                the result from the PREPEND action, a replaced message
                header may be subject to address rewriting and may affect
                the way that Postfix adds missing message headers.

       REJECT optional text...
              Reject the entire message. Reply with optional text... when
              the optional text is specified, otherwise reply with a
              generic error message. Because cleanup(8) inspects content
              before the message is queued, a message received over SMTP is
              rejected only after it has been received in full.

              Note: this action disables further header or body_checks
              inspection of the current message and affects all recipients.

              Postfix version 2.3 and later support enhanced status codes.
              When no code is specified at the beginning of optional
              text..., Postfix inserts a default enhanced status code of
              "5.7.1".

       WARN optional text...
              Log a warning with the optional text... (or log a generic
              message), and inspect the next input line. This action is
              useful for debugging and for testing a pattern before
              applying more drastic actions.

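       The table format, search order, text substitution and actions
       described above can be exercised without a Postfix installation.
       The Python program below is an added example; it is not part of
       Postfix or of this manual page. It reimplements the documented table
       semantics with Python's re module standing in for PCRE, assumes the
       pcre: defaults of pcre_table(5) (case-insensitive, "." matches
       newline, a flag letter toggles its default), and runs on a table and
       header blocks constructed for the example.

```python
import re
# Added example, not Postfix code: a small evaluator for the table format on
# this page (/pattern/flags action, !/pattern/flags action, nested if..endif,
# $n substitution) applied to one logical header at a time. Python's re stands in
# for PCRE; the pcre: defaults and flag toggling are assumptions from pcre_table(5).
RULE = re.compile(r'^(!?)/((?:\\.|[^/])*)/([A-Za-z]*)\s*(.*)$')
COND = re.compile(r'^if\s+(!?)/((?:\\.|[^/])*)/([A-Za-z]*)\s*$')
SUBST = re.compile(r'\$(?:(\d+)|\{(\d+)\}|\((\d+)\))')
TOGGLE = {'i': re.IGNORECASE, 's': re.DOTALL, 'm': re.MULTILINE, 'x': re.VERBOSE}

def compile_pattern(pat, flags):
    opts = re.IGNORECASE | re.DOTALL            # defaults; each flag letter toggles one
    for f in (f for f in flags if f in TOGGLE):
        opts ^= TOGGLE[f]
    return re.compile(pat, opts)

def parse_table(text):
    """Join continuation lines, drop comments and blanks, build nested rule lists."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t' and logical:         # leading whitespace = continuation
            logical[-1] += ' ' + raw.strip()
        else:
            logical.append(raw.rstrip())
    stack = [[]]
    for line in logical:
        if line == 'endif' and len(stack) > 1:
            stack.pop()
        elif (m := COND.match(line)):
            block = []
            stack[-1].append(('if', m[1] == '!', compile_pattern(m[2], m[3]), block))
            stack.append(block)
        elif (m := RULE.match(line)):
            stack[-1].append(('rule', m[1] == '!', compile_pattern(m[2], m[3]), m[4]))
        else:
            raise ValueError('unparsable table line: ' + line)
    return stack[0]

def lookup(rules, text):
    """First match in table order wins; an if..endif body is searched only on a hit.
    $1, ${1}, $(1) expand from the match; a negated rule has no match to expand."""
    for kind, negate, pat, payload in rules:
        m = pat.search(text)
        hit = (m is None) if negate else (m is not None)
        if hit and kind == 'if':
            found = lookup(payload, text)
            if found is not None:
                return found
        elif hit:
            return payload if negate else SUBST.sub(
                lambda s: m.group(int(s[1] or s[2] or s[3])) or '', payload)
    return None

def logical_headers(header_block):
    headers = []                                # one item per logical header
    for line in header_block.splitlines():
        if line[:1] in (' ', '\t') and headers: # folded continuation stays attached
            headers[-1] += '\n' + line
        else:
            headers.append(line)
    return headers

def check(rules, lines):
    """Apply the table to each line; return (verdict, surviving lines, log)."""
    out, log, verdict = [], [], 'accept'
    for line in lines:
        verb, _, arg = (lookup(rules, line) or 'DUNNO').partition(' ')
        verb, note = verb.upper(), arg or 'generic message'
        if verb in ('REJECT', 'DISCARD'):         # ends inspection of this message
            log.append(f'{verb}: {note}')
            return verb.lower(), out, log
        if verb in ('HOLD', 'WARN'):
            log.append(f'{verb}: {note}')
            verdict = 'hold' if verb == 'HOLD' else verdict
        elif verb == 'IGNORE':                    # line is deleted from the input
            continue
        elif verb == 'REPLACE':
            line = arg
        out.append(line)
    return verdict, out, log

# Constructed table in pcre: syntax, modelled on the page's EXAMPLES. Rules inside
# if..endif are not indented: leading whitespace would make them continuations.
TABLE = r"""
/^content-(type|disposition):.*name\s*=.*\.(exe|vbs)/
    REJECT Bad attachment file name extension: $2
/^Received:/        DUNNO
if /^Subject:/
/^Subject:\s*$/     REPLACE Subject: (no subject)
/free money/        HOLD spammy subject
endif
"""
# Constructed header blocks; the folded Content-Disposition is one logical header.
EXE_MSG = 'Subject: invoice\nContent-Disposition: attachment;\n\tfilename="invoice.pdf.EXE"\n'
PLAIN_MSG = 'Received: from a by b\nSubject:\n'

def run(msg, table=TABLE):
    return check(parse_table(table), logical_headers(msg))
```

       run(EXE_MSG) returns ('reject', ['Subject: invoice'], ['REJECT: Bad
       attachment file name extension: EXE']): the folded
       Content-Disposition header is matched as one logical header, newline
       included, and inspection stops at the REJECT. run(PLAIN_MSG) shows
       DUNNO leaving the Received: line alone and REPLACE rewriting the
       empty Subject:. Against a real Postfix table the same checks are
       made with the postmap -q forms from the SYNOPSIS.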
BUGS
       Many people overlook the main limitations of header and body_checks
       rules.

       · These rules operate on one logical message header or one body
         line at a time. A decision made for one line is not carried over
         to the next line.

       · If text in the message body is encoded (RFC 2045) then the rules
         need to be specified for the encoded form.

       · Likewise, when message headers are encoded (RFC 2047) then the
         rules need to be specified for the encoded form.

       Message headers added by the cleanup(8) daemon itself are excluded
       from inspection. Examples of such message headers are From:, To:,
       Message-ID:, Date:.

       Message headers deleted by the cleanup(8) daemon will be examined
       before they are deleted. Examples are: Bcc:, Content-Length:,
       Return-Path:.

CONFIGURATION PARAMETERS
       body_checks
              Lookup tables with content filter rules for message body
              lines. These filters see one physical line at a time, in
              chunks of at most $line_length_limit bytes.

       body_checks_size_limit
              The amount of content per message body segment (attachment)
              that is subjected to $body_checks filtering (default: 51200
              bytes). Body text beyond this limit within one segment is
              not inspected.

       header_checks

       mime_header_checks (default: $header_checks)

       nested_header_checks (default: $header_checks)
              Lookup tables with content filter rules for message header
              lines: respectively, these are applied to the initial message
              headers (not including MIME headers), to the MIME headers
              anywhere in the message, and to the initial headers of
              attached messages.

              Note: these filters see one logical message header at a time,
              even when a message header spans multiple lines. Message
              headers that are longer than $header_size_limit characters
              are truncated.

       disable_mime_input_processing
              While receiving mail, give no special treatment to MIME
              related message headers; all text after the initial message
              headers is considered to be part of the message body. This
              means that header_checks is applied to all the initial
              message headers, and that body_checks is applied to the
              remainder of the message.

              Note: when used in this manner, body_checks will process a
              multi-line message header one line at a time.

EXAMPLES
       Header pattern to block attachments with bad file name extensions.
       The $2 in the action is the second parenthesized group, i.e. the
       extension that matched.

       /etc/postfix/main.cf:
           header_checks = regexp:/etc/postfix/header_checks

       /etc/postfix/header_checks:
           /^content-(type|disposition):.*name[[:space:]]*=.*\.(exe|vbs)/
               REJECT Bad attachment file name extension: $2

       Body pattern to stop a specific HTML browser vulnerability exploit.
       The optional (3D) groups match the quoted-printable encoding of "="
       (RFC 2045), so the rule also fires when the body is sent quoted-
       printable; a base64-encoded body would not match (see BUGS).

       /etc/postfix/main.cf:
           body_checks = regexp:/etc/postfix/body_checks

       /etc/postfix/body_checks:
           /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
               REJECT IFRAME vulnerability exploit

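       The encoded-form limitation listed under BUGS, and the reason the
       body example above carries the (3D)? groups, can be seen directly.
       The Python program below is an added example, not code from Postfix
       or from this manual page. It uses the body pattern from EXAMPLES; the
       body line, the Subject: text and the "free money" phrase are
       constructed, and the encoded-form rule it builds for base64 text is
       one derivation technique, not a Postfix feature.

```python
import base64
import quopri
import re

# Added example, not from the page: why a rule must target the encoded form of
# the text (RFC 2045 bodies, RFC 2047 headers), and one way to derive such a
# rule. IFRAME_RULE is the body pattern from the EXAMPLES section; the message
# lines and the "free money" phrase are constructed for this example.
IFRAME_RULE = re.compile(r'^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$', re.I)
EXPLOIT_LINE = '<iframe src=cid:part1@example.invalid height=0 width=0>'

def encoded_variants(line):
    """The same body line as cleanup(8) sees it under each transfer encoding."""
    return {'7bit': line,
            'quoted-printable': quopri.encodestring(line.encode()).decode(),
            'base64': base64.b64encode(line.encode()).decode()}

def iframe_rule_hits(line=EXPLOIT_LINE):
    """The (3D)? groups cover quoted-printable ("=" becomes "=3D"); base64 escapes."""
    return {enc: IFRAME_RULE.search(text) is not None
            for enc, text in encoded_variants(line).items()}

def base64_alignments(phrase):
    """The three base64 spellings of phrase, one per starting byte offset mod 3.
    Characters that also depend on a neighbouring byte are dropped, so each
    spelling is a substring of any base64 stream holding phrase at that offset."""
    spellings = []
    for off in (0, 1, 2):
        raw = b'\0' * off + phrase
        pad = (-len(raw)) % 3
        enc = base64.b64encode(raw + b'\0' * pad).decode()
        tainted = {0: 0, 1: 2, 2: 3}             # chars shared with a neighbour byte
        spellings.append(enc[tainted[off]:len(enc) - tainted[pad]])
    return spellings

def base64_rule(phrase):
    """Pattern text for the encoded form. base64 is case-sensitive, so in a
    pcre: table this would carry the i flag to turn the case-insensitive
    default off (an assumption about pcre_table(5), not stated on this page)."""
    return '(' + '|'.join(re.escape(s) for s in base64_alignments(phrase)) + ')'

PLAIN_SUBJECT_RULE = re.compile(r'^Subject:.*free money', re.I)

def rfc2047_subject(text):
    """Subject: as a client may send it: one RFC 2047 base64 encoded-word."""
    return 'Subject: =?utf-8?B?' + base64.b64encode(text.encode()).decode() + '?='

def subject_hits(text='Claim your free money today'):
    encoded_rule = re.compile(r'^(?i:subject:\s*=\?utf-8\?B\?).*' + base64_rule(b'free money'))
    plain, encoded = 'Subject: ' + text, rfc2047_subject(text)
    return {'plain rule, plain header': PLAIN_SUBJECT_RULE.search(plain) is not None,
            'plain rule, encoded header': PLAIN_SUBJECT_RULE.search(encoded) is not None,
            'encoded-form rule, encoded header': encoded_rule.search(encoded) is not None}
```

       iframe_rule_hits() returns True for the 7bit and quoted-printable
       forms and False for base64; subject_hits() shows the plain-text
       Subject: rule missing the RFC 2047 encoded-word and the
       alternation of three base64 alignments catching it. Two caveats
       carry over to real tables: body_checks sees one physical line at a
       time, so a phrase split across a 76-character base64 line wrap or
       a quoted-printable soft line break is missed, and an encoded-word
       may use a different charset label or the Q encoding, each needing
       its own rule. Candidate rules can be checked against the encoded
       text with "postmap -q - pcre:/etc/postfix/body_checks <inputfile".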
SEE ALSO
       cleanup(8), canonicalize and enqueue Postfix message
       pcre_table(5), format of PCRE lookup tables
       regexp_table(5), format of POSIX regular expression tables
       postconf(1), Postfix configuration utility
       postmap(1), Postfix lookup table management
       postsuper(1), Postfix janitor
       postcat(1), show Postfix queue file contents
       RFC 2045, base64 and quoted-printable encoding rules
       RFC 2047, message header encoding for non-ASCII text

README FILES
       Use "postconf readme_directory" or "postconf html_directory" to
       locate this information.
       DATABASE_README, Postfix lookup table overview
       CONTENT_INSPECTION_README, Postfix content inspection overview
       BUILTIN_FILTER_README, Postfix built-in content inspection
       BACKSCATTER_README, blocking returned forged mail

LICENSE
       The Secure Mailer license must be distributed with this software.

AUTHOR(S)
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA



                                                              HEADER_CHECKS(5)