#++
# NAME
#	access 5
# SUMMARY
#	format of Postfix access table
# SYNOPSIS
#	\fBpostmap /etc/postfix/access\fR
#
#	\fBpostmap -q "\fIstring\fB" /etc/postfix/access\fR
#
#	\fBpostmap -q - /etc/postfix/access <\fIinputfile\fR
# DESCRIPTION
#	The optional \fBaccess\fR table directs the Postfix SMTP server
#	to selectively reject or accept mail. Access can be allowed or
#	denied for specific host names, domain names, networks, host
#	network addresses or mail addresses.
#
#	For an example, see the EXAMPLE section at the end of this
#	manual page.
#
#	Normally, the \fBaccess\fR table is specified as a text file
#	that serves as input to the \fBpostmap\fR(1) command.
#	The result, an indexed file in \fBdbm\fR or \fBdb\fR format,
#	is used for fast searching by the mail system. Execute the command
#	\fBpostmap /etc/postfix/access\fR in order to rebuild the indexed
#	file after changing the access table.
#
#	When the table is provided via other means such as NIS, LDAP
#	or SQL, the same lookups are done as for ordinary indexed files.
#
#	Alternatively, the table can be provided as a regular-expression
#	map where patterns are given as regular expressions, or lookups
#	can be directed to a TCP-based server. In that case, the lookups are
#	done in a slightly different way as described below under
#	"REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
# TABLE FORMAT
# .ad
# .fi
#	The input format for the \fBpostmap\fR(1) command is as follows:
# .IP "\fIpattern action\fR"
#	When \fIpattern\fR matches a mail address, domain or host address,
#	perform the corresponding \fIaction\fR.
# .IP "blank lines and comments"
#	Empty lines and whitespace-only lines are ignored, as
#	are lines whose first non-whitespace character is a `#'.
# .IP "multi-line text"
#	A logical line starts with non-whitespace text. A line that
#	starts with whitespace continues a logical line.
# EMAIL ADDRESS PATTERNS
# .ad
# .fi
#	With lookups from indexed files such as DB or DBM, or from networked
#	tables such as NIS, LDAP or SQL, patterns are tried in the order as
#	listed below:
# .IP \fIuser\fR@\fIdomain\fR
#	Matches the specified mail address.
# .IP \fIdomain.tld\fR
#	Matches \fIdomain.tld\fR as the domain part of an email address.
# .sp
#	The pattern \fIdomain.tld\fR also matches subdomains, but only
#	when the string \fBsmtpd_access_maps\fR is listed in the Postfix
#	\fBparent_domain_matches_subdomains\fR configuration setting
#	(note that this is the default for some versions of Postfix).
#	Otherwise, specify \fI.domain.tld\fR (note the initial dot) in
#	order to match subdomains.
# .IP \fIuser\fR@
#	Matches all mail addresses with the specified user part.
# .PP
#	Note: lookup of the null sender address is not possible with
#	some types of lookup table. By default, Postfix uses \fB<>\fR
#	as the lookup key for such addresses. The value is specified with
#	the \fBsmtpd_null_access_lookup_key\fR parameter in the Postfix
#	\fBmain.cf\fR file.
# EMAIL ADDRESS EXTENSION
# .fi
# .ad
#	When a mail address localpart contains the optional recipient delimiter
#	(e.g., \fIuser+foo\fR@\fIdomain\fR), the lookup order becomes:
#	\fIuser+foo\fR@\fIdomain\fR, \fIuser\fR@\fIdomain\fR, \fIdomain\fR,
#	\fIuser+foo\fR@, and \fIuser\fR@.
# HOST NAME/ADDRESS PATTERNS
# .ad
# .fi
#	With lookups from indexed files such as DB or DBM, or from networked
#	tables such as NIS, LDAP or SQL, the following lookup patterns are
#	examined in the order as listed:
# .IP \fIdomain.tld\fR
#	Matches \fIdomain.tld\fR.
# .sp
#	The pattern \fIdomain.tld\fR also matches subdomains, but only
#	when the string \fBsmtpd_access_maps\fR is listed in the Postfix
#	\fBparent_domain_matches_subdomains\fR configuration setting.
#	Otherwise, specify \fI.domain.tld\fR (note the initial dot) in
#	order to match subdomains.
# .IP \fInet.work.addr.ess\fR
# .IP \fInet.work.addr\fR
# .IP \fInet.work\fR
# .IP \fInet\fR
#	Matches any host address in the specified network. A network
#	address is a sequence of one or more octets separated by ".".
#
#	NOTE: use the \fBcidr\fR lookup table type to specify
#	network/netmask patterns. See cidr_table(5) for details.
# ACCEPT ACTIONS
# .ad
# .fi
# .IP \fBOK\fR
#	Accept the address etc. that matches the pattern.
# .IP \fIall-numerical\fR
#	An all-numerical result is treated as OK. This format is
#	generated by address-based relay authorization schemes.
# REJECT ACTIONS
# .ad
# .fi
# .IP "\fB4\fINN text\fR"
# .IP "\fB5\fINN text\fR"
#	Reject the address etc. that matches the pattern, and respond with
#	the numerical three-digit code and text. \fB4\fINN\fR means "try
#	again later", while \fB5\fINN\fR means "do not try again".
# .IP "\fBREJECT \fIoptional text...\fR"
#	Reject the address etc. that matches the pattern. Reply with
#	\fI$reject_code optional text...\fR when the optional text is
#	specified, otherwise reply with a generic error response message.
# .IP "\fBDEFER_IF_REJECT \fIoptional text...\fR"
#	Defer the request if some later restriction would result in a
#	REJECT action. Reply with "\fB450\fI optional text...\fR" when the
#	optional text is specified, otherwise reply with a generic error
#	response message.
# .sp
#	This feature is available in Postfix 2.1 and later.
# .IP "\fBDEFER_IF_PERMIT \fIoptional text...\fR"
#	Defer the request if some later restriction would result in
#	an explicit or implicit PERMIT action.
#	Reply with "\fB450\fI optional text...\fR" when the
#	optional text is specified, otherwise reply with a generic error
#	response message.
# .sp
#	This feature is available in Postfix 2.1 and later.
# OTHER ACTIONS
# .ad
# .fi
# .IP \fIrestriction...\fR
#	Apply the named UCE restriction(s) (\fBpermit\fR, \fBreject\fR,
#	\fBreject_unauth_destination\fR, and so on).
# .IP "\fBDISCARD \fIoptional text...\fR"
#	Claim successful delivery and silently discard the message.
#	Log the optional text if specified, otherwise log a generic
#	message.
# .sp
#	Note: this action currently affects all recipients of the message.
# .sp
#	This feature is available in Postfix 2.0 and later.
# .IP \fBDUNNO\fR
#	Pretend that the lookup key was not found. This
#	prevents Postfix from trying substrings of the lookup key
#	(such as a subdomain name, or a network address subnetwork).
# .sp
#	This feature is available in Postfix 2.0 and later.
# .IP "\fBFILTER \fItransport:destination\fR"
#	After the message is queued, send the entire message through
#	the specified external content filter. The \fItransport:destination\fR
#	syntax is described in the transport(5) manual page. More information
#	about external content filters is in the Postfix FILTER_README file.
# .sp
#	Note: this action overrides the \fBmain.cf content_filter\fR setting,
#	and currently affects all recipients of the message.
# .sp
#	This feature is available in Postfix 2.0 and later.
# .IP "\fBHOLD \fIoptional text...\fR"
#	Place the message on the \fBhold\fR queue, where it will sit
#	until someone either deletes it or releases it for delivery.
#	Log the optional text if specified, otherwise log a generic
#	message.
#
#	Mail that is placed on hold can be examined with the
#	\fBpostcat\fR(1) command, and can be destroyed or released with
#	the \fBpostsuper\fR(1) command.
# .sp
#	Note: this action currently affects all recipients of the message.
# .sp
#	This feature is available in Postfix 2.0 and later.
# .IP "\fBPREPEND \fIheadername: headervalue\fR"
#	Prepend the specified message header to the message.
#	When this action is used multiple times, the first prepended
#	header appears before the second etc. prepended header.
# .sp
#	Note: this action does not support multi-line message headers.
# .sp
#	This feature is available in Postfix 2.1 and later.
# .IP "\fBREDIRECT \fIuser@domain\fR"
#	After the message is queued, send the message to the specified
#	address instead of the intended recipient(s).
# .sp
#	Note: this action overrides the FILTER action, and currently affects
#	all recipients of the message.
# .sp
#	This feature is available in Postfix 2.1 and later.
# .IP "\fBWARN \fIoptional text...\fR"
#	Log a warning with the optional text, together with client information
#	and if available, with helo, sender, recipient and protocol information.
# .sp
#	This feature is available in Postfix 2.1 and later.
# REGULAR EXPRESSION TABLES
# .ad
# .fi
#	This section describes how the table lookups change when the table
#	is given in the form of regular expressions. For a description of
#	regular expression lookup table syntax, see \fBregexp_table\fR(5)
#	or \fBpcre_table\fR(5).
#
#	Each pattern is a regular expression that is applied to the entire
#	string being looked up. Depending on the application, that string
#	is an entire client hostname, an entire client IP address, or an
#	entire mail address. Thus, no parent domain or parent network search
#	is done, \fIuser@domain\fR mail addresses are not broken up into
#	their \fIuser@\fR and \fIdomain\fR constituent parts, nor is
#	\fIuser+foo\fR broken up into \fIuser\fR and \fIfoo\fR.
#
#	Patterns are applied in the order as specified in the table, until a
#	pattern is found that matches the search string.
#
#	Actions are the same as with indexed file lookups, with
#	the additional feature that parenthesized substrings from the
#	pattern can be interpolated as \fB$1\fR, \fB$2\fR and so on.
# TCP-BASED TABLES
# .ad
# .fi
#	This section describes how the table lookups change when lookups
#	are directed to a TCP-based server. For a description of the TCP
#	client/server lookup protocol, see \fBtcp_table\fR(5).
#	This feature is not available in Postfix version 2.1.
#
#	Each lookup operation uses the entire query string once.
#	Depending on the application, that string is an entire client
#	hostname, an entire client IP address, or an entire mail address.
#	Thus, no parent domain or parent network search is done,
#	\fIuser@domain\fR mail addresses are not broken up into
#	their \fIuser@\fR and \fIdomain\fR constituent parts, nor is
#	\fIuser+foo\fR broken up into \fIuser\fR and \fIfoo\fR.
#
#	Actions are the same as with indexed file lookups.
# EXAMPLE
# .ad
# .fi
#	The following example uses an indexed file, so that the
#	order of table entries does not matter. The example permits
#	access by the client at address 1.2.3.4 but rejects all
#	other clients in 1.2.3.0/24. Instead of "\fBhash\fR" lookup
#	tables, some systems use "\fBdbm\fR". Use the command
#	"\fBpostconf -m\fR" to find out what lookup tables Postfix
#	supports on your system.
#
# .na
# .nf
#	/etc/postfix/main.cf:
# .in +4
#	smtpd_client_restrictions =
# .in +4
#	check_client_access hash:/etc/postfix/access
#
# .in -8
#	/etc/postfix/access:
# .in +4
#	1.2.3   REJECT
#	1.2.3.4 OK
# .in -4
#
#	Execute the command "\fBpostmap /etc/postfix/access\fR" after
#	editing the file.
# BUGS
#	The table format does not understand quoting conventions.
# SEE ALSO
#	postmap(1), Postfix lookup table manager
#	smtpd(8), SMTP server
#	postconf(5), configuration parameters
#	transport(5), transport:nexthop syntax
# README FILES
# .ad
# .fi
#	Use "\fBpostconf readme_directory\fR" or
#	"\fBpostconf html_directory\fR" to locate this information.
# .na
# .nf
#	SMTPD_ACCESS_README, built-in SMTP server access control
#	DATABASE_README, Postfix lookup table overview
# LICENSE
# .ad
# .fi
#	The Secure Mailer license must be distributed with this software.
# AUTHOR(S)
#	Wietse Venema
#	IBM T.J. Watson Research
#	P.O. Box 704
#	Yorktown Heights, NY 10598, USA
#--
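
The indexed-table lookup orders described under EMAIL ADDRESS PATTERNS, EMAIL ADDRESS EXTENSION and HOST NAME/ADDRESS PATTERNS, modelled in Python as an added example (this is not Postfix code). The table holds the two entries from the EXAMPLE section plus constructed ones; the function names, IPv4-only addresses, and the parent-domain search inside the domain step of a mail address lookup are assumptions of the model.

```python
"""Model of access(5) key order for indexed tables (added example)."""

# The first two entries come from the EXAMPLE section; the rest are constructed.
TABLE = {
    "1.2.3": "REJECT",
    "1.2.3.4": "OK",
    "1.2.3.9": "DUNNO",        # no verdict here, and do not fall back to 1.2.3
    ".example.com": "REJECT",  # subdomains only (note the initial dot)
    "abuse@": "OK",
}

def address_keys(ip):
    """net.work.addr.ess, net.work.addr, net.work, net."""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]

def domain_keys(name, parent_matches_subdomains=False):
    """Exact name, then parents: bare when smtpd_access_maps is listed in
    parent_domain_matches_subdomains, otherwise with the initial dot."""
    labels = name.split(".")
    parents = [".".join(labels[i:]) for i in range(1, len(labels))]
    if not parent_matches_subdomains:
        parents = ["." + p for p in parents]
    return [name] + parents

def mail_keys(addr, delimiter="+", parent_matches_subdomains=False):
    """user+foo@domain, user@domain, domain, user+foo@, user@."""
    local, _, domain = addr.rpartition("@")
    base = local.split(delimiter, 1)[0] or local
    locals_ = [local] if base == local else [local, base]
    return ([f"{part}@{domain}" for part in locals_]
            + domain_keys(domain, parent_matches_subdomains)
            + [f"{part}@" for part in locals_])

def lookup(table, keys):
    """Return (key, action) for the first key present in the table.
    An explicit DUNNO entry ends the search like any other hit, so the
    broader keys after it are never consulted."""
    for key in keys:
        if key in table:
            return key, table[key]
    return None, "DUNNO"

if __name__ == "__main__":
    for ip in ("1.2.3.4", "1.2.3.77", "1.2.3.9"):
        print(ip, lookup(TABLE, address_keys(ip)))
    print(lookup(TABLE, mail_keys("abuse+x@mail.example.com")))
```

The last lookup returns the `.example.com` REJECT rather than the `abuse@` OK, because domain keys are tried before `user@` keys.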