.\" $NetBSD: access.5,v 1.1.1.11 2004/05/31 00:24:16 heas Exp $
.\"
.TH ACCESS 5
.ad
.fi
.SH NAME
access
\-
format of Postfix access table
.SH "SYNOPSIS"
.na
.nf
\fBpostmap /etc/postfix/access\fR

\fBpostmap -q "\fIstring\fB" /etc/postfix/access\fR

\fBpostmap -q - /etc/postfix/access <\fIinputfile\fR
.SH DESCRIPTION
.ad
.fi
The optional \fBaccess\fR table directs the Postfix SMTP server
to selectively reject or accept mail. Access can be allowed or
denied for specific host names, domain names, networks, host
network addresses or mail addresses.

For an example, see the EXAMPLE section at the end of this
manual page.

Normally, the \fBaccess\fR table is specified as a text file
that serves as input to the \fBpostmap\fR(1) command.
The result, an indexed file in \fBdbm\fR or \fBdb\fR format,
is used for fast searching by the mail system. Execute the command
\fBpostmap /etc/postfix/access\fR in order to rebuild the indexed
file after changing the access table.

When the table is provided via other means such as NIS, LDAP
or SQL, the same lookups are done as for ordinary indexed files.

Alternatively, the table can be provided as a regular-expression
map where patterns are given as regular expressions, or lookups
can be directed to a TCP-based server. In that case, the lookups are
done in a slightly different way as described below under
"REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
.SH "TABLE FORMAT"
.na
.nf
.ad
.fi
The input format for the \fBpostmap\fR(1) command is as follows:
.IP "\fIpattern action\fR"
When \fIpattern\fR matches a mail address, domain or host address,
perform the corresponding \fIaction\fR.
.IP "blank lines and comments"
Empty lines and whitespace-only lines are ignored, as
are lines whose first non-whitespace character is a `#'.
.IP "multi-line text"
A logical line starts with non-whitespace text. A line that
starts with whitespace continues a logical line.
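As an added worked example (not code from the Postfix source or from this manual page), the following Python reads a table in the format just described and returns the pattern/action pairs that postmap(1) would index: blank and comment lines are dropped, a whitespace-led line is joined to the previous logical line, and the first whitespace-separated word is the pattern. The sample table is constructed for the example. Where a comment line is itself indented, this parser applies the comment rule before the continuation rule; that precedence is the example's choice, so check any doubtful entry with "postmap -q" against the real indexed file.

```python
"""Read a Postfix access table in the TABLE FORMAT described above.

Added example, not Postfix code.  It applies the three rules of the
section to a text table and returns the (pattern, action) entries that
postmap(1) would index: blank and whitespace-only lines and '#' comment
lines are dropped, a line that starts with whitespace continues the
previous logical line, and the first whitespace-separated word of a
logical line is the pattern while the rest is the action.
"""

# Constructed sample table exercising every rule of TABLE FORMAT.
SAMPLE_TABLE = """\
# An access table: <pattern> <action>, one logical line per entry.

1.2.3          REJECT
1.2.3.4        OK
    # an indented comment is still a comment (this parser applies
    # the comment rule before the continuation rule)
example.test   550 Mail from this domain is
               not accepted here
  \t
user@          DUNNO
"""


def parse_access_table(text):
    """Return [(pattern, action), ...] for the logical lines in text."""
    logical = []                      # logical lines, continuations already joined
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                  # empty, whitespace-only, or comment line
        if raw[0] in " \t":
            # Whitespace-led line: continuation of the previous logical line.
            if not logical:
                raise ValueError("continuation line before any logical line: %r" % raw)
            logical[-1] += " " + stripped
        else:
            logical.append(stripped)  # non-whitespace start: new logical line
    entries = []
    for line in logical:
        parts = line.split(None, 1)   # pattern, then everything else is the action
        if len(parts) != 2:
            raise ValueError("entry without an action: %r" % line)
        entries.append((parts[0], parts[1]))
    return entries


if __name__ == "__main__":
    for pattern, action in parse_access_table(SAMPLE_TABLE):
        print("%-15s -> %s" % (pattern, action))
```

The format has no quoting conventions (see BUGS), and the parser reproduces that limitation: a key written as "john doe"@example.test is split at the space into the pattern "john and the action doe"@example.test REJECT, which is why patterns must not contain whitespace.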
.SH "EMAIL ADDRESS PATTERNS"
.na
.nf
.ad
.fi
With lookups from indexed files such as DB or DBM, or from networked
tables such as NIS, LDAP or SQL, patterns are tried in the order as
listed below:
.IP \fIuser\fR@\fIdomain\fR
Matches the specified mail address.
.IP \fIdomain.tld\fR
Matches \fIdomain.tld\fR as the domain part of an email address.
.sp
The pattern \fIdomain.tld\fR also matches subdomains, but only
when the string \fBsmtpd_access_maps\fR is listed in the Postfix
\fBparent_domain_matches_subdomains\fR configuration setting
(note that this is the default for some versions of Postfix).
Otherwise, specify \fI.domain.tld\fR (note the initial dot) in
order to match subdomains.
.IP \fIuser\fR@
Matches all mail addresses with the specified user part.
.PP
Note: lookup of the null sender address is not possible with
some types of lookup table. By default, Postfix uses \fB<>\fR
as the lookup key for such addresses. The value is specified with
the \fBsmtpd_null_access_lookup_key\fR parameter in the Postfix
\fBmain.cf\fR file.
.SH "EMAIL ADDRESS EXTENSION"
.na
.nf
.fi
.ad
When a mail address localpart contains the optional recipient delimiter
(e.g., \fIuser+foo\fR@\fIdomain\fR), the lookup order becomes:
\fIuser+foo\fR@\fIdomain\fR, \fIuser\fR@\fIdomain\fR, \fIdomain\fR,
\fIuser+foo\fR@, and \fIuser\fR@.
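The key order from EMAIL ADDRESS PATTERNS and EMAIL ADDRESS EXTENSION, written out as an added Python example (not Postfix code and not part of this manual page). The access table is a constructed dict; the parent_matches_subdomains flag stands for whether smtpd_access_maps is listed in parent_domain_matches_subdomains, and the recipient delimiter is assumed to be "+". The example shows the practical consequence of that setting: a bare parent key and a dot-prefixed parent key are each reachable under only one of the two settings.

```python
"""Lookup-key order for mail addresses in an indexed access table.

Added example, not Postfix code.  It builds, in order, the keys that
EMAIL ADDRESS PATTERNS and EMAIL ADDRESS EXTENSION say are tried for a
sender or recipient address with hash/dbm/NIS/LDAP/SQL tables, and
returns the first entry found.  The access table is a constructed dict;
parent_matches_subdomains stands for whether smtpd_access_maps is listed
in parent_domain_matches_subdomains in main.cf.
"""


def domain_lookup_keys(domain, parent_matches_subdomains):
    """Keys tried for a domain, most specific first, down to the top-level domain.

    With smtpd_access_maps listed in parent_domain_matches_subdomains the
    parent names are tried as-is (mail.example.org, example.org, org);
    otherwise parents are tried with a leading dot (.example.org, .org).
    """
    labels = domain.split(".")
    parents = [".".join(labels[i:]) for i in range(1, len(labels))]
    if parent_matches_subdomains:
        return [domain] + parents
    return [domain] + ["." + p for p in parents]


def address_lookup_keys(address, parent_matches_subdomains=True,
                        recipient_delimiter="+"):
    """Ordered keys for user@domain, honoring the recipient delimiter.

    Order from the manual: user+foo@domain, user@domain, domain (and its
    parents), user+foo@, user@.  Without an extension the user+foo forms
    are simply absent.  The null sender is looked up under its
    smtpd_null_access_lookup_key, "<>" by default.
    """
    if address == "<>" or "@" not in address:
        return [address]
    localpart, domain = address.rsplit("@", 1)
    base = localpart
    if recipient_delimiter and recipient_delimiter in localpart:
        base = localpart.split(recipient_delimiter, 1)[0]   # strip +extension
    keys = [address]
    if base != localpart:
        keys.append(base + "@" + domain)
    keys += domain_lookup_keys(domain, parent_matches_subdomains)
    keys.append(localpart + "@")
    if base != localpart:
        keys.append(base + "@")
    return keys


def lookup_action(table, keys):
    """Return (key, action) for the first key present in table, else None.

    A DUNNO entry ends the search: Postfix then pretends nothing matched
    instead of trying the remaining, less specific keys.
    """
    for key in keys:
        if key in table:
            return None if table[key] == "DUNNO" else (key, table[key])
    return None


# Constructed access table.  Note the two spellings of a parent-domain key:
# a bare parent (example.org) only matches subdomains when
# parent_matches_subdomains is on; a dot-prefixed parent (.example.test)
# only when it is off.
ACCESS_TABLE = {
    "spammer@example.net": "REJECT",
    "example.org": "OK",
    ".example.test": "550 Subdomains of example.test are not accepted",
    "postmaster@": "OK",
}

if __name__ == "__main__":
    for addr in ("user+foo@mail.example.org", "anyone@deep.example.test",
                 "postmaster@unknown.test"):
        for flag in (True, False):
            keys = address_lookup_keys(addr, flag)
            print("%-28s parent_matches=%-5s -> %s"
                  % (addr, flag, lookup_action(ACCESS_TABLE, keys)))
```

Running the block prints, for each constructed address, the outcome under both settings; a table written for one setting can silently stop matching subdomains when the other is in effect, so the parent_domain_matches_subdomains value on the host is worth confirming with "postconf parent_domain_matches_subdomains" before relying on parent-domain entries.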
.SH "HOST NAME/ADDRESS PATTERNS"
.na
.nf
.ad
.fi
With lookups from indexed files such as DB or DBM, or from networked
tables such as NIS, LDAP or SQL, the following lookup patterns are
examined in the order as listed:
.IP \fIdomain.tld\fR
Matches \fIdomain.tld\fR.
.sp
The pattern \fIdomain.tld\fR also matches subdomains, but only
when the string \fBsmtpd_access_maps\fR is listed in the Postfix
\fBparent_domain_matches_subdomains\fR configuration setting.
Otherwise, specify \fI.domain.tld\fR (note the initial dot) in
order to match subdomains.
.IP \fInet.work.addr.ess\fR
.IP \fInet.work.addr\fR
.IP \fInet.work\fR
.IP \fInet\fR
Matches any host address in the specified network. A network
address is a sequence of one or more octets separated by ".".

NOTE: use the \fBcidr\fR lookup table type to specify
network/netmask patterns. See cidr_table(5) for details.
.SH "ACCEPT ACTIONS"
.na
.nf
.ad
.fi
.IP \fBOK\fR
Accept the address etc. that matches the pattern.
.IP \fIall-numerical\fR
An all-numerical result is treated as OK. This format is
generated by address-based relay authorization schemes.
.SH "REJECT ACTIONS"
.na
.nf
.ad
.fi
.IP "\fB4\fINN text\fR"
.IP "\fB5\fINN text\fR"
Reject the address etc. that matches the pattern, and respond with
the numerical three-digit code and text. \fB4\fINN\fR means "try
again later", while \fB5\fINN\fR means "do not try again".
.IP "\fBREJECT \fIoptional text...\fR"
Reject the address etc. that matches the pattern. Reply with
\fI$reject_code optional text...\fR when the optional text is
specified, otherwise reply with a generic error response message.
.IP "\fBDEFER_IF_REJECT \fIoptional text...\fR"
Defer the request if some later restriction would result in a
REJECT action. Reply with "\fB450\fI optional text...\fR" when the
optional text is specified, otherwise reply with a generic error
response message.
.sp
This feature is available in Postfix 2.1 and later.
.IP "\fBDEFER_IF_PERMIT \fIoptional text...\fR"
Defer the request if some later restriction would result in
an explicit or implicit PERMIT action.
Reply with "\fB450\fI optional text...\fR" when the
optional text is specified, otherwise reply with a generic error
response message.
.sp
This feature is available in Postfix 2.1 and later.
.SH "OTHER ACTIONS"
.na
.nf
.ad
.fi
.IP \fIrestriction...\fR
Apply the named UCE restriction(s) (\fBpermit\fR, \fBreject\fR,
\fBreject_unauth_destination\fR, and so on).
.IP "\fBDISCARD \fIoptional text...\fR"
Claim successful delivery and silently discard the message.
Log the optional text if specified, otherwise log a generic
message.
.sp
Note: this action currently affects all recipients of the message.
.sp
This feature is available in Postfix 2.0 and later.
.IP \fBDUNNO\fR
Pretend that the lookup key was not found. This
prevents Postfix from trying substrings of the lookup key
(such as a subdomain name, or a network address subnetwork).
.sp
This feature is available in Postfix 2.0 and later.
.IP "\fBFILTER \fItransport:destination\fR"
After the message is queued, send the entire message through
the specified external content filter. The \fItransport:destination\fR
syntax is described in the transport(5) manual page. More information
about external content filters is in the Postfix FILTER_README file.
.sp
Note: this action overrides the \fBmain.cf content_filter\fR setting,
and currently affects all recipients of the message.
.sp
This feature is available in Postfix 2.0 and later.
.IP "\fBHOLD \fIoptional text...\fR"
Place the message on the \fBhold\fR queue, where it will sit
until someone either deletes it or releases it for delivery.
Log the optional text if specified, otherwise log a generic
message.

Mail that is placed on hold can be examined with the
\fBpostcat\fR(1) command, and can be destroyed or released with
the \fBpostsuper\fR(1) command.
.sp
Note: this action currently affects all recipients of the message.
.sp
This feature is available in Postfix 2.0 and later.
.IP "\fBPREPEND \fIheadername: headervalue\fR"
Prepend the specified message header to the message.
When this action is used multiple times, the first prepended
header appears before the second etc. prepended header.
.sp
Note: this action does not support multi-line message headers.
.sp
This feature is available in Postfix 2.1 and later.
.IP "\fBREDIRECT \fIuser@domain\fR"
After the message is queued, send the message to the specified
address instead of the intended recipient(s).
.sp
Note: this action overrides the FILTER action, and currently affects
all recipients of the message.
.sp
This feature is available in Postfix 2.1 and later.
.IP "\fBWARN \fIoptional text...\fR"
Log a warning with the optional text, together with client information
and if available, with helo, sender, recipient and protocol information.
.sp
This feature is available in Postfix 2.1 and later.
.SH "REGULAR EXPRESSION TABLES"
.na
.nf
.ad
.fi
This section describes how the table lookups change when the table
is given in the form of regular expressions. For a description of
regular expression lookup table syntax, see \fBregexp_table\fR(5)
or \fBpcre_table\fR(5).

Each pattern is a regular expression that is applied to the entire
string being looked up. Depending on the application, that string
is an entire client hostname, an entire client IP address, or an
entire mail address. Thus, no parent domain or parent network search
is done, \fIuser@domain\fR mail addresses are not broken up into
their \fIuser@\fR and \fIdomain\fR constituent parts, nor is
\fIuser+foo\fR broken up into \fIuser\fR and \fIfoo\fR.

Patterns are applied in the order as specified in the table, until a
pattern is found that matches the search string.

Actions are the same as with indexed file lookups, with
the additional feature that parenthesized substrings from the
pattern can be interpolated as \fB$1\fR, \fB$2\fR and so on.
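An added Python example (not Postfix code and not part of this manual page) of the lookup just described: patterns are tried in table order against the whole lookup string, and $1, $2 in the winning action are filled from the parenthesized substrings. The table is constructed, and its patterns are written as Python regular expressions rather than in the /pattern/ file syntax of regexp_table(5); the example assumes unanchored, case-insensitive matching, so every pattern anchors itself where it needs to.

```python
"""Regular-expression access table: whole-string match and $1, $2 interpolation.

Added example, not Postfix code.  It walks a table of (pattern, action)
pairs in order, applies each pattern to the entire lookup string (no
user@/domain split and no parent-domain or parent-network search, as the
section above states), and expands $1, $2, ... in the matching action from
the parenthesized substrings.  The table is constructed and patterns are
given as Python regexes, not in the /pattern/ file syntax of
regexp_table(5); matching is assumed to be unanchored search with case
folding, so each pattern anchors itself where it needs to.
"""
import re

REGEXP_TABLE = [
    # Anchored at the start: only the postmaster local part, any domain.
    (r"^postmaster@", "OK"),
    # Capture local part and subdomain to build a specific reply text.
    (r"^([^@]+)@([^@.]+)\.example\.test$", "550 No mail for $1 via subdomain $2"),
    # No parent-domain search happens, so the domain itself must be matched
    # here; an indexed-table key like "example.test" would never be tried.
    (r"@example\.test$", "REJECT"),
    # Client addresses are also matched whole: the prefix is spelled out,
    # there is no net.work.addr truncation.
    (r"^192\.0\.2\.", "DUNNO"),
]


def expand_action(action, match):
    """Replace $N in action with the N-th parenthesized substring of match."""
    def group(ref):
        n = int(ref.group(1))
        if n > len(match.groups()):
            raise ValueError("action %r refers to $%d but the pattern has only %d group(s)"
                             % (action, n, len(match.groups())))
        return match.group(n) or ""
    return re.sub(r"\$(\d+)", group, action)


def regexp_lookup(table, lookup_string):
    """Expanded action of the first pattern that matches lookup_string, else None."""
    for pattern, action in table:
        match = re.search(pattern, lookup_string, re.IGNORECASE)
        if match is not None:
            return expand_action(action, match)
    return None


if __name__ == "__main__":
    for key in ("postmaster@anything.test", "alice@sales.example.test",
                "bob@example.test", "bob@mail.example.test.evil", "192.0.2.55"):
        print("%-28s -> %s" % (key, regexp_lookup(REGEXP_TABLE, key)))
```

The fourth sample key, bob@mail.example.test.evil, matches nothing because both domain patterns are anchored with "$"; without that anchor the REJECT pattern would also fire on any string that merely contains "@example.test", which is the usual mistake when an indexed table is converted to a regexp table.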
.SH "TCP-BASED TABLES"
.na
.nf
.ad
.fi
This section describes how the table lookups change when lookups
are directed to a TCP-based server. For a description of the TCP
client/server lookup protocol, see \fBtcp_table\fR(5).
This feature is not available in Postfix version 2.1.

Each lookup operation uses the entire query string once.
Depending on the application, that string is an entire client
hostname, an entire client IP address, or an entire mail address.
Thus, no parent domain or parent network search is done,
\fIuser@domain\fR mail addresses are not broken up into
their \fIuser@\fR and \fIdomain\fR constituent parts, nor is
\fIuser+foo\fR broken up into \fIuser\fR and \fIfoo\fR.

Actions are the same as with indexed file lookups.
.SH "EXAMPLE"
.na
.nf
.ad
.fi
The following example uses an indexed file, so that the
order of table entries does not matter. The example permits
access by the client at address 1.2.3.4 but rejects all
other clients in 1.2.3.0/24. Instead of "\fBhash\fR" lookup
tables, some systems use "\fBdbm\fR". Use the command
"\fBpostconf -m\fR" to find out what lookup tables Postfix
supports on your system.

.na
.nf
/etc/postfix/main.cf:
.in +4
smtpd_client_restrictions =
.in +4
check_client_access hash:/etc/postfix/access

.in -8
/etc/postfix/access:
.in +4
1.2.3 REJECT
1.2.3.4 OK
.in -4

Execute the command "\fBpostmap /etc/postfix/access\fR" after
editing the file.
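Why the order of the two entries above does not matter, and why 1.2.3.4 wins over 1.2.3, follows from the key order in HOST NAME/ADDRESS PATTERNS; the added Python example below (not Postfix code and not part of this manual page) reproduces that order for host names and IPv4 addresses, applies the DUNNO rule from OTHER ACTIONS, and runs the EXAMPLE table plus two constructed entries against constructed client addresses. The parent_matches_subdomains flag again stands for whether smtpd_access_maps is listed in parent_domain_matches_subdomains.

```python
"""Lookup-key order for client host names and addresses, with the EXAMPLE table.

Added example, not Postfix code.  It reproduces the key order from
HOST NAME/ADDRESS PATTERNS (a host name and its parent domains; an IPv4
address shortened one octet at a time: net.work.addr.ess, net.work.addr,
net.work, net), applies the DUNNO rule from OTHER ACTIONS, and then runs
the table from the EXAMPLE section (1.2.3 REJECT, 1.2.3.4 OK) plus two
constructed entries against constructed client addresses.
"""


def host_lookup_keys(client, parent_matches_subdomains=True):
    """Ordered keys for a client IPv4 address or host name, most specific first."""
    if client.replace(".", "").isdigit():
        octets = client.split(".")
        # Octet truncation is all an indexed table does: 1.2.3 means the
        # 1.2.3.0/24 block, and nothing finer is possible (use cidr: for masks).
        return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    labels = client.split(".")
    parents = [".".join(labels[i:]) for i in range(1, len(labels))]
    if parent_matches_subdomains:       # smtpd_access_maps listed in main.cf
        return [client] + parents
    return [client] + ["." + p for p in parents]


def client_access(table, client, parent_matches_subdomains=True):
    """Action for the first key present in table, or None when nothing matched.

    Because the most specific key is tried first, table order is irrelevant
    (the point made in EXAMPLE).  A DUNNO entry stops the search before the
    shorter keys are tried: the whole lookup counts as 'not found'.
    """
    for key in host_lookup_keys(client, parent_matches_subdomains):
        action = table.get(key)
        if action is None:
            continue
        return None if action == "DUNNO" else action
    return None


# The two entries from the EXAMPLE section, plus two constructed ones.
EXAMPLE_TABLE = {
    "1.2.3": "REJECT",      # EXAMPLE: everything in 1.2.3.0/24 ...
    "1.2.3.4": "OK",        # EXAMPLE: ... except this one host
    "10": "REJECT",         # constructed: everything in 10.0.0.0/8 ...
    "10.20": "DUNNO",       # constructed: ... except 10.20.0.0/16, left undecided
}

if __name__ == "__main__":
    for client in ("1.2.3.4", "1.2.3.5", "1.2.4.4", "10.20.30.40",
                   "10.21.30.40", "mail.example.test"):
        keys = host_lookup_keys(client)
        print("%-18s %-40s -> %s"
              % (client, " ".join(keys), client_access(EXAMPLE_TABLE, client)))
```

The DUNNO entry is the way to carve an exception out of a broader rejecting prefix: a client in 10.20.0.0/16 is neither rejected nor permitted by this table, so the decision falls to whatever restriction follows check_client_access in smtpd_client_restrictions.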
.SH BUGS
.ad
.fi
The table format does not understand quoting conventions.
.SH "SEE ALSO"
.na
.nf
postmap(1), Postfix lookup table manager
smtpd(8), SMTP server
postconf(5), configuration parameters
transport(5), transport:nexthop syntax
.SH "README FILES"
.na
.nf
.ad
.fi
Use "\fBpostconf readme_directory\fR" or
"\fBpostconf html_directory\fR" to locate this information.
.na
.nf
SMTPD_ACCESS_README, built-in SMTP server access control
DATABASE_README, Postfix lookup table overview
.SH "LICENSE"
.na
.nf
.ad
.fi
The Secure Mailer license must be distributed with this software.
.SH "AUTHOR(S)"
.na
.nf
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA