<html>
<head>
<title> Postfix Configuration - UCE Controls</title>
</head>
<body>
<h1><a href="big-picture.html"><img src="small-picture.gif" width="115" height="45"></a>
Postfix Configuration - UCE Controls</h1>
<hr>
<a href="index.html">Up one level</a> | <a href="basic.html">Basic
Configuration</a> | UCE Controls | <a href="rate.html">Rate
Controls</a> | <a href="resource.html">Resource Controls</a> | <a
href="rewrite.html">Address Manipulation </a>
<h2> Introduction</h2>
Postfix offers a variety of parameters that limit the delivery of
unsolicited commercial email (UCE).
<p>
By default, the Postfix <a href="smtpd.8.html">SMTP server</a> will
accept mail only from or to the local network or domain, or to
domains that are hosted by Postfix, so that your system can't be
used as a mail relay to forward bulk mail from random strangers.
<p>
The text in this document describes how you can set up more detailed
anti-UCE policies that prevent delivery of unwanted email altogether,
for example with sendmail-style <b>access</b> lists or with <b>RBL</b>
(real-time blackhole list) name servers.
<p> Unless indicated otherwise, all parameters described here are
in the <b>main.cf</b> file. If you change parameters of a running
Postfix system, don't forget to issue a <b>postfix reload</b>
command.
<ul>
<li> <a href="#header_checks">Header filtering</a>
<p>
<li> <a href="#smtpd_client_restrictions">Client hostname/address
restrictions</a>
<p>
<li> <a href="#smtpd_helo_required">Require HELO (EHLO) command </a>
<p>
<li> <a href="#smtpd_helo_restrictions">HELO (EHLO) hostname
restrictions</a>
<p>
<li> <a href="#strict_rfc821_envelopes">Require strict RFC 821-style
envelope addresses </a>
<p>
<li> <a href="#smtpd_sender_restrictions">Sender address restrictions
</a>
<p>
<li> <a href="#smtpd_recipient_restrictions">Recipient address
restrictions</a>
<p>
<li> <a href="#smtpd_etrn_restrictions">ETRN command restrictions</a>
<p>
<li> <a href="#generic">Generic restrictions</a>
<p>
<li> <a href="#additional">Additional UCE control parameters</a>
</ul>
<a name="header_checks">
<h2> Header filtering</h2>
The <b>header_checks</b> parameter restricts what
is allowed in message headers.
<p>
<dl>
<dt>Default:
<dd>Allow anything in message headers.
<p>
<dt>Syntax:
<dd>Specify a list of zero or more lookup tables. Whenever a header
matches a table, a REJECT result means reject the message.
<p>
<i>At present, specifying a header pattern with OK serves no useful
purpose. A rule ending in OK affects only the header being matched.
The next header may still result in a REJECT match, causing the
mail still to be rejected.</i>
<p>
<dt>Examples (main.cf):
<dd> <b>header_checks = regexp:/etc/postfix/header_checks</b>
<dd> <b>header_checks = pcre:/etc/postfix/header_checks</b>
<p>
<dt>Example (header_checks):
<dd> /^to: *friend@public\.com$/ REJECT
</dl>
<p>
<a name="smtpd_client_restrictions">
<h2> Client hostname/address restrictions</h2>
The <b>smtpd_client_restrictions</b> parameter restricts what
clients this system accepts SMTP connections from.
<p>
<dl>
<dt>Default:
<dd><b>smtpd_client_restrictions =</b>
<p>
<dd>Allow SMTP connections from any client.
<p>
<dt>Syntax:
<dd>Specify a list of zero or more restrictions, separated by
whitespace or commas. Restrictions are applied in the order
specified; the first restriction that matches wins.
<p>
<dt>Examples:
<dd> <b>smtpd_client_restrictions = hash:/etc/postfix/access,
reject_maps_rbl</b>
<dd> <b>smtpd_client_restrictions = permit_mynetworks,
reject_unknown_client</b>
<p>
<dt> Restrictions:
<p>
<dl>
<a name="reject_unknown_client">
<dt> <b>reject_unknown_client</b> <dd> Reject the request when the
client IP address has no PTR record in the DNS. The
<b>unknown_client_reject_code</b> parameter specifies the response
code to rejected requests (default: <b>450</b>).
<p>
<a name="permit_mynetworks">
<dt> <b>permit_mynetworks</b> <dd> Permit the request when the
client IP address matches any network listed in <a
href="basic.html#mynetworks"> $mynetworks</a>.
<p>
<a name="check_client_access">
<dt> <b>check_client_access</b> <i>maptype</i>:<i>mapname</i>
<dt> <i>maptype</i>:<i>mapname</i> <dd> Search the named <a
href="access.5.html">access database</a> for the client hostname, parent
domains, client IP address, or networks obtained by stripping least
significant octets. Reject the request if the result is <b>REJECT</b>
or "[<b>45</b>]<i>XX text</i>". Permit the request if the result
is <b>OK</b> or <b>RELAY</b> or all-numerical. Otherwise, treat the
result as another list of UCE restrictions. The
<b>access_map_reject_code</b> parameter specifies the response code for
<b>REJECT</b> results (default: <b>554</b>).
<p>
<a name="reject_maps_rbl">
<dt> <b>reject_maps_rbl</b> <dd> Reject the request when the client
network address is listed under any of the domains listed in <a
href="#maps_rbl_domains">$maps_rbl_domains</a>. The <b>
maps_rbl_reject_code</b> parameter specifies the response code for
rejected requests (default: <b>554</b>).
<p>
<dt> <b><a href="#permit">permit</a></b>
<dt> <b><a href="#reject">reject</a></b>
<dt> <b><a href="#reject_unauth_pipelining">reject_unauth_pipelining</a></b>
<dd> See generic restrictions.
</dl>
</dl>
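<p>
The following Python model is an added example, not code from the Postfix distribution. It shows which keys a <b>check_client_access</b> lookup tries for one client and how each kind of table result is acted on, as described above. The table contents, the function names and the exact order in which keys are tried are assumptions made for illustration.

```python
import re

# Constructed access table (in Postfix: e.g. hash:/etc/postfix/access).
ACCESS = {
    "spammer.example": "REJECT",
    "192.0.2": "550 No mail accepted from this network",
    "good.example": "OK",
    "partner.example": "permit_mynetworks, reject",
}


def client_lookup_keys(hostname, address):
    """Keys tried for one client: hostname, parent domains, address, networks."""
    keys = []
    if hostname:  # None when the client has no known hostname
        labels = hostname.lower().rstrip(".").split(".")
        keys += [".".join(labels[i:]) for i in range(len(labels))]
    octets = address.split(".")
    # Full address first, then strip least significant octets:
    # 1.2.3.4, 1.2.3, 1.2, 1
    keys += [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return keys


def classify(result):
    """Map an access table result to the action the text describes."""
    value = result.strip()
    if value.upper() == "REJECT":
        return ("reject", "554")  # default access_map_reject_code
    match = re.match(r"^([45]\d\d)\s+(\S.*)$", value)
    if match:  # "[45]XX text": reject with the given code
        return ("reject", match.group(1))
    if value.upper() in ("OK", "RELAY") or value.isdigit():
        return ("permit", None)
    # Anything else is read as another list of UCE restrictions.
    return ("restrictions", [r for r in re.split(r"[,\s]+", value) if r])


def check_client_access(table, hostname, address):
    """Return (matched key, action, detail); the first key found decides."""
    for key in client_lookup_keys(hostname, address):
        if key in table:
            return (key,) + classify(table[key])
    # No entry: this restriction does not decide, the next one is consulted.
    return (None, "no match", None)


if __name__ == "__main__":
    for host, addr in [("mail.spammer.example", "198.51.100.7"),
                       (None, "192.0.2.55"),
                       ("mx.partner.example", "203.0.113.9")]:
        print(host, addr, check_client_access(ACCESS, host, addr))
```

A broad key such as a two-octet network prefix matches every client below it, so a <b>REJECT</b> or <b>OK</b> on a short key deserves a review before it is deployed.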
<a name="smtpd_helo_required">
<h2> Require HELO (EHLO) command</h2>
The <b>smtpd_helo_required</b> parameter determines if clients must
send a <b>HELO</b> (or <b>EHLO</b>) command at the beginning of an
SMTP session. Requiring this will stop some UCE software.
<p>
<dl>
<dt>Default:
<dd><b>smtpd_helo_required = no</b>
<p>
<dd>By default, the Postfix <a href="smtpd.8.html">SMTP server</a>
does not require the use of <b>HELO</b> (<b>EHLO</b>).
<p>
<dt>Syntax:
<dd>Specify <b>yes</b> or <b>no</b>.
<p>
<dt>Example:
<dd> <b>smtpd_helo_required = yes</b>
</dl>
<a name="smtpd_helo_restrictions">
<h2> HELO (EHLO) hostname restrictions</h2>
The <b>smtpd_helo_restrictions</b> parameter restricts what hostnames
clients may send with the <b>HELO</b> (<b>EHLO</b>) command. Some
UCE software can be stopped by being strict here.
<dl>
<dt>Default:
<dd><b>smtpd_helo_restrictions =</b>
<p>
<dd>By default, the Postfix <a href="smtpd.8.html">SMTP server</a>
accepts any garbage in the <b>HELO</b> (<b>EHLO</b>) command. There
is a lot of broken or misconfigured software on the Internet.
<p>
<dt>Syntax:
<dd>Specify a list of zero or more restrictions, separated by
whitespace or commas. Restrictions are applied in the order
specified; the first restriction that matches wins.
<p>
In addition to restrictions that are specific to HELO (EHLO)
command parameters, you can also specify restrictions based
on the client hostname or network address.
<p>
<dt>Example:
<dd> <b>smtpd_helo_restrictions = permit_mynetworks,
reject_invalid_hostname</b>
<p>
<dt> Restrictions:
<p>
<dl>
<a name="reject_invalid_hostname">
<dt> <b>reject_invalid_hostname</b> <dd> Reject the request when
the client HELO or EHLO parameter has a bad hostname syntax. The
<b>invalid_hostname_reject_code</b> specifies the response code to
rejected requests (default: 501).
<p>
<a name="permit_naked_ip_address">
<dt> <b>permit_naked_ip_address</b> <dd> Permit the request when
the client HELO (EHLO) command contains a naked IP address without
the enclosing <b>[]</b> brackets that the RFC requires. Unfortunately,
some popular PC mail clients send <b>HELO</b> greetings in this
manner.
<p>
<a name="reject_unknown_hostname">
<dt> <b>reject_unknown_hostname</b> <dd> Reject the request when
the hostname in the client HELO (EHLO) command has no DNS A or MX
record. The <b>unknown_hostname_reject_code</b> specifies the
response code to rejected requests (default: <b>450</b>).
<p>
<a name="reject_non_fqdn_hostname">
<dt> <b>reject_non_fqdn_hostname</b> <dd> Reject the request when
the hostname in the client HELO (EHLO) command is not in fully-qualified
domain form, as required by the RFC. The <b>non_fqdn_reject_code</b>
specifies the response code to rejected requests (default:
<b>504</b>).
<p>
<a name="check_helo_access">
<dt> <b>check_helo_access</b> <i>maptype</i>:<i>mapname</i>
<dt> <i>maptype</i>:<i>mapname</i> <dd> Search the named <a
href="access.5.html">access database</a> for the <b>HELO</b> hostname
or parent domains in the specified table. Reject the request if
the result is <b>REJECT</b> or "[<b>45</b>]<i>XX text</i>". Permit
the request when the result is <b>OK</b> or <b>RELAY</b> or
all-numerical. Otherwise, treat the result as another list of UCE
restrictions. The <b>access_map_reject_code </b> parameter specifies
the response code for <b>REJECT</b> results (default: <b>554</b>).
<p>
<dt> <b><a href="#reject_maps_rbl">reject_maps_rbl</a></b>
<dt> <b><a href="#reject_unknown_client">reject_unknown_client</a></b>
<dt> <b><a href="#permit_mynetworks">permit_mynetworks</a></b>
<dt> <b><a href="#check_client_access">check_client_access</a></b> <i>maptype</i>:<i>mapname</i>
<dd> See client hostname/address restrictions.
<p>
<dt> <b><a href="#permit">permit</a></b>
<dt> <b><a href="#reject">reject</a></b>
<dt> <b><a href="#reject_unauth_pipelining">reject_unauth_pipelining</a></b>
<dd> See generic restrictions.
</dl>
</dl>
<a name="strict_rfc821_envelopes">
<h2> Require strict RFC 821-style envelope addresses </h2>
The <b>strict_rfc821_envelopes</b> parameter controls how tolerant
Postfix is with respect to addresses given in MAIL FROM or RCPT TO
commands. Unfortunately, the widely-used Sendmail program tolerates
lots of non-standard behavior, so a lot of software expects to get
away with it. Being strict to the RFC not only stops unwanted
mail, it also blocks legitimate mail from poorly-written mail
applications.
<p>
<dl>
<dt> Default:
<dd><b>strict_rfc821_envelopes = no</b>
<p>
<dd>By default, the Postfix <a href="smtpd.8.html">SMTP server</a>
accepts any address form that it can make sense of, including
address forms that contain RFC 822-style comments, or addresses
not enclosed in &lt;&gt;. There is a lot of broken or misconfigured
software out there on the Internet.
<p>
<dt> Example:
<dd><b>strict_rfc821_envelopes = yes</b>
</dl>
<a name="smtpd_sender_restrictions">
<h2> Sender address restrictions</h2>
The <b>smtpd_sender_restrictions</b> parameter restricts what sender
addresses this system accepts in MAIL FROM commands.
<p>
<dl>
<dt> Default:
<dd><b>smtpd_sender_restrictions =</b>
<p>
<dd>By default, the Postfix <a href="smtpd.8.html">SMTP server</a>
accepts any sender address.
<p>
<dt>Syntax:
<dd>Specify a list of zero or more restrictions, separated by
whitespace or commas. Restrictions are applied in the order
specified; the first restriction that matches wins.
<p>
In addition to restrictions that are specific to sender mail
addresses, you can also specify restrictions based on the information
passed with the HELO/EHLO command, and on the client hostname or
network address.
<p>
<dt> Example:
<dd> <b>smtpd_sender_restrictions = hash:/etc/postfix/access,
reject_unknown_sender_domain</b>
<p>
<dt> Restrictions:
<dl compact>
<a name="reject_unknown_sender_domain">
<dt> <b>reject_unknown_sender_domain</b> <dd> Reject the request
when the sender mail address has no DNS A or MX record. The
<b>unknown_address_reject_code </b> parameter specifies the response
code for rejected requests (default: <b>450</b>). The response
is always <b>450</b> in case of a temporary DNS error.
<p>
<a name="check_sender_access">
<dt> <b>check_sender_access</b> <i>maptype</i>:<i>mapname</i>
<dt> <i>maptype</i>:<i>mapname</i> <dd> Search the named <a
href="access.5.html">access database</a> for the sender mail address,
parent domain, or <i>localpart</i>@. Reject the request if the
result is <b>REJECT</b> or "[<b>45</b>]<i>XX text</i>". Permit the
request if the result is <b>OK</b> or <b>RELAY</b> or all-numerical.
Otherwise, treat the result as another list of UCE restrictions. The
<b>access_map_reject_code </b> parameter specifies the result code for
rejected requests (default: <b>554</b>).
<p>
<a name="reject_non_fqdn_sender">
<dt> <b>reject_non_fqdn_sender</b> <dd> Reject the request when
the address in the client MAIL FROM command is not in fully-qualified
domain form. The <b>non_fqdn_reject_code</b> specifies the
response code to rejected requests (default: <b>504</b>).
<p>
<dt> <b><a href="#permit_naked_ip_address">permit_naked_ip_address</a></b>
<dt> <b><a href="#reject_invalid_hostname">reject_invalid_hostname</a></b>
<dt> <b><a href="#reject_unknown_hostname">reject_unknown_hostname</a></b>
<dt> <b><a href="#reject_non_fqdn_hostname">reject_non_fqdn_hostname</a></b>
<dt> <b><a href="#check_helo_access">check_helo_access</a></b> <i>maptype</i>:<i>mapname</i>
<dd> See HELO (EHLO) hostname restrictions.
<p>
<dt> <b><a href="#reject_maps_rbl">reject_maps_rbl</a></b>
<dt> <b><a href="#reject_unknown_client">reject_unknown_client</a></b>
<dt> <b><a href="#permit_mynetworks">permit_mynetworks</a></b>
<dt> <b><a href="#check_client_access">check_client_access</a></b> <i>maptype</i>:<i>mapname</i>
<dd> See client hostname/address restrictions.
<p>
<dt> <b><a href="#permit">permit</a></b>
<dt> <b><a href="#reject">reject</a></b>
<dt> <b><a href="#reject_unauth_pipelining">reject_unauth_pipelining</a></b>
<dd> See generic restrictions.
</dl>
</dl>
<a name="smtpd_recipient_restrictions">
<h2> Recipient address restrictions</h2>
The <b>smtpd_recipient_restrictions</b> parameter restricts what
recipient addresses this system accepts in RCPT TO commands.
<dl>
<dt>Default:
<dd><b>smtpd_recipient_restrictions = permit_mynetworks, check_relay_domains</b>
<p>
<dd>By default, the Postfix <a href="smtpd.8.html">SMTP server</a>
relays mail:
<p>
<ul>
<li>from trusted clients whose IP address matches <a
href="basic.html#mynetworks">$mynetworks</a>,
<li>from trusted clients whose hostname matches <a
href="#relay_domains">$relay_domains</a> or a subdomain thereof,
<li>from untrusted clients to destinations that match <a
href="#relay_domains"> $relay_domains</a> or a subdomain thereof,
except for addresses that contain sender-specified routing
(<i>user@elsewhere@domain</i>).
</ul>
<p>
In addition to the above, the Postfix <a href="smtpd.8.html">SMTP
server</a> by default accepts mail for which Postfix is the final
destination:
<p>
<ul>
<li>to destinations that match <a
href="basic.html#inet_interfaces">$inet_interfaces</a>,
<li>to destinations that match <a
href="basic.html#mydestination">$mydestination</a>,
<li>to destinations that match <a href="virtual.5.html">$virtual_maps</a>.
</ul>
<p>
<dt>Syntax:
<dd>Specify a list of zero or more restrictions, separated by
whitespace or commas. Restrictions are applied in the order
specified; the first restriction that matches wins.
<p>
In addition to restrictions that are specific to recipient mail
addresses, you can also specify restrictions based on the sender mail
address, on the information passed with the HELO/EHLO command, and
on the client hostname or network address.
<p>
<dt> Example:
<dd> <b>smtpd_recipient_restrictions = permit_mynetworks,
reject_unauth_destination</b>
<p>
<dd><i>Note: you must specify at least one of the following
restrictions: </i><b>reject</b>, <b>check_relay_domains</b> <i>or</i>
<b>reject_unauth_destination</b>. <i>Postfix will refuse to receive
mail otherwise. </i>
<p>
<dt> Restrictions:
<dl>
<a name="check_relay_domains">
<dt> <b>check_relay_domains</b> <dd> Permit the request when
one of the following is true:
<ul>
<li>the client hostname matches <a href="#relay_domains">$relay_domains</a>
or a subdomain thereof,
<li>the resolved destination address matches <a
href="#relay_domains">$relay_domains</a> or a subdomain thereof,
and the address contains no sender-specified routing
(<i>user@elsewhere@domain</i>),
<li>Postfix is the final destination: any destination that matches
<a href="basic.html#mydestination">$mydestination</a>, <a
href="basic.html#inet_interfaces">$inet_interfaces</a> or <a
href="virtual.5.html">$virtual_maps</a>.
</ul>
Otherwise reject the request. The <b>relay_domains_reject_code</b>
parameter specifies the response code for rejected requests (default:
<b>554</b>).
<p>
<a name="permit_auth_destination">
<dt> <b>permit_auth_destination</b> <dd> Ignore the client hostname.
Permit the request when one of the following is true:
<ul>
<li>the resolved destination address matches <a
href="#relay_domains">$relay_domains</a> or a subdomain thereof,
and the address contains no sender-specified routing
(<i>user@elsewhere@domain</i>),
<li>Postfix is the final destination: any destination that matches
<a href="basic.html#mydestination">$mydestination</a>, <a
href="basic.html#inet_interfaces">$inet_interfaces</a> or <a
href="virtual.5.html">$virtual_maps</a>.
</ul>
Otherwise proceed with the next restriction.
<p>
<a name="reject_unauth_destination">
<dt> <b>reject_unauth_destination</b> <dd> Ignore the client
hostname. Reject the request unless one of the following is true:
<ul>
<li>the resolved destination address matches <a
href="#relay_domains">$relay_domains</a> or a subdomain thereof,
and the address contains no sender-specified routing
(<i>user@elsewhere@domain</i>),
<li>Postfix is the final destination: any destination that matches
<a href="basic.html#mydestination">$mydestination</a>, <a
href="basic.html#inet_interfaces">$inet_interfaces</a> or <a
href="virtual.5.html">$virtual_maps</a>.
</ul>
The <b>relay_domains_reject_code</b> parameter specifies the response
code for rejected requests (default: <b>554</b>).
<p>
<a name="permit_mx_backup">
<dt> <b>permit_mx_backup</b> <dd> Permit the request when the local
mail system is MX host for the resolved destination. This includes
the case that the local mail system is the final destination.
However, the SMTP server will not forward mail with addresses that
have sender-specified routing information (example:
<i>user@elsewhere@domain</i>).
<p>
Relevant configuration parameters: <a href="basic.html#mydestination">
$mydestination</a>, <a href="basic.html#inet_interfaces">
$inet_interfaces</a>.
<p>
<dt> <b>check_recipient_access</b> <i>maptype</i>:<i>mapname</i>
<dt> <i>maptype</i>:<i>mapname</i> <dd> Search the named <a
href="access.5.html">access database</a> for the resolved destination
address, parent domain, or <i>localpart</i>@. Reject the request if the
result is <b>REJECT</b> or "[<b>45</b>]<i>XX text</i>". Permit the
request if the result is <b>OK</b> or <b>RELAY</b> or all-numerical.
Otherwise, treat the result as another list of UCE restrictions. The
<b>access_map_reject_code </b> parameter specifies the result code for
rejected requests (default: <b>554</b>).
<p>
<a name="reject_unknown_recipient_domain">
<dt> <b>reject_unknown_recipient_domain</b> <dd> Reject the request
when the recipient mail address has no DNS A or MX record. The
<b>unknown_address_reject_code </b> parameter specifies the response
code for rejected requests (default: <b>450</b>). The response
is always <b>450</b> in case of a temporary DNS error.
<p>
<a name="reject_non_fqdn_recipient">
<dt> <b>reject_non_fqdn_recipient</b> <dd> Reject the request when
the address in the client RCPT TO command is not in fully-qualified
domain form. The <b>non_fqdn_reject_code</b> specifies the
response code to rejected requests (default: <b>504</b>).
<p>
<dt> <b><a href="#reject_unknown_sender_domain">reject_unknown_sender_domain</a></b>
<dt> <b><a href="#reject_non_fqdn_sender">reject_non_fqdn_sender</a></b>
<dt> <b><a href="#check_sender_access">check_sender_access</a></b> <i>maptype</i>:<i>mapname</i>
<dd> See sender address restrictions.
<p>
<dt> <b><a href="#permit_naked_ip_address">permit_naked_ip_address</a></b>
<dt> <b><a href="#reject_invalid_hostname">reject_invalid_hostname</a></b>
<dt> <b><a href="#reject_unknown_hostname">reject_unknown_hostname</a></b>
<dt> <b><a href="#reject_non_fqdn_hostname">reject_non_fqdn_hostname</a></b>
<dt> <b><a href="#check_helo_access">check_helo_access</a></b> <i>maptype</i>:<i>mapname</i>
<dd> See HELO (EHLO) hostname restrictions.
<p>
<dt> <b><a href="#reject_maps_rbl">reject_maps_rbl</a></b>
<dt> <b><a href="#reject_unknown_client">reject_unknown_client</a></b>
<dt> <b><a href="#permit_mynetworks">permit_mynetworks</a></b>
<dt> <b><a href="#check_client_access">check_client_access</a></b> <i>maptype</i>:<i>mapname</i>
<dd> See client hostname/address restrictions.
<p>
<dt> <b><a href="#permit">permit</a></b>
<dt> <b><a href="#reject">reject</a></b>
<dt> <b><a href="#reject_unauth_pipelining">reject_unauth_pipelining</a></b>
<dd> See generic restrictions.
</dl>
</dl>
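<p>
The following Python model is an added example, not code from the Postfix distribution. It walks the example list <b>permit_mynetworks, reject_unauth_destination</b> in order, with the first matching restriction deciding, to show which RCPT TO requests are relayed and which are refused. The network and domain values are constructed, <b>$inet_interfaces</b> and <b>$virtual_maps</b> are left out, and taking the text after the last "@" as the resolved destination is a simplification.

```python
import ipaddress

# Constructed settings standing in for main.cf values.
MYNETWORKS = ["127.0.0.0/8", "192.0.2.0/24"]
MYDESTINATION = ["example.com"]
RELAY_DOMAINS = ["example.com", "customer.example"]


def in_domain_list(name, domains):
    """True when name equals a listed domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def has_sender_routing(recipient):
    """user@elsewhere@domain: more than one '@' in the address."""
    return recipient.count("@") > 1


def destination_of(recipient):
    """Simplified resolved destination: the text after the last '@'."""
    return recipient.rsplit("@", 1)[1]


def permit_mynetworks(client_ip, recipient):
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in MYNETWORKS):
        return "permit"
    return None  # no match: go on to the next restriction


def reject_unauth_destination(client_ip, recipient):
    # The client hostname and address are ignored by this restriction.
    dest = destination_of(recipient)
    routed = has_sender_routing(recipient)
    relay_ok = in_domain_list(dest, RELAY_DOMAINS) and not routed
    # Simplification of this model: a routed address is not counted as
    # locally final either, because the text after the last "@" is not
    # necessarily where the message would end up.
    final = dest.lower() in MYDESTINATION and not routed
    return None if (relay_ok or final) else "reject"


RESTRICTIONS = [permit_mynetworks, reject_unauth_destination]


def evaluate(client_ip, recipient, restrictions=RESTRICTIONS):
    """Apply restrictions in order; the first one that matches wins."""
    for restriction in restrictions:
        verdict = restriction(client_ip, recipient)
        if verdict:
            return verdict, restriction.__name__
    return "permit", "end of list"  # nothing matched: request is accepted


if __name__ == "__main__":
    for ip, rcpt in [("192.0.2.10", "someone@elsewhere.example"),
                     ("203.0.113.5", "user@example.com"),
                     ("203.0.113.5", "someone@elsewhere.example"),
                     ("203.0.113.5", "someone@elsewhere.example@customer.example")]:
        print(ip, rcpt, evaluate(ip, rcpt))
```

The last sample address is refused even though its final domain is listed in the relay domains, because the sender-specified route would otherwise let an untrusted client forward mail to an arbitrary host.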
<a name="smtpd_etrn_restrictions">
<h2> ETRN command restrictions</h2>
Although not really a UCE restriction, the <b>smtpd_etrn_restrictions</b>
parameter restricts what domains can be specified in ETRN commands,
and what clients can issue ETRN commands.
<dl>
<dt>Default:
<dd><b>smtpd_etrn_restrictions =</b>
<p>
<dd>By default, the Postfix <a href="smtpd.8.html">SMTP server</a>
accepts any ETRN command from any client.
<p>
<dt>Syntax:
<dd>Specify a list of zero or more restrictions, separated by
whitespace or commas. Restrictions are applied in the order
specified; the first restriction that matches wins.
<p>
In addition to restrictions that are specific to ETRN domain names,
you can also specify restrictions based on the information passed
with the HELO/EHLO command, and on the client hostname or network
address.
<p>
<dt> Example:
<dd> <b>smtpd_etrn_restrictions = permit_mynetworks,
hash:/etc/postfix/etrn_access, reject</b>
<p>
<dt> Restrictions:
<dl>
<a name="check_etrn_access">
<dt> <b>check_etrn_access</b> <i>maptype</i>:<i>mapname</i>
<dt> <i>maptype</i>:<i>mapname</i> <dd> Search the named <a
href="access.5.html">access database</a> for the domain specified
in the ETRN command, or its parent domains. Reject the request if
the result is <b>REJECT</b> or "[<b>45</b>]<i>XX text</i>". Permit
the request if the result is <b>OK</b> or <b>RELAY</b> or
all-numerical. Otherwise, treat the result as another list of UCE
restrictions. The <b>access_map_reject_code </b> parameter specifies
the result code for rejected requests (default: <b>554</b>).
<p>
<dt> <b><a href="#permit_naked_ip_address">permit_naked_ip_address</a></b>
<dt> <b><a href="#reject_invalid_hostname">reject_invalid_hostname</a></b>
<dt> <b><a href="#reject_unknown_hostname">reject_unknown_hostname</a></b>
<dt> <b><a href="#check_helo_access">check_helo_access</a></b> <i>maptype</i>:<i>mapname</i>
<dd> See HELO (EHLO) hostname restrictions.
<p>
<dt> <b><a href="#reject_maps_rbl">reject_maps_rbl</a></b>
<dt> <b><a href="#reject_unknown_client">reject_unknown_client</a></b>
<dt> <b><a href="#permit_mynetworks">permit_mynetworks</a></b>
<dt> <b><a href="#check_client_access">check_client_access</a></b> <i>maptype</i>:<i>mapname</i>
<dd> See client hostname/address restrictions.
<p>
<dt> <b><a href="#permit">permit</a></b>
<dt> <b><a href="#reject">reject</a></b>
<dt> <b><a href="#reject_unauth_pipelining">reject_unauth_pipelining</a></b>
<dd> See generic restrictions.
</dl>
</dl>
<a name="generic">
<h2> Generic restrictions</h2>
The following restrictions can be used for client hostnames or
addresses, for HELO (EHLO) hostnames, for sender mail addresses
and for recipient mail addresses.
<dl>
<dt> Restrictions:
<p>
<dl>
<a name="permit">
<dt> <b>permit</b> <dd> Permit the request. This restriction
is useful at the end of a restriction list, to make the default
policy explicit.
<p>
<a name="reject">
<dt> <b>reject</b> <dd> Reject the request. This restriction
is useful at the end of a restriction list, to make the default
policy explicit. The <b>reject_code</b> configuration parameter
specifies the response code to rejected requests (default:
<b>554</b>).
<p>
<a name="reject_unauth_pipelining">
<dt> <b>reject_unauth_pipelining</b> <dd> Reject the request when
the client sends SMTP commands ahead of time without knowing that
Postfix actually supports SMTP command pipelining. This stops mail
from bulk mail software that improperly uses SMTP command pipelining
to speed up deliveries.
</dl>
</dl>
<a name="additional">
<h2> Additional UCE control parameters</h2>
<dl>
<a name="maps_rbl_domains">
<dt> <b>maps_rbl_domains</b>
<dd>This parameter controls the behavior of the <a
href="#reject_maps_rbl">reject_maps_rbl</a> restriction that can
appear as part of a client hostname/address restriction list.
<p>
<dl>
<dt>Default:
<dd><b>maps_rbl_domains = rbl.maps.vix.com, dul.maps.vix.com</b>
<p>
Note: RBL lookups are disabled by default.
<p>
<dt>Syntax:
<dd> Zero or more DNS domains that blacklist client IP addresses. A
host is blacklisted when its reversed IP address is listed as a
subdomain under any of the domains listed in <b>$maps_rbl_domains.</b>
</dl>
<p>
<a name="relay_domains">
<dt> <b>relay_domains</b>
<dd> This parameter controls the behavior of the <a
href="#check_relay_domains"> check_relay_domains</a>, <a
href="#reject_unauth_destination"> reject_unauth_destination</a>
and <a href="#permit_auth_destination"> permit_auth_destination</a>
restrictions that can appear as part of a recipient address
restriction list.
<p>
<dl>
<dt>Default:
<dd><b>relay_domains = <a href="basic.html#mydestination">
$mydestination</a></b>
<p>
<dd>By default, the Postfix <a href="smtpd.8.html">SMTP server</a>
relays mail:
<p>
<ul>
<li>from trusted clients whose IP address matches <a
href="basic.html#mynetworks">$mynetworks</a>,
<li>from trusted clients whose hostname matches <a
href="#relay_domains">$relay_domains</a> or a subdomain thereof,
<li>from untrusted clients to destinations that match <a
href="#relay_domains"> $relay_domains</a> or a subdomain thereof,
except for addresses that contain sender-specified routing
(<i>user@elsewhere@domain</i>).
</ul>
<p>
<dt>Syntax:
<dd> Specify zero or more domain names, <i>/file/name</i> patterns
and/or <i>type</i>:<i>name</i> lookup tables, separated by whitespace
and/or commas. A <i>/file/name</i> is replaced by its contents;
<i>type</i>:<i>name</i> requests that table lookup is done instead
of string comparison.
</dl>
<p>
A host or destination address matches <b>$relay_domains</b> when
its name or parent domain matches any of the names, files or lookup
tables listed in <b>$relay_domains.</b>
</dl>
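<p>
The following Python sketch is an added example, not code from the Postfix distribution. It builds the DNS names that a <b>reject_maps_rbl</b> check looks up for a client, following the <b>maps_rbl_domains</b> syntax above: the reversed IP address as a subdomain of each listed domain. The <i>.example</i> list domains and the set of listed names are constructed, and treating "listed" as "the name has an A record" is an assumption of this sketch.

```python
import ipaddress
import socket


def rbl_query_names(client_ip, rbl_domains):
    """Reversed client address placed under each blackhole list domain."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    reversed_ip = ".".join(reversed(octets))
    return [f"{reversed_ip}.{domain.strip('.')}" for domain in rbl_domains]


def dns_has_a_record(name):
    """Live lookup; assumption: a listed host is one whose name resolves."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False


def reject_maps_rbl(client_ip, rbl_domains, lookup=dns_has_a_record):
    """Return ("reject", code, name) for the first listing, else no decision."""
    for name in rbl_query_names(client_ip, rbl_domains):
        if lookup(name):
            return ("reject", "554", name)  # default maps_rbl_reject_code
    return (None, None, None)


# Constructed stand-in for the DNS so the example runs offline.
LISTED = {"99.2.0.192.dul.example"}
DOMAINS = ["rbl.example", "dul.example"]

if __name__ == "__main__":
    for ip in ("192.0.2.99", "192.0.2.1"):
        print(ip, rbl_query_names(ip, DOMAINS),
              reject_maps_rbl(ip, DOMAINS, lookup=LISTED.__contains__))
```

Printing the query names is a quick way to check by hand, with any DNS lookup tool, why a particular client was or was not refused.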
<hr>
<a href="index.html">Up one level</a> | <a href="basic.html">Basic
Configuration</a> | UCE Controls | <a href="rate.html">Rate
Controls</a> | <a href="resource.html">Resource Controls</a> | <a
href="rewrite.html">Address Manipulation </a>
</body>
</html>