#++
# NAME
# access 5
# SUMMARY
# Postfix access table format
# SYNOPSIS
# \fBpostmap /etc/postfix/access\fR
#
# \fBpostmap -q "\fIstring\fB" /etc/postfix/access\fR
#
# \fBpostmap -q - /etc/postfix/access <\fIinputfile\fR
# DESCRIPTION
# The optional \fBaccess\fR(5) table directs the Postfix SMTP server
# to selectively reject or accept mail. Access can be allowed or
# denied for specific host names, domain names, networks, host
# addresses or mail addresses.
#
# For an example, see the EXAMPLE section at the end of this
# manual page.
#
# Normally, the \fBaccess\fR(5) table is specified as a text file
# that serves as input to the \fBpostmap\fR(1) command.
# The result, an indexed file in \fBdbm\fR or \fBdb\fR format,
# is used for fast searching by the mail system. Execute the command
# "\fBpostmap /etc/postfix/access\fR" in order to rebuild the indexed
# file after changing the access table.
#
# When the table is provided via other means such as NIS, LDAP
# or SQL, the same lookups are done as for ordinary indexed files.
#
# Alternatively, the table can be provided as a regular-expression
# map where patterns are given as regular expressions, or lookups
# can be directed to a TCP-based server. In that case, the lookups are
# done in a slightly different way as described below under
# "REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
# CASE FOLDING
# .ad
# .fi
# The search string is folded to lowercase before database
# lookup. As of Postfix 2.3, the search string is not case
# folded with database types such as regexp: or pcre: whose
# lookup fields can match both upper and lower case.
# TABLE FORMAT
# .ad
# .fi
# The input format for the \fBpostmap\fR(1) command is as follows:
# .IP "\fIpattern action\fR"
# When \fIpattern\fR matches a mail address, domain or host address,
# perform the corresponding \fIaction\fR.
# .IP "blank lines and comments"
# Empty lines and whitespace-only lines are ignored, as
# are lines whose first non-whitespace character is a `#'.
# .IP "multi-line text"
# A logical line starts with non-whitespace text. A line that
# starts with whitespace continues a logical line.
# EMAIL ADDRESS PATTERNS
# .ad
# .fi
# With lookups from indexed files such as DB or DBM, or from networked
# tables such as NIS, LDAP or SQL, patterns are tried in the order as
# listed below:
# .IP \fIuser\fR@\fIdomain\fR
# Matches the specified mail address.
# .IP \fIdomain.tld\fR
# Matches \fIdomain.tld\fR as the domain part of an email address.
# .sp
# The pattern \fIdomain.tld\fR also matches subdomains, but only
# when the string \fBsmtpd_access_maps\fR is listed in the Postfix
# \fBparent_domain_matches_subdomains\fR configuration setting
# (note that this is the default for some versions of Postfix).
# Otherwise, specify \fI.domain.tld\fR (note the initial dot) in
# order to match subdomains.
# .IP \fIuser\fR@
# Matches all mail addresses with the specified user part.
# .PP
# Note: lookup of the null sender address is not possible with
# some types of lookup table. By default, Postfix uses \fB<>\fR
# as the lookup key for such addresses. The value is specified with
# the \fBsmtpd_null_access_lookup_key\fR parameter in the Postfix
# \fBmain.cf\fR file.
# EMAIL ADDRESS EXTENSION
# .fi
# .ad
# When a mail address localpart contains the optional recipient delimiter
# (e.g., \fIuser+foo\fR@\fIdomain\fR), the lookup order becomes:
# \fIuser+foo\fR@\fIdomain\fR, \fIuser\fR@\fIdomain\fR, \fIdomain\fR,
# \fIuser+foo\fR@, and \fIuser\fR@.
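#
# Added example (not part of the original manual page or of Postfix): a
# Python model of the mail-address lookup order given above, including the
# subdomain rule and the null-sender key. Function names, parameters and the
# sample table are assumptions made for illustration.

```python
# Added illustration: models the mail-address lookup order listed on this
# page; it is not Postfix source code. All names here are hypothetical.

def domain_keys(domain, parent_matches_subdomains):
    """The domain itself, then its parents: written 'domain.tld' when
    smtpd_access_maps is in parent_domain_matches_subdomains, else '.domain.tld'."""
    keys, rest = [domain], domain
    while "." in rest:
        rest = rest.split(".", 1)[1]
        keys.append(rest if parent_matches_subdomains else "." + rest)
    return keys

def mail_keys(address, delimiter="+", parent_matches_subdomains=False,
              null_key="<>"):
    """Lookup keys in the order they are tried for one sender or recipient."""
    if not address:                      # null sender: smtpd_null_access_lookup_key
        return [null_key]
    local, _, domain = address.lower().rpartition("@")
    # Strip the extension; keep the localpart whole if nothing precedes it.
    base = (local.split(delimiter, 1)[0] if delimiter else local) or local
    forms = [local] if base == local else [local, base]
    return ([f"{u}@{domain}" for u in forms]
            + domain_keys(domain, parent_matches_subdomains)
            + [f"{u}@" for u in forms])

def check_mail(table, address, **options):
    """Return the first action found, or None (DUNNO counts as not found)."""
    for key in mail_keys(address, **options):
        action = table.get(key)
        if action is not None:
            return None if action.upper() == "DUNNO" else action
    return None

# Constructed sample table, already parsed into {pattern: action}.
TABLE = {
    "example.com": "OK",
    "admin@example.com": "REJECT role account",
    "user@": "REJECT",
}

if __name__ == "__main__":
    print(mail_keys("User+Foo@Example.COM"))
    for rcpt in ("user@example.com", "user@other.test", "admin+x@example.com"):
        print(rcpt, "->", check_mail(TABLE, rcpt))
```

# In this model a domain entry is consulted before any \fIuser\fR@ entry,
# so "example.com OK" decides for user@example.com before "user@ REJECT"
# is ever tried.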
# HOST NAME/ADDRESS PATTERNS
# .ad
# .fi
# With lookups from indexed files such as DB or DBM, or from networked
# tables such as NIS, LDAP or SQL, the following lookup patterns are
# examined in the order as listed:
# .IP \fIdomain.tld\fR
# Matches \fIdomain.tld\fR.
# .sp
# The pattern \fIdomain.tld\fR also matches subdomains, but only
# when the string \fBsmtpd_access_maps\fR is listed in the Postfix
# \fBparent_domain_matches_subdomains\fR configuration setting.
# Otherwise, specify \fI.domain.tld\fR (note the initial dot) in
# order to match subdomains.
# .IP \fInet.work.addr.ess\fR
# .IP \fInet.work.addr\fR
# .IP \fInet.work\fR
# .IP \fInet\fR
# Matches the specified IPv4 host address or subnetwork. An
# IPv4 host address is a sequence of four decimal octets
# separated by ".".
#
# Subnetworks are matched by repeatedly truncating the last
# ".octet" from the remote IPv4 host address string until a
# match is found in the access table, or until further
# truncation is not possible.
#
# NOTE 1: The information in the access map should be in
# canonical form, with unnecessary null characters eliminated.
# Address information must not be enclosed with "[]" characters.
#
# NOTE 2: use the \fBcidr\fR lookup table type to specify
# network/netmask patterns. See \fBcidr_table\fR(5) for details.
# .IP \fInet:work:addr:ess\fR
# .IP \fInet:work:addr\fR
# .IP \fInet:work\fR
# .IP \fInet\fR
# Matches the specified IPv6 host address or subnetwork. An
# IPv6 host address is a sequence of three to eight hexadecimal
# octet pairs separated by ":".
#
# Subnetworks are matched by repeatedly truncating the last
# ":octetpair" from the remote IPv6 host address string until
# a match is found in the access table, or until further
# truncation is not possible.
#
# NOTE 1: the truncation and comparison are done with the
# string representation of the IPv6 host address. Thus, not
# all the ":" subnetworks will be tried.
#
# NOTE 2: The information in the access map should be in
# canonical form, with unnecessary null characters eliminated.
# Address information must not be enclosed with "[]" characters.
#
# NOTE 3: use the \fBcidr\fR lookup table type to specify
# network/netmask patterns. See \fBcidr_table\fR(5) for details.
#
# IPv6 support is available in Postfix 2.2 and later.
# ACCEPT ACTIONS
# .ad
# .fi
# .IP \fBOK\fR
# Accept the address etc. that matches the pattern.
# .IP \fIall-numerical\fR
# An all-numerical result is treated as OK. This format is
# generated by address-based relay authorization schemes
# such as pop-before-smtp.
# REJECT ACTIONS
# .ad
# .fi
# Postfix version 2.3 and later support enhanced status codes
# as defined in RFC 3463.
# When no code is specified at the beginning of the \fItext\fR
# below, Postfix inserts a default enhanced status code of "5.7.1"
# in the case of reject actions, and "4.7.1" in the case of
# defer actions. See "ENHANCED STATUS CODES" below.
# .IP "\fB4\fINN text\fR"
# .IP "\fB5\fINN text\fR"
# Reject the address etc. that matches the pattern, and respond with
# the numerical three-digit code and text. \fB4\fINN\fR means "try
# again later", while \fB5\fINN\fR means "do not try again".
# .IP
# The reply code "421" causes Postfix to disconnect immediately
# (Postfix version 2.3 and later).
# .IP "\fBREJECT \fIoptional text...\fR"
# Reject the address etc. that matches the pattern. Reply with
# \fI$reject_code optional text...\fR when the optional text is
# specified, otherwise reply with a generic error response message.
# .IP "\fBDEFER_IF_REJECT \fIoptional text...\fR"
# Defer the request if some later restriction would result in a
# REJECT action. Reply with "\fB450\fI optional text...\fR" when the
# optional text is specified, otherwise reply with a generic error
# response message.
# .sp
# This feature is available in Postfix 2.1 and later.
# .IP "\fBDEFER_IF_PERMIT \fIoptional text...\fR"
# Defer the request if some later restriction would result in
# an explicit or implicit PERMIT action.
# Reply with "\fB450\fI optional text...\fR" when the
# optional text is specified, otherwise reply with a generic error
# response message.
# .sp
# This feature is available in Postfix 2.1 and later.
# OTHER ACTIONS
# .ad
# .fi
# .IP \fIrestriction...\fR
# Apply the named UCE restriction(s) (\fBpermit\fR, \fBreject\fR,
# \fBreject_unauth_destination\fR, and so on).
# \" .IP "\fBDELAY \fItime\fR"
# \" Place the message into the deferred queue, and delay the
# \" initial delivery attempt by \fItime\fR. The time value may
# \" be followed by a one-character suffix that specifies the
# \" time unit: s (seconds), m (minutes), h (hours), d (days),
# \" w (weeks). The default time unit is s (seconds).
# \" .sp
# \" Limitations:
# \" .RS
# \" .IP \(bu
# \" This action affects all the recipients of the message.
# \" .IP \(bu
# \" The delay value has no effect with remote file systems that
# \" don't correctly emulate UNIX local file system semantics.
# \" In that case, the delay will be half of $queue_run_delay
# \" on average.
# \" .IP \(bu
# \" Mail will still be delivered with "sendmail -q", "postfix
# \" flush" or "postqueue -f".
# \" .IP \(bu
# \" Delayed mail increases the amount of disk I/O during deferred
# \" queue scans. When large amounts of mail are queued for
# \" delayed delivery it may be preferable to use the HOLD feature
# \" instead.
# \" .RE
# \" .IP
# \" This feature is available in Postfix 2.3 and later.
# .IP "\fBDISCARD \fIoptional text...\fR"
# Claim successful delivery and silently discard the message.
# Log the optional text if specified, otherwise log a generic
# message.
# .sp
# Note: this action currently affects all recipients of the message.
# To discard only one recipient without discarding the entire message,
# use the transport(5) table to direct mail to the discard(8) service.
# .sp
# This feature is available in Postfix 2.0 and later.
# .IP \fBDUNNO\fR
# Pretend that the lookup key was not found. This
# prevents Postfix from trying substrings of the lookup key
# (such as a subdomain name, or a network address subnetwork).
# .sp
# This feature is available in Postfix 2.0 and later.
# .IP "\fBFILTER \fItransport:destination\fR"
# After the message is queued, send the entire message through
# the specified external content filter. The \fItransport:destination\fR
# syntax is described in the \fBtransport\fR(5) manual page.
# More information
# about external content filters is in the Postfix FILTER_README file.
# .sp
# Note: this action overrides the \fBmain.cf content_filter\fR setting,
# and currently affects all recipients of the message.
# .sp
# This feature is available in Postfix 2.0 and later.
# .IP "\fBHOLD \fIoptional text...\fR"
# Place the message on the \fBhold\fR queue, where it will sit
# until someone either deletes it or releases it for delivery.
# Log the optional text if specified, otherwise log a generic
# message.
#
# Mail that is placed on hold can be examined with the
# \fBpostcat\fR(1) command, and can be destroyed or released with
# the \fBpostsuper\fR(1) command.
# .sp
# Note: use "\fBpostsuper -r\fR" to release mail that was kept on
# hold for a significant fraction of \fB$maximal_queue_lifetime\fR
# or \fB$bounce_queue_lifetime\fR, or longer.
# .sp
# Note: this action currently affects all recipients of the message.
# .sp
# This feature is available in Postfix 2.0 and later.
# .IP "\fBPREPEND \fIheadername: headervalue\fR"
# Prepend the specified message header to the message.
# When this action is used multiple times, the first prepended
# header appears before the second etc. prepended header.
# .sp
# Note: this action does not support multi-line message headers.
# .sp
# Note: this action must be used before the message content
# is received; it cannot be used in \fBsmtpd_end_of_data_restrictions\fR.
# .sp
# This feature is available in Postfix 2.1 and later.
# .IP "\fBREDIRECT \fIuser@domain\fR"
# After the message is queued, send the message to the specified
# address instead of the intended recipient(s).
# .sp
# Note: this action overrides the FILTER action, and currently affects
# all recipients of the message.
# .sp
# This feature is available in Postfix 2.1 and later.
# .IP "\fBWARN \fIoptional text...\fR"
# Log a warning with the optional text, together with client information
# and if available, with helo, sender, recipient and protocol information.
# .sp
# This feature is available in Postfix 2.1 and later.
# ENHANCED STATUS CODES
# .ad
# .fi
# Postfix version 2.3 and later support enhanced status codes
# as defined in RFC 3463.
# When an enhanced status code is specified in an access
# table, it is subject to modification. The following
# transformations are needed when the same access table is
# used for client, helo, sender, or recipient access restrictions;
# they happen regardless of whether Postfix replies to a MAIL
# FROM, RCPT TO or other SMTP command.
# .IP \(bu
# When a sender address matches a REJECT action, the Postfix
# SMTP server will transform a recipient DSN status (e.g.,
# 4.1.1-4.1.6) into the corresponding sender DSN status, and
# vice versa.
# .IP \(bu
# When non-address information matches a REJECT action (such
# as the HELO command argument or the client hostname/address),
# the Postfix SMTP server will transform a sender or recipient
# DSN status into a generic non-address DSN status (e.g.,
# 4.0.0).
# REGULAR EXPRESSION TABLES
# .ad
# .fi
# This section describes how the table lookups change when the table
# is given in the form of regular expressions. For a description of
# regular expression lookup table syntax, see \fBregexp_table\fR(5)
# or \fBpcre_table\fR(5).
#
# Each pattern is a regular expression that is applied to the entire
# string being looked up. Depending on the application, that string
# is an entire client hostname, an entire client IP address, or an
# entire mail address. Thus, no parent domain or parent network search
# is done, \fIuser@domain\fR mail addresses are not broken up into
# their \fIuser@\fR and \fIdomain\fR constituent parts, nor is
# \fIuser+foo\fR broken up into \fIuser\fR and \fIfoo\fR.
#
# Patterns are applied in the order as specified in the table, until a
# pattern is found that matches the search string.
#
# Actions are the same as with indexed file lookups, with
# the additional feature that parenthesized substrings from the
# pattern can be interpolated as \fB$1\fR, \fB$2\fR and so on.
# TCP-BASED TABLES
# .ad
# .fi
# This section describes how the table lookups change when lookups
# are directed to a TCP-based server. For a description of the TCP
# client/server lookup protocol, see \fBtcp_table\fR(5).
# This feature is not available up to and including Postfix version 2.3.
#
# Each lookup operation uses the entire query string once.
# Depending on the application, that string is an entire client
# hostname, an entire client IP address, or an entire mail address.
# Thus, no parent domain or parent network search is done,
# \fIuser@domain\fR mail addresses are not broken up into
# their \fIuser@\fR and \fIdomain\fR constituent parts, nor is
# \fIuser+foo\fR broken up into \fIuser\fR and \fIfoo\fR.
#
# Actions are the same as with indexed file lookups.
# EXAMPLE
# .ad
# .fi
# The following example uses an indexed file, so that the
# order of table entries does not matter. The example permits
# access by the client at address 1.2.3.4 but rejects all
# other clients in 1.2.3.0/24. Instead of \fBhash\fR lookup
# tables, some systems use \fBdbm\fR. Use the command
# "\fBpostconf -m\fR" to find out what lookup tables Postfix
# supports on your system.
#
# .na
# .nf
# /etc/postfix/main.cf:
# .in +4
# smtpd_client_restrictions =
# .in +4
# check_client_access hash:/etc/postfix/access
#
# .in -8
# /etc/postfix/access:
# .in +4
# 1.2.3 REJECT
# 1.2.3.4 OK
# .in -4
#
# Execute the command "\fBpostmap /etc/postfix/access\fR" after
# editing the file.
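#
# Added example (not part of the original manual page or of Postfix): a
# Python model of how the EXAMPLE table above is evaluated for a client
# address, using the TABLE FORMAT rules, the IPv4 ".octet" truncation and the
# DUNNO action described earlier. Function names and the extra table entries
# are assumptions made for illustration.

```python
# Added illustration: a model of the indexed-file client lookup described on
# this page, not Postfix source code. All function names are hypothetical.

# Constructed sample table: the first two entries are the page's EXAMPLE,
# the remaining ones are made up to exercise DUNNO and continuation lines.
SAMPLE = """\
# clients
1.2.3       REJECT
1.2.3.4     OK
1.2.3.9     DUNNO
10.1        REJECT blocked
    range
"""

def parse_access(text):
    """Build {pattern: action}: skip blank and '#' lines, and join a line that
    starts with whitespace onto the logical line before it."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    table = {}
    for line in logical:
        fields = line.split(None, 1)
        table[fields[0]] = fields[1] if len(fields) > 1 else ""
    return table

def ipv4_keys(addr):
    """Yield addr, then each prefix left after dropping the last '.octet'."""
    key = addr
    while key:
        yield key
        key = key.rpartition(".")[0]

def check_client(table, addr):
    """Return the action that decides for addr, or None when nothing matches."""
    for key in ipv4_keys(addr):
        action = table.get(key)
        if action is None:
            continue
        # DUNNO: pretend the key was not found and stop trying shorter prefixes.
        return None if action.upper() == "DUNNO" else action
    return None

if __name__ == "__main__":
    table = parse_access(SAMPLE)
    for client in ("1.2.3.4", "1.2.3.77", "1.2.3.9", "1.2.30.4", "10.10.5.6"):
        print(client, "->", check_client(table, client))
```

# Because truncation works on the address string, 1.2.30.4 and 10.10.5.6
# never reach the "1.2.3" or "10.1" entries; ranges that do not fall on an
# octet boundary need a \fBcidr\fR table, as NOTE 2 above says.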
# BUGS
# The table format does not understand quoting conventions.
# SEE ALSO
# postmap(1), Postfix lookup table manager
# smtpd(8), SMTP server
# postconf(5), configuration parameters
# transport(5), transport:nexthop syntax
# README FILES
# .ad
# .fi
# Use "\fBpostconf readme_directory\fR" or
# "\fBpostconf html_directory\fR" to locate this information.
# .na
# .nf
# SMTPD_ACCESS_README, built-in SMTP server access control
# DATABASE_README, Postfix lookup table overview
# LICENSE
# .ad
# .fi
# The Secure Mailer license must be distributed with this software.
# AUTHOR(S)
# Wietse Venema
# IBM T.J. Watson Research
# P.O. Box 704
# Yorktown Heights, NY 10598, USA
#--