17
17
<b>postmap -q - /etc/postfix/access</b> <<i>inputfile</i>
20
The optional <a href="access.5.html"><b>access</b>(5)</a> table directs the Postfix SMTP
21
server to selectively reject or accept mail. Access can be
22
allowed or denied for specific host names, domain names,
23
networks, host addresses or mail addresses.
25
For an example, see the EXAMPLE section at the end of this
28
Normally, the <a href="access.5.html"><b>access</b>(5)</a> table is specified as a text file
29
that serves as input to the <a href="postmap.1.html"><b>postmap</b>(1)</a> command. The
30
result, an indexed file in <b>dbm</b> or <b>db</b> format, is used for
31
fast searching by the mail system. Execute the command
32
"<b>postmap /etc/postfix/access</b>" in order to rebuild the
33
indexed file after changing the access table.
35
When the table is provided via other means such as NIS,
36
LDAP or SQL, the same lookups are done as for ordinary
20
This document describes access control on remote SMTP
21
client information: host names, network addresses, and
22
envelope sender or recipient addresses; it is implemented
23
by the Postfix SMTP server. See <b><a href="postconf.5.html#header_checks">header_checks</a></b>(5) or
24
<b><a href="postconf.5.html#body_checks">body_checks</a></b>(5) for access control on the content of email
27
Normally, the <a href="access.5.html"><b>access</b>(5)</a> table is specified as a text file
28
that serves as input to the <a href="postmap.1.html"><b>postmap</b>(1)</a> command. The
29
result, an indexed file in <b>dbm</b> or <b>db</b> format, is used for
30
fast searching by the mail system. Execute the command
31
"<b>postmap /etc/postfix/access</b>" to rebuild an indexed file
32
after changing the corresponding text file.
34
When the table is provided via other means such as NIS,
35
LDAP or SQL, the same lookups are done as for ordinary
39
Alternatively, the table can be provided as a regular-
38
Alternatively, the table can be provided as a regular-
40
39
expression map where patterns are given as regular expres-
41
sions, or lookups can be directed to TCP-based server. In
42
that case, the lookups are done in a slightly different
43
way as described below under "REGULAR EXPRESSION TABLES"
44
and "TCP-BASED TABLES".
40
sions, or lookups can be directed to TCP-based server. In
41
those cases, the lookups are done in a slightly different
42
way as described below under "REGULAR EXPRESSION TABLES"
43
or "TCP-BASED TABLES".
46
45
<b>CASE FOLDING</b>
47
The search string is folded to lowercase before database
48
lookup. As of Postfix 2.3, the search string is not case
49
folded with database types such as <a href="regexp_table.5.html">regexp</a>: or <a href="pcre_table.5.html">pcre</a>: whose
46
The search string is folded to lowercase before database
47
lookup. As of Postfix 2.3, the search string is not case
48
folded with database types such as <a href="regexp_table.5.html">regexp</a>: or <a href="pcre_table.5.html">pcre</a>: whose
50
49
lookup fields can match both upper and lower case.
52
51
<b>TABLE FORMAT</b>
57
56
address, perform the corresponding <i>action</i>.
59
58
blank lines and comments
60
Empty lines and whitespace-only lines are ignored,
61
as are lines whose first non-whitespace character
59
Empty lines and whitespace-only lines are ignored,
60
as are lines whose first non-whitespace character
65
A logical line starts with non-whitespace text. A
66
line that starts with whitespace continues a logi-
64
A logical line starts with non-whitespace text. A
65
line that starts with whitespace continues a logi-
69
68
<b>EMAIL ADDRESS PATTERNS</b>
70
69
With lookups from indexed files such as DB or DBM, or from
71
networked tables such as NIS, LDAP or SQL, patterns are
70
networked tables such as NIS, LDAP or SQL, patterns are
72
71
tried in the order as listed below:
74
73
<i>user</i>@<i>domain</i>
75
74
Matches the specified mail address.
78
Matches <i>domain.tld</i> as the domain part of an email
77
Matches <i>domain.tld</i> as the domain part of an email
81
80
The pattern <i>domain.tld</i> also matches subdomains, but
82
81
only when the string <b>smtpd_access_maps</b> is listed in
83
the Postfix <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a></b> con-
84
figuration setting (note that this is the default
85
for some versions of Postfix). Otherwise, specify
86
<i>.domain.tld</i> (note the initial dot) in order to
82
the Postfix <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a></b> con-
83
figuration setting (note that this is the default
84
for some versions of Postfix). Otherwise, specify
85
<i>.domain.tld</i> (note the initial dot) in order to
89
<i>user</i>@ Matches all mail addresses with the specified user
88
<i>user</i>@ Matches all mail addresses with the specified user
92
Note: lookup of the null sender address is not possible
93
with some types of lookup table. By default, Postfix uses
94
<> as the lookup key for such addresses. The value is
95
specified with the <b><a href="postconf.5.html#smtpd_null_access_lookup_key">smtpd_null_access_lookup_key</a></b> parameter
91
Note: lookup of the null sender address is not possible
92
with some types of lookup table. By default, Postfix uses
93
<> as the lookup key for such addresses. The value is
94
specified with the <b><a href="postconf.5.html#smtpd_null_access_lookup_key">smtpd_null_access_lookup_key</a></b> parameter
96
95
in the Postfix <a href="postconf.5.html"><b>main.cf</b></a> file.
98
97
<b>EMAIL ADDRESS EXTENSION</b>
99
98
When a mail address localpart contains the optional recip-
100
ient delimiter (e.g., <i>user+foo</i>@<i>domain</i>), the lookup order
101
becomes: <i>user+foo</i>@<i>domain</i>, <i>user</i>@<i>domain</i>, <i>domain</i>, <i>user+foo</i>@,
99
ient delimiter (e.g., <i>user+foo</i>@<i>domain</i>), the lookup order
100
becomes: <i>user+foo</i>@<i>domain</i>, <i>user</i>@<i>domain</i>, <i>domain</i>, <i>user+foo</i>@,
102
101
and <i>user</i>@.
104
103
<b>HOST NAME/ADDRESS PATTERNS</b>
105
104
With lookups from indexed files such as DB or DBM, or from
106
networked tables such as NIS, LDAP or SQL, the following
105
networked tables such as NIS, LDAP or SQL, the following
107
106
lookup patterns are examined in the order as listed:
109
108
<i>domain.tld</i>
125
<i>net</i> Matches the specified IPv4 host address or subnet-
126
work. An IPv4 host address is a sequence of four
124
<i>net</i> Matches the specified IPv4 host address or subnet-
125
work. An IPv4 host address is a sequence of four
127
126
decimal octets separated by ".".
129
Subnetworks are matched by repeatedly truncating
128
Subnetworks are matched by repeatedly truncating
130
129
the last ".octet" from the remote IPv4 host address
131
string until a match is found in the access table,
130
string until a match is found in the access table,
132
131
or until further truncation is not possible.
134
NOTE 1: The information in the access map should be
135
in canonical form, with unnecessary null characters
136
eliminated. Address information must not be
137
enclosed with "[]" characters.
133
NOTE 1: The access map lookup key must be in canon-
134
ical form: do not specify unnecessary null charac-
135
ters, and do not enclose network address informa-
136
tion with "[]" characters.
139
NOTE 2: use the <b>cidr</b> lookup table type to specify
138
NOTE 2: use the <b>cidr</b> lookup table type to specify
140
139
network/netmask patterns. See <a href="cidr_table.5.html"><b>cidr_table</b>(5)</a> for
149
<i>net</i> Matches the specified IPv6 host address or subnet-
150
work. An IPv6 host address is a sequence of three
151
to eight hexadecimal octet pairs separated by ":".
148
<i>net</i> Matches the specified IPv6 host address or subnet-
149
work. An IPv6 host address is a sequence of three
150
to eight hexadecimal octet pairs separated by ":".
153
Subnetworks are matched by repeatedly truncating
154
the last ":octetpair" from the remote IPv6 host
152
Subnetworks are matched by repeatedly truncating
153
the last ":octetpair" from the remote IPv6 host
155
154
address string until a match is found in the access
156
155
table, or until further truncation is not possible.
159
158
the string representation of the IPv6 host address.
160
159
Thus, not all the ":" subnetworks will be tried.
162
NOTE 2: The information in the access map should be
163
in canonical form, with unnecessary null characters
164
eliminated. Address information must not be
165
enclosed with "[]" characters.
161
NOTE 2: The access map lookup key must be in canon-
162
ical form: do not specify unnecessary null charac-
163
ters, and do not enclose network address informa-
164
tion with "[]" characters.
167
NOTE 3: use the <b>cidr</b> lookup table type to specify
166
NOTE 3: use the <b>cidr</b> lookup table type to specify
168
167
network/netmask patterns. See <a href="cidr_table.5.html"><b>cidr_table</b>(5)</a> for
176
175
<i>all-numerical</i>
177
176
An all-numerical result is treated as OK. This for-
178
mat is generated by address-based relay authoriza-
177
mat is generated by address-based relay authoriza-
179
178
tion schemes such as pop-before-smtp.
181
180
<b>REJECT ACTIONS</b>
182
Postfix version 2.3 and later support enhanced status
183
codes as defined in <a href="http://www.faqs.org/rfcs/rfc3463.html">RFC 3463</a>. When no code is specified
184
at the beginning of the <i>text</i> below, Postfix inserts a
185
default enhanced status code of "5.7.1" in the case of
186
reject actions, and "4.7.1" in the case of defer actions.
181
Postfix version 2.3 and later support enhanced status
182
codes as defined in <a href="http://www.faqs.org/rfcs/rfc3463.html">RFC 3463</a>. When no code is specified
183
at the beginning of the <i>text</i> below, Postfix inserts a
184
default enhanced status code of "5.7.1" in the case of
185
reject actions, and "4.7.1" in the case of defer actions.
187
186
See "ENHANCED STATUS CODES" below.
189
188
<b>4</b><i>NN text</i>
191
190
<b>5</b><i>NN text</i>
192
Reject the address etc. that matches the pattern,
191
Reject the address etc. that matches the pattern,
193
192
and respond with the numerical three-digit code and
194
text. <b>4</b><i>NN</i> means "try again later", while <b>5</b><i>NN</i> means
193
text. <b>4</b><i>NN</i> means "try again later", while <b>5</b><i>NN</i> means
195
194
"do not try again".
197
The reply code "421" causes Postfix to disconnect
196
The reply code "421" causes Postfix to disconnect
198
197
immediately (Postfix version 2.3 and later).
200
199
<b>REJECT</b> <i>optional text...</i>
201
Reject the address etc. that matches the pattern.
202
Reply with <i>$reject</i><b>_</b><i>code optional text...</i> when the
203
optional text is specified, otherwise reply with a
200
Reject the address etc. that matches the pattern.
201
Reply with <i>$reject</i><b>_</b><i>code optional text...</i> when the
202
optional text is specified, otherwise reply with a
204
203
generic error response message.
206
205
<b>DEFER_IF_REJECT</b> <i>optional text...</i>
207
Defer the request if some later restriction would
208
result in a REJECT action. Reply with "<b>450</b> <i>optional</i>
209
<i>text...</i> when the optional text is specified, other-
210
wise reply with a generic error response message.
206
Defer the request if some later restriction would
207
result in a REJECT action. Reply with "<b>450 4.7.1</b>
208
<i>optional text...</i> when the optional text is speci-
209
fied, otherwise reply with a generic error response
212
212
This feature is available in Postfix 2.1 and later.
214
214
<b>DEFER_IF_PERMIT</b> <i>optional text...</i>
215
215
Defer the request if some later restriction would
216
216
result in a an explicit or implicit PERMIT action.
217
Reply with "<b>450</b> <i>optional text...</i> when the optional
218
text is specified, otherwise reply with a generic
219
error response message.
217
Reply with "<b>450 4.7.1</b> <i>optional text...</i> when the
218
optional text is specified, otherwise reply with a
219
generic error response message.
221
221
This feature is available in Postfix 2.1 and later.
272
272
Note: use "<b>postsuper -r</b>" to release mail that was
273
273
kept on hold for a significant fraction of <b>$<a href="postconf.5.html#maximal_queue_lifetime">maxi</a>-</b>
274
274
<b><a href="postconf.5.html#maximal_queue_lifetime">mal_queue_lifetime</a></b> or <b>$<a href="postconf.5.html#bounce_queue_lifetime">bounce_queue_lifetime</a></b>, or
275
longer. Use "<b>postsuper -H</b>" only for mail that will
276
not expire within a few delivery attempts.
277
Note: this action currently affects all recipients
278
Note: this action currently affects all recipients
280
281
This feature is available in Postfix 2.0 and later.
282
283
<b>PREPEND</b> <i>headername: headervalue</i>
283
Prepend the specified message header to the mes-
284
sage. When this action is used multiple times, the
285
first prepended header appears before the second
286
etc. prepended header.
288
Note: this action does not support multi-line mes-
291
Note: this action must be used before the message
292
content is received; it cannot be used in
293
<b><a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a></b>.
284
Prepend the specified message header to the mes-
285
sage. When more than one PREPEND action executes,
286
the first prepended header appears before the sec-
287
ond etc. prepended header.
289
Note: this action must execute before the message
290
content is received; it cannot execute in the con-
291
text of <b><a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a></b>.
295
293
This feature is available in Postfix 2.1 and later.