4
# access - format of Postfix access table
7
# postmap /etc/postfix/access
9
# postmap -q "string" /etc/postfix/access
11
# postmap -q - /etc/postfix/access <inputfile
14
# The optional access table directs the Postfix SMTP server
15
# to selectively reject or accept mail. Access can be
16
# allowed or denied for specific host names, domain names,
17
# networks, host network addresses or mail addresses.
19
# For an example, see the EXAMPLE section at the end of this
22
# Normally, the access table is specified as a text file
23
# that serves as input to the postmap(1) command. The
24
# result, an indexed file in dbm or db format, is used for
25
# fast searching by the mail system. Execute the command
26
# postmap /etc/postfix/access in order to rebuild the
27
# indexed file after changing the access table.
29
# When the table is provided via other means such as NIS,
30
# LDAP or SQL, the same lookups are done as for ordinary
33
# Alternatively, the table can be provided as a regular-
34
# expression map where patterns are given as regular expres-
35
# sions, or lookups can be directed to TCP-based server. In
36
# that case, the lookups are done in a slightly different
37
# way as described below under "REGULAR EXPRESSION TABLES"
38
# and "TCP-BASED TABLES".
41
# The input format for the postmap(1) command is as follows:
44
# When pattern matches a mail address, domain or host
45
# address, perform the corresponding action.
47
# blank lines and comments
48
# Empty lines and whitespace-only lines are ignored,
49
# as are lines whose first non-whitespace character
53
# A logical line starts with non-whitespace text. A
54
# line that starts with whitespace continues a logi-
57
# EMAIL ADDRESS PATTERNS
58
# With lookups from indexed files such as DB or DBM, or from
59
# networked tables such as NIS, LDAP or SQL, patterns are
60
# tried in the order as listed below:
63
# Matches the specified mail address.
66
# Matches domain.tld as the domain part of an email
69
# The pattern domain.tld also matches subdomains, but
70
# only when the string smtpd_access_maps is listed in
71
# the Postfix parent_domain_matches_subdomains con-
72
# figuration setting (note that this is the default
73
# for some versions of Postfix). Otherwise, specify
74
# .domain.tld (note the initial dot) in order to
77
# user@ Matches all mail addresses with the specified user
80
# Note: lookup of the null sender address is not possible
81
# with some types of lookup table. By default, Postfix uses
82
# <> as the lookup key for such addresses. The value is
83
# specified with the smtpd_null_access_lookup_key parameter
84
# in the Postfix main.cf file.
86
# EMAIL ADDRESS EXTENSION
87
# When a mail address localpart contains the optional recip-
88
# ient delimiter (e.g., user+foo@domain), the lookup order
89
# becomes: user+foo@domain, user@domain, domain, user+foo@,
92
# HOST NAME/ADDRESS PATTERNS
93
# With lookups from indexed files such as DB or DBM, or from
94
# networked tables such as NIS, LDAP or SQL, the following
95
# lookup patterns are examined in the order as listed:
100
# The pattern domain.tld also matches subdomains, but
101
# only when the string smtpd_access_maps is listed in
102
# the Postfix parent_domain_matches_subdomains con-
103
# figuration setting. Otherwise, specify .domain.tld
104
# (note the initial dot) in order to match subdo-
113
# net Matches any host address in the specified network.
114
# A network address is a sequence of one or more
115
# octets separated by ".".
117
# NOTE: use the cidr lookup table type to specify
118
# network/netmask patterns. See cidr_table(5) for
122
# OK Accept the address etc. that matches the pattern.
125
# An all-numerical result is treated as OK. This for-
126
# mat is generated by address-based relay authoriza-
133
# Reject the address etc. that matches the pattern,
134
# and respond with the numerical three-digit code and
135
# text. 4NN means "try again later", while 5NN means
136
# "do not try again".
138
# REJECT optional text...
139
# Reject the address etc. that matches the pattern.
140
# Reply with $reject_code optional text... when the
141
# optional text is specified, otherwise reply with a
142
# generic error response message.
144
# DEFER_IF_REJECT optional text...
145
# Defer the request if some later restriction would
146
# result in a REJECT action. Reply with "450 optional
147
# text... when the optional text is specified, other-
148
# wise reply with a generic error response message.
150
# This feature is available in Postfix 2.1 and later.
152
# DEFER_IF_PERMIT optional text...
153
# Defer the request if some later restriction would
154
# result in a an explicit or implicit PERMIT action.
155
# Reply with "450 optional text... when the optional
156
# text is specified, otherwise reply with a generic
157
# error response message.
159
# This feature is available in Postfix 2.1 and later.
163
# Apply the named UCE restriction(s) (permit, reject,
164
# reject_unauth_destination, and so on).
166
# DISCARD optional text...
167
# Claim successful delivery and silently discard the
168
# message. Log the optional text if specified, oth-
169
# erwise log a generic message.
171
# Note: this action currently affects all recipients
174
# This feature is available in Postfix 2.0 and later.
176
# DUNNO Pretend that the lookup key was not found. This
177
# prevents Postfix from trying substrings of the
178
# lookup key (such as a subdomain name, or a network
179
# address subnetwork).
181
# This feature is available in Postfix 2.0 and later.
183
# FILTER transport:destination
184
# After the message is queued, send the entire mes-
185
# sage through the specified external content filter.
186
# The transport:destination syntax is described in
187
# the transport(5) manual page. More information
188
# about external content filters is in the Postfix
189
# FILTER_README file.
191
# Note: this action overrides the main.cf con-
192
# tent_filter setting, and currently affects all
193
# recipients of the message.
195
# This feature is available in Postfix 2.0 and later.
197
# HOLD optional text...
198
# Place the message on the hold queue, where it will
199
# sit until someone either deletes it or releases it
200
# for delivery. Log the optional text if specified,
201
# otherwise log a generic message.
203
# Mail that is placed on hold can be examined with
204
# the postcat(1) command, and can be destroyed or
205
# released with the postsuper(1) command.
207
# Note: this action currently affects all recipients
210
# This feature is available in Postfix 2.0 and later.
212
# PREPEND headername: headervalue
213
# Prepend the specified message header to the mes-
214
# sage. When this action is used multiple times, the
215
# first prepended header appears before the second
216
# etc. prepended header.
218
# Note: this action does not support multi-line mes-
221
# This feature is available in Postfix 2.1 and later.
223
# REDIRECT user@domain
224
# After the message is queued, send the message to
225
# the specified address instead of the intended
228
# Note: this action overrides the FILTER action, and
229
# currently affects all recipients of the message.
231
# This feature is available in Postfix 2.1 and later.
233
# WARN optional text...
234
# Log a warning with the optional text, together with
235
# client information and if available, with helo,
236
# sender, recipient and protocol information.
238
# This feature is available in Postfix 2.1 and later.
240
# REGULAR EXPRESSION TABLES
241
# This section describes how the table lookups change when
242
# the table is given in the form of regular expressions. For
243
# a description of regular expression lookup table syntax,
244
# see regexp_table(5) or pcre_table(5).
246
# Each pattern is a regular expression that is applied to
247
# the entire string being looked up. Depending on the appli-
248
# cation, that string is an entire client hostname, an
249
# entire client IP address, or an entire mail address. Thus,
250
# no parent domain or parent network search is done,
251
# user@domain mail addresses are not broken up into their
252
# user@ and domain constituent parts, nor is user+foo broken
253
# up into user and foo.
255
# Patterns are applied in the order as specified in the
256
# table, until a pattern is found that matches the search
259
# Actions are the same as with indexed file lookups, with
260
# the additional feature that parenthesized substrings from
261
# the pattern can be interpolated as $1, $2 and so on.
264
# This section describes how the table lookups change when
265
# lookups are directed to a TCP-based server. For a descrip-
266
# tion of the TCP client/server lookup protocol, see
267
# tcp_table(5). This feature is not available in Postfix
270
# Each lookup operation uses the entire query string once.
271
# Depending on the application, that string is an entire
272
# client hostname, an entire client IP address, or an entire
273
# mail address. Thus, no parent domain or parent network
274
# search is done, user@domain mail addresses are not broken
275
# up into their user@ and domain constituent parts, nor is
276
# user+foo broken up into user and foo.
278
# Actions are the same as with indexed file lookups.
281
# The following example uses an indexed file, so that the
282
# order of table entries does not matter. The example per-
283
# mits access by the client at address 1.2.3.4 but rejects
284
# all other clients in 1.2.3.0/24. Instead of "hash" lookup
285
# tables, some systems use "dbm". Use the command "postconf
286
# -m" to find out what lookup tables Postfix supports on
289
# /etc/postfix/main.cf:
290
# smtpd_client_restrictions =
291
# check_client_access hash:/etc/postfix/access
293
# /etc/postfix/access:
297
# Execute the command "postmap /etc/postfix/access" after
301
# The table format does not understand quoting conventions.
304
# postmap(1), Postfix lookup table manager
305
# smtpd(8), SMTP server
306
# postconf(5), configuration parameters
307
# transport(5), transport:nexthop syntax
310
# Use "postconf readme_directory" or "postconf html_direc-
311
# tory" to locate this information.
312
# SMTPD_ACCESS_README, built-in SMTP server access control
313
# DATABASE_README, Postfix lookup table overview
316
# The Secure Mailer license must be distributed with this
321
# IBM T.J. Watson Research
323
# Yorktown Heights, NY 10598, USA