NAME

access - Postfix SMTP server access table

SYNOPSIS


ppoossttmmaapp //eettcc//ppoossttffiixx//aacccceessss

ppoossttmmaapp --qq ""_s_t_r_i_n_g"" //eettcc//ppoossttffiixx//aacccceessss

ppoossttmmaapp --qq -- //eettcc//ppoossttffiixx//aacccceessss <<_i_n_p_u_t_f_i_l_e

DESCRIPTION

This document describes access control on remote SMTP client information: host names, network addresses, and envelope sender or recipient addresses; it is implemented by the Postfix SMTP server. See hheeaaddeerr__cchheecckkss(5) or bbooddyy__cchheecckkss(5) for access control on the content of email messages.

Normally, the aacccceessss(5) table is specified as a text file that serves as input to the ppoossttmmaapp(1) command. The result, an indexed file in ddbbmm or ddbb format, is used for fast searching by the mail system. Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//aacccceessss" to rebuild an indexed file after changing the corresponding text file.

When the table is provided via other means such as NIS, LDAP or SQL, the same lookups are done as for ordinary indexed files.

Alternatively, the table can be provided as a regular-expression map where patterns are given as regular expressions, or lookups can be directed to TCP-based server. In those cases, the lookups are done in a slightly different way as described below under "REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".

CASE FOLDING



The search string is folded to lowercase before database
lookup. As of Postfix 2.3, the search string is not case
folded with database types such as regexp: or pcre: whose
lookup fields can match both upper and lower case.

TABLE FORMAT



The input format for the ppoossttmmaapp(1) command is as follows:
_p_a_t_t_e_r_n _a_c_t_i_o_n When _p_a_t_t_e_r_n matches a mail address, domain or host address,
perform the corresponding _a_c_t_i_o_n.
blank lines and comments Empty lines and whitespace-only lines are ignored, as
are lines whose first non-whitespace character is a `#'.
multi-line text A logical line starts with non-whitespace text. A line that
starts with whitespace continues a logical line.

EMAIL ADDRESS PATTERNS



With lookups from indexed files such as DB or DBM, or from networked
tables such as NIS, LDAP or SQL, patterns are tried in the order as
listed below:
_u_s_e_r@_d_o_m_a_i_n Matches the specified mail address.
_d_o_m_a_i_n_._t_l_d Matches _d_o_m_a_i_n_._t_l_d as the domain part of an email address.


The pattern _d_o_m_a_i_n_._t_l_d also matches subdomains, but only when the string ssmmttppdd__aacccceessss__mmaappss is listed in the Postfix ppaarreenntt__ddoommaaiinn__mmaattcchheess__ssuubbddoommaaiinnss configuration setting (note that this is the default for some versions of Postfix). Otherwise, specify _._d_o_m_a_i_n_._t_l_d (note the initial dot) in order to match subdomains.
_u_s_e_r@ Matches all mail addresses with the specified user part.

Note: lookup of the null sender address is not possible with some types of lookup table. By default, Postfix uses <<>> as the lookup key for such addresses. The value is specified with the ssmmttppdd__nnuullll__aacccceessss__llooookkuupp__kkeeyy parameter in the Postfix mmaaiinn..ccff file.

EMAIL ADDRESS EXTENSION



When a mail address localpart contains the optional recipient delimiter
(e.g., _u_s_e_r_+_f_o_o@_d_o_m_a_i_n), the lookup order becomes:
_u_s_e_r_+_f_o_o@_d_o_m_a_i_n, _u_s_e_r@_d_o_m_a_i_n, _d_o_m_a_i_n,
_u_s_e_r_+_f_o_o@, and _u_s_e_r@.

HOST NAME/ADDRESS PATTERNS



With lookups from indexed files such as DB or DBM, or from networked
tables such as NIS, LDAP or SQL, the following lookup patterns are
examined in the order as listed:
_d_o_m_a_i_n_._t_l_d Matches _d_o_m_a_i_n_._t_l_d.


The pattern _d_o_m_a_i_n_._t_l_d also matches subdomains, but only when the string ssmmttppdd__aacccceessss__mmaappss is listed in the Postfix ppaarreenntt__ddoommaaiinn__mmaattcchheess__ssuubbddoommaaiinnss configuration setting. Otherwise, specify _._d_o_m_a_i_n_._t_l_d (note the initial dot) in order to match subdomains.
_n_e_t_._w_o_r_k_._a_d_d_r_._e_s_s
_n_e_t_._w_o_r_k_._a_d_d_r
_n_e_t_._w_o_r_k
_n_e_t Matches the specified IPv4 host address or subnetwork. An
IPv4 host address is a sequence of four decimal octets separated by ".".

Subnetworks are matched by repeatedly truncating the last ".octet" from the remote IPv4 host address string until a match is found in the access table, or until further truncation is not possible.

NOTE 1: The access map lookup key must be in canonical form: do not specify unnecessary null characters, and do not enclose network address information with "[]" characters.

NOTE 2: use the cciiddrr lookup table type to specify network/netmask patterns. See cciiddrr__ttaabbllee(5) for details.

_n_e_t_:_w_o_r_k_:_a_d_d_r_:_e_s_s
_n_e_t_:_w_o_r_k_:_a_d_d_r
_n_e_t_:_w_o_r_k
_n_e_t Matches the specified IPv6 host address or subnetwork. An
IPv6 host address is a sequence of three to eight hexadecimal octet pairs separated by ":".

Subnetworks are matched by repeatedly truncating the last ":octetpair" from the remote IPv6 host address string until a match is found in the access table, or until further truncation is not possible.

NOTE 1: the truncation and comparison are done with the string representation of the IPv6 host address. Thus, not all the ":" subnetworks will be tried.

NOTE 2: The access map lookup key must be in canonical form: do not specify unnecessary null characters, and do not enclose network address information with "[]" characters.

NOTE 3: use the cciiddrr lookup table type to specify network/netmask patterns. See cciiddrr__ttaabbllee(5) for details.

IPv6 support is available in Postfix 2.2 and later.

ACCEPT ACTIONS



OOKK Accept the address etc. that matches the pattern.
_a_l_l_-_n_u_m_e_r_i_c_a_l An all-numerical result is treated as OK. This format is
generated by address-based relay authorization schemes such as pop-before-smtp.

REJECT ACTIONS



Postfix version 2.3 and later support enhanced status codes
as defined in RFC 3463.
When no code is specified at the beginning of the _t_e_x_t
below, Postfix inserts a default enhanced status code of "5.7.1"
in the case of reject actions, and "4.7.1" in the case of
defer actions. See "ENHANCED STATUS CODES" below.
44_N_N _t_e_x_t
55_N_N _t_e_x_t Reject the address etc. that matches the pattern, and respond with
the numerical three-digit code and text. 44_N_N means "try again later", while 55_N_N means "do not try again".

The following responses have special meaning for the Postfix SMTP server:

442211 _t_e_x_t (Postfix 2.3 and later)
552211 _t_e_x_t (Postfix 2.6 and later) After responding with the numerical three-digit code and
text, disconnect immediately from the SMTP client. This frees up SMTP server resources so that they can be made available to another SMTP client.
Note: The "521" response should be used only with botnets
and other malware where interoperability is of no concern. The "send 521 and disconnect" behavior is NOT defined in the SMTP standard.
RREEJJEECCTT _o_p_t_i_o_n_a_l _t_e_x_t_._._. Reject the address etc. that matches the pattern. Reply with
"$$aacccceessss__mmaapp__rreejjeecctt__ccooddee _o_p_t_i_o_n_a_l _t_e_x_t_._._." when the optional text is specified, otherwise reply with a generic error response message.
DDEEFFEERR _o_p_t_i_o_n_a_l _t_e_x_t_._._. Reject the address etc. that matches the pattern. Reply with
"$$aacccceessss__mmaapp__ddeeffeerr__ccooddee _o_p_t_i_o_n_a_l _t_e_x_t_._._." when the optional text is specified, otherwise reply with a generic error response message.

This feature is available in Postfix 2.6 and later.
DDEEFFEERR__IIFF__RREEJJEECCTT _o_p_t_i_o_n_a_l _t_e_x_t_._._. Defer the request if some later restriction would result in a
REJECT action. Reply with "$$aacccceessss__mmaapp__ddeeffeerr__ccooddee 44..77..11 _o_p_t_i_o_n_a_l _t_e_x_t_._._." when the optional text is specified, otherwise reply with a generic error response message.

Prior to Postfix 2.6, the SMTP reply code is 450.

This feature is available in Postfix 2.1 and later.
DDEEFFEERR__IIFF__PPEERRMMIITT _o_p_t_i_o_n_a_l _t_e_x_t_._._. Defer the request if some later restriction would result in a
an explicit or implicit PERMIT action. Reply with "$$aacccceessss__mmaapp__ddeeffeerr__ccooddee 44..77..11 _o_p_t_i_o_n_a_l _t_e_x_t_._._." when the optional text is specified, otherwise reply with a generic error response message.

Prior to Postfix 2.6, the SMTP reply code is 450.

This feature is available in Postfix 2.1 and later.

OTHER ACTIONS



_r_e_s_t_r_i_c_t_i_o_n_._._. Apply the named UCE restriction(s) (ppeerrmmiitt, rreejjeecctt,
rreejjeecctt__uunnaauutthh__ddeessttiinnaattiioonn, and so on).
BBCCCC _u_s_e_r_@_d_o_m_a_i_n Send one copy of the message to the specified recipient.


If multiple BCC actions are specified within the same SMTP MAIL transaction, only the last action will be used.

This feature is not part of the stable Postfix release.
DDIISSCCAARRDD _o_p_t_i_o_n_a_l _t_e_x_t_._._. Claim successful delivery and silently discard the message.
Log the optional text if specified, otherwise log a generic message.

Note: this action currently affects all recipients of the message. To discard only one recipient without discarding the entire message, use the transport(5) table to direct mail to the discard(8) service.

This feature is available in Postfix 2.0 and later.
DDUUNNNNOO Pretend that the lookup key was not found. This
prevents Postfix from trying substrings of the lookup key (such as a subdomain name, or a network address subnetwork).

This feature is available in Postfix 2.0 and later.
FFIILLTTEERR _t_r_a_n_s_p_o_r_t_:_d_e_s_t_i_n_a_t_i_o_n After the message is queued, send the entire message through
the specified external content filter. The _t_r_a_n_s_p_o_r_t name specifies the first field of a mail delivery agent definition in master.cf; the syntax of the next-hop _d_e_s_t_i_n_a_t_i_o_n is described in the manual page of the corresponding delivery agent. More information about external content filters is in the Postfix FILTER_README file.

Note 1: do not use $_n_u_m_b_e_r regular expression substitutions for _t_r_a_n_s_p_o_r_t or _d_e_s_t_i_n_a_t_i_o_n unless you know that the information has a trusted origin.

Note 2: this action overrides the main.cf ccoonntteenntt__ffiilltteerr setting, and affects all recipients of the message. In the case that multiple FFIILLTTEERR actions fire, only the last one is executed.

Note 3: the purpose of the FILTER command is to override message routing. To override the recipient's _t_r_a_n_s_p_o_r_t but not the next-hop _d_e_s_t_i_n_a_t_i_o_n, specify an empty filter _d_e_s_t_i_n_a_t_i_o_n (Postfix 2.7 and later), or specify a _t_r_a_n_s_p_o_r_t_:_d_e_s_t_i_n_a_t_i_o_n that delivers through a different Postfix instance (Postfix 2.6 and earlier). Other options are using the recipient-dependent ttrraannssppoorrtt__mmaappss or the sender-dependent sseennddeerr__ddeeppeennddeenntt__ddeeffaauulltt__ttrraannssppoorrtt__mmaappss features.

This feature is available in Postfix 2.0 and later.
HHOOLLDD _o_p_t_i_o_n_a_l _t_e_x_t_._._. Place the message on the hhoolldd queue, where it will
sit until someone either deletes it or releases it for delivery. Log the optional text if specified, otherwise log a generic message.

Mail that is placed on hold can be examined with the ppoossttccaatt(1) command, and can be destroyed or released with the ppoossttssuuppeerr(1) command.

Note: use "ppoossttssuuppeerr --rr" to release mail that was kept on hold for a significant fraction of $$mmaaxxiimmaall__qquueeuuee__lliiffeettiimmee or $$bboouunnccee__qquueeuuee__lliiffeettiimmee, or longer. Use "ppoossttssuuppeerr --HH" only for mail that will not expire within a few delivery attempts.

Note: this action currently affects all recipients of the message.

This feature is available in Postfix 2.0 and later.

PPRREEPPEENNDD _h_e_a_d_e_r_n_a_m_e_: _h_e_a_d_e_r_v_a_l_u_e Prepend the specified message header to the message.
When more than one PREPEND action executes, the first prepended header appears before the second etc. prepended header.

Note: this action must execute before the message content is received; it cannot execute in the context of ssmmttppdd__eenndd__ooff__ddaattaa__rreessttrriiccttiioonnss.

This feature is available in Postfix 2.1 and later.
RREEDDIIRREECCTT _u_s_e_r_@_d_o_m_a_i_n After the message is queued, send the message to the specified
address instead of the intended recipient(s).

Note: this action overrides the FILTER action, and currently affects all recipients of the message.

This feature is available in Postfix 2.1 and later.
WWAARRNN _o_p_t_i_o_n_a_l _t_e_x_t_._._. Log a warning with the optional text, together with client information
and if available, with helo, sender, recipient and protocol information.

This feature is available in Postfix 2.1 and later.

ENHANCED STATUS CODES



Postfix version 2.3 and later support enhanced status codes
as defined in RFC 3463.
When an enhanced status code is specified in an access
table, it is subject to modification. The following
transformations are needed when the same access table is
used for client, helo, sender, or recipient access restrictions;
they happen regardless of whether Postfix replies to a MAIL
FROM, RCPT TO or other SMTP command.
· When a sender address matches a REJECT action, the Postfix
SMTP server will transform a recipient DSN status (e.g., 4.1.1-4.1.6) into the corresponding sender DSN status, and vice versa.
· When non-address information matches a REJECT action (such
as the HELO command argument or the client hostname/address), the Postfix SMTP server will transform a sender or recipient DSN status into a generic non-address DSN status (e.g., 4.0.0).

REGULAR EXPRESSION TABLES



This section describes how the table lookups change when the table
is given in the form of regular expressions. For a description of
regular expression lookup table syntax, see rreeggeexxpp__ttaabbllee(5)
or ppccrree__ttaabbllee(5).
        

Each pattern is a regular expression that is applied to the entire string being looked up. Depending on the application, that string is an entire client hostname, an entire client IP address, or an entire mail address. Thus, no parent domain or parent network search is done, _u_s_e_r_@_d_o_m_a_i_n mail addresses are not broken up into their _u_s_e_r_@ and _d_o_m_a_i_n constituent parts, nor is _u_s_e_r_+_f_o_o broken up into _u_s_e_r and _f_o_o.

Patterns are applied in the order as specified in the table, until a pattern is found that matches the search string.

Actions are the same as with indexed file lookups, with the additional feature that parenthesized substrings from the pattern can be interpolated as $$11, $$22 and so on.

TCP-BASED TABLES



This section describes how the table lookups change when lookups
are directed to a TCP-based server. For a description of the TCP
client/server lookup protocol, see ttccpp__ttaabbllee(5).
This feature is not available up to and including Postfix version 2.4.
        

Each lookup operation uses the entire query string once. Depending on the application, that string is an entire client hostname, an entire client IP address, or an entire mail address. Thus, no parent domain or parent network search is done, _u_s_e_r_@_d_o_m_a_i_n mail addresses are not broken up into their _u_s_e_r_@ and _d_o_m_a_i_n constituent parts, nor is _u_s_e_r_+_f_o_o broken up into _u_s_e_r and _f_o_o.

Actions are the same as with indexed file lookups.

EXAMPLE



The following example uses an indexed file, so that the
order of table entries does not matter. The example permits
access by the client at address 1.2.3.4 but rejects all
other clients in 1.2.3.0/24. Instead of hhaasshh lookup
tables, some systems use ddbbmm.  Use the command
"ppoossttccoonnff --mm" to find out what lookup tables Postfix
supports on your system.
        


/etc/postfix/main.cf:
    smtpd_client_restrictions =
        check_client_access hash:/etc/postfix/access

/etc/postfix/access: 1.2.3 REJECT 1.2.3.4 OK

Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//aacccceessss" after editing the file.

BUGS

The table format does not understand quoting conventions.

SEE ALSO


postmap(1), Postfix lookup table manager
smtpd(8), SMTP server
postconf(5), configuration parameters
transport(5), transport:nexthop syntax

README FILES



Use "ppoossttccoonnff rreeaaddmmee__ddiirreeccttoorryy" or
"ppoossttccoonnff hhttmmll__ddiirreeccttoorryy" to locate this information.

SMTPD_ACCESS_README, built-in SMTP server access control
DATABASE_README, Postfix lookup table overview

LICENSE



The Secure Mailer license must be distributed with this software.

AUTHOR(S)


Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA