NAME
header_checks
-
Postfix built-in content inspection
SYNOPSIS
hheeaaddeerr__cchheecckkss == ppccrree:://eettcc//ppoossttffiixx//hheeaaddeerr__cchheecckkss
mmiimmee__hheeaaddeerr__cchheecckkss == ppccrree:://eettcc//ppoossttffiixx//mmiimmee__hheeaaddeerr__cchheecckkss
nneesstteedd__hheeaaddeerr__cchheecckkss == ppccrree:://eettcc//ppoossttffiixx//nneesstteedd__hheeaaddeerr__cchheecckkss
bbooddyy__cchheecckkss == ppccrree:://eettcc//ppoossttffiixx//bbooddyy__cchheecckkss
ppoossttmmaapp --qq ""_s_t_r_i_n_g"" ppccrree:://eettcc//ppoossttffiixx//_f_i_l_e_n_a_m_e
ppoossttmmaapp --qq -- ppccrree:://eettcc//ppoossttffiixx//_f_i_l_e_n_a_m_e <_i_n_p_u_t_f_i_l_e
DESCRIPTION
This document describes access control on the content of
message headers and message body lines; it is implemented
by the Postfix cclleeaannuupp(8) server before mail is queued.
See aacccceessss(5) for access control on remote SMTP client
information.
Each message header or message body line is compared against
a list of patterns.
When a match is found the corresponding action is executed, and
the matching process is repeated for the next message header or
message body line.
For examples, see the EXAMPLES section at the end of this
manual page.
Postfix header or body_checks are designed to stop a flood of mail
from worms or viruses; they do not decode attachments, and they do
not unzip archives. See the documents referenced below in the README
FILES section if you need more sophisticated content analysis.
Postfix supports four built-in content inspection classes:
-
hheeaaddeerr__cchheecckkss
These are applied to initial message headers (except for
-
the headers that are processed with mmiimmee__hheeaaddeerr__cchheecckkss).
-
mmiimmee__hheeaaddeerr__cchheecckkss (default: $$hheeaaddeerr__cchheecckkss)
These are applied to MIME related message headers only.
-
This feature is available in Postfix 2.0 and later.
-
nneesstteedd__hheeaaddeerr__cchheecckkss (default: $$hheeaaddeerr__cchheecckkss)
These are applied to message headers of attached email
-
messages (except for the headers that are processed with
mmiimmee__hheeaaddeerr__cchheecckkss).
This feature is available in Postfix 2.0 and later.
-
bbooddyy__cchheecckkss
These are applied to all other content, including multi-part
-
message boundaries.
With Postfix versions before 2.0, all content after the initial
message headers is treated as body content.
Note: message headers are examined one logical header at a time,
even when a message header spans multiple lines. Body lines are
always examined one line at a time.
COMPATIBILITY
With Postfix version 2.2 and earlier specify "ppoossttmmaapp
--ffqq" to query a table that contains case sensitive
patterns. By default, regexp: and pcre: patterns are case
insensitive.
This document assumes that header and body_checks rules are specified
in the form of Postfix regular expression lookup tables. Usually the
best performance is obtained with ppccrree (Perl Compatible Regular
Expression) tables, but the slower rreeggeexxpp (POSIX regular
expressions) support is more widely available.
Use the command "ppoossttccoonnff --mm" to find out what lookup table
types your Postfix system supports.
The general format of Postfix regular expression tables is
given below.
For a discussion of specific pattern or flags syntax,
see ppccrree__ttaabbllee(5) or rreeggeexxpp__ttaabbllee(5), respectively.
-
//_p_a_t_t_e_r_n//_f_l_a_g_s _a_c_t_i_o_n
When /_p_a_t_t_e_r_n/ matches the input string, execute
-
the corresponding _a_c_t_i_o_n. See below for a list
of possible actions.
-
!!//_p_a_t_t_e_r_n//_f_l_a_g_s _a_c_t_i_o_n
When /_p_a_t_t_e_r_n/ does nnoott match the input string,
-
execute the corresponding _a_c_t_i_o_n.
-
iiff //_p_a_t_t_e_r_n//_f_l_a_g_s
-
-
eennddiiff
Match the input string against the patterns between iiff
-
and eennddiiff, if and only if the same input string also
matches /_p_a_t_t_e_r_n/. The iiff..eennddiiff can nest.
Note: do not prepend whitespace to patterns inside
iiff..eennddiiff.
-
iiff !!//_p_a_t_t_e_r_n//_f_l_a_g_s
-
-
eennddiiff
Match the input string against the patterns between iiff
-
and eennddiiff, if and only if the same input string does
nnoott match /_p_a_t_t_e_r_n/. The iiff..eennddiiff
can nest.
-
blank lines and comments
Empty lines and whitespace-only lines are ignored, as
-
are lines whose first non-whitespace character is a `#'.
-
multi-line text
A pattern/action line starts with non-whitespace text. A line that
-
starts with whitespace continues a logical line.
TABLE SEARCH ORDER
For each line of message input, the patterns are applied in the
order as specified in the table. When a pattern is found that matches
the input line, the corresponding action is executed and then the
next input line is inspected.
TEXT SUBSTITUTION
Substitution of substrings from the matched expression into the
_a_c_t_i_o_n
string is possible using the conventional Perl syntax
($$11, $$22, etc.).
The macros in the result string may need to be written as $${{nn}}
or $$((nn)) if they aren't followed by whitespace.
Note: since negated patterns (those preceded by !!) return a
result when the expression does not match, substitutions are not
available for negated patterns.
ACTIONS
Action names are case insensitive. They are shown in upper case
for consistency with other Postfix documentation.
-
DDIISSCCAARRDD _o_p_t_i_o_n_a_l _t_e_x_t_._._.
Claim successful delivery and silently discard the message.
-
Log the optional text if specified, otherwise log a generic
message.
Note: this action disables further header or body_checks inspection
of the current message and affects all recipients.
To discard only one recipient without discarding the entire message,
use the transport(5) table to direct mail to the discard(8) service.
This feature is available in Postfix 2.0 and later.
-
DDUUNNNNOO
Pretend that the input line did not match any pattern, and inspect the
-
next input line. This action can be used to shorten the table search.
For backwards compatibility reasons, Postfix also accepts
OOKK but it is (and always has been) treated as DDUUNNNNOO.
This feature is available in Postfix 2.1 and later.
-
FFIILLTTEERR _t_r_a_n_s_p_o_r_t_:_d_e_s_t_i_n_a_t_i_o_n
Write a content filter request to the queue file, and
-
inspect the next input line.
After the complete message is received it will be sent through
the specified external content filter. More information about
external content filters is in the Postfix FILTER_README file.
Note: this action overrides the ccoonntteenntt__ffiilltteerr setting,
and affects all recipients of the message. In the case that multiple
FFIILLTTEERR actions fire, only the last one is executed.
This feature is available in Postfix 2.0 and later.
-
HHOOLLDD _o_p_t_i_o_n_a_l _t_e_x_t_._._.
Arrange for the message to be placed on the hhoolldd queue,
-
and inspect the next input line. The message remains on hhoolldd
until someone either deletes it or releases it for delivery.
Log the optional text if specified, otherwise log a generic
message.
Mail that is placed on hold can be examined with the
ppoossttccaatt(1) command, and can be destroyed or released with
the ppoossttssuuppeerr(1) command.
Note: use "ppoossttssuuppeerr --rr" to release mail that was kept on
hold for a significant fraction of $$mmaaxxiimmaall__qquueeuuee__lliiffeettiimmee
or $$bboouunnccee__qquueeuuee__lliiffeettiimmee, or longer. Use "ppoossttssuuppeerr --HH"
only for mail that will not expire within a few delivery attempts.
Note: this action affects all recipients of the message.
This feature is available in Postfix 2.0 and later.
-
IIGGNNOORREE
Delete the current line from the input, and inspect
-
the next input line.
-
PPRREEPPEENNDD _t_e_x_t_._._.
Prepend one line with the specified text, and inspect the next
-
input line.
Notes:
-
·
The prepended text is output on a separate line, immediately
-
before the input that triggered the PPRREEPPEENNDD action.
-
·
The prepended text is not considered part of the input
-
stream: it is not subject to header/body checks or address
rewriting, and it does not affect the way that Postfix adds
missing message headers.
-
·
When prepending text before a message header line, the prepended
-
text must begin with a valid message header label.
-
·
This action cannot be used to prepend multi-line text.
-
-
This feature is available in Postfix 2.1 and later.
-
-
RREEDDIIRREECCTT _u_s_e_r_@_d_o_m_a_i_n
Write a message redirection request to the queue file, and
-
inspect the next input line. After the message is queued,
it will be sent to the specified address instead of the
intended recipient(s).
Note: this action overrides the FFIILLTTEERR action, and affects
all recipients of the message. If multiple RREEDDIIRREECCTT actions
fire, only the last one is executed.
This feature is available in Postfix 2.1 and later.
-
RREEPPLLAACCEE _t_e_x_t_._._.
Replace the current line with the specified text, and inspect the next
-
input line.
This feature is available in Postfix 2.2 and later. The
description below applies to Postfix 2.2.2 and later.
Notes:
-
·
When replacing a message header line, the replacement text
-
must begin with a valid header label.
-
·
The replaced text remains part of the input stream. Unlike
-
the result from the PPRREEPPEENNDD action, a replaced message
header may be subject to address rewriting and may affect
the way that Postfix adds missing message headers.
-
RREEJJEECCTT _o_p_t_i_o_n_a_l _t_e_x_t_._._.
Reject the entire message. Reply with _o_p_t_i_o_n_a_l _t_e_x_t_._._. when
-
the optional text is specified, otherwise reply with a generic error
message.
Note: this action disables further header or body_checks inspection
of the current message and affects all recipients.
Postfix version 2.3 and later support enhanced status codes.
When no code is specified at the beginning of _o_p_t_i_o_n_a_l
_t_e_x_t_._._., Postfix inserts a default enhanced status code of
"5.7.1".
-
WWAARRNN _o_p_t_i_o_n_a_l _t_e_x_t_._._.
Log a warning with the _o_p_t_i_o_n_a_l _t_e_x_t_._._. (or log a
-
generic message), and inspect the next input line. This
action is useful for debugging and for testing a pattern
before applying more drastic actions.
BUGS
Empty lines never match, because some map types mis-behave
when given a zero-length search string. This limitation may
be removed for regular expression tables in a future release.
Many people overlook the main limitations of header and body_checks
rules.
-
·
These rules operate on one logical message header or one body
-
line at a time. A decision made for one line is not carried over
to the next line.
-
·
If text in the message body is encoded
-
(RFC 2045) then the rules need to be specified for the encoded
form.
-
·
Likewise, when message headers are encoded (RFC
-
2047) then the rules need to be specified for the encoded
form.
Message headers added by the cclleeaannuupp(8) daemon itself
are excluded from inspection. Examples of such message headers
are FFrroomm::, TToo::, MMeessssaaggee--IIDD::, DDaattee::.
Message headers deleted by the cclleeaannuupp(8) daemon will
be examined before they are deleted. Examples are: BBcccc::,,
CCoonntteenntt--LLeennggtthh::, RReettuurrnn--PPaatthh::.
CONFIGURATION PARAMETERS
-
bbooddyy__cchheecckkss
Lookup tables with content filter rules for message body lines.
-
These filters see one physical line at a time, in chunks of
at most $$lliinnee__lleennggtthh__lliimmiitt bytes.
-
bbooddyy__cchheecckkss__ssiizzee__lliimmiitt
The amount of content per message body segment (attachment) that is
-
subjected to $$bbooddyy__cchheecckkss filtering.
-
hheeaaddeerr__cchheecckkss
-
-
mmiimmee__hheeaaddeerr__cchheecckkss (default: $$hheeaaddeerr__cchheecckkss)
-
-
nneesstteedd__hheeaaddeerr__cchheecckkss (default: $$hheeaaddeerr__cchheecckkss)
Lookup tables with content filter rules for message header lines:
-
respectively, these are applied to the initial message headers
(not including MIME headers), to the MIME headers anywhere in
the message, and to the initial headers of attached messages.
Note: these filters see one logical message header at a time, even
when a message header spans multiple lines. Message headers that
are longer than $$hheeaaddeerr__ssiizzee__lliimmiitt characters are truncated.
-
ddiissaabbllee__mmiimmee__iinnppuutt__pprroocceessssiinngg
While receiving mail, give no special treatment to MIME related
-
message headers; all text after the initial message headers is
considered to be part of the message body. This means that
hheeaaddeerr__cchheecckkss is applied to all the initial message headers,
and that bbooddyy__cchheecckkss is applied to the remainder of the
message.
Note: when used in this manner, bbooddyy__cchheecckkss will process
a multi-line message header one line at a time.
EXAMPLES
Header pattern to block attachments with bad file name
extensions. For convenience, the PCRE /x flag is specified,
so that there is no need to collapse the pattern into a
single line of text. The purpose of the [[:xdigit:]]
sub-expressions is to recognize Windows CLSID strings.
/etc/postfix/main.cf:
header_checks = pcre:/etc/postfix/header_checks.pcre
/etc/postfix/header_checks.pcre:
/^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
hlp|ht[at]|
inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
\{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
REJECT Attachment name "$2" may not end with ".$4"
Body pattern to stop a specific HTML browser vulnerability exploit.
/etc/postfix/main.cf:
body_checks = regexp:/etc/postfix/body_checks
/etc/postfix/body_checks:
/^