git.ipfire.org Git - ipfire-2.x.git/blob - config/postfix/access
# ACCESS(5)                                                          ACCESS(5)
#
# NAME
#        access - Postfix access table format
#
# SYNOPSIS
#        postmap /etc/postfix/access
#
#        postmap -q "string" /etc/postfix/access
#
#        postmap -q - /etc/postfix/access <inputfile
#
# DESCRIPTION
#        The optional access(5) table directs the Postfix SMTP
#        server to selectively reject or accept mail. Access can be
#        allowed or denied for specific host names, domain names,
#        networks, host addresses or mail addresses.
#
#        For an example, see the EXAMPLE section at the end of this
#        manual page.
#
#        Normally, the access(5) table is specified as a text file
#        that serves as input to the postmap(1) command. The
#        result, an indexed file in dbm or db format, is used for
#        fast searching by the mail system. Execute the command
#        "postmap /etc/postfix/access" in order to rebuild the
#        indexed file after changing the access table.
#
#        When the table is provided via other means such as NIS,
#        LDAP or SQL, the same lookups are done as for ordinary
#        indexed files.
#
#        Alternatively, the table can be provided as a regular-
#        expression map where patterns are given as regular expres-
#        sions, or lookups can be directed to a TCP-based server. In
#        that case, the lookups are done in a slightly different
#        way as described below under "REGULAR EXPRESSION TABLES"
#        and "TCP-BASED TABLES".
#
# TABLE FORMAT
#        The input format for the postmap(1) command is as follows:
#
#        pattern action
#               When pattern matches a mail address, domain or host
#               address, perform the corresponding action.
#
#        blank lines and comments
#               Empty lines and whitespace-only lines are ignored,
#               as are lines whose first non-whitespace character
#               is a `#'.
#
#        multi-line text
#               A logical line starts with non-whitespace text. A
#               line that starts with whitespace continues a logi-
#               cal line.
#
# EMAIL ADDRESS PATTERNS
#        With lookups from indexed files such as DB or DBM, or from
#        networked tables such as NIS, LDAP or SQL, patterns are
#        tried in the order as listed below:
#
#        user@domain
#               Matches the specified mail address.
#
#        domain.tld
#               Matches domain.tld as the domain part of an email
#               address.
#
#               The pattern domain.tld also matches subdomains, but
#               only when the string smtpd_access_maps is listed in
#               the Postfix parent_domain_matches_subdomains con-
#               figuration setting (note that this is the default
#               for some versions of Postfix). Otherwise, specify
#               .domain.tld (note the initial dot) in order to
#               match subdomains.
#
#        user@  Matches all mail addresses with the specified user
#               part.
#
#        Note: lookup of the null sender address is not possible
#        with some types of lookup table. By default, Postfix uses
#        <> as the lookup key for such addresses. The value is
#        specified with the smtpd_null_access_lookup_key parameter
#        in the Postfix main.cf file.
#
# EMAIL ADDRESS EXTENSION
#        When a mail address localpart contains the optional recip-
#        ient delimiter (e.g., user+foo@domain), the lookup order
#        becomes: user+foo@domain, user@domain, domain, user+foo@,
#        and user@.
#
# HOST NAME/ADDRESS PATTERNS
#        With lookups from indexed files such as DB or DBM, or from
#        networked tables such as NIS, LDAP or SQL, the following
#        lookup patterns are examined in the order as listed:
#
#        domain.tld
#               Matches domain.tld.
#
#               The pattern domain.tld also matches subdomains, but
#               only when the string smtpd_access_maps is listed in
#               the Postfix parent_domain_matches_subdomains con-
#               figuration setting. Otherwise, specify .domain.tld
#               (note the initial dot) in order to match subdo-
#               mains.
#
#        net.work.addr.ess
#
#        net.work.addr
#
#        net.work
#
#        net    Matches the specified IPv4 host address or subnet-
#               work. An IPv4 host address is a sequence of four
#               decimal octets separated by ".".
#
#               Subnetworks are matched by repeatedly truncating
#               the last ".octet" from the remote IPv4 host address
#               string until a match is found in the access table,
#               or until further truncation is not possible.
#
#               NOTE 1: The information in the access map should be
#               in canonical form, with unnecessary null characters
#               eliminated. Address information must not be
#               enclosed with "[]" characters.
#
#               NOTE 2: use the cidr lookup table type to specify
#               network/netmask patterns. See cidr_table(5) for
#               details.
#
#        net:work:addr:ess
#
#        net:work:addr
#
#        net:work
#
#        net    Matches the specified IPv6 host address or subnet-
#               work. An IPv6 host address is a sequence of three
#               to eight hexadecimal octet pairs separated by ":".
#
#               Subnetworks are matched by repeatedly truncating
#               the last ":octetpair" from the remote IPv6 host
#               address string until a match is found in the access
#               table, or until further truncation is not possible.
#
#               NOTE 1: the truncation and comparison are done with
#               the string representation of the IPv6 host address.
#               Thus, not all the ":" subnetworks will be tried.
#
#               NOTE 2: The information in the access map should be
#               in canonical form, with unnecessary null characters
#               eliminated. Address information must not be
#               enclosed with "[]" characters.
#
#               NOTE 3: use the cidr lookup table type to specify
#               network/netmask patterns. See cidr_table(5) for
#               details.
#
#               IPv6 support is available in Postfix 2.2 and later.
#
# ACCEPT ACTIONS
#        OK     Accept the address etc. that matches the pattern.
#
#        all-numerical
#               An all-numerical result is treated as OK. This for-
#               mat is generated by address-based relay authoriza-
#               tion schemes.
#
# REJECT ACTIONS
#        4NN text
#
#        5NN text
#               Reject the address etc. that matches the pattern,
#               and respond with the numerical three-digit code and
#               text. 4NN means "try again later", while 5NN means
#               "do not try again".
#
#        REJECT optional text...
#               Reject the address etc. that matches the pattern.
#               Reply with $reject_code optional text... when the
#               optional text is specified, otherwise reply with a
#               generic error response message.
#
#        DEFER_IF_REJECT optional text...
#               Defer the request if some later restriction would
#               result in a REJECT action. Reply with "450 optional
#               text..." when the optional text is specified, other-
#               wise reply with a generic error response message.
#
#               This feature is available in Postfix 2.1 and later.
#
#        DEFER_IF_PERMIT optional text...
#               Defer the request if some later restriction would
#               result in an explicit or implicit PERMIT action.
#               Reply with "450 optional text..." when the optional
#               text is specified, otherwise reply with a generic
#               error response message.
#
#               This feature is available in Postfix 2.1 and later.
#
# OTHER ACTIONS
#        restriction...
#               Apply the named UCE restriction(s) (permit, reject,
#               reject_unauth_destination, and so on).
#
#        DISCARD optional text...
#               Claim successful delivery and silently discard the
#               message. Log the optional text if specified, oth-
#               erwise log a generic message.
#
#               Note: this action currently affects all recipients
#               of the message.
#
#               This feature is available in Postfix 2.0 and later.
#
#        DUNNO  Pretend that the lookup key was not found. This
#               prevents Postfix from trying substrings of the
#               lookup key (such as a subdomain name, or a network
#               address subnetwork).
#
#               This feature is available in Postfix 2.0 and later.
#
#        FILTER transport:destination
#               After the message is queued, send the entire mes-
#               sage through the specified external content filter.
#               The transport:destination syntax is described in
#               the transport(5) manual page. More information
#               about external content filters is in the Postfix
#               FILTER_README file.
#
#               Note: this action overrides the main.cf con-
#               tent_filter setting, and currently affects all
#               recipients of the message.
#
#               This feature is available in Postfix 2.0 and later.
#
#        HOLD optional text...
#               Place the message on the hold queue, where it will
#               sit until someone either deletes it or releases it
#               for delivery. Log the optional text if specified,
#               otherwise log a generic message.
#
#               Mail that is placed on hold can be examined with
#               the postcat(1) command, and can be destroyed or
#               released with the postsuper(1) command.
#
#               Note: use "postsuper -r" to release mail that was
#               kept on hold for a significant fraction of $maxi-
#               mal_queue_lifetime or $bounce_queue_lifetime, or
#               longer.
#
#               Note: this action currently affects all recipients
#               of the message.
#
#               This feature is available in Postfix 2.0 and later.
#
#        PREPEND headername: headervalue
#               Prepend the specified message header to the mes-
#               sage. When this action is used multiple times, the
#               first prepended header appears before the second
#               etc. prepended header.
#
#               Note: this action does not support multi-line mes-
#               sage headers.
#
#               Note: this action must be used before the message
#               content is received; it cannot be used in
#               smtpd_end_of_data_restrictions.
#
#               This feature is available in Postfix 2.1 and later.
#
#        REDIRECT user@domain
#               After the message is queued, send the message to
#               the specified address instead of the intended
#               recipient(s).
#
#               Note: this action overrides the FILTER action, and
#               currently affects all recipients of the message.
#
#               This feature is available in Postfix 2.1 and later.
#
#        WARN optional text...
#               Log a warning with the optional text, together with
#               client information and if available, with helo,
#               sender, recipient and protocol information.
#
#               This feature is available in Postfix 2.1 and later.
#
# REGULAR EXPRESSION TABLES
#        This section describes how the table lookups change when
#        the table is given in the form of regular expressions. For
#        a description of regular expression lookup table syntax,
#        see regexp_table(5) or pcre_table(5).
#
#        Each pattern is a regular expression that is applied to
#        the entire string being looked up. Depending on the appli-
#        cation, that string is an entire client hostname, an
#        entire client IP address, or an entire mail address. Thus,
#        no parent domain or parent network search is done,
#        user@domain mail addresses are not broken up into their
#        user@ and domain constituent parts, nor is user+foo broken
#        up into user and foo.
#
#        Patterns are applied in the order as specified in the ta-
#        ble, until a pattern is found that matches the search
#        string.
#
#        Actions are the same as with indexed file lookups, with
#        the additional feature that parenthesized substrings from
#        the pattern can be interpolated as $1, $2 and so on.
#
# TCP-BASED TABLES
#        This section describes how the table lookups change when
#        lookups are directed to a TCP-based server. For a descrip-
#        tion of the TCP client/server lookup protocol, see tcp_ta-
#        ble(5). This feature is not available up to and including
#        Postfix version 2.2.
#
#        Each lookup operation uses the entire query string once.
#        Depending on the application, that string is an entire
#        client hostname, an entire client IP address, or an entire
#        mail address. Thus, no parent domain or parent network
#        search is done, user@domain mail addresses are not broken
#        up into their user@ and domain constituent parts, nor is
#        user+foo broken up into user and foo.
#
#        Actions are the same as with indexed file lookups.
#
# EXAMPLE
#        The following example uses an indexed file, so that the
#        order of table entries does not matter. The example per-
#        mits access by the client at address 1.2.3.4 but rejects
#        all other clients in 1.2.3.0/24. Instead of hash lookup
#        tables, some systems use dbm. Use the command "postconf
#        -m" to find out what lookup tables Postfix supports on
#        your system.
#
#        /etc/postfix/main.cf:
#            smtpd_client_restrictions =
#                check_client_access hash:/etc/postfix/access
#
#        /etc/postfix/access:
#            1.2.3   REJECT
#            1.2.3.4 OK
#
#        Execute the command "postmap /etc/postfix/access" after
#        editing the file.
#
# BUGS
#        The table format does not understand quoting conventions.
#
# SEE ALSO
#        postmap(1), Postfix lookup table manager
#        smtpd(8), SMTP server
#        postconf(5), configuration parameters
#        transport(5), transport:nexthop syntax
#
# README FILES
#        Use "postconf readme_directory" or "postconf html_direc-
#        tory" to locate this information.
#        SMTPD_ACCESS_README, built-in SMTP server access control
#        DATABASE_README, Postfix lookup table overview
#
# LICENSE
#        The Secure Mailer license must be distributed with this
#        software.
#
# AUTHOR(S)
#        Wietse Venema
#        IBM T.J. Watson Research
#        P.O. Box 704
#        Yorktown Heights, NY 10598, USA
#
#                                                                    ACCESS(5)
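
Added example, not part of the IPFire or Postfix file: a Python model of the indexed-table lookup order described in the EMAIL ADDRESS PATTERNS, EMAIL ADDRESS EXTENSION, HOST NAME/ADDRESS PATTERNS and DUNNO text above, run against the table from the EXAMPLE section. The function names, the constructed "1.2.3.5 DUNNO" entry, and the assumption that smtpd_access_maps is not listed in parent_domain_matches_subdomains are this example's own.

```python
# Added example: models the indexed-table lookup order from access(5).
# It does not call Postfix; the table entries below are constructed.

def ipv4_keys(addr):
    """Full address first, then drop the last ".octet" until nothing is left."""
    octets = addr.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]

def email_keys(addr, delimiter="+"):
    """Keys tried for a mail address, including the address-extension case."""
    local, _, domain = addr.rpartition("@")
    base = local.split(delimiter, 1)[0]
    has_ext = bool(base) and base != local
    keys = [f"{local}@{domain}"]
    if has_ext:
        keys.append(f"{base}@{domain}")
    keys.append(domain)
    # Assumption: smtpd_access_maps is NOT in parent_domain_matches_subdomains,
    # so parent domains only match through the ".domain.tld" form.
    labels = domain.split(".")
    keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    keys.append(f"{local}@")
    if has_ext:
        keys.append(f"{base}@")
    return keys

def lookup(table, keys):
    """First key present in the table wins; DUNNO stops the search as 'not found'."""
    for key in keys:
        if key in table:
            return None if table[key] == "DUNNO" else table[key]
    return None

# The page's EXAMPLE table plus one constructed DUNNO entry.
CLIENT_ACCESS = {"1.2.3": "REJECT", "1.2.3.4": "OK", "1.2.3.5": "DUNNO"}

def check_client(addr):
    """Action for a client IPv4 address, or None when no entry applies."""
    return lookup(CLIENT_ACCESS, ipv4_keys(addr))

if __name__ == "__main__":
    for ip in ("1.2.3.4", "1.2.3.99", "1.2.3.5", "1.2.30.7"):
        print(ip, ipv4_keys(ip), "->", check_client(ip))
    print(email_keys("user+foo@sub.example.com"))
```

Because truncation works on the string form of the address, the "1.2.3" entry covers 1.2.3.99 but not 1.2.30.7, and the DUNNO entry exempts 1.2.3.5 from the REJECT without granting OK.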