-# ACCESS(5) ACCESS(5)
-#
-# NAME
-# access - Postfix access table format
-#
-# SYNOPSIS
-# postmap /etc/postfix/access
-#
-# postmap -q "string" /etc/postfix/access
-#
-# postmap -q - /etc/postfix/access <inputfile
-#
-# DESCRIPTION
-# The optional access(5) table directs the Postfix SMTP
-# server to selectively reject or accept mail. Access can be
-# allowed or denied for specific host names, domain names,
-# networks, host addresses or mail addresses.
-#
-# For an example, see the EXAMPLE section at the end of this
-# manual page.
-#
-# Normally, the access(5) table is specified as a text file
-# that serves as input to the postmap(1) command. The
-# result, an indexed file in dbm or db format, is used for
-# fast searching by the mail system. Execute the command
-# "postmap /etc/postfix/access" in order to rebuild the
-# indexed file after changing the access table.
-#
-# When the table is provided via other means such as NIS,
-# LDAP or SQL, the same lookups are done as for ordinary
-# indexed files.
-#
-# Alternatively, the table can be provided as a regular-
-# expression map where patterns are given as regular expres-
-# sions, or lookups can be directed to TCP-based server. In
-# that case, the lookups are done in a slightly different
-# way as described below under "REGULAR EXPRESSION TABLES"
-# and "TCP-BASED TABLES".
-#
-# TABLE FORMAT
-# The input format for the postmap(1) command is as follows:
-#
-# pattern action
-# When pattern matches a mail address, domain or host
-# address, perform the corresponding action.
-#
-# blank lines and comments
-# Empty lines and whitespace-only lines are ignored,
-# as are lines whose first non-whitespace character
-# is a `#'.
-#
-# multi-line text
-# A logical line starts with non-whitespace text. A
-# line that starts with whitespace continues a logi-
-# cal line.
-#
-# EMAIL ADDRESS PATTERNS
-# With lookups from indexed files such as DB or DBM, or from
-# networked tables such as NIS, LDAP or SQL, patterns are
-# tried in the order as listed below:
-#
-# user@domain
-# Matches the specified mail address.
-#
-# domain.tld
-# Matches domain.tld as the domain part of an email
-# address.
-#
-# The pattern domain.tld also matches subdomains, but
-# only when the string smtpd_access_maps is listed in
-# the Postfix parent_domain_matches_subdomains con-
-# figuration setting (note that this is the default
-# for some versions of Postfix). Otherwise, specify
-# .domain.tld (note the initial dot) in order to
-# match subdomains.
-#
-# user@ Matches all mail addresses with the specified user
-# part.
-#
-# Note: lookup of the null sender address is not possible
-# with some types of lookup table. By default, Postfix uses
-# <> as the lookup key for such addresses. The value is
-# specified with the smtpd_null_access_lookup_key parameter
-# in the Postfix main.cf file.
-#
-# EMAIL ADDRESS EXTENSION
-# When a mail address localpart contains the optional recip-
-# ient delimiter (e.g., user+foo@domain), the lookup order
-# becomes: user+foo@domain, user@domain, domain, user+foo@,
-# and user@.
-#
-# HOST NAME/ADDRESS PATTERNS
-# With lookups from indexed files such as DB or DBM, or from
-# networked tables such as NIS, LDAP or SQL, the following
-# lookup patterns are examined in the order as listed:
-#
-# domain.tld
-# Matches domain.tld.
-#
-# The pattern domain.tld also matches subdomains, but
-# only when the string smtpd_access_maps is listed in
-# the Postfix parent_domain_matches_subdomains con-
-# figuration setting. Otherwise, specify .domain.tld
-# (note the initial dot) in order to match subdo-
-# mains.
-#
-# net.work.addr.ess
-#
-# net.work.addr
-#
-# net.work
-#
-# net Matches the specified IPv4 host address or subnet-
-# work. An IPv4 host address is a sequence of four
-# decimal octets separated by ".".
-#
-# Subnetworks are matched by repeatedly truncating
-# the last ".octet" from the remote IPv4 host address
-# string until a match is found in the access table,
-# or until further truncation is not possible.
-#
-# NOTE 1: The information in the access map should be
-# in canonical form, with unnecessary null characters
-# eliminated. Address information must not be
-# enclosed with "[]" characters.
-#
-# NOTE 2: use the cidr lookup table type to specify
-# network/netmask patterns. See cidr_table(5) for
-# details.
-#
-# net:work:addr:ess
-#
-# net:work:addr
-#
-# net:work
-#
-# net Matches the specified IPv6 host address or subnet-
-# work. An IPv6 host address is a sequence of three
-# to eight hexadecimal octet pairs separated by ":".
-#
-# Subnetworks are matched by repeatedly truncating
-# the last ":octetpair" from the remote IPv6 host
-# address string until a match is found in the access
-# table, or until further truncation is not possible.
-#
-# NOTE 1: the truncation and comparison are done with
-# the string representation of the IPv6 host address.
-# Thus, not all the ":" subnetworks will be tried.
-#
-# NOTE 2: The information in the access map should be
-# in canonical form, with unnecessary null characters
-# eliminated. Address information must not be
-# enclosed with "[]" characters.
-#
-# NOTE 3: use the cidr lookup table type to specify
-# network/netmask patterns. See cidr_table(5) for
-# details.
-#
-# IPv6 support is available in Postfix 2.2 and later.
-#
-# ACCEPT ACTIONS
-# OK Accept the address etc. that matches the pattern.
-#
-# all-numerical
-# An all-numerical result is treated as OK. This for-
-# mat is generated by address-based relay authoriza-
-# tion schemes.
-#
-# REJECT ACTIONS
-# 4NN text
-#
-# 5NN text
-# Reject the address etc. that matches the pattern,
-# and respond with the numerical three-digit code and
-# text. 4NN means "try again later", while 5NN means
-# "do not try again".
-#
-# REJECT optional text...
-# Reject the address etc. that matches the pattern.
-# Reply with $reject_code optional text... when the
-# optional text is specified, otherwise reply with a
-# generic error response message.
-#
-# DEFER_IF_REJECT optional text...
-# Defer the request if some later restriction would
-# result in a REJECT action. Reply with "450 optional
-# text... when the optional text is specified, other-
-# wise reply with a generic error response message.
-#
-# This feature is available in Postfix 2.1 and later.
-#
-# DEFER_IF_PERMIT optional text...
-# Defer the request if some later restriction would
-# result in a an explicit or implicit PERMIT action.
-# Reply with "450 optional text... when the optional
-# text is specified, otherwise reply with a generic
-# error response message.
-#
-# This feature is available in Postfix 2.1 and later.
-#
-# OTHER ACTIONS
-# restriction...
-# Apply the named UCE restriction(s) (permit, reject,
-# reject_unauth_destination, and so on).
-#
-# DISCARD optional text...
-# Claim successful delivery and silently discard the
-# message. Log the optional text if specified, oth-
-# erwise log a generic message.
-#
-# Note: this action currently affects all recipients
-# of the message.
-#
-# This feature is available in Postfix 2.0 and later.
-#
-# DUNNO Pretend that the lookup key was not found. This
-# prevents Postfix from trying substrings of the
-# lookup key (such as a subdomain name, or a network
-# address subnetwork).
-#
-# This feature is available in Postfix 2.0 and later.
-#
-# FILTER transport:destination
-# After the message is queued, send the entire mes-
-# sage through the specified external content filter.
-# The transport:destination syntax is described in
-# the transport(5) manual page. More information
-# about external content filters is in the Postfix
-# FILTER_README file.
-#
-# Note: this action overrides the main.cf con-
-# tent_filter setting, and currently affects all
-# recipients of the message.
-#
-# This feature is available in Postfix 2.0 and later.
-#
-# HOLD optional text...
-# Place the message on the hold queue, where it will
-# sit until someone either deletes it or releases it
-# for delivery. Log the optional text if specified,
-# otherwise log a generic message.
-#
-# Mail that is placed on hold can be examined with
-# the postcat(1) command, and can be destroyed or
-# released with the postsuper(1) command.
-#
-# Note: use "postsuper -r" to release mail that was
-# kept on hold for a significant fraction of $maxi-
-# mal_queue_lifetime or $bounce_queue_lifetime, or
-# longer.
-#
-# Note: this action currently affects all recipients
-# of the message.
-#
-# This feature is available in Postfix 2.0 and later.
-#
-# PREPEND headername: headervalue
-# Prepend the specified message header to the mes-
-# sage. When this action is used multiple times, the
-# first prepended header appears before the second
-# etc. prepended header.
-#
-# Note: this action does not support multi-line mes-
-# sage headers.
-#
-# Note: this action must be used before the message
-# content is received; it cannot be used in
-# smtpd_end_of_data_restrictions.
-#
-# This feature is available in Postfix 2.1 and later.
-#
-# REDIRECT user@domain
-# After the message is queued, send the message to
-# the specified address instead of the intended
-# recipient(s).
-#
-# Note: this action overrides the FILTER action, and
-# currently affects all recipients of the message.
-#
-# This feature is available in Postfix 2.1 and later.
-#
-# WARN optional text...
-# Log a warning with the optional text, together with
-# client information and if available, with helo,
-# sender, recipient and protocol information.
-#
-# This feature is available in Postfix 2.1 and later.
-#
-# REGULAR EXPRESSION TABLES
-# This section describes how the table lookups change when
-# the table is given in the form of regular expressions. For
-# a description of regular expression lookup table syntax,
-# see regexp_table(5) or pcre_table(5).
-#
-# Each pattern is a regular expression that is applied to
-# the entire string being looked up. Depending on the appli-
-# cation, that string is an entire client hostname, an
-# entire client IP address, or an entire mail address. Thus,
-# no parent domain or parent network search is done,
-# user@domain mail addresses are not broken up into their
-# user@ and domain constituent parts, nor is user+foo broken
-# up into user and foo.
-#
-# Patterns are applied in the order as specified in the ta-
-# ble, until a pattern is found that matches the search
-# string.
-#
-# Actions are the same as with indexed file lookups, with
-# the additional feature that parenthesized substrings from
-# the pattern can be interpolated as $1, $2 and so on.
-#
-# TCP-BASED TABLES
-# This section describes how the table lookups change when
-# lookups are directed to a TCP-based server. For a descrip-
-# tion of the TCP client/server lookup protocol, see tcp_ta-
-# ble(5). This feature is not available up to and including
-# Postfix version 2.2.
-#
-# Each lookup operation uses the entire query string once.
-# Depending on the application, that string is an entire
-# client hostname, an entire client IP address, or an entire
-# mail address. Thus, no parent domain or parent network
-# search is done, user@domain mail addresses are not broken
-# up into their user@ and domain constituent parts, nor is
-# user+foo broken up into user and foo.
-#
-# Actions are the same as with indexed file lookups.
-#
-# EXAMPLE
-# The following example uses an indexed file, so that the
-# order of table entries does not matter. The example per-
-# mits access by the client at address 1.2.3.4 but rejects
-# all other clients in 1.2.3.0/24. Instead of hash lookup
-# tables, some systems use dbm. Use the command "postconf
-# -m" to find out what lookup tables Postfix supports on
-# your system.
-#
-# /etc/postfix/main.cf:
-# smtpd_client_restrictions =
-# check_client_access hash:/etc/postfix/access
-#
-# /etc/postfix/access:
-# 1.2.3 REJECT
-# 1.2.3.4 OK
-#
-# Execute the command "postmap /etc/postfix/access" after
-# editing the file.
-#
-# BUGS
-# The table format does not understand quoting conventions.
-#
-# SEE ALSO
-# postmap(1), Postfix lookup table manager
-# smtpd(8), SMTP server
-# postconf(5), configuration parameters
-# transport(5), transport:nexthop syntax
-#
-# README FILES
-# Use "postconf readme_directory" or "postconf html_direc-
-# tory" to locate this information.
-# SMTPD_ACCESS_README, built-in SMTP server access control
-# DATABASE_README, Postfix lookup table overview
-#
-# LICENSE
-# The Secure Mailer license must be distributed with this
-# software.
-#
-# AUTHOR(S)
-# Wietse Venema
-# IBM T.J. Watson Research
-# P.O. Box 704
-# Yorktown Heights, NY 10598, USA
-#
-# ACCESS(5)