Workaround: Eric Raymond's man page formatters don't handle
low-level *roff .in or .ti controls. We now use .nf and .fi
instead. Files: many.
-
-Wish list:
-
- Remove defer(8) and trace(8) references and man pages. These
- are services not program names.
-
- Bind all deliveries to the same local delivery process,
- making Postfix perform as poorly as monolithic mailers,
- but giving a possibility to eliminate duplicate deliveries.
-
- Maybe declare loop when resolve_local(mxhost) is true?
-
- Update message content length when adding/removing headers.
-
- Need scache size limit.
-
- Update BACKSCATTER_README to use PCRE because that's what I
- am using now.
-
- Make postcat header/body aware so people can grep headers.
-
- Make postmap header/body aware so people can test multi-line
- header checks.
-
- REDIRECT should override original recipient info, and
- probably override DSN as well.
-
- Find out if with Sendmail, a Milter "add recipient" request
- results in NOTIFY=NONE as Postfix does now.
-
- Update FILTER_README with mailing list suggestions to tag
- with a badness indicator and then filter down-stream.
-
- Either document or remove the internal_mail_filter_classes
- feature (it's disabled by default).
-
- Build a command-line test driver for the cleanup engine.
- This allows us to test it with arbitrary record sequences
- without having to use a live mail queue.
-
- Make null local-part handling configurable: either expand
- into mailer-daemon (current bahavior) or disallow (strict
- behavior, currently implemented only in the SMTP server).
-
- The type of var_message_limit should be changed from int
- to long or better, to take advantage of LP64 architectures.
- This also requires checking all expressions in which
- var_message_limit appears.
-
- Add M flag (enable multi-recipient delivery) to pipe daemon.
-
- The usage of TLScontext->cache_type is unclear. It specifies
- a TLS session cache type (smtpd, smtp, or lmtp), but it is
- sometimes used as an indicator that TLS session caching is
- unavailable. In reality, that decision is made by not
- registering call-back functions for cache maintenance.
-
- Postfix TLS library code should copy any strings that it
- receives from the application, instead of passing them
- around as pointers. TLScontext->cache_type is a case in
- point.
-
- Are transport:nexthop null fields the same as in the case
- of default_transport etc. parameters?
-
- Don't lose bits when converting st_dev into maildir file
- name. It's 64 bits on Linux. Found with the BEAM source
- code analyzer. Is this really a problem, or are they just
- using 64 bits for upwards compatibility with LP64 systems?
-
- Do or don't introduce unknown_reverse_client_reject_code.
-
- Check that "UINT32 == unsigned int" choice is ok (i.e. LP64
- UNIX).
-
- Tempfail when a Milter application wants content access,
- while it is configured in an SMTP server that runs before
- the smtpd_proxy filter.
-
- Log DSN original recipient when rejecting mail.
-
- Keep whitespace between label and ":"?
-
- Make the map case folding/locking options configurable, if
- not at run-time then at least at compile time so we get
- consistent behavior across applications.
-
- Investigate what it would take to eliminate oqmgr, and to
- make the old behavior configurable in a unified queue
- manager. This would shave another 2.7 KLOC from the source
- footprint.
-
- Document the case folding strategy for match_list like
- features.
-
- Eliminate the (incoming,deferred)->active rename operation.
-
- Softbounce fallback-to-ISP for SOHO users. This requires
- playing with the soft_error test in the smtp_trouble.c
- module, and avoiding delivery to backup MX hosts.
-
- In the SMTP server, set a "pipelining detected" flag at the
- start of a session and at protocol synchronization points,
- so that reject_unauth_pipelining can be specified in any
- access rule.
-
- Centralize main.cf parameter input so that defaults work
- consistently. What about parameter names that are prefixed
- with mail delivery transport names?
-
- Fix default time unit handling so that we can have a default
- bounce lifetime of $maximal_queue_lifetime, without causing
- panics when a non-default maximal_queue_lifetime setting
- includes no time unit.
-
- After the 20051222 ISASCII paranoia, lowercase() lowercases
- ASCII text only.
-
- Privacy: remove local command/pathname details from remote
- delivery status reports, and log them via local msg_warn().
-
- Is it safe to cache a connection after it has been used for
- more than some number of address verification probes?
-
- Try to recognize that Resent- headers appear in blocks,
- newest block first. But don't break on incorrect header
- block organization.
-
- Hard limits on cache sizes (anvil, specifically).
-
- Laptop friendliness: make the qmgr remember when the next
- deferred queue scan needs to be done, and have the pickup
- server stat() the maildrop directory before searching it.
-
- Low: replace_sender/replace_recipient actions in access
- maps?
-
- Low: configurable order of local(8) delivery methods.
-
- Med: local and remote source port and IP address for smtpd
- policy hook.
-
- Med: smtp_connect_timeout_budget (default: 3x smtp_connect_timeout)
- to limit the total time spent trying to connect.
-
- Med: transform IPv4-in-IPv6 address literals to IPv4 form
- when comparing against local IP addresses?
-
- Med: transform IPv4-in-IPv6 address literals to IPv4 form
- when eliminating MX mailer loops?
-
- Med: Postfix requires [] around IPv6 address information
- in match lists such as mynetworks, debug_peer_list etc.,
- but the [] must not be specified in access(5) maps. Other
- places don't care. For now, this gotcha is documented in
- IPV6_README and in postconf(5) with each feature that may
- use IPv6 address information. The general recommendation
- is not to use [] unless absolutely necessary.
-
- Med: the partial address matching of IPv6 addresses in
- access(5) maps is a bit lame: it repeatedly truncates the
- last ":octetpair" from the printable address representation
- until a match is found or until truncation is no longer
- possible. Since one or more ":" are usually omitted from
- the printable IPv6 address representation, this does not
- really try all the possibilities that one might expect to
- be tried. For now, this gotcha is documented in access(5).
-
- Med: the TLS certificate verification depth parameters never
- worked.
-
- Low: reject HELO with any domain name or IP address that
- this MTA is the final destination for.
-
- Low: should the Delivered-To: test in local(8) be configurable?
-
- Low: make mail_addr_find() lookup configurable.
-
- Low: update events.c so that 1-second timer requests do not
- suffer from rounding errors. This is needed for 1-second
- SMTP session caching time limits. A 1-second interval would
- become arbitrarily short when an event is scheduled just
- before the current second rolls over.
-
- Low: configurable internal/system locking method.
-
- Low: add INSTALL section for pre-existing Postfix systems.
-
- Low: add INSTALL section for pre-existing RPM Postfixes.
-
- Low: disallow smtpd_recipient_limit < 100 (the RFC minimum).
-
- Low: noise filter: allow smtp(8) to retry immediately if
- all MXes return a quick ECONNRESET or 4xx reply during the
- initial handshake. Retry once? How many times?
-
- Low: make post-install a "postfix-only script" so it can
- take data from the environment instead of main.cf.
-
- Low: randomize deferred mail backoff.
-
- Med: separate ulimit for delivery to command?
-
- Med: option to open queue file early, after MAIL FROM. This
- would allow correlation of rejected RCPT TO requests with
- accepted requests for the same mail transaction.
-
- Med: postsuper -r should do something with recipients in
- bounce logfiles, to make sure the sender will be notified.
- To be perfectly safe, no process other than the queue manager
- should move a queue file away from the active queue.
-
- This could involve tagging a queue file, and use up another
- permission bit (postsuper tags a "hot" file, qmgr requeues it).
-
- Low: postsuper re-run after renaming files, but only a
- limited number of times.
-
- Low: smtp-source may block when sending large test messages.
-
- Med: find a way to log the sender address when MAIL FROM
- is rejected due to lack of disk space.
-
- Low: revise other local delivery agent duplicate filters.
-
- Low: all table lookups should consistently use internalized
- (unquoted) or externalized (quoted) forms as lookup keys.
- smtpd, qmgr, local, etc. use unquoted address forms as keys.
- cleanup uses quoted forms.
-
- Low: have a configurable list of errno values for mailbox
- or maildir delivery that result in deferral rather than
- bouncing mail. What about "killed by signal" exits?
-
- Low: after reorganizing configuration parameters, add flags
- to all parameters whose value can be read from file.
-
- Medium: need in-process caching for map lookups. LDAP servers
- seem to need this in particular. Need a way to expire cached
- results that are too old.
-
- Low: generic showq protocol, to allow for more intelligent
- processing than just mailq. Maybe marry this with postsuper.
-
- Low: default domain for appending to unqualified recipients,
- so that unqualified names can be delivered locally.
-
- Low: The $process_id_directory setting is not used anywhere
- in Postfix. Problem reported by Michael Smith, texas.net.
- This should be documented, or better, the code should warn
- about attempts to set read-only parameters.
-
- Low: postconf -e edits parameters that postconf won't list.
-
- Low: while converting 8bit text to quoted-printable, perhaps
- use =46rom to avoid having to produce >From when delivering
- to mailbox.
-
- virtual_mailbox_path expression like forward_path, so that
- people can specify prefix and suffix.
O\bOv\bve\ber\brv\bvi\bie\bew\bw
-This document describes features that require Postfix version 2.0 or later.
+This document describes features that require Postfix version 2.0 or later. The
+examples use Perl Compatible Regular Expressions (Postfix pcre: tables), but
+also provide a translation to POSIX regular expressions (Postfix regexp:
+tables). PCRE is preferred primarily because the implementation is often
+faster.
Topics covered in this document:
this:
/etc/postfix/main.cf:
- header_checks = regexp:/etc/postfix/header_checks
- body_checks = regexp:/etc/postfix/body_checks
+ header_checks = pcre:/etc/postfix/header_checks
+ body_checks = pcre:/etc/postfix/body_checks
/etc/postfix/header_checks:
if /^Received:/
/^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)
(porcupine\.org)\)/
reject forged client name in Received: header: $2
- /^Received:.* +by +(porcupine\.org)[[:>:]]/
+ /^Received:.* +by +(porcupine\.org)\b/
reject forged mail server name in Received: header: $1
endif
/^Message-ID:.* <!&!/ DUNNO
/^[> ]*Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)
(porcupine\.org)\)/
reject forged client name in Received: header: $2
- /^[> ]*Received:.* +by +(porcupine\.org)[[:>:]]/
+ /^[> ]*Received:.* +by +(porcupine\.org)\b/
reject forged mail server name in Received: header: $1
endif
/^[> ]*Message-ID:.* <!&!/ DUNNO
Notes:
+ * The example uses pcre: tables mainly for speed; with minor modifications,
+ you can use regexp: tables as explained below.
+
* The example is simplified for educational purposes. In reality my patterns
list multiple domain names, as "(domain|domain|...)".
* The "\(" and "\)" match "(" and ")" literally. Without the "\", the "(" and
")" would be grouping operators.
- * The "[[:>:]]" matches the end of a word. On some systems you should specify
- "\>" instead. For details see your system documentation.
+ * The "\b" is used here to match the end of a word. If you use regexp:
+ tables, specify "[[:>:]]" (on some systems you should specify "\>" instead;
+ for details see your system documentation).
* The "if /pattern/" and "endif" eliminate unnecessary matching attempts. DO
NOT indent lines starting with /pattern/ between the "if" and "endif"!
mail is obviously forged and is very easy to stop.
/etc/postfix/main.cf:
- header_checks = regexp:/etc/postfix/header_checks
- body_checks = regexp:/etc/postfix/body_checks
+ header_checks = pcre:/etc/postfix/header_checks
+ body_checks = pcre:/etc/postfix/body_checks
/etc/postfix/header_checks:
- /^(From|Return-Path):.*[[:<:]](user@domain\.tld)[[:>:]]/
+ /^(From|Return-Path):.*\b(user@domain\.tld)\b/
reject forged sender address in $1: header: $2
/etc/postfix/body_checks:
- /^[> ]*(From|Return-Path):.*[[:<:]](user@domain\.tld)[[:>:]]/
+ /^[> ]*(From|Return-Path):.*\b(user@domain\.tld)\b/
reject forged sender address in $1: header: $2
Notes:
+ * The example uses pcre: tables mainly for speed; with minor modifications,
+ you can use regexp: tables as explained below.
+
* The example is simplified for educational purposes. In reality, my patterns
list multiple email addresses as "(user1@domain1\.tld|user2@domain2\.tld)".
- * The "[[:<:]]" and "[[:>:]]" match the beginning and end of a word,
- respectively. On some systems you should specify "\<" and "\>" instead. For
- details see your system documentation.
+ * The two "\b" as used in "\b(user@domain\.tld)\b" match the beginning and
+ end of a word, respectively. If you use regexp: tables, specify "[[:<:]]
+ and [[:>:]]" (on some systems you should specify "\< and \>" instead; for
+ details see your system documentation).
* The "\." matches "." literally. Without the "\", the "." would match any
character.
Network -> smtpd(8) <-> anvil(8)
- * The bounce(8), defer(8) and trace(8) servers each maintain their own queue
- directory trees with per-message logfiles. This information is used to send
- delivery or non-delivery notifications to the sender.
+ * The bounce(8), defer(8) and trace(8) services each maintain their own queue
+ directory trees with per-message logfiles. Postfix uses this information
+ when sending "failed", "delayed" or "success" delivery status notifications
+ to the sender.
- The trace(8) service implements support for the Postfix "sendmail -bv" and
- "sendmail -v" commands which produce reports about how Postfix delivers
+ The trace(8) service also implements support for the Postfix "sendmail -bv"
+ and "sendmail -v" commands which produce reports about how Postfix delivers
mail, and is available with Postfix version 2.1 and later. See DEBUG_README
for examples.
Major changes - critical
------------------------
+See RELEASE_NOTES-2.3 if you upgrade from Postfix 2.2 or earlier.
+
[Incompat 20070122] To take advantage of the new support for BSD
kqueue, Linux epoll, or Solaris /dev/poll, you must restart (not
reload) Postfix after upgrading from Postfix 2.3.
with GNU POP3D which subverts kernel locking by creating a new
mailbox file and deleting the old one.
-Major changes - milter
-----------------------
+Major changes - Milter support
+------------------------------
[Feature 20070121] The support for Milter header modification
requests was revised. With minimal change in the on-disk representation,
body. Postfix now implements all the header/body modification
requests that are available with Sendmail 8.13.
-Major changes - tls
--------------------
+[Incompat 20070116] A new field is added to the queue file "size"
+record that specifies the message content length. Postfix 2.3 and
+older Postfix 2.4 snapshots will ignore this field, and will report
+the message size as it was before the body was replaced.
+
+Major changes - TLS support
+---------------------------
[Incompat 20061214] The check_smtpd_policy client sends TLS certificate
attributes (client ccert_subject, ccert_issuer) only after successful
operations). These two parameters act as defaults for optional
per-transport settings.
-Major changes - delivery status notification
---------------------------------------------
+Major changes - delivery status notifications
+---------------------------------------------
[Incompat 20061209] Small changes were made to the default bounce
message templates, to prevent HTML-aware software from hiding or
removing the text "<postmaster>", and producing misleading text.
-[Incompat 20060806] [Incompat 20060806] Postfix no longer announces
-its name in delivery status notifications. Users believe that
-Wietse provides a free help desk service that solves all their email
-problems.
+[Incompat 20060806] Postfix no longer announces its name in delivery
+status notifications. Users believe that Wietse provides a free
+help desk service that solves all their email problems.
-Major changes - etrn
---------------------
+Major changes - ETRN support
+----------------------------
[Feature 20061217] More precise queue flushing with the ETRN,
"postqueue -s site", and "sendmail -qRsite" commands, after
minimization of race conditions. New per-queue-file flushing with
"postqueue -i queueid" and "sendmail -qIqueueid".
-Major changes - small office/home office
-----------------------------------------
+Major changes - small office/home office support
+------------------------------------------------
[Incompat 20061217] Postfix no longer requires a domain name. It
uses "localdomain" as the default Internet domain name when no
domain is specified via main.cf or via the machine's hostname.
-Major changes - access control
-------------------------------
+Major changes - SMTP access control
+-----------------------------------
[Incompat 20061214] The check_smtpd_policy client sends TLS certificate
attributes (client ccert_subject, ccert_issuer) only after successful
(default: disable_esmtp, delay_dotcrlf) and smtp_pix_workaround_maps
(workarounds indexed by server IP address). The default settings
are backwards compatible.
-
-Major changes - other
----------------------
-
-[Incompat 20070116] A new field is added to the queue file "size"
-record that specifies the message content length. Postfix 2.3 and
-older Postfix 2.4 versions will ignore this field, and will report
-the message size as it was before the body was replaced.
+++ /dev/null
-What needs to be done before Postfix 2.4.0 is finished:
-
-- Update BACKSCATTER_README with PCRE rules.
-
-- Truncate wish list from HISTORY.
# time, even when a message header spans multiple lines.
# Body lines are always examined one line at a time.
#
+# COMPATIBILITY
+# With Postfix version 2.2 and earlier specify "postmap -fq"
+# to query a table that contains case sensitive patterns. By
+# default, regexp: and pcre: patterns are case insensitive.
+#
# TABLE FORMAT
-# This document assumes that header and body_checks rules
-# are specified in the form of Postfix regular expression
-# lookup tables. Usually the best performance is obtained
+# This document assumes that header and body_checks rules
+# are specified in the form of Postfix regular expression
+# lookup tables. Usually the best performance is obtained
# with pcre (Perl Compatible Regular Expression) tables, but
-# the slower regexp (POSIX regular expressions) support is
-# more widely available. Use the command "postconf -m" to
-# find out what lookup table types your Postfix system sup-
+# the slower regexp (POSIX regular expressions) support is
+# more widely available. Use the command "postconf -m" to
+# find out what lookup table types your Postfix system sup-
# ports.
#
# The general format of Postfix regular expression tables is
-# given below. For a discussion of specific pattern or
-# flags syntax, see pcre_table(5) or regexp_table(5),
+# given below. For a discussion of specific pattern or
+# flags syntax, see pcre_table(5) or regexp_table(5),
# respectively.
#
# /pattern/flags action
-# When pattern matches the input string, execute the
-# corresponding action. See below for a list of pos-
+# When pattern matches the input string, execute the
+# corresponding action. See below for a list of pos-
# sible actions.
#
# !/pattern/flags action
-# When pattern does not match the input string, exe-
+# When pattern does not match the input string, exe-
# cute the corresponding action.
#
# if /pattern/flags
#
# endif Match the input string against the patterns between
-# if and endif, if and only if the same input string
+# if and endif, if and only if the same input string
# also matches pattern. The if..endif can nest.
#
-# Note: do not prepend whitespace to patterns inside
+# Note: do not prepend whitespace to patterns inside
# if..endif.
#
# if !/pattern/flags
#
# endif Match the input string against the patterns between
-# if and endif, if and only if the same input string
+# if and endif, if and only if the same input string
# does not match pattern. The if..endif can nest.
#
# blank lines and comments
-# Empty lines and whitespace-only lines are ignored,
-# as are lines whose first non-whitespace character
+# Empty lines and whitespace-only lines are ignored,
+# as are lines whose first non-whitespace character
# is a `#'.
#
# multi-line text
-# A pattern/action line starts with non-whitespace
-# text. A line that starts with whitespace continues
+# A pattern/action line starts with non-whitespace
+# text. A line that starts with whitespace continues
# a logical line.
#
# TABLE SEARCH ORDER
-# For each line of message input, the patterns are applied
-# in the order as specified in the table. When a pattern is
-# found that matches the input line, the corresponding
-# action is executed and then the next input line is
+# For each line of message input, the patterns are applied
+# in the order as specified in the table. When a pattern is
+# found that matches the input line, the corresponding
+# action is executed and then the next input line is
# inspected.
#
# TEXT SUBSTITUTION
-# Substitution of substrings from the matched expression
-# into the action string is possible using the conventional
-# Perl syntax ($1, $2, etc.). The macros in the result
-# string may need to be written as ${n} or $(n) if they
+# Substitution of substrings from the matched expression
+# into the action string is possible using the conventional
+# Perl syntax ($1, $2, etc.). The macros in the result
+# string may need to be written as ${n} or $(n) if they
# aren't followed by whitespace.
#
-# Note: since negated patterns (those preceded by !) return
+# Note: since negated patterns (those preceded by !) return
# a result when the expression does not match, substitutions
# are not available for negated patterns.
#
# case for consistency with other Postfix documentation.
#
# DISCARD optional text...
-# Claim successful delivery and silently discard the
-# message. Log the optional text if specified, oth-
+# Claim successful delivery and silently discard the
+# message. Log the optional text if specified, oth-
# erwise log a generic message.
#
-# Note: this action disables further header or
-# body_checks inspection of the current message and
+# Note: this action disables further header or
+# body_checks inspection of the current message and
# affects all recipients. To discard only one recip-
# ient without discarding the entire message, use the
# transport(5) table to direct mail to the discard(8)
#
# This feature is available in Postfix 2.0 and later.
#
-# DUNNO Pretend that the input line did not match any pat-
-# tern, and inspect the next input line. This action
+# DUNNO Pretend that the input line did not match any pat-
+# tern, and inspect the next input line. This action
# can be used to shorten the table search.
#
-# For backwards compatibility reasons, Postfix also
-# accepts OK but it is (and always has been) treated
+# For backwards compatibility reasons, Postfix also
+# accepts OK but it is (and always has been) treated
# as DUNNO.
#
# This feature is available in Postfix 2.1 and later.
#
# FILTER transport:destination
-# Write a content filter request to the queue file,
-# and inspect the next input line. After the com-
-# plete message is received it will be sent through
+# Write a content filter request to the queue file,
+# and inspect the next input line. After the com-
+# plete message is received it will be sent through
# the specified external content filter. More infor-
-# mation about external content filters is in the
+# mation about external content filters is in the
# Postfix FILTER_README file.
#
# Note: this action overrides the content_filter set-
# ting, and affects all recipients of the message. In
-# the case that multiple FILTER actions fire, only
+# the case that multiple FILTER actions fire, only
# the last one is executed.
#
# This feature is available in Postfix 2.0 and later.
#
# HOLD optional text...
-# Arrange for the message to be placed on the hold
-# queue, and inspect the next input line. The mes-
-# sage remains on hold until someone either deletes
-# it or releases it for delivery. Log the optional
+# Arrange for the message to be placed on the hold
+# queue, and inspect the next input line. The mes-
+# sage remains on hold until someone either deletes
+# it or releases it for delivery. Log the optional
# text if specified, otherwise log a generic message.
#
-# Mail that is placed on hold can be examined with
-# the postcat(1) command, and can be destroyed or
+# Mail that is placed on hold can be examined with
+# the postcat(1) command, and can be destroyed or
# released with the postsuper(1) command.
#
-# Note: use "postsuper -r" to release mail that was
-# kept on hold for a significant fraction of $maxi-
+# Note: use "postsuper -r" to release mail that was
+# kept on hold for a significant fraction of $maxi-
# mal_queue_lifetime or $bounce_queue_lifetime, or
-# longer. Use "postsuper -H" only for mail that will
+# longer. Use "postsuper -H" only for mail that will
# not expire within a few delivery attempts.
#
-# Note: this action affects all recipients of the
+# Note: this action affects all recipients of the
# message.
#
# This feature is available in Postfix 2.0 and later.
# the next input line.
#
# PREPEND text...
-# Prepend one line with the specified text, and
+# Prepend one line with the specified text, and
# inspect the next input line.
#
# Notes:
#
-# o The prepended text is output on a separate
+# o The prepended text is output on a separate
# line, immediately before the input that
# triggered the PREPEND action.
#
# o The prepended text is not considered part of
-# the input stream: it is not subject to
+# the input stream: it is not subject to
# header/body checks or address rewriting, and
# it does not affect the way that Postfix adds
# missing message headers.
#
# o When prepending text before a message header
-# line, the prepended text must begin with a
+# line, the prepended text must begin with a
# valid message header label.
#
# o This action cannot be used to prepend multi-
# This feature is available in Postfix 2.1 and later.
#
# REDIRECT user@domain
-# Write a message redirection request to the queue
-# file, and inspect the next input line. After the
+# Write a message redirection request to the queue
+# file, and inspect the next input line. After the
# message is queued, it will be sent to the specified
# address instead of the intended recipient(s).
#
-# Note: this action overrides the FILTER action, and
-# affects all recipients of the message. If multiple
-# REDIRECT actions fire, only the last one is exe-
+# Note: this action overrides the FILTER action, and
+# affects all recipients of the message. If multiple
+# REDIRECT actions fire, only the last one is exe-
# cuted.
#
# This feature is available in Postfix 2.1 and later.
#
# REPLACE text...
-# Replace the current line with the specified text,
+# Replace the current line with the specified text,
# and inspect the next input line.
#
# This feature is available in Postfix 2.2 and later.
-# The description below applies to Postfix 2.2.2 and
+# The description below applies to Postfix 2.2.2 and
# later.
#
# Notes:
#
-# o When replacing a message header line, the
-# replacement text must begin with a valid
+# o When replacing a message header line, the
+# replacement text must begin with a valid
# header label.
#
-# o The replaced text remains part of the input
-# stream. Unlike the result from the PREPEND
-# action, a replaced message header may be
-# subject to address rewriting and may affect
-# the way that Postfix adds missing message
+# o The replaced text remains part of the input
+# stream. Unlike the result from the PREPEND
+# action, a replaced message header may be
+# subject to address rewriting and may affect
+# the way that Postfix adds missing message
# headers.
#
# REJECT optional text...
-# Reject the entire message. Reply with optional
+# Reject the entire message. Reply with optional
# text... when the optional text is specified, other-
# wise reply with a generic error message.
#
-# Note: this action disables further header or
-# body_checks inspection of the current message and
+# Note: this action disables further header or
+# body_checks inspection of the current message and
# affects all recipients.
#
# Postfix version 2.3 and later support enhanced sta-
# enhanced status code of "5.7.1".
#
# WARN optional text...
-# Log a warning with the optional text... (or log a
-# generic message), and inspect the next input line.
+# Log a warning with the optional text... (or log a
+# generic message), and inspect the next input line.
# This action is useful for debugging and for testing
# a pattern before applying more drastic actions.
#
# BUGS
-# Many people overlook the main limitations of header and
+# Many people overlook the main limitations of header and
# body_checks rules.
#
-# o These rules operate on one logical message header
+# o These rules operate on one logical message header
# or one body line at a time. A decision made for one
# line is not carried over to the next line.
#
-# o If text in the message body is encoded (RFC 2045)
-# then the rules have to specified for the encoded
+# o If text in the message body is encoded (RFC 2045)
+# then the rules need to be specified for the encoded
# form.
#
-# o Likewise, when message headers are encoded (RFC
-# 2047) then the rules need to be specified for the
+# o Likewise, when message headers are encoded (RFC
+# 2047) then the rules need to be specified for the
# encoded form.
#
-# Message headers added by the cleanup(8) daemon itself are
+# Message headers added by the cleanup(8) daemon itself are
# excluded from inspection. Examples of such message headers
# are From:, To:, Message-ID:, Date:.
#
-# Message headers deleted by the cleanup(8) daemon will be
+# Message headers deleted by the cleanup(8) daemon will be
# examined before they are deleted. Examples are: Bcc:, Con-
# tent-Length:, Return-Path:.
#
# body_checks
# Lookup tables with content filter rules for message
# body lines. These filters see one physical line at
-# a time, in chunks of at most $line_length_limit
+# a time, in chunks of at most $line_length_limit
# bytes.
#
# body_checks_size_limit
-# The amount of content per message body segment
+# The amount of content per message body segment
# (attachment) that is subjected to $body_checks fil-
# tering.
#
#
# nested_header_checks (default: $header_checks)
# Lookup tables with content filter rules for message
-# header lines: respectively, these are applied to
-# the initial message headers (not including MIME
-# headers), to the MIME headers anywhere in the mes-
-# sage, and to the initial headers of attached mes-
+# header lines: respectively, these are applied to
+# the initial message headers (not including MIME
+# headers), to the MIME headers anywhere in the mes-
+# sage, and to the initial headers of attached mes-
# sages.
#
-# Note: these filters see one logical message header
-# at a time, even when a message header spans multi-
-# ple lines. Message headers that are longer than
+# Note: these filters see one logical message header
+# at a time, even when a message header spans multi-
+# ple lines. Message headers that are longer than
# $header_size_limit characters are truncated.
#
# disable_mime_input_processing
-# While receiving mail, give no special treatment to
-# MIME related message headers; all text after the
+# While receiving mail, give no special treatment to
+# MIME related message headers; all text after the
# initial message headers is considered to be part of
-# the message body. This means that header_checks is
-# applied to all the initial message headers, and
+# the message body. This means that header_checks is
+# applied to all the initial message headers, and
# that body_checks is applied to the remainder of the
# message.
#
-# Note: when used in this manner, body_checks will
-# process a multi-line message header one line at a
+# Note: when used in this manner, body_checks will
+# process a multi-line message header one line at a
# time.
#
# EXAMPLES
-# Header pattern to block attachments with bad file name
+# Header pattern to block attachments with bad file name
# extensions.
#
# /etc/postfix/main.cf:
# RFC 2047, message header encoding for non-ASCII text
#
# README FILES
-# Use "postconf readme_directory" or "postconf html_direc-
+# Use "postconf readme_directory" or "postconf html_direc-
# tory" to locate this information.
# DATABASE_README, Postfix lookup table overview
# CONTENT_INSPECTION_README, Postfix content inspection overview
# BACKSCATTER_README, blocking returned forged mail
#
# LICENSE
-# The Secure Mailer license must be distributed with this
+# The Secure Mailer license must be distributed with this
# software.
#
# AUTHOR(S)
<h2>Overview </h2>
This document describes features that require Postfix version 2.0
-or later.
+or later. The examples use Perl Compatible Regular Expressions
+(Postfix <a href="pcre_table.5.html">pcre</a>: tables), but also provide a translation to POSIX
+regular expressions (Postfix <a href="regexp_table.5.html">regexp</a>: tables). PCRE is preferred
+primarily because the implementation is often faster.</p>
<p> Topics covered in this document: </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
- <a href="postconf.5.html#header_checks">header_checks</a> = <a href="regexp_table.5.html">regexp</a>:/etc/postfix/header_checks
- <a href="postconf.5.html#body_checks">body_checks</a> = <a href="regexp_table.5.html">regexp</a>:/etc/postfix/body_checks
+ <a href="postconf.5.html#header_checks">header_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/header_checks
+ <a href="postconf.5.html#body_checks">body_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/body_checks
/etc/postfix/header_checks:
if /^Received:/
reject forged client name in Received: header: $1
/^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/
reject forged client name in Received: header: $2
- /^Received:.* +by +(porcupine\.org)[[:>:]]/
+ /^Received:.* +by +(porcupine\.org)\b/
reject forged mail server name in Received: header: $1
endif
/^Message-ID:.* <!&!/ DUNNO
reject forged client name in Received: header: $1
/^[> ]*Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/
reject forged client name in Received: header: $2
- /^[> ]*Received:.* +by +(porcupine\.org)[[:>:]]/
+ /^[> ]*Received:.* +by +(porcupine\.org)\b/
reject forged mail server name in Received: header: $1
endif
/^[> ]*Message-ID:.* <!&!/ DUNNO
<ul>
+<li> <p> The example uses <a href="pcre_table.5.html">pcre</a>: tables mainly for speed; with minor
+modifications, you can use <a href="regexp_table.5.html">regexp</a>: tables as explained below. </p>
+
<li> <p> The example is simplified for educational purposes. In
reality my patterns list multiple domain names, as
"<tt>(domain|domain|...)</tt>". </p>
and "<tt>)</tt>" literally. Without the "<tt>\</tt>", the "<tt>(</tt>"
and "<tt>)</tt>" would be grouping operators. </p>
-<li> <p> The "<tt>[[:>:]]</tt>" matches the end of a word. On
-some systems you should specify "<tt>\></tt>" instead. For details
-see your system documentation. </p>
+<li> <p> The "<tt>\b</tt>" is used here to match the end of a word.
+If you use <a href="regexp_table.5.html">regexp</a>: tables, specify "<tt>[[:>:]]</tt>" (on some
+systems you should specify "<tt>\></tt>" instead; for details
+see your system documentation).
<li> <p> The "if /pattern/" and "endif" eliminate unnecessary
matching attempts. DO NOT indent lines starting with /pattern/
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
- <a href="postconf.5.html#header_checks">header_checks</a> = <a href="regexp_table.5.html">regexp</a>:/etc/postfix/header_checks
- <a href="postconf.5.html#body_checks">body_checks</a> = <a href="regexp_table.5.html">regexp</a>:/etc/postfix/body_checks
+ <a href="postconf.5.html#header_checks">header_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/header_checks
+ <a href="postconf.5.html#body_checks">body_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/body_checks
/etc/postfix/header_checks:
- /^(From|Return-Path):.*[[:<:]](user@domain\.tld)[[:>:]]/
+ /^(From|Return-Path):.*\b(user@domain\.tld)\b/
reject forged sender address in $1: header: $2
/etc/postfix/body_checks:
- /^[> ]*(From|Return-Path):.*[[:<:]](user@domain\.tld)[[:>:]]/
+ /^[> ]*(From|Return-Path):.*\b(user@domain\.tld)\b/
reject forged sender address in $1: header: $2
</pre>
</blockquote>
<ul>
+<li> <p> The example uses <a href="pcre_table.5.html">pcre</a>: tables mainly for speed; with minor
+modifications, you can use <a href="regexp_table.5.html">regexp</a>: tables as explained below. </p>
+
<li> <p> The example is simplified for educational purposes. In
reality, my patterns list multiple email addresses as
"<tt>(user1@domain1\.tld|user2@domain2\.tld)</tt>". </p>
-<li> <p> The "<tt>[[:<:]]</tt>" and "<tt>[[:>:]]</tt>" match
-the beginning and end of a word, respectively. On some systems you
-should specify "<tt>\<</tt>" and "<tt>\></tt>" instead. For
-details see your system documentation. </p>
+<li> <p> The two "<tt>\b</tt>" as used in "<tt>\b(user@domain\.tld)\b</tt>"
+match the beginning and end of a word, respectively. If you use
+<a href="regexp_table.5.html">regexp</a>: tables, specify "<tt>[[:<:]]</tt> and <tt>[[:>:]]</tt>"
+(on some systems you should specify "<tt>\<</tt> and <tt>\></tt>"
+instead; for details see your system documentation). </p>
<li> <p> The "<tt>\.</tt>" matches "<tt>.</tt>" literally. Without
the "<tt>\</tt>", the "<tt>.</tt>" would match any character. </p>
</table>
-<li> <p> The <a href="bounce.8.html">bounce(8)</a>, <a href="defer.8.html">defer(8)</a> and <a href="trace.8.html">trace(8)</a> servers each maintain
-their own queue directory trees with per-message logfiles. This
-information is used to send delivery or non-delivery notifications
-to the sender. </p>
+<li> <p> The <a href="bounce.8.html">bounce(8)</a>, <a href="defer.8.html">defer(8)</a> and <a href="trace.8.html">trace(8)</a> services each maintain
+their own queue directory trees with per-message logfiles. Postfix
+uses this information when sending "failed", "delayed" or "success"
+delivery status notifications to the sender. </p>
-<p> The <a href="trace.8.html">trace(8)</a> service implements support for the Postfix "sendmail
+<p> The <a href="trace.8.html">trace(8)</a> service also implements support for the Postfix
+"sendmail
-bv" and "sendmail -v" commands which produce reports about how
Postfix delivers mail, and is available with Postfix version 2.1
and later. See <a href="DEBUG_README.html#trace_mail"> DEBUG_README
time, even when a message header spans multiple lines.
Body lines are always examined one line at a time.
+<b>COMPATIBILITY</b>
+ With Postfix version 2.2 and earlier specify "<b>postmap -fq</b>"
+ to query a table that contains case sensitive patterns. By
+ default, <a href="regexp_table.5.html">regexp</a>: and <a href="pcre_table.5.html">pcre</a>: patterns are case insensitive.
+
<b>TABLE FORMAT</b>
- This document assumes that header and <a href="postconf.5.html#body_checks">body_checks</a> rules
- are specified in the form of Postfix regular expression
- lookup tables. Usually the best performance is obtained
+ This document assumes that header and <a href="postconf.5.html#body_checks">body_checks</a> rules
+ are specified in the form of Postfix regular expression
+ lookup tables. Usually the best performance is obtained
with <b>pcre</b> (Perl Compatible Regular Expression) tables, but
- the slower <b>regexp</b> (POSIX regular expressions) support is
- more widely available. Use the command "<b>postconf -m</b>" to
- find out what lookup table types your Postfix system sup-
+ the slower <b>regexp</b> (POSIX regular expressions) support is
+ more widely available. Use the command "<b>postconf -m</b>" to
+ find out what lookup table types your Postfix system sup-
ports.
The general format of Postfix regular expression tables is
- given below. For a discussion of specific pattern or
- flags
syntax, see <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a> or <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a>,
+ given below. For a discussion of specific pattern or
+ flags
syntax, see <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a> or <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a>,
respectively.
<b>/</b><i>pattern</i><b>/</b><i>flags action</i>
- When <i>pattern</i> matches the input string, execute the
- corresponding <i>action</i>. See below for a list of pos-
+ When <i>pattern</i> matches the input string, execute the
+ corresponding <i>action</i>. See below for a list of pos-
sible actions.
<b>!/</b><i>pattern</i><b>/</b><i>flags action</i>
- When <i>pattern</i> does <b>not</b> match the input string, exe-
+ When <i>pattern</i> does <b>not</b> match the input string, exe-
cute the corresponding <i>action</i>.
<b>if /</b><i>pattern</i><b>/</b><i>flags</i>
<b>endif</b> Match the input string against the patterns between
- <b>if</b> and <b>endif</b>, if and only if the same input string
+ <b>if</b> and <b>endif</b>, if and only if the same input string
also matches <i>pattern</i>. The <b>if</b>..<b>endif</b> can nest.
- Note: do not prepend whitespace to patterns inside
+ Note: do not prepend whitespace to patterns inside
<b>if</b>..<b>endif</b>.
<b>if !/</b><i>pattern</i><b>/</b><i>flags</i>
<b>endif</b> Match the input string against the patterns between
- <b>if</b> and <b>endif</b>, if and only if the same input string
+ <b>if</b> and <b>endif</b>, if and only if the same input string
does <b>not</b> match <i>pattern</i>. The <b>if</b>..<b>endif</b> can nest.
blank lines and comments
- Empty lines and whitespace-only lines are ignored,
- as are lines whose first non-whitespace character
+ Empty lines and whitespace-only lines are ignored,
+ as are lines whose first non-whitespace character
is a `#'.
multi-line text
- A pattern/action line starts with non-whitespace
- text. A line that starts with whitespace continues
+ A pattern/action line starts with non-whitespace
+ text. A line that starts with whitespace continues
a logical line.
<b>TABLE SEARCH ORDER</b>
- For each line of message input, the patterns are applied
- in the order as specified in the table. When a pattern is
- found that matches the input line, the corresponding
- action is executed and then the next input line is
+ For each line of message input, the patterns are applied
+ in the order as specified in the table. When a pattern is
+ found that matches the input line, the corresponding
+ action is executed and then the next input line is
inspected.
<b>TEXT SUBSTITUTION</b>
- Substitution of substrings from the matched expression
- into the <i>action</i> string is possible using the conventional
- Perl syntax (<b>$1</b>, <b>$2</b>, etc.). The macros in the result
- string may need to be written as <b>${n}</b> or <b>$(n)</b> if they
+ Substitution of substrings from the matched expression
+ into the <i>action</i> string is possible using the conventional
+ Perl syntax (<b>$1</b>, <b>$2</b>, etc.). The macros in the result
+ string may need to be written as <b>${n}</b> or <b>$(n)</b> if they
aren't followed by whitespace.
- Note: since negated patterns (those preceded by <b>!</b>) return
+ Note: since negated patterns (those preceded by <b>!</b>) return
a result when the expression does not match, substitutions
are not available for negated patterns.
case for consistency with other Postfix documentation.
<b>DISCARD</b> <i>optional text...</i>
- Claim successful delivery and silently discard the
- message. Log the optional text if specified, oth-
+ Claim successful delivery and silently discard the
+ message. Log the optional text if specified, oth-
erwise log a generic message.
- Note: this action disables further header or
- <a href="postconf.5.html#body_checks">body_checks</a> inspection of the current message and
+ Note: this action disables further header or
+ <a href="postconf.5.html#body_checks">body_checks</a> inspection of the current message and
affects all recipients. To discard only one recip-
ient without discarding the entire message, use the
<a href="transport.5.html">transport(5)</a> table to direct mail to the <a href="discard.8.html">discard(8)</a>
This feature is available in Postfix 2.0 and later.
- <b>DUNNO</b> Pretend that the input line did not match any pat-
- tern, and inspect the next input line. This action
+ <b>DUNNO</b> Pretend that the input line did not match any pat-
+ tern, and inspect the next input line. This action
can be used to shorten the table search.
- For backwards compatibility reasons, Postfix also
- accepts <b>OK</b> but it is (and always has been) treated
+ For backwards compatibility reasons, Postfix also
+ accepts <b>OK</b> but it is (and always has been) treated
as <b>DUNNO</b>.
This feature is available in Postfix 2.1 and later.
<b>FILTER</b> <i>transport:destination</i>
- Write a content filter request to the queue file,
- and inspect the next input line. After the com-
- plete message is received it will be sent through
+ Write a content filter request to the queue file,
+ and inspect the next input line. After the com-
+ plete message is received it will be sent through
the specified external content filter. More infor-
- mation about external content filters is in the
+ mation about external content filters is in the
Postfix <a href="FILTER_README.html">FILTER_README</a> file.
Note: this action overrides the <b><a href="postconf.5.html#content_filter">content_filter</a></b> set-
ting, and affects all recipients of the message. In
- the case that multiple <b>FILTER</b> actions fire, only
+ the case that multiple <b>FILTER</b> actions fire, only
the last one is executed.
This feature is available in Postfix 2.0 and later.
<b>HOLD</b> <i>optional text...</i>
- Arrange for the message to be placed on the <b>hold</b>
- queue, and inspect the next input line. The mes-
- sage remains on <b>hold</b> until someone either deletes
- it or releases it for delivery. Log the optional
+ Arrange for the message to be placed on the <b>hold</b>
+ queue, and inspect the next input line. The mes-
+ sage remains on <b>hold</b> until someone either deletes
+ it or releases it for delivery. Log the optional
text if specified, otherwise log a generic message.
- Mail that is placed on hold can be examined with
- the <a href="postcat.1.html"><b>postcat</b>(1)</a> command, and can be destroyed or
+ Mail that is placed on hold can be examined with
+ the <a href="postcat.1.html"><b>postcat</b>(1)</a> command, and can be destroyed or
released with the <a href="postsuper.1.html"><b>postsuper</b>(1)</a> command.
- Note: use "<b>postsuper -r</b>" to release mail that was
- kept
on hold for a significant fraction of <b>$<a href="postconf.5.html#maximal_queue_lifetime">maxi</a>-</b>
+ Note: use "<b>postsuper -r</b>" to release mail that was
+ kept
on hold for a significant fraction of <b>$<a href="postconf.5.html#maximal_queue_lifetime">maxi</a>-</b>
<b><a href="postconf.5.html#maximal_queue_lifetime">mal_queue_lifetime</a></b> or <b>$<a href="postconf.5.html#bounce_queue_lifetime">bounce_queue_lifetime</a></b>, or
- longer. Use "<b>postsuper -H</b>" only for mail that will
+ longer. Use "<b>postsuper -H</b>" only for mail that will
not expire within a few delivery attempts.
- Note: this action affects all recipients of the
+ Note: this action affects all recipients of the
message.
This feature is available in Postfix 2.0 and later.
the next input line.
<b>PREPEND</b> <i>text...</i>
- Prepend one line with the specified text, and
+ Prepend one line with the specified text, and
inspect the next input line.
Notes:
- <b>o</b> The prepended text is output on a separate
+ <b>o</b> The prepended text is output on a separate
line, immediately before the input that
triggered the <b>PREPEND</b> action.
<b>o</b> The prepended text is not considered part of
- the input stream: it is not subject to
+ the input stream: it is not subject to
header/body checks or address rewriting, and
it does not affect the way that Postfix adds
missing message headers.
<b>o</b> When prepending text before a message header
- line, the prepended text must begin with a
+ line, the prepended text must begin with a
valid message header label.
<b>o</b> This action cannot be used to prepend multi-
This feature is available in Postfix 2.1 and later.
<b>REDIRECT</b> <i>user@domain</i>
- Write a message redirection request to the queue
- file, and inspect the next input line. After the
+ Write a message redirection request to the queue
+ file, and inspect the next input line. After the
message is queued, it will be sent to the specified
address instead of the intended recipient(s).
- Note: this action overrides the <b>FILTER</b> action, and
- affects all recipients of the message. If multiple
- <b>REDIRECT</b> actions fire, only the last one is exe-
+ Note: this action overrides the <b>FILTER</b> action, and
+ affects all recipients of the message. If multiple
+ <b>REDIRECT</b> actions fire, only the last one is exe-
cuted.
This feature is available in Postfix 2.1 and later.
<b>REPLACE</b> <i>text...</i>
- Replace the current line with the specified text,
+ Replace the current line with the specified text,
and inspect the next input line.
This feature is available in Postfix 2.2 and later.
- The description below applies to Postfix 2.2.2 and
+ The description below applies to Postfix 2.2.2 and
later.
Notes:
- <b>o</b> When replacing a message header line, the
- replacement text must begin with a valid
+ <b>o</b> When replacing a message header line, the
+ replacement text must begin with a valid
header label.
- <b>o</b> The replaced text remains part of the input
- stream. Unlike the result from the <b>PREPEND</b>
- action, a replaced message header may be
- subject to address rewriting and may affect
- the way that Postfix adds missing message
+ <b>o</b> The replaced text remains part of the input
+ stream. Unlike the result from the <b>PREPEND</b>
+ action, a replaced message header may be
+ subject to address rewriting and may affect
+ the way that Postfix adds missing message
headers.
<b>REJECT</b> <i>optional text...</i>
- Reject the entire message. Reply with <i>optional</i>
+ Reject the entire message. Reply with <i>optional</i>
<i>text...</i> when the optional text is specified, other-
wise reply with a generic error message.
- Note: this action disables further header or
- <a href="postconf.5.html#body_checks">body_checks</a> inspection of the current message and
+ Note: this action disables further header or
+ <a href="postconf.5.html#body_checks">body_checks</a> inspection of the current message and
affects all recipients.
Postfix version 2.3 and later support enhanced sta-
enhanced status code of "5.7.1".
<b>WARN</b> <i>optional text...</i>
- Log a warning with the <i>optional text...</i> (or log a
- generic message), and inspect the next input line.
+ Log a warning with the <i>optional text...</i> (or log a
+ generic message), and inspect the next input line.
This action is useful for debugging and for testing
a pattern before applying more drastic actions.
<b>BUGS</b>
- Many people overlook the main limitations of header and
+ Many people overlook the main limitations of header and
<a href="postconf.5.html#body_checks">body_checks</a> rules.
- <b>o</b> These rules operate on one logical message header
+ <b>o</b> These rules operate on one logical message header
or one body line at a time. A decision made for one
line is not carried over to the next line.
- <b>o</b> If text in the message body is encoded (<a href="http://www.faqs.org/rfcs/rfc2045.html">RFC 2045</a>)
- then the rules have to specified for the encoded
+ <b>o</b> If text in the message body is encoded (<a href="http://www.faqs.org/rfcs/rfc2045.html">RFC 2045</a>)
+ then the rules need to be specified for the encoded
form.
- <b>o</b> Likewise,
when message headers are encoded (<a href="http://www.faqs.org/rfcs/rfc2047.html">RFC</a>
- <a href="http://www.faqs.org/rfcs/rfc2047.html">2047</a>) then the rules need to be specified for the
+ <b>o</b> Likewise,
when message headers are encoded (<a href="http://www.faqs.org/rfcs/rfc2047.html">RFC</a>
+ <a href="http://www.faqs.org/rfcs/rfc2047.html">2047</a>) then the rules need to be specified for the
encoded form.
- Message headers added by the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon itself are
+ Message headers added by the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon itself are
excluded from inspection. Examples of such message headers
are <b>From:</b>, <b>To:</b>, <b>Message-ID:</b>, <b>Date:</b>.
- Message headers deleted by the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon will be
+ Message headers deleted by the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon will be
examined before they are deleted. Examples are: <b>Bcc:, Con-</b>
<b>tent-Length:</b>, <b>Return-Path:</b>.
<b><a href="postconf.5.html#body_checks">body_checks</a></b>
Lookup tables with content filter rules for message
body lines. These filters see one physical line at
- a
time, in chunks of at most <b>$<a href="postconf.5.html#line_length_limit">line_length_limit</a></b>
+ a
time, in chunks of at most <b>$<a href="postconf.5.html#line_length_limit">line_length_limit</a></b>
bytes.
<b><a href="postconf.5.html#body_checks_size_limit">body_checks_size_limit</a></b>
- The amount of content per message body segment
+ The amount of content per message body segment
(attachment) that is subjected to <b>$<a href="postconf.5.html#body_checks">body_checks</a></b> fil-
tering.
<b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b> (default: <b>$<a href="postconf.5.html#header_checks">header_checks</a></b>)
Lookup tables with content filter rules for message
- header lines: respectively, these are applied to
- the initial message headers (not including MIME
- headers), to the MIME headers anywhere in the mes-
- sage, and to the initial headers of attached mes-
+ header lines: respectively, these are applied to
+ the initial message headers (not including MIME
+ headers), to the MIME headers anywhere in the mes-
+ sage, and to the initial headers of attached mes-
sages.
- Note: these filters see one logical message header
- at a time, even when a message header spans multi-
- ple lines. Message headers that are longer than
+ Note: these filters see one logical message header
+ at a time, even when a message header spans multi-
+ ple lines. Message headers that are longer than
<b>$<a href="postconf.5.html#header_size_limit">header_size_limit</a></b> characters are truncated.
<b><a href="postconf.5.html#disable_mime_input_processing">disable_mime_input_processing</a></b>
- While receiving mail, give no special treatment to
- MIME related message headers; all text after the
+ While receiving mail, give no special treatment to
+ MIME related message headers; all text after the
initial message headers is considered to be part of
- the message body. This means that <b><a href="postconf.5.html#header_checks">header_checks</a></b> is
- applied to all the initial message headers, and
+ the message body. This means that <b><a href="postconf.5.html#header_checks">header_checks</a></b> is
+ applied to all the initial message headers, and
that <b><a href="postconf.5.html#body_checks">body_checks</a></b> is applied to the remainder of the
message.
- Note: when used in this manner, <b><a href="postconf.5.html#body_checks">body_checks</a></b> will
- process a multi-line message header one line at a
+ Note: when used in this manner, <b><a href="postconf.5.html#body_checks">body_checks</a></b> will
+ process a multi-line message header one line at a
time.
<b>EXAMPLES</b>
- Header pattern to block attachments with bad file name
+ Header pattern to block attachments with bad file name
extensions.
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="BACKSCATTER_README.html">BACKSCATTER_README</a>, blocking returned forged mail
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
.SH "SYNOPSIS"
.na
.nf
+.nf
\fBheader_checks = pcre:/etc/postfix/header_checks\fR
-.br
\fBmime_header_checks = pcre:/etc/postfix/mime_header_checks\fR
-.br
\fBnested_header_checks = pcre:/etc/postfix/nested_header_checks\fR
-.br
\fBbody_checks = pcre:/etc/postfix/body_checks\fR
.sp
\fBpostmap -q "\fIstring\fB" pcre:/etc/postfix/\fIfilename\fR
-.br
\fBpostmap -q - pcre:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
+.fi
.SH DESCRIPTION
.ad
.fi
Note: message headers are examined one logical header at a time,
even when a message header spans multiple lines. Body lines are
always examined one line at a time.
+.SH "COMPATIBILITY"
+.na
+.nf
+.ad
+.fi
+With Postfix version 2.2 and earlier specify "\fBpostmap
+-fq\fR" to query a table that contains case sensitive
+patterns. By default, regexp: and pcre: patterns are case
+insensitive.
.SH "TABLE FORMAT"
.na
.nf
to the next line.
.IP \(bu
If text in the message body is encoded
-(RFC 2045) then the rules have to specified for the encoded
+(RFC 2045) then the rules need to be specified for the encoded
form.
.IP \(bu
Likewise, when message headers are encoded (RFC
<h2>Overview </h2>
This document describes features that require Postfix version 2.0
-or later.
+or later. The examples use Perl Compatible Regular Expressions
+(Postfix pcre: tables), but also provide a translation to POSIX
+regular expressions (Postfix regexp: tables). PCRE is preferred
+primarily because the implementation is often faster.</p>
<p> Topics covered in this document: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
- header_checks = regexp:/etc/postfix/header_checks
- body_checks = regexp:/etc/postfix/body_checks
+ header_checks = pcre:/etc/postfix/header_checks
+ body_checks = pcre:/etc/postfix/body_checks
/etc/postfix/header_checks:
if /^Received:/
reject forged client name in Received: header: $1
/^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/
reject forged client name in Received: header: $2
- /^Received:.* +by +(porcupine\.org)[[:>:]]/
+ /^Received:.* +by +(porcupine\.org)\b/
reject forged mail server name in Received: header: $1
endif
/^Message-ID:.* <!&!/ DUNNO
reject forged client name in Received: header: $1
/^[> ]*Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/
reject forged client name in Received: header: $2
- /^[> ]*Received:.* +by +(porcupine\.org)[[:>:]]/
+ /^[> ]*Received:.* +by +(porcupine\.org)\b/
reject forged mail server name in Received: header: $1
endif
/^[> ]*Message-ID:.* <!&!/ DUNNO
<ul>
+<li> <p> The example uses pcre: tables mainly for speed; with minor
+modifications, you can use regexp: tables as explained below. </p>
+
<li> <p> The example is simplified for educational purposes. In
reality my patterns list multiple domain names, as
"<tt>(domain|domain|...)</tt>". </p>
and "<tt>)</tt>" literally. Without the "<tt>\</tt>", the "<tt>(</tt>"
and "<tt>)</tt>" would be grouping operators. </p>
-<li> <p> The "<tt>[[:>:]]</tt>" matches the end of a word. On
-some systems you should specify "<tt>\></tt>" instead. For details
-see your system documentation. </p>
+<li> <p> The "<tt>\b</tt>" is used here to match the end of a word.
+If you use regexp: tables, specify "<tt>[[:>:]]</tt>" (on some
+systems you should specify "<tt>\></tt>" instead; for details
+see your system documentation).
<li> <p> The "if /pattern/" and "endif" eliminate unnecessary
matching attempts. DO NOT indent lines starting with /pattern/
<blockquote>
<pre>
/etc/postfix/main.cf:
- header_checks = regexp:/etc/postfix/header_checks
- body_checks = regexp:/etc/postfix/body_checks
+ header_checks = pcre:/etc/postfix/header_checks
+ body_checks = pcre:/etc/postfix/body_checks
/etc/postfix/header_checks:
- /^(From|Return-Path):.*[[:<:]](user@domain\.tld)[[:>:]]/
+ /^(From|Return-Path):.*\b(user@domain\.tld)\b/
reject forged sender address in $1: header: $2
/etc/postfix/body_checks:
- /^[> ]*(From|Return-Path):.*[[:<:]](user@domain\.tld)[[:>:]]/
+ /^[> ]*(From|Return-Path):.*\b(user@domain\.tld)\b/
reject forged sender address in $1: header: $2
</pre>
</blockquote>
<ul>
+<li> <p> The example uses pcre: tables mainly for speed; with minor
+modifications, you can use regexp: tables as explained below. </p>
+
<li> <p> The example is simplified for educational purposes. In
reality, my patterns list multiple email addresses as
"<tt>(user1@domain1\.tld|user2@domain2\.tld)</tt>". </p>
-<li> <p> The "<tt>[[:<:]]</tt>" and "<tt>[[:>:]]</tt>" match
-the beginning and end of a word, respectively. On some systems you
-should specify "<tt>\<</tt>" and "<tt>\></tt>" instead. For
-details see your system documentation. </p>
+<li> <p> The two "<tt>\b</tt>" as used in "<tt>\b(user@domain\.tld)\b</tt>"
+match the beginning and end of a word, respectively. If you use
+regexp: tables, specify "<tt>[[:<:]]</tt> and <tt>[[:>:]]</tt>"
+(on some systems you should specify "<tt>\<</tt> and <tt>\></tt>"
+instead; for details see your system documentation). </p>
<li> <p> The "<tt>\.</tt>" matches "<tt>.</tt>" literally. Without
the "<tt>\</tt>", the "<tt>.</tt>" would match any character. </p>
</table>
-<li> <p> The bounce(8), defer(8) and trace(8) servers each maintain
-their own queue directory trees with per-message logfiles. This
-information is used to send delivery or non-delivery notifications
-to the sender. </p>
+<li> <p> The bounce(8), defer(8) and trace(8) services each maintain
+their own queue directory trees with per-message logfiles. Postfix
+uses this information when sending "failed", "delayed" or "success"
+delivery status notifications to the sender. </p>
-<p> The trace(8) service implements support for the Postfix "sendmail
+<p> The trace(8) service also implements support for the Postfix
+"sendmail
-bv" and "sendmail -v" commands which produce reports about how
Postfix delivers mail, and is available with Postfix version 2.1
and later. See <a href="DEBUG_README.html#trace_mail"> DEBUG_README
# SUMMARY
# Postfix built-in content inspection
# SYNOPSIS
+# .nf
# \fBheader_checks = pcre:/etc/postfix/header_checks\fR
-# .br
# \fBmime_header_checks = pcre:/etc/postfix/mime_header_checks\fR
-# .br
# \fBnested_header_checks = pcre:/etc/postfix/nested_header_checks\fR
-# .br
# \fBbody_checks = pcre:/etc/postfix/body_checks\fR
# .sp
# \fBpostmap -q "\fIstring\fB" pcre:/etc/postfix/\fIfilename\fR
-# .br
# \fBpostmap -q - pcre:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
+# .fi
# DESCRIPTION
# This document describes access control on the content of
# message headers and message body lines; it is implemented
# Note: message headers are examined one logical header at a time,
# even when a message header spans multiple lines. Body lines are
# always examined one line at a time.
+# COMPATIBILITY
+# .ad
+# .fi
+# With Postfix version 2.2 and earlier specify "\fBpostmap
+# -fq\fR" to query a table that contains case sensitive
+# patterns. By default, regexp: and pcre: patterns are case
+# insensitive.
# TABLE FORMAT
# .ad
# .fi
# to the next line.
# .IP \(bu
# If text in the message body is encoded
-# (RFC 2045) then the rules have to specified for the encoded
+# (RFC 2045) then the rules need to be specified for the encoded
# form.
# .IP \(bu
# Likewise, when message headers are encoded (RFC
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20070327"
-#define MAIL_VERSION_NUMBER "2.4.0-RC10"
+#define MAIL_RELEASE_DATE "20070328"
+#define MAIL_VERSION_NUMBER "2.4.0"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
projects / thirdparty / postfix.git / commitdiff
