ACCESS(5) ACCESS(5)
NAME
access - format of Postfix access table
SYNOPSIS
postmap /usr/local/etc/postfix/access
postmap -q "string" /usr/local/etc/postfix/access
postmap -q - /usr/local/etc/postfix/access <inputfile
DESCRIPTION
The optional access table directs the Postfix SMTP server
to selectively reject or accept mail. Access can be
allowed or denied for specific host names, domain names,
networks, host network addresses or mail addresses.
Normally, the access table is specified as a text file
that serves as input to the postmap(1) command. The
result, an indexed file in dbm or db format, is used for
fast searching by the mail system. Execute the command
postmap /usr/local/etc/postfix/access in order to rebuild the
indexed file after changing the access table.
When the table is provided via other means such as NIS,
LDAP or SQL, the same lookups are done as for ordinary
indexed files.
Alternatively, the table can be provided as a regular-
expression map where patterns are given as regular expres-
sions, or lookups can be directed to TCP-based server. In
that case, the lookups are done in a slightly different
way as described below under "REGULAR EXPRESSION TABLES"
and "TCP-BASED TABLES".
TABLE FORMAT
The input format for the postmap(1) command is as follows:
pattern action
When pattern matches a mail address, domain or host
address, perform the corresponding action.
blank lines and comments
Empty lines and whitespace-only lines are ignored,
as are lines whose first non-whitespace character
is a `#'.
multi-line text
A logical line starts with non-whitespace text. A
line that starts with whitespace continues a logi-
cal line.
EMAIL ADDRESS PATTERNS
With lookups from indexed files such as DB or DBM, or from
networked tables such as NIS, LDAP or SQL, patterns are
tried in the order as listed below:
user@domain
Matches the specified mail address.
domain.tld
Matches domain.tld as the domain part of an email
address.
The pattern domain.tld also matches subdomains, but
only when the string smtpd_access_maps is listed in
the Postfix parent_domain_matches_subdomains con-
figuration setting (note that this is the default
for some versions of Postfix). Otherwise, specify
.domain.tld (note the initial dot) in order to
match subdomains.
user@ Matches all mail addresses with the specified user
part.
Note: lookup of the null sender address is not possible
with some types of lookup table. By default, Postfix uses
<> as the lookup key for such addresses. The value is
specified with the smtpd_null_access_lookup_key parameter
in the Postfix main.cf file.
EMAIL ADDRESS EXTENSION
When a mail address localpart contains the optional recip-
ient delimiter (e.g., user+foo@domain), the lookup order
becomes: user+foo@domain, user@domain, domain, user+foo@,
and user@.
HOST NAME/ADDRESS PATTERNS
With lookups from indexed files such as DB or DBM, or from
networked tables such as NIS, LDAP or SQL, the following
lookup patterns are examined in the order as listed:
domain.tld
Matches domain.tld.
The pattern domain.tld also matches subdomains, but
only when the string smtpd_access_maps is listed in
the Postfix parent_domain_matches_subdomains con-
figuration setting. Otherwise, specify .domain.tld
(note the initial dot) in order to match subdo-
mains.
net.work.addr.ess
net.work.addr
net.work
net Matches any host address in the specified network.
A network address is a sequence of one or more
octets separated by ".".
NOTE: use the cidr lookup table type to specify
network/netmask patterns. See cidr_table(5) for
details.
ACTIONS
[45]NN text
Reject the address etc. that matches the pattern,
and respond with the numerical code and text.
REJECT optional text...
Reject the address etc. that matches the pattern.
Reply with $reject_code optional text... when the
optional text is specified, otherwise reply with a
generic error response message.
DEFER_IF_REJECT optional text...
Defer the request if some later restriction would
result in a REJECT action. Reply with "450 optional
text... when the optional text is specified, other-
wise reply with a generic error response message.
DEFER_IF_PERMIT optional text...
Defer the request if some later restriction would
result in a an explicit or implicit PERMIT action.
Reply with "450 optional text... when the optional
text is specified, otherwise reply with a generic
error response message.
OK Accept the address etc. that matches the pattern.
all-numerical
An all-numerical result is treated as OK. This for-
mat is generated by address-based relay authoriza-
tion schemes.
DUNNO Pretend that the lookup key was not found. This
prevents Postfix from trying substrings of the
lookup key (such as a subdomain name, or a network
address subnetwork).
PREPEND headername: headervalue
Prepend the specified message header to the mes-
sage. When this action is used multiple times, the
first prepended header appears before the second
etc. prepended header.
Note: this action does not support multi-line mes-
sage headers.
HOLD optional text...
Place the message on the hold queue, where it will
sit until someone either deletes it or releases it
for delivery. Log the optional text if specified,
otherwise log a generic message.
Mail that is placed on hold can be examined with
the postcat(1) command, and can be destroyed or
released with the postsuper(1) command.
Note: this action currently affects all recipients
of the message.
DISCARD optional text...
Claim successful delivery and silently discard the
message. Log the optional text if specified, oth-
erwise log a generic message.
Note: this action currently affects all recipients
of the message.
FILTER transport:destination
After the message is queued, send the entire mes-
sage through the specified external content filter.
More information about external content filters is
in the Postfix FILTER_README file.
Note: this action overrides the main.cf con-
tent_filter setting, and currently affects all
recipients of the message.
REDIRECT user@domain
After the message is queued, send the message to
the specified address instead of the intended
recipient(s).
Note: this action overrides the FILTER action, and
currently affects all recipients of the message.
restriction...
Apply the named UCE restriction(s) (permit, reject,
reject_unauth_destination, and so on).
REGULAR EXPRESSION TABLES
This section describes how the table lookups change when
the table is given in the form of regular expressions. For
a description of regular expression lookup table syntax,
see regexp_table(5) or pcre_table(5).
Each pattern is a regular expression that is applied to
the entire string being looked up. Depending on the appli-
cation, that string is an entire client hostname, an
entire client IP address, or an entire mail address. Thus,
no parent domain or parent network search is done,
user@domain mail addresses are not broken up into their
user@ and domain constituent parts, nor is user+foo broken
up into user and foo.
Patterns are applied in the order as specified in the
table, until a pattern is found that matches the search
string.
Actions are the same as with indexed file lookups, with
the additional feature that parenthesized substrings from
the pattern can be interpolated as $1, $2 and so on.
TCP-BASED TABLES
This section describes how the table lookups change when
lookups are directed to a TCP-based server. For a descrip-
tion of the TCP client/server lookup protocol, see
tcp_table(5).
Each lookup operation uses the entire query string once.
Depending on the application, that string is an entire
client hostname, an entire client IP address, or an entire
mail address. Thus, no parent domain or parent network
search is done, user@domain mail addresses are not broken
up into their user@ and domain constituent parts, nor is
user+foo broken up into user and foo.
Actions are the same as with indexed file lookups.
BUGS
The table format does not understand quoting conventions.
SEE ALSO
postmap(1) create lookup table
smtpd(8) smtp server
cidr_table(5) format of CIDR tables
pcre_table(5) format of PCRE tables
regexp_table(5) format of POSIX regular expression tables
tcp_table(5) TCP client/server table lookup protocol
LICENSE
The Secure Mailer license must be distributed with this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
ACCESS(5)