#++
# NAME
#       access 5
# SUMMARY
#       Postfix SMTP server access table
# SYNOPSIS
#       \fBpostmap /etc/postfix/access\fR
#
#       \fBpostmap -q "\fIstring\fB" /etc/postfix/access\fR
#
#       \fBpostmap -q - /etc/postfix/access <\fIinputfile\fR
# DESCRIPTION
#       This document describes access control on remote SMTP client
#       information: host names, network addresses, and envelope
#       sender or recipient addresses; it is implemented by the
#       Postfix SMTP server.  See \fBheader_checks\fR(5) or
#       \fBbody_checks\fR(5) for access control on the content of
#       email messages.
#
#       Normally, the \fBaccess\fR(5) table is specified as a text file
#       that serves as input to the \fBpostmap\fR(1) command.
#       The result, an indexed file in \fBdbm\fR or \fBdb\fR format,
#       is used for fast searching by the mail system. Execute the
#       command "\fBpostmap /etc/postfix/access\fR" to rebuild an
#       indexed file after changing the corresponding text file.
#
#       When the table is provided via other means such as NIS, LDAP
#       or SQL, the same lookups are done as for ordinary indexed files.
#
#       Alternatively, the table can be provided as a regular-expression
#       map where patterns are given as regular expressions, or lookups
#       can be directed to a TCP-based server. In those cases, the lookups
#       are done in a slightly different way as described below under
#       "REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
# CASE FOLDING
# .ad
# .fi
#       The search string is folded to lowercase before database
#       lookup. As of Postfix 2.3, the search string is not case
#       folded with database types such as regexp: or pcre: whose
#       lookup fields can match both upper and lower case.
# TABLE FORMAT
# .ad
# .fi
#       The input format for the \fBpostmap\fR(1) command is as follows:
# .IP "\fIpattern action\fR"
#       When \fIpattern\fR matches a mail address, domain or host address,
#       perform the corresponding \fIaction\fR.
# .IP "blank lines and comments"
#       Empty lines and whitespace-only lines are ignored, as
#       are lines whose first non-whitespace character is a `#'.
# .IP "multi-line text"
#       A logical line starts with non-whitespace text. A line that
#       starts with whitespace continues a logical line.
# EMAIL ADDRESS PATTERNS IN INDEXED TABLES
# .ad
# .fi
#       With lookups from indexed files such as DB or DBM, or from networked
#       tables such as NIS, LDAP or SQL, patterns are tried in the order as
#       listed below:
# .IP \fIuser\fR@\fIdomain\fR
#       Matches the specified mail address.
# .IP \fIdomain.tld\fR
#       Matches \fIdomain.tld\fR as the domain part of an email address.
# .sp
#       The pattern \fIdomain.tld\fR also matches subdomains, but only
#       when the string \fBsmtpd_access_maps\fR is listed in the Postfix
#       \fBparent_domain_matches_subdomains\fR configuration setting.
# .IP \fI.domain.tld\fR
#       Matches subdomains of \fIdomain.tld\fR, but only when the
#       string \fBsmtpd_access_maps\fR is not listed in the Postfix
#       \fBparent_domain_matches_subdomains\fR configuration setting.
# .IP \fIuser\fR@
#       Matches all mail addresses with the specified user part.
# .PP
#       Note: lookup of the null sender address is not possible with
#       some types of lookup table. By default, Postfix uses \fB<>\fR
#       as the lookup key for such addresses. The value is specified with
#       the \fBsmtpd_null_access_lookup_key\fR parameter in the Postfix
#       \fBmain.cf\fR file.
# EMAIL ADDRESS EXTENSION
# .fi
# .ad
#       When a mail address localpart contains the optional recipient delimiter
#       (e.g., \fIuser+foo\fR@\fIdomain\fR), the lookup order becomes:
#       \fIuser+foo\fR@\fIdomain\fR, \fIuser\fR@\fIdomain\fR, \fIdomain\fR,
#       \fIuser+foo\fR@, and \fIuser\fR@.
# HOST NAME/ADDRESS PATTERNS IN INDEXED TABLES
# .ad
# .fi
#       With lookups from indexed files such as DB or DBM, or from networked
#       tables such as NIS, LDAP or SQL, the following lookup patterns are
#       examined in the order as listed:
# .IP \fIdomain.tld\fR
#       Matches \fIdomain.tld\fR.
# .sp
#       The pattern \fIdomain.tld\fR also matches subdomains, but only
#       when the string \fBsmtpd_access_maps\fR is listed in the Postfix
#       \fBparent_domain_matches_subdomains\fR configuration setting.
# .IP \fI.domain.tld\fR
#       Matches subdomains of \fIdomain.tld\fR, but only when the
#       string \fBsmtpd_access_maps\fR is not listed in the Postfix
#       \fBparent_domain_matches_subdomains\fR configuration setting.
# .IP \fInet.work.addr.ess\fR
# .IP \fInet.work.addr\fR
# .IP \fInet.work\fR
# .IP \fInet\fR
#       Matches a remote IPv4 host address or network address range.
#       Specify one to four decimal octets separated by ".". Do not
#       specify "[]" , "/", leading zeros, or hexadecimal forms.
#
#       Network ranges are matched by repeatedly truncating the last
#       ".octet" from a remote IPv4 host address string, until a
#       match is found in the access table, or until further
#       truncation is not possible.
#
#       NOTE: use the \fBcidr\fR lookup table type to specify
#       network/netmask patterns. See \fBcidr_table\fR(5) for details.
# .IP \fInet:work:addr:ess\fR
# .IP \fInet:work:addr\fR
# .IP \fInet:work\fR
# .IP \fInet\fR
#       Matches a remote IPv6 host address or network address range.
#       Specify three to eight hexadecimal octet pairs separated
#       by ":", using the compressed form "::" for a sequence of
#       zero-valued octet pairs. Do not specify "[]", "/", leading
#       zeros, or non-compressed forms.
#
#       A network range is matched by repeatedly truncating the
#       last ":octetpair" from the compressed-form remote IPv6 host
#       address string, until a match is found in the access table,
#       or until further truncation is not possible.
#
#       NOTE: use the \fBcidr\fR lookup table type to specify
#       network/netmask patterns. See \fBcidr_table\fR(5) for details.
#
#       IPv6 support is available in Postfix 2.2 and later.
# ACCEPT ACTIONS
# .ad
# .fi
# .IP \fBOK\fR
#       Accept the address etc. that matches the pattern.
# .IP \fIall-numerical\fR
#       An all-numerical result is treated as OK. This format is
#       generated by address-based relay authorization schemes
#       such as pop-before-smtp.
# .PP
#       For other accept actions, see "OTHER ACTIONS" below.
# REJECT ACTIONS
# .ad
# .fi
#       Postfix version 2.3 and later support enhanced status codes
#       as defined in RFC 3463.
#       When no code is specified at the beginning of the \fItext\fR
#       below, Postfix inserts a default enhanced status code of "5.7.1"
#       in the case of reject actions, and "4.7.1" in the case of
#       defer actions. See "ENHANCED STATUS CODES" below.
# .IP "\fB4\fINN text\fR"
# .IP "\fB5\fINN text\fR"
#       Reject the address etc. that matches the pattern, and respond with
#       the numerical three-digit code and text. \fB4\fINN\fR means "try
#       again later", while \fB5\fINN\fR means "do not try again".
#
#       The following responses have special meaning for the Postfix
#       SMTP server:
# .RS
# .IP "\fB421 \fItext\fR (Postfix 2.3 and later)"
# .IP "\fB521 \fItext\fR (Postfix 2.6 and later)"
#       After responding with the numerical three-digit code and
#       text, disconnect immediately from the SMTP client.  This
#       frees up SMTP server resources so that they can be made
#       available to another SMTP client.
# .IP
#       Note: The "521" response should be used only with botnets
#       and other malware where interoperability is of no concern.
#       The "send 521 and disconnect" behavior is NOT defined in
#       the SMTP standard.
# .RE
# .IP "\fBREJECT \fIoptional text...\fR
#       Reject the address etc. that matches the pattern. Reply with
#       "\fB$access_map_reject_code \fIoptional text...\fR" when the
#       optional text is
#       specified, otherwise reply with a generic error response message.
# .IP "\fBDEFER \fIoptional text...\fR
#       Reject the address etc. that matches the pattern. Reply with
#       "\fB$access_map_defer_code \fIoptional text...\fR" when the
#       optional text is
#       specified, otherwise reply with a generic error response message.
# .sp
#       This feature is available in Postfix 2.6 and later.
# .IP "\fBDEFER_IF_REJECT \fIoptional text...\fR
#       Defer the request if some later restriction would result in a
#       REJECT action. Reply with "\fB$access_map_defer_code 4.7.1
#       \fIoptional text...\fR" when the
#       optional text is specified, otherwise reply with a generic error
#       response message.
# .sp
#       Prior to Postfix 2.6, the SMTP reply code is 450.
# .sp
#       This feature is available in Postfix 2.1 and later.
# .IP "\fBDEFER_IF_PERMIT \fIoptional text...\fR
#       Defer the request if some later restriction would result in
#       an explicit or implicit PERMIT action.
#       Reply with "\fB$access_map_defer_code 4.7.1 \fI optional
#       text...\fR" when the
#       optional text is specified, otherwise reply with a generic error
#       response message.
# .sp
#       Prior to Postfix 2.6, the SMTP reply code is 450.
# .sp
#       This feature is available in Postfix 2.1 and later.
# .PP
#       For other reject actions, see "OTHER ACTIONS" below.
# OTHER ACTIONS
# .ad
# .fi
# .IP \fIrestriction...\fR
#       Apply the named UCE restriction(s) (\fBpermit\fR, \fBreject\fR,
#       \fBreject_unauth_destination\fR, and so on).
# .IP "\fBBCC \fIuser@domain\fR"
#       Send one copy of the message to the specified recipient.
# .sp
#       If multiple BCC actions are specified within the same SMTP
#       MAIL transaction, with Postfix 3.0 only the last action
#       will be used.
# .sp
#       This feature is available in Postfix 3.0 and later.
# \" .IP "\fBDELAY \fItime\fR"
# \"    Place the message into the deferred queue, and delay the
# \"    initial delivery attempt by \fItime\fR. The time value may
# \"    be followed by a one-character suffix that specifies the
# \"    time unit: s (seconds), m (minutes), h (hours), d (days),
# \"    w (weeks).  The default time unit is s (seconds).
# \" .sp
# \"    Limitations:
# \" .RS
# \" .IP \(bu
# \"    This action affects all the recipients of the message.
# \" .IP \(bu
# \"    The delay value has no effect with remote file systems that
# \"    don't correctly emulate UNIX local file system semantics.
# \"    In that case, the delay will be half of $queue_run_delay
# \"    on average.
# \" .IP \(bu
# \"    Mail will still be delivered with "sendmail -q", "postfix
# \"    flush" or "postqueue -f".
# \" .IP \(bu
# \"    Delayed mail increases the amount of disk I/O during deferred
# \"    queue scans. When large amounts of mail are queued for
# \"    delayed delivery it may be preferable to use the HOLD feature
# \"    instead.
# \" .RE
# \" .IP
# \"    This feature is available in Postfix 2.3 and later.
# .IP "\fBDISCARD \fIoptional text...\fR
#       Claim successful delivery and silently discard the message.
#       Log the optional text if specified, otherwise log a generic
#       message.
# .sp
#       Note: this action currently affects all recipients of the message.
#       To discard only one recipient without discarding the entire message,
#       use the transport(5) table to direct mail to the discard(8) service.
# .sp
#       This feature is available in Postfix 2.0 and later.
# .IP \fBDUNNO\fR
#       Pretend that the lookup key was not found. This
#       prevents Postfix from trying substrings of the lookup key
#       (such as a subdomain name, or a network address subnetwork).
# .sp
#       This feature is available in Postfix 2.0 and later.
# .IP "\fBFILTER \fItransport:destination\fR"
#       After the message is queued, send the entire message through
#       the specified external content filter. The \fItransport\fR
#       name specifies the first field of a mail delivery agent
#       definition in master.cf; the syntax of the next-hop
#       \fIdestination\fR is described in the manual page of the
#       corresponding delivery agent.  More information about
#       external content filters is in the Postfix FILTER_README
#       file.
# .sp
#       Note 1: do not use $\fInumber\fR regular expression
#       substitutions for \fItransport\fR or \fIdestination\fR
#       unless you know that the information has a trusted origin.
# .sp
#       Note 2: this action overrides the main.cf \fBcontent_filter\fR
#       setting, and affects all recipients of the message. In the
#       case that multiple \fBFILTER\fR actions fire, only the last
#       one is executed.
# .sp
#       Note 3: the purpose of the FILTER command is to override
#       message routing.  To override the recipient's \fItransport\fR
#       but not the next-hop \fIdestination\fR, specify an empty
#       filter \fIdestination\fR (Postfix 2.7 and later), or specify
#       a \fItransport:destination\fR that delivers through a
#       different Postfix instance (Postfix 2.6 and earlier). Other
#       options are using the recipient-dependent \fBtrans\%port\%_maps\fR
#       or the sen\%der-dependent
#       \fBsender\%_de\%pen\%dent\%_de\%fault\%_trans\%port\%_maps\fR
#       features.
# .sp
#       This feature is available in Postfix 2.0 and later.
# .IP "\fBHOLD \fIoptional text...\fR"
#       Place the message on the \fBhold\fR queue, where it will
#       sit until someone either deletes it or releases it for
#       delivery.
#       Log the optional text if specified, otherwise log a generic
#       message.
#
#       Mail that is placed on hold can be examined with the
#       \fBpostcat\fR(1) command, and can be destroyed or released with
#       the \fBpostsuper\fR(1) command.
# .sp
#       Note: use "\fBpostsuper -r\fR" to release mail that was kept on
#       hold for a significant fraction of \fB$maximal_queue_lifetime\fR
#       or \fB$bounce_queue_lifetime\fR, or longer. Use "\fBpostsuper -H\fR"
#       only for mail that will not expire within a few delivery attempts.
# .sp
#       Note: this action currently affects all recipients of the message.
# .sp
#       This feature is available in Postfix 2.0 and later.
# .IP "\fBPREPEND \fIheadername: headervalue\fR"
#       Prepend the specified message header to the message.
#       When more than one PREPEND action executes, the first
#       prepended header appears before the second etc. prepended
#       header.
# .sp
#       Note: this action must execute before the message content
#       is received; it cannot execute in the context of
#       \fBsmtpd_end_of_data_restrictions\fR.
# .sp
#       This feature is available in Postfix 2.1 and later.
# .IP "\fBREDIRECT \fIuser@domain\fR"
#       After the message is queued, send the message to the specified
#       address instead of the intended recipient(s).  When multiple
#       \fBREDIRECT\fR actions fire, only the last one takes effect.
# .sp
#       Note 1: this action overrides the FILTER action, and currently
#       overrides all recipients of the message.
# .sp
#       Note 2: a REDIRECT address is subject to canonicalization
#       (add missing domain) but NOT subject to canonical, masquerade,
#       bcc, or virtual alias mapping.
# .sp
#       This feature is available in Postfix 2.1 and later.
# .IP "\fBINFO \fIoptional text...\fR
#       Log an informational record with the optional text, together
#       with client information and if available, with helo, sender,
#       recipient and protocol information.
# .sp
#       This feature is available in Postfix 3.0 and later.
# .IP "\fBWARN \fIoptional text...\fR
#       Log a warning with the optional text, together with client information
#       and if available, with helo, sender, recipient and protocol information.
# .sp
#       This feature is available in Postfix 2.1 and later.
# ENHANCED STATUS CODES
# .ad
# .fi
#       Postfix version 2.3 and later support enhanced status codes
#       as defined in RFC 3463.
#       When an enhanced status code is specified in an access
#       table, it is subject to modification. The following
#       transformations are needed when the same access table is
#       used for client, helo, sender, or recipient access restrictions;
#       they happen regardless of whether Postfix replies to a MAIL
#       FROM, RCPT TO or other SMTP command.
# .IP \(bu
#       When a sender address matches a REJECT action, the Postfix
#       SMTP server will transform a recipient DSN status (e.g.,
#       4.1.1-4.1.6) into the corresponding sender DSN status, and
#       vice versa.
# .IP \(bu
#       When non-address information matches a REJECT action (such
#       as the HELO command argument or the client hostname/address),
#       the Postfix SMTP server will transform a sender or recipient
#       DSN status into a generic non-address DSN status (e.g.,
#       4.0.0).
# REGULAR EXPRESSION TABLES
# .ad
# .fi
#       This section describes how the table lookups change when the table
#       is given in the form of regular expressions. For a description of
#       regular expression lookup table syntax, see \fBregexp_table\fR(5)
#       or \fBpcre_table\fR(5).
#
#       Each pattern is a regular expression that is applied to the entire
#       string being looked up. Depending on the application, that string
#       is an entire client hostname, an entire client IP address, or an
#       entire mail address. Thus, no parent domain or parent network search
#       is done, \fIuser@domain\fR mail addresses are not broken up into
#       their \fIuser@\fR and \fIdomain\fR constituent parts, nor is
#       \fIuser+foo\fR broken up into \fIuser\fR and \fIfoo\fR.
#
#       Patterns are applied in the order as specified in the table, until a
#       pattern is found that matches the search string.
#
#       Actions are the same as with indexed file lookups, with
#       the additional feature that parenthesized substrings from the
#       pattern can be interpolated as \fB$1\fR, \fB$2\fR and so on.
# TCP-BASED TABLES
# .ad
# .fi
#       This section describes how the table lookups change when lookups
#       are directed to a TCP-based server. For a description of the TCP
#       client/server lookup protocol, see \fBtcp_table\fR(5).
#       This feature is not available up to and including Postfix version 2.4.
#
#       Each lookup operation uses the entire query string once.
#       Depending on the application, that string is an entire client
#       hostname, an entire client IP address, or an entire mail address.
#       Thus, no parent domain or parent network search is done,
#       \fIuser@domain\fR mail addresses are not broken up into
#       their \fIuser@\fR and \fIdomain\fR constituent parts, nor is
#       \fIuser+foo\fR broken up into \fIuser\fR and \fIfoo\fR.
#
#       Actions are the same as with indexed file lookups.
# EXAMPLE
# .ad
# .fi
#       The following example uses an indexed file, so that the
#       order of table entries does not matter. The example permits
#       access by the client at address 1.2.3.4 but rejects all
#       other clients in 1.2.3.0/24. Instead of \fBhash\fR lookup
#       tables, some systems use \fBdbm\fR.  Use the command
#       "\fBpostconf -m\fR" to find out what lookup tables Postfix
#       supports on your system.
#
# .nf
# .na
#       /etc/postfix/main.cf:
#           smtpd_client_restrictions =
#               check_client_access hash:/etc/postfix/access
#
#       /etc/postfix/access:
#           1.2.3   REJECT
#           1.2.3.4 OK
# .fi
# .ad
#
#       Execute the command "\fBpostmap /etc/postfix/access\fR" after
#       editing the file.
# BUGS
#       The table format does not understand quoting conventions.
# SEE ALSO
#       postmap(1), Postfix lookup table manager
#       smtpd(8), SMTP server
#       postconf(5), configuration parameters
#       transport(5), transport:nexthop syntax
# README FILES
# .ad
# .fi
#       Use "\fBpostconf readme_directory\fR" or
#       "\fBpostconf html_directory\fR" to locate this information.
# .na
# .nf
#       SMTPD_ACCESS_README, built-in SMTP server access control
#       DATABASE_README, Postfix lookup table overview
# LICENSE
# .ad
# .fi
#       The Secure Mailer license must be distributed with this software.
# AUTHOR(S)
#       Wietse Venema
#       IBM T.J. Watson Research
#       P.O. Box 704
#       Yorktown Heights, NY 10598, USA
#
#       Wietse Venema
#       Google, Inc.
#       111 8th Avenue
#       New York, NY 10011, USA
#--

You are viewing proxied material from ftp.icm.edu.pl. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.