
man page:


SYNOPSIS

       postmap /etc/postfix/access

       postmap -q "string" /etc/postfix/access

       postmap -q - /etc/postfix/access <inputfile


DESCRIPTION

       The optional access table directs the Postfix SMTP server to
       selectively reject or accept mail. Access can be allowed or denied for
       specific host names, domain names, networks, host network addresses or
       mail addresses.

       For an example, see the EXAMPLE section at the end of this manual page.

       Normally,  the  access table is specified as a text file that serves as
       input to the postmap(1) command.  The result, an indexed file in dbm or
       db  format,  is used for fast searching by the mail system. Execute the
       command postmap /etc/postfix/access in order  to  rebuild  the  indexed
       file after changing the access table.

       When  the  table  is provided via other means such as NIS, LDAP or SQL,
       the same lookups are done as for ordinary indexed files.

       Alternatively, the table can be provided as a regular-expression map
       where patterns are given as regular expressions, or lookups can be
       directed to a TCP-based server. In that case, the lookups are done in a
       slightly different way as described below under "REGULAR EXPRESSION
       TABLES" and "TCP-BASED TABLES".


TABLE FORMAT

       The input format for the postmap(1) command is as follows:

       pattern action
              When pattern matches a mail address,  domain  or  host  address,
              perform the corresponding action.

       blank lines and comments
              Empty  lines and whitespace-only lines are ignored, as are lines
              whose first non-whitespace character is a `#'.

       multi-line text
              A logical line starts with  non-whitespace  text.  A  line  that
              starts with whitespace continues a logical line.


EMAIL ADDRESS PATTERNS

       With  lookups  from  indexed files such as DB or DBM, or from networked
       tables such as NIS, LDAP or SQL, patterns are tried  in  the  order  as
       listed below:

       user@domain
              Matches the specified mail address.

       of lookup table. By default, Postfix uses <> as the lookup key for such
       addresses. The value is specified with the smtpd_null_access_lookup_key
       parameter in the Postfix main.cf file.


EMAIL ADDRESS EXTENSION

       When a mail address localpart contains the optional recipient delimiter
       (e.g., user+foo@domain), the  lookup  order  becomes:  user+foo@domain,
       user@domain, domain, user+foo@, and user@.


HOST NAME/ADDRESS PATTERNS

       With  lookups  from  indexed files such as DB or DBM, or from networked
       tables such as NIS, LDAP or SQL,  the  following  lookup  patterns  are
       examined in the order as listed:

       domain.tld
              Matches domain.tld.

              The pattern domain.tld also matches subdomains, but only when
              the string smtpd_access_maps is listed in the Postfix
              parent_domain_matches_subdomains configuration setting.
              Otherwise, specify .domain.tld (note the initial dot) in order
              to match subdomains.

       net.work.addr.ess

       net.work.addr

       net.work

       net    Matches  any  host  address  in the specified network. A network
              address is a sequence of one or more octets separated by ".".

              NOTE: use the cidr lookup table type to specify  network/netmask
              patterns. See cidr_table(5) for details.


ACCEPT ACTIONS

       OK     Accept the address etc. that matches the pattern.

       all-numerical
              An all-numerical result is treated as OK. This format is
              generated by address-based relay authorization schemes.


REJECT ACTIONS

       4NN text

       5NN text
              Reject the address etc. that matches the  pattern,  and  respond
              with  the  numerical  three-digit  code and text. 4NN means "try
              again later", while 5NN means "do not try again".

       REJECT optional text...
              Reject the address etc. that matches  the  pattern.  Reply  with
              text...  when  the  optional  text is specified, otherwise reply
              with a generic error response message.

              This feature is available in Postfix 2.1 and later.


OTHER ACTIONS

       restriction...
              Apply   the   named   UCE   restriction(s)   (permit,    reject,
              reject_unauth_destination, and so on).

       DISCARD optional text...
              Claim successful delivery and silently discard the message.  Log
              the optional text if specified, otherwise log a generic message.

              Note: this action currently affects all recipients of the
              message.

              This feature is available in Postfix 2.0 and later.

       DUNNO  Pretend that the lookup key was not found. This prevents Postfix
              from  trying  substrings  of the lookup key (such as a subdomain
              name, or a network address subnetwork).

              This feature is available in Postfix 2.0 and later.

       FILTER transport:destination
              After the message is queued, send the entire message through the
              specified  external  content  filter.  The transport:destination
              syntax is described  in  the  transport(5)  manual  page.   More
              information  about  external  content  filters is in the Postfix
              FILTER_README file.

              Note: this action overrides the main.cf content_filter  setting,
              and currently affects all recipients of the message.

              This feature is available in Postfix 2.0 and later.

       HOLD optional text...
              Place  the  message  on  the hold queue, where it will sit until
              someone either deletes it or releases it for delivery.  Log  the
              optional text if specified, otherwise log a generic message.

              Mail  that is placed on hold can be examined with the postcat(1)
              command, and can be destroyed or released with the  postsuper(1)
              command.

              Note: this action currently affects all recipients of the
              message.

              This feature is available in Postfix 2.0 and later.

       PREPEND headername: headervalue

              This feature is available in Postfix 2.1 and later.

       WARN optional text...
              Log a warning with  the  optional  text,  together  with  client
              information  and  if available, with helo, sender, recipient and
              protocol information.

              This feature is available in Postfix 2.1 and later.


REGULAR EXPRESSION TABLES

       This section describes how the table lookups change when the  table  is
       given  in the form of regular expressions. For a description of regular
       expression lookup table syntax, see regexp_table(5) or pcre_table(5).

       Each pattern is a regular expression that  is  applied  to  the  entire
       string being looked up. Depending on the application, that string is an
       entire client hostname, an entire client IP address, or an entire  mail
       address.  Thus,  no  parent  domain  or  parent network search is done,
       user@domain mail addresses are not  broken  up  into  their  user@  and
       domain  constituent parts, nor is user+foo broken up into user and foo.

       Patterns are applied in the order as specified in the  table,  until  a
       pattern is found that matches the search string.

       Actions are the same as with indexed file lookups, with the additional
       feature that parenthesized substrings from the pattern can be
       interpolated as $1, $2 and so on.


TCP-BASED TABLES

       This  section  describes  how the table lookups change when lookups are
       directed  to  a  TCP-based  server.  For  a  description  of  the   TCP
       client/server  lookup  protocol, see tcp_table(5).  This feature is not
       available in Postfix version 2.1.

       Each lookup operation uses the entire query string once.  Depending  on
       the  application,  that  string is an entire client hostname, an entire
       client IP address, or an entire mail address.  Thus, no  parent  domain
       or  parent  network  search is done, user@domain mail addresses are not
       broken up into  their  user@  and  domain  constituent  parts,  nor  is
       user+foo broken up into user and foo.

       Actions are the same as with indexed file lookups.


EXAMPLE

       The following example uses an indexed file, so that the order of table
       entries does not matter. The example permits access by the client at
       address 1.2.3.4 but rejects all other clients in 1.2.3.0/24. Instead of
       "hash" lookup tables, some systems use "dbm". Use the command
       "postconf -m" to find out what lookup tables Postfix supports on your
       system.
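
       Added example, not part of the Postfix manual or source code: a Python
       model of the indexed-file lookup described under TABLE FORMAT, HOST
       NAME/ADDRESS PATTERNS, ACCEPT ACTIONS and DUNNO, run over a constructed
       table that matches the description above. The names parse_access,
       client_keys and check_client and the sample table are assumptions made
       for illustration; only IPv4 client addresses are modelled.

```python
# Illustrative model of access(5) indexed-file lookups; not Postfix code.
# SAMPLE_TABLE is constructed: permit 1.2.3.4, reject the rest of 1.2.3.0/24.
SAMPLE_TABLE = """\
# client access rules
1.2.3      REJECT
1.2.3.4    OK
10.9       550 no mail
           from this network
10.9.8     DUNNO
192.0.2.7  12345
"""

def parse_access(text):
    """Parse postmap(1) input per TABLE FORMAT into {pattern: action}."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # whitespace start: continuation
        else:
            logical.append(raw.strip())
    table = {}
    for line in logical:
        parts = line.split(None, 1)
        if len(parts) == 2:                   # skip entries with no action
            table[parts[0]] = parts[1]
    return table

def client_keys(addr):
    """Lookup order: net.work.addr.ess, net.work.addr, net.work, net."""
    octets = addr.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]

def check_client(table, addr):
    """Return the deciding action, or None when the table does not decide."""
    for key in client_keys(addr):
        action = table.get(key)
        if action is None:
            continue
        if action.upper() == "DUNNO":
            return None       # treated as not found; parent networks not tried
        if action.isdigit():
            return "OK"       # an all-numerical result is treated as OK
        return action
    return None

TABLE = parse_access(SAMPLE_TABLE)
```

       Because the most specific key is tried first, swapping the two 1.2.3
       lines in the table does not change which clients are accepted.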


SEE ALSO

       postmap(1), Postfix lookup table manager
       smtpd(8), SMTP server
       postconf(5), configuration parameters
       transport(5), transport:nexthop syntax


README FILES

       Use "postconf readme_directory" or "postconf html_directory" to  locate
       this information.
       SMTPD_ACCESS_README, built-in SMTP server access control
       DATABASE_README, Postfix lookup table overview


LICENSE

       The Secure Mailer license must be distributed with this software.


AUTHOR(S)

       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA



                                                                     ACCESS(5)
