1 # HEADER_CHECKS(5) HEADER_CHECKS(5) 2 # 3 # NAME 4 # header_checks - Postfix built-in content inspection 5 # 6 # SYNOPSIS 7 # header_checks = pcre:/etc/postfix/header_checks 8 # mime_header_checks = pcre:/etc/postfix/mime_header_checks 9 # nested_header_checks = pcre:/etc/postfix/nested_header_checks 10 # body_checks = pcre:/etc/postfix/body_checks 11 # 12 # milter_header_checks = pcre:/etc/postfix/milter_header_checks 13 # 14 # smtp_header_checks = pcre:/etc/postfix/smtp_header_checks 15 # smtp_mime_header_checks = pcre:/etc/postfix/smtp_mime_header_checks 16 # smtp_nested_header_checks = pcre:/etc/postfix/smtp_nested_header_checks 17 # smtp_body_checks = pcre:/etc/postfix/smtp_body_checks 18 # 19 # postmap -q "string" pcre:/etc/postfix/filename 20 # postmap -q - pcre:/etc/postfix/filename <inputfile 21 # 22 # DESCRIPTION 23 # This document describes access control on the content of 24 # message headers and message body lines; it is implemented 25 # by the Postfix cleanup(8) server before mail is queued. 26 # See access(5) for access control on remote SMTP client 27 # information. 28 # 29 # Each message header or message body line is compared 30 # against a list of patterns. When a match is found the 31 # corresponding action is executed, and the matching process 32 # is repeated for the next message header or message body 33 # line. 34 # 35 # Note: message headers are examined one logical header at a 36 # time, even when a message header spans multiple lines. 37 # Body lines are always examined one line at a time. 38 # 39 # For examples, see the EXAMPLES section at the end of this 40 # manual page. 41 # 42 # Postfix header or body_checks are designed to stop a flood 43 # of mail from worms or viruses; they do not decode attach- 44 # ments, and they do not unzip archives. See the documents 45 # referenced below in the README FILES section if you need 46 # more sophisticated content analysis. 
47 # 48 # FILTERS WHILE RECEIVING MAIL 49 # Postfix implements the following four built-in content 50 # inspection classes while receiving mail: 51 # 52 # header_checks (default: empty) 53 # These are applied to initial message headers 54 # (except for the headers that are processed with 55 # mime_header_checks). 56 # 57 # mime_header_checks (default: $header_checks) 58 # These are applied to MIME related message headers 59 # only. 60 # 61 # This feature is available in Postfix 2.0 and later. 62 # 63 # nested_header_checks (default: $header_checks) 64 # These are applied to message headers of attached 65 # email messages (except for the headers that are 66 # processed with mime_header_checks). 67 # 68 # This feature is available in Postfix 2.0 and later. 69 # 70 # body_checks 71 # These are applied to all other content, including 72 # multi-part message boundaries. 73 # 74 # With Postfix versions before 2.0, all content after 75 # the initial message headers is treated as body con- 76 # tent. 77 # 78 # FILTERS AFTER RECEIVING MAIL 79 # Postfix supports a subset of the built-in content inspec- 80 # tion classes after the message is received: 81 # 82 # milter_header_checks (default: empty) 83 # These are applied to headers that are added with 84 # Milter applications. 85 # 86 # This feature is available in Postfix 2.7 and later. 87 # 88 # FILTERS WHILE DELIVERING MAIL 89 # Postfix supports all four content inspection classes while 90 # delivering mail via SMTP. 91 # 92 # smtp_header_checks (default: empty) 93 # 94 # smtp_mime_header_checks (default: empty) 95 # 96 # smtp_nested_header_checks (default: empty) 97 # 98 # smtp_body_checks (default: empty) 99 # These features are available in Postfix 2.5 and 100 # later. 101 # 102 # COMPATIBILITY 103 # With Postfix version 2.2 and earlier specify "postmap -fq" 104 # to query a table that contains case sensitive patterns. By 105 # default, regexp: and pcre: patterns are case insensitive. 
106 # 107 # TABLE FORMAT 108 # This document assumes that header and body_checks rules 109 # are specified in the form of Postfix regular expression 110 # lookup tables. Usually the best performance is obtained 111 # with pcre (Perl Compatible Regular Expression) tables. The 112 # regexp (POSIX regular expressions) tables are usually 113 # slower, but more widely available. Use the command 114 # "postconf -m" to find out what lookup table types your Postfix 115 # system supports. 116 # 117 # The general format of Postfix regular expression tables is 118 # given below. For a discussion of specific pattern or 119 # flags syntax, see pcre_table(5) or regexp_table(5), 120 # respectively. 121 # 122 # /pattern/flags action 123 # When /pattern/ matches the input string, execute 124 # the corresponding action. See below for a list of 125 # possible actions. 126 # 127 # !/pattern/flags action 128 # When /pattern/ does not match the input string, 129 # execute the corresponding action. 130 # 131 # if /pattern/flags 132 # 133 # endif If the input string matches /pattern/, then match 134 # that input string against the patterns between if 135 # and endif. The if..endif can nest. 136 # 137 # Note: do not prepend whitespace to patterns inside 138 # if..endif. 139 # 140 # if !/pattern/flags 141 # 142 # endif If the input string does not match /pattern/, then 143 # match that input string against the patterns 144 # between if and endif. The if..endif can nest. 145 # 146 # blank lines and comments 147 # Empty lines and whitespace-only lines are ignored, 148 # as are lines whose first non-whitespace character 149 # is a `#'. 150 # 151 # multi-line text 152 # A pattern/action line starts with non-whitespace 153 # text. A line that starts with whitespace continues 154 # a logical line. 155 # 156 # TABLE SEARCH ORDER 157 # For each line of message input, the patterns are applied 158 # in the order as specified in the table. 
When a pattern is 159 # found that matches the input line, the corresponding 160 # action is executed and then the next input line is 161 # inspected. 162 # 163 # TEXT SUBSTITUTION 164 # Substitution of substrings from the matched expression 165 # into the action string is possible using the conventional 166 # Perl syntax ($1, $2, etc.). The macros in the result 167 # string may need to be written as ${n} or $(n) if they 168 # aren't followed by whitespace. 169 # 170 # Note: since negated patterns (those preceded by !) return 171 # a result when the expression does not match, substitutions 172 # are not available for negated patterns. 173 # 174 # ACTIONS 175 # Action names are case insensitive. They are shown in upper 176 # case for consistency with other Postfix documentation. 177 # 178 # BCC user@domain 179 # Add the specified address as a BCC recipient, and 180 # inspect the next input line. The address must have 181 # a local part and domain part. The number of BCC 182 # addresses that can be added is limited only by the 183 # amount of available storage space. 184 # 185 # Note 1: the BCC address is added as if it was spec- 186 # ified with NOTIFY=NONE. The sender will not be 187 # notified when the BCC address is undeliverable, as 188 # long as all down-stream software implements RFC 189 # 3461. 190 # 191 # Note 2: this ignores duplicate addresses (with the 192 # same delivery status notification options). 193 # 194 # This feature is available in Postfix 3.0 and later. 195 # 196 # This feature is not supported with smtp header/body 197 # checks. 198 # 199 # DISCARD optional text... 200 # Claim successful delivery and silently discard the 201 # message. Do not inspect the remainder of the input 202 # message. Log the optional text if specified, oth- 203 # erwise log a generic message. 204 # 205 # Note: this action disables further header or 206 # body_checks inspection of the current message and 207 # affects all recipients. 
To discard only one 208 # recipient without discarding the entire message, use the 209 # transport(5) table to direct mail to the discard(8) 210 # service. 211 # 212 # This feature is available in Postfix 2.0 and later. 213 # 214 # This feature is not supported with smtp header/body 215 # checks. 216 # 217 # DUNNO Pretend that the input line did not match any 218 # pattern, and inspect the next input line. This action 219 # can be used to shorten the table search. 220 # 221 # For backwards compatibility reasons, Postfix also 222 # accepts OK but it is (and always has been) treated 223 # as DUNNO. 224 # 225 # This feature is available in Postfix 2.1 and later. 226 # 227 # FILTER transport:destination 228 # Override the content_filter parameter setting, and 229 # inspect the next input line. After the message is 230 # queued, send the entire message through the 231 # specified external content filter. The transport name 232 # specifies the first field of a mail delivery agent 233 # definition in master.cf; the syntax of the next-hop 234 # destination is described in the manual page of the 235 # corresponding delivery agent. More information 236 # about external content filters is in the Postfix 237 # FILTER_README file. 238 # 239 # Note 1: do not use $number regular expression 240 # substitutions for transport or destination unless you 241 # know that the information has a trusted origin. 242 # 243 # Note 2: this action overrides the main.cf 244 # content_filter setting, and affects all recipients of 245 # the message. In the case that multiple FILTER 246 # actions fire, only the last one is executed. 247 # 248 # Note 3: the purpose of the FILTER command is to 249 # override message routing. 
To override the 250 # recipient's transport but not the next-hop destination, 251 # specify an empty filter destination (Postfix 2.7 252 # and later), or specify a transport:destination that 253 # delivers through a different Postfix instance 254 # (Postfix 2.6 and earlier). Other options are using 255 # the recipient-dependent transport_maps or the 256 # sender-dependent 257 # sender_dependent_default_transport_maps features. 258 # 259 # This feature is available in Postfix 2.0 and later. 260 # 261 # This feature is not supported with smtp header/body 262 # checks. 263 # 264 # HOLD optional text... 265 # Arrange for the message to be placed on the hold 266 # queue, and inspect the next input line. The 267 # message remains on hold until someone either deletes 268 # it or releases it for delivery. Log the optional 269 # text if specified, otherwise log a generic message. 270 # 271 # Mail that is placed on hold can be examined with 272 # the postcat(1) command, and can be destroyed or 273 # released with the postsuper(1) command. 274 # 275 # Note: use "postsuper -r" to release mail that was 276 # kept on hold for a significant fraction of 277 # $maximal_queue_lifetime or $bounce_queue_lifetime, or 278 # longer. Use "postsuper -H" only for mail that will 279 # not expire within a few delivery attempts. 280 # 281 # Note: this action affects all recipients of the 282 # message. 283 # 284 # This feature is available in Postfix 2.0 and later. 285 # 286 # This feature is not supported with smtp header/body 287 # checks. 288 # 289 # IGNORE Delete the current line from the input, and inspect 290 # the next input line. See STRIP for an alternative 291 # that logs the action. 292 # 293 # INFO optional text... 294 # Log an "info:" record with the optional text... (or 295 # log a generic text), and inspect the next input 296 # line. This action is useful for routine logging or 297 # for debugging. 298 # 299 # This feature is available in Postfix 2.8 and later. 
300 # 301 # PASS optional text... 302 # Log a "pass:" record with the optional text... (or 303 # log a generic text), and turn off header, body, and 304 # Milter inspection for the remainder of this 305 # message. 306 # 307 # Note: this feature relies on trust in information 308 # that is easy to forge: the header or body text that a PASS rule matches is normally chosen by the sender. 309 # 310 # This feature is available in Postfix 3.2 and later. 311 # 312 # This feature is not supported with smtp header/body 313 # checks. 314 # 315 # PREPEND text... 316 # Prepend one line with the specified text, and 317 # inspect the next input line. 318 # 319 # Notes: 320 # 321 # o The prepended text is output on a separate 322 # line, immediately before the input that 323 # triggered the PREPEND action. 324 # 325 # o The prepended text is not considered part of 326 # the input stream: it is not subject to 327 # header/body checks or address rewriting, and 328 # it does not affect the way that Postfix adds 329 # missing message headers. 330 # 331 # o When prepending text before a message header 332 # line, the prepended text must begin with a 333 # valid message header label. 334 # 335 # o This action cannot be used to prepend 336 # multi-line text. 337 # 338 # This feature is available in Postfix 2.1 and later. 339 # 340 # This feature is not supported with 341 # milter_header_checks. 342 # 343 # REDIRECT user@domain 344 # Write a message redirection request to the queue 345 # file, and inspect the next input line. After the 346 # message is queued, it will be sent to the specified 347 # address instead of the intended recipient(s). 348 # 349 # Note 1: this action overrides the FILTER action, 350 # and affects all recipients of the message. If 351 # multiple REDIRECT actions fire, only the last one is 352 # executed. 353 # 354 # Note 2: a REDIRECT address is subject to 355 # canonicalization (add missing domain) but NOT subject to 356 # canonical, masquerade, bcc, or virtual alias 357 # mapping. 
358 # 359 # This feature is available in Postfix 2.1 and later. 360 # 361 # This feature is not supported with smtp header/body 362 # checks. 363 # 364 # REPLACE text... 365 # Replace the current line with the specified text, 366 # and inspect the next input line. 367 # 368 # This feature is available in Postfix 2.2 and later. 369 # The description below applies to Postfix 2.2.2 and 370 # later. 371 # 372 # Notes: 373 # 374 # o When replacing a message header line, the 375 # replacement text must begin with a valid 376 # header label. 377 # 378 # o The replaced text remains part of the input 379 # stream. Unlike the result from the PREPEND 380 # action, a replaced message header may be 381 # subject to address rewriting and may affect 382 # the way that Postfix adds missing message 383 # headers. 384 # 385 # REJECT optional text... 386 # Reject the entire message. Do not inspect the 387 # remainder of the input message. Reply with 388 # optional text... when the optional text is speci- 389 # fied, otherwise reply with a generic error message. 390 # 391 # Note: this action disables further header or 392 # body_checks inspection of the current message and 393 # affects all recipients. 394 # 395 # Postfix version 2.3 and later support enhanced sta- 396 # tus codes. When no code is specified at the begin- 397 # ning of optional text..., Postfix inserts a default 398 # enhanced status code of "5.7.1". 399 # 400 # This feature is not supported with smtp header/body 401 # checks. 402 # 403 # STRIP optional text... 404 # Log a "strip:" record with the optional text... (or 405 # log a generic text), delete the input line from the 406 # input, and inspect the next input line. See IGNORE 407 # for a silent alternative. 408 # 409 # This feature is available in Postfix 3.2 and later. 410 # 411 # WARN optional text... 412 # Log a "warning:" record with the optional text... 413 # (or log a generic text), and inspect the next input 414 # line. 
This action is useful for debugging and for 415 # testing a pattern before applying more drastic 416 # actions. 417 # 418 # BUGS 419 # Empty lines never match, because some map types mis-behave 420 # when given a zero-length search string. This limitation 421 # may be removed for regular expression tables in a future 422 # release. 423 # 424 # Many people overlook the main limitations of header and 425 # body_checks rules. 426 # 427 # o These rules operate on one logical message header 428 # or one body line at a time. A decision made for one 429 # line is not carried over to the next line. 430 # 431 # o If text in the message body is encoded (RFC 2045) 432 # then the rules need to be specified for the encoded 433 # form. 434 # 435 # o Likewise, when message headers are encoded (RFC 436 # 2047) then the rules need to be specified for the 437 # encoded form. 438 # 439 # Message headers added by the cleanup(8) daemon itself are 440 # excluded from inspection. Examples of such message headers 441 # are From:, To:, Message-ID:, Date:. 442 # 443 # Message headers deleted by the cleanup(8) daemon will be 444 # examined before they are deleted. Examples are: Bcc:, 445 # Content-Length:, Return-Path:. 446 # 447 # CONFIGURATION PARAMETERS 448 # body_checks (empty) 449 # Optional lookup tables for content inspection as 450 # specified in the body_checks(5) manual page. 451 # 452 # body_checks_size_limit (51200) 453 # How much text in a message body segment (or 454 # attachment, if you prefer to use that term) is subjected 455 # to body_checks inspection. 456 # 457 # header_checks (empty) 458 # Optional lookup tables for content inspection of 459 # primary non-MIME message headers, as specified in 460 # the header_checks(5) manual page. 461 # 462 # mime_header_checks ($header_checks) 463 # Optional lookup tables for content inspection of 464 # MIME related message headers, as described in the 465 # header_checks(5) manual page. 
466 # 467 # nested_header_checks ($header_checks) 468 # Optional lookup tables for content inspection of 469 # non-MIME message headers in attached messages, as 470 # described in the header_checks(5) manual page. 471 # 472 # disable_mime_input_processing (no) 473 # Turn off MIME processing while receiving mail. 474 # 475 # EXAMPLES 476 # Header pattern to block attachments with bad file name 477 # extensions. For convenience, the PCRE /x flag is speci- 478 # fied, so that there is no need to collapse the pattern 479 # into a single line of text. The purpose of the 480 # [[:xdigit:]] sub-expressions is to recognize Windows CLSID 481 # strings. 482 # 483 # /etc/postfix/main.cf: 484 # header_checks = pcre:/etc/postfix/header_checks.pcre 485 # 486 # /etc/postfix/header_checks.pcre: 487 # /^Content-(Disposition|Type).*name\s*=\s*"?([^;]*(\.|=2E)( 488 # ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe| 489 # hlp|ht[at]| 490 # inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws| 491 # \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}| 492 # ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf| 493 # vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x 494 # REJECT Attachment name "$2" may not end with ".$4" 495 # 496 # Body pattern to stop a specific HTML browser vulnerability 497 # exploit. 
498 # 499 # /etc/postfix/main.cf: 500 # body_checks = regexp:/etc/postfix/body_checks 501 # 502 # /etc/postfix/body_checks: 503 # /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/ 504 # REJECT IFRAME vulnerability exploit 505 # 506 # SEE ALSO 507 # cleanup(8), canonicalize and enqueue Postfix message 508 # pcre_table(5), format of PCRE lookup tables 509 # regexp_table(5), format of POSIX regular expression tables 510 # postconf(1), Postfix configuration utility 511 # postmap(1), Postfix lookup table management 512 # postsuper(1), Postfix janitor 513 # postcat(1), show Postfix queue file contents 514 # RFC 2045, base64 and quoted-printable encoding rules 515 # RFC 2047, message header encoding for non-ASCII text 516 # 517 # README FILES 518 # Use "postconf readme_directory" or "postconf 519 # html_directory" to locate this information. 520 # DATABASE_README, Postfix lookup table overview 521 # CONTENT_INSPECTION_README, Postfix content inspection overview 522 # BUILTIN_FILTER_README, Postfix built-in content inspection 523 # BACKSCATTER_README, blocking returned forged mail 524 # 525 # LICENSE 526 # The Secure Mailer license must be distributed with this 527 # software. 528 # 529 # AUTHOR(S) 530 # Wietse Venema 531 # IBM T.J. Watson Research 532 # P.O. Box 704 533 # Yorktown Heights, NY 10598, USA 534 # 535 # Wietse Venema 536 # Google, Inc. 537 # 111 8th Avenue 538 # New York, NY 10011, USA 539 # 540 # HEADER_CHECKS(5) 541