header_checks revision 1.1.1.2 1 1.1 tron # HEADER_CHECKS(5) HEADER_CHECKS(5)
2 1.1 tron #
3 1.1 tron # NAME
4 1.1 tron # header_checks - Postfix built-in content inspection
5 1.1 tron #
6 1.1 tron # SYNOPSIS
7 1.1 tron # header_checks = pcre:/etc/postfix/header_checks
8 1.1 tron # mime_header_checks = pcre:/etc/postfix/mime_header_checks
9 1.1 tron # nested_header_checks = pcre:/etc/postfix/nested_header_checks
10 1.1 tron # body_checks = pcre:/etc/postfix/body_checks
11 1.1 tron #
12 1.1 tron # postmap -q "string" pcre:/etc/postfix/filename
13 1.1 tron # postmap -q - pcre:/etc/postfix/filename <inputfile
14 1.1 tron #
15 1.1 tron # DESCRIPTION
16 1.1 tron # This document describes access control on the content of
17 1.1 tron # message headers and message body lines; it is implemented
18 1.1 tron # by the Postfix cleanup(8) server before mail is queued.
19 1.1 tron # See access(5) for access control on remote SMTP client
20 1.1 tron # information.
21 1.1 tron #
22 1.1 tron # Each message header or message body line is compared
23 1.1 tron # against a list of patterns. When a match is found the
24 1.1 tron # corresponding action is executed, and the matching process
25 1.1 tron # is repeated for the next message header or message body
26 1.1 tron # line.
27 1.1 tron #
28 1.1 tron # For examples, see the EXAMPLES section at the end of this
29 1.1 tron # manual page.
30 1.1 tron #
31 1.1 tron # Postfix header or body_checks are designed to stop a flood
32 1.1 tron # of mail from worms or viruses; they do not decode attach-
33 1.1 tron # ments, and they do not unzip archives. See the documents
34 1.1 tron # referenced below in the README FILES section if you need
35 1.1 tron # more sophisticated content analysis.
36 1.1 tron #
37 1.1 tron # Postfix supports four built-in content inspection classes:
38 1.1 tron #
39 1.1 tron # header_checks
40 1.1 tron # These are applied to initial message headers
41 1.1 tron # (except for the headers that are processed with
42 1.1 tron # mime_header_checks).
43 1.1 tron #
44 1.1 tron # mime_header_checks (default: $header_checks)
45 1.1 tron # These are applied to MIME related message headers
46 1.1 tron # only.
47 1.1 tron #
48 1.1 tron # This feature is available in Postfix 2.0 and later.
49 1.1 tron #
50 1.1 tron # nested_header_checks (default: $header_checks)
51 1.1 tron # These are applied to message headers of attached
52 1.1 tron # email messages (except for the headers that are
53 1.1 tron # processed with mime_header_checks).
54 1.1 tron #
55 1.1 tron # This feature is available in Postfix 2.0 and later.
56 1.1 tron #
57 1.1 tron # body_checks
58 1.1 tron # These are applied to all other content, including
59 1.1 tron # multi-part message boundaries.
60 1.1 tron #
61 1.1 tron # With Postfix versions before 2.0, all content after
62 1.1 tron # the initial message headers is treated as body con-
63 1.1 tron # tent.
64 1.1 tron #
65 1.1 tron # Note: message headers are examined one logical header at a
66 1.1 tron # time, even when a message header spans multiple lines.
67 1.1 tron # Body lines are always examined one line at a time.
68 1.1 tron #
69 1.1 tron # COMPATIBILITY
70 1.1 tron # With Postfix version 2.2 and earlier, specify "postmap -fq"
71 1.1 tron # to query a table that contains case sensitive patterns. By
72 1.1 tron # default, regexp: and pcre: patterns are case insensitive.
73 1.1 tron #
74 1.1 tron # TABLE FORMAT
75 1.1 tron # This document assumes that header and body_checks rules
76 1.1 tron # are specified in the form of Postfix regular expression
77 1.1 tron # lookup tables. Usually the best performance is obtained
78 1.1 tron # with pcre (Perl Compatible Regular Expression) tables, but
79 1.1 tron # the slower regexp (POSIX regular expressions) support is
80 1.1 tron # more widely available. Use the command "postconf -m" to
81 1.1 tron # find out what lookup table types your Postfix system sup-
82 1.1 tron # ports.
83 1.1 tron #
84 1.1 tron # The general format of Postfix regular expression tables is
85 1.1 tron # given below. For a discussion of specific pattern or
86 1.1 tron # flags syntax, see pcre_table(5) or regexp_table(5),
87 1.1 tron # respectively.
88 1.1 tron #
89 1.1 tron # /pattern/flags action
90 1.1 tron # When /pattern/ matches the input string, execute
91 1.1 tron # the corresponding action. See below for a list of
92 1.1 tron # possible actions.
93 1.1 tron #
94 1.1 tron # !/pattern/flags action
95 1.1 tron # When /pattern/ does not match the input string,
96 1.1 tron # execute the corresponding action.
97 1.1 tron #
98 1.1 tron # if /pattern/flags
99 1.1 tron #
100 1.1 tron # endif Match the input string against the patterns between
101 1.1 tron # if and endif, if and only if the same input string
102 1.1 tron # also matches /pattern/. The if..endif can nest.
103 1.1 tron #
104 1.1 tron # Note: do not prepend whitespace to patterns inside
105 1.1 tron # if..endif.
106 1.1 tron #
107 1.1 tron # if !/pattern/flags
108 1.1 tron #
109 1.1 tron # endif Match the input string against the patterns between
110 1.1 tron # if and endif, if and only if the same input string
111 1.1 tron # does not match /pattern/. The if..endif can nest.
112 1.1 tron #
113 1.1 tron # blank lines and comments
114 1.1 tron # Empty lines and whitespace-only lines are ignored,
115 1.1 tron # as are lines whose first non-whitespace character
116 1.1 tron # is a `#'.
117 1.1 tron #
118 1.1 tron # multi-line text
119 1.1 tron # A pattern/action line starts with non-whitespace
120 1.1 tron # text. A line that starts with whitespace continues
121 1.1 tron # a logical line.
122 1.1 tron #
123 1.1 tron # TABLE SEARCH ORDER
124 1.1 tron # For each line of message input, the patterns are applied
125 1.1 tron # in the order as specified in the table. When a pattern is
126 1.1 tron # found that matches the input line, the corresponding
127 1.1 tron # action is executed and then the next input line is
128 1.1 tron # inspected.
129 1.1 tron #
130 1.1 tron # TEXT SUBSTITUTION
131 1.1 tron # Substitution of substrings from the matched expression
132 1.1 tron # into the action string is possible using the conventional
133 1.1 tron # Perl syntax ($1, $2, etc.). The macros in the result
134 1.1 tron # string may need to be written as ${n} or $(n) if they
135 1.1 tron # aren't followed by whitespace.
136 1.1 tron #
137 1.1 tron # Note: since negated patterns (those preceded by !) return
138 1.1 tron # a result when the expression does not match, substitutions
139 1.1 tron # are not available for negated patterns.
140 1.1 tron #
141 1.1 tron # ACTIONS
142 1.1 tron # Action names are case insensitive. They are shown in upper
143 1.1 tron # case for consistency with other Postfix documentation.
144 1.1 tron #
145 1.1 tron # DISCARD optional text...
146 1.1 tron # Claim successful delivery and silently discard the
147 1.1 tron # message. Log the optional text if specified, oth-
148 1.1 tron # erwise log a generic message.
149 1.1 tron #
150 1.1 tron # Note: this action disables further header or
151 1.1 tron # body_checks inspection of the current message and
152 1.1 tron # affects all recipients. To discard only one recip-
153 1.1 tron # ient without discarding the entire message, use the
154 1.1 tron # transport(5) table to direct mail to the discard(8)
155 1.1 tron # service.
156 1.1 tron #
157 1.1 tron # This feature is available in Postfix 2.0 and later.
158 1.1 tron #
159 1.1 tron # DUNNO Pretend that the input line did not match any pat-
160 1.1 tron # tern, and inspect the next input line. This action
161 1.1 tron # can be used to shorten the table search.
162 1.1 tron #
163 1.1 tron # For backwards compatibility reasons, Postfix also
164 1.1 tron # accepts OK, but it is (and always has been) treated
165 1.1 tron # as DUNNO.
166 1.1 tron #
167 1.1 tron # This feature is available in Postfix 2.1 and later.
168 1.1 tron #
169 1.1 tron # FILTER transport:destination
170 1.1.1.2 tron # After the message is queued, send the entire mes-
171 1.1.1.2 tron # sage through the specified external content filter.
172 1.1.1.2 tron # The transport name specifies the first field of a
173 1.1.1.2 tron # mail delivery agent definition in master.cf; the
174 1.1.1.2 tron # syntax of the next-hop destination is described in
175 1.1.1.2 tron # the manual page of the corresponding delivery
176 1.1.1.2 tron # agent. More information about external content
177 1.1.1.2 tron # filters is in the Postfix FILTER_README file.
178 1.1.1.2 tron #
179 1.1.1.2 tron # Note 1: do not use $number regular expression sub-
180 1.1.1.2 tron # stitutions for transport or destination unless you
181 1.1.1.2 tron # know that the information has a trusted origin; the
# matched text comes from the message itself, and thus
# from whoever sent it.
182 1.1.1.2 tron #
183 1.1.1.2 tron # Note 2: this action overrides the main.cf
184 1.1.1.2 tron # content_filter setting, and affects all recipients of
185 1.1.1.2 tron # the message. In the case that multiple FILTER
186 1.1.1.2 tron # actions fire, only the last one is executed.
187 1.1.1.2 tron #
188 1.1.1.2 tron # Note 3: the purpose of the FILTER command is to
189 1.1.1.2 tron # override message routing. To override the recipi-
190 1.1.1.2 tron # ent's transport but not the next-hop destination,
191 1.1.1.2 tron # specify an empty filter destination (Postfix 2.7
192 1.1.1.2 tron # and later), or specify a transport:destination that
193 1.1.1.2 tron # delivers through a different Postfix instance
194 1.1.1.2 tron # (Postfix 2.6 and earlier). Other options are using
195 1.1.1.2 tron # the recipient-dependent transport_maps or the
196 1.1.1.2 tron # sender-dependent
197 1.1.1.2 tron # sender_dependent_default_transport_maps features.
198 1.1 tron #
199 1.1 tron # This feature is available in Postfix 2.0 and later.
200 1.1 tron #
201 1.1 tron # HOLD optional text...
202 1.1.1.2 tron # Arrange for the message to be placed on the hold
203 1.1.1.2 tron # queue, and inspect the next input line. The mes-
204 1.1.1.2 tron # sage remains on hold until someone either deletes
205 1.1.1.2 tron # it or releases it for delivery. Log the optional
206 1.1 tron # text if specified, otherwise log a generic message.
207 1.1 tron #
208 1.1.1.2 tron # Mail that is placed on hold can be examined with
209 1.1.1.2 tron # the postcat(1) command, and can be destroyed or
210 1.1 tron # released with the postsuper(1) command.
211 1.1 tron #
212 1.1.1.2 tron # Note: use "postsuper -r" to release mail that was
213 1.1.1.2 tron # kept on hold for a significant fraction of
214 1.1 tron # $maximal_queue_lifetime or $bounce_queue_lifetime, or
215 1.1.1.2 tron # longer. Use "postsuper -H" only for mail that will
216 1.1 tron # not expire within a few delivery attempts.
217 1.1 tron #
218 1.1.1.2 tron # Note: this action affects all recipients of the
219 1.1 tron # message.
220 1.1 tron #
221 1.1 tron # This feature is available in Postfix 2.0 and later.
222 1.1 tron #
223 1.1 tron # IGNORE Delete the current line from the input, and inspect
224 1.1 tron # the next input line.
225 1.1 tron #
226 1.1 tron # PREPEND text...
227 1.1.1.2 tron # Prepend one line with the specified text, and
228 1.1 tron # inspect the next input line.
229 1.1 tron #
230 1.1 tron # Notes:
231 1.1 tron #
232 1.1.1.2 tron # o The prepended text is output on a separate
233 1.1 tron # line, immediately before the input that
234 1.1 tron # triggered the PREPEND action.
235 1.1 tron #
236 1.1 tron # o The prepended text is not considered part of
237 1.1.1.2 tron # the input stream: it is not subject to
238 1.1 tron # header/body checks or address rewriting, and
239 1.1 tron # it does not affect the way that Postfix adds
240 1.1 tron # missing message headers.
241 1.1 tron #
242 1.1 tron # o When prepending text before a message header
243 1.1.1.2 tron # line, the prepended text must begin with a
244 1.1 tron # valid message header label.
245 1.1 tron #
246 1.1 tron # o This action cannot be used to prepend multi-
247 1.1 tron # line text.
248 1.1 tron #
249 1.1 tron # This feature is available in Postfix 2.1 and later.
250 1.1 tron #
251 1.1 tron # REDIRECT user@domain
252 1.1.1.2 tron # Write a message redirection request to the queue
253 1.1.1.2 tron # file, and inspect the next input line. After the
254 1.1 tron # message is queued, it will be sent to the specified
255 1.1 tron # address instead of the intended recipient(s).
256 1.1 tron #
257 1.1.1.2 tron # Note: this action overrides the FILTER action, and
258 1.1.1.2 tron # affects all recipients of the message. If multiple
259 1.1.1.2 tron # REDIRECT actions fire, only the last one is exe-
260 1.1 tron # cuted.
261 1.1 tron #
262 1.1 tron # This feature is available in Postfix 2.1 and later.
263 1.1 tron #
264 1.1 tron # REPLACE text...
265 1.1.1.2 tron # Replace the current line with the specified text,
266 1.1 tron # and inspect the next input line.
267 1.1 tron #
268 1.1 tron # This feature is available in Postfix 2.2 and later.
269 1.1.1.2 tron # The description below applies to Postfix 2.2.2 and
270 1.1 tron # later.
271 1.1 tron #
272 1.1 tron # Notes:
273 1.1 tron #
274 1.1.1.2 tron # o When replacing a message header line, the
275 1.1.1.2 tron # replacement text must begin with a valid
276 1.1 tron # header label.
277 1.1 tron #
278 1.1.1.2 tron # o The replaced text remains part of the input
279 1.1.1.2 tron # stream. Unlike the result from the PREPEND
280 1.1.1.2 tron # action, a replaced message header may be
281 1.1.1.2 tron # subject to address rewriting and may affect
282 1.1.1.2 tron # the way that Postfix adds missing message
283 1.1 tron # headers.
284 1.1 tron #
285 1.1 tron # REJECT optional text...
286 1.1.1.2 tron # Reject the entire message. Reply with optional
287 1.1 tron # text... when the optional text is specified, other-
288 1.1 tron # wise reply with a generic error message.
289 1.1 tron #
290 1.1.1.2 tron # Note: this action disables further header or
291 1.1.1.2 tron # body_checks inspection of the current message and
292 1.1 tron # affects all recipients.
293 1.1 tron #
294 1.1 tron # Postfix version 2.3 and later support enhanced sta-
295 1.1 tron # tus codes. When no code is specified at the begin-
296 1.1 tron # ning of optional text..., Postfix inserts a default
297 1.1 tron # enhanced status code of "5.7.1".
298 1.1 tron #
299 1.1 tron # WARN optional text...
300 1.1.1.2 tron # Log a warning with the optional text... (or log a
301 1.1.1.2 tron # generic message), and inspect the next input line.
302 1.1 tron # This action is useful for debugging and for testing
303 1.1 tron # a pattern before applying more drastic actions.
304 1.1 tron #
305 1.1 tron # BUGS
306 1.1 tron # Empty lines never match, because some map types misbehave
307 1.1.1.2 tron # when given a zero-length search string. This limitation
308 1.1.1.2 tron # may be removed for regular expression tables in a future
309 1.1 tron # release.
310 1.1 tron #
311 1.1.1.2 tron # Many people overlook the main limitations of header and
312 1.1 tron # body_checks rules.
313 1.1 tron #
314 1.1.1.2 tron # o These rules operate on one logical message header
315 1.1 tron # or one body line at a time. A decision made for one
316 1.1 tron # line is not carried over to the next line.
317 1.1 tron #
318 1.1.1.2 tron # o If text in the message body is encoded (RFC 2045)
319 1.1 tron # then the rules need to be specified for the encoded
320 1.1 tron # form.
321 1.1 tron #
322 1.1.1.2 tron # o Likewise, when message headers are encoded (RFC
323 1.1.1.2 tron # 2047) then the rules need to be specified for the
324 1.1 tron # encoded form.
325 1.1 tron #
326 1.1.1.2 tron # Message headers added by the cleanup(8) daemon itself are
327 1.1 tron # excluded from inspection. Examples of such message headers
328 1.1 tron # are From:, To:, Message-ID:, Date:.
329 1.1 tron #
330 1.1.1.2 tron # Message headers deleted by the cleanup(8) daemon will be
331 1.1 tron # examined before they are deleted. Examples are: Bcc:,
332 1.1 tron # Content-Length:, Return-Path:.
333 1.1 tron #
334 1.1 tron # CONFIGURATION PARAMETERS
335 1.1 tron # body_checks
336 1.1 tron # Lookup tables with content filter rules for message
337 1.1 tron # body lines. These filters see one physical line at
338 1.1.1.2 tron # a time, in chunks of at most $line_length_limit
339 1.1 tron # bytes.
340 1.1 tron #
341 1.1 tron # body_checks_size_limit
342 1.1.1.2 tron # The amount of content per message body segment
343 1.1 tron # (attachment) that is subjected to $body_checks fil-
344 1.1 tron # tering.
345 1.1 tron #
346 1.1 tron # header_checks
347 1.1 tron #
348 1.1 tron # mime_header_checks (default: $header_checks)
349 1.1 tron #
350 1.1 tron # nested_header_checks (default: $header_checks)
351 1.1 tron # Lookup tables with content filter rules for message
352 1.1.1.2 tron # header lines: respectively, these are applied to
353 1.1.1.2 tron # the initial message headers (not including MIME
354 1.1.1.2 tron # headers), to the MIME headers anywhere in the mes-
355 1.1.1.2 tron # sage, and to the initial headers of attached mes-
356 1.1 tron # sages.
357 1.1 tron #
358 1.1.1.2 tron # Note: these filters see one logical message header
359 1.1.1.2 tron # at a time, even when a message header spans multi-
360 1.1.1.2 tron # ple lines. Message headers that are longer than
361 1.1 tron # $header_size_limit characters are truncated.
362 1.1 tron #
363 1.1 tron # disable_mime_input_processing
364 1.1.1.2 tron # While receiving mail, give no special treatment to
365 1.1.1.2 tron # MIME related message headers; all text after the
366 1.1 tron # initial message headers is considered to be part of
367 1.1.1.2 tron # the message body. This means that header_checks is
368 1.1.1.2 tron # applied to all the initial message headers, and
369 1.1 tron # that body_checks is applied to the remainder of the
370 1.1 tron # message.
371 1.1 tron #
372 1.1.1.2 tron # Note: when used in this manner, body_checks will
373 1.1.1.2 tron # process a multi-line message header one line at a
374 1.1 tron # time.
375 1.1 tron #
376 1.1 tron # EXAMPLES
377 1.1.1.2 tron # Header pattern to block attachments with bad file name
378 1.1.1.2 tron # extensions. For convenience, the PCRE /x flag is speci-
379 1.1.1.2 tron # fied, so that there is no need to collapse the pattern
380 1.1.1.2 tron # into a single line of text. The purpose of the
381 1.1 tron # [[:xdigit:]] sub-expressions is to recognize Windows CLSID
382 1.1 tron # strings.
383 1.1 tron #
384 1.1 tron # /etc/postfix/main.cf:
385 1.1 tron # header_checks = pcre:/etc/postfix/header_checks.pcre
386 1.1 tron #
387 1.1 tron # /etc/postfix/header_checks.pcre:
388 1.1 tron # /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
389 1.1 tron # ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
390 1.1 tron # hlp|ht[at]|
391 1.1 tron # inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
392 1.1 tron # \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
393 1.1 tron # ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
394 1.1 tron # vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
395 1.1 tron # REJECT Attachment name "$2" may not end with ".$4"
396 1.1 tron #
397 1.1 tron # Body pattern to stop a specific HTML browser vulnerability
398 1.1 tron # exploit.
399 1.1 tron #
400 1.1 tron # /etc/postfix/main.cf:
401 1.1 tron # body_checks = regexp:/etc/postfix/body_checks
402 1.1 tron #
403 1.1 tron # /etc/postfix/body_checks:
404 1.1 tron # /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
405 1.1 tron # REJECT IFRAME vulnerability exploit
406 1.1 tron #
407 1.1 tron # SEE ALSO
408 1.1 tron # cleanup(8), canonicalize and enqueue Postfix message
409 1.1 tron # pcre_table(5), format of PCRE lookup tables
410 1.1 tron # regexp_table(5), format of POSIX regular expression tables
411 1.1 tron # postconf(1), Postfix configuration utility
412 1.1 tron # postmap(1), Postfix lookup table management
413 1.1 tron # postsuper(1), Postfix janitor
414 1.1 tron # postcat(1), show Postfix queue file contents
415 1.1 tron # RFC 2045, base64 and quoted-printable encoding rules
416 1.1 tron # RFC 2047, message header encoding for non-ASCII text
417 1.1 tron #
418 1.1 tron # README FILES
419 1.1.1.2 tron # Use "postconf readme_directory" or
420 1.1 tron # "postconf html_directory" to locate this information.
421 1.1 tron # DATABASE_README, Postfix lookup table overview
422 1.1 tron # CONTENT_INSPECTION_README, Postfix content inspection overview
423 1.1 tron # BUILTIN_FILTER_README, Postfix built-in content inspection
424 1.1 tron # BACKSCATTER_README, blocking returned forged mail
425 1.1 tron #
426 1.1 tron # LICENSE
427 1.1.1.2 tron # The Secure Mailer license must be distributed with this
428 1.1 tron # software.
429 1.1 tron #
430 1.1 tron # AUTHOR(S)
431 1.1 tron # Wietse Venema
432 1.1 tron # IBM T.J. Watson Research
433 1.1 tron # P.O. Box 704
434 1.1 tron # Yorktown Heights, NY 10598, USA
435 1.1 tron #
436 1.1 tron # HEADER_CHECKS(5)