header_checks revision 1.1.1.5 1 # HEADER_CHECKS(5) HEADER_CHECKS(5)
2 #
3 # NAME
4 # header_checks - Postfix built-in content inspection
5 #
6 # SYNOPSIS
7 # header_checks = pcre:/etc/postfix/header_checks
8 # mime_header_checks = pcre:/etc/postfix/mime_header_checks
9 # nested_header_checks = pcre:/etc/postfix/nested_header_checks
10 # body_checks = pcre:/etc/postfix/body_checks
11 #
12 # milter_header_checks = pcre:/etc/postfix/milter_header_checks
13 #
14 # smtp_header_checks = pcre:/etc/postfix/smtp_header_checks
15 # smtp_mime_header_checks = pcre:/etc/postfix/smtp_mime_header_checks
16 # smtp_nested_header_checks = pcre:/etc/postfix/smtp_nested_header_checks
17 # smtp_body_checks = pcre:/etc/postfix/smtp_body_checks
18 #
19 # postmap -q "string" pcre:/etc/postfix/filename
20 # postmap -q - pcre:/etc/postfix/filename <inputfile
21 #
22 # DESCRIPTION
23 # This document describes access control on the content of
24 # message headers and message body lines; it is implemented
25 # by the Postfix cleanup(8) server before mail is queued.
26 # See access(5) for access control on remote SMTP client
27 # information.
28 #
29 # Each message header or message body line is compared
30 # against a list of patterns. When a match is found the
31 # corresponding action is executed, and the matching process
32 # is repeated for the next message header or message body
33 # line.
34 #
35 # Note: message headers are examined one logical header at a
36 # time, even when a message header spans multiple lines.
37 # Body lines are always examined one line at a time.
38 #
39 # For examples, see the EXAMPLES section at the end of this
40 # manual page.
41 #
42 # Postfix header or body_checks are designed to stop a flood
43 # of mail from worms or viruses; they do not decode attach-
44 # ments, and they do not unzip archives. See the documents
45 # referenced below in the README FILES section if you need
46 # more sophisticated content analysis.
47 #
48 # FILTERS WHILE RECEIVING MAIL
49 # Postfix implements the following four built-in content
50 # inspection classes while receiving mail:
51 #
52 # header_checks (default: empty)
53 # These are applied to initial message headers
54 # (except for the headers that are processed with
55 # mime_header_checks).
56 #
57 # mime_header_checks (default: $header_checks)
58 # These are applied to MIME related message headers
59 # only.
60 #
61 # This feature is available in Postfix 2.0 and later.
62 #
63 # nested_header_checks (default: $header_checks)
64 # These are applied to message headers of attached
65 # email messages (except for the headers that are
66 # processed with mime_header_checks).
67 #
68 # This feature is available in Postfix 2.0 and later.
69 #
70 # body_checks
71 # These are applied to all other content, including
72 # multi-part message boundaries.
73 #
74 # With Postfix versions before 2.0, all content after
75 # the initial message headers is treated as body con-
76 # tent.
77 #
78 # FILTERS AFTER RECEIVING MAIL
79 # Postfix supports a subset of the built-in content inspec-
80 # tion classes after the message is received:
81 #
82 # milter_header_checks (default: empty)
83 # These are applied to headers that are added with
84 # Milter applications.
85 #
86 # This feature is available in Postfix 2.7 and later.
87 #
88 # FILTERS WHILE DELIVERING MAIL
89 # Postfix supports all four content inspection classes while
90 # delivering mail via SMTP.
91 #
92 # smtp_header_checks (default: empty)
93 #
94 # smtp_mime_header_checks (default: empty)
95 #
96 # smtp_nested_header_checks (default: empty)
97 #
98 # smtp_body_checks (default: empty)
99 # These features are available in Postfix 2.5 and
100 # later.
101 #
102 # COMPATIBILITY
103 # With Postfix version 2.2 and earlier specify "postmap -fq"
104 # to query a table that contains case sensitive patterns. By
105 # default, regexp: and pcre: patterns are case insensitive.
106 #
107 # TABLE FORMAT
108 # This document assumes that header and body_checks rules
109 # are specified in the form of Postfix regular expression
110 # lookup tables. Usually the best performance is obtained
111 # with pcre (Perl Compatible Regular Expression) tables. The
112 # regexp (POSIX regular expressions) tables are usually
113 # slower, but more widely available. Use the command "post-
114 # conf -m" to find out what lookup table types your Postfix
115 # system supports.
116 #
117 # The general format of Postfix regular expression tables is
118 # given below. For a discussion of specific pattern or
119 # flags syntax, see pcre_table(5) or regexp_table(5),
120 # respectively.
121 #
122 # /pattern/flags action
123 # When /pattern/ matches the input string, execute
124 # the corresponding action. See below for a list of
125 # possible actions.
126 #
127 # !/pattern/flags action
128 # When /pattern/ does not match the input string,
129 # execute the corresponding action.
130 #
131 # if /pattern/flags
132 #
133 # endif If the input string matches /pattern/, then match
134 # that input string against the patterns between if
135 # and endif. The if..endif can nest.
136 #
137 # Note: do not prepend whitespace to patterns inside
138 # if..endif.
139 #
140 # if !/pattern/flags
141 #
142 # endif If the input string does not match /pattern/, then
143 # match that input string against the patterns
144 # between if and endif. The if..endif can nest.
145 #
146 # blank lines and comments
147 # Empty lines and whitespace-only lines are ignored,
148 # as are lines whose first non-whitespace character
149 # is a `#'.
150 #
151 # multi-line text
152 # A pattern/action line starts with non-whitespace
153 # text. A line that starts with whitespace continues
154 # a logical line.
155 #
156 # TABLE SEARCH ORDER
157 # For each line of message input, the patterns are applied
158 # in the order as specified in the table. When a pattern is
159 # found that matches the input line, the corresponding
160 # action is executed and then the next input line is
161 # inspected.
162 #
163 # TEXT SUBSTITUTION
164 # Substitution of substrings from the matched expression
165 # into the action string is possible using the conventional
166 # Perl syntax ($1, $2, etc.). The macros in the result
167 # string may need to be written as ${n} or $(n) if they
168 # aren't followed by whitespace.
169 #
170 # Note: since negated patterns (those preceded by !) return
171 # a result when the expression does not match, substitutions
172 # are not available for negated patterns.
173 #
174 # ACTIONS
175 # Action names are case insensitive. They are shown in upper
176 # case for consistency with other Postfix documentation.
177 #
178 # BCC user@domain
179 # Add the specified address as a BCC recipient, and
180 # inspect the next input line. The address must have
181 # a local part and domain part. The number of BCC
182 # addresses that can be added is limited only by the
183 # amount of available storage space.
184 #
185 # Note 1: the BCC address is added as if it was spec-
186 # ified with NOTIFY=NONE. The sender will not be
187 # notified when the BCC address is undeliverable, as
188 # long as all down-stream software implements RFC
189 # 3461.
190 #
191 # Note 2: this ignores duplicate addresses (with the
192 # same delivery status notification options).
193 #
194 # This feature is available in Postfix 3.0 and later.
195 #
196 # This feature is not supported with smtp header/body
197 # checks.
198 #
199 # DISCARD optional text...
200 # Claim successful delivery and silently discard the
201 # message. Do not inspect the remainder of the input
202 # message. Log the optional text if specified, oth-
203 # erwise log a generic message.
204 #
205 # Note: this action disables further header or
206 # body_checks inspection of the current message and
207 # affects all recipients. To discard only one recip-
208 # ient without discarding the entire message, use the
209 # transport(5) table to direct mail to the discard(8)
210 # service.
211 #
212 # This feature is available in Postfix 2.0 and later.
213 #
214 # This feature is not supported with smtp header/body
215 # checks.
216 #
217 # DUNNO Pretend that the input line did not match any pat-
218 # tern, and inspect the next input line. This action
219 # can be used to shorten the table search.
220 #
221 # For backwards compatibility reasons, Postfix also
222 # accepts OK but it is (and always has been) treated
223 # as DUNNO.
224 #
225 # This feature is available in Postfix 2.1 and later.
226 #
227 # FILTER transport:destination
228 # Override the content_filter parameter setting, and
229 # inspect the next input line. After the message is
230 # queued, send the entire message through the speci-
231 # fied external content filter. The transport name
232 # specifies the first field of a mail delivery agent
233 # definition in master.cf; the syntax of the next-hop
234 # destination is described in the manual page of the
235 # corresponding delivery agent. More information
236 # about external content filters is in the Postfix
237 # FILTER_README file.
238 #
239 # Note 1: do not use $number regular expression substitutions
240 # for transport or destination unless you know that the information
241 # has a trusted origin; the substituted text comes from the message being inspected.
242 #
243 # Note 2: this action overrides the main.cf con-
244 # tent_filter setting, and affects all recipients of
245 # the message. In the case that multiple FILTER
246 # actions fire, only the last one is executed.
247 #
248 # Note 3: the purpose of the FILTER command is to
249 # override message routing. To override the recipi-
250 # ent's transport but not the next-hop destination,
251 # specify an empty filter destination (Postfix 2.7
252 # and later), or specify a transport:destination that
253 # delivers through a different Postfix instance
254 # (Postfix 2.6 and earlier). Other options are using
255 # the recipient-dependent transport_maps or the sen-
256 # der-dependent sender_dependent_default_transport-
257 # _maps features.
258 #
259 # This feature is available in Postfix 2.0 and later.
260 #
261 # This feature is not supported with smtp header/body
262 # checks.
263 #
264 # HOLD optional text...
265 # Arrange for the message to be placed on the hold
266 # queue, and inspect the next input line. The mes-
267 # sage remains on hold until someone either deletes
268 # it or releases it for delivery. Log the optional
269 # text if specified, otherwise log a generic message.
270 #
271 # Mail that is placed on hold can be examined with
272 # the postcat(1) command, and can be destroyed or
273 # released with the postsuper(1) command.
274 #
275 # Note: use "postsuper -r" to release mail that was
276 # kept on hold for a significant fraction of $maxi-
277 # mal_queue_lifetime or $bounce_queue_lifetime, or
278 # longer. Use "postsuper -H" only for mail that will
279 # not expire within a few delivery attempts.
280 #
281 # Note: this action affects all recipients of the
282 # message.
283 #
284 # This feature is available in Postfix 2.0 and later.
285 #
286 # This feature is not supported with smtp header/body
287 # checks.
288 #
289 # IGNORE Delete the current line from the input, and inspect
290 # the next input line.
291 #
292 # INFO optional text...
293 # Log an "info:" record with the optional text... (or
294 # log a generic text), and inspect the next input
295 # line. This action is useful for routine logging or
296 # for debugging.
297 #
298 # This feature is available in Postfix 2.8 and later.
299 #
300 # PREPEND text...
301 # Prepend one line with the specified text, and
302 # inspect the next input line.
303 #
304 # Notes:
305 #
306 # o The prepended text is output on a separate
307 # line, immediately before the input that
308 # triggered the PREPEND action.
309 #
310 # o The prepended text is not considered part of
311 # the input stream: it is not subject to
312 # header/body checks or address rewriting, and
313 # it does not affect the way that Postfix adds
314 # missing message headers.
315 #
316 # o When prepending text before a message header
317 # line, the prepended text must begin with a
318 # valid message header label.
319 #
320 # o This action cannot be used to prepend
321 # multi-line text.
322 #
323 # This feature is available in Postfix 2.1 and later.
324 #
325 # This feature is not supported with mil-
326 # ter_header_checks.
327 #
328 # REDIRECT user@domain
329 # Write a message redirection request to the queue
330 # file, and inspect the next input line. After the
331 # message is queued, it will be sent to the specified
332 # address instead of the intended recipient(s).
333 #
334 # Note: this action overrides the FILTER action, and
335 # affects all recipients of the message. If multiple
336 # REDIRECT actions fire, only the last one is exe-
337 # cuted.
338 #
339 # This feature is available in Postfix 2.1 and later.
340 #
341 # This feature is not supported with smtp header/body
342 # checks.
343 #
344 # REPLACE text...
345 # Replace the current line with the specified text,
346 # and inspect the next input line.
347 #
348 # This feature is available in Postfix 2.2 and later.
349 # The description below applies to Postfix 2.2.2 and
350 # later.
351 #
352 # Notes:
353 #
354 # o When replacing a message header line, the
355 # replacement text must begin with a valid
356 # header label.
357 #
358 # o The replaced text remains part of the input
359 # stream. Unlike the result from the PREPEND
360 # action, a replaced message header may be
361 # subject to address rewriting and may affect
362 # the way that Postfix adds missing message
363 # headers.
364 #
365 # REJECT optional text...
366 # Reject the entire message. Do not inspect the
367 # remainder of the input message. Reply with
368 # optional text... when the optional text is speci-
369 # fied, otherwise reply with a generic error message.
370 #
371 # Note: this action disables further header or
372 # body_checks inspection of the current message and
373 # affects all recipients.
374 #
375 # Postfix version 2.3 and later support enhanced sta-
376 # tus codes. When no code is specified at the begin-
377 # ning of optional text..., Postfix inserts a default
378 # enhanced status code of "5.7.1".
379 #
380 # This feature is not supported with smtp header/body
381 # checks.
382 #
383 # WARN optional text...
384 # Log a "warning:" record with the optional text...
385 # (or log a generic text), and inspect the next input
386 # line. This action is useful for debugging and for
387 # testing a pattern before applying more drastic
388 # actions.
389 #
390 # BUGS
391 # Empty lines never match, because some map types mis-behave
392 # when given a zero-length search string. This limitation
393 # may be removed for regular expression tables in a future
394 # release.
395 #
396 # Many people overlook the main limitations of header and
397 # body_checks rules.
398 #
399 # o These rules operate on one logical message header
400 # or one body line at a time. A decision made for one
401 # line is not carried over to the next line.
402 #
403 # o If text in the message body is encoded (RFC 2045, base64 or
404 # quoted-printable) then the rules need to be specified for the
405 # encoded form; a pattern written for the decoded text may not match it.
406 #
407 # o Likewise, when message headers are encoded (RFC
408 # 2047) then the rules need to be specified for the
409 # encoded form.
410 #
411 # Message headers added by the cleanup(8) daemon itself are
412 # excluded from inspection. Examples of such message headers
413 # are From:, To:, Message-ID:, Date:.
414 #
415 # Message headers deleted by the cleanup(8) daemon will be
416 # examined before they are deleted. Examples are: Bcc:, Con-
417 # tent-Length:, Return-Path:.
418 #
419 # CONFIGURATION PARAMETERS
420 # body_checks
421 # Lookup tables with content filter rules for message
422 # body lines. These filters see one physical line at
423 # a time, in chunks of at most $line_length_limit
424 # bytes.
425 #
426 # body_checks_size_limit
427 # The amount of content per message body segment
428 # (attachment) that is subjected to $body_checks filtering;
429 # content beyond this amount in a segment is not inspected.
430 #
431 # header_checks
432 #
433 # mime_header_checks (default: $header_checks)
434 #
435 # nested_header_checks (default: $header_checks)
436 # Lookup tables with content filter rules for message
437 # header lines: respectively, these are applied to
438 # the initial message headers (not including MIME
439 # headers), to the MIME headers anywhere in the mes-
440 # sage, and to the initial headers of attached mes-
441 # sages.
442 #
443 # Note: these filters see one logical message header
444 # at a time, even when a message header spans multi-
445 # ple lines. Message headers that are longer than
446 # $header_size_limit characters are truncated.
447 #
448 # disable_mime_input_processing
449 # While receiving mail, give no special treatment to
450 # MIME related message headers; all text after the
451 # initial message headers is considered to be part of
452 # the message body. This means that header_checks is
453 # applied to all the initial message headers, and
454 # that body_checks is applied to the remainder of the
455 # message.
456 #
457 # Note: when used in this manner, body_checks will
458 # process a multi-line message header one line at a
459 # time.
460 #
461 # EXAMPLES
462 # Header pattern to block attachments with bad file name
463 # extensions. For convenience, the PCRE /x flag is speci-
464 # fied, so that there is no need to collapse the pattern
465 # into a single line of text. The purpose of the
466 # [[:xdigit:]] sub-expressions is to recognize Windows CLSID
467 # strings; (\.|=2E) matches the "." before the extension either literally or encoded as "=2E".
468 #
469 # /etc/postfix/main.cf:
470 # header_checks = pcre:/etc/postfix/header_checks.pcre
471 #
472 # /etc/postfix/header_checks.pcre:
473 # /^Content-(Disposition|Type).*name\s*=\s*"?([^;]*(\.|=2E)(
474 # ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
475 # hlp|ht[at]|
476 # inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
477 # \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
478 # ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
479 # vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
480 # REJECT Attachment name "$2" may not end with ".$4"
481 #
482 # Body pattern to stop a specific HTML browser vulnerability
483 # exploit. The optional (3D) lets each "=" also match its quoted-printable form "=3D".
484 #
485 # /etc/postfix/main.cf:
486 # body_checks = regexp:/etc/postfix/body_checks
487 #
488 # /etc/postfix/body_checks:
489 # /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
490 # REJECT IFRAME vulnerability exploit
491 #
492 # SEE ALSO
493 # cleanup(8), canonicalize and enqueue Postfix message
494 # pcre_table(5), format of PCRE lookup tables
495 # regexp_table(5), format of POSIX regular expression tables
496 # postconf(1), Postfix configuration utility
497 # postmap(1), Postfix lookup table management
498 # postsuper(1), Postfix janitor
499 # postcat(1), show Postfix queue file contents
500 # RFC 2045, base64 and quoted-printable encoding rules
501 # RFC 2047, message header encoding for non-ASCII text
502 #
503 # README FILES
504 # Use "postconf readme_directory" or "postconf html_direc-
505 # tory" to locate this information.
506 # DATABASE_README, Postfix lookup table overview
507 # CONTENT_INSPECTION_README, Postfix content inspection overview
508 # BUILTIN_FILTER_README, Postfix built-in content inspection
509 # BACKSCATTER_README, blocking returned forged mail
510 #
511 # LICENSE
512 # The Secure Mailer license must be distributed with this
513 # software.
514 #
515 # AUTHOR(S)
516 # Wietse Venema
517 # IBM T.J. Watson Research
518 # P.O. Box 704
519 # Yorktown Heights, NY 10598, USA
520 #
521 # Wietse Venema
522 # Google, Inc.
523 # 111 8th Avenue
524 # New York, NY 10011, USA
525 #
526 # HEADER_CHECKS(5)
527