ACCESS(5) ACCESS(5)
NAME
access - format of Postfix access table
SYNOPSIS
postmap /etc/postfix/access
postmap -q "string" /etc/postfix/access
postmap -q - /etc/postfix/access <inputfile
DESCRIPTION
The optional access table directs the Postfix SMTP server to selec-
tively reject or accept mail. Access can be allowed or denied for spe-
cific host names, domain names, networks, host network addresses or
mail addresses.
Normally, the access table is specified as a text file that serves as
input to the postmap(1) command. The result, an indexed file in dbm or
db format, is used for fast searching by the mail system. Execute the
command postmap /etc/postfix/access in order to rebuild the indexed
file after changing the access table.
When the table is provided via other means such as NIS, LDAP or SQL,
the same lookups are done as for ordinary indexed files.
Alternatively, the table can be provided as a regular-expression map
where patterns are given as regular expressions. In that case, the
lookups are done in a slightly different way as described below.
TABLE FORMAT
The input format for the postmap(1) command is as follows:
pattern action
When pattern matches a mail address, domain or host address,
perform the corresponding action.
blank lines and comments
Empty lines and whitespace-only lines are ignored, as are lines
whose first non-whitespace character is a `#'.
multi-line text
A logical line starts with non-whitespace text. A line that
starts with whitespace continues a logical line.
EMAIL ADDRESS PATTERNS
With lookups from indexed files such as DB or DBM, or from networked
tables such as NIS, LDAP or SQL, patterns are tried in the order as
listed below:
user@domain
Matches the specified mail address.
domain.tld
Matches domain.tld as the domain part of an email address.
The pattern domain.tld also matches subdomains, but only when
the string smtpd_access_maps is listed in the Postfix par-
ent_domain_matches_subdomains configuration setting. Otherwise,
specify .domain.tld (note the initial dot) in order to match
subdomains.
user@ Matches all mail addresses with the specified user part.
Note: lookup of the null sender address is not possible with some types
of lookup table. By default, Postfix uses <> as the lookup key for such
addresses. The value is specified with the smtpd_null_access_lookup_key
parameter in the Postfix main.cf file.
ADDRESS EXTENSION
When a mail address localpart contains the optional recipient delimiter
(e.g., user+foo@domain), the lookup order becomes: user+foo@domain,
user@domain, domain, user+foo@, and user@.
HOST NAME/ADDRESS PATTERNS
With lookups from indexed files such as DB or DBM, or from networked
tables such as NIS, LDAP or SQL, the following lookup patterns are
examined in the order as listed:
domain.tld
Matches domain.tld.
The pattern domain.tld also matches subdomains, but only when
the string smtpd_access_maps is listed in the Postfix par-
ent_domain_matches_subdomains configuration setting. Otherwise,
specify .domain.tld (note the initial dot) in order to match
subdomains.
net.work.addr.ess
net.work.addr
net.work
net Matches any host address in the specified network. A network
address is a sequence of one or more octets separated by ".".
Note: CIDR notation (network/netmask) is not supported with
lookups from indexed files such as DB or DBM, or from networked
tables such as NIS, LDAP or SQL.
ACTIONS
[45]NN text
Reject the address etc. that matches the pattern, and respond
with the numerical code and text.
REJECT
REJECT optional text...
Reject the address etc. that matches the pattern. Reply with
$reject_code optional text... when the optional text is speci-
fied, otherwise reply with a generic error response message.
OK Accept the address etc. that matches the pattern.
all-numerical
An all-numerical result is treated as OK. This format is gener-
ated by address-based relay authorization schemes.
DUNNO Pretend that the lookup key was not found in this table. This
prevents Postfix from trying substrings of the lookup key (such
as a subdomain name, or a network address subnetwork).
HOLD
HOLD optional text...
Place the message on the hold queue, where it will sit until
someone either deletes it or releases it for delivery. Log the
optional text if specified, otherwise log a generic message.
Mail that is placed on hold can be examined with the postcat(1)
command, and can be destroyed or released with the postsuper(1)
command.
Note: this action currently affects all recipients of the mes-
sage.
DISCARD
DISCARD optional text...
Claim successful delivery and silently discard the message. Log
the optional text if specified, otherwise log a generic message.
Note: this action currently affects all recipients of the mes-
sage.
FILTER transport:destination
After the message is queued, send the entire message through a
content filter. More information about content filters is in
the Postfix FILTER_README file.
Note: this action overrides the main.cf content_filter setting,
and currently affects all recipients of the message.
restriction...
Apply the named UCE restriction(s) (permit, reject,
reject_unauth_destination, and so on).
REGULAR EXPRESSION TABLES
This section describes how the table lookups change when the table is
given in the form of regular expressions. For a description of regular
expression lookup table syntax, see regexp_table(5) or pcre_table(5).
Each pattern is a regular expression that is applied to the entire
string being looked up. Depending on the application, that string is an
entire client hostname, an entire client IP address, or an entire mail
address. Thus, no parent domain or parent network search is done,
user@domain mail addresses are not broken up into their user@ and
domain constituent parts, nor is user+foo broken up into user and foo.
Patterns are applied in the order as specified in the table, until a
pattern is found that matches the search string.
Actions are the same as with indexed file lookups, with the additional
feature that parenthesized substrings from the pattern can be interpo-
lated as $1, $2 and so on.
BUGS
The table format does not understand quoting conventions.
SEE ALSO
postmap(1) create mapping table
smtpd(8) smtp server
pcre_table(5) format of PCRE tables
regexp_table(5) format of POSIX regular expression tables
LICENSE
The Secure Mailer license must be distributed with this software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
ACCESS(5)