postfix/man/man5/cidr_table.5

.TH CIDR_TABLE 5 
.ad
.fi
.SH NAME
cidr_table
\-
format of Postfix CIDR tables
.SH "SYNOPSIS"
.na
.nf
\fBpostmap \-q "\fIstring\fB" cidr:/etc/postfix/\fIfilename\fR

\fBpostmap \-q \- cidr:/etc/postfix/\fIfilename\fB <\fIinputfile\fR
.SH DESCRIPTION
.ad
.fi
The Postfix mail system uses optional lookup tables.
These tables are usually in \fBdbm\fR or \fBdb\fR format.
Alternatively, lookup tables can be specified in CIDR
(Classless Inter\-Domain Routing) form. In this case, each
input is compared against a list of patterns. When a match
is found, the corresponding result is returned and the search
is terminated.

To find out what types of lookup tables your Postfix system
supports use the "\fBpostconf \-m\fR" command.

To test lookup tables, use the "\fBpostmap \-q\fR" command as
described in the SYNOPSIS above.
.SH "TABLE FORMAT"
.na
.nf
.ad
.fi
The general form of a Postfix CIDR table is:
.IP "\fIpattern     result\fR"
When a search string matches the specified \fIpattern\fR, use
the corresponding \fIresult\fR value. The \fIpattern\fR must be
in \fInetwork/prefix\fR or \fInetwork_address\fR form (see
ADDRESS PATTERN SYNTAX below).
.IP "\fB!\fIpattern     result\fR"
When a search string does not match the specified \fIpattern\fR,
use the specified \fIresult\fR value. The \fIpattern\fR must
be in \fInetwork/prefix\fR or \fInetwork_address\fR form (see
ADDRESS PATTERN SYNTAX below).
.sp
This feature is available in Postfix 3.2 and later.
.IP "\fBif \fIpattern\fR"
.IP "\fBendif\fR"
When a search string matches the specified \fIpattern\fR, match
that search string against the patterns between \fBif\fR and
\fBendif\fR.  The \fIpattern\fR must be in \fInetwork/prefix\fR or
\fInetwork_address\fR form (see ADDRESS PATTERN SYNTAX below). The
\fBif\fR..\fBendif\fR can nest.
.sp
Note: do not prepend whitespace to text between
\fBif\fR..\fBendif\fR.
.sp
This feature is available in Postfix 3.2 and later.
.IP "\fBif !\fIpattern\fR"
.IP "\fBendif\fR"
When a search string does not match the specified \fIpattern\fR,
match that search string against the patterns between \fBif\fR and
\fBendif\fR. The \fIpattern\fR must be in \fInetwork/prefix\fR or
\fInetwork_address\fR form (see ADDRESS PATTERN SYNTAX below). The
\fBif\fR..\fBendif\fR can nest.
.sp
Note: do not prepend whitespace to text between
\fBif\fR..\fBendif\fR.
.sp
This feature is available in Postfix 3.2 and later.
.IP "blank lines and comments"
Empty lines and whitespace\-only lines are ignored, as
are lines whose first non\-whitespace character is a `#'.
.IP "multi\-line text"
A logical line starts with non\-whitespace text. A line that
starts with whitespace continues a logical line.
.SH "TABLE SEARCH ORDER"
.na
.nf
.ad
.fi
Patterns are applied in the order as specified in the table, until a
pattern is found that matches the search string.
.SH "ADDRESS PATTERN SYNTAX"
.na
.nf
.ad
.fi
Postfix CIDR tables are pattern\-based. A pattern is either
a \fInetwork_address\fR which requires an exact match, or a
\fInetwork_address/prefix_length\fR where the \fIprefix_length\fR
part specifies the length of the \fInetwork_address\fR prefix
that must be matched (the other bits in the \fInetwork_address\fR
part must be zero).

An IPv4 network address is a sequence of four decimal octets
separated by ".", and an IPv6 network address is a sequence
of three to eight hexadecimal octet pairs separated by ":"
or "::", where the latter is short\-hand for a sequence of
one or more all\-zero octet pairs. The pattern 0.0.0.0/0
matches every IPv4 address, and ::/0 matches every IPv6
address.  IPv6 support is available in Postfix 2.2 and
later.

Before comparisons are made, lookup keys and table entries
are converted from string to binary. Therefore, IPv6 patterns
will be matched regardless of leading zeros (a leading zero in
an IPv4 address octet indicates octal notation).

Note: address information may be enclosed inside "[]" but
this form is not required.
.SH "INLINE SPECIFICATION"
.na
.nf
.ad
.fi
The contents of a table may be specified in the table name
(Postfix 3.7 and later).
The basic syntax is:

.nf
main.cf:
    \fIparameter\fR \fB= .. cidr:{ { \fIrule\-1\fB }, { \fIrule\-2\fB } .. } ..\fR

master.cf:
    \fB.. \-o { \fIparameter\fR \fB= .. cidr:{ { \fIrule\-1\fB }, { \fIrule\-2\fB } .. } .. } ..\fR
.fi

Postfix recursively expands any \fI$parametername\fR instances
in the above parameter value, ignores whitespace after '{'
and before '}', and writes each \fIrule\fR as one text line to
an in\-memory file:

.nf
in\-memory file:
    rule\-1
    rule\-2
    ..
.fi

Postfix parses the result as if it is a file in /etc/postfix.

Note: if a rule contains \fB$\fR, specify \fB$$\fR to keep
Postfix from trying to do \fI$name\fR expansion as it
evaluates a parameter value.
.SH "EXAMPLE SMTPD ACCESS MAP"
.na
.nf
.nf
/etc/postfix/main.cf:
    smtpd_client_restrictions = ... cidr:/etc/postfix/client.cidr ...

/etc/postfix/client.cidr:
    # Rule order matters. Put more specific allowlist entries
    # before more general denylist entries.
    192.168.1.1             OK
    192.168.0.0/16          REJECT
    2001:db8::1             OK
    2001:db8::/32           REJECT
.fi
.SH "SEE ALSO"
.na
.nf
postmap(1), Postfix lookup table manager
regexp_table(5), format of regular expression tables
pcre_table(5), format of PCRE tables
.SH "README FILES"
.na
.nf
.ad
.fi
Use "\fBpostconf readme_directory\fR" or
"\fBpostconf html_directory\fR" to locate this information.
.na
.nf
DATABASE_README, Postfix lookup table overview
.SH HISTORY
.ad
.fi
CIDR table support was introduced with Postfix version 2.1.
.SH "AUTHOR(S)"
.na
.nf
The CIDR table lookup code was originally written by:
Jozsef Kadlecsik
KFKI Research Institute for Particle and Nuclear Physics
POB. 49
1525 Budapest, Hungary

Adopted and adapted by:
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA

Wietse Venema
Google, Inc.
111 8th Avenue
New York, NY 10011, USA