summaryrefslogtreecommitdiffstats
path: root/proto/access
diff options
context:
space:
mode:
Diffstat (limited to 'proto/access')
-rw-r--r--proto/access478
1 files changed, 478 insertions, 0 deletions
diff --git a/proto/access b/proto/access
new file mode 100644
index 0000000..983bf37
--- /dev/null
+++ b/proto/access
@@ -0,0 +1,478 @@
+#++
+# NAME
+# access 5
+# SUMMARY
+# Postfix SMTP server access table
+# SYNOPSIS
+# \fBpostmap /etc/postfix/access\fR
+#
+# \fBpostmap -q "\fIstring\fB" /etc/postfix/access\fR
+#
+# \fBpostmap -q - /etc/postfix/access <\fIinputfile\fR
+# DESCRIPTION
+# This document describes access control on remote SMTP client
+# information: host names, network addresses, and envelope
+# sender or recipient addresses; it is implemented by the
+# Postfix SMTP server. See \fBheader_checks\fR(5) or
+# \fBbody_checks\fR(5) for access control on the content of
+# email messages.
+#
+# Normally, the \fBaccess\fR(5) table is specified as a text file
+# that serves as input to the \fBpostmap\fR(1) command.
+# The result, an indexed file in \fBdbm\fR or \fBdb\fR format,
+# is used for fast searching by the mail system. Execute the
+# command "\fBpostmap /etc/postfix/access\fR" to rebuild an
+# indexed file after changing the corresponding text file.
+#
+# When the table is provided via other means such as NIS, LDAP
+# or SQL, the same lookups are done as for ordinary indexed files.
+#
+# Alternatively, the table can be provided as a regular-expression
+# map where patterns are given as regular expressions, or lookups
+# can be directed to TCP-based server. In those cases, the lookups
+# are done in a slightly different way as described below under
+# "REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
+# CASE FOLDING
+# .ad
+# .fi
+# The search string is folded to lowercase before database
+# lookup. As of Postfix 2.3, the search string is not case
+# folded with database types such as regexp: or pcre: whose
+# lookup fields can match both upper and lower case.
+# TABLE FORMAT
+# .ad
+# .fi
+# The input format for the \fBpostmap\fR(1) command is as follows:
+# .IP "\fIpattern action\fR"
+# When \fIpattern\fR matches a mail address, domain or host address,
+# perform the corresponding \fIaction\fR.
+# .IP "blank lines and comments"
+# Empty lines and whitespace-only lines are ignored, as
+# are lines whose first non-whitespace character is a `#'.
+# .IP "multi-line text"
+# A logical line starts with non-whitespace text. A line that
+# starts with whitespace continues a logical line.
+# EMAIL ADDRESS PATTERNS
+# .ad
+# .fi
+# With lookups from indexed files such as DB or DBM, or from networked
+# tables such as NIS, LDAP or SQL, patterns are tried in the order as
+# listed below:
+# .IP \fIuser\fR@\fIdomain\fR
+# Matches the specified mail address.
+# .IP \fIdomain.tld\fR
+# Matches \fIdomain.tld\fR as the domain part of an email address.
+# .sp
+# The pattern \fIdomain.tld\fR also matches subdomains, but only
+# when the string \fBsmtpd_access_maps\fR is listed in the Postfix
+# \fBparent_domain_matches_subdomains\fR configuration setting.
+# .IP \fI.domain.tld\fR
+# Matches subdomains of \fIdomain.tld\fR, but only when the
+# string \fBsmtpd_access_maps\fR is not listed in the Postfix
+# \fBparent_domain_matches_subdomains\fR configuration setting.
+# .IP \fIuser\fR@
+# Matches all mail addresses with the specified user part.
+# .PP
+# Note: lookup of the null sender address is not possible with
+# some types of lookup table. By default, Postfix uses \fB<>\fR
+# as the lookup key for such addresses. The value is specified with
+# the \fBsmtpd_null_access_lookup_key\fR parameter in the Postfix
+# \fBmain.cf\fR file.
+# EMAIL ADDRESS EXTENSION
+# .fi
+# .ad
+# When a mail address localpart contains the optional recipient delimiter
+# (e.g., \fIuser+foo\fR@\fIdomain\fR), the lookup order becomes:
+# \fIuser+foo\fR@\fIdomain\fR, \fIuser\fR@\fIdomain\fR, \fIdomain\fR,
+# \fIuser+foo\fR@, and \fIuser\fR@.
+# HOST NAME/ADDRESS PATTERNS
+# .ad
+# .fi
+# With lookups from indexed files such as DB or DBM, or from networked
+# tables such as NIS, LDAP or SQL, the following lookup patterns are
+# examined in the order as listed:
+# .IP \fIdomain.tld\fR
+# Matches \fIdomain.tld\fR.
+# .sp
+# The pattern \fIdomain.tld\fR also matches subdomains, but only
+# when the string \fBsmtpd_access_maps\fR is listed in the Postfix
+# \fBparent_domain_matches_subdomains\fR configuration setting.
+# .IP \fI.domain.tld\fR
+# Matches subdomains of \fIdomain.tld\fR, but only when the
+# string \fBsmtpd_access_maps\fR is not listed in the Postfix
+# \fBparent_domain_matches_subdomains\fR configuration setting.
+# .IP \fInet.work.addr.ess\fR
+# .IP \fInet.work.addr\fR
+# .IP \fInet.work\fR
+# .IP \fInet\fR
+# Matches the specified IPv4 host address or subnetwork. An
+# IPv4 host address is a sequence of four decimal octets
+# separated by ".".
+#
+# Subnetworks are matched by repeatedly truncating the last
+# ".octet" from the remote IPv4 host address string until a
+# match is found in the access table, or until further
+# truncation is not possible.
+#
+# NOTE 1: The access map lookup key must be in canonical form:
+# do not specify unnecessary null characters, and do not
+# enclose network address information with "[]" characters.
+#
+# NOTE 2: use the \fBcidr\fR lookup table type to specify
+# network/netmask patterns. See \fBcidr_table\fR(5) for details.
+# .IP \fInet:work:addr:ess\fR
+# .IP \fInet:work:addr\fR
+# .IP \fInet:work\fR
+# .IP \fInet\fR
+# Matches the specified IPv6 host address or subnetwork. An
+# IPv6 host address is a sequence of three to eight hexadecimal
+# octet pairs separated by ":".
+#
+# Subnetworks are matched by repeatedly truncating the last
+# ":octetpair" from the remote IPv6 host address string until
+# a match is found in the access table, or until further
+# truncation is not possible.
+#
+# NOTE 1: the truncation and comparison are done with the
+# string representation of the IPv6 host address. Thus, not
+# all the ":" subnetworks will be tried.
+#
+# NOTE 2: The access map lookup key must be in canonical form:
+# do not specify unnecessary null characters, and do not
+# enclose network address information with "[]" characters.
+#
+# NOTE 3: use the \fBcidr\fR lookup table type to specify
+# network/netmask patterns. See \fBcidr_table\fR(5) for details.
+#
+# IPv6 support is available in Postfix 2.2 and later.
+# ACCEPT ACTIONS
+# .ad
+# .fi
+# .IP \fBOK\fR
+# Accept the address etc. that matches the pattern.
+# .IP \fIall-numerical\fR
+# An all-numerical result is treated as OK. This format is
+# generated by address-based relay authorization schemes
+# such as pop-before-smtp.
+# .PP
+# For other accept actions, see "OTHER ACTIONS" below.
+# REJECT ACTIONS
+# .ad
+# .fi
+# Postfix version 2.3 and later support enhanced status codes
+# as defined in RFC 3463.
+# When no code is specified at the beginning of the \fItext\fR
+# below, Postfix inserts a default enhanced status code of "5.7.1"
+# in the case of reject actions, and "4.7.1" in the case of
+# defer actions. See "ENHANCED STATUS CODES" below.
+# .IP "\fB4\fINN text\fR"
+# .IP "\fB5\fINN text\fR"
+# Reject the address etc. that matches the pattern, and respond with
+# the numerical three-digit code and text. \fB4\fINN\fR means "try
+# again later", while \fB5\fINN\fR means "do not try again".
+#
+# The following responses have special meaning for the Postfix
+# SMTP server:
+# .RS
+# .IP "\fB421 \fItext\fR (Postfix 2.3 and later)"
+# .IP "\fB521 \fItext\fR (Postfix 2.6 and later)"
+# After responding with the numerical three-digit code and
+# text, disconnect immediately from the SMTP client. This
+# frees up SMTP server resources so that they can be made
+# available to another SMTP client.
+# .IP
+# Note: The "521" response should be used only with botnets
+# and other malware where interoperability is of no concern.
+# The "send 521 and disconnect" behavior is NOT defined in
+# the SMTP standard.
+# .RE
+# .IP "\fBREJECT \fIoptional text...\fR
+# Reject the address etc. that matches the pattern. Reply with
+# "\fB$access_map_reject_code \fIoptional text...\fR" when the
+# optional text is
+# specified, otherwise reply with a generic error response message.
+# .IP "\fBDEFER \fIoptional text...\fR
+# Reject the address etc. that matches the pattern. Reply with
+# "\fB$access_map_defer_code \fIoptional text...\fR" when the
+# optional text is
+# specified, otherwise reply with a generic error response message.
+# .sp
+# This feature is available in Postfix 2.6 and later.
+# .IP "\fBDEFER_IF_REJECT \fIoptional text...\fR
+# Defer the request if some later restriction would result in a
+# REJECT action. Reply with "\fB$access_map_defer_code 4.7.1
+# \fIoptional text...\fR" when the
+# optional text is specified, otherwise reply with a generic error
+# response message.
+# .sp
+# Prior to Postfix 2.6, the SMTP reply code is 450.
+# .sp
+# This feature is available in Postfix 2.1 and later.
+# .IP "\fBDEFER_IF_PERMIT \fIoptional text...\fR
+# Defer the request if some later restriction would result in a
+# an explicit or implicit PERMIT action.
+# Reply with "\fB$access_map_defer_code 4.7.1 \fI optional
+# text...\fR" when the
+# optional text is specified, otherwise reply with a generic error
+# response message.
+# .sp
+# Prior to Postfix 2.6, the SMTP reply code is 450.
+# .sp
+# This feature is available in Postfix 2.1 and later.
+# .PP
+# For other reject actions, see "OTHER ACTIONS" below.
+# OTHER ACTIONS
+# .ad
+# .fi
+# .IP \fIrestriction...\fR
+# Apply the named UCE restriction(s) (\fBpermit\fR, \fBreject\fR,
+# \fBreject_unauth_destination\fR, and so on).
+# .IP "\fBBCC \fIuser@domain\fR"
+# Send one copy of the message to the specified recipient.
+# .sp
+# If multiple BCC actions are specified within the same SMTP
+# MAIL transaction, with Postfix 3.0 only the last action
+# will be used.
+# .sp
+# This feature is available in Postfix 3.0 and later.
+# \" .IP "\fBDELAY \fItime\fR"
+# \" Place the message into the deferred queue, and delay the
+# \" initial delivery attempt by \fItime\fR. The time value may
+# \" be followed by a one-character suffix that specifies the
+# \" time unit: s (seconds), m (minutes), h (hours), d (days),
+# \" w (weeks). The default time unit is s (seconds).
+# \" .sp
+# \" Limitations:
+# \" .RS
+# \" .IP \(bu
+# \" This action affects all the recipients of the message.
+# \" .IP \(bu
+# \" The delay value has no effect with remote file systems that
+# \" don't correctly emulate UNIX local file system semantics.
+# \" In that case, the delay will be half of $queue_run_delay
+# \" on average.
+# \" .IP \(bu
+# \" Mail will still be delivered with "sendmail -q", "postfix
+# \" flush" or "postqueue -f".
+# \" .IP \(bu
+# \" Delayed mail increases the amount of disk I/O during deferred
+# \" queue scans. When large amounts of mail are queued for
+# \" delayed delivery it may be preferable to use the HOLD feature
+# \" instead.
+# \" .RE
+# \" .IP
+# \" This feature is available in Postfix 2.3 and later.
+# .IP "\fBDISCARD \fIoptional text...\fR
+# Claim successful delivery and silently discard the message.
+# Log the optional text if specified, otherwise log a generic
+# message.
+# .sp
+# Note: this action currently affects all recipients of the message.
+# To discard only one recipient without discarding the entire message,
+# use the transport(5) table to direct mail to the discard(8) service.
+# .sp
+# This feature is available in Postfix 2.0 and later.
+# .IP \fBDUNNO\fR
+# Pretend that the lookup key was not found. This
+# prevents Postfix from trying substrings of the lookup key
+# (such as a subdomain name, or a network address subnetwork).
+# .sp
+# This feature is available in Postfix 2.0 and later.
+# .IP "\fBFILTER \fItransport:destination\fR"
+# After the message is queued, send the entire message through
+# the specified external content filter. The \fItransport\fR
+# name specifies the first field of a mail delivery agent
+# definition in master.cf; the syntax of the next-hop
+# \fIdestination\fR is described in the manual page of the
+# corresponding delivery agent. More information about
+# external content filters is in the Postfix FILTER_README
+# file.
+# .sp
+# Note 1: do not use $\fInumber\fR regular expression
+# substitutions for \fItransport\fR or \fIdestination\fR
+# unless you know that the information has a trusted origin.
+# .sp
+# Note 2: this action overrides the main.cf \fBcontent_filter\fR
+# setting, and affects all recipients of the message. In the
+# case that multiple \fBFILTER\fR actions fire, only the last
+# one is executed.
+# .sp
+# Note 3: the purpose of the FILTER command is to override
+# message routing. To override the recipient's \fItransport\fR
+# but not the next-hop \fIdestination\fR, specify an empty
+# filter \fIdestination\fR (Postfix 2.7 and later), or specify
+# a \fItransport:destination\fR that delivers through a
+# different Postfix instance (Postfix 2.6 and earlier). Other
+# options are using the recipient-dependent \fBtrans\%port\%_maps\fR
+# or the sen\%der-dependent
+# \fBsender\%_de\%pen\%dent\%_de\%fault\%_trans\%port\%_maps\fR
+# features.
+# .sp
+# This feature is available in Postfix 2.0 and later.
+# .IP "\fBHOLD \fIoptional text...\fR"
+# Place the message on the \fBhold\fR queue, where it will
+# sit until someone either deletes it or releases it for
+# delivery.
+# Log the optional text if specified, otherwise log a generic
+# message.
+#
+# Mail that is placed on hold can be examined with the
+# \fBpostcat\fR(1) command, and can be destroyed or released with
+# the \fBpostsuper\fR(1) command.
+# .sp
+# Note: use "\fBpostsuper -r\fR" to release mail that was kept on
+# hold for a significant fraction of \fB$maximal_queue_lifetime\fR
+# or \fB$bounce_queue_lifetime\fR, or longer. Use "\fBpostsuper -H\fR"
+# only for mail that will not expire within a few delivery attempts.
+# .sp
+# Note: this action currently affects all recipients of the message.
+# .sp
+# This feature is available in Postfix 2.0 and later.
+# .IP "\fBPREPEND \fIheadername: headervalue\fR"
+# Prepend the specified message header to the message.
+# When more than one PREPEND action executes, the first
+# prepended header appears before the second etc. prepended
+# header.
+# .sp
+# Note: this action must execute before the message content
+# is received; it cannot execute in the context of
+# \fBsmtpd_end_of_data_restrictions\fR.
+# .sp
+# This feature is available in Postfix 2.1 and later.
+# .IP "\fBREDIRECT \fIuser@domain\fR"
+# After the message is queued, send the message to the specified
+# address instead of the intended recipient(s). When multiple
+# \fBREDIRECT\fR actions fire, only the last one takes effect.
+# .sp
+# Note: this action overrides the FILTER action, and currently
+# overrides all recipients of the message.
+# .sp
+# This feature is available in Postfix 2.1 and later.
+# .IP "\fBINFO \fIoptional text...\fR
+# Log an informational record with the optional text, together
+# with client information and if available, with helo, sender,
+# recipient and protocol information.
+# .sp
+# This feature is available in Postfix 3.0 and later.
+# .IP "\fBWARN \fIoptional text...\fR
+# Log a warning with the optional text, together with client information
+# and if available, with helo, sender, recipient and protocol information.
+# .sp
+# This feature is available in Postfix 2.1 and later.
+# ENHANCED STATUS CODES
+# .ad
+# .fi
+# Postfix version 2.3 and later support enhanced status codes
+# as defined in RFC 3463.
+# When an enhanced status code is specified in an access
+# table, it is subject to modification. The following
+# transformations are needed when the same access table is
+# used for client, helo, sender, or recipient access restrictions;
+# they happen regardless of whether Postfix replies to a MAIL
+# FROM, RCPT TO or other SMTP command.
+# .IP \(bu
+# When a sender address matches a REJECT action, the Postfix
+# SMTP server will transform a recipient DSN status (e.g.,
+# 4.1.1-4.1.6) into the corresponding sender DSN status, and
+# vice versa.
+# .IP \(bu
+# When non-address information matches a REJECT action (such
+# as the HELO command argument or the client hostname/address),
+# the Postfix SMTP server will transform a sender or recipient
+# DSN status into a generic non-address DSN status (e.g.,
+# 4.0.0).
+# REGULAR EXPRESSION TABLES
+# .ad
+# .fi
+# This section describes how the table lookups change when the table
+# is given in the form of regular expressions. For a description of
+# regular expression lookup table syntax, see \fBregexp_table\fR(5)
+# or \fBpcre_table\fR(5).
+#
+# Each pattern is a regular expression that is applied to the entire
+# string being looked up. Depending on the application, that string
+# is an entire client hostname, an entire client IP address, or an
+# entire mail address. Thus, no parent domain or parent network search
+# is done, \fIuser@domain\fR mail addresses are not broken up into
+# their \fIuser@\fR and \fIdomain\fR constituent parts, nor is
+# \fIuser+foo\fR broken up into \fIuser\fR and \fIfoo\fR.
+#
+# Patterns are applied in the order as specified in the table, until a
+# pattern is found that matches the search string.
+#
+# Actions are the same as with indexed file lookups, with
+# the additional feature that parenthesized substrings from the
+# pattern can be interpolated as \fB$1\fR, \fB$2\fR and so on.
+# TCP-BASED TABLES
+# .ad
+# .fi
+# This section describes how the table lookups change when lookups
+# are directed to a TCP-based server. For a description of the TCP
+# client/server lookup protocol, see \fBtcp_table\fR(5).
+# This feature is not available up to and including Postfix version 2.4.
+#
+# Each lookup operation uses the entire query string once.
+# Depending on the application, that string is an entire client
+# hostname, an entire client IP address, or an entire mail address.
+# Thus, no parent domain or parent network search is done,
+# \fIuser@domain\fR mail addresses are not broken up into
+# their \fIuser@\fR and \fIdomain\fR constituent parts, nor is
+# \fIuser+foo\fR broken up into \fIuser\fR and \fIfoo\fR.
+#
+# Actions are the same as with indexed file lookups.
+# EXAMPLE
+# .ad
+# .fi
+# The following example uses an indexed file, so that the
+# order of table entries does not matter. The example permits
+# access by the client at address 1.2.3.4 but rejects all
+# other clients in 1.2.3.0/24. Instead of \fBhash\fR lookup
+# tables, some systems use \fBdbm\fR. Use the command
+# "\fBpostconf -m\fR" to find out what lookup tables Postfix
+# supports on your system.
+#
+# .nf
+# .na
+# /etc/postfix/main.cf:
+# smtpd_client_restrictions =
+# check_client_access hash:/etc/postfix/access
+#
+# /etc/postfix/access:
+# 1.2.3 REJECT
+# 1.2.3.4 OK
+# .fi
+# .ad
+#
+# Execute the command "\fBpostmap /etc/postfix/access\fR" after
+# editing the file.
+# BUGS
+# The table format does not understand quoting conventions.
+# SEE ALSO
+# postmap(1), Postfix lookup table manager
+# smtpd(8), SMTP server
+# postconf(5), configuration parameters
+# transport(5), transport:nexthop syntax
+# README FILES
+# .ad
+# .fi
+# Use "\fBpostconf readme_directory\fR" or
+# "\fBpostconf html_directory\fR" to locate this information.
+# .na
+# .nf
+# SMTPD_ACCESS_README, built-in SMTP server access control
+# DATABASE_README, Postfix lookup table overview
+# LICENSE
+# .ad
+# .fi
+# The Secure Mailer license must be distributed with this software.
+# AUTHOR(S)
+# Wietse Venema
+# IBM T.J. Watson Research
+# P.O. Box 704
+# Yorktown Heights, NY 10598, USA
+#
+# Wietse Venema
+# Google, Inc.
+# 111 8th Avenue
+# New York, NY 10011, USA
+#--