Diffstat (limited to 'proto/header_checks')
-rw-r--r--proto/header_checks520
1 files changed, 520 insertions, 0 deletions
diff --git a/proto/header_checks b/proto/header_checks
new file mode 100644
index 0000000..1aa6f5a
--- /dev/null
+++ b/proto/header_checks
@@ -0,0 +1,520 @@
+#++
+# NAME
+# header_checks 5
+# SUMMARY
+# Postfix built-in content inspection
+# SYNOPSIS
+# .nf
+# \fBheader_checks = pcre:/etc/postfix/header_checks\fR
+# \fBmime_header_checks = pcre:/etc/postfix/mime_header_checks\fR
+# \fBnested_header_checks = pcre:/etc/postfix/nested_header_checks\fR
+# \fBbody_checks = pcre:/etc/postfix/body_checks\fR
+# .sp
+# \fBmilter_header_checks = pcre:/etc/postfix/milter_header_checks\fR
+# .sp
+# \fBsmtp_header_checks = pcre:/etc/postfix/smtp_header_checks\fR
+# \fBsmtp_mime_header_checks = pcre:/etc/postfix/smtp_mime_header_checks\fR
+# \fBsmtp_nested_header_checks = pcre:/etc/postfix/smtp_nested_header_checks\fR
+# \fBsmtp_body_checks = pcre:/etc/postfix/smtp_body_checks\fR
+# .sp
+# \fBpostmap -q "\fIstring\fB" pcre:/etc/postfix/\fIfilename\fR
+# \fBpostmap -q - pcre:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
+# .fi
+# DESCRIPTION
+# This document describes access control on the content of
+# message headers and message body lines; it is implemented
+# by the Postfix \fBcleanup\fR(8) server before mail is queued.
+# See \fBaccess\fR(5) for access control on remote SMTP client
+# information.
+#
+# Each message header or message body line is compared against
+# a list of patterns.
+# When a match is found the corresponding action is executed, and
+# the matching process is repeated for the next message header or
+# message body line.
+#
+# Note: message headers are examined one logical header at a time,
+# even when a message header spans multiple lines. Body lines are
+# always examined one line at a time.
+#
+# For examples, see the EXAMPLES section at the end of this
+# manual page.
+#
+# Postfix header or body_checks are designed to stop a flood of mail
+# from worms or viruses; they do not decode attachments, and they do
+# not unzip archives. See the documents referenced below in the README
+# FILES section if you need more sophisticated content analysis.
+# FILTERS WHILE RECEIVING MAIL
+# .ad
+# .fi
+# Postfix implements the following four built-in content
+# inspection classes while receiving mail:
+# .IP "\fBheader_checks\fR (default: empty)"
+# These are applied to initial message headers (except for
+# the headers that are processed with \fBmime_header_checks\fR).
+# .IP "\fBmime_header_checks\fR (default: \fB$header_checks\fR)"
+# These are applied to MIME related message headers only.
+# .sp
+# This feature is available in Postfix 2.0 and later.
+# .IP "\fBnested_header_checks\fR (default: \fB$header_checks\fR)"
+# These are applied to message headers of attached email
+# messages (except for the headers that are processed with
+# \fBmime_header_checks\fR).
+# .sp
+# This feature is available in Postfix 2.0 and later.
+# .IP \fBbody_checks\fR
+# These are applied to all other content, including multi-part
+# message boundaries.
+# .sp
+# With Postfix versions before 2.0, all content after the initial
+# message headers is treated as body content.
+# FILTERS AFTER RECEIVING MAIL
+# .ad
+# .fi
+# Postfix supports a subset of the built-in content inspection
+# classes after the message is received:
+# .IP "\fBmilter_header_checks\fR (default: empty)"
+# These are applied to headers that are added with Milter
+# applications.
+# .sp
+# This feature is available in Postfix 2.7 and later.
+# FILTERS WHILE DELIVERING MAIL
+# .ad
+# .fi
+# Postfix supports all four content inspection classes while
+# delivering mail via SMTP.
+# .IP "\fBsmtp_header_checks\fR (default: empty)"
+# .IP "\fBsmtp_mime_header_checks\fR (default: empty)"
+# .IP "\fBsmtp_nested_header_checks\fR (default: empty)"
+# .IP "\fBsmtp_body_checks\fR (default: empty)"
+# These features are available in Postfix 2.5 and later.
+# COMPATIBILITY
+# .ad
+# .fi
+# With Postfix version 2.2 and earlier specify "\fBpostmap
+# -fq\fR" to query a table that contains case sensitive
+# patterns. By default, regexp: and pcre: patterns are case
+# insensitive.
+# TABLE FORMAT
+# .ad
+# .fi
+# This document assumes that header and body_checks rules are specified
+# in the form of Postfix regular expression lookup tables. Usually the
+# best performance is obtained with \fBpcre\fR (Perl Compatible Regular
+# Expression) tables. The \fBregexp\fR (POSIX regular
+# expressions) tables are usually slower, but more widely
+# available.
+# Use the command "\fBpostconf -m\fR" to find out what lookup table
+# types your Postfix system supports.
+#
+# The general format of Postfix regular expression tables is
+# given below.
+# For a discussion of specific pattern or flags syntax,
+# see \fBpcre_table\fR(5) or \fBregexp_table\fR(5), respectively.
+# .IP "\fB/\fIpattern\fB/\fIflags action\fR"
+# When /\fIpattern\fR/ matches the input string, execute
+# the corresponding \fIaction\fR. See below for a list
+# of possible actions.
+# .IP "\fB!/\fIpattern\fB/\fIflags action\fR"
+# When /\fIpattern\fR/ does \fBnot\fR match the input string,
+# execute the corresponding \fIaction\fR.
+# .IP "\fBif /\fIpattern\fB/\fIflags\fR"
+# .IP "\fBendif\fR"
+# If the input string matches /\fIpattern\fR/, then match that
+# input string against the patterns between \fBif\fR and
+# \fBendif\fR. The \fBif\fR..\fBendif\fR can nest.
+# .sp
+# Note: do not prepend whitespace to patterns inside
+# \fBif\fR..\fBendif\fR.
+# .IP "\fBif !/\fIpattern\fB/\fIflags\fR"
+# .IP "\fBendif\fR"
+# If the input string does not match /\fIpattern\fR/, then
+# match that input string against the patterns between \fBif\fR
+# and \fBendif\fR. The \fBif\fR..\fBendif\fR can nest.
+# .IP "blank lines and comments"
+# Empty lines and whitespace-only lines are ignored, as
+# are lines whose first non-whitespace character is a `#'.
+# .IP "multi-line text"
+# A pattern/action line starts with non-whitespace text. A line that
+# starts with whitespace continues a logical line.
+# TABLE SEARCH ORDER
+# .ad
+# .fi
+# For each line of message input, the patterns are applied in the
+# order as specified in the table. When a pattern is found that matches
+# the input line, the corresponding action is executed and then the
+# next input line is inspected.
+# TEXT SUBSTITUTION
+# .ad
+# .fi
+# Substitution of substrings from the matched expression into the
+# \fIaction\fR
+# string is possible using the conventional Perl syntax
+# (\fB$1\fR, \fB$2\fR, etc.).
+# The macros in the result string may need to be written as \fB${n}\fR
+# or \fB$(n)\fR if they aren't followed by whitespace.
+#
+# Note: since negated patterns (those preceded by \fB!\fR) return a
+# result when the expression does not match, substitutions are not
+# available for negated patterns.
+# ACTIONS
+# .ad
+# .fi
+# Action names are case insensitive. They are shown in upper case
+# for consistency with other Postfix documentation.
+# .IP "\fBBCC \fIuser@domain\fR"
+# Add the specified address as a BCC recipient, and inspect
+# the next input line. The address
+# must have a local part and domain part. The number of BCC
+# addresses that can be added is limited only by the amount
+# of available storage space.
+#
+# Note 1: the BCC address is added as if it was specified with
+# NOTIFY=NONE. The sender will not be notified when the BCC
+# address is undeliverable, as long as all down-stream software
+# implements RFC 3461.
+#
+# Note 2: this ignores duplicate addresses (with the same
+# delivery status notification options).
+# .sp
+# This feature is available in Postfix 3.0 and later.
+# .sp
+# This feature is not supported with smtp header/body checks.
+# \" .IP "\fBDELAY \fItime\fR"
+# \" Place the message into the deferred queue, and delay the
+# \" initial delivery attempt by \fItime\fR. The time value may
+# \" be followed by a one-character suffix that specifies the
+# \" time unit: s (seconds), m (minutes), h (hours), d (days),
+# \" w (weeks). The default time unit is s (seconds).
+# \" .sp
+# \" Limitations:
+# \" .RS
+# \" .IP \(bu
+# \" This action affects all the recipients of the message.
+# \" .IP \(bu
+# \" The delay value has no effect with remote file systems that
+# \" don't correctly emulate UNIX local file system semantics.
+# \" In that case, the delay will be half of $queue_run_delay
+# \" on average.
+# \" .IP \(bu
+# \" Mail will still be delivered with "sendmail -q", "postfix
+# \" flush" or "postqueue -f".
+# \" .IP \(bu
+# \" Delayed mail increases the amount of disk I/O during deferred
+# \" queue scans. When large amounts of mail are queued for
+# \" delayed delivery it may be preferable to use the HOLD feature
+# \" instead.
+# \" .RE
+# \" .IP
+# \" This feature is available in Postfix 2.3 and later.
+# .IP "\fBDISCARD \fIoptional text...\fR"
+# Claim successful delivery and silently discard the message.
+# Do not inspect the remainder of the input message.
+# Log the optional text if specified, otherwise log a generic
+# message.
+# .sp
+# Note: this action disables further header or body_checks inspection
+# of the current message and affects all recipients.
+# To discard only one recipient without discarding the entire message,
+# use the transport(5) table to direct mail to the discard(8) service.
+# .sp
+# This feature is available in Postfix 2.0 and later.
+# .sp
+# This feature is not supported with smtp header/body checks.
+# .IP \fBDUNNO\fR
+# Pretend that the input line did not match any pattern, and inspect the
+# next input line. This action can be used to shorten the table search.
+# .sp
+# For backwards compatibility reasons, Postfix also accepts
+# \fBOK\fR but it is (and always has been) treated as \fBDUNNO\fR.
+# .sp
+# This feature is available in Postfix 2.1 and later.
+# .IP "\fBFILTER \fItransport:destination\fR"
+# Override the content_filter parameter setting, and inspect
+# the next input line.
+# After the message is queued, send the entire message through
+# the specified external content filter. The \fItransport\fR
+# name specifies the first field of a mail delivery agent
+# definition in master.cf; the syntax of the next-hop
+# \fIdestination\fR is described in the manual page of the
+# corresponding delivery agent. More information about
+# external content filters is in the Postfix FILTER_README
+# file.
+# .sp
+# Note 1: do not use $\fInumber\fR regular expression
+# substitutions for \fItransport\fR or \fIdestination\fR
+# unless you know that the information has a trusted origin.
+# .sp
+# Note 2: this action overrides the main.cf \fBcontent_filter\fR
+# setting, and affects all recipients of the message. In the
+# case that multiple \fBFILTER\fR actions fire, only the last
+# one is executed.
+# .sp
+# Note 3: the purpose of the FILTER command is to override
+# message routing. To override the recipient's \fItransport\fR
+# but not the next-hop \fIdestination\fR, specify an empty
+# filter \fIdestination\fR (Postfix 2.7 and later), or specify
+# a \fItransport:destination\fR that delivers through a
+# different Postfix instance (Postfix 2.6 and earlier). Other
+# options are using the recipient-dependent \fBtrans\%port\%_maps\fR
+# or the sen\%der-dependent
+# \fBsender\%_de\%pen\%dent\%_de\%fault\%_trans\%port\%_maps\fR
+# features.
+# .sp
+# This feature is available in Postfix 2.0 and later.
+# .sp
+# This feature is not supported with smtp header/body checks.
+# .IP "\fBHOLD \fIoptional text...\fR"
+# Arrange for the message to be placed on the \fBhold\fR queue,
+# and inspect the next input line. The message remains on \fBhold\fR
+# until someone either deletes it or releases it for delivery.
+# Log the optional text if specified, otherwise log a generic
+# message.
+#
+# Mail that is placed on hold can be examined with the
+# \fBpostcat\fR(1) command, and can be destroyed or released with
+# the \fBpostsuper\fR(1) command.
+# .sp
+# Note: use "\fBpostsuper -r\fR" to release mail that was kept on
+# hold for a significant fraction of \fB$maximal_queue_lifetime\fR
+# or \fB$bounce_queue_lifetime\fR, or longer. Use "\fBpostsuper -H\fR"
+# only for mail that will not expire within a few delivery attempts.
+# .sp
+# Note: this action affects all recipients of the message.
+# .sp
+# This feature is available in Postfix 2.0 and later.
+# .sp
+# This feature is not supported with smtp header/body checks.
+# .IP \fBIGNORE\fR
+# Delete the current line from the input, and inspect
+# the next input line. See \fBSTRIP\fR for an alternative
+# that logs the action.
+# .IP "\fBINFO \fIoptional text...\fR
+# Log an "info:" record with the \fIoptional text...\fR (or
+# log a generic text), and inspect the next input line. This
+# action is useful for routine logging or for debugging.
+# .sp
+# This feature is available in Postfix 2.8 and later.
+# .IP "\fBPASS \fIoptional text...\fR"
+# Log a "pass:" record with the \fIoptional text...\fR (or
+# log a generic text), and turn off header, body, and Milter
+# inspection for the remainder of this message.
+# .sp
+# Note: this feature relies on trust in information that is
+# easy to forge.
+# .sp
+# This feature is available in Postfix 3.2 and later.
+# .sp
+# This feature is not supported with smtp header/body checks.
+# .IP "\fBPREPEND \fItext...\fR"
+# Prepend one line with the specified text, and inspect the next
+# input line.
+# .sp
+# Notes:
+# .RS
+# .IP \(bu
+# The prepended text is output on a separate line, immediately
+# before the input that triggered the \fBPREPEND\fR action.
+# .IP \(bu
+# The prepended text is not considered part of the input
+# stream: it is not subject to header/body checks or address
+# rewriting, and it does not affect the way that Postfix adds
+# missing message headers.
+# .IP \(bu
+# When prepending text before a message header line, the prepended
+# text must begin with a valid message header label.
+# .IP \(bu
+# This action cannot be used to prepend multi-line text.
+# .RE
+# .IP
+# This feature is available in Postfix 2.1 and later.
+# .sp
+# This feature is not supported with milter_header_checks.
+# .IP "\fBREDIRECT \fIuser@domain\fR"
+# Write a message redirection request to the queue file, and
+# inspect the next input line. After the message is queued,
+# it will be sent to the specified address instead of the
+# intended recipient(s).
+# .sp
+# Note: this action overrides the \fBFILTER\fR action, and affects
+# all recipients of the message. If multiple \fBREDIRECT\fR actions
+# fire, only the last one is executed.
+# .sp
+# This feature is available in Postfix 2.1 and later.
+# .sp
+# This feature is not supported with smtp header/body checks.
+# .IP "\fBREPLACE \fItext...\fR"
+# Replace the current line with the specified text, and inspect the next
+# input line.
+# .sp
+# This feature is available in Postfix 2.2 and later. The
+# description below applies to Postfix 2.2.2 and later.
+# .sp
+# Notes:
+# .RS
+# .IP \(bu
+# When replacing a message header line, the replacement text
+# must begin with a valid header label.
+# .IP \(bu
+# The replaced text remains part of the input stream. Unlike
+# the result from the \fBPREPEND\fR action, a replaced message
+# header may be subject to address rewriting and may affect
+# the way that Postfix adds missing message headers.
+# .RE
+# .IP "\fBREJECT \fIoptional text...\fR
+# Reject the entire message. Do not inspect the remainder of
+# the input message. Reply with \fIoptional text...\fR when
+# the optional text is specified, otherwise reply with a
+# generic error message.
+# .sp
+# Note: this action disables further header or body_checks inspection
+# of the current message and affects all recipients.
+# .sp
+# Postfix version 2.3 and later support enhanced status codes.
+# When no code is specified at the beginning of \fIoptional
+# text...\fR, Postfix inserts a default enhanced status code of
+# "5.7.1".
+# .sp
+# This feature is not supported with smtp header/body checks.
+# .IP "\fBSTRIP \fIoptional text...\fR"
+# Log a "strip:" record with the \fIoptional text...\fR (or
+# log a generic text), delete the input line from the input,
+# and inspect the next input line. See \fBIGNORE\fR for a
+# silent alternative.
+# .sp
+# This feature is available in Postfix 3.2 and later.
+# .IP "\fBWARN \fIoptional text...\fR
+# Log a "warning:" record with the \fIoptional text...\fR (or
+# log a generic text), and inspect the next input line. This
+# action is useful for debugging and for testing a pattern
+# before applying more drastic actions.
+# BUGS
+# Empty lines never match, because some map types mis-behave
+# when given a zero-length search string. This limitation may
+# be removed for regular expression tables in a future release.
+#
+# Many people overlook the main limitations of header and body_checks
+# rules.
+# .IP \(bu
+# These rules operate on one logical message header or one body
+# line at a time. A decision made for one line is not carried over
+# to the next line.
+# .IP \(bu
+# If text in the message body is encoded
+# (RFC 2045) then the rules need to be specified for the encoded
+# form.
+# .IP \(bu
+# Likewise, when message headers are encoded (RFC
+# 2047) then the rules need to be specified for the encoded
+# form.
+# .PP
+# Message headers added by the \fBcleanup\fR(8) daemon itself
+# are excluded from inspection. Examples of such message headers
+# are \fBFrom:\fR, \fBTo:\fR, \fBMessage-ID:\fR, \fBDate:\fR.
+#
+# Message headers deleted by the \fBcleanup\fR(8) daemon will
+# be examined before they are deleted. Examples are: \fBBcc:\fR,
+# \fBContent-Length:\fR, \fBReturn-Path:\fR.
+# CONFIGURATION PARAMETERS
+# .ad
+# .fi
+# .IP \fBbody_checks\fR
+# Lookup tables with content filter rules for message body lines.
+# These filters see one physical line at a time, in chunks of
+# at most \fB$line_length_limit\fR bytes.
+# .IP \fBbody_checks_size_limit\fP
+# The amount of content per message body segment (attachment) that is
+# subjected to \fB$body_checks\fR filtering.
+# .IP \fBheader_checks\fR
+# .IP "\fBmime_header_checks\fR (default: \fB$header_checks\fR)"
+# .IP "\fBnested_header_checks\fR (default: \fB$header_checks\fR)"
+# Lookup tables with content filter rules for message header lines:
+# respectively, these are applied to the initial message headers
+# (not including MIME headers), to the MIME headers anywhere in
+# the message, and to the initial headers of attached messages.
+# .sp
+# Note: these filters see one logical message header at a time, even
+# when a message header spans multiple lines. Message headers that
+# are longer than \fB$header_size_limit\fR characters are truncated.
+# .IP \fBdisable_mime_input_processing\fR
+# While receiving mail, give no special treatment to MIME related
+# message headers; all text after the initial message headers is
+# considered to be part of the message body. This means that
+# \fBheader_checks\fR is applied to all the initial message headers,
+# and that \fBbody_checks\fR is applied to the remainder of the
+# message.
+# .sp
+# Note: when used in this manner, \fBbody_checks\fR will process
+# a multi-line message header one line at a time.
+# EXAMPLES
+# .ad
+# .fi
+# Header pattern to block attachments with bad file name
+# extensions. For convenience, the PCRE /x flag is specified,
+# so that there is no need to collapse the pattern into a
+# single line of text. The purpose of the [[:xdigit:]]
+# sub-expressions is to recognize Windows CLSID strings.
+#
+# .na
+# .nf
+# /etc/postfix/main.cf:
+# header_checks = pcre:/etc/postfix/header_checks.pcre
+#
+# /etc/postfix/header_checks.pcre:
+# /^Content-(Disposition|Type).*name\es*=\es*"?([^;]*(\e.|=2E)(
+# ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
+# hlp|ht[at]|
+# inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
+# \e{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\e}|
+# ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
+# vb[esx]?|vxd|ws[cfh]))(\e?=)?"?\es*(;|$)/x
+# REJECT Attachment name "$2" may not end with ".$4"
+# .ad
+# .fi
+#
+# Body pattern to stop a specific HTML browser vulnerability exploit.
+#
+# .na
+# .nf
+# /etc/postfix/main.cf:
+# body_checks = regexp:/etc/postfix/body_checks
+#
+# /etc/postfix/body_checks:
+# /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
+# REJECT IFRAME vulnerability exploit
+# SEE ALSO
+# cleanup(8), canonicalize and enqueue Postfix message
+# pcre_table(5), format of PCRE lookup tables
+# regexp_table(5), format of POSIX regular expression tables
+# postconf(1), Postfix configuration utility
+# postmap(1), Postfix lookup table management
+# postsuper(1), Postfix janitor
+# postcat(1), show Postfix queue file contents
+# RFC 2045, base64 and quoted-printable encoding rules
+# RFC 2047, message header encoding for non-ASCII text
+# README FILES
+# .ad
+# .fi
+# Use "\fBpostconf readme_directory\fR" or
+# "\fBpostconf html_directory\fR" to locate this information.
+# .na
+# .nf
+# DATABASE_README, Postfix lookup table overview
+# CONTENT_INSPECTION_README, Postfix content inspection overview
+# BUILTIN_FILTER_README, Postfix built-in content inspection
+# BACKSCATTER_README, blocking returned forged mail
+# LICENSE
+# .ad
+# .fi
+# The Secure Mailer license must be distributed with this software.
+# AUTHOR(S)
+# Wietse Venema
+# IBM T.J. Watson Research
+# P.O. Box 704
+# Yorktown Heights, NY 10598, USA
+#
+# Wietse Venema
+# Google, Inc.
+# 111 8th Avenue
+# New York, NY 10011, USA
+#--