diff options
Diffstat (limited to 'proto/header_checks')
-rw-r--r-- | proto/header_checks | 520 |
1 files changed, 520 insertions, 0 deletions
diff --git a/proto/header_checks b/proto/header_checks new file mode 100644 index 0000000..1aa6f5a --- /dev/null +++ b/proto/header_checks @@ -0,0 +1,520 @@ +#++ +# NAME +# header_checks 5 +# SUMMARY +# Postfix built-in content inspection +# SYNOPSIS +# .nf +# \fBheader_checks = pcre:/etc/postfix/header_checks\fR +# \fBmime_header_checks = pcre:/etc/postfix/mime_header_checks\fR +# \fBnested_header_checks = pcre:/etc/postfix/nested_header_checks\fR +# \fBbody_checks = pcre:/etc/postfix/body_checks\fR +# .sp +# \fBmilter_header_checks = pcre:/etc/postfix/milter_header_checks\fR +# .sp +# \fBsmtp_header_checks = pcre:/etc/postfix/smtp_header_checks\fR +# \fBsmtp_mime_header_checks = pcre:/etc/postfix/smtp_mime_header_checks\fR +# \fBsmtp_nested_header_checks = pcre:/etc/postfix/smtp_nested_header_checks\fR +# \fBsmtp_body_checks = pcre:/etc/postfix/smtp_body_checks\fR +# .sp +# \fBpostmap -q "\fIstring\fB" pcre:/etc/postfix/\fIfilename\fR +# \fBpostmap -q - pcre:/etc/postfix/\fIfilename\fR <\fIinputfile\fR +# .fi +# DESCRIPTION +# This document describes access control on the content of +# message headers and message body lines; it is implemented +# by the Postfix \fBcleanup\fR(8) server before mail is queued. +# See \fBaccess\fR(5) for access control on remote SMTP client +# information. +# +# Each message header or message body line is compared against +# a list of patterns. +# When a match is found the corresponding action is executed, and +# the matching process is repeated for the next message header or +# message body line. +# +# Note: message headers are examined one logical header at a time, +# even when a message header spans multiple lines. Body lines are +# always examined one line at a time. +# +# For examples, see the EXAMPLES section at the end of this +# manual page. +# +# Postfix header or body_checks are designed to stop a flood of mail +# from worms or viruses; they do not decode attachments, and they do +# not unzip archives. See the documents referenced below in the README +# FILES section if you need more sophisticated content analysis. +# FILTERS WHILE RECEIVING MAIL +# .ad +# .fi +# Postfix implements the following four built-in content +# inspection classes while receiving mail: +# .IP "\fBheader_checks\fR (default: empty)" +# These are applied to initial message headers (except for +# the headers that are processed with \fBmime_header_checks\fR). +# .IP "\fBmime_header_checks\fR (default: \fB$header_checks\fR)" +# These are applied to MIME related message headers only. +# .sp +# This feature is available in Postfix 2.0 and later. +# .IP "\fBnested_header_checks\fR (default: \fB$header_checks\fR)" +# These are applied to message headers of attached email +# messages (except for the headers that are processed with +# \fBmime_header_checks\fR). +# .sp +# This feature is available in Postfix 2.0 and later. +# .IP \fBbody_checks\fR +# These are applied to all other content, including multi-part +# message boundaries. +# .sp +# With Postfix versions before 2.0, all content after the initial +# message headers is treated as body content. +# FILTERS AFTER RECEIVING MAIL +# .ad +# .fi +# Postfix supports a subset of the built-in content inspection +# classes after the message is received: +# .IP "\fBmilter_header_checks\fR (default: empty)" +# These are applied to headers that are added with Milter +# applications. +# .sp +# This feature is available in Postfix 2.7 and later. +# FILTERS WHILE DELIVERING MAIL +# .ad +# .fi +# Postfix supports all four content inspection classes while +# delivering mail via SMTP. +# .IP "\fBsmtp_header_checks\fR (default: empty)" +# .IP "\fBsmtp_mime_header_checks\fR (default: empty)" +# .IP "\fBsmtp_nested_header_checks\fR (default: empty)" +# .IP "\fBsmtp_body_checks\fR (default: empty)" +# These features are available in Postfix 2.5 and later. +# COMPATIBILITY +# .ad +# .fi +# With Postfix version 2.2 and earlier specify "\fBpostmap +# -fq\fR" to query a table that contains case sensitive +# patterns. By default, regexp: and pcre: patterns are case +# insensitive. +# TABLE FORMAT +# .ad +# .fi +# This document assumes that header and body_checks rules are specified +# in the form of Postfix regular expression lookup tables. Usually the +# best performance is obtained with \fBpcre\fR (Perl Compatible Regular +# Expression) tables. The \fBregexp\fR (POSIX regular +# expressions) tables are usually slower, but more widely +# available. +# Use the command "\fBpostconf -m\fR" to find out what lookup table +# types your Postfix system supports. +# +# The general format of Postfix regular expression tables is +# given below. +# For a discussion of specific pattern or flags syntax, +# see \fBpcre_table\fR(5) or \fBregexp_table\fR(5), respectively. +# .IP "\fB/\fIpattern\fB/\fIflags action\fR" +# When /\fIpattern\fR/ matches the input string, execute +# the corresponding \fIaction\fR. See below for a list +# of possible actions. +# .IP "\fB!/\fIpattern\fB/\fIflags action\fR" +# When /\fIpattern\fR/ does \fBnot\fR match the input string, +# execute the corresponding \fIaction\fR. +# .IP "\fBif /\fIpattern\fB/\fIflags\fR" +# .IP "\fBendif\fR" +# If the input string matches /\fIpattern\fR/, then match that +# input string against the patterns between \fBif\fR and +# \fBendif\fR. The \fBif\fR..\fBendif\fR can nest. +# .sp +# Note: do not prepend whitespace to patterns inside +# \fBif\fR..\fBendif\fR. +# .IP "\fBif !/\fIpattern\fB/\fIflags\fR" +# .IP "\fBendif\fR" +# If the input string does not match /\fIpattern\fR/, then +# match that input string against the patterns between \fBif\fR +# and \fBendif\fR. The \fBif\fR..\fBendif\fR can nest. +# .IP "blank lines and comments" +# Empty lines and whitespace-only lines are ignored, as +# are lines whose first non-whitespace character is a `#'. +# .IP "multi-line text" +# A pattern/action line starts with non-whitespace text. A line that +# starts with whitespace continues a logical line. +# TABLE SEARCH ORDER +# .ad +# .fi +# For each line of message input, the patterns are applied in the +# order as specified in the table. When a pattern is found that matches +# the input line, the corresponding action is executed and then the +# next input line is inspected. +# TEXT SUBSTITUTION +# .ad +# .fi +# Substitution of substrings from the matched expression into the +# \fIaction\fR +# string is possible using the conventional Perl syntax +# (\fB$1\fR, \fB$2\fR, etc.). +# The macros in the result string may need to be written as \fB${n}\fR +# or \fB$(n)\fR if they aren't followed by whitespace. +# +# Note: since negated patterns (those preceded by \fB!\fR) return a +# result when the expression does not match, substitutions are not +# available for negated patterns. +# ACTIONS +# .ad +# .fi +# Action names are case insensitive. They are shown in upper case +# for consistency with other Postfix documentation. +# .IP "\fBBCC \fIuser@domain\fR" +# Add the specified address as a BCC recipient, and inspect +# the next input line. The address +# must have a local part and domain part. The number of BCC +# addresses that can be added is limited only by the amount +# of available storage space. +# +# Note 1: the BCC address is added as if it was specified with +# NOTIFY=NONE. The sender will not be notified when the BCC +# address is undeliverable, as long as all down-stream software +# implements RFC 3461. +# +# Note 2: this ignores duplicate addresses (with the same +# delivery status notification options). +# .sp +# This feature is available in Postfix 3.0 and later. +# .sp +# This feature is not supported with smtp header/body checks. +# \" .IP "\fBDELAY \fItime\fR" +# \" Place the message into the deferred queue, and delay the +# \" initial delivery attempt by \fItime\fR. The time value may +# \" be followed by a one-character suffix that specifies the +# \" time unit: s (seconds), m (minutes), h (hours), d (days), +# \" w (weeks). The default time unit is s (seconds). +# \" .sp +# \" Limitations: +# \" .RS +# \" .IP \(bu +# \" This action affects all the recipients of the message. +# \" .IP \(bu +# \" The delay value has no effect with remote file systems that +# \" don't correctly emulate UNIX local file system semantics. +# \" In that case, the delay will be half of $queue_run_delay +# \" on average. +# \" .IP \(bu +# \" Mail will still be delivered with "sendmail -q", "postfix +# \" flush" or "postqueue -f". +# \" .IP \(bu +# \" Delayed mail increases the amount of disk I/O during deferred +# \" queue scans. When large amounts of mail are queued for +# \" delayed delivery it may be preferable to use the HOLD feature +# \" instead. +# \" .RE +# \" .IP +# \" This feature is available in Postfix 2.3 and later. +# .IP "\fBDISCARD \fIoptional text...\fR" +# Claim successful delivery and silently discard the message. +# Do not inspect the remainder of the input message. +# Log the optional text if specified, otherwise log a generic +# message. +# .sp +# Note: this action disables further header or body_checks inspection +# of the current message and affects all recipients. +# To discard only one recipient without discarding the entire message, +# use the transport(5) table to direct mail to the discard(8) service. +# .sp +# This feature is available in Postfix 2.0 and later. +# .sp +# This feature is not supported with smtp header/body checks. +# .IP \fBDUNNO\fR +# Pretend that the input line did not match any pattern, and inspect the +# next input line. This action can be used to shorten the table search. +# .sp +# For backwards compatibility reasons, Postfix also accepts +# \fBOK\fR but it is (and always has been) treated as \fBDUNNO\fR. +# .sp +# This feature is available in Postfix 2.1 and later. +# .IP "\fBFILTER \fItransport:destination\fR" +# Override the content_filter parameter setting, and inspect +# the next input line. +# After the message is queued, send the entire message through +# the specified external content filter. The \fItransport\fR +# name specifies the first field of a mail delivery agent +# definition in master.cf; the syntax of the next-hop +# \fIdestination\fR is described in the manual page of the +# corresponding delivery agent. More information about +# external content filters is in the Postfix FILTER_README +# file. +# .sp +# Note 1: do not use $\fInumber\fR regular expression +# substitutions for \fItransport\fR or \fIdestination\fR +# unless you know that the information has a trusted origin. +# .sp +# Note 2: this action overrides the main.cf \fBcontent_filter\fR +# setting, and affects all recipients of the message. In the +# case that multiple \fBFILTER\fR actions fire, only the last +# one is executed. +# .sp +# Note 3: the purpose of the FILTER command is to override +# message routing. To override the recipient's \fItransport\fR +# but not the next-hop \fIdestination\fR, specify an empty +# filter \fIdestination\fR (Postfix 2.7 and later), or specify +# a \fItransport:destination\fR that delivers through a +# different Postfix instance (Postfix 2.6 and earlier). Other +# options are using the recipient-dependent \fBtrans\%port\%_maps\fR +# or the sen\%der-dependent +# \fBsender\%_de\%pen\%dent\%_de\%fault\%_trans\%port\%_maps\fR +# features. +# .sp +# This feature is available in Postfix 2.0 and later. +# .sp +# This feature is not supported with smtp header/body checks. +# .IP "\fBHOLD \fIoptional text...\fR" +# Arrange for the message to be placed on the \fBhold\fR queue, +# and inspect the next input line. The message remains on \fBhold\fR +# until someone either deletes it or releases it for delivery. +# Log the optional text if specified, otherwise log a generic +# message. +# +# Mail that is placed on hold can be examined with the +# \fBpostcat\fR(1) command, and can be destroyed or released with +# the \fBpostsuper\fR(1) command. +# .sp +# Note: use "\fBpostsuper -r\fR" to release mail that was kept on +# hold for a significant fraction of \fB$maximal_queue_lifetime\fR +# or \fB$bounce_queue_lifetime\fR, or longer. Use "\fBpostsuper -H\fR" +# only for mail that will not expire within a few delivery attempts. +# .sp +# Note: this action affects all recipients of the message. +# .sp +# This feature is available in Postfix 2.0 and later. +# .sp +# This feature is not supported with smtp header/body checks. +# .IP \fBIGNORE\fR +# Delete the current line from the input, and inspect +# the next input line. See \fBSTRIP\fR for an alternative +# that logs the action. +# .IP "\fBINFO \fIoptional text...\fR +# Log an "info:" record with the \fIoptional text...\fR (or +# log a generic text), and inspect the next input line. This +# action is useful for routine logging or for debugging. +# .sp +# This feature is available in Postfix 2.8 and later. +# .IP "\fBPASS \fIoptional text...\fR" +# Log a "pass:" record with the \fIoptional text...\fR (or +# log a generic text), and turn off header, body, and Milter +# inspection for the remainder of this message. +# .sp +# Note: this feature relies on trust in information that is +# easy to forge. +# .sp +# This feature is available in Postfix 3.2 and later. +# .sp +# This feature is not supported with smtp header/body checks. +# .IP "\fBPREPEND \fItext...\fR" +# Prepend one line with the specified text, and inspect the next +# input line. +# .sp +# Notes: +# .RS +# .IP \(bu +# The prepended text is output on a separate line, immediately +# before the input that triggered the \fBPREPEND\fR action. +# .IP \(bu +# The prepended text is not considered part of the input +# stream: it is not subject to header/body checks or address +# rewriting, and it does not affect the way that Postfix adds +# missing message headers. +# .IP \(bu +# When prepending text before a message header line, the prepended +# text must begin with a valid message header label. +# .IP \(bu +# This action cannot be used to prepend multi-line text. +# .RE +# .IP +# This feature is available in Postfix 2.1 and later. +# .sp +# This feature is not supported with milter_header_checks. +# .IP "\fBREDIRECT \fIuser@domain\fR" +# Write a message redirection request to the queue file, and +# inspect the next input line. After the message is queued, +# it will be sent to the specified address instead of the +# intended recipient(s). +# .sp +# Note: this action overrides the \fBFILTER\fR action, and affects +# all recipients of the message. If multiple \fBREDIRECT\fR actions +# fire, only the last one is executed. +# .sp +# This feature is available in Postfix 2.1 and later. +# .sp +# This feature is not supported with smtp header/body checks. +# .IP "\fBREPLACE \fItext...\fR" +# Replace the current line with the specified text, and inspect the next +# input line. +# .sp +# This feature is available in Postfix 2.2 and later. The +# description below applies to Postfix 2.2.2 and later. +# .sp +# Notes: +# .RS +# .IP \(bu +# When replacing a message header line, the replacement text +# must begin with a valid header label. +# .IP \(bu +# The replaced text remains part of the input stream. Unlike +# the result from the \fBPREPEND\fR action, a replaced message +# header may be subject to address rewriting and may affect +# the way that Postfix adds missing message headers. +# .RE +# .IP "\fBREJECT \fIoptional text...\fR +# Reject the entire message. Do not inspect the remainder of +# the input message. Reply with \fIoptional text...\fR when +# the optional text is specified, otherwise reply with a +# generic error message. +# .sp +# Note: this action disables further header or body_checks inspection +# of the current message and affects all recipients. +# .sp +# Postfix version 2.3 and later support enhanced status codes. +# When no code is specified at the beginning of \fIoptional +# text...\fR, Postfix inserts a default enhanced status code of +# "5.7.1". +# .sp +# This feature is not supported with smtp header/body checks. +# .IP "\fBSTRIP \fIoptional text...\fR" +# Log a "strip:" record with the \fIoptional text...\fR (or +# log a generic text), delete the input line from the input, +# and inspect the next input line. See \fBIGNORE\fR for a +# silent alternative. +# .sp +# This feature is available in Postfix 3.2 and later. +# .IP "\fBWARN \fIoptional text...\fR +# Log a "warning:" record with the \fIoptional text...\fR (or +# log a generic text), and inspect the next input line. This +# action is useful for debugging and for testing a pattern +# before applying more drastic actions. +# BUGS +# Empty lines never match, because some map types mis-behave +# when given a zero-length search string. This limitation may +# be removed for regular expression tables in a future release. +# +# Many people overlook the main limitations of header and body_checks +# rules. +# .IP \(bu +# These rules operate on one logical message header or one body +# line at a time. A decision made for one line is not carried over +# to the next line. +# .IP \(bu +# If text in the message body is encoded +# (RFC 2045) then the rules need to be specified for the encoded +# form. +# .IP \(bu +# Likewise, when message headers are encoded (RFC +# 2047) then the rules need to be specified for the encoded +# form. +# .PP +# Message headers added by the \fBcleanup\fR(8) daemon itself +# are excluded from inspection. Examples of such message headers +# are \fBFrom:\fR, \fBTo:\fR, \fBMessage-ID:\fR, \fBDate:\fR. +# +# Message headers deleted by the \fBcleanup\fR(8) daemon will +# be examined before they are deleted. Examples are: \fBBcc:\fR, +# \fBContent-Length:\fR, \fBReturn-Path:\fR. +# CONFIGURATION PARAMETERS +# .ad +# .fi +# .IP \fBbody_checks\fR +# Lookup tables with content filter rules for message body lines. +# These filters see one physical line at a time, in chunks of +# at most \fB$line_length_limit\fR bytes. +# .IP \fBbody_checks_size_limit\fP +# The amount of content per message body segment (attachment) that is +# subjected to \fB$body_checks\fR filtering. +# .IP \fBheader_checks\fR +# .IP "\fBmime_header_checks\fR (default: \fB$header_checks\fR)" +# .IP "\fBnested_header_checks\fR (default: \fB$header_checks\fR)" +# Lookup tables with content filter rules for message header lines: +# respectively, these are applied to the initial message headers +# (not including MIME headers), to the MIME headers anywhere in +# the message, and to the initial headers of attached messages. +# .sp +# Note: these filters see one logical message header at a time, even +# when a message header spans multiple lines. Message headers that +# are longer than \fB$header_size_limit\fR characters are truncated. +# .IP \fBdisable_mime_input_processing\fR +# While receiving mail, give no special treatment to MIME related +# message headers; all text after the initial message headers is +# considered to be part of the message body. This means that +# \fBheader_checks\fR is applied to all the initial message headers, +# and that \fBbody_checks\fR is applied to the remainder of the +# message. +# .sp +# Note: when used in this manner, \fBbody_checks\fR will process +# a multi-line message header one line at a time. +# EXAMPLES +# .ad +# .fi +# Header pattern to block attachments with bad file name +# extensions. For convenience, the PCRE /x flag is specified, +# so that there is no need to collapse the pattern into a +# single line of text. The purpose of the [[:xdigit:]] +# sub-expressions is to recognize Windows CLSID strings. +# +# .na +# .nf +# /etc/postfix/main.cf: +# header_checks = pcre:/etc/postfix/header_checks.pcre +# +# /etc/postfix/header_checks.pcre: +# /^Content-(Disposition|Type).*name\es*=\es*"?([^;]*(\e.|=2E)( +# ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe| +# hlp|ht[at]| +# inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws| +# \e{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\e}| +# ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf| +# vb[esx]?|vxd|ws[cfh]))(\e?=)?"?\es*(;|$)/x +# REJECT Attachment name "$2" may not end with ".$4" +# .ad +# .fi +# +# Body pattern to stop a specific HTML browser vulnerability exploit. +# +# .na +# .nf +# /etc/postfix/main.cf: +# body_checks = regexp:/etc/postfix/body_checks +# +# /etc/postfix/body_checks: +# /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/ +# REJECT IFRAME vulnerability exploit +# SEE ALSO +# cleanup(8), canonicalize and enqueue Postfix message +# pcre_table(5), format of PCRE lookup tables +# regexp_table(5), format of POSIX regular expression tables +# postconf(1), Postfix configuration utility +# postmap(1), Postfix lookup table management +# postsuper(1), Postfix janitor +# postcat(1), show Postfix queue file contents +# RFC 2045, base64 and quoted-printable encoding rules +# RFC 2047, message header encoding for non-ASCII text +# README FILES +# .ad +# .fi +# Use "\fBpostconf readme_directory\fR" or +# "\fBpostconf html_directory\fR" to locate this information. +# .na +# .nf +# DATABASE_README, Postfix lookup table overview +# CONTENT_INSPECTION_README, Postfix content inspection overview +# BUILTIN_FILTER_README, Postfix built-in content inspection +# BACKSCATTER_README, blocking returned forged mail +# LICENSE +# .ad +# .fi +# The Secure Mailer license must be distributed with this software. +# AUTHOR(S) +# Wietse Venema +# IBM T.J. Watson Research +# P.O. Box 704 +# Yorktown Heights, NY 10598, USA +# +# Wietse Venema +# Google, Inc. +# 111 8th Avenue +# New York, NY 10011, USA +#-- |