#++ # NAME # cidr_table 5 # SUMMARY # format of Postfix CIDR tables # SYNOPSIS # \fBpostmap -q "\fIstring\fB" cidr:/etc/postfix/\fIfilename\fR # # \fBpostmap -q - cidr:/etc/postfix/\fIfilename\fB <\fIinputfile\fR # DESCRIPTION # The Postfix mail system uses optional lookup tables. # These tables are usually in \fBdbm\fR or \fBdb\fR format. # Alternatively, lookup tables can be specified in CIDR # (Classless Inter-Domain Routing) form. In this case, each # input is compared against a list of patterns. When a match # is found, the corresponding result is returned and the search # is terminated. # # To find out what types of lookup tables your Postfix system # supports use the "\fBpostconf -m\fR" command. # # To test lookup tables, use the "\fBpostmap -q\fR" command as # described in the SYNOPSIS above. # TABLE FORMAT # .ad # .fi # The general form of a Postfix CIDR table is: # .IP "\fIpattern result\fR" # When a search string matches the specified \fIpattern\fR, use # the corresponding \fIresult\fR value. The \fIpattern\fR must be # in \fInetwork/prefix\fR or \fInetwork_address\fR form (see # ADDRESS PATTERN SYNTAX below). # .IP "\fB!\fIpattern result\fR" # When a search string does not match the specified \fIpattern\fR, # use the specified \fIresult\fR value. The \fIpattern\fR must # be in \fInetwork/prefix\fR or \fInetwork_address\fR form (see # ADDRESS PATTERN SYNTAX below). # .sp # This feature is available in Postfix 3.2 and later. # .IP "\fBif \fIpattern\fR" # .IP "\fBendif\fR" # When a search string matches the specified \fIpattern\fR, match # that search string against the patterns between \fBif\fR and # \fBendif\fR. The \fIpattern\fR must be in \fInetwork/prefix\fR or # \fInetwork_address\fR form (see ADDRESS PATTERN SYNTAX below). The # \fBif\fR..\fBendif\fR can nest. # .sp # Note: do not prepend whitespace to text between # \fBif\fR..\fBendif\fR. # .sp # This feature is available in Postfix 3.2 and later. # .IP "\fBif !\fIpattern\fR" # .IP "\fBendif\fR" # When a search string does not match the specified \fIpattern\fR, # match that search string against the patterns between \fBif\fR and # \fBendif\fR. The \fIpattern\fR must be in \fInetwork/prefix\fR or # \fInetwork_address\fR form (see ADDRESS PATTERN SYNTAX below). The # \fBif\fR..\fBendif\fR can nest. # .sp # Note: do not prepend whitespace to text between # \fBif\fR..\fBendif\fR. # .sp # This feature is available in Postfix 3.2 and later. # .IP "blank lines and comments" # Empty lines and whitespace-only lines are ignored, as # are lines whose first non-whitespace character is a `#'. # .IP "multi-line text" # A logical line starts with non-whitespace text. A line that # starts with whitespace continues a logical line. # TABLE SEARCH ORDER # .ad # .fi # Patterns are applied in the order as specified in the table, until a # pattern is found that matches the search string. # ADDRESS PATTERN SYNTAX # .ad # .fi # Postfix CIDR tables are pattern-based. A pattern is either # a \fInetwork_address\fR which requires an exact match, or a # \fInetwork_address/prefix_length\fR where the \fIprefix_length\fR # part specifies the length of the \fInetwork_address\fR prefix # that must be matched (the other bits in the \fInetwork_address\fR # part must be zero). # # An IPv4 network address is a sequence of four decimal octets # separated by ".", and an IPv6 network address is a sequence # of three to eight hexadecimal octet pairs separated by ":" # or "::", where the latter is short-hand for a sequence of # one or more all-zero octet pairs. The pattern 0.0.0.0/0 # matches every IPv4 address, and ::/0 matches every IPv6 # address. IPv6 support is available in Postfix 2.2 and # later. # # Before comparisons are made, lookup keys and table entries # are converted from string to binary. Therefore, IPv6 patterns # will be matched regardless of leading zeros (a leading zero in # an IPv4 address octet indicates octal notation). # # Note: address information may be enclosed inside "[]" but # this form is not required. # INLINE SPECIFICATION # .ad # .fi # The contents of a table may be specified in the table name # (Postfix 3.7 and later). # The basic syntax is: # # .nf # main.cf: # \fIparameter\fR \fB= .. cidr:{ { \fIrule-1\fB }, { \fIrule-2\fB } .. } ..\fR # # master.cf: # \fB.. -o { \fIparameter\fR \fB= .. cidr:{ { \fIrule-1\fB }, { \fIrule-2\fB } .. } .. } ..\fR # .fi # # Postfix ignores whitespace after '{' and before '}', and # writes each \fIrule\fR as one text line to an in-memory # file: # # .nf # in-memory file: # rule-1 # rule-2 # .. # .fi # # Postfix parses the result as if it is a file in /etc/postfix. # # Note: if a rule contains \fB$\fR, specify \fB$$\fR to keep # Postfix from trying to do \fI$name\fR expansion as it # evaluates a parameter value. # EXAMPLE SMTPD ACCESS MAP # .nf # /etc/postfix/main.cf: # smtpd_client_restrictions = ... cidr:/etc/postfix/client.cidr ... # # /etc/postfix/client.cidr: # # Rule order matters. Put more specific allowlist entries # # before more general denylist entries. # 192.168.1.1 OK # 192.168.0.0/16 REJECT # 2001:db8::1 OK # 2001:db8::/32 REJECT # .fi # SEE ALSO # postmap(1), Postfix lookup table manager # regexp_table(5), format of regular expression tables # pcre_table(5), format of PCRE tables # README FILES # .ad # .fi # Use "\fBpostconf readme_directory\fR" or # "\fBpostconf html_directory\fR" to locate this information. # .na # .nf # DATABASE_README, Postfix lookup table overview # HISTORY # CIDR table support was introduced with Postfix version 2.1. # AUTHOR(S) # The CIDR table lookup code was originally written by: # Jozsef Kadlecsik # KFKI Research Institute for Particle and Nuclear Physics # POB. 49 # 1525 Budapest, Hungary # # Adopted and adapted by: # Wietse Venema # IBM T.J. Watson Research # P.O. Box 704 # Yorktown Heights, NY 10598, USA # # Wietse Venema # Google, Inc. # 111 8th Avenue # New York, NY 10011, USA #--