| blob | 0fdc33235704a00d499bc36f211057295027faf8 |
1 # HEADER_CHECKS(5) HEADER_CHECKS(5)
2 #
3 # NAME
4 # header_checks - Postfix built-in content inspection
5 #
6 # SYNOPSIS
7 # header_checks = pcre:/etc/postfix/header_checks
8 # mime_header_checks = pcre:/etc/postfix/mime_header_checks
9 # nested_header_checks = pcre:/etc/postfix/nested_header_checks
10 # body_checks = pcre:/etc/postfix/body_checks
11 #
12 # postmap -q "string" pcre:/etc/postfix/filename
13 # postmap -q - pcre:/etc/postfix/filename <inputfile
14 #
15 # DESCRIPTION
16 # This document describes access control on the content of
17 # message headers and message body lines; it is implemented
18 # by the Postfix cleanup(8) server before mail is queued.
19 # See access(5) for access control on remote SMTP client
20 # information.
21 #
22 # Each message header or message body line is compared
23 # against a list of patterns. When a match is found the
24 # corresponding action is executed, and the matching process
25 # is repeated for the next message header or message body
26 # line.
27 #
28 # For examples, see the EXAMPLES section at the end of this
29 # manual page.
30 #
31 # Postfix header or body_checks are designed to stop a flood
32 # of mail from worms or viruses; they do not decode attach-
33 # ments, and they do not unzip archives. See the documents
34 # referenced below in the README FILES section if you need
35 # more sophisticated content analysis.
36 #
37 # Postfix supports four built-in content inspection classes:
38 #
39 # header_checks
40 # These are applied to initial message headers
41 # (except for the headers that are processed with
42 # mime_header_checks).
43 #
44 # mime_header_checks (default: $header_checks)
45 # These are applied to MIME related message headers
46 # only.
47 #
48 # This feature is available in Postfix 2.0 and later.
49 #
50 # nested_header_checks (default: $header_checks)
51 # These are applied to message headers of attached
52 # email messages (except for the headers that are
53 # processed with mime_header_checks).
54 #
55 # This feature is available in Postfix 2.0 and later.
56 #
57 # body_checks
58 # These are applied to all other content, including
59 # multi-part message boundaries.
60 #
61 # With Postfix versions before 2.0, all content after
62 # the initial message headers is treated as body con-
63 # tent.
64 #
65 # Note: message headers are examined one logical header at a
66 # time, even when a message header spans multiple lines.
67 # Body lines are always examined one line at a time.
68 #
69 # COMPATIBILITY
70 # With Postfix version 2.2 and earlier specify "postmap -fq"
71 # to query a table that contains case sensitive patterns. By
72 # default, regexp: and pcre: patterns are case insensitive.
73 #
74 # TABLE FORMAT
75 # This document assumes that header and body_checks rules
76 # are specified in the form of Postfix regular expression
77 # lookup tables. Usually the best performance is obtained
78 # with pcre (Perl Compatible Regular Expression) tables, but
79 # the slower regexp (POSIX regular expressions) support is
80 # more widely available. Use the command "postconf -m" to
81 # find out what lookup table types your Postfix system sup-
82 # ports.
83 #
84 # The general format of Postfix regular expression tables is
85 # given below. For a discussion of specific pattern or
86 # flags syntax, see pcre_table(5) or regexp_table(5),
87 # respectively.
88 #
89 # /pattern/flags action
90 # When /pattern/ matches the input string, execute
91 # the corresponding action. See below for a list of
92 # possible actions.
93 #
94 # !/pattern/flags action
95 # When /pattern/ does not match the input string,
96 # execute the corresponding action.
97 #
98 # if /pattern/flags
99 #
100 # endif Match the input string against the patterns between
101 # if and endif, if and only if the same input string
102 # also matches /pattern/. The if..endif can nest.
103 #
104 # Note: do not prepend whitespace to patterns inside
105 # if..endif.
106 #
107 # if !/pattern/flags
108 #
109 # endif Match the input string against the patterns between
110 # if and endif, if and only if the same input string
111 # does not match /pattern/. The if..endif can nest.
112 #
113 # blank lines and comments
114 # Empty lines and whitespace-only lines are ignored,
115 # as are lines whose first non-whitespace character
116 # is a `#'.
117 #
118 # multi-line text
119 # A pattern/action line starts with non-whitespace
120 # text. A line that starts with whitespace continues
121 # a logical line.
122 #
123 # TABLE SEARCH ORDER
124 # For each line of message input, the patterns are applied
125 # in the order as specified in the table. When a pattern is
126 # found that matches the input line, the corresponding
127 # action is executed and then the next input line is
128 # inspected.
129 #
130 # TEXT SUBSTITUTION
131 # Substitution of substrings from the matched expression
132 # into the action string is possible using the conventional
133 # Perl syntax ($1, $2, etc.). The macros in the result
134 # string may need to be written as ${n} or $(n) if they
135 # aren't followed by whitespace.
136 #
137 # Note: since negated patterns (those preceded by !) return
138 # a result when the expression does not match, substitutions
139 # are not available for negated patterns.
140 #
141 # ACTIONS
142 # Action names are case insensitive. They are shown in upper
143 # case for consistency with other Postfix documentation.
144 #
145 # DISCARD optional text...
146 # Claim successful delivery and silently discard the
147 # message. Log the optional text if specified, oth-
148 # erwise log a generic message.
149 #
150 # Note: this action disables further header or
151 # body_checks inspection of the current message and
152 # affects all recipients. To discard only one recip-
153 # ient without discarding the entire message, use the
154 # transport(5) table to direct mail to the discard(8)
155 # service.
156 #
157 # This feature is available in Postfix 2.0 and later.
158 #
159 # DUNNO Pretend that the input line did not match any pat-
160 # tern, and inspect the next input line. This action
161 # can be used to shorten the table search.
162 #
163 # For backwards compatibility reasons, Postfix also
164 # accepts OK but it is (and always has been) treated
165 # as DUNNO.
166 #
167 # This feature is available in Postfix 2.1 and later.
168 #
169 # FILTER transport:destination
170 # Write a content filter request to the queue file,
171 # and inspect the next input line. After the com-
172 # plete message is received it will be sent through
173 # the specified external content filter. More infor-
174 # mation about external content filters is in the
175 # Postfix FILTER_README file.
176 #
177 # Note: this action overrides the content_filter set-
178 # ting, and affects all recipients of the message. In
179 # the case that multiple FILTER actions fire, only
180 # the last one is executed.
181 #
182 # This feature is available in Postfix 2.0 and later.
183 #
184 # HOLD optional text...
185 # Arrange for the message to be placed on the hold
186 # queue, and inspect the next input line. The mes-
187 # sage remains on hold until someone either deletes
188 # it or releases it for delivery. Log the optional
189 # text if specified, otherwise log a generic message.
190 #
191 # Mail that is placed on hold can be examined with
192 # the postcat(1) command, and can be destroyed or
193 # released with the postsuper(1) command.
194 #
195 # Note: use "postsuper -r" to release mail that was
196 # kept on hold for a significant fraction of $maxi-
197 # mal_queue_lifetime or $bounce_queue_lifetime, or
198 # longer. Use "postsuper -H" only for mail that will
199 # not expire within a few delivery attempts.
200 #
201 # Note: this action affects all recipients of the
202 # message.
203 #
204 # This feature is available in Postfix 2.0 and later.
205 #
206 # IGNORE Delete the current line from the input, and inspect
207 # the next input line.
208 #
209 # PREPEND text...
210 # Prepend one line with the specified text, and
211 # inspect the next input line.
212 #
213 # Notes:
214 #
215 # o The prepended text is output on a separate
216 # line, immediately before the input that
217 # triggered the PREPEND action.
218 #
219 # o The prepended text is not considered part of
220 # the input stream: it is not subject to
221 # header/body checks or address rewriting, and
222 # it does not affect the way that Postfix adds
223 # missing message headers.
224 #
225 # o When prepending text before a message header
226 # line, the prepended text must begin with a
227 # valid message header label.
228 #
229 # o This action cannot be used to prepend multi-
230 # line text.
231 #
232 # This feature is available in Postfix 2.1 and later.
233 #
234 # REDIRECT user@domain
235 # Write a message redirection request to the queue
236 # file, and inspect the next input line. After the
237 # message is queued, it will be sent to the specified
238 # address instead of the intended recipient(s).
239 #
240 # Note: this action overrides the FILTER action, and
241 # affects all recipients of the message. If multiple
242 # REDIRECT actions fire, only the last one is exe-
243 # cuted.
244 #
245 # This feature is available in Postfix 2.1 and later.
246 #
247 # REPLACE text...
248 # Replace the current line with the specified text,
249 # and inspect the next input line.
250 #
251 # This feature is available in Postfix 2.2 and later.
252 # The description below applies to Postfix 2.2.2 and
253 # later.
254 #
255 # Notes:
256 #
257 # o When replacing a message header line, the
258 # replacement text must begin with a valid
259 # header label.
260 #
261 # o The replaced text remains part of the input
262 # stream. Unlike the result from the PREPEND
263 # action, a replaced message header may be
264 # subject to address rewriting and may affect
265 # the way that Postfix adds missing message
266 # headers.
267 #
268 # REJECT optional text...
269 # Reject the entire message. Reply with optional
270 # text... when the optional text is specified, other-
271 # wise reply with a generic error message.
272 #
273 # Note: this action disables further header or
274 # body_checks inspection of the current message and
275 # affects all recipients.
276 #
277 # Postfix version 2.3 and later support enhanced sta-
278 # tus codes. When no code is specified at the begin-
279 # ning of optional text..., Postfix inserts a default
280 # enhanced status code of "5.7.1".
281 #
282 # WARN optional text...
283 # Log a warning with the optional text... (or log a
284 # generic message), and inspect the next input line.
285 # This action is useful for debugging and for testing
286 # a pattern before applying more drastic actions.
287 #
288 # BUGS
289 # Empty lines never match, because some map types mis-behave
290 # when given a zero-length search string. This limitation
291 # may be removed for regular expression tables in a future
292 # release.
293 #
294 # Many people overlook the main limitations of header and
295 # body_checks rules.
296 #
297 # o These rules operate on one logical message header
298 # or one body line at a time. A decision made for one
299 # line is not carried over to the next line.
300 #
301 # o If text in the message body is encoded (RFC 2045)
302 # then the rules need to be specified for the encoded
303 # form.
304 #
305 # o Likewise, when message headers are encoded (RFC
306 # 2047) then the rules need to be specified for the
307 # encoded form.
308 #
309 # Message headers added by the cleanup(8) daemon itself are
310 # excluded from inspection. Examples of such message headers
311 # are From:, To:, Message-ID:, Date:.
312 #
313 # Message headers deleted by the cleanup(8) daemon will be
314 # examined before they are deleted. Examples are: Bcc:, Con-
315 # tent-Length:, Return-Path:.
316 #
317 # CONFIGURATION PARAMETERS
318 # body_checks
319 # Lookup tables with content filter rules for message
320 # body lines. These filters see one physical line at
321 # a time, in chunks of at most $line_length_limit
322 # bytes.
323 #
324 # body_checks_size_limit
325 # The amount of content per message body segment
326 # (attachment) that is subjected to $body_checks fil-
327 # tering.
328 #
329 # header_checks
330 #
331 # mime_header_checks (default: $header_checks)
332 #
333 # nested_header_checks (default: $header_checks)
334 # Lookup tables with content filter rules for message
335 # header lines: respectively, these are applied to
336 # the initial message headers (not including MIME
337 # headers), to the MIME headers anywhere in the mes-
338 # sage, and to the initial headers of attached mes-
339 # sages.
340 #
341 # Note: these filters see one logical message header
342 # at a time, even when a message header spans multi-
343 # ple lines. Message headers that are longer than
344 # $header_size_limit characters are truncated.
345 #
346 # disable_mime_input_processing
347 # While receiving mail, give no special treatment to
348 # MIME related message headers; all text after the
349 # initial message headers is considered to be part of
350 # the message body. This means that header_checks is
351 # applied to all the initial message headers, and
352 # that body_checks is applied to the remainder of the
353 # message.
354 #
355 # Note: when used in this manner, body_checks will
356 # process a multi-line message header one line at a
357 # time.
358 #
359 # EXAMPLES
360 # Header pattern to block attachments with bad file name
361 # extensions. For convenience, the PCRE /x flag is speci-
362 # fied, so that there is no need to collapse the pattern
363 # into a single line of text. The purpose of the
364 # [[:xdigit:]] sub-expressions is to recognize Windows CLSID
365 # strings.
366 #
367 # /etc/postfix/main.cf:
368 # header_checks = pcre:/etc/postfix/header_checks.pcre
369 #
370 # /etc/postfix/header_checks.pcre:
371 # /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
372 # ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
373 # hlp|ht[at]|
374 # inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
375 # \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
376 # ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
377 # vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
378 # REJECT Attachment name "$2" may not end with ".$4"
379 #
380 # Body pattern to stop a specific HTML browser vulnerability
381 # exploit.
382 #
383 # /etc/postfix/main.cf:
384 # body_checks = regexp:/etc/postfix/body_checks
385 #
386 # /etc/postfix/body_checks:
387 # /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
388 # REJECT IFRAME vulnerability exploit
389 #
390 # SEE ALSO
391 # cleanup(8), canonicalize and enqueue Postfix message
392 # pcre_table(5), format of PCRE lookup tables
393 # regexp_table(5), format of POSIX regular expression tables
394 # postconf(1), Postfix configuration utility
395 # postmap(1), Postfix lookup table management
396 # postsuper(1), Postfix janitor
397 # postcat(1), show Postfix queue file contents
398 # RFC 2045, base64 and quoted-printable encoding rules
399 # RFC 2047, message header encoding for non-ASCII text
400 #
401 # README FILES
402 # Use "postconf readme_directory" or "postconf html_direc-
403 # tory" to locate this information.
404 # DATABASE_README, Postfix lookup table overview
405 # CONTENT_INSPECTION_README, Postfix content inspection overview
406 # BUILTIN_FILTER_README, Postfix built-in content inspection
407 # BACKSCATTER_README, blocking returned forged mail
408 #
409 # LICENSE
410 # The Secure Mailer license must be distributed with this
411 # software.
412 #
413 # AUTHOR(S)
414 # Wietse Venema
415 # IBM T.J. Watson Research
416 # P.O. Box 704
417 # Yorktown Heights, NY 10598, USA
418 #
419 # HEADER_CHECKS(5)