ACCESS(5) ACCESS(5)
NAME
access - format of Postfix access table
SYNOPSIS
postmap /usr/local/etc/postfix/access
postmap -q "string" /usr/local/etc/postfix/access
postmap -q - /usr/local/etc/postfix/access <inputfile
DESCRIPTION
The optional access table directs the Postfix SMTP server
to selectively reject or accept mail. Access can be
allowed or denied for specific host names, domain names,
networks, host network addresses or mail addresses.
Normally, the access table is specified as a text file
that serves as input to the postmap(1) command. The
result, an indexed file in dbm or db format, is used for
fast searching by the mail system. Execute the command
postmap /usr/local/etc/postfix/access in order to rebuild the
indexed file after changing the access table.
When the table is provided via other means such as NIS,
LDAP or SQL, the same lookups are done as for ordinary
indexed files.
Alternatively, the table can be provided as a regular-
expression map where patterns are given as regular expres-
sions. In that case, the lookups are done in a slightly
different way as described below.
TABLE FORMAT
The format of the access table is as follows:
pattern action
When pattern matches a mail address, domain or host
address, perform the corresponding action.
blank lines and comments
Empty lines and whitespace-only lines are ignored,
as are lines whose first non-whitespace character
is a `#'.
multi-line text
A logical line starts with non-whitespace text. A
line that starts with whitespace continues a logi-
cal line.
EMAIL ADDRESS PATTERNS
With lookups from indexed files such as DB or DBM, or from
networked tables such as NIS, LDAP or SQL, the following
lookup patterns are examined in the order as listed:
user@domain
Matches the specified mail address.
domain.tld
Matches domain.tld as the domain part of an email
address.
The pattern domain.tld also matches subdomains, but
only when the string smtpd_access_maps is listed in
the Postfix parent_domain_matches_subdomains con-
figuration setting. Otherwise, specify .domain.tld
(note the initial dot) in order to match subdo-
mains.
user@ Matches all mail addresses with the specified user
part.
Note: lookup of the null sender address is not possible
with some types of lookup table. By default, Postfix uses
<> as the lookup key for such addresses. The value is
specified with the workaround is to specify
smtpd_null_access_lookup_key parameter in the Postfix
main.cf file.
ADDRESS EXTENSION
When a mail address localpart contains the optional recip-
ient delimiter (e.g., user+foo@domain), the lookup order
becomes: user+foo@domain, user@domain, domain, user+foo@,
and user@.
HOST NAME/ADDRESS PATTERNS
With lookups from indexed files such as DB or DBM, or from
networked tables such as NIS, LDAP or SQL, the following
lookup patterns are examined in the order as listed:
domain.tld
Matches domain.tld.
The pattern domain.tld also matches subdomains, but
only when the string smtpd_access_maps is listed in
the Postfix parent_domain_matches_subdomains con-
figuration setting. Otherwise, specify .domain.tld
(note the initial dot) in order to match subdo-
mains.
net.work.addr.ess
net.work.addr
net.work
net Matches any host address in the specified network.
A network address is a sequence of one or more
octets separated by ".".
ACTIONS
[45]NN text
Reject the address etc. that matches the pattern,
and respond with the numerical code and text.
REJECT
REJECT optional text...
Reject the address etc. that matches the pattern.
Reply with $reject_code optional text... when the
optional text is specified, otherwise reply with a
generic error response message.
OK Accept the address etc. that matches the pattern.
all-numerical
An all-numerical result is treated as OK. This for-
mat is generated by address-based relay authoriza-
tion schemes.
DUNNO Pretend that the lookup key was not found in this
table, to prevents Postfix from trying substrings
of the lookup key (such as a subdomain name, or a
network address subnetwork).
HOLD
HOLD optional text...
Place the message on the hold queue, where it will
sit until someone either deletes it or releases it
for delivery. Log the optional text if specified,
otherwise log a generic message.
Mail that is placed on hold can be examined with
the postcat(1) command, and can be destroyed or
released with the postsuper(1) command.
Note: this action currently affects all recipients
of the message.
DISCARD
DISCARD optional text...
Claim successful delivery and silently discard the
message. Log the optional text if specified, oth-
erwise log a generic message.
Note: this action currently affects all recipients
of the message.
FILTER transport:destination
After the message is queued, send the entire mes-
sage through a content filter. More information
about content filters is in the Postfix FIL-
TER_README file.
Note: this action currently affects all recipients
of the message.
restriction...
Apply the named UCE restriction(s) (permit, reject,
reject_unauth_destination, and so on).
REGULAR EXPRESSION TABLES
This section describes how the table lookups change when
the table is given in the form of regular expressions. For
a description of regular expression lookup table syntax,
see regexp_table(5) or pcre_table(5).
Each pattern is a regular expression that is applied to
the entire string being looked up. Depending on the appli-
cation, that string is an entire client hostname, an
entire client IP address, or an entire mail address. Thus,
no parent domain or parent network search is done,
user@domain mail addresses are not broken up into their
user@ and domain constituent parts, nor is user+foo broken
up into user and foo.
Patterns are applied in the order as specified in the
table, until a pattern is found that matches the search
string.
Actions are the same as with indexed file lookups, with
the additional feature that parenthesized substrings from
the pattern can be interpolated as $1, $2 and so on.
BUGS
The table format does not understand quoting conventions.
SEE ALSO
postmap(1) create mapping table
smtpd(8) smtp server
pcre_table(5) format of PCRE tables
regexp_table(5) format of POSIX regular expression tables
LICENSE
The Secure Mailer license must be distributed with this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
ACCESS(5)