# ACCESS(5)                     File Formats Manual                    ACCESS(5)
# 
# NAME
#        access - Postfix SMTP server access table
# 
# SYNOPSIS
#        postmap /etc/postfix/access
# 
#        postmap -q "string" /etc/postfix/access
# 
#        postmap -q - /etc/postfix/access <inputfile
# 
# DESCRIPTION
#        This  document  describes  access  control  on remote SMTP
#        client information: host names, network addresses, and en‐
#        velope sender or recipient addresses; it is implemented by
#        the  Postfix  SMTP  server.    See   header_checks(5)   or
#        body_checks(5)  for access control on the content of email
#        messages.
# 
#        Normally, the access(5) table is specified as a text  file
#        that  serves  as input to the postmap(1) command.  The re‐
#        sult, an indexed file in dbm or db  format,  is  used  for
#        fast  searching  by  the  mail system. Execute the command
#        "postmap /etc/postfix/access" to rebuild an  indexed  file
#        after changing the corresponding text file.
# 
#        When  the  table  is provided via other means such as NIS,
#        LDAP or SQL, the same lookups are done as for ordinary in‐
#        dexed files.
# 
#        Alternatively, the table can be provided as a  regular-ex‐
#        pression  map  where patterns are given as regular expres‐
#        sions, or lookups can be directed to a  TCP-based  server.
#        In those cases, the lookups are done in a slightly differ‐
#        ent  way  as described below under "REGULAR EXPRESSION TA‐
#        BLES" or "TCP-BASED TABLES".
# 
# CASE FOLDING
#        The search string is folded to lowercase  before  database
#        lookup.  As  of Postfix 2.3, the search string is not case
#        folded with database types such as regexp: or pcre:  whose
#        lookup fields can match both upper and lower case.
# 
# TABLE FORMAT
#        The input format for the postmap(1) command is as follows:
# 
#        pattern action
#               When pattern matches a mail address, domain or host
#               address, perform the corresponding action.
# 
#        blank lines and comments
#               Empty  lines and whitespace-only lines are ignored,
#               as are lines whose first  non-whitespace  character
#               is a `#'.
# 
#        multi-line text
#               A  logical  line starts with non-whitespace text. A
#               line that starts with whitespace continues a  logi‐
#               cal line.
# 
# EMAIL ADDRESS PATTERNS IN INDEXED TABLES
#        With lookups from indexed files such as DB or DBM, or from
#        networked  tables  such  as NIS, LDAP or SQL, patterns are
#        tried in the order as listed below:
# 
#        user@domain
#               Matches the specified mail address.
# 
#        domain.tld
#               Matches domain.tld as the domain part of  an  email
#               address.
# 
#               The pattern domain.tld also matches subdomains, but
#               only when the string smtpd_access_maps is listed in
#               the  Postfix  parent_domain_matches_subdomains con‐
#               figuration setting.
# 
#        .domain.tld
#               Matches subdomains of domain.tld, but only when the
#               string smtpd_access_maps is not listed in the Post‐
#               fix parent_domain_matches_subdomains  configuration
#               setting.
# 
#        user@  Matches  all mail addresses with the specified user
#               part.
# 
#        Note: lookup of the null sender address  is  not  possible
#        with  some types of lookup table. By default, Postfix uses
#        <> as the lookup key for  such  addresses.  The  value  is
#        specified  with the smtpd_null_access_lookup_key parameter
#        in the Postfix main.cf file.
# 
# EMAIL ADDRESS EXTENSION
#        When a mail address localpart contains the optional recip‐
#        ient delimiter (e.g., user+foo@domain), the  lookup  order
#        becomes:  user+foo@domain, user@domain, domain, user+foo@,
#        and user@.
# 
# HOST NAME/ADDRESS PATTERNS IN INDEXED TABLES
#        With lookups from indexed files such as DB or DBM, or from
#        networked tables such as NIS, LDAP or SQL,  the  following
#        lookup patterns are examined in the order as listed:
# 
#        domain.tld
#               Matches domain.tld.
# 
#               The pattern domain.tld also matches subdomains, but
#               only when the string smtpd_access_maps is listed in
#               the  Postfix  parent_domain_matches_subdomains con‐
#               figuration setting.
# 
#        .domain.tld
#               Matches subdomains of domain.tld, but only when the
#               string smtpd_access_maps is not listed in the Post‐
#               fix parent_domain_matches_subdomains  configuration
#               setting.
# 
#        net.work.addr.ess
# 
#        net.work.addr
# 
#        net.work
# 
#        net    Matches  a  remote IPv4 host address or network ad‐
#               dress range.  Specify one to  four  decimal  octets
#               separated  by ".". Do not specify "[]" , "/", lead‐
#               ing zeros, or hexadecimal forms.
# 
#               Network ranges are matched by repeatedly truncating
#               the last ".octet" from a remote IPv4  host  address
#               string, until a match is found in the access table,
#               or until further truncation is not possible.
# 
#               NOTE:  use  the  cidr  lookup table type to specify
#               network/netmask patterns. See cidr_table(5) for de‐
#               tails.
# 
#        net:work:addr:ess
# 
#        net:work:addr
# 
#        net:work
# 
#        net    Matches a remote IPv6 host address or  network  ad‐
#               dress  range.   Specify  three to eight hexadecimal
#               octet pairs separated by ":", using the  compressed
#               form  "::"  for  a  sequence  of  zero-valued octet
#               pairs. Do not specify "[]", "/", leading zeros,  or
#               non-compressed forms.
# 
#               A network range is matched by repeatedly truncating
#               the  last ":octetpair" from the compressed-form re‐
#               mote IPv6 host address string,  until  a  match  is
#               found in the access table, or until further trunca‐
#               tion is not possible.
# 
#               NOTE:  use  the  cidr  lookup table type to specify
#               network/netmask patterns. See cidr_table(5) for de‐
#               tails.
# 
#               IPv6 support is available in Postfix 2.2 and later.
# 
# ACCEPT ACTIONS
#        OK     Accept the address etc. that matches the pattern.
# 
#        all-numerical
#               An all-numerical result is treated as OK. This for‐
#               mat is generated by address-based relay  authoriza‐
#               tion schemes such as pop-before-smtp.
# 
#        For other accept actions, see "OTHER ACTIONS" below.
# 
# REJECT ACTIONS
#        Postfix  version  2.3  and  later  support enhanced status
#        codes as defined in RFC 3463.  When no code  is  specified
#        at  the beginning of the text below, Postfix inserts a de‐
#        fault enhanced status code of "5.7.1" in the case  of  re‐
#        ject  actions,  and  "4.7.1" in the case of defer actions.
#        See "ENHANCED STATUS CODES" below.
# 
#        4NN text
# 
#        5NN text
#               Reject the address etc. that matches  the  pattern,
#               and respond with the numerical three-digit code and
#               text.  4NN means "try again later", while 5NN means
#               "do not try again".
# 
#               The following responses have  special  meaning  for
#               the Postfix SMTP server:
# 
#               421 text (Postfix 2.3 and later)
# 
#               521 text (Postfix 2.6 and later)
#                      After    responding   with   the   numerical
#                      three-digit code and text, disconnect  imme‐
#                      diately from the SMTP client.  This frees up
#                      SMTP  server  resources  so that they can be
#                      made available to another SMTP client.
# 
#                      Note: The "521" response should be used only
#                      with botnets and other malware where  inter‐
#                      operability is of no concern.  The "send 521
#                      and  disconnect"  behavior is NOT defined in
#                      the SMTP standard.
# 
#        REJECT optional text...
#               Reject the address etc. that matches  the  pattern.
#               Reply    with   "$access_map_reject_code   optional
#               text..." when the optional text is specified,  oth‐
#               erwise reply with a generic error response message.
# 
#        DEFER optional text...
#               Reject  the  address etc. that matches the pattern.
#               Reply   with    "$access_map_defer_code    optional
#               text..."  when the optional text is specified, oth‐
#               erwise reply with a generic error response message.
# 
#               This feature is available in Postfix 2.6 and later.
# 
#        DEFER_IF_REJECT optional text...
#               Defer the request if some later  restriction  would
#               result   in  a  REJECT  action.  Reply  with  "$ac‐
#               cess_map_defer_code 4.7.1  optional  text..."  when
#               the  optional  text  is  specified, otherwise reply
#               with a generic error response message.
# 
#               Prior to Postfix 2.6, the SMTP reply code is 450.
# 
#               This feature is available in Postfix 2.1 and later.
# 
#        DEFER_IF_PERMIT optional text...
#               Defer the request if some later  restriction  would
#               result  in  an  explicit or implicit PERMIT action.
#               Reply with "$access_map_defer_code 4.7.1   optional
#               text..."  when the optional text is specified, oth‐
#               erwise reply with a generic error response message.
# 
#               Prior to Postfix 2.6, the SMTP reply code is 450.
# 
#               This feature is available in Postfix 2.1 and later.
# 
#        For other reject actions, see "OTHER ACTIONS" below.
# 
# OTHER ACTIONS
#        restriction...
#               Apply the named UCE restriction(s) (permit, reject,
#               reject_unauth_destination, and so on).
# 
#        BCC user@domain
#               Send one copy of the message to the  specified  re‐
#               cipient.
# 
#               If  multiple  BCC  actions are specified within the
#               same SMTP MAIL transaction, with Postfix  3.0  only
#               the last action will be used.
# 
#               This feature is available in Postfix 3.0 and later.
# 
#        DISCARD optional text...
#               Claim  successful delivery and silently discard the
#               message.  Log the optional text if specified,  oth‐
#               erwise log a generic message.
# 
#               Note:  this action currently affects all recipients
#               of the message.   To  discard  only  one  recipient
#               without  discarding  the  entire  message,  use the
#               transport(5) table to direct mail to the discard(8)
#               service.
# 
#               This feature is available in Postfix 2.0 and later.
# 
#        DUNNO  Pretend that the lookup key  was  not  found.  This
#               prevents  Postfix  from  trying  substrings  of the
#               lookup key (such as a subdomain name, or a  network
#               address subnetwork).
# 
#               This feature is available in Postfix 2.0 and later.
# 
#        FILTER transport:destination
#               After  the  message is queued, send the entire mes‐
#               sage through the specified external content filter.
#               The transport name specifies the first field  of  a
#               mail  delivery  agent  definition in master.cf; the
#               syntax of the next-hop destination is described  in
#               the  manual  page  of  the  corresponding  delivery
#               agent.  More  information  about  external  content
#               filters is in the Postfix FILTER_README file.
# 
#               Note  1: do not use $number regular expression sub‐
#               stitutions for transport or destination unless  you
#               know that the information has a trusted origin.
# 
#               Note  2:  this  action  overrides  the main.cf con‐
#               tent_filter setting, and affects all recipients  of
#               the  message.  In the case that multiple FILTER ac‐
#               tions fire, only the last one is executed.
# 
#               Note 3: the purpose of the  FILTER  command  is  to
#               override  message routing.  To override the recipi‐
#               ent's transport but not the  next-hop  destination,
#               specify  an  empty  filter destination (Postfix 2.7
#               and later), or specify a transport:destination that
#               delivers  through  a  different  Postfix   instance
#               (Postfix  2.6 and earlier). Other options are using
#               the recipient-dependent transport_maps or the  sen‐
#               der-dependent   sender_dependent_default_transport‐
#               _maps features.
# 
#               This feature is available in Postfix 2.0 and later.
# 
#        HOLD optional text...
#               Place the message on the hold queue, where it  will
#               sit  until someone either deletes it or releases it
#               for delivery.  Log the optional text if  specified,
#               otherwise log a generic message.
# 
#               Mail  that  is  placed on hold can be examined with
#               the postcat(1) command, and can be destroyed or re‐
#               leased with the postsuper(1) command.
# 
#               Note: use "postsuper -r" to release mail  that  was
#               kept  on  hold for a significant fraction of $maxi‐
#               mal_queue_lifetime  or  $bounce_queue_lifetime,  or
#               longer.  Use "postsuper -H" only for mail that will
#               not expire within a few delivery attempts.
# 
#               Note: this action currently affects all  recipients
#               of the message.
# 
#               This feature is available in Postfix 2.0 and later.
# 
#        PREPEND headername: headervalue
#               Prepend  the  specified  message header to the mes‐
#               sage.  When more than one PREPEND action  executes,
#               the  first prepended header appears before the sec‐
#               ond etc. prepended header.
# 
#               Note: this action must execute before  the  message
#               content  is received; it cannot execute in the con‐
#               text of smtpd_end_of_data_restrictions.
# 
#               This feature is available in Postfix 2.1 and later.
# 
#        REDIRECT user@domain
#               After the message is queued, send  the  message  to
#               the  specified  address instead of the intended re‐
#               cipient(s).  When multiple REDIRECT  actions  fire,
#               only the last one takes effect.
# 
#               Note  1:  this  action overrides the FILTER action,
#               and currently overrides all recipients of the  mes‐
#               sage.
# 
#               Note 2: a REDIRECT address is subject to canonical‐
#               ization  (add  missing  domain)  but NOT subject to
#               canonical, masquerade, bcc, or virtual  alias  map‐
#               ping.
# 
#               This feature is available in Postfix 2.1 and later.
# 
#        INFO optional text...
#               Log an informational record with the optional text,
#               together  with client information and if available,
#               with helo, sender, recipient and protocol  informa‐
#               tion.
# 
#               This feature is available in Postfix 3.0 and later.
# 
#        WARN optional text...
#               Log a warning with the optional text, together with
#               client  information  and  if  available, with helo,
#               sender, recipient and protocol information.
# 
#               This feature is available in Postfix 2.1 and later.
# 
# ENHANCED STATUS CODES
#        Postfix version 2.3  and  later  support  enhanced  status
#        codes  as  defined  in  RFC 3463.  When an enhanced status
#        code is specified in an access table,  it  is  subject  to
#        modification.  The  following  transformations  are needed
#        when the same access  table  is  used  for  client,  helo,
#        sender,  or recipient access restrictions; they happen re‐
#        gardless of whether Postfix replies to a MAIL  FROM,  RCPT
#        TO or other SMTP command.
# 
#        •      When  a sender address matches a REJECT action, the
#               Postfix SMTP server will transform a recipient  DSN
#               status  (e.g.,  4.1.1-4.1.6) into the corresponding
#               sender DSN status, and vice versa.
# 
#        •      When non-address information matches a  REJECT  ac‐
#               tion  (such  as  the  HELO  command argument or the
#               client hostname/address), the Postfix  SMTP  server
#               will  transform  a  sender  or recipient DSN status
#               into  a  generic  non-address  DSN  status   (e.g.,
#               4.0.0).
# 
# REGULAR EXPRESSION TABLES
#        This  section  describes how the table lookups change when
#        the table is given in the form of regular expressions. For
#        a description of regular expression lookup  table  syntax,
#        see regexp_table(5) or pcre_table(5).
# 
#        Each  pattern  is  a regular expression that is applied to
#        the entire string being looked up. Depending on the appli‐
#        cation, that string is an entire client hostname,  an  en‐
#        tire  client  IP address, or an entire mail address. Thus,
#        no  parent  domain  or  parent  network  search  is  done,
#        user@domain  mail  addresses  are not broken up into their
#        user@ and domain constituent parts, nor is user+foo broken
#        up into user and foo.
# 
#        Patterns are applied in the order as specified in the  ta‐
#        ble,  until  a  pattern  is  found that matches the search
#        string.
# 
#        Actions are the same as with indexed  file  lookups,  with
#        the  additional feature that parenthesized substrings from
#        the pattern can be interpolated as $1, $2 and so on.
# 
# TCP-BASED TABLES
#        This section describes how the table lookups  change  when
#        lookups are directed to a TCP-based server. For a descrip‐
#        tion of the TCP client/server lookup protocol, see tcp_ta‐
#        ble(5).  This feature is not available up to and including
#        Postfix version 2.4.
# 
#        Each  lookup  operation uses the entire query string once.
#        Depending on the application, that  string  is  an  entire
#        client hostname, an entire client IP address, or an entire
#        mail  address.   Thus,  no parent domain or parent network
#        search is done, user@domain mail addresses are not  broken
#        up  into  their user@ and domain constituent parts, nor is
#        user+foo broken up into user and foo.
# 
#        Actions are the same as with indexed file lookups.
# 
# EXAMPLE
#        The following example uses an indexed file,  so  that  the
#        order  of  table entries does not matter. The example per‐
#        mits access by the client at address 1.2.3.4  but  rejects
#        all  other  clients  in 1.2.3.0/24. Instead of hash lookup
#        tables, some systems use dbm.  Use the  command  "postconf
#        -m"  to  find  out  what lookup tables Postfix supports on
#        your system.
# 
#        /etc/postfix/main.cf:
#            smtpd_client_restrictions =
#                check_client_access hash:/etc/postfix/access
# 
#        /etc/postfix/access:
#            1.2.3   REJECT
#            1.2.3.4 OK
# 
#        Execute the command  "postmap  /etc/postfix/access"  after
#        editing the file.
# 
# BUGS
#        The table format does not understand quoting conventions.
# 
# SEE ALSO
#        postmap(1), Postfix lookup table manager
#        smtpd(8), SMTP server
#        postconf(5), configuration parameters
#        transport(5), transport:nexthop syntax
# 
# README FILES
#        Use  "postconf  readme_directory" or "postconf html_direc‐
#        tory" to locate this information.
#        SMTPD_ACCESS_README, built-in SMTP server access control
#        DATABASE_README, Postfix lookup table overview
# 
# LICENSE
#        The Secure Mailer license must be  distributed  with  this
#        software.
# 
# AUTHOR(S)
#        Wietse Venema
#        IBM T.J. Watson Research
#        P.O. Box 704
#        Yorktown Heights, NY 10598, USA
# 
#        Wietse Venema
#        Google, Inc.
#        111 8th Avenue
#        New York, NY 10011, USA
# 
#                                                                      ACCESS(5)
