{ "content": [ { "type": "text", "text": "# access(5) (man)\n\n**Summary:** access - Postfix SMTP server access table\n\n## Examples\n\n- `The following example uses an indexed file, so that the order of table entries does not mat‐`\n- `ter. The example permits access by the client at address 1.2.3.4 but rejects all other`\n- `clients in 1.2.3.0/24. Instead of hash lookup tables, some systems use dbm. Use the command`\n- `\"postconf -m\" to find out what lookup tables Postfix supports on your system.`\n- `/etc/postfix/main.cf:`\n- `smtpdclientrestrictions =`\n- `checkclientaccess hash:/etc/postfix/access`\n- `/etc/postfix/access:`\n- `1.2.3 REJECT`\n- `1.2.3.4 OK`\n- `Execute the command \"postmap /etc/postfix/access\" after editing the file.`\n\n## See Also\n\n- postmap(1)\n- smtpd(8)\n- postconf(5)\n- transport(5)\n\n## Section Outline\n\n- **NAME** (2 lines)\n- **SYNOPSIS** (1 lines) — 1 subsections\n - postmap /etc/postfix/access (4 lines)\n- **DESCRIPTION** (18 lines)\n- **CASE FOLDING** (4 lines)\n- **TABLE FORMAT** (14 lines)\n- **EMAIL ADDRESS PATTERNS** (23 lines)\n- **EMAIL ADDRESS EXTENSION** (3 lines)\n- **HOST NAME/ADDRESS PATTERNS** (51 lines)\n- **ACCEPT ACTIONS** (8 lines)\n- **REJECT ACTIONS** (57 lines)\n- **OTHER ACTIONS** (98 lines)\n- **ENHANCED STATUS CODES** (14 lines)\n- **REGULAR EXPRESSION TABLES** (16 lines)\n- **TCP-BASED TABLES** (12 lines)\n- **EXAMPLE** (15 lines)\n- **BUGS** (2 lines)\n- **SEE ALSO** (5 lines)\n- **README FILES** (4 lines)\n- **LICENSE** (16 lines)\n\n## Full Content\n\n### NAME\n\naccess - Postfix SMTP server access table\n\n### SYNOPSIS\n\n#### postmap /etc/postfix/access\n\npostmap -q \"string\" /etc/postfix/access\n\npostmap -q - /etc/postfix/access as the lookup key for such addresses. The value is specified with\nthe smtpdnullaccesslookupkey parameter in the Postfix main.cf file.\n\n### EMAIL ADDRESS EXTENSION\n\nWhen a mail address localpart contains the optional recipient delimiter (e.g., user+foo@do‐\nmain), the lookup order becomes: user+foo@domain, user@domain, domain, user+foo@, and user@.\n\n### HOST NAME/ADDRESS PATTERNS\n\nWith lookups from indexed files such as DB or DBM, or from networked tables such as NIS, LDAP\nor SQL, the following lookup patterns are examined in the order as listed:\n\ndomain.tld\nMatches domain.tld.\n\nThe pattern domain.tld also matches subdomains, but only when the string smtpdac‐‐\ncessmaps is listed in the Postfix parentdomainmatchessubdomains configuration set‐\nting.\n\n.domain.tld\nMatches subdomains of domain.tld, but only when the string smtpdaccessmaps is not\nlisted in the Postfix parentdomainmatchessubdomains configuration setting.\n\nnet.work.addr.ess\n\nnet.work.addr\n\nnet.work\n\nnet Matches a remote IPv4 host address or network address range. Specify one to four dec‐\nimal octets separated by \".\". Do not specify \"[]\" , \"/\", leading zeros, or hexadecimal\nforms.\n\nNetwork ranges are matched by repeatedly truncating the last \".octet\" from a remote\nIPv4 host address string, until a match is found in the access table, or until further\ntruncation is not possible.\n\nNOTE: use the cidr lookup table type to specify network/netmask patterns. See cidrta‐‐\nble(5) for details.\n\nnet:work:addr:ess\n\nnet:work:addr\n\nnet:work\n\nnet Matches a remote IPv6 host address or network address range. Specify three to eight\nhexadecimal octet pairs separated by \":\", using the compressed form \"::\" for a se‐\nquence of zero-valued octet pairs. Do not specify \"[]\", \"/\", leading zeros, or\nnon-compressed forms.\n\nA network range is matched by repeatedly truncating the last \":octetpair\" from the\ncompressed-form remote IPv6 host address string, until a match is found in the access\ntable, or until further truncation is not possible.\n\nNOTE: use the cidr lookup table type to specify network/netmask patterns. See cidrta‐‐\nble(5) for details.\n\nIPv6 support is available in Postfix 2.2 and later.\n\n### ACCEPT ACTIONS\n\nOK Accept the address etc. that matches the pattern.\n\nall-numerical\nAn all-numerical result is treated as OK. This format is generated by address-based\nrelay authorization schemes such as pop-before-smtp.\n\nFor other accept actions, see \"OTHER ACTIONS\" below.\n\n### REJECT ACTIONS\n\nPostfix version 2.3 and later support enhanced status codes as defined in RFC 3463. When no\ncode is specified at the beginning of the text below, Postfix inserts a default enhanced sta‐\ntus code of \"5.7.1\" in the case of reject actions, and \"4.7.1\" in the case of defer actions.\nSee \"ENHANCED STATUS CODES\" below.\n\n4NN text\n\n5NN text\nReject the address etc. that matches the pattern, and respond with the numerical\nthree-digit code and text. 4NN means \"try again later\", while 5NN means \"do not try\nagain\".\n\nThe following responses have special meaning for the Postfix SMTP server:\n\n421 text (Postfix 2.3 and later)\n\n521 text (Postfix 2.6 and later)\nAfter responding with the numerical three-digit code and text, disconnect imme‐\ndiately from the SMTP client. This frees up SMTP server resources so that they\ncan be made available to another SMTP client.\n\nNote: The \"521\" response should be used only with botnets and other malware\nwhere interoperability is of no concern. The \"send 521 and disconnect\" behav‐\nior is NOT defined in the SMTP standard.\n\nREJECT optional text...\nReject the address etc. that matches the pattern. Reply with \"$accessmaprejectcode\noptional text...\" when the optional text is specified, otherwise reply with a generic\nerror response message.\n\nDEFER optional text...\nReject the address etc. that matches the pattern. Reply with \"$accessmapdefercode\noptional text...\" when the optional text is specified, otherwise reply with a generic\nerror response message.\n\nThis feature is available in Postfix 2.6 and later.\n\nDEFERIFREJECT optional text...\nDefer the request if some later restriction would result in a REJECT action. Reply\nwith \"$accessmapdefercode 4.7.1 optional text...\" when the optional text is speci‐\nfied, otherwise reply with a generic error response message.\n\nPrior to Postfix 2.6, the SMTP reply code is 450.\n\nThis feature is available in Postfix 2.1 and later.\n\nDEFERIFPERMIT optional text...\nDefer the request if some later restriction would result in a an explicit or implicit\nPERMIT action. Reply with \"$accessmapdefercode 4.7.1 optional text...\" when the\noptional text is specified, otherwise reply with a generic error response message.\n\nPrior to Postfix 2.6, the SMTP reply code is 450.\n\nThis feature is available in Postfix 2.1 and later.\n\nFor other reject actions, see \"OTHER ACTIONS\" below.\n\n### OTHER ACTIONS\n\nrestriction...\nApply the named UCE restriction(s) (permit, reject, rejectunauthdestination, and so\non).\n\nBCC user@domain\nSend one copy of the message to the specified recipient.\n\nIf multiple BCC actions are specified within the same SMTP MAIL transaction, with\nPostfix 3.0 only the last action will be used.\n\nThis feature is available in Postfix 3.0 and later.\n\nDISCARD optional text...\nClaim successful delivery and silently discard the message. Log the optional text if\nspecified, otherwise log a generic message.\n\nNote: this action currently affects all recipients of the message. To discard only\none recipient without discarding the entire message, use the transport(5) table to di‐\nrect mail to the discard(8) service.\n\nThis feature is available in Postfix 2.0 and later.\n\nDUNNO Pretend that the lookup key was not found. This prevents Postfix from trying sub‐\nstrings of the lookup key (such as a subdomain name, or a network address subnetwork).\n\nThis feature is available in Postfix 2.0 and later.\n\nFILTER transport:destination\nAfter the message is queued, send the entire message through the specified external\ncontent filter. The transport name specifies the first field of a mail delivery agent\ndefinition in master.cf; the syntax of the next-hop destination is described in the\nmanual page of the corresponding delivery agent. More information about external con‐\ntent filters is in the Postfix FILTERREADME file.\n\nNote 1: do not use $number regular expression substitutions for transport or destina‐\ntion unless you know that the information has a trusted origin.\n\nNote 2: this action overrides the main.cf contentfilter setting, and affects all re‐\ncipients of the message. In the case that multiple FILTER actions fire, only the last\none is executed.\n\nNote 3: the purpose of the FILTER command is to override message routing. To override\nthe recipient's transport but not the next-hop destination, specify an empty filter\ndestination (Postfix 2.7 and later), or specify a transport:destination that delivers\nthrough a different Postfix instance (Postfix 2.6 and earlier). Other options are us‐\ning the recipient-dependent transportmaps or the sender-dependent senderdependent‐‐\ndefaulttransportmaps features.\n\nThis feature is available in Postfix 2.0 and later.\n\nHOLD optional text...\nPlace the message on the hold queue, where it will sit until someone either deletes it\nor releases it for delivery. Log the optional text if specified, otherwise log a\ngeneric message.\n\nMail that is placed on hold can be examined with the postcat(1) command, and can be\ndestroyed or released with the postsuper(1) command.\n\nNote: use \"postsuper -r\" to release mail that was kept on hold for a significant frac‐\ntion of $maximalqueuelifetime or $bouncequeuelifetime, or longer. Use \"postsuper\n-H\" only for mail that will not expire within a few delivery attempts.\n\nNote: this action currently affects all recipients of the message.\n\nThis feature is available in Postfix 2.0 and later.\n\nPREPEND headername: headervalue\nPrepend the specified message header to the message. When more than one PREPEND ac‐\ntion executes, the first prepended header appears before the second etc. prepended\nheader.\n\nNote: this action must execute before the message content is received; it cannot exe‐\ncute in the context of smtpdendofdatarestrictions.\n\nThis feature is available in Postfix 2.1 and later.\n\nREDIRECT user@domain\nAfter the message is queued, send the message to the specified address instead of the\nintended recipient(s). When multiple REDIRECT actions fire, only the last one takes\neffect.\n\nNote: this action overrides the FILTER action, and currently overrides all recipients\nof the message.\n\nThis feature is available in Postfix 2.1 and later.\n\nINFO optional text...\nLog an informational record with the optional text, together with client information\nand if available, with helo, sender, recipient and protocol information.\n\nThis feature is available in Postfix 3.0 and later.\n\nWARN optional text...\nLog a warning with the optional text, together with client information and if avail‐\nable, with helo, sender, recipient and protocol information.\n\nThis feature is available in Postfix 2.1 and later.\n\n### ENHANCED STATUS CODES\n\nPostfix version 2.3 and later support enhanced status codes as defined in RFC 3463. When an\nenhanced status code is specified in an access table, it is subject to modification. The fol‐\nlowing transformations are needed when the same access table is used for client, helo,\nsender, or recipient access restrictions; they happen regardless of whether Postfix replies\nto a MAIL FROM, RCPT TO or other SMTP command.\n\n• When a sender address matches a REJECT action, the Postfix SMTP server will transform\na recipient DSN status (e.g., 4.1.1-4.1.6) into the corresponding sender DSN status,\nand vice versa.\n\n• When non-address information matches a REJECT action (such as the HELO command argu‐\nment or the client hostname/address), the Postfix SMTP server will transform a sender\nor recipient DSN status into a generic non-address DSN status (e.g., 4.0.0).\n\n### REGULAR EXPRESSION TABLES\n\nThis section describes how the table lookups change when the table is given in the form of\nregular expressions. For a description of regular expression lookup table syntax, see reg‐‐\nexptable(5) or pcretable(5).\n\nEach pattern is a regular expression that is applied to the entire string being looked up.\nDepending on the application, that string is an entire client hostname, an entire client IP\naddress, or an entire mail address. Thus, no parent domain or parent network search is done,\nuser@domain mail addresses are not broken up into their user@ and domain constituent parts,\nnor is user+foo broken up into user and foo.\n\nPatterns are applied in the order as specified in the table, until a pattern is found that\nmatches the search string.\n\nActions are the same as with indexed file lookups, with the additional feature that parenthe‐\nsized substrings from the pattern can be interpolated as $1, $2 and so on.\n\n### TCP-BASED TABLES\n\nThis section describes how the table lookups change when lookups are directed to a TCP-based\nserver. For a description of the TCP client/server lookup protocol, see tcptable(5). This\nfeature is not available up to and including Postfix version 2.4.\n\nEach lookup operation uses the entire query string once. Depending on the application, that\nstring is an entire client hostname, an entire client IP address, or an entire mail address.\nThus, no parent domain or parent network search is done, user@domain mail addresses are not\nbroken up into their user@ and domain constituent parts, nor is user+foo broken up into user\nand foo.\n\nActions are the same as with indexed file lookups.\n\n### EXAMPLE\n\nThe following example uses an indexed file, so that the order of table entries does not mat‐\nter. The example permits access by the client at address 1.2.3.4 but rejects all other\nclients in 1.2.3.0/24. Instead of hash lookup tables, some systems use dbm. Use the command\n\"postconf -m\" to find out what lookup tables Postfix supports on your system.\n\n/etc/postfix/main.cf:\nsmtpdclientrestrictions =\ncheckclientaccess hash:/etc/postfix/access\n\n/etc/postfix/access:\n1.2.3 REJECT\n1.2.3.4 OK\n\nExecute the command \"postmap /etc/postfix/access\" after editing the file.\n\n### BUGS\n\nThe table format does not understand quoting conventions.\n\n### SEE ALSO\n\npostmap(1), Postfix lookup table manager\nsmtpd(8), SMTP server\npostconf(5), configuration parameters\ntransport(5), transport:nexthop syntax\n\n### README FILES\n\nUse \"postconf readmedirectory\" or \"postconf htmldirectory\" to locate this information.\nSMTPDACCESSREADME, built-in SMTP server access control\nDATABASEREADME, Postfix lookup table overview\n\n### LICENSE\n\nThe Secure Mailer license must be distributed with this software.\n\nAUTHOR(S)\nWietse Venema\nIBM T.J. Watson Research\nP.O. Box 704\nYorktown Heights, NY 10598, USA\n\nWietse Venema\nGoogle, Inc.\n111 8th Avenue\nNew York, NY 10011, USA\n\n\n\nACCESS(5)\n\n" } ], "structuredContent": { "command": "access", "section": "5", "mode": "man", "summary": "access - Postfix SMTP server access table", "synopsis": "", "tldr_summary": null, "tldr_examples": [], "tldr_source": null, "flags": [], "examples": [ "The following example uses an indexed file, so that the order of table entries does not mat‐", "ter. The example permits access by the client at address 1.2.3.4 but rejects all other", "clients in 1.2.3.0/24. Instead of hash lookup tables, some systems use dbm. Use the command", "\"postconf -m\" to find out what lookup tables Postfix supports on your system.", "/etc/postfix/main.cf:", "smtpdclientrestrictions =", "checkclientaccess hash:/etc/postfix/access", "/etc/postfix/access:", "1.2.3 REJECT", "1.2.3.4 OK", "Execute the command \"postmap /etc/postfix/access\" after editing the file." ], "see_also": [ { "name": "postmap", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/postmap/1/json" }, { "name": "smtpd", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/smtpd/8/json" }, { "name": "postconf", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/postconf/5/json" }, { "name": "transport", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/transport/5/json" } ], "section_outline": [ { "name": "NAME", "lines": 2, "subsections": [] }, { "name": "SYNOPSIS", "lines": 1, "subsections": [ { "name": "postmap /etc/postfix/access", "lines": 4 } ] }, { "name": "DESCRIPTION", "lines": 18, "subsections": [] }, { "name": "CASE FOLDING", "lines": 4, "subsections": [] }, { "name": "TABLE FORMAT", "lines": 14, "subsections": [] }, { "name": "EMAIL ADDRESS PATTERNS", "lines": 23, "subsections": [] }, { "name": "EMAIL ADDRESS EXTENSION", "lines": 3, "subsections": [] }, { "name": "HOST NAME/ADDRESS PATTERNS", "lines": 51, "subsections": [] }, { "name": "ACCEPT ACTIONS", "lines": 8, "subsections": [] }, { "name": "REJECT ACTIONS", "lines": 57, "subsections": [] }, { "name": "OTHER ACTIONS", "lines": 98, "subsections": [] }, { "name": "ENHANCED STATUS CODES", "lines": 14, "subsections": [] }, { "name": "REGULAR EXPRESSION TABLES", "lines": 16, "subsections": [] }, { "name": "TCP-BASED TABLES", "lines": 12, "subsections": [] }, { "name": "EXAMPLE", "lines": 15, "subsections": [] }, { "name": "BUGS", "lines": 2, "subsections": [] }, { "name": "SEE ALSO", "lines": 5, "subsections": [] }, { "name": "README FILES", "lines": 4, "subsections": [] }, { "name": "LICENSE", "lines": 16, "subsections": [] } ] } }