# ACCESS(5)                     File Formats Manual                    ACCESS(5)
# 
# NAME
#        access - Postfix SMTP server access table
# 
# SYNOPSIS
#        postmap /etc/postfix/access
# 
#        postmap -q "string" /etc/postfix/access
# 
#        postmap -q - /etc/postfix/access <inputfile
# 
# DESCRIPTION
#        This  document  describes  access  control  on remote SMTP
#        client information: host names, network addresses, and en‐
#        velope sender or recipient addresses; it is implemented by
#        the  Postfix  SMTP  server.    See   header_checks(5)   or
#        body_checks(5)  for access control on the content of email
#        messages.
# 
#        Normally, the access(5) table is specified as a text  file
#        that  serves  as input to the postmap(1) command to create
#        an indexed file for fast lookup.
# 
#        Execute the command "postmap /etc/postfix/access"  to  re‐
#        build  a default-type indexed file after changing the text
#        file, or  execute  "postmap  type:/etc/postfix/access"  to
#        specify an explicit type.
# 
#        The  default  indexed file type is configured with the de‐
#        fault_database_type parameter. Depending on  the  platform
#        this  may  be  one of lmdb:, cdb:, hash:, or dbm: (without
#        the trailing ':').
# 
#        When the table is provided via other means  such  as  NIS,
#        LDAP or SQL, the same lookups are done as for ordinary in‐
#        dexed files.  Managing such databases is outside the scope
#        of Postfix.
# 
#        Alternatively,  the table can be provided as a regular-ex‐
#        pression map where patterns are given as  regular  expres‐
#        sions,  or  lookups can be directed to a TCP-based server.
#        In those cases, the lookups are done in a slightly differ‐
#        ent way as described below under "REGULAR  EXPRESSION  TA‐
#        BLES" or "TCP-BASED TABLES".
# 
# CASE FOLDING
#        The  search  string is folded to lowercase before database
#        lookup. As of Postfix 2.3, the search string is  not  case
#        folded  with database types such as regexp: or pcre: whose
#        lookup fields can match both upper and lower case.
# 
# TABLE FORMAT
#        The input format for the postmap(1) command is as follows:
# 
#        pattern action
#               When pattern matches a mail address, domain or host
#               address, perform the corresponding action.
# 
#        blank lines and comments
#               Empty lines and whitespace-only lines are  ignored,
#               as  are  lines whose first non-whitespace character
#               is a `#'.
# 
#        multi-line text
#               A logical line starts with non-whitespace  text.  A
#               line  that starts with whitespace continues a logi‐
#               cal line.
# 
# EMAIL ADDRESS PATTERNS IN INDEXED TABLES
#        With lookups from indexed files such as DB or DBM, or from
#        networked tables such as NIS, LDAP or  SQL,  patterns  are
#        tried in the order as listed below:
# 
#        user@domain
#               Matches the specified mail address.
# 
#        domain.tld
#               Matches  domain.tld  as the domain part of an email
#               address.
# 
#               The pattern domain.tld also matches subdomains, but
#               only when the string smtpd_access_maps is listed in
#               the Postfix  parent_domain_matches_subdomains  con‐
#               figuration setting.
# 
#        .domain.tld
#               Matches subdomains of domain.tld, but only when the
#               string smtpd_access_maps is not listed in the Post‐
#               fix  parent_domain_matches_subdomains configuration
#               setting.
# 
#        user@  Matches all mail addresses with the specified  user
#               part.
# 
#        Note:  lookup  of  the null sender address is not possible
#        with some types of lookup table. By default, Postfix  uses
#        <>  as  the  lookup  key  for such addresses. The value is
#        specified with the smtpd_null_access_lookup_key  parameter
#        in the Postfix main.cf file.
# 
# EMAIL ADDRESS EXTENSION
#        When a mail address localpart contains the optional recip‐
#        ient  delimiter  (e.g., user+foo@domain), the lookup order
#        becomes: user+foo@domain, user@domain, domain,  user+foo@,
#        and user@.
# 
# HOST NAME/ADDRESS PATTERNS IN INDEXED TABLES
#        With lookups from indexed files such as DB or DBM, or from
#        networked  tables  such as NIS, LDAP or SQL, the following
#        lookup patterns are examined in the order as listed:
# 
#        domain.tld
#               Matches domain.tld.
# 
#               The pattern domain.tld also matches subdomains, but
#               only when the string smtpd_access_maps is listed in
#               the Postfix  parent_domain_matches_subdomains  con‐
#               figuration setting.
# 
#        .domain.tld
#               Matches subdomains of domain.tld, but only when the
#               string smtpd_access_maps is not listed in the Post‐
#               fix  parent_domain_matches_subdomains configuration
#               setting.
# 
#        net.work.addr.ess
# 
#        net.work.addr
# 
#        net.work
# 
#        net    Matches a remote IPv4 host address or  network  ad‐
#               dress  range.   Specify  one to four decimal octets
#               separated by ".". Do not specify "[]" , "/",  lead‐
#               ing zeros, or hexadecimal forms.
# 
#               Network ranges are matched by repeatedly truncating
#               the  last  ".octet" from a remote IPv4 host address
#               string, until a match is found in the access table,
#               or until further truncation is not possible.
# 
#               NOTE: use the cidr lookup  table  type  to  specify
#               network/netmask patterns. See cidr_table(5) for de‐
#               tails.
# 
#        net:work:addr:ess
# 
#        net:work:addr
# 
#        net:work
# 
#        net    Matches  a  remote IPv6 host address or network ad‐
#               dress range.  Specify three  to  eight  hexadecimal
#               octet  pairs separated by ":", using the compressed
#               form "::"  for  a  sequence  of  zero-valued  octet
#               pairs.  Do not specify "[]", "/", leading zeros, or
#               non-compressed forms.
# 
#               A network range is matched by repeatedly truncating
#               the last ":octetpair" from the compressed-form  re‐
#               mote  IPv6  host  address  string, until a match is
#               found in the access table, or until further trunca‐
#               tion is not possible.
# 
#               NOTE: use the cidr lookup  table  type  to  specify
#               network/netmask patterns. See cidr_table(5) for de‐
#               tails.
# 
#               IPv6 support is available in Postfix 2.2 and later.
# 
# ACCEPT ACTIONS
#        OK     Accept the address etc. that matches the pattern.
# 
#        all-numerical
#               An all-numerical result is treated as OK. This for‐
#               mat  is generated by address-based relay authoriza‐
#               tion schemes such as pop-before-smtp.
# 
#        For other accept actions, see "OTHER ACTIONS" below.
# 
# REJECT ACTIONS
#        Postfix version 2.3  and  later  support  enhanced  status
#        codes  as  defined in RFC 3463.  When no code is specified
#        at the beginning of the text below, Postfix inserts a  de‐
#        fault  enhanced  status code of "5.7.1" in the case of re‐
#        ject actions, and "4.7.1" in the case  of  defer  actions.
#        See "ENHANCED STATUS CODES" below.
# 
#        4NN text
# 
#        5NN text
#               Reject  the  address etc. that matches the pattern,
#               and respond with the numerical three-digit code and
#               text. 4NN means "try again later", while 5NN  means
#               "do not try again".
# 
#               The  following  responses  have special meaning for
#               the Postfix SMTP server:
# 
#               421 text (Postfix 2.3 and later)
# 
#               521 text (Postfix 2.6 and later)
#                      After   responding   with   the    numerical
#                      three-digit  code and text, disconnect imme‐
#                      diately from the SMTP client.  This frees up
#                      SMTP server resources so that  they  can  be
#                      made available to another SMTP client.
# 
#                      Note: The "521" response should be used only
#                      with  botnets and other malware where inter‐
#                      operability is of no concern.  The "send 521
#                      and disconnect" behavior is NOT  defined  in
#                      the SMTP standard.
# 
#        REJECT optional text...
#               Reject  the  address etc. that matches the pattern.
#               Reply   with   "$access_map_reject_code    optional
#               text..."  when the optional text is specified, oth‐
#               erwise reply with a generic error response message.
# 
#        DEFER optional text...
#               Reject the address etc. that matches  the  pattern.
#               Reply    with    "$access_map_defer_code   optional
#               text..." when the optional text is specified,  oth‐
#               erwise reply with a generic error response message.
# 
#               This feature is available in Postfix 2.6 and later.
# 
#        DEFER_IF_REJECT optional text...
#               Defer  the  request if some later restriction would
#               result  in  a  REJECT  action.  Reply  with   "$ac‐
#               cess_map_defer_code  4.7.1  optional  text..." when
#               the optional text  is  specified,  otherwise  reply
#               with a generic error response message.
# 
#               Prior to Postfix 2.6, the SMTP reply code is 450.
# 
#               This feature is available in Postfix 2.1 and later.
# 
#        DEFER_IF_PERMIT optional text...
#               Defer  the  request if some later restriction would
#               result in an explicit or  implicit  PERMIT  action.
#               Reply  with "$access_map_defer_code 4.7.1  optional
#               text..." when the optional text is specified,  oth‐
#               erwise reply with a generic error response message.
# 
#               Prior to Postfix 2.6, the SMTP reply code is 450.
# 
#               This feature is available in Postfix 2.1 and later.
# 
#        For other reject actions, see "OTHER ACTIONS" below.
# 
# OTHER ACTIONS
#        restriction...
#               Apply the named UCE restriction(s) (permit, reject,
#               reject_unauth_destination, and so on).
# 
#        BCC user@domain
#               Send  one  copy of the message to the specified re‐
#               cipient.
# 
#               If multiple BCC actions are  specified  within  the
#               same  SMTP  MAIL transaction, with Postfix 3.0 only
#               the last action will be used.
# 
#               This feature is available in Postfix 3.0 and later.
# 
#        DISCARD optional text...
#               Claim successful delivery and silently discard  the
#               message.   Log the optional text if specified, oth‐
#               erwise log a generic message.
# 
#               Note: this action currently affects all  recipients
#               of  the  message.   To  discard  only one recipient
#               without discarding  the  entire  message,  use  the
#               transport(5) table to direct mail to the discard(8)
#               service.
# 
#               This feature is available in Postfix 2.0 and later.
# 
#        DUNNO  Pretend  that  the  lookup  key was not found. This
#               prevents Postfix  from  trying  substrings  of  the
#               lookup  key (such as a subdomain name, or a network
#               address subnetwork).
# 
#               This feature is available in Postfix 2.0 and later.
# 
#        FILTER transport:destination
#               After the message is queued, send the  entire  mes‐
#               sage through the specified external content filter.
#               The  transport  name specifies the first field of a
#               mail delivery agent definition  in  master.cf;  the
#               syntax  of the next-hop destination is described in
#               the  manual  page  of  the  corresponding  delivery
#               agent.   More  information  about  external content
#               filters is in the Postfix FILTER_README file.
# 
#               Note 1: do not use $number regular expression  sub‐
#               stitutions  for transport or destination unless you
#               know that the information has a trusted origin.
# 
#               Note 2: this  action  overrides  the  main.cf  con‐
#               tent_filter  setting, and affects all recipients of
#               the message. In the case that multiple  FILTER  ac‐
#               tions fire, only the last one is executed.
# 
#               Note  3:  the  purpose  of the FILTER command is to
#               override message routing.  To override the  recipi‐
#               ent's  transport  but not the next-hop destination,
#               specify an empty filter  destination  (Postfix  2.7
#               and later), or specify a transport:destination that
#               delivers   through  a  different  Postfix  instance
#               (Postfix 2.6 and earlier). Other options are  using
#               the  recipient-dependent transport_maps or the sen‐
#               der-dependent   sender_dependent_default_transport‐
#               _maps features.
# 
#               This feature is available in Postfix 2.0 and later.
# 
#        HOLD optional text...
#               Place  the message on the hold queue, where it will
#               sit until someone either deletes it or releases  it
#               for  delivery.  Log the optional text if specified,
#               otherwise log a generic message.
# 
#               Mail that is placed on hold can  be  examined  with
#               the postcat(1) command, and can be destroyed or re‐
#               leased with the postsuper(1) command.
# 
#               Note:  use  "postsuper -r" to release mail that was
#               kept on hold for a significant fraction  of  $maxi‐
#               mal_queue_lifetime  or  $bounce_queue_lifetime,  or
#               longer. Use "postsuper -H" only for mail that  will
#               not expire within a few delivery attempts.
# 
#               Note:  this action currently affects all recipients
#               of the message.
# 
#               This feature is available in Postfix 2.0 and later.
# 
#        PREPEND headername: headervalue
#               Prepend the specified message header  to  the  mes‐
#               sage.   When more than one PREPEND action executes,
#               the first prepended header appears before the  sec‐
#               ond etc. prepended header.
# 
#               Note:  this  action must execute before the message
#               content is received; it cannot execute in the  con‐
#               text of smtpd_end_of_data_restrictions.
# 
#               This feature is available in Postfix 2.1 and later.
# 
#        REDIRECT user@domain
#               After  the  message  is queued, send the message to
#               the specified address instead of the  intended  re‐
#               cipient(s).   When  multiple REDIRECT actions fire,
#               only the last one takes effect.
# 
#               Note 1: this action overrides  the  FILTER  action,
#               and  currently overrides all recipients of the mes‐
#               sage.
# 
#               Note 2: a REDIRECT address is subject to canonical‐
#               ization (add missing domain)  but  NOT  subject  to
#               canonical,  masquerade,  bcc, or virtual alias map‐
#               ping.
# 
#               This feature is available in Postfix 2.1 and later.
# 
#        INFO optional text...
#               Log an informational record with the optional text,
#               together with client information and if  available,
#               with  helo, sender, recipient and protocol informa‐
#               tion.
# 
#               This feature is available in Postfix 3.0 and later.
# 
#        WARN optional text...
#               Log a warning with the optional text, together with
#               client information and  if  available,  with  helo,
#               sender, recipient and protocol information.
# 
#               This feature is available in Postfix 2.1 and later.
# 
# ENHANCED STATUS CODES
#        Postfix  version  2.3  and  later  support enhanced status
#        codes as defined in RFC 3463.   When  an  enhanced  status
#        code  is  specified  in  an access table, it is subject to
#        modification. The  following  transformations  are  needed
#        when  the  same  access  table  is  used for client, helo,
#        sender, or recipient access restrictions; they happen  re‐
#        gardless  of  whether Postfix replies to a MAIL FROM, RCPT
#        TO or other SMTP command.
# 
#        •      When a sender address matches a REJECT action,  the
#               Postfix  SMTP server will transform a recipient DSN
#               status (e.g., 4.1.1-4.1.6) into  the  corresponding
#               sender DSN status, and vice versa.
# 
#        •      When  non-address  information matches a REJECT ac‐
#               tion (such as the  HELO  command  argument  or  the
#               client  hostname/address),  the Postfix SMTP server
#               will transform a sender  or  recipient  DSN  status
#               into   a  generic  non-address  DSN  status  (e.g.,
#               4.0.0).
# 
# REGULAR EXPRESSION TABLES
#        This section describes how the table lookups  change  when
#        the table is given in the form of regular expressions. For
#        a  description  of regular expression lookup table syntax,
#        see regexp_table(5) or pcre_table(5).
# 
#        Each pattern is a regular expression that  is  applied  to
#        the entire string being looked up. Depending on the appli‐
#        cation,  that  string is an entire client hostname, an en‐
#        tire client IP address, or an entire mail  address.  Thus,
#        no  parent  domain  or  parent  network  search  is  done,
#        user@domain mail addresses are not broken  up  into  their
#        user@ and domain constituent parts, nor is user+foo broken
#        up into user and foo.
# 
#        Patterns  are applied in the order as specified in the ta‐
#        ble, until a pattern is  found  that  matches  the  search
#        string.
# 
#        Actions  are  the  same as with indexed file lookups, with
#        the additional feature that parenthesized substrings  from
#        the pattern can be interpolated as $1, $2 and so on.
# 
# TCP-BASED TABLES
#        This  section  describes how the table lookups change when
#        lookups are directed to a TCP-based server. For a descrip‐
#        tion of the TCP client/server lookup protocol, see tcp_ta‐
#        ble(5).  This feature is not available up to and including
#        Postfix version 2.4.
# 
#        Each lookup operation uses the entire query  string  once.
#        Depending  on  the  application,  that string is an entire
#        client hostname, an entire client IP address, or an entire
#        mail address.  Thus, no parent domain  or  parent  network
#        search  is done, user@domain mail addresses are not broken
#        up into their user@ and domain constituent parts,  nor  is
#        user+foo broken up into user and foo.
# 
#        Actions are the same as with indexed file lookups.
# 
# EXAMPLE
#        The  following  example  uses an indexed file, so that the
#        order of table entries does not matter. The  example  per‐
#        mits  access  by the client at address 1.2.3.4 but rejects
#        all other clients in 1.2.3.0/24. Instead  of  hash  lookup
#        tables,  some  systems use dbm.  Use the command "postconf
#        -m" to find out what lookup  tables  Postfix  supports  on
#        your system.
# 
#        /etc/postfix/main.cf:
#            smtpd_client_restrictions =
#                check_client_access hash:/etc/postfix/access
# 
#        /etc/postfix/access:
#            1.2.3   REJECT
#            1.2.3.4 OK
# 
#        Execute  the  command  "postmap /etc/postfix/access" after
#        editing the file.
# 
# BUGS
#        The table format does not understand quoting conventions.
# 
# SEE ALSO
#        postmap(1), Postfix lookup table manager
#        smtpd(8), SMTP server
#        postconf(5), configuration parameters
#        transport(5), transport:nexthop syntax
# 
# README FILES
#        Use "postconf readme_directory" or  "postconf  html_direc‐
#        tory" to locate this information.
#        SMTPD_ACCESS_README, built-in SMTP server access control
#        DATABASE_README, Postfix lookup table overview
# 
# LICENSE
#        The  Secure  Mailer  license must be distributed with this
#        software.
# 
# AUTHOR(S)
#        Wietse Venema
#        IBM T.J. Watson Research
#        P.O. Box 704
#        Yorktown Heights, NY 10598, USA
# 
#        Wietse Venema
#        Google, Inc.
#        111 8th Avenue
#        New York, NY 10011, USA
# 
#                                                                      ACCESS(5)
