ppoossttmmaapp //eettcc//ppoossttffiixx//aacccceessss
ppoossttmmaapp --qq ""_s_t_r_i_n_g"" //eettcc//ppoossttffiixx//aacccceessss
ppoossttmmaapp --qq -- //eettcc//ppoossttffiixx//aacccceessss <<_i_n_p_u_t_f_i_l_e
Normally, the aacccceessss(5) table is specified as a text file that serves as input to the ppoossttmmaapp(1) command. The result, an indexed file in ddbbmm or ddbb format, is used for fast searching by the mail system. Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//aacccceessss" to rebuild an indexed file after changing the corresponding text file.
When the table is provided via other means such as NIS, LDAP or SQL, the same lookups are done as for ordinary indexed files.
Alternatively, the table can be provided as a regular-expression map where patterns are given as regular expressions, or lookups can be directed to TCP-based server. In those cases, the lookups are done in a slightly different way as described below under "REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
The search string is folded to lowercase before database lookup. As of Postfix 2.3, the search string is not case folded with database types such as regexp: or pcre: whose lookup fields can match both upper and lower case.
The input format for the ppoossttmmaapp(1) command is as follows:
With lookups from indexed files such as DB or DBM, or from networked tables such as NIS, LDAP or SQL, patterns are tried in the order as listed below:
Note: lookup of the null sender address is not possible with some types of lookup table. By default, Postfix uses <<>> as the lookup key for such addresses. The value is specified with the ssmmttppdd__nnuullll__aacccceessss__llooookkuupp__kkeeyy parameter in the Postfix mmaaiinn..ccff file.
When a mail address localpart contains the optional recipient delimiter (e.g., _u_s_e_r_+_f_o_o@_d_o_m_a_i_n), the lookup order becomes: _u_s_e_r_+_f_o_o@_d_o_m_a_i_n, _u_s_e_r@_d_o_m_a_i_n, _d_o_m_a_i_n, _u_s_e_r_+_f_o_o@, and _u_s_e_r@.
With lookups from indexed files such as DB or DBM, or from networked tables such as NIS, LDAP or SQL, the following lookup patterns are examined in the order as listed:
Subnetworks are matched by repeatedly truncating the last ".octet" from the remote IPv4 host address string until a match is found in the access table, or until further truncation is not possible.
NOTE 1: The access map lookup key must be in canonical form: do not specify unnecessary null characters, and do not enclose network address information with "[]" characters.
NOTE 2: use the cciiddrr lookup table type to specify network/netmask patterns. See cciiddrr__ttaabbllee(5) for details.
Subnetworks are matched by repeatedly truncating the last ":octetpair" from the remote IPv6 host address string until a match is found in the access table, or until further truncation is not possible.
NOTE 1: the truncation and comparison are done with the string representation of the IPv6 host address. Thus, not all the ":" subnetworks will be tried.
NOTE 2: The access map lookup key must be in canonical form: do not specify unnecessary null characters, and do not enclose network address information with "[]" characters.
NOTE 3: use the cciiddrr lookup table type to specify network/netmask patterns. See cciiddrr__ttaabbllee(5) for details.
IPv6 support is available in Postfix 2.2 and later.
Postfix version 2.3 and later support enhanced status codes as defined in RFC 3463. When no code is specified at the beginning of the _t_e_x_t below, Postfix inserts a default enhanced status code of "5.7.1" in the case of reject actions, and "4.7.1" in the case of defer actions. See "ENHANCED STATUS CODES" below.
Mail that is placed on hold can be examined with the
ppoossttccaatt(1) command, and can be destroyed or released with
the ppoossttssuuppeerr(1) command.
Note: use "ppoossttssuuppeerr --rr" to release mail that was kept on
hold for a significant fraction of $$mmaaxxiimmaall__qquueeuuee__lliiffeettiimmee
or $$bboouunnccee__qquueeuuee__lliiffeettiimmee, or longer. Use "ppoossttssuuppeerr --HH"
only for mail that will not expire within a few delivery attempts.
Note: this action currently affects all recipients of the message.
This feature is available in Postfix 2.0 and later.
Postfix version 2.3 and later support enhanced status codes as defined in RFC 3463. When an enhanced status code is specified in an access table, it is subject to modification. The following transformations are needed when the same access table is used for client, helo, sender, or recipient access restrictions; they happen regardless of whether Postfix replies to a MAIL FROM, RCPT TO or other SMTP command.
This section describes how the table lookups change when the table is given in the form of regular expressions. For a description of regular expression lookup table syntax, see rreeggeexxpp__ttaabbllee(5) or ppccrree__ttaabbllee(5).
Each pattern is a regular expression that is applied to the entire string being looked up. Depending on the application, that string is an entire client hostname, an entire client IP address, or an entire mail address. Thus, no parent domain or parent network search is done, _u_s_e_r_@_d_o_m_a_i_n mail addresses are not broken up into their _u_s_e_r_@ and _d_o_m_a_i_n constituent parts, nor is _u_s_e_r_+_f_o_o broken up into _u_s_e_r and _f_o_o.
Patterns are applied in the order as specified in the table, until a pattern is found that matches the search string.
Actions are the same as with indexed file lookups, with the additional feature that parenthesized substrings from the pattern can be interpolated as $$11, $$22 and so on.
This section describes how the table lookups change when lookups are directed to a TCP-based server. For a description of the TCP client/server lookup protocol, see ttccpp__ttaabbllee(5). This feature is not available up to and including Postfix version 2.4.
Each lookup operation uses the entire query string once. Depending on the application, that string is an entire client hostname, an entire client IP address, or an entire mail address. Thus, no parent domain or parent network search is done, _u_s_e_r_@_d_o_m_a_i_n mail addresses are not broken up into their _u_s_e_r_@ and _d_o_m_a_i_n constituent parts, nor is _u_s_e_r_+_f_o_o broken up into _u_s_e_r and _f_o_o.
Actions are the same as with indexed file lookups.
The following example uses an indexed file, so that the order of table entries does not matter. The example permits access by the client at address 1.2.3.4 but rejects all other clients in 1.2.3.0/24. Instead of hhaasshh lookup tables, some systems use ddbbmm. Use the command "ppoossttccoonnff --mm" to find out what lookup tables Postfix supports on your system.
/etc/postfix/main.cf:
smtpd_client_restrictions =
check_client_access hash:/etc/postfix/access
/etc/postfix/access: 1.2.3 REJECT 1.2.3.4 OK
Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//aacccceessss" after editing the file.
postmap(1), Postfix lookup table manager smtpd(8), SMTP server postconf(5), configuration parameters transport(5), transport:nexthop syntax
Use "ppoossttccoonnff rreeaaddmmee__ddiirreeccttoorryy" or "ppoossttccoonnff hhttmmll__ddiirreeccttoorryy" to locate this information.
SMTPD_ACCESS_README, built-in SMTP server access control DATABASE_README, Postfix lookup table overview
The Secure Mailer license must be distributed with this software.
Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown Heights, NY 10598, USA