HEADER_CHECKS(5)                                              HEADER_CHECKS(5)
NAME
       header_checks - Postfix built-in content inspection
SYNOPSIS
       header_checks = pcre:/etc/postfix/header_checks
       mime_header_checks = pcre:/etc/postfix/mime_header_checks
       nested_header_checks = pcre:/etc/postfix/nested_header_checks
       body_checks = pcre:/etc/postfix/body_checks
       postmap -q "string" pcre:/etc/postfix/filename
       postmap -q - pcre:/etc/postfix/filename <inputfile
DESCRIPTION
       This  document  describes access control on the content of
       message headers and message body lines; it is  implemented
       by  the  Postfix  cleanup(8) server before mail is queued.
       See access(5) for access control  on  remote  SMTP  client
       information.
       Each  message  header  or  message  body  line is compared
       against a list of patterns.  When a  match  is  found  the
       corresponding action is executed, and the matching process
       is repeated for the next message header  or  message  body
       line.
       For  examples, see the EXAMPLES section at the end of this
       manual page.
       Postfix header or body_checks are designed to stop a flood
       of  mail from worms or viruses; they do not decode attach-
       ments, and they do not unzip archives. See  the  documents
       referenced  below  in the README FILES section if you need
       more sophisticated content analysis.
       Postfix supports four built-in content inspection classes:
       header_checks
              These   are  applied  to  initial  message  headers
              (except for the headers  that  are  processed  with
              mime_header_checks).
       mime_header_checks (default: $header_checks)
              These  are  applied to MIME related message headers
              only.
              This feature is available in Postfix 2.0 and later.
       nested_header_checks (default: $header_checks)
              These  are  applied  to message headers of attached
              email messages (except for  the  headers  that  are
              processed with mime_header_checks).
              This feature is available in Postfix 2.0 and later.
       body_checks
              These are applied to all other  content,  including
              multi-part message boundaries.
              With Postfix versions before 2.0, all content after
              the initial message headers is treated as body con-
              tent.
       Note: message headers are examined one logical header at a
       time, even when a message  header  spans  multiple  lines.
       Body lines are always examined one line at a time.
COMPATIBILITY
       With Postfix version 2.2 and earlier specify "postmap -fq"
       to query a table that contains case sensitive patterns. By
       default,  regexp: and pcre: patterns are case insensitive.
TABLE FORMAT
       This document assumes that header  and  body_checks  rules
       are  specified  in  the form of Postfix regular expression
       lookup tables. Usually the best  performance  is  obtained
       with pcre (Perl Compatible Regular Expression) tables, but
       the slower regexp (POSIX regular expressions)  support  is
       more  widely  available.  Use the command "postconf -m" to
       find out what lookup table types your Postfix system  sup-
       ports.
       The general format of Postfix regular expression tables is
       given below.  For a  discussion  of  specific  pattern  or
       flags   syntax,   see  pcre_table(5)  or  regexp_table(5),
       respectively.
       /pattern/flags action
              When /pattern/ matches the  input  string,  execute
              the  corresponding  action. See below for a list of
              possible actions.
       !/pattern/flags action
              When /pattern/ does not  match  the  input  string,
              execute the corresponding action.
       if /pattern/flags
       endif  Match the input string against the patterns between
              if and endif, if and only if the same input  string
              also matches /pattern/. The if..endif can nest.
              Note:  do not prepend whitespace to patterns inside
              if..endif.
       if !/pattern/flags
       endif  Match the input string against the patterns between
              if  and endif, if and only if the same input string
              does not match /pattern/. The if..endif can nest.
       blank lines and comments
              Empty lines and whitespace-only lines are  ignored,
              as  are  lines whose first non-whitespace character
              is a `#'.
       multi-line text
              A pattern/action line  starts  with  non-whitespace
              text.  A line that starts with whitespace continues
              a logical line.
TABLE SEARCH ORDER
       For each line of message input, the patterns  are  applied
       in  the order as specified in the table. When a pattern is
       found that  matches  the  input  line,  the  corresponding
       action  is  executed  and  then  the  next  input  line is
       inspected.
TEXT SUBSTITUTION
       Substitution of substrings  from  the  matched  expression
       into  the action string is possible using the conventional
       Perl syntax ($1, $2, etc.).   The  macros  in  the  result
       string  may  need  to  be  written as ${n} or $(n) if they
       aren't followed by whitespace.
       Note: since negated patterns (those preceded by !)  return
       a result when the expression does not match, substitutions
       are not available for negated patterns.
ACTIONS
       Action names are case insensitive. They are shown in upper
       case for consistency with other Postfix documentation.
       DISCARD optional text...
              Claim  successful delivery and silently discard the
              message.  Log the optional text if specified,  oth-
              erwise log a generic message.
              Note:   this  action  disables  further  header  or
              body_checks inspection of the current  message  and
              affects all recipients.  To discard only one recip-
              ient without discarding the entire message, use the
              transport(5) table to direct mail to the discard(8)
              service.
              This feature is available in Postfix 2.0 and later.
       DUNNO  Pretend  that the input line did not match any pat-
              tern, and inspect the next input line. This  action
              can be used to shorten the table search.
              For  backwards  compatibility reasons, Postfix also
              accepts OK but it is (and always has been)  treated
              as DUNNO.
              This feature is available in Postfix 2.1 and later.
       FILTER transport:destination
              After the message is queued, send the  entire  mes-
              sage through the specified external content filter.
              The transport name specifies the first field  of  a
              mail  delivery  agent  definition in master.cf; the
              syntax of the next-hop destination is described  in
              the  manual  page  of  the  corresponding  delivery
              agent.  More  information  about  external  content
              filters is in the Postfix FILTER_README file.
              Note  1: do not use $number regular expression sub-
              stitutions for transport or destination unless  you
              know that the information has a trusted origin.
              Note  2:  this  action  overrides  the main.cf con-
              tent_filter setting, and affects all recipients  of
              the  message.  In  the  case  that  multiple FILTER
              actions fire, only the last one is executed.
              Note 3: the purpose of the  FILTER  command  is  to
              override  message routing.  To override the recipi-
              ent's transport but not the  next-hop  destination,
              specify  an  empty  filter destination (Postfix 2.7
              and later), or specify a transport:destination that
              delivers   through  a  different  Postfix  instance
              (Postfix 2.6 and earlier). Other options are  using
              the  recipient-dependent transport_maps or the sen-
              der-dependent   sender_dependent_default_transport-
              _maps features.
              This feature is available in Postfix 2.0 and later.
       HOLD optional text...
              Arrange for the message to be placed  on  the  hold
              queue,  and  inspect the next input line.  The mes-
              sage remains on hold until someone  either  deletes
              it  or  releases it for delivery.  Log the optional
              text if specified, otherwise log a generic message.
              Mail  that  is  placed on hold can be examined with
              the postcat(1) command, and  can  be  destroyed  or
              released with the postsuper(1) command.
              Note:  use  "postsuper -r" to release mail that was
              kept on hold for a significant fraction  of  $maxi-
              mal_queue_lifetime  or  $bounce_queue_lifetime,  or
              longer. Use "postsuper -H" only for mail that  will
              not expire within a few delivery attempts.
              Note:  this  action  affects  all recipients of the
              message.
              This feature is available in Postfix 2.0 and later.
       IGNORE Delete the current line from the input, and inspect
              the next input line.
       PREPEND text...
              Prepend one  line  with  the  specified  text,  and
              inspect the next input line.
              Notes:
              o      The  prepended  text is output on a separate
                     line,  immediately  before  the  input  that
                     triggered the PREPEND action.
              o      The prepended text is not considered part of
                     the input  stream:  it  is  not  subject  to
                     header/body checks or address rewriting, and
                     it does not affect the way that Postfix adds
                     missing message headers.
              o      When prepending text before a message header
                     line, the prepended text must begin  with  a
                     valid message header label.
              o      This action cannot be used to prepend multi-
                     line text.
              This feature is available in Postfix 2.1 and later.
       REDIRECT user@domain
              Write  a  message  redirection request to the queue
              file, and inspect the next input  line.  After  the
              message is queued, it will be sent to the specified
              address instead of the intended recipient(s).
              Note: this action overrides the FILTER action,  and
              affects  all recipients of the message. If multiple
              REDIRECT actions fire, only the last  one  is  exe-
              cuted.
              This feature is available in Postfix 2.1 and later.
       REPLACE text...
              Replace the current line with the  specified  text,
              and inspect the next input line.
              This feature is available in Postfix 2.2 and later.
              The description below applies to Postfix 2.2.2  and
              later.
              Notes:
              o      When  replacing  a  message header line, the
                     replacement text must  begin  with  a  valid
                     header label.
              o      The  replaced text remains part of the input
                     stream. Unlike the result from  the  PREPEND
                     action,  a  replaced  message  header may be
                     subject to address rewriting and may  affect
                     the  way  that  Postfix adds missing message
                     headers.
       REJECT optional text...
              Reject the  entire  message.  Reply  with  optional
              text... when the optional text is specified, other-
              wise reply with a generic error message.
              Note:  this  action  disables  further  header   or
              body_checks  inspection  of the current message and
              affects all recipients.
              Postfix version 2.3 and later support enhanced sta-
              tus codes.  When no code is specified at the begin-
              ning of optional text..., Postfix inserts a default
              enhanced status code of "5.7.1".
       WARN optional text...
              Log  a  warning with the optional text... (or log a
              generic message), and inspect the next input  line.
              This action is useful for debugging and for testing
              a pattern before applying more drastic actions.
BUGS
       Empty lines never match, because some map types mis-behave
       when  given  a zero-length search string.  This limitation
       may be removed for regular expression tables in  a  future
       release.
       Many  people  overlook  the main limitations of header and
       body_checks rules.
       o      These rules operate on one logical  message  header
              or one body line at a time. A decision made for one
              line is not carried over to the next line.
       o      If text in the message body is encoded  (RFC  2045)
              then the rules need to be specified for the encoded
              form.
       o      Likewise, when message  headers  are  encoded  (RFC
              2047)  then  the rules need to be specified for the
              encoded form.
       Message headers added by the cleanup(8) daemon itself  are
       excluded from inspection. Examples of such message headers
       are From:, To:, Message-ID:, Date:.
       Message headers deleted by the cleanup(8) daemon  will  be
       examined before they are deleted. Examples are: Bcc:, Con-
       tent-Length:, Return-Path:.
CONFIGURATION PARAMETERS
       body_checks
              Lookup tables with content filter rules for message
              body lines.  These filters see one physical line at
              a time, in chunks  of  at  most  $line_length_limit
              bytes.
       body_checks_size_limit
              The  amount  of  content  per  message body segment
              (attachment) that is subjected to $body_checks fil-
              tering.
       header_checks
       mime_header_checks (default: $header_checks)
       nested_header_checks (default: $header_checks)
              Lookup tables with content filter rules for message
              header lines: respectively, these  are  applied  to
              the  initial  message  headers  (not including MIME
              headers), to the MIME headers anywhere in the  mes-
              sage,  and  to the initial headers of attached mes-
              sages.
              Note: these filters see one logical message  header
              at  a time, even when a message header spans multi-
              ple lines. Message headers  that  are  longer  than
              $header_size_limit characters are truncated.
       disable_mime_input_processing
              While  receiving mail, give no special treatment to
              MIME related message headers; all  text  after  the
              initial message headers is considered to be part of
              the message body. This means that header_checks  is
              applied  to  all  the  initial message headers, and
              that body_checks is applied to the remainder of the
              message.
              Note:  when  used  in this manner, body_checks will
              process a multi-line message header one line  at  a
              time.
EXAMPLES
       Header  pattern  to  block  attachments with bad file name
       extensions.  For convenience, the PCRE /x flag  is  speci-
       fied,  so  that  there  is no need to collapse the pattern
       into  a  single  line  of  text.   The  purpose   of   the
       [[:xdigit:]] sub-expressions is to recognize Windows CLSID
       strings.
       /etc/postfix/main.cf:
           header_checks = pcre:/etc/postfix/header_checks.pcre
       /etc/postfix/header_checks.pcre:
           /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
             ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
             hlp|ht[at]|
             inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
             \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
             ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
             vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
               REJECT Attachment name "$2" may not end with ".$4"
       Body pattern to stop a specific HTML browser vulnerability
       exploit.
       /etc/postfix/main.cf:
           body_checks = regexp:/etc/postfix/body_checks
       /etc/postfix/body_checks:
           /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
               REJECT IFRAME vulnerability exploit
SEE ALSO
       cleanup(8), canonicalize and enqueue Postfix message
       pcre_table(5), format of PCRE lookup tables
       regexp_table(5), format of POSIX regular expression tables
       postconf(1), Postfix configuration utility
       postmap(1), Postfix lookup table management
       postsuper(1), Postfix janitor
       postcat(1), show Postfix queue file contents
       RFC 2045, base64 and quoted-printable encoding rules
       RFC 2047, message header encoding for non-ASCII text
README FILES
       DATABASE_README, Postfix lookup table overview
       CONTENT_INSPECTION_README, Postfix content inspection overview
       BUILTIN_FILTER_README, Postfix built-in content inspection
       BACKSCATTER_README, blocking returned forged mail
LICENSE
       The Secure Mailer license must be  distributed  with  this
       software.
AUTHOR(S)
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA
                                                              HEADER_CHECKS(5)