1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
|
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
"https://www.w3.org/TR/html4/loose.dtd">
<html> <head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel='stylesheet' type='text/css' href='postfix-doc.css'>
<title> Postfix manual - cidr_table(5) </title>
</head> <body> <pre>
CIDR_TABLE(5) CIDR_TABLE(5)
<b><a name="name">NAME</a></b>
cidr_table - format of Postfix CIDR tables
<b><a name="synopsis">SYNOPSIS</a></b>
<b>postmap -q "</b><i>string</i><b>" <a href="cidr_table.5.html">cidr</a>:/etc/postfix/</b><i>filename</i>
<b>postmap -q - <a href="cidr_table.5.html">cidr</a>:/etc/postfix/</b><i>filename</i> <<i>inputfile</i>
<b><a name="description">DESCRIPTION</a></b>
The Postfix mail system uses optional lookup tables. These tables are
usually in <b>dbm</b> or <b>db</b> format. Alternatively, lookup tables can be spec-
ified in CIDR (Classless Inter-Domain Routing) form. In this case, each
input is compared against a list of patterns. When a match is found,
the corresponding result is returned and the search is terminated.
To find out what types of lookup tables your Postfix system supports
use the "<b>postconf -m</b>" command.
To test lookup tables, use the "<b>postmap -q</b>" command as described in the
SYNOPSIS above.
<b><a name="table_format">TABLE FORMAT</a></b>
The general form of a Postfix CIDR table is:
<i>pattern result</i>
When a search string matches the specified <i>pattern</i>, use the cor-
responding <i>result</i> value. The <i>pattern</i> must be in <i>network/prefix</i>
or <i>network</i><b>_</b><i>address</i> form (see ADDRESS PATTERN SYNTAX below).
<b>!</b><i>pattern result</i>
When a search string does not match the specified <i>pattern</i>, use
the specified <i>result</i> value. The <i>pattern</i> must be in <i>network/pre-</i>
<i>fix</i> or <i>network</i><b>_</b><i>address</i> form (see ADDRESS PATTERN SYNTAX below).
This feature is available in Postfix 3.2 and later.
<b>if</b> <i>pattern</i>
<b>endif</b> When a search string matches the specified <i>pattern</i>, match that
search string against the patterns between <b>if</b> and <b>endif</b>. The
<i>pattern</i> must be in <i>network/prefix</i> or <i>network</i><b>_</b><i>address</i> form (see
ADDRESS PATTERN SYNTAX below). The <b>if</b>..<b>endif</b> can nest.
Note: do not prepend whitespace to text between <b>if</b>..<b>endif</b>.
This feature is available in Postfix 3.2 and later.
<b>if !</b><i>pattern</i>
<b>endif</b> When a search string does not match the specified <i>pattern</i>, match
that search string against the patterns between <b>if</b> and <b>endif</b>.
The <i>pattern</i> must be in <i>network/prefix</i> or <i>network</i><b>_</b><i>address</i> form
(see ADDRESS PATTERN SYNTAX below). The <b>if</b>..<b>endif</b> can nest.
Note: do not prepend whitespace to text between <b>if</b>..<b>endif</b>.
This feature is available in Postfix 3.2 and later.
blank lines and comments
Empty lines and whitespace-only lines are ignored, as are lines
whose first non-whitespace character is a `#'.
multi-line text
A logical line starts with non-whitespace text. A line that
starts with whitespace continues a logical line.
<b><a name="table_search_order">TABLE SEARCH ORDER</a></b>
Patterns are applied in the order as specified in the table, until a
pattern is found that matches the search string.
<b><a name="address_pattern_syntax">ADDRESS PATTERN SYNTAX</a></b>
Postfix CIDR tables are pattern-based. A pattern is either a <i>net-</i>
<i>work</i><b>_</b><i>address</i> which requires an exact match, or a <i>network</i><b>_</b><i>address/pre-</i>
<i>fix</i><b>_</b><i>length</i> where the <i>prefix</i><b>_</b><i>length</i> part specifies the length of the
<i>network</i><b>_</b><i>address</i> prefix that must be matched (the other bits in the <i>net-</i>
<i>work</i><b>_</b><i>address</i> part must be zero).
An IPv4 network address is a sequence of four decimal octets separated
by ".", and an IPv6 network address is a sequence of three to eight
hexadecimal octet pairs separated by ":" or "::", where the latter is
short-hand for a sequence of one or more all-zero octet pairs. The pat-
tern 0.0.0.0/0 matches every IPv4 address, and ::/0 matches every IPv6
address. IPv6 support is available in Postfix 2.2 and later.
Before comparisons are made, lookup keys and table entries are con-
verted from string to binary. Therefore, IPv6 patterns will be matched
regardless of leading zeros (a leading zero in an IPv4 address octet
indicates octal notation).
Note: address information may be enclosed inside "[]" but this form is
not required.
<b><a name="inline_specification">INLINE SPECIFICATION</a></b>
The contents of a table may be specified in the table name (Postfix 3.7
and later). The basic syntax is:
<a href="postconf.5.html">main.cf</a>:
<i>parameter</i> <b>= .. <a href="cidr_table.5.html">cidr</a>:{ {</b> <i>rule-1</i> <b>}, {</b> <i>rule-2</i> <b>} .. } ..</b>
<a href="master.5.html">master.cf</a>:
<b>.. -o {</b> <i>parameter</i> <b>= .. <a href="cidr_table.5.html">cidr</a>:{ {</b> <i>rule-1</i> <b>}, {</b> <i>rule-2</i> <b>} .. } .. } ..</b>
Postfix recursively expands any <i>$parametername</i> instances in the above
parameter value, ignores whitespace after '{' and before '}', and
writes each <i>rule</i> as one text line to an in-memory file:
in-memory file:
rule-1
rule-2
..
Postfix parses the result as if it is a file in /etc/postfix.
Note: if a rule contains <b>$</b>, specify <b>$$</b> to keep Postfix from trying to
do <i>$name</i> expansion as it evaluates a parameter value.
<b><a name="example_smtpd_access_map">EXAMPLE SMTPD ACCESS MAP</a></b>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> = ... <a href="cidr_table.5.html">cidr</a>:/etc/postfix/client.cidr ...
/etc/postfix/client.<a href="cidr_table.5.html">cidr</a>:
# Rule order matters. Put more specific allowlist entries
# before more general denylist entries.
192.168.1.1 OK
192.168.0.0/16 REJECT
2001:db8::1 OK
2001:db8::/32 REJECT
<b><a name="see_also">SEE ALSO</a></b>
<a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager
<a href="regexp_table.5.html">regexp_table(5)</a>, format of regular expression tables
<a href="pcre_table.5.html">pcre_table(5)</a>, format of PCRE tables
<b><a name="readme_files">README FILES</a></b>
<a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview
<b><a name="history">HISTORY</a></b>
CIDR table support was introduced with Postfix version 2.1.
<b>AUTHOR(S)</b>
The CIDR table lookup code was originally written by:
Jozsef Kadlecsik
KFKI Research Institute for Particle and Nuclear Physics
POB. 49
1525 Budapest, Hungary
Adopted and adapted by:
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
Wietse Venema
Google, Inc.
111 8th Avenue
New York, NY 10011, USA
CIDR_TABLE(5)
</pre> </body> </html>
|
