CIDR_TABLE(5) CIDR_TABLE(5)
NAME
cidr_table - format of Postfix CIDR tables
SYNOPSIS
postmap -q "string" cidr:/etc/postfix/filename

postmap -q - cidr:/etc/postfix/filename <inputfile

DESCRIPTION
The Postfix mail system uses optional lookup tables. These tables are
usually in dbm or db format. Alternatively, lookup tables can be
specified in CIDR (Classless Inter-Domain Routing) form. In this case, each
input is compared against a list of patterns. When a match is found,
the corresponding result is returned and the search is terminated.

To find out what types of lookup tables your Postfix system supports
use the "postconf -m" command.

To test lookup tables, use the "postmap -q" command as described in the
SYNOPSIS above.
TABLE FORMAT
The general form of a Postfix CIDR table is:

pattern result
       When a search string matches the specified pattern, use the
       corresponding result value. The pattern must be in network/prefix
       or network_address form (see ADDRESS PATTERN SYNTAX below).

!pattern result
       When a search string does not match the specified pattern, use
       the specified result value. The pattern must be in network/prefix
       or network_address form (see ADDRESS PATTERN SYNTAX below).

       This feature is available in Postfix 3.2 and later.

if pattern
endif
       When a search string matches the specified pattern, match that
       search string against the patterns between if and endif. The
       pattern must be in network/prefix or network_address form (see
       ADDRESS PATTERN SYNTAX below). The if..endif can nest.

       Note: do not prepend whitespace to text between if..endif.

       This feature is available in Postfix 3.2 and later.

if !pattern
endif
       When a search string does not match the specified pattern, match
       that search string against the patterns between if and endif.
       The pattern must be in network/prefix or network_address form
       (see ADDRESS PATTERN SYNTAX below). The if..endif can nest.

       Note: do not prepend whitespace to text between if..endif.

       This feature is available in Postfix 3.2 and later.

blank lines and comments
       Empty lines and whitespace-only lines are ignored, as are lines
       whose first non-whitespace character is a `#'.

multi-line text
       A logical line starts with non-whitespace text. A line that
       starts with whitespace continues a logical line.

TABLE SEARCH ORDER
Patterns are applied in the order specified in the table, until a
pattern is found that matches the search string.
ADDRESS PATTERN SYNTAX
Postfix CIDR tables are pattern-based. A pattern is either a
network_address which requires an exact match, or a
network_address/prefix_length where the prefix_length part specifies the
length of the network_address prefix that must be matched (the other bits
in the network_address part must be zero).

An IPv4 network address is a sequence of four decimal octets separated
by ".", and an IPv6 network address is a sequence of three to eight
hexadecimal octet pairs separated by ":" or "::", where the latter is
short-hand for a sequence of one or more all-zero octet pairs. The
pattern 0.0.0.0/0 matches every IPv4 address, and ::/0 matches every IPv6
address. IPv6 support is available in Postfix 2.2 and later.

Before comparisons are made, lookup keys and table entries are
converted from string to binary. Therefore, IPv6 patterns will be matched
regardless of leading zeros (a leading zero in an IPv4 address octet
indicates octal notation).
Note: address information may be enclosed inside "[]" but this form is
not required.
INLINE SPECIFICATION
The contents of a table may be specified in the table name (Postfix 3.7
and later). The basic syntax is:

main.cf:
    parameter= .. cidr:{ {rule-1}, {rule-2} .. } ..

master.cf:
    .. -o {parameter= .. cidr:{ {rule-1}, {rule-2} .. } .. } ..

Postfix ignores whitespace after '{' and before '}', and writes each
rule as one text line to an in-memory file:
in-memory file:
rule-1
rule-2
..
Postfix parses the result as if it is a file in /etc/postfix.
Note: if a rule contains $, specify $$ to keep Postfix from trying to
do $name expansion as it evaluates a parameter value.
EXAMPLE SMTPD ACCESS MAP
/etc/postfix/main.cf:
smtpd_client_restrictions = ... cidr:/etc/postfix/client.cidr ...
/etc/postfix/client.cidr:
# Rule order matters. Put more specific allowlist entries
# before more general denylist entries.
192.168.1.1 OK
192.168.0.0/16 REJECT
2001:db8::1 OK
2001:db8::/32 REJECT
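
The rule-order comment in the table above can be checked mechanically. The following Python sketch is an added example, not part of Postfix or of this manual page: it evaluates plain `pattern result` lines with first-match semantics and flags entries that sit behind an earlier, broader pattern. The function names and the MISORDERED sample are constructed for illustration, and the `!pattern` and `if`/`endif` forms are not handled.

```python
import ipaddress

# Constructed input: the page's client.cidr with the two IPv4 rules swapped.
MISORDERED = """\
192.168.0.0/16   REJECT
192.168.1.1      OK
2001:db8::1      OK
2001:db8::/32    REJECT
"""

def parse_table(text):
    """Parse plain 'pattern result' lines into [(network, result)], in file order."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()  # leading whitespace continues a line
        else:
            logical.append(line.strip())
    rules = []
    for entry in logical:
        pattern, result = entry.split(None, 1)
        # strict=True raises ValueError when bits outside the prefix are non-zero,
        # and also for the '!pattern' and 'if'/'endif' forms this sketch does not handle.
        rules.append((ipaddress.ip_network(pattern, strict=True), result))
    return rules

def lookup(rules, address):
    """Return the result of the first matching pattern, or None if none matches."""
    addr = ipaddress.ip_address(address)
    for net, result in rules:
        if addr in net:  # an IPv4 key never matches an IPv6 pattern and vice versa
            return result
    return None

def shadowed(rules):
    """List (pattern, result, covering_pattern) for rules that can never be reached."""
    dead = []
    for i, (net, result) in enumerate(rules):
        for earlier, _ in rules[:i]:
            if earlier.version == net.version and net.subnet_of(earlier):
                dead.append((str(net), result, str(earlier)))
                break
    return dead

if __name__ == "__main__":
    table = parse_table(MISORDERED)
    print(lookup(table, "192.168.1.1"))  # REJECT
    print(shadowed(table))
```

The check only detects a rule covered by a single earlier pattern; a rule covered by the union of several earlier patterns is not reported.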
SEE ALSO
postmap(1), Postfix lookup table manager
regexp_table(5), format of regular expression tables
pcre_table(5), format of PCRE tables
README FILES
DATABASE_README, Postfix lookup table overview
HISTORY
CIDR table support was introduced with Postfix version 2.1.
AUTHOR(S)
The CIDR table lookup code was originally written by:
Jozsef Kadlecsik
KFKI Research Institute for Particle and Nuclear Physics
POB. 49
1525 Budapest, Hungary
Adopted and adapted by:
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
Wietse Venema
Google, Inc.
111 8th Avenue
New York, NY 10011, USA