CIDR_TABLE(5)                                                    CIDR_TABLE(5)

NAME
       cidr_table - format of Postfix CIDR tables

SYNOPSIS
       postmap -q "string" cidr:/etc/postfix/filename

       postmap -q - cidr:/etc/postfix/filename <inputfile

DESCRIPTION
       The  Postfix mail system uses optional lookup tables.  These tables are
       usually in dbm or db format.  Alternatively, lookup tables can be spec-
       ified in CIDR (Classless Inter-Domain Routing) form. In this case, each
       input is compared against a list of patterns. When a  match  is  found,
       the corresponding result is returned and the search is terminated.

       To  find  out  what types of lookup tables your Postfix system supports
       use the "postconf -m" command.

       To test lookup tables, use the "postmap -q" command as described in the
       SYNOPSIS above.

TABLE FORMAT
       The general form of a Postfix CIDR table is:

       pattern     result
              When a search string matches the specified pattern, use the cor-
              responding result value. The pattern must be  in  network/prefix
              or network_address form (see ADDRESS PATTERN SYNTAX below).

       !pattern     result
              When  a  search string does not match the specified pattern, use
              the specified result value. The pattern must be in  network/pre-
              fix  or network_address form (see ADDRESS PATTERN SYNTAX below).

              This feature is available in Postfix 3.2 and later.

       if pattern

       endif  When a search string matches the specified pattern,  match  that
              search  string  against  the patterns between if and endif.  The
              pattern must be in network/prefix or network_address  form  (see
              ADDRESS PATTERN SYNTAX below). The if..endif can nest.

              Note: do not prepend whitespace to text between if..endif.

              This feature is available in Postfix 3.2 and later.

       if !pattern

       endif  When a search string does not match the specified pattern, match
              that search string against the patterns between  if  and  endif.
              The  pattern  must  be in network/prefix or network_address form
              (see ADDRESS PATTERN SYNTAX below). The if..endif can nest.

              Note: do not prepend whitespace to text between if..endif.

              This feature is available in Postfix 3.2 and later.

       blank lines and comments
              Empty lines and whitespace-only lines are ignored, as are  lines
              whose first non-whitespace character is a `#'.

       multi-line text
              A  logical  line  starts  with  non-whitespace text. A line that
              starts with whitespace continues a logical line.

TABLE SEARCH ORDER
       Patterns are applied in the order as specified in the  table,  until  a
       pattern is found that matches the search string.

ADDRESS PATTERN SYNTAX
       Postfix  CIDR  tables  are  pattern-based.  A  pattern is either a net-
       work_address which requires an exact match, or  a  network_address/pre-
       fix_length  where  the  prefix_length  part specifies the length of the
       network_address prefix that must be matched (the other bits in the net-
       work_address part must be zero).

       An  IPv4 network address is a sequence of four decimal octets separated
       by ".", and an IPv6 network address is a sequence  of  three  to  eight
       hexadecimal  octet  pairs separated by ":" or "::", where the latter is
       short-hand for a sequence of one or more all-zero octet pairs. The pat-
       tern  0.0.0.0/0 matches every IPv4 address, and ::/0 matches every IPv6
       address.  IPv6 support is available in Postfix 2.2 and later.

       Before comparisons are made, lookup keys and  table  entries  are  con-
       verted  from string to binary. Therefore, IPv6 patterns will be matched
       regardless of leading zeros (a leading zero in an  IPv4  address  octet
       indicates octal notation).

       Note:  address information may be enclosed inside "[]" but this form is
       not required.

INLINE SPECIFICATION
       The contents of a table may be specified in the table name.  The  basic
       syntax is:

       main.cf:
           parameter = .. cidr:{ { rule-1 }, { rule-2 } .. } ..

       master.cf:
           .. -o { parameter = .. cidr:{ { rule-1 }, { rule-2 } .. } .. } ..

       Postfix  ignores  whitespace  after '{' and before '}', and writes each
       rule as one text line to an in-memory file:

       in-memory file:
           rule-1
           rule-2
           ..

       Postfix parses the result as if it is a file in /etc/postfix.

EXAMPLE SMTPD ACCESS MAP
       /etc/postfix/main.cf:
           smtpd_client_restrictions = ... cidr:/etc/postfix/client.cidr ...

       /etc/postfix/client.cidr:
           # Rule order matters. Put more specific allowlist entries
           # before more general denylist entries.
           192.168.1.1             OK
           192.168.0.0/16          REJECT
           2001:db8::1             OK
           2001:db8::/32           REJECT

SEE ALSO
       postmap(1), Postfix lookup table manager
       regexp_table(5), format of regular expression tables
       pcre_table(5), format of PCRE tables

README FILES
       DATABASE_README, Postfix lookup table overview

HISTORY
       CIDR table support was introduced with Postfix version 2.1.

AUTHOR(S)
       The CIDR table lookup code was originally written by:
       Jozsef Kadlecsik
       KFKI Research Institute for Particle and Nuclear Physics
       POB. 49
       1525 Budapest, Hungary

       Adopted and adapted by:
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

       Wietse Venema
       Google, Inc.
       111 8th Avenue
       New York, NY 10011, USA

                                                                 CIDR_TABLE(5)