NAME
local - Postfix local mail delivery
SYNOPSIS
local [generic Postfix daemon options]
DESCRIPTION
The local(8) daemon processes delivery requests from the Postfix queue
manager to deliver mail to local recipients. Each delivery request specifies a
queue file, a sender address, a domain or host to deliver to, and one or more
recipients. This program expects to be run from the master(8) process manager.
The local(8) daemon updates queue files and marks recipients as finished,
or it informs the queue manager that delivery should be tried again at a later
time. Delivery status reports are sent to the bounce(8), defer(8) or trace(8)
daemon as appropriate.
CASE FOLDING
All delivery decisions are made using the bare recipient name (i.e. the address
localpart), folded to lower case. See also under ADDRESS EXTENSION below for a
few exceptions.
SYSTEM-WIDE AND USER-LEVEL ALIASING
The system administrator can set up one or more system-wide sendmail-style
alias databases. Users can have sendmail-style ~/.forward files. Mail for name
is delivered to the alias name, to destinations in ~name/.forward, to the
mailbox owned by the user name, or it is sent back as undeliverable.
The system administrator can specify a comma/space separated list of
~/.forward like files through the forward_path configuration parameter. Upon
delivery, the local delivery agent tries each pathname in the list until a file
is found.
Delivery via ~/.forward files is done with the privileges of the recipient.
Thus, ~/.forward like files must be readable by the recipient, and their parent
directory needs to have "execute" permission for the recipient.
The forward_path parameter is subject to interpolation of $user (recipient
username), $home (recipient home directory), $shell (recipient shell),
$recipient (complete recipient address), $extension (recipient address
extension), $domain (recipient domain), $local (entire recipient address
localpart) and $recipient_delimiter. The forms ${name?value} and ${name:value}
expand conditionally to value when $name is (is not) defined. Characters that
may have special meaning to the shell or file system are replaced by
underscores. The list of acceptable characters is specified with the
forward_expansion_filter configuration parameter.
An alias or ~/.forward file may list any combination of external commands,
destination file names, :include: directives, or mail addresses. See aliases(5)
for a precise description. Each line in a user's .forward file has the same
syntax as the right-hand part of an alias.
When an address is found in its own alias expansion, delivery is made to the
user instead. When a user is listed in the user's own ~/.forward file, delivery
is made to the user's mailbox instead. An empty ~/.forward file means do not
forward mail.
In order to prevent the mail system from using up unreasonable amounts of
memory, input records read from :include: or from ~/.forward files are broken
up into chunks of length line_length_limit.
While expanding aliases, ~/.forward files, and so on, the program attempts to
avoid duplicate deliveries. The duplicate_filter_limit configuration parameter
limits the number of remembered recipients.
MAIL FORWARDING
For the sake of reliability, forwarded mail is re-submitted as a new message, so
that each recipient has a separate on-file delivery status record.
In order to stop mail forwarding loops early, the software adds an optional
Delivered-To: header with the final envelope recipient address. If mail
arrives for a recipient that is already listed in a Delivered-To: header, the
message is bounced.
MAILBOX DELIVERY
The default per-user mailbox is a file in the UNIX mail spool directory
(/var/mail/user or /var/spool/mail/user); the location can be specified with
the mail_spool_directory configuration parameter. Specify a name ending in /
for qmail-compatible maildir delivery.
Alternatively, the per-user mailbox can be a file in the user's home directory
with a name specified via the home_mailbox configuration parameter. Specify a
relative path name. Specify a name ending in / for qmail-compatible maildir
delivery.
Mailbox delivery can be delegated to an external command specified with the
mailbox_command_maps and mailbox_command configuration parameters. The command
executes with the privileges of the recipient user (exceptions: secondary
groups are not enabled; in case of delivery as root, the command executes with
the privileges of default_privs).
Mailbox delivery can be delegated to alternative message transports specified in
the master.cf file. The mailbox_transport_maps and mailbox_transport
configuration parameters specify an optional message transport that is to be
used for all local recipients, regardless of whether they are found in the UNIX
passwd database. The fallback_transport_maps and fallback_transport parameters
specify an optional message transport for recipients that are not found in the
aliases(5) or UNIX passwd database.
In the case of UNIX-style mailbox delivery, the local(8) daemon prepends a
"From sender time_stamp" envelope header to each message, prepends an
X-Original-To: header with the recipient address as given to Postfix, prepends
an optional Delivered-To: header with the final envelope recipient address,
prepends a Return-Path: header with the envelope sender address, prepends a >
character to lines beginning with "From ", and appends an empty line. The
mailbox is locked for exclusive access while delivery is in progress. In case
of problems, an attempt is made to truncate the mailbox to its original
length.
In the case of maildir delivery, the local daemon prepends an optional
Delivered-To: header with the final envelope recipient address, prepends an
X-Original-To: header with the recipient address as given to Postfix, and
prepends a Return-Path: header with the envelope sender address.
EXTERNAL COMMAND DELIVERY
The allow_mail_to_commands configuration parameter restricts delivery to
external commands. The default setting (alias, forward) forbids command
destinations in :include: files.
Optionally, the process working directory is changed to the path specified with
command_execution_directory (Postfix 2.2 and later). Failure to change
directory causes mail to be deferred.
The command_execution_directory parameter value is subject to interpolation of
$user (recipient username), $home (recipient home directory), $shell (recipient
shell), $recipient (complete recipient address), $extension (recipient address
extension), $domain (recipient domain), $local (entire recipient address
localpart) and $recipient_delimiter. The forms ${name?value} and ${name:value}
expand conditionally to value when $name is (is not) defined. Characters that
may have special meaning to the shell or file system are replaced by
underscores. The list of acceptable characters is specified with the
execution_directory_expansion_filter configuration parameter.
The command is executed directly where possible. Assistance by the shell
(/bin/sh on UNIX systems) is used only when the command contains shell
magic characters, or when the command invokes a shell built-in command.
A limited amount of command output (standard output and standard error) is
captured for inclusion with non-delivery status reports. A command is forcibly
terminated if it does not complete within command_time_limit seconds.
Command exit status codes are expected to follow the conventions defined in
<sysexits.h>. Exit status 0 means normal successful completion.
Postfix version 2.3 and later support RFC 3463-style enhanced status codes. If a
command terminates with a non-zero exit status, and the command output begins
with an enhanced status code, this status code takes precedence over the
non-zero exit status.
A limited amount of message context is exported via environment variables.
Characters that may have special meaning to the shell are replaced by
underscores. The list of acceptable characters is specified with the
command_expansion_filter configuration parameter.
- SHELL
- The recipient user's login shell.
- HOME
- The recipient user's home directory.
- USER
- The bare recipient name.
- EXTENSION
- The optional recipient address extension.
- DOMAIN
- The recipient address domain part.
- LOGNAME
- The bare recipient name.
- LOCAL
- The entire recipient address localpart (text to the left of
the rightmost @ character).
- ORIGINAL_RECIPIENT
- The entire recipient address, before any address rewriting
or aliasing (Postfix 2.5 and later).
- RECIPIENT
- The entire recipient address.
- SENDER
- The entire sender address.
Additional remote client information is made available via the following
environment variables:
- CLIENT_ADDRESS
- Remote client network address. Available as of Postfix
2.2.
- CLIENT_HELO
- Remote client EHLO command parameter. Available as of
Postfix 2.2.
- CLIENT_HOSTNAME
- Remote client hostname. Available as of Postfix 2.2.
- CLIENT_PROTOCOL
- Remote client protocol. Available as of Postfix 2.2.
- SASL_METHOD
- SASL authentication method specified in the remote client
AUTH command. Available as of Postfix 2.2.
- SASL_SENDER
- SASL sender address specified in the remote client MAIL
FROM command. Available as of Postfix 2.2.
- SASL_USERNAME
- SASL username specified in the remote client AUTH command.
Available as of Postfix 2.2.
The PATH environment variable is always reset to a system-dependent
default path, and environment variables whose names are blessed by the
export_environment configuration parameter are exported unchanged.
The current working directory is the mail queue directory.
The local(8) daemon prepends a "From sender time_stamp" envelope header to
each message, prepends an X-Original-To: header with the recipient address as
given to Postfix, prepends an optional Delivered-To: header with the final
recipient envelope address, prepends a Return-Path: header with the sender
envelope address, and appends no empty line.
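
The following delivery command is an added example, not part of Postfix or of this manual page. It shows a command that treats the exported EXTENSION value as untrusted (what survives depends on the configured command_expansion_filter) and reports failures with a sysexits.h exit status plus an enhanced status code at the start of its output. The ~/Mail folder layout, the folder-name policy and the file naming are assumptions of the example.

```python
import os
import re
import sys
import tempfile

# Values from <sysexits.h>.
EX_OK, EX_NOUSER, EX_TEMPFAIL = 0, 67, 75

# Hypothetical policy for this example: short, lower-case folder names only,
# so an extension can never contain "/" or ".." and escape the base directory.
FOLDER_RE = re.compile(r"[a-z0-9][a-z0-9_-]{0,31}")


def plan_delivery(env, base_dir):
    """Return (exit_status, output, target_dir) for one delivery request.

    `output` starts with an RFC 3463 enhanced status code whenever the exit
    status is non-zero, so the code is what ends up in the status report.
    """
    folder = env.get("EXTENSION", "").lower() or "inbox"
    if not FOLDER_RE.fullmatch(folder):
        return EX_NOUSER, "5.1.1 address extension not accepted", None
    target = os.path.join(base_dir, folder)
    if not os.path.isdir(target):
        # Unknown but well-formed extension: fall back to the inbox folder.
        target = os.path.join(base_dir, "inbox")
    if not os.path.isdir(target):
        return EX_TEMPFAIL, "4.2.0 mail folder unavailable", None
    return EX_OK, "", target


def main():
    # HOME is exported by local(8); "Mail" is this example's own layout.
    base_dir = os.path.join(os.environ.get("HOME", ""), "Mail")
    status, output, target = plan_delivery(os.environ, base_dir)
    if status == EX_OK:
        path = None
        try:
            # mkstemp creates a new file exclusively with mode 0600.
            fd, path = tempfile.mkstemp(prefix="msg.", dir=target)
            with os.fdopen(fd, "wb") as fh:
                fh.write(sys.stdin.buffer.read())
        except OSError as exc:
            if path and os.path.exists(path):
                os.unlink(path)  # do not leave a partial message behind
            status, output = EX_TEMPFAIL, "4.3.0 write failed: " + str(exc.strerror)
    if output:
        print(output)
    return status


if __name__ == "__main__":
    sys.exit(main())
```

Because delivery status of external commands is never checkpointed, a command like this can occasionally receive the same message twice and should tolerate that.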
EXTERNAL FILE DELIVERY
The delivery format depends on the destination filename syntax. The default is
to use UNIX-style mailbox format. Specify a name ending in / for
qmail-compatible maildir delivery.
The allow_mail_to_files configuration parameter restricts delivery to
external files. The default setting (alias, forward) forbids file destinations
in :include: files.
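
The audit helper below is an added example, not Postfix code. It classifies the destinations found in an alias right-hand side, a ~/.forward file or an :include: file, and applies the allow_mail_to_commands and allow_mail_to_files settings described above and under EXTERNAL COMMAND DELIVERY. The quote handling is a simplification of the aliases(5) syntax, and the sample lines are constructed.

```python
DEFAULT_ALLOW = frozenset({"alias", "forward"})  # default stated on this page

# Constructed sample input: the same kinds of destination in two contexts.
SAMPLE_FORWARD = [
    'alice@example.com, "|/usr/bin/procmail -f-"',
    "/home/alice/Mail/archive/",
    ":include:/home/alice/lists/friends",
]
SAMPLE_INCLUDE = ["bob@example.com", '"|/usr/local/bin/notify"',
                  "/var/tmp/list-archive"]


def split_destinations(line):
    """Split one right-hand side on commas, honouring double quotes."""
    items, buf, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf).strip())
    return [item for item in items if item]


def classify(dest):
    """Name the delivery method a destination selects."""
    if dest.startswith("|"):
        return "command"
    if dest.startswith(":include:"):
        return "include"
    if dest.startswith("/"):
        return "maildir" if dest.endswith("/") else "file"
    return "address"


def audit(lines, context, allow_commands=DEFAULT_ALLOW,
          allow_files=DEFAULT_ALLOW):
    """Return (destination, kind, verdict) tuples for every destination.

    context says where the lines came from: "alias", "forward" or "include".
    Verdict "follow" means the named file must itself be audited with
    context="include".
    """
    findings = []
    for line in lines:
        for dest in split_destinations(line):
            kind = classify(dest)
            if kind == "command":
                verdict = "allowed" if context in allow_commands else "refused"
            elif kind in ("file", "maildir"):
                verdict = "allowed" if context in allow_files else "refused"
            elif kind == "include":
                verdict = "follow"
            else:
                verdict = "allowed"  # addresses are not limited by these settings
            findings.append((dest, kind, verdict))
    return findings


if __name__ == "__main__":
    for ctx, sample in (("forward", SAMPLE_FORWARD), ("include", SAMPLE_INCLUDE)):
        for finding in audit(sample, ctx):
            print(ctx, *finding, sep="\t")
```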
In the case of UNIX-style mailbox delivery, the local(8) daemon prepends a
"From sender time_stamp" envelope header to each message, prepends an
X-Original-To: header with the recipient address as given to Postfix, prepends
an optional Delivered-To: header with the final recipient envelope address,
prepends a > character to lines beginning with "From ", and appends an empty
line. The envelope sender address is available in the Return-Path: header. When
the destination is a regular file, it is locked for exclusive access while
delivery is in progress. In case of problems, an attempt is made to truncate a
regular file to its original length.
In the case of maildir delivery, the local daemon prepends an optional
Delivered-To: header with the final envelope recipient address, and prepends an
X-Original-To: header with the recipient address as given to Postfix. The
envelope sender address is available in the Return-Path: header.
ADDRESS EXTENSION
The optional recipient_delimiter configuration parameter specifies how to
separate address extensions from local recipient names.
For example, with "recipient_delimiter = +", mail for name+foo is delivered to
the alias name+foo or to the alias name, to the destinations listed in
~name/.forward+foo or in ~name/.forward, to the mailbox owned by the user name,
or it is sent back as undeliverable.
DELIVERY RIGHTS
Deliveries to external files and external commands are made with the rights of
the receiving user on whose behalf the delivery is made. In the absence of a
user context, the local(8) daemon uses the owner rights of the :include: file
or alias database. When those files are owned by the superuser, delivery is
made with the rights specified with the default_privs configuration parameter.
STANDARDS
RFC 822 (ARPA Internet Text Messages)
RFC 3463 (Enhanced status codes)
DIAGNOSTICS
Problems and transactions are logged to syslogd(8). Corrupted message
files are marked so that the queue manager can move them to the corrupt
queue afterwards.
Depending on the setting of the notify_classes parameter, the postmaster
is notified of bounces and of other trouble.
SECURITY
The local(8) delivery agent needs a dual personality 1) to access the
private Postfix queue and IPC mechanisms, 2) to impersonate the recipient and
deliver to recipient-specified files or commands. It is therefore security
sensitive.
The local(8) delivery agent disallows regular expression substitution of
$1 etc. in alias_maps, because that would open a security hole.
The local(8) delivery agent will silently ignore requests to use the
proxymap(8) server within alias_maps. Instead it will open the table directly.
Before Postfix version 2.2, the local(8) delivery agent will terminate with a
fatal error.
BUGS
For security reasons, the message delivery status of external commands or of
external files is never checkpointed to file. As a result, the program may
occasionally deliver more than once to a command or external file. Better safe
than sorry.
Mutually-recursive aliases or ~/.forward files are not detected early.
The resulting mail forwarding loop is broken by the use of the
Delivered-To: message header.
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically, as local(8) processes run for
only a limited amount of time. Use the command "postfix reload" to speed up a
change.
The text below provides only a parameter summary. See postconf(5) for
more details including examples.
COMPATIBILITY CONTROLS
- biff (yes)
- Whether or not to use the local biff service.
- expand_owner_alias (no)
- When delivering to an alias "aliasname" that has
an "owner-aliasname" companion alias, set the envelope sender
address to the expansion of the "owner-aliasname" alias.
- owner_request_special (yes)
- Give special treatment to owner-listname and
listname-request address localparts: don't split such addresses when the
recipient_delimiter is set to "-".
- sun_mailtool_compatibility (no)
- Obsolete SUN mailtool compatibility feature.
Available in Postfix version 2.3 and later:
- frozen_delivered_to (yes)
- Update the local(8) delivery agent's idea of the
Delivered-To: address (see prepend_delivered_header) only once, at the
start of a delivery attempt; do not update the Delivered-To: address while
expanding aliases or .forward files.
Available in Postfix version 2.5.3 and later:
- strict_mailbox_ownership (yes)
- Defer delivery when a mailbox file is not owned by its
recipient.
- reset_owner_alias (no)
- Reset the local(8) delivery agent's idea of the
owner-alias attribute, when delivering mail to a child alias that does not
have its own owner alias.
Available in Postfix version 3.0 and later:
- local_delivery_status_filter ($default_delivery_status_filter)
- Optional filter for the local(8) delivery agent to
change the status code or explanatory text of successful or unsuccessful
deliveries.
DELIVERY METHOD CONTROLS
The precedence of local(8) delivery methods from high to low is: aliases,
.forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory,
fallback_transport_maps, fallback_transport, and luser_relay.
- alias_maps (see 'postconf -d' output)
- The alias databases that are used for local(8)
delivery.
- forward_path (see 'postconf -d' output)
- The local(8) delivery agent search list for finding
a .forward file with user-specified delivery methods.
- mailbox_transport_maps (empty)
- Optional lookup tables with per-recipient message delivery
transports to use for local(8) mailbox delivery, whether or not the
recipients are found in the UNIX passwd database.
- mailbox_transport (empty)
- Optional message delivery transport that the
local(8) delivery agent should use for mailbox delivery to all
local recipients, whether or not they are found in the UNIX passwd
database.
- mailbox_command_maps (empty)
- Optional lookup tables with per-recipient external commands
to use for local(8) mailbox delivery.
- mailbox_command (empty)
- Optional external command that the local(8) delivery
agent should use for mailbox delivery.
- home_mailbox (empty)
- Optional pathname of a mailbox file relative to a
local(8) user's home directory.
- mail_spool_directory (see 'postconf -d' output)
- The directory where local(8) UNIX-style mailboxes
are kept.
- fallback_transport_maps (empty)
- Optional lookup tables with per-recipient message delivery
transports for recipients that the local(8) delivery agent could
not find in the aliases(5) or UNIX password database.
- fallback_transport (empty)
- Optional message delivery transport that the
local(8) delivery agent should use for names that are not found in
the aliases(5) or UNIX password database.
- luser_relay (empty)
- Optional catch-all destination for unknown local(8)
recipients.
Available in Postfix version 2.2 and later:
- command_execution_directory (empty)
- The local(8) delivery agent working directory for
delivery to external command.
MAILBOX LOCKING CONTROLS
- deliver_lock_attempts (20)
- The maximal number of attempts to acquire an exclusive lock
on a mailbox file or bounce(8) logfile.
- deliver_lock_delay (1s)
- The time between attempts to acquire an exclusive lock on a
mailbox file or bounce(8) logfile.
- stale_lock_time (500s)
- The time after which a stale exclusive mailbox lockfile is
removed.
- mailbox_delivery_lock (see 'postconf -d' output)
- How to lock a UNIX-style local(8) mailbox before
attempting delivery.
RESOURCE AND RATE CONTROLS
- command_time_limit (1000s)
- Time limit for delivery to external commands.
- duplicate_filter_limit (1000)
- The maximal number of addresses remembered by the address
duplicate filter for aliases(5) or virtual(5) alias
expansion, or for showq(8) queue displays.
- local_destination_concurrency_limit (2)
- The maximal number of parallel deliveries via the local
mail delivery transport to the same recipient (when
"local_destination_recipient_limit = 1") or the maximal number
of parallel deliveries to the same local domain (when
"local_destination_recipient_limit > 1").
- local_destination_recipient_limit (1)
- The maximal number of recipients per message delivery via
the local mail delivery transport.
- mailbox_size_limit (51200000)
- The maximal size of any local(8) individual mailbox
or maildir file, or zero (no limit).
SECURITY CONTROLS
- allow_mail_to_commands (alias, forward)
- Restrict local(8) mail delivery to external
commands.
- allow_mail_to_files (alias, forward)
- Restrict local(8) mail delivery to external
files.
- command_expansion_filter (see 'postconf -d' output)
- Restrict the characters that the local(8) delivery
agent allows in $name expansions of $mailbox_command and
$command_execution_directory.
- default_privs (nobody)
- The default rights used by the local(8) delivery
agent for delivery to external file or command.
- forward_expansion_filter (see 'postconf -d' output)
- Restrict the characters that the local(8) delivery
agent allows in $name expansions of $forward_path.
Available in Postfix version 2.2 and later:
- execution_directory_expansion_filter (see 'postconf -d' output)
- Restrict the characters that the local(8) delivery
agent allows in $name expansions of $command_execution_directory.
Available in Postfix version 2.5.3 and later:
- strict_mailbox_ownership (yes)
- Defer delivery when a mailbox file is not owned by its
recipient.
MISCELLANEOUS CONTROLS
- config_directory (see 'postconf -d' output)
- The default location of the Postfix main.cf and master.cf
configuration files.
- daemon_timeout (18000s)
- How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
- delay_logging_resolution_limit (2)
- The maximal number of digits after the decimal point when
logging sub-second delay values.
- export_environment (see 'postconf -d' output)
- The list of environment variables that a Postfix process
will export to non-Postfix processes.
- ipc_timeout (3600s)
- The time limit for sending or receiving information over an
internal communication channel.
- local_command_shell (empty)
- Optional shell program for local(8) delivery to
non-Postfix command.
- max_idle (100s)
- The maximum amount of time that an idle Postfix daemon
process waits for an incoming connection before terminating
voluntarily.
- max_use (100)
- The maximal number of incoming connections that a Postfix
daemon process will service before terminating voluntarily.
- prepend_delivered_header (command, file, forward)
- The message delivery contexts where the Postfix
local(8) delivery agent prepends a Delivered-To: message header
with the address that the mail was delivered to.
- process_id (read-only)
- The process ID of a Postfix command or daemon process.
- process_name (read-only)
- The process name of a Postfix command or daemon
process.
- propagate_unmatched_extensions (canonical, virtual)
- What address lookup tables copy an address extension from
the lookup key to the lookup result.
- queue_directory (see 'postconf -d' output)
- The location of the Postfix top-level queue directory.
- recipient_delimiter (empty)
- The set of characters that can separate a user name from
its extension (example: user+foo), or a .forward file name from its
extension (example: .forward+foo).
- require_home_directory (no)
- Require that a local(8) recipient's home directory
exists before mail delivery is attempted.
- syslog_facility (mail)
- The syslog facility of Postfix logging.
- syslog_name (see 'postconf -d' output)
- The mail system name that is prepended to the process name
in syslog records, so that "smtpd" becomes, for example,
"postfix/smtpd".
FILES
The following are examples; details differ between systems.
$HOME/.forward, per-user aliasing
/etc/aliases, system-wide alias database
/var/spool/mail, system mailboxes
SEE ALSO
qmgr(8), queue manager
bounce(8), delivery status reports
newaliases(1), create/update alias database
postalias(1), create/update alias database
aliases(5), format of alias database
postconf(5), configuration parameters
master(5), generic daemon options
syslogd(8), system logging
LICENSE
The Secure Mailer license must be distributed with this software.
HISTORY
The Delivered-To: message header appears in the qmail system by
Daniel Bernstein.
The maildir structure appears in the qmail system by Daniel Bernstein.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
Wietse Venema
Google, Inc.
111 8th Avenue
New York, NY 10011, USA