NAME
pipe - Postfix delivery to external command
SYNOPSIS
pipe [generic Postfix daemon options] command_attributes...
DESCRIPTION
The
pipe(8) daemon processes requests from the Postfix queue manager to
deliver messages to external commands. This program expects to be run from the
master(8) process manager.
Message attributes such as sender address, recipient address and next-hop host
name can be specified as command-line macros that are expanded before the
external command is executed.
The
pipe(8) daemon updates queue files and marks recipients as finished,
or it informs the queue manager that delivery should be tried again at a later
time. Delivery status reports are sent to the
bounce(8),
defer(8) or
trace(8) daemon as appropriate.
SINGLE-RECIPIENT DELIVERY
Some destinations cannot handle more than one recipient per delivery request.
Examples are pagers or fax machines. In addition, multi-recipient delivery is
undesirable when prepending a
Delivered-to: or
X-Original-To:
message header.
To prevent Postfix from sending multiple recipients per delivery request,
specify
transport_destination_recipient_limit = 1
in the Postfix
main.cf file, where
transport is the name in the
first column of the Postfix
master.cf entry for the pipe-based delivery
transport.
COMMAND ATTRIBUTE SYNTAX
The external command attributes are given in the
master.cf file at the
end of a service definition. The syntax is as follows:
- chroot=pathname (optional)
- Change the process root directory and working directory to
the named directory. This happens before switching to the privileges
specified with the user attribute, and before executing the
optional directory=pathname directive. Delivery is deferred
in case of failure.
This feature is available as of Postfix 2.3.
- directory=pathname (optional)
- Change to the named directory before executing the external
command. The directory must be accessible for the user specified with the
user attribute (see below). The default working directory is
$queue_directory. Delivery is deferred in case of failure.
This feature is available as of Postfix 2.2.
- eol=string (optional, default:
\n)
- The output record delimiter. Typically one would use either
\r\n or \n. The usual C-style backslash escape sequences are
recognized: \a \b \f \n \r \t \v \ddd (up to three
octal digits) and \\.
- flags=BDFORXhqu.> (optional)
- Optional message processing flags. By default, a message is
copied unchanged.
- B
- Append a blank line at the end of each message. This is
required by some mail user agents that recognize " From "
lines only when preceded by a blank line.
- D
- Prepend a "Delivered-To: recipient"
message header with the envelope recipient address. Note: for this to
work, the transport_destination_recipient_limit must be 1
(see SINGLE-RECIPIENT DELIVERY above for details).
The D flag also enforces loop detection (Postfix 2.5 and later): if a
message already contains a Delivered-To: header with the same
recipient address, then the message is returned as undeliverable. The
address comparison is case insensitive.
This feature is available as of Postfix 2.0.
- F
- Prepend a "From sender time_stamp"
envelope header to the message content. This is expected by, for example,
UUCP software.
- O
- Prepend an "X-Original-To:
recipient" message header with the recipient address as
given to Postfix. Note: for this to work, the
transport_destination_recipient_limit must be 1 (see
SINGLE-RECIPIENT DELIVERY above for details).
This feature is available as of Postfix 2.0.
- R
- Prepend a Return-Path: message header with the
envelope sender address.
- X
- Indicate that the external command performs final delivery.
This flag affects the status reported in "success" DSN (delivery
status notification) messages, and changes it from "relayed"
into "delivered".
This feature is available as of Postfix 2.5.
- h
- Fold the command-line $original_recipient and
$recipient address domain part (text to the right of the right-most
@ character) to lower case; fold the entire command-line
$domain and $nexthop host or domain information to lower
case. This is recommended for delivery via UUCP.
- q
- Quote white space and other special characters in the
command-line $sender, $original_recipient and
$recipient address localparts (text to the left of the right-most
@ character), according to an 8-bit transparent version of RFC 822.
This is recommended for delivery via UUCP or BSMTP.
The result is compatible with the address parsing of command-line recipients
by the Postfix sendmail(1) mail submission command.
The q flag affects only entire addresses, not the partial address
information from the $user, $extension or $mailbox
command-line macros.
- u
- Fold the command-line $original_recipient and
$recipient address localpart (text to the left of the right-most
@ character) to lower case. This is recommended for delivery via
UUCP.
- .
- Prepend "." to lines starting with
".". This is needed by, for example, BSMTP
software.
- >
- Prepend ">" to lines starting with
" From ". This is expected by, for example, UUCP
software.
- null_sender=replacement (default:
MAILER-DAEMON)
- Replace the null sender address (typically used for
delivery status notifications) with the specified text when expanding the
$sender command-line macro, and when generating a From_ or
Return-Path: message header.
If the null sender replacement text is a non-empty string then it is
affected by the q flag for address quoting in command-line
arguments.
The null sender replacement text may be empty; this form is recommended for
content filters that feed mail back into Postfix. The empty sender address
is not affected by the q flag for address quoting in command-line
arguments.
Caution: a null sender address is easily mis-parsed by naive software. For
example, when the pipe(8) daemon executes a command such as:
Wrong: command -f$sender -- $recipient
- the command will mis-parse the -f option value when the
sender address is a null string. For correct parsing, specify
$sender as an argument by itself:
Right: command -f $sender -- $recipient
- This feature is available as of Postfix 2.3.
- size=size_limit (optional)
- Don't deliver messages that exceed this size limit (in
bytes); return them to the sender instead.
- user=username (required)
- user=username:groupname
- Execute the external command with the user ID and group ID
of the specified username. The software refuses to execute commands
with root privileges, or with the privileges of the mail system owner. If
groupname is specified, the corresponding group ID is used instead
of the group ID of username.
- argv=command... (required)
- The command to be executed. This must be specified as the
last command attribute. The command is executed directly, i.e. without
interpretation of shell meta characters by a shell command interpreter.
Specify "{" and "}" around command arguments that
contain whitespace (Postfix 3.0 and later). Whitespace after "{"
and before "}" is ignored.
In the command argument vector, the following macros are recognized and
replaced with corresponding information from the Postfix queue manager
delivery request.
In addition to the form ${ name}, the forms $name and the
deprecated form $( name) are also recognized. Specify $$
where a single $ is wanted.
- ${client_address}
- This macro expands to the remote client network address.
This feature is available as of Postfix 2.2.
- ${client_helo}
- This macro expands to the remote client HELO command
parameter.
This feature is available as of Postfix 2.2.
- ${client_hostname}
- This macro expands to the remote client hostname.
This feature is available as of Postfix 2.2.
- ${client_port}
- This macro expands to the remote client TCP port number.
This feature is available as of Postfix 2.5.
- ${client_protocol}
- This macro expands to the remote client protocol.
This feature is available as of Postfix 2.2.
- ${domain}
- This macro expands to the domain portion of the recipient
address. For example, with an address user+foo@domain the domain is
domain.
This information is modified by the h flag for case folding.
This feature is available as of Postfix 2.5.
- ${extension}
- This macro expands to the extension part of a recipient
address. For example, with an address user+foo@domain the extension
is foo.
A command-line argument that contains ${extension} expands into as
many command-line arguments as there are recipients.
This information is modified by the u flag for case folding.
- ${mailbox}
- This macro expands to the complete local part of a
recipient address. For example, with an address user+foo@domain the
mailbox is user+foo.
A command-line argument that contains ${mailbox} expands to as many
command-line arguments as there are recipients.
This information is modified by the u flag for case folding.
- ${nexthop}
- This macro expands to the next-hop hostname.
This information is modified by the h flag for case folding.
- ${original_recipient}
- This macro expands to the complete recipient address before
any address rewriting or aliasing.
A command-line argument that contains ${original_recipient} expands
to as many command-line arguments as there are recipients.
This information is modified by the hqu flags for quoting and case
folding.
This feature is available as of Postfix 2.5.
- ${queue_id}
- This macro expands to the queue id.
This feature is available as of Postfix 2.11.
- ${recipient}
- This macro expands to the complete recipient address.
A command-line argument that contains ${recipient} expands to as many
command-line arguments as there are recipients.
This information is modified by the hqu flags for quoting and case
folding.
- ${sasl_method}
- This macro expands to the name of the SASL authentication
mechanism in the AUTH command when the Postfix SMTP server received the
message.
This feature is available as of Postfix 2.2.
- ${sasl_sender}
- This macro expands to the SASL sender name (i.e. the
original submitter as per RFC 4954) in the MAIL FROM command when the
Postfix SMTP server received the message.
This feature is available as of Postfix 2.2.
- ${sasl_username}
- This macro expands to the SASL user name in the AUTH
command when the Postfix SMTP server received the message.
This feature is available as of Postfix 2.2.
- ${sender}
- This macro expands to the envelope sender address. By
default, the null sender address expands to MAILER-DAEMON; this can be
changed with the null_sender attribute, as described above.
This information is modified by the q flag for quoting.
- ${size}
- This macro expands to Postfix's idea of the message size,
which is an approximation of the size of the message as delivered.
- ${user}
- This macro expands to the username part of a recipient
address. For example, with an address user+foo@domain the username
part is user.
A command-line argument that contains ${user} expands into as many
command-line arguments as there are recipients.
This information is modified by the u flag for case folding.
STANDARDS
RFC 3463 (Enhanced status codes)
DIAGNOSTICS
Command exit status codes are expected to follow the conventions defined in <
sysexits.h>. Exit status 0 means normal successful completion.
In the case of a non-zero exit status, a limited amount of command output is
logged, and reported in a delivery status notification. When the output begins
with a 4.X.X or 5.X.X enhanced status code, the status code takes precedence
over the non-zero exit status (Postfix version 2.3 and later).
After successful delivery (zero exit status) a limited amount of command output
is logged, and reported in "success" delivery status notifications
(Postfix 3.0 and later). This command output is not examined for the presence
of an enhanced status code.
Problems and transactions are logged to
syslogd(8). Corrupted message
files are marked so that the queue manager can move them to the
corrupt
queue for further inspection.
SECURITY
This program needs a dual personality 1) to access the private Postfix queue and
IPC mechanisms, and 2) to execute external commands as the specified user. It
is therefore security sensitive.
CONFIGURATION PARAMETERS
Changes to
main.cf are picked up automatically as
pipe(8)
processes run for only a limited amount of time. Use the command "
postfix reload" to speed up a change.
The text below provides only a parameter summary. See
postconf(5) for
more details including examples.
RESOURCE AND RATE CONTROLS
In the text below,
transport is the first field in a
master.cf
entry.
- transport_destination_concurrency_limit
($default_destination_concurrency_limit)
- Limit the number of parallel deliveries to the same
destination, for delivery via the named transport. The limit is
enforced by the Postfix queue manager.
- transport_destination_recipient_limit
($default_destination_recipient_limit)
- Limit the number of recipients per message delivery, for
delivery via the named transport. The limit is enforced by the
Postfix queue manager.
- transport_time_limit
($command_time_limit)
- Limit the time for delivery to external command, for
delivery via the named transport. The limit is enforced by the pipe
delivery agent.
Postfix 2.4 and later support a suffix that specifies the time unit: s
(seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is seconds.
MISCELLANEOUS CONTROLS
- config_directory (see 'postconf -d' output)
- The default location of the Postfix main.cf and master.cf
configuration files.
- daemon_timeout (18000s)
- How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
- delay_logging_resolution_limit (2)
- The maximal number of digits after the decimal point when
logging sub-second delay values.
- export_environment (see 'postconf -d' output)
- The list of environment variables that a Postfix process
will export to non-Postfix processes.
- ipc_timeout (3600s)
- The time limit for sending or receiving information over an
internal communication channel.
- mail_owner (postfix)
- The UNIX system account that owns the Postfix queue and
most Postfix daemon processes.
- max_idle (100s)
- The maximum amount of time that an idle Postfix daemon
process waits for an incoming connection before terminating
voluntarily.
- max_use (100)
- The maximal number of incoming connections that a Postfix
daemon process will service before terminating voluntarily.
- process_id (read-only)
- The process ID of a Postfix command or daemon process.
- process_name (read-only)
- The process name of a Postfix command or daemon
process.
- queue_directory (see 'postconf -d' output)
- The location of the Postfix top-level queue directory.
- recipient_delimiter (empty)
- The set of characters that can separate a user name from
its extension (example: user+foo), or a .forward file name from its
extension (example: .forward+foo).
- syslog_facility (mail)
- The syslog facility of Postfix logging.
- syslog_name (see 'postconf -d' output)
- The mail system name that is prepended to the process name
in syslog records, so that "smtpd" becomes, for example,
"postfix/smtpd".
Available in Postfix version 3.0 and later:
- pipe_delivery_status_filter
($default_delivery_status_filter)
- Optional filter for the pipe(8) delivery agent to
change the delivery status code or explanatory text of successful or
unsuccessful deliveries.
SEE ALSO
qmgr(8), queue manager
bounce(8), delivery status reports
postconf(5), configuration parameters
master(5), generic daemon options
master(8), process manager
syslogd(8), system logging
LICENSE
The Secure Mailer license must be distributed with this software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
Wietse Venema
Google, Inc.
111 8th Avenue
New York, NY 10011, USA