1LOCAL(8) System Manager's Manual LOCAL(8)
2
6 local - Postfix local mail delivery
7
9 local [generic Postfix daemon options]
10
12 The local(8) daemon processes delivery requests from the Postfix queue
13 manager to deliver mail to local recipients. Each delivery request
14 specifies a queue file, a sender address, a domain or host to deliver
15 to, and one or more recipients. This program expects to be run from
16 the master(8) process manager.
17 The local(8) daemon updates queue files and marks recipients as fin‐
19 ished, or it informs the queue manager that delivery should be tried
20 again at a later time. Delivery status reports are sent to the
21 bounce(8), defer(8) or trace(8) daemon as appropriate.
22
24 All delivery decisions are made using the bare recipient name (i.e. the
25 address localpart), folded to lower case. See also under ADDRESS
26 EXTENSION below for a few exceptions.
27
29 The system administrator can set up one or more system-wide sendmail-
30 style alias databases. Users can have sendmail-style ~/.forward files.
31 Mail for name is delivered to the alias name, to destinations in
32 ~name/.forward, to the mailbox owned by the user name, or it is sent
33 back as undeliverable.
34 The system administrator can specify a comma/space separated list of
36 ~/.forward like files through the forward_path configuration parameter.
37 Upon delivery, the local delivery agent tries each pathname in the list
38 until a file is found.
39 Delivery via ~/.forward files is done with the privileges of the recip‐
41 ient. Thus, ~/.forward like files must be readable by the recipient,
42 and their parent directory needs to have "execute" permission for the
43 recipient.
44 The forward_path parameter is subject to interpolation of $user (recip‐
46 ient username), $home (recipient home directory), $shell (recipient
47 shell), $recipient (complete recipient address), $extension (recipient
48 address extension), $domain (recipient domain), $local (entire recipi‐
49 ent address localpart) and $recipient_delimiter. The forms
50 ${name?value} and ${name:value} expand conditionally to value when
51 $name is (is not) defined. Characters that may have special meaning to
52 the shell or file system are replaced by underscores. The list of
53 acceptable characters is specified with the forward_expansion_filter
54 configuration parameter.
55 An alias or ~/.forward file may list any combination of external com‐
57 mands, destination file names, :include: directives, or mail addresses.
58 See aliases(5) for a precise description. Each line in a user's .for‐
59 ward file has the same syntax as the right-hand part of an alias.
60 When an address is found in its own alias expansion, delivery is made
62 to the user instead. When a user is listed in the user's own ~/.forward
63 file, delivery is made to the user's mailbox instead. An empty ~/.for‐
64 ward file means do not forward mail.
65 In order to prevent the mail system from using up unreasonable amounts
67 of memory, input records read from :include: or from ~/.forward files
68 are broken up into chunks of length line_length_limit.
69 While expanding aliases, ~/.forward files, and so on, the program
71 attempts to avoid duplicate deliveries. The duplicate_filter_limit con‐
72 figuration parameter limits the number of remembered recipients.
73
75 For the sake of reliability, forwarded mail is re-submitted as a new
76 message, so that each recipient has a separate on-file delivery status
77 record.
78 In order to stop mail forwarding loops early, the software adds an
80 optional Delivered-To: header with the final envelope recipient
81 address. If mail arrives for a recipient that is already listed in a
82 Delivered-To: header, the message is bounced.
83
85 The default per-user mailbox is a file in the UNIX mail spool directory
86 (/var/mail/user or /var/spool/mail/user); the location can be specified
87 with the mail_spool_directory configuration parameter. Specify a name
88 ending in / for qmail-compatible maildir delivery.
89 Alternatively, the per-user mailbox can be a file in the user's home
91 directory with a name specified via the home_mailbox configuration
92 parameter. Specify a relative path name. Specify a name ending in / for
93 qmail-compatible maildir delivery.
94 Mailbox delivery can be delegated to an external command specified with
96 the mailbox_command_maps and mailbox_command configuration parameters.
97 The command executes with the privileges of the recipient user (excep‐
98 tions: secondary groups are not enabled; in case of delivery as root,
99 the command executes with the privileges of default_privs).
100 Mailbox delivery can be delegated to alternative message transports
102 specified in the master.cf file. The mailbox_transport_maps and mail‐
103 box_transport configuration parameters specify an optional message
104 transport that is to be used for all local recipients, regardless of
105 whether they are found in the UNIX passwd database. The fall‐
106 back_transport_maps and fallback_transport parameters specify an
107 optional message transport for recipients that are not found in the
108 aliases(5) or UNIX passwd database.
109 In the case of UNIX-style mailbox delivery, the local(8) daemon
111 prepends a "From sender time_stamp" envelope header to each message,
112 prepends an X-Original-To: header with the recipient address as given
113 to Postfix, prepends an optional Delivered-To: header with the final
114 envelope recipient address, prepends a Return-Path: header with the
115 envelope sender address, prepends a > character to lines beginning with
116 "From ", and appends an empty line. The mailbox is locked for exclu‐
117 sive access while delivery is in progress. In case of problems, an
118 attempt is made to truncate the mailbox to its original length.
119 In the case of maildir delivery, the local daemon prepends an optional
121 Delivered-To: header with the final envelope recipient address,
122 prepends an X-Original-To: header with the recipient address as given
123 to Postfix, and prepends a Return-Path: header with the envelope sender
124 address.
125
127 The allow_mail_to_commands configuration parameter restricts delivery
128 to external commands. The default setting (alias, forward) forbids com‐
129 mand destinations in :include: files.
130 Optionally, the process working directory is changed to the path speci‐
132 fied with command_execution_directory (Postfix 2.2 and later). Failure
133 to change directory causes mail to be deferred.
134 The command_execution_directory parameter value is subject to interpo‐
136 lation of $user (recipient username), $home (recipient home directory),
137 $shell (recipient shell), $recipient (complete recipient address),
138 $extension (recipient address extension), $domain (recipient domain),
139 $local (entire recipient address localpart) and $recipient_delimiter.
140 The forms ${name?value} and ${name:value} expand conditionally to value
141 when $name is (is not) defined. Characters that may have special mean‐
142 ing to the shell or file system are replaced by underscores. The list
143 of acceptable characters is specified with the execution_direc‐
144 tory_expansion_filter configuration parameter.
145 The command is executed directly where possible. Assistance by the
147 shell (/bin/sh on UNIX systems) is used only when the command contains
148 shell magic characters, or when the command invokes a shell built-in
149 command.
150 A limited amount of command output (standard output and standard error)
152 is captured for inclusion with non-delivery status reports. A command
153 is forcibly terminated if it does not complete within com‐
154 mand_time_limit seconds. Command exit status codes are expected to
155 follow the conventions defined in <sysexits.h>. Exit status 0 means
156 normal successful completion.
157 Postfix version 2.3 and later support RFC 3463-style enhanced status
159 codes. If a command terminates with a non-zero exit status, and the
160 command output begins with an enhanced status code, this status code
161 takes precedence over the non-zero exit status.
162 A limited amount of message context is exported via environment vari‐
164 ables. Characters that may have special meaning to the shell are
165 replaced by underscores. The list of acceptable characters is speci‐
166 fied with the command_expansion_filter configuration parameter.
167 SHELL The recipient user's login shell.
169 HOME The recipient user's home directory.
171 USER The bare recipient name.
173 EXTENSION
175 The optional recipient address extension.
176 DOMAIN The recipient address domain part.
178 LOGNAME
180 The bare recipient name.
181 LOCAL The entire recipient address localpart (text to the left of the
183 rightmost @ character).
184 ORIGINAL_RECIPIENT
186 The entire recipient address, before any address rewriting or
187 aliasing (Postfix 2.5 and later).
188 RECIPIENT
190 The entire recipient address.
191 SENDER The entire sender address.
193 Additional remote client information is made available via the follow‐
195 ing environment variables:
196 CLIENT_ADDRESS
198 Remote client network address. Available as of Postfix 2.2.
199 CLIENT_HELO
201 Remote client EHLO command parameter. Available as of Postfix
202 2.2.
203 CLIENT_HOSTNAME
205 Remote client hostname. Available as of Postfix 2.2.
206 CLIENT_PROTOCOL
208 Remote client protocol. Available as of Postfix 2.2.
209 SASL_METHOD
211 SASL authentication method specified in the remote client AUTH
212 command. Available as of Postfix 2.2.
213 SASL_SENDER
215 SASL sender address specified in the remote client MAIL FROM
216 command. Available as of Postfix 2.2.
217 SASL_USERNAME
219 SASL username specified in the remote client AUTH command.
220 Available as of Postfix 2.2.
221 The PATH environment variable is always reset to a system-dependent
223 default path, and environment variables whose names are blessed by the
224 export_environment configuration parameter are exported unchanged.
225 The current working directory is the mail queue directory.
227 The local(8) daemon prepends a "From sender time_stamp" envelope header
229 to each message, prepends an X-Original-To: header with the recipient
230 address as given to Postfix, prepends an optional Delivered-To: header
231 with the final recipient envelope address, prepends a Return-Path:
232 header with the sender envelope address, and appends no empty line.
233
235 The delivery format depends on the destination filename syntax. The
236 default is to use UNIX-style mailbox format. Specify a name ending in
237 / for qmail-compatible maildir delivery.
238 The allow_mail_to_files configuration parameter restricts delivery to
240 external files. The default setting (alias, forward) forbids file des‐
241 tinations in :include: files.
242 In the case of UNIX-style mailbox delivery, the local(8) daemon
244 prepends a "From sender time_stamp" envelope header to each message,
245 prepends an X-Original-To: header with the recipient address as given
246 to Postfix, prepends an optional Delivered-To: header with the final
247 recipient envelope address, prepends a > character to lines beginning
248 with "From ", and appends an empty line. The envelope sender address
249 is available in the Return-Path: header. When the destination is a
250 regular file, it is locked for exclusive access while delivery is in
251 progress. In case of problems, an attempt is made to truncate a regular
252 file to its original length.
253 In the case of maildir delivery, the local daemon prepends an optional
255 Delivered-To: header with the final envelope recipient address, and
256 prepends an X-Original-To: header with the recipient address as given
257 to Postfix. The envelope sender address is available in the Return-
258 Path: header.
259
261 The optional recipient_delimiter configuration parameter specifies how
262 to separate address extensions from local recipient names.
263 For example, with "recipient_delimiter = +", mail for name+foo is
265 delivered to the alias name+foo or to the alias name, to the destina‐
266 tions listed in ~name/.forward+foo or in ~name/.forward, to the mailbox
267 owned by the user name, or it is sent back as undeliverable.
268
270 Deliveries to external files and external commands are made with the
271 rights of the receiving user on whose behalf the delivery is made. In
272 the absence of a user context, the local(8) daemon uses the owner
273 rights of the :include: file or alias database. When those files are
274 owned by the superuser, delivery is made with the rights specified with
275 the default_privs configuration parameter.
276
278 RFC 822 (ARPA Internet Text Messages)
279 RFC 3463 (Enhanced status codes)
280
282 Problems and transactions are logged to syslogd(8). Corrupted message
283 files are marked so that the queue manager can move them to the corrupt
284 queue afterwards.
285 Depending on the setting of the notify_classes parameter, the postmas‐
287 ter is notified of bounces and of other trouble.
288
290 The local(8) delivery agent needs a dual personality 1) to access the
291 private Postfix queue and IPC mechanisms, 2) to impersonate the recipi‐
292 ent and deliver to recipient-specified files or commands. It is there‐
293 fore security sensitive.
294 The local(8) delivery agent disallows regular expression substitution
296 of $1 etc. in alias_maps, because that would open a security hole.
297 The local(8) delivery agent will silently ignore requests to use the
299 proxymap(8) server within alias_maps. Instead it will open the table
300 directly. Before Postfix version 2.2, the local(8) delivery agent will
301 terminate with a fatal error.
302
304 For security reasons, the message delivery status of external commands
305 or of external files is never checkpointed to file. As a result, the
306 program may occasionally deliver more than once to a command or exter‐
307 nal file. Better safe than sorry.
308 Mutually-recursive aliases or ~/.forward files are not detected early.
310 The resulting mail forwarding loop is broken by the use of the Deliv‐
311 ered-To: message header.
312
314 Changes to main.cf are picked up automatically, as local(8) processes
315 run for only a limited amount of time. Use the command "postfix reload"
316 to speed up a change.
317 The text below provides only a parameter summary. See postconf(5) for
319 more details including examples.
320
322 biff (yes)
323 Whether or not to use the local biff service.
324 expand_owner_alias (no)
326 When delivering to an alias "aliasname" that has an "owner-
327 aliasname" companion alias, set the envelope sender address to
328 the expansion of the "owner-aliasname" alias.
329 owner_request_special (yes)
331 Give special treatment to owner-listname and listname-request
332 address localparts: don't split such addresses when the recipi‐
333 ent_delimiter is set to "-".
334 sun_mailtool_compatibility (no)
336 Obsolete SUN mailtool compatibility feature.
337 Available in Postfix version 2.3 and later:
339 frozen_delivered_to (yes)
341 Update the local(8) delivery agent's idea of the Delivered-To:
342 address (see prepend_delivered_header) only once, at the start
343 of a delivery attempt; do not update the Delivered-To: address
344 while expanding aliases or .forward files.
345 Available in Postfix version 2.5.3 and later:
347 strict_mailbox_ownership (yes)
349 Defer delivery when a mailbox file is not owned by its recipi‐
350 ent.
351 reset_owner_alias (no)
353 Reset the local(8) delivery agent's idea of the owner-alias
354 attribute, when delivering mail to a child alias that does not
355 have its own owner alias.
356
358 The precedence of local(8) delivery methods from high to low is:
359 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
360 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
361 tory, fallback_transport_maps, fallback_transport, and luser_relay.
362 alias_maps (see 'postconf -d' output)
364 The alias databases that are used for local(8) delivery.
365 forward_path (see 'postconf -d' output)
367 The local(8) delivery agent search list for finding a .forward
368 file with user-specified delivery methods.
369 mailbox_transport_maps (empty)
371 Optional lookup tables with per-recipient message delivery
372 transports to use for local(8) mailbox delivery, whether or not
373 the recipients are found in the UNIX passwd database.
374 mailbox_transport (empty)
376 Optional message delivery transport that the local(8) delivery
377 agent should use for mailbox delivery to all local recipients,
378 whether or not they are found in the UNIX passwd database.
379 mailbox_command_maps (empty)
381 Optional lookup tables with per-recipient external commands to
382 use for local(8) mailbox delivery.
383 mailbox_command (empty)
385 Optional external command that the local(8) delivery agent
386 should use for mailbox delivery.
387 home_mailbox (empty)
389 Optional pathname of a mailbox file relative to a local(8)
390 user's home directory.
391 mail_spool_directory (see 'postconf -d' output)
393 The directory where local(8) UNIX-style mailboxes are kept.
394 fallback_transport_maps (empty)
396 Optional lookup tables with per-recipient message delivery
397 transports for recipients that the local(8) delivery agent could
398 not find in the aliases(5) or UNIX password database.
399 fallback_transport (empty)
401 Optional message delivery transport that the local(8) delivery
402 agent should use for names that are not found in the aliases(5)
403 or UNIX password database.
404 luser_relay (empty)
406 Optional catch-all destination for unknown local(8) recipients.
407 Available in Postfix version 2.2 and later:
409 command_execution_directory (empty)
411 The local(8) delivery agent working directory for delivery to
412 external command.
413
415 deliver_lock_attempts (20)
416 The maximal number of attempts to acquire an exclusive lock on a
417 mailbox file or bounce(8) logfile.
418 deliver_lock_delay (1s)
420 The time between attempts to acquire an exclusive lock on a
421 mailbox file or bounce(8) logfile.
422 stale_lock_time (500s)
424 The time after which a stale exclusive mailbox lockfile is
425 removed.
426 mailbox_delivery_lock (see 'postconf -d' output)
428 How to lock a UNIX-style local(8) mailbox before attempting
429 delivery.
430
432 command_time_limit (1000s)
433 Time limit for delivery to external commands.
434 duplicate_filter_limit (1000)
436 The maximal number of addresses remembered by the address dupli‐
437 cate filter for aliases(5) or virtual(5) alias expansion, or for
438 showq(8) queue displays.
439 local_destination_concurrency_limit (2)
441 The maximal number of parallel deliveries via the local mail
442 delivery transport to the same recipient (when "local_destina‐
443 tion_recipient_limit = 1") or the maximal number of parallel
444 deliveries to the same local domain (when "local_destina‐
445 tion_recipient_limit > 1").
446 local_destination_recipient_limit (1)
448 The maximal number of recipients per message delivery via the
449 local mail delivery transport.
450 mailbox_size_limit (51200000)
452 The maximal size of any local(8) individual mailbox or maildir
453 file, or zero (no limit).
454
456 allow_mail_to_commands (alias, forward)
457 Restrict local(8) mail delivery to external commands.
458 allow_mail_to_files (alias, forward)
460 Restrict local(8) mail delivery to external files.
461 command_expansion_filter (see 'postconf -d' output)
463 Restrict the characters that the local(8) delivery agent allows
464 in $name expansions of $mailbox_command and $command_execu‐
465 tion_directory.
466 default_privs (nobody)
468 The default rights used by the local(8) delivery agent for
469 delivery to external file or command.
470 forward_expansion_filter (see 'postconf -d' output)
472 Restrict the characters that the local(8) delivery agent allows
473 in $name expansions of $forward_path.
474 Available in Postfix version 2.2 and later:
476 execution_directory_expansion_filter (see 'postconf -d' output)
478 Restrict the characters that the local(8) delivery agent allows
479 in $name expansions of $command_execution_directory.
480 Available in Postfix version 2.5.3 and later:
482 strict_mailbox_ownership (yes)
484 Defer delivery when a mailbox file is not owned by its recipi‐
485 ent.
486
488 config_directory (see 'postconf -d' output)
489 The default location of the Postfix main.cf and master.cf con‐
490 figuration files.
491 daemon_timeout (18000s)
493 How much time a Postfix daemon process may take to handle a
494 request before it is terminated by a built-in watchdog timer.
495 delay_logging_resolution_limit (2)
497 The maximal number of digits after the decimal point when log‐
498 ging sub-second delay values.
499 export_environment (see 'postconf -d' output)
501 The list of environment variables that a Postfix process will
502 export to non-Postfix processes.
503 ipc_timeout (3600s)
505 The time limit for sending or receiving information over an
506 internal communication channel.
507 local_command_shell (empty)
509 Optional shell program for local(8) delivery to non-Postfix com‐
510 mand.
511 max_idle (100s)
513 The maximum amount of time that an idle Postfix daemon process
514 waits for an incoming connection before terminating voluntarily.
515 max_use (100)
517 The maximal number of incoming connections that a Postfix daemon
518 process will service before terminating voluntarily.
519 prepend_delivered_header (command, file, forward)
521 The message delivery contexts where the Postfix local(8) deliv‐
522 ery agent prepends a Delivered-To: message header with the
523 address that the mail was delivered to.
524 process_id (read-only)
526 The process ID of a Postfix command or daemon process.
527 process_name (read-only)
529 The process name of a Postfix command or daemon process.
530 propagate_unmatched_extensions (canonical, virtual)
532 What address lookup tables copy an address extension from the
533 lookup key to the lookup result.
534 queue_directory (see 'postconf -d' output)
536 The location of the Postfix top-level queue directory.
537 recipient_delimiter (empty)
539 The separator between user names and address extensions
540 (user+foo).
541 require_home_directory (no)
543 Require that a local(8) recipient's home directory exists before
544 mail delivery is attempted.
545 syslog_facility (mail)
547 The syslog facility of Postfix logging.
548 syslog_name (see 'postconf -d' output)
550 The mail system name that is prepended to the process name in
551 syslog records, so that "smtpd" becomes, for example, "post‐
552 fix/smtpd".
553
555 The following are examples; details differ between systems.
556 $HOME/.forward, per-user aliasing
557 /etc/aliases, system-wide alias database
558 /var/spool/mail, system mailboxes
559
561 qmgr(8), queue manager
562 bounce(8), delivery status reports
563 newaliases(1), create/update alias database
564 postalias(1), create/update alias database
565 aliases(5), format of alias database
566 postconf(5), configuration parameters
567 master(5), generic daemon options
568 syslogd(8), system logging
569
571 The Secure Mailer license must be distributed with this software.
572
574 The Delivered-To: message header appears in the qmail system by Daniel
575 Bernstein.
576 The maildir structure appears in the qmail system by Daniel Bernstein.
578
580 Wietse Venema
581 IBM T.J. Watson Research
582 P.O. Box 704
583 Yorktown Heights, NY 10598, USA
584 LOCAL(8)