1LOCAL(8) System Manager's Manual LOCAL(8)
2
6 local - Postfix local mail delivery
7
9 local [generic Postfix daemon options]
10
12 The local(8) daemon processes delivery requests from the Postfix queue
13 manager to deliver mail to local recipients. Each delivery request
14 specifies a queue file, a sender address, a domain or host to deliver
15 to, and one or more recipients. This program expects to be run from
16 the master(8) process manager.
17 The local(8) daemon updates queue files and marks recipients as fin‐
19 ished, or it informs the queue manager that delivery should be tried
20 again at a later time. Delivery status reports are sent to the
21 bounce(8), defer(8) or trace(8) daemon as appropriate.
22
24 All delivery decisions are made using the bare recipient name (i.e. the
25 address localpart), folded to lower case. See also under ADDRESS
26 EXTENSION below for a few exceptions.
27
29 The system administrator can set up one or more system-wide sendmail-
30 style alias databases. Users can have sendmail-style ~/.forward files.
31 Mail for name is delivered to the alias name, to destinations in
32 ~name/.forward, to the mailbox owned by the user name, or it is sent
33 back as undeliverable.
34 The system administrator can specify a comma/space separated list of
36 ~/.forward like files through the forward_path configuration parameter.
37 Upon delivery, the local delivery agent tries each pathname in the list
38 until a file is found.
39 Delivery via ~/.forward files is done with the privileges of the recip‐
41 ient. Thus, ~/.forward like files must be readable by the recipient,
42 and their parent directory needs to have "execute" permission for the
43 recipient.
44 The forward_path parameter is subject to interpolation of $user (recip‐
46 ient username), $home (recipient home directory), $shell (recipient
47 shell), $recipient (complete recipient address), $extension (recipient
48 address extension), $domain (recipient domain), $local (entire recipi‐
49 ent address localpart) and $recipient_delimiter. The forms
50 ${name?value} and ${name:value} expand conditionally to value when
51 $name is (is not) defined. Characters that may have special meaning to
52 the shell or file system are replaced by underscores. The list of
53 acceptable characters is specified with the forward_expansion_filter
54 configuration parameter.
55 An alias or ~/.forward file may list any combination of external com‐
57 mands, destination file names, :include: directives, or mail addresses.
58 See aliases(5) for a precise description. Each line in a user's .for‐
59 ward file has the same syntax as the right-hand part of an alias.
60 When an address is found in its own alias expansion, delivery is made
62 to the user instead. When a user is listed in the user's own ~/.forward
63 file, delivery is made to the user's mailbox instead. An empty ~/.for‐
64 ward file means do not forward mail.
65 In order to prevent the mail system from using up unreasonable amounts
67 of memory, input records read from :include: or from ~/.forward files
68 are broken up into chunks of length line_length_limit.
69 While expanding aliases, ~/.forward files, and so on, the program
71 attempts to avoid duplicate deliveries. The duplicate_filter_limit con‐
72 figuration parameter limits the number of remembered recipients.
73
75 For the sake of reliability, forwarded mail is re-submitted as a new
76 message, so that each recipient has a separate on-file delivery status
77 record.
78 In order to stop mail forwarding loops early, the software adds an
80 optional Delivered-To: header with the final envelope recipient
81 address. If mail arrives for a recipient that is already listed in a
82 Delivered-To: header, the message is bounced.
83
85 The default per-user mailbox is a file in the UNIX mail spool directory
86 (/var/mail/user or /var/spool/mail/user); the location can be specified
87 with the mail_spool_directory configuration parameter. Specify a name
88 ending in / for qmail-compatible maildir delivery.
89 Alternatively, the per-user mailbox can be a file in the user's home
91 directory with a name specified via the home_mailbox configuration
92 parameter. Specify a relative path name. Specify a name ending in / for
93 qmail-compatible maildir delivery.
94 Mailbox delivery can be delegated to an external command specified with
96 the mailbox_command_maps and mailbox_command configuration parameters.
97 The command executes with the privileges of the recipient user (excep‐
98 tions: secondary groups are not enabled; in case of delivery as root,
99 the command executes with the privileges of default_privs).
100 Mailbox delivery can be delegated to alternative message transports
102 specified in the master.cf file. The mailbox_transport_maps and mail‐
103 box_transport configuration parameters specify an optional message
104 transport that is to be used for all local recipients, regardless of
105 whether they are found in the UNIX passwd database. The fall‐
106 back_transport_maps and fallback_transport parameters specify an
107 optional message transport for recipients that are not found in the
108 aliases(5) or UNIX passwd database.
109 In the case of UNIX-style mailbox delivery, the local(8) daemon
111 prepends a "From sender time_stamp" envelope header to each message,
112 prepends an X-Original-To: header with the recipient address as given
113 to Postfix, prepends an optional Delivered-To: header with the final
114 envelope recipient address, prepends a Return-Path: header with the
115 envelope sender address, prepends a > character to lines beginning with
116 "From ", and appends an empty line. The mailbox is locked for exclu‐
117 sive access while delivery is in progress. In case of problems, an
118 attempt is made to truncate the mailbox to its original length.
119 In the case of maildir delivery, the local daemon prepends an optional
121 Delivered-To: header with the final envelope recipient address,
122 prepends an X-Original-To: header with the recipient address as given
123 to Postfix, and prepends a Return-Path: header with the envelope sender
124 address.
125
127 The allow_mail_to_commands configuration parameter restricts delivery
128 to external commands. The default setting (alias, forward) forbids com‐
129 mand destinations in :include: files.
130 Optionally, the process working directory is changed to the path speci‐
132 fied with command_execution_directory (Postfix 2.2 and later). Failure
133 to change directory causes mail to be deferred.
134 The command_execution_directory parameter value is subject to interpo‐
136 lation of $user (recipient username), $home (recipient home directory),
137 $shell (recipient shell), $recipient (complete recipient address),
138 $extension (recipient address extension), $domain (recipient domain),
139 $local (entire recipient address localpart) and $recipient_delimiter.
140 The forms ${name?value} and ${name:value} expand conditionally to value
141 when $name is (is not) defined. Characters that may have special mean‐
142 ing to the shell or file system are replaced by underscores. The list
143 of acceptable characters is specified with the execution_direc‐
144 tory_expansion_filter configuration parameter.
145 The command is executed directly where possible. Assistance by the
147 shell (/bin/sh on UNIX systems) is used only when the command contains
148 shell magic characters, or when the command invokes a shell built-in
149 command.
150 A limited amount of command output (standard output and standard error)
152 is captured for inclusion with non-delivery status reports. A command
153 is forcibly terminated if it does not complete within com‐
154 mand_time_limit seconds. Command exit status codes are expected to
155 follow the conventions defined in <sysexits.h>. Exit status 0 means
156 normal successful completion.
157 Postfix version 2.3 and later support RFC 3463-style enhanced status
159 codes. If a command terminates with a non-zero exit status, and the
160 command output begins with an enhanced status code, this status code
161 takes precedence over the non-zero exit status.
162 A limited amount of message context is exported via environment vari‐
164 ables. Characters that may have special meaning to the shell are
165 replaced by underscores. The list of acceptable characters is speci‐
166 fied with the command_expansion_filter configuration parameter.
167 SHELL The recipient user's login shell.
169 HOME The recipient user's home directory.
171 USER The bare recipient name.
173 EXTENSION
175 The optional recipient address extension.
176 DOMAIN The recipient address domain part.
178 LOGNAME
180 The bare recipient name.
181 LOCAL The entire recipient address localpart (text to the left of the
183 rightmost @ character).
184 RECIPIENT
186 The entire recipient address.
187 SENDER The entire sender address.
189 Additional remote client information is made available via the follow‐
191 ing environment variables:
192 CLIENT_ADDRESS
194 Remote client network address. Available as of Postfix 2.2.
195 CLIENT_HELO
197 Remote client EHLO command parameter. Available as of Postfix
198 2.2.
199 CLIENT_HOSTNAME
201 Remote client hostname. Available as of Postfix 2.2.
202 CLIENT_PROTOCOL
204 Remote client protocol. Available as of Postfix 2.2.
205 SASL_METHOD
207 SASL authentication method specified in the remote client AUTH
208 command. Available as of Postfix 2.2.
209 SASL_SENDER
211 SASL sender address specified in the remote client MAIL FROM
212 command. Available as of Postfix 2.2.
213 SASL_USERNAME
215 SASL username specified in the remote client AUTH command.
216 Available as of Postfix 2.2.
217 The PATH environment variable is always reset to a system-dependent
219 default path, and environment variables whose names are blessed by the
220 export_environment configuration parameter are exported unchanged.
221 The current working directory is the mail queue directory.
223 The local(8) daemon prepends a "From sender time_stamp" envelope header
225 to each message, prepends an X-Original-To: header with the recipient
226 address as given to Postfix, prepends an optional Delivered-To: header
227 with the final recipient envelope address, prepends a Return-Path:
228 header with the sender envelope address, and appends no empty line.
229
231 The delivery format depends on the destination filename syntax. The
232 default is to use UNIX-style mailbox format. Specify a name ending in
233 / for qmail-compatible maildir delivery.
234 The allow_mail_to_files configuration parameter restricts delivery to
236 external files. The default setting (alias, forward) forbids file des‐
237 tinations in :include: files.
238 In the case of UNIX-style mailbox delivery, the local(8) daemon
240 prepends a "From sender time_stamp" envelope header to each message,
241 prepends an X-Original-To: header with the recipient address as given
242 to Postfix, prepends an optional Delivered-To: header with the final
243 recipient envelope address, prepends a > character to lines beginning
244 with "From ", and appends an empty line. The envelope sender address
245 is available in the Return-Path: header. When the destination is a
246 regular file, it is locked for exclusive access while delivery is in
247 progress. In case of problems, an attempt is made to truncate a regular
248 file to its original length.
249 In the case of maildir delivery, the local daemon prepends an optional
251 Delivered-To: header with the final envelope recipient address, and
252 prepends an X-Original-To: header with the recipient address as given
253 to Postfix. The envelope sender address is available in the Return-
254 Path: header.
255
257 The optional recipient_delimiter configuration parameter specifies how
258 to separate address extensions from local recipient names.
259 For example, with "recipient_delimiter = +", mail for name+foo is
261 delivered to the alias name+foo or to the alias name, to the destina‐
262 tions listed in ~name/.forward+foo or in ~name/.forward, to the mailbox
263 owned by the user name, or it is sent back as undeliverable.
264 In all cases the local(8) daemon prepends an optional `Delivered-To:
266 header line with the final recipient address.
267
269 Deliveries to external files and external commands are made with the
270 rights of the receiving user on whose behalf the delivery is made. In
271 the absence of a user context, the local(8) daemon uses the owner
272 rights of the :include: file or alias database. When those files are
273 owned by the superuser, delivery is made with the rights specified with
274 the default_privs configuration parameter.
275
277 RFC 822 (ARPA Internet Text Messages)
278 RFC 3463 (Enhanced status codes)
279
281 Problems and transactions are logged to syslogd(8). Corrupted message
282 files are marked so that the queue manager can move them to the corrupt
283 queue afterwards.
284 Depending on the setting of the notify_classes parameter, the postmas‐
286 ter is notified of bounces and of other trouble.
287
289 The local(8) delivery agent needs a dual personality 1) to access the
290 private Postfix queue and IPC mechanisms, 2) to impersonate the recipi‐
291 ent and deliver to recipient-specified files or commands. It is there‐
292 fore security sensitive.
293 The local(8) delivery agent disallows regular expression substitution
295 of $1 etc. in alias_maps, because that would open a security hole.
296 The local(8) delivery agent will silently ignore requests to use the
298 proxymap(8) server within alias_maps. Instead it will open the table
299 directly. Before Postfix version 2.2, the local(8) delivery agent will
300 terminate with a fatal error.
301
303 For security reasons, the message delivery status of external commands
304 or of external files is never checkpointed to file. As a result, the
305 program may occasionally deliver more than once to a command or exter‐
306 nal file. Better safe than sorry.
307 Mutually-recursive aliases or ~/.forward files are not detected early.
309 The resulting mail forwarding loop is broken by the use of the Deliv‐
310 ered-To: message header.
311
313 Changes to main.cf are picked up automatically, as local(8) processes
314 run for only a limited amount of time. Use the command "postfix reload"
315 to speed up a change.
316 The text below provides only a parameter summary. See postconf(5) for
318 more details including examples.
319
321 biff (yes)
322 Whether or not to use the local biff service.
323 expand_owner_alias (no)
325 When delivering to an alias "aliasname" that has an "owner-
326 aliasname" companion alias, set the envelope sender address to
327 the expansion of the "owner-aliasname" alias.
328 owner_request_special (yes)
330 Give special treatment to owner-listname and listname-request
331 address localparts: don't split such addresses when the recipi‐
332 ent_delimiter is set to "-".
333 sun_mailtool_compatibility (no)
335 Obsolete SUN mailtool compatibility feature.
336 Available in Postfix version 2.3 and later:
338 frozen_delivered_to (yes)
340 Update the local(8) delivery agent's idea of the Delivered-To:
341 address (see prepend_delivered_header) only once, at the start
342 of a delivery attempt; do not update the Delivered-To: address
343 while expanding aliases or .forward files.
344
346 The precedence of local(8) delivery methods from high to low is:
347 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
348 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
349 tory, fallback_transport_maps, fallback_transport, and luser_relay.
350 alias_maps (see 'postconf -d' output)
352 The alias databases that are used for local(8) delivery.
353 forward_path (see 'postconf -d' output)
355 The local(8) delivery agent search list for finding a .forward
356 file with user-specified delivery methods.
357 mailbox_transport_maps (empty)
359 Optional lookup tables with per-recipient message delivery
360 transports to use for local(8) mailbox delivery, whether or not
361 the recipients are found in the UNIX passwd database.
362 mailbox_transport (empty)
364 Optional message delivery transport that the local(8) delivery
365 agent should use for mailbox delivery to all local recipients,
366 whether or not they are found in the UNIX passwd database.
367 mailbox_command_maps (empty)
369 Optional lookup tables with per-recipient external commands to
370 use for local(8) mailbox delivery.
371 mailbox_command (empty)
373 Optional external command that the local(8) delivery agent
374 should use for mailbox delivery.
375 home_mailbox (empty)
377 Optional pathname of a mailbox file relative to a local(8)
378 user's home directory.
379 mail_spool_directory (see 'postconf -d' output)
381 The directory where local(8) UNIX-style mailboxes are kept.
382 fallback_transport_maps (empty)
384 Optional lookup tables with per-recipient message delivery
385 transports for recipients that the local(8) delivery agent could
386 not find in the aliases(5) or UNIX password database.
387 fallback_transport (empty)
389 Optional message delivery transport that the local(8) delivery
390 agent should use for names that are not found in the aliases(5)
391 or UNIX password database.
392 luser_relay (empty)
394 Optional catch-all destination for unknown local(8) recipients.
395 Available in Postfix version 2.2 and later:
397 command_execution_directory (empty)
399 The local(8) delivery agent working directory for delivery to
400 external command.
401
403 deliver_lock_attempts (20)
404 The maximal number of attempts to acquire an exclusive lock on a
405 mailbox file or bounce(8) logfile.
406 deliver_lock_delay (1s)
408 The time between attempts to acquire an exclusive lock on a
409 mailbox file or bounce(8) logfile.
410 stale_lock_time (500s)
412 The time after which a stale exclusive mailbox lockfile is
413 removed.
414 mailbox_delivery_lock (see 'postconf -d' output)
416 How to lock a UNIX-style local(8) mailbox before attempting
417 delivery.
418
420 command_time_limit (1000s)
421 Time limit for delivery to external commands.
422 duplicate_filter_limit (1000)
424 The maximal number of addresses remembered by the address dupli‐
425 cate filter for aliases(5) or virtual(5) alias expansion, or for
426 showq(8) queue displays.
427 local_destination_concurrency_limit (2)
429 The maximal number of parallel deliveries via the local mail
430 delivery transport to the same recipient (when "local_destina‐
431 tion_recipient_limit = 1") or the maximal number of parallel
432 deliveries to the same local domain (when "local_destina‐
433 tion_recipient_limit > 1").
434 local_destination_recipient_limit (1)
436 The maximal number of recipients per message delivery via the
437 local mail delivery transport.
438 mailbox_size_limit (51200000)
440 The maximal size of any local(8) individual mailbox or maildir
441 file, or zero (no limit).
442
444 allow_mail_to_commands (alias, forward)
445 Restrict local(8) mail delivery to external commands.
446 allow_mail_to_files (alias, forward)
448 Restrict local(8) mail delivery to external files.
449 command_expansion_filter (see 'postconf -d' output)
451 Restrict the characters that the local(8) delivery agent allows
452 in $name expansions of $mailbox_command.
453 default_privs (nobody)
455 The default rights used by the local(8) delivery agent for
456 delivery to external file or command.
457 forward_expansion_filter (see 'postconf -d' output)
459 Restrict the characters that the local(8) delivery agent allows
460 in $name expansions of $forward_path.
461 Available in Postfix version 2.2 and later:
463 execution_directory_expansion_filter (see 'postconf -d' output)
465 Restrict the characters that the local(8) delivery agent allows
466 in $name expansions of $command_execution_directory.
467
469 config_directory (see 'postconf -d' output)
470 The default location of the Postfix main.cf and master.cf con‐
471 figuration files.
472 daemon_timeout (18000s)
474 How much time a Postfix daemon process may take to handle a
475 request before it is terminated by a built-in watchdog timer.
476 delay_logging_resolution_limit (2)
478 The maximal number of digits after the decimal point when log‐
479 ging sub-second delay values.
480 export_environment (see 'postconf -d' output)
482 The list of environment variables that a Postfix process will
483 export to non-Postfix processes.
484 ipc_timeout (3600s)
486 The time limit for sending or receiving information over an
487 internal communication channel.
488 local_command_shell (empty)
490 Optional shell program for local(8) delivery to non-Postfix com‐
491 mand.
492 max_idle (100s)
494 The maximum amount of time that an idle Postfix daemon process
495 waits for an incoming connection before terminating voluntarily.
496 max_use (100)
498 The maximal number of incoming connections that a Postfix daemon
499 process will service before terminating voluntarily.
500 prepend_delivered_header (command, file, forward)
502 The message delivery contexts where the Postfix local(8) deliv‐
503 ery agent prepends a Delivered-To: message header with the
504 address that the mail was delivered to.
505 process_id (read-only)
507 The process ID of a Postfix command or daemon process.
508 process_name (read-only)
510 The process name of a Postfix command or daemon process.
511 propagate_unmatched_extensions (canonical, virtual)
513 What address lookup tables copy an address extension from the
514 lookup key to the lookup result.
515 queue_directory (see 'postconf -d' output)
517 The location of the Postfix top-level queue directory.
518 recipient_delimiter (empty)
520 The separator between user names and address extensions
521 (user+foo).
522 require_home_directory (no)
524 Whether or not a local(8) recipient's home directory must exist
525 before mail delivery is attempted.
526 syslog_facility (mail)
528 The syslog facility of Postfix logging.
529 syslog_name (postfix)
531 The mail system name that is prepended to the process name in
532 syslog records, so that "smtpd" becomes, for example, "post‐
533 fix/smtpd".
534
536 The following are examples; details differ between systems.
537 $HOME/.forward, per-user aliasing
538 /etc/aliases, system-wide alias database
539 /var/spool/mail, system mailboxes
540
542 qmgr(8), queue manager
543 bounce(8), delivery status reports
544 newaliases(1), create/update alias database
545 postalias(1), create/update alias database
546 aliases(5), format of alias database
547 postconf(5), configuration parameters
548 master(5), generic daemon options
549 syslogd(8), system logging
550
552 The Secure Mailer license must be distributed with this software.
553
555 The Delivered-To: message header appears in the qmail system by Daniel
556 Bernstein.
557 The maildir structure appears in the qmail system by Daniel Bernstein.
559
561 Wietse Venema
562 IBM T.J. Watson Research
563 P.O. Box 704
564 Yorktown Heights, NY 10598, USA
565 LOCAL(8)