LOCAL(8) LOCAL(8)
NAME
local - Postfix local mail delivery
SYNOPSIS
local [generic Postfix daemon options]
DESCRIPTION
The local(8) daemon processes delivery requests from the
Postfix queue manager to deliver mail to local recipients.
Each delivery request specifies a queue file, a sender
address, a domain or host to deliver to, and one or more
recipients. This program expects to be run from the mas-
ter(8) process manager.
The local(8) daemon updates queue files and marks recipi-
ents as finished, or it informs the queue manager that
delivery should be tried again at a later time. Delivery
status reports are sent to the bounce(8), defer(8) or
trace(8) daemon as appropriate.
CASE FOLDING
All delivery decisions are made using the bare recipient
name (i.e. the address localpart), folded to lower case.
See also under ADDRESS EXTENSION below for a few excep-
tions.
SYSTEM-WIDE AND USER-LEVEL ALIASING
The system administrator can set up one or more system-
wide sendmail-style alias databases. Users can have send-
mail-style ~/.forward files. Mail for name is delivered
to the alias name, to destinations in ~name/.forward, to
the mailbox owned by the user name, or it is sent back as
undeliverable.
The system administrator can specify a comma/space sepa-
rated list of ~/.forward like files through the for-
ward_path configuration parameter. Upon delivery, the
local delivery agent tries each pathname in the list until
a file is found.
Delivery via ~/..forward files is done with the privileges
of the recipient. Thus, ~/.forward like files must be
readable by the recipient, and their parent directory
needs to have "execute" permission for the recipient.
The forward_path parameter is subject to interpolation of
$user (recipient username), $home (recipient home direc-
tory), $shell (recipient shell), $recipient (complete
recipient address), $extension (recipient address exten-
sion), $domain (recipient domain), $local (entire recipi-
ent address localpart) and $recipient_delimiter. The forms
${name?value} and ${name:value} expand conditionally to
value when $name is (is not) defined. Characters that may
have special meaning to the shell or file system are
replaced by underscores. The list of acceptable charac-
ters is specified with the forward_expansion_filter con-
figuration parameter.
An alias or ~/.forward file may list any combination of
external commands, destination file names, :include:
directives, or mail addresses. See aliases(5) for a pre-
cise description. Each line in a user's .forward file has
the same syntax as the right-hand part of an alias.
When an address is found in its own alias expansion,
delivery is made to the user instead. When a user is
listed in the user's own ~/.forward file, delivery is made
to the user's mailbox instead. An empty ~/.forward file
means do not forward mail.
In order to prevent the mail system from using up unrea-
sonable amounts of memory, input records read from
:include: or from ~/.forward files are broken up into
chunks of length line_length_limit.
While expanding aliases, ~/.forward files, and so on, the
program attempts to avoid duplicate deliveries. The dupli-
cate_filter_limit configuration parameter limits the num-
ber of remembered recipients.
MAIL FORWARDING
For the sake of reliability, forwarded mail is re-submit-
ted as a new message, so that each recipient has a sepa-
rate on-file delivery status record.
In order to stop mail forwarding loops early, the software
adds an optional Delivered-To: header with the final enve-
lope recipient address. If mail arrives for a recipient
that is already listed in a Delivered-To: header, the mes-
sage is bounced.
MAILBOX DELIVERY
The default per-user mailbox is a file in the UNIX mail
spool directory (/var/mail/user or /var/spool/mail/user);
the location can be specified with the mail_spool_direc-
tory configuration parameter. Specify a name ending in /
for qmail-compatible maildir delivery.
Alternatively, the per-user mailbox can be a file in the
user's home directory with a name specified via the
home_mailbox configuration parameter. Specify a relative
path name. Specify a name ending in / for qmail-compatible
maildir delivery.
Mailbox delivery can be delegated to an external command
specified with the mailbox_command_maps and mailbox_com-
mand configuration parameters. The command executes with
the privileges of the recipient user (exceptions: sec-
ondary groups are not enabled; in case of delivery as
root, the command executes with the privileges of
default_privs).
Mailbox delivery can be delegated to alternative message
transports specified in the master.cf file. The mail-
box_transport_maps and mailbox_transport configuration
parameters specify an optional message transport that is
to be used for all local recipients, regardless of whether
they are found in the UNIX passwd database. The fall-
back_transport_maps and fallback_transport parameters
specify an optional message transport for recipients that
are not found in the aliases(5) or UNIX passwd database.
In the case of UNIX-style mailbox delivery, the local(8)
daemon prepends a "From sender time_stamp" envelope header
to each message, prepends an X-Original-To: header with
the recipient address as given to Postfix, prepends an
optional Delivered-To: header with the final envelope
recipient address, prepends a Return-Path: header with the
envelope sender address, prepends a > character to lines
beginning with "From ", and appends an empty line. The
mailbox is locked for exclusive access while delivery is
in progress. In case of problems, an attempt is made to
truncate the mailbox to its original length.
In the case of maildir delivery, the local daemon prepends
an optional Delivered-To: header with the final envelope
recipient address, prepends an X-Original-To: header with
the recipient address as given to Postfix, and prepends a
Return-Path: header with the envelope sender address.
EXTERNAL COMMAND DELIVERY
The allow_mail_to_commands configuration parameter
restricts delivery to external commands. The default set-
ting (alias, forward) forbids command destinations in
:include: files.
Optionally, the process working directory is changed to
the path specified with command_execution_directory (Post-
fix 2.2 and later). Failure to change directory causes
mail to be deferred.
The command_execution_directory parameter value is subject
to interpolation of $user (recipient username), $home
(recipient home directory), $shell (recipient shell),
$recipient (complete recipient address), $extension
(recipient address extension), $domain (recipient domain),
$local (entire recipient address localpart) and $recipi-
ent_delimiter. The forms ${name?value} and ${name:value}
expand conditionally to value when $name is (is not)
defined. Characters that may have special meaning to the
shell or file system are replaced by underscores. The
list of acceptable characters is specified with the execu-
tion_directory_expansion_filter configuration parameter.
The command is executed directly where possible. Assis-
tance by the shell (/bin/sh on UNIX systems) is used only
when the command contains shell magic characters, or when
the command invokes a shell built-in command.
A limited amount of command output (standard output and
standard error) is captured for inclusion with non-deliv-
ery status reports. A command is forcibly terminated if
it does not complete within command_time_limit seconds.
Command exit status codes are expected to follow the con-
ventions defined in <sysexits.h>. Exit status 0 means
normal successful completion.
Postfix version 2.3 and later support RFC 3463-style
enhanced status codes. If a command terminates with a
non-zero exit status, and the command output begins with
an enhanced status code, this status code takes precedence
over the non-zero exit status.
A limited amount of message context is exported via envi-
ronment variables. Characters that may have special mean-
ing to the shell are replaced by underscores. The list of
acceptable characters is specified with the command_expan-
sion_filter configuration parameter.
SHELL The recipient user's login shell.
HOME The recipient user's home directory.
USER The bare recipient name.
EXTENSION
The optional recipient address extension.
DOMAIN The recipient address domain part.
LOGNAME
The bare recipient name.
LOCAL The entire recipient address localpart (text to the
left of the rightmost @ character).
RECIPIENT
The entire recipient address.
SENDER The entire sender address.
Additional remote client information is made available via
the following environment variables:
CLIENT_ADDRESS
Remote client network address. Available as of
Postfix 2.2.
CLIENT_HELO
Remote client EHLO command parameter. Available as
of Postfix 2.2.
CLIENT_HOSTNAME
Remote client hostname. Available as of Postfix
2.2.
CLIENT_PROTOCOL
Remote client protocol. Available as of Postfix
2.2.
SASL_METHOD
SASL authentication method specified in the remote
client AUTH command. Available as of Postfix 2.2.
SASL_SENDER
SASL sender address specified in the remote client
MAIL FROM command. Available as of Postfix 2.2.
SASL_USERNAME
SASL username specified in the remote client AUTH
command. Available as of Postfix 2.2.
The PATH environment variable is always reset to a system-
dependent default path, and environment variables whose
names are blessed by the export_environment configuration
parameter are exported unchanged.
The current working directory is the mail queue directory.
The local(8) daemon prepends a "From sender time_stamp"
envelope header to each message, prepends an X-Original-
To: header with the recipient address as given to Postfix,
prepends an optional Delivered-To: header with the final
recipient envelope address, prepends a Return-Path: header
with the sender envelope address, and appends no empty
line.
EXTERNAL FILE DELIVERY
The delivery format depends on the destination filename
syntax. The default is to use UNIX-style mailbox format.
Specify a name ending in / for qmail-compatible maildir
delivery.
The allow_mail_to_files configuration parameter restricts
delivery to external files. The default setting (alias,
forward) forbids file destinations in :include: files.
In the case of UNIX-style mailbox delivery, the local(8)
daemon prepends a "From sender time_stamp" envelope header
to each message, prepends an X-Original-To: header with
the recipient address as given to Postfix, prepends an
optional Delivered-To: header with the final recipient
envelope address, prepends a > character to lines begin-
ning with "From ", and appends an empty line. The enve-
lope sender address is available in the Return-Path:
header. When the destination is a regular file, it is
locked for exclusive access while delivery is in progress.
In case of problems, an attempt is made to truncate a reg-
ular file to its original length.
In the case of maildir delivery, the local daemon prepends
an optional Delivered-To: header with the final envelope
recipient address, and prepends an X-Original-To: header
with the recipient address as given to Postfix. The enve-
lope sender address is available in the Return-Path:
header.
ADDRESS EXTENSION
The optional recipient_delimiter configuration parameter
specifies how to separate address extensions from local
recipient names.
For example, with "recipient_delimiter = +", mail for
name+foo is delivered to the alias name+foo or to the
alias name, to the destinations listed in ~name/.for-
ward+foo or in ~name/.forward, to the mailbox owned by the
user name, or it is sent back as undeliverable.
In all cases the local(8) daemon prepends an optional
`Delivered-To: header line with the final recipient
address.
DELIVERY RIGHTS
Deliveries to external files and external commands are
made with the rights of the receiving user on whose behalf
the delivery is made. In the absence of a user context,
the local(8) daemon uses the owner rights of the :include:
file or alias database. When those files are owned by the
superuser, delivery is made with the rights specified with
the default_privs configuration parameter.
STANDARDS
RFC 822 (ARPA Internet Text Messages)
RFC 3463 (Enhanced status codes)
DIAGNOSTICS
Problems and transactions are logged to syslogd(8). Cor-
rupted message files are marked so that the queue manager
can move them to the corrupt queue afterwards.
Depending on the setting of the notify_classes parameter,
the postmaster is notified of bounces and of other trou-
ble.
SECURITY
The local(8) delivery agent needs a dual personality 1) to
access the private Postfix queue and IPC mechanisms, 2) to
impersonate the recipient and deliver to recipient-speci-
fied files or commands. It is therefore security sensi-
tive.
The local(8) delivery agent disallows regular expression
substitution of $1 etc. in alias_maps, because that would
open a security hole.
The local(8) delivery agent will silently ignore requests
to use the proxymap(8) server within alias_maps. Instead
it will open the table directly. Before Postfix version
2.2, the local(8) delivery agent will terminate with a
fatal error.
BUGS
For security reasons, the message delivery status of
external commands or of external files is never check-
pointed to file. As a result, the program may occasionally
deliver more than once to a command or external file. Bet-
ter safe than sorry.
Mutually-recursive aliases or ~/.forward files are not
detected early. The resulting mail forwarding loop is
broken by the use of the Delivered-To: message header.
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically, as
local(8) processes run for only a limited amount of time.
Use the command "postfix reload" to speed up a change.
The text below provides only a parameter summary. See
postconf(5) for more details including examples.
COMPATIBILITY CONTROLS
biff (yes)
Whether or not to use the local biff service.
expand_owner_alias (no)
When delivering to an alias "aliasname" that has an
"owner-aliasname" companion alias, set the envelope
sender address to the expansion of the "owner-
aliasname" alias.
owner_request_special (yes)
Give special treatment to owner-listname and list-
name-request address localparts: don't split such
addresses when the recipient_delimiter is set to
"-".
sun_mailtool_compatibility (no)
Obsolete SUN mailtool compatibility feature.
Available in Postfix version 2.3 and later:
frozen_delivered_to (yes)
Update the local(8) delivery agent's idea of the
Delivered-To: address (see prepend_deliv-
ered_header) only once, at the start of a delivery
attempt; do not update the Delivered-To: address
while expanding aliases or .forward files.
DELIVERY METHOD CONTROLS
The precedence of local(8) delivery methods from high to
low is: aliases, .forward files, mailbox_transport_maps,
mailbox_transport, mailbox_command_maps, mailbox_command,
home_mailbox, mail_spool_directory, fallback_trans-
port_maps, fallback_transport, and luser_relay.
alias_maps (see 'postconf -d' output)
The alias databases that are used for local(8)
delivery.
forward_path (see 'postconf -d' output)
The local(8) delivery agent search list for finding
a .forward file with user-specified delivery meth-
ods.
mailbox_transport_maps (empty)
Optional lookup tables with per-recipient message
delivery transports to use for local(8) mailbox
delivery, whether or not the recipients are found
in the UNIX passwd database.
mailbox_transport (empty)
Optional message delivery transport that the
local(8) delivery agent should use for mailbox
delivery to all local recipients, whether or not
they are found in the UNIX passwd database.
mailbox_command_maps (empty)
Optional lookup tables with per-recipient external
commands to use for local(8) mailbox delivery.
mailbox_command (empty)
Optional external command that the local(8) deliv-
ery agent should use for mailbox delivery.
home_mailbox (empty)
Optional pathname of a mailbox file relative to a
local(8) user's home directory.
mail_spool_directory (see 'postconf -d' output)
The directory where local(8) UNIX-style mailboxes
are kept.
fallback_transport_maps (empty)
Optional lookup tables with per-recipient message
delivery transports for recipients that the
local(8) delivery agent could not find in the
aliases(5) or UNIX password database.
fallback_transport (empty)
Optional message delivery transport that the
local(8) delivery agent should use for names that
are not found in the aliases(5) or UNIX password
database.
luser_relay (empty)
Optional catch-all destination for unknown local(8)
recipients.
Available in Postfix version 2.2 and later:
command_execution_directory (empty)
The local(8) delivery agent working directory for
delivery to external command.
MAILBOX LOCKING CONTROLS
deliver_lock_attempts (20)
The maximal number of attempts to acquire an exclu-
sive lock on a mailbox file or bounce(8) logfile.
deliver_lock_delay (1s)
The time between attempts to acquire an exclusive
lock on a mailbox file or bounce(8) logfile.
stale_lock_time (500s)
The time after which a stale exclusive mailbox
lockfile is removed.
mailbox_delivery_lock (see 'postconf -d' output)
How to lock a UNIX-style local(8) mailbox before
attempting delivery.
RESOURCE AND RATE CONTROLS
command_time_limit (1000s)
Time limit for delivery to external commands.
duplicate_filter_limit (1000)
The maximal number of addresses remembered by the
address duplicate filter for aliases(5) or vir-
tual(5) alias expansion, or for showq(8) queue dis-
plays.
local_destination_concurrency_limit (2)
The maximal number of parallel deliveries via the
local mail delivery transport to the same recipient
(when "local_destination_recipient_limit = 1") or
the maximal number of parallel deliveries to the
same local domain (when "local_destination_recipi-
ent_limit > 1").
local_destination_recipient_limit (1)
The maximal number of recipients per message deliv-
ery via the local mail delivery transport.
mailbox_size_limit (51200000)
The maximal size of any local(8) individual mailbox
or maildir file, or zero (no limit).
SECURITY CONTROLS
allow_mail_to_commands (alias, forward)
Restrict local(8) mail delivery to external com-
mands.
allow_mail_to_files (alias, forward)
Restrict local(8) mail delivery to external files.
command_expansion_filter (see 'postconf -d' output)
Restrict the characters that the local(8) delivery
agent allows in $name expansions of $mailbox_com-
mand.
default_privs (nobody)
The default rights used by the local(8) delivery
agent for delivery to external file or command.
forward_expansion_filter (see 'postconf -d' output)
Restrict the characters that the local(8) delivery
agent allows in $name expansions of $forward_path.
Available in Postfix version 2.2 and later:
execution_directory_expansion_filter (see 'postconf -d'
output)
Restrict the characters that the local(8) delivery
agent allows in $name expansions of $command_execu-
tion_directory.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and
master.cf configuration files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take to
handle a request before it is terminated by a
built-in watchdog timer.
delay_logging_resolution_limit (2)
The maximal number of digits after the decimal
point when logging sub-second delay values.
export_environment (see 'postconf -d' output)
The list of environment variables that a Postfix
process will export to non-Postfix processes.
ipc_timeout (3600s)
The time limit for sending or receiving information
over an internal communication channel.
local_command_shell (empty)
Optional shell program for local(8) delivery to
non-Postfix command.
max_idle (100s)
The maximum amount of time that an idle Postfix
daemon process waits for the next service request
before exiting.
max_use (100)
The maximal number of connection requests before a
Postfix daemon process terminates.
prepend_delivered_header (command, file, forward)
The message delivery contexts where the Postfix
local(8) delivery agent prepends a Delivered-To:
message header with the address that the mail was
delivered to.
process_id (read-only)
The process ID of a Postfix command or daemon
process.
process_name (read-only)
The process name of a Postfix command or daemon
process.
propagate_unmatched_extensions (canonical, virtual)
What address lookup tables copy an address exten-
sion from the lookup key to the lookup result.
queue_directory (see 'postconf -d' output)
The location of the Postfix top-level queue direc-
tory.
recipient_delimiter (empty)
The separator between user names and address exten-
sions (user+foo).
require_home_directory (no)
Whether or not a local(8) recipient's home direc-
tory must exist before mail delivery is attempted.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
FILES
The following are examples; details differ between systems.
$HOME/.forward, per-user aliasing
/etc/aliases, system-wide alias database
/var/spool/mail, system mailboxes
SEE ALSO
qmgr(8), queue manager
bounce(8), delivery status reports
newaliases(1), create/update alias database
postalias(1), create/update alias database
aliases(5), format of alias database
postconf(5), configuration parameters
master(5), generic daemon options
syslogd(8), system logging
LICENSE
The Secure Mailer license must be distributed with this
software.
HISTORY
The Delivered-To: message header appears in the qmail sys-
tem by Daniel Bernstein.
The maildir structure appears in the qmail system by
Daniel Bernstein.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
LOCAL(8)