LOCAL(8)                    System Manager's Manual                   LOCAL(8)

NAME
       local - Postfix local mail delivery

SYNOPSIS
       local [generic Postfix daemon options]

DESCRIPTION
       The  local(8) daemon processes delivery requests from the Postfix queue
       manager to deliver mail to local  recipients.   Each  delivery  request
       specifies  a  queue file, a sender address, a domain or host to deliver
       to, and one or more recipients.  This program expects to  be  run  from
       the master(8) process manager.

       The  local(8)  daemon  updates queue files and marks recipients as fin‐
       ished, or it informs the queue manager that delivery  should  be  tried
       again  at  a  later  time.  Delivery  status  reports  are  sent to the
       bounce(8), defer(8) or trace(8) daemon as appropriate.

CASE FOLDING
       All delivery decisions are made using the bare recipient name (i.e. the
       address localpart), folded to lower case.  See also under ADDRESS
       EXTENSION below for a few exceptions.

SYSTEM-WIDE AND USER-LEVEL ALIASING
       The system administrator can set up one or more system-wide
       sendmail-style alias databases.  Users can have sendmail-style ~/.forward
       files.   Mail  for name is delivered to the alias name, to destinations
       in ~name/.forward, to the mailbox owned by the user name, or it is sent
       back as undeliverable.

       The system administrator can specify a comma/space  separated  list  of
       ~/.forward like files through the forward_path configuration parameter.
       Upon delivery, the local delivery agent tries each pathname in the list
       until a file is found.

       Delivery via ~/.forward files is done with the privileges of the recip‐
       ient.   Thus,  ~/.forward like files must be readable by the recipient,
       and their parent directory needs to have "execute" permission  for  the
       recipient.

       The forward_path parameter is subject to interpolation of $user
       (recipient username), $home (recipient home directory), $shell
       (recipient shell), $recipient (complete recipient address), $extension
       (recipient address extension), $domain (recipient domain), $local
       (entire recipient address localpart) and $recipient_delimiter.  The
       forms ${name?value} and ${name?{value}} (Postfix 3.0 and later) expand
       conditionally to value when $name is defined, and the forms
       ${name:value} and ${name:{value}} (Postfix 3.0 and later) expand
       conditionally to value when $name is not defined.  The form
       ${name?{value1}:{value2}} (Postfix 3.0 and later) expands conditionally
       to value1 when $name is defined, or value2 otherwise.  Characters that
       may have special meaning to the shell or file system are replaced with
       underscores.  The list of acceptable characters is specified with the
       forward_expansion_filter configuration parameter.

       An alias or ~/.forward file may list any combination of external
       commands, destination file names, :include: directives, or mail
       addresses.  See aliases(5) for a precise description.  Each line in a
       user's .forward file has the same syntax as the right-hand part of an
       alias.

       When  an  address is found in its own alias expansion, delivery is made
       to the user instead. When a user is listed in the user's own ~/.forward
       file, delivery is made to the user's mailbox instead.  An empty
       ~/.forward file means do not forward mail.

       In order to prevent the mail system from using up unreasonable  amounts
       of  memory,  input records read from :include: or from ~/.forward files
       are broken up into chunks of length line_length_limit.

       While expanding aliases, ~/.forward files, and so on, the  program  at‐
       tempts  to  avoid duplicate deliveries. The duplicate_filter_limit con‐
       figuration parameter limits the number of remembered recipients.

MAIL FORWARDING
       For the sake of reliability, forwarded mail is re-submitted  as  a  new
       message,  so that each recipient has a separate on-file delivery status
       record.

       In order to stop mail forwarding loops early, the software adds an
       optional Delivered-To: header with the final envelope recipient address.
       If mail arrives for a recipient that is already listed in a
       Delivered-To: header, the message is bounced.

MAILBOX DELIVERY
       The default per-user mailbox is a file in the UNIX mail spool directory
       (/var/mail/user or /var/spool/mail/user); the location can be specified
       with  the  mail_spool_directory configuration parameter. Specify a name
       ending in / for qmail-compatible maildir delivery.

       Alternatively, the per-user mailbox can be a file in  the  user's  home
       directory  with a name specified via the home_mailbox configuration pa‐
       rameter. Specify a relative path name. Specify a name ending in  /  for
       qmail-compatible maildir delivery.

       Mailbox delivery can be delegated to an external command specified with
       the  mailbox_command_maps and mailbox_command configuration parameters.
       The command executes with the privileges of the recipient user  (excep‐
       tions:  secondary  groups are not enabled; in case of delivery as root,
       the command executes with the privileges of default_privs).

       Mailbox delivery can be delegated to alternative message transports
       specified in the master.cf file.  The mailbox_transport_maps and
       mailbox_transport configuration parameters specify an optional message
       transport that is to be used for all local recipients, regardless of
       whether they are found in the UNIX passwd database.  The
       fallback_transport_maps and fallback_transport parameters specify an
       optional message transport for recipients that are not found in the
       aliases(5) or UNIX passwd database.

       In  the  case  of  UNIX-style  mailbox  delivery,  the  local(8) daemon
       prepends a "From sender time_stamp" envelope header  to  each  message,
       prepends  an  X-Original-To: header with the recipient address as given
       to Postfix, prepends an optional Delivered-To: header  with  the  final
       envelope recipient address, prepends a Return-Path: header with the en‐
       velope  sender  address, prepends a > character to lines beginning with
       "From ", and appends an empty line.  The mailbox is locked  for  exclu‐
       sive  access while delivery is in progress. In case of problems, an at‐
       tempt is made to truncate the mailbox to its original length.

       In the case of maildir delivery, the local daemon prepends an  optional
       Delivered-To:   header  with  the  final  envelope  recipient  address,
       prepends an X-Original-To: header with the recipient address  as  given
       to Postfix, and prepends a Return-Path: header with the envelope sender
       address.

EXTERNAL COMMAND DELIVERY
       The  allow_mail_to_commands  configuration parameter restricts delivery
       to external commands. The default setting (alias, forward) forbids com‐
       mand destinations in :include: files.

       Optionally, the process working directory is changed to the path speci‐
       fied with command_execution_directory (Postfix 2.2 and later).  Failure
       to change directory causes mail to be deferred.

       The command_execution_directory parameter value is subject to
       interpolation of $user (recipient username), $home (recipient home
       directory), $shell (recipient shell), $recipient (complete recipient
       address), $extension (recipient address extension), $domain (recipient
       domain), $local (entire recipient address localpart) and
       $recipient_delimiter.  The forms ${name?value} and ${name?{value}}
       (Postfix 3.0 and later) expand conditionally to value when $name is
       defined, and the forms ${name:value} and ${name:{value}} (Postfix 3.0
       and later) expand conditionally to value when $name is not defined.
       The form ${name?{value1}:{value2}} (Postfix 3.0 and later) expands
       conditionally to value1 when $name is defined, or value2 otherwise.
       Characters that may have special meaning to the shell or file system
       are replaced with underscores.  The list of acceptable characters is
       specified with the execution_directory_expansion_filter configuration
       parameter.

       The command is executed directly  where  possible.  Assistance  by  the
       shell  (/bin/sh on UNIX systems) is used only when the command contains
       shell magic characters, or when the command invokes  a  shell  built-in
       command.

       A limited amount of command output (standard output and standard error)
       is  captured for inclusion with non-delivery status reports.  A command
       is forcibly terminated if it does not complete within
       command_time_limit seconds.  Command exit status codes are expected to
       follow the conventions defined in <sysexits.h>.  Exit  status  0  means
       normal successful completion.

       Postfix  version  2.3  and later support RFC 3463-style enhanced status
       codes.  If a command terminates with a non-zero exit  status,  and  the
       command  output  begins  with an enhanced status code, this status code
       takes precedence over the non-zero exit status.

       A limited amount of message context is exported via  environment  vari‐
       ables.  Characters  that  may have special meaning to the shell are re‐
       placed with underscores.  The list of acceptable characters  is  speci‐
       fied with the command_expansion_filter configuration parameter.

       SHELL  The envelope recipient user's login shell.

       HOME   The envelope recipient user's home directory.

       USER   The bare envelope recipient name.

       EXTENSION
              The optional envelope recipient address extension.

       DOMAIN The envelope recipient address domain part.

       LOGNAME
              The bare envelope recipient name.

       LOCAL  The  entire  envelope  recipient  address localpart (text to the
              left of the rightmost @ character).

       ORIGINAL_RECIPIENT
              The  entire  envelope  recipient  address,  before  any  address
              rewriting or aliasing (Postfix 2.5 and later).

       RECIPIENT
              The entire envelope recipient address.

       SENDER The entire envelope sender address.

       ENVID  The optional RFC 3461 envelope ID. Available as of Postfix 3.9.

       Additional  remote client information is made available via the follow‐
       ing environment variables:

       CLIENT_ADDRESS
              Remote client network address. Available as of Postfix 2.2.

       CLIENT_HELO
              Remote client EHLO command parameter. Available  as  of  Postfix
              2.2.

       CLIENT_HOSTNAME
              Remote client hostname. Available as of Postfix 2.2.

       CLIENT_PROTOCOL
              Remote client protocol. Available as of Postfix 2.2.

       SASL_METHOD
              SASL  authentication  method specified in the remote client AUTH
              command. Available as of Postfix 2.2.

       SASL_SENDER
              SASL sender address specified in the  remote  client  MAIL  FROM
              command. Available as of Postfix 2.2.

       SASL_USERNAME
              SASL  username  specified  in  the  remote  client AUTH command.
              Available as of Postfix 2.2.

       The PATH environment variable is always reset to a system-dependent de‐
       fault path, and environment variables whose names are  blessed  by  the
       export_environment configuration parameter are exported unchanged.

       The current working directory is the mail queue directory.

       The local(8) daemon prepends a "From sender time_stamp" envelope header
       to  each  message, prepends an X-Original-To: header with the recipient
       address as given to Postfix, prepends an optional Delivered-To:  header
       with  the  final  recipient  envelope  address, prepends a Return-Path:
       header with the sender envelope address, and appends no empty line.
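
       The following delivery command is an added example, not part of the
       Postfix distribution: it shows one way to honour the contract described
       in this section (absolute paths only, EXTENSION treated as untrusted,
       <sysexits.h> exit codes, and an enhanced status code at the start of
       the output).  The deliver_message function, the --deliver flag, the
       spool layout and the install path are assumptions of the example.

```shell
#!/bin/sh
# Added example, not Postfix code: a delivery command for a local(8)
# "|command" destination. deliver_message, --deliver and the spool layout
# are hypothetical names used only in this example.

LC_ALL=C; export LC_ALL      # byte-wise character ranges in the patterns below

# Exit codes from <sysexits.h>.
EX_DATAERR=65
EX_TEMPFAIL=75
EX_CONFIG=78

# deliver_message SPOOL_ROOT   (message is read from standard input)
deliver_message() {
    spool_root=$1
    umask 077

    # The working directory is the mail queue directory and PATH is reset,
    # so only an absolute spool path is acceptable.
    case "$spool_root" in
        /*) ;;
        *)  echo "5.3.5 spool root must be an absolute path"
            return "$EX_CONFIG" ;;
    esac

    # RECIPIENT is exported by local(8); without it this is not a delivery.
    if [ -z "${RECIPIENT:-}" ]; then
        echo "5.3.5 RECIPIENT is not set, command not started by local(8)"
        return "$EX_CONFIG"
    fi

    # local(8) has already replaced characters outside
    # command_expansion_filter with underscores, but the extension is still
    # sender-chosen text. Policy of this example: accept a narrow character
    # set only, so the value can never name a path outside the spool.
    case "${EXTENSION:-}" in
        "")             folder=inbox ;;
        *[!a-z0-9_-]*)  echo "5.1.3 unsupported characters in address extension"
                        return "$EX_DATAERR" ;;
        *)              folder=$EXTENSION ;;
    esac
    dir=$spool_root/$folder

    # A missing or unwritable spool may be repaired later: report a 4.x.x
    # code with EX_TEMPFAIL. Nothing is printed before the status code,
    # because it must be the first thing in the command output.
    if ! mkdir -p "$dir" 2>/dev/null || [ ! -w "$dir" ]; then
        echo "4.2.0 spool folder unavailable"
        return "$EX_TEMPFAIL"
    fi

    # Write to a hidden temporary file, then rename, so a command that is
    # killed at command_time_limit leaves no half-written message behind.
    tmp=$(mktemp "$dir/.tmp.XXXXXX" 2>/dev/null) || {
        echo "4.3.0 cannot create temporary file"
        return "$EX_TEMPFAIL"
    }
    if ! cat > "$tmp"; then
        rm -f "$tmp"
        echo "4.3.0 write to spool failed"
        return "$EX_TEMPFAIL"
    fi
    mv "$tmp" "$dir/msg.${tmp##*.}" || {
        rm -f "$tmp"
        echo "4.3.0 cannot commit message"
        return "$EX_TEMPFAIL"
    }
    return 0
}

# Alias or .forward entry (hypothetical path and spool):
#   "|/usr/local/libexec/deliver-folder --deliver /var/spool/folders/alice"
if [ "${1:-}" = "--deliver" ]; then
    deliver_message "${2:-}"
    exit $?
fi
```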

EXTERNAL FILE DELIVERY
       The delivery format depends on the destination  filename  syntax.   The
       default  is to use UNIX-style mailbox format.  Specify a name ending in
       / for qmail-compatible maildir delivery.

       The allow_mail_to_files configuration parameter restricts  delivery  to
       external  files. The default setting (alias, forward) forbids file des‐
       tinations in :include: files.

       In the  case  of  UNIX-style  mailbox  delivery,  the  local(8)  daemon
       prepends  a  "From  sender time_stamp" envelope header to each message,
       prepends an X-Original-To: header with the recipient address  as  given
       to  Postfix,  prepends  an optional Delivered-To: header with the final
       recipient envelope address, prepends a > character to  lines  beginning
       with  "From  ", and appends an empty line.  The envelope sender address
       is available in the Return-Path: header.  When  the  destination  is  a
       regular  file,  it  is locked for exclusive access while delivery is in
       progress. In case of problems, an attempt is made to truncate a regular
       file to its original length.

       In the case of maildir delivery, the local daemon prepends an  optional
       Delivered-To:  header  with  the  final envelope recipient address, and
       prepends an X-Original-To: header with the recipient address  as  given
       to Postfix.  The envelope sender address is available in the
       Return-Path: header.

ADDRESS EXTENSION
       The optional recipient_delimiter configuration parameter specifies  how
       to separate address extensions from local recipient names.

       For  example,  with "recipient_delimiter = +", mail for name+foo is de‐
       livered to the alias name+foo or to the alias name, to the destinations
       listed in ~name/.forward+foo or in ~name/.forward, to the mailbox owned
       by the user name, or it is sent back as undeliverable.

DELIVERY RIGHTS
       Deliveries to external files and external commands are  made  with  the
       rights  of the receiving user on whose behalf the delivery is made.  In
       the absence of a user context,  the  local(8)  daemon  uses  the  owner
       rights  of  the :include: file or alias database.  When those files are
       owned by the superuser, delivery is made with the rights specified with
       the default_privs configuration parameter.

STANDARDS
       RFC 822 (ARPA Internet Text Messages)
       RFC 3463 (Enhanced status codes)

DIAGNOSTICS
       Problems and transactions are  logged  to  syslogd(8)  or  postlogd(8).
       Corrupted  message  files are marked so that the queue manager can move
       them to the corrupt queue afterwards.

       Depending on the setting of the notify_classes parameter, the  postmas‐
       ter is notified of bounces and of other trouble.

SECURITY
       The  local(8)  delivery agent needs a dual personality 1) to access the
       private Postfix queue and IPC mechanisms, 2) to impersonate the recipi‐
       ent and deliver to recipient-specified files or commands. It is  there‐
       fore security sensitive.

       The  local(8)  delivery agent disallows regular expression substitution
       of $1 etc. in alias_maps, because that would open a security hole.

       The local(8) delivery agent will silently ignore requests  to  use  the
       proxymap(8)  server  within  alias_maps. Instead it will open the table
       directly.  Before Postfix version 2.2, the local(8) delivery agent will
       terminate with a fatal error.

BUGS
       For security reasons, the message delivery status of external  commands
       or  of  external  files is never checkpointed to file. As a result, the
       program may occasionally deliver more than once to a command or  exter‐
       nal file. Better safe than sorry.

       Mutually-recursive  aliases or ~/.forward files are not detected early.
       The resulting mail forwarding loop is broken by the use of the
       Delivered-To: message header.

CONFIGURATION PARAMETERS
       Changes  to  main.cf are picked up automatically, as local(8) processes
       run for only a limited amount of time. Use the command "postfix reload"
       to speed up a change.

       The text below provides only a parameter summary. See  postconf(5)  for
       more details including examples.

COMPATIBILITY CONTROLS
       biff (yes)
              Whether or not to use the local biff service.

       expand_owner_alias (no)
              When   delivering   to   an   alias   "aliasname"  that  has  an
              "owner-aliasname" companion alias, set the envelope  sender  ad‐
              dress to the expansion of the "owner-aliasname" alias.

       owner_request_special (yes)
              Enable  special  treatment  for  owner-listname  entries  in the
              aliases(5) file, and don't split owner-listname and
              listname-request address localparts when the recipient_delimiter
              is set to "-".

       sun_mailtool_compatibility (no)
              Obsolete SUN mailtool compatibility feature.

       Available in Postfix version 2.3 and later:

       frozen_delivered_to (yes)
              Update  the  local(8) delivery agent's idea of the Delivered-To:
              address (see prepend_delivered_header) only once, at  the  start
              of  a  delivery attempt; do not update the Delivered-To: address
              while expanding aliases or .forward files.

       Available in Postfix version 2.5.3 and later:

       strict_mailbox_ownership (yes)
              Defer delivery when a mailbox file is not owned by  its  recipi‐
              ent.

       reset_owner_alias (no)
              Reset  the local(8) delivery agent's idea of the owner-alias at‐
              tribute, when delivering mail to a child  alias  that  does  not
              have its own owner alias.

       Available in Postfix version 3.0 and later:

       local_delivery_status_filter ($default_delivery_status_filter)
              Optional  filter  for  the local(8) delivery agent to change the
              status code or explanatory text of  successful  or  unsuccessful
              deliveries.

DELIVERY METHOD CONTROLS
       The  precedence  of  local(8)  delivery  methods  from  high to low is:
       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
       mailbox_command_maps, mailbox_command, home_mailbox,
       mail_spool_directory, fallback_transport_maps, fallback_transport, and
       luser_relay.

       alias_maps (see 'postconf -d' output)
              Optional lookup tables that are searched only with an email  ad‐
              dress  localpart (no domain) and that apply only to local(8) re‐
              cipients; this  is  unlike  virtual_alias_maps  that  are  often
              searched  with  a full email address (including domain) and that
              apply to all recipients: local(8), virtual, and remote.

       forward_path (see 'postconf -d' output)
              The local(8) delivery agent search list for finding  a  .forward
              file with user-specified delivery methods.

       mailbox_transport_maps (empty)
              Optional  lookup  tables  with  per-recipient  message  delivery
              transports to use for local(8) mailbox delivery, whether or  not
              the recipients are found in the UNIX passwd database.

       mailbox_transport (empty)
              Optional  message  delivery transport that the local(8) delivery
              agent should use for mailbox delivery to all  local  recipients,
              whether or not they are found in the UNIX passwd database.

       mailbox_command_maps (empty)
              Optional  lookup  tables with per-recipient external commands to
              use for local(8) mailbox delivery.

       mailbox_command (empty)
              Optional external  command  that  the  local(8)  delivery  agent
              should use for mailbox delivery.

       home_mailbox (empty)
              Optional  pathname  of  a  mailbox  file  relative to a local(8)
              user's home directory.

       mail_spool_directory (see 'postconf -d' output)
              The directory where local(8) UNIX-style mailboxes are kept.

       fallback_transport_maps (empty)
              Optional  lookup  tables  with  per-recipient  message  delivery
              transports for recipients that the local(8) delivery agent could
              not find in the aliases(5) or UNIX password database.

       fallback_transport (empty)
              Optional  message  delivery transport that the local(8) delivery
              agent should use for names that are not found in the  aliases(5)
              or UNIX password database.

       luser_relay (empty)
              Optional catch-all destination for unknown local(8) recipients.

       Available in Postfix version 2.2 and later:

       command_execution_directory (empty)
              The  local(8)  delivery  agent working directory for delivery to
              external commands.

MAILBOX LOCKING CONTROLS
       deliver_lock_attempts (20)
              The maximal number of attempts to acquire an exclusive lock on a
              mailbox file or bounce(8) logfile.

       deliver_lock_delay (1s)
              The time between attempts to acquire  an  exclusive  lock  on  a
              mailbox file or bounce(8) logfile.

       stale_lock_time (500s)
              The  time  after which a stale exclusive mailbox lockfile is re‐
              moved.

       mailbox_delivery_lock (see 'postconf -d' output)
              How to lock a UNIX-style local(8) mailbox before attempting  de‐
              livery.

RESOURCE AND RATE CONTROLS
       command_time_limit (1000s)
              Time limit for delivery to external commands.

       duplicate_filter_limit (1000)
              The maximal number of addresses remembered by the address dupli‐
              cate filter for aliases(5) or virtual(5) alias expansion, or for
              showq(8) queue displays.

       mailbox_size_limit (51200000)
              The  maximal  size of any local(8) individual mailbox or maildir
              file, or zero (no limit).

       Implemented in the qmgr(8) daemon:

       local_destination_concurrency_limit (2)
              The maximal number of parallel deliveries via the local mail
              delivery transport to the same recipient (when
              "local_destination_recipient_limit = 1") or the maximal number
              of parallel deliveries to the same local domain (when
              "local_destination_recipient_limit > 1").

       local_destination_recipient_limit (1)
              The maximal number of recipients per message  delivery  via  the
              local mail delivery transport.

SECURITY CONTROLS
       allow_mail_to_commands (alias, forward)
              Restrict local(8) mail delivery to external commands.

       allow_mail_to_files (alias, forward)
              Restrict local(8) mail delivery to external files.

       command_expansion_filter (see 'postconf -d' output)
              Restrict  the characters that the local(8) delivery agent allows
              in $name expansions of $mailbox_command and
              $command_execution_directory.

       default_privs (nobody)
              The  default  rights used by the local(8) delivery agent for de‐
              livery to an external file or command.

       forward_expansion_filter (see 'postconf -d' output)
              Restrict the characters that the local(8) delivery agent  allows
              in $name expansions of $forward_path.

       Available in Postfix version 2.2 and later:

       execution_directory_expansion_filter (see 'postconf -d' output)
              Restrict  the characters that the local(8) delivery agent allows
              in $name expansions of $command_execution_directory.

       Available in Postfix version 2.5.3 and later:

       strict_mailbox_ownership (yes)
              Defer delivery when a mailbox file is not owned by  its  recipi‐
              ent.

MISCELLANEOUS CONTROLS
       config_directory (see 'postconf -d' output)
              The  default  location of the Postfix main.cf and master.cf con‐
              figuration files.

       daemon_timeout (18000s)
              How much time a Postfix daemon process may take to handle a  re‐
              quest before it is terminated by a built-in watchdog timer.

       delay_logging_resolution_limit (2)
              The  maximal  number of digits after the decimal point when log‐
              ging delay values.

       export_environment (see 'postconf -d' output)
              The list of environment variables that a  Postfix  process  will
              export to non-Postfix processes.

       ipc_timeout (3600s)
              The  time limit for sending or receiving information over an in‐
              ternal communication channel.

       local_command_shell (empty)
              Optional shell program for local(8) delivery to non-Postfix com‐
              mands.

       max_idle (100s)
              The maximum amount of time that an idle Postfix  daemon  process
              waits for an incoming connection before terminating voluntarily.

       max_use (100)
              The maximal number of incoming connections that a Postfix daemon
              process will service before terminating voluntarily.

       prepend_delivered_header (command, file, forward)
              The  message delivery contexts where the Postfix local(8) deliv‐
              ery agent prepends a Delivered-To:  message header with the  ad‐
              dress that the mail was delivered to.

       process_id (read-only)
              The process ID of a Postfix command or daemon process.

       process_name (read-only)
              The process name of a Postfix command or daemon process.

       propagate_unmatched_extensions (canonical, virtual)
              What  address  lookup  tables copy an address extension from the
              lookup key to the lookup result.

       queue_directory (see 'postconf -d' output)
              The location of the Postfix top-level queue directory.

       recipient_delimiter (empty)
              The set of characters that can separate an email address  local‐
              part, user name, or a .forward file name from its extension.

       require_home_directory (no)
              Require that a local(8) recipient's home directory exists before
              mail delivery is attempted.

       syslog_facility (mail)
              The syslog facility of Postfix logging.

       syslog_name (see 'postconf -d' output)
              A  prefix  that  is  prepended  to  the  process  name in syslog
              records, so that, for example, "smtpd" becomes "prefix/smtpd".

       Available in Postfix version 3.3 and later:

       enable_original_recipient (yes)
              Enable support for the original recipient address after  an  ad‐
              dress  is  rewritten  to  a  different address (for example with
              aliasing or with canonical mapping).

       service_name (read-only)
              The master.cf service name of a Postfix daemon process.

       Available in Postfix 3.5 and later:

       info_log_address_format (external)
              The email address form that will be used  in  non-debug  logging
              (info, warning, etc.).

FILES
       The following are examples; details differ between systems.
       $HOME/.forward, per-user aliasing
       /etc/aliases, system-wide alias database
       /var/spool/mail, system mailboxes

SEE ALSO
       qmgr(8), queue manager
       bounce(8), delivery status reports
       newaliases(1), create/update alias database
       postalias(1), create/update alias database
       aliases(5), format of alias database
       postconf(5), configuration parameters
       master(5), generic daemon options
       postlogd(8), Postfix logging
       syslogd(8), system logging

LICENSE
       The Secure Mailer license must be distributed with this software.

HISTORY
       The  Delivered-To: message header appears in the qmail system by Daniel
       Bernstein.

       The maildir structure appears in the qmail system by Daniel Bernstein.

AUTHOR(S)
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

       Wietse Venema
       Google, Inc.
       111 8th Avenue
       New York, NY 10011, USA

       Wietse Venema
       porcupine.org

                                                                      LOCAL(8)