NAME
pipe
-
Postfix delivery to external command
SYNOPSIS
ppiippee [generic Postfix daemon options] command_attributes...
DESCRIPTION
The ppiippee(8) daemon processes requests from the Postfix queue
manager to deliver messages to external commands.
This program expects to be run from the mmaasstteerr(8) process
manager.
Message attributes such as sender address, recipient address and
next-hop host name can be specified as command-line macros that are
expanded before the external command is executed.
The ppiippee(8) daemon updates queue files and marks recipients
as finished, or it informs the queue manager that delivery should
be tried again at a later time. Delivery status reports are sent
to the bboouunnccee(8), ddeeffeerr(8) or ttrraaccee(8) daemon as
appropriate.
SINGLE-RECIPIENT DELIVERY
Some destinations cannot handle more than one recipient per
delivery request. Examples are pagers or fax machines.
In addition, multi-recipient delivery is undesirable when
prepending a DDeelliivveerreedd--ttoo:: or XX--OOrriiggiinnaall--TToo::
message header.
To prevent Postfix from sending multiple recipients per delivery
request, specify
_t_r_a_n_s_p_o_r_t__ddeessttiinnaattiioonn__rreecciippiieenntt__lliimmiitt == 11
in the Postfix mmaaiinn..ccff file, where _t_r_a_n_s_p_o_r_t
is the name in the first column of the Postfix mmaasstteerr..ccff
entry for the pipe-based delivery transport.
COMMAND ATTRIBUTE SYNTAX
The external command attributes are given in the mmaasstteerr..ccff
file at the end of a service definition. The syntax is as follows:
-
cchhrroooott==_p_a_t_h_n_a_m_e (optional)
Change the process root directory and working directory to
-
the named directory. This happens before switching to the
privileges specified with the uusseerr attribute, and
before executing the optional ddiirreeccttoorryy==_p_a_t_h_n_a_m_e
directive. Delivery is deferred in case of failure.
This feature is available as of Postfix 2.3.
-
ddiirreeccttoorryy==_p_a_t_h_n_a_m_e (optional)
Change to the named directory before executing the external command.
-
The directory must be accessible for the user specified with the
uusseerr attribute (see below).
The default working directory is $$qquueeuuee__ddiirreeccttoorryy.
Delivery is deferred in case of failure.
This feature is available as of Postfix 2.2.
-
eeooll==_s_t_r_i_n_g (optional, default: \\nn)
The output record delimiter. Typically one would use either
-
\\rr\\nn or \\nn. The usual C-style backslash escape
sequences are recognized: \\aa \\bb \\ff \\nn \\rr \\tt \\vv
\\_d_d_d (up to three octal digits) and \\\\.
-
ffllaaggss==BBDDFFOORRXXhhqquu..>> (optional)
Optional message processing flags. By default, a message is
-
copied unchanged.
-
BB
Append a blank line at the end of each message. This is required
-
by some mail user agents that recognize "FFrroomm " lines only
when preceded by a blank line.
-
DD
Prepend a "DDeelliivveerreedd--TToo:: _r_e_c_i_p_i_e_n_t" message header with the
-
envelope recipient address. Note: for this to work, the
_t_r_a_n_s_p_o_r_t__ddeessttiinnaattiioonn__rreecciippiieenntt__lliimmiitt must be 1
(see SINGLE-RECIPIENT DELIVERY above for details).
The DD flag also enforces loop detection (Postfix 2.5 and later):
if a message already contains a DDeelliivveerreedd--TToo:: header
with the same recipient address, then the message is
returned as undeliverable. The address comparison is case
insensitive.
This feature is available as of Postfix 2.0.
-
FF
Prepend a "FFrroomm _s_e_n_d_e_r _t_i_m_e___s_t_a_m_p" envelope header to
-
the message content.
This is expected by, for example, UUUUCCPP software.
-
OO
Prepend an "XX--OOrriiggiinnaall--TToo:: _r_e_c_i_p_i_e_n_t" message header
-
with the recipient address as given to Postfix. Note: for this to
work, the _t_r_a_n_s_p_o_r_t__ddeessttiinnaattiioonn__rreecciippiieenntt__lliimmiitt must be 1
(see SINGLE-RECIPIENT DELIVERY above for details).
This feature is available as of Postfix 2.0.
-
RR
Prepend a RReettuurrnn--PPaatthh:: message header with the envelope sender
-
address.
-
XX
Indicate that the external command performs final delivery.
-
This flag affects the status reported in "success" DSN
(delivery status notification) messages, and changes it
from "relayed" into "delivered".
This feature is available as of Postfix 2.5.
-
hh
Fold the command-line $$oorriiggiinnaall__rreecciippiieenntt and
-
$$rreecciippiieenntt address domain part
(text to the right of the right-most @@ character) to
lower case; fold the entire command-line $$ddoommaaiinn and
$$nneexxtthhoopp host or domain information to lower case.
This is recommended for delivery via UUUUCCPP.
-
qq
Quote white space and other special characters in the command-line
-
$$sseennddeerr, $$oorriiggiinnaall__rreecciippiieenntt and $$rreecciippiieenntt
address localparts (text to the
left of the right-most @@ character), according to an 8-bit
transparent version of RFC 822.
This is recommended for delivery via UUUUCCPP or BBSSMMTTPP.
The result is compatible with the address parsing of command-line
recipients by the Postfix sseennddmmaaiill(1) mail submission command.
The qq flag affects only entire addresses, not the partial
address information from the $$uusseerr, $$eexxtteennssiioonn or
$$mmaaiillbbooxx command-line macros.
-
uu
Fold the command-line $$oorriiggiinnaall__rreecciippiieenntt and
-
$$rreecciippiieenntt address localpart (text to
the left of the right-most @@ character) to lower case.
This is recommended for delivery via UUUUCCPP.
-
..
Prepend ".." to lines starting with "..". This is needed
-
by, for example, BBSSMMTTPP software.
-
>>
Prepend ">>" to lines starting with "FFrroomm ". This is expected
-
by, for example, UUUUCCPP software.
-
nnuullll__sseennddeerr=_r_e_p_l_a_c_e_m_e_n_t (default: MAILER-DAEMON)
Replace the null sender address (typically used for delivery
-
status notifications) with the specified text
when expanding the $$sseennddeerr command-line macro, and
when generating a From_ or Return-Path: message header.
If the null sender replacement text is a non-empty string
then it is affected by the qq flag for address quoting
in command-line arguments.
The null sender replacement text may be empty; this form
is recommended for content filters that feed mail back into
Postfix. The empty sender address is not affected by the
qq flag for address quoting in command-line arguments.
Caution: a null sender address is easily mis-parsed by
naive software. For example, when the ppiippee(8) daemon
executes a command such as:
_W_r_o_n_g: command -f$sender -- $recipient
-
the command will mis-parse the -f option value when the
-
sender address is a null string. For correct parsing,
specify $$sseennddeerr as an argument by itself:
_R_i_g_h_t: command -f $sender -- $recipient
-
This feature is available as of Postfix 2.3.
-
-
ssiizzee=_s_i_z_e___l_i_m_i_t (optional)
Don't deliver messages that exceed this size limit (in
-
bytes); return them to the sender instead.
-
uusseerr=_u_s_e_r_n_a_m_e (required)
-
-
uusseerr=_u_s_e_r_n_a_m_e:_g_r_o_u_p_n_a_m_e
Execute the external command with the user ID and group ID of the
-
specified _u_s_e_r_n_a_m_e. The software refuses to execute
commands with root privileges, or with the privileges of the
mail system owner. If _g_r_o_u_p_n_a_m_e is specified, the
corresponding group ID is used instead of the group ID of
_u_s_e_r_n_a_m_e.
-
aarrggvv=_c_o_m_m_a_n_d... (required)
The command to be executed. This must be specified as the
-
last command attribute.
The command is executed directly, i.e. without interpretation of
shell meta characters by a shell command interpreter.
In the command argument vector, the following macros are recognized
and replaced with corresponding information from the Postfix queue
manager delivery request.
In addition to the form ${_n_a_m_e}, the forms $_n_a_m_e and
$(_n_a_m_e) are also recognized. Specify $$$$ where a single
$$ is wanted.
-
$${{cclliieenntt__aaddddrreessss}
This macro expands to the remote client network address.
-
This feature is available as of Postfix 2.2.
-
$${{cclliieenntt__hheelloo}
This macro expands to the remote client HELO command parameter.
-
This feature is available as of Postfix 2.2.
-
$${{cclliieenntt__hhoossttnnaammee}
This macro expands to the remote client hostname.
-
This feature is available as of Postfix 2.2.
-
$${{cclliieenntt__ppoorrtt}
This macro expands to the remote client TCP port number.
-
This feature is available as of Postfix 2.5.
-
$${{cclliieenntt__pprroottooccooll}
This macro expands to the remote client protocol.
-
This feature is available as of Postfix 2.2.
-
$${{ddoommaaiinn}
This macro expands to the domain portion of the recipient
-
address. For example, with an address _u_s_e_r_+_f_o_o_@_d_o_m_a_i_n
the domain is _d_o_m_a_i_n.
This information is modified by the hh flag for case folding.
This feature is available as of Postfix 2.5.
-
$${{eexxtteennssiioonn}
This macro expands to the extension part of a recipient address.
-
For example, with an address _u_s_e_r_+_f_o_o_@_d_o_m_a_i_n the extension is
_f_o_o.
A command-line argument that contains $${{eexxtteennssiioonn} expands
into as many command-line arguments as there are recipients.
This information is modified by the uu flag for case folding.
-
$${{mmaaiillbbooxx}
This macro expands to the complete local part of a recipient address.
-
For example, with an address _u_s_e_r_+_f_o_o_@_d_o_m_a_i_n the mailbox is
_u_s_e_r_+_f_o_o.
A command-line argument that contains $${{mmaaiillbbooxx}
expands to as many command-line arguments as there are recipients.
This information is modified by the uu flag for case folding.
-
$${{nneexxtthhoopp}
This macro expands to the next-hop hostname.
-
This information is modified by the hh flag for case folding.
-
$${{oorriiggiinnaall__rreecciippiieenntt}
This macro expands to the complete recipient address before any
-
address rewriting or aliasing.
A command-line argument that contains
$${{oorriiggiinnaall__rreecciippiieenntt} expands to as many
command-line arguments as there are recipients.
This information is modified by the hhqquu flags for quoting
and case folding.
This feature is available as of Postfix 2.5.
-
$${{rreecciippiieenntt}
This macro expands to the complete recipient address.
-
A command-line argument that contains $${{rreecciippiieenntt}
expands to as many command-line arguments as there are recipients.
This information is modified by the hhqquu flags for quoting
and case folding.
-
$${{ssaassll__mmeetthhoodd}
This macro expands to the name of the SASL authentication
-
mechanism in the AUTH command when the Postfix SMTP server
received the message.
This feature is available as of Postfix 2.2.
-
$${{ssaassll__sseennddeerr}
This macro expands to the SASL sender name (i.e. the original
-
submitter as per RFC 4954) in the MAIL FROM command when
the Postfix SMTP server received the message.
This feature is available as of Postfix 2.2.
-
$${{ssaassll__uusseerrnnaammee}
This macro expands to the SASL user name in the AUTH command
-
when the Postfix SMTP server received the message.
This feature is available as of Postfix 2.2.
-
$${{sseennddeerr}
This macro expands to the envelope sender address. By default,
-
the null sender address expands to MAILER-DAEMON; this can
be changed with the nnuullll__sseennddeerr attribute, as described
above.
This information is modified by the qq flag for quoting.
-
$${{ssiizzee}
This macro expands to Postfix's idea of the message size, which
-
is an approximation of the size of the message as delivered.
-
$${{uusseerr}
This macro expands to the username part of a recipient address.
-
For example, with an address _u_s_e_r_+_f_o_o_@_d_o_m_a_i_n the username
part is _u_s_e_r.
A command-line argument that contains $${{uusseerr} expands
into as many command-line arguments as there are recipients.
This information is modified by the uu flag for case folding.
STANDARDS
RFC 3463 (Enhanced status codes)
DIAGNOSTICS
Command exit status codes are expected to
follow the conventions defined in .
Exit status 0 means normal successful completion.
In the case of a non-zero exit status, a limited amount of
command output is reported in an delivery status notification.
When the output begins with a 4.X.X or 5.X.X enhanced status
code, the status code takes precedence over the non-zero
exit status (Postfix version 2.3 and later).
Problems and transactions are logged to ssyyssllooggdd(8).
Corrupted message files are marked so that the queue manager
can move them to the ccoorrrruupptt queue for further inspection.
SECURITY
This program needs a dual personality 1) to access the private
Postfix queue and IPC mechanisms, and 2) to execute external
commands as the specified user. It is therefore security sensitive.
CONFIGURATION PARAMETERS
Changes to mmaaiinn..ccff are picked up automatically as ppiippee(8)
processes run for only a limited amount of time. Use the command
"ppoossttffiixx rreellooaadd" to speed up a change.
The text below provides only a parameter summary. See
ppoossttccoonnff(5) for more details including examples.
RESOURCE AND RATE CONTROLS
In the text below, _t_r_a_n_s_p_o_r_t is the first field in a
mmaasstteerr..ccff entry.
-
_t_r_a_n_s_p_o_r_t__ddeessttiinnaattiioonn__ccoonnccuurrrreennccyy__lliimmiitt (($$ddeeffaauulltt__ddeessttiinnaattiioonn__ccoonnccuurrrreennccyy__lliimmiitt))
Limit the number of parallel deliveries to the same destination,
-
for delivery via the named _t_r_a_n_s_p_o_r_t.
The limit is enforced by the Postfix queue manager.
-
_t_r_a_n_s_p_o_r_t__ddeessttiinnaattiioonn__rreecciippiieenntt__lliimmiitt (($$ddeeffaauulltt__ddeessttiinnaattiioonn__rreecciippiieenntt__lliimmiitt))
Limit the number of recipients per message delivery, for delivery
-
via the named _t_r_a_n_s_p_o_r_t.
The limit is enforced by the Postfix queue manager.
-
_t_r_a_n_s_p_o_r_t__ttiimmee__lliimmiitt (($$ccoommmmaanndd__ttiimmee__lliimmiitt))
Limit the time for delivery to external command, for delivery via
-
the named _t_r_a_n_s_p_o_r_t.
The limit is enforced by the pipe delivery agent.
Postfix 2.4 and later support a suffix that specifies the
time unit: s (seconds), m (minutes), h (hours), d (days),
w (weeks). The default time unit is seconds.
MISCELLANEOUS CONTROLS
-
ccoonnffiigg__ddiirreeccttoorryy ((sseeee ''ppoossttccoonnff --dd'' oouuttppuutt))
The default location of the Postfix main.cf and master.cf
-
configuration files.
-
ddaaeemmoonn__ttiimmeeoouutt ((1188000000ss))
How much time a Postfix daemon process may take to handle a
-
request before it is terminated by a built-in watchdog timer.
-
ddeellaayy__llooggggiinngg__rreessoolluuttiioonn__lliimmiitt ((22))
The maximal number of digits after the decimal point when logging
-
sub-second delay values.
-
eexxppoorrtt__eennvviirroonnmmeenntt ((sseeee ''ppoossttccoonnff --dd'' oouuttppuutt))
The list of environment variables that a Postfix process will export
-
to non-Postfix processes.
-
iippcc__ttiimmeeoouutt ((33660000ss))
The time limit for sending or receiving information over an internal
-
communication channel.
-
mmaaiill__oowwnneerr ((ppoossttffiixx))
The UNIX system account that owns the Postfix queue and most Postfix
-
daemon processes.
-
mmaaxx__iiddllee ((110000ss))
The maximum amount of time that an idle Postfix daemon process waits
-
for an incoming connection before terminating voluntarily.
-
mmaaxx__uussee ((110000))
The maximal number of incoming connections that a Postfix daemon
-
process will service before terminating voluntarily.
-
pprroocceessss__iidd ((rreeaadd--oonnllyy))
The process ID of a Postfix command or daemon process.
-
-
pprroocceessss__nnaammee ((rreeaadd--oonnllyy))
The process name of a Postfix command or daemon process.
-
-
qquueeuuee__ddiirreeccttoorryy ((sseeee ''ppoossttccoonnff --dd'' oouuttppuutt))
The location of the Postfix top-level queue directory.
-
-
rreecciippiieenntt__ddeelliimmiitteerr ((eemmppttyy))
The separator between user names and address extensions (user+foo).
-
-
ssyysslloogg__ffaacciilliittyy ((mmaaiill))
The syslog facility of Postfix logging.
-
-
ssyysslloogg__nnaammee ((sseeee ''ppoossttccoonnff --dd'' oouuttppuutt))
The mail system name that is prepended to the process name in syslog
-
records, so that "smtpd" becomes, for example, "postfix/smtpd".
SEE ALSO
qmgr(8), queue manager
bounce(8), delivery status reports
postconf(5), configuration parameters
master(5), generic daemon options
master(8), process manager
syslogd(8), system logging
LICENSE
The Secure Mailer license must be distributed with this software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA