NAME
proxymap
-
Postfix lookup table proxy server
SYNOPSIS
pprrooxxyymmaapp [generic Postfix daemon options]
DESCRIPTION
The pprrooxxyymmaapp(8) server provides read-only or read-write
table lookup service to Postfix processes. These services are
implemented with distinct service names: pprrooxxyymmaapp and
pprrooxxyywwrriittee, respectively. The purpose of these services is:
-
·
To overcome chroot restrictions. For example, a chrooted SMTP
-
server needs access to the system passwd file in order to
reject mail for non-existent local addresses, but it is not
practical to maintain a copy of the passwd file in the chroot
jail. The solution:
local_recipient_maps =
proxy:unix:passwd.byname $alias_maps
-
·
To consolidate the number of open lookup tables by sharing
-
one open table among multiple processes. For example, making
mysql connections from every Postfix daemon process results
in "too many connections" errors. The solution:
virtual_alias_maps =
proxy:mysql:/etc/postfix/virtual_alias.cf
The total number of connections is limited by the number of
proxymap server processes.
-
·
To provide single-updater functionality for lookup tables
-
that do not reliably support multiple writers (i.e. all
file-based tables).
The pprrooxxyymmaapp(8) server implements the following requests:
-
ooppeenn _m_a_p_t_y_p_e_:_m_a_p_n_a_m_e _f_l_a_g_s
Open the table with type _m_a_p_t_y_p_e and name _m_a_p_n_a_m_e,
-
as controlled by _f_l_a_g_s. The reply includes the _m_a_p_t_y_p_e
dependent flags (to distinguish a fixed string table from a regular
expression table).
-
llooookkuupp _m_a_p_t_y_p_e_:_m_a_p_n_a_m_e _f_l_a_g_s _k_e_y
Look up the data stored under the requested key.
-
The reply is the request completion status code and
the lookup result value.
The _m_a_p_t_y_p_e_:_m_a_p_n_a_m_e and _f_l_a_g_s are the same
as with the ooppeenn request.
-
uuppddaattee _m_a_p_t_y_p_e_:_m_a_p_n_a_m_e _f_l_a_g_s _k_e_y _v_a_l_u_e
Update the data stored under the requested key.
-
The reply is the request completion status code.
The _m_a_p_t_y_p_e_:_m_a_p_n_a_m_e and _f_l_a_g_s are the same
as with the ooppeenn request.
To implement single-updater maps, specify a process limit
of 1 in the master.cf file entry for the pprrooxxyywwrriittee
service.
This request is supported in Postfix 2.5 and later.
-
ddeelleettee _m_a_p_t_y_p_e_:_m_a_p_n_a_m_e _f_l_a_g_s _k_e_y
Delete the data stored under the requested key.
-
The reply is the request completion status code.
The _m_a_p_t_y_p_e_:_m_a_p_n_a_m_e and _f_l_a_g_s are the same
as with the ooppeenn request.
This request is supported in Postfix 2.5 and later.
The request completion status is one of OK, RETRY, NOKEY
(lookup failed because the key was not found), BAD (malformed
request) or DENY (the table is not approved for proxy read
or update access).
There is no cclloossee command, nor are tables implicitly closed
when a client disconnects. The purpose is to share tables among
multiple client processes.
SERVER PROCESS MANAGEMENT
pprrooxxyymmaapp(8) servers run under control by the Postfix
mmaasstteerr(8)
server. Each server can handle multiple simultaneous connections.
When all servers are busy while a client connects, the mmaasstteerr(8)
creates a new pprrooxxyymmaapp(8) server process, provided that the
process limit is not exceeded.
Each server terminates after serving at least $$mmaaxx__uussee clients
or after $$mmaaxx__iiddllee seconds of idle time.
SECURITY
The pprrooxxyymmaapp(8) server opens only tables that are
approved via the pprrooxxyy__rreeaadd__mmaappss or pprrooxxyy__wwrriittee__mmaappss
configuration parameters, does not talk to
users, and can run at fixed low privilege, chrooted or not.
However, running the proxymap server chrooted severely limits
usability, because it can open only chrooted tables.
The pprrooxxyymmaapp(8) server is not a trusted daemon process, and must
not be used to look up sensitive information such as user or
group IDs, mailbox file/directory names or external commands.
In Postfix version 2.2 and later, the proxymap client recognizes
requests to access a table for security-sensitive purposes,
and opens the table directly. This allows the same main.cf
setting to be used by sensitive and non-sensitive processes.
Postfix-writable data files should be stored under a dedicated
directory that is writable only by the Postfix mail system,
such as the Postfix-owned ddaattaa__ddiirreeccttoorryy.
In particular, Postfix-writable files should never exist
in root-owned directories. That would open up a particular
type of security hole where ownership of a file or directory
does not match the provider of its content.
DIAGNOSTICS
Problems and transactions are logged to ssyyssllooggdd(8).
BUGS
The pprrooxxyymmaapp(8) server provides service to multiple clients,
and must therefore not be used for tables that have high-latency
lookups.
The pprrooxxyymmaapp(8) read-write service does not explicitly
close lookup tables (even if it did, this could not be relied on,
because the process may be terminated between table updates).
The read-write service should therefore not be used with tables that
leave persistent storage in an inconsistent state between
updates (for example, CDB). Tables that support "sync on
update" should be safe (for example, Berkeley DB) as should
tables that are implemented by a real DBMS.
CONFIGURATION PARAMETERS
On busy mail systems a long time may pass before
pprrooxxyymmaapp(8) relevant
changes to mmaaiinn..ccff are picked up. Use the command
"ppoossttffiixx rreellooaadd" to speed up a change.
The text below provides only a parameter summary. See
ppoossttccoonnff(5) for more details including examples.
-
ccoonnffiigg__ddiirreeccttoorryy ((sseeee ''ppoossttccoonnff --dd'' oouuttppuutt))
The default location of the Postfix main.cf and master.cf
-
configuration files.
-
ddaattaa__ddiirreeccttoorryy ((sseeee ''ppoossttccoonnff --dd'' oouuttppuutt))
The directory with Postfix-writable data files (for example:
-
caches, pseudo-random numbers).
-
ddaaeemmoonn__ttiimmeeoouutt ((1188000000ss))
How much time a Postfix daemon process may take to handle a
-
request before it is terminated by a built-in watchdog timer.
-
iippcc__ttiimmeeoouutt ((33660000ss))
The time limit for sending or receiving information over an internal
-
communication channel.
-
mmaaxx__iiddllee ((110000ss))
The maximum amount of time that an idle Postfix daemon process waits
-
for an incoming connection before terminating voluntarily.
-
mmaaxx__uussee ((110000))
The maximal number of incoming connections that a Postfix daemon
-
process will service before terminating voluntarily.
-
pprroocceessss__iidd ((rreeaadd--oonnllyy))
The process ID of a Postfix command or daemon process.
-
-
pprroocceessss__nnaammee ((rreeaadd--oonnllyy))
The process name of a Postfix command or daemon process.
-
-
pprrooxxyy__rreeaadd__mmaappss ((sseeee ''ppoossttccoonnff --dd'' oouuttppuutt))
The lookup tables that the pprrooxxyymmaapp(8) server is allowed to
-
access for the read-only service.
Available in Postfix 2.5 and later:
-
ddaattaa__ddiirreeccttoorryy ((sseeee ''ppoossttccoonnff --dd'' oouuttppuutt))
The directory with Postfix-writable data files (for example:
-
caches, pseudo-random numbers).
-
pprrooxxyy__wwrriittee__mmaappss ((sseeee ''ppoossttccoonnff --dd'' oouuttppuutt))
The lookup tables that the pprrooxxyymmaapp(8) server is allowed to
-
access for the read-write service.
SEE ALSO
postconf(5), configuration parameters
master(5), generic daemon options
README FILES
Use "ppoossttccoonnff rreeaaddmmee__ddiirreeccttoorryy" or
"ppoossttccoonnff hhttmmll__ddiirreeccttoorryy" to locate this information.
DATABASE_README, Postfix lookup table overview
LICENSE
The Secure Mailer license must be distributed with this software.
HISTORY
The proxymap service was introduced with Postfix 2.0.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA