NAME

pipe - Postfix delivery to external command

SYNOPSIS


ppiippee [generic Postfix daemon options] command_attributes...

DESCRIPTION

The ppiippee(8) daemon processes requests from the Postfix queue manager to deliver messages to external commands. This program expects to be run from the mmaasstteerr(8) process manager.

Message attributes such as sender address, recipient address and next-hop host name can be specified as command-line macros that are expanded before the external command is executed.

The ppiippee(8) daemon updates queue files and marks recipients as finished, or it informs the queue manager that delivery should be tried again at a later time. Delivery status reports are sent to the bboouunnccee(8), ddeeffeerr(8) or ttrraaccee(8) daemon as appropriate.

SINGLE-RECIPIENT DELIVERY



Some destinations cannot handle more than one recipient per
delivery request. Examples are pagers or fax machines.
In addition, multi-recipient delivery is undesirable when
prepending a DDeelliivveerreedd--ttoo:: or XX--OOrriiggiinnaall--TToo::
message header.
        

To prevent Postfix from sending multiple recipients per delivery request, specify


    _t_r_a_n_s_p_o_r_t__ddeessttiinnaattiioonn__rreecciippiieenntt__lliimmiitt == 11

in the Postfix mmaaiinn..ccff file, where _t_r_a_n_s_p_o_r_t is the name in the first column of the Postfix mmaasstteerr..ccff entry for the pipe-based delivery transport.

COMMAND ATTRIBUTE SYNTAX



The external command attributes are given in the mmaasstteerr..ccff
file at the end of a service definition.  The syntax is as follows:
cchhrroooott==_p_a_t_h_n_a_m_e (optional) Change the process root directory and working directory to
the named directory. This happens before switching to the privileges specified with the uusseerr attribute, and before executing the optional ddiirreeccttoorryy==_p_a_t_h_n_a_m_e directive. Delivery is deferred in case of failure.

This feature is available as of Postfix 2.3.
ddiirreeccttoorryy==_p_a_t_h_n_a_m_e (optional) Change to the named directory before executing the external command.
The directory must be accessible for the user specified with the uusseerr attribute (see below). The default working directory is $$qquueeuuee__ddiirreeccttoorryy. Delivery is deferred in case of failure.

This feature is available as of Postfix 2.2.
eeooll==_s_t_r_i_n_g (optional, default: \\nn) The output record delimiter. Typically one would use either
\\rr\\nn or \\nn. The usual C-style backslash escape sequences are recognized: \\aa \\bb \\ff \\nn \\rr \\tt \\vv \\_d_d_d (up to three octal digits) and \\\\.
ffllaaggss==BBDDFFOORRXXhhqquu..>> (optional) Optional message processing flags. By default, a message is
copied unchanged.
BB Append a blank line at the end of each message. This is required
by some mail user agents that recognize "FFrroomm " lines only when preceded by a blank line.
DD Prepend a "DDeelliivveerreedd--TToo:: _r_e_c_i_p_i_e_n_t" message header with the
envelope recipient address. Note: for this to work, the _t_r_a_n_s_p_o_r_t__ddeessttiinnaattiioonn__rreecciippiieenntt__lliimmiitt must be 1 (see SINGLE-RECIPIENT DELIVERY above for details).

The DD flag also enforces loop detection (Postfix 2.5 and later): if a message already contains a DDeelliivveerreedd--TToo:: header with the same recipient address, then the message is returned as undeliverable. The address comparison is case insensitive.

This feature is available as of Postfix 2.0.
FF Prepend a "FFrroomm _s_e_n_d_e_r _t_i_m_e___s_t_a_m_p" envelope header to
the message content. This is expected by, for example, UUUUCCPP software.
OO Prepend an "XX--OOrriiggiinnaall--TToo:: _r_e_c_i_p_i_e_n_t" message header
with the recipient address as given to Postfix. Note: for this to work, the _t_r_a_n_s_p_o_r_t__ddeessttiinnaattiioonn__rreecciippiieenntt__lliimmiitt must be 1 (see SINGLE-RECIPIENT DELIVERY above for details).

This feature is available as of Postfix 2.0.
RR Prepend a RReettuurrnn--PPaatthh:: message header with the envelope sender
address.
XX Indicate that the external command performs final delivery.
This flag affects the status reported in "success" DSN (delivery status notification) messages, and changes it from "relayed" into "delivered".

This feature is available as of Postfix 2.5.
hh Fold the command-line $$oorriiggiinnaall__rreecciippiieenntt and
$$rreecciippiieenntt address domain part (text to the right of the right-most @@ character) to lower case; fold the entire command-line $$ddoommaaiinn and $$nneexxtthhoopp host or domain information to lower case. This is recommended for delivery via UUUUCCPP.
qq Quote white space and other special characters in the command-line
$$sseennddeerr, $$oorriiggiinnaall__rreecciippiieenntt and $$rreecciippiieenntt address localparts (text to the left of the right-most @@ character), according to an 8-bit transparent version of RFC 822. This is recommended for delivery via UUUUCCPP or BBSSMMTTPP.

The result is compatible with the address parsing of command-line recipients by the Postfix sseennddmmaaiill(1) mail submission command.

The qq flag affects only entire addresses, not the partial address information from the $$uusseerr, $$eexxtteennssiioonn or $$mmaaiillbbooxx command-line macros.
uu Fold the command-line $$oorriiggiinnaall__rreecciippiieenntt and
$$rreecciippiieenntt address localpart (text to the left of the right-most @@ character) to lower case. This is recommended for delivery via UUUUCCPP.
.. Prepend ".." to lines starting with "..". This is needed
by, for example, BBSSMMTTPP software.
>> Prepend ">>" to lines starting with "FFrroomm ". This is expected
by, for example, UUUUCCPP software.
nnuullll__sseennddeerr=_r_e_p_l_a_c_e_m_e_n_t (default: MAILER-DAEMON) Replace the null sender address (typically used for delivery
status notifications) with the specified text when expanding the $$sseennddeerr command-line macro, and when generating a From_ or Return-Path: message header.

If the null sender replacement text is a non-empty string then it is affected by the qq flag for address quoting in command-line arguments.

The null sender replacement text may be empty; this form is recommended for content filters that feed mail back into Postfix. The empty sender address is not affected by the qq flag for address quoting in command-line arguments.

Caution: a null sender address is easily mis-parsed by naive software. For example, when the ppiippee(8) daemon executes a command such as:


    _W_r_o_n_g: command -f$sender -- $recipient
the command will mis-parse the -f option value when the
sender address is a null string. For correct parsing, specify $$sseennddeerr as an argument by itself:


    _R_i_g_h_t: command -f $sender -- $recipient
This feature is available as of Postfix 2.3.
ssiizzee=_s_i_z_e___l_i_m_i_t (optional) Don't deliver messages that exceed this size limit (in
bytes); return them to the sender instead.
uusseerr=_u_s_e_r_n_a_m_e (required)
uusseerr=_u_s_e_r_n_a_m_e:_g_r_o_u_p_n_a_m_e Execute the external command with the user ID and group ID of the
specified _u_s_e_r_n_a_m_e. The software refuses to execute commands with root privileges, or with the privileges of the mail system owner. If _g_r_o_u_p_n_a_m_e is specified, the corresponding group ID is used instead of the group ID of _u_s_e_r_n_a_m_e.
aarrggvv=_c_o_m_m_a_n_d... (required) The command to be executed. This must be specified as the
last command attribute. The command is executed directly, i.e. without interpretation of shell meta characters by a shell command interpreter.

In the command argument vector, the following macros are recognized and replaced with corresponding information from the Postfix queue manager delivery request.

In addition to the form ${_n_a_m_e}, the forms $_n_a_m_e and $(_n_a_m_e) are also recognized. Specify $$$$ where a single $$ is wanted.
$${{cclliieenntt__aaddddrreessss} This macro expands to the remote client network address.


This feature is available as of Postfix 2.2.
$${{cclliieenntt__hheelloo} This macro expands to the remote client HELO command parameter.


This feature is available as of Postfix 2.2.
$${{cclliieenntt__hhoossttnnaammee} This macro expands to the remote client hostname.


This feature is available as of Postfix 2.2.
$${{cclliieenntt__ppoorrtt} This macro expands to the remote client TCP port number.


This feature is available as of Postfix 2.5.
$${{cclliieenntt__pprroottooccooll} This macro expands to the remote client protocol.


This feature is available as of Postfix 2.2.
$${{ddoommaaiinn} This macro expands to the domain portion of the recipient
address. For example, with an address _u_s_e_r_+_f_o_o_@_d_o_m_a_i_n the domain is _d_o_m_a_i_n.

This information is modified by the hh flag for case folding.

This feature is available as of Postfix 2.5.
$${{eexxtteennssiioonn} This macro expands to the extension part of a recipient address.
For example, with an address _u_s_e_r_+_f_o_o_@_d_o_m_a_i_n the extension is _f_o_o.

A command-line argument that contains $${{eexxtteennssiioonn} expands into as many command-line arguments as there are recipients.

This information is modified by the uu flag for case folding.
$${{mmaaiillbbooxx} This macro expands to the complete local part of a recipient address.
For example, with an address _u_s_e_r_+_f_o_o_@_d_o_m_a_i_n the mailbox is _u_s_e_r_+_f_o_o.

A command-line argument that contains $${{mmaaiillbbooxx} expands to as many command-line arguments as there are recipients.

This information is modified by the uu flag for case folding.
$${{nneexxtthhoopp} This macro expands to the next-hop hostname.


This information is modified by the hh flag for case folding.
$${{oorriiggiinnaall__rreecciippiieenntt} This macro expands to the complete recipient address before any
address rewriting or aliasing.

A command-line argument that contains $${{oorriiggiinnaall__rreecciippiieenntt} expands to as many command-line arguments as there are recipients.

This information is modified by the hhqquu flags for quoting and case folding.

This feature is available as of Postfix 2.5.
$${{rreecciippiieenntt} This macro expands to the complete recipient address.


A command-line argument that contains $${{rreecciippiieenntt} expands to as many command-line arguments as there are recipients.

This information is modified by the hhqquu flags for quoting and case folding.
$${{ssaassll__mmeetthhoodd} This macro expands to the name of the SASL authentication
mechanism in the AUTH command when the Postfix SMTP server received the message.

This feature is available as of Postfix 2.2.
$${{ssaassll__sseennddeerr} This macro expands to the SASL sender name (i.e. the original
submitter as per RFC 4954) in the MAIL FROM command when the Postfix SMTP server received the message.

This feature is available as of Postfix 2.2.
$${{ssaassll__uusseerrnnaammee} This macro expands to the SASL user name in the AUTH command
when the Postfix SMTP server received the message.

This feature is available as of Postfix 2.2.
$${{sseennddeerr} This macro expands to the envelope sender address. By default,
the null sender address expands to MAILER-DAEMON; this can be changed with the nnuullll__sseennddeerr attribute, as described above.

This information is modified by the qq flag for quoting.
$${{ssiizzee} This macro expands to Postfix's idea of the message size, which
is an approximation of the size of the message as delivered.
$${{uusseerr} This macro expands to the username part of a recipient address.
For example, with an address _u_s_e_r_+_f_o_o_@_d_o_m_a_i_n the username part is _u_s_e_r.

A command-line argument that contains $${{uusseerr} expands into as many command-line arguments as there are recipients.

This information is modified by the uu flag for case folding.

STANDARDS


RFC 3463 (Enhanced status codes)

DIAGNOSTICS

Command exit status codes are expected to follow the conventions defined in . Exit status 0 means normal successful completion.

In the case of a non-zero exit status, a limited amount of command output is reported in an delivery status notification. When the output begins with a 4.X.X or 5.X.X enhanced status code, the status code takes precedence over the non-zero exit status (Postfix version 2.3 and later).

Problems and transactions are logged to ssyyssllooggdd(8). Corrupted message files are marked so that the queue manager can move them to the ccoorrrruupptt queue for further inspection.

SECURITY



This program needs a dual personality 1) to access the private
Postfix queue and IPC mechanisms, and 2) to execute external
commands as the specified user. It is therefore security sensitive.

CONFIGURATION PARAMETERS



Changes to mmaaiinn..ccff are picked up automatically as ppiippee(8)
processes run for only a limited amount of time. Use the command
"ppoossttffiixx rreellooaadd" to speed up a change.
        

The text below provides only a parameter summary. See ppoossttccoonnff(5) for more details including examples.

RESOURCE AND RATE CONTROLS



In the text below, _t_r_a_n_s_p_o_r_t is the first field in a
mmaasstteerr..ccff entry.
_t_r_a_n_s_p_o_r_t__ddeessttiinnaattiioonn__ccoonnccuurrrreennccyy__lliimmiitt (($$ddeeffaauulltt__ddeessttiinnaattiioonn__ccoonnccuurrrreennccyy__lliimmiitt)) Limit the number of parallel deliveries to the same destination,
for delivery via the named _t_r_a_n_s_p_o_r_t. The limit is enforced by the Postfix queue manager.
_t_r_a_n_s_p_o_r_t__ddeessttiinnaattiioonn__rreecciippiieenntt__lliimmiitt (($$ddeeffaauulltt__ddeessttiinnaattiioonn__rreecciippiieenntt__lliimmiitt)) Limit the number of recipients per message delivery, for delivery
via the named _t_r_a_n_s_p_o_r_t. The limit is enforced by the Postfix queue manager.
_t_r_a_n_s_p_o_r_t__ttiimmee__lliimmiitt (($$ccoommmmaanndd__ttiimmee__lliimmiitt)) Limit the time for delivery to external command, for delivery via
the named _t_r_a_n_s_p_o_r_t. The limit is enforced by the pipe delivery agent.

Postfix 2.4 and later support a suffix that specifies the time unit: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is seconds.

MISCELLANEOUS CONTROLS



ccoonnffiigg__ddiirreeccttoorryy ((sseeee ''ppoossttccoonnff --dd'' oouuttppuutt)) The default location of the Postfix main.cf and master.cf
configuration files.
ddaaeemmoonn__ttiimmeeoouutt ((1188000000ss)) How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
ddeellaayy__llooggggiinngg__rreessoolluuttiioonn__lliimmiitt ((22)) The maximal number of digits after the decimal point when logging
sub-second delay values.
eexxppoorrtt__eennvviirroonnmmeenntt ((sseeee ''ppoossttccoonnff --dd'' oouuttppuutt)) The list of environment variables that a Postfix process will export
to non-Postfix processes.
iippcc__ttiimmeeoouutt ((33660000ss)) The time limit for sending or receiving information over an internal
communication channel.
mmaaiill__oowwnneerr ((ppoossttffiixx)) The UNIX system account that owns the Postfix queue and most Postfix
daemon processes.
mmaaxx__iiddllee ((110000ss)) The maximum amount of time that an idle Postfix daemon process waits
for an incoming connection before terminating voluntarily.
mmaaxx__uussee ((110000)) The maximal number of incoming connections that a Postfix daemon
process will service before terminating voluntarily.
pprroocceessss__iidd ((rreeaadd--oonnllyy)) The process ID of a Postfix command or daemon process.
pprroocceessss__nnaammee ((rreeaadd--oonnllyy)) The process name of a Postfix command or daemon process.
qquueeuuee__ddiirreeccttoorryy ((sseeee ''ppoossttccoonnff --dd'' oouuttppuutt)) The location of the Postfix top-level queue directory.
rreecciippiieenntt__ddeelliimmiitteerr ((eemmppttyy)) The separator between user names and address extensions (user+foo).
ssyysslloogg__ffaacciilliittyy ((mmaaiill)) The syslog facility of Postfix logging.
ssyysslloogg__nnaammee ((sseeee ''ppoossttccoonnff --dd'' oouuttppuutt)) The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".

SEE ALSO


qmgr(8), queue manager
bounce(8), delivery status reports
postconf(5), configuration parameters
master(5), generic daemon options
master(8), process manager
syslogd(8), system logging

LICENSE



The Secure Mailer license must be distributed with this software.

AUTHOR(S)


Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA