LOCAL(8) LOCAL(8) NAME local - Postfix local mail delivery SYNOPSIS local [generic Postfix daemon options] DESCRIPTION The local daemon processes delivery requests from the Postfix queue manager to deliver mail to local recipients. Each delivery request specifies a queue file, a sender address, a domain or host to deliver to, and one or more recipients. This program expects to be run from the mas- ter(8) process manager. The local daemon updates queue files and marks recipients as finished, or it informs the queue manager that delivery should be tried again at a later time. Delivery problem reports are sent to the bounce(8) or defer(8) daemon as appropriate. SYSTEM-WIDE AND USER-LEVEL ALIASING The system adminstrator can set up one or more system-wide sendmail-style alias databases. Users can have sendmail- style ~/.forward files. Mail for name is delivered to the alias name, to destinations in ~name/.forward, to the mailbox owned by the user name, or it is sent back as undeliverable. An alias or ~/.forward file may list any combination of external commands, destination file names, :include: directives, or mail addresses. See aliases(5) for a pre- cise description. Each line in a user's .forward file has the same syntax as the right-hand part of an alias. When an address is found in its own alias expansion, delivery is made to the user instead. When a user is listed in the user's own ~/.forward file, delivery is made to the user's mailbox instead. An empty ~/.forward file means do not forward mail. In order to prevent the mail system from using up unrea- sonable amounts of memory, input records read from :include: or from ~/.forward files are broken up into chunks of length line_length_limit. While expanding aliases, ~/.forward files, and so on, the program attempts to avoid duplicate deliveries. The dupli- cate_filter_limit configuration parameter limits the num- ber of remembered recipients. MAIL FORWARDING For the sake of reliability, forwarded mail is re-submit- ted as a new message, so that each recipient has a sepa- rate on-file delivery status record. 1 LOCAL(8) LOCAL(8) In order to stop mail forwarding loops early, the software adds a Delivered-To: header with the envelope recipient address. If mail arrives for a recipient that is already listed in a Delivered-To: header, the message is bounced. MAILBOX DELIVERY The per-user mailbox is either a file in the default UNIX mailbox directory (/var/mail/user or /var/spool/mail/user) or it is a file in the user's home directory with a name specified via the home_mailbox configuration parameter. Mailbox delivery can be delegated to an external command specified with the mailbox_command configuration parame- ter. The local daemon prepends a "From sender time_stamp" enve- lope header to each message, prepends a Delivered-To: header with the envelope recipient address, prepends a > character to lines beginning with "From ", and appends an empty line. The mailbox is locked for exclusive access while delivery is in progress. In case of problems, an attempt is made to truncate the mailbox to its original length. EXTERNAL COMMAND DELIVERY The allow_mail_to_commands configuration parameter restricts delivery to external commands. The default set- ting (alias, forward) forbids command destinations in :include: files. The command is executed directly where possible. Assis- tance by the shell (/bin/sh on UNIX systems) is used only when the command contains shell magic characters, or when the command invokes a shell built-in command. A limited amount of command output (standard output and standard error) is captured for inclusion with non-deliv- ery status reports. A command is forcibly terminated if it does not complete within command_time_limit seconds. Command exit status codes are expected to follow the con- ventions defined in <sysexits.h>. When mail is delivered on behalf of a user, the HOME, LOG- NAME, and SHELL environment variables are set accordingly. The PATH environment variable is always reset to a system- dependent default path, and the TZ (time zone) environment variable is always passed on without change. The current working directory is the mail queue directory. The local daemon prepends a "From sender time_stamp" enve- lope header to each message, prepends a Delivered-To: header with the recipient envelope address, and appends an empty line. 2 LOCAL(8) LOCAL(8) EXTERNAL FILE DELIVERY The allow_mail_to_files configuration parameter restricts delivery to external files. The default setting (alias, forward) forbids file destinations in :include: files. The local daemon prepends a "From sender time_stamp" enve- lope header to each message, prepends a Delivered-To: header with the recipient envelope address, prepends a > character to lines beginning with "From ", and appends an empty line. When the destination is a regular file, it is locked for exclusive access while delivery is in progress. In case of problems, an attempt is made to truncate a reg- ular file to its original length. ADDRESS EXTENSION The optional recipient_delimiter configuration parameter specifies how to separate address extensions from local recipient names. For example, with "recipient_delimiter = +", mail for name+foo is delivered to the alias name+foo or to the alias name, to the destinations listed in ~name/.for- ward+foo or in ~name/.forward, to the mailbox owned by the user name, or it is sent back as undeliverable. In all cases the local daemon prepends a `Delivered-To: name+foo' header line. FEATURE CONTROL The optional recipient_feature_delimiter configuration parameter specifies how to separate feature control suf- fixes from recipient addresses. For example, with "recipient_feature_delimiter = -", mail to foo-nodelivered is delivered without prepending a Delivered-To: header. A recipient address can have multiple feature control suf- fixes. DELIVERY RIGHTS Deliveries to external files and external commands are made with the rights of the receiving user on whose behalf the delivery is made. In the absence of a user context, the local daemon uses the owner rights of the :include: file or alias database. When those files are owned by the superuser, delivery is made with the rights specified with the default_privs configuration parameter. STANDARDS RFC 822 (ARPA Internet Text Messages) DIAGNOSTICS Problems and transactions are logged to syslogd(8). 3 LOCAL(8) LOCAL(8) Corrupted message files are marked so that the queue man- ager can move them to the corrupt queue afterwards. Depending on the setting of the notify_classes parameter, the postmaster is notified of bounces and of other trou- ble. BUGS For security reasons, the message delivery status of external commands or of external files is never check- pointed to file. As a result, the program may occasionally deliver more than once to a command or external file. Bet- ter safe than sorry. Mutually-recursive aliases or ~/.forward files are not detected early. The resulting mail forwarding loop is broken by the use of the Delivered-To: message header. CONFIGURATION PARAMETERS The following main.cf parameters are especially relevant to this program. See the Postfix main.cf file for syntax details and for default values. Use the postfix reload command after a configuration change. Miscellaneous alias_maps List of alias databases. home_mailbox Pathname of a mailbox relative to a user's home directory. mailbox_command External command to use for mailbox delivery. recipient_delimiter Separator between username and address extension. recipient_feature_delimiter Separator between feature control address suffixes. Locking controls deliver_lock_attempts Limit the number of attempts to acquire an exclu- sive lock on a mailbox or external file. deliver_lock_delay Time in seconds between successive attempts to acquire an exclusive lock. stale_lock_time Limit the time after which a stale lock is removed. 4 LOCAL(8) LOCAL(8) Resource controls command_time_limit Limit the amount of time for delivery to external command. duplicate_filter_limit Limit the size of the duplicate filter for results from alias etc. expansion. line_length_limit Limit the amount of memory used for processing a partial input line. local_destination_concurrency_limit Limit the number of parallel deliveries to the same user. The default limit is taken from the default_destination_concurrency_limit parameter. local_destination_recipient_limit Limit the number of recipients per message deliv- ery. The default limit is taken from the default_destination_recipient_limit parameter. Security controls allow_mail_to_commands Restrict the usage of mail delivery to external command. allow_mail_to_files Restrict the usage of mail delivery to external file. default_privs Default rights for delivery to external file or command. HISTORY The Delivered-To: header appears in the qmail system by Daniel Bernstein. SEE ALSO aliases(5) format of alias database bounce(8) non-delivery status reports postalias(1) create/update alias database syslogd(8) system logging qmgr(8) queue manager LICENSE The Secure Mailer license must be distributed with this software. AUTHOR(S) Wietse Venema IBM T.J. Watson Research 5 LOCAL(8) LOCAL(8) P.O. Box 704 Yorktown Heights, NY 10598, USA 6