pipe(category14-security-amp-firewalls.html) - phpMan

PIPE(8)                     System Manager's Manual                    PIPE(8)

NAME
       pipe - Postfix delivery to external command
SYNOPSIS
       pipe [generic Postfix daemon options] command_attributes...
DESCRIPTION
       The pipe(8) daemon processes requests from the Postfix queue manager to
       deliver messages to external commands.  This program expects to be  run
       from the master(8) process manager.
       Message  attributes  such  as  sender  address,  recipient  address and
       next-hop host name can be specified as  command-line  macros  that  are
       expanded before the external command is executed.
       The  pipe(8)  daemon  updates  queue files and marks recipients as fin-
       ished, or it informs the queue manager that delivery  should  be  tried
       again  at  a  later  time.  Delivery  status  reports  are  sent to the
       bounce(8), defer(8) or trace(8) daemon as appropriate.
SINGLE-RECIPIENT DELIVERY
       Some destinations cannot handle more than one  recipient  per  delivery
       request.   Examples   are   pagers   or  fax  machines.   In  addition,
       multi-recipient delivery is undesirable when prepending a Delivered-to:
       or X-Original-To: message header.
       To  prevent  Postfix  from  sending  multiple  recipients  per delivery
       request, specify
           transport_destination_recipient_limit = 1
       in the Postfix main.cf file, where transport is the name in  the  first
       column  of  the  Postfix  master.cf  entry  for the pipe-based delivery
       transport.
COMMAND ATTRIBUTE SYNTAX
       The external command attributes are given in the master.cf file at  the
       end of a service definition.  The syntax is as follows:
       chroot=pathname (optional)
              Change  the  process root directory and working directory to the
              named directory. This happens before switching to the privileges
              specified  with  the  user  attribute,  and before executing the
              optional directory=pathname directive. Delivery is  deferred  in
              case of failure.
              This feature is available as of Postfix 2.3.
       directory=pathname (optional)
              Change to the named directory before executing the external com-
              mand.  The directory must be accessible for the  user  specified
              with the user attribute (see below).  The default working direc-
              tory is $queue_directory.  Delivery is deferred in case of fail-
              ure.
              This feature is available as of Postfix 2.2.
       eol=string (optional, default: \n)
              The output record delimiter. Typically one would use either \r\n
              or \n. The usual C-style backslash escape sequences  are  recog-
              nized:  \a \b \f \n \r \t \v \ddd (up to three octal digits) and
              \\.
       flags=BDFORXhqu.> (optional)
              Optional message processing flags.  By  default,  a  message  is
              copied unchanged.
              B      Append  a  blank line at the end of each message. This is
                     required by some mail user agents that recognize "From  "
                     lines only when preceded by a blank line.
              D      Prepend  a  "Delivered-To: recipient" message header with
                     the envelope recipient address. Note: for this  to  work,
                     the  transport_destination_recipient_limit must be 1 (see
                     SINGLE-RECIPIENT DELIVERY above for details).
                     The D flag also enforces loop detection (Postfix 2.5  and
                     later):  if  a  message  already contains a Delivered-To:
                     header with the same recipient address, then the  message
                     is  returned  as undeliverable. The address comparison is
                     case insensitive.
                     This feature is available as of Postfix 2.0.
              F      Prepend a "From sender time_stamp" envelope header to the
                     message  content.  This is expected by, for example, UUCP
                     software.
              O      Prepend an "X-Original-To: recipient" message header with
                     the recipient address as given to Postfix. Note: for this
                     to work, the  transport_destination_recipient_limit  must
                     be 1 (see SINGLE-RECIPIENT DELIVERY above for details).
                     This feature is available as of Postfix 2.0.
              R      Prepend  a  Return-Path: message header with the envelope
                     sender address.
              X      Indicate that the external command performs final  deliv-
                     ery.   This flag affects the status reported in "success"
                     DSN (delivery status notification) messages, and  changes
                     it from "relayed" into "delivered".
                     This feature is available as of Postfix 2.5.
              h      Fold  the command-line $original_recipient and $recipient
                     address domain part (text to the right of the  right-most
                     @  character) to lower case; fold the entire command-line
                     $domain and $nexthop host or domain information to  lower
                     case.  This is recommended for delivery via UUCP.
              q      Quote  white  space  and  other special characters in the
                     command-line $sender, $original_recipient and  $recipient
                     address  localparts (text to the left of the right-most @
                     character), according to an 8-bit transparent version  of
                     RFC  822.   This  is recommended for delivery via UUCP or
                     BSMTP.
                     The result is compatible with the address parsing of com-
                     mand-line recipients by the Postfix sendmail(1) mail sub-
                     mission command.
                     The q flag affects only entire addresses, not the partial
                     address  information from the $user, $extension or $mail-
                     box command-line macros.
              u      Fold the command-line $original_recipient and  $recipient
                     address  localpart  (text to the left of the right-most @
                     character) to lower case.  This is recommended for deliv-
                     ery via UUCP.
              .      Prepend  "."  to  lines starting with ".". This is needed
                     by, for example, BSMTP software.
              >      Prepend ">" to lines  starting  with  "From  ".  This  is
                     expected by, for example, UUCP software.
       null_sender=replacement (default: MAILER-DAEMON)
              Replace  the  null  sender  address (typically used for delivery
              status notifications) with the specified text when expanding the
              $sender  command-line  macro,  and  when  generating  a From_ or
              Return-Path: message header.
              If the null sender replacement text is a non-empty  string  then
              it is affected by the q flag for address quoting in command-line
              arguments.
              The null sender replacement text may be empty; this form is rec-
              ommended  for  content filters that feed mail back into Postfix.
              The empty sender address is not  affected  by  the  q  flag  for
              address quoting in command-line arguments.
              Caution:  a  null  sender  address is easily mis-parsed by naive
              software. For example, when the pipe(8) daemon executes  a  com-
              mand such as:
                  Wrong: command -f$sender -- $recipient
              the  command  will mis-parse the -f option value when the sender
              address is a null string.  For correct parsing, specify  $sender
              as an argument by itself:
                  Right: command -f $sender -- $recipient
              This feature is available as of Postfix 2.3.
       size=size_limit (optional)
              Don't  deliver  messages that exceed this size limit (in bytes);
              return them to the sender instead.
       user=username (required)
       user=username:groupname
              Execute the external command with the user ID and  group  ID  of
              the  specified  username.   The software refuses to execute com-
              mands with root privileges, or with the privileges of  the  mail
              system owner. If groupname is specified, the corresponding group
              ID is used instead of the group ID of username.
       argv=command... (required)
              The command to be executed. This must be specified as  the  last
              command attribute.  The command is executed directly, i.e. with-
              out interpretation of shell meta characters by a  shell  command
              interpreter.
              Specify "{" and "}" around command arguments that contain white-
              space (Postfix 3.0 and later). Whitespace after the opening  "{"
              and before the closing "}" is ignored.
              In  the command argument vector, the following macros are recog-
              nized and replaced with corresponding information from the Post-
              fix queue manager delivery request.
              In  addition to the form ${name}, the forms $name and the depre-
              cated form $(name) are also recognized.  Specify $$ where a sin-
              gle $ is wanted.
              ${client_address}
                     This macro expands to the remote client network address.
                     This feature is available as of Postfix 2.2.
              ${client_helo}
                     This  macro  expands  to  the  remote client HELO command
                     parameter.
                     This feature is available as of Postfix 2.2.
              ${client_hostname}
                     This macro expands to the remote client hostname.
                     This feature is available as of Postfix 2.2.
              ${client_port}
                     This macro expands to the remote client TCP port number.
                     This feature is available as of Postfix 2.5.
              ${client_protocol}
                     This macro expands to the remote client protocol.
                     This feature is available as of Postfix 2.2.
              ${domain}
                     This macro expands to the domain portion of the recipient
                     address.   For  example,  with an address user+foo@domain
                     the domain is domain.
                     This information is modified by the h flag for case fold-
                     ing.
                     This feature is available as of Postfix 2.5.
              ${extension}
                     This  macro  expands to the extension part of a recipient
                     address.  For example, with  an  address  user+foo@domain
                     the extension is foo.
                     A   command-line   argument  that  contains  ${extension}
                     expands into as many command-line arguments as there  are
                     recipients.
                     This information is modified by the u flag for case fold-
                     ing.
              ${mailbox}
                     This macro expands to the complete local part of a recip-
                     ient    address.     For   example,   with   an   address
                     user+foo@domain the mailbox is user+foo.
                     A command-line argument that contains ${mailbox}  expands
                     to  as  many  command-line arguments as there are recipi-
                     ents.
                     This information is modified by the u flag for case fold-
                     ing.
              ${nexthop}
                     This macro expands to the next-hop hostname.
                     This information is modified by the h flag for case fold-
                     ing.
              ${original_recipient}
                     This macro expands  to  the  complete  recipient  address
                     before any address rewriting or aliasing.
                     A  command-line argument that contains ${original_recipi-
                     ent} expands to as many command-line arguments  as  there
                     are recipients.
                     This information is modified by the hqu flags for quoting
                     and case folding.
                     This feature is available as of Postfix 2.5.
              ${queue_id}
                     This macro expands to the queue id.
                     This feature is available as of Postfix 2.11.
              ${recipient}
                     This macro expands to the complete recipient address.
                     A  command-line  argument  that   contains   ${recipient}
                     expands  to  as  many command-line arguments as there are
                     recipients.
                     This information is modified by the hqu flags for quoting
                     and case folding.
              ${sasl_method}
                     This macro expands to the name of the SASL authentication
                     mechanism in the  AUTH  command  when  the  Postfix  SMTP
                     server received the message.
                     This feature is available as of Postfix 2.2.
              ${sasl_sender}
                     This  macro  expands  to  the  SASL sender name (i.e. the
                     original submitter as per RFC 4954) in the MAIL FROM com-
                     mand when the Postfix SMTP server received the message.
                     This feature is available as of Postfix 2.2.
              ${sasl_username}
                     This macro expands to the SASL user name in the AUTH com-
                     mand when the Postfix SMTP server received the message.
                     This feature is available as of Postfix 2.2.
              ${sender}
                     This macro expands to the  envelope  sender  address.  By
                     default,  the  null sender address expands to MAILER-DAE-
                     MON; this can be changed with the null_sender  attribute,
                     as described above.
                     This information is modified by the q flag for quoting.
              ${size}
                     This macro expands to Postfix's idea of the message size,
                     which is an approximation of the size of the  message  as
                     delivered.
              ${user}
                     This  macro  expands  to the username part of a recipient
                     address.  For example, with  an  address  user+foo@domain
                     the username part is user.
                     A  command-line  argument  that  contains ${user} expands
                     into as many command-line arguments as there are  recipi-
                     ents.
                     This information is modified by the u flag for case fold-
                     ing.
STANDARDS
       RFC 3463 (Enhanced status codes)
DIAGNOSTICS
       Command exit status  codes  are  expected  to  follow  the  conventions
       defined in <sysexits.h>.  Exit status 0 means normal successful comple-
       tion.
       In the case of a non-zero exit status, a limited amount of command out-
       put  is  logged,  and reported in a delivery status notification.  When
       the output begins with a 4.X.X or 5.X.X enhanced status code, the  sta-
       tus  code  takes precedence over the non-zero exit status (Postfix ver-
       sion 2.3 and later).
       After successful delivery (zero exit status) a limited amount  of  com-
       mand  output is logged, and reported in "success" delivery status noti-
       fications (Postfix 3.0 and later).  This command output is not examined
       for the presence of an enhanced status code.
       Problems  and  transactions  are  logged  to syslogd(8) or postlogd(8).
       Corrupted message files are marked so that the queue manager  can  move
       them to the corrupt queue for further inspection.
SECURITY
       This  program needs a dual personality 1) to access the private Postfix
       queue and IPC mechanisms, and 2) to execute external  commands  as  the
       specified user. It is therefore security sensitive.
CONFIGURATION PARAMETERS
       Changes to main.cf are picked up automatically as pipe(8) processes run
       for only a limited amount of time. Use the command "postfix reload"  to
       speed up a change.
       The  text  below provides only a parameter summary. See postconf(5) for
       more details including examples.
RESOURCE AND RATE CONTROLS
       In the text below, transport is the first field in a master.cf entry.
       transport_time_limit ($command_time_limit)
              A transport-specific override for the command_time_limit parame-
              ter  value, where transport is the master.cf name of the message
              delivery transport.
       Implemented in the qmgr(8) daemon:
       transport_destination_concurrency_limit   ($default_destination_concur-
       rency_limit)
              A  transport-specific  override for the default_destination_con-
              currency_limit parameter value, where transport is the master.cf
              name of the message delivery transport.
       transport_destination_recipient_limit     ($default_destination_recipi-
       ent_limit)
              A transport-specific override for the default_destination_recip-
              ient_limit  parameter  value,  where  transport is the master.cf
              name of the message delivery transport.
MISCELLANEOUS CONTROLS
       config_directory (see 'postconf -d' output)
              The default location of the Postfix main.cf and  master.cf  con-
              figuration files.
       daemon_timeout (18000s)
              How  much  time  a  Postfix  daemon process may take to handle a
              request before it is terminated by a built-in watchdog timer.
       delay_logging_resolution_limit (2)
              The maximal number of digits after the decimal point  when  log-
              ging sub-second delay values.
       export_environment (see 'postconf -d' output)
              The  list  of  environment variables that a Postfix process will
              export to non-Postfix processes.
       ipc_timeout (3600s)
              The time limit for sending  or  receiving  information  over  an
              internal communication channel.
       mail_owner (postfix)
              The  UNIX  system  account  that owns the Postfix queue and most
              Postfix daemon processes.
       max_idle (100s)
              The maximum amount of time that an idle Postfix  daemon  process
              waits for an incoming connection before terminating voluntarily.
       max_use (100)
              The maximal number of incoming connections that a Postfix daemon
              process will service before terminating voluntarily.
       process_id (read-only)
              The process ID of a Postfix command or daemon process.
       process_name (read-only)
              The process name of a Postfix command or daemon process.
       queue_directory (see 'postconf -d' output)
              The location of the Postfix top-level queue directory.
       recipient_delimiter (empty)
              The set of characters that can separate a  user  name  from  its
              extension  (example: user+foo), or a .forward file name from its
              extension (example: .forward+foo).
       syslog_facility (mail)
              The syslog facility of Postfix logging.
       syslog_name (see 'postconf -d' output)
              A prefix that  is  prepended  to  the  process  name  in  syslog
              records, so that, for example, "smtpd" becomes "prefix/smtpd".
       Available in Postfix version 3.0 and later:
       pipe_delivery_status_filter ($default_delivery_status_filter)
              Optional  filter  for  the  pipe(8) delivery agent to change the
              delivery status code or explanatory text of successful or unsuc-
              cessful deliveries.
       Available in Postfix version 3.3 and later:
       enable_original_recipient (yes)
              Enable  support  for  the  original  recipient  address after an
              address is rewritten to a different address  (for  example  with
              aliasing or with canonical mapping).
       service_name (read-only)
              The master.cf service name of a Postfix daemon process.
       Available in Postfix 3.5 and later:
       info_log_address_format (external)
              The  email  address  form that will be used in non-debug logging
              (info, warning, etc.).
SEE ALSO
       qmgr(8), queue manager
       bounce(8), delivery status reports
       postconf(5), configuration parameters
       master(5), generic daemon options
       master(8), process manager
       postlogd(8), Postfix logging
       syslogd(8), system logging
LICENSE
       The Secure Mailer license must be distributed with this software.
AUTHOR(S)
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA
       Wietse Venema
       Google, Inc.
       111 8th Avenue
       New York, NY 10011, USA

                                                                       PIPE(8)