Provided by: postfix_3.7.4-2build1_amd64 bug

NAME

       local - Postfix local mail delivery

SYNOPSIS

       local [generic Postfix daemon options]

DESCRIPTION

       The  local(8) daemon processes delivery requests from the Postfix queue manager to deliver
       mail to local recipients.  Each delivery request specifies a queue file, a sender address,
       a  domain  or  host to deliver to, and one or more recipients.  This program expects to be
       run from the master(8) process manager.

       The local(8) daemon updates queue files and marks recipients as finished,  or  it  informs
       the  queue  manager  that  delivery should be tried again at a later time. Delivery status
       reports are sent to the bounce(8), defer(8) or trace(8) daemon as appropriate.

CASE FOLDING

       All delivery  decisions  are  made  using  the  bare  recipient  name  (i.e.  the  address
       localpart),  folded  to  lower  case.   See  also  under ADDRESS EXTENSION below for a few
       exceptions.

SYSTEM-WIDE AND USER-LEVEL ALIASING

       The system  administrator  can  set  up  one  or  more  system-wide  sendmail-style  alias
       databases.  Users can have sendmail-style ~/.forward files.  Mail for name is delivered to
       the alias name, to destinations in ~name/.forward, to the mailbox owned by the user  name,
       or it is sent back as undeliverable.

       The system administrator can specify a comma/space separated list of ~/.forward like files
       through the forward_path configuration parameter. Upon delivery, the local delivery  agent
       tries each pathname in the list until a file is found.

       Delivery  via  ~/.forward  files  is  done  with  the  privileges of the recipient.  Thus,
       ~/.forward like files must be readable by the recipient, and their parent directory  needs
       to have "execute" permission for the recipient.

       The  forward_path  parameter  is  subject  to interpolation of $user (recipient username),
       $home (recipient home directory), $shell (recipient shell), $recipient (complete recipient
       address),  $extension  (recipient  address  extension), $domain (recipient domain), $local
       (entire recipient address localpart) and $recipient_delimiter. The forms ${name?value} and
       ${name?{value}}  (Postfix  3.0  and  later)  expand  conditionally  to value when $name is
       defined, and the forms  ${name:value}  ${name:{value}}  (Postfix  3.0  and  later)  expand
       conditionally  to  value  when  $name  is not defined.  The form ${name?{value1}:{value2}}
       (Postfix 3.0 and later) expands conditionally to value1 when $name is defined,  or  value2
       otherwise.  Characters  that  may  have  special  meaning  to the shell or file system are
       replaced with underscores. The  list  of  acceptable  characters  is  specified  with  the
       forward_expansion_filter configuration parameter.

       An  alias  or  ~/.forward  file may list any combination of external commands, destination
       file names, :include: directives,  or  mail  addresses.   See  aliases(5)  for  a  precise
       description.  Each  line  in  a user's .forward file has the same syntax as the right-hand
       part of an alias.

       When an address is found in its own alias expansion, delivery is made to the user instead.
       When  a  user  is listed in the user's own ~/.forward file, delivery is made to the user's
       mailbox instead.  An empty ~/.forward file means do not forward mail.

       In order to prevent the mail system from using up unreasonable amounts  of  memory,  input
       records  read  from :include: or from ~/.forward files are broken up into chunks of length
       line_length_limit.

       While expanding aliases, ~/.forward files, and  so  on,  the  program  attempts  to  avoid
       duplicate deliveries. The duplicate_filter_limit configuration parameter limits the number
       of remembered recipients.

MAIL FORWARDING

       For the sake of reliability, forwarded mail is re-submitted as a new message, so that each
       recipient has a separate on-file delivery status record.

       In  order to stop mail forwarding loops early, the software adds an optional Delivered-To:
       header with the final envelope recipient address. If mail arrives for a recipient that  is
       already listed in a Delivered-To: header, the message is bounced.

MAILBOX DELIVERY

       The default per-user mailbox is a file in the UNIX mail spool directory (/var/mail/user or
       /var/spool/mail/user);  the  location  can  be  specified  with  the  mail_spool_directory
       configuration parameter. Specify a name ending in / for qmail-compatible maildir delivery.

       Alternatively, the per-user mailbox can be a file in the user's home directory with a name
       specified via the home_mailbox configuration parameter.  Specify  a  relative  path  name.
       Specify a name ending in / for qmail-compatible maildir delivery.

       Mailbox   delivery   can   be   delegated  to  an  external  command  specified  with  the
       mailbox_command_maps and mailbox_command configuration parameters.  The  command  executes
       with  the  privileges of the recipient user (exceptions: secondary groups are not enabled;
       in case of delivery as root, the command executes with the privileges of default_privs).

       Mailbox delivery can be delegated to  alternative  message  transports  specified  in  the
       master.cf file.  The mailbox_transport_maps and mailbox_transport configuration parameters
       specify an optional message transport that  is  to  be  used  for  all  local  recipients,
       regardless   of   whether   they   are   found   in   the   UNIX   passwd  database.   The
       fallback_transport_maps and fallback_transport  parameters  specify  an  optional  message
       transport for recipients that are not found in the aliases(5) or UNIX passwd database.

       In  the  case  of UNIX-style mailbox delivery, the local(8) daemon prepends a "From sender
       time_stamp" envelope header to each message, prepends an X-Original-To:  header  with  the
       recipient  address as given to Postfix, prepends an optional Delivered-To: header with the
       final envelope recipient address, prepends a Return-Path: header with the envelope  sender
       address,  prepends  a  >  character  to lines beginning with "From ", and appends an empty
       line.  The mailbox is locked for exclusive access while delivery is in progress.  In  case
       of problems, an attempt is made to truncate the mailbox to its original length.

       In  the  case  of  maildir  delivery,  the local daemon prepends an optional Delivered-To:
       header with the final envelope recipient address, prepends an X-Original-To:  header  with
       the  recipient  address  as  given to Postfix, and prepends a Return-Path: header with the
       envelope sender address.

EXTERNAL COMMAND DELIVERY

       The  allow_mail_to_commands  configuration  parameter  restricts  delivery   to   external
       commands.  The  default setting (alias, forward) forbids command destinations in :include:
       files.

       Optionally,  the  process  working  directory  is  changed  to  the  path  specified  with
       command_execution_directory  (Postfix  2.2  and later). Failure to change directory causes
       mail to be deferred.

       The command_execution_directory parameter value  is  subject  to  interpolation  of  $user
       (recipient   username),  $home  (recipient  home  directory),  $shell  (recipient  shell),
       $recipient (complete recipient address), $extension (recipient address extension), $domain
       (recipient  domain), $local (entire recipient address localpart) and $recipient_delimiter.
       The forms ${name?value} and ${name?{value}} (Postfix 3.0 and later)  expand  conditionally
       to  value  when $name is defined, and the forms ${name:value} and ${name:{value}} (Postfix
       3.0 and later) expand conditionally  to  value  when  $name  is  not  defined.   The  form
       ${name?{value1}:{value2}}  (Postfix  3.0  and  later) expands conditionally to value1 when
       $name is defined, or value2 otherwise. Characters that may have  special  meaning  to  the
       shell  or  file system are replaced with underscores. The list of acceptable characters is
       specified with the execution_directory_expansion_filter configuration parameter.

       The command is executed directly where possible. Assistance by the shell (/bin/sh on  UNIX
       systems)  is  used  only  when  the  command  contains shell magic characters, or when the
       command invokes a shell built-in command.

       A limited amount of command output (standard output and standard error)  is  captured  for
       inclusion  with  non-delivery status reports.  A command is forcibly terminated if it does
       not complete within command_time_limit seconds.  Command exit status codes are expected to
       follow  the  conventions  defined  in <sysexits.h>.  Exit status 0 means normal successful
       completion.

       Postfix version 2.3 and later support RFC 3463-style enhanced status codes.  If a  command
       terminates  with  a  non-zero  exit status, and the command output begins with an enhanced
       status code, this status code takes precedence over the non-zero exit status.

       A limited amount of message context is exported via environment variables. Characters that
       may  have  special  meaning  to  the  shell  are  replaced  with underscores.  The list of
       acceptable  characters  is  specified  with  the  command_expansion_filter   configuration
       parameter.

       SHELL  The recipient user's login shell.

       HOME   The recipient user's home directory.

       USER   The bare recipient name.

       EXTENSION
              The optional recipient address extension.

       DOMAIN The recipient address domain part.

       LOGNAME
              The bare recipient name.

       LOCAL  The  entire  recipient  address  localpart  (text  to  the  left of the rightmost @
              character).

       ORIGINAL_RECIPIENT
              The entire recipient address, before any address rewriting or aliasing (Postfix 2.5
              and later).

       RECIPIENT
              The entire recipient address.

       SENDER The entire sender address.

       Additional  remote  client  information  is  made  available via the following environment
       variables:

       CLIENT_ADDRESS
              Remote client network address. Available as of Postfix 2.2.

       CLIENT_HELO
              Remote client EHLO command parameter. Available as of Postfix 2.2.

       CLIENT_HOSTNAME
              Remote client hostname. Available as of Postfix 2.2.

       CLIENT_PROTOCOL
              Remote client protocol. Available as of Postfix 2.2.

       SASL_METHOD
              SASL authentication method specified in the remote client AUTH  command.  Available
              as of Postfix 2.2.

       SASL_SENDER
              SASL  sender address specified in the remote client MAIL FROM command. Available as
              of Postfix 2.2.

       SASL_USERNAME
              SASL username specified in the remote client AUTH command.  Available as of Postfix
              2.2.

       The  PATH  environment  variable  is  always reset to a system-dependent default path, and
       environment variables whose names are  blessed  by  the  export_environment  configuration
       parameter are exported unchanged.

       The current working directory is the mail queue directory.

       The  local(8)  daemon prepends a "From sender time_stamp" envelope header to each message,
       prepends an X-Original-To: header with the recipient address as given to Postfix, prepends
       an  optional  Delivered-To:  header  with the final recipient envelope address, prepends a
       Return-Path: header with the sender envelope address, and appends no empty line.

EXTERNAL FILE DELIVERY

       The delivery format depends on the destination filename syntax.  The  default  is  to  use
       UNIX-style  mailbox  format.   Specify  a  name  ending  in / for qmail-compatible maildir
       delivery.

       The allow_mail_to_files configuration parameter restricts delivery to external files.  The
       default setting (alias, forward) forbids file destinations in :include: files.

       In  the  case  of UNIX-style mailbox delivery, the local(8) daemon prepends a "From sender
       time_stamp" envelope header to each message, prepends an X-Original-To:  header  with  the
       recipient  address as given to Postfix, prepends an optional Delivered-To: header with the
       final recipient envelope address, prepends a > character to lines beginning with "From  ",
       and  appends  an empty line.  The envelope sender address is available in the Return-Path:
       header.  When the destination is a regular file, it is locked for exclusive  access  while
       delivery  is  in  progress.  In case of problems, an attempt is made to truncate a regular
       file to its original length.

       In the case of maildir delivery, the  local  daemon  prepends  an  optional  Delivered-To:
       header  with  the  final envelope recipient address, and prepends an X-Original-To: header
       with the recipient address as given to Postfix.  The envelope sender address is  available
       in the Return-Path: header.

ADDRESS EXTENSION

       The optional recipient_delimiter configuration parameter specifies how to separate address
       extensions from local recipient names.

       For example, with "recipient_delimiter = +", mail for name+foo is delivered to  the  alias
       name+foo  or  to  the  alias  name, to the destinations listed in ~name/.forward+foo or in
       ~name/.forward,  to  the  mailbox  owned  by  the  user  name,  or  it  is  sent  back  as
       undeliverable.

DELIVERY RIGHTS

       Deliveries  to  external  files  and  external  commands  are  made with the rights of the
       receiving user on whose behalf the delivery is made.  In the absence of  a  user  context,
       the  local(8)  daemon uses the owner rights of the :include: file or alias database.  When
       those files are owned by the superuser, delivery is made with the  rights  specified  with
       the default_privs configuration parameter.

STANDARDS

       RFC 822 (ARPA Internet Text Messages)
       RFC 3463 (Enhanced status codes)

DIAGNOSTICS

       Problems  and  transactions  are  logged  to syslogd(8) or postlogd(8).  Corrupted message
       files are marked so that the queue manager can move them to the corrupt queue afterwards.

       Depending on the setting of the notify_classes parameter, the postmaster  is  notified  of
       bounces and of other trouble.

SECURITY

       The  local(8)  delivery  agent  needs  a dual personality 1) to access the private Postfix
       queue  and  IPC  mechanisms,  2)   to   impersonate   the   recipient   and   deliver   to
       recipient-specified files or commands. It is therefore security sensitive.

       The  local(8)  delivery  agent  disallows  regular  expression  substitution of $1 etc. in
       alias_maps, because that would open a security hole.

       The local(8) delivery agent will silently ignore requests to use  the  proxymap(8)  server
       within  alias_maps.  Instead it will open the table directly.  Before Postfix version 2.2,
       the local(8) delivery agent will terminate with a fatal error.

BUGS

       For security reasons, the message delivery status of  external  commands  or  of  external
       files  is  never  checkpointed  to file. As a result, the program may occasionally deliver
       more than once to a command or external file. Better safe than sorry.

       Mutually-recursive aliases or ~/.forward files are not detected early.  The resulting mail
       forwarding loop is broken by the use of the Delivered-To: message header.

CONFIGURATION PARAMETERS

       Changes  to  main.cf  are  picked  up  automatically, as local(8) processes run for only a
       limited amount of time. Use the command "postfix reload" to speed up a change.

       The text below provides only  a  parameter  summary.  See  postconf(5)  for  more  details
       including examples.

COMPATIBILITY CONTROLS

       biff (yes)
              Whether or not to use the local biff service.

       expand_owner_alias (no)
              When  delivering  to  an  alias "aliasname" that has an "owner-aliasname" companion
              alias, set the envelope sender address to the expansion  of  the  "owner-aliasname"
              alias.

       owner_request_special (yes)
              Enable  special  treatment  for  owner-listname entries in the aliases(5) file, and
              don't  split  owner-listname  and  listname-request  address  localparts  when  the
              recipient_delimiter is set to "-".

       sun_mailtool_compatibility (no)
              Obsolete SUN mailtool compatibility feature.

       Available in Postfix version 2.3 and later:

       frozen_delivered_to (yes)
              Update  the  local(8)  delivery  agent's  idea  of  the  Delivered-To: address (see
              prepend_delivered_header) only once, at the start of a  delivery  attempt;  do  not
              update the Delivered-To: address while expanding aliases or .forward files.

       Available in Postfix version 2.5.3 and later:

       strict_mailbox_ownership (yes)
              Defer delivery when a mailbox file is not owned by its recipient.

       reset_owner_alias (no)
              Reset  the  local(8)  delivery  agent's  idea  of  the  owner-alias attribute, when
              delivering mail to a child alias that does not have its own owner alias.

       Available in Postfix version 3.0 and later:

       local_delivery_status_filter ($default_delivery_status_filter)
              Optional filter for the local(8) delivery  agent  to  change  the  status  code  or
              explanatory text of successful or unsuccessful deliveries.

DELIVERY METHOD CONTROLS

       The  precedence of local(8) delivery methods from high to low is: aliases, .forward files,
       mailbox_transport_maps,    mailbox_transport,    mailbox_command_maps,    mailbox_command,
       home_mailbox,   mail_spool_directory,   fallback_transport_maps,  fallback_transport,  and
       luser_relay.

       alias_maps (see 'postconf -d' output)
              The alias databases that are used for local(8) delivery.

       forward_path (see 'postconf -d' output)
              The  local(8)  delivery  agent  search  list  for  finding  a  .forward  file  with
              user-specified delivery methods.

       mailbox_transport_maps (empty)
              Optional  lookup  tables  with per-recipient message delivery transports to use for
              local(8) mailbox delivery, whether or not the recipients  are  found  in  the  UNIX
              passwd database.

       mailbox_transport (empty)
              Optional message delivery transport that the local(8) delivery agent should use for
              mailbox delivery to all local recipients, whether or not they are found in the UNIX
              passwd database.

       mailbox_command_maps (empty)
              Optional  lookup  tables  with  per-recipient external commands to use for local(8)
              mailbox delivery.

       mailbox_command (empty)
              Optional external command that the local(8) delivery agent should use  for  mailbox
              delivery.

       home_mailbox (empty)
              Optional pathname of a mailbox file relative to a local(8) user's home directory.

       mail_spool_directory (see 'postconf -d' output)
              The directory where local(8) UNIX-style mailboxes are kept.

       fallback_transport_maps (empty)
              Optional   lookup   tables  with  per-recipient  message  delivery  transports  for
              recipients that the local(8) delivery agent could not find  in  the  aliases(5)  or
              UNIX password database.

       fallback_transport (empty)
              Optional message delivery transport that the local(8) delivery agent should use for
              names that are not found in the aliases(5) or UNIX password database.

       luser_relay (empty)
              Optional catch-all destination for unknown local(8) recipients.

       Available in Postfix version 2.2 and later:

       command_execution_directory (empty)
              The local(8) delivery agent working directory for delivery to external commands.

MAILBOX LOCKING CONTROLS

       deliver_lock_attempts (20)
              The maximal number of attempts to acquire an exclusive lock on a  mailbox  file  or
              bounce(8) logfile.

       deliver_lock_delay (1s)
              The  time  between  attempts  to  acquire  an  exclusive  lock on a mailbox file or
              bounce(8) logfile.

       stale_lock_time (500s)
              The time after which a stale exclusive mailbox lockfile is removed.

       mailbox_delivery_lock (see 'postconf -d' output)
              How to lock a UNIX-style local(8) mailbox before attempting delivery.

RESOURCE AND RATE CONTROLS

       command_time_limit (1000s)
              Time limit for delivery to external commands.

       duplicate_filter_limit (1000)
              The maximal number of addresses remembered by  the  address  duplicate  filter  for
              aliases(5) or virtual(5) alias expansion, or for showq(8) queue displays.

       mailbox_size_limit (51200000)
              The  maximal  size  of any local(8) individual mailbox or maildir file, or zero (no
              limit).

       Implemented in the qmgr(8) daemon:

       local_destination_concurrency_limit (2)
              The maximal number of parallel deliveries via the local mail delivery transport  to
              the  same  recipient  (when "local_destination_recipient_limit = 1") or the maximal
              number   of   parallel   deliveries   to    the    same    local    domain    (when
              "local_destination_recipient_limit > 1").

       local_destination_recipient_limit (1)
              The  maximal  number of recipients per message delivery via the local mail delivery
              transport.

SECURITY CONTROLS

       allow_mail_to_commands (alias, forward)
              Restrict local(8) mail delivery to external commands.

       allow_mail_to_files (alias, forward)
              Restrict local(8) mail delivery to external files.

       command_expansion_filter (see 'postconf -d' output)
              Restrict the characters that the local(8) delivery agent allows in $name expansions
              of $mailbox_command and $command_execution_directory.

       default_privs (nobody)
              The  default rights used by the local(8) delivery agent for delivery to an external
              file or command.

       forward_expansion_filter (see 'postconf -d' output)
              Restrict the characters that the local(8) delivery agent allows in $name expansions
              of $forward_path.

       Available in Postfix version 2.2 and later:

       execution_directory_expansion_filter (see 'postconf -d' output)
              Restrict the characters that the local(8) delivery agent allows in $name expansions
              of $command_execution_directory.

       Available in Postfix version 2.5.3 and later:

       strict_mailbox_ownership (yes)
              Defer delivery when a mailbox file is not owned by its recipient.

MISCELLANEOUS CONTROLS

       config_directory (see 'postconf -d' output)
              The default location of the Postfix main.cf and master.cf configuration files.

       daemon_timeout (18000s)
              How much time a Postfix daemon process may take to handle a request  before  it  is
              terminated by a built-in watchdog timer.

       delay_logging_resolution_limit (2)
              The  maximal number of digits after the decimal point when logging sub-second delay
              values.

       export_environment (see 'postconf -d' output)
              The list of environment variables that a Postfix process will export to non-Postfix
              processes.

       ipc_timeout (3600s)
              The  time limit for sending or receiving information over an internal communication
              channel.

       local_command_shell (empty)
              Optional shell program for local(8) delivery to non-Postfix commands.

       max_idle (100s)
              The maximum amount of time that  an  idle  Postfix  daemon  process  waits  for  an
              incoming connection before terminating voluntarily.

       max_use (100)
              The  maximal  number  of  incoming  connections  that a Postfix daemon process will
              service before terminating voluntarily.

       prepend_delivered_header (command, file, forward)
              The message delivery contexts where the Postfix local(8) delivery agent prepends  a
              Delivered-To:  message header with the address that the mail was delivered to.

       process_id (read-only)
              The process ID of a Postfix command or daemon process.

       process_name (read-only)
              The process name of a Postfix command or daemon process.

       propagate_unmatched_extensions (canonical, virtual)
              What  address  lookup  tables  copy an address extension from the lookup key to the
              lookup result.

       queue_directory (see 'postconf -d' output)
              The location of the Postfix top-level queue directory.

       recipient_delimiter (empty)
              The set of characters that can separate an email address localpart, user name, or a
              .forward file name from its extension.

       require_home_directory (no)
              Require  that  a local(8) recipient's home directory exists before mail delivery is
              attempted.

       syslog_facility (mail)
              The syslog facility of Postfix logging.

       syslog_name (see 'postconf -d' output)
              A prefix that is prepended to the process name in  syslog  records,  so  that,  for
              example, "smtpd" becomes "prefix/smtpd".

       Available in Postfix version 3.3 and later:

       enable_original_recipient (yes)
              Enable  support for the original recipient address after an address is rewritten to
              a different address (for example with aliasing or with canonical mapping).

       service_name (read-only)
              The master.cf service name of a Postfix daemon process.

       Available in Postfix 3.5 and later:

       info_log_address_format (external)
              The email address form that will be  used  in  non-debug  logging  (info,  warning,
              etc.).

FILES

       The following are examples; details differ between systems.
       $HOME/.forward, per-user aliasing
       /etc/aliases, system-wide alias database
       /var/spool/mail, system mailboxes

SEE ALSO

       qmgr(8), queue manager
       bounce(8), delivery status reports
       newaliases(1), create/update alias database
       postalias(1), create/update alias database
       aliases(5), format of alias database
       postconf(5), configuration parameters
       master(5), generic daemon options
       postlogd(8), Postfix logging
       syslogd(8), system logging

LICENSE

       The Secure Mailer license must be distributed with this software.

HISTORY

       The Delivered-To: message header appears in the qmail system by Daniel Bernstein.

       The maildir structure appears in the qmail system by Daniel Bernstein.

AUTHOR(S)

       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

       Wietse Venema
       Google, Inc.
       111 8th Avenue
       New York, NY 10011, USA

                                                                                  LOCAL(8postfix)