instead of a message buffer and length. This is in preparation
for unix-dgram support in a spawn(8)-like service. Files:
master/dgram_server.c, master/mail_server.h, postlogd/postlogd.c.
+
+20241122
+
+ Documentation: updated the LOCAL_RECIPIENT_README text, and
+ pointed there from the local_recipient_maps description in
+ postconf(5). Files: proto/LOCAL_RECIPIENT_README.html,
+ proto/postconf.proto.
+
+20241127
+
+ Documentation: default_delivery_status_filter text. File:
+ proto/postconf.proto.
+
+ Documentation: support to convert superscripts in postconf.proto
+ manpage text from HTML to *roff. The result is a compromise:
+ vertical motion (\v'expr') works with groff, but not with
+ the newer mandoc and with the older UNIX nroff. So we use
+ ^ instead. Files: mantools/fixman, mantools/postconf2man,
+ proto/postconf.proto.
+
+20241129
+
+ Bugfix (introduced: on or before 19891104): the manpage
+ extractor mis-formatted titles with multiple names. File:
+ mantools/srctoman.
+
+20241130
+
+ Bugfix (defect introduced: 19991230): the spawn daemon
+ failed to enforce the command time limit. It was sending
+ the SIGKILL signal using the wrong effective UID and GID.
+ The pipe daemon has always done this right. File:
+ util/spawn_command.c.
+
+20241201
+
+ Bugfix (defect introduced Postfix 3.0). Missing UTF8
+ autodetection for headers that are automatically generated
+ by Postfix (for example, a From: header with UTF8 full name
+ information from the password file). Reported by Michael
+ Tokarev. File: src/cleanup/cleanup_message.c.
+
+20241202
+
+ Cleanup: don't leak parent directory information into
+ documentation checks. File: mantools/dehtml.
+
+ Documentation: reverted a breaking change made 20241122.
+ File: html/Makefile.in.
+
+ Documentation: revised spawn(8) manpage text. This is all
+ that remains of a failed experiment to implement a
+ datagram-based spawn(8) service. It was too difficult to
+ enforce that processes terminate as expected after "postfix
+ reload" etc. File: spawn/spawn.c.
* Configuring local_recipient_maps in main.cf
* When you need to change the local_recipient_maps setting in main.cf
- * Local recipient table format
+ * Local recipient table query format
C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg l\blo\boc\bca\bal\bl_\b_r\bre\bec\bci\bip\bpi\bie\ben\bnt\bt_\b_m\bma\bap\bps\bs i\bin\bn m\bma\bai\bin\bn.\b.c\bcf\bf
matches $mydestination, $inet_interfaces or $proxy_interfaces. If a local
username or address is not listed in $local_recipient_maps, then the Postfix
SMTP server will reject the address with "User unknown in local recipient
-table". Other Postfix interfaces may still accept an "unknown" recipient.
+table". Other interfaces such as the Postfix sendmail(1) command may still
+accept an "unknown" recipient.
The default setting, shown below, assumes that you use the default Postfix
local(8) delivery agent for local delivery, where recipients are either UNIX
-accounts or local aliases:
+accounts (typically, in /etc/passwd) or local aliases (typically, in /etc/
+aliases):
/etc/postfix/main.cf:
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
local_transport = virtual
local_recipient_maps = $virtual_mailbox_maps
- If you use a different delivery agent for $mydestination etc. domains, see
- the section "Local recipient table format" below for a description of how
- the table should be populated.
+ If you don't use the local(8) or virtual(8) delivery agent for
+ $mydestination etc. domains, see the section "Local recipient table format"
+ below for a description of how the table should be populated.
* Problem: you use the mailbox_transport or fallback_transport feature of the
Postfix local(8) delivery agent in order to deliver mail to non-UNIX
- accounts.
+ recipients.
- Solution: you need to add the database that lists the non-UNIX users:
+ Solution: you need to add the database that lists the non-UNIX recipients:
/etc/postfix/main.cf
local_recipient_maps = proxy:unix:passwd.byname, $alias_maps,
- <the database with non-UNIX accounts>
+ <the database with non-UNIX recipients>
See the section "Local recipient table format" below for a description of
how the table should be populated.
agent.
Solution: you must disable the local_recipient_maps feature completely, so
- that Postfix accepts mail for all local addresses:
+ that the Postfix SMTP server accepts mail for all local addresses:
/etc/postfix/main.cf
local_recipient_maps =
-L\bLo\boc\bca\bal\bl r\bre\bec\bci\bip\bpi\bie\ben\bnt\bt t\bta\bab\bbl\ble\be f\bfo\bor\brm\bma\bat\bt
+L\bLo\boc\bca\bal\bl r\bre\bec\bci\bip\bpi\bie\ben\bnt\bt t\bta\bab\bbl\ble\be q\bqu\bue\ber\bry\by f\bfo\bor\brm\bma\bat\bt
-If you use local files in postmap(1) format, then local_recipient_maps expects
-the following table format:
+If local_recipient_maps specifies local files, such as files in postmap(1) or
+postalias(1) format, then the Postfix SMTP server generates the following
+queries:
- * In the left-hand side, specify a bare username, an "@domain.tld" wild-card,
- or specify a complete "user@domain.tld" address.
+ * The full recipient address. This query supports a non-default
+ local_transport setting with a delivery agent such as lmtp(8) or virtual
+ (8). See "Configuring local_recipient_maps in main.cf: for additional
+ guidance for what lookup tables to specify.
- * You have to specify something on the right-hand side of the table, but the
- value is ignored by local_recipient_maps.
+ * The recipient address local-part. This query supports the default
+ local_transport setting with the UNIX-compatible local(8) delivery agent;
+ the Postfix SMTP server makes this query only when the recipient domain
+ matches $mydestination, $inet_interfaces or $proxy_interfaces.
-If you use lookup tables based on NIS, LDAP, MYSQL, or PGSQL, then
-local_recipient_maps does the same queries as for local files in postmap(1)
-format, and expects the same results.
+ * The recipient @domain. This query supports a non-default local_transport
+ setting with a delivery agent such as virtual(8); it is a wildcard for
+ domains that do not have a valid recipient list.
-With regular expression tables, Postfix only queries with the full recipient
-address, and not with the bare username or the "@domain.tld" wild-card.
+NOTES:
-NOTE: a lookup table should always return a result when the address exists, and
-should always return "not found" when the address does not exist. In
-particular, a zero-length result does not count as a "not found" result.
+ * A lookup table should return a non-empty result when the address exists,
+ and should return "not found" when the address does not exist. In
+ particular, a zero-length (empty) result does not count as a "not found"
+ result.
+
+ * When local_recipient_maps specifies a lookup table based on ldap:,
+ memcache:, mongodb:, mysql:, pgsql:, sqlite:, or other external database,
+ then the Postfix SMTP server queries that lookup table with the same
+ queries as described at the start of this section, and expects the same
+ results.
+
+ * To suppress lookups for the local-part and the @domain wild-card, specify
+ the d\bdo\bom\bma\bai\bin\bn setting in a Postfix ldap:, memcache:, mongodb:, mysql:, pgsql:,
+ sqlite:, etc., database client configuration file.
+
+ * When local_recipient_maps specifies a lookup table based on pcre:, regexp:,
+ socketmap: or tcp:, Postfix queries that table only with the full recipient
+ address, and not with the local-part or the @domain wild-card.
Things to do before the stable release:
+ Make the spawn_command fix conditional on compatibility_level.
+
make pre-release-check, HTML validator check.
Disable -DSNAPSHOT and -DNONPROD in makedefs.
relay_recipient_maps empty should default to 'no valid
recipients'. Subject to compatibility level.
+ In mantools/postlink, allow newline etc. in "<a href".
+
Add an option for a TLSRPT built-in JSON generator. This
would simplify TLSRPT adoption by eliminating a build-time
and run-time dependency on the libtlsrpt client library.
<li><a href="#change">When you need to change the local_recipient_maps
setting in main.cf</a>
-<li><a href="#format">Local recipient table format </a>
+<li><a href="#format">Local recipient table query format </a>
</ul>
$<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>. If a local username or address is not listed in
$<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>, then the Postfix SMTP server will reject
the address with "User unknown in local recipient table". Other
-Postfix interfaces may still accept an "unknown" recipient. </p>
+interfaces such as the Postfix <a href="sendmail.1.html">sendmail(1)</a> command may still accept
+an "unknown" recipient. </p>
<p> The default setting, shown below, assumes that you use the
default Postfix <a href="local.8.html">local(8)</a> delivery agent for local delivery, where
-recipients are either UNIX accounts or local aliases: </p>
+recipients are either UNIX accounts (typically, in /etc/passwd) or
+local aliases (typically, in /etc/aliases): </p>
<blockquote>
<pre>
<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> = $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>
</pre>
- <p> If you use a different delivery agent for $<a href="postconf.5.html#mydestination">mydestination</a>
+ <p> If you don't use the <a href="local.8.html">local(8)</a> or <a href="virtual.8.html">virtual(8)</a> delivery agent
+ for $<a href="postconf.5.html#mydestination">mydestination</a>
etc. domains, see the section "<a href="#format">Local recipient
table format</a>" below for a description of how the table
should be populated. </p>
<li> <p> Problem: you use the <a href="postconf.5.html#mailbox_transport">mailbox_transport</a> or <a href="postconf.5.html#fallback_transport">fallback_transport</a>
feature of the Postfix <a href="local.8.html">local(8)</a> delivery agent in order to
- deliver mail to non-UNIX accounts. </p>
+ deliver mail to non-UNIX recipients. </p>
<p> Solution: you need to add the database that lists the
- non-UNIX users: </p>
+ non-UNIX recipients: </p>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>
<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> = <a href="proxymap.8.html">proxy</a>:unix:passwd.byname, $<a href="postconf.5.html#alias_maps">alias_maps</a>,
- <the database with non-UNIX accounts>
+ <the database with non-UNIX recipients>
</pre>
<p> See the section "<a href="#format">Local recipient table
local delivery agent. </p>
<p> Solution: you must disable the <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> feature
- completely, so that Postfix accepts mail for all local addresses:
- </p>
+ completely, so that the Postfix SMTP server accepts mail for
+ all local addresses: </p>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>
</ul>
-<h2><a name="format">Local recipient table format</a> </h2>
+<h2><a name="format">Local recipient table query format</a> </h2>
-<p> If you use local files in <a href="postmap.1.html">postmap(1)</a> format, then
-<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> expects the following table format: </p>
+<p> If <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> specifies local files, such as files in
+<a href="postmap.1.html">postmap(1)</a> or <a href="postalias.1.html">postalias(1)</a> format, then the Postfix SMTP server
+generates the following queries: </p>
<ul>
-<li> <p> In the left-hand side, specify a bare username, an
-"@domain.tld" wild-card, or specify a complete "user@domain.tld"
-address. </p>
+<li> <p> The full recipient address. This query supports a non-default
+<a href="postconf.5.html#local_transport">local_transport</a> setting with a delivery agent such as <a href="lmtp.8.html">lmtp(8)</a> or
+virtual(8). See "<a href="#main_config">Configuring local_recipient_maps
+in main.cf</a>: for additional guidance for what lookup tables to
+specify. </p>
-<li> <p> You have to specify something on the right-hand side of
-the table, but the value is ignored by <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>.
+<li> <p> The recipient address local-part. This query supports the
+default <a href="postconf.5.html#local_transport">local_transport</a> setting with the UNIX-compatible <a href="local.8.html">local(8)</a>
+delivery agent; the Postfix SMTP server makes this query only when
+the recipient domain matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or
+$<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>. </p>
+
+<li> <p> The recipient @domain. This query supports a non-default
+<a href="postconf.5.html#local_transport">local_transport</a> setting with a delivery agent such as <a href="virtual.8.html">virtual(8)</a>;
+it is a wildcard for domains that do not have a valid recipient
+list. </p>
</ul>
-<p> If you use lookup tables based on NIS, LDAP, MYSQL, or PGSQL,
-then <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> does the same queries as for local files
-in <a href="postmap.1.html">postmap(1)</a> format, and expects the same results. </p>
+<p> NOTES: </p>
+
+<ul>
+
+<li> <p> A lookup table should return a non-empty result when the
+address exists, and should return "not found" when the address does
+not exist. In particular, a zero-length (empty) result does not
+count as a "not found" result. </p>
-<p> With regular expression tables, Postfix only queries with the
-full recipient address, and not with the bare username or the
-"@domain.tld" wild-card. </p>
+<li> <p> When <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> specifies a lookup table based
+on <a href="ldap_table.5.html">ldap</a>:, <a href="memcache_table.5.html">memcache</a>:, <a href="mongodb_table.5.html">mongodb</a>:, <a href="mysql_table.5.html">mysql</a>:, <a href="pgsql_table.5.html">pgsql</a>:, <a href="sqlite_table.5.html">sqlite</a>:, or other
+external database, then the Postfix SMTP server queries that lookup
+table with the same queries as described at the start of this
+section, and expects the same results. </p>
-<p> NOTE: a lookup table should always return a result when the address
-exists, and should always return "not found" when the address does
-not exist. In particular, a zero-length result does not count as
-a "not found" result. </p>
+<li> <p> To suppress lookups for the <i>local-part</i> and the
+<i>@domain</i> wild-card, specify the <b>domain</b> setting in a
+Postfix <a href="ldap_table.5.html">ldap</a>:, <a href="memcache_table.5.html">memcache</a>:, <a href="mongodb_table.5.html">mongodb</a>:, <a href="mysql_table.5.html">mysql</a>:, <a href="pgsql_table.5.html">pgsql</a>:, <a href="sqlite_table.5.html">sqlite</a>:, etc.,
+database client configuration file. </p>
+
+<li> <p> When <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> specifies a lookup table based
+on <a href="pcre_table.5.html">pcre</a>:, <a href="regexp_table.5.html">regexp</a>:, <a href="socketmap_table.html">socketmap</a>: or <a href="tcp_table.5.html">tcp</a>:, Postfix queries that table
+only with the full recipient address, and not with the <i>local-part</i>
+or the <i>@domain</i> wild-card. </p>
+
+</ul>
</body>
clobber:
rm -f $(DAEMONS) $(COMMANDS) $(CONFIG)
-$(DAEMONS) $(COMMANDS) $(CONFIG): ../mantools/man2html
+# The following would add man2html to $? in rules for individual files.
+#$(DAEMONS) $(COMMANDS) $(CONFIG): ../mantools/man2html
index.html: ../proto/index.html
cp $? $@
<link rel='stylesheet' type='text/css' href='postfix-doc.css'>
<title> Postfix manual - smtp(8) </title>
</head> <body> <pre>
-SMTP,(LMTP) SMTP,(LMTP)
+SMTP(8) SMTP(8)
<b><a name="name">NAME</a></b>
smtp, lmtp - Postfix SMTP+LMTP client
<b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
The maximal number of digits after the decimal point when log-
- ging sub-second delay values.
+ ging delay values.
<b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
Disable DNS lookups in the Postfix SMTP and LMTP clients.
Victor Duchovni
Morgan Stanley
- 8 SMTP,(LMTP)
+ SMTP(8)
</pre> </body> </html>
<DT><b><a name="default_delivery_status_filter">default_delivery_status_filter</a>
(default: empty)</b></DT><DD>
-<p> Optional filter to replace the delivery status code or explanatory
-text of successful or unsuccessful deliveries. This does not allow
+<p> Optional filter in Postfix delivery agents, to replace the
+delivery status code or explanatory text of successful or unsuccessful
+deliveries. This allows the replacement of a temporary error status
+code (4.X.X) with a permanent error status code (5.X.X) or vice
+versa, but does not allow
the replacement of a successful status code (2.X.X) with an
-unsuccessful status code (4.X.X or 5.X.X) or vice versa. </p>
+unsuccessful status code (4.X.X or 5.X.X) or vice versa. </p>
<p> Note: the (smtp|lmtp)_delivery_status_filter is applied only
once per recipient: when delivery is successful, when delivery is
(default: 2)</b></DT><DD>
<p> The maximal number of digits after the decimal point when logging
-sub-second delay values. Specify a number in the range 0..6. </p>
+delay values. Specify a number in the range 0..6. </p>
+
+<p> To improve readability, delays are logged with only a limited
+number of significant digits: </p>
<ul>
-<li> <p> Delays ≥ 100s are rounded off to an integral number of
-seconds. </p>
+<li> Delays ≥ 100s are rounded off to an integral number of
+seconds.
-<li> <p> Delays < 10^-$<a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> are
-rounded off to "0". </p>
+<li> Delays < 10<sup>-$<a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a></sup> are
+rounded off to "0".
-<li> <p> Other delays are rounded off to two significant digits,
-or fewer if the result would exceed the delay_resolution_limit. </p>
+<li> Other delays are rounded off to two significant digits, or
+fewer if the result would exceed the <a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a>.
</ul>
<DT><b><a name="local_recipient_maps">local_recipient_maps</a>
(default: <a href="proxymap.8.html">proxy</a>:unix:passwd.byname $<a href="postconf.5.html#alias_maps">alias_maps</a>)</b></DT><DD>
-<p> Lookup tables with all names or addresses of local recipients:
-a recipient address is local when its domain matches $<a href="postconf.5.html#mydestination">mydestination</a>,
-$<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>. Specify @domain as a
-wild-card for domains that do not have a valid recipient list.
+<p> Lookup tables with all names or addresses of valid local
+recipients. A recipient address is local when its domain matches
+$<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>. </p>
+
+<p> If the <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> parameter value is non-empty (the
+default), then the Postfix SMTP server queries <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>
+as specified in "<a href="LOCAL_RECIPIENT_README.html#format">Local
+recipient table query format</a>", and rejects mail for unknown
+local recipients. Other Postfix interfaces such as the Postfix
+<a href="sendmail.1.html">sendmail(1)</a> command may still accept an "unknown" recipient. </p>
+
+<p> The default <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> setting assumes that <a href="postconf.5.html#local_transport">local_transport</a>
+specifies the UNIX-compatible <a href="local.8.html">local(8)</a> delivery agent which queries
+the UNIX passwd database (typically, /etc.passwd) and the local
+aliases database (typically, /etc/aliases). The <a href="proxymap.8.html">proxy</a>: agent allows
+the Postfix SMTP server to access the UNIX passwd database from
+outside a chroot jail. </p>
+
+<p> For other local mail delivery configurations, see "<a href="LOCAL_RECIPIENT_README.html#change">When you need to
+change the local_recipient_maps setting in main.cf</a>". </p>
+
+<p>
Technically, tables listed with $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> are used as
-lists: Postfix needs to know only if a lookup string is found or
-not, but it does not use the result from table lookup. </p>
+lists: The Postfix SMTP server needs to know only if a lookup string
+is found or not, but it does not use the result from table lookup. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
until a match is found.
</p>
-<p>
-If this parameter is non-empty (the default), then the Postfix SMTP
-server will reject mail for unknown local users. Other Postfix
-interfaces may still accept an "unknown" recipient. </p>
-
<p>
To turn off local recipient checking in the Postfix SMTP server,
specify "<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> =" (i.e. empty).
</p>
-<p>
-The default setting assumes that you use the default Postfix local
-delivery agent for local delivery. You need to update the
-<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> setting if:
-</p>
-
-<ul>
-
-<li>You redefine the local delivery agent in <a href="master.5.html">master.cf</a>.
-
-<li>You redefine the "<a href="postconf.5.html#local_transport">local_transport</a>" setting in <a href="postconf.5.html">main.cf</a>.
-
-<li>You use the "<a href="postconf.5.html#luser_relay">luser_relay</a>", "<a href="postconf.5.html#mailbox_transport">mailbox_transport</a>", or "<a href="postconf.5.html#fallback_transport">fallback_transport</a>"
-feature of the Postfix <a href="local.8.html">local(8)</a> delivery agent.
-
-</ul>
-
-<p>
-Details are described in the <a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a> file.
-</p>
-
-<p>
-Beware: if the Postfix SMTP server runs chrooted, you need to access
-the passwd file via the <a href="proxymap.8.html">proxymap(8)</a> service, in order to overcome
-chroot access restrictions. The alternative, maintaining a copy of
-the system password file in the chroot jail is not practical.
-</p>
-
<p>
Examples:
</p>
<link rel='stylesheet' type='text/css' href='postfix-doc.css'>
<title> Postfix manual - smtp(8) </title>
</head> <body> <pre>
-SMTP,(LMTP) SMTP,(LMTP)
+SMTP(8) SMTP(8)
<b><a name="name">NAME</a></b>
smtp, lmtp - Postfix SMTP+LMTP client
<b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
The maximal number of digits after the decimal point when log-
- ging sub-second delay values.
+ ging delay values.
<b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
Disable DNS lookups in the Postfix SMTP and LMTP clients.
Victor Duchovni
Morgan Stanley
- 8 SMTP,(LMTP)
+ SMTP(8)
</pre> </body> </html>
<b>spawn</b> [generic Postfix daemon options] command_attributes...
<b><a name="description">DESCRIPTION</a></b>
- The <a href="spawn.8.html"><b>spawn</b>(8)</a> daemon provides the Postfix equivalent of <b>inetd</b>. It lis-
- tens on a port as specified in the Postfix <a href="master.5.html"><b>master.cf</b></a> file and spawns an
- external command whenever a connection is established. The connection
- can be made over local IPC (such as UNIX-domain sockets) or over
- non-local IPC (such as TCP sockets). The command's standard input,
- output and error streams are connected directly to the communication
- endpoint.
+ The <a href="spawn.8.html"><b>spawn</b>(8)</a> daemon monitors a TCP or UNIX-domain stream socket, con-
+ figured in <a href="master.5.html"><b>master.cf</b></a> with a service type <b>inet</b> or <b>unix</b>.
- This daemon expects to be run from the <a href="master.8.html"><b>master</b>(8)</a> process manager.
+ This daemon spawns an external command whenever a connection is estab-
+ lished, with the standard input, output and error file descriptors con-
+ nected to the remote client.
+
+ The command process is subject to the time limit specified with the
+ parameter <a href="postconf.5.html#transport_time_limit"><i>transport</i>_time_limit</a> (default: <a href="postconf.5.html#command_time_limit">command_time_limit</a>) where
+ <i>transport</i> equals the service name field in <a href="master.5.html">master.cf</a>. A process that
+ exceeds the time limit will receive a SIGKILL signal.
+
+ The <a href="spawn.8.html"><b>spawn</b>(8)</a> daemon service typically has a process limit > 1 in its
+ <a href="master.5.html"><b>master.cf</b></a> service definition, so that the number of processes can scale
+ with demand.
<b><a name="command_attribute_syntax">COMMAND ATTRIBUTE SYNTAX</a></b>
The external command attributes are given in the <a href="master.5.html"><b>master.cf</b></a> file at the
out interpretation of shell meta characters by a shell command
interpreter.
-<b><a name="bugs">BUGS</a></b>
- In order to enforce standard Postfix process resource controls, each
- <a href="spawn.8.html"><b>spawn</b>(8)</a> daemon process runs only one external command, and blocks
- until the command terminates or a time limit is reached. As such, it
- presents a noticeable overhead by wasting precious process resources.
- The <a href="spawn.8.html"><b>spawn</b>(8)</a> daemon is expected to be replaced by a more structural
- solution.
+ If a command argument must contain whitespace, or if a command
+ argument must begin with "{", enclose the argument with "{" and
+ "}". This form will ignore whitespace after the outer "{" and
+ before the outer "}". Example:
+
+ argv=/bin/sh -c { shell syntax here }
<b><a name="diagnostics">DIAGNOSTICS</a></b>
The <a href="spawn.8.html"><b>spawn</b>(8)</a> daemon reports abnormal child exits. Problems are logged
to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
<b><a name="security">SECURITY</a></b>
- This program needs root privilege in order to execute external commands
- as the specified user. It is therefore security sensitive. However the
- <a href="spawn.8.html"><b>spawn</b>(8)</a> daemon does not talk to the external command and thus is not
- vulnerable to data-driven attacks.
+ The <a href="spawn.8.html"><b>spawn</b>(8)</a> daemon needs root privilege in order to execute external
+ commands as the specified user. It is therefore security sensitive.
+
+ However, the <a href="spawn.8.html"><b>spawn</b>(8)</a> daemon does not receive data from or about ser-
+ vice clients or external commands, and thus is not vulnerable to
+ data-driven attacks.
<b><a name="configuration_parameters">CONFIGURATION PARAMETERS</a></b>
Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically as <a href="spawn.8.html"><b>spawn</b>(8)</a> processes
transport\-specific override, where \fItransport\fR is the master.cf
name of the message delivery transport.
.SH default_delivery_status_filter (default: empty)
-Optional filter to replace the delivery status code or explanatory
-text of successful or unsuccessful deliveries. This does not allow
+Optional filter in Postfix delivery agents, to replace the
+delivery status code or explanatory text of successful or unsuccessful
+deliveries. This allows the replacement of a temporary error status
+code (4.X.X) with a permanent error status code (5.X.X) or vice
+versa, but does not allow
the replacement of a successful status code (2.X.X) with an
unsuccessful status code (4.X.X or 5.X.X) or vice versa.
.PP
.ad
.SH delay_logging_resolution_limit (default: 2)
The maximal number of digits after the decimal point when logging
-sub\-second delay values. Specify a number in the range 0..6.
+delay values. Specify a number in the range 0..6.
+.PP
+To improve readability, delays are logged with only a limited
+number of significant digits:
.IP \(bu
Delays >= 100s are rounded off to an integral number of
seconds.
Delays < 10^\-$delay_logging_resolution_limit are
rounded off to "0".
.IP \(bu
-Other delays are rounded off to two significant digits,
-or fewer if the result would exceed the delay_resolution_limit.
+Other delays are rounded off to two significant digits, or
+fewer if the result would exceed the delay_logging_resolution_limit.
.br
.PP
The format of the "delays=a/b/c/d" logging is as follows:
.PP
This feature is available in Postfix 3.6 and later.
.SH local_recipient_maps (default: proxy:unix:passwd.byname $alias_maps)
-Lookup tables with all names or addresses of local recipients:
-a recipient address is local when its domain matches $mydestination,
-$inet_interfaces or $proxy_interfaces. Specify @domain as a
-wild\-card for domains that do not have a valid recipient list.
+Lookup tables with all names or addresses of valid local
+recipients. A recipient address is local when its domain matches
+$mydestination, $inet_interfaces or $proxy_interfaces.
+.PP
+If the local_recipient_maps parameter value is non\-empty (the
+default), then the Postfix SMTP server queries local_recipient_maps
+as specified in "Local
+recipient table query format", and rejects mail for unknown
+local recipients. Other Postfix interfaces such as the Postfix
+\fBsendmail\fR(1) command may still accept an "unknown" recipient.
+.PP
+The default local_recipient_maps setting assumes that local_transport
+specifies the UNIX\-compatible \fBlocal\fR(8) delivery agent which queries
+the UNIX passwd database (typically, /etc.passwd) and the local
+aliases database (typically, /etc/aliases). The proxy: agent allows
+the Postfix SMTP server to access the UNIX passwd database from
+outside a chroot jail.
+.PP
+For other local mail delivery configurations, see "When you need to
+change the local_recipient_maps setting in main.cf".
+.PP
Technically, tables listed with $local_recipient_maps are used as
-lists: Postfix needs to know only if a lookup string is found or
-not, but it does not use the result from table lookup.
+lists: The Postfix SMTP server needs to know only if a lookup string
+is found or not, but it does not use the result from table lookup.
.PP
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found.
.PP
-If this parameter is non\-empty (the default), then the Postfix SMTP
-server will reject mail for unknown local users. Other Postfix
-interfaces may still accept an "unknown" recipient.
-.PP
To turn off local recipient checking in the Postfix SMTP server,
specify "local_recipient_maps =" (i.e. empty).
.PP
-The default setting assumes that you use the default Postfix local
-delivery agent for local delivery. You need to update the
-local_recipient_maps setting if:
-.IP \(bu
-You redefine the local delivery agent in master.cf.
-.IP \(bu
-You redefine the "local_transport" setting in main.cf.
-.IP \(bu
-You use the "luser_relay", "mailbox_transport", or "fallback_transport"
-feature of the Postfix \fBlocal\fR(8) delivery agent.
-.br
-.PP
-Details are described in the LOCAL_RECIPIENT_README file.
-.PP
-Beware: if the Postfix SMTP server runs chrooted, you need to access
-the passwd file via the \fBproxymap\fR(8) service, in order to overcome
-chroot access restrictions. The alternative, maintaining a copy of
-the system password file in the chroot jail is not practical.
-.PP
Examples:
.PP
.nf
-.TH SMTP, LMTP 8
+.TH SMTP 8
.ad
.fi
.SH NAME
request before it is terminated by a built\-in watchdog timer.
.IP "\fBdelay_logging_resolution_limit (2)\fR"
The maximal number of digits after the decimal point when logging
-sub\-second delay values.
+delay values.
.IP "\fBdisable_dns_lookups (no)\fR"
Disable DNS lookups in the Postfix SMTP and LMTP clients.
.IP "\fBinet_interfaces (all)\fR"
.SH DESCRIPTION
.ad
.fi
-The \fBspawn\fR(8) daemon provides the Postfix equivalent
-of \fBinetd\fR.
-It listens on a port as specified in the Postfix \fBmaster.cf\fR file
-and spawns an external command whenever a connection is established.
-The connection can be made over local IPC (such as UNIX\-domain
-sockets) or over non\-local IPC (such as TCP sockets).
-The command's standard input, output and error streams are connected
-directly to the communication endpoint.
+The \fBspawn\fR(8) daemon monitors a TCP or UNIX\-domain stream
+socket, configured in \fBmaster.cf\fR with a service type
+\fBinet\fR or \fBunix\fR.
-This daemon expects to be run from the \fBmaster\fR(8) process
-manager.
+This daemon spawns an external command whenever a connection
+is established, with the standard input, output and error file
+descriptors connected to the remote client.
+
+The command process is subject to the time limit specified
+with the parameter \fItransport\fR_time_limit (default:
+command_time_limit) where \fItransport\fR equals the service
+name field in master.cf. A process that exceeds the time limit
+will receive a SIGKILL signal.
+
+The \fBspawn\fR(8) daemon service typically has a process limit >
+1 in its \fBmaster.cf\fR service definition, so that the number
+of processes can scale with demand.
.SH "COMMAND ATTRIBUTE SYNTAX"
.na
.nf
last command attribute.
The command is executed directly, i.e. without interpretation of
shell meta characters by a shell command interpreter.
-.SH BUGS
-.ad
+.sp
+If a command argument must contain whitespace, or if a command
+argument must begin with "{", enclose the argument with "{" and
+"}". This form will ignore whitespace after the outer "{" and
+before the outer "}". Example:
+.sp
.fi
-In order to enforce standard Postfix process resource controls,
-each \fBspawn\fR(8) daemon process runs only one external
-command, and blocks until the command terminates or a time
-limit is reached.
-As such, it presents a noticeable overhead by wasting precious
-process resources. The \fBspawn\fR(8) daemon is expected to be
-replaced by a more structural solution.
+ argv=/bin/sh \-c { shell syntax here }
.SH DIAGNOSTICS
.ad
.fi
.nf
.fi
.ad
-This program needs root privilege in order to execute external
-commands as the specified user. It is therefore security sensitive.
-However the \fBspawn\fR(8) daemon does not talk to the external command
-and thus is not vulnerable to data\-driven attacks.
+The \fBspawn\fR(8) daemon needs root privilege in order to
+execute external commands as the specified user. It is therefore
+security sensitive.
+
+However, the \fBspawn\fR(8) daemon does not receive data from
+or about service clients or external commands, and thus is not
+vulnerable to data\-driven attacks.
.SH "CONFIGURATION PARAMETERS"
.na
.nf
for i
do
case $i in
- /*) lynx -width=256 -dump file://localhost$i;;
- *) lynx -width=256 -dump file://localhost`pwd`/$i;;
+ /*) lynx -width=256 -dump file://$i;;
+ *) lynx -width=256 -dump file://`pwd`/$i;;
esac
-done | grep -v 'file://localhost/'
+done | grep -v 'file:///'
$block =~ s/≥/>=/g;
$block =~ s/</</g;
$block =~ s/>/>/g;
+ $block =~ s/<sup>/^/g;
+ $block =~ s;</sup>;;g;
# Peep-hole optimizer.
$block =~ s/^\s+//g;
$block =~ s/&/\&/g;
$block =~ s/–/-/g;
$block =~ s/—/-/g;
+ $block =~ s/<sup>/^/g;
+ $block =~ s;</sup>;;g;
$block =~ s/\s+\n/\n/g;
$block =~ s/^\n//g;
$block =~ s/\s*<\s*nroffescape\s+([^ >]+)\s*>\s*/\n\1\n/g;
/^NAME[ ]*$/{
N
s/^.*\n'"$B"'[ ]*//
+ s/[ ]*$//
h
+ s/,.*\( [0-9][^ ]*\)$/\1/
y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/
s/^.*$/.TH & '"$SECT"'\
.ad\
<li><a href="#change">When you need to change the local_recipient_maps
setting in main.cf</a>
-<li><a href="#format">Local recipient table format </a>
+<li><a href="#format">Local recipient table query format </a>
</ul>
$proxy_interfaces. If a local username or address is not listed in
$local_recipient_maps, then the Postfix SMTP server will reject
the address with "User unknown in local recipient table". Other
-Postfix interfaces may still accept an "unknown" recipient. </p>
+interfaces such as the Postfix sendmail(1) command may still accept
+an "unknown" recipient. </p>
<p> The default setting, shown below, assumes that you use the
default Postfix local(8) delivery agent for local delivery, where
-recipients are either UNIX accounts or local aliases: </p>
+recipients are either UNIX accounts (typically, in /etc/passwd) or
+local aliases (typically, in /etc/aliases): </p>
<blockquote>
<pre>
local_recipient_maps = $virtual_mailbox_maps
</pre>
- <p> If you use a different delivery agent for $mydestination
+ <p> If you don't use the local(8) or virtual(8) delivery agent
+ for $mydestination
etc. domains, see the section "<a href="#format">Local recipient
table format</a>" below for a description of how the table
should be populated. </p>
<li> <p> Problem: you use the mailbox_transport or fallback_transport
feature of the Postfix local(8) delivery agent in order to
- deliver mail to non-UNIX accounts. </p>
+ deliver mail to non-UNIX recipients. </p>
<p> Solution: you need to add the database that lists the
- non-UNIX users: </p>
+ non-UNIX recipients: </p>
<pre>
/etc/postfix/main.cf
local_recipient_maps = proxy:unix:passwd.byname, $alias_maps,
- <the database with non-UNIX accounts>
+ <the database with non-UNIX recipients>
</pre>
<p> See the section "<a href="#format">Local recipient table
local delivery agent. </p>
<p> Solution: you must disable the local_recipient_maps feature
- completely, so that Postfix accepts mail for all local addresses:
- </p>
+ completely, so that the Postfix SMTP server accepts mail for
+ all local addresses: </p>
<pre>
/etc/postfix/main.cf
</ul>
-<h2><a name="format">Local recipient table format</a> </h2>
+<h2><a name="format">Local recipient table query format</a> </h2>
-<p> If you use local files in postmap(1) format, then
-local_recipient_maps expects the following table format: </p>
+<p> If local_recipient_maps specifies local files, such as files in
+postmap(1) or postalias(1) format, then the Postfix SMTP server
+generates the following queries: </p>
<ul>
-<li> <p> In the left-hand side, specify a bare username, an
-"@domain.tld" wild-card, or specify a complete "user@domain.tld"
-address. </p>
+<li> <p> The full recipient address. This query supports a non-default
+local_transport setting with a delivery agent such as lmtp(8) or
+virtual(8). See "<a href="#main_config">Configuring local_recipient_maps
+in main.cf</a>: for additional guidance for what lookup tables to
+specify. </p>
-<li> <p> You have to specify something on the right-hand side of
-the table, but the value is ignored by local_recipient_maps.
+<li> <p> The recipient address local-part. This query supports the
+default local_transport setting with the UNIX-compatible local(8)
+delivery agent; the Postfix SMTP server makes this query only when
+the recipient domain matches $mydestination, $inet_interfaces or
+$proxy_interfaces. </p>
+
+<li> <p> The recipient @domain. This query supports a non-default
+local_transport setting with a delivery agent such as virtual(8);
+it is a wildcard for domains that do not have a valid recipient
+list. </p>
</ul>
-<p> If you use lookup tables based on NIS, LDAP, MYSQL, or PGSQL,
-then local_recipient_maps does the same queries as for local files
-in postmap(1) format, and expects the same results. </p>
+<p> NOTES: </p>
+
+<ul>
+
+<li> <p> A lookup table should return a non-empty result when the
+address exists, and should return "not found" when the address does
+not exist. In particular, a zero-length (empty) result does not
+count as a "not found" result. </p>
-<p> With regular expression tables, Postfix only queries with the
-full recipient address, and not with the bare username or the
-"@domain.tld" wild-card. </p>
+<li> <p> When local_recipient_maps specifies a lookup table based
+on ldap:, memcache:, mongodb:, mysql:, pgsql:, sqlite:, or other
+external database, then the Postfix SMTP server queries that lookup
+table with the same queries as described at the start of this
+section, and expects the same results. </p>
-<p> NOTE: a lookup table should always return a result when the address
-exists, and should always return "not found" when the address does
-not exist. In particular, a zero-length result does not count as
-a "not found" result. </p>
+<li> <p> To suppress lookups for the <i>local-part</i> and the
+<i>@domain</i> wild-card, specify the <b>domain</b> setting in a
+Postfix ldap:, memcache:, mongodb:, mysql:, pgsql:, sqlite:, etc.,
+database client configuration file. </p>
+
+<li> <p> When local_recipient_maps specifies a lookup table based
+on pcre:, regexp:, socketmap: or tcp:, Postfix queries that table
+only with the full recipient address, and not with the <i>local-part</i>
+or the <i>@domain</i> wild-card. </p>
+
+</ul>
</body>
%PARAM local_recipient_maps proxy:unix:passwd.byname $alias_maps
-<p> Lookup tables with all names or addresses of local recipients:
-a recipient address is local when its domain matches $mydestination,
-$inet_interfaces or $proxy_interfaces. Specify @domain as a
-wild-card for domains that do not have a valid recipient list.
+<p> Lookup tables with all names or addresses of valid local
+recipients. A recipient address is local when its domain matches
+$mydestination, $inet_interfaces or $proxy_interfaces. </p>
+
+<p> If the local_recipient_maps parameter value is non-empty (the
+default), then the Postfix SMTP server queries local_recipient_maps
+as specified in "<a href="LOCAL_RECIPIENT_README.html#format">Local
+recipient table query format</a>", and rejects mail for unknown
+local recipients. Other Postfix interfaces such as the Postfix
+sendmail(1) command may still accept an "unknown" recipient. </p>
+
+<p> The default local_recipient_maps setting assumes that local_transport
+specifies the UNIX-compatible local(8) delivery agent which queries
+the UNIX passwd database (typically, /etc.passwd) and the local
+aliases database (typically, /etc/aliases). The proxy: agent allows
+the Postfix SMTP server to access the UNIX passwd database from
+outside a chroot jail. </p>
+
+<p> For other local mail delivery configurations, see <!-- filler
+--> "<a href="LOCAL_RECIPIENT_README.html#change">When you need to
+change the local_recipient_maps setting in main.cf</a>". </p>
+
+<p>
Technically, tables listed with $local_recipient_maps are used as
-lists: Postfix needs to know only if a lookup string is found or
-not, but it does not use the result from table lookup. </p>
+lists: The Postfix SMTP server needs to know only if a lookup string
+is found or not, but it does not use the result from table lookup. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
until a match is found.
</p>
-<p>
-If this parameter is non-empty (the default), then the Postfix SMTP
-server will reject mail for unknown local users. Other Postfix
-interfaces may still accept an "unknown" recipient. </p>
-
<p>
To turn off local recipient checking in the Postfix SMTP server,
specify "local_recipient_maps =" (i.e. empty).
</p>
-<p>
-The default setting assumes that you use the default Postfix local
-delivery agent for local delivery. You need to update the
-local_recipient_maps setting if:
-</p>
-
-<ul>
-
-<li>You redefine the local delivery agent in master.cf.
-
-<li>You redefine the "local_transport" setting in main.cf.
-
-<li>You use the "luser_relay", "mailbox_transport", or "fallback_transport"
-feature of the Postfix local(8) delivery agent.
-
-</ul>
-
-<p>
-Details are described in the LOCAL_RECIPIENT_README file.
-</p>
-
-<p>
-Beware: if the Postfix SMTP server runs chrooted, you need to access
-the passwd file via the proxymap(8) service, in order to overcome
-chroot access restrictions. The alternative, maintaining a copy of
-the system password file in the chroot jail is not practical.
-</p>
-
<p>
Examples:
</p>
%PARAM delay_logging_resolution_limit 2
<p> The maximal number of digits after the decimal point when logging
-sub-second delay values. Specify a number in the range 0..6. </p>
+delay values. Specify a number in the range 0..6. </p>
+
+<p> To improve readability, delays are logged with only a limited
+number of significant digits: </p>
<ul>
-<li> <p> Delays ≥ 100s are rounded off to an integral number of
-seconds. </p>
+<li> Delays ≥ 100s are rounded off to an integral number of
+seconds.
-<li> <p> Delays < 10^-$delay_logging_resolution_limit are
-rounded off to "0". </p>
+<li> Delays < 10<sup>-$delay_logging_resolution_limit</sup> are
+rounded off to "0".
-<li> <p> Other delays are rounded off to two significant digits,
-or fewer if the result would exceed the delay_resolution_limit. </p>
+<li> Other delays are rounded off to two significant digits, or
+fewer if the result would exceed the delay_logging_resolution_limit.
</ul>
%PARAM default_delivery_status_filter
-<p> Optional filter to replace the delivery status code or explanatory
-text of successful or unsuccessful deliveries. This does not allow
+<p> Optional filter in Postfix delivery agents, to replace the
+delivery status code or explanatory text of successful or unsuccessful
+deliveries. This allows the replacement of a temporary error status
+code (4.X.X) with a permanent error status code (5.X.X) or vice
+versa, but does not allow
the replacement of a successful status code (2.X.X) with an
-unsuccessful status code (4.X.X or 5.X.X) or vice versa. </p>
+unsuccessful status code (4.X.X or 5.X.X) or vice versa. </p>
<p> Note: the (smtp|lmtp)_delivery_status_filter is applied only
once per recipient: when delivery is successful, when delivery is
proto socketmap_table qmqpd qmqpd c tls tls_misc c
a dependency for html html File html Makefile in
master dgram_server c master mail_server h postlogd postlogd c
+ reload etc File spawn spawn c
MEMCACHE
sed
Wayback
+fixman
+mandoc
+v'expr
+roff
+diffs
vstring_sprintf(state->temp1, "%s.%s@%s",
time_stamp, state->queue_id, var_myhostname);
}
- cleanup_out_format(state, REC_TYPE_NORM, "%sMessage-Id: <%s>",
- state->resent, vstring_str(state->temp1));
+ vstring_sprintf(state->temp2, "%sMessage-Id: <%s>",
+ state->resent, vstring_str(state->temp1));
+ cleanup_out_header(state, state->temp2);
msg_info("%s: %smessage-id=<%s>",
state->queue_id, *state->resent ? "resent-" : "",
vstring_str(state->temp1));
if ((state->hdr_rewrite_context || var_always_add_hdrs)
&& (state->headers_seen & (1 << (state->resent[0] ?
HDR_RESENT_DATE : HDR_DATE))) == 0) {
- cleanup_out_format(state, REC_TYPE_NORM, "%sDate: %s",
+ vstring_sprintf(state->temp2, "%sDate: %s",
state->resent, mail_date(state->arrival_time.tv_sec));
+ cleanup_out_header(state, state->temp2);
}
/*
vstring_sprintf(state->temp2, "%sFrom: %s",
state->resent, vstring_str(state->temp1));
}
- CLEANUP_OUT_BUF(state, REC_TYPE_NORM, state->temp2);
+ cleanup_out_header(state, state->temp2);
}
/*
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20241122"
+#define MAIL_RELEASE_DATE "20241202"
#define MAIL_VERSION_NUMBER "3.10"
#ifdef SNAPSHOT
/* request before it is terminated by a built-in watchdog timer.
/* .IP "\fBdelay_logging_resolution_limit (2)\fR"
/* The maximal number of digits after the decimal point when logging
-/* sub-second delay values.
+/* delay values.
/* .IP "\fBdisable_dns_lookups (no)\fR"
/* Disable DNS lookups in the Postfix SMTP and LMTP clients.
/* .IP "\fBinet_interfaces (all)\fR"
/* SYNOPSIS
/* \fBspawn\fR [generic Postfix daemon options] command_attributes...
/* DESCRIPTION
-/* The \fBspawn\fR(8) daemon provides the Postfix equivalent
-/* of \fBinetd\fR.
-/* It listens on a port as specified in the Postfix \fBmaster.cf\fR file
-/* and spawns an external command whenever a connection is established.
-/* The connection can be made over local IPC (such as UNIX-domain
-/* sockets) or over non-local IPC (such as TCP sockets).
-/* The command's standard input, output and error streams are connected
-/* directly to the communication endpoint.
+/* The \fBspawn\fR(8) daemon monitors a TCP or UNIX-domain stream
+/* socket, configured in \fBmaster.cf\fR with a service type
+/* \fBinet\fR or \fBunix\fR.
/*
-/* This daemon expects to be run from the \fBmaster\fR(8) process
-/* manager.
+/* This daemon spawns an external command whenever a connection
+/* is established, with the standard input, output and error file
+/* descriptors connected to the remote client.
+/*
+/* The command process is subject to the time limit specified
+/* with the parameter \fItransport\fR_time_limit (default:
+/* command_time_limit) where \fItransport\fR equals the service
+/* name field in master.cf. A process that exceeds the time limit
+/* will receive a SIGKILL signal.
+/*
+/* The \fBspawn\fR(8) daemon service typically has a process limit >
+/* 1 in its \fBmaster.cf\fR service definition, so that the number
+/* of processes can scale with demand.
/* COMMAND ATTRIBUTE SYNTAX
/* .ad
/* .fi
/* last command attribute.
/* The command is executed directly, i.e. without interpretation of
/* shell meta characters by a shell command interpreter.
-/* BUGS
-/* In order to enforce standard Postfix process resource controls,
-/* each \fBspawn\fR(8) daemon process runs only one external
-/* command, and blocks until the command terminates or a time
-/* limit is reached.
-/* As such, it presents a noticeable overhead by wasting precious
-/* process resources. The \fBspawn\fR(8) daemon is expected to be
-/* replaced by a more structural solution.
+/* .sp
+/* If a command argument must contain whitespace, or if a command
+/* argument must begin with "{", enclose the argument with "{" and
+/* "}". This form will ignore whitespace after the outer "{" and
+/* before the outer "}". Example:
+/* .sp
+/* .fi
+/* argv=/bin/sh -c { shell syntax here }
/* DIAGNOSTICS
/* The \fBspawn\fR(8) daemon reports abnormal child exits.
/* Problems are logged to \fBsyslogd\fR(8) or \fBpostlogd\fR(8).
/* SECURITY
/* .fi
/* .ad
-/* This program needs root privilege in order to execute external
-/* commands as the specified user. It is therefore security sensitive.
-/* However the \fBspawn\fR(8) daemon does not talk to the external command
-/* and thus is not vulnerable to data-driven attacks.
+/* The \fBspawn\fR(8) daemon needs root privilege in order to
+/* execute external commands as the specified user. It is therefore
+/* security sensitive.
+/*
+/* However, the \fBspawn\fR(8) daemon does not receive data from
+/* or about service clients or external commands, and thus is not
+/* vulnerable to data-driven attacks.
/* CONFIGURATION PARAMETERS
/* .ad
/* .fi
spawn_command.o: clean_env.h
spawn_command.o: exec_command.h
spawn_command.o: msg.h
+spawn_command.o: set_eugid.h
spawn_command.o: set_ugid.h
spawn_command.o: spawn_command.c
spawn_command.o: spawn_command.h
#include <msg.h>
#include <timed_wait.h>
#include <set_ugid.h>
+#include <set_eugid.h>
#include <argv.h>
#include <spawn_command.h>
#include <exec_command.h>
case 0:
if (args.uid != (uid_t) - 1 || args.gid != (gid_t) - 1)
set_ugid(args.uid, args.gid);
- setsid();
+ if (setsid() < 0)
+ msg_warn("child: setsid: %m");
/*
* Pipe plumbing.
*/
if ((err = timed_waitpid(pid, &wait_status, 0, args.time_limit)) < 0
&& errno == ETIMEDOUT) {
+ uid_t saved_euid = geteuid();
+ gid_t saved_egid = getegid();
+
msg_warn("%s: process id %lu: command time limit exceeded",
args.command, (unsigned long) pid);
- kill(-pid, SIGKILL);
+ set_eugid(args.uid, args.gid);
+ if (kill(-pid, SIGKILL) < 0)
+ msg_warn("parent: kill: %m");
+ set_eugid(saved_euid, saved_egid);
err = waitpid(pid, &wait_status, 0);
}
if (err < 0)
projects / thirdparty / postfix.git / commitdiff
