2026-06-08 09:18 @216.73.217.65
CrawledBy Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)
PIPE(8postfix) PIPE(8postfix) NAME pipe - Postfix delivery to external command SYNOPSIS pipe [generic Postfix daemon options] command_attributes... DESCRIPTION The pipe(8) daemon processes requests from the Postfix queue manager to deliver messages to external commands. This program expects to be run from the master(8) process manager. Message attributes such as sender address, recipient address and next-hop host name can be specified as command-line macros that are ex- panded before the external command is executed. The pipe(8) daemon updates queue files and marks recipients as fin- ished, or it informs the queue manager that delivery should be tried again at a later time. Delivery status reports are sent to the bounce(8), defer(8) or trace(8) daemon as appropriate. SINGLE-RECIPIENT DELIVERY Some destinations cannot handle more than one recipient per delivery request. Examples are pagers or fax machines. In addition, multi-re- cipient delivery is undesirable when prepending a Delivered-to: or X-Original-To: message header. To prevent Postfix from sending multiple recipients per delivery re- quest, specify transport_destination_recipient_limit = 1 in the Postfix main.cf file, where transport is the name in the first column of the Postfix master.cf entry for the pipe-based delivery transport. COMMAND ATTRIBUTE SYNTAX The external command attributes are given in the master.cf file at the end of a service definition. The syntax is as follows: chroot=pathname (optional) Change the process root directory and working directory to the named directory. This happens before switching to the privileges specified with the user attribute, and before executing the op- tional directory=pathname directive. Delivery is deferred in case of failure. This feature is available as of Postfix 2.3. directory=pathname (optional) Change to the named directory before executing the external com- mand. The directory must be accessible for the user specified with the user attribute (see below). The default working direc- tory is $queue_directory. Delivery is deferred in case of fail- ure. This feature is available as of Postfix 2.2. eol=string (optional, default: \n) The output record delimiter. Typically one would use either \r\n or \n. The usual C-style backslash escape sequences are recog- nized: \a \b \f \n \r \t \v \ddd (up to three octal digits) and \\. flags=BDFORXhqu.> (optional) Optional message processing flags. By default, a message is copied unchanged. B Append a blank line at the end of each message. This is required by some mail user agents that recognize "From " lines only when preceded by a blank line. D Prepend a "Delivered-To: recipient" message header with the envelope recipient address. Note: for this to work, the transport_destination_recipient_limit must be 1 (see SINGLE-RECIPIENT DELIVERY above for details). The D flag also enforces loop detection (Postfix 2.5 and later): if a message already contains a Delivered-To: header with the same recipient address, then the message is returned as undeliverable. The address comparison is case insensitive. This feature is available as of Postfix 2.0. F Prepend a "From sender time_stamp" envelope header to the message content. This is expected by, for example, UUCP software. O Prepend an "X-Original-To: recipient" message header with the recipient address as given to Postfix. Note: for this to work, the transport_destination_recipient_limit must be 1 (see SINGLE-RECIPIENT DELIVERY above for details). This feature is available as of Postfix 2.0. R Prepend a Return-Path: message header with the envelope sender address. X Indicate that the external command performs final deliv- ery. This flag affects the status reported in "success" DSN (delivery status notification) messages, and changes it from "relayed" into "delivered". This feature is available as of Postfix 2.5. h Fold the command-line $original_recipient and $recipient address domain part (text to the right of the right-most @ character) to lower case; fold the entire command-line $domain and $nexthop host or domain information to lower case. This is recommended for delivery via UUCP. q Quote white space and other special characters in the command-line $sender, $original_recipient and $recipient address localparts (text to the left of the right-most @ character), according to an 8-bit transparent version of RFC 822. This is recommended for delivery via UUCP or BSMTP. The result is compatible with the address parsing of com- mand-line recipients by the Postfix sendmail(1) mail sub- mission command. The q flag affects only entire addresses, not the partial address information from the $user, $extension or $mail- box command-line macros. u Fold the command-line $original_recipient and $recipient address localpart (text to the left of the right-most @ character) to lower case. This is recommended for deliv- ery via UUCP. . Prepend "." to lines starting with ".". This is needed by, for example, BSMTP software. > Prepend ">" to lines starting with "From ". This is ex- pected by, for example, UUCP software. null_sender=replacement (default: MAILER-DAEMON) Replace the null sender address (typically used for delivery status notifications) with the specified text when expanding the $sender command-line macro, and when generating a From_ or Re- turn-Path: message header. If the null sender replacement text is a non-empty string then it is affected by the q flag for address quoting in command-line arguments. The null sender replacement text may be empty; this form is rec- ommended for content filters that feed mail back into Postfix. The empty sender address is not affected by the q flag for ad- dress quoting in command-line arguments. Caution: a null sender address is easily mis-parsed by naive software. For example, when the pipe(8) daemon executes a com- mand such as: Wrong: command -f$sender -- $recipient the command will mis-parse the -f option value when the sender address is a null string. For correct parsing, specify $sender as an argument by itself: Right: command -f $sender -- $recipient This feature is available as of Postfix 2.3. size=size_limit (optional) Don't deliver messages that exceed this size limit (in bytes); return them to the sender instead. user=username (required) user=username:groupname Execute the external command with the user ID and group ID of the specified username. The software refuses to execute com- mands with root privileges, or with the privileges of the mail system owner. If groupname is specified, the corresponding group ID is used instead of the group ID of username. argv=command... (required) The command to be executed. This must be specified as the last command attribute. The command is executed directly, i.e. with- out interpretation of shell meta characters by a shell command interpreter. Specify "{" and "}" around command arguments that contain white- space (Postfix 3.0 and later). Whitespace after the opening "{" and before the closing "}" is ignored. In the command argument vector, the following macros are recog- nized and replaced with corresponding information from the Post- fix queue manager delivery request. In addition to the form ${name}, the forms $name and the depre- cated form $(name) are also recognized. Specify $$ where a sin- gle $ is wanted. ${client_address} This macro expands to the remote client network address. This feature is available as of Postfix 2.2. ${client_helo} This macro expands to the remote client HELO command pa- rameter. This feature is available as of Postfix 2.2. ${client_hostname} This macro expands to the remote client hostname. This feature is available as of Postfix 2.2. ${client_port} This macro expands to the remote client TCP port number. This feature is available as of Postfix 2.5. ${client_protocol} This macro expands to the remote client protocol. This feature is available as of Postfix 2.2. ${domain} This macro expands to the domain portion of the recipient address. For example, with an address user+foo@domain the domain is domain. This information is modified by the h flag for case fold- ing. This feature is available as of Postfix 2.5. ${extension} This macro expands to the extension part of a recipient address. For example, with an address user+foo@domain the extension is foo. A command-line argument that contains ${extension} ex- pands into as many command-line arguments as there are recipients. This information is modified by the u flag for case fold- ing. ${mailbox} This macro expands to the complete local part of a recip- ient address. For example, with an address user+foo@do- main the mailbox is user+foo. A command-line argument that contains ${mailbox} expands to as many command-line arguments as there are recipi- ents. This information is modified by the u flag for case fold- ing. ${nexthop} This macro expands to the next-hop hostname. This information is modified by the h flag for case fold- ing. ${original_recipient} This macro expands to the complete recipient address be- fore any address rewriting or aliasing. A command-line argument that contains ${original_recipi- ent} expands to as many command-line arguments as there are recipients. This information is modified by the hqu flags for quoting and case folding. This feature is available as of Postfix 2.5. ${queue_id} This macro expands to the queue id. This feature is available as of Postfix 2.11. ${recipient} This macro expands to the complete recipient address. A command-line argument that contains ${recipient} ex- pands to as many command-line arguments as there are re- cipients. This information is modified by the hqu flags for quoting and case folding. ${sasl_method} This macro expands to the name of the SASL authentication mechanism in the AUTH command when the Postfix SMTP server received the message. This feature is available as of Postfix 2.2. ${sasl_sender} This macro expands to the SASL sender name (i.e. the original submitter as per RFC 4954) in the MAIL FROM com- mand when the Postfix SMTP server received the message. This feature is available as of Postfix 2.2. ${sasl_username} This macro expands to the SASL user name in the AUTH com- mand when the Postfix SMTP server received the message. This feature is available as of Postfix 2.2. ${sender} This macro expands to the envelope sender address. By de- fault, the null sender address expands to MAILER-DAEMON; this can be changed with the null_sender attribute, as described above. This information is modified by the q flag for quoting. ${size} This macro expands to Postfix's idea of the message size, which is an approximation of the size of the message as delivered. ${user} This macro expands to the username part of a recipient address. For example, with an address user+foo@domain the username part is user. A command-line argument that contains ${user} expands into as many command-line arguments as there are recipi- ents. This information is modified by the u flag for case fold- ing. STANDARDS RFC 3463 (Enhanced status codes) DIAGNOSTICS Command exit status codes are expected to follow the conventions de- fined in <sysexits.h>. Exit status 0 means normal successful comple- tion. In the case of a non-zero exit status, a limited amount of command out- put is logged, and reported in a delivery status notification. When the output begins with a 4.X.X or 5.X.X enhanced status code, the sta- tus code takes precedence over the non-zero exit status (Postfix ver- sion 2.3 and later). After successful delivery (zero exit status) a limited amount of com- mand output is logged, and reported in "success" delivery status noti- fications (Postfix 3.0 and later). This command output is not examined for the presence of an enhanced status code. Problems and transactions are logged to syslogd(8) or postlogd(8). Corrupted message files are marked so that the queue manager can move them to the corrupt queue for further inspection. SECURITY This program needs a dual personality 1) to access the private Postfix queue and IPC mechanisms, and 2) to execute external commands as the specified user. It is therefore security sensitive. CONFIGURATION PARAMETERS Changes to main.cf are picked up automatically as pipe(8) processes run for only a limited amount of time. Use the command "postfix reload" to speed up a change. The text below provides only a parameter summary. See postconf(5) for more details including examples. RESOURCE AND RATE CONTROLS In the text below, transport is the first field in a master.cf entry. transport_time_limit ($command_time_limit) A transport-specific override for the command_time_limit parame- ter value, where transport is the master.cf name of the message delivery transport. Implemented in the qmgr(8) daemon: transport_destination_concurrency_limit ($default_destination_concur- rency_limit) A transport-specific override for the default_destination_con- currency_limit parameter value, where transport is the master.cf name of the message delivery transport. transport_destination_recipient_limit ($default_destination_recipi- ent_limit) A transport-specific override for the default_destination_recip- ient_limit parameter value, where transport is the master.cf name of the message delivery transport. MISCELLANEOUS CONTROLS config_directory (see 'postconf -d' output) The default location of the Postfix main.cf and master.cf con- figuration files. daemon_timeout (18000s) How much time a Postfix daemon process may take to handle a re- quest before it is terminated by a built-in watchdog timer. delay_logging_resolution_limit (2) The maximal number of digits after the decimal point when log- ging sub-second delay values. export_environment (see 'postconf -d' output) The list of environment variables that a Postfix process will export to non-Postfix processes. ipc_timeout (3600s) The time limit for sending or receiving information over an in- ternal communication channel. mail_owner (postfix) The UNIX system account that owns the Postfix queue and most Postfix daemon processes. max_idle (100s) The maximum amount of time that an idle Postfix daemon process waits for an incoming connection before terminating voluntarily. max_use (100) The maximal number of incoming connections that a Postfix daemon process will service before terminating voluntarily. process_id (read-only) The process ID of a Postfix command or daemon process. process_name (read-only) The process name of a Postfix command or daemon process. queue_directory (see 'postconf -d' output) The location of the Postfix top-level queue directory. recipient_delimiter (empty) The set of characters that can separate a user name from its ex- tension (example: user+foo), or a .forward file name from its extension (example: .forward+foo). syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd". Available in Postfix version 3.0 and later: pipe_delivery_status_filter ($default_delivery_status_filter) Optional filter for the pipe(8) delivery agent to change the de- livery status code or explanatory text of successful or unsuc- cessful deliveries. Available in Postfix version 3.3 and later: enable_original_recipient (yes) Enable support for the original recipient address after an ad- dress is rewritten to a different address (for example with aliasing or with canonical mapping). service_name (read-only) The master.cf service name of a Postfix daemon process. Available in Postfix 3.5 and later: info_log_address_format (external) The email address form that will be used in non-debug logging (info, warning, etc.). SEE ALSO qmgr(8), queue manager bounce(8), delivery status reports postconf(5), configuration parameters master(5), generic daemon options master(8), process manager postlogd(8), Postfix logging syslogd(8), system logging LICENSE The Secure Mailer license must be distributed with this software. AUTHOR(S) Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown Heights, NY 10598, USA Wietse Venema Google, Inc. 111 8th Avenue New York, NY 10011, USA PIPE(8postfix) PIPE(7) Linux Programmer's Manual PIPE(7) NAME pipe - overview of pipes and FIFOs DESCRIPTION Pipes and FIFOs (also known as named pipes) provide a unidirectional interprocess communication channel. A pipe has a read end and a write end. Data written to the write end of a pipe can be read from the read end of the pipe. A pipe is created using pipe(2), which creates a new pipe and returns two file descriptors, one referring to the read end of the pipe, the other referring to the write end. Pipes can be used to create a commu- nication channel between related processes; see pipe(2) for an example. A FIFO (short for First In First Out) has a name within the filesystem (created using mkfifo(3)), and is opened using open(2). Any process may open a FIFO, assuming the file permissions allow it. The read end is opened using the O_RDONLY flag; the write end is opened using the O_WRONLY flag. See fifo(7) for further details. Note: although FIFOs have a pathname in the filesystem, I/O on FIFOs does not involve opera- tions on the underlying device (if there is one). I/O on pipes and FIFOs The only difference between pipes and FIFOs is the manner in which they are created and opened. Once these tasks have been accomplished, I/O on pipes and FIFOs has exactly the same semantics. If a process attempts to read from an empty pipe, then read(2) will block until data is available. If a process attempts to write to a full pipe (see below), then write(2) blocks until sufficient data has been read from the pipe to allow the write to complete. Nonblocking I/O is possible by using the fcntl(2) F_SETFL operation to enable the O_NONBLOCK open file status flag. The communication channel provided by a pipe is a byte stream: there is no concept of message boundaries. If all file descriptors referring to the write end of a pipe have been closed, then an attempt to read(2) from the pipe will see end-of-file (read(2) will return 0). If all file descriptors referring to the read end of a pipe have been closed, then a write(2) will cause a SIGPIPE signal to be generated for the calling process. If the calling process is ignoring this signal, then write(2) fails with the error EPIPE. An application that uses pipe(2) and fork(2) should use suitable close(2) calls to close unnecessary duplicate file descriptors; this ensures that end-of-file and SIGPIPE/EPIPE are delivered when appropriate. It is not possible to apply lseek(2) to a pipe. Pipe capacity A pipe has a limited capacity. If the pipe is full, then a write(2) will block or fail, depending on whether the O_NONBLOCK flag is set (see below). Different implementations have different limits for the pipe capacity. Applications should not rely on a particular capacity: an application should be designed so that a reading process consumes data as soon as it is available, so that a writing process does not re- main blocked. In Linux versions before 2.6.11, the capacity of a pipe was the same as the system page size (e.g., 4096 bytes on i386). Since Linux 2.6.11, the pipe capacity is 16 pages (i.e., 65,536 bytes in a system with a page size of 4096 bytes). Since Linux 2.6.35, the default pipe capac- ity is 16 pages, but the capacity can be queried and set using the fc- ntl(2) F_GETPIPE_SZ and F_SETPIPE_SZ operations. See fcntl(2) for more information. The following ioctl(2) operation, which can be applied to a file de- scriptor that refers to either end of a pipe, places a count of the number of unread bytes in the pipe in the int buffer pointed to by the final argument of the call: ioctl(fd, FIONREAD, &nbytes); The FIONREAD operation is not specified in any standard, but is pro- vided on many implementations. /proc files On Linux, the following files control how much memory can be used for pipes: /proc/sys/fs/pipe-max-pages (only in Linux 2.6.34) An upper limit, in pages, on the capacity that an unprivileged user (one without the CAP_SYS_RESOURCE capability) can set for a pipe. The default value for this limit is 16 times the default pipe capacity (see above); the lower limit is two pages. This interface was removed in Linux 2.6.35, in favor of /proc/sys/fs/pipe-max-size. /proc/sys/fs/pipe-max-size (since Linux 2.6.35) The maximum size (in bytes) of individual pipes that can be set by users without the CAP_SYS_RESOURCE capability. The value as- signed to this file may be rounded upward, to reflect the value actually employed for a convenient implementation. To determine the rounded-up value, display the contents of this file after assigning a value to it. The default value for this file is 1048576 (1 MiB). The minimum value that can be assigned to this file is the system page size. Attempts to set a limit less than the page size cause write(2) to fail with the error EINVAL. Since Linux 4.9, the value on this file also acts as a ceiling on the default capacity of a new pipe or newly opened FIFO. /proc/sys/fs/pipe-user-pages-hard (since Linux 4.5) The hard limit on the total size (in pages) of all pipes created or set by a single unprivileged user (i.e., one with neither the CAP_SYS_RESOURCE nor the CAP_SYS_ADMIN capability). So long as the total number of pages allocated to pipe buffers for this user is at this limit, attempts to create new pipes will be de- nied, and attempts to increase a pipe's capacity will be denied. When the value of this limit is zero (which is the default), no hard limit is applied. /proc/sys/fs/pipe-user-pages-soft (since Linux 4.5) The soft limit on the total size (in pages) of all pipes created or set by a single unprivileged user (i.e., one with neither the CAP_SYS_RESOURCE nor the CAP_SYS_ADMIN capability). So long as the total number of pages allocated to pipe buffers for this user is at this limit, individual pipes created by a user will be limited to one page, and attempts to increase a pipe's capac- ity will be denied. When the value of this limit is zero, no soft limit is applied. The default value for this file is 16384, which permits creating up to 1024 pipes with the default capacity. Before Linux 4.9, some bugs affected the handling of the pipe-user- pages-soft and pipe-user-pages-hard limits; see BUGS. PIPE_BUF POSIX.1 says that write(2)s of less than PIPE_BUF bytes must be atomic: the output data is written to the pipe as a contiguous sequence. Writes of more than PIPE_BUF bytes may be nonatomic: the kernel may in- terleave the data with data written by other processes. POSIX.1 re- quires PIPE_BUF to be at least 512 bytes. (On Linux, PIPE_BUF is 4096 bytes.) The precise semantics depend on whether the file descriptor is nonblocking (O_NONBLOCK), whether there are multiple writers to the pipe, and on n, the number of bytes to be written: O_NONBLOCK disabled, n <= PIPE_BUF All n bytes are written atomically; write(2) may block if there is not room for n bytes to be written immediately O_NONBLOCK enabled, n <= PIPE_BUF If there is room to write n bytes to the pipe, then write(2) succeeds immediately, writing all n bytes; otherwise write(2) fails, with errno set to EAGAIN. O_NONBLOCK disabled, n > PIPE_BUF The write is nonatomic: the data given to write(2) may be inter- leaved with write(2)s by other process; the write(2) blocks un- til n bytes have been written. O_NONBLOCK enabled, n > PIPE_BUF If the pipe is full, then write(2) fails, with errno set to EA- GAIN. Otherwise, from 1 to n bytes may be written (i.e., a "partial write" may occur; the caller should check the return value from write(2) to see how many bytes were actually writ- ten), and these bytes may be interleaved with writes by other processes. Open file status flags The only open file status flags that can be meaningfully applied to a pipe or FIFO are O_NONBLOCK and O_ASYNC. Setting the O_ASYNC flag for the read end of a pipe causes a signal (SIGIO by default) to be generated when new input becomes available on the pipe. The target for delivery of signals must be set using the fc- ntl(2) F_SETOWN command. On Linux, O_ASYNC is supported for pipes and FIFOs only since kernel 2.6. Portability notes On some systems (but not Linux), pipes are bidirectional: data can be transmitted in both directions between the pipe ends. POSIX.1 requires only unidirectional pipes. Portable applications should avoid reliance on bidirectional pipe semantics. BUGS Before Linux 4.9, some bugs affected the handling of the pipe-user- pages-soft and pipe-user-pages-hard limits when using the fcntl(2) F_SETPIPE_SZ operation to change a pipe's capacity: (1) When increasing the pipe capacity, the checks against the soft and hard limits were made against existing consumption, and excluded the memory required for the increased pipe capacity. The new in- crease in pipe capacity could then push the total memory used by the user for pipes (possibly far) over a limit. (This could also trigger the problem described next.) Starting with Linux 4.9, the limit checking includes the memory required for the new pipe capacity. (2) The limit checks were performed even when the new pipe capacity was less than the existing pipe capacity. This could lead to problems if a user set a large pipe capacity, and then the limits were lowered, with the result that the user could no longer de- crease the pipe capacity. Starting with Linux 4.9, checks against the limits are performed only when increasing a pipe's capacity; an unprivileged user can always decrease a pipe's capacity. (3) The accounting and checking against the limits were done as fol- lows: (a) Test whether the user has exceeded the limit. (b) Make the new pipe buffer allocation. (c) Account new allocation against the limits. This was racey. Multiple processes could pass point (a) simulta- neously, and then allocate pipe buffers that were accounted for only in step (c), with the result that the user's pipe buffer al- location could be pushed over the limit. Starting with Linux 4.9, the accounting step is performed before doing the allocation, and the operation fails if the limit would be exceeded. Before Linux 4.9, bugs similar to points (1) and (3) could also occur when the kernel allocated memory for a new pipe buffer; that is, when calling pipe(2) and when opening a previously unopened FIFO. SEE ALSO mkfifo(1), dup(2), fcntl(2), open(2), pipe(2), poll(2), select(2), socketpair(2), splice(2), stat(2), tee(2), vmsplice(2), mkfifo(3), epoll(7), fifo(7) COLOPHON This page is part of release 5.10 of the Linux man-pages project. A description of the project, information about reporting bugs, and the latest version of this page, can be found at https://www.kernel.org/doc/man-pages/. Linux 2017-09-15 PIPE(7)
Generated by phpMan v3.6.3-2-gc817beb Author: Che Dong Under GNU General Public License
2026-06-08 09:18 @216.73.217.65
CrawledBy Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)