Postfix/sendmail: Unterschied zwischen den Versionen
Keine Bearbeitungszusammenfassung |
|||
| Zeile 11: | Zeile 11: | ||
NAME | NAME | ||
sendmail - Postfix to Sendmail compatibility interface | |||
SYNOPSIS | SYNOPSIS | ||
sendmail [option ...] [recipient ...] | |||
mailq | |||
sendmail -bp | |||
newaliases | |||
sendmail -I | |||
DESCRIPTION | DESCRIPTION | ||
The Postfix sendmail(1) command implements the Postfix to Sendmail compatibility interface. For the sake of compatibility with existing applica‐ | |||
tions, some Sendmail command-line options are recognized but silently ignored. | |||
By default, Postfix sendmail(1) reads a message from standard input until EOF or until it reads a line with only a . character, and arranges for de‐ | |||
livery. Postfix sendmail(1) relies on the postdrop(1) command to create a queue file in the maildrop directory. | |||
Specific command aliases are provided for other common modes of operation: | |||
mailq List the mail queue. Each entry shows the queue file ID, message size, arrival time, sender, and the recipients that still need to be deliv‐ | |||
ered. If mail could not be delivered upon the last attempt, the reason for failure is shown. The queue ID string is followed by an optional | |||
status character: | |||
* The message is in the active queue, i.e. the message is selected for delivery. | |||
! The message is in the hold queue, i.e. no further delivery attempt will be made until the mail is taken off hold. | |||
# The message is forced to expire. See the postsuper(1) options -e or -f. | |||
This mode of operation is implemented by executing the postqueue(1) command. | |||
newaliases | |||
Initialize the alias database. If no input file is specified (with the -oA option, see below), the program processes the file(s) specified | |||
with the alias_database configuration parameter. If no alias database type is specified, the program uses the type specified with the de‐ | |||
fault_database_type configuration parameter. This mode of operation is implemented by running the postalias(1) command. | |||
Note: it may take a minute or so before an alias database update becomes visible. Use the "postfix reload" command to eliminate this delay. | |||
These and other features can be selected by specifying the appropriate combination of command-line options. Some features are controlled by parame‐ | |||
ters in the main.cf configuration file. | |||
The following options are recognized: | |||
-Am (ignored) | |||
-Ac (ignored) | |||
Postfix sendmail uses the same configuration file regardless of whether or not a message is an initial submission. | |||
-B body_type | |||
The message body MIME type: 7BIT or 8BITMIME. | |||
-bd Go into daemon mode. This mode of operation is implemented by executing the "postfix start" command. | |||
-bh (ignored) | |||
-bH (ignored) | |||
Postfix has no persistent host status database. | |||
-bi Initialize alias database. See the newaliases command above. | |||
-bl Go into daemon mode. To accept only local connections as with Sendmail´s -bl option, specify "inet_interfaces = loopback" in the Postfix | |||
main.cf configuration file. | |||
-bm Read mail from standard input and arrange for delivery. This is the default mode of operation. | |||
-bp List the mail queue. See the mailq command above. | |||
-bs Stand-alone SMTP server mode. Read SMTP commands from standard input, and write responses to standard output. In stand-alone SMTP server | |||
mode, mail relaying and other access controls are disabled by default. To enable them, run the process as the mail_owner user. | |||
This mode of operation is implemented by running the smtpd(8) daemon. | |||
-bv Do not collect or deliver a message. Instead, send an email report after verifying each recipient address. This is useful for testing address | |||
rewriting and routing configurations. | |||
This feature is available in Postfix version 2.1 and later. | |||
-C config_file | |||
-C config_dir | |||
The path name of the Postfix main.cf file, or of its parent directory. This information is ignored with Postfix versions before 2.3. | |||
With Postfix version 3.2 and later, a non-default directory must be authorized in the default main.cf file, through the alternate_config_di‐ | |||
rectories or multi_instance_directories parameters. | |||
With all Postfix versions, you can specify a directory pathname with the MAIL_CONFIG environment variable to override the location of configu‐ | |||
ration files. | |||
-F full_name | |||
Set the sender full name. This overrides the NAME environment variable, and is used only with messages that have no From: message header. | |||
-f sender | |||
Set the envelope sender address. This is the address where delivery problems are sent to. With Postfix versions before 2.1, the Errors-To: | |||
message header overrides the error return address. | |||
-G Gateway (relay) submission, as opposed to initial user submission. Either do not rewrite addresses at all, or update incomplete addresses | |||
with the domain information specified with remote_header_rewrite_domain. | |||
This option is ignored before Postfix version 2.3. | |||
-h hop_count (ignored) | |||
Hop count limit. Use the hopcount_limit configuration parameter instead. | |||
-I Initialize alias database. See the newaliases command above. | |||
-i When reading a message from standard input, don´t treat a line with only a . character as the end of input. | |||
-L label (ignored) | |||
The logging label. Use the syslog_name configuration parameter instead. | |||
-m (ignored) | |||
Backwards compatibility. | |||
-N dsn (default: 'delay, failure') | |||
Delivery status notification control. Specify either a comma-separated list with one or more of failure (send notification when delivery | |||
fails), delay (send notification when delivery is delayed), or success (send notification when the message is delivered); or specify never | |||
(don't send any notifications at all). | |||
This feature is available in Postfix 2.3 and later. | |||
-n (ignored) | |||
Backwards compatibility. | |||
-oAalias_database | |||
Non-default alias database. Specify pathname or type:pathname. See postalias(1) for details. | |||
-O option=value (ignored) | |||
Set the named option to value. Use the equivalent configuration parameter in main.cf instead. | |||
-o7 (ignored) | |||
-o8 (ignored) | |||
To send 8-bit or binary content, use an appropriate MIME encapsulation and specify the appropriate -B command-line option. | |||
-oi When reading a message from standard input, don´t treat a line with only a . character as the end of input. | |||
-om (ignored) | |||
The sender is never eliminated from alias etc. expansions. | |||
-o x value (ignored) | |||
Set option x to value. Use the equivalent configuration parameter in main.cf instead. | |||
-r sender | |||
Set the envelope sender address. This is the address where delivery problems are sent to. With Postfix versions before 2.1, the Errors-To: | |||
message header overrides the error return address. | |||
-R return | |||
Delivery status notification control. Specify "hdrs" to return only the header when a message bounces, "full" to return a full copy (the de‐ | |||
fault behavior). | |||
The -R option specifies an upper bound; Postfix will return only the header, when a full copy would exceed the bounce_size_limit setting. | |||
This option is ignored before Postfix version 2.10. | |||
-q Attempt to deliver all queued mail. This is implemented by executing the postqueue(1) command. | |||
Warning: flushing undeliverable mail frequently will result in poor delivery performance of all other mail. | |||
-qinterval (ignored) | |||
The interval between queue runs. Use the queue_run_delay configuration parameter instead. | |||
-qIqueueid | |||
Schedule immediate delivery of mail with the specified queue ID. This option is implemented by executing the postqueue(1) command, and is | |||
available with Postfix version 2.4 and later. | |||
-qRsite | |||
Schedule immediate delivery of all mail that is queued for the named site. This option accepts only site names that are eligible for the "fast | |||
flush" service, and is implemented by executing the postqueue(1) command. See flush(8) for more information about the "fast flush" service. | |||
-qSsite | |||
This command is not implemented. Use the slower "sendmail -q" command instead. | |||
-t Extract recipients from message headers. These are added to any recipients specified on the command line. | |||
With Postfix versions prior to 2.1, this option requires that no recipient addresses are specified on the command line. | |||
-U (ignored) | |||
Initial user submission. | |||
-V envid | |||
Specify the envelope ID for notification by servers that support DSN. | |||
This feature is available in Postfix 2.3 and later. | |||
-XV (Postfix 2.2 and earlier: -V) | |||
Variable Envelope Return Path. Given an envelope sender address of the form owner-listname@origin, each recipient user@domain receives mail | |||
with a personalized envelope sender address. | |||
By default, the personalized envelope sender address is owner-listname+user=domain@origin. The default + and = characters are configurable | |||
with the default_verp_delimiters configuration parameter. | |||
-XVxy (Postfix 2.2 and earlier: -Vxy) | |||
As -XV, but uses x and y as the VERP delimiter characters, instead of the characters specified with the default_verp_delimiters configuration | |||
parameter. | |||
-v Send an email report of the first delivery attempt (Postfix versions 2.1 and later). Mail delivery always happens in the background. When mul‐ | |||
tiple -v options are given, enable verbose logging for debugging purposes. | |||
-X log_file (ignored) | |||
Log mailer traffic. Use the debug_peer_list and debug_peer_level configuration parameters instead. | |||
SECURITY | SECURITY | ||
By design, this program is not set-user (or group) id. It is prepared to handle message content from untrusted, possibly remote, users. | |||
However, like most Postfix programs, this program does not enforce a security policy on its command-line arguments. Instead, it relies on the UNIX | |||
system to enforce access policies based on the effective user and group IDs of the process. Concretely, this means that running Postfix commands as | |||
root (from sudo or equivalent) on behalf of a non-root user is likely to create privilege escalation opportunities. | |||
If an application runs any Postfix programs on behalf of users that do not have normal shell access to Postfix commands, then that application MUST | |||
restrict user-specified command-line arguments to avoid privilege escalation. | |||
• Filter all command-line arguments, for example arguments that contain a pathname or that specify a database access method. These pathname | |||
checks must reject user-controlled symlinks or hardlinks to sensitive files, and must not be vulnerable to TOCTOU race attacks. | |||
• Disable command options processing for all command arguments that contain user-specified data. For example, the Postfix sendmail(1) command | |||
line MUST be structured as follows: | |||
/path/to/sendmail system-arguments -- user-arguments | |||
Here, the "--" disables command option processing for all user-arguments that follow. | |||
Without the "--", a malicious user could enable Postfix sendmail(1) command options, by specifying an email address that starts with "-". | |||
DIAGNOSTICS | DIAGNOSTICS | ||
Problems are logged to syslogd(8) or postlogd(8), and to the standard error stream. | |||
ENVIRONMENT | ENVIRONMENT | ||
MAIL_CONFIG | |||
Directory with Postfix configuration files. | |||
MAIL_VERBOSE (value does not matter) | |||
Enable verbose logging for debugging purposes. | |||
MAIL_DEBUG (value does not matter) | |||
Enable debugging with an external command, as specified with the debugger_command configuration parameter. | |||
NAME The sender full name. This is used only with messages that have no From: message header. See also the -F option above. | |||
CONFIGURATION PARAMETERS | CONFIGURATION PARAMETERS | ||
The following main.cf parameters are especially relevant to this program. The text below provides only a parameter summary. See postconf(5) for more | |||
details including examples. | |||
COMPATIBILITY CONTROLS | COMPATIBILITY CONTROLS | ||
Available with Postfix 2.9 and later: | |||
sendmail_fix_line_endings (always) | |||
Controls how the Postfix sendmail command converts email message line endings from <CR><LF> into UNIX format (<LF>). | |||
TROUBLE SHOOTING CONTROLS | TROUBLE SHOOTING CONTROLS | ||
The DEBUG_README file gives examples of how to troubleshoot a Postfix system. | |||
debugger_command (empty) | |||
The external command to execute when a Postfix daemon program is invoked with the -D option. | |||
debug_peer_level (2) | |||
The increment in verbose logging level when a nexthop destination, remote client or server name or network address matches a pattern given | |||
with the debug_peer_list parameter. | |||
debug_peer_list (empty) | |||
Optional list of nexthop destination, remote client or server name or network address patterns that, if matched, cause the verbose logging | |||
level to increase by the amount specified in $debug_peer_level. | |||
ACCESS CONTROLS | ACCESS CONTROLS | ||
Available in Postfix version 2.2 and later: | |||
authorized_flush_users (static:anyone) | |||
List of users who are authorized to flush the queue. | |||
authorized_mailq_users (static:anyone) | |||
List of users who are authorized to view the queue. | |||
authorized_submit_users (static:anyone) | |||
List of users who are authorized to submit mail with the sendmail(1) command (and with the privileged postdrop(1) helper command). | |||
RESOURCE AND RATE CONTROLS | RESOURCE AND RATE CONTROLS | ||
bounce_size_limit (50000) | |||
The maximal amount of original message text that is sent in a non-delivery notification. | |||
fork_attempts (5) | |||
The maximal number of attempts to fork() a child process. | |||
fork_delay (1s) | |||
The delay between attempts to fork() a child process. | |||
hopcount_limit (50) | |||
The maximal number of Received: message headers that is allowed in the primary message headers. | |||
queue_run_delay (300s) | |||
The time between deferred queue scans by the queue manager; prior to Postfix 2.4 the default value was 1000s. | |||
FAST FLUSH CONTROLS | FAST FLUSH CONTROLS | ||
The ETRN_README file describes configuration and operation details for the Postfix "fast flush" service. | |||
fast_flush_domains ($relay_domains) | |||
Optional list of destinations that are eligible for per-destination logfiles with mail that is queued to those destinations. | |||
VERP CONTROLS | VERP CONTROLS | ||
The VERP_README file describes configuration and operation details of Postfix support for variable envelope return path addresses. | |||
default_verp_delimiters (+=) | |||
The two default VERP delimiter characters. | |||
verp_delimiter_filter (-=+) | |||
The characters Postfix accepts as VERP delimiter characters on the Postfix sendmail(1) command line and in SMTP commands. | |||
MISCELLANEOUS CONTROLS | MISCELLANEOUS CONTROLS | ||
alias_database (see 'postconf -d' output) | |||
The alias databases for local(8) delivery that are updated with "newaliases" or with "sendmail -bi". | |||
command_directory (see 'postconf -d' output) | |||
The location of all postfix administrative commands. | |||
config_directory (see 'postconf -d' output) | |||
The default location of the Postfix main.cf and master.cf configuration files. | |||
daemon_directory (see 'postconf -d' output) | |||
The directory with Postfix support programs and daemon programs. | |||
default_database_type (see 'postconf -d' output) | |||
The default database type for use in newaliases(1), postalias(1) and postmap(1) commands. | |||
delay_warning_time (0h) | |||
The time after which the sender receives a copy of the message headers of mail that is still queued. | |||
import_environment (see 'postconf -d' output) | |||
The list of environment parameters that a privileged Postfix process will import from a non-Postfix parent process, or name=value environment | |||
overrides. | |||
mail_owner (postfix) | |||
The UNIX system account that owns the Postfix queue and most Postfix daemon processes. | |||
queue_directory (see 'postconf -d' output) | |||
The location of the Postfix top-level queue directory. | |||
remote_header_rewrite_domain (empty) | |||
Don't rewrite message headers from remote clients at all when this parameter is empty; otherwise, rewrite message headers and append the spec‐ | |||
ified domain name to incomplete addresses. | |||
syslog_facility (mail) | |||
The syslog facility of Postfix logging. | |||
syslog_name (see 'postconf -d' output) | |||
A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd". | |||
Postfix 3.2 and later: | |||
alternate_config_directories (empty) | |||
A list of non-default Postfix configuration directories that may be specified with "-c config_directory" on the command line (in the case of | |||
sendmail(1), with the "-C" option), or via the MAIL_CONFIG environment parameter. | |||
multi_instance_directories (empty) | |||
An optional list of non-default Postfix configuration directories; these directories belong to additional Postfix instances that share the | |||
Postfix executable files and documentation with the default Postfix instance, and that are started, stopped, etc., together with the default | |||
Postfix instance. | |||
FILES | FILES | ||
/var/spool/postfix, mail queue | |||
/etc/postfix, configuration files | |||
SEE ALSO | SEE ALSO | ||
pickup(8), mail pickup daemon | |||
qmgr(8), queue manager | |||
smtpd(8), SMTP server | |||
flush(8), fast flush service | |||
postsuper(1), queue maintenance | |||
postalias(1), create/update/query alias database | |||
postdrop(1), mail posting utility | |||
postfix(1), mail system control | |||
postqueue(1), mail queue control | |||
postlogd(8), Postfix logging | |||
syslogd(8), system logging | |||
README_FILES | README_FILES | ||
Use "postconf readme_directory" or "postconf html_directory" to locate this information. | |||
DEBUG_README, Postfix debugging howto | |||
ETRN_README, Postfix ETRN howto | |||
VERP_README, Postfix VERP howto | |||
LICENSE | LICENSE | ||
The Secure Mailer license must be distributed with this software. | |||
AUTHOR(S) | AUTHOR(S) | ||
Wietse Venema | |||
IBM T.J. Watson Research | |||
P.O. Box 704 | |||
Yorktown Heights, NY 10598, USA | |||
Wietse Venema | |||
Google, Inc. | |||
111 8th Avenue | |||
New York, NY 10011, USA | |||
SENDMAIL(1) | |||
Version vom 28. Mai 2022, 12:41 Uhr
# type sendmail sendmail is /usr/sbin/sendmail
# whereis sendmail sendmail: /usr/sbin/sendmail /usr/lib/sendmail /usr/share/man/man1/sendmail.1.gz
TMP
SENDMAIL(1) General Commands Manual SENDMAIL(1)
NAME sendmail - Postfix to Sendmail compatibility interface
SYNOPSIS sendmail [option ...] [recipient ...]
mailq sendmail -bp
newaliases sendmail -I
DESCRIPTION The Postfix sendmail(1) command implements the Postfix to Sendmail compatibility interface. For the sake of compatibility with existing applica‐ tions, some Sendmail command-line options are recognized but silently ignored.
By default, Postfix sendmail(1) reads a message from standard input until EOF or until it reads a line with only a . character, and arranges for de‐ livery. Postfix sendmail(1) relies on the postdrop(1) command to create a queue file in the maildrop directory.
Specific command aliases are provided for other common modes of operation:
mailq List the mail queue. Each entry shows the queue file ID, message size, arrival time, sender, and the recipients that still need to be deliv‐ ered. If mail could not be delivered upon the last attempt, the reason for failure is shown. The queue ID string is followed by an optional status character:
- The message is in the active queue, i.e. the message is selected for delivery.
! The message is in the hold queue, i.e. no further delivery attempt will be made until the mail is taken off hold.
- The message is forced to expire. See the postsuper(1) options -e or -f.
This mode of operation is implemented by executing the postqueue(1) command.
newaliases Initialize the alias database. If no input file is specified (with the -oA option, see below), the program processes the file(s) specified with the alias_database configuration parameter. If no alias database type is specified, the program uses the type specified with the de‐ fault_database_type configuration parameter. This mode of operation is implemented by running the postalias(1) command.
Note: it may take a minute or so before an alias database update becomes visible. Use the "postfix reload" command to eliminate this delay.
These and other features can be selected by specifying the appropriate combination of command-line options. Some features are controlled by parame‐ ters in the main.cf configuration file.
The following options are recognized:
-Am (ignored)
-Ac (ignored) Postfix sendmail uses the same configuration file regardless of whether or not a message is an initial submission.
-B body_type The message body MIME type: 7BIT or 8BITMIME.
-bd Go into daemon mode. This mode of operation is implemented by executing the "postfix start" command.
-bh (ignored)
-bH (ignored) Postfix has no persistent host status database.
-bi Initialize alias database. See the newaliases command above.
-bl Go into daemon mode. To accept only local connections as with Sendmail´s -bl option, specify "inet_interfaces = loopback" in the Postfix main.cf configuration file.
-bm Read mail from standard input and arrange for delivery. This is the default mode of operation.
-bp List the mail queue. See the mailq command above.
-bs Stand-alone SMTP server mode. Read SMTP commands from standard input, and write responses to standard output. In stand-alone SMTP server mode, mail relaying and other access controls are disabled by default. To enable them, run the process as the mail_owner user.
This mode of operation is implemented by running the smtpd(8) daemon.
-bv Do not collect or deliver a message. Instead, send an email report after verifying each recipient address. This is useful for testing address rewriting and routing configurations.
This feature is available in Postfix version 2.1 and later.
-C config_file
-C config_dir The path name of the Postfix main.cf file, or of its parent directory. This information is ignored with Postfix versions before 2.3.
With Postfix version 3.2 and later, a non-default directory must be authorized in the default main.cf file, through the alternate_config_di‐ rectories or multi_instance_directories parameters.
With all Postfix versions, you can specify a directory pathname with the MAIL_CONFIG environment variable to override the location of configu‐ ration files.
-F full_name Set the sender full name. This overrides the NAME environment variable, and is used only with messages that have no From: message header.
-f sender Set the envelope sender address. This is the address where delivery problems are sent to. With Postfix versions before 2.1, the Errors-To: message header overrides the error return address.
-G Gateway (relay) submission, as opposed to initial user submission. Either do not rewrite addresses at all, or update incomplete addresses with the domain information specified with remote_header_rewrite_domain.
This option is ignored before Postfix version 2.3.
-h hop_count (ignored) Hop count limit. Use the hopcount_limit configuration parameter instead.
-I Initialize alias database. See the newaliases command above.
-i When reading a message from standard input, don´t treat a line with only a . character as the end of input.
-L label (ignored) The logging label. Use the syslog_name configuration parameter instead.
-m (ignored) Backwards compatibility.
-N dsn (default: 'delay, failure') Delivery status notification control. Specify either a comma-separated list with one or more of failure (send notification when delivery fails), delay (send notification when delivery is delayed), or success (send notification when the message is delivered); or specify never (don't send any notifications at all).
This feature is available in Postfix 2.3 and later.
-n (ignored) Backwards compatibility.
-oAalias_database Non-default alias database. Specify pathname or type:pathname. See postalias(1) for details.
-O option=value (ignored) Set the named option to value. Use the equivalent configuration parameter in main.cf instead.
-o7 (ignored)
-o8 (ignored) To send 8-bit or binary content, use an appropriate MIME encapsulation and specify the appropriate -B command-line option.
-oi When reading a message from standard input, don´t treat a line with only a . character as the end of input.
-om (ignored) The sender is never eliminated from alias etc. expansions.
-o x value (ignored) Set option x to value. Use the equivalent configuration parameter in main.cf instead.
-r sender Set the envelope sender address. This is the address where delivery problems are sent to. With Postfix versions before 2.1, the Errors-To: message header overrides the error return address.
-R return Delivery status notification control. Specify "hdrs" to return only the header when a message bounces, "full" to return a full copy (the de‐ fault behavior).
The -R option specifies an upper bound; Postfix will return only the header, when a full copy would exceed the bounce_size_limit setting.
This option is ignored before Postfix version 2.10.
-q Attempt to deliver all queued mail. This is implemented by executing the postqueue(1) command.
Warning: flushing undeliverable mail frequently will result in poor delivery performance of all other mail.
-qinterval (ignored) The interval between queue runs. Use the queue_run_delay configuration parameter instead.
-qIqueueid Schedule immediate delivery of mail with the specified queue ID. This option is implemented by executing the postqueue(1) command, and is available with Postfix version 2.4 and later.
-qRsite Schedule immediate delivery of all mail that is queued for the named site. This option accepts only site names that are eligible for the "fast flush" service, and is implemented by executing the postqueue(1) command. See flush(8) for more information about the "fast flush" service.
-qSsite This command is not implemented. Use the slower "sendmail -q" command instead.
-t Extract recipients from message headers. These are added to any recipients specified on the command line.
With Postfix versions prior to 2.1, this option requires that no recipient addresses are specified on the command line.
-U (ignored) Initial user submission.
-V envid Specify the envelope ID for notification by servers that support DSN.
This feature is available in Postfix 2.3 and later.
-XV (Postfix 2.2 and earlier: -V) Variable Envelope Return Path. Given an envelope sender address of the form owner-listname@origin, each recipient user@domain receives mail with a personalized envelope sender address.
By default, the personalized envelope sender address is owner-listname+user=domain@origin. The default + and = characters are configurable with the default_verp_delimiters configuration parameter.
-XVxy (Postfix 2.2 and earlier: -Vxy) As -XV, but uses x and y as the VERP delimiter characters, instead of the characters specified with the default_verp_delimiters configuration parameter.
-v Send an email report of the first delivery attempt (Postfix versions 2.1 and later). Mail delivery always happens in the background. When mul‐ tiple -v options are given, enable verbose logging for debugging purposes.
-X log_file (ignored) Log mailer traffic. Use the debug_peer_list and debug_peer_level configuration parameters instead.
SECURITY By design, this program is not set-user (or group) id. It is prepared to handle message content from untrusted, possibly remote, users.
However, like most Postfix programs, this program does not enforce a security policy on its command-line arguments. Instead, it relies on the UNIX system to enforce access policies based on the effective user and group IDs of the process. Concretely, this means that running Postfix commands as root (from sudo or equivalent) on behalf of a non-root user is likely to create privilege escalation opportunities.
If an application runs any Postfix programs on behalf of users that do not have normal shell access to Postfix commands, then that application MUST restrict user-specified command-line arguments to avoid privilege escalation.
• Filter all command-line arguments, for example arguments that contain a pathname or that specify a database access method. These pathname checks must reject user-controlled symlinks or hardlinks to sensitive files, and must not be vulnerable to TOCTOU race attacks.
• Disable command options processing for all command arguments that contain user-specified data. For example, the Postfix sendmail(1) command line MUST be structured as follows:
/path/to/sendmail system-arguments -- user-arguments
Here, the "--" disables command option processing for all user-arguments that follow.
Without the "--", a malicious user could enable Postfix sendmail(1) command options, by specifying an email address that starts with "-".
DIAGNOSTICS Problems are logged to syslogd(8) or postlogd(8), and to the standard error stream.
ENVIRONMENT MAIL_CONFIG Directory with Postfix configuration files.
MAIL_VERBOSE (value does not matter) Enable verbose logging for debugging purposes.
MAIL_DEBUG (value does not matter) Enable debugging with an external command, as specified with the debugger_command configuration parameter.
NAME The sender full name. This is used only with messages that have no From: message header. See also the -F option above.
CONFIGURATION PARAMETERS The following main.cf parameters are especially relevant to this program. The text below provides only a parameter summary. See postconf(5) for more details including examples.
COMPATIBILITY CONTROLS Available with Postfix 2.9 and later:
sendmail_fix_line_endings (always) Controls how the Postfix sendmail command converts email message line endings from <CR><LF> into UNIX format (<LF>).
TROUBLE SHOOTING CONTROLS The DEBUG_README file gives examples of how to troubleshoot a Postfix system.
debugger_command (empty) The external command to execute when a Postfix daemon program is invoked with the -D option.
debug_peer_level (2) The increment in verbose logging level when a nexthop destination, remote client or server name or network address matches a pattern given with the debug_peer_list parameter.
debug_peer_list (empty) Optional list of nexthop destination, remote client or server name or network address patterns that, if matched, cause the verbose logging level to increase by the amount specified in $debug_peer_level.
ACCESS CONTROLS Available in Postfix version 2.2 and later:
authorized_flush_users (static:anyone) List of users who are authorized to flush the queue.
authorized_mailq_users (static:anyone) List of users who are authorized to view the queue.
authorized_submit_users (static:anyone) List of users who are authorized to submit mail with the sendmail(1) command (and with the privileged postdrop(1) helper command).
RESOURCE AND RATE CONTROLS bounce_size_limit (50000) The maximal amount of original message text that is sent in a non-delivery notification.
fork_attempts (5) The maximal number of attempts to fork() a child process.
fork_delay (1s) The delay between attempts to fork() a child process.
hopcount_limit (50) The maximal number of Received: message headers that is allowed in the primary message headers.
queue_run_delay (300s) The time between deferred queue scans by the queue manager; prior to Postfix 2.4 the default value was 1000s.
FAST FLUSH CONTROLS The ETRN_README file describes configuration and operation details for the Postfix "fast flush" service.
fast_flush_domains ($relay_domains) Optional list of destinations that are eligible for per-destination logfiles with mail that is queued to those destinations.
VERP CONTROLS The VERP_README file describes configuration and operation details of Postfix support for variable envelope return path addresses.
default_verp_delimiters (+=) The two default VERP delimiter characters.
verp_delimiter_filter (-=+) The characters Postfix accepts as VERP delimiter characters on the Postfix sendmail(1) command line and in SMTP commands.
MISCELLANEOUS CONTROLS alias_database (see 'postconf -d' output) The alias databases for local(8) delivery that are updated with "newaliases" or with "sendmail -bi".
command_directory (see 'postconf -d' output) The location of all postfix administrative commands.
config_directory (see 'postconf -d' output) The default location of the Postfix main.cf and master.cf configuration files.
daemon_directory (see 'postconf -d' output) The directory with Postfix support programs and daemon programs.
default_database_type (see 'postconf -d' output) The default database type for use in newaliases(1), postalias(1) and postmap(1) commands.
delay_warning_time (0h) The time after which the sender receives a copy of the message headers of mail that is still queued.
import_environment (see 'postconf -d' output) The list of environment parameters that a privileged Postfix process will import from a non-Postfix parent process, or name=value environment overrides.
mail_owner (postfix) The UNIX system account that owns the Postfix queue and most Postfix daemon processes.
queue_directory (see 'postconf -d' output) The location of the Postfix top-level queue directory.
remote_header_rewrite_domain (empty) Don't rewrite message headers from remote clients at all when this parameter is empty; otherwise, rewrite message headers and append the spec‐ ified domain name to incomplete addresses.
syslog_facility (mail) The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output) A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd".
Postfix 3.2 and later:
alternate_config_directories (empty) A list of non-default Postfix configuration directories that may be specified with "-c config_directory" on the command line (in the case of sendmail(1), with the "-C" option), or via the MAIL_CONFIG environment parameter.
multi_instance_directories (empty) An optional list of non-default Postfix configuration directories; these directories belong to additional Postfix instances that share the Postfix executable files and documentation with the default Postfix instance, and that are started, stopped, etc., together with the default Postfix instance.
FILES /var/spool/postfix, mail queue /etc/postfix, configuration files
SEE ALSO pickup(8), mail pickup daemon qmgr(8), queue manager smtpd(8), SMTP server flush(8), fast flush service postsuper(1), queue maintenance postalias(1), create/update/query alias database postdrop(1), mail posting utility postfix(1), mail system control postqueue(1), mail queue control postlogd(8), Postfix logging syslogd(8), system logging
README_FILES Use "postconf readme_directory" or "postconf html_directory" to locate this information. DEBUG_README, Postfix debugging howto ETRN_README, Postfix ETRN howto VERP_README, Postfix VERP howto
LICENSE The Secure Mailer license must be distributed with this software.
AUTHOR(S) Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown Heights, NY 10598, USA
Wietse Venema Google, Inc. 111 8th Avenue New York, NY 10011, USA
SENDMAIL(1)