Allow Postfix to call custom scripts by using mail aliases
Using custom mail aliases to run scripts is an established practice. However, on modern Linux distributions it is blocked as a security risk. Following the common Postfix guidelines does not get the scripts to run: Postfix reports the script as called, but nothing actually happens. This has been verified on Oracle Linux 9 (OEL9).
The reason nothing happens is that systemd ships a restrictive unit file for Postfix on OEL9 (and most likely on RHEL9/8 as well).
Let’s go over the setup required to make it work.
First, we need an aliases file with a few examples. Here is a snippet of a few lines from /etc/aliases:

```
user1: someuser@gmail.com
user2: /tmp/last_user2_email.txt
user3: "|/usr/local/bin/mail_parse.sh"
```
After making the required changes, run the command `newaliases` to build the map and update Postfix.
However, mail addressed to these accounts (user2 and user3) will do nothing. The Postfix logs will show that the script was called, but it does not run, and there is no indication in the logs as to why.
The cause is the systemd Postfix unit, as mentioned before. A hint pointing me in the right direction was found in this forum post. My suggested workaround is to create a replacement unit file at /etc/systemd/system/postfix.service (a unit there takes precedence over the vendor unit in /usr/lib/systemd/system, which stays untouched):
```ini
[Unit]
Description=Postfix Mail Transport Agent
After=syslog.target network.target
Conflicts=sendmail.service exim.service

[Service]
Type=forking
PIDFile=/var/spool/postfix/pid/master.pid
EnvironmentFile=-/etc/sysconfig/network
#PrivateTmp=true
#CapabilityBoundingSet=~CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE
#ProtectSystem=true
#PrivateDevices=true
ExecStartPre=-/usr/sbin/restorecon -R /var/spool/postfix/pid
ExecStartPre=-/usr/libexec/postfix/aliasesdb
ExecStartPre=-/usr/libexec/postfix/chroot-update
ExecStart=/usr/sbin/postfix start
ExecReload=/usr/sbin/postfix reload
ExecStop=/usr/sbin/postfix stop

[Install]
WantedBy=multi-user.target
```
Note the commented-out lines: PrivateTmp, CapabilityBoundingSet, ProtectSystem and PrivateDevices. These are the sandboxing directives that confine the Postfix processes; with PrivateTmp=true, for example, a message delivered to /tmp/last_user2_email.txt is written into the service's private /tmp (a systemd-private-* directory) rather than the /tmp you see from a shell, which is why it appears to do nothing. Disabling them widens what the Postfix processes can reach, so if you want a narrower change, a drop-in created with `systemctl edit postfix.service` that sets only the directives you need (for example `PrivateTmp=false`) keeps the rest of the vendor hardening in place. Now, to reload systemd and restart Postfix, run:

```sh
systemctl daemon-reload
systemctl restart postfix.service
```
This should do the trick and allow Postfix (under the default OEL9 configuration) to run scripts. Of course, you need to make sure that the script is executable by `nobody` (the default_privs user Postfix runs alias commands as) and that the script can be called without any problems.
Additional parameters which might be required in Postfix to allow mailing to commands and files are allow_mail_to_commands and allow_mail_to_files (both default to alias,forward; the `include` value permits it from :include: files as well). You can enable them like this:

```sh
postconf -e 'allow_mail_to_commands = alias,forward,include'
postconf -e 'allow_mail_to_files = alias,forward,include'
systemctl restart postfix.service
```
Now it should work as expected. Test your setup and see that it actually works.
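As an added example, not taken from the original post, here is what the /usr/local/bin/mail_parse.sh target of the user3 alias could look like. It assumes a spool directory (/var/spool/mail_parse, overridable via the assumed MAIL_PARSE_SPOOL variable) that is writable by `nobody`, and it uses the exit codes Postfix local(8) understands so that a temporary problem defers the mail instead of bouncing it.

```sh
#!/bin/sh
# Added example of an alias-target script for: user3: "|/usr/local/bin/mail_parse.sh"
# Postfix runs it as default_privs (nobody) with the raw message on stdin and
# interprets the exit status: 0 = delivered, 75 (EX_TEMPFAIL) = defer and retry
# later, anything else = bounce to the sender.
SPOOL="${MAIL_PARSE_SPOOL:-/var/spool/mail_parse}"   # assumed path, must be writable by nobody
EX_TEMPFAIL=75

# store_message DIR: copy stdin into DIR as a private (0600) file and print its path.
# Returns 75 when DIR is missing or not writable so Postfix defers rather than bounces.
store_message() {
    dir="$1"
    [ -d "$dir" ] && [ -w "$dir" ] || return "$EX_TEMPFAIL"
    f="$dir/msg.$(date +%s).$$"
    umask 077
    cat > "$f" || return "$EX_TEMPFAIL"
    printf '%s\n' "$f"
    return 0
}

# parse_subject FILE: print the first Subject: header value from the header block
# (everything before the first empty line); prints nothing if there is none.
parse_subject() {
    sed -n '1,/^$/{s/^[Ss]ubject:[[:space:]]*//p;}' "$1" | head -n 1
}

main() {
    path=$(store_message "$SPOOL") || exit $?
    # Message contents are passed as data to logger, never evaluated by the shell.
    logger -t mail_parse "stored $path subject=$(parse_subject "$path")"
    exit 0
}

# Only run main when invoked as the script itself, so the functions can be sourced.
case "$0" in */mail_parse.sh|mail_parse.sh) main "$@" ;; esac
```

Deliver a test message with `echo test | sendmail user3` and check `journalctl -t mail_parse` to see the stored path.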