| |

Allow Postfix to call custom scripts by using mail aliases

Using custom mail aliases to run scripts is an existing practice. However, on modern Linux distributions it is blocked as a security risk. Following Postfix common guidelines do not allow for it to run the scripts. It reports the script as called, however – it does actually nothing. This has been verified on Oracle Linux 9 (OEL9).

The reason for it doing nothing is that systemd has a limited unit file for Postfix, on OEL9 (and most likely – on RHEL9/8 as well).

Let’s go over the setup required to make it work.

Initially, we need to have aliases file with a few examples. Let’s show one. A snippet of a few lines from /etc/aliases

user1: [email protected]
user2: /tmp/last_user2_email.txt
user3: "|/usr/local/bin/mail_parse.sh"

After the required modification, run the command ‘newaliases’ to build the map and update Postfix.

However, mail targeted at these accounts (user2 and user3) will do nothing. Postfix logs will show that the script was called, but it will not happen, and there is no indication in the logs as to why.

The cause of that is systemd Postfix unit, as mentioned before. A hint pointing me at the correct direction was found in this forum post. In order to work around it, my best offer is to create a replacement systemd file in /etc/systemd/system/postfix.service :

Description=Postfix Mail Transport Agent
After=syslog.target network.target
Conflicts=sendmail.service exim.service
ExecStartPre=-/usr/sbin/restorecon -R /var/spool/postfix/pid
ExecStart=/usr/sbin/postfix start
ExecReload=/usr/sbin/postfix reload
ExecStop=/usr/sbin/postfix stop


Note the commented out lines, including PrivateTmp, CapabilityBoundingSet, ProtectSystem and PrivateDevices. Now, to reload systemd, we need to run

systemctl daemon-reload
systemctl restart postfix.service

This should do the trick, and allow Postfix (under default OEL9 configuration) to run scripts. Of course – you need to make sure that the script is executable by ‘nobody’ and that the script can be called without any problems.

Additional parameters which might be required in Postfix to allow mailing to scripts are allow_mail_to_commands and allow_mail_to_files. You can enable them like this:

postconf allow_mail_to_commands=alias,forward,include
postconf allow_mail_to_files=alias,forward,include
systemctl restart postfix.service

Now it should work as expected. Test your setup and see that it actually works.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.