1<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" 2 "http://www.w3.org/TR/html4/loose.dtd"> 3 4<html> 5 6<head> 7 8<title>Postfix Lookup Table Overview</title> 9 10<meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> 11 12</head> 13 14<body> 15 16<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix 17Lookup Table Overview</h1> 18 19<hr> 20 21<h2>Overview </h2> 22 23This document covers the following topics: 24 25<ul> 26 27<li><a href="#intro">The Postfix lookup table model</a> 28 29<li><a href="#lists">Postfix lists versus tables </a> 30 31<li><a href="#preparing">Preparing Postfix for LDAP or SQL lookups</a> 32 33<li><a href="#detect">Maintaining Postfix lookup table files</a> 34 35<li><a href="#safe_db">Updating Berkeley DB files safely</a> 36 37<li><a href="#types">Postfix lookup table types</a> 38 39</ul> 40 41<h2><a name="intro">The Postfix lookup table model</a></h2> 42 43<p> Postfix uses lookup tables to store and look up information 44for access control, address rewriting and even for content filtering. 45All Postfix lookup tables are specified as "type:table", where 46"type" is one of the database types described under "<a 47href="#types">Postfix lookup table types</a>" at the end of this 48document, and where "table" is the lookup table name. The Postfix 49documentation uses the terms "database" and "lookup table" for the 50same thing. </p> 51 52<p> Examples of lookup tables that appear often in the Postfix 53documentation: </p> 54 55<blockquote> 56<pre> 57/etc/postfix/main.cf: 58 alias_maps = hash:/etc/postfix/aliases (local aliasing) 59 header_checks = regexp:/etc/postfix/header_checks (content filtering) 60 transport_maps = hash:/etc/postfix/transport (routing table) 61 virtual_alias_maps = hash:/etc/postfix/virtual (address rewriting) 62</pre> 63</blockquote> 64 65<p> All Postfix lookup tables store information as (key, value) 66pairs. This interface may seem simplistic at first, but it turns 67out to be very powerful. The (key, value) query interface completely 68hides the complexities of LDAP or SQL from Postfix. This is a good 69example of connecting complex systems with simple interfaces. </p> 70 71<p> Benefits of the Postfix (key, value) query interface:</p> 72 73<ul> 74 75<li> You can implement Postfix lookup tables first with local 76Berkeley DB files and then switch to LDAP or MySQL without any 77impact on the Postfix configuration itself, as described under "<a 78href="#preparing">Preparing Postfix for LDAP or SQL lookups</a>" 79below. 80 81<li> You can use Berkeley DB files with fixed lookup strings for 82simple address rewriting operations and you can use regular expression 83tables for the more complicated work. In other words, you don't 84have to put everything into the same table. 85 86</ul> 87 88<h2><a name="lists">Postfix lists versus tables </a></h2> 89 90<p> Most Postfix lookup tables are used to look up information. 91Examples are address rewriting (the lookup string is the old address, 92and the result is the new address) or access control (the lookup 93string is the client, sender or recipient, and the result is an 94action such as "reject"). </p> 95 96<p> With some tables, however, Postfix needs to know only if the 97lookup key exists. The lookup result itself is not used. Examples 98are the local_recipient_maps that determine what local recipients 99Postfix accepts in mail from the network, the mydestination parameter 100that specifies what domains Postfix delivers locally, or the 101mynetworks parameter that specifies the IP addresses of trusted 102clients or client networks. Technically, these are lists, not 103tables. Despite the difference, Postfix lists are described here 104because they use the same underlying infrastructure as Postfix 105lookup tables. </p> 106 107<h2><a name="preparing">Preparing Postfix for LDAP or SQL lookups</a> 108</h2> 109 110<p> LDAP and SQL are complex systems. Trying to set up both Postfix 111and LDAP or SQL at the same time is definitely not a good idea. 112You can save yourself a lot of time by implementing Postfix first 113with local files such as Berkeley DB. Local files have few surprises, 114and are easy to debug with the postmap(1) command: </p> 115 116<blockquote> 117<pre> 118% <b>postmap -q info@example.com hash:/etc/postfix/virtual </b> 119</pre> 120</blockquote> 121 122<p> Once you have local files working properly you can follow the 123instructions in ldap_table(5), mysql_table(5), pgsql_table(5) 124or sqlite_table(5) 125and replace local file lookups with LDAP or SQL lookups. When you 126do this, you should use the postmap(1) command again, to verify 127that database lookups still produce the exact same results as local 128file lookup: </p> 129 130<blockquote> 131<pre> 132% <b>postmap -q info@example.com ldap:/etc/postfix/virtual.cf </b> 133</pre> 134</blockquote> 135 136<p> Be sure to exercise all the partial address or parent domain 137queries that are documented under "table search order" in the 138relevant manual page: access(5), canonical(5), virtual(5), 139transport(5), or under the relevant configuration parameter: 140mynetworks, relay_domains, parent_domain_matches_subdomains. </p> 141 142<h2><a name="detect">Maintaining Postfix lookup table files</a></h2> 143 144<p> When you make changes to a database while the mail system is 145running, it would be desirable if Postfix avoids reading information 146while that information is being changed. It would also be nice if 147you can change a database without having to execute "postfix reload", 148in order to force Postfix to use the new information. Each time 149you do "postfix reload" Postfix loses a lot of performance. 150</p> 151 152<ul> 153 154<li> <p> If you change a network database such as LDAP, NIS or 155SQL, there is no need to execute "postfix reload". The LDAP, NIS 156or SQL server takes care of read/write access conflicts and gives 157the new data to Postfix once that data is available. </p> 158 159<li> <p> If you change a regexp: or pcre: file then Postfix may or 160may not pick up the file changes immediately. This is because a 161Postfix process reads the entire file into memory once and never 162examines the file again. </p> 163 164<ul> 165 166<li> <p> If the file is used by a short-running process such as 167smtpd(8), cleanup(8) or local(8), there is no need to execute 168"postfix reload" after making a change. </p> 169 170<li> <p> If the file is being used by a long-running process such 171as trivial-rewrite(8) on a busy server it may be necessary to 172execute "postfix reload". </p> 173 174</ul> 175 176<li> <p> If you change a local file based database such as DBM or 177Berkeley DB, there is no need to execute "postfix reload". Postfix 178uses file locking to avoid read/write access conflicts, and whenever 179a Postfix daemon process notices that a file has changed it will 180terminate before handling the next client request, so that a new 181process can initialize with the new database. </p> 182 183</ul> 184 185<h2><a name="safe_db">Updating Berkeley DB files safely</a></h2> 186 187<p> Although Postfix uses file locking to avoid access conflicts 188while updating Berkeley DB or other local database files, you still 189have a problem when the update fails because the disk is full or 190because something else happens. This is because commands such as 191postmap(1) or postalias(1) overwrite existing files. If the update 192fails in the middle then you have no usable database, and Postfix 193will stop working. This is not an issue with the CDB database type 194available with Postfix 2.2 and later: <a href="CDB_README.html">CDB</a> 195creates a new file, and renames the file upon successful completion. 196</p> 197 198<p> With multi-file databases such as DBM, there is no simple 199solution. With Berkeley DB and other "one file" databases, it is 200possible to add some extra robustness by using "mv" to REPLACE an 201existing database file instead of overwriting it: </p> 202 203<blockquote> 204<pre> 205# <b>postmap access.in && mv access.in.db access.db</b> 206</pre> 207</blockquote> 208 209<p> This converts the input file "access.in" into the output file 210"access.in.db", and replaces the file "access.db" only when the 211postmap(1) command was successful. Of course typing such commands 212becomes boring quickly, and this is why people use "make" instead, 213as shown below. User input is shown in bold font. </p> 214 215<blockquote> 216<pre> 217# <b>cat Makefile</b> 218all: aliases.db access.db virtual.db ...etcetera... 219 220# Note 1: commands are specified after a TAB character. 221# Note 2: use postalias(1) for local aliases, postmap(1) for the rest. 222aliases.db: aliases.in 223 postalias aliases.in 224 mv aliases.in.db aliases.db 225 226access.db: access.in 227 postmap access.in 228 mv access.in.db access.db 229 230virtual.db: virtual.in 231 postmap virtual.in 232 mv virtual.in.db virtual.db 233 234...etcetera... 235# <b>vi access.in</b> 236...editing session not shown... 237# <b>make</b> 238postmap access.in 239mv access.in.db access.db 240# 241</pre> 242</blockquote> 243 244<p> The "make" command updates only the files that have changed. 245In case of error, the "make" command will stop and will not invoke 246the "mv" command, so that Postfix will keep using the existing 247database file as if nothing happened. </p> 248 249<h2><a name="types">Postfix lookup table types</a> </h2> 250 251<p> To find out what database types your Postfix system supports, 252use the "<b>postconf -m</b>" command. Here is a list of database types 253that are often supported: </p> 254 255<blockquote> 256 257<dl> 258 259<dt> <b>btree</b> </dt> 260 261<dd> A sorted, balanced tree structure. This is available only on 262systems with support for Berkeley DB databases. Database files are 263created with the postmap(1) or postalias(1) command. The lookup 264table name as used in "btree:table" is the database file name 265without the ".db" suffix. </dd> 266 267<dt> <b>cdb</b> </dt> 268 269<dd> A read-optimized structure with no support for incremental updates. 270Database files are created with the postmap(1) or postalias(1) command. 271The lookup table name as used in "cdb:table" is the database file name 272without the ".cdb" suffix. This feature is available with Postfix 2.2 273and later. </dd> 274 275<dt> <b>cidr</b> </dt> 276 277<dd> A table that associates values with Classless Inter-Domain 278Routing (CIDR) patterns. The table format is described in cidr_table(5). 279</dd> 280 281<dt> <b>dbm</b> </dt> 282 283<dd> An indexed file type based on hashing. This is available only 284on systems with support for DBM databases. Database files are 285created with the postmap(1) or postalias(1) command. The lookup 286table name as used in "dbm:table" is the database file name without 287the ".dir" or ".pag" suffix. </dd> 288 289<dt> <b>environ</b> </dt> 290 291<dd> The UNIX process environment array. The lookup key is the 292variable name. The lookup table name in "environ:table" is ignored. 293</dd> 294 295<dt> <b>fail</b> </dt> 296 297<dd> A table that reliably fails all requests. The lookup table 298name is used for logging only. This table exists to simplify Postfix 299error tests. </dd> 300 301<dt> <b>hash</b> </dt> 302 303<dd> An indexed file type based on hashing. This is available only 304on systems with support for Berkeley DB databases. Database files are 305created with the postmap(1) or postalias(1) command. The database 306name as used in "hash:table" is the database file name without the 307".db" suffix. </dd> 308 309<dt> <b>internal</b> </dt> 310 311<dd> A non-shared, in-memory hash table. Its content are lost when 312a process terminates. </dd> 313 314<dt> <b>ldap</b> (read-only) </dt> 315 316<dd> Perform lookups using the LDAP protocol. Configuration details 317are given in the ldap_table(5). </dd> 318 319<dt> <b>memcache</b> </dt> 320 321<dd> Perform memcache database lookups or updates. Configuration 322details are given in memcache_table(5). </dd> 323 324<dt> <b>mysql</b> (read-only) </dt> 325 326<dd> Perform MySQL database lookups. Configuration details are given 327in mysql_table(5). </dd> 328 329<dt> <b>netinfo</b> (read-only) </dt> 330 331<dd> Perform Netinfo database lookups. </dd> 332 333<dt> <b>nis</b> (read-only) </dt> 334 335<dd> Perform NIS database lookups. </dd> 336 337<dt> <b>nisplus</b> (read-only) </dt> 338 339<dd> Perform NIS+ database lookups. Configuration details are given 340in nisplus_table(5). </dd> 341 342<dt> <b>pcre</b> (read-only) </dt> 343 344<dd> A lookup table based on Perl Compatible Regular Expressions. 345The file format is described in pcre_table(5). The lookup table 346name as used in "pcre:table" is the name of the regular expression 347file. </dd> 348 349<dt> <b>pgsql</b> (read-only) </dt> 350 351<dd> Perform PostgreSQL database lookups. Configuration details 352are given in pgsql_table(5). </dd> 353 354<dt> <b>proxy</b> </dt> 355 356<dd> Access information via the Postfix proxymap(8) service. The 357lookup table name syntax is "proxy:type:table". </dd> 358 359<dt> <b>regexp</b> (read-only) </dt> 360 361<dd> A lookup table based on regular expressions. The file format 362is described in regexp_table(5). The lookup table name as used in 363"regexp:table" is the name of the regular expression file. </dd> 364 365<dt> <b>sdbm</b> </dt> 366 367<dd> An indexed file type based on hashing. This is available only 368on systems with support for SDBM databases. Database files are 369created with the postmap(1) or postalias(1) command. The lookup 370table name as used in "sdbm:table" is the database file name without 371the ".dir" or ".pag" suffix. </dd> 372 373<dt> <b>socketmap</b> (read-only) </dt> 374 375<dd> Query a Sendmail-style socketmap server. The name of the table 376specifies <b>inet</b>:<i>host</i>:<i>port</i>:<i>socketmap-name</i> 377for a TCP-based server, or 378<b>unix</b>:<i>pathname</i>:<i>socketmap-name</i> for a UNIX-domain 379server. In both cases <i>socketmap-name</i> is the name of the 380socketmap. </dd> 381 382<dt> <b>sqlite</b> (read-only) </dt> 383 384<dd> Perform SQLite database lookups. Configuration details are given 385in sqlite_table(5). </dd> 386 387<dt> <b>static</b> (read-only) </dt> 388 389<dd> Always returns its lookup table name as lookup result. For 390example, the lookup table "static:foobar" always returns the string 391"foobar" as lookup result. </dd> 392 393<dt> <b>tcp</b> </dt> 394 395<dd> Access information through a TCP/IP server. The protocol is 396described in tcp_table(5). The lookup table name is "tcp:host:port" 397where "host" specifies a symbolic hostname or a numeric IP address, 398and "port" specifies a symbolic service name or a numeric port 399number. 400</dd> 401 402<dt> <b>texthash</b> (read-only) </dt> 403 404<dd> This produces similar results as hash: files, except that you 405don't have to run the postmap(1) command before you can use the 406file, and that texthash: does not detect changes after the file is 407read. The lookup table name is "texthash:filename", where the file 408name is taken literally; no suffix is appended. </dd> 409 410<dt> <b>unix</b> (read-only) </dt> 411 412<dd> A limited way to query the UNIX authentication database. The 413following tables are implemented: 414 415<dl> 416 417<dt> <b>unix:passwd.byname</b> </dt> 418 419<dd>The table is the UNIX password database. The key is a login 420name. The result is a password file entry in passwd(5) format. 421</dd> 422 423<dt> <b>unix:group.byname</b> </dt> 424 425<dd> The table is the UNIX group database. The key is a group name. 426The result is a group file entry in group(5) format. </dd> 427 428</dl> </dd> 429 430</dl> 431 432</blockquote> 433 434<p> Other lookup table types may be available depending on how 435Postfix was built. With some Postfix distributions the list is 436dynamically extensible as support for lookup tables is dynamically 437linked into Postfix. </p> 438 439</body> 440 441</html> 442
