System command filter

This module executes an arbitrary system command during a specified stage of checks execution.

command executable_name arg0 arg1 ... {
    run_on body

    code 1 reject
    code 2 quarantine
}

Arguments

The module arguments specify the command to run. If the first argument is not an absolute path, it is looked up in the Libexec Directory (/usr/lib/maddy on Linux) and in $PATH (in that ordering). Note that no additional handling of arguments is done, especially, the command is executed directly, not via the system shell.

There is a set of special strings that are replaced with the corresponding message-specific values:

{source_ip} – IPv4/IPv6 address of the sending MTA.
{source_host} – Hostname of the sending MTA, from the HELO/EHLO command.
{source_rdns} – PTR record of the sending MTA IP address.
{msg_id} – Internal message identifier. Unique for each delivery.
{auth_user} – Client username, if authenticated using SASL PLAIN
{sender} – Message sender address, as specified in the MAIL FROM SMTP command.
{rcpts} – List of accepted recipient addresses, including the currently handled one.
{address} – Currently handled address. This is a recipient address if the command is called during RCPT TO command handling (run_on rcpt) or a sender address if the command is called during MAIL FROM command handling (run_on sender).

If value is undefined (e.g. {source_ip} for a message accepted over a Unix socket) or unavailable (the command is executed too early), the placeholder is replaced with an empty string. Note that it can not remove the argument. E.g. -i {source_ip} will not become just -i, it will be -i ""

Undefined placeholders are not replaced.

Command stdout

The command stdout must be either empty or contain a valid RFC 5322 header. If it contains a byte stream that does not look a valid header, the message will be rejected with a temporary error.

The header from stdout will be prepended to the message header.

Configuration directives

run_on `conn` | `sender` | `rcpt` | `body`

Default: body

When to run the command. This directive also affects the information visible for the message.

conn
Run before the sender address (MAIL FROM) is handled.
Stdin: Empty
Available placeholders: {source_ip}, {source_host}, {msg_id}, {auth_user}.
sender
Run during sender address (MAIL FROM) handling.
Stdin: Empty
Available placeholders: conn placeholders + {sender}, {address}. The {address} placeholder contains the MAIL FROM address.
rcpt
Run during recipient address (RCPT TO) handling. The command is executed once for each RCPT TO command, even if the same recipient is specified multiple times.
Stdin: Empty
Available placeholders: sender placeholders + {rcpts}. The {address} placeholder contains the recipient address.
body
Run during message body handling.
Stdin: The message header + body
Available placeholders: all except for {address}.

code integer ignore
code integer quarantine
code integer reject smtp-code smtp-enhanced-code smtp-message

This directive specifies the mapping from the command exit code integer to the message pipeline action.

Two codes are defined implicitly, exit code 1 causes the message to be rejected with a permanent error, exit code 2 causes the message to be quarantined. Both actions can be overridden using the 'code' directive.

Frequently Asked Questions
Tutorials
Release builds
Multiple domains configuration
Upgrading from older maddy versions
Outbound delivery security
Docker
Reference manual
- Modules introduction
- Global configuration directives
- TLS configuration
- Automatic certificate management via ACME
- Endpoints configuration
- IMAP storage
  - IMAP filters
  - SQL-indexed storage
  - Blob storage
    - Filesystem
    - Amazon S3
- SMTP message routing (pipeline)
- SMTP targets
- SMTP checks
- SMTP modifiers
  - DKIM signing
  - Envelope sender / recipient rewriting
- Lookup tables (string translation)
- Authentication providers
- Configuration files syntax
Integration with software
Internals