1<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
2        "https://www.w3.org/TR/html4/loose.dtd">
3
4<html>
5
6<head>
7
8<title>Postfix Lookup Table Overview</title>
9
10<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
11<link rel='stylesheet' type='text/css' href='postfix-doc.css'>
12
13</head>
14
15<body>
16
17<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix
18Lookup Table Overview</h1>
19
20<hr>
21
22<h2>Overview </h2>
23
24This document covers the following topics:
25
26<ul>
27
28<li><a href="#intro">The Postfix lookup table model</a>
29
30<li><a href="#lists">Postfix lists versus tables </a>
31
32<li><a href="#preparing">Preparing Postfix for LDAP or SQL lookups</a>
33
34<li><a href="#detect">Maintaining Postfix lookup table files</a>
35
36<li><a href="#safe_db">Updating Berkeley DB files safely</a>
37
38<li><a href="#types">Postfix lookup table types</a>
39
40</ul>
41
42<h2><a name="intro">The Postfix lookup table model</a></h2>
43
44<p> Postfix uses lookup tables to store and look up information
45for access control, address rewriting and even for content filtering.
46All Postfix lookup tables are specified as "<a href="DATABASE_README.html">type:table</a>", where
47"type" is one of the database types described under "<a
48href="#types">Postfix lookup table types</a>" at the end of this
49document, and where "table" is the lookup table name. The Postfix
50documentation uses the terms "database" and "lookup table" for the
51same thing.  </p>
52
53<p> Examples of lookup tables that appear often in the Postfix
54documentation: </p>
55
56<blockquote>
57<pre>
58/etc/postfix/<a href="postconf.5.html">main.cf</a>:
59    <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/aliases            (<a href="ADDRESS_REWRITING_README.html#aliases">local aliasing</a>)
60    <a href="postconf.5.html#header_checks">header_checks</a> = <a href="regexp_table.5.html">regexp</a>:/etc/postfix/header_checks (content filtering)
61    <a href="postconf.5.html#transport_maps">transport_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/transport      (routing table)
62    <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/virtual    (<a href="ADDRESS_REWRITING_README.html#virtual">virtual aliasing</a>)
63</pre>
64</blockquote>
65
66<p> All Postfix lookup tables store information as (key, value)
67pairs.  This interface may seem simplistic at first, but it turns
68out to be very powerful. The (key, value) query interface completely
69hides the complexities of LDAP or SQL from Postfix. This is a good
70example of connecting complex systems with simple interfaces.  </p>
71
72<p> Benefits of the Postfix (key, value) query interface:</p>
73
74<ul>
75
76<li>  You can implement Postfix lookup tables first with local
77Berkeley DB files and then switch to LDAP or MySQL without any
78impact on the Postfix configuration itself, as described under "<a
79href="#preparing">Preparing Postfix for LDAP or SQL lookups</a>"
80below.
81
82<li> You can use Berkeley DB files with fixed lookup strings for
83simple address rewriting operations and you can use regular expression
84tables for the more complicated work. In other words, you don't
85have to put everything into the same table.
86
87</ul>
88
89<h2><a name="lists">Postfix lists versus tables </a></h2>
90
91<p> Most Postfix lookup tables are used to look up information.
92Examples are address rewriting (the lookup string is the old address,
93and the result is the new address) or access control (the lookup
94string is the client, sender or recipient, and the result is an
95action such as "reject"). </p>
96
97<p> With some tables, however, Postfix needs to know only if the
98lookup key exists.  Any non-empty lookup result value may be used
99here: the lookup result is not used. Examples
100are the <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> that determine what local recipients
101Postfix accepts in mail from the network, the <a href="postconf.5.html#mydestination">mydestination</a> parameter
102that specifies what domains Postfix delivers locally for, or the
103<a href="postconf.5.html#mynetworks">mynetworks</a> parameter that specifies the IP addresses of trusted
104clients or client networks.  Technically, these are lists, not
105tables. Despite the difference, Postfix lists are described here
106because they use the same underlying infrastructure as Postfix
107lookup tables.  </p>
108
109<h2><a name="preparing">Preparing Postfix for LDAP or SQL lookups</a>
110</h2>
111
112<p> LDAP and SQL are complex systems. Trying to set up both Postfix
113and LDAP or SQL at the same time is definitely not a good idea.
114You can save yourself a lot of time by implementing Postfix first
115with local files such as Berkeley DB.  Local files have few surprises,
116and are easy to debug with the <a href="postmap.1.html">postmap(1)</a> command:  </p>
117
118<blockquote>
119<pre>
120% <b>postmap -q info@example.com <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/virtual </b>
121</pre>
122</blockquote>
123
124<p> Once you have local files working properly you can follow the
125instructions in <a href="ldap_table.5.html">ldap_table(5)</a>, <a href="mysql_table.5.html">mysql_table(5)</a>, <a href="pgsql_table.5.html">pgsql_table(5)</a>
126or <a href="sqlite_table.5.html">sqlite_table(5)</a>
127and replace local file lookups with LDAP or SQL lookups.  When you
128do this, you should use the <a href="postmap.1.html">postmap(1)</a> command again, to verify
129that database lookups still produce the exact same results as local
130file lookup:  </p>
131
132<blockquote>
133<pre>
134% <b>postmap -q info@example.com <a href="ldap_table.5.html">ldap</a>:/etc/postfix/virtual.cf </b>
135</pre>
136</blockquote>
137
138<p> Be sure to exercise all the partial address or parent domain
139queries that are documented under "table search order" in the
140relevant manual page:  <a href="access.5.html">access(5)</a>, <a href="canonical.5.html">canonical(5)</a>, <a href="virtual.5.html">virtual(5)</a>,
141<a href="transport.5.html">transport(5)</a>, or under the relevant configuration parameter:
142<a href="postconf.5.html#mynetworks">mynetworks</a>, <a href="postconf.5.html#relay_domains">relay_domains</a>, <a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a>. </p>
143
144<h2><a name="detect">Maintaining Postfix lookup table files</a></h2>
145
146<p> When you make changes to a database while the mail system is
147running, it would be desirable if Postfix avoids reading information
148while that information is being changed. It would also be nice if
149you can change a database without having to execute "postfix reload",
150in order to force Postfix to use the new information. Each time
151you do "postfix reload" Postfix loses a lot of performance.
152</p>
153
154<ul>
155
156<li> <p> If you change a network database such as LDAP, NIS or
157SQL, there is no need to execute "postfix reload".  The LDAP, NIS
158or SQL server takes care of read/write access conflicts and gives
159the new data to Postfix once that data is available.  </p>
160
161<li> <p> If you change a <a href="regexp_table.5.html">regexp</a>:, <a href="pcre_table.5.html">pcre</a>:, <a href="cidr_table.5.html">cidr</a>: or <a href="DATABASE_README.html#types">texthash</a>: file
162then Postfix
163may not pick up the file changes immediately. This is because a
164Postfix process reads the entire file into memory once and never
165examines the file again.  </p>
166
167<ul>
168
169<li> <p> If the file is used by a short-running process such as
170<a href="smtpd.8.html">smtpd(8)</a>, <a href="cleanup.8.html">cleanup(8)</a> or <a href="local.8.html">local(8)</a>, there is no need to execute
171"postfix reload" after making a change. </p>
172
173<li> <p> If the file is being used by a long-running process such
174as <a href="trivial-rewrite.8.html">trivial-rewrite(8)</a> on a busy server it may be necessary to
175execute "postfix reload". </p>
176
177</ul>
178
179<li> <p> If you change a local file based database such as DBM or
180Berkeley DB, there is no need to execute "postfix reload".  Postfix
181uses file locking to avoid read/write access conflicts, and whenever
182a Postfix daemon process notices that a file has changed it will
183terminate before handling the next client request, so that a new
184process can initialize with the new database.  </p>
185
186</ul>
187
188<h2><a name="safe_db">Updating Berkeley DB files safely</a></h2>
189
190<p> Postfix uses file locking to avoid access conflicts while
191updating Berkeley DB or other local database files. This used to
192be safe, but as Berkeley DB has evolved to use more aggressive
193caching, file locking may no longer be sufficient. </p>
194
195<p> Furthermore, file locking would not prevent problems when the
196update fails because the disk is full or something else causes a
197database update to fail. In particular, commands such as <a href="postmap.1.html">postmap(1)</a>
198or <a href="postalias.1.html">postalias(1)</a> overwrite existing files. If the overwrite
199fails in the middle then you have no usable database, and Postfix
200will stop working. This is not an issue with the CDB database type
201available with Postfix 2.2 and later: <a href="CDB_README.html">CDB</a>
202creates a new file, and renames the file upon successful completion.
203</p>
204
205<p> With Berkeley DB and other "one file" databases, it is
206possible to add some extra robustness by using "mv" to REPLACE an
207existing database file instead of overwriting it:  </p>
208
209<blockquote>
210<pre>
211# <b>postmap access.in &amp;&amp; mv access.in.db access.db</b>
212</pre>
213</blockquote>
214
215<p> This converts the input file "access.in" into the output file
216"access.in.db", and replaces the file "access.db" only when the
217<a href="postmap.1.html">postmap(1)</a> command was successful. Of course typing such commands
218becomes boring quickly, and this is why people use "make" instead,
219as shown below.  User input is shown in bold font. </p>
220
221<blockquote>
222<pre>
223# <b>cat Makefile</b>
224all: aliases.db access.db virtual.db ...etcetera...
225
226# Note 1: commands are specified after a TAB character.
227# Note 2: use <a href="postalias.1.html">postalias(1)</a> for local aliases, <a href="postmap.1.html">postmap(1)</a> for the rest.
228aliases.db: aliases.in
229        postalias aliases.in
230        mv aliases.in.db aliases.db
231
232access.db: access.in
233        postmap access.in
234        mv access.in.db access.db
235
236virtual.db: virtual.in
237        postmap virtual.in
238        mv virtual.in.db virtual.db
239
240...etcetera...
241# <b>vi access.in</b>
242...editing session not shown...
243# <b>make</b>
244postmap access.in
245mv access.in.db access.db
246#
247</pre>
248</blockquote>
249
250<p> The "make" command updates only the files that have changed.
251In case of error, the "make" command will stop and will not invoke
252the "mv" command, so that Postfix will keep using the existing
253database file as if nothing happened. </p>
254
255<h2><a name="types">Postfix lookup table types</a> </h2>
256
257<p> To find out what database types your Postfix system supports,
258use the "<b>postconf -m</b>" command.  Here is a list of database types
259that are often supported: </p>
260
261<blockquote>
262
263<dl>
264
265<dt> <b>btree</b> </dt>
266
267<dd> A sorted, balanced tree structure.  This is available only on
268systems with support for Berkeley DB databases. Database files are
269created with the <a href="postmap.1.html">postmap(1)</a> or <a href="postalias.1.html">postalias(1)</a> command. The lookup
270table name as used in "<a href="DATABASE_README.html#types">btree</a>:table" is the database file name
271without the ".db" suffix.  </dd>
272
273<dt> <b>cdb</b> </dt>
274
275<dd> A read-optimized structure with no support for incremental updates.
276Database files are created with the <a href="postmap.1.html">postmap(1)</a> or <a href="postalias.1.html">postalias(1)</a> command.
277The lookup table name as used in "<a href="CDB_README.html">cdb</a>:table" is the database file name
278without the ".cdb" suffix.  This feature is available with Postfix 2.2
279and later. </dd>
280
281<dt> <b>cidr</b> </dt>
282
283<dd> A table that associates values with Classless Inter-Domain
284Routing (CIDR) patterns. The table format is described in <a href="cidr_table.5.html">cidr_table(5)</a>.
285</dd>
286
287<dt> <b>dbm</b> </dt>
288
289<dd> An indexed file type based on hashing.  This is available only
290on systems with support for DBM databases. Public database files
291are created with the <a href="postmap.1.html">postmap(1)</a> or <a href="postalias.1.html">postalias(1)</a> command, and private
292databases are maintained by Postfix daemons. The lookup table name
293as used in "<a href="DATABASE_README.html#types">dbm</a>:table" is the database file name without the ".dir"
294or ".pag" suffix.  </dd>
295
296<dt> <b>environ</b> </dt>
297
298<dd> The UNIX process environment array. The lookup key is the
299variable name. The lookup table name in "<a href="DATABASE_README.html#types">environ</a>:table" is ignored.
300</dd>
301
302<dt> <b>fail</b> </dt>
303
304<dd> A table that reliably fails all requests. The lookup table
305name is used for logging only. This table exists to simplify Postfix
306error tests. </dd>
307
308<dt> <b>hash</b> </dt>
309
310<dd> An indexed file type based on hashing.  This is available only
311on systems with support for Berkeley DB databases. Public database
312files are created with the <a href="postmap.1.html">postmap(1)</a> or <a href="postalias.1.html">postalias(1)</a> command, and
313private databases are maintained by Postfix daemons. The database
314name as used in "<a href="DATABASE_README.html#types">hash</a>:table" is the database file name without the
315".db" suffix.  </dd>
316
317<dt> <b>inline</b> (read-only) </dt>
318
319<dd> A non-shared, in-memory lookup table. Example: "<a href="DATABASE_README.html#types">inline</a>:{
320<i>key=value</i>, { <i>key = text with whitespace or comma</i> }}".
321Key-value pairs are separated by whitespace or comma; with a key-value
322pair inside "{}", whitespace is ignored after the opening "{",
323around the "=" between key and value, and before the closing "}".
324Inline tables eliminate the
325need to create a database file for just a few fixed elements. See
326also the <a href="DATABASE_README.html#types">static</a>: map type. </dd>
327
328<dt> <b>internal</b> </dt>
329
330<dd> A non-shared, in-memory hash table. Its contents are lost when
331a process terminates. </dd>
332
333<dt> <b>lmdb</b> </dt>
334
335<dd> OpenLDAP LMDB database.  This is available only on systems
336with support for LMDB databases. Public database files are created
337with the <a href="postmap.1.html">postmap(1)</a> or <a href="postalias.1.html">postalias(1)</a> command, and private databases
338are maintained by Postfix daemons. The database name as used in
339"<a href="lmdb_table.5.html">lmdb</a>:table" is the database file name without the ".lmdb" suffix.
340See <a href="lmdb_table.5.html">lmdb_table(5)</a> for details.  </dd>
341
342<dt> <b>ldap</b> (read-only) </dt>
343
344<dd> LDAP database client. Configuration details are given in the
345<a href="ldap_table.5.html">ldap_table(5)</a>. </dd>
346
347<dt> <b>memcache</b> </dt>
348
349<dd> Memcache database client. Configuration details are given in
350<a href="memcache_table.5.html">memcache_table(5)</a>. </dd>
351
352<dt> <b>mongodb</b> (read-only) </dt>
353
354<dd> MongoDB database client. Configuration details are given in
355<a href="mongodb_table.5.html">mongodb_table(5)</a>, with examples in <a href="MONGODB_README.html">MONGODB_README</a>. </dd>
356
357<dt> <b>mysql</b> (read-only) </dt>
358
359<dd> MySQL database client. Configuration details are given in
360<a href="mysql_table.5.html">mysql_table(5)</a>.  </dd>
361
362<dt> <b>netinfo</b> (read-only) </dt>
363
364<dd> Netinfo database client. </dd>
365
366<dt> <b>nis</b> (read-only) </dt>
367
368<dd> NIS database client. </dd>
369
370<dt> <b>nisplus</b> (read-only) </dt>
371
372<dd> NIS+ database client. Configuration details are given in
373<a href="nisplus_table.5.html">nisplus_table(5)</a>.  </dd>
374
375<dt> <b>pcre</b> (read-only) </dt>
376
377<dd> A lookup table based on Perl Compatible Regular Expressions.
378The file format is described in <a href="pcre_table.5.html">pcre_table(5)</a>. The lookup table
379name as used in "<a href="pcre_table.5.html">pcre</a>:table" is the name of the regular expression
380file.  </dd>
381
382<dt> <b>pipemap</b> (read-only) </dt>
383
384<dd> A pipeline of lookup tables. Example:
385"<a href="DATABASE_README.html#types">pipemap</a>:{<i>type<sub>1</sub>:name<sub>1</sub>, ...,
386type<sub>n</sub>:name<sub>n</sub></i>}".  Each "<a href="DATABASE_README.html#types">pipemap</a>:" query is
387given to the first table.  Each lookup result becomes the query for
388the next table in the pipeline, and the last table produces the
389final result.  When any table lookup produces no result, the pipeline
390produces no result.  The first and last characters of the "<a href="DATABASE_README.html#types">pipemap</a>:"
391table name must be "{" and "}". Within these, individual maps are
392separated with comma or whitespace.  </dd>
393
394<dt> <b>pgsql</b> (read-only) </dt>
395
396<dd> PostgreSQL database client.  Configuration details are given
397in <a href="pgsql_table.5.html">pgsql_table(5)</a>. </dd>
398
399<dt> <b>proxy</b> </dt>
400
401<dd> Postfix <a href="proxymap.8.html">proxymap(8)</a> client for shared access to Postfix
402databases. The lookup table name syntax is "<a href="proxymap.8.html">proxy</a>:<a href="DATABASE_README.html">type:table</a>".
403</dd>
404
405<dt> <b>randmap</b> (read-only) </dt>
406
407<dd> An in-memory table that performs random selection.  Example:
408"<a href="DATABASE_README.html#types">randmap</a>:{<i>result<sub>1</sub>. ..., result<sub>n</sub></i>}".
409Each table query returns a random choice from the specified results.
410The first and last characters of the "<a href="DATABASE_README.html#types">randmap</a>:" table name must be
411"{" and "}".  Within these, individual maps are separated with comma
412or whitespace. To give a specific result more weight, specify it
413multiple times. </dd>
414
415<dt> <b>regexp</b> (read-only) </dt>
416
417<dd> A lookup table based on regular expressions. The file format
418is described in <a href="regexp_table.5.html">regexp_table(5)</a>. The lookup table name as used in
419"<a href="regexp_table.5.html">regexp</a>:table" is the name of the regular expression file. </dd>
420
421<dt> <b>sdbm</b> </dt>
422
423<dd> An indexed file type based on hashing.  This is available only
424on systems with support for SDBM databases. Public database files
425are created with the <a href="postmap.1.html">postmap(1)</a> or <a href="postalias.1.html">postalias(1)</a> command, and private
426databases are maintained by Postfix daemons. The lookup table name
427as used in "<a href="DATABASE_README.html#types">sdbm</a>:table" is the database file name without the ".dir"
428or ".pag" suffix.  </dd>
429
430<dt> <b>socketmap</b> (read-only) </dt>
431
432<dd> Sendmail-style socketmap client. The name of the table is
433either <b>inet</b>:<i>host</i>:<i>port</i>:<i>name</i> for a TCP/IP
434server, or <b>unix</b>:<i>pathname</i>:<i>name</i> for a UNIX-domain
435server. See <a href="socketmap_table.5.html">socketmap_table(5)</a> for details.  </dd>
436
437<dt> <b>sqlite</b> (read-only) </dt>
438
439<dd> SQLite database. Configuration details are given in <a href="sqlite_table.5.html">sqlite_table(5)</a>.
440</dd>
441
442<dt> <b>static</b> (read-only) </dt>
443
444<dd> A table that always returns its name as the lookup result.
445For example, "<a href="DATABASE_README.html#types">static</a>:foobar" always returns the string "foobar" as
446lookup result. Specify "<a href="DATABASE_README.html#types">static</a>:{ <i>text with whitespace</i> }"
447when the result contains whitespace; this form ignores whitespace
448after the opening "{" and before the closing "}". See also the
449<a href="DATABASE_README.html#types">inline</a>: map type. </dd>
450
451<dt> <b>tcp</b> </dt>
452
453<dd> TCP/IP client. The protocol is described in <a href="tcp_table.5.html">tcp_table(5)</a>. The
454lookup table name is "<a href="tcp_table.5.html">tcp</a>:host:port" where "host" specifies a
455symbolic hostname or a numeric IP address, and "port" specifies a
456symbolic service name or a numeric port number.  </dd>
457
458<dt> <b>texthash</b> (read-only) </dt>
459
460<dd> A table that produces similar results as <a href="DATABASE_README.html#types">hash</a>: files, except
461that you don't have to run the <a href="postmap.1.html">postmap(1)</a> command before you can
462use the file, and that <a href="DATABASE_README.html#types">texthash</a>: does not detect changes after the
463file is read.  The lookup table name is "<a href="DATABASE_README.html#types">texthash</a>:filename", where
464the file name is taken literally; no suffix is appended. </dd>
465
466<dt> <b>unionmap</b> (read-only) </dt>
467
468<dd> A table that sends each query to multiple lookup tables and
469that concatenates all found results, separated by comma. The table
470name syntax is the same as for pipemap tables. </dd>
471
472<dt> <b>unix</b> (read-only) </dt>
473
474<dd> A limited view of the UNIX authentication database. The following
475tables are implemented:
476
477<dl>
478
479<dt> <b>unix:passwd.byname</b> </dt>
480
481<dd>The table is the UNIX password database. The key is a login
482name.  The result is a password file entry in passwd(5) format.
483</dd>
484
485<dt> <b>unix:group.byname</b> </dt>
486
487<dd> The table is the UNIX group database. The key is a group name.
488The result is a group file entry in group(5) format. </dd>
489
490</dl> </dd>
491
492</dl>
493
494</blockquote>
495
496<p> Other lookup table types may be available depending on how
497Postfix was built. With some Postfix distributions the list is
498dynamically extensible as support for lookup tables is dynamically
499linked into Postfix.  </p>
500
501</body>
502
503</html>
504