from small one page howto to huge articles all in one place

search text in:

Which screen resolution do you use?

poll results

Last additions:
using iotop to find disk usage hogs

using iotop to find disk usage hogs






average rating: 1.7 (82 votes) (1=very good 6=terrible)

May 25th. 2007:




why adblockers are bad

Workaround and fixes for the current Core Dump Handling vulnerability affected kernels

Workaround and fixes for the current Core Dump Handling vulnerability affected kernels






average rating: 1.3 (27 votes) (1=very good 6=terrible)

April, 26th. 2006:

You are here: manpages


Section: Double Precision, Inc. (1)
Updated: 09/01/2014
Index Return to Main Contents


couriertcpd - the Courier mail server TCP server daemon  


couriertcpd [-pid=pidfile] [option...] {list} {program} {arg...}
couriertcpd {-pid=pidfile} {-stop}
couriertcpd {-pid=pidfile} {-restart}



accepts incoming network connections, and runs program after establishing each network connection. The program's standard input and output are set to the network connection.

list is a comma-separated list of TCP port numbers where incoming connections are created. program is the program to run. If program requires any arguments, they are specified on the command line, after program itself.

Before running program, couriertcpd initializes several environment variables that describe the network connection. The environment inherited by program will be the environment inherited by couriertcpd, plus any additional environment variables initialized by couriertcpd. It is also possible to reject certain network connections. Several options are available to specify which network connections will be rejected.  



Specifies an optional access file. The access file lists the IP addresses from which connections should be accepted or rejected. The access file is also used to initialize environment variables based on the IP address of the connection. filename is a GDBM or DB database file that's usually created by a script from one or more text files. See "ACCESS FILE" below for more information.


Lookup the local interface IP and port in the access file, in addition to looking up the remote IP. This gives a mechanism for setting environment variables depending on which IP address and/or port the client connected to. In the access file, "" matches connections to IP address port 25; "" matches connections to IP address on any port; and "*.25" matches connections to port 25 on any IP address.


Accept network connections only to IP address n.n.n.n. If not specified, couriertcpd accepts connections to any IP address that the system accepts connections on. If the system has multiple network interfaces with separate IP addresses, this option makes couriertcpd accept connections only to one specific IP address. Most systems have multiple network interfaces: the loopback interface, plus the local network interface, so that -address= accepts connections only from the local system. When multiple port numbers are specified, it is also possible to selectively bind different network addresses to each port number when list specifies more than one port number. See "m[blue]Multiple port listm[][1]" below for more information.

-block=zone[,var[/n.n.n.n][,msg]] or -allow=zone[,var[/n.n.n.n[,]]]

Initialize the environment variable var if both of the following conditions are true: var is not already initialized; the connecting IP address can be found in a DNS-based access list. See DNS ACCESS LISTS, below. Multiple -block and -allow options can be specified.

-block and -allow are very similar, differing only in minor semantics. -block's semantics are more appropriate for using DNS access list to block access, and -allow's semantics are more appropriate for using DNS access list to whitelist IP addresses and exempt them even if they appear in other -blocked zones.


Specifies an optional message to be returned to the client if the -access option rejects them. The default is to drop the TCP connection without sending back any messages.


If the environment variable var is set to a nonempty value, terminate immediately. Do not run the program to handle the connection. See DNS ACCESS LISTS, below, for more information. var defaults to lqBLOCKrq, if not specified.


Set couriertcpd's its group ID. group may be specified numerically, or by its name. Only the superuser may use -group.


Length of the queue which holds pending connections. n is a number. If not specified, the system default is used.


Maximum number of connections accepted from the same C network block. Using this option is recommended, because connection slots are limited. Without this option, the same C network block can potentially use up all available connection slots.


Maximum number of connections accepted from the same IP address. Use both the -maxperc and -maxperip options to fine tune connection limits. For example, when couriertcpd is listening on the SMTP port it makes sense to set an upper limit on the number of connections from the same C block. Domains that send a large amount of mail often have multiple servers sending outbound mail from the same C block, so it makes sense to set limits on individual C blocks. On the other hand, if couriertcpd is listening on the POP3 port it makes more sense to set limits on individual IP addresses. If a C block of addresses is assigned to a dialup modem pool, it is certainly possible to have many IP addresses within the same C block have connections to the POP3 server at the same time.


Maximum number of connection slots, or the maximum number of processes started. This effectively specifies the maximum number of connections accepted at the same time. After the maximum number of connections has been opened, couriertcpd waits for an existing connection to close, before accepting any more connections.


Log a LOG_WARNING message to syslog when the number of active processes exceeds n. The default is 90% of maxprocs. couriertcpd logs a LOG_ALERT syslog message when the number of active processes reaches the maximum.


Do not look up the hostname associated with connecting IP address and the local addres, do not initialize the TCPREMOTEHOST or TCPLOCALHOST environment variables (see below).


Do not perform an ident lookup, and do not initialize the TCPREMOTEINFO environment variable.


If given, couriertcpd puts itself into the background and saves its process ID in this file, usually somewhere in /var/run.

This option must also be present when using the -restart and -stop options.


Send a SIGHUP to an existing couriertcpd process. Specify the same -pid argument as the one that was used to start couriertcpd. The process ID is read from the -pid file, and the couriertcpd receives a SIGHUP signal.


Set program's standard error to the network connection, just like its standard input and output.


Set program's standard error to the specified file, logfile. The file is created, if necessary, and is opened in append mode.


Set program's standard error to a pipe, which is read by logprogram. Only one instance of logger is started, which receives standard error from every instance of program. The specified logger is executed with the output end of the stderr pipe connected as standard input. logprogram is executed with one argument - program's name.


Use name as the argument to logprogram, instead of the program's name.


Stop (kill) an existing couriertcpd process. Specify the same -pid argument as the one that was used to start couriertcpd. The process ID is read from the -pid file, and the couriertcpd process is killed. All child processes of couriertcpd will receive a SIGTERM signal.


Set couriertcpd's user ID. Also, the group ID is set to the user's group ID. Using both -group and -user is not necessary. Only the superuser can specify -user.


The list argument can be a comma-separated list of multiple port numbers. couriertcpd will create network connections on any listed port. Each port number can be optionally specified as "address.port", for example:

couriertcpd -pid=/var/run/,999 program

This instance accepts network connections to either port 25 or port 999, however connections on port 25 are created only on the IP address, the loopback interface.

Whenever an IP address is not specified, network connections are accepted to any IP address (called "wildcarding"). On IPv6-capable systems, couriertcpd will attempt to create two incoming network connection ports, if an IP address is not specified. After creating the first port as an IPv6 wildcard port, couriertcpd will then attept to create an IPv4 wildcard port, with the same port number. Some BSD-derived systems must use separate IPv6 and IPv4 wildcard ports to create incoming network connections. Most other systems only need an IPv6 port to create both IPv6 and IPv4 incoming network connections. couriertcpd quietly ignores a failure to create an IPv4 wildcard port, as long as an IPv6 wildcard was succesfully created.

The -address option can be used to default a specific IP address for every listed port number. For example:

couriertcpd -pid=/var/run/, program


couriertcpd -pid=/var/run/ -address= 25,999 program

will create network connections on ports 25 and 999 of the IP address  


The access file lists IP addresses that couriertcpd will accept or reject connections from. An access file is optional. Without an access file couriertcpd accepts a connection from any IP address.

Both IPv4 and IPv6 addresses can be specified, if IPv6 support is available. A non-standard syntax is currently used to specify IPv6 addresses. This is subject to change in the near future. IPv6 support is currently considered to be experimental.

The access file is a binary database file that's usually created by a script, such as m[blue]makesmtpaccess(8)m[][2], from one or more plain text files. Blank lines in the text file are ignored. Lines that start with the # character are also ignored.  

Rejecting and accepting connections by IP address

The following line instructs couriertcpd to reject all connections from an IP address range:


netblock is an IP address, such as <tab> is the ASCII tab character. There MUST be exactly one tab character after the IP address and the word "deny".

You can also block connections from an entire network C block:


This blocks connections from IP addresses through Blocking connections from an entire B or A network block works the same way.

Use the word "allow" instead of "deny" to explicitly allow connections from that IP address or netblock. For example:


This blocks all connections from to except for These two lines can occur in any order. couriertcpd always uses the line with the most specific IP address.

If the IP address of the connection is not found in the access file the connection is accepted by default. The following line causes unlisted connections to be rejected:


IPv6 addresses


IPv6 support in the access file is experimental, and is subject to change in a future release. The following syntax is subject to change at any time.

The access file can also specify IPv6 addresses, if IPv6 support is available. The existing IPv4 address format is used for IPv6-mapped IPv4 addresses, and no changes are required. For all other IPv6 addresses use the following format:


The IPv6 address must begin with :. The initial : character is not really a part of the IPv6 address, it is only used to designate this record as an IPv6 address, allowing an access file to contain a mixture of IPv4 and IPv6 addresses. The IPv6 address follows the initial : character, and it must be spelled out using zero-padded lowercase hexadecimal digits. For example:


Netblocks must be specified using even-word boundaries only:


This will deny entire 3ffe::/16 (6bone network, which is phased out).


This will deny 2002:c0a8::/32 (6to4 addresses derived from private address space).  

Setting environment variables

allow can be optionally followed by a list of environment variable assignments, separated by commas. The environment variables are set before executing program or checking access lists (see below). For example:


This sets RELAYCLIENT environment variable for connections from the 192.68.0 block. In addition to that, the SIZELIMIT environment variable is set to 1000000 if the connection comes from the IP address

Note that RELAYCLIENT must be explicitly specified for the IP address The first line is NOT used for connections from this IP address. couriertcpd only reads one entry from the access file, the entry for the most specific IP address.  


An alternative to listing banned IP addresses in access files is to use an external DNS-based IP access list.

There is no provision to support IPv6-based lists, because none yet exist. IPv6-based access list support will be added in the future.

couriertcpd's default configuration does not automatically reject connections from banned IP address unless the -drop option is present. Instead, couriertcpd sets an environment variable if the connecting address has a hit in the DNS access list. The Courier mail server rejects all mail if the connection's environment has the environment variable BLOCK set to a non-empty string, and it just so happens that -block and -allow set the BLOCK environment variable by default.

-allow and -block's parameter gives the DNS zone where the access list query gets performed. In this example, couriertcpd makes a DNS query for lqd.c.b.a.dnswl.example.comrq, then, if necessary, for lqd.c.b.a.dnsbl.example.comrq, for a connection from the IP address a.b.c.d.

If the DNS query succeeds (more details below), -allow sets the environment variable to an empty string, and -block sets the environment variable from the TXT record in the DNS response, or to lqAccess denied.rq if the DNS access list did not return a TXT record. It should be possible to use couriertcpd with DNS access lists that use either A or TXT records.

The DNS zone parameter to -allow and -block has up to three additional components, which must be given in the following order, if more than one optional component gets specified:,BLOCK2

The environment variable that gets set by the DNS access list query can be changed from the default of BLOCK to something else, BLOCK2 in this example. The Courier mail server pays attention only to BLOCK, this is for the benefit of local or custom hacks, which want to leverage couriertcpd's DNS access list lookup facilities, but want it for other purposes.

couriertcpd's DNS access list lookup normally ignores the contents of the actual A record in the DNS access list, however some DNS access lists may use different A record to indicate different kinds of records. Given an explicit IP address to couriertcpd results in the environment variable getting set only if the lookup returned the matching A record. An A record must exist in the DNS access list, in addition to any TXT record. If an explicit IP address is not given, any A or TXT record sets -allow and -block's environment variable.,BLOCK,Go away

The last component specifies a custom message that overrides any TXT record in the DNS access list. Note that this is a single parameter to couriertcpd, so the parameter must be quoted if it contains any spaces or special shell metacharacters.

The custom message parameter gets specified for the -block, option. -allow also allows takes this parameter, but it has a different meaning. If its set, even if it's an empty string, couriertcpd looks for TXT records in the DNS access list that's used as a whitelist, in addition to the A records (using the lqanyrq query):,BLOCK,

Without this parameter couriertcpd queries for A records only.

Finally, a literal IP address, if given, must always follow the variable name:,BLOCK/,Go away

-block normally searches the DNS access list for either A or TXT records using the lqanyrq DNS query. Sometimes this can cause problems, or not work at all, with older DNS servers. Specifying a custom message results in -block executing an ordinary A DNS query. -allow always uses an A query.  


Multiple -block and -allow options can be given. The connecting IP address gets looked up in multiple access lists. This is implemented as follows.

couriertcpd processes all -block and -allow options in list order. If each option's environment variable (BLOCK or something else) is already set, couriertcpd skips the DNS access list lookup. Therefore, when multiple options use the same environment variable, the first DNS access list it exists in will set the environment variable, and the remaining ones get ignored, but any remaining -blocks and -allows for different environment variables still get processed.

It follows that, in general, -allow options should always be listed first, before any -blocks; but it's also possible to implement a complicated policy with some -allows, then some -blocks, then more -allows and -blocks.  


Three additional environment variables may get set in conjunction with a successful DNS access list lookup:


The contents of the A record in the DNS access list, if one exists (this is not set for DNS access lists that use TXT record).


The contents of the TXT record in the DNS access list, if one exists. This will generally be the same as BLOCK for -blocks, but will also provide the contents of the TXT record for -allows (if it has a dummy custom message portion) which always set BLOCK to an empty string.


The DNS zone of the succesfull access list lookup, like lqdnsbl.example.comrq.

-block and -allow options that specify a custom environment variable name follow the same naming convention, of appending lq_IPrq, lq_TXTrq, and lq_ZONErq suffix to the name of the custom environment variable.  


Including lqallowokrq keyword in an SPF setting automatically passes the SPF check for senders whose IP address is found in an -allow-ed access list. See m[blue]courier(8)m[][3].  


couriertcpd also initializes the following environment variables prior to running program:


The name of the host on the local end of the network connection, looked up in DNS. TCPLOCALHOST will not be set if the IP address of the network connection's local end cannot be found in DNS, or if -nodnslookup option is specified. TCPLOCALHOST will be set to the string softdnserr if the DNS lookup fails with a temporary error (so you cannot tell if the IP address has a valid host name associated with it), or if the reverse and forward DNS lookups do not match. TCPLOCALHOST will not be set if the reverse DNS lookup fails completely.


The IP address of the local end of the network connection.


Rhe number of the port of the local end of the network connection.


The hostname of the connecting host. Like TCPLOCALHOST, but for the connecting IP address.


Connecting IP address.


Identification string received from the IDENT server on the remote IP address. Not set if the IDENT server returned an error, or if the -noidentlookup option was specified.


TCP port of the remote end of the network connection.




Sam Varshavchik



Multiple port list
[set $man.base.url.for.relative.links]/#list
[set $man.base.url.for.relative.links]/makesmtpaccess.html
[set $man.base.url.for.relative.links]/courier.html



Rejecting and accepting connections by IP address
IPv6 addresses
Setting environment variables

Please read "Why adblockers are bad".

Other free services
Shorten long
URLs to short
links like
Reverse DNS lookup
Find out which hostname(s)
resolve to a
given IP or other hostnames for the server
rdf newsfeed | rss newsfeed | Atom newsfeed
- Powered by LeopardCMS - Running on Gentoo -
Copyright 2004-2013 Sascha Nitsch Unternehmensberatung UG(haftungsbeschränkt)
Valid XHTML1.1 : Valid CSS : buttonmaker
- Level Triple-A Conformance to Web Content Accessibility Guidelines 1.0 -
- Copyright and legal notices -
Time to create this page: 3.5 ms