Pipe channels are used to effect delivery for specific addresses via a site-supplied program or script. While pipe channels are loosely based upon the | (pipe) functionality of sendmail, they have been carefully designed to not pose a security threat. First, you, as the postmaster, have to manually add a pipe channel to your configuration before it can be used. If you do not trust the technology, then do not add one to your configuration. Second, the commands executed by the pipe channel are controlled by you, as the postmaster, and no user supplied input can find its way into those commands: each command you supply is used verbatim with the exception of the optional substitution of a filename generated by the channel itself without reference to user supplied input. Finally, the decision to run a command is not based upon the presence of special characters appearing in a recipient address, but rather upon a recipient address exactly matching a specific address or host name in a table or database which you must provide. If an exact match between an incoming address and your table or database exists, then your command listed in the table for that match is executed.

Unlike the sendmail pipe functionality, the PMDF pipe channel does not pipe the message to be processed to the program or script. Instead, it writes the message to be processed to a temporary file and then forks a subprocess to run the site-supplied command for that message. That command should make use of the name of the temporary file which can be substituted into the command by the channel. The temporary file should not be deleted or altered by the subprocess; the channel will delete it itself. If it is not possible to prevent the subprocess from disrupting the file, then the pipe channel should be marked with the single channel keyword.
On OpenVMS systems, if the subprocess exits with a successful completion code (i.e., an odd valued completion code), then the message is presumed to have been delivered successfully. If it exits with a completion code of PMDF:_$,$_NO (decimal value 178028690, hexadecimal value 0A9C8092), then the message is returned as undeliverable. Delivery of the message will be deferred if any other completion code is returned.

On UNIX systems, if the subprocess exits with exit code of 0 (EX_OK) then the message is presumed to have been delivered successfully and is removed from PMDF's queues. If it exits with an exit code of 71, 74, 75, or 79 (EX_OSERR, EX_IOERR, EX_TEMPFAIL, or EX_DB) then a temporary error is presumed to have occurred and delivery of the message is deferred. If any other exit code is returned, then the message will be returned to its originator as undeliverable. These exit codes are defined in the system header file sysexits.h.