Local delivery models The "monolithic" model: recursively expand the complete initial recipient list (via aliases, mailing lists, .forward files) to one expanded recipient list (mail addresses, shell commands, files, mailboxes). Sort/uniq the expanded recipient list, and deliver. The "forward as if sent by recipient" model: each level of recursion (aliases, mailing lists, forward files) takes one entire iteration through the mail system. Non-recursively expand one local recipient (via alias, mailing list, the recipient's .forward file) to a list of expanded recipients. Sort/uniq the list and deliver by re-injecting messages into the mail system. Since recipient expansion uses a non-recursive algorithm, the mailer might loop indefinitely, re-injecting messages into itself. These local forwarding loops must be broken by stamping a message when it reaches the local delivery stage (e.g., by adding a Delivered-To: message header). The Postfix system uses a hybrid approach. It does recursive alias expansion, but only one initial recipient at a time. It delivers to expanded recipients by re-submitting the message into the mail system, so it can keep track of the delivery status for each expanded recipient. Because alias expansion does not look in .forward files, it cannot prevent local forwarding loops. The Postfix system adds Delivered: message headers to break local and external forwarding loops. Delivery status management The "exact" model: maintain on file the delivery status of each expanded recipient: remote recipients, shell commands and files, including the privileges for delivery to shell commands and files. The "safe" model: maintain on file only the delivery status of non-sensitive destinations (local or remote addresses). Deliver to sensitive destinations first (commands, files), but do not keep a record of their status on file (including privileges). This means that the mail system will occasionally deliver the same message more than once to a file or command.