From MozillaWiki

EMail Integration with Postfix as your MTA

Postfix can run email_in.pl from two places (as seen from postconf allow_mail_to_commands):

  1. An /etc/aliases line such as "bugzilla: |/.../email_in.pl" — in this case email_in.pl runs under $default_privs (by default nobody) and has no access to the Bugzilla files.
  2. A 'bugzilla' user with a .forward file in its home directory that invokes email_in.pl — in this case the process runs with the privileges of the recipient user.

When setting up Bugzilla, the documentation says to run checksetup.pl as root. This results in the Bugzilla installation files being chown'ed to root.apache (or whatever group you set for $webservergroup in localconfig). You might think that all you have to do is give the 'bugzilla' or MTA user supplementary membership in the web server group (typically 'apache') to give it access to the necessary files.

While this might work for sendmail, it fails for Postfix: Postfix does not grant the child process any supplementary group memberships (see [1]), so email_in.pl runs with only the recipient's primary group and cannot load data/params.

Solution by bugzilla file ownership

You can give the bugzilla user ownership of the Bugzilla files for the .forward/.procmail scenario as follows (Bugzilla installed at /opt/bugzilla):

  1. chown -R bugzilla.bugzilla /opt/bugzilla
  2. usermod -G apache bugzilla
  3. as user 'bugzilla' run checksetup.pl — the bugzilla files get chown'ed to bugzilla.apache and locked down

Step 2 is needed to allow step 3 to succeed. You can revoke bugzilla's apache membership after step 3 if you want.

This setup allows the MTA to run .forward/.procmail as the 'bugzilla' user while apache also has the necessary access.
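As an added example (not part of this wiki page), a small POSIX shell check that applies the rule above: it decides whether a command Postfix spawns as a given user could read a file, counting only the file owner and the user's primary group, and flags the case where access exists only through a supplementary group (enough for sendmail, not for Postfix). The user name, the Bugzilla directory and the two files checked (localconfig and data/params) are assumptions; run it as the 'bugzilla' user after step 3 to confirm the chown had the intended effect.

```shell
#!/bin/sh
# Added example, not code from the wiki page or from Bugzilla.
# Decide whether a command that Postfix spawns as USER could read PATH.
# Postfix hands the child only its primary group (id -g), so supplementary
# groups (id -G) do not count; that is why "usermod -G apache" alone fails.
# Returns 0 = readable, 1 = not readable, 2 = unknown user or path.
postfix_can_read() {
  user=$1; path=$2
  [ -e "$path" ] || { echo "no such path: $path"; return 2; }
  prim=$(id -gn "$user" 2>/dev/null) || { echo "no such user: $user"; return 2; }
  supp=$(id -Gn "$user")
  # ls -ld instead of stat(1) for portability; fields: mode links owner group ...
  set -- $(ls -ld "$path")
  mode=$1; owner=$3; group=$4
  if [ "$owner" = "$user" ]; then
    cls=owner; bits=$(printf '%s' "$mode" | cut -c2-4)
  elif [ "$group" = "$prim" ]; then
    cls="primary group $group"; bits=$(printf '%s' "$mode" | cut -c5-7)
  else
    cls=other; bits=$(printf '%s' "$mode" | cut -c8-10)
    # Membership only via a supplementary group helps sendmail, not Postfix.
    for g in $supp; do
      [ "$g" = "$group" ] && cls="other ($group is only a supplementary group of $user)"
    done
  fi
  case $bits in
    r*) echo "$path: readable by $user as $cls"; return 0 ;;
    *)  echo "$path: NOT readable by $user as $cls"; return 1 ;;
  esac
}

# Check the files email_in.pl needs in a Bugzilla tree (assumed layout).
check_bugzilla_access() {
  user=$1; dir=$2; rc=0
  for f in "$dir/localconfig" "$dir/data/params"; do
    postfix_can_read "$user" "$f" || rc=1
  done
  return $rc
}

# Usage: check_bugzilla_access bugzilla /opt/bugzilla
```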

Solution by user primary group

Another way is to use a user that has $webservergroup as its primary group: usermod -g apache bugzilla.

If you do not want to modify the bugzilla user for this, or have a bugzilla user at all, the web server user (typically wwwrun or apache) might already have the proper primary group.

Since you do not want to forward all mail for apache to email_in.pl, you can set recipient_delimiter to + (postconf recipient_delimiter=+) and instead alias bugzilla to the address extension apache+bugzilla. For this to work, apache itself must not have an alias, so take it out. You'll then have in /etc/aliases:

#apache: root
bugzilla: apache+bugzilla

Then, in the home directory of the apache user (see getent passwd apache; it may be /var/lib/apache, and bash expands ~apache to it automatically), pipe to email_in.pl from the file .forward+bugzilla (the file name follows the postconf default of $forward_path; do not forget to keep any original .forward for apache):

echo 'root' > ~apache/.forward
echo '|/.../email_in.pl' > ~apache/.forward+bugzilla