-MTA for Debbugs
-===============
+Setting up MTAs for Debbugs
+===========================
Config
------
-Be sure to set the $gMailer variable correctly in /etc/debbugs/config. The
-options are (all lower case) exim, qmail and sendmail.
+Be sure to set the $gMailer variable correctly in /etc/debbugs/config.
+The options are (all lower case) exim, qmail and sendmail.
-Exim
+
+Exim 4
+------
+The exim 4 setup supports virtual domains. This doesn't hurt on a
+dedicated system. File names are for systems that use exim4's split
+config scheme. If you use something else, you'll need to put the
+configuration options in yourself at the appropriate place (most
+likely /etc/exim4/exim4.conf or /etc/exim4/exim4.conf.template).
+
+Create a non-root user with a non-root group as its primary group.
+We'll use Debian-debbugs as the user and group:
+ # adduser --system --group --home /var/lib/debbugs \
+ --no-create-home --disabled-login --force-badname Debian-debbugs
+
+This user needs to be able to write to /var/lib/debbugs.
+
+/etc/exim4/conf.d/main/03_debbugs:
+DEBBUGS_DOMAIN = <domain name>
+DEBBUGS_USER = Debian-debbugs
+DEBBUGS_GROUP = Debian-debbugs
+
+/etc/exim4/conf.d/transport/30_debbugs:
+debbugs_pipe:
+ debug_print = "T: debbugs_pipe for $local_part@$domain"
+ driver = pipe
+ user = DEBBUGS_USER
+ group = DEBBUGS_GROUP
+ command = /usr/lib/debbugs/receive
+ return_output
+
+/etc/exim4/conf.d/router/250_debbugs:
+debbugs:
+ debug_print = "R: debbugs for $local_part@$domain"
+ driver = accept
+ transport = debbugs_pipe
+ local_parts = submit : bugs : maintonly : quiet : forwarded : \
+ done : close : request : submitter : control : ^\\d+
+ domains = DEBBUGS_DOMAIN
+
+bounce_debbugs:
+ debug_print = "R: bounce_debbugs for $local_part@$domain"
+ driver = redirect
+ allow_fail
+ data = :fail: Unknown user
+ domains = DEBBUGS_DOMAIN
+
+The bounce_debbugs router bounces all mail for the DEBBUGS_DOMAIN that
+hasn't been picked up by the debbugs router. If you want addresses
+from that domain that do not belong to debbugs to be handled normally,
+simply omit that router. However, since the pattern on deb debbugs
+router match a significant subset of the domain's local parts, it is
+strongly recommended to use a dedicated domain for debbugs.
+
+
+Exim 3
----
-I've seen two lines in Exim used. If the machine is dedicated and all
-email goes to the debbugs script:
-(in the transport section)
+I've seen two types of Exim 3 set ups being used:
+
+ 1) If the machine is dedicated and all e-mail goes to the debbugs script,
+ add this in the transport section:
+
debbugs_pipe:
driver = pipe
- user={some UID root is very unsafe and unsecure here}
- group={some GID either uid or gid needs write access}
+ user = <some non-root user>
+ group = <some non-root group>
command = /usr/lib/debbugs/receive
return_output
-(and AT THE TOP of the directors)
+ Do not use root user/group, it is very unsafe. You could even add a new
+ (locked) account "debbugs", and use that. Either user or group needs
+ write access.
+
+ And AT THE TOP of the directors section, add this:
+
debbugs:
driver = smartuser
transport = debbugs_pipe
+ local_parts = submit:bugs:maintonly:quiet:forwarded:done:close:request:submitter:control:^\\d+
-If the domain is a virtual host on a machine that needs it, there are many
-ways of handling it. I think the neatest was:
+ 2) If the domain is a virtual host on a machine that needs it, there are
+ many ways of handling it. I think the neatest was to use the above
+ transport and director, except to add the following line to the
+ director's options:
+
+ domains = <domain name>
+
+ Alternatively, Chad Miller <cmiller@surfsouth.com> suggests:
+
+ The method I discovered involved adding at the top of the routers section:
+
+debbugs_router:
+ driver = domainlist
+ transport = debbugs_transport
+ route_list = "bugs.foo.bar;bugs.baz.quux"
+
+ where bugs.foo.bar and bugs.baz.quux are mail-domains for which I want to
+ receive bug requests only.
+ Next, add anywhere in the transports section:
+
+debbugs_transport:
+ driver = pipe
+ command = /usr/lib/debbugs/receive
+ user = <some non-root user>
+ group = <some non-root group>
+ current_directory = /etc/debbugs
+ home_directory = /var/lib/debbugs/spool
+
+ (current_directory may need to be /var/lib/debbugs/spool, depending on
+ your setup.)
+
+ Next, the mail domains MUST NOT be in the "local_domains" list!
+ Instead, we MUST put them in the "relay_domains" list.
+
+ Essentially, this tells exim that we agree ("relay_domains") to relay
+ mail for those zones ("debbugs_router") and "send" the mail using a pipe
+ ("debbugs_transport").
-debbugs:
- driver = aliasfile
- domains={domain name eg: bugs.debian.org}
- file=/usr/lib/debbugs/receive
- user={some UID}
- group={some GID}
- current_directory=/var/lib/debbugs/spool
- home_directory=/var/lib/debbugs/spool
Qmail
-----
-
-Here's my (tv@debian.org) suggestion for safe & secure
-installation under qmail:
+From Tommi Virtanen (tv@debian.org), amended by Daniel Ruoso
+(daniel@ruoso.com):
+
+Here's my suggestion for safe & secure installation under qmail:
Create a separate user for the debbugs system.
# adduser --system --group --home /home/misc/debbugs debbugs
Give the user access to the bug databases
# chown -R debbugs:debbugs /var/lib/debbugs/*
Set the BTS owner address
- # echo 'me@my.example.com' >~debbugs/.qmail-owner
+ # echo '&me@my.example.com' >~debbugs/.qmail-owner
Make the BTS handle it's mail
# echo '|/usr/lib/debbugs/receive' >~debbugs/.qmail-default
Reload the virtualdomains config file
restart sendmail with the new configuration. Your system should now
be up and running. Congratulations!
-Postfix
---------
-It seems Bdale isn't around currently, so I'll just mail this
-here directly. This is a short description of how to get debbugs
-working with postfix. If someone can verify this and give me some
-feedback if would be appreciated.
-Lets assume that you are going to install bugs.domain.net, and you
+Postfix
+-------
+Let's assume that you are going to install bugs.domain.net, and you
are going to run it on the machine master.domain.net.
DNS setup: point the MX to the machine running debbugs:
bugs.domain.net MX 50 master.domain.net.
-In /etc/postfix/master.cf enable the transport maps by inserting the
-following line:
+For postfix we have to do three things now:
- transport_maps =3D hash:/etc/postfix/transport
+ 1. Open postfix for any recipient address on the domain
+ bugs.domain.net
+ 2. Create a transport map to the debbugs script called
+ ,,receive''.
+ 3. Make sure that mails are handed individually into the
+ debbugs pipe. The receive script can only process mails
+ with _one_ recipient.
-Now create /etc/postfix/transport and insert:
+So, create /etc/postfix/transport and insert:
bugs.domain.net debbugs:
This tells postfix to use the debbugs transport agent to deliver any
mail send to bugs.domain.net. Now we need to make a database from that
+map, so that postfix can use:
+
+ $ postmap hash:/etc/postfix/transport
+
+So, create /etc/postfix/debbugs-recipients and put:
+
+ @bugs.domain.net ACCEPT
+
+into it.
+
+Here, we also need to make a database from that map, so
that postfix can use:
- # makemap hash transport
+ # postmap hash:/etc/postfix/debbugs-recipients
-Now we need to teach postfix what the debbugs transport agent is. Edit
+In /etc/postfix/main.cf we enable the transport and local recipient
+map by inserting the following lines:
+
+ transport_maps = hash:/etc/postfix/transport
+ # debbugs transport
+ local_recipient_maps = hash:/etc/postfix/non-unix-users
+ transport_maps = hash:/etc/postfix/transport
+ debbugs_destination_recipient_limit = 1
+
+The last line in the block above assures that mails pour into
+the debbugs receive scripts on a one by one recipient basis.
+
+At last we need to teach postfix what the debbugs transport agent is. Edit
/etc/postfix/master.cf and add:
debbugs unix - n n - - pipe
- flags=3DF user=3Ddebbugs argv=3D/usr/lib/debbugs/receive $recipient
+ flags=F user=debbugs argv=/usr/lib/debbugs/receive $recipient
This assumes that you are running debbugs with uid debbugs (the package
doesn't do that by default, but I generally chown /var/lib/debbugs/*
to a new debbugs account just to be safe).
+Finally add bugs.domain.net to mydestination in main.cf:
+
+ mydestination = $myhostname localhost.$mydomain bugs.domain.net
+
Now that all this is done, restart postfix and it should be working..
-Wichert.
+Wichert
+Updated+modified by Mike (20120919)
+
+
+Procmail and SpamAssassin
+-------------------------
+
+Publicly-accessible debbugs installations have been known to receive a lot
+of spam. To combat this, some sites may find it useful to deliver mail to
+debbugs via procmail and filter everything through a spam detector like
+SpamAssassin. Here's a quick sketch of how to set this up (with Exim, but
+other MTAs should be similar).
+
+Arrange for mail to be delivered to procmail somehow. At the time of
+writing, bugs.debian.org uses a .forward file like this:
+
+ |procmail -p -m /org/bugs.debian.org/mail/.procmailrc
+
+The first thing to do in .procmailrc is to set up various variables used
+either implicitly or explicitly later on. Obviously, substitute
+/org/bugs.debian.org and so on with details of your own installation, and
+make sure any directories mentioned in mailbox names exist with appropriate
+permissions under $MAILDIR. Many of these variables are documented in
+procmailrc(5).
+
+ MAILDIR=/org/bugs.debian.org/mail
+ LOGFILE=$MAILDIR/.logfile
+ COMSAT=no
+ UMASK=003
+ SPAMC=/usr/bin/spamc
+ SENDMAIL=/usr/sbin/sendmail
+ YEARMONTH=`/bin/date +%Y-%m`
+ YEAR=`/bin/date +%Y`
+
+Next, a safety catch (optional): we copy all incoming mail into an mbox.
+This can easily grow quite large!
+
+ :0c:
+ backup/save-all.$YEARMONTH
+
+At this point you can insert customized rules for your site that drop or
+bounce particular types of mail. Then, filter through SpamAssassin and file
+matches off into a separate mailbox:
+
+ :0fw:spamc.lock
+ | $SPAMC
+
+ :0:
+ * ^X-Spam-Flag: yes
+ spam/assassinated.$YEARMONTH
+
+(The lock here is due to resource problems during mail floods. There may be
+better solutions.)
+
+Now arrange for owner@bugs mail to be copied to another mailbox and sent on
+to the right people. $LOCAL_PART is Exim-specific. Some people may prefer
+this to come before the SpamAssassin check.
+
+ :0
+ ? test "$LOCAL_PART" = owner -o "$LOCAL_PART" = postmaster
+ {
+ :0c:
+ owner/owner.$YEAR
+
+ :0
+ !foo@example.org, bar@example.org
+ }
+
+Everything else can now be saved to yet another mailbox and passed on to the
+receive script:
+
+ :0c:
+ receive/receive.$YEARMONTH
+
+ :0
+ |/usr/lib/debbugs/receive
+
+This should be sufficient, or even overkill, for a small installation.
+
+Some sites need to block particular abusers from using particular services,
+such as control@bugs, but don't want to ban them altogether. In this case an
+autoreply approach may be useful.
+
+ :0h
+ * LOCAL_PART ?? control
+ * !^FROM_DAEMON
+ * !^X-Loop: owner@bugs\.example\.org
+ * ^(From|Reply-To):.*(abuser1@example\.org|abuser2@example\.org)
+ | (formail -r -I"From: owner@bugs.example.org" -I"Precedence: junk" \
+ -A"X-Loop: owner@bugs.example.org"; \
+ echo "Processing commands for control@bugs.example.org:"; \
+ echo; \
+ echo "This service is unavailable.") | $SENDMAIL -oi -t
+
+Although not documented here, similar autoreply tricks should be possible
+without procmail. For instance, I would be surprised if Exim filters weren't
+up to the task.
projects / debbugs.git / blobdiff