X-Git-Url: https://git.donarmstrong.com/?a=blobdiff_plain;f=debian%2FREADME.mail;h=46d77723b95438d207de6905fe90860365bc1334;hb=ee73b48c52cedb53381b6c0291693fa1e2a66d2c;hp=4e09688b25034f20b6884294f5ee431f6628458d;hpb=fc52b8f26b3655ac7ce5bc7e85ede6aa74856fdb;p=debbugs.git diff --git a/debian/README.mail b/debian/README.mail index 4e09688..46d7772 100644 --- a/debian/README.mail +++ b/debian/README.mail 
@@ -1,44 +1,135 @@ -=============== +Setting up MTAs for Debbugs +=========================== Config ------ -Be sure to set the $gMailer variable correctly in /etc/debbugs/config. The -options are (all lower case) exim, qmail and sendmail. +Be sure to set the $gMailer variable correctly in /etc/debbugs/config. +The options are (all lower case) exim, qmail and sendmail. -Exim + +Exim 4 +------ +The exim 4 setup supports virtual domains. This doesn't hurt on a +dedicated system. File names are for systems that use exim4's split +config scheme. If you use something else, you'll need to put the +configuration options in yourself at the appropriate place (most +likely /etc/exim4/exim4.conf or /etc/exim4/exim4.conf.template). + +Create a non-root user with a non-root group as its primary group. +We'll use Debian-debbugs as the user and group: + # adduser --system --group --home /var/lib/debbugs \ + --no-create-home --disabled-login --force-badname Debian-debbugs + +This user needs to be able to write to /var/lib/debbugs. + +/etc/exim4/conf.d/main/03_debbugs: +DEBBUGS_DOMAIN = +DEBBUGS_USER = Debian-debbugs +DEBBUGS_GROUP = Debian-debbugs + +/etc/exim4/conf.d/transport/30_debbugs: +debbugs_pipe: + debug_print = "T: debbugs_pipe for $local_part@$domain" + driver = pipe + user = DEBBUGS_USER + group = DEBBUGS_GROUP + command = /usr/lib/debbugs/receive + return_output + +/etc/exim4/conf.d/router/250_debbugs: +debbugs: + debug_print = "R: debbugs for $local_part@$domain" + driver = accept + transport = debbugs_pipe + local_parts = submit : bugs : maintonly : quiet : forwarded : \ + done : close : request : submitter : control : ^\\d+ + domains = DEBBUGS_DOMAIN + +bounce_debbugs: + debug_print = "R: bounce_debbugs for $local_part@$domain" + driver = redirect + allow_fail + data = :fail: Unknown user + domains = DEBBUGS_DOMAIN + +The bounce_debbugs router bounces all mail for the DEBBUGS_DOMAIN that +hasn't been picked up by the debbugs router. 
If you want addresses +from that domain that do not belong to debbugs to be handled normally, +simply omit that router. However, since the pattern on deb debbugs +router match a significant subset of the domain's local parts, it is +strongly recommended to use a dedicated domain for debbugs. + + +Exim 3 ---- -I've seen two lines in Exim used. If the machine is dedicated and all -email goes to the debbugs script: -(in the transport section) +I've seen two types of Exim 3 set ups being used: + + 1) If the machine is dedicated and all e-mail goes to the debbugs script, + add this in the transport section: + debbugs_pipe: driver = pipe - user={some UID root is very unsafe and unsecure here} - group={some GID either uid or gid needs write access} + user = + group = command = /usr/lib/debbugs/receive return_output -(and AT THE TOP of the directors) + Do not use root user/group, it is very unsafe. You could even add a new + (locked) account "debbugs", and use that. Either user or group needs + write access. + + And AT THE TOP of the directors section, add this: + debbugs: driver = smartuser transport = debbugs_pipe + local_parts = submit:bugs:maintonly:quiet:forwarded:done:close:request:submitter:control:^\\d+ -If the domain is a virtual host on a machine that needs it, there are many -ways of handling it. I think the neatest was: + 2) If the domain is a virtual host on a machine that needs it, there are + many ways of handling it. I think the neatest was to use the above + transport and director, except to add the following line to the + director's options: + + domains = + + Alternatively, Chad Miller suggests: + + The method I discovered involved adding at the top of the routers section: + +debbugs_router: + driver = domainlist + transport = debbugs_transport + route_list = "bugs.foo.bar;bugs.baz.quux" + + where bugs.foo.bar and bugs.baz.quux are mail-domains for which I want to + receive bug requests only. 
+ Next, add anywhere in the transports section: + +debbugs_transport: + driver = pipe + command = /usr/lib/debbugs/receive + user = + group = + current_directory = /etc/debbugs + home_directory = /var/lib/debbugs/spool + + (current_directory may need to be /var/lib/debbugs/spool, depending on + your setup.) + + Next, the mail domains MUST NOT be in the "local_domains" list! + Instead, we MUST put them in the "relay_domains" list. + + Essentially, this tells exim that we agree ("relay_domains") to relay + mail for those zones ("debbugs_router") and "send" the mail using a pipe + ("debbugs_transport"). -debbugs: - driver = aliasfile - domains={domain name eg: bugs.debian.org} - file=/usr/lib/debbugs/receive - user={some UID} - group={some GID} - current_directory=/var/lib/debbugs/spool - home_directory=/var/lib/debbugs/spool Qmail ----- - -Here's my (tv@debian.org) suggestion for safe & secure -installation under qmail: +From Tommi Virtanen (tv@debian.org), amended by Daniel Ruoso +(daniel@ruoso.com): + +Here's my suggestion for safe & secure installation under qmail: Create a separate user for the debbugs system. # adduser --system --group --home /home/misc/debbugs debbugs @@ -47,7 +138,7 @@ Give control of a virtual domain to that user Give the user access to the bug databases # chown -R debbugs:debbugs /var/lib/debbugs/* Set the BTS owner address - # echo 'me@my.example.com' >~debbugs/.qmail-owner + # echo '&me@my.example.com' >~debbugs/.qmail-owner Make the BTS handle it's mail # echo '|/usr/lib/debbugs/receive' >~debbugs/.qmail-default Reload the virtualdomains config file 
@@ -122,45 +213,169 @@ Now the final step: run sendmailconfig to regenerate sendmail.cf and restart sendmail with the new configuration. Your system should now be up and running. Congratulations! -Postfix --------- -It seems Bdale isn't around currently, so I'll just mail this -here directly. This is a short description of how to get debbugs -working with postfix. If someone can verify this and give me some -feedback if would be appreciated. -Lets assume that you are going to install bugs.domain.net, and you +Postfix +------- +Let's assume that you are going to install bugs.domain.net, and you are going to run it on the machine master.domain.net. DNS setup: point the MX to the machine running debbugs: bugs.domain.net MX 50 master.domain.net. -In /etc/postfix/master.cf enable the transport maps by inserting the -following line: +For postfix we have to do three things now: - transport_maps =3D hash:/etc/postfix/transport + 1. Open postfix for any recipient address on the domain + bugs.domain.net + 2. Create a transport map to the debbugs script called + ,,receive''. + 3. Make sure that mails are handed individually into the + debbugs pipe. The receive script can only process mails + with _one_ recipient. -Now create /etc/postfix/transport and insert: +So, create /etc/postfix/transport and insert: bugs.domain.net debbugs: This tells postfix to use the debbugs transport agent to deliver any mail send to bugs.domain.net. Now we need to make a database from that +map, so that postfix can use: + + $ postmap hash:/etc/postfix/transport + +So, create /etc/postfix/debbugs-recipients and put: + + @bugs.domain.net ACCEPT + +into it. + +Here, we also need to make a database from that map, so that postfix can use: - # makemap hash transport + # postmap hash:/etc/postfix/debbugs-recipients -Now we need to teach postfix what the debbugs transport agent is. 
Edit +In /etc/postfix/main.cf we enable the transport and local recipient +map by inserting the following lines: + + transport_maps = hash:/etc/postfix/transport + # debbugs transport + local_recipient_maps = hash:/etc/postfix/non-unix-users + transport_maps = hash:/etc/postfix/transport + debbugs_destination_recipient_limit = 1 + +The last line in the block above assures that mails pour into +the debbugs receive scripts on a one by one recipient basis. + +At last we need to teach postfix what the debbugs transport agent is. Edit /etc/postfix/master.cf and add: debbugs unix - n n - - pipe - flags=3DF user=3Ddebbugs argv=3D/usr/lib/debbugs/receive $recipient + flags=F user=debbugs argv=/usr/lib/debbugs/receive $recipient This assumes that you are running debbugs with uid debbugs (the package doesn't do that by default, but I generally chown /var/lib/debbugs/* to a new debbugs account just to be safe). +Finally add bugs.domain.net to mydestination in main.cf: + + mydestination = $myhostname localhost.$mydomain bugs.domain.net + Now that all this is done, restart postfix and it should be working.. -Wichert. +Wichert +Updated+modified by Mike (20120919) + + +Procmail and SpamAssassin +------------------------- + +Publicly-accessible debbugs installations have been known to receive a lot +of spam. To combat this, some sites may find it useful to deliver mail to +debbugs via procmail and filter everything through a spam detector like +SpamAssassin. Here's a quick sketch of how to set this up (with Exim, but +other MTAs should be similar). + +Arrange for mail to be delivered to procmail somehow. At the time of +writing, bugs.debian.org uses a .forward file like this: + + |procmail -p -m /org/bugs.debian.org/mail/.procmailrc + +The first thing to do in .procmailrc is to set up various variables used +either implicitly or explicitly later on. 
Obviously, substitute +/org/bugs.debian.org and so on with details of your own installation, and +make sure any directories mentioned in mailbox names exist with appropriate +permissions under $MAILDIR. Many of these variables are documented in +procmailrc(5). + + MAILDIR=/org/bugs.debian.org/mail + LOGFILE=$MAILDIR/.logfile + COMSAT=no + UMASK=003 + SPAMC=/usr/bin/spamc + SENDMAIL=/usr/sbin/sendmail + YEARMONTH=`/bin/date +%Y-%m` + YEAR=`/bin/date +%Y` + +Next, a safety catch (optional): we copy all incoming mail into an mbox. +This can easily grow quite large! + + :0c: + backup/save-all.$YEARMONTH + +At this point you can insert customized rules for your site that drop or +bounce particular types of mail. Then, filter through SpamAssassin and file +matches off into a separate mailbox: + + :0fw:spamc.lock + | $SPAMC + + :0: + * ^X-Spam-Flag: yes + spam/assassinated.$YEARMONTH + +(The lock here is due to resource problems during mail floods. There may be +better solutions.) + +Now arrange for owner@bugs mail to be copied to another mailbox and sent on +to the right people. $LOCAL_PART is Exim-specific. Some people may prefer +this to come before the SpamAssassin check. + + :0 + ? test "$LOCAL_PART" = owner -o "$LOCAL_PART" = postmaster + { + :0c: + owner/owner.$YEAR + + :0 + !foo@example.org, bar@example.org + } + +Everything else can now be saved to yet another mailbox and passed on to the +receive script: + + :0c: + receive/receive.$YEARMONTH + + :0 + |/usr/lib/debbugs/receive + +This should be sufficient, or even overkill, for a small installation. + +Some sites need to block particular abusers from using particular services, +such as control@bugs, but don't want to ban them altogether. In this case an +autoreply approach may be useful. + + :0h + * LOCAL_PART ?? 
control + * !^FROM_DAEMON + * !^X-Loop: owner@bugs\.example\.org + * ^(From|Reply-To):.*(abuser1@example\.org|abuser2@example\.org) + | (formail -r -I"From: owner@bugs.example.org" -I"Precedence: junk" \ + -A"X-Loop: owner@bugs.example.org"; \ + echo "Processing commands for control@bugs.example.org:"; \ + echo; \ + echo "This service is unavailable.") | $SENDMAIL -oi -t + +Although not documented here, similar autoreply tricks should be possible +without procmail. For instance, I would be surprised if Exim filters weren't +up to the task.
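Review bot: In the @@ -1,44 +1,135 @@ hunk, the second Exim 3 transport (debbugs_transport, under "Alternatively, Chad Miller suggests") leaves `user =` and `group =` blank with no guidance, while the sentence "Do not use root user/group, it is very unsafe" appears only after the first transport (debbugs_pipe). Repeat that warning after debbugs_transport and give the blank settings a visible placeholder. The same goes for `DEBBUGS_DOMAIN =` in 03_debbugs and `domains =` in option 2, which as written show nothing to fill in. The Exim 4 section also states that the new user "needs to be able to write to /var/lib/debbugs" but gives no command for it, although the Qmail section further down shows a chown for its own user; an equivalent step for Debian-debbugs would close that gap. Typo in the bounce_debbugs paragraph: "the pattern on deb debbugs router match" should read "the patterns on the debbugs router match".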
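Review bot: In the @@ -47,7 +138,7 @@ hunk, the owner address changes from 'me@my.example.com' to '&me@my.example.com' with no word in the README on what the added "&" is for, so a reader substituting their own address cannot tell whether it is part of the example or required syntax. Add a short remark to the "Set the BTS owner address" step saying what the prefix does in a .qmail file. While touching this block, "Make the BTS handle it's mail" in the context line should be "its mail".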
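Review bot: In the @@ -122,45 +213,169 @@ hunk, the main.cf block sets `local_recipient_maps = hash:/etc/postfix/non-unix-users`, but the map the text creates and runs postmap on just above is /etc/postfix/debbugs-recipients, and `transport_maps = hash:/etc/postfix/transport` is listed twice in the same block. Point local_recipient_maps at the file the instructions actually create (or rename that file to match) and drop the duplicate transport_maps line, otherwise a reader following the steps ends up referencing a map that was never built. Smaller points in the Postfix part: the two postmap commands use different prompts ("$" and "#"), and the introduction promises "three things" while the steps later add a fourth (adding bugs.domain.net to mydestination). In the procmail part, `UMASK=003` masks only the world write and execute bits, so the mailboxes written afterwards, including backup/save-all.$YEARMONTH which holds a copy of all incoming mail, are not protected from being read by other local users; say so in the text or use a mask that also clears world read.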