README.postfix                                                   Jan 28th 2012

The main challenge to setting up Mlmmj with Postfix is that Mlmmj must be
executed by root or the owner of the list directory, but by default Postfix
will execute Mlmmj as 'nobody'[1].

There are a number of possible ways around this:

- Making 'nobody' own your lists (insecure) [2]
- Changing the Postfix default to an 'mlmmj' user (possibly insecure or
  impractical) [3]
- .forward files (impractical) [4]
- Using an :include: file owned by an 'mlmmj' user (possibly insecure and
  suboptimal) [5]
- Adding an alias table owned by an 'mlmmj' user (suboptimal) [6]
- Using a Postfix transport to run Mlmmj as an 'mlmmj' user (recommended)

As you can see, the last option is recommended. Here is how to set it up using
Postfix virtual domains (so you can host multiple domains on the same server).
(It can also be done with regular non-virtual aliases[7].)

 1) Add an 'mlmmj' user to your system (e.g. using 'useradd'). It usually
    makes sense to make this a 'system' user, with no password and no shell
    (/usr/false for the shell), and for its home directory to be
    /var/spool/mlmmj (or wherever you want to put your Mlmmj spool directory).

 2) Create your Mlmmj spool directory (we'll assume it's /var/spool/mlmmj)
    and change its owner to the 'mlmmj' user.

 3) Add an 'mlmmj' transport which uses the pipe(8) delivery agent to execute
    mlmmj-receive as the mlmmj user by adding something like the following to (often in /etc/postfix)[8]:

        # mlmmj mailing lists
        mlmmj   unix  -       n       n       -       -       pipe
            flags=ORhu user=mlmmj argv=/usr/local/bin/mlmmj-receive -F -L /var/spool/mlmmj/$nexthop

    Note that $nexthop is used to specify the list directory. We will return
    to that later.

 4) Integrate some necessary options in (also often in /etc/postfix):

        # Only deliver one message to Mlmmj at a time
        mlmmj_destination_recipient_limit = 1

        # Consider the part after '+' but before '@' to be an address extension
        # i.e. addresses have the form user+extension@domain.tld
        recipient_delimiter = +

        # A map to forward mail to a dummy domain
        virtual_alias_maps = hash:/var/spool/mlmmj/virtual

	# Allow virtual alias maps to specify only the user part of the address
	# and have the +extension part preserved when forwarding, so that
	# list-name+subscribe, list-name+confsub012345678, etc. will all work
        propagate_unmatched_extensions = virtual

        # A map to forward mail for the dummy domain to the Mlmmj transport
        transport_maps = hash:/var/spool/mlmmj/transport

    Of course, you may need to merge these options with existing ones (e.g.
    you probably have existing virtual_alias_maps if you run a multi-domain

    It is probably unnecessary to change propagate_unmatched_extensions because
    it defaults to something including 'virtual'. You can check this with
    something like 'postconf | grep propagate'.

 5) (For each list) Create a mailing list (e.g. by using mlmmj-make-ml). The
    list directory should be like /var/spool/mlmmj/list-dir for a flat
    structure, or /var/spool/mlmmj/domain.tld/list-name for a hierarchical
    structure (the -s option to mlmmj-make-ml may be useful to get the list
    created where you want it). Ensure the list directory and everything in it
    is owned by the mlmmj user (except you may want control files to be owned
    by your www server user in order to use web configuration interfaces; they
    must be readable by the mlmmj user though).

 6) (For each list) Add entries to the Postfix tables to accept mail for the
    list and forward it to the Mlmmj transport:

        list-name@domain.tld    domain.tld--list-name@localhost.mlmmj

        # for a flat structure
        domain.tld--list-name@localhost.mlmmj   mlmmj:list-dir
        # for a hierarchical structure
        domain.tld--list-name@localhost.mlmmj   mlmmj:domain.tld/list-name

    Note that we have used a dummy domain 'localhost.mlmmj' to connect the
    virtual alias with the Mlmmj transport. This could be anything as long as
    it isn't a real domain. The user part of the address could also be
    anything; as long as the address matches in both tables it should work.

    Also note that the text after 'mlmmj:' becomes $nexthop which was mentioned
    earlier, so it is used to specify the list directory when executing

 7) Refresh your postfix tables and reload your configuration so it takes

        postmap /var/spool/mlmmj/virtual
        postmap /var/spool/mlmmj/transport
        postfix reload

    Enjoy your new lists!

[1] Actually, the standard local(8) delivery agent will execute external
    programs (such as Mlmmj) as the 'receiving user'. However, unless you
    direct your mail to Mlmmj using a .forward file (see local(8)) or an
    :include: file (see aliases(5)), or your aliases file is not owned by root,
    there is no 'receiving user'. Without a 'receiving user', Postfix uses the
    user from the configuration option 'default_privs', which defaults to

[2] Making 'nobody' own your lists is insecure because other programs and
    daemons rely on 'nobody' not owning any files or having access to anything;
    they use 'nobody' as a way of denying access and keeping all your files and
    system secure. Most notably, some NFS implementations use 'nobody' when
    somebody connects but fails to authenticate. Your mailing lists should not
    be accessible in such situations, but they may be if they are owned by

[3] Changing 'default_privs' to an 'mlmmj' user may open other security holes,
    and may not be appropriate if Postfix is used for other external programs
    besides Mlmmj.

[4] Using .forward files is not practical, as it requires a user to be created
    for every mailing list.

[5] Using :include: files would require delivery to commands to be enabled in
    :include: files, which is not recommended for security reasons. It is also
    messy for virtual domains in the same way as an alias table owned by an
    'mlmmj' user is[6].

[6] Adding an alias table owned by an 'mlmmj' user works, and doesn't pose any
    great security risk. However, it is messy for virtual domains as you need
    to forward mail from the virtual domain to your non-virtual domain and then
    to Mlmmj. This results in each list having an additional address, which is
    not desirable. That extra intermediate address is also included in mail
    headers, which is not desirable (though it could be filtered out by Mlmmj).
    Setting up an Mlmmj transport is about the same amount of work and doesn't
    have these drawbacks. However, If you are not using virtual domains, this
    is a good and simple option; but it will not be explained in detail here.

[7] To use non-virtual alises, at step 4, you'll need to incorporate:
        alias_maps = hash:/var/spool/mlmmj/aliases
        propagate_unmatched_extensions = alias

    You probably will need to adjust propagate_unmatched_extensions in this
    case, probably by adding 'alias' to the existing value rather than using
    'alias' alone.

    If you want to use 'newaliases' to update the alias table, you should also

        alias_database = hash:/var/spool/mlmmj/aliases

    At step 6, entries in /var/spool/mlmmj/aliases should look something like:

        list-name:    list-name@localhost.mlmmj

    At step 7, you'll need:

        postalias /var/spool/mlmmj/aliases

    or (if you included alias_database above)


    And of course you can omit the virtual stuff if you're not using it.

    Note that this has not been tested, but we believe it should work.

[8] The flags for the transport are pretty critical. In particular if the 'R'
    option is not used mlmmj-receive fails to receive the mail correctly. The
    options mean:

        D - Prepend a 'Delivered-To: recipient' header (not used)
        O - Prepend an 'X-Original-To: recipient' header
        R - Prepend a 'Return-Path:'. header
        h - fold $nexthop to lowercase
        u - fold $recipient to lowercase