# HG changeset patch # User Ben Schmidt # Date 1289776288 -39600 # Node ID ddae562f7cf0359e357ea83a10ef3bb20b16de49 # Parent 93d445688ebe702186d14ee25627ed50200220f7 Document why 'nobody' is inappropriate and capitalise a few things diff -r 93d445688ebe -r ddae562f7cf0 README.postfix --- a/README.postfix Mon Nov 15 09:36:38 2010 +1100 +++ b/README.postfix Mon Nov 15 10:11:28 2010 +1100 @@ -2,8 +2,8 @@ POSTFIX ISSUES - The main issue with Postfix and mlmmj is the mlmmj requirement that - the mlmmj executables must be executed by root or the owner of the + The main issue with Postfix and Mlmmj is the Mlmmj requirement that + the Mlmmj executables must be executed by root or the owner of the list directory. This is at odds with Postfix. The standard local delivery mechanism @@ -19,12 +19,24 @@ files are disabled as a security precaution in aliases files for delivering to external programs. - This leaves us with a conundrum on how to execute the mlmmj - executables as an 'mlmmj' user without using alias files. One - answer is to use a postfix transport. + So Postfix then falls back to executing with the user specified by + the configuration option 'default_privs'. The default setting for + this option is the user 'nobody'. You can make Mlmmj work by having + your lists owned by 'nobody', but this is not recommended. Other + programs and daemons may use 'nobody' as a user who should not have + access to anything; most notably, some NFS implementations use this + user when somebody connects but fails to authenticate. Such users + should not be able to access your mailing lists. Changing + 'default_privs' to an 'mlmmj' user may open other security holes, + and may not be appropriate if Postfix is used for other external + programs besides Mlmmj. + + This leaves us with a conundrum on how to execute the Mlmmj + executables as an 'mlmmj' user. One answer is to use a Postfix + transport. First we'll get the 'mlmmj' user setup and then move onto the - postfix configuration: + Postfix configuration: MLMMJ SETUP @@ -51,8 +63,8 @@ Add a virtual_alias_map file to main.cf configuration. We'll use a regular expression map since we need to be able to match all the - various mjmml delimiter addresses (list-subscribe, list-unsubscribe, - etc) + various Mlmmj delimiter addresses (list-subscribe, list-unsubscribe, + confsub-0123456789abcdef, etc.). main.cf: virtual_alias_maps = hash:/etc/postfix/virtual, @@ -72,7 +84,7 @@ /^(list-name.*)@(domain\.com)$/ domain--${1} - Next we make sure that postfix can invoke the mlmmj executables as + Next we make sure that Postfix can invoke the mlmmj executables as the 'mlmmj' user. This is where the transport map comes in. So we add a transport map and a configuration option that instructs the transport to only deliver one file at a time. See transport(5) for @@ -97,7 +109,7 @@ /^(domain--list-name).*$/ mlmmj:domain/list-name Now we setup the 'mlmmj' transport. The 'mlmmj' in mlmmj:$1 above - indicates a transport listed in the postfix master.cf file. We are + indicates a transport listed in the Postfix master.cf file. We are just going to create a transport called 'mlmmj' but it is nothing more than a pipe(8) to the mlmmj-receive program that is invoked as the 'mlmmj' user. @@ -107,7 +119,7 @@ mlmmj unix - n n - - pipe flags=DORhu user=mlmmj argv=/usr/local/bin/mlmmj-receive -F -L /var/spool/mlmmj/$nexthop/ - This takes the pipe(8) postfix delivery agent and tells it to invoke + This takes the pipe(8) Postfix delivery agent and tells it to invoke '/usr/local/bin/mlmmj-receive' as the 'mlmmj' user and pipe the email to it on stdin. This mode of transportation is given the name 'mlmmj'. @@ -129,6 +141,6 @@ /var/spool/mlmmj/list-name as usual, or for the hierarchical multi-domain version, in /var/spool/mlmmj/domain/list-name. - Restart postfix and enjoy your new lists. + Restart Postfix and enjoy your new lists.