Bugzilla Postfix e-mail integration
I got Postfix e-mail submissions to Bugzilla (3.0.5) working properly.
Perhaps these notes of mine could save someone some trouble when attempting this.
Certainly postfix could accomplish e-mail submissions via a custom transport using a pipe.
I however decided to use a pipe in the /etc/aliases file; mine contains this important line :
bug-submit: "|/var/www/bugz/email_in.pl -vvv 2>/tmp/emailin.log"
Note that for troubleshooting I can take a look at email_in.pl’s STDERR in /tmp/emailin.log.
Log in via the Bugzilla admin account and go to the Email section of the Parameters page.
Change the mailfrom to match the above e-mail alias so that Bugzilla users can add a comment to a bug by replying to Bugzilla’s e-mails.
I’m using SPF to verify sender e-mail addresses.
Here’s part of my /etc/postfix/main.cf containing some configuration for SPF :
alias_maps = hash:/etc/aliases
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_policy_service unix:private/policy-spf
# <service name>_time_limit; the prefix must match the policy-spf entry in master.cf
policy-spf_time_limit = 3600
and part of my /etc/postfix/master.cf :
policy-spf unix - n n - - spawn
    user=nobody argv=/usr/bin/policyd-spf
Next I got DomainKeys working.
SPF and DomainKeys are especially important for this setup because
Bugzilla will not be doing any e-mail spam filtering.
All a spammer would have to do to submit annoying bugs into our Bugzilla
system would be to forge an e-mail from a Bugzilla user’s e-mail address
and send it to bug-submit@xxx.xxx… This is why I want SPF and DomainKeys fully
operational… that way many forgery attempts will be rejected.
The DKIM filters for inbound and outbound mail are started like this :
/usr/local/dkimproxy/bin/dkimproxy.in --listen=127.0.0.1:10025 --relay=127.0.0.1:10026 \
    --user=dkim --group=dkim --daemonize --pidfile=/var/run/dkimproxy.in
/usr/local/dkimproxy/bin/dkimproxy.out --listen=127.0.0.1:10027 --relay=127.0.0.1:10028 \
    --keyfile=/usr/local/dkimproxy/etc/private.key --selector=selector1 --domain=bugzilla.spinn3r.com \
    --user=dkim --group=dkim --signature=dkim --daemonize --pidfile=/var/run/dkimproxy.out
For filtering inbound mail via DKIM edit the master.cf with something like this :
# Before-filter SMTP server. Receive mail from the network and
# pass it to the content filter on localhost port 10025.
#
smtp inet n - n - - smtpd
    -o smtpd_proxy_filter=127.0.0.1:10025
    -o smtpd_client_connection_count_limit=10
# DKIM
# After-filter SMTP server. Receive mail from the content filter on
# localhost port 10026.
127.0.0.1:10026 inet n - n - - smtpd
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o receive_override_options=no_unknown_recipient_checks
For outgoing DKIM edit the master.cf like this:
## outgoing dkim
submission inet n - n - - smtpd
    -o smtpd_etrn_restrictions=reject
    -o content_filter=dksign:[127.0.0.1]:10027
    -o receive_override_options=no_address_mappings
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
dksign unix - - n - 10 smtp
    -o smtp_send_xforward_command=yes
    -o smtp_discard_ehlo_keywords=8bitmime
127.0.0.1:10028 inet n - n - 10 smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
Do a postfix reload.
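Added example, not part of the original post: SPF evaluates the envelope sender rather than the From: header, so a gate in front of email_in.pl can also require that the two domains agree before a message reaches Bugzilla. It assumes the policy service prepends a Received-SPF header carrying an envelope-from field and that email_in.pl identifies the submitter from From:; check_message, domain_of and SAMPLE_MISALIGNED are hypothetical names.

```python
import re
import subprocess
import sys
from email import message_from_bytes
from email.utils import parseaddr

EMAIL_IN = "/var/www/bugz/email_in.pl"  # path from the aliases entry above
# Constructed sample: SPF passes for the sending domain, From: names someone else.
SAMPLE_MISALIGNED = (
    b"Received-SPF: Pass (sender SPF authorized) identity=mailfrom;\r\n"
    b" client-ip=192.0.2.10; envelope-from=bulk@sender.example\r\n"
    b"From: Alice <alice@example.com>\r\nSubject: [Bug 1] re\r\n\r\ntext\r\n")

def domain_of(addr):  # lower-cased domain part, '' if there is none
    return addr.rpartition("@")[2].strip().lower() if "@" in addr else ""

def check_message(raw):
    """Return (ok, reason) for a raw message given as bytes."""
    msg = message_from_bytes(raw)
    # Assumption: the first (newest) Received-SPF was written by the local policy service.
    spf_headers = msg.get_all("Received-SPF") or []
    if not spf_headers:
        return False, "no Received-SPF header"
    spf = " ".join(str(spf_headers[0]).split())  # unfold continuation lines
    result = spf.split(" ", 1)[0].lower()
    if result != "pass":
        return False, "SPF result is " + result
    spf = re.sub(r"\([^)]*\)", "", spf)  # drop the free-text comment
    fields = {k.lower(): v.strip('"<>') for k, v in re.findall(r'([\w-]+)=("[^"]*"|[^;\s]+)', spf)}
    from_headers = msg.get_all("From") or []
    if len(from_headers) != 1:
        return False, "expected exactly one From header"
    from_domain = domain_of(parseaddr(str(from_headers[0]))[1])
    env_domain = domain_of(fields.get("envelope-from", ""))
    if not from_domain or from_domain != env_domain:
        return False, "From domain does not match envelope sender domain"
    return True, "ok"

def main():
    raw = sys.stdin.buffer.read()
    ok, reason = check_message(raw)
    if not ok:
        # Log and discard; a bounce would go to a possibly forged sender.
        print("spf-gate: dropped: " + reason, file=sys.stderr)
        return 0
    return subprocess.run([EMAIL_IN], input=raw).returncode

if __name__ == "__main__":
    sys.exit(main())
```

Mail admitted by permit_mynetworks never reaches the policy service, so any Received-SPF header on such a message was not written locally and that path needs separate handling.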
I just spent a couple of days trying to get this to work with .forward/.procmail, and eventually discovered that when Postfix invokes the pipe in .procmail it does not give the process the supplementary groups defined in /etc/group for the ‘bugzilla’ user (see http://article.gmane.org/gmane.mail.postfix.user/88627/match=supplementary+group). Are you seeing the same problem with your approach?
I solved mine by doing “chown -R bugzilla.apache /opt/bugzilla”
Yeah I remember seeing that permissions issue.
But I looked at the latest postfix aliases files and found I put this there :
bugzilla: "|(sudo /var/www/bugz/nobody-chown ; /var/www/bugz/email_in.pl -vvv 2>/tmp/emailin.log)"
In this context the pipe is owned by nobody.
It looks like I set up an ugly hack… nobody-chown does this:
chown nobody /var/www/bugz/data/params
Really I should be executing the email-in.pl with sudo as the bugzilla user or something.
I’ll probably have to revisit this project again when we actually want to use bugzilla e-mail…
I’ll probably have to revisit this project again when we actually want to use bugzilla e-mail.
it is a good resource.
Thank you