Postfix alias file, mailman and virtualmin

Hi,

We have an issue with our mailman installation. In Postfix' main.cf we have:

alias_maps = dbm:/opt/redknot/mailman/data/aliases,dbm:/etc/opt/redknot/postfix/aliases

It seems Virtualmin puts new aliases in the last specified alias_map file, which is fine for normal aliases. But the Mailman aliases should go into the first alias_map. When we create a mailing list via the Mailman interface this works OK, but when we create a mailing list with the Virtualmin interface the aliases go into the wrong file.

Martijn

Status: 
Active

Comments

Yes, Virtualmin always uses the last alias file.

Why does it cause problems if that file is used in this case though? Would re-ordering them in main.cf fix the problem?

The problem is the permission of those files. The postfix alias file is owned by root:root so when postfix 'executes' an alias the privileges are dropped to nobody:nobody. The mailman alias file is owned by root:mailman and postfix drops the privileges to nobody:mailman. The mailman scripts need to be executed with the group mailman (in our case) so when the aliases are in the postfix alias file mailman complains about the wrong group running the mailman program.

Also we use some self-made scripts to sync the alias files (and other files) to other postfix servers. We would like to handle different alias files in a different way.

So would just swapping the order of the files in main.cf work for you? Webmin is currently hard-coded to add new aliases to the last one ... although I guess that would cause problems with non-mailman aliases.

Swapping the order doesn't solve the problem. We also use scripts to sync the alias files, the mailman file is handled differently. Also this could cause a security issue because users can create aliases which run with mailman privileges.

Unfortunately there is no way to support this type of configuration in Virtualmin, and adding support for it would require quite a lot of changes in various places.

A typical Virtualmin install uses only a single map file, and runs Mailman commands via the wrapper /usr/lib/mailman/mail/mailman which is setuid or setgid.

If the wrapper you mean is provided with mailman, it checks if the user calling the wrapper has the right group. When the user has the wrong group you get an error like this:

"Group mismatch error. Mailman expected the mail wrapper script to be executed as group "mailman", but the system's mail server executed the mail script as group "mail". Try tweaking the mail server to run the script as group "mailman", or re-run configure, providing the command line option `--with-mail-gid=mail'."

That is exactly the problem which happens when all the aliases are in one file.

I don't understand that it would require modifying the code in a lot of places, only the mailman plugin needs to be modified and use a different alias file?

Are you running Virtualmin on Solaris, installed using our install script?

Unfortunately the mailman plugin doesn't write to the Postfix alias files itself - it calls at least 2 other layers of APIs to provide mailserver-independence, all of which would need to be updated to support specification of the file to add the alias to.
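
An added example, not part of the original thread and not Virtualmin or Mailman code: a small audit that parses alias source files and flags the two conditions discussed above, Mailman wrapper aliases sitting in a file that is not group-owned by mailman, and other piped commands sitting in the mailman-owned file. It assumes the wrapper path quoted in the thread; the group owners are passed in as data, and the list names and /usr/local/bin/archive.sh are constructed sample values.

```python
import re

WRAPPER = "/usr/lib/mailman/mail/mailman"  # wrapper path quoted in the thread
MM_GROUP = "mailman"                        # group the wrapper expects

def parse_aliases(text):
    """Parse aliases(5) source text into {name: [targets]}."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()      # continuation line
        else:
            logical.append(raw.strip())
    entries = {}
    for line in logical:
        name, _, rhs = line.partition(":")
        # Quoted targets may contain commas, so match them before bare ones.
        targets = re.findall(r'"[^"]*"|[^,\s][^,]*', rhs)
        entries[name.strip()] = [t.strip().strip('"') for t in targets]
    return entries

def audit(files):
    """files: (path, group_owner, source_text) tuples. Returns findings."""
    findings = []
    for path, group, text in files:
        for name, targets in parse_aliases(text).items():
            for t in targets:
                parts = t[1:].split() if t.startswith("|") else []
                if not parts:
                    continue                      # not a piped command
                if parts[0] == WRAPPER and group != MM_GROUP:
                    findings.append((path, name, "wrapper-wrong-group"))
                elif parts[0] != WRAPPER and group == MM_GROUP:
                    findings.append((path, name, "non-mailman-pipe-in-mailman-file"))
    return findings

# Constructed sample data; in real use read each file and take its group owner
# from os.stat() instead of hard-coding it.
SAMPLE = [
    ("/opt/redknot/mailman/data/aliases", "mailman",
     'devlist: "|/usr/lib/mailman/mail/mailman post devlist"\n'
     'backup: "|/usr/local/bin/archive.sh"\n'),
    ("/etc/opt/redknot/postfix/aliases", "root",
     '# constructed comment\npostmaster: root\n'
     'newlist:\n    "|/usr/lib/mailman/mail/mailman post newlist"\n'),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
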