Closed racke closed 1 year ago
For reference, this is the exim setup we use:
SYMPA_EXPL = /var/lib/sympa/list_data
SYMPA_ROBOT = /etc/sympa
SYMPA_QUEUE = /usr/lib/sympa/bin/queue
SYMPA_BOUNCE = /usr/lib/sympa/bin/bouncequeue
SYMPA_DOMAINS = lists.example.com
domainlist sympa_domains = SYMPA_DOMAINS
begin routers
# These routers handle sympa mailinglist mails
sympa_command:
debug_print = "R: sympa_command for $local_part@$domain"
driver = accept
domains = +sympa_domains
local_parts = sympa : listmaster
require_files = +SYMPA_ROBOT/${lc::$domain}/robot.conf
retry_use_local_part
transport = sympa_command
sympa_request_or_owner:
debug_print = "R: sympa_request_or_owner for ${local_part}${local_part_suffix}@$domain"
driver = redirect
domains = +sympa_domains
local_parts = sympa
local_part_suffix = -request : -owner
require_files = +SYMPA_ROBOT/${lc::$domain}/robot.conf
retry_use_local_part
data = postmaster@$domain
sympa_arf_or_bounce:
debug_print = "R: sympa_arf_or_bounce for $local_part@$domain"
driver = accept
domains = +sympa_domains
local_parts = abuse-feedback-report : bounce
require_files = +SYMPA_ROBOT/${lc::$domain}/robot.conf
retry_use_local_part
transport = sympa_bounce
sympa_list_owner:
debug_print = "R: sympa_list_owner for ${local_part}${local_part_suffix}@$domain"
driver = accept
domains = +sympa_domains
local_part_suffix = -owner
require_files = +SYMPA_EXPL/${lc::$domain}/${local_part}/config
retry_use_local_part
transport = sympa_bounce
sympa_list_bounce:
debug_print = "R: sympa_list_bounce for ${local_part_prefix}${local_part}@$domain"
driver = accept
domains = +sympa_domains
local_part_prefix = bounce+
require_files = +SYMPA_ROBOT/${lc::$domain}/robot.conf
retry_use_local_part
transport = sympa_bounce
sympa_list_queue:
debug_print = "R: sympa_list_queue for ${local_part}${local_part_suffix}@$domain"
driver = accept
domains = +sympa_domains
local_part_suffix_optional
local_part_suffix = -request : -editor : -subscribe : -unsubscribe
require_files = +SYMPA_EXPL/${lc::$domain}/${local_part}/config
retry_use_local_part
transport = sympa_queue
begin transports
# These transports are used for passing messages to sympa
sympa_command:
driver = pipe
command = "SYMPA_QUEUE ${local_part}\@$domain"
return_fail_output
user = sympa
sympa_queue:
driver = pipe
command = "SYMPA_QUEUE ${local_part}${local_part_suffix}\@$domain"
return_fail_output
user = sympa
sympa_bounce:
driver = pipe
command = "SYMPA_BOUNCE ${local_part_prefix}${local_part}\@$domain"
return_fail_output
user = sympa
From what I understand of what sympa needs, this should cover all the addresses also covered, for example, in https://sympa-community.github.io/manual/install/configure-mail-server-opensmtpd.html
Please note that the user exim runs as will need read access to different parts of the exim data tree for this to work. We achieved this by adding the user exim runs as to the sympa group.
Hello. I have written documentation for solving this issue. The Exim configuration is simpler than the one suggested by thegcat. Some points may be improved, but it works on my Debian. See pull request #90.
Just one point: the manual page says that return_path_add in the pipe transport should be set so that the Return-Path field will be prepended to the message. I'd appreciate it if you could take this into consideration.
@ikedas Thanks, I'm going to test that out.
A complication is that the following no longer works in Exim 4.96:
command = "SYMPA_QUEUE ${local_part}${local_part_suffix}\@$domain"
because Exim is paranoid about passing "tainted" values into shell commands. The solution is to use "dsearch" directory lookups to match ${local_part} against existing lists on the system. This populates an untainted variable $local_part_data.
Here is the configuration that I am successfully using with Exim 4.96 (which should also work with older versions of Exim):
SYMPA_EXPL = /var/lib/sympa/list_data
SYMPA_QUEUE = /usr/libexec/sympa/queue
SYMPA_BOUNCE = /usr/libexec/sympa/bouncequeue
# Need to use dsearch to pass taint checks in Exim 4.96
# This lookup defines (untainted) $local_part_data when it matches.
SYMPA_DSEARCH = ${lookup {$local_part} dsearch {SYMPA_EXPL}}
begin routers
sympa_command:
driver = accept
local_parts = sympa
retry_use_local_part
transport = sympa_command
# $local_part_suffix automatically untainted as matching against fixed list of values
sympa_queue:
driver = accept
local_parts = SYMPA_DSEARCH
local_part_suffix_optional
local_part_suffix = -request : -editor : -subscribe : -unsubscribe
retry_use_local_part
transport = sympa_queue
# NB: Vanilla Sympa uses -owner for return path
sympa_bounces:
driver = accept
local_parts = SYMPA_DSEARCH
local_part_suffix = -bounces
retry_use_local_part
transport = sympa_bounce
# VERP looks like: bounce+dpc22==a==cam.ac.uk==test-dpc22@lists.cam.ac.uk
# Can't sensibly detaint that. Fortunately we don't have to.
# See sympa_bounce_verp transport for detail.
sympa_prefix_bounce:
driver = accept
local_part_prefix = bounce+
retry_use_local_part
transport = sympa_bounce_verp
begin transports
sympa_command:
driver = pipe
command = SYMPA_QUEUE sympa@lists.cam.ac.uk
return_fail_output
user = sympa
group = sympa
sympa_queue:
driver = pipe
command = SYMPA_QUEUE ${local_part_data}${local_part_suffix}@lists.cam.ac.uk
return_fail_output
# MLM will break existing DKIM signature without ARC signing
headers_remove = DKIM-Signature
user = sympa
group = sympa
# SYMPA_BOUNCE is actually looking at the To: header in message body.
#
# argv[1] just assigns a convenient filename in /var/spool/sympa/bounce
# Only reason for listname is to group msgs in /var/spool/sympa/bounce/bad/
# Consequently we don't need detaint ${local_part} for VERP bounces.
sympa_bounce:
driver = pipe
command = SYMPA_BOUNCE ${local_part_data}@lists.cam.ac.uk
return_fail_output
user = sympa
group = sympa
sympa_bounce_verp:
driver = pipe
command = SYMPA_BOUNCE sympa@lists.cam.ac.uk
return_fail_output
user = sympa
group = sympa
${domain} is also tainted. I don't have to worry about that, as I only have a single domain to play with: lists.cam.ac.uk.
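An added illustration (not the thread's own code, and not Exim itself) of why the dsearch lookup satisfies the taint check: the router chain above is modelled in Python, with the list directory acting as an allow-list so that only names that literally exist under list_data can reach the pipe command's argv. The domain, the temporary list_data tree and the list name "test-dpc22" are constructed for the example.

```python
"""Model of the Exim router chain from this thread (constructed illustration,
not Exim's logic nor the thread's config): a dsearch-style directory lookup
turns an untrusted local part into an untainted list name before it is
handed to the Sympa pipe transports."""
import os
import tempfile

SYMPA_QUEUE = "/usr/libexec/sympa/queue"        # paths as quoted in the thread
SYMPA_BOUNCE = "/usr/libexec/sympa/bouncequeue"
DOMAIN = "lists.example.com"                      # assumed single list domain
SUFFIXES = ("-request", "-editor", "-subscribe", "-unsubscribe")


def dsearch(directory, key):
    """Mimic Exim's dsearch: succeed only when an entry literally named
    `key` exists in `directory`; a key containing '/' is rejected outright.
    The returned value comes from the directory listing, not from the
    message, which is why it is considered untainted."""
    if not key or "/" in key:
        return None
    return key if key in os.listdir(directory) else None


def route(local_part, list_data):
    """Return the argv the first matching transport would exec, or None
    (no router accepts, so Exim bounces the message). Router order follows
    the thread's config: command, queue, bounces, prefix bounce."""
    if local_part == "sympa":                       # sympa_command (fixed arg)
        return [SYMPA_QUEUE, f"sympa@{DOMAIN}"]
    # sympa_queue: optional suffix from a fixed list, base name via dsearch
    suffix = next((s for s in SUFFIXES if local_part.endswith(s)), "")
    name = dsearch(list_data, local_part[:len(local_part) - len(suffix)])
    if name:
        return [SYMPA_QUEUE, f"{name}{suffix}@{DOMAIN}"]
    if local_part.endswith("-bounces"):             # sympa_bounces
        name = dsearch(list_data, local_part[:-len("-bounces")])
        if name:
            return [SYMPA_BOUNCE, f"{name}@{DOMAIN}"]
    if local_part.startswith("bounce+"):            # sympa_prefix_bounce
        return [SYMPA_BOUNCE, f"sympa@{DOMAIN}"]    # VERP: fixed arg, no detaint
    return None


def make_list_data(names=("test-dpc22",)):
    """Constructed stand-in for /var/lib/sympa/list_data with one list."""
    root = tempfile.mkdtemp()
    for n in names:
        os.makedirs(os.path.join(root, n))
        open(os.path.join(root, n, "config"), "w").close()
    return root
```

Anything that is not an existing list directory name (a typo, a path fragment, or a local part with shell metacharacters) simply fails to route, so it never becomes a command argument.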
@dpc22 thanks for the update. Exim 4.94 is also affected.
Tainting was first introduced in 4.94. The following still worked in 4.95:
command = "SYMPA_QUEUE ${local_part}${local_part_suffix}\@$domain"
but was broken by the following change in 4.96:
JH/25 Taint-check exec arguments for transport-initiated external processes.
Previously, tainted values could be used. This affects "pipe", "lmtp" and
"queryprogram" transport, transport-filter, and ETRN commands.
The ${run} expansion is also affected: in "preexpand" mode no part of
the command line may be tainted, in default mode the executable name
may not be tainted.
as I discovered (the hard way!) on upgrading to 4.96 earlier this week:
2022-07-11 06:32:30 +0100 1oAm22-000DXm-0O ** test-dpc22@lists.cam.ac.uk F=<dpc22@cam.ac.uk> P=<dpc22@cam.ac.uk> R=sympa_queue T=sympa_queue: Tainted arg 1 for sympa_queue transport command: 'test-dpc22@lists.cam.ac.uk' DT=0s
PR #90 has been merged. Thank you for the information!
This is missing and causing a 404: https://sympa-community.github.io/manual/install/configure-mail-server-exim.md.