Bugzilla:PostfixMTA

Revision as of 18:32, 29 January 2009 by Jgarrison

EMail Integration with Postfix as your MTA

There seem to be two approaches to enabling email input to Bugzilla:

  1. A 'bugzilla' user with .forward and .procmail files in its home directory to invoke email_in.pl -- In this case the process runs with the privileges of the recipient.
  2. Using /etc/aliases to pipe the email directly to email_in.pl -- In this case I believe (but haven't been able to verify) the process runs under the MTA user.

When setting up Bugzilla the documentation says to run checksetup.pl as root. This results in the Bugzilla installation files being chown'ed to root.apache (or whatever group you set for $webservergroup in localconfig). You might think that all you have to do is give the 'bugzilla' or MTA user supplementary membership in the web server group (typically 'apache') to give it access to the necessary files.

While this might work for sendmail, it fails for Postfix because Postfix does not grant the child process any supplementary group memberships (see [1]), so the child process cannot load data/params.

The solution I've gotten to work for the .forward/.procmail scenario is as follows (bugzilla installed at /opt/bugzilla):

  1. chown -R bugzilla.bugzilla /opt/bugzilla
  2. usermod -G apache bugzilla
  3. as user 'bugzilla' run checksetup.pl -- the bugzilla files get chown'ed to bugzilla.apache and locked down

Step 2 is needed to allow step 3 to succeed. You can revoke bugzilla's apache membership after step 3 if you want.

This setup allows the MTA to run .forward/.procmail as the 'bugzilla' user while apache also has the necessary access.
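The failure and the fix above both come down to which permission class applies to a process that has only a uid and a primary gid. The following check is an added example, not part of the original page or of Bugzilla; the function names are hypothetical and it assumes GNU stat on Linux and a non-root delivery user.

```shell
#!/bin/sh
# Added example (function names are hypothetical). Assumes GNU stat (Linux).
# Models the owner/group/other read check for a non-root process that has
# only a uid and a primary gid, i.e. no supplementary groups.

# perm_class FILE UID GID -> prints the class the kernel applies
perm_class() (
    f_uid=$(stat -c '%u' "$1") || exit 2
    f_gid=$(stat -c '%g' "$1") || exit 2
    if   [ "$2" -eq "$f_uid" ]; then echo owner
    elif [ "$3" -eq "$f_gid" ]; then echo group   # primary gid only
    else echo other
    fi
)

# readable_without_supp_groups FILE UID GID
# exit 0: read bit set for the applicable class; 1: not set; 2: stat failed
readable_without_supp_groups() (
    class=$(perm_class "$1" "$2" "$3") || exit 2
    mode=$(stat -c '%a' "$1") || exit 2
    perm=$((0$mode))                  # leading 0 makes the shell parse octal
    case $class in
        owner) bit=$((perm & 0400)) ;;
        group) bit=$((perm & 0040)) ;;
        other) bit=$((perm & 0004)) ;;
    esac
    [ "$bit" -ne 0 ]
)

# Constructed demo: a scratch file with mode 640 stands in for data/params.
demo=$(mktemp) && chmod 640 "$demo"
d_gid=$(stat -c '%g' "$demo")
# uid 65534 is a constructed "someone else" uid for the demo.
for ids in "65534 $d_gid" "65534 $((d_gid + 1))"; do
    set -- $ids
    if readable_without_supp_groups "$demo" "$1" "$2"; then
        echo "uid=$1 gid=$2: readable ($(perm_class "$demo" "$1" "$2") class)"
    else
        echo "uid=$1 gid=$2: NOT readable ($(perm_class "$demo" "$1" "$2") class)"
    fi
done
rm -f "$demo"
```

On a real install, call it as `readable_without_supp_groups /opt/bugzilla/data/params "$(id -u bugzilla)" "$(id -g bugzilla)"`; a non-zero status means a process started without supplementary groups cannot read the file.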