Configure the list manager (Sympa).

18 files changed, 744 insertions, 70 deletions

diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa
new file mode 100644
index 0000000..5887dd0
--- /dev/null
+++ b/roles/lists/files/etc/nginx/sites-available/sympa
@@ -0,0 +1,62 @@
+server {
+    listen      80;
+    listen [::]:80 ipv6only=on;
+
+    server_name lists.fripost.org;
+
+    access_log /var/log/nginx/lists.access.log;
+    error_log  /var/log/nginx/lists.error.log info;
+
+    return 301 https://$host$request_uri;
+}
+
+
+server {
+    listen      443;
+    listen [::]:443 ipv6only=on;
+
+    server_name  lists.fripost.org;
+
+    include ssl/config;
+    ssl_certificate     /etc/nginx/ssl/lists.fripost.org.pem;
+    ssl_certificate_key /etc/nginx/ssl/lists.fripost.org.key;
+
+    location = / {
+        return 301 /sympa$args;
+    }
+
+    location ^~ /static-sympa/ {
+        alias /var/lib/sympa/static_content/;
+    }
+
+    location ^~ /sympa {
+        fastcgi_split_path_info ^(/sympa)(.*)$;
+        include fastcgi/params;
+       
+        fastcgi_pass unix:/run/wwsympa.socket;
+        gzip off;
+    }
+
+    location ~* ^/([^/]+)/?$ {
+        return 301 /$1/sympa$args;
+    }
+    location ~* ^/([^/]+)/sympa(/.*)?$ {
+        set $vhost $1;
+
+        if (!-f /etc/sympa/$vhost/robot.conf) {
+            return 404;
+        }
+
+        fastcgi_split_path_info ^(/[^/]+/sympa)(.*)$;
+        include fastcgi/params;
+        
+        fastcgi_pass unix:/run/wwsympa.socket;
+        gzip off;
+    
+        fastcgi_param  SERVER_NAME        $vhost;
+    }
+
+    location / {
+        return 404;
+    }
+}
diff --git a/roles/lists/files/etc/postfix/transport b/roles/lists/files/etc/postfix/transport
new file mode 100644
index 0000000..d3ddde3
--- /dev/null
+++ b/roles/lists/files/etc/postfix/transport
@@ -0,0 +1,11 @@
+# Each valid address user@example.org is aliased (on the MX) into some
+# example.org/user@xxx.fripost.org, and non-defaults next-hop:port are
+# chosen here in that table, depending on 'xxx'.  The reason for such
+# indirection is that there is only one qmgr(8) daemon, which delegate
+# the routing strategy to the trivial-rewrite(8), which in turns queries
+# transport_maps.  Hence high latency maps such as LDAP or SQL would
+# congestion the queue manager.  On the other hand, virtual aliasing is
+# performed by cleanup(8), multiples instances of which can run in
+# parallel. See http://www.postfix.org/ADDRESS_REWRITING_README.html .
+
+sympa.fripost.org  sympa:
diff --git a/roles/lists/files/etc/postfix/virtual/domains.cf b/roles/lists/files/etc/postfix/virtual/domains.cf
deleted file mode 120000
index 320a970..0000000
--- a/roles/lists/files/etc/postfix/virtual/domains.cf
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../MX/templates/etc/postfix/virtual/domains.cf.j2
\ No newline at end of file
diff --git a/roles/lists/files/etc/postfix/virtual/transport_list.cf b/roles/lists/files/etc/postfix/virtual/transport_list.cf
deleted file mode 100644
index 384b832..0000000
--- a/roles/lists/files/etc/postfix/virtual/transport_list.cf
+++ /dev/null
@@ -1,8 +0,0 @@
-server_host      = ldapi://%2Fprivate%2Fldapi/
-version          = 3
-search_base      = fvl=%u,fvd=%d,ou=virtual,dc=fripost,dc=org
-domain           = static:all
-scope            = base
-bind             = none
-query_filter     = (&(objectClass=FripostVirtualList)(fvl=%u))
-result_attribute = fripostListManager
diff --git a/roles/lists/files/etc/sympa/sympa.conf b/roles/lists/files/etc/sympa/sympa.conf
new file mode 100644
index 0000000..f761383
--- /dev/null
+++ b/roles/lists/files/etc/sympa/sympa.conf
@@ -0,0 +1,319 @@
+###\\\\ Site customization ////###
+
+## Main robot hostname
+domain		lists.fripost.org
+
+## Local part of sympa email address
+## Effective address will be [EMAIL]@[HOST]
+email	sympa
+
+## Listmasters email list comma separated
+## Sympa will associate listmaster privileges to these email addresses (mail and web interfaces). Some error reports may also be sent to these addresses.
+listmaster		listmaster@fripost.org
+
+## URL of main Web page
+#wwsympa_url http://lists.fripost.org/sympa
+
+max_wrong_password	19
+
+## Directory for storing static contents (CSS, members pictures, documentation) directly delivered by Apache
+static_content_path	/var/lib/sympa/static_content
+
+## URL mapped with the static_content_path directory defined above
+static_content_url	/static-sympa
+
+css_url /static-sympa/css
+
+## Secret used by Sympa to make MD5 fingerprint in web cookies secure
+## Should not be changed ! May invalid all user password
+cookie `cat /etc/sympa/cookie`
+
+## Who is able to create lists
+## This parameter is a scenario, check sympa documentation about scenarios if you want to define one
+create_list	intranet
+
+###\\\\ Directories ////###
+
+## Directory containing mailing lists subdirectories
+home	/var/lib/sympa/list_data
+
+## Directory for configuration files; it also contains scenari/ and templates/ directories
+etc	/etc/sympa
+
+###\\\\ System related ////###
+
+## Syslog facility for sympa
+## Do not forget to edit syslog.conf
+syslog `cat /etc/sympa/facility`
+
+## Log verbosity
+## 0: normal, 2,3,4: for debug
+log_level	0
+
+## Communication mode with syslogd (unix | inet)
+log_socket_type	unix
+
+## Umask used for file creation by Sympa
+umask	027
+
+###\\\\ Sending related ////###
+
+## Path to the MTA (sendmail, postfix, exim or qmail)
+## should point to a sendmail-compatible binary (eg: a binary named "sendmail" is distributed with Postfix)
+sendmail	/usr/sbin/sendmail
+sendmail_aliases none
+
+distribution_mode fork
+
+## Max. number of Sendmail processes (launched by Sympa) running simultaneously
+## Proposed value is quite low, you can rise it up to 100, 200 or even 300 with powerfull systems.
+maxsmtp	128
+
+log_smtp	off
+
+## comma separated list of operations for which blacklist filter is applied
+## Setting this parameter to "none" will hide the blacklist feature
+use_blacklist	send,create_list
+
+## Default maximum size (in bytes) for messages (can be re-defined for each list)
+max_size	5242880
+
+## Maximum number of recipients per call to Sendmail. The nrcpt_by_domain.conf file allows a different tuning per destination domain.
+nrcpt	25
+
+## Max. number of different domains per call to Sendmail
+avg	10
+
+## Specify which rfc2369 mailing list headers to add
+rfc2369_header_fields	help,subscribe,unsubscribe,post,owner,archive
+
+## Specify header fields to be removed before message distribution
+remove_headers	X-Sympa-To,X-Family-To,Return-Receipt-To,Precedence,X-Sequence,Disposition-Notification-To
+
+## Reject mail from automates (crontab, etc) sent to a list?
+reject_mail_from_automates_feature	on
+
+alias_manager /bin/true
+
+###\\\\ Bulk mailer ////###
+
+## Default priority for a packet to be sent by bulk.
+sympa_packet_priority	5
+
+## Minimum number of packets in database before the bulk forks to increase sending rate
+## 
+bulk_fork_threshold	1
+
+## Max number of bulks that will run on the same server
+## 
+bulk_max_count	3
+
+## The number of seconds a slave bulk will remain running without processing a message before it spontaneously dies.
+## 
+bulk_lazytime	600
+
+## The number of seconds a bulk sleeps between starting a new loop if it didn't find a message to send.
+## Keep it small if you want your server to be reactive.
+bulk_sleep	1
+
+## Number of seconds a master bulk waits between two packets number checks.
+## Keep it small if you expect brutal increases in the message sending load.
+bulk_wait_to_fork	10
+
+###\\\\ Quotas ////###
+
+###\\\\ Spool related ////###
+
+## Directory containing various specialized spools
+## All spool are created at runtime by sympa.pl
+spool	/var/spool/sympa
+
+## Directory for incoming spool
+queue	/var/spool/sympa/msg
+
+queuedistribute	/var/spool/sympa/distribute
+
+## Directory for moderation spool
+queuemod	/var/spool/sympa/moderation
+
+## Directory for digest spool
+queuedigest	/var/spool/sympa/digest
+
+## Directory for authentication spool
+queueauth	/var/spool/sympa/auth
+
+## Directory for outgoing spool
+queueoutgoing	/var/spool/sympa/outgoing
+
+## Directory for subscription spool
+queuesubscribe	/var/spool/sympa/subscribe
+
+## Directory for topic spool
+queuetopic	/var/spool/sympa/topic
+
+## Directory for bounce incoming spool
+queuebounce	/var/spool/sympa/bounce
+
+## Directory for task spool
+queuetask	/var/spool/sympa/task
+
+## Directory for automatic list creation spool
+queueautomatic	/var/spool/sympa/automatic
+
+###\\\\ Internationalization related ////###
+
+## Supported languages
+## This is the set of language that will be proposed to your users for the Sympa GUI. Don't select a language if you don't have the proper locale packages installed.
+supported_lang		sv,en_US
+
+## Default language (one of supported languages)
+## This is the default language used by Sympa
+lang		sv
+
+## If set to "on", enables support of legacy character set
+## In some language environments, legacy encoding (character set) is preferred for e-mail messages: for example iso-2022-jp in Japanese language.
+legacy_character_support_feature	off
+
+###\\\\ Bounce related ////###
+
+## Welcome message return-path ( unique | owner )
+## If set to unique, new subcriber is removed if welcome message bounce
+welcome_return_path	owner
+
+## Remind message return-path ( unique | owner )
+## If set to unique, subcriber is removed if remind message bounce, use with care
+remind_return_path	owner
+
+## Task name for expiration of old bounces
+expire_bounce_task	daily
+
+## Bouncing email rate for warn list owner
+bounce_warn_rate	30
+
+## Bouncing email rate for halt the list (not implemented)
+## Not yet used in current version, Default is 50
+bounce_halt_rate	50
+
+###\\\\ Tuning ////###
+
+## Use of binary version of the list config structure on disk (none | binary_file)
+## Set this parameter to "binary_file" if you manage a big amount of lists (1000+); it should make the web interface startup faster
+cache_list_config	none
+
+## Sympa commands priority
+sympa_priority	1
+
+request_priority	0
+
+owner_priority	9
+
+## Default priority for list messages
+default_list_priority	5
+
+## comma-separated list of files that will be parsed by Sympa when instantiating a family (no space allowed in file names)
+parsed_family_files	message.footer,message.header,message.footer.mime,message.header.mime,info
+
+###\\\\ Database related ////###
+
+## Type of the database (mysql|ODBC|Oracle|Pg|SQLite|Sybase)
+## Be careful to the case
+db_type	mysql
+
+## Name of the database
+## With SQLite, the name of the DB corresponds to the DB file
+db_name	sympa
+
+## Hostname of the database server
+db_host	localhost
+
+## User for the database connection
+db_user	sympa
+
+## Password for the database connection
+## What ever you use a password or not, you must protect the SQL server (is it not a public internet service ?)
+#db_passwd	your_passwd
+
+## Database private extention to subscriber table
+## You need to extend the database format with these fields
+#db_additional_subscriber_fields	billing_delay,subscription_expiration
+
+## Database private extention to user table
+## You need to extend the database format with these fields
+#db_additional_user_fields	age,address
+
+## Number of months that elapse before a log is expired
+logs_expiration_period	3
+
+## Default timeout between two scheduled synchronizations of list members with data sources.
+default_ttl	3600
+
+## Default timeout between two action-triggered synchronizations of list members with data sources.
+default_distribution_ttl	300
+
+## Default timeout while performing a fetch for an include_sql_query sync
+default_sql_fetch_timeout	300
+
+###\\\\ Loop prevention ////###
+
+###\\\\ S/MIME configuration ////###
+
+## Path to OpenSSL
+## Sympa recognizes S/MIME if OpenSSL is installed
+#openssl	/usr/bin/ssl
+
+## Directory containing trusted CA certificates
+#capath	/etc/sympa/ssl.crt
+
+## File containing bundled trusted CA certificates
+#cafile	/usr/local/apache/conf/ssl.crt/ca-bundle.crt
+
+crl_dir	/var/lib/sympa/list_data/crl
+
+## Directory containing user certificates
+ssl_cert_dir	/var/lib/sympa/list_data/X509-user-certs
+
+## Password used to crypt lists private keys
+#key_passwd	your_password
+
+###\\\\ DKIM ////###
+
+dkim_feature	off
+
+## Insert a DKIM signature to message from the robot, from the list or both
+dkim_add_signature_to	robot,list
+
+## Type of message that is added a DKIM signature before distribution to subscribers. Possible values are "none", "any" or a list of the following keywords: "md5_authenticated_messages", "smime_authenticated_messages", "dkim_authenticated_messages", "editor_validated_messages".
+dkim_signature_apply_on	md5_authenticated_messages,smime_authenticated_messages,dkim_authenticated_messages,editor_validated_messages
+
+###\\\\ Antivirus plug-in ////###
+
+## Path to the antivirus scanner engine
+## Supported antivirus: McAfee/uvscan, Fsecure/fsav, Sophos, AVP and Trend Micro/VirusWall
+#antivirus_path	/usr/local/uvscan/uvscan
+
+## Antivirus plugin command argument
+#antivirus_args	--secure --summary --dat /usr/local/uvscan
+
+###\\\\ Tag based spam filtering ////###
+
+## If a spam filter (like spamassassin or j-chkmail) add a smtp headers to tag spams, name of this header (example X-Spam-Status)
+antispam_tag_header_name	X-Spam-Status
+
+## Regexp applied on this header to verify message is a spam (example \s*Yes)
+antispam_tag_header_spam_regexp	^\s*Yes
+
+## Regexp applied on this header to verify message is NOT a spam (example \s*No)
+antispam_tag_header_ham_regexp	^\s*No
+
+## Messages are supposed to be filtered by an antispam that add one more headers to messages. This parameter is used to select a special scenario in order to decide the message spam status: ham, spam or unsure. This parameter replace antispam_tag_header_name, antispam_tag_header_spam_regexp and antispam_tag_header_ham_regexp.
+spam_status	x-spam-status
+
+###\\\\ Web interface parameters ////###
+
+edit_list	owner
+
+## URL of a virtual host
+#http_host	http://fripost.org
+
+## The password validation techniques to be used against user passwords that are added to mailing lists. Options come from Data::Password (http://search.cpan.org/~razinf/Data-Password-1.07/Password.pm#VARIABLES)
+#password_validation	MINLEN=8,GROUPS=3,DICTIONARY=4,DICTIONARIES=/pentest/dictionaries
diff --git a/roles/lists/files/etc/sympa/topics.conf b/roles/lists/files/etc/sympa/topics.conf
new file mode 100644
index 0000000..e45c9c2
--- /dev/null
+++ b/roles/lists/files/etc/sympa/topics.conf
@@ -0,0 +1 @@
+other
diff --git a/roles/lists/files/etc/sympa/wwsympa.conf b/roles/lists/files/etc/sympa/wwsympa.conf
new file mode 100644
index 0000000..4d420a3
--- /dev/null
+++ b/roles/lists/files/etc/sympa/wwsympa.conf
@@ -0,0 +1,85 @@
+###\\\\ Site customization ////###
+
+###\\\\ Directories ////###
+
+###\\\\ System related ////###
+
+###\\\\ Sending related ////###
+
+###\\\\ Bulk mailer ////###
+
+###\\\\ Quotas ////###
+
+###\\\\ Spool related ////###
+
+###\\\\ Internationalization related ////###
+
+###\\\\ Bounce related ////###
+
+## Directory for storing bounces
+## Better if not in a critical partition
+bounce_path	/var/spool/sympa/wwsbounce
+
+###\\\\ Tuning ////###
+
+###\\\\ Database related ////###
+
+###\\\\ Loop prevention ////###
+
+###\\\\ S/MIME configuration ////###
+
+###\\\\ DKIM ////###
+
+###\\\\ Antivirus plug-in ////###
+
+###\\\\ Tag based spam filtering ////###
+
+###\\\\ Web interface parameters ////###
+
+## Directory for storing HTML archives
+## Better if not in a critical partition
+arc_path	/var/lib/sympa/wwsarchive
+
+## Default index organization when entering the web archive: either threaded (thrd) or in chronological (mail) order
+archive_default_index	thrd
+
+## HTTP cookies lifetime
+cookie_expire	0
+
+## HTTP cookies validity domain
+cookie_domain	localhost
+
+## Average interval to refresh HTTP session ID.
+cookie_refresh	60
+
+## Type of main Web page ( lists | home )
+default_home	home
+
+## When using LDAP authentication, if the identifier provided by the user was a valid email, if this parameter is set to false, then the provided email will be used to authenticate the user. Otherwise, use of the first email returned by the LDAP server will be used.
+ldap_force_canonical_email	1
+
+## Syslog facility for wwsympa, archived and bounced
+## Default is to use previously defined sympa log facility.
+log_facility `cat /etc/sympa/facility`
+
+## Path to MHonArc mail2html plugin
+## This is required for HTML mail archiving
+mhonarc	/usr/bin/mhonarc
+
+## Password case (insensitive | sensitive)
+## Should not be changed ! May invalid all user password
+password_case	insensitive
+
+## Default number of lines of the array displaying users in the review page
+review_page_size	25
+
+## Title of main Web page
+title	Mailing lists service
+
+## Is fast_cgi module for Apache (or Roxen) installed (0 | 1)
+## This module provide much faster web interface
+use_fast_cgi	1
+
+## Default number of lines of the array displaying the log entries in the logs page
+viewlogs_page_size	25
+
diff --git a/roles/lists/files/lib/systemd/system/wwsympa.service b/roles/lists/files/lib/systemd/system/wwsympa.service
new file mode 100644
index 0000000..ea2a78f
--- /dev/null
+++ b/roles/lists/files/lib/systemd/system/wwsympa.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=WWSympa Service
+After=network.target
+PartOf=sympa.service
+Requires=wwsympa.socket
+
+[Service]
+StandardInput=socket
+User=sympa
+Group=sympa
+ExecStart=/usr/lib/cgi-bin/sympa/wwsympa.fcgi
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/lists/files/lib/systemd/system/wwsympa.socket b/roles/lists/files/lib/systemd/system/wwsympa.socket
new file mode 100644
index 0000000..10fe721
--- /dev/null
+++ b/roles/lists/files/lib/systemd/system/wwsympa.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=WWSympa Listen Socket
+
+[Socket]
+SocketUser=www-data
+SocketGroup=www-data
+SocketMode=0600
+ListenStream=/run/wwsympa.socket
+
+[Install]
+WantedBy=sockets.target
diff --git a/roles/lists/files/usr/local/bin/sympa-queue b/roles/lists/files/usr/local/bin/sympa-queue
new file mode 100755
index 0000000..85001bb
--- /dev/null
+++ b/roles/lists/files/usr/local/bin/sympa-queue
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+PATH=/bin:/usr/bin
+set -ue
+
+[ $# -eq 1 ] || exit 1
+
+username="${1#*/}"
+domainname="${1%%/*}"
+
+if [ "$username" = 'abuse-feedback-report' ] || [ "$username" = bounce ]; then
+    exec /usr/lib/sympa/lib/sympa/bouncequeue "sympa@$domainname"
+elif [ "${username%-owner}" != "$username" ]; then
+    exec /usr/lib/sympa/lib/sympa/bouncequeue "${username%-owner}@$domainname"
+else
+    exec /usr/lib/sympa/lib/sympa/queue "$username@$domainname"
+fi
diff --git a/roles/lists/handlers/main.yml b/roles/lists/handlers/main.yml
index 76084e4..811b86d 100644
--- a/roles/lists/handlers/main.yml
+++ b/roles/lists/handlers/main.yml
@@ -4,3 +4,9 @@
 
 - name: Restart Nginx
   service: name=nginx state=restarted
+
+- name: Restart Sympa
+  service: name=sympa state=restarted
+
+- name: systemctl daemon-reload
+  command: /bin/systemctl daemon-reload
diff --git a/roles/lists/tasks/mail.yml b/roles/lists/tasks/mail.yml
index 15d381d..6d1a4f5 100644
--- a/roles/lists/tasks/mail.yml
+++ b/roles/lists/tasks/mail.yml
@@ -12,22 +12,43 @@
   notify:
     - Reload Postfix
 
-- name: Create directory /etc/postfix-.../virtual
-  file: path=/etc/postfix-{{ postfix_instance[inst].name }}/virtual
-        state=directory
-        owner=root group=root
-        mode=0755
-
-- name: Copy lookup tables
-  copy: src=etc/postfix/virtual/{{ item }}
-        dest=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/{{ item }}
+- name: Copy the transport maps
+  copy: src=etc/postfix/transport
+        dest=/etc/postfix-{{ postfix_instance[inst].name }}/transport
         owner=root group=root
         mode=0644
-  with_items:
-    - domains.cf
-    - transport_list.cf
+  # no need to reload upon change, as cleanup(8) is short-running
+
+- name: Copy the Postfix relay clientcerts map
+  template: src=etc/postfix/relay_clientcerts.j2
+            dest=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts
+            owner=root group=root
+            mode=0644
+  tags:
+    - tls_policy
+
+- name: Compile the Postfix relay clientcerts map
+  postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/relay_clientcerts db=cdb
+           owner=root group=root
+           mode=0644
+  tags:
+    - tls_policy
+
+- name: Compile the Postfix transport maps
+  # trivial-rewrite(8) is a long-running process, so it's safer to reload
+  postmap: cmd=postmap src=/etc/postfix-{{ postfix_instance[inst].name }}/transport db=cdb
+           owner=root group=root
+           mode=0644
+  notify:
+    - Reload Postfix
 
 - meta: flush_handlers
 
 - name: Start Postfix
   service: name=postfix state=started
+
+- name: Copy the 'sympa-queue' wrapper
+  copy: src=usr/local/bin/sympa-queue
+        dest=/usr/local/bin/sympa-queue
+        owner=root group=root
+        mode=0755
diff --git a/roles/lists/tasks/main.yml b/roles/lists/tasks/main.yml
index 13d3451..f0e8e26 100644
--- a/roles/lists/tasks/main.yml
+++ b/roles/lists/tasks/main.yml
@@ -1,2 +1,3 @@
 - include: mail.yml      tags=postfix,mail
-- include: mlmmj.yml     tags=mlmmj,lists
+- include: nginx.yml     tags=nginx,www,web
+- include: sympa.yml     tags=sympa,lists
diff --git a/roles/lists/tasks/nginx.yml b/roles/lists/tasks/nginx.yml
new file mode 100644
index 0000000..a0aab68
--- /dev/null
+++ b/roles/lists/tasks/nginx.yml
@@ -0,0 +1,40 @@
+- name: Install Nginx
+  apt: pkg=nginx
+
+- name: Generate a private key and a X.509 certificate for Nginx
+  command: genkeypair.sh x509
+                         --pubkey=/etc/nginx/ssl/lists.fripost.org.pem
+                         --privkey=/etc/nginx/ssl/lists.fripost.org.key
+                         --ou=WWW --cn=lists.fripost.org --dns=lists.fripost.org
+                         -t rsa -b 4096 -h sha512
+  register: r1
+  changed_when: r1.rc == 0
+  failed_when: r1.rc > 1
+  notify:
+    - Restart Nginx
+  tags:
+    - genkey
+
+- name: Copy /etc/nginx/sites-available/sympa
+  copy: src=etc/nginx/sites-available/sympa
+        dest=/etc/nginx/sites-available/sympa
+        owner=root group=root
+        mode=0644
+  register: r2
+  notify:
+    - Restart Nginx
+
+- name: Create /etc/nginx/sites-enabled/sympa
+  file: src=../sites-available/sympa
+        dest=/etc/nginx/sites-enabled/sympa
+        owner=root group=root
+        state=link
+  register: r3
+  notify:
+    - Restart Nginx
+
+- name: Start nginx
+  service: name=nginx state=started
+  when: not (r1.changed or r2.changed or r3.changed)
+
+- meta: flush_handlers
diff --git a/roles/lists/tasks/sympa.yml b/roles/lists/tasks/sympa.yml
new file mode 100644
index 0000000..d1ae505
--- /dev/null
+++ b/roles/lists/tasks/sympa.yml
@@ -0,0 +1,79 @@
+- apt: pkg={{ item }} install_recommends=no
+  with_items:
+    - mysql-server
+    - sympa
+
+- name: Make the 'sympa' MySQL user use auth_socket
+  mysql_user: name=sympa auth_plugin=auth_socket
+              state=present
+
+- name: Configure Sympa
+  copy: src=etc/sympa/{{ item }}
+        dest=/etc/sympa/{{ item }}
+        owner=root group=sympa
+        mode=0644
+  with_items:
+    - sympa.conf
+    - wwsympa.conf
+    - topics.conf
+  register: r1
+  notify:
+    - Restart Sympa
+
+- name: Create Virtual hosts for Sympa (1)
+  file: path=/etc/sympa/{{ item }}
+        state=directory
+        owner=root group=root
+        mode=0755
+  with_items:
+    - lists.fripost.org
+  register: r2
+  notify:
+    - Restart Sympa
+
+- name: Create Virtual hosts for Sympa (2)
+  file: path=/var/lib/sympa/list_data/{{ item }}
+        state=directory
+        owner=sympa group=sympa
+        mode=0770
+  with_items:
+    - lists.fripost.org
+  register: r3
+  notify:
+    - Restart Sympa
+
+- name: Install robot.conf
+  template: src=etc/sympa/robot.conf.j2
+            dest=/etc/sympa/{{ item }}/robot.conf
+            owner=root group=root
+            mode=0644
+  with_items:
+    - lists.fripost.org
+  register: r4
+  notify:
+    - Restart Sympa
+
+- name: Start Sympa
+  service: name=sympa state=started
+  when: not (r1.changed or r2.changed or r3.changed or r4.changed)
+
+- meta: flush_handlers
+
+- name: Copy wwsympa.{service,socket}
+  copy: src=lib/systemd/system/{{ item }}
+        dest=/lib/systemd/system/{{ item }}
+        owner=root group=root
+        mode=0644
+  notify:
+    - systemctl daemon-reload
+  with_items:
+    - wwsympa.service
+    - wwsympa.socket
+
+- meta: flush_handlers
+
+- name: Enable WWSympa
+  service: name=wwsympa enabled=yes
+
+- name: Start WWSympa
+  service: name=wwsympa state=started
diff --git a/roles/lists/templates/etc/postfix/main.cf.j2 b/roles/lists/templates/etc/postfix/main.cf.j2
index da68a42..e55eb9e 100644
--- a/roles/lists/templates/etc/postfix/main.cf.j2
+++ b/roles/lists/templates/etc/postfix/main.cf.j2
@@ -1,5 +1,5 @@
 ########################################################################
-# Lists configuration
+# Sympa configuration
 #
 # {{ ansible_managed }}
 # Do NOT edit this file directly!
@@ -13,14 +13,12 @@ delay_warning_time     = 4h
 maximal_queue_lifetime = 5d
 
 myorigin            = /etc/mailname
-myhostname          = lists{{ listsno | default('') }}.$mydomain
+myhostname          = lists.$mydomain
 mydomain            = fripost.org
 append_dot_mydomain = no
 
-# Turn off all TCP/IP listener ports except that necessary for the list server.
-# XXX: mlmmj is not compatible with the MX, see
-# http://mlmmj.org/bugs/bug.php?id=51
-master_service_disable = !127.0.0.1:smtp.inet !2527.inet inet
+# Turn off all TCP/IP listener ports except that necessary for Sympa
+master_service_disable = !2527.inet inet
 
 queue_directory       = /var/spool/postfix-{{ postfix_instance[inst].name }}
 data_directory        = /var/lib/postfix-{{ postfix_instance[inst].name }}
@@ -30,11 +28,8 @@ multi_instance_enable = yes
 
 # This server is a Mail Delivery Agent
 mynetworks_style = host
-inet_interfaces  = 172.16.0.1
-{% if 'MX' in group_names %}
-                   127.0.0.1
-{% endif %}
-inet_protocols   = ipv4
+inet_interfaces  = all
+
 
 # No local delivery
 mydestination        =
@@ -46,45 +41,57 @@ local_recipient_maps =
 message_size_limit  = 67108864
 recipient_delimiter = +
 
-# Forward everything to our internal mailhub
-{% if 'out' in group_names %}
-relayhost     = [127.0.0.1]:{{ postfix_instance.out.port }}
-{% else %}
-relayhost     = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
-{% endif %}
-relay_domains =
+# No relay: this server is inbound-only
+relay_transport   = error:5.1.1 Relay unavailable
+default_transport = error:5.1.1 Transport unavailable
+
 
-# Virtual transport (the alias resolution is already done by the MX:es)
-transport_maps = ldap:$config_directory/virtual/transport_list.cf
-mlmmj_destination_recipient_limit = 1
+relay_domains                     = sympa.$mydomain
+transport_maps                    = cdb:$config_directory/transport
+sympa_destination_recipient_limit = 1
 
 # Don't rewrite remote headers
-local_header_rewrite_clients     =
-# Avoid splitting the envelope and scanning messages multiple times
-smtp_destination_recipient_limit = 1000
-# Tolerate occasional high latency
-smtp_data_done_timeout       = 1200s
-
-
-# Forward everything to our internal outgoing proxy
-{% if 'out' in group_names %}
-relayhost     = [127.0.0.1]:{{ postfix_instance.out.port }}
-{% else %}
-relayhost     = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
-{% endif %}
-relay_domains =
-
-{% if 'out' in group_names %}
-smtp_tls_security_level         = none
-smtp_bind_address               = 127.0.0.1
-{% else %}
-smtp_tls_security_level         = encrypt
-smtp_tls_cert_file              = $config_directory/ssl/{{ ansible_fqdn }}.pem
-smtp_tls_key_file               = $config_directory/ssl/{{ ansible_fqdn }}.key
-smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
-smtp_tls_policy_maps            = cdb:$config_directory/tls_policy
-smtp_tls_fingerprint_digest     = sha256
-{% endif %}
-smtpd_tls_security_level        = none
+local_header_rewrite_clients =
+
+
+relay_clientcerts               = cdb:$config_directory/relay_clientcerts
+smtpd_tls_security_level        = may
+smtpd_tls_cert_file             = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
+smtpd_tls_key_file              = /etc/postfix/ssl/{{ ansible_fqdn }}.key
+smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
+smtpd_tls_received_header       = yes
+smtpd_tls_ask_ccert             = yes
+smtpd_tls_session_cache_timeout = 3600s
+smtpd_tls_fingerprint_digest    = sha256
+
+
+strict_rfc821_envelopes = yes
+smtpd_delay_reject      = yes
+disable_vrfy_command    = yes
+
+smtpd_client_restrictions =
+    permit_mynetworks
+    permit_tls_clientcerts
+    # We are the only ones using this proxy, but if things go wrong we
+    # want to know why
+    defer
+
+smtpd_helo_required     = yes
+smtpd_helo_restrictions =
+    reject_invalid_helo_hostname
+
+smtpd_sender_restrictions =
+    reject_non_fqdn_sender
+
+smtpd_relay_restrictions =
+    permit_mynetworks
+    permit_tls_clientcerts
+    reject
+
+smtpd_recipient_restrictions =
+    reject_non_fqdn_recipient
+
+smtpd_data_restrictions =
+    reject_unauth_pipelining
 
 # vim: set filetype=pfmain :
diff --git a/roles/lists/templates/etc/postfix/relay_clientcerts.j2 b/roles/lists/templates/etc/postfix/relay_clientcerts.j2
new file mode 100644
index 0000000..42a83b5
--- /dev/null
+++ b/roles/lists/templates/etc/postfix/relay_clientcerts.j2
@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+# /!\ WARNING: smtp_tls_fingerprint_digest MUST be sha256!
+
+{% for h in groups.MX | difference([inventory_hostname]) | sort %}
+{{ lookup('pipe', 'openssl x509 -in certs/postfix/'+h+'.pem -noout -fingerprint -sha256 | cut -d= -f2') }} {{ h }}
+{% endfor %}
diff --git a/roles/lists/templates/etc/sympa/robot.conf.j2 b/roles/lists/templates/etc/sympa/robot.conf.j2
new file mode 100644
index 0000000..75687d8
--- /dev/null
+++ b/roles/lists/templates/etc/sympa/robot.conf.j2
@@ -0,0 +1,3 @@
+http_host   {{ item }}
+wwsympa_url https://{{ item }}/sympa
+# wwsympa_url https://lists.fripost.org/{{ item }}/sympa