-rw-r--r--roles/common/files/etc/logcheck/ignore.d.server/common-local12
-rw-r--r--roles/lists/files/etc/nginx/sites-available/sympa13
-rw-r--r--roles/lists/files/etc/sympa/sympa/sympa.conf (renamed from roles/lists/files/etc/sympa/sympa.conf)94
-rw-r--r--roles/lists/files/etc/sympa/wwsympa.conf85
-rw-r--r--roles/lists/files/etc/systemd/system/wwsympa.service6
-rw-r--r--roles/lists/tasks/nginx.yml2
-rw-r--r--roles/lists/tasks/sympa.yml21
-rw-r--r--roles/lists/templates/etc/postfix/main.cf.j28
8 files changed, 118 insertions, 123 deletions
diff --git a/roles/common/files/etc/logcheck/ignore.d.server/common-local b/roles/common/files/etc/logcheck/ignore.d.server/common-local
index 6210cc1..e64ec44 100644
--- a/roles/common/files/etc/logcheck/ignore.d.server/common-local
+++ b/roles/common/files/etc/logcheck/ignore.d.server/common-local
@@ -55,9 +55,15 @@ no matching cipher found: client [.@[:alnum:]-]+(,[.@[:alnum:]-]+)* server [.@[:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[ *[[:digit:]]+\.[[:digit:]]+ *\] Peer [.[:digit:]]+:[[:digit:]]+/[[:digit:]]+ unexpectedly shrunk window [[:digit:]]+:[[:digit:]]+ \(repaired\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ liblogging-stdlog: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www\.rsyslog\.com"\] rsyslogd was HUPed$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-([_a-z0-9]+|<stdin>): Invoked with
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (sympa\((command|distribute)\)|wwsympa|archived|bounced|bulk|task_manager)\[[[:digit:]]+\]: (info|notice)\s
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sympa\(command\)\[[[:digit:]]+\]: err tools::valid_email\(\) Invalid email address 'MAILER-DAEMON'$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ wwsympa\[[[:digit:]]+\]: err .* main::check_action_parameters\(\) user not logged in$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sympa_msg\[[0-9]+\]: notice Sympa::Request::Message::
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sympa_msg\[[0-9]+\]: info Sympa::Request::Handler::
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sympa_msg\[[0-9]+\]: notice Sympa::Bulk::store\(\)
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sympa_msg\[[0-9]+\]: (info|notice) Sympa::Spindle::Process(Incoming|Message|Template|Digest)::
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ task_manager\[[0-9]+\]: (info|notice) main::
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info main::do_
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ wwsympa\[[[:digit:]]+\]: notice main:: \([.[:alnum:]-]+\) \[robot [.[:alnum:]-]+\] \[client [[:xdigit:].:]{3,39}\] Does NOT match HTTP_HOST; setting cookie_domain to [.[:alnum:]-]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ wwsympa\[[[:digit:]]+\]: notice Sympa::(Spindle::ProcessTemplate::_twist|Bulk::store)\(\)
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ bulk\[[[:digit:]]+\]: notice Sympa::(Spindle::ProcessOutgoing::_twist|Mailer::store)\(\)
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rrdcached\[[[:digit:]]+\]: (flushing old values|rotating journals|started new journal /\S+$|removing old journal /\S+$)
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rrdcached\[[[:digit:]]+\]: queue_thread_main: rrd_update_r \(([^)]+)\) failed with status -1. \(opening '\1': No such file or directory\)
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: Audit daemon rotating log files$
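Review bot: The six added `sympa_msg`/`task_manager`/`wwsympa` rules are unanchored prefixes, and `wwsympa\[[0-9]+\]: info main::do_` in particular silences every info-level line from any `do_*` web handler, which is a much broader suppression than the three rules it replaces; if login or subscription handlers report failures at that level they will no longer surface in the logcheck report, so it is worth checking the installed version's logging before keeping it this wide. The new lines also mix `[0-9]+` with the `[[:digit:]]+` used everywhere else in this file; `sympa_msg\[[[:digit:]]+\]:` keeps the file consistent.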
diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa
index 48dcf3d..f5a67bf 100644
--- a/roles/lists/files/etc/nginx/sites-available/sympa
+++ b/roles/lists/files/etc/nginx/sites-available/sympa
@@ -16,8 +16,8 @@ server {
server {
- listen 443 spdy;
- listen [::]:443 spdy;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
server_name lists.fripost.org;
@@ -33,6 +33,13 @@ server {
ssl_certificate_key ssl/lists.fripost.org.key;
include snippets/lists.fripost.org.hpkp-hdr;
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ alias /etc/sympa/robots.txt;
+ }
+
location = / {
return 302 /sympa$args;
}
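Review bot: `alias /etc/sympa/robots.txt;` serves a file that is not added anywhere in this commit, and the nginx worker user needs read access to it and to the directory path above it; confirm it is actually installed and readable, because `log_not_found off` on the line above will hide the resulting 404s from the error log. `allow all` is a no-op unless an enclosing block carries a `deny`, which is not visible here; if there is none, drop it.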
@@ -66,7 +73,7 @@ server {
fastcgi_pass unix:/run/wwsympa.socket;
gzip off;
- fastcgi_param SERVER_NAME $vhost;
+ fastcgi_param SERVER_NAME $vhost;
}
location / {
diff --git a/roles/lists/files/etc/sympa/sympa.conf b/roles/lists/files/etc/sympa/sympa/sympa.conf
index 606bd59..0e88baf 100644
--- a/roles/lists/files/etc/sympa/sympa.conf
+++ b/roles/lists/files/etc/sympa/sympa/sympa.conf
@@ -1,7 +1,7 @@
###\\\\ Site customization ////###
## Main robot hostname
-domain lists.fripost.org
+domain lists.fripost.org
## Local part of sympa email address
## Effective address will be [EMAIL]@[HOST]
@@ -12,7 +12,7 @@ email sympa
listmaster listmaster@fripost.org
## URL of main Web page
-#wwsympa_url https://lists.fripost.org/sympa
+wwsympa_url http://lists.fripost.org/sympa
max_wrong_password 19
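Review bot: `wwsympa_url http://lists.fripost.org/sympa` uncomments the setting with a cleartext scheme, while the previously commented value and the nginx vhost changed in this same commit are HTTPS-only (`listen 443 ssl http2`, HPKP header). As far as I understand, Sympa builds the absolute links it mails to subscribers from this value, so they would be handed http:// links, and no port-80 redirect is visible in this change. Unless the front end is deliberately reachable over plain HTTP, `wwsympa_url https://lists.fripost.org/sympa` is the value to install.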
@@ -26,7 +26,7 @@ css_url /static-sympa/css
## Secret used by Sympa to make MD5 fingerprint in web cookies secure
## Should not be changed ! May invalid all user password
-cookie `cat /etc/sympa/cookie`
+cookie `head -n1 /etc/sympa/cookie`
## Who is able to create lists
## This parameter is a scenario, check sympa documentation about scenarios if you want to define one
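Review bot: Switching from `cat` to `head -n1` changes the effective value of `cookie` whenever /etc/sympa/cookie holds more than one line, and the comment two lines above warns that changing this secret may invalidate all stored user passwords; check that the file on the deployed hosts is exactly one line before rolling this out. A comment such as `## first line only: the cookie file must be a single line (see warning above)` would save the next reader the same check.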
@@ -101,15 +101,15 @@ alias_manager /bin/true
sympa_packet_priority 5
## Minimum number of packets in database before the bulk forks to increase sending rate
-##
+##
bulk_fork_threshold 1
## Max number of bulks that will run on the same server
-##
+##
bulk_max_count 3
## The number of seconds a slave bulk will remain running without processing a message before it spontaneously dies.
-##
+##
bulk_lazytime 600
## The number of seconds a bulk sleeps between starting a new loop if it didn't find a message to send.
@@ -168,7 +168,7 @@ supported_lang sv,en_US
## Default language (one of supported languages)
## This is the default language used by Sympa
-lang sv
+lang sv
## If set to "on", enables support of legacy character set
## In some language environments, legacy encoding (character set) is preferred for e-mail messages: for example iso-2022-jp in Japanese language.
@@ -263,7 +263,7 @@ default_sql_fetch_timeout 300
## Path to OpenSSL
## Sympa recognizes S/MIME if OpenSSL is installed
-#openssl /usr/bin/ssl
+openssl /usr/bin/openssl
## Directory containing trusted CA certificates
#capath /etc/sympa/ssl.crt
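Review bot: Setting `openssl /usr/bin/openssl` turns on S/MIME recognition (per the comment above it) while `capath` stays commented out on the very next line, so there is no visible trust store for verifying signer certificates; since `dkim_signature_apply_on` in this same file includes `smime_authenticated_messages`, it is worth confirming what Sympa treats as an authenticated S/MIME message when no CA path is configured before relying on that class. If S/MIME is not actually wanted, leaving `openssl` commented is the simpler state; if it is, `capath` should be set alongside it.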
@@ -289,6 +289,10 @@ dkim_add_signature_to robot,list
## Type of message that is added a DKIM signature before distribution to subscribers. Possible values are "none", "any" or a list of the following keywords: "md5_authenticated_messages", "smime_authenticated_messages", "dkim_authenticated_messages", "editor_validated_messages".
dkim_signature_apply_on md5_authenticated_messages,smime_authenticated_messages,dkim_authenticated_messages,editor_validated_messages
+## DMARC protection
+## https://sympa-community.github.io/manual/customize/dmarc-protection.html
+dmarc_protection_mode dmarc_reject
+
###\\\\ Antivirus plug-in ////###
## Path to the antivirus scanner engine
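Review bot: `dmarc_protection_mode dmarc_reject` only rewrites From: for senders whose published DMARC policy is p=reject; traffic from p=quarantine domains is still altered on the way through the list (any Subject tag or footer breaks the author's DKIM signature) and will be quarantined or dropped by strict receivers. Consider `dmarc_protection_mode dmarc_reject,dmarc_quarantine` — the parameter takes a comma-separated list — and a one-line comment recording why the quarantine case is or is not covered.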
@@ -321,3 +325,77 @@ edit_list owner
## The password validation techniques to be used against user passwords that are added to mailing lists. Options come from Data::Password (http://search.cpan.org/~razinf/Data-Password-1.07/Password.pm#VARIABLES)
#password_validation MINLEN=8,GROUPS=3,DICTIONARY=4,DICTIONARIES=/pentest/dictionaries
+
+## Directory for storing HTML archives
+## Better if not in a critical partition
+arc_path /var/lib/sympa/wwsarchive
+
+## Default index organization when entering the web archive: either threaded
+## or in chronological order
+archive_default_index thrd
+
+## Directory for storing bounces
+## Better if not in a critical partition
+bounce_path /var/spool/sympa/wwsbounce
+
+## HTTP cookies validity domain
+cookie_domain lists.fripost.org
+
+## HTTP cookies lifetime
+cookie_expire 0
+
+## Average interval to refresh HTTP session ID.
+cookie_refresh 60
+
+## Activates a custom archiver to use instead of MHonArc. The value of this
+## parameter is the absolute path on the file system to the script of the
+## custom archiver.
+#custom_archiver
+
+## Type of main Web page ( lists | home )
+default_home home
+
+## Javascript excerpt that enables and configures the WYSIWYG HTML editor.
+#html_editor_init
+
+#htmlarea_url
+
+## When using LDAP authentication, if the identifier provided by the user was
+## a valid email, if this parameter is set to false, then the provided email
+## will be used to authenticate the user. Otherwise, use of the first email
+## returned by the LDAP server will be used.
+ldap_force_canonical_email 1
+
+#log_condition
+
+## Syslog facility for wwsympa, archived and bounced
+## Default is to use previously defined sympa log facility.
+log_facility `cat /etc/sympa/facility`
+
+#log_module
+
+## Path to MHonArc mail2html plugin
+## This is required for HTML mail archiving
+mhonarc /usr/bin/mhonarc
+
+## Password case (insensitive | sensitive)
+## Should not be changed ! May invalid all user password
+password_case insensitive
+
+## Default number of lines of the array displaying users in the review page
+review_page_size 25
+
+## Title of main Web page
+title Mailing lists service
+
+## If set to "on", users will be able to post messages in HTML using a
+## javascript WYSIWYG editor.
+use_html_editor 0
+
+## Is fast_cgi module for Apache (or Roxen) installed (0 | 1)
+## This module provide much faster web interface
+use_fast_cgi 1
+
+## Default number of lines of the array displaying the log entries in the logs
+## page
+viewlogs_page_size 25
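Review bot: The placeholders `#htmlarea_url`, `#log_condition` and `#log_module` are carried into the merged file without the descriptive `##` line every other parameter in this block has, so a reader cannot tell what they would control or why they are kept commented; either give each a one-line description in the file's `##` style or drop them.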
diff --git a/roles/lists/files/etc/sympa/wwsympa.conf b/roles/lists/files/etc/sympa/wwsympa.conf
deleted file mode 100644
index 4d420a3..0000000
--- a/roles/lists/files/etc/sympa/wwsympa.conf
+++ /dev/null
@@ -1,85 +0,0 @@
-###\\\\ Site customization ////###
-
-###\\\\ Directories ////###
-
-###\\\\ System related ////###
-
-###\\\\ Sending related ////###
-
-###\\\\ Bulk mailer ////###
-
-###\\\\ Quotas ////###
-
-###\\\\ Spool related ////###
-
-###\\\\ Internationalization related ////###
-
-###\\\\ Bounce related ////###
-
-## Directory for storing bounces
-## Better if not in a critical partition
-bounce_path /var/spool/sympa/wwsbounce
-
-###\\\\ Tuning ////###
-
-###\\\\ Database related ////###
-
-###\\\\ Loop prevention ////###
-
-###\\\\ S/MIME configuration ////###
-
-###\\\\ DKIM ////###
-
-###\\\\ Antivirus plug-in ////###
-
-###\\\\ Tag based spam filtering ////###
-
-###\\\\ Web interface parameters ////###
-
-## Directory for storing HTML archives
-## Better if not in a critical partition
-arc_path /var/lib/sympa/wwsarchive
-
-## Default index organization when entering the web archive: either threaded (thrd) or in chronological (mail) order
-archive_default_index thrd
-
-## HTTP cookies lifetime
-cookie_expire 0
-
-## HTTP cookies validity domain
-cookie_domain localhost
-
-## Average interval to refresh HTTP session ID.
-cookie_refresh 60
-
-## Type of main Web page ( lists | home )
-default_home home
-
-## When using LDAP authentication, if the identifier provided by the user was a valid email, if this parameter is set to false, then the provided email will be used to authenticate the user. Otherwise, use of the first email returned by the LDAP server will be used.
-ldap_force_canonical_email 1
-
-## Syslog facility for wwsympa, archived and bounced
-## Default is to use previously defined sympa log facility.
-log_facility `cat /etc/sympa/facility`
-
-## Path to MHonArc mail2html plugin
-## This is required for HTML mail archiving
-mhonarc /usr/bin/mhonarc
-
-## Password case (insensitive | sensitive)
-## Should not be changed ! May invalid all user password
-password_case insensitive
-
-## Default number of lines of the array displaying users in the review page
-review_page_size 25
-
-## Title of main Web page
-title Mailing lists service
-
-## Is fast_cgi module for Apache (or Roxen) installed (0 | 1)
-## This module provide much faster web interface
-use_fast_cgi 1
-
-## Default number of lines of the array displaying the log entries in the logs page
-viewlogs_page_size 25
-
diff --git a/roles/lists/files/etc/systemd/system/wwsympa.service b/roles/lists/files/etc/systemd/system/wwsympa.service
index cccf508..7d2440c 100644
--- a/roles/lists/files/etc/systemd/system/wwsympa.service
+++ b/roles/lists/files/etc/systemd/system/wwsympa.service
@@ -16,10 +16,10 @@ PrivateDevices=yes
ProtectHome=yes
ProtectSystem=strict
PrivateTmp=yes
-ReadOnlyDirectories=/
-ReadWriteDirectories=-/var/lib/sympa
+ReadWriteDirectories=/etc/sympa
+ReadWriteDirectories=/var/lib/sympa
ReadWriteDirectories=-/var/run/sympa
-ReadWriteDirectories=-/var/spool/sympa
+ReadWriteDirectories=/var/spool/sympa
[Install]
WantedBy=multi-user.target
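Review bot: `ReadWriteDirectories=/etc/sympa` removes the read-only mount that `ProtectSystem=strict` placed over the whole configuration tree, leaving only file ownership between the wwsympa process and files such as the `cookie` secret read by sympa.conf; combined with the sympa.yml hunks below, which hand ownership of `/etc/sympa/<robot>` and `robot.conf` to the sympa user, a compromised web front end could now rewrite its own configuration. If wwsympa genuinely needs to write under /etc/sympa (the commit does not say what for), narrow the entry to that path and keep the rest read-only. Dropping `ReadOnlyDirectories=/` is fine since `ProtectSystem=strict` already covers it, and while touching these lines note that `ReadWritePaths=` is the current spelling, `ReadWriteDirectories=` being the legacy alias.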
diff --git a/roles/lists/tasks/nginx.yml b/roles/lists/tasks/nginx.yml
index 6bf4afc..bbff34a 100644
--- a/roles/lists/tasks/nginx.yml
+++ b/roles/lists/tasks/nginx.yml
@@ -1,5 +1,5 @@
- name: Install Nginx
- apt: pkg=nginx
+ apt: pkg=nginx-light
- name: Copy /etc/nginx/sites-available/sympa
copy: src=etc/nginx/sites-available/sympa
diff --git a/roles/lists/tasks/sympa.yml b/roles/lists/tasks/sympa.yml
index 284f320..0d5eac1 100644
--- a/roles/lists/tasks/sympa.yml
+++ b/roles/lists/tasks/sympa.yml
@@ -13,26 +13,13 @@
mysql_user2: name=sympa password= auth_plugin=unix_socket
state=present
-# XXX We want to change the retun-path for sendpasswd notices from
-# 'sympa-request@$robot' to 'noreply@fripost.org'.
-# * /usr/lib/cgi-bin/sympa/wwsympa.fcgi
-# do_requestpasswd, do_subrequest
-# add $param->{'return_path'}='noreply@fripost.org';
-# * /usr/share/sympa/lib/List.pm
-# send_global_file
-# $data->{'return_path'} //= &Conf::get_robot_conf($robot, 'request');
-# * /usr/share/sympa/default/scenari/send.newsletter
-# last line
-# true() smtp,dkim,smime,md5 -> reject,quiet
-# See #787946.
- name: Configure Sympa
copy: src=etc/sympa/{{ item }}
dest=/etc/sympa/{{ item }}
owner=root group=sympa
mode=0644
with_items:
- - sympa.conf
- - wwsympa.conf
+ - sympa/sympa.conf
- topics.conf
register: r1
notify:
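Review bot: The item `sympa/sympa.conf` makes the copy task write to `/etc/sympa/sympa/sympa.conf`, but no task in this change creates `/etc/sympa/sympa`; if the copy module creates the missing parent it does so with default ownership and mode rather than the `owner=root group=sympa` applied to the file, so an explicit `file: path=/etc/sympa/sympa state=directory` task with the intended owner and mode would make the result deterministic (the enclosing task list continues outside the hunk). The removed XXX block tracked a return-path workaround under #787946; if that issue is now resolved, a one-line pointer saying so would preserve the context.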
@@ -41,7 +28,7 @@
- name: Create Virtual hosts for Sympa (1)
file: path=/etc/sympa/{{ item }}
state=directory
- owner=root group=root
+ owner=sympa group=sympa
mode=0755
with_items:
- lists.fripost.org
@@ -63,8 +50,8 @@
- name: Install robot.conf
template: src=etc/sympa/robot.conf.j2
dest=/etc/sympa/{{ item }}/robot.conf
- owner=root group=root
- mode=0644
+ owner=sympa group=sympa
+ mode=0640
with_items:
- lists.fripost.org
register: r4
diff --git a/roles/lists/templates/etc/postfix/main.cf.j2 b/roles/lists/templates/etc/postfix/main.cf.j2
index 792a397..1bf02eb 100644
--- a/roles/lists/templates/etc/postfix/main.cf.j2
+++ b/roles/lists/templates/etc/postfix/main.cf.j2
@@ -4,9 +4,11 @@
# {{ ansible_managed }}
# Do NOT edit this file directly!
-smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
-biff = no
-readme_directory = no
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+readme_directory = no
+compatibility_level = 2
+smtputf8_enable = no
delay_warning_time = 4h
maximal_queue_lifetime = 5d
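Review bot: `compatibility_level = 2` silently changes several Postfix defaults that matter for a list relay — among them `relay_domains` (no longer defaults to `$mydestination`) and `mynetworks_style` (now `host`) — and the rest of main.cf is outside this hunk, so anything that relied on the old implicit values needs an explicit setting; a comment like `# compatibility_level 2: relay_domains/mynetworks_style defaults change, see COMPATIBILITY_README` would record the intent. `smtputf8_enable = no` also deserves a one-line reason, since it disables SMTPUTF8 for the whole instance.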