From 53cd6d2c79d206273fbe9b924156b440894a4776 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 7 Dec 2018 22:33:54 +0100 Subject: Upgrade 'lists' role to Debian Stretch. --- .../etc/logcheck/ignore.d.server/common-local | 12 +- roles/lists/files/etc/nginx/sites-available/sympa | 13 +- roles/lists/files/etc/sympa/sympa.conf | 323 ----------------- roles/lists/files/etc/sympa/sympa/sympa.conf | 401 +++++++++++++++++++++ roles/lists/files/etc/sympa/wwsympa.conf | 85 ----- .../lists/files/etc/systemd/system/wwsympa.service | 6 +- roles/lists/tasks/nginx.yml | 2 +- roles/lists/tasks/sympa.yml | 21 +- roles/lists/templates/etc/postfix/main.cf.j2 | 8 +- 9 files changed, 433 insertions(+), 438 deletions(-) delete mode 100644 roles/lists/files/etc/sympa/sympa.conf create mode 100644 roles/lists/files/etc/sympa/sympa/sympa.conf delete mode 100644 roles/lists/files/etc/sympa/wwsympa.conf diff --git a/roles/common/files/etc/logcheck/ignore.d.server/common-local b/roles/common/files/etc/logcheck/ignore.d.server/common-local index 6210cc1..e64ec44 100644 --- a/roles/common/files/etc/logcheck/ignore.d.server/common-local +++ b/roles/common/files/etc/logcheck/ignore.d.server/common-local 
@@ -55,9 +55,15 @@ no matching cipher found: client [.@[:alnum:]-]+(,[.@[:alnum:]-]+)* server [.@[:
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[ *[[:digit:]]+\.[[:digit:]]+ *\] Peer [.[:digit:]]+:[[:digit:]]+/[[:digit:]]+ unexpectedly shrunk window [[:digit:]]+:[[:digit:]]+ \(repaired\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ liblogging-stdlog: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www\.rsyslog\.com"\] rsyslogd was HUPed$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-([_a-z0-9]+|): Invoked with
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (sympa\((command|distribute)\)|wwsympa|archived|bounced|bulk|task_manager)\[[[:digit:]]+\]: (info|notice)\s
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sympa\(command\)\[[[:digit:]]+\]: err tools::valid_email\(\) Invalid email address 'MAILER-DAEMON'$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ wwsympa\[[[:digit:]]+\]: err .* main::check_action_parameters\(\) user not logged in$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sympa_msg\[[0-9]+\]: notice Sympa::Request::Message::
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sympa_msg\[[0-9]+\]: info Sympa::Request::Handler::
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sympa_msg\[[0-9]+\]: notice Sympa::Bulk::store\(\)
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sympa_msg\[[0-9]+\]: (info|notice) Sympa::Spindle::Process(Incoming|Message|Template|Digest)::
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ task_manager\[[0-9]+\]: (info|notice) main::
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ wwsympa\[[0-9]+\]: info main::do_
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ wwsympa\[[[:digit:]]+\]: notice main:: \([.[:alnum:]-]+\) \[robot [.[:alnum:]-]+\] \[client [[:xdigit:].:]{3,39}\] Does NOT match HTTP_HOST; setting cookie_domain to [.[:alnum:]-]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ wwsympa\[[[:digit:]]+\]: notice Sympa::(Spindle::ProcessTemplate::_twist|Bulk::store)\(\)
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ bulk\[[[:digit:]]+\]: notice 
Sympa::(Spindle::ProcessOutgoing::_twist|Mailer::store)\(\) ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rrdcached\[[[:digit:]]+\]: (flushing old values|rotating journals|started new journal /\S+$|removing old journal /\S+$) ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rrdcached\[[[:digit:]]+\]: queue_thread_main: rrd_update_r \(([^)]+)\) failed with status -1. \(opening '\1': No such file or directory\) ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: Audit daemon rotating log files$ diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa index 48dcf3d..f5a67bf 100644 --- a/roles/lists/files/etc/nginx/sites-available/sympa +++ b/roles/lists/files/etc/nginx/sites-available/sympa @@ -16,8 +16,8 @@ server { server { - listen 443 spdy; - listen [::]:443 spdy; + listen 443 ssl http2; + listen [::]:443 ssl http2; server_name lists.fripost.org; @@ -33,6 +33,13 @@ server { ssl_certificate_key ssl/lists.fripost.org.key; include snippets/lists.fripost.org.hpkp-hdr; + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + alias /etc/sympa/robots.txt; + } + location = / { return 302 /sympa$args; } @@ -66,7 +73,7 @@ server { fastcgi_pass unix:/run/wwsympa.socket; gzip off; - fastcgi_param SERVER_NAME $vhost; + fastcgi_param SERVER_NAME $vhost; } location / { diff --git a/roles/lists/files/etc/sympa/sympa.conf b/roles/lists/files/etc/sympa/sympa.conf deleted file mode 100644 index 606bd59..0000000 --- a/roles/lists/files/etc/sympa/sympa.conf +++ /dev/null 
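Review bot: The new rule ending in `Does NOT match HTTP_HOST; setting cookie_domain to [.[:alnum:]-]+$` silences a notice that means wwsympa's configured cookie_domain disagrees with the Host it sees at runtime, which is a configuration issue rather than log noise; I would confirm the mismatch is expected behind nginx's `fastcgi_param SERVER_NAME $vhost` (or fix the config) before keeping the filter. The added entries also mix `[0-9]+` and `[[:digit:]]+` for the pid although the rest of the file uses `[[:digit:]]+`; `sympa_msg\[[[:digit:]]+\]:` on the first six lines keeps the file consistent.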
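Review bot: The new `location = /robots.txt` block serves `alias /etc/sympa/robots.txt;`, a file that nothing in this diff installs (the `Configure Sympa` task in roles/lists/tasks/sympa.yml only copies `sympa/sympa.conf` and `topics.conf`) and that lives in the configuration tree rather than in the directory Sympa already exposes for web delivery (`static_content_path /var/lib/sympa/static_content`, mapped to `/static-sympa`). Unless the Debian package ships that file, nginx will answer 404 here, and `log_not_found off` hides exactly that; placing it under the static content path, e.g. `alias /var/lib/sympa/static_content/robots.txt;`, keeps the web server out of /etc/sympa. The third hunk is a whitespace-only change.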
@@ -1,323 +0,0 @@
-###\\\\ Site customization ////###
-
-## Main robot hostname
-domain lists.fripost.org
-
-## Local part of sympa email address
-## Effective address will be [EMAIL]@[HOST]
-email sympa
-
-## Listmasters email list comma separated
-## Sympa will associate listmaster privileges to these email addresses (mail and web interfaces). Some error reports may also be sent to these addresses.
-listmaster listmaster@fripost.org
-
-## URL of main Web page
-#wwsympa_url https://lists.fripost.org/sympa
-
-max_wrong_password 19
-
-## Directory for storing static contents (CSS, members pictures, documentation) directly delivered by Apache
-static_content_path /var/lib/sympa/static_content
-
-## URL mapped with the static_content_path directory defined above
-static_content_url /static-sympa
-
-css_url /static-sympa/css
-
-## Secret used by Sympa to make MD5 fingerprint in web cookies secure
-## Should not be changed ! May invalid all user password
-cookie `cat /etc/sympa/cookie`
-
-## Who is able to create lists
-## This parameter is a scenario, check sympa documentation about scenarios if you want to define one
-create_list intranet
-
-###\\\\ Directories ////###
-
-## Directory containing mailing lists subdirectories
-home /var/lib/sympa/list_data
-
-## Directory for configuration files; it also contains scenari/ and templates/ directories
-etc /etc/sympa
-
-###\\\\ System related ////###
-
-## Syslog facility for sympa
-## Do not forget to edit syslog.conf
-syslog `cat /etc/sympa/facility`
-
-## Log verbosity
-## 0: normal, 2,3,4: for debug
-log_level 0
-
-## Communication mode with syslogd (unix | inet)
-log_socket_type unix
-
-## Umask used for file creation by Sympa
-umask 027
-
-###\\\\ Sending related ////###
-
-## Path to the MTA (sendmail, postfix, exim or qmail)
-## should point to a sendmail-compatible binary (eg: a binary named "sendmail" is distributed with Postfix)
-sendmail /usr/sbin/sendmail
-sendmail_aliases none
-
-distribution_mode fork
-
-## Max. number of Sendmail processes (launched by Sympa) running simultaneously
-## Proposed value is quite low, you can rise it up to 100, 200 or even 300 with powerfull systems.
-maxsmtp 128
-
-log_smtp off
-
-## comma separated list of operations for which blacklist filter is applied
-## Setting this parameter to "none" will hide the blacklist feature
-use_blacklist send,create_list
-
-## Default maximum size (in bytes) for messages (can be re-defined for each list)
-max_size 5242880
-
-## Maximum number of recipients per call to Sendmail. The nrcpt_by_domain.conf file allows a different tuning per destination domain.
-nrcpt 25
-
-## Max. number of different domains per call to Sendmail
-avg 10
-
-## Specify which rfc2369 mailing list headers to add
-rfc2369_header_fields help,subscribe,unsubscribe,post,owner,archive
-
-## Specify header fields to be removed before message distribution
-remove_headers X-Sympa-To,X-Family-To,Return-Receipt-To,Precedence,X-Sequence,Disposition-Notification-To
-
-## Reject mail from automates (crontab, etc) sent to a list?
-reject_mail_from_automates_feature on
-
-alias_manager /bin/true
-
-###\\\\ Bulk mailer ////###
-
-## Default priority for a packet to be sent by bulk.
-sympa_packet_priority 5
-
-## Minimum number of packets in database before the bulk forks to increase sending rate
-##
-bulk_fork_threshold 1
-
-## Max number of bulks that will run on the same server
-##
-bulk_max_count 3
-
-## The number of seconds a slave bulk will remain running without processing a message before it spontaneously dies.
-##
-bulk_lazytime 600
-
-## The number of seconds a bulk sleeps between starting a new loop if it didn't find a message to send.
-## Keep it small if you want your server to be reactive.
-bulk_sleep 1
-
-## Number of seconds a master bulk waits between two packets number checks.
-## Keep it small if you expect brutal increases in the message sending load.
-bulk_wait_to_fork 10
-
-###\\\\ Quotas ////###
-
-###\\\\ Spool related ////###
-
-## Directory containing various specialized spools
-## All spool are created at runtime by sympa.pl
-spool /var/spool/sympa
-
-## Directory for incoming spool
-queue /var/spool/sympa/msg
-
-queuedistribute /var/spool/sympa/distribute
-
-## Directory for moderation spool
-queuemod /var/spool/sympa/moderation
-
-## Directory for digest spool
-queuedigest /var/spool/sympa/digest
-
-## Directory for authentication spool
-queueauth /var/spool/sympa/auth
-
-## Directory for outgoing spool
-queueoutgoing /var/spool/sympa/outgoing
-
-## Directory for subscription spool
-queuesubscribe /var/spool/sympa/subscribe
-
-## Directory for topic spool
-queuetopic /var/spool/sympa/topic
-
-## Directory for bounce incoming spool
-queuebounce /var/spool/sympa/bounce
-
-## Directory for task spool
-queuetask /var/spool/sympa/task
-
-## Directory for automatic list creation spool
-queueautomatic /var/spool/sympa/automatic
-
-###\\\\ Internationalization related ////###
-
-## Supported languages
-## This is the set of language that will be proposed to your users for the Sympa GUI. Don't select a language if you don't have the proper locale packages installed.
-supported_lang sv,en_US
-
-## Default language (one of supported languages)
-## This is the default language used by Sympa
-lang sv
-
-## If set to "on", enables support of legacy character set
-## In some language environments, legacy encoding (character set) is preferred for e-mail messages: for example iso-2022-jp in Japanese language.
-legacy_character_support_feature off
-
-###\\\\ Bounce related ////###
-
-verp_rate 100%
-#tracking_delivery_status_notification on
-#tracking_message_disposition_notification on
-
-## Welcome message return-path ( unique | owner )
-## If set to unique, new subcriber is removed if welcome message bounce
-welcome_return_path unique
-
-## Remind message return-path ( unique | owner )
-## If set to unique, subcriber is removed if remind message bounce, use with care
-remind_return_path owner
-
-## Task name for expiration of old bounces
-expire_bounce_task daily
-
-## Bouncing email rate for warn list owner
-bounce_warn_rate 30
-
-## Bouncing email rate for halt the list (not implemented)
-## Not yet used in current version, Default is 50
-bounce_halt_rate 50
-
-###\\\\ Tuning ////###
-
-## Use of binary version of the list config structure on disk (none | binary_file)
-## Set this parameter to "binary_file" if you manage a big amount of lists (1000+); it should make the web interface startup faster
-cache_list_config none
-
-## Sympa commands priority
-sympa_priority 1
-
-request_priority 0
-
-owner_priority 9
-
-## Default priority for list messages
-default_list_priority 5
-
-## comma-separated list of files that will be parsed by Sympa when instantiating a family (no space allowed in file names)
-parsed_family_files message.footer,message.header,message.footer.mime,message.header.mime,info
-
-###\\\\ Database related ////###
-
-## Type of the database (mysql|ODBC|Oracle|Pg|SQLite|Sybase)
-## Be careful to the case
-db_type mysql
-
-## Name of the database
-## With SQLite, the name of the DB corresponds to the DB file
-db_name sympa
-
-## Hostname of the database server
-db_host localhost
-
-## User for the database connection
-db_user sympa
-
-## Password for the database connection
-## What ever you use a password or not, you must protect the SQL server (is it not a public internet service ?)
-#db_passwd your_passwd
-
-## Database private extention to subscriber table
-## You need to extend the database format with these fields
-#db_additional_subscriber_fields billing_delay,subscription_expiration
-
-## Database private extention to user table
-## You need to extend the database format with these fields
-#db_additional_user_fields age,address
-
-## Number of months that elapse before a log is expired
-logs_expiration_period 3
-
-## Default timeout between two scheduled synchronizations of list members with data sources.
-default_ttl 3600
-
-## Default timeout between two action-triggered synchronizations of list members with data sources.
-default_distribution_ttl 300
-
-## Default timeout while performing a fetch for an include_sql_query sync
-default_sql_fetch_timeout 300
-
-###\\\\ Loop prevention ////###
-
-###\\\\ S/MIME configuration ////###
-
-## Path to OpenSSL
-## Sympa recognizes S/MIME if OpenSSL is installed
-#openssl /usr/bin/ssl
-
-## Directory containing trusted CA certificates
-#capath /etc/sympa/ssl.crt
-
-## File containing bundled trusted CA certificates
-#cafile /usr/local/apache/conf/ssl.crt/ca-bundle.crt
-
-crl_dir /var/lib/sympa/list_data/crl
-
-## Directory containing user certificates
-ssl_cert_dir /var/lib/sympa/list_data/X509-user-certs
-
-## Password used to crypt lists private keys
-#key_passwd your_password
-
-###\\\\ DKIM ////###
-
-dkim_feature off
-
-## Insert a DKIM signature to message from the robot, from the list or both
-dkim_add_signature_to robot,list
-
-## Type of message that is added a DKIM signature before distribution to subscribers. Possible values are "none", "any" or a list of the following keywords: "md5_authenticated_messages", "smime_authenticated_messages", "dkim_authenticated_messages", "editor_validated_messages".
-dkim_signature_apply_on md5_authenticated_messages,smime_authenticated_messages,dkim_authenticated_messages,editor_validated_messages
-
-###\\\\ Antivirus plug-in ////###
-
-## Path to the antivirus scanner engine
-## Supported antivirus: McAfee/uvscan, Fsecure/fsav, Sophos, AVP and Trend Micro/VirusWall
-#antivirus_path /usr/local/uvscan/uvscan
-
-## Antivirus plugin command argument
-#antivirus_args --secure --summary --dat /usr/local/uvscan
-
-###\\\\ Tag based spam filtering ////###
-
-## If a spam filter (like spamassassin or j-chkmail) add a smtp headers to tag spams, name of this header (example X-Spam-Status)
-antispam_tag_header_name X-Spam-Status
-
-## Regexp applied on this header to verify message is a spam (example \s*Yes)
-antispam_tag_header_spam_regexp ^\s*Yes
-
-## Regexp applied on this header to verify message is NOT a spam (example \s*No)
-antispam_tag_header_ham_regexp ^\s*No
-
-## Messages are supposed to be filtered by an antispam that add one more headers to messages. This parameter is used to select a special scenario in order to decide the message spam status: ham, spam or unsure. This parameter replace antispam_tag_header_name, antispam_tag_header_spam_regexp and antispam_tag_header_ham_regexp.
-spam_status x-spam-status
-
-###\\\\ Web interface parameters ////###
-
-edit_list owner
-
-## URL of a virtual host
-#http_host https://fripost.org
-
-## The password validation techniques to be used against user passwords that are added to mailing lists. Options come from Data::Password (http://search.cpan.org/~razinf/Data-Password-1.07/Password.pm#VARIABLES)
-#password_validation MINLEN=8,GROUPS=3,DICTIONARY=4,DICTIONARIES=/pentest/dictionaries
diff --git a/roles/lists/files/etc/sympa/sympa/sympa.conf b/roles/lists/files/etc/sympa/sympa/sympa.conf
new file mode 100644
index 0000000..0e88baf
--- /dev/null
+++ b/roles/lists/files/etc/sympa/sympa/sympa.conf
@@ -0,0 +1,401 @@
+###\\\\ Site customization ////###
+
+## Main robot hostname
+domain lists.fripost.org
+
+## Local part of sympa email address
+## Effective address will be [EMAIL]@[HOST]
+email sympa
+
+## Listmasters email list comma separated
+## Sympa will associate listmaster privileges to these email addresses (mail and web interfaces). Some error reports may also be sent to these addresses.
+listmaster listmaster@fripost.org
+
+## URL of main Web page
+wwsympa_url http://lists.fripost.org/sympa
+
+max_wrong_password 19
+
+## Directory for storing static contents (CSS, members pictures, documentation) directly delivered by Apache
+static_content_path /var/lib/sympa/static_content
+
+## URL mapped with the static_content_path directory defined above
+static_content_url /static-sympa
+
+css_url /static-sympa/css
+
+## Secret used by Sympa to make MD5 fingerprint in web cookies secure
+## Should not be changed ! May invalid all user password
+cookie `head -n1 /etc/sympa/cookie`
+
+## Who is able to create lists
+## This parameter is a scenario, check sympa documentation about scenarios if you want to define one
+create_list intranet
+
+###\\\\ Directories ////###
+
+## Directory containing mailing lists subdirectories
+home /var/lib/sympa/list_data
+
+## Directory for configuration files; it also contains scenari/ and templates/ directories
+etc /etc/sympa
+
+###\\\\ System related ////###
+
+## Syslog facility for sympa
+## Do not forget to edit syslog.conf
+syslog `cat /etc/sympa/facility`
+
+## Log verbosity
+## 0: normal, 2,3,4: for debug
+log_level 0
+
+## Communication mode with syslogd (unix | inet)
+log_socket_type unix
+
+## Umask used for file creation by Sympa
+umask 027
+
+###\\\\ Sending related ////###
+
+## Path to the MTA (sendmail, postfix, exim or qmail)
+## should point to a sendmail-compatible binary (eg: a binary named "sendmail" is distributed with Postfix)
+sendmail /usr/sbin/sendmail
+sendmail_aliases none
+
+distribution_mode fork
+
+## Max. number of Sendmail processes (launched by Sympa) running simultaneously
+## Proposed value is quite low, you can rise it up to 100, 200 or even 300 with powerfull systems.
+maxsmtp 128
+
+log_smtp off
+
+## comma separated list of operations for which blacklist filter is applied
+## Setting this parameter to "none" will hide the blacklist feature
+use_blacklist send,create_list
+
+## Default maximum size (in bytes) for messages (can be re-defined for each list)
+max_size 5242880
+
+## Maximum number of recipients per call to Sendmail. The nrcpt_by_domain.conf file allows a different tuning per destination domain.
+nrcpt 25
+
+## Max. number of different domains per call to Sendmail
+avg 10
+
+## Specify which rfc2369 mailing list headers to add
+rfc2369_header_fields help,subscribe,unsubscribe,post,owner,archive
+
+## Specify header fields to be removed before message distribution
+remove_headers X-Sympa-To,X-Family-To,Return-Receipt-To,Precedence,X-Sequence,Disposition-Notification-To
+
+## Reject mail from automates (crontab, etc) sent to a list?
+reject_mail_from_automates_feature on
+
+alias_manager /bin/true
+
+###\\\\ Bulk mailer ////###
+
+## Default priority for a packet to be sent by bulk.
+sympa_packet_priority 5
+
+## Minimum number of packets in database before the bulk forks to increase sending rate
+##
+bulk_fork_threshold 1
+
+## Max number of bulks that will run on the same server
+##
+bulk_max_count 3
+
+## The number of seconds a slave bulk will remain running without processing a message before it spontaneously dies.
+##
+bulk_lazytime 600
+
+## The number of seconds a bulk sleeps between starting a new loop if it didn't find a message to send.
+## Keep it small if you want your server to be reactive.
+bulk_sleep 1
+
+## Number of seconds a master bulk waits between two packets number checks.
+## Keep it small if you expect brutal increases in the message sending load.
+bulk_wait_to_fork 10
+
+###\\\\ Quotas ////###
+
+###\\\\ Spool related ////###
+
+## Directory containing various specialized spools
+## All spool are created at runtime by sympa.pl
+spool /var/spool/sympa
+
+## Directory for incoming spool
+queue /var/spool/sympa/msg
+
+queuedistribute /var/spool/sympa/distribute
+
+## Directory for moderation spool
+queuemod /var/spool/sympa/moderation
+
+## Directory for digest spool
+queuedigest /var/spool/sympa/digest
+
+## Directory for authentication spool
+queueauth /var/spool/sympa/auth
+
+## Directory for outgoing spool
+queueoutgoing /var/spool/sympa/outgoing
+
+## Directory for subscription spool
+queuesubscribe /var/spool/sympa/subscribe
+
+## Directory for topic spool
+queuetopic /var/spool/sympa/topic
+
+## Directory for bounce incoming spool
+queuebounce /var/spool/sympa/bounce
+
+## Directory for task spool
+queuetask /var/spool/sympa/task
+
+## Directory for automatic list creation spool
+queueautomatic /var/spool/sympa/automatic
+
+###\\\\ Internationalization related ////###
+
+## Supported languages
+## This is the set of language that will be proposed to your users for the Sympa GUI. Don't select a language if you don't have the proper locale packages installed.
+supported_lang sv,en_US
+
+## Default language (one of supported languages)
+## This is the default language used by Sympa
+lang sv
+
+## If set to "on", enables support of legacy character set
+## In some language environments, legacy encoding (character set) is preferred for e-mail messages: for example iso-2022-jp in Japanese language.
+legacy_character_support_feature off
+
+###\\\\ Bounce related ////###
+
+verp_rate 100%
+#tracking_delivery_status_notification on
+#tracking_message_disposition_notification on
+
+## Welcome message return-path ( unique | owner )
+## If set to unique, new subcriber is removed if welcome message bounce
+welcome_return_path unique
+
+## Remind message return-path ( unique | owner )
+## If set to unique, subcriber is removed if remind message bounce, use with care
+remind_return_path owner
+
+## Task name for expiration of old bounces
+expire_bounce_task daily
+
+## Bouncing email rate for warn list owner
+bounce_warn_rate 30
+
+## Bouncing email rate for halt the list (not implemented)
+## Not yet used in current version, Default is 50
+bounce_halt_rate 50
+
+###\\\\ Tuning ////###
+
+## Use of binary version of the list config structure on disk (none | binary_file)
+## Set this parameter to "binary_file" if you manage a big amount of lists (1000+); it should make the web interface startup faster
+cache_list_config none
+
+## Sympa commands priority
+sympa_priority 1
+
+request_priority 0
+
+owner_priority 9
+
+## Default priority for list messages
+default_list_priority 5
+
+## comma-separated list of files that will be parsed by Sympa when instantiating a family (no space allowed in file names)
+parsed_family_files message.footer,message.header,message.footer.mime,message.header.mime,info
+
+###\\\\ Database related ////###
+
+## Type of the database (mysql|ODBC|Oracle|Pg|SQLite|Sybase)
+## Be careful to the case
+db_type mysql
+
+## Name of the database
+## With SQLite, the name of the DB corresponds to the DB file
+db_name sympa
+
+## Hostname of the database server
+db_host localhost
+
+## User for the database connection
+db_user sympa
+
+## Password for the database connection
+## What ever you use a password or not, you must protect the SQL server (is it not a public internet service ?)
+#db_passwd your_passwd
+
+## Database private extention to subscriber table
+## You need to extend the database format with these fields
+#db_additional_subscriber_fields billing_delay,subscription_expiration
+
+## Database private extention to user table
+## You need to extend the database format with these fields
+#db_additional_user_fields age,address
+
+## Number of months that elapse before a log is expired
+logs_expiration_period 3
+
+## Default timeout between two scheduled synchronizations of list members with data sources.
+default_ttl 3600
+
+## Default timeout between two action-triggered synchronizations of list members with data sources.
+default_distribution_ttl 300
+
+## Default timeout while performing a fetch for an include_sql_query sync
+default_sql_fetch_timeout 300
+
+###\\\\ Loop prevention ////###
+
+###\\\\ S/MIME configuration ////###
+
+## Path to OpenSSL
+## Sympa recognizes S/MIME if OpenSSL is installed
+openssl /usr/bin/openssl
+
+## Directory containing trusted CA certificates
+#capath /etc/sympa/ssl.crt
+
+## File containing bundled trusted CA certificates
+#cafile /usr/local/apache/conf/ssl.crt/ca-bundle.crt
+
+crl_dir /var/lib/sympa/list_data/crl
+
+## Directory containing user certificates
+ssl_cert_dir /var/lib/sympa/list_data/X509-user-certs
+
+## Password used to crypt lists private keys
+#key_passwd your_password
+
+###\\\\ DKIM ////###
+
+dkim_feature off
+
+## Insert a DKIM signature to message from the robot, from the list or both
+dkim_add_signature_to robot,list
+
+## Type of message that is added a DKIM signature before distribution to subscribers. Possible values are "none", "any" or a list of the following keywords: "md5_authenticated_messages", "smime_authenticated_messages", "dkim_authenticated_messages", "editor_validated_messages".
+dkim_signature_apply_on md5_authenticated_messages,smime_authenticated_messages,dkim_authenticated_messages,editor_validated_messages
+
+## DMARC protection
+## https://sympa-community.github.io/manual/customize/dmarc-protection.html
+dmarc_protection_mode dmarc_reject
+
+###\\\\ Antivirus plug-in ////###
+
+## Path to the antivirus scanner engine
+## Supported antivirus: McAfee/uvscan, Fsecure/fsav, Sophos, AVP and Trend Micro/VirusWall
+#antivirus_path /usr/local/uvscan/uvscan
+
+## Antivirus plugin command argument
+#antivirus_args --secure --summary --dat /usr/local/uvscan
+
+###\\\\ Tag based spam filtering ////###
+
+## If a spam filter (like spamassassin or j-chkmail) add a smtp headers to tag spams, name of this header (example X-Spam-Status)
+antispam_tag_header_name X-Spam-Status
+
+## Regexp applied on this header to verify message is a spam (example \s*Yes)
+antispam_tag_header_spam_regexp ^\s*Yes
+
+## Regexp applied on this header to verify message is NOT a spam (example \s*No)
+antispam_tag_header_ham_regexp ^\s*No
+
+## Messages are supposed to be filtered by an antispam that add one more headers to messages. This parameter is used to select a special scenario in order to decide the message spam status: ham, spam or unsure. This parameter replace antispam_tag_header_name, antispam_tag_header_spam_regexp and antispam_tag_header_ham_regexp.
+spam_status x-spam-status
+
+###\\\\ Web interface parameters ////###
+
+edit_list owner
+
+## URL of a virtual host
+#http_host https://fripost.org
+
+## The password validation techniques to be used against user passwords that are added to mailing lists. Options come from Data::Password (http://search.cpan.org/~razinf/Data-Password-1.07/Password.pm#VARIABLES)
+#password_validation MINLEN=8,GROUPS=3,DICTIONARY=4,DICTIONARIES=/pentest/dictionaries
+
+## Directory for storing HTML archives
+## Better if not in a critical partition
+arc_path /var/lib/sympa/wwsarchive
+
+## Default index organization when entering the web archive: either threaded
+## or in chronological order
+archive_default_index thrd
+
+## Directory for storing bounces
+## Better if not in a critical partition
+bounce_path /var/spool/sympa/wwsbounce
+
+## HTTP cookies validity domain
+cookie_domain lists.fripost.org
+
+## HTTP cookies lifetime
+cookie_expire 0
+
+## Average interval to refresh HTTP session ID.
+cookie_refresh 60
+
+## Activates a custom archiver to use instead of MHonArc. The value of this
+## parameter is the absolute path on the file system to the script of the
+## custom archiver.
+#custom_archiver
+
+## Type of main Web page ( lists | home )
+default_home home
+
+## Javascript excerpt that enables and configures the WYSIWYG HTML editor.
+#html_editor_init
+
+#htmlarea_url
+
+## When using LDAP authentication, if the identifier provided by the user was
+## a valid email, if this parameter is set to false, then the provided email
+## will be used to authenticate the user. Otherwise, use of the first email
+## returned by the LDAP server will be used.
+ldap_force_canonical_email 1
+
+#log_condition
+
+## Syslog facility for wwsympa, archived and bounced
+## Default is to use previously defined sympa log facility.
+log_facility `cat /etc/sympa/facility`
+
+#log_module
+
+## Path to MHonArc mail2html plugin
+## This is required for HTML mail archiving
+mhonarc /usr/bin/mhonarc
+
+## Password case (insensitive | sensitive)
+## Should not be changed ! May invalid all user password
+password_case insensitive
+
+## Default number of lines of the array displaying users in the review page
+review_page_size 25
+
+## Title of main Web page
+title Mailing lists service
+
+## If set to "on", users will be able to post messages in HTML using a
+## javascript WYSIWYG editor.
+use_html_editor 0
+
+## Is fast_cgi module for Apache (or Roxen) installed (0 | 1)
+## This module provide much faster web interface
+use_fast_cgi 1
+
+## Default number of lines of the array displaying the log entries in the logs
+## page
+viewlogs_page_size 25
diff --git a/roles/lists/files/etc/sympa/wwsympa.conf b/roles/lists/files/etc/sympa/wwsympa.conf
deleted file mode 100644
index 4d420a3..0000000
--- a/roles/lists/files/etc/sympa/wwsympa.conf
+++ /dev/null
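Review bot: `wwsympa_url http://lists.fripost.org/sympa` advertises the web interface over plain HTTP, while the nginx vhost in this same commit serves it only on `443 ssl http2` with an HPKP header, and the value the removed sympa.conf carried (commented out) was `https://`; every link Sympa builds from this setting, in notification mail and in the web pages, will start as an insecure request before any redirect. Change it to `wwsympa_url https://lists.fripost.org/sympa`. The `cookie` secret is now read with `head -n1 /etc/sympa/cookie` instead of `cat`, which changes what Sympa hashes if that file ever held more than one line; since the comment above it says the value must never change, a line such as `## only the first line of the file is the secret` would make the switch deliberate for the next reader.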
@@ -1,85 +0,0 @@
-###\\\\ Site customization ////###
-
-###\\\\ Directories ////###
-
-###\\\\ System related ////###
-
-###\\\\ Sending related ////###
-
-###\\\\ Bulk mailer ////###
-
-###\\\\ Quotas ////###
-
-###\\\\ Spool related ////###
-
-###\\\\ Internationalization related ////###
-
-###\\\\ Bounce related ////###
-
-## Directory for storing bounces
-## Better if not in a critical partition
-bounce_path /var/spool/sympa/wwsbounce
-
-###\\\\ Tuning ////###
-
-###\\\\ Database related ////###
-
-###\\\\ Loop prevention ////###
-
-###\\\\ S/MIME configuration ////###
-
-###\\\\ DKIM ////###
-
-###\\\\ Antivirus plug-in ////###
-
-###\\\\ Tag based spam filtering ////###
-
-###\\\\ Web interface parameters ////###
-
-## Directory for storing HTML archives
-## Better if not in a critical partition
-arc_path /var/lib/sympa/wwsarchive
-
-## Default index organization when entering the web archive: either threaded (thrd) or in chronological (mail) order
-archive_default_index thrd
-
-## HTTP cookies lifetime
-cookie_expire 0
-
-## HTTP cookies validity domain
-cookie_domain localhost
-
-## Average interval to refresh HTTP session ID.
-cookie_refresh 60
-
-## Type of main Web page ( lists | home )
-default_home home
-
-## When using LDAP authentication, if the identifier provided by the user was a valid email, if this parameter is set to false, then the provided email will be used to authenticate the user. Otherwise, use of the first email returned by the LDAP server will be used.
-ldap_force_canonical_email 1
-
-## Syslog facility for wwsympa, archived and bounced
-## Default is to use previously defined sympa log facility.
-log_facility `cat /etc/sympa/facility`
-
-## Path to MHonArc mail2html plugin
-## This is required for HTML mail archiving
-mhonarc /usr/bin/mhonarc
-
-## Password case (insensitive | sensitive)
-## Should not be changed ! 
May invalid all user password -password_case insensitive - -## Default number of lines of the array displaying users in the review page -review_page_size 25 - -## Title of main Web page -title Mailing lists service - -## Is fast_cgi module for Apache (or Roxen) installed (0 | 1) -## This module provide much faster web interface -use_fast_cgi 1 - -## Default number of lines of the array displaying the log entries in the logs page -viewlogs_page_size 25 - diff --git a/roles/lists/files/etc/systemd/system/wwsympa.service b/roles/lists/files/etc/systemd/system/wwsympa.service index cccf508..7d2440c 100644 --- a/roles/lists/files/etc/systemd/system/wwsympa.service +++ b/roles/lists/files/etc/systemd/system/wwsympa.service @@ -16,10 +16,10 @@ PrivateDevices=yes ProtectHome=yes ProtectSystem=strict PrivateTmp=yes -ReadOnlyDirectories=/ -ReadWriteDirectories=-/var/lib/sympa +ReadWriteDirectories=/etc/sympa +ReadWriteDirectories=/var/lib/sympa ReadWriteDirectories=-/var/run/sympa -ReadWriteDirectories=-/var/spool/sympa +ReadWriteDirectories=/var/spool/sympa [Install] WantedBy=multi-user.target diff --git a/roles/lists/tasks/nginx.yml b/roles/lists/tasks/nginx.yml index 6bf4afc..bbff34a 100644 --- a/roles/lists/tasks/nginx.yml +++ b/roles/lists/tasks/nginx.yml @@ -1,5 +1,5 @@ - name: Install Nginx - apt: pkg=nginx + apt: pkg=nginx-light - name: Copy /etc/nginx/sites-available/sympa copy: src=etc/nginx/sites-available/sympa diff --git a/roles/lists/tasks/sympa.yml b/roles/lists/tasks/sympa.yml index 284f320..0d5eac1 100644 --- a/roles/lists/tasks/sympa.yml +++ b/roles/lists/tasks/sympa.yml 
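Review bot: `ReadWriteDirectories=/etc/sympa` lets the web-facing wwsympa FastCGI process rewrite its own configuration tree (sympa.conf, robot.conf and, per the config's own comment, the scenari/ and templates/ directories), which is exactly what `ProtectSystem=strict` in the context lines was keeping read-only; if Sympa 6.2 only needs to write a specific cache file or robot subdirectory there, list that path instead and keep the rest of /etc/sympa read-only. The same relaxation appears in roles/lists/tasks/sympa.yml, where `/etc/sympa/lists.fripost.org` and its robot.conf change from `root:root` to `sympa:sympa`, so the service account can modify them outside the unit's sandbox too. Dropping the `-` prefix on the remaining entries is reasonable since those paths must exist for the service to run, but a comment above the block stating why the config directory has to be writable (e.g. `# Sympa 6.2 writes [what] under /etc/sympa`, with the real reason filled in) would keep the next reader from tightening it back. The rest of the unit, including the `[Service]` header, is outside the hunk.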
@@ -13,26 +13,13 @@ mysql_user2: name=sympa password= auth_plugin=unix_socket state=present -# XXX We want to change the retun-path for sendpasswd notices from -# 'sympa-request@$robot' to 'noreply@fripost.org'. -# * /usr/lib/cgi-bin/sympa/wwsympa.fcgi -# do_requestpasswd, do_subrequest -# add $param->{'return_path'}='noreply@fripost.org'; -# * /usr/share/sympa/lib/List.pm -# send_global_file -# $data->{'return_path'} //= &Conf::get_robot_conf($robot, 'request'); -# * /usr/share/sympa/default/scenari/send.newsletter -# last line -# true() smtp,dkim,smime,md5 -> reject,quiet -# See #787946. - name: Configure Sympa copy: src=etc/sympa/{{ item }} dest=/etc/sympa/{{ item }} owner=root group=sympa mode=0644 with_items: - - sympa.conf - - wwsympa.conf + - sympa/sympa.conf - topics.conf register: r1 notify: @@ -41,7 +28,7 @@ - name: Create Virtual hosts for Sympa (1) file: path=/etc/sympa/{{ item }} state=directory - owner=root group=root + owner=sympa group=sympa mode=0755 with_items: - lists.fripost.org @@ -63,8 +50,8 @@ - name: Install robot.conf template: src=etc/sympa/robot.conf.j2 dest=/etc/sympa/{{ item }}/robot.conf - owner=root group=root - mode=0644 + owner=sympa group=sympa + mode=0640 with_items: - lists.fripost.org register: r4 diff --git a/roles/lists/templates/etc/postfix/main.cf.j2 b/roles/lists/templates/etc/postfix/main.cf.j2 index 792a397..1bf02eb 100644 --- a/roles/lists/templates/etc/postfix/main.cf.j2 +++ b/roles/lists/templates/etc/postfix/main.cf.j2 @@ -4,9 +4,11 @@ # {{ ansible_managed }} # Do NOT edit this file directly! -smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) -biff = no -readme_directory = no +smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +biff = no +readme_directory = no +compatibility_level = 2 +smtputf8_enable = no delay_warning_time = 4h maximal_queue_lifetime = 5d -- cgit v1.2.3