-rw-r--r--fripost-docs.org407
1 files changed, 405 insertions, 2 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index 76a807a..00baf00 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -1393,8 +1393,8 @@ If everything goes through, it is now time to modify Postfix's main.cf:
:: /etc/postfix/main.cf
[...]
+ smtpd_sasl_auth_enable = no
smtpd_sasl_authenticated_header = yes
- smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = fripost.org
# TODO:add sasl exceptions for our other clients
smtpd_sasl_exceptions_networks = $mynetworks
@@ -1448,7 +1448,7 @@ What the user type is here emphasized and prefixed with a `*'
Verify return code: 0 (ok)
---
250 DSN
- * EHLO localhost
+ * EHLO localhost.localdomain
[...]
250-ETRN
250-AUTH LOGIN PLAIN
@@ -1599,6 +1599,8 @@ responsability to masquerade it I suppose.
/^Received:\s+from\s+([._[:alnum:]-]+\s+\([._[:alnum:]-]+\s+\[[[:xdigit:].:]{3,39}\]\))(\s+\(using\s+(TLSv1|SSLv[23])\s+with\s+cipher\s+\S+\s+\([\/0-9]+\s+bits\)\)\s+).*(\(Authenticated sender:\s+[^)]+\)\s+).*(by\s+smtp\.fripost\.org\s+\([^)]+\)\s+with\s+E?SMTPS?A?\s+id\s+[[:xdigit:]]+.*)/
REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])${2}${4}${5}
+ /^X-Originating-IP:/ IGNORE
+
:: /etc/postfix/main.cf
@@ -1863,6 +1865,407 @@ mv hooks/post-update.sample hooks/post-update
echo "Mötesprotokoll" > fripost-meetings.git/description
+** Configuring the list managers
+Right now, the list managers are hosted on our outgoing SMTP (and Mail
+Submission Agent), namely GNU. However, incoming email that is to be delivered
+to a list, as for regular email, is handled by the MX:s since we do not relay a
+whole domain for lists.
+
+*** Configuring the MTA on the MX:s
+Postfix does not support virtual transport out of the box. Virtual lists need
+to be forwarded to a local alias first (replacing the '@' by '#', hence '#' needs to
+be forbidden in list names), that can in turn be piped into a command
+or transported elswere.
+
+ :: /etc/postfix/main.cf
+ virtual_alias_maps = ..., ldap:$config_directory/ldap/virtual_alias_lists.cf
+ mailbox_transport_maps = ldap:$config_directory/ldap/transport_lists.cf
+
+ :: /etc/postfix/ldap/virtual_alias_maps.cf
+ test-list@fripost.org test-list#fripost.org
+ test-list-admin@fripost.org test-list-admin#fripost.org
+ test-list-bounces@fripost.org test-list-bounces#fripost.org
+ test-list-confirm@fripost.org test-list-confirm#fripost.org
+ test-list-join@fripost.org test-list-join#fripost.org
+ test-list-leave@fripost.org test-list-leave#fripost.org
+ test-list-owner@fripost.org test-list-owner#fripost.org
+ test-list-request@fripost.org test-list-request#fripost.org
+ test-list-subscribe@fripost.org test-list-subscribe#fripost.org
+ test-list-unsubscribe@fripost.org test-list-unsubscribe#fripost.org
+
+ test-schleuder@fripost.org test-schleuder#fripost.org
+ test-schleuder-bounces@fripost.org test-schleuder-bounces#fripost.org
+ test-schleuder-sendkey@fripost.org test-schleuder-sendkey#fripost.org
+ TODO: give the LDAP configuration
+
+ :: /etc/postfix/ldap/transport_lists.cf
+ test-list#fripost.org smtp:[127.0.0.1]:2345
+ test-list-admin#fripost.org smtp:[127.0.0.1]:2345
+ test-list-bounces#fripost.org smtp:[127.0.0.1]:2345
+ test-list-confirm#fripost.org smtp:[127.0.0.1]:2345
+ test-list-join#fripost.org smtp:[127.0.0.1]:2345
+ test-list-leave#fripost.org smtp:[127.0.0.1]:2345
+ test-list-owner#fripost.org smtp:[127.0.0.1]:2345
+ test-list-request#fripost.org smtp:[127.0.0.1]:2345
+ test-list-subscribe#fripost.org smtp:[127.0.0.1]:2345
+ test-list-unsubscribe#fripost.org smtp:[127.0.0.1]:2345
+
+ test-schleuder#fripost.org smtp:[127.0.0.1]:2345
+ test-schleuder-bounces#fripost.org smtp:[127.0.0.1]:2345
+ test-schleuder-sendkey#fripost.org smtp:[127.0.0.1]:2345
+ TODO: give the LDAP configuration
+
+Note: in 'virtual_alias_maps', 'virtual_alias_lists.cf' should come before the
+catchalls to be effective.
+
+
+So every email that is to be delivered to a list manager is dropped into
+127.0.0.1:2345 using the SMTP protocol.
+
+*** Configuring the MTA on the machine hosting the list managers
+
+In the rest of this section, we assume there is a tunnel from each MX (port 2345)
+to the machine hosting the lists managers (port 2345).
+
+Since this machine is currently also hosting the outgoing SMTP and the Mail
+Submission Agent, we cannot the whole Postfix server to lists. Instead, we create a
+new Postfix instance for this purpose. (We need to because we need custom
+'virtual_alias_maps' that cannot be specified for a particular SMTP server only.)
+
+**** Installation
+
+sudo apt-get install postfix postfix-pcre postfix-cdb
+
+**** Creating a new postfix instance
+
+Reference: http://www.postfix.org/MULTI_INSTANCE_README.html
+
+ sudo postmulti -e init
+ sudo postmulti -I postfix-lists -G mta -e create
+ sudo ln -s ../postfix/dynamicmaps.cf /etc/postfix-lists/
+
+
+/etc/postfix/main.cf should be modified with
+
+ :: /etc/postfix/main.cf
+ ...
+ multi_instance_wrapper = ${command_directory}/postmulti -p --
+ multi_instance_enable = yes
+ multi_instance_directories = /etc/postfix-lists
+ ...
+
+ :: /etc/postfix-lists/main.cf
+ master_service_disable =
+ queue_directory = /var/spool/postfix-lists
+ mail_owner = postfix
+ multi_instance_group = mta
+ multi_instance_name = postfix-lists
+ multi_instance_enable = yes
+
+ readme_directory = no
+ data_directory = /var/lib/postfix-lists
+
+ smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+ myorigin = /etc/mailname
+ myhostname = lists.fripost.org
+
+ mydestination = $myhostname
+ mynetworks = 127.0.0.0/8
+
+ default_database_type = cdb
+
+ recipient_delimiter = +
+ alias_database =
+ alias_maps =
+ local_recipient_maps = $transport_maps
+
+ virtual_mailbox_domains = pcre:$config_directory/virtual_domains.pcre
+ virtual_alias_maps = pcre:$config_directory/virtual_aliases.pcre
+ virtual_mailbox_maps =
+
+ virtual_transport = error:5.1.1 Virtual transport unavailable
+ default_transport = smtp:[127.0.0.1]
+
+ relay_domains = $myhostname
+ transport_maps = cdb:$config_directory/transport_mailman
+ cdb:$config_directory/transport_schleuder
+ mailman_destination_recipient_limit = 1
+ schleuder_destination_recipient_limit = 1
+
+ :: /etc/postfix-lists/master.cf
+ 127.0.0.1:2345 inet n - - - - smtpd
+ ...
+ mailman unix - n n - - pipe
+ flags=FR user=list:list argv=/usr/lib/mailman/bin/postfix-to-mailman.py 127.0.0.1 ${user}
+ # TODO: put ${nexthop} back (it's lists.fripost.org)
+ schleuder unix - n n - - pipe
+ flags=FR user=schleuder:schleuder argv=/usr/local/bin/postfix-to-schleuder.sh ${user}
+
+(Don't forget to remove the other 'inet' services in the /etc/postfix-lists/master.cf)
+
+Note: you need to to append the configuration directory to Postfix commands to talk to this
+instance, for instance:
+- sudo postfix -c /etc/postfix-lists reload # reload (without -c, it reloads both the slave and the master instances)
+- sudo postmap -c /etc/postfix-lists /etc/postfix-lists/transport_mailman # postmap
+- sudo postfix -c /etc/postfix-lists flush # flush the mail queue
+- mailq -C /etc/postfix-lists # dump the mail queue
+- ...
+
+ :: /etc/postfix-lists/virtual_domains.pcre
+ # Accept all domains that are not our destination.
+ # (Only the MX's destinations are required, but...)
+ !/^lists\.fripost\.org$/ OK
+
+ :: /etc/postfix-lists/virtual_aliases.pcre
+ # Keep the local part, but replace the local part by our relay domain.
+ /^([^@]+)@/ ${1}@lists.fripost.org
+
+ :: /etc/postfix-lists/transport_mailman
+ test-mailman#fripost.org@lists.fripost.org mailman:
+ test-mailman-admin#fripost.org@lists.fripost.org mailman:
+ test-mailman-bounces#fripost.org@lists.fripost.org mailman:
+ test-mailman-confirm#fripost.org@lists.fripost.org mailman:
+ test-mailman-join#fripost.org@lists.fripost.org mailman:
+ test-mailman-leave#fripost.org@lists.fripost.org mailman:
+ test-mailman-owner#fripost.org@lists.fripost.org mailman:
+ test-mailman-request#fripost.org@lists.fripost.org mailman:
+ test-mailman-subscribe#fripost.org@lists.fripost.org mailman:
+ test-mailman-unsubscribe#fripost.org@lists.fripost.org mailman:
+
+ :: /etc/postfix-lists/transport_schleuder
+ test-schleuder#fripost.org@lists.fripost.org schleuder:
+ test-schleuder-bounces#fripost.org@lists.fripost.org schleuder:
+ test-schleuder-sendkey#fripost.org@lists.fripost.org schleuder:
+
+Note: we could use LDAP lookups in transport as well, but it is not easy for
+list commands, and we have write access to the disk when adding a new list
+anyway. Also, searching in a CDB table is much more efficent.
+
+After modifying /etc/postfix-lists/transport_mailman, type
+
+ sudo postmap -c /etc/postfix-lists /etc/postfix-lists/transport_mailman
+
+to produce a CDB table. It is not necessary to reload Postfix after that, but
+you may have to wait one minute or two for Postfix to reload the file in memory.
+If you are in a hurry, type
+
+ sudo postfix -c /etc/postfix-lists reload
+
+to reload this instance only.
+
+
+Finally, we need a new set of rules for logcheck:
+
+ :: /etc/logcheck/ignore.d.server/postfix-lists
+ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/smtpd\[[[:digit:]]+\]: (dis)?connect from [^[:space:]]+$
+ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/smtpd\[[[:digit:]]+\]: [[:alnum:]]+: client=[._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]$
+ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/cleanup\[[[:digit:]]+\]: [[:alnum:]]+: (resent-|)message-id=<?[^>]+>?( \(added by [^[:space:]]+\))?$
+ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/qmgr\[[[:digit:]]+\]: [[:alnum:]]+: from=<[^[:space:]]*>, size=[[:digit:]]+, nrcpt=[[:digit:]]+ \(queue active\)$
+ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/pipe\[[[:digit:]]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)* relay=(mailman|schleuder), delay=[.[:digit:]]+(, delays=([.[:digit:]]+/){3}[.[:digit:]]+)?(, dsn=2(\.[[:digit:]]+){2})?, status=sent \(delivered via (mailman|schleuder) service\)$
+ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/local\[[[:digit:]]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=local, delay=[[:digit:].]+(, delays=([.[:digit:]]+/){3}[.[:digit:]]+)?(, dsn=[45](\.[[:digit:]]+){2})?, status=(deferred|bounced) \(.+\)$
+ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/n?qmgr\[[[:digit:]]+\]: [[:alnum:]]+: from=<.*>, status=expired, returned to sender$
+ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/n?qmgr\[[[:digit:]]+\]: [[:alnum:]]+: message-id=(<?[^[:space:]]+>?)?( \(added by [^[:space:]]+\))?$
+ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/n?qmgr\[[[:digit:]]+\]: [[:alnum:]]+: removed$
+ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/n?qmgr\[[[:digit:]]+\]: [[:alnum:]]+: skipped, still being delivered$
+
+(We could use the whole /etc/logcheck/ignore.d.server/postfix, but it's better to
+stick to the smallest rule set.)
+
+*** GNU Mailman
+
+**** Installation
+
+ :: sudo apt-get install mailman
+
+As of Debian 6.0 (Squeeze), saldy only mailman2 is available, and we need to apply
+third party patches for virtual domains to work. Hopefully GNU Mailman 3 will be
+available with Wheezy: it has native support for virtual domains, a LMTP server, a
+much nicer interface and design...
+
+References:
+- http://wiki.list.org/pages/viewpage.action?pageId=4030604
+- http://mail.python.org/pipermail/mailman-users/2010-January/068571.html
+- for Mailman 3: http://wiki.list.org/display/DEV/Mailman+3.0
+
+
+ cd $HOME && wget http://www.msapiro.net/mm/2.1.13-1_vhost.patch
+ cd /var/lib/mailman
+ sudo patch -p1 < $HOME/2.1.13-1_vhost.patch
+
+Two hunks fail due to Debian specific patches, but it's merely line numbers that changed:
+1 out of 1 hunk FAILED -- saving rejects to file Mailman/Defaults.py.in.rej
+1 out of 1 hunk FAILED -- saving rejects to file Mailman/HTMLFormatter.py.rej
+
+In 'Defaults.py', the DEFAULT_MSG_FOOTER should be kept to
+ ...
+ %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
+
+as we want the a fully qualified list here. But we need to patch 'HTMLFormatter.py'.
+
+ sudo patch -p0 << EOF
+--- Mailman/HTMLFormatter.py
++++ Mailman/HTMLFormatter.py
+@@ -382,7 +382,8 @@
+ d = {
+ '<mm-mailman-footer>' : self.GetMailmanFooter(),
+ '<mm-list-name>' : self.real_name,
+- '<mm-email-user>' : self._internal_name,
++ '<mm-email-user>' : self.local_part,
++ '<mm-complete-name>' : self.internal_name(),
+ '<mm-list-description>' : Utils.websafe(self.description),
+ '<mm-list-info>' :
+ '<!---->' + BR.join(self.info.split(NL)) + '<!---->',
+EOF
+
+
+We need a last patch to keep fully qualified lists in URLs:
+
+ sudo patch -p0 << EOF
+--- Mailman/MailList.py
++++ Mailman/MailList.py
+@@ -253,7 +253,7 @@
+ # Using "local_part" here works for both site wide lists on
+ # the default url host and for vhost lists on the vhost url host.
+ return Utils.ScriptURL(scriptname, self.web_page_url, absolute) + \\
+- '/' + self.local_part
++ '/' + self._internal_name
+
+ def GetOptionsURL(self, user, obscure=0, absolute=0):
+ url = self.GetScriptURL('options', absolute)
+EOF
+
+ sudo patch -p0 << EOF
+--- Mailman/Archiver/Archiver.py
++++ Mailman/Archiver/Archiver.py
+@@ -162,7 +162,7 @@
+ if hostname == mm_cfg.DEFAULT_URL_HOST:
+- fullname = self.local_part
++ fullname = self._internal_name
+ else:
+- fullname = os.path.join(hostname, self.local_part)
++ fullname = os.path.join(hostname, self._internal_name)
+ url = mm_cfg.PUBLIC_ARCHIVE_URL % {
+ 'listname': fullname,
+ 'hostname': hostname
+EOF
+
+ sudo patch -p0 << EOF
+--- bin/postfix-to-mailman.py
++++ bin/postfix-to-mailman.py
+@@ -111,6 +111,11 @@
+ 'mailman_destination_recipient_limit=1 '
+ 'in main.cf?')
+ sys.exit(EX_USAGE)
++ try:
++ l,d = local.split('#',2)
++ local = '%s@%s' % (l,d)
++ except ValueError:
++ l,d = local, None
+
+ # Redirect required addresses to
+ if local in ('postmaster', 'abuse', 'mailer-daemon'):
+@@ -140,8 +145,9 @@
+ '-subscribe',
+ '-unsubscribe',
+ ):
+- if local.endswith(ext):
+- mlist = local[:-len(ext)]
++ if l.endswith(ext):
++ mlist = l[:-len(ext)]
++ if d: mlist = '%s@%s' % (mlist,d)
+ func = ext[1:]
+ break
+EOF
+
+ sudo find -L /var/lib/mailman -type f -a \( -name '*.orig' -o -name '*.rej' \) -delete
+
+**** Configuration
+
+ :: /etc/mailman/mm_cfg.py
+ DEFAULT_URL_PATTERN = 'http://%s/cgi-bin/mailman/'
+ PRIVATE_ARCHIVE_URL = '/cgi-bin/mailman/private'
+ IMAGE_LOGOS = '/images/mailman/'
+ DEFAULT_EMAIL_HOST = 'lists.fripost.org'
+ DEFAULT_URL_HOST = 'smtp.fripost.org' # TODO: change that to lists.fripost.org once the A record is changed
+ MTA = None
+ DEB_LISTMASTER = 'listmaster@lists.fripost.org'
+ ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9@]'
+ PUBLIC_ARCHIVE_URL = 'http://%(hostname)s/pipermail/%(listname)s/'
+ DEFAULT_CHARSET = 'UTF-8'
+ add_language('en', 'English', 'utf-8')
+ add_language('sv', 'Swedish', 'utf-8')
+
+TODO: https; use a better URL scheme for the two list managers, perhaps something like
+https://lists.fripost.org/mailman/ and https://lists.fripost.org/schleuder/ .
+
+TODO: what URL format shall we choose (cf. DEFAULT_MSG_FOOTER)?
+%(real_name)s@%(host_name)s vs %(host_name)s/%(host_name)s
+(Right now it is the first choice.)
+
+
+A first list 'mailman' is required:
+
+ sudo -u list ./bin/newlist -q -u smtp.fripost.org mailman listmaster@fripost.org xxxxxxxxxxxxxxxx
+
+The daemon can now be started:
+
+ sudo /etc/init.d/mailman start
+
+
+To create a list:
+
+ sudo -u list ./bin/newlist -q -u smtp.fripost.org test-mailman@fripost.org user@fripost.org xxxxxxxxxxxxxxxx
+
+TODO: switch to '-u lists.fripost.org' when the DEFAULT_URL_HOST is updated.
+
+**** Web server configuration
+
+ sudo apt-get install apache2 libapache2-mod-python
+ ln -s ../mods-available/python.load /etc/apache2/mods-enabled/
+
+A template can be found in '/etc/mailman/apache.conf'.
+
+In our case the archives under /pipermail/ do not have the right forwat, a quick &
+dirty fix is to use a RewriteRule:
+
+ <Directory /var/lib/mailman/archives/public/>
+ RewriteEngine On
+ RewriteBase /
+ RewriteRule ^([^@]+)@([^/]+)/ /pipermail/$2/$1 [L]
+ ...
+ </Directory>
+
+TODO: Forbid access to '/create': it is not a proper way to create lists in our setting,
+since one needs to update the LDAP directory first.
+
+Note: when creating a new list with '-u lists.example.org', it is not visible under
+"http://smtp.fripost.org/cgi-bin/mailman/listinfo", but one can access it under
+"http://smtp.fripost.org/cgi-bin/mailman/listinfo/listname@lists.example.org". (TODO:
+check that). As usual the list owner can make the list invisible, though.
+
+*** Schleuder
+
+**** Installation
+
+**** Patches
+
+**** Web server configuration
+
+*** Create a new list
+
+We need two small scripts to create new lists (one for GNU Mailman, the other
+for Schleuder). Postfix will pipe email into them as 'list' and 'schleuder' user
+respectively, hence the two files transport_mailman and transport_schleuder.
+
+These scripts should:
+- Ensure that the email is signed with the Admin WebPanel GPG key,
+- Create a new list, given for instance in the subject,
+- Append the new commands to transport_mailman or transport_schleuder,
+- Hash the transport file.
+
+In the case of Schleuder we also, create the web.conf file with the provided
+password.
+
** Logging
*** Overview
We want to limit how much we log for privacy reasons. At the same time we want