-rw-r--r-- fripost-docs.org 139
1 files changed, 133 insertions, 6 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index fa698d3..6ac5f96 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -1352,7 +1352,7 @@ In the rest of this section, we assume there is a tunnel from the master
LDAP server to the machine that hosts SASLauthd (i.e., ldap://127.0.0.1:3890 on
this machine actually speaks to the master).
-**** CApath
+**** Fixing CApath
As of Debian Squeeze, Postfix doesn't copy the content of 'smtp_tls_CApath' and
'smtpd_tls_CApath' in the chroot jail. This leads to a flood of "Untrusted
@@ -1360,7 +1360,8 @@ connections" since Postfix doesn't have any root CA to trust.
To do it by hand, copy the files (don't forget the symlink targets) under
'/var/spool/postfix/etc/ssl/certs' and c_rehash this last directory.
-A script is availble in the fripost-admin repository.
+The issue is fixed under Postfix 2.8. For the time being, a script to automatize
+the above process is available in the fripost-admin repository.
**** Configure SASLauthd
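Review bot: the added sentence starting '+The issue is fixed under Postfix 2.8' should name the script (by file name, as the later hunk does for postfix-to-schleuder.sh) and point at the Postfix release note it relies on, so a reader on Squeeze can tell whether the workaround still applies after an upgrade; 'automatize' reads better as 'automate'. Worth adding here as well: the copy of the CA store under '/var/spool/postfix/etc/ssl/certs' goes stale every time ca-certificates is updated, so the script has to be re-run (or hooked into that update), otherwise the chrooted Postfix keeps trusting a CA that has been removed from the system store and rejects peers signed by a newly added one.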
@@ -1876,17 +1877,22 @@ mv hooks/post-update.sample hooks/post-update
echo "Mötesprotokoll" > fripost-meetings.git/description
** Configuring the list managers
+
Right now, the list managers are hosted on our outgoing SMTP (and Mail
Submission Agent), namely GNU. However, incoming email that is to be delivered
to a list, as for regular email, is handled by the MX:s since we do not relay a
whole domain for lists.
*** Configuring the MTA on the MX:s
+
Postfix does not support virtual transport out of the box. Virtual lists need
to be forwarded to a local alias first (replacing the '@' by '#', hence '#' needs to
be forbidden in list names), that can in turn be piped into a command
or transported elswere.
+This is not optimal since a domain owner/postmaster cannot control all the lists under
+his/her domain for instance. But it is the only solution we found so far.
+
:: /etc/postfix/main.cf
virtual_alias_maps = ..., ldap:$config_directory/ldap/virtual_alias_lists.cf
mailbox_transport_maps = ldap:$config_directory/ldap/transport_lists.cf
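Review bot: the new paragraph ('+This is not optimal since a domain owner/postmaster cannot control ...') states the limitation without the reason: because '@' is rewritten to '#', every virtual list lands in one flat local alias namespace shared by all domains, which is why a domain owner cannot reason about the lists under their domain in isolation. Say that explicitly, and say where the ban on '#' in list names is enforced: the hunk only states it must be forbidden, the Mailman ACCEPTABLE_LISTNAME_CHARACTERS setting further down in this file excludes it, but the LDAP data that feeds virtual_alias_lists.cf should validate it too, since that is where a stray '#' would first break the mapping. Minor: 'his/her' can be 'their', and 'elswere' in the unchanged context line is a typo for 'elsewhere'.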
@@ -2201,6 +2207,10 @@ EOF
DEB_LISTMASTER = 'listmaster@lists.fripost.org'
ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9@]'
PUBLIC_ARCHIVE_URL = 'http://%(hostname)s/pipermail/%(listname)s/'
+ DEFAULT_MSG_FOOTER = """_______________________________________________
+ %(real_name)s mailing list
+ %(real_name)s@%(host_name)s
+ %(web_page_url)slistinfo%(cgiext)s/%(real_name)s@%(host_name)s"""
DEFAULT_CHARSET = 'UTF-8'
add_language('en', 'English', 'utf-8')
add_language('sv', 'Swedish', 'utf-8')
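Review bot: DEFAULT_MSG_FOOTER is a triple-quoted string, so any indentation in front of '%(real_name)s mailing list' and the following two lines inside the literal is emitted verbatim at the foot of every list message; keep the continuation lines at column 0 of the string (or run it through textwrap.dedent). Also, the footer's listinfo link uses the 'listname@host' form that a later note in this file still marks 'TODO: check that', and like PUBLIC_ARCHIVE_URL it advertises a plain http URL; both should be verified before this footer is attached to every outgoing message.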
@@ -2238,30 +2248,147 @@ A template can be found in '/etc/mailman/apache.conf'.
In our case the archives under /pipermail/ do not have the right forwat, a quick &
dirty fix is to use a RewriteRule:
+ :: /etc/apache2/site-enabled/000-default
+ ...
<Directory /var/lib/mailman/archives/public/>
RewriteEngine On
RewriteBase /
- RewriteRule ^([^@]+)@([^/]+)/ /pipermail/$2/$1 [L]
+ RewriteRule ^([^@]+)@([^/]+)/ /pipermail/$2/$1/ [L]
...
</Directory>
+ ...
TODO: Forbid access to '/create': it is not a proper way to create lists in our setting,
since one needs to update the LDAP directory first.
+TODO: Use SSL. Switch to Nginx+FastCGI.
+
Note: when creating a new list with '-u lists.example.org', it is not visible under
"http://smtp.fripost.org/cgi-bin/mailman/listinfo", but one can access it under
"http://smtp.fripost.org/cgi-bin/mailman/listinfo/listname@lists.example.org". (TODO:
check that). As usual the list owner can make the list invisible, though.
-*** Schleuder
+*** Schleuder
+
+Documentation: https://schleuder2.nadir.org/
**** Installation
-**** Patches
+ sudo apt-get install schleuder
+ sudo chown 'root:schleuder' /etc/schleuder/lists/
+ sudo chown ug+rwx,o-rwx /etc/schleuder/lists/
+
+*** Configuration
+
+ :: /etc/schleuder/schleuder.conf
+ smtp_host: smtp.fripost.org
+ log_rotate_keep: 3
+ superadminaddr: listmaster@fripost.org
+
+A first list can be created with:
+(Note: it can take a very long while, up to 20min. Isn't it weird by the way?)
+
+ sudo -u schleuder schleuder-newlist test-schleuder@fripost.org -email test-schleuder@fripost.org -realname test-schleuder -nointeractive -adminaddress user@fripost.org -initmember user@fripost.org -initmemberkey /tmp/user.pub
+
+Note: unlinke Mailman, '-initmember' and '-initmemberkey' are required.
+
+To add members, from the command line:
+
+ sudo -u schleuder gpg --homedir /var/schleuder/lists/test-schleuder@fripost.org --import < /tmp/user2.pub
+ # sudo -u schleuder bash
+ echo '- email: user2@fripost.org' >> /var/schleuder/lists/foobar/members.conf
**** Web server configuration
-*** Create a new list
+We will use webschleuder [http://webschleuder.nadir.org/]. Sadly, it is shipped
+in a precompiled Debian Package. Instruction for the installation:
+http://webschleuder.nadir.org/documentation/installation.html
+
+ sudo apt-get install rubygems libactiverecord-ruby librack-ruby camping
+ sudo gem install bcrypt-ruby
+ sudo mkdir -m 0755 /opt/webschleuder
+ sudo chown nobody /opt/webschleuder
+ cd /opt
+ sudo -u nobody git clone git://git.immerda.ch/webschleuder.git webschleuder
+
+
+A patch is needed because our camping is too old (2.0).
+
+ sudo patch -p0 << EOF
+--- webschleuder/webschleuder.rb
++++ webschleuder/webschleuder.rb
+@@ -23,8 +23,8 @@
+
+
+ module Webschleuder
+- set :secret, Webschleuder::Models::WebConfig.loadconfig.session_secret
+ include Camping::Session
++ secret Webschleuder::Models::WebConfig.loadconfig.session_secret
+
+ def r404(path)
+ "Sorry, but I can't find #{path}."
+EOF
+
+ sudo find -L /opt/webschleuder -type f -a \( -name '*.orig' -o -name '*.rej' \) -delete
+ sudo chown -R 'nobody:schleuder' /opt/webschleuder
+
+Configuration:
+
+ sudo cp webschleuder/ext/webschleuder.conf /etc/schleuder/
+ sudo chown 'schleuder:schleuder' /etc/schleuder/webschleuder.conf
+ sudo chmod 0600 /etc/schleuder/webschleuder.conf
+ :: /etc/schleuder/webschleuder.conf
+ session_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ web_authtimeout: 900
+
+
+If you want the list to be available from the web interface, you have to create
+a file called 'web.conf' in the list's config directory, containing the bcrypt-ed
+password for the web interface. It can be done by hand, or using
+
+ sudo -u schleuder ruby /opt/webschleuder/contrib/enable_webschleuder.rb test-schleuder@fripost.org xxxxxxxxxxxxxxxx
+
+A test server (for testing/debugging/development purposes only) can be started with
+
+ sudo -u schleuder camping webschleuder/webschleuder.rb
+
+***** Using mod_passenger:
+
+ sudo apt-get install libapache2-mod-passenger
+
+Passenger setuid to the owner of 'config.ru'. In our case, webschleuder *must*
+be run by schleuder as it has to read list configuration and the public keyring.
+
+ sudo chown 'schleuder:schleuder' /opt/webschleuder/config.ru
+ sudo mkdir -p /var/tmp/webschleuder/data/
+ sudo chown 'schleuder:schleuder' /var/tmp/webschleuder/data/
+
+ sudo ln -s ../mods-available/passenger.load ../mods-available/passenger.conf /etc/apache2/mods-enabled/
+
+ :: /etc/apache2/site-enabled/000-default
+ <VirtualHost *:80>
+ ...
+ PassengerTempDir /var/tmp/webschleuder/data
+ DocumentRoot /opt/webschleuder/static/
+ Alias /static/ /opt/webschleuder/static/
+ <Directory /var/local/lib/webschleuder/static/>
+ AllowOverride None
+ Order allow,deny
+ Allow from all
+ </Directory>
+ ...
+ </VirtualHost>
+
+TODO: Use SSL. Switch to Nginx+FastCGI/Passenger.
+
+**** Wrapper for Postfix's transport
+
+We need to strip out the list command before sending the list name to the
+schleuder executable (it does it for us, but not when the list is fully qualified).
+
+The wrapper (postfix-to-schleuder.sh) is available in the fripost-admin repository.
+
+*** Tools
We need two small scripts to create new lists (one for GNU Mailman, the other
for Schleuder). Postfix will pipe email into them as 'list' and 'schleuder' user
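Review bot: '+ sudo chown ug+rwx,o-rwx /etc/schleuder/lists/' passes a mode where chown expects an owner spec, so the command fails; it must be chmod. Further issues in this hunk: the Apache path is '/etc/apache2/sites-enabled/000-default', not 'site-enabled' (appears twice); the static '<Directory /var/local/lib/webschleuder/static/>' block does not match the DocumentRoot and Alias, which both use '/opt/webschleuder/static/', so the Allow rule never applies to the directory actually served; the members.conf example appends to 'lists/foobar/' although the list created above is 'test-schleuder@fripost.org'; '+*** Configuration' is a level-3 heading and therefore closes the '*** Schleuder' section instead of sitting under it (it should be '****', like the 'Installation' and 'Web server configuration' headings around it); and 'enable_webschleuder.rb test-schleuder@fripost.org xxxxxxxxxxxxxxxx' takes the web password as a command-line argument, so it is visible in ps output and shell history, which deserves a sentence (prefer the 'by hand' route that writes web.conf directly, or clear the history afterwards). The session_secret placeholder should say 'replace with a long random value', and since the web interface handles list passwords and session cookies over port 80, the 'TODO: Use SSL' belongs ahead of the Nginx migration. Spelling: 'unlinke', 'Instruction' (plural), and 'it is shipped in a precompiled Debian Package' contradicts the git clone that follows (presumably 'not shipped as').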