-rw-r--r-- fripost-docs.org 148
1 files changed, 91 insertions, 57 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index 7f7c390..f89f344 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -165,6 +165,8 @@ sudo aptitude install logcheck syslog-summary
# | Postfix reload
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/postfix-script\[[[:digit:]]+\]: refreshing the Postfix mail system$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/master\[[[:digit:]]+\]: reload -- version
+# | slapo-constraint ignores slapd's logging configuration
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ slapd\[[[:digit:]]+\]: constraint_update\(\)$
** Configuring aptitude and friends
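Review bot: the new ignore rule (`constraint_update\(\)$`) silences every `constraint_update()` line slapd emits, so before relying on logcheck to surface LDAP write problems, confirm that a violated constraint is reported as a different message than this bare trace; the comment only says that slapo-constraint bypasses slapd's logging configuration, and a sentence stating what a violation looks like in the log (or that violations are only returned to the client) would help the next reader.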
@@ -2123,7 +2125,7 @@ Finally, we need a new set of rules for logcheck:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/smtpd\[[[:digit:]]+\]: [[:alnum:]]+: client=[._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/cleanup\[[[:digit:]]+\]: [[:alnum:]]+: (resent-|)message-id=<?[^>]+>?( \(added by [^[:space:]]+\))?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/qmgr\[[[:digit:]]+\]: [[:alnum:]]+: from=<[^[:space:]]*>, size=[[:digit:]]+, nrcpt=[[:digit:]]+ \(queue active\)$
- ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/pipe\[[[:digit:]]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)* relay=(mailman|schleuder), delay=[.[:digit:]]+(, delays=([.[:digit:]]+/){3}[.[:digit:]]+)?(, dsn=2(\.[[:digit:]]+){2})?, status=sent \(delivered via (mailman|schleuder) service\)$
+ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/pipe\[[[:digit:]]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)* relay=(mailman|schleuder|mklist-mailman|mklist-schleuder), delay=[.[:digit:]]+(, delays=([.[:digit:]]+/){3}[.[:digit:]]+)?(, dsn=2(\.[[:digit:]]+){2})?, status=sent \(delivered via \2 service\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/local\[[[:digit:]]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=local, delay=[[:digit:].]+(, delays=([.[:digit:]]+/){3}[.[:digit:]]+)?(, dsn=[45](\.[[:digit:]]+){2})?, status=(deferred|bounced) \(.+\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/n?qmgr\[[[:digit:]]+\]: [[:alnum:]]+: from=<.*>, status=expired, returned to sender$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/n?qmgr\[[[:digit:]]+\]: [[:alnum:]]+: message-id=(<?[^[:space:]]+>?)?( \(added by [^[:space:]]+\))?$
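Review bot: the tightened `\(delivered via \2 service\)` correctly backreferences the second group, `(mailman|schleuder|mklist-mailman|mklist-schleuder)`, so a line can no longer match while naming one relay and claiming delivery via another; backreferences are a GNU extension to ERE that logcheck's `grep -E` does support, but the rule should be checked against a real `postfix-lists/pipe` line for each of the four relays (e.g. with `logcheck-test`), since a mismatch would turn routine list delivery into logcheck noise.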
@@ -2233,30 +2235,46 @@ And the archives:
sudo rm -rf /var/lib/mailman/archives/{public,private}/domain/listname
-**** Web server configuration
-
- sudo apt-get install apache2 libapache2-mod-python
- ln -s ../mods-available/python.load /etc/apache2/mods-enabled/
+**** Web server configuration (nginx + fcgiwrap)
-A template can be found in '/etc/mailman/apache.conf'.
+ sudo apt-get install nginx fcgiwrap
In our case the archives under /pipermail/ do not have the right forwat, a quick &
dirty fix is to use a RewriteRule:
- :: /etc/apache2/site-enabled/000-default
- ...
- <Directory /var/lib/mailman/archives/public/>
- RewriteEngine On
- RewriteBase /
- RewriteRule ^([^@/]+)@([^/]+)/ /pipermail/$2/$1/ [R,L]
- ...
- </Directory>
- ...
-
-TODO: Forbid access to '/create': it is not a proper way to create lists in our setting,
-since one needs to update the LDAP directory first.
+ :: /etc/nginx/sites-enabled/lists
+ # Default list manager
+ location = / {
+ rewrite ^ /mailman/listinfo permanent;
+ }
+
+ # Mailman
+ location ^~ /mailman/ {
+ location ^~ /mailman/create { return 403; }
+ rewrite ^/mailman/?$ /mailman/listinfo permanent;
+ root /usr/lib/cgi-bin;
+ gzip off;
+ include fastcgi/params;
+# include fastcgi/ssl; #TODO
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ }
+ location ^~ /images/mailman/ {
+ alias /var/lib/mailman/icons/;
+ }
+ location ^~ /pipermail/ {
+ rewrite ^/pipermail/([^@/]+)@([^@/]+)/?(.*)$ /pipermail/$2/$1/$3 last;
+ index index.html;
+ alias /var/lib/mailman/archives/public/;
+ }
+
+For the web interface to be available, one needs to start *both* fcgiwrap and nginx:
+ sudo /etc/init.d/fcgiwrap start
+ sudo /etc/init.d/nginx start
-TODO: Use SSL. Switch to Nginx+FastCGI.
+Note: We forbid access to '/create' as it is not a proper way to create lists in our
+setting (one has to update the LDAP directory first).
+We have a rewrite rule for '/pipermail/' as internally, archives are stored hierarchically
+under the list's domain.
Note: when creating a new list with '-u lists.example.org', it is not visible under
"http://smtp.fripost.org/cgi-bin/mailman/listinfo", but one can access it under
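Review bot: dropping the `TODO: Use SSL` line while leaving `# include fastcgi/ssl; #TODO` commented out loses the only prose reminder that the Mailman admin interface, and the list passwords submitted to it, is still served over plain HTTP; keep the TODO in the text until the ssl include is enabled. Two smaller points: the `:: /etc/nginx/sites-enabled/lists` fragment should say which `server { ... }` block these `location` entries belong in, and the unchanged context line `do not have the right forwat` should read `format`.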
@@ -2355,57 +2373,73 @@ If you want the list to be available from the web interface, you have to create
a file called 'web.conf' in the list's config directory, containing the bcrypt-ed
password for the web interface. It can be done by hand, or using
- sudo -u schleuder ruby /opt/webschleuder/contrib/enable_webschleuder.rb test-schleuder@fripost.org xxxxxxxxxxxxxxxx
+ echo xxxxxxxxxxxx | sudo -u schleuder ruby /opt/webschleuder/contrib/enable_webschleuder.rb test-schleuder@fripost.org
A test server (for testing/debugging/development purposes only) can be started with
sudo -u schleuder camping webschleuder/webschleuder.rb
-***** Using mod_passenger:
-
- sudo apt-get install libapache2-mod-passenger
-
-Passenger setuid to the owner of 'config.ru'. In our case, webschleuder *must*
-be run by schleuder as it has to read list configuration and the public keyring.
+***** Configuring nginx + thin
- sudo chown 'schleuder:schleuder' /opt/webschleuder/config.ru
- sudo mkdir -m 0700 -p /var/tmp/webschleuder/{data,upload}/
- sudo chown 'schleuder:schleuder' /var/tmp/webschleuder/data/
- sudo chown 'www-data:www-data' /var/tmp/webschleuder/upload/
+ sudo apt-get install nginx thin
+ sudo mkdir /var/run/webschleuder/
+ sudo chown 'schleuder:schleuder' /var/run/webschleuder/
- sudo ln -s ../mods-available/passenger.load ../mods-available/passenger.conf /etc/apache2/mods-enabled/
+ :: /etc/thin/webschleuder.yml
+ ---
+ rackup: config.ru
+ pid: /var/run/webschleuder/pid
+ timeout: 30
+ log: /var/log/schleuder/webschleuder.log
+ max_conns: 1024
+ require: []
+
+ max_persistent_conns: 512
+ environment: production
+ user: schleuder
+ group: schleuder
+ servers: 1
+ daemonize: true
+ chdir: /opt/webschleuder
+ socket: /var/run/webschleuder/socket
+
+ :: /etc/nginx/sites-enabled/lists
+ # Webschleuder
+ location ^~ /schleuder/ {
+ gzip off;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $http_host;
+ proxy_redirect off;
+ proxy_pass http://unix:/var/run/webschleuder/socket.0;
+ }
+ location ^~ /static/ {
+ alias /opt/webschleuder/static/;
+ }
- :: /etc/apache2/site-enabled/000-default
- <VirtualHost *:80>
- ...
- PassengerTempDir /var/tmp/webschleuder/data/
- PassengerUploadBufferDir /var/tmp/webschleuder/upload/
- DocumentRoot /opt/webschleuder/static/
- Alias /static/ /opt/webschleuder/static/
- <Directory /var/local/lib/webschleuder/static/>
- AllowOverride None
- Order allow,deny
- Allow from all
- </Directory>
- ...
- </VirtualHost>
+For the web interface to be available, one needs to start *both* thin and nginx:
+ sudo /etc/init.d/thin start
+ sudo /etc/init.d/nginx start
-TODO: Use SSL. Switch to Nginx+FastCGI/Passenger.
+*** Creating new lists
-*** Tools
+The task is somewhat more tricky than for domains / aliases / mailbox creation as
+the list manager has to be asked to create the list *on disk*.
-We need two small scripts to create new lists (one for GNU Mailman, the other
-for Schleuder). Postfix will pipe email into them as 'list' and 'schleuder' user
-respectively, hence the two distinct files transport_mailman and transport_schleuder.
+The solution we chose is to create a special address 'mklist@fripost.org', for which each
+email will be piped by Postfix into a list creation script run with the right user
+(list or schleuder, depending on the extension: mklist+mailman@fripost.org or
+mklist+schleuder@fripost.org.)
-These scripts should:
-- Ensure that the email is signed with the Admin WebPanel GPG key,
-- Create a new list, given for instance in the subject,
-- Append the new commands to transport_mailman or transport_schleuder,
-- Hash the transport file.
+Of course, we don't want to give everyone the permission to create lists, hence the script:
+ 1/ ensures the email is signed with a known *and authorized* GPG key,
+ 2/ ensures the list that is to be created is in the "pending" state,
+ 3/ asks the list manager to create the list (for schleuder, also create the web.conf),
+ 4/ updates and hashes the lookup tables, and
+ 5/ adds the list commands to the LDAP directory, and removes the "pending" state.
-In the case of Schleuder we also create the web.conf file with the provided
-password.
+The script can be found in the "fripost-panel" repository. See INSTALL and README for
+further insformations.
** Logging
*** Overview
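Review bot: `sudo mkdir /var/run/webschleuder/` creates the pid/socket directory once by hand, but on systems where /var/run is a tmpfs or is cleaned at boot the directory disappears after a reboot and `thin` will fail to start, because `pid:` and `socket:` in /etc/thin/webschleuder.yml point into it; create it from the init script (or document that it must be recreated after reboot) rather than only at install time. Also, `further insformations` in the closing paragraph should read `further information`.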