From 347aaec2a3f7b74752038ab8869360ce68509f4d Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 17 Sep 2012 03:08:23 +0200 Subject: How to install & configure Schleuder. --- fripost-docs.org | 139 ++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 133 insertions(+), 6 deletions(-) diff --git a/fripost-docs.org b/fripost-docs.org index fa698d3..6ac5f96 100644 --- a/fripost-docs.org +++ b/fripost-docs.org @@ -1352,7 +1352,7 @@ In the rest of this section, we assume there is a tunnel from the master LDAP server to the machine that hosts SASLauthd (i.e., ldap://127.0.0.1:3890 on this machine actually speaks to the master). -**** CApath +**** Fixing CApath As of Debian Squeeze, Postfix doesn't copy the content of 'smtp_tls_CApath' and 'smtpd_tls_CApath' in the chroot jail. This leads to a flood of "Untrusted @@ -1360,7 +1360,8 @@ connections" since Postfix doesn't have any root CA to trust. To do it by hand, copy the files (don't forget the symlink targets) under '/var/spool/postfix/etc/ssl/certs' and c_rehash this last directory. -A script is availble in the fripost-admin repository. +The issue is fixed under Postfix 2.8. For the time being, a script to automatize +the above process is available in the fripost-admin repository. **** Configure SASLauthd @@ -1876,17 +1877,22 @@ mv hooks/post-update.sample hooks/post-update echo "Mötesprotokoll" > fripost-meetings.git/description ** Configuring the list managers + Right now, the list managers are hosted on our outgoing SMTP (and Mail Submission Agent), namely GNU. However, incoming email that is to be delivered to a list, as for regular email, is handled by the MX:s since we do not relay a whole domain for lists. *** Configuring the MTA on the MX:s + Postfix does not support virtual transport out of the box. Virtual lists need to be forwarded to a local alias first (replacing the '@' by '#', hence '#' needs to be forbidden in list names), that can in turn be piped into a command or transported elswere. +This is not optimal since a domain owner/postmaster cannot control all the lists under +his/her domain for instance. But it is the only solution we found so far. + :: /etc/postfix/main.cf virtual_alias_maps = ..., ldap:$config_directory/ldap/virtual_alias_lists.cf mailbox_transport_maps = ldap:$config_directory/ldap/transport_lists.cf @@ -2201,6 +2207,10 @@ EOF DEB_LISTMASTER = 'listmaster@lists.fripost.org' ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9@]' PUBLIC_ARCHIVE_URL = 'http://%(hostname)s/pipermail/%(listname)s/' + DEFAULT_MSG_FOOTER = """_______________________________________________ + %(real_name)s mailing list + %(real_name)s@%(host_name)s + %(web_page_url)slistinfo%(cgiext)s/%(real_name)s@%(host_name)s""" DEFAULT_CHARSET = 'UTF-8' add_language('en', 'English', 'utf-8') add_language('sv', 'Swedish', 'utf-8') @@ -2238,30 +2248,147 @@ A template can be found in '/etc/mailman/apache.conf'. In our case the archives under /pipermail/ do not have the right forwat, a quick & dirty fix is to use a RewriteRule: + :: /etc/apache2/site-enabled/000-default + ... RewriteEngine On RewriteBase / - RewriteRule ^([^@]+)@([^/]+)/ /pipermail/$2/$1 [L] + RewriteRule ^([^@]+)@([^/]+)/ /pipermail/$2/$1/ [L] ... + ... TODO: Forbid access to '/create': it is not a proper way to create lists in our setting, since one needs to update the LDAP directory first. +TODO: Use SSL. Switch to Nginx+FastCGI. + Note: when creating a new list with '-u lists.example.org', it is not visible under "http://smtp.fripost.org/cgi-bin/mailman/listinfo", but one can access it under "http://smtp.fripost.org/cgi-bin/mailman/listinfo/listname@lists.example.org". (TODO: check that). As usual the list owner can make the list invisible, though. -*** Schleuder +*** Schleuder + +Documentation: https://schleuder2.nadir.org/ **** Installation -**** Patches + sudo apt-get install schleuder + sudo chown 'root:schleuder' /etc/schleuder/lists/ + sudo chown ug+rwx,o-rwx /etc/schleuder/lists/ + +*** Configuration + + :: /etc/schleuder/schleuder.conf + smtp_host: smtp.fripost.org + log_rotate_keep: 3 + superadminaddr: listmaster@fripost.org + +A first list can be created with: +(Note: it can take a very long while, up to 20min. Isn't it weird by the way?) + + sudo -u schleuder schleuder-newlist test-schleuder@fripost.org -email test-schleuder@fripost.org -realname test-schleuder -nointeractive -adminaddress user@fripost.org -initmember user@fripost.org -initmemberkey /tmp/user.pub + +Note: unlinke Mailman, '-initmember' and '-initmemberkey' are required. + +To add members, from the command line: + + sudo -u schleuder gpg --homedir /var/schleuder/lists/test-schleuder@fripost.org --import < /tmp/user2.pub + # sudo -u schleuder bash + echo '- email: user2@fripost.org' >> /var/schleuder/lists/foobar/members.conf **** Web server configuration -*** Create a new list +We will use webschleuder [http://webschleuder.nadir.org/]. Sadly, it is shipped +in a precompiled Debian Package. Instruction for the installation: +http://webschleuder.nadir.org/documentation/installation.html + + sudo apt-get install rubygems libactiverecord-ruby librack-ruby camping + sudo gem install bcrypt-ruby + sudo mkdir -m 0755 /opt/webschleuder + sudo chown nobody /opt/webschleuder + cd /opt + sudo -u nobody git clone git://git.immerda.ch/webschleuder.git webschleuder + + +A patch is needed because our camping is too old (2.0). + + sudo patch -p0 << EOF +--- webschleuder/webschleuder.rb ++++ webschleuder/webschleuder.rb +@@ -23,8 +23,8 @@ + + + module Webschleuder +- set :secret, Webschleuder::Models::WebConfig.loadconfig.session_secret + include Camping::Session ++ secret Webschleuder::Models::WebConfig.loadconfig.session_secret + + def r404(path) + "Sorry, but I can't find #{path}." +EOF + + sudo find -L /opt/webschleuder -type f -a \( -name '*.orig' -o -name '*.rej' \) -delete + sudo chown -R 'nobody:schleuder' /opt/webschleuder + +Configuration: + + sudo cp webschleuder/ext/webschleuder.conf /etc/schleuder/ + sudo chown 'schleuder:schleuder' /etc/schleuder/webschleuder.conf + sudo chmod 0600 /etc/schleuder/webschleuder.conf + :: /etc/schleuder/webschleuder.conf + session_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + web_authtimeout: 900 + + +If you want the list to be available from the web interface, you have to create +a file called 'web.conf' in the list's config directory, containing the bcrypt-ed +password for the web interface. It can be done by hand, or using + + sudo -u schleuder ruby /opt/webschleuder/contrib/enable_webschleuder.rb test-schleuder@fripost.org xxxxxxxxxxxxxxxx + +A test server (for testing/debugging/development purposes only) can be started with + + sudo -u schleuder camping webschleuder/webschleuder.rb + +***** Using mod_passenger: + + sudo apt-get install libapache2-mod-passenger + +Passenger setuid to the owner of 'config.ru'. In our case, webschleuder *must* +be run by schleuder as it has to read list configuration and the public keyring. + + sudo chown 'schleuder:schleuder' /opt/webschleuder/config.ru + sudo mkdir -p /var/tmp/webschleuder/data/ + sudo chown 'schleuder:schleuder' /var/tmp/webschleuder/data/ + + sudo ln -s ../mods-available/passenger.load ../mods-available/passenger.conf /etc/apache2/mods-enabled/ + + :: /etc/apache2/site-enabled/000-default + + ... + PassengerTempDir /var/tmp/webschleuder/data + DocumentRoot /opt/webschleuder/static/ + Alias /static/ /opt/webschleuder/static/ + + AllowOverride None + Order allow,deny + Allow from all + + ... + + +TODO: Use SSL. Switch to Nginx+FastCGI/Passenger. + +**** Wrapper for Postfix's transport + +We need to strip out the list command before sending the list name to the +schleuder executable (it does it for us, but not when the list is fully qualified). + +The wrapper (postfix-to-schleuder.sh) is available in the fripost-admin repository. + +*** Tools We need two small scripts to create new lists (one for GNU Mailman, the other for Schleuder). Postfix will pipe email into them as 'list' and 'schleuder' user -- cgit v1.2.3