From 669970ec3ac5066d925c740d1631c38a242e8345 Mon Sep 17 00:00:00 2001 From: Kienan Stewart Date: Fri, 22 Jun 2018 15:29:40 -0400 Subject: [PATCH 1/8] Use a local domain reverse proxy for accessing mailman By default alternc panel runs as a uid which is not accepted by the debian version of mailman. This takes any requests are proxies it through mailman.localdomain which runs as the default www-data user. Refs #14 --- Makefile | 1 + alternc-mailman-install | 13 +++++++------ debian/alternc-mailman.postinst | 1 + mm_cfg.py | 7 +++++++ 4 files changed, 16 insertions(+), 6 deletions(-) diff --git a/Makefile b/Makefile index 2cbd2ca..bf16dc1 100644 --- a/Makefile +++ b/Makefile @@ -33,6 +33,7 @@ install: chown 1999:1999 -R $(DESTDIR)/usr/share/alternc/panel/ install -m 0644 mm_cfg.py \ $(DESTDIR)/etc/alternc/templates/mailman/ + install -m 0644 alternc-mailman.conf $(DESTDIR)/etc/alternc/alternc-mailman.conf install -m 0644 -o root -g root src/get_url_alternc.py src/set_url_alternc.py \ $(DESTDIR)/usr/lib/mailman/bin/ install -m 0755 src/update_mailman.sh \ diff --git a/alternc-mailman-install b/alternc-mailman-install index 9374b69..c77ab57 100644 --- a/alternc-mailman-install +++ b/alternc-mailman-install @@ -30,14 +30,15 @@ then echo "ensuring apache2 symlink is setup in /etc/apache2/conf.d/" # compatibility with both Apache 2.2 and 2.4 makes it Wheezy AND Jessie-compliant : if [ -d "/etc/apache2/conf.d" ] - then - ln -sf /etc/mailman/apache.conf /etc/apache2/conf.d/mailman.conf + then + ln -sf /etc/alternc/alternc-mailman.conf /etc/apache2/conf.d/mailman.conf fi - if [ -d "/etc/apache2/conf-enabled" ] - then - ln -sf /etc/mailman/apache.conf /etc/apache2/conf-enabled/mailman.conf + if [ -d "/etc/apache2/conf-available" ] + then + ln -sf /etc/alternc/alternc-mailman.conf /etc/apache2/conf-enabled/mailman.conf + a2enconf mailman.conf fi -fi +fi if [ "$1" = "before-reload" ] then 
diff --git a/debian/alternc-mailman.postinst b/debian/alternc-mailman.postinst index 95fbcef..a252c46 100755 --- a/debian/alternc-mailman.postinst +++ b/debian/alternc-mailman.postinst @@ -139,6 +139,7 @@ case "$1" in echo "installing required apache modules" a2enmod rewrite + a2enmod proxy # only necessary on Jessie: a2enmod cgi || true diff --git a/mm_cfg.py b/mm_cfg.py index 5d5df1c..025e867 100644 --- a/mm_cfg.py +++ b/mm_cfg.py @@ -48,6 +48,12 @@ DEFAULT_MSG_FOOTER for an example.""" +# This is some trickery to reverse proxies to work with list creation +# and when restarting mailman. +import os +if os.environ.get('REQUEST_URI') is not None: + os.environ["REQUEST_URI"] = os.environ["REQUEST_URI"].replace("/cgi/", "/cgi-bin/") + ####################################################### # Here's where we get the distributed defaults. # @@ -86,3 +92,4 @@ # Alternc-mailman does the job of creating aliases for us. MTA = None # So that mailman skips aliases generation +VIRTUAL_HOST_OVERVIEW = False From 38fed3ed7b8debe6f8d98c24490e0a69a705c7cd Mon Sep 17 00:00:00 2001 From: Kienan Stewart Date: Fri, 22 Jun 2018 15:34:42 -0400 Subject: [PATCH 2/8] Add apache configuration for mailman --- alternc-mailman.conf | 60 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 alternc-mailman.conf diff --git a/alternc-mailman.conf b/alternc-mailman.conf new file mode 100644 index 0000000..f78c05f --- /dev/null +++ b/alternc-mailman.conf 
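Review bot: The added `a2enmod proxy` in debian/alternc-mailman.postinst loads only the mod_proxy core, while alternc-mailman.conf in this series proxies to an `http://mailman.localdomain/...` backend, which also needs the HTTP scheme handler. I would enable `a2enmod proxy_http` here (on Debian it pulls in `proxy` as a dependency), otherwise the proxied mailman URLs are likely to fail with a 500 on hosts where proxy_http was not already enabled. The enclosing `case "$1"` branch starts and ends outside the hunk, so I cannot see whether a failing a2enmod aborts the script.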
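Review bot: The REQUEST_URI rewrite in the first mm_cfg.py hunk is unanchored: `.replace("/cgi/", "/cgi-bin/")` rewrites every occurrence of `/cgi/` in a client-supplied value, including any in the path tail or query string, not just the proxy prefix. I would limit it to the leading prefix, `if os.environ.get('REQUEST_URI', '').startswith('/cgi/'):` followed by `os.environ['REQUEST_URI'] = os.environ['REQUEST_URI'].replace('/cgi/', '/cgi-bin/', 1)`. The comment should also say what is being undone, for example `# The backend vhost serves mailman under /cgi/; restore the public /cgi-bin/ prefix that Mailman expects in REQUEST_URI.`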
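Review bot: `VIRTUAL_HOST_OVERVIEW = False` in the second mm_cfg.py hunk (rewritten as `No` with a comment in [PATCH 4/8]) has a tenant-isolation cost that the template should document. On a shared AlternC host, the listinfo and admin overview pages of every hosted domain will enumerate the advertised lists of all other domains. This is presumably needed because the proxy sends `Host: mailman.localdomain` to the backend (`ProxyPreserveHost Off`), so per-vhost filtering cannot match. I would say so next to the setting: `# Needed behind the mailman.localdomain proxy; side effect: each domain's overview shows every advertised list on the server. Mark lists as not advertised to hide them.`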
@@ -0,0 +1,60 @@ +# +# Apache configuration for AlternC-mailman module +# + +Alias /images/mailman/ /usr/share/images/mailman/ +Alias /pipermail/ /var/lib/mailman/archives/public/ + + + + order allow,deny + allow from all + + = 2.4> + Require all granted + + + + order allow,deny + allow from all + + order allow,deny + allow from all + + = 2.4> + Require all granted + + + + + ServerName mailman.localdomain + DocumentRoot "/usr/share/alternc-mailman/www" + AssignUserId www-data www-data + + ScriptAlias /cgi /usr/lib/cgi-bin/ + + + php_admin_flag engine off + Options +MultiViews -FollowSymLinks + AllowOverride none + + + + +# Global configuration applied to *ALL VHOSTS* +# This effectively PROXIES every request to mailman +# to the VirtualHost above, +# which is using uid/gid of www-data +# which makes mailman cgi pages happy \o/ + + + order allow,deny + allow from all + + = 2.4> + Require all granted + + +ProxyRequests Off +ProxyPreserveHost Off +ProxyPassReverse /cgi-bin/mailman/ http://mailman.localdomain/cgi/mailman/ From 53c4c176c863b8e4a727ec94ebd2e6c19e6545b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Grenier?= Date: Sat, 23 Jun 2018 00:04:29 -0300 Subject: [PATCH 3/8] =?UTF-8?q?la=20conf=20d'apache=20a=20besoin=20de=20pr?= =?UTF-8?q?oxypass=20sinon,=20=C3=A7a=20passe=20pas?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- alternc-mailman.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/alternc-mailman.conf b/alternc-mailman.conf index f78c05f..c5a4aa5 100644 --- a/alternc-mailman.conf +++ b/alternc-mailman.conf @@ -57,4 +57,4 @@ Alias /pipermail/ /var/lib/mailman/archives/public/ ProxyRequests Off ProxyPreserveHost Off -ProxyPassReverse /cgi-bin/mailman/ http://mailman.localdomain/cgi/mailman/ +ProxyPass /cgi-bin/mailman/ http://mailman.localdomain/cgi/mailman/ From 2f85d89c86874bd2741aae703b8c28cdc07601bb Mon Sep 17 00:00:00 2001 
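Review bot: `ScriptAlias /cgi /usr/lib/cgi-bin/` in the mailman.localdomain vhost exposes the whole system CGI directory under the www-data identity, although the proxy rule in this file only forwards `/cgi-bin/mailman/` to `/cgi/mailman/`. I would narrow it to `ScriptAlias /cgi/mailman/ /usr/lib/cgi-bin/mailman/` so unrelated CGIs are not reachable through this vhost. The container tags of this file were lost in the page extraction, so I cannot see which address the VirtualHost binds to. If it is not restricted to loopback, a client that sends `Host: mailman.localdomain` reaches the backend directly and bypasses the front vhosts, so a comment stating the intended bind address and how `mailman.localdomain` is resolved would help.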
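Review bot: The [PATCH 3/8] hunk replaces `ProxyPassReverse` with `ProxyPass` instead of adding to it, so response headers from the backend are no longer rewritten. Any `Location` header that Apache or a mailman CGI emits with the backend name would reach the client as `http://mailman.localdomain/cgi/mailman/...`, which breaks the redirect and discloses the internal hostname. I would keep both directives: `ProxyPass /cgi-bin/mailman/ http://mailman.localdomain/cgi/mailman/` followed by `ProxyPassReverse /cgi-bin/mailman/ http://mailman.localdomain/cgi/mailman/`.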
From: =?UTF-8?q?S=C3=A9bastien=20Grenier?= Date: Sat, 23 Jun 2018 00:09:27 -0300 Subject: [PATCH 4/8] =?UTF-8?q?-=20Assumons=20que=20l'acces=20aux=20listes?= =?UTF-8?q?=20est=20en=20httpS=20-=20Commentaire=20sur=20la=20configuratio?= =?UTF-8?q?n=20sp=C3=A9cifi=C3=A9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- mm_cfg.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/mm_cfg.py b/mm_cfg.py index 025e867..78f4084 100644 --- a/mm_cfg.py +++ b/mm_cfg.py @@ -71,7 +71,7 @@ ACCEPTABLE_LISTNAME_CHARACTERS ='[-+_.= a-z0-9@]' DEFAULT_HOST_NAME = '%%fqdn%%' -DEFAULT_URL_PATTERN = 'http://%s/cgi-bin/mailman/' +DEFAULT_URL_PATTERN = 'https://%s/cgi-bin/mailman/' IMAGE_LOGOS = '/images/mailman/' USE_ENVELOPE_SENDER = 0 DEFAULT_SEND_REMINDERS = 0 @@ -92,4 +92,6 @@ # Alternc-mailman does the job of creating aliases for us. MTA = None # So that mailman skips aliases generation -VIRTUAL_HOST_OVERVIEW = False +# When set to No, all advertised (i.e. public) lists are included in the +# overview. +VIRTUAL_HOST_OVERVIEW = No From ae3d3c1395d59ecfe9893c0f902637b1a19fb9ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Grenier?= Date: Sat, 23 Jun 2018 09:38:04 -0300 Subject: [PATCH 5/8] =?UTF-8?q?-=20clarification=20sur=20le=20commentaire?= =?UTF-8?q?=20de=20compatibilit=C3=A9=20-=20respectons=20la=20condition=20?= =?UTF-8?q?du=20if=20pour=20l'activation=20de=20la=20conf.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- alternc-mailman-install | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/alternc-mailman-install b/alternc-mailman-install index c77ab57..b552f54 100644 --- a/alternc-mailman-install +++ b/alternc-mailman-install 
@@ -27,15 +27,15 @@ then echo "Upgrading AlternC-mailman" /usr/share/alternc/install/upgrade_mailman_check.sh - echo "ensuring apache2 symlink is setup in /etc/apache2/conf.d/" - # compatibility with both Apache 2.2 and 2.4 makes it Wheezy AND Jessie-compliant : + echo "Activating configuration in Apache2" + # trying to be compliant with Apache2.2 and 2.4 in Wheeze/Jessie/Stretch if [ -d "/etc/apache2/conf.d" ] then ln -sf /etc/alternc/alternc-mailman.conf /etc/apache2/conf.d/mailman.conf fi if [ -d "/etc/apache2/conf-available" ] then - ln -sf /etc/alternc/alternc-mailman.conf /etc/apache2/conf-enabled/mailman.conf + ln -sf /etc/alternc/alternc-mailman.conf /etc/apache2/conf-available/mailman.conf a2enconf mailman.conf fi fi From 35271341c445a457e2f87ccd457506057aa6bea5 Mon Sep 17 00:00:00 2001 From: Kienan Stewart Date: Sat, 23 Jun 2018 10:57:55 -0400 Subject: [PATCH 6/8] Switch default URL back to HTTP HTTP is a good default to avoid dependencies on alternc-ssl (or the new version of the AlternC which includes SSL built-in). When SSL is configured a site administrator can change the template. --- mm_cfg.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm_cfg.py b/mm_cfg.py index 77a807a..382a914 100644 --- a/mm_cfg.py +++ b/mm_cfg.py @@ -71,7 +71,7 @@ ACCEPTABLE_LISTNAME_CHARACTERS ='[-+_.= a-z0-9@]' DEFAULT_HOST_NAME = '%%fqdn%%' -DEFAULT_URL_PATTERN = 'https://%s/cgi-bin/mailman/' +DEFAULT_URL_PATTERN = 'http://%s/cgi-bin/mailman/' IMAGE_LOGOS = '/images/mailman/' USE_ENVELOPE_SENDER = 0 DEFAULT_SEND_REMINDERS = 0 From 28e972630142b98b51e40a471a5568748c924844 Mon Sep 17 00:00:00 2001 From: Kienan Stewart Date: Sat, 23 Jun 2018 11:00:32 -0400 Subject: [PATCH 7/8] Fix typo in comments about subscription attacks --- mm_cfg.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm_cfg.py b/mm_cfg.py index 382a914..da6a8f7 100644 --- a/mm_cfg.py +++ b/mm_cfg.py 
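Review bot: The revert to `DEFAULT_URL_PATTERN = 'http://%s/cgi-bin/mailman/'` in [PATCH 6/8] has no comment in the template explaining the trade-off or how to change it. Mailman builds its admin and member login links from this pattern, so with the http default, list and member passwords are submitted in cleartext unless the front vhost redirects to TLS. The commit message explains the choice, but the template is what an administrator reads. I would add above the setting: `# Switch to 'https://%s/cgi-bin/mailman/' as soon as TLS is available for the panel domains; list and member passwords are posted to these URLs.`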
@@ -99,5 +99,5 @@ # Once set to a random string, will make Mailman embed a CSRF token into the # subscription form and also enforce that the form must be submitted at least # five seconds after it was generated. It's a countermeasure in case of -# subcription attack. +# subscription attack. SUBSCRIBE_FORM_SECRET = '%%mailman_form_secret%%' From e8d59dfbea05ccd5f439df2438cd764471bd94a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Grenier?= Date: Thu, 12 Jul 2018 23:48:20 -0300 Subject: [PATCH 8/8] not needed anymore in apache2.4 --- debian/dirs | 1 - 1 file changed, 1 deletion(-) diff --git a/debian/dirs b/debian/dirs index 93cfded..ae58593 100644 --- a/debian/dirs +++ b/debian/dirs @@ -12,5 +12,4 @@ usr/share/alternc/panel/class usr/share/alternc/panel/locales/en_US/LC_MESSAGES usr/share/alternc/panel/locales/fr_FR/LC_MESSAGES usr/lib/mailman/bin -etc/apache2/conf.d var/lib/alternc/backups