[Mailman-Users] Web interface question.
r.barrett at openinfo.co.uk
Wed Oct 29 18:57:50 CET 2003
On Wednesday, October 29, 2003, at 04:09 pm, Tussing, Leith wrote:
> If this is a repetitive question I apologize for that. I looked and
> was unable to find anything useful on this topic to help me.
> We're in the process of setting up a mailman server for some of our
> clients for the first time.
> Our boss wants to give the clients access to the web interface, but we
> would prefer not to have users accessing this machine directly at all
> for anything. Currently we have mail being smart hosted to it, and
> the machine locked down so that only the smart host can talk to the
> mailman server at all.
> My question is, is there a way to run the web interface from another
> web server (preferably not using the NFS method because all of the
> other machines are Windows machines)? If someone could point me to
> any resources about this topic it would be greatly appreciated. We've
> thought about writing some web applications that would craft emails in
> the correct form to be used as a remote web interface, but our boss
> does not wish us to take the time right now to create such scripts.
> If someone knew where I could find some scripts already made that
> would be great as well.
Whether what I am about to say is acceptable depends on interpretation
of your requirement "not to have users accessing this machine directly
at all for anything".
If you mean that in satisfying a client access to the Mailman web
interface nothing may execute on the machine running Mailman and a web
server on it then read no further.
If you are prepared to interpret the requirement as meaning that the
client's machine may not make a direct HTTP connection to the Mailman
machine and its web server then read on.
You could take the approach of having your Mailman server "hide" behind
another machine, capable of proxying HTTP requests, that you are
prepared to allow your clients to connect to. This would allow the
Mailman machine to live in a private network and be inaccessible for
direct connection from machines other than your HTTP proxy server and
the mail relay through which mail is delivered to it and through which
the Mailman server directs its outgoing mail.
Using Apache with mod_proxy and mod_rewrite on a publicly visible
server it is simple to set it up to selectively proxy requests for
Mailman URLs and make requests to the "hidden" Mailman server on behalf
of the client browser. You need to set one or two options the right way
in Mailman's config file and Mailman will not readily be able to
support multiple virtual domains when operating this way. You would
need to set:
1. the DEFAULT_URL_HOST to point to the machine proxying for the
Mailman server so that the URL's generated on Mailman web pages point
to that machine and NOT the Mailman server itself.
2. the VIRTUAL_HOST_OVERVIEW should be off because Mailman is not
seeing the original request but the one coming from the proxy server on
behalf of the user's client browser.
You will also need to be careful about the structure of the URI's on
the proxy server that map to the URI's on the Mailman machine's web
server. Ideally, I would use the same URI's to obviate any snags; so if
the http://proxy.your.public.domain/mailman/listinfo/<listname> would
map to http://mmserver.your.private.domain/mailman/listinfo/<listname>
and http://proxy.your.public.domain/pipermail/<listname> to
Using this approach I run Mailman servers on private IP numbers that
are publicly inaccessible but whose web interfaces are reached via our
public web server, which in turn is only reachable through a reverse
proxying Squid server on the external subnet of our firewall. Mail
delivery goes through our publicly reachable mail relay which delivers
to the private IP number Mailman server.
It may be arguable whether this proxying approach really improves
security. I tend to the view that the fewer machines that have to be
fully hardened to allow them to be directly accessible from outside the
firewall the better but that is just one opinion.
I assume from what you have said that the web servers you are prepared
to let you users communicate with are on some form of Window box. I do
not know what is involved is setting up an MS web server on such a
system to do the proxying I am suggesting. Setting up an existing
Apache server with mod_proxy and mod_rewrite available to it for this
purpose is really trivial to do with some RewriteRule directives.
> -Leith Tussing
Richard Barrett http://www.openinfo.co.uk
More information about the Mailman-Users