[Mailman-Users] Web interface question.
Richard Barrett
r.barrett at openinfo.co.uk
Wed Oct 29 18:57:50 CET 2003
On Wednesday, October 29, 2003, at 04:09 pm, Tussing, Leith wrote:
> If this is a repetitive question I apologize for that. I looked and
> was unable to find anything useful on this topic to help me.
>
> We're in the process of setting up a mailman server for some of our
> clients for the first time.
> Our boss wants to give the clients access to the web interface, but we
> would prefer not to have users accessing this machine directly at all
> for anything. Currently we have mail being smart hosted to it, and
> the machine locked down so that only the smart host can talk to the
> mailman server at all.
>
> My question is, is there a way to run the web interface from another
> web server (preferably not using the NFS method because all of the
> other machines are Windows machines)? If someone could point me to
> any resources about this topic it would be greatly appreciated. We've
> thought about writing some web applications that would craft emails in
> the correct form to be used as a remote web interface, but our boss
> does not wish us to take the time right now to create such scripts.
> If someone knew where I could find some scripts already made that
> would be great as well.
>
Whether what I am about to say is acceptable depends on interpretation
of your requirement "not to have users accessing this machine directly
at all for anything".

If you mean that in satisfying a client access to the Mailman web
interface nothing may execute on the machine running Mailman and a web
server on it then read no further.

If you are prepared to interpret the requirement as meaning that the
client's machine may not make a direct HTTP connection to the Mailman
machine and its web server then read on.

You could take the approach of having your Mailman server "hide" behind
another machine, capable of proxying HTTP requests, that you are
prepared to allow your clients to connect to. This would allow the
Mailman machine to live in a private network and be inaccessible for
direct connection from machines other than your HTTP proxy server and
the mail relay through which mail is delivered to it and through which
the Mailman server directs its outgoing mail.

Using Apache with mod_proxy and mod_rewrite on a publicly visible
server it is simple to set it up to selectively proxy requests for
Mailman URLs and make requests to the "hidden" Mailman server on behalf
of the client browser. You need to set one or two options the right way
in Mailman's config file and Mailman will not readily be able to
support multiple virtual domains when operating this way. You would
need to set:

1. the DEFAULT_URL_HOST to point to the machine proxying for the
Mailman server so that the URLs generated on Mailman web pages point
to that machine and NOT the Mailman server itself.

2. the VIRTUAL_HOST_OVERVIEW should be off because Mailman is not
seeing the original request but the one coming from the proxy server on
behalf of the user's client browser.

You will also need to be careful about the structure of the URIs on
the proxy server that map to the URIs on the Mailman machine's web
server. Ideally, I would use the same URIs to obviate any snags; so if
the http://proxy.your.public.domain/mailman/listinfo/<listname> would
map to http://mmserver.your.private.domain/mailman/listinfo/<listname>
and http://proxy.your.public.domain/pipermail/<listname> to
http://mmserver.your.private.domain/pipermail/<listname>

Using this approach I run Mailman servers on private IP numbers that
are publicly inaccessible but whose web interfaces are reached via our
public web server, which in turn is only reachable through a reverse
proxying Squid server on the external subnet of our firewall. Mail
delivery goes through our publicly reachable mail relay which delivers
to the private IP number Mailman server.

It may be arguable whether this proxying approach really improves
security. I tend to the view that the fewer machines that have to be
fully hardened to allow them to be directly accessible from outside the
firewall the better but that is just one opinion.

I assume from what you have said that the web servers you are prepared
to let your users communicate with are on some form of Windows box. I do
not know what is involved in setting up an MS web server on such a
system to do the proxying I am suggesting. Setting up an existing
Apache server with mod_proxy and mod_rewrite available to it for this
purpose is really trivial to do with some RewriteRule directives.

> -Leith Tussing
>
-----------------------------------------------------------------------
Richard Barrett http://www.openinfo.co.uk
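
The reverse-proxy arrangement described in the message above, sketched as an Apache virtual host on the public machine. This is an added example, not configuration from the original post: the hostnames are the post's own placeholders, the port and rule layout are assumptions, and the two Mailman settings appear only as comments because they belong in Mailman's config file on the hidden server.

```apache
# Added example (not from the original post). Requires mod_proxy and
# mod_rewrite on the public server. Hostnames are the post's placeholders.
#
# On the hidden Mailman server, in Mailman's config file (mm_cfg.py),
# the two settings the post names:
#   DEFAULT_URL_HOST = 'proxy.your.public.domain'
#   VIRTUAL_HOST_OVERVIEW = Off

<VirtualHost *:80>
    ServerName proxy.your.public.domain

    # Reverse proxying only: never let this host act as an open forward proxy.
    ProxyRequests Off

    RewriteEngine On

    # Proxy only the Mailman CGI and archive paths, keeping the same URI on
    # both sides as the post recommends. The backend host is fixed in the
    # substitution, so the client cannot steer the request to another
    # internal machine; only the path below the anchored prefix is variable.
    RewriteRule ^/mailman/(.*)$   http://mmserver.your.private.domain/mailman/$1   [P,L]
    RewriteRule ^/pipermail/(.*)$ http://mmserver.your.private.domain/pipermail/$1 [P,L]

    # Rewrite Location headers on backend redirects so the private hostname
    # is not handed to the client browser.
    ProxyPassReverse /mailman/   http://mmserver.your.private.domain/mailman/
    ProxyPassReverse /pipermail/ http://mmserver.your.private.domain/pipermail/
</VirtualHost>
```

Any request that does not match one of the two anchored prefixes is served by the public server itself and never reaches the Mailman machine.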