[Mailman-Users] chroot, OpenBSD, Apache, and Mailman
David Newman
dnewman at networktest.com
Sat Apr 19 01:03:19 CEST 2008
Greetings. Apologies if this has been answered before but I didn't find
a direct answer in the archives or FAQ.
Is there a howto for installing Mailman from source inside the Apache
chroot on OpenBSD?
I'm struggling with this, using Mailman 2.1.19, Postfix 2.4.3, and
OpenBSD 4.2. There's a list of installation steps pasted below.
I suspect a permissions problem. Mailman would not serve up pages when
all files were owned by group mailman, so I did 'chgrp -R www
/var/www/mailman'. But after trying to create a list, the
aliases file is mode 660, owned by root:www.
This is the error in /var/www/mailman/logs/error that results from
trying to create a new list:
Apr 18 11:21:00 2008 admin(1925): @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
admin(1925): [----- Mailman Version: 2.1.9 -----]
admin(1925): [----- Traceback ------]
admin(1925): Traceback (most recent call last):
admin(1925): File "/var/www/mailman/scripts/driver", line 101, in run_main
admin(1925): main()
admin(1925): File "/var/www/mailman/Mailman/Cgi/create.py", line 56, in main
admin(1925): process_request(doc, cgidata)
admin(1925): File "/var/www/mailman/Mailman/Cgi/create.py", line 238, in process_request
admin(1925): sys.modules[modname].create(mlist, cgi=1)
admin(1925): File "/var/www/mailman/Mailman/MTA/Postfix.py", line 232, in create
admin(1925): _update_maps()
admin(1925): File "/var/www/mailman/Mailman/MTA/Postfix.py", line 53, in _update_maps
admin(1925): raise RuntimeError, msg % (acmd, status, errstr)
admin(1925): RuntimeError: command failed: /usr/local/sbin/postalias /var/www/mailman/data/aliases (status: 1, Operation not permitted)
I've also tried putting postalias inside the chroot jail but the error
above persists.
Thanks in advance for clues on getting this working.
dn
PROCEDURE FOR INSTALLING MAILMAN IN OPENBSD 4.2 APACHE CHROOT
1. Read all of the installation manual, or at least up to chapter 6,
before proceeding:
http://mailman.sourceforge.net/mailman-install/index.html
2. Grab mailman source and unpack:
tar xzvf mailman-2.1.19.tgz
3. Add user mailman with UID/GID 91. Run adduser and follow the prompts.
Set the shell to nologin and set the password to blank, and then say yes
when asked if the user shouldn't be able to log in.
4. Create the /var/www/mailman directory where everything will go, and
set permissions and ownership:
mkdir /var/www/mailman
chgrp mailman /var/www/mailman
chmod a+rx,g+ws /var/www/mailman
5. If it's not there already, install python:
pkg_add python-2.4.4p4
and create the appropriate symlinks to make this the default:
ln -s /usr/local/bin/python2.4 /usr/local/bin/python
ln -s /usr/local/bin/pydoc2.4 /usr/local/bin/pydoc
Now we need to get python into the chroot. First let's find out what
dependencies python has:
# ldd /usr/local/bin/python
/usr/local/bin/python:
Start End Type Open Ref GrpRef Name
00000000 00000000 exe 1 0 0 /usr/local/bin/python
05054000 25096000 rlib 0 1 0 /usr/local/lib/libpython2.4.so.0.0
068bd000 268c1000 rlib 0 1 0 /usr/lib/libutil.so.11.0
05b7c000 25ba2000 rlib 0 1 0 /usr/lib/libstdc++.so.42.0
070f2000 270f9000 rlib 0 1 0 /usr/lib/libm.so.2.3
0b296000 2b29f000 rlib 0 1 0 /usr/lib/libpthread.so.8.0
05d9d000 25dd1000 rlib 0 1 0 /usr/lib/libc.so.41.0
0a739000 0a739000 rtld 0 1 0 /usr/libexec/ld.so
OK, so all of these files and directories need to go into the chroot jail:
mkdir -p /var/www/usr/lib
mkdir -p /var/www/usr/libexec
mkdir -p /var/www/usr/local/bin
mkdir -p /var/www/usr/local/lib
cp /usr/local/bin/python /var/www/usr/local/bin
cp /usr/local/lib/libpython2.4.so.0.0 /var/www/usr/local/lib
cp /usr/lib/libutil.so.11.0 /var/www/usr/lib
cp /usr/lib/libstdc++.so.42.0 /var/www/usr/lib
cp /usr/lib/libm.so.2.3 /var/www/usr/lib
cp /usr/lib/libpthread.so.8.0 /var/www/usr/lib
cp /usr/lib/libc.so.41.0 /var/www/usr/lib
cp /usr/libexec/ld.so /var/www/usr/libexec
And you'll also need some stuff from /etc in the chroot jail for UIDs
and GIDs to work:
mkdir -p /var/www/etc/
cp /etc/group /var/www/etc/
cp /etc/localtime /var/www/etc/
cp /etc/login.conf /var/www/etc/
cp /etc/passwd /var/www/etc/
cp /etc/pwd.db /var/www/etc/
mkdir -p /var/www/usr/share
cp -R /usr/share/nls /var/www/usr/share
6. If it's not there already (try "cc" from the command line), install
the compilers package:
tar -C / -xzphf ${RELEASEPATH}/comp42.tar.gz
7. From the directory where you unpacked Mailman, configure and install
the Mailman software:
./configure --prefix=/var/www/mailman --with-cgi-gid=67 \
--with-mail-gid=201
make
make install
Assuming this goes well:
make clean
8. Check file permissions
/var/www/mailman/bin/check_perms -f
Keep repeating this step until there are no errors.
9. (Optional) Make private archives private
cd /var/www/mailman/archives
chown www private
chmod o-x private
10. Now configure the web server to use Mailman. Open
/var/www/conf/httpd.conf and add this:
ScriptAlias /mailman/ /var/www/mailman/cgi-bin/
Alias /pipermail/ /var/www/mailman/archives/public/
<Directory "/var/www/mailman/archives/public/">
AddDefaultCharset Off
</Directory>
If you're using VirtualHosts, then the lines above belong inside each
VirtualHost directive too, at least for the vhosts using Mailman.
And copy the Mailman icons into place:
cp /var/www/mailman/icons/*.{jpg,png} /var/www/icons/
Then restart Apache:
apachectl graceful
11. Now we set up Postfix to work with Mailman.
First, in /etc/postfix/main.cf, the GNU docs say to change:
unknown_local_recipient_reject_code = 550
from its current setting of 450.
Also, it says to set:
recipient_delimiter = +
even though the current setting is:
recipient_delimiter = -
I'm not making this change for now, and sticking with the '-' setting.
12. Then proceed directly to section 6.1.2 of the docs to set up virtual
domains. We'll come back to section 6.1.1 on Postfix-Mailman integration
in a few minutes.
Specifically you want to add a pointer to the end of the
virtual_alias_maps parameter in /etc/postfix/main.cf. For example:
virtual_alias_maps =
proxy:mysql:/etc/postfix/sql/forwardings.cf
proxy:mysql:/etc/postfix/sql/email2email.cf
hash:/var/www/mailman/data/virtual-mailman
13. Now put the following at the end of
/usr/local/lib/mailman/Mailman/mm_cfg.py, replacing 'domain1.tld' and
'domain2.tld' as appropriate with your domain names:
MTA = 'Postfix'
MAILMAN_SITE_LIST = 'mailman'
DEFAULT_EMAIL_HOST = 'domain1.tld'
DEFAULT_URL_HOST = 'domain1.tld'
DEFAULT_URL_PATTERN = 'https://%s/mailman/'
PUBLIC_ARCHIVE_URL = 'https://%(hostname)s/pipermail/%(listname)s'
IMAGE_LOGOS = '/icons/'
MTA = 'Postfix'
POSTFIX_ALIAS_CMD = '/usr/local/sbin/postalias'
POSTFIX_MAP_CMD = '/usr/local/sbin/postmap'
POSTFIX_STYLE_VIRTUAL_DOMAINS = ['domain2.tld', 'domain1.tld' ]
add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST)
add_virtualhost('domain2.tld', 'domain2.tld')
14. Set up a site-wide mailing list called 'mailman'. Mailman MUST see
this list to start:
/var/www/mailman/bin/newlist mailman
Fill out the admin's email address and choose a password.
15. Set up Mailman maintenance as a crontab run by the mailman user:
chown -R mailman:mailman /var/www/mailman
cd /var/www/mailman/cron
crontab -u mailman crontab.in
16. Now start the mailman daemon:
/var/www/mailman/bin/mailmanctl start
After starting the program the admin named for the 'mailman' list should
get an email.
17. To start mailman every time the system starts, add these lines to
the end of /etc/rc.local:
# Mailman startup
if [ -x /var/www/mailman/bin/mailmanctl ]; then
echo -n ' mailman'
/var/www/mailman/bin/mailmanctl -s -q start
fi
18. Create site and list creator passwords. You want to read chapter 12
of the GNU docs carefully; these are like being root within Mailman!
/var/www/mailman/bin/mmsitepass
/var/www/mailman/bin/mmsitepass -c
19. Add mailman to www group. I don't know if this is a good security
practice (I suspect it's a bad idea) but I was unable to get Mailman to
work without this step.
In /etc/group and /var/www/etc/group:
www:*:67:mailman
and restart Apache and mailman:
apachectl restart
/var/www/mailman/bin/mailmanctl restart
20. (Necessary?) Find which postalias stuff needs to go into the chroot
jail:
ldd /usr/local/sbin/postalias
/usr/local/sbin/postalias:
Start End Type Open Ref GrpRef Name
00000000 00000000 exe 1 0 0 /usr/local/sbin/postalias
015ad000 215b8000 rlib 0 2 0 /usr/lib/libssl.so.11.0
0a28e000 2a2bd000 rlib 0 2 0 /usr/lib/libcrypto.so.13.0
00eaf000 20ebb000 rlib 0 1 0 /usr/local/lib/libpcre.so.1.1
0688d000 26893000 rlib 0 1 0 /usr/local/lib/libsasl2.so.2.22
03e8c000 23eba000 rlib 0 1 0 /usr/local/lib/libmysqlclient.so.18.0
00a26000 20a5a000 rlib 0 1 0 /usr/lib/libc.so.41.0
08a55000 28a5d000 rlib 0 1 0 /usr/lib/libz.so.4.1
08e39000 28e40000 rlib 0 1 0 /usr/lib/libm.so.2.3
0d23a000 0d23a000 rtld 0 1 0 /usr/libexec/ld.so
And copy over the files:
mkdir /var/www/usr/local/sbin
cp /usr/local/sbin/postalias /var/www/usr/local/sbin/postalias
cp /usr/lib/libssl.so.11.0 /var/www/usr/lib/libssl.so.11.0
cp /usr/lib/libcrypto.so.13.0 /var/www/usr/lib/libcrypto.so.13.0
cp /usr/local/lib/libpcre.so.1.1 /var/www/usr/local/lib/libpcre.so.1.1
cp /usr/local/lib/libsasl2.so.2.22 /var/www/usr/local/lib/libsasl2.so.2.22
cp /usr/local/lib/libmysqlclient.so.18.0 /var/www/usr/local/lib/libmysqlclient.so.18.0
cp /usr/lib/libc.so.41.0 /var/www/usr/lib/libc.so.41.0
cp /usr/lib/libz.so.4.1 /var/www/usr/lib/libz.so.4.1
cp /usr/lib/libm.so.2.3 /var/www/usr/lib/libm.so.2.3
cp /usr/libexec/ld.so /var/www/usr/libexec/ld.so
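
Steps 5 and 20 copy each ldd-listed file into the chroot by hand. As an added example that is not part of the original post, the script below does the same from OpenBSD-format ldd output and then byte-compares each copy with its source. The function names, the optional source-root argument and the sample listing are assumptions made for illustration.

```shell
# Added example: stage ldd-listed files into a chroot and verify the copies.

# Print the Name column of exe/rlib/rtld rows. A row whose path was wrapped
# onto the next line (common when output is pasted through mail) is rejoined.
ldd_paths() {
    awk '
        $3 == "exe" || $3 == "rlib" || $3 == "rtld" {
            if (NF >= 7) { print $7; pending = 0 } else { pending = 1 }
            next
        }
        pending && NF == 1 && $1 ~ /^\// { print $1; pending = 0 }
    '
}

# Copy each path read from stdin to the same absolute path under jail ($1).
# $2 is a hypothetical source-root prefix; leave it empty on a real host.
stage_into_chroot() {
    jail=$1; src_root=${2:-}; rc=0
    while IFS= read -r path; do
        [ -f "$src_root$path" ] || { echo "missing: $path" >&2; rc=1; continue; }
        mkdir -p "$jail$(dirname "$path")" && cp -p "$src_root$path" "$jail$path" || rc=1
    done
    return $rc
}

# Byte-compare every staged file with its source; this catches a library
# that was copied into the jail under the wrong name.
verify_chroot() {
    jail=$1; src_root=${2:-}; bad=0
    while IFS= read -r path; do
        cmp -s "$src_root$path" "$jail$path" || { echo "mismatch: $path" >&2; bad=1; }
    done
    return $bad
}

# Constructed sample in OpenBSD ldd layout, with one wrapped row.
sample_ldd() {
    cat <<'EOF'
/usr/local/sbin/postalias:
        Start    End      Type Open Ref GrpRef Name
        00000000 00000000 exe  1    0   0      /usr/local/sbin/postalias
        00eaf000 20ebb000 rlib 0    1   0
/usr/local/lib/libpcre.so.1.1
        08e39000 28e40000 rlib 0    1   0      /usr/lib/libm.so.2.3
        0d23a000 0d23a000 rtld 0    1   0      /usr/libexec/ld.so
EOF
}

# On the host: ldd /usr/local/sbin/postalias | ldd_paths | stage_into_chroot /var/www
sample_ldd | ldd_paths    # demo on the constructed sample: prints four paths
```

Run verify_chroot with the same path list after any manual cp into the jail; a non-zero exit means at least one staged file differs from the host copy.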