[Mailman-Users] Apache 2.4 and Mailman

Stephen J. Turnbull stephen at xemacs.org
Sat Dec 6 03:50:11 CET 2014 

Lindsay Haisley writes:

 > Recent Ubuntu server installs of Apache 2.4 need "Require all granted"
 > in place of, or in addition to "Allow from all" to grant access

The old "allow from ..." syntax has been deprecated in favor of the
"require ... granted" syntax for quite a while.  Recent Apache has
changed that from "deprecated" to "invalid".

I'm personally not in favor of adding all of this upstream stuff to
distributed Mailman docs.  I think it's obnoxious of Apache to
gratuitously break existing installations without any warning[1] this
way.

I wouldn't be averse to adding it to the FAQ, though.

 > This seems to be in line with a policy of hardening Apache2 server
 > security,

It has nothing to do with "hardening".  The semantics is exactly
equivalent, only the syntax has changed.  That's what pisses me off.
It's "purity before practicality".

 > Someone with less experience might spend a lot more time
 > troubleshooting this, and a note in the documentation might help.
 > Keeping up with the times is good :)

Sure, but for gratuitous stuff that screws all the users of the
cooperating software (I noticed it not because of Mailman but because
my whole website suddenly stopped working!), I'd be in favor of not
adding specifics, and giving general debugging information, like:

    Mailman bugs do manifest occasionally out of the blue.  However,
    if
      - you haven't touched Mailman or it's a brand new install, and
      - a bug suddenly occurs (or on first installation), and
      - Mailman's own debugging scripts don't identify or solve the
        problem,
    it's at least as likely to be an issue with cooperating software,
    often to be resolved by reconfiguration.  (See mailman/bin for the
    scripts; they're mostly named check_* or fix*.)

    The most likely candidates are your MTA (typically Postfix, Exim,
    or Sendmail, though there are others) if mail receipt or delivery
    is the issue.  Or, if the problem is with the website (archives
    and administration), with your webserver (typically Apache but
    there is wide variation here).  Another common culprit is
    operating system security (eg, SELinux).  Check the configuration
    files for such software.  (Often software provides a configuration
    checker assistant that is stricter than the actual application is
    about configuration issues.)

    In all cases, check for distribution updates (recent, causing the
    issue, or available, resolving the issue) in these areas, and look
    for changes in "permission" or "capability" defaults or even in
    syntax of related directives.  Sometimes there's an outright bug,
    but that's less likely these days (Mailman does not exercise the
    "latest and greatest" features of that software).

    Another possibility is a Python upgrade or a change in the default
    version in your distribution.  This is not very likely but has
    been known to happen in the past.

    In all of the cases described above, you are most likely to find
    information in your distribution's issue tracker or FAQ, followed
    by upgrade notes (sometimes a few upgrades back!)  Next, check the
    associated software's resources.  Often such issues will not be
    mentioned in Mailman resources -- people who install the newest
    Mailman from source typically also are keeping up with changes in
    cooperating software and don't report issues to Mailman which are
    not Mailman issues.  On the other hand, the distributions are
    pretty good about correct configuration; users of Mailman etc from
    a distribution are well-protected from these issues.  So we're
    often the last to know!

 > I went to the Launchpad bug database for Mailman and it looks like
 > it's ages out of date,

Yeah, almost all the "bugs" that occur these days are configuration
issues.  I would guess that most "bugs" (for 2.1.x) on Launchpad are
actually nonbugs now, but nobody has gone through, checked, and closed
the resolved or irreproducible issues.

 > so I thought I'd pass this on here, and y'all can run with it to
 > the developers list or wherever.

This is probably the best place (high visibility) to report it.  As
you see, it's not obvious that the developers will run with it at all! 
:-/

I think the best place for it is the FAQ.


Footnotes: 
[1]  Maybe there's something in the logs about deprecated
configuration syntax.  But nothing "in your face".  Granted, it's hard
to do that with daemon software.

More information about the Mailman-Users mailing list