[Mailman-Users] Another question.. hopefully more interesting :)

Richard Barrett r.barrett at openinfo.co.uk
Sat Jul 26 10:46:02 CEST 2003


On Saturday, July 26, 2003, at 01:45 AM, Glenn Sieb wrote:

> Hi everyone...
>
> I currently run Mailman (2.1) (which I love.. great job, guys!), and use
> it to run a few private lists behind SSL. I have recently been asked to do
> some virtual domain hosting for some friends, and would like to provide
> them with their own Mailman lists, should they wish.
>

Before commenting on the detail of what you do I make the observation 
that using Secure HTTP and private mail archives are not the same topic.

Mailman's private archive feature is based on a cookie based 
authentication scheme and the delivery of private archive pages via one 
of Mailman's CGI scripts (while public archive pages are delivered by 
the web server without the use of a MM CGI script).

Secure HTTP is a means of:

a. preventing snooping of HTTP request/response content in 
communication between the client and server.

b. authenticating the server to the client via the server-side 
certificates.

c. much less frequently used: authenticating the client to the server 
(and potentially the user) via client-side certificates.

Using HTTPS can prevent user credentials being snooped when using low 
security authentication schemes such as HTTP's Basic Authentication or 
cookie based authentication.

But MM's list archive privacy does not require HTTPS; use of HTTPS 
merely 'hardens' the protection the list privacy scheme offers.

The converse is also true; using HTTPS is not a constraint on reaching 
public archive pages.

> In mm_cfg.py I have:

Commenting on this mm_cfg.py:

You should read the comments in $prefix/Mailman/Defaults.py.

> DEFAULT_EMAIL_HOST = 'lists.wingfoot.org'
> DEFAULT_URL_HOST = 'www.wingfoot.org'
> DEFAULT_URL_PATTERN = 'https://%s/mailman/'

DEFAULT_URL is obsolete and kept only for compatibility reasons; it is 
defined as None in Defaults.py and should not be defined in mm_cfg.py.

> DEFAULT_URL         = 'https://www.wingfoot.org/mailman/'
> PUBLIC_ARCHIVE_URL = 'https://%(hostname)s/pipermail/%(listname)s'

There is no such animal as PRIVATE_ARCHIVE_URL in the MM lexicon. This 
variable is being completely ignored.

Private archives are served by a Mailman CGI script in file 
$prefix/Mailman/Cgi/private.py which is invoked (assuming a default 
install) by the URI /mailman/private

The URL for private archive access is formed from the virtual hostname 
(the url host that is) using the DEFAULT_URL_PATTERN. The ScriptAlias 
you put in your httpd.conf file associates that URL with the Mailman 
CGI program.

> PRIVATE_ARCHIVE_URL = 'https://%(hostname)s/pipermail/%(listname)s'
>
> VIRTUAL_HOSTS = {'www.wingfoot.org':'lists.wingfoot.org',
>                 'www.domain2.org':'lists.domain2.org',
>                 'www.domain3.com':'lists.domain3.com',
>                 'www.domain4.org':'lists.domain4.org'}
> add_virtualhost(DEFAULT_URL_HOST,DEFAULT_EMAIL_HOST)
> add_virtualhost('www.domain2.org','lists.domain2.org')
> add_virtualhost('www.domain3.com','lists.domain3.com')
> add_virtualhost('www.domain4.org','lists.domain4.org')
>
> Now.. when I create a list under Wingfoot, it has all the
> https://www.wingfoot.org/mailman/listinfo stuff all correct. Since, that's
> how I access my listserver, this is the expected behavior... :)
>
> When I create one, say, from domain2, it *also* gets
> https://www.domain2.org/mailman/listinfo stuff... even though the URL to
> access that list is in http://www.domain2.org/mailman/listinfo :-/
>

This is no surprise as URLs for all Mailman CGI programs are formed 
from DEFAULT_URL_PATTERN

> I have tried commenting out the DEFAULT_URL_PATTERN to no avail. If I
> change it to http://%s/etc that works.. but then lists on Wingfoot break.
>

Which is a pretty good hint that you do not want to do this. Again read 
the comments in Defaults.py before you mess with this stuff.

btw: I assume you are restarting mailmanctl and running fix_url.py after 
fixing your mm_cfg.py.

> Is what I'm trying to do possible with one instance of Mailman? Should I
> install a 2nd instance? Can I even do that?
>

If you want to use HTTPS for private archives and HTTP for public 
archives, the simplest approach is to say:

DEFAULT_URL = None
PUBLIC_ARCHIVE_URL = 'http://%(hostname)s/pipermail/%(listname)s'
DEFAULT_URL_PATTERN = 'https://%s/mailman/'

With this, all access to Mailman CGI scripts, not just 
/mailman/private, will go via HTTPS but the links to public list 
archives will go via HTTP.

You could do some cute stuff with httpd.conf RewriteRules but it isn't 
really necessary to have a working solution.

As a matter of interest, what do you have in your httpd.conf for 
handling Mailman related access, that is, what Alias, ScriptAlias and 
such did you add to httpd.conf for MM?

> Hopefully this is chewy-good-for-thought stuff and not a "You idjit! Read
> the archives!" (I checked, but didn't see anything that screamed
> "Conclusive".)
>
> Thanks guys.. and again, I appreciate all the help you've been over the
> past not-quite-year, and all your hard work and effort into the Mailman
> project. :)
>
> Thanks,
> Glenn
> ---
> The original portions of this message are the copyright of the author
> (c)1998-2002 Glenn E. Sieb.    ICQ UIN: 300395    IRC Nick: Rainbear
> "All acts of Love and Pleasure are Her rituals"-Charge of the Goddess
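
Added example, not part of the original message and not Mailman's own code: a small checker that applies the points raised in the reply to an mm_cfg.py-style settings dict and shows which URLs each virtual host ends up with. The KNOWN list covers only the settings named in this thread, the list name "demo" is constructed, and the URL layout (pattern + script name + list name) is an assumption based on the reply's description.

```python
# Added example, not Mailman code: lint an mm_cfg.py-style settings dict.
from urllib.parse import urlparse

# Only the settings named in this thread; extend from Defaults.py as needed.
KNOWN = {"DEFAULT_EMAIL_HOST", "DEFAULT_URL_HOST", "DEFAULT_URL_PATTERN",
         "DEFAULT_URL", "PUBLIC_ARCHIVE_URL", "VIRTUAL_HOSTS"}

HOSTS = {"www.wingfoot.org": "lists.wingfoot.org",
         "www.domain2.org": "lists.domain2.org"}

# Settings as posted in the question (two of the four virtual hosts).
POSTED = {"DEFAULT_URL_PATTERN": "https://%s/mailman/",
          "DEFAULT_URL": "https://www.wingfoot.org/mailman/",
          "PUBLIC_ARCHIVE_URL": "https://%(hostname)s/pipermail/%(listname)s",
          "PRIVATE_ARCHIVE_URL": "https://%(hostname)s/pipermail/%(listname)s",
          "VIRTUAL_HOSTS": HOSTS}

# Settings as suggested in the reply.
SUGGESTED = {"DEFAULT_URL_PATTERN": "https://%s/mailman/",
             "DEFAULT_URL": None,
             "PUBLIC_ARCHIVE_URL": "http://%(hostname)s/pipermail/%(listname)s",
             "VIRTUAL_HOSTS": HOSTS}

def lint(cfg):
    """Return a list of findings for the problems raised in the reply."""
    findings = [f"{n}: not a setting this checker knows; check Defaults.py"
                for n in sorted(set(cfg) - KNOWN)]
    if cfg.get("DEFAULT_URL") is not None:
        findings.append("DEFAULT_URL: obsolete, leave it as None")
    if urlparse(cfg["DEFAULT_URL_PATTERN"] % "host").scheme != "https":
        findings.append("DEFAULT_URL_PATTERN: CGI pages, including the "
                        "private-archive cookie login, would use plain HTTP")
    return findings

def urls_for(cfg, listname):
    """URLs each virtual host ends up with (assumed URL layout)."""
    out = {}
    for url_host in cfg["VIRTUAL_HOSTS"]:
        cgi = cfg["DEFAULT_URL_PATTERN"] % url_host
        out[url_host] = {
            "listinfo": cgi + "listinfo/" + listname,
            "private": cgi + "private/" + listname,
            "public": cfg["PUBLIC_ARCHIVE_URL"]
                      % {"hostname": url_host, "listname": listname}}
    return out

if __name__ == "__main__":
    print(lint(POSTED))
    print(urls_for(SUGGESTED, "demo")["www.domain2.org"])
```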




