I am still fairly new to Mailman but I have been a long time Sendmail user. I like to know how things work. Partly out of security paranoia and partly out of curiosity I started hacking around the MTA interface.

One of the things I now see is that Mailman depends on a group for access (vs. setuid). Sendmail does not like group-accessible files or directories based on a long history of security problems. Somewhere there has to be a bridge between the Mailman security model and Sendmail (or any other MTA).

Back in 2004 the approach was to create a shell script. That script would get executed as root. More on that later.

Another approach was mm-handler. Mm-handler handles the security bridge by calling back Mailman after it has switched to UID/GID: mailman/mailman. An elegant solution. The v3 version <http://sw.ziobro.info/mm-handler/> optionally allows mail not destined for a mailing list to be delivered locally. Thus mm-handler could be used to implement mailing lists in front of an existing mail domain. It looks like the mm-handler could be integrated into Postfix and probably other MTAs. I suspect passing all mail through mm-handler would be a performance drag for a busy mail system. It looks like leaving MTA set to ‘Manual’ is best but that generates a little irrelevant text.

If you want to mix Mailman mailing lists in with your regular mailboxes and aliases then the classic method of using the aliases file as generated by Mailman seems best. The 2004 instructions suggested using a shell script to copy the Mailman generated aliases file into /etc/mail/ configuration directory for Sendmail. See: https://mail.python.org/pipermail/mailman-users/2004-June/037518.html

Current distributions of Sendmail contain a file /etc/mail/make which is an appropriate place for such customization. The /etc/mail/make script gets executed every time Sendmail restarts. It is called once as “make aliases” and again as just “make” before Sendmail restarts. Instead of creating a shell script you could just edit the /etc/mail/make file so the makealiasesdb function reads:

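makealiasesdb() {
    # copy the Mailman-generated aliases into the Sendmail configuration directory
    /usr/bin/cp /etc/mailman/aliases /etc/mail/mailman-aliases
    # rebuild the aliases database
    /usr/bin/newaliases > /dev/null
}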

I started wondering where the interface between Mailman and MTA should be defined. For example if I am using MTA='Manual' then I could set up my /etc/mail/make as:

makealiasesdb() {
    /usr/lib/mailman/bin/genaliases > /etc/mail/mailman-aliases
    /usr/bin/newaliases > /dev/null
}


But the ‘Manual’ mailer has no capability of signaling the MTA that the mailing lists have been updated. If I use MTA='Postfix' then genaliases has no output. Apparently the genaliases program is a function of the MTA setting. So I rolled my own aliases with a perl program:

#!/usr/bin/perl -w
# create the Mailman aliases file
open(A, "/usr/lib/mailman/bin/list_lists -b|") || exit(1);
my @e = qw(admin bounces confirm join leave owner request subscribe unsubscribe);
while (<A>) {
    chomp;    # strip the trailing newline from the list name
    print "$_:\"|mailman post $_\"\n";
    foreach my $x (@e) {
        print "$_-$x:\"|mailman $x $_\"\n";
    }
    print "owner-$_:$_-owner\n";    # Majordomo fans
}
close(A);

The perl program can be stuffed into one line in the make shell script like this:

makealiasesdb() {
    # genaliases into /etc/mail/mailman-aliases
    /usr/bin/perl -e ' open(A,"/usr/lib/mailman/bin/list_lists -b|") || exit(1); my @e=qw(admin bounces confirm join leave owner request subscribe unsubscribe); while(<A>){ chomp; print "$_:\"|mailman post $_\"\n"; foreach my $x (@e){ print "$_-$x:\"|mailman $x $_\"\n"; } print "owner-$_:$_-owner\n"; }' > /etc/mail/mailman-aliases
    /usr/bin/newaliases > /dev/null
}

Once the need for genaliases is gone I could simplify the MTA/Sendmail.py create function to:

def create(mlist, cgi=False, nolock=False, quiet=False):
    # restart the mail program so new aliases are active
    msg = 'command failed: %s (status: %s, %s)'
    if not nolock:  # NOT genaliases
        acmd = mm_cfg.RESTART_MAILER_CMD
        # os.system returns the wait status; the exit code is in the high byte
        status = (os.system(acmd) >> 8) & 0xff
        if status:
            errstr = os.strerror(status)
            syslog('error', msg, acmd, status, errstr)
            raise RuntimeError, msg % (acmd, status, errstr)


The RESTART_MAILER_CMD configuration will default to:
RESTART_MAILER_CMD = 'sudo systemctl restart sendmail'

On older systems it might be: 'sudo /etc/init.d/sendmail restart'

By moving the responsibility to create aliases out of Mailman the Mailman code base shrinks a lot. Smaller is better. It works for me.

Is the directory “/etc/mailman” group-writable only to support the creation of an aliases file? I would feel more confident if /etc/mailman was only writable by root.

This is where I am now. I cut and paste Python code but don’t necessarily understand it. If someone could give the Python code a look over then I’ll organize it a little better for a release.

This got a little long.  Thanks for your attention!

Ciao,

//Z\\
Jim Ziobro


------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
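
An added example, not part of the original post and not Mailman's own code: a Python version of the alias generator described in the post that rejects any list name outside a conservative character set before emitting pipe aliases, then replaces the aliases file atomically with a mode that is not group-writable. The name pattern, the function names and the 0644 mode are assumptions made for this example.

```python
import os
import re
import tempfile

# The nine per-list suffixes used by the perl generator in the post.
SUFFIXES = ("admin bounces confirm join leave owner request "
            "subscribe unsubscribe").split()

# Assumption for this example: a conservative allow-list for list names, so a
# name can never carry quotes, pipes, colons, spaces or newlines into the file.
SAFE_NAME = re.compile(r"[a-z0-9][a-z0-9._+-]*\Z")


def alias_lines(names):
    """Return (lines, rejected) for the given list names."""
    lines, rejected = [], []
    for raw in names:
        name = raw.strip().lower()
        if not SAFE_NAME.match(name):
            rejected.append(raw)
            continue
        lines.append('%s:"|mailman post %s"' % (name, name))
        for suffix in SUFFIXES:
            lines.append('%s-%s:"|mailman %s %s"' % (name, suffix, suffix, name))
        lines.append("owner-%s:%s-owner" % (name, name))
    return lines, rejected


def write_aliases(path, names):
    """Write the aliases file atomically; refuse to write if any name is unsafe."""
    lines, rejected = alias_lines(names)
    if rejected:
        raise ValueError("unsafe list names: %r" % (rejected,))
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as out:
            out.write("\n".join(lines) + "\n")
        os.chmod(tmp, 0o644)   # readable by the MTA, not group- or world-writable
        os.rename(tmp, path)   # readers never see a half-written file
    except Exception:
        os.unlink(tmp)
        raise
    return len(lines)
```

Run as root from the makealiasesdb function, the input would be the output lines of list_lists -b and the path /etc/mail/mailman-aliases, followed by newaliases as in the post.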
