Shams Fantar | 1 May 10:14 2008

Re: installing mailman and sendmail


Hank van Cleef wrote:

> I'm going to jump in here as I run Mailman with sendmail on a Solaris
> system.  I can't comment on peculiarities of a Linux precompiled
> distribution.
> 
> The Mailman installation manual goes through the steps of enabling 
> a link to smrsh.
> http://www.gnu.org/software/mailman/mailman-install/node32.html
> 
> Additionally, you'll need to enable the sendmail smrsh capability.
> You need to do this by adding a line in the main.mc file for sendmail
> and rerunning the M4 process to recreate the sendmail.cf file.
> The line to add is:
> 
> FEATURE(smrsh, /usr/lib/smrsh)dnl
> 
> This assumes that the smrsh executable is in /usr/lib.

Apparently, I have to put the "FEATURE..." in  /etc/mail/sendmail.mc

> 
> If you are trying to run with a precompiled sendmail, you'll need to
> configure main.mc for a variety of things that generally aren't in
> default installations; the line above is "in addition to" selecting
> things like relay control, masquerading, access_db, virtusertable etc. etc.  

> 
> Hank

Bill Honneus (honneus) | 1 May 15:42 2008

Integrating mailman with Sendmail

Hi,

I'm a little confused about something regarding setting up Mailman to
run using Sendmail.  The following are instructions for how to create
the mailman user.  My first question is, why is the user created with no
shell and no home?  The documentation does not explain the reason why
this is needed.

% groupadd mailman
% useradd -c "GNU Mailman" -s /no/shell -d /no/home -g mailman mailman

Second, in Ed Greenberg's workaround for integrating with Sendmail
without mm-handler (I am doing this b/c I need to run with both
maillists and individual users), the following instructions are given.

5. As mailman, run /home/mailman/bin/genaliases
Check for a file /home/mailman/data/aliases and
also TWO files /etc/mailman.aliases and /etc/mailman.aliases.db

6. Test creating a list using /home/mailman/bin/newlist
Check for the appearance of aliases for that list in
/etc/mailman.aliases
Add some users and test the list

First, I don't see how to login or sudo as mailman if the user is set up
without a shell.  Second, both steps refer to a home directory that does
not exist if the user is set up with no home.  In other words, the
instructions seem to contradict the basic instruction for how to set up
the mailman user.


Dragon | 1 May 17:13 2008

Re: Integrating mailman with Sendmail

Bill Honneus (honneus) wrote:
>Hi,
>
>I'm a little confused about something regarding setting up Mailman to
>run using Sendmail.  The following are instructions for how to create
>the mailman user.  My first question is, why is the user created with no
>shell and no home?  The documentation does not explain the reason why
>this is needed.
>
>% groupadd mailman
>% useradd -c "GNU Mailman" -s /no/shell -d /no/home -g mailman mailman
>

This is a standard security tactic for user accounts that are there 
for the sole purpose of running daemon processes. It helps prevent an 
attacker from usurping control under that user name.

I would seriously suggest following the convention as it is an added 
layer of protection against malicious access.

>Second, in Ed Greenberg's workaround for integrating with Sendmail
>without mm-handler (I am doing this b/c I need to run with both
>maillists and individual users), the following instructions are given.
>
>5. As mailman, run /home/mailman/bin/genaliases
>Check for a file /home/mailman/data/aliases and
>also TWO files /etc/mailman.aliases and /etc/mailman.aliases.db
>
>6. Test creating a list using /home/mailman/bin/newlist
>Check for the appearance of aliases for that list in

Brad Knowles | 1 May 17:29 2008

Re: Integrating mailman with Sendmail

Bill Honneus (honneus) wrote:

> I'm a little confused about something regarding setting up Mailman to
> run using Sendmail.  The following are instructions for how to create
> the mailman user.  My first question is, why is the user created with no
> shell and no home?  The documentation does not explain the reason why
> this is needed.

Because Mailman doesn't need the shell or the home directory, and they pose 
a potential security risk if they are present.  So, leave them out and you 
avoid the potential security risk.

> First, I don't see how to login or sudo as mailman if the user is set up
> without a shell.

Neither sudo nor a plain "su" need to have a shell for the user.  All you're 
changing is your effective UID (EUID), but the rest of your environment 
comes from your real UID that you used to log in with.

>                   Second, both steps refer to a home directory that does
> not exist if the user is set up with no home.

You're confusing the root of the directory structure where the Mailman code 
is installed with the /etc/passwd concept of "home directory".  You can have 
/usr/local/mailman be the root of the directory structure for Mailman (and 
called the "Mailman home directory"), without having a home directory 
specified in /etc/passwd for this user.

Yes, this can be confusing.


Dragon | 1 May 17:43 2008

Re: Integrating mailman with Sendmail

Brad Knowles wrote:

>Neither sudo nor a plain "su" need to have a shell for the 
>user.  All you're changing is your effective UID (EUID), but the 
>rest of your environment comes from your real UID that you used to log in with.
---------------- End original message. ---------------------

Hmm... maybe on some flavors of *nix, but on my server, if there is 
no shell set for a user, you can't sudo or su to that user ID. At 
least not while I am logged in under my account.

I just tried it to confirm, I also tried it while running as root 
with the same result "This account is currently not available."

I'm running an RHEL 5 box.

As I stated in my earlier reply, I do have my account set up as part 
of the mailman group. I can run mailman scripts with no problem 
without having to sudo to anything else.

Dragon

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Brad Knowles | 1 May 18:07 2008

Re: Integrating mailman with Sendmail

Dragon quoted me:

>> Neither sudo nor a plain "su" need to have a shell for the user.  All 
>> you're changing is your effective UID (EUID), but the rest of your 
>> environment comes from your real UID that you used to log in with.
> ---------------- End original message. ---------------------
> 
> Hmm... maybe on some flavors of *nix, but on my server, if there is no 
> shell set for a user, you can't sudo or su to that user ID. At least not 
> while I am logged in under my account.

Hmm.  On all the OSes I have experience with, you only need a shell for the 
user in question if you're doing an "su -", which would set up everything 
exactly as if you had logged in as that user from the login screen.

> As I stated in my earlier reply, I do have my account set up as part of 
> the mailman group. I can run mailman scripts with no problem without 
> having to sudo to anything else.

And you can always run them as root, too.

-- 
Brad Knowles <brad <at> shub-internet.org>
LinkedIn Profile: <http://tinyurl.com/y8kpxu>
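
The no-shell, no-home account convention discussed in this thread can be checked mechanically. The following is an added example, not part of any message above: a POSIX shell audit of passwd(5)-format entries, where the sample entries (including the UIDs and the `daemon` and `legacy` accounts) are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify passwd(5)-format entries by whether they permit an
# interactive login. The sample data is constructed, not taken from a real host.

# shell_status SHELL -> prints "login" or "nologin"
shell_status() {
    case "$1" in
        "")                echo login ;;    # empty field defaults to /bin/sh
        */nologin|*/false) echo nologin ;;  # programs that refuse the session;
                                            # nologin prints "This account is
                                            # currently not available."
        *)  # a path that is not an executable file (e.g. /no/shell) cannot log in
            if [ -f "$1" ] && [ -x "$1" ]; then echo login; else echo nologin; fi ;;
    esac
}

# audit_accounts: reads passwd lines on stdin, prints
# "name shell=<login|nologin> home=<present|missing>" per account.
audit_accounts() {
    while IFS=: read -r name _pw _uid _gid _gecos home shell; do
        case "$name" in ""|\#*) continue ;; esac
        if [ -d "$home" ]; then h=present; else h=missing; fi
        echo "$name shell=$(shell_status "$shell") home=$h"
    done
}

# Constructed sample: the mailman entry mirrors the useradd command quoted in
# the thread; "legacy" shows the easy-to-miss empty shell field.
sample_passwd() {
    cat <<'EOF'
mailman:x:41:41:GNU Mailman:/no/home:/no/shell
daemon:x:2:2:daemon:/:/sbin/nologin
legacy:x:50:50:old service:/:
EOF
}

sample_passwd | audit_accounts
```

On a live system, run `audit_accounts < /etc/passwd`. For an account reported as `nologin`, root can still run a single command as that user with `sudo -u mailman <command>` or, with the Linux su, `su -s /bin/sh mailman -c '<command>'`, because neither uses the shell field from /etc/passwd.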

Mark Sapiro | 1 May 18:09 2008

Re: installing mailman and sendmail

Shams Fantar wrote:
>
>Hank van Cleef wrote:
>
[...]
>> Additionally, you'll need to enable the sendmail smrsh capability.
>> You need to do this by adding a line in the main.mc file for sendmail
>> and rerunning the M4 process to recreate the sendmail.cf file.
>> The line to add is:
>>
>> FEATURE(smrsh, /usr/lib/smrsh)dnl
>>
>> This assumes that the smrsh executable is in /usr/lib.
>
>Apparently, I have to put the "FEATURE..." in  /etc/mail/sendmail.mc

You do not want to do this. Enabling smrsh in sendmail is not going to
solve any of your problem - if anything, it will only make things
worse.

-- 
Mark Sapiro <mark <at> msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

Hans Gubitz | 1 May 18:25 2008

Re: local ip in links

On Wed, Apr 30, 2008 at 01:37:15PM -0700, Mark Sapiro wrote:
> Hans Gubitz wrote:
> >
> >Overview of all ... mailing links
> >points here to the local ip of the server, where all other links point
> >to the right url.
> 
> 
> If you mean the actual target of that link contains the IP, I don't
> understand because this is generated the same way as all the other
> links, e.g the "<listname> administrative interface" link right above
> it.

They are generated in different ways.

In HTMLFormatter.py I read, that the first two lines of the footer use
MailList.GetScriptURL() which returns Utils.ScriptURL, that includes
self.web_page_url

The third line - my problem - uses Utils.ScriptURL with exactly one
parameter. So web_page_url==None and it is set by get_domain().

That is my problem. get_domain() returns the local ip of my listserver
which is a virtual host. Maybe Apache is not configured the right way.

My workaround: 
Utils.get_domain():
   return mm_cfg.DEFAULT_URL_HOST

Hans

Mark Sapiro | 1 May 18:46 2008

Re: local ip in links

Hans Gubitz wrote:
>
>On Wed, Apr 30, 2008 at 01:37:15PM -0700, Mark Sapiro wrote:
>> Hans Gubitz wrote:
>> >
>> >Overview of all ... mailing links
>> >points here to the local ip of the server, where all other links point
>> >to the right url.
>>
>>
>> If you mean the actual target of that link contains the IP, I don't
>> understand because this is generated the same way as all the other
>> links, e.g the "<listname> administrative interface" link right above
>> it.
>
>
>They are generated in different ways.

All the links are generated by mlist.GetScriptURL()

>In HTMLFormatter.py I read, that the first two lines of the footer use
>MailList.GetScriptURL() which returns Utils.ScriptURL, that includes
>self.web_page_url
>
>The third line - my problem - uses Utils.ScriptURL with exactly one
>parameter. So web_page_url==None and it is set by get_domain().
>
>That is my problem. get_domain() returns the local ip of my listserver
>which is a virtual host. Maybe Apache is not configured the right way.


NFN Smith | 1 May 19:22 2008

Mail/News duplicates problem

I'm not sure if this is a problem with Mailman or INN, but I'll start
on the Mailman side.  If it's an INN problem, I'll be happy to
redirect my question to the appropriate forum.

I'm in the process of adding a news/mail gateway to a server that's
running Mailman 2.1.9-7 on a Debian 4.0 box.  I'm adding INN 2.4.3-1 .
Both Mailman and INN are installed from the Debian Stable channel.

Where I'm having problems is with messages posted from the news side
-- they're gated into Mailman, and distributed correctly to mailing
list subscribers, but then a copy of the message goes back through to
the INN server, and INN isn't recognizing the message as having been
seen, and the result is that the news side of things sees a duplicate
copy of the message.

On further inspection, the duplicate message has clearly been
submitted to news by Mailman, and includes lots of Mailman-specific
headers.  In particular, the Message-ID: header is rewritten by
Mailman, and I'm assuming that INN relies on Message-ID: to track what
has been seen or not.

This is happening with nearly all the mailing lists configured to be
gated to news on this server, with the exception of one list, where
I'm not getting dupes.  This implies that the difficulty is specific
to the configuration of individual lists, but I can't see any
difference in configurations on either Mailman or INN between the
list/newsgroups that are getting duplicates, and the one that isn't.

It looks like I'm missing something small, but I'm not seeing it.
