Installing Mailman To Use HTTPS On CentOS 5.1

March 30th, 2008 · 3 Comments

In starting up my new Python web-app project that I’ve blogged a bit about, I realized that I needed to set up a mailing list or two in order to keep the few people working on it all on the same page. Besides just having a list for development discussions among a distributed group of people, it is very handy to have SVN send out e-mail notices to everyone about commits. I could have used something like Majordomo or ezmlm, but I like the features of Mailman – primarily the ability for users to subscribe, unsubscribe, etc. via a web page as well as through e-mail. I could have also just used an alias in the MTA config, but that doesn’t allow new developers to sign up on their own.

The following documents my notes along the way to installing and configuring Mailman on a CentOS 5.1 box such that its web pages are accessible only through https. It is important to note that I’m talking about an installation from scratch here. If you’re upgrading a previous installation from either an older mailman, or an older version of CentOS, then the following is NOT for you.

  1. As I had hoped, the CentOS base repo provides an RPM for the latest release of Mailman which, according to the GNU webpage for Mailman, is version 2.1.9. You can install it with:
    $ sudo yum install mailman-2.1.9-2

    If you read the description of this package, you’ll see that it installs a special install instructions file into /usr/share/doc/mailman-2.1.9/INSTALL.REDHAT. You might want to read this yourself, but basically, it leads you through the following steps if you’re running your MTA (i.e. mailserver) on the same host as your web (httpd) server. You should note that the RedHat RPM does NOT install Mailman such that its configuration pages are accessible only through HTTPS. The following instructions include extra steps to make sure that this is true.

  2. Edit the newly installed file /etc/httpd/conf.d/mailman.conf to customize it for your host. In particular, edit the last line and replace the http://www.example.com with your own site’s hostname after an https:// prefix. It should end up looking something like this:
    RedirectMatch ^/mailman[/]*$ https://davmp.kimanddave.com/mailman/listinfo
  3. You’ll need to insert two RewriteRule lines in your httpd config files to redirect all non-https requests for Mailman features to the https site. And if you don’t have any rewrite features set up elsewhere, you’ll need a couple of other lines. You can find out the most about this process by reading the Apache docs for the RewriteEngine. But, since I’ve already got a virtual host file for the site that I want Mailman to be a part of, I simply added lines like the following:
    <VirtualHost _default_:80>
       ...
       RewriteEngine        on
       # A RewriteCond applies only to the RewriteRule that immediately
       # follows it, so the condition is repeated for each rule.
       RewriteCond          %{HTTPS} !=on
       RewriteRule          ^/mailman/(.*) https://davmp.kimanddave.com/mailman/$1 [L,R]
       RewriteCond          %{HTTPS} !=on
       RewriteRule          ^/pipermail/(.*) https://davmp.kimanddave.com/pipermail/$1 [L,R]
    </VirtualHost>
    
    <VirtualHost *:443>
       ...
       Include "conf.d/mailman.conf.include"
    </VirtualHost>

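    I then renamed /etc/httpd/conf.d/mailman.conf to /etc/httpd/conf.d/mailman.conf.include. The stock httpd.conf loads every conf.d/*.conf file for the whole server, so with the new name the file is read only through the Include in the port 443 virtual host. These settings prevent Apache from allowing these URLs to work for any other virtual hosts.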

  4. Test your configuration changes by running
    $ apachectl -t

    This will print out Ok if everything is syntactically correct. Once you’ve fixed any issues, go ahead and restart the webserver via a command of:

    $ sudo /sbin/service httpd restart
  5. Create your site password for mailman by running
    $ sudo /usr/lib/mailman/bin/mmsitepass

    Contrary to the RedHat instructions, you do not need to type a password on the command line as you will be prompted for it. Clearly it is safer to type it at the prompt.

    Running this command writes the site password into /etc/mailman/adm.pw, so you do need to run it as sudo. Don’t forget that the first password prompt will be for your sudo request if you haven’t run anything else sudo in a while. 🙂 This password will be accepted anywhere an individual user or mailman administrator password would be accepted, so make sure you’ll remember this in case you need to reset other passwords in your Mailman installation.

  6. (OPTIONAL) Set up the site-wide “list creator” role password by doing
    $ sudo /usr/lib/mailman/bin/mmsitepass -c

    This password can be given to those whom you want to have the ability to create and delete mailing lists through the web but without the risk of letting them change the mailman config itself.

  7. Edit /etc/mailman/mm_cfg.py. There is code in here to try and autodetect your domain names, but it’s probably safest to make it explicit. To do that, start with the line from socket import * and comment out (prepend with a #) all lines down to the one that sets the DEFAULT_EMAIL_HOST variable. Then insert two lines to set up your explicit values. You should end up with something like this:
    #from socket import *
    #try:
    #    fqdn = getfqdn()
    #except:
    #    fqdn = 'mm_cfg_has_unknown_host_domains'
    #
    #DEFAULT_URL_HOST   = fqdn
    #DEFAULT_EMAIL_HOST = fqdn
    DEFAULT_URL_HOST   = "davmp.kimanddave.com"
    DEFAULT_EMAIL_HOST = "kimanddave.com"
  8. Ensure that Mailman renders its own URLs with the https scheme by appending the following line to the /etc/mailman/mm_cfg.py file.
    DEFAULT_URL_PATTERN = 'https://%s/mailman/'
  9. (ASIDE) If you had previous mailing lists configured, this is where you’d update Mailman’s files to use this new info by running
    $ sudo /usr/lib/mailman/bin/update

    but we can skip that since we’re a new install.

  10. Create the “site-wide” mailing list, also known as the one that Mailman password reminders come from. Usually this is called mailman but you can use any value you want as long as you set MAILMAN_SITE_LIST to the same value in /etc/mailman/mm_cfg.py. Let’s use this default and set this up by running
    $ sudo /usr/lib/mailman/bin/newlist mailman

    and then follow the prompts. Note that this MUST be done prior to starting up the Mailman daemon.

    Also note that this command will output a list of mail aliases after you answer a few prompts. Copy and paste these lines into your MTA’s aliases configuration. The simplest way to do that is to edit /etc/aliases (because most MTAs respect the contents of that file) and append these lines to the end, then, after saving that file, run the newaliases command.

  11. It is now time to start the Mailman daemon! Do this with a command like:
    $ sudo /sbin/service mailman start

    It’s important to note that the RedHat packagers do not ship RPMs that enable services as part of the installation, so you’ll need to enable the service as well if you want mailman to work after a reboot. You can do this with a command like:

    $ sudo /sbin/chkconfig --level 345 mailman on
  12. Add yourself to your new mailman mailing list. Do this by visiting your host’s mailman list info page at https://your.host.name/mailman, clicking the Mailman link at the bottom left, and using the resulting form to subscribe your e-mail address.
  13. If you want your mailing lists to be completely public, you’re done. You do NOT need to follow the remaining steps!
  14. If you want to limit who can access your mailing list web pages, then I recommend editing the /etc/httpd/conf.d/mailman.conf.include configuration file to add lines that require authentication. Something like this would be a very basic authentication requirement. You could also use an LDAP, MySQL, etc. database, but setting those up is a whole separate topic.
    AuthType Basic
    AuthName "mysite"
    AuthUserFile /etc/httpd/auth/passwords
    AuthGroupFile /etc/httpd/auth/groups
    Require group mailman

    Of course, you’ll need to read up on using authentication files with Apache.
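
The script below is an added example, not part of the original post or of Mailman: it checks the three things the steps above rely on for an HTTPS-only setup (the port 80 redirect from step 3, the renamed conf.d file from step 3, and the mm_cfg.py values from steps 7 and 8). The function names and the sample reply are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for the HTTPS-only setup. Function names and the
# sample reply below are constructed for illustration.

# Reads HTTP response headers on stdin, e.g. from
#   curl -sI http://your.host.name/mailman/listinfo
# Succeeds only for a 301/302 whose Location header is an https:// URL.
redirects_to_https() {
    awk '
        { sub(/\r$/, "") }    # HTTP header lines end in CRLF
        NR == 1 { status_ok = ($2 == "301" || $2 == "302") }
        tolower($1) == "location:" { loc_ok = ($2 ~ /^https:\/\//) }
        END { exit !(status_ok && loc_ok) }
    '
}

# Prints the last uncommented assignment of NAME in FILE. mm_cfg.py is
# Python, so a later assignment overrides an earlier one.
last_setting() {
    grep -E "^$1[[:space:]]*=" "$2" | tail -n 1
}

# Steps 7 and 8: explicit DEFAULT_URL_HOST and an https DEFAULT_URL_PATTERN.
mm_cfg_is_https() {
    last_setting DEFAULT_URL_PATTERN "$1" |
        grep -Eq "=[[:space:]]*['\"]https://" || return 1
    last_setting DEFAULT_URL_HOST "$1" |
        grep -Eq "=[[:space:]]*['\"][^'\"]+['\"]"
}

# Step 3: mailman.conf must be gone from conf.d (where every *.conf is
# loaded for all virtual hosts) and present as mailman.conf.include.
mailman_conf_is_scoped() {
    [ ! -e "$1/mailman.conf" ] && [ -e "$1/mailman.conf.include" ]
}

# Constructed sample of the reply a port-80 request should get after step 3.
SAMPLE_REPLY='HTTP/1.1 302 Found
Location: https://davmp.kimanddave.com/mailman/listinfo'

if printf '%s\n' "$SAMPLE_REPLY" | redirects_to_https; then
    echo "sample reply: redirected to https"
fi
```

On a live host, pipe the output of curl -sI for a port 80 Mailman URL into redirects_to_https, and pass /etc/mailman/mm_cfg.py and /etc/httpd/conf.d to the other two functions.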


3 responses so far ↓

  • 1 Adam // Nov 5, 2008 at 1:02 pm

    This is a good tut for mailman running ssl. I followed the most part to set up mine. If you use postfix and you want to make the aliases creation automated you should do:

    Add this to the bottom of /etc/mailman/mm_cfg.py file: MTA = 'Postfix'

    cd /usr/lib/mailman
    bin/genaliases
    chown mailman:mailman /etc/mailman/aliases*
    chmod g+w /etc/mailman/aliases*
    vim /etc/postfix/main.cf
    search for alias_maps and find the one that is not commented out and add:
    hash:/etc/mailman/aliases so it should look like:
    alias_maps = hash:/etc/aliases,hash:/etc/mailman/aliases

  • 2 Rizwan // Jun 10, 2009 at 5:49 am

    Very useful, good

  • 3 Dave // Oct 11, 2009 at 9:46 am

    Great write up! Thanks for the detailed instructions.. Worked like a charm.
