You are browsing a read-only backup copy of Wikitech. The live site can be found at wikitech.wikimedia.org
Mailman: Difference between revisions
imported>John F. Lewis |
imported>Nemo bis (Undo revision 202127 by John F. Lewis (talk)) |
||
| Line 27: | Line 27: | ||
# Also add a "terse phrase" for the list (which will show up in the main list directory at [https://lists.wikimedia.org/mailman/listinfo https://lists.wikimedia.org/mailman/listinfo]). | # Also add a "terse phrase" for the list (which will show up in the main list directory at [https://lists.wikimedia.org/mailman/listinfo https://lists.wikimedia.org/mailman/listinfo]). | ||
# Add the list to [[m:Mailing lists/Overview]], or tell the requester to. | # Add the list to [[m:Mailing lists/Overview]], or tell the requester to. | ||
# If the list | # If the list's archives are public, [http://gmane.org/subscribe.php add it to Gmane] (this needs to be done before the first message is sent to the list otherwise the mbox needs to submitted from the lists server); group name must be under [http://dir.gmane.org/index.php?prefix=gmane.org.wikimedia gmane.org.wikimedia], or [http://dir.gmane.org/index.php?prefix=gmane.science.linguistics.wikipedia gmane.science.linguistics.wikipedia] for Wikipedia language communities' lists. | ||
# If the list was requested to be set as '''private''', you need to ensure the archives are private and that the subscription rules are changed to "Confirm and approve". | # If the list was requested to be set as '''private''', you need to ensure the archives are private and that the subscription rules are changed to "Confirm and approve". | ||
# Inform the lists' administrators of the [https://lists.wikimedia.org/mailman/listinfo/listadmins listadmins mailing list] where all notifications and changes will be announced if they are liable to impact mailman. | # Inform the lists' administrators of the [https://lists.wikimedia.org/mailman/listinfo/listadmins listadmins mailing list] where all notifications and changes will be announced if they are liable to impact mailman. | ||
Revision as of 07:31, 14 November 2015
See also
How To
Create a mailing list
There are 2 ways to create a mailing list:
- Via the web interface at http://lists.wikimedia.org/mailman/create - a list's creator password is needed. The site password works as well.
- Via shell on the mailing lists server (fermium). As root, run newlist.
In both cases, it's not necessary to add e-mail aliases anywhere! These are handled automatically by mailman with the mail transfer agent configured (exim). When creating a new mailing list, make sure it follows the Naming scheme.
Step-by-step procedure
When you create a new mailing list for someone that could potentially not be experienced with Mailman administration, there's a few things that you need to do:
- Set yourself to be the initial list administrator, which means that you'll get an email with the list admin password.
- This will allow you to adjust settings for the list (if you don't have the site password) and also send the list password in one email to two or more list admins.
- Set "Auto-generate initial list password" to Yes.
- If relevant, also add any extra "Initial list of supported languages". For example, if you're creating a list for Wikimedia Israel, then add Hebrew as an extra supported language.
- Enter the list creator's or site password in the box at the bottom and hit "Create List".
- Now that you've created the list, login to the admin interface using the password sent to you in an email or the site admin password. Add the list admins' email addresses in the relevant field in the admin interface.
- Also add a "terse phrase" for the list (which will show up in the main list directory at https://lists.wikimedia.org/mailman/listinfo).
- Add the list to m:Mailing lists/Overview, or tell the requester to.
- If the list's archives are public, add it to Gmane (this needs to be done before the first message is sent to the list otherwise the mbox needs to submitted from the lists server); group name must be under gmane.org.wikimedia, or gmane.science.linguistics.wikipedia for Wikipedia language communities' lists.
- If the list was requested to be set as private, you need to ensure the archives are private and that the subscription rules are changed to "Confirm and approve".
- Inform the lists' administrators of the listadmins mailing list where all notifications and changes will be announced if they are liable to impact mailman.
- Now you can send an email to the list owners letting them know that the list has been created. Here's a template email that you can use (adjusting as appropriate):
Disable or re-enable a mailing list
Sometimes a mailing list may be requested to be removed but not deleted from the server because the archives may still be used such as old announcement lists. Disabling and re-enabling a list can be done through the mailman interface by list administrators but usually it is easier for someone who is experienced to handle it due to the complexity of mailman configuration.
A shell script exists on the lists server under /usr/local/sbin/ called disable_list. The script can be used to disable and enable lists easily and consistently.
# Usage: ./disable_list [-e|--enable] <listname>
Commands
The shell script simply does the following to disable a list:
# list=LISTNAME # echo "advertised=0" | config_list -i /dev/stdin $list # echo "emergency=1" | config_list -i /dev/stdin $list # echo "member_moderation_action=2" | config_list -i /dev/stdin $list # echo "generic_nonmember_action=2" | config_list -i /dev/stdin $list # echo "ban_list=[^.*@.*]" | config_list -i /dev/stdin $list # rm /var/lib/mailman/data/heldmsg-$list-*.pck
And to re-enable a list, it does the opposite of the above.
# list=LISTNAME # echo "advertised=1" | config_list -i /dev/stdin $list # echo "emergency=0" | config_list -i /dev/stdin $list # echo "member_moderation_action=0" | config_list -i /dev/stdin $list # echo "generic_nonmember_action=1" | config_list -i /dev/stdin $list # echo "ban_list=[]" | config_list -i /dev/stdin $list
Remove a mailing list
Removing a mailing list should only be done if the list will not be used at all and archives don't need to be public (otherwise see above). To remove a list but keep the archives stored, run (on the lists server):
# rmlist listname
To also remove all archives, use:
# rmlist -a listname
Remove a message from the mailing list archives
Sometimes you are forced to remove a message from mailing list archive by court order or other 'command' (such as request from legal). The linked instructions tell why it is a procedure best avoided but also how to do it if legally obligated.
Wikimedia's mailing list archives, though public, are no longer indexed by search engines as they are excluded in robots.txt, other archives (such as Gmane) are indexed.
Export a listing of all subscribers to a mailing list
- Login to the mailing list server and run:
/var/lib/mailman/bin/list_members -f -o <file to write to> <list name>
Remove an individual from all mailing lists
Occasionally we need to remove an individual from every mailing list we have, such as when an email address no longer works but we don't want mailman to turn it off due to bounce detection. The remove_members command is the solution - this is a command line utility to remove one or more email addresses from a specific list or from all lists.
- remove an individual from a specific list:
/var/lib/mailman/bin/remove_members mylist user@example.com
- remove two addresses from all lists:
/var/lib/mailman/bin/remove_members --nouserack --fromall user1@example.com user2@example.com
- remove from all private lists:
/var/lib/mailman/bin/remove_from_private.sh <email>
Rename a mailing list
Renaming a mailing list in the past was a fairly hands-on approach and required confidence with mailman at each stage. While this has not changed, a shell script has been made which makes the process more easier and more streamlined and reduces the risk of things going wrong within mailman itself. Although this is true, renames should be avoided without someone who is confident with mailman on-hand just in case any sort of issues pop up. Tailing the error and bounce logs as well before and after would be ideal.
The script can be ran on the lists server by running:
/usr/local/sbin/rename_list <old list> <new list>
The password and email address of the list can be set to anything (preferable not the list administrator's address) as it will be overwritten later on by the script.
Manual
The manual process is documented below (and may be out of date as new optimisations are found) which can be done if the script does not work or the list is 'weird' in one way or another. It is best to avoid the manual method as it introduces more risks and human errors.
- Before you begin, verify that the requester is actually an administrator of the mailman list.
- Send an email to the -owner address of the list that you plan to rename a list.
- Create a new list.
- Use the mailman master password as creator's (authentication) password.
- Follow the standardized naming scheme where possible.
- Use your email as the initial list creator and receive auto-created password (will be overwritten by the move).
- Log into the administrative interface (https://lists.wikimedia.org/mailman/admin/<listname>) with the generated password or the site password.
- Before the next step be prepared to change the "real_name" value of the list in the interface, but don't send it yet. Have the mailman master password ready.
- Go to the lists server shell and copy the config.pck (this includes all settings, users, passwords!) and others (pending.pck, request.pck files) from old to the new list.
- Reload the administrative interface link and be logged out, because you have just overwritten the users and passwords as well, use the mailman master password and login again.
- Immediately change the real_name in the administrative interface.
- You should now see other users as list administrators and members, and now you can take your time and adjust other settings like the description field and "Prefix for subject line of list postings" and update the name there as well or let others do it.
- Copy the archive mbox from the old to new .mbox directory and rename it to reflect the new list name.
- Fix permissions (chown list:list *.mbox, chmod 664 *.mbox)
- Use arch to recreate all html files from mbox to fix archive links.
- Decide if you want to keep old archives in place, you probably do. Don't break URLs.
- Add the old list email address to "acceptable aliases" on the new list administrative interface
- Merge a mail alias to redirect mail to the old list.
- Merge an url redirect for the old listinfo page.
- Merge on palladium, run puppet on the mailing lists server. Apache and exim should automatically pick the change up.
- Test URL redirect.
- Test mail by announcing the change to the old list address.
Add a list to Gmane
A new list can be added to Gmane very easily if the first message has not already been sent or history is not important (see creation steps above, #8). If the history needs to be imported, a ticket should be file in Phabricator with projects 'Wikimedia-Mailing-list' and 'operations' (easy link stating which list needs to imported and to which Gmane group if it exists already.
Alter arbcom-l archive access list
After a previous data leak, the English Wikipedia Arbitration Committee requested a high level of security for access to arbcom-l archives. We now have a second layer of password authentication in addition to Mailman's controls, implemented in Apache. Using HTTP authentication allows each user's page views to be tracked in the apache access logs.
To add a user:
- Have the user generate a GPG private key, and have them establish a link between their public key and their Wikipedia user account by posting the public key on Wikipedia. For Windows users, this can be done by following this tutorial.
- Generate a password for them, for example using tr -cd [:alnum:] < /dev/urandom | head -c10
- Choose a username.
- Update the htdigest file in the puppet private repo using htdigest ~/private/files/lighttpd/htdigest 'arbcom-l archive' <username>
- Push the update out to the mailing lists server in the usual way.
- Send the new password to the user using encrypted email.
To do other things:
- Edit palladium:~/private/files/lighttpd/htdigest and push the file out to the list servers.
Need to check the above and update it for Apache now. Since this refers to palladium and private a bit!
Docs and links
Authorized recipients for ops@lists.wikimedia.org
Anyone with a signed NDA can be on the ops@lists.wikimedia.org mailing list. For a list of signed NDAs for staff/contractors there is T83783, WMF-NDA and ldap/nda (or ldap/wmf).
Configuration details
The new Mailman setup lives on fermium, and uses the standard Debian package mailman. The mailing list state is under /var/lib/mailman/, the global configuration is in /etc/mailman/.
The mail server used is Exim, the web server used is Apache.
Mailman setup
The local mailman configuration file is available to see on Diffusion. Configuration is mostly default version config with few changes (L96 and below are non-default).
Mail server setup
Near the top of the exim4.conf file, there are several macros related to Mailman. These define system-specific settings/locations used by the router(s) and transport(s) in the rest of the configuration file. For a Debian/Ubuntu Mailman package, the following macro's are accurate:
# Mailman MAILMAN_HOME = /usr/lib/mailman MAILMAN_LISTS_HOME = /var/lib/mailman MAILMAN_WRAP = MAILMAN_HOME/mail/mailman MAILMAN_UID = list MAILMAN_GID = list
There's a domain list that contains a list of all domains that can "contain" mailing lists, i.e. the domains for which the Mailman router(s) should run. This list is also used as part of the "local domains" list, the list for which this mail server accepts mail and handles it locally.
domainlist mailman_domains = lists.wikimedia.org domainlist local_domains = +system_domains : +mailman_domains
Main configuration
Several tweaks have been made to the main configuration to make Mailman delivery go smooth.
In case of high load / lots of incoming connections, mail from the local host (including Mailman) and other Wikimedia servers are given preference:
smtp_reserve_hosts = <; 127.0.0.1 ; ::1 ; +wikimedia_nets
For big mailing lists, Mailman needs to send a lot of recipients per mail / connection. Per default, Exim only queues mails that have > 10 recipients, to be delivered by a subsequent queue runner, which can cause significant delays. The default Mailman limit is 500 recipients per connection, so make Exim accept that:
smtp_accept_queue_per_connection = 500
Allow Exim to do 50 deliveries to remote hosts in parallel (this means 50 processes):
remote_max_parallel = 50
Routers
In Exim, the routers determine if a certain e-mail address is accepted for delivery or mail transport, and how it's going to be handled (routed). For Mailman, the following list router accepts a recipient that:
- has a domain in the domain list mailman_domains
- has a Mailman configuration file matching the local part (i.e. the mailing list exists)
Certain postfixes of the localpart, e.g. "-bounces" are accepted as well.
When the router accepts the recipient address, it's set up for delivery using the list transport (see below).
# Mailman list handling. Test the mailing list address without suffix
# first, as a mailing list like wikifi-admin is a valid list name.
list:
driver = accept
domains = +mailman_domains
require_files = MAILMAN_LISTS_HOME/lists/$local_part/config.pck
transport = list
list_suffix:
driver = accept
domains = +mailman_domains
require_files = MAILMAN_LISTS_HOME/lists/$local_part/config.pck
local_part_suffix = -bounces : -bounces+* : \
-confirm+* : -join : -leave : \
-owner : -request : -admin : \
-subscribe : -unsubscribe
transport = list
If the conditions for this router fail (i.e. the router is not run) then the no_more makes sure that no subsequent routers will be tried (in the current configuration there are none that might accept), and the recipient address is failed.
Transports
An Exim transport configures a way of transporting a message, e.g. over the network (SMTP), to a file (MBOX/Maildir/etc) or using a pipe to a process. The following transport sets up delivery to Mailman:
# Mailman pipe transport
list:
driver = pipe
command = MAILMAN_WRAP \
'${if def:local_part_suffix \
{${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
{post}}' \
$local_part
current_directory = MAILMAN_LISTS_HOME
home_directory = MAILMAN_LISTS_HOME
user = MAILMAN_UID
group = MAILMAN_GID
For content scanning, temporary mbox files are written to /var/spool/exim4/scan, and deleted after scanning. Similarly, Exim keeps "hints" databases in /var/spool/exim4/db, which are non-essential caches. To improve performance somewhat, these directory is mounted as a tmpfs filesystem, using the following line in /etc/fstab:
tmpfs /var/spool/exim4/scan tmpfs defaults 0 0 tmpfs /var/spool/exim4/db tmpfs defaults 0 0
Mailing list privacy protection
It has happened in the past that by hitting on the Reply All button in one's e-mail client, private info from an internal list leaked to a public mailing list because it was listed in the CC list, and the imprudent sender did not notice. In order to try to catch these incidents, a little filter has been implemented.
- If the To: or CC: of a message body matches an item in a list of private mailing list addresses, and
- the list of recipients as known by the mailing list server contains a Wikimedia mailing list that's not a private mailing lists, then
- the message is bounced with the message Message rejected for privacy protection: The list of recipients contains both private and public lists.
It's possible to circumvent this restriction by sending to the private list as a BCC, Blind Carbon Copy.
This filter is implemented using an Exim system filter:
This filter is enabled in the configuration file using
system_filter = CONFDIR/system_filter
Address header rewriting
It turned out that, after the migration, many users kept sending mails to both the old and the new mailing list addresses, thereby causing duplicate messages. To reduce this, Exim has been configured to rewrite the old mailing list addresses to the new ones in the To: and CC: headers, using the following option on the list transport:
Web server setup
To get Mailman running with Apache the puppet class role::lists is applied which uses module mailman. Puppet module mailman uses puppet module Apache which sets up Apache and the site config is in the template lists.wikimedia.org.erb.
See also http://www.gnu.org/software/mailman/mailman-install/node10.html
SpamAssassin
SpamAssassin is installed using the default Ubuntu spamassassin package. A couple of configuration changes were made.
By default, spamd, if enabled, runs as root. To change this:
# adduser --system --home /var/lock/spamassassin --group --disabled-password --disabled-login spamd
The following settings were modified in /etc/default/spamassassin:
# Change to one to enable spamd ENABLED=1
User preferences are disabled, spamd listens on the loopback interface only, and runs as user/group spamd:
OPTIONS="--max-children 5 --nouser-config --listen-ip=127.0.0.1 -u spamd -g spamd"
Run spamd with nice level 10:
# Set nice level of spamd NICE="--nicelevel 10"
Fighting spam in mailman
All list mail is sent through spamassassin which adds headers with a spam status and score.
This does not mean though that it automatically discards any messages. Only messages with a really high spam socre (>= 12) are discarded immediately, below that messages are just tagged with a header. What actions to take based on this information is left to the list admins.
The mailman UI supports this via the configuration variable header_filter_rules aka. 'Spam Filter Regexp' (description: Filter rules to match against the headers of a message.).
This can be found in the administrative interface in Privacy options...-> [Spam filters] -> Spam Filter Regexp.
You can just rely on spam-status:
x-spam-status: yes
or you can filter by score, example regex from mailman docs:
X-Spam-Score: [*]{3,5}
This line will match from 3 to 5 stars in the value of this field.
another example could be:
X-Spam-Score: [+]{5,}
if the X-Spam-Score is indicated with pluses (+) insted of stars (*), this line matches when 5 or more pluses are encountered on the same line.
Additionally you have to pick an action for that which can be one of:
Defer Hold Reject Discard Accept
If you use "Hold" you will have to manually check the moderation queue every once in a while, but can avoid possible false positives, if you use "Discard" you don't have to do anything but _might_ discard some ham without noticing, though that is unlikely.
Backups
fermium is backed up to helium using Bacula. The path on the source is /var/lib/mailman. The path on the target is whatever you choose in bconsole.
Tested failure modes
Because mail delivery and transport should be reliable, I have tested what happens in certain failure modes, e.g. when SpamAssassin's spamd daemon is not running.
Spamd not running
Because of the /defer_ok modifiers in the Exim ACLs, Exim will act as if no spam filtering attempts are made when spamd is not running, and will accept the message. The following lines are logged:
spam acl condition: warning - spamd connection to 127.0.0.1, port 783 failed: Connection refused spam acl condition: all spamd servers failed H=xxx.xxxxxxx.xx [xx.xx.xx.xx]:xxxx I=[145.97.39.157]:25 U=exim Warning: ACL "warn" statement skipped: condition test deferred
Mailman not running
If the Mailman queue runner daemons are not running, incoming messages will still get delivered to the Mailman queue by Exim. However, nothing else will happen until the Mailman processes are started.
Who has the passwords?
The following people have the master (site) password that can be used to login to the admin interface of all lists.
- all members of the operations team or users with root access on the ops bastion host
- James Alexander
- (probably / planned): Maggie Dennis
The following people have the list creator password that can be used to create new lists but not login to existing lists.
- all members of the operations team or users with root access on the ops bastion host
- John F. Lewis
The following people have shell access on the list server. They can run mailman binaries which includes changing list configs and passwords.
- all members of the operations team or users with root access on the ops bastion host
- John F. Lewis