build:lists
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
build:lists [2009/03/25 09:00] 167.206.189.6 |
build:lists [2018/05/28 03:00] SLUUG Administration [Mailman TODO:] |
||
|---|---|---|---|
| Line 151: | Line 151: | ||
| ====Tell Apache to use password protection==== | ====Tell Apache to use password protection==== | ||
| - | Edit /etc/apache2/sites-available/000-www.sluug.org and add a new directory section, filling in the directory where the archive is stored, the name of the list for the AuthName, and the file with the password. | + | Edit /etc/apache2/sites-available/000-www.sluug.org and <del>add a new directory section</del>, filling in the directory where the archive is stored, the name of the list for the AuthName, and the file with the password. |
| <code root> | <code root> | ||
| # Define password protection for this list's archives | # Define password protection for this list's archives | ||
| Line 163: | Line 163: | ||
| </code> | </code> | ||
| + | ===Security holes=== | ||
| + | |||
| + | In 2018, on amber, it was found there were two major holes that allowed bots | ||
| + | to access all mailing list contents: | ||
| + | - Each archived posting has two URLs, ''/pipermail/'' and ''/mailman/htdig/'', however only the first is protected. | ||
| + | - The sluug.org and stlwebdev.org archives are defined in separate config files, and only protect the lists defined in each, but all lists are accessible through either domain. | ||
| + | |||
| + | Therefore, the above ''<Directory>'' sections were replaced with | ||
| + | ''<LocationMatch>'' sections that first denied all access to the two URLs, | ||
| + | then allowed password protected access to to selected lists available through | ||
| + | that domain. Also unlimited access to two lists used for announcements. | ||
| + | Any list not overridden by a subsequent section will be blocked by the | ||
| + | first global section. | ||
| + | Using wildcards allowed protecting both URL paths without duplicating all the | ||
| + | password statements. | ||
| + | |||
| + | <code> | ||
| + | # Heavy use of symbolic links in Mailman configuration | ||
| + | <Directory /usr/local/mailman/archives/public> | ||
| + | Options FollowSymlinks | ||
| + | </Directory> | ||
| + | |||
| + | # Block all access to other lists' archives | ||
| + | # Alternate path to same files via htdig search results | ||
| + | <LocationMatch "^(/mailman/htdig|/pipermail)"> | ||
| + | Order allow,deny | ||
| + | Deny from all | ||
| + | </LocationMatch> | ||
| + | |||
| + | # Define password protection for this list's archives | ||
| + | # For all these lists: discuss steercom jobs test* | ||
| + | # Alternate path to same files via htdig search results | ||
| + | <LocationMatch "^(/mailman/htdig/(discuss|steercom|jobs|test)|/pipermail/(discuss|steercom|jobs|test))"> | ||
| + | Allow from all | ||
| + | AuthType Basic | ||
| + | AuthName "SLUUG Discussion Archive Access" | ||
| + | AuthUserFile /etc/apache2/discuss-passwords | ||
| + | Require valid-user | ||
| + | </LocationMatch> | ||
| + | |||
| + | # Define password protection for this list's archives | ||
| + | # For sysadmin list only | ||
| + | # Alternate path to same files via htdig search results | ||
| + | <LocationMatch "^(/mailman/htdig/sysadmin|/pipermail/sysadmin)"> | ||
| + | Allow from all | ||
| + | AuthType Basic | ||
| + | AuthName "SLUUG Sysadmin Archive Access" | ||
| + | AuthUserFile /etc/apache2/sysadmin-passwords | ||
| + | Require valid-user | ||
| + | </LocationMatch> | ||
| + | |||
| + | # No password protection for this list's archives | ||
| + | # For all these lists: announce users | ||
| + | # Alternate path to same files via htdig search results | ||
| + | <LocationMatch "^(/mailman/htdig/(announce|users)|/pipermail/(announce|users))"> | ||
| + | Allow from all | ||
| + | </LocationMatch> | ||
| + | </code> | ||
| + | |||
| + | All common parts of the port 80 and port 443 ''<VirtualHost>'' definitions | ||
| + | were moved to a common file to eliminate complete duplication. | ||
| + | |||
| + | Make similar changes to the stlwebdev web site definition. | ||
| ====Create the password file==== | ====Create the password file==== | ||
| The name of the file matches the AuthUserFile configuration statement. The username for the htpasswd command is whatever is used for that password file. You will be prompted for the password by the htpasswd command. | The name of the file matches the AuthUserFile configuration statement. The username for the htpasswd command is whatever is used for that password file. You will be prompted for the password by the htpasswd command. | ||
| Line 230: | Line 293: | ||
| </code> | </code> | ||
| + | Edit ''crontab'' before or after installation to: | ||
| + | * Comment the ''gate_news'' entry. We are not using any usenet gateway. | ||
| =====Copy Apache Images to Mailman===== | =====Copy Apache Images to Mailman===== | ||
| <code root> | <code root> | ||
| Line 472: | Line 537: | ||
| htdig. I'm not sure how htdig and/or apache will handle the compressed files as currently configured. | htdig. I'm not sure how htdig and/or apache will handle the compressed files as currently configured. | ||
| + | === Spam Subscriptions === | ||
| - | GENERAL MAIL TODO: | + | In 2018, it was discovered that one or more criminals were using a |
| + | bot network to make repeated subscription requests to multiple lists, | ||
| + | with the intent of SLUUG sending thousands of subscription confirmation | ||
| + | e-mails to one address, that would eventually change to the next target. | ||
| + | Looking in the logs, this had been happening for years, with SLUUG sending | ||
| + | over 80k spam confirmations. | ||
| + | This also taxed the SLUUG mail server when hundreds of e-mails were | ||
| + | rejected and sitting in the mail queue for retry. | ||
| + | |||
| + | In response, a local mod was made to ''subscribe.py'' | ||
| + | <code python> | ||
| + | sluug_sub_mod1_value = cgidata.getvalue('sluug_sub_mod1', '') | ||
| + | if not sluug_sub_mod1_value: | ||
| + | syslog('mischief', 'Subscribe w/o local mod form field as: %s: %s', email, remote) | ||
| + | results.append(_('Subscription failed due to internal error!')) | ||
| + | elif sluug_sub_mod1_value != 'sluug_sub_mod1-20180517': | ||
| + | syslog('mischief', 'Subscribe w/ wrong local mod form field value %s as: %s: %s', sluug_sub_mod1_value, email, remote) | ||
| + | results.append(_('Subscription failed due to internal error!')) | ||
| + | </code> | ||
| + | |||
| + | Also modified the generic ''listinfo.html'' template and the customized | ||
| + | version for the announce list (no other customized versions needed changes) | ||
| + | to add: | ||
| + | <code html> | ||
| + | <input type="hidden" name="sluug_sub_mod1" value="sluug_sub_mod1-20180517"> | ||
| + | </code> | ||
| + | |||
| + | The permanent fix to stop all spam subscriptions is to upgrade to a current | ||
| + | release of mailman that includes ''SUBSCRIBE_FORM_SECRET'' and probably other | ||
| + | new features to combat the bots. | ||
| + | |||
| + | === GENERAL MAIL TODO: === | ||
| * We need to get virtual users set up in some way. Craig and I discussed | * We need to get virtual users set up in some way. Craig and I discussed | ||
| Line 497: | Line 594: | ||
| ---- | ---- | ||
| - | |||
| ====== Notes ====== | ====== Notes ====== | ||
build/lists.txt · Last modified: 2018/05/28 03:34 by SLUUG Administration
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
