Mailman on Mavericks

Question

Level 1

41 points

Mailman on Mavericks

I'm trying to configure mailman on Mavericks Server and am running into a few conceptual and technical difficulties. Any help would be greatly appreciated.

First, the easy part: installation and web server. I used Macports, 'sudo port install mailman', created a site password with 'sudo /opt/local/share/mailman/bin/mmsitepass', then I set up an apache mailman.conf file to create the virtual domain lists.mydomain.private pointed at the correct cgi-bin in the mailman distribution under /opt/local/var/mailman. That all works fine.

What doesn't work are my attempts at interfacing with Server postfix.

Mailman has several configuration options, and I'm trying to use the one that uses the file postfix-to-mailman.py to avoid messing with aliases in /etc/aliases.

When I add mailman aliases with pipe commands, I get the error

The mail system <mailman-owner@mydomain.com>: Command died with status 2:

"/opt/local/libexec/mailman/mail/mailman owner mailman". Command output: Group mismatch error. Mailman expected the mail wrapper script to be executed as group "_mailman", but the system's mail server executed the mail script as group "nobody". Try tweaking the mail server to run the script as group "_mailman", or re-run configure, providing the command line option `--with-mail-gid=nobody'.

So I tried using postfix-to-mailman.py along with its configuration instructions, which involve configuring postfix to use mail sent to lists.mydomain.com as a transport.

But I can't get OS X Server Mail to accept mail sent to user@lists.mydomain.com. I did the obvious virtual domain configuration in Server.app, and set up DNS so that lists.mydomain.com has an A record and an MX record, both pointing to the server.

So I'm stuck—what's a decent/working mailman configuration on OS X Server?

P.S. This link <https://discussions.apple.com/thread/4161671> has expired.

OS X Mavericks (10.9), OS X Server, EyeTV HD, Turbo.264 HD

Posted on Dec 29, 2013 1:58 PM

Reply

Answer 1

Dec 29, 2013 9:28 PM in response to essandess

I installed mailman from the source tree on mailman's website. I untarred it and followed the instructions in the readme. I got the same error that you got regarding it running with the wrong gid, so I re-ran the configure with --with-mail-gid=nobody, and it worked.

I use macports for almost everything, but for some reason I just got the regular package and all worked pretty smoothly.

You have to have xcode installed and the command line tools, as well.

-Cameron

Reply

Answer 2

essandess Author

Level 1

41 points

Dec 30, 2013 7:01 AM in response to cjmandrake

Thanks for your response. From the documentation and googling I see, it is unnecessary and undesirable to add mailman aliases to /etc/aliases, as mailman should generate these automatically in data/aliases (/opt/local/var/mailman/data/aliases for macports). And the mailmain executable has its sticky bit set so that it is run as the group _mailman:

ls -l /opt/local/libexec/mailman/mail/mailman

-rwxr-sr-x 1 root _mailman 15492 Dec 20 12:30 /opt/local/libexec/mailman/mail/mailman

I'd like to configure mailman to interact with postfix as designed, and avoid any possible secuity issues allowing code to be run as nobody. (For the same reasons, using postfix-to-mailman.py should be unnecessary and undesirable.)

It appears that there should be a way to edit /etc/postfix/main.cf and set the alias_maps or virtual_alias_maps variables. But I don't see clear instructions how to accomplish this.

Should the virtual mail domain lists.mydomain.com be setup in postfix first so that mail to user@lists.mydomain.com is redirected to user@mail.mydomain.com. Or will this break the mailman setup, which will want to eat all mail sent to lists.mydomain.com?
How does one configure the mailman aliases. I don't have a mailman alias file /opt/local/var/mailman/data/aliases . Did I miss some configuration step? Googling around shows something about setting the variable MTA='Postfix' in mm_cfg.py (/opt/local/share/mailman/Mailman/mm_cfg.py).
Is it also necessary to use Server.app's virtual mail domains? Are local DNS MX entries necessary, or will postfix just handle everything submitted to smtp?

Reply

Answer 3

Dec 30, 2013 9:01 AM in response to essandess

The main.cf that you are looking for is in /Library/Server/Mail/Config/postfix. The alias_maps are commented out as the default is /etc/aliases. You can add or edit one of the current lines to say...

alias_maps = hash:/etc/aliases, hash:/opt/local/var/mailman/data/aliases

Then restart postfix.

You shouldn't have to add an MX record for lists.yourdmain.com as long as there is an MX record for yourdomain.com.

Not sure why you don't have an aliases file for mailman. I used the fresh source from mailman's website, and my aliases are there. I didn't even realize it made this file, so I've been using /etc/aliases.

You might do a 'sudo /usr/libexec/locate.updatedb' and wait for it to finish and then use...

locate aliases.db

To see if mailman is storing them elsewhere. Otherwise, you may just have to use the /etc/aliases file, or create your own for just mailman and add it to the alias_maps line in main.cf in the /Library/Server heirarchy.

My mailman is running without doing editing of postfix configs except /etc/aliases. I didn't have to edit any virtual mail domains, since the aliases are pipes to the mailman program, the list email address is one of the options in the mailman administration interface for each list.

As for your execution problem, have you tried "sudo /usr/share/mailman/bin/check_perms -f"?

Hope this helps.

-Cameron

Reply

Answer 4

essandess Author

Level 1

41 points

Dec 31, 2013 11:53 AM in response to cjmandrake

Thanks. Getting closer -- mailman creates the ./data/aliases database, but OS X Server postfix isn't accepting mail sent to mailman, e.g. mailman-request@mydomain.com.

I added these lines to mm_cfg.py (/opt/local/share/mailman/Mailman/mm_cfg.py)

POSTFIX_STYLE_VIRTUAL_DOMAINS=['lists.mydomain.com']

MTA='Postfix'

add_virtualhost('lists.mydomain.com')

MAILMAN_SITE_LIST='mailman'

And this line to main.cf (both in /Library/Server/Mail/Config/postfix/main.cf and /etc/postfix/main.cf because I'm never sure which file OS X Server uses)

alias_maps = hash:/etc/aliases, hash:/opt/local/var/mailman/data/aliases

Both aliases files exist, and have the correct permissions and entries.

I've also restarted mail, run newaliases, and checked permissions, as well as checking that postfix can read the aliases:

sudo -u _mailman /opt/local/share/mailman/bin/check_perms -f

sudo serveradmin stop mail && sudo serveradmin start mail

sudo newaliases

sudo postmap -q mailman-request hash:/opt/local/var/mailman/data/aliases

All looks to be setup correctly, yet mail sent to mailman, e.g. mailman-request@mydomain.com bounces with a 550 smtp error "Recipient address rejected: User unknown in local recipient table (in reply to RCPT TO command)".

My guess is that mailman is configured correctly, but OS X Server postfix isn't.

Any suggestions for the cause of bounced email sent to mailman aliases?

Reply

Answer 5

Dec 31, 2013 12:10 PM in response to essandess

Look in the directory with the mailman aliases file and make sure there is a corresponding aliases.db file. Newaliases and postmap might just be hashing the /etc/aliases file, so you might have to do it by hand.

Also, what are the log entries when the mail bounces? They might reveal more clues.

You can also check your Defaults.py for DEFAULT_EMAIL_HOST and DEFAULT_URL_HOST.

As a test, copy one of the mailing list alias blocks to /etc/aliases and do a newaliases and see if the mailserver will accept from that list. If it does, then you know that postfix is ignoring the mailman aliases file.

Reply

Answer 6

essandess Author

Level 1

41 points

Dec 31, 2013 12:45 PM in response to cjmandrake

Look in the directory with the mailman aliases file and make sure there is a corresponding aliases.db file. Newaliases and postmap might just be hashing the /etc/aliases file, so you might have to do it by hand.

Thanks again and Happy New Year. Both aliases and aliases.db both exist.

Also, what are the log entries when the mail bounces? They might reveal more clues.

Thanks -- looking in /var/log/mail.log, I see "fatal: open database /opt/local/var/mailman/data/aliases.db: Permission denied" so I ran

sudo chmod o+r /opt/local/var/mailman/data/aliases*

sudo chown root /opt/local/var/mailman/data/aliases*

sudo /opt/local/share/mailman/bin/check_perms -f

I ended up with these permissions:

ls -l /opt/local/var/mailman/data/aliases*

-rw-rw-r-- 1 root _mailman 1238 Dec 31 12:16 /opt/local/var/mailman/data/aliases

-rw-rw-r-- 1 _mailman _mailman 16384 Dec 31 12:16 /opt/local/var/mailman/data/aliases.db

But mail keeps bouncing.

You can also check your Defaults.py for DEFAULT_EMAIL_HOST and DEFAULT_URL_HOST.

Changed those to match mm_cfg.py as well. Still bouncing mail.

copy one of the mailing list alias blocks to /etc/aliases and do a newaliases and see if the mailserver will accept from that list. If it does, then you know that postfix is ignoring the mailman aliases file.

I added to /etc/aliases the line and sent mail to mailman-request@mydomain.com:

mailman-request: "|/opt/local/libexec/mailman/mail/mailman request mailman"

Rather than a 550 bounce, I get the "group mismatch error" failure: "<mailman-request@mydomain.com> Command died with status 2:

"/opt/local/libexec/mailman/mail/mailman request mailman". Command output:

Group mismatch error. Mailman expected the mail wrapper script to be

executed as group "_mailman", but the system's mail server executed the

mail script as group "nobody". Try tweaking the mail server to run the

script as group "_mailman", or re-run configure, providing the command

line option `--with-mail-gid=nobody'."

Now postfix knows about the alias, but is trying to run mailman as nobody rather than _mailman. Postfix obviously isn't getting the ./mailman/data/aliases file, which it needs to run with the correct permissions. There's probably some missing directive or variable in main.cf.

Reply

Answer 7

Dec 31, 2013 1:46 PM in response to essandess

Okay, I found some clues...

Mailman runs the pipe as the group of the owner of the aliases.db file. So, if it is not accessing its own aliases file, and it is getting the information from /etc/aliases, it sees the aliases file owned by root.wheel, which it will interpret to run as 'nobody'.

So, the solution is to figure out why postfix is not seeing the mailman aliases file. Once you get it seeing that aliases file, you can make sure that the aliases.db file created by mailman is owned my mailman and the group set to mailman, as well.

Did you restart postfix after changing the aliases line in the config?

Reply

Answer 8

Dec 31, 2013 2:33 PM in response to cjmandrake

Another thing to try is to use serveradmin to change the settings in the config. That way, you know it is putting the setting in the proper place.

sudo serveradmin set mail:postfix:alias_maps="hash:/etc/aliases, hash:/opt/local/mailman/data/aliases"

You'll need to restart the mail service after executing the command.

Reply

Answer 9

essandess Author

Level 1

41 points

Jan 1, 2014 6:14 AM in response to cjmandrake

Thanks again. Getting very close, but still no cigar. Mail TO mailmail is delivered, but mail FROM mailman is rejected with the error "Relay access denied".

I use my ISP's outgoing mailserver proxy, but I thought that OS X Server would handle this automatically. Must mailman also (somehow?) be configured to use the relay?

Here are the logs for mail sent to mailman-request@mydomain.com:

Jan 1 07:21:05 host.mydomain.com postfix/postscreen[76484]: CONNECT from [103.9.98.131]:47821 to [10.0.1.3]:25

Jan 1 07:21:05 host.mydomain.com postfix/postscreen[76484]: PASS OLD [103.9.98.131]:47821

Jan 1 07:21:06 host.mydomain.com postfix/smtpd[76486]: connect from h1.dnsmail.com[103.9.98.131]

Jan 1 07:21:07 host.mydomain.com postfix/smtpd[76486]: DC5A1502368F: client=h1.dnsmail.com[103.9.98.131]

Jan 1 07:21:07 host.mydomain.com postfix/cleanup[76496]: DC5A1502368F: message-id=<98B0F190-1668-4FFB-9836-B5B4676F8DA2@me.com>

Jan 1 07:21:07 host.mydomain.com postfix/smtpd[76486]: disconnect from h1.dnsmail.com[103.9.98.131]

Jan 1 07:21:07 host.mydomain.com postfix/qmgr[75596]: DC5A1502368F: from=<me@me.com>, size=1566, nrcpt=1 (queue active)

Jan 1 07:21:11 host.mydomain.com postfix/smtpd[76510]: connect from localhost[127.0.0.1]

Jan 1 07:21:12 host.mydomain.com postfix/smtpd[76510]: AE7FE5F842AC: client=localhost[127.0.0.1]

Jan 1 07:21:12 host.mydomain.com postfix/cleanup[76496]: AE7FE5F842AC: message-id=<98B0F190-1668-4FFB-9836-B5B4676F8DA2@me.com>

Jan 1 07:21:12 host.mydomain.com postfix/qmgr[75596]: AE7FE5F842AC: from=<me@me.com>, size=2054, nrcpt=1 (queue active)

Jan 1 07:21:12 host.mydomain.com postfix/smtp[76497]: DC5A1502368F: to=<mailman-request@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.5, delays=1.3/0.11/0.01/4.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as AE7FE5F842AC)

Jan 1 07:21:12 host.mydomain.com postfix/qmgr[75596]: DC5A1502368F: removed

Jan 1 07:21:12 host.mydomain.com postfix/local[76513]: AE7FE5F842AC: to=<mailman-request@mydomain.com>, relay=local, delay=1.1, delays=0.38/0.19/0/0.51, dsn=2.0.0, status=sent (delivered to command: /opt/local/libexec/mailman/mail/mailman request mailman)

Jan 1 07:21:12 host.mydomain.com postfix/qmgr[75596]: AE7FE5F842AC: removed

Jan 1 07:21:14 host.mydomain.com postfix/postscreen[76484]: CONNECT from [::1]:54514 to [::1]:25

Jan 1 07:21:14 host.mydomain.com postfix/postscreen[76484]: PASS OLD [::1]:54514

Jan 1 07:21:14 host.mydomain.com postfix/smtpd[76486]: connect from localhost[::1]

Jan 1 07:21:16 host.mydomain.com postfix/smtpd[76486]: NOQUEUE: reject: RCPT from localhost[::1]: 554 5.7.1 <me@me.com>: Relay access denied; from=<mailman-bounces@mydomain.com> to=<me@me.com> proto=ESMTP helo=<host.mydomain.com>

Reply

Answer 10

essandess Author

Level 1

41 points

Jan 1, 2014 6:39 AM in response to essandess

Or possibly I must configure mailman to authenticate into my own smtp server?

Reply

Answer 11

essandess Author

Level 1

41 points

Jan 1, 2014 7:29 AM in response to essandess

I tried adding these variables to mm_cfg.py for BOTH my own SMTP server and external relay, but I'm still getting the same "Relay access denied error".

I'm stuck at this step.

SMTPHOST = 'smtp.comcast.net'

SMTPPORT = 587

SMTP_AUTH = Yes

SMTP_USERNAME = 'username'

SMTP_PASSWORD = 'password'

DELIVERY_MODULE = 'ASMTPDirect'

Error log:

postfix/smtpd[9887]: NOQUEUE: reject: RCPT from localhost[::1]: 554 5.7.1 <me@me.com>: Relay access denied; from=<mailman-bounces@mydomain.com> to=<me@me.com> proto=ESMTP helo=<host.mydomain.com>

Reply

Answer 12

essandess Author

Level 1

41 points

Jan 1, 2014 7:50 AM in response to essandess

More diagnostic test, following this thread. I tried adding my server's LAN IP to postfix's $mynetworks variable, to no avail (followed by 'sudo postfix reload', of course). I'm still getting the "Relay access denied" error.

mynetworks = 127.0.0.0/8, 10.0.1.3

smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org permit

Reply

Answer 13

Jan 1, 2014 8:34 AM in response to essandess

Your mailman is trying to connect via ipv6 and not ipv4, so you need to add your ipv6 localhost to mynetworks. Your ipv6 localhost is ::1.

Reply

Answer 14

essandess Author

Level 1

41 points

Jan 1, 2014 8:45 AM in response to cjmandrake

Woohoo! That's it! I added the following line to main.cf and have everything working end-to-end now. I'll hammer on this a little and post summary configuration notes after I think it's solid.

mynetworks = 127.0.0.0/8, [::1]

Reply

Answer 15

essandess Author

Level 1

41 points

Jan 2, 2014 8:04 PM in response to essandess

Here's some installation notes, in case this this is useful to others. Everything appears to be working correctly.

Mailman on Mavericks With Macports

sudo port install mailman

sudo port notes mailman

# Follow the notes:

# mailman python config file

sudo vi /opt/local/share/mailman/Mailman/mm_cfg.py

:

DEFAULT_EMAIL_HOST = ‘mydomain.com' # Match Server.app mail domain

DEFAULT_URL_HOST = 'lists.mydomain.com'

add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST)

MTA='Postfix'

sudo vi /opt/local/share/mailman/Mailman/Defaults.py

:

DEFAULT_EMAIL_HOST = 'mydomain.com'

DEFAULT_URL_HOST = 'lists.mydomain.com'

DEFAULT_URL_PATTERN = 'https://%s/mailman/' # use HTTPS for lists

# apache config file

# manage this the way you like on your server; here’s what I do:

sudo mkdir /Library/Server/Web/Config/apache2/mydomain

sudo cp /Library/Server/Web/Config/apache2/httpd_server_app.conf /Library/Server/Web/Config/apache2/httpd_server_app.conf.orig

sudo vi /Library/Server/Web/Config/apache2/httpd_server_app.conf

:

# Server-specific configuration

Include /Library/Server/Web/Config/apache2/mydomain/*.conf

sudo cp /opt/local/etc/httpd/mailman.conf /Library/Server/Web/Config/apache2/mydomain

# Only do this to create a test virtual domain at lists.mydomain.private

# Uncomment the VirtualHost stuff / comment out for live hosting at lists.mydomain.com

sudo vi /Library/Server/Web/Config/apache2/mydomain/mailman.conf

# <VirtualHost *:80>

# ServerAdmin webmaster@mydomain.com

# ServerName lists.mydomain.private

# DocumentRoot "/opt/local/libexec/mailman/cgi-bin/"

# ErrorLog /var/log/apache2/lists-error.log

# CustomLog /var/log/apache2/lists-access.log combined

ORIGINAL Macports mailman.conf stuff GOES HERE

# </VirtualHost>

# mailman cron maintenance

cd /opt/local/share/mailman/cron

sudo crontab -u mailman crontab.in

# DNS

Use your DNS hosting service (internet) and Server.app (LAN) to create an alias (A record) of lists.mydomain.com. If you want a LAN test before going live, use Server.app to create a CNAME record of lists.mydomain.private.

# Postfix configuration

sudo serveradmin set mail:postfix:alias_maps="hash:/etc/aliases, hash:/opt/local/var/mailman/data/aliases"

sudo vi /Library/Server/Mail/Config/postfix/main.cf

:

mynetworks = 127.0.0.0/8, [::1]

# Site password

sudo /opt/local/share/mailman/bin/mmsitepass

# Fix permissions

sudo chown _www /opt/local/var/mailman/archives/private # needed to see archives; not sure if this is a bug

sudo chmod o+r /opt/local/var/mailman/data/aliases*

sudo chown root /opt/local/var/mailman/data/aliases*

sudo /opt/local/share/mailman/bin/check_perms -f

sudo -u _mailman /opt/local/share/mailman/bin/check_perms -f

# Assorted useful commands to fix permissions, reload postfix, remove lists, etc.

sudo /opt/local/share/mailman/bin/newlist mailman

sudo postmap -q mailman-request hash:/opt/local/var/mailman/data/aliases

sudo postfix reload

sudo /opt/local/share/mailman/bin/rmlist -a test

sudo postmap hash:/opt/local/var/mailman/data/aliases # should be automatic

# Launch it all

sudo port load mailman

Server.app to restart Mail, Web

# Notes on configuring the mail relay by hand — I messed up my setup because the Server.app doesn’t have the necessary fields.

Server.app to add mail relay

sudo vi /Library/Server/Mail/Config/postfix/main.cf

:

relayhost = smtp.comcast.net:587

smtpd_use_tls = yes

smtp_sasl_auth_enable = yes

sudo vi /Library/Server/Mail/Config/postfix/sasl/passwd

smtp.comcast.net:587 myname@comcast.net:mypassword

sudo postmap hash:/Library/Server/Mail/Config/postfix/sasl/passwd

# sanity check permissions on cleartext password file

ls -l /Library/Server/Mail/Config/postfix/sasl/passwd*

-rw-r----- 1 root mail 61 Jan 1 09:09 /Library/Server/Mail/Config/postfix/sasl/passwd

-rw-r----- 1 root wheel 16384 Jan 1 09:11 /Library/Server/Mail/Config/postfix/sasl/passwd.db

# Create a new list

https://lists.mydomain.com/mailman/admin.cgi/

Reply