Hi All,

I have seen many questions related to this in the archives, and from what I
can tell, my configuration is complete and correct. But I cannot seem to
get my public archives to be viewable. I wonder if someone knowledgeable
could look over the following configs and point me in the right direction.
We recently upgraded to RHEL, Apache 2.0.52, Mailman 2.1.5. We have around
80 lists, but only a handful require public archives.

check_perms returns no errors. We do have a few virtual hosts in apache
with IP access restrictions, but mailman has no such restrictions. (Allow
from all)

All access attempts return:
Forbidden
You don't have permission to access /pipermail/xxxxx on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an
ErrorDocument to handle the request.
Apache/2.0.52 (Red Hat) Server xxxxxxxxxxxxxxx Port 80

Apache reads mailman.conf on startup. Would it make a difference if I put
this information into httpd.conf instead?

# mailman.conf #######################
ScriptAlias /mailman/ /usr/lib/mailman/cgi-bin/
<Directory /usr/lib/mailman/cgi-bin/>
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>

Alias /pipermail/ /var/lib/mailman/archives/public/
<Directory /var/lib/mailman/archives/public>
Options Indexes MultiViews FollowSymLinks
# Options FollowSymlinks ExecCGI -Indexes -Includes
AllowOverride None
Order allow,deny
Allow from all
</Directory>

[root@othello mailman]# ls -l /var/lib/mailman
total 68
drwxrwsr-x 5 mailman mailman 4096 May 19 11:43 archives
drwxrwsr-x 2 mailman mailman 16384 May 26 09:45 data
drwxrwsr-x 72 mailman mailman 4096 May 22 16:03 lists
drwxrwsr-x 3 mailman mailman 4096 Apr 17 11:35 locks
drwxrwsr-x 2 mailman mailman 4096 Apr 17 11:15 logs
drwxrwsr-x 11 mailman mailman 4096 Apr 17 11:16 qfiles
drwxrwsr-x 2 mailman mailman 4096 Apr 17 11:14 spam

[root@othello archives]# ls -l /var/lib/mailman/archives/
total 32
drwxrws--x 198 mailman mailman 12288 May 22 16:03 private
drwxrwsr-x 2 mailman mailman 4096 May 22 16:03 public

I really appreciate anyone taking the time to look these over. Please let
me know if I forgot to include something.

Thanks much,
Michael
---
MINITEX Library Information Network / MnLINK
University of Minnesota


  • Mark Sapiro at May 26, 2006 at 3:41 pm

    Michael Berkowski wrote:
    > All access attempts return:
    > Forbidden
    > You don't have permission to access /pipermail/xxxxx on this server.
    > Additionally, a 403 Forbidden error was encountered while trying to use an
    > ErrorDocument to handle the request.
    > Apache/2.0.52 (Red Hat) Server xxxxxxxxxxxxxxx Port 80

    What is in the Apache error_log relating to this?

    > Apache reads mailman.conf on startup. Would it make a difference if I put
    > this information into httpd.conf instead?

    Probably not.

    > # mailman.conf #######################
    > ScriptAlias /mailman/ /usr/lib/mailman/cgi-bin/
    > <Directory /usr/lib/mailman/cgi-bin/>
    > AllowOverride None
    > Options ExecCGI
    > Order allow,deny
    > Allow from all
    > </Directory>

    Presumably, the above is working, but it has no effect on public
    archive access.

    > Alias /pipermail/ /var/lib/mailman/archives/public/
    > <Directory /var/lib/mailman/archives/public>
    > Options Indexes MultiViews FollowSymLinks
    > # Options FollowSymlinks ExecCGI -Indexes -Includes
    > AllowOverride None
    > Order allow,deny
    > Allow from all
    > </Directory>

    The above looks OK to me.

    > [root@othello mailman]# ls -l /var/lib/mailman
    > total 68
    > drwxrwsr-x 5 mailman mailman 4096 May 19 11:43 archives
    > drwxrwsr-x 2 mailman mailman 16384 May 26 09:45 data
    > drwxrwsr-x 72 mailman mailman 4096 May 22 16:03 lists
    > drwxrwsr-x 3 mailman mailman 4096 Apr 17 11:35 locks
    > drwxrwsr-x 2 mailman mailman 4096 Apr 17 11:15 logs
    > drwxrwsr-x 11 mailman mailman 4096 Apr 17 11:16 qfiles
    > drwxrwsr-x 2 mailman mailman 4096 Apr 17 11:14 spam
    >
    > [root@othello archives]# ls -l /var/lib/mailman/archives/
    > total 32
    > drwxrws--x 198 mailman mailman 12288 May 22 16:03 private
    > drwxrwsr-x 2 mailman mailman 4096 May 22 16:03 public

    Permissions look OK too.

    --
    Mark Sapiro <msapiro at value.net> The highway is for gamblers,
    San Francisco Bay Area, California better use your sense - B. Dylan
  • Michael Berkowski at May 26, 2006 at 3:59 pm
    Hi Mark,

    Thanks for responding so quickly.

    >> All access attempts return:
    >> Forbidden
    >> You don't have permission to access /pipermail/xxxxx on this server.
    >> Additionally, a 403 Forbidden error was encountered while trying to use an
    >> ErrorDocument to handle the request.
    >> Apache/2.0.52 (Red Hat) Server xxxxxxxxxxxxxxx Port 80

    > What is in the Apache error_log relating to this?

    Apache's error log shows this:
    [root@othello httpd]# tail -n 4 error_log

    [Fri May 26 10:30:33 2006] [error] [client 160.94.15.144] (13)Permission denied: access to /pipermail/minitex-news denied
    [Fri May 26 10:39:25 2006] [error] [client 160.94.15.144] (13)Permission denied: access to /pipermail/minitex-news denied
    [Fri May 26 10:44:05 2006] [error] [client 160.94.15.144] (13)Permission denied: access to /pipermail/minitex-news denied
    [Fri May 26 10:44:05 2006] [error] [client 160.94.15.144] (13)Permission denied: access to /pipermail/minitex-news denied

    >> Apache reads mailman.conf on startup. Would it make a difference if I put
    >> this information into httpd.conf instead?

    > Probably not.

    >> # mailman.conf #######################
    >> ScriptAlias /mailman/ /usr/lib/mailman/cgi-bin/
    >> <Directory /usr/lib/mailman/cgi-bin/>
    >> AllowOverride None
    >> Options ExecCGI
    >> Order allow,deny
    >> Allow from all
    >> </Directory>

    > Presumably, the above is working, but it has no effect on public
    > archive access.

    >> Alias /pipermail/ /var/lib/mailman/archives/public/
    >> <Directory /var/lib/mailman/archives/public>
    >> Options Indexes MultiViews FollowSymLinks
    >> # Options FollowSymlinks ExecCGI -Indexes -Includes
    >> AllowOverride None
    >> Order allow,deny
    >> Allow from all
    >> </Directory>

    > The above looks OK to me.

    >> [root@othello mailman]# ls -l /var/lib/mailman
    >> total 68
    >> drwxrwsr-x 5 mailman mailman 4096 May 19 11:43 archives
    >> drwxrwsr-x 2 mailman mailman 16384 May 26 09:45 data
    >> drwxrwsr-x 72 mailman mailman 4096 May 22 16:03 lists
    >> drwxrwsr-x 3 mailman mailman 4096 Apr 17 11:35 locks
    >> drwxrwsr-x 2 mailman mailman 4096 Apr 17 11:15 logs
    >> drwxrwsr-x 11 mailman mailman 4096 Apr 17 11:16 qfiles
    >> drwxrwsr-x 2 mailman mailman 4096 Apr 17 11:14 spam
    >>
    >> [root@othello archives]# ls -l /var/lib/mailman/archives/
    >> total 32
    >> drwxrws--x 198 mailman mailman 12288 May 22 16:03 private
    >> drwxrwsr-x 2 mailman mailman 4096 May 22 16:03 public

    > Permissions look OK too.

    Thanks,
    -Michael
  • Mark Sapiro at May 26, 2006 at 4:28 pm

    Michael Berkowski wrote:
    > Apache's error log shows this:
    > [root@othello httpd]# tail -n 4 error_log
    >
    > [Fri May 26 10:30:33 2006] [error] [client 160.94.15.144] (13)Permission denied: access to /pipermail/minitex-news denied

    There is a permissions issue somewhere?

    >>> [root@othello mailman]# ls -l /var/lib/mailman
    >>> total 68
    >>> drwxrwsr-x 5 mailman mailman 4096 May 19 11:43 archives
    >>> drwxrwsr-x 2 mailman mailman 16384 May 26 09:45 data
    >>> drwxrwsr-x 72 mailman mailman 4096 May 22 16:03 lists
    >>> drwxrwsr-x 3 mailman mailman 4096 Apr 17 11:35 locks
    >>> drwxrwsr-x 2 mailman mailman 4096 Apr 17 11:15 logs
    >>> drwxrwsr-x 11 mailman mailman 4096 Apr 17 11:16 qfiles
    >>> drwxrwsr-x 2 mailman mailman 4096 Apr 17 11:14 spam
    >>>
    >>> [root@othello archives]# ls -l /var/lib/mailman/archives/
    >>> total 32
    >>> drwxrws--x 198 mailman mailman 12288 May 22 16:03 private
    >>> drwxrwsr-x 2 mailman mailman 4096 May 22 16:03 public

    >> Permissions look OK too.

    What are the permissions on /var/lib/mailman? Are you running SELinux
    or any other 'extra' access controls?

    --
    Mark Sapiro <msapiro at value.net> The highway is for gamblers,
    San Francisco Bay Area, California better use your sense - B. Dylan
  • Michael Berkowski at May 26, 2006 at 5:44 pm
    Hi again Mark,
    >> [root@othello httpd]# tail -n 4 error_log
    >>
    >> [Fri May 26 10:30:33 2006] [error] [client 160.94.15.144] (13)Permission denied: access to /pipermail/minitex-news denied

    > There is a permissions issue somewhere?

    >>>> [root@othello mailman]# ls -l /var/lib/mailman
    >>>> total 68
    >>>> drwxrwsr-x 5 mailman mailman 4096 May 19 11:43 archives
    >>>> drwxrwsr-x 2 mailman mailman 16384 May 26 09:45 data
    >>>> drwxrwsr-x 72 mailman mailman 4096 May 22 16:03 lists
    >>>> drwxrwsr-x 3 mailman mailman 4096 Apr 17 11:35 locks
    >>>> drwxrwsr-x 2 mailman mailman 4096 Apr 17 11:15 logs
    >>>> drwxrwsr-x 11 mailman mailman 4096 Apr 17 11:16 qfiles
    >>>> drwxrwsr-x 2 mailman mailman 4096 Apr 17 11:14 spam
    >>>>
    >>>> [root@othello archives]# ls -l /var/lib/mailman/archives/
    >>>> total 32
    >>>> drwxrws--x 198 mailman mailman 12288 May 22 16:03 private
    >>>> drwxrwsr-x 2 mailman mailman 4096 May 22 16:03 public

    >>> Permissions look OK too.

    > What are the permissions on /var/lib/mailman? Are you running SELinux
    > or any other 'extra' access controls?

    SELinux is running and /var/lib/mailman looks like:
    drwxrwsr-x 9 mailman mailman 4096 Apr 17 15:17 mailman

    I'm pretty well stumped now. I suspect it may have something to do with the
    security on our blogs virtual host. Our head sysad is on vacation this week
    and I've sort of reached my limit of fumbling around. I think I'll just
    have to wait until next week to work it out with him, rather than to begin
    eliminating security features, etc. Anyway, our public archive is rarely
    accessed by anyone -- it can wait.

    Thanks for all your help,
    Michael
    --
    MINITEX Library Information Network
    University of Minnesota
  • Todd Zullinger at May 26, 2006 at 6:03 pm

    Michael Berkowski wrote:
    >> What are the permissions on /var/lib/mailman? Are you running
    >> SELinux or any other 'extra' access controls?
    >
    > SELinux is running and /var/lib/mailman looks like:
    > drwxrwsr-x 9 mailman mailman 4096 Apr 17 15:17 mailman

    With SELinux, you also often want to see the security context. The -Z
    option to ls does this. On my FC5 system, /var/lib/mailman has:

    drwxrwsr-x root mailman system_u:object_r:mailman_data_t /var/lib/mailman/

    And to check if SELinux is the reason you're getting errors, you need
    to look in /var/log/messages (or /var/log/audit/audit.log if the audit
    daemon is installed).

    Of course, reading the avc denial messages is the kind of black voodoo
    that makes Apache's mod_rewrite look like it was written for 5-year-olds. :)

    When I'm in doubt, I turn off SELinux and try the action I was having
    problems with. If it works, you found your problem. From there you'd
    have to modify the SELinux policy or file a bug to have that done.
    I've only just started toying with it, so I'm a long way from knowing
    how to modify policy properly. Anyway, you can use setenforce 0 to
    turn off SELinux temporarily if you want to check that.

    --
    Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
    ======================================================================
    Ever notice that even the busiest people are never too busy to tell
    you just how busy they are?
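Todd's point about reading AVC denial messages, as an added example that is not part of the original thread: a small Python parser that extracts the denied permission, source type and target type from AVC records and summarizes what `httpd_t` was refused. The log lines are constructed for illustration (only `mailman_data_t` appears in the thread), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample records (not from the thread) in the usual AVC denial shape.
SAMPLE_LOG = """\
type=AVC msg=audit(1148657433.101:211): avc:  denied  { search } for  pid=2817 comm="httpd" name="mailman" dev=dm-0 ino=98311 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:mailman_data_t tclass=dir
type=AVC msg=audit(1148657965.554:214): avc:  denied  { search } for  pid=2817 comm="httpd" name="mailman" dev=dm-0 ino=98311 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:mailman_data_t tclass=dir
type=AVC msg=audit(1148658000.010:215): avc:  denied  { read } for  pid=3021 comm="httpd" name="index.html" dev=dm-0 ino=99120 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:mailman_data_t tclass=file
type=SYSCALL msg=audit(1148658000.010:215): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
May 26 10:44:05 host kernel: audit(1148658245.900:0): avc:  denied  { getattr } for  pid=3100 comm="crond" name="x" dev=dm-0 ino=5 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:tmp_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; policy rules match on the type.
    for side in ("scontext", "tcontext"):
        parts = fields.get(side, "").split(":")
        fields[side[0] + "type"] = parts[2] if len(parts) >= 3 else None
    return fields

def summarize(log_text, source_type="httpd_t"):
    """Count denials per (target type, object class, permission) for one domain."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["stype"] == source_type:
            for perm in rec["perms"]:
                counts[(rec["ttype"], rec.get("tclass"), perm)] += 1
    return counts

def explain(counts, source_type="httpd_t"):
    return [f"{source_type} was denied '{perm}' on {tclass} labelled {ttype} ({n}x)"
            for (ttype, tclass, perm), n in sorted(counts.items())]

if __name__ == "__main__":
    for line in explain(summarize(SAMPLE_LOG)):
        print(line)
```

Each summary line names the type pair and permission the policy would have to allow, which is the information needed when relabelling files or filing a policy bug.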
  • Mark Sapiro at May 26, 2006 at 7:06 pm

    Michael Berkowski wrote:
    > SELinux is running and /var/lib/mailman looks like:
    > drwxrwsr-x 9 mailman mailman 4096 Apr 17 15:17 mailman

    I think it may involve the SELinux security policies. You can check
    this out by temporarily turning off SELinux. You can find information
    on this by searching the archives of this list for 'selinux' (see
    <http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.018.htp>).

    --
    Mark Sapiro <msapiro at value.net> The highway is for gamblers,
    San Francisco Bay Area, California better use your sense - B. Dylan
  • Michael Berkowski at May 26, 2006 at 8:39 pm
    Hi Mark,

    You're right, SELinux is the cause. Disabling it allows access to the
    public archives. I'll have to find out if Red Hat has an updated security
    policy to deal with this, or I'll have to start rolling my own.

    Thanks again,
    Michael
    ---
    MINITEX Library Information Network / MnLINK
    University of Minnesota
    -----Original Message-----
    From: Mark Sapiro [mailto:msapiro at value.net]
    Sent: Friday, May 26, 2006 2:06 PM
    To: Michael Berkowski; mailman-users at python.org
    Subject: RE: [Mailman-Users] Permissions on public archives (apache 403)

    Michael Berkowski wrote:
    > SELinux is running and /var/lib/mailman looks like:
    > drwxrwsr-x 9 mailman mailman 4096 Apr 17 15:17 mailman

    I think it may involve the SELinux security policies. You can check
    this out by temporarily turning off SELinux. You can find information
    on this by searching the archives of this list for 'selinux' (see
    <http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.018.htp>).

    --
    Mark Sapiro <msapiro at value.net> The highway is for gamblers,
    San Francisco Bay Area, California better use your sense - B. Dylan
  • Steve Quezadas at May 29, 2006 at 6:06 pm
    Hello,

    I notice that when I send an email to mailman, it adds an extra "Cc:"
    header to the mail. I am looking under the options in the mailman
    configurator and can't seem to find a way to remove this. I can't use
    maildrop/xfilter/reformail either to remove the header because it adds
    the header AFTER my mta transfers the message to mailman.

    Any way to remove this line?

    - Steve
  • Mark Sapiro at May 29, 2006 at 7:03 pm

    Steve Quezadas wrote:
    > I notice that when I send an email to mailman, it adds an extra "Cc:"
    > header to the mail. I am looking under the options in the mailman
    > configurator and can't seem to find a way to remove this. I can't use
    > maildrop/xfilter/reformail either to remove the header because it adds
    > the header AFTER my mta transfers the message to mailman.
    >
    > Any way to remove this line?

    This is a bug that was fixed in 2.1.6. If you are running pre-2.1.6
    Mailman and are unable to upgrade, you can fix this by changing the
    last few lines of Mailman/Handlers/AvoidDuplicates.py from

    # RFC 2822 specifies zero or one CC header
    del msg['cc']
    msg['Cc'] = COMMASPACE.join([formataddr(i) for i in
                                 ccaddrs.values()])

    to

    # RFC 2822 specifies zero or one CC header
    del msg['cc']
    if ccaddrs:
        msg['Cc'] = COMMASPACE.join([formataddr(i) for i in
                                     ccaddrs.values()])


    Note in each of the above fragments, the last line is wrapped by my MUA.

    --
    Mark Sapiro <msapiro at value.net> The highway is for gamblers,
    San Francisco Bay Area, California better use your sense - B. Dylan
