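---
# Play for the Mailman list server lilac.mail.einfra.hu (serving listserv.niif.hu).
# Role order matters (see the comments in the roles list); the tasks below add
# the few host-specific tweaks that no role covers: ssh_config, the Mailman
# monitoring plugin and the sudoers drop-in that lets NRPE run it as user list.
- hosts: lilac.mail.einfra.hu
  gather_subset: min
  roles:
    # Exim first, otherwise debian-basic pulls in sendmail
    - { role: mailman, tags: mailman }
    - common.debian-basic
    - common.monitored-server
    - common.munin-node
    - common.nevtar
    - common.sudoers
    - common.persistent-journal
    - { role: common.metricbeat, tags: common.metricbeat }
    - { role: common.journalbeat, tags: common.journalbeat }
    # The apache role must come late because it
    # * shares the certificate key with the Debian-exim group and
    # * configures Munin plugins. And role dependencies lead to repeats.
    - { role: apache, tags: apache }
    - { role: common.nftables, tags: common.nftables }
  # Play vars as a single mapping (the list-of-mappings form is deprecated in
  # ansible-core); all keys were unique, so the resulting variables are the same.
  vars:
    nss_cn: listserv.niif.hu
    sudoers: "{{ sudoers_default|union(['aviktor']) }}"
    elastic_template_name: mail
    list_domain: listserv.niif.hu
    munin_extra_packages:
      - munin-plugins-apache
    munin_custom_plugins:
      apache_accesses: apache_accesses
      apache_volume: apache_volume
      apache_process_detail: apache_process_detail
      entropy: entropy
      exim_mailstats: exim_mailstats
      exim_mailqueue: exim_mailqueue
    nrpe_custom_checks:
      check_mail_queue: /usr/lib/nagios/plugins/check_frozen
      check_Mailman: /usr/bin/sudo -u list /usr/lib/nagios/plugins/check_mailman
    # Host firewall policy consumed by common.nftables.
    accept_tcp:
      - ssh
      - https
      - smtp
      - submission
    reject_tcp:
      - auth
      - http
  tasks:
    # This enables TAB completion of host names.
    # Trade-off: with HashKnownHosts off, host names are stored in clear text
    # in known_hosts on this server.
    - name: Disable hashing of known hosts by ssh
      become: true
      lineinfile:
        dest: /etc/ssh/ssh_config
        # Single-quoted so the \t in the character class reaches the regexp unchanged.
        regexp: '^[# \t]*HashKnownHosts[ ]'
        line: " HashKnownHosts no"
      tags: ssh

    - name: Install Mailman-specific monitoring plugins
      become: true
      apt:
        name: monitoring-plugins-mailman
      tags: nrpe

    # Minimal grant: nagios may run exactly one plugin, only as user list.
    # The drop-in is syntax-checked by visudo before it is put in place, so a
    # typo here cannot leave sudo unusable on the host.
    - name: Let NRPE daemon run the Mailman check as user list
      become: true
      copy:
        content: |
          nagios ALL = (list) NOPASSWD: /usr/lib/nagios/plugins/check_mailman
        dest: /etc/sudoers.d/60_nagios_ansible
        owner: root
        group: root
        # Quoted: an unquoted 0440 is parsed as an integer by YAML.
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s
      tags: nrpe

# Then:
# - add IPv6 entry to /etc/hosts
# - set up filesystem for /var/lib/mailman, preferably before installation,
#   but at least do a systemd daemon-reload to enroll it under local-fs.target,
#   otherwise it gets unmounted early and Mailman can't be stopped:
#   Traceback (most recent call last):
#     File "/var/lib/mailman/bin/qrunner", line 278, in <module>
#       main()
#     File "/var/lib/mailman/bin/qrunner", line 238, in main
#       qrunner.run()
#     File "/var/lib/mailman/Mailman/Queue/Runner.py", line 70, in run
#     File "/var/lib/mailman/Mailman/Queue/Runner.py", line 94, in _oneloop
#     File "/var/lib/mailman/Mailman/Queue/Switchboard.py", line 194, in files
#   OSError: [Errno 2] No such file or directory: '/var/lib/mailman/qfiles/commands'
# - dpkg-reconfigure mailman, select en,hu (based on current statistics, these are enough)
# - sudo adduser wferi list
# - /var/lib/mailman/bin/newlist mailman, then as in the old wiki:
#   - Advertise this list when people ask what lists are on this machine? No
#   - Who can view subscription list? List members (probably default)
#   - Is archive file source for public or private archival? private
# - sudo systemctl start mailman
# - mmsitepass (creates /var/lib/mailman/data/adm.pw)
#
# Migration of the Test list:
# - stop exim4, apache2 and mailman services, disable /etc/cron.d/mailman (or do this in the afternoon)
# - wferi@listserv2:/var/lib/mailman$ tar -cvzf /tmp/test.tgz archives/private/test archives/private/test.mbox archives/public/test lists/test
# - wferi@lilac:/var/lib/mailman$ sudo tar -xvf ~/test.tgz
# - no archive regeneration, to keep the URLs (in case of past mbox modifications) and to reduce migration load
#
# Planned migration of all lists except test and mailman (run in a screen session):
# - wferi@lilac:~$ sudo rsync -vaz --super --exclude /lists/test --exclude /lists/mailman --exclude /archives/private/test --exclude /archives/private/test.mbox --exclude /archives/private/mailman --exclude /archives/private/mailman.mbox listserv2.niif.hu:/var/lib/mailman/archives :/var/lib/mailman/data :/var/lib/mailman/lists /var/lib/mailman 2>&1 | tee >(gzip --stdout > rsync.log.gz)
#   rsync+sshd saturates CPU on listserv2?
#   sent 60,490,702 bytes  received 99,447,023,926 bytes  2,841,975.66 bytes/sec
#   total size is 181,666,346,642  speedup is 1.83
#   rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1677) [generator=3.1.3]
#   repeated from 23:04, result:
#   -rw-rw-r-- 1 wferi wferi 11525 Jul  8 00:11 rsync.log.2.gz
#   sent 3,267,532 bytes  received 63,007,941 bytes  16,513.14 bytes/sec
#   total size is 181,679,920,306  speedup is 2,741.28
#   rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1677) [generator=3.1.3]
#   (probably fixed by making nep.mbox.extra readable)
#
# Note:
# - the list of lists depends on the HTTP domain used (internal virtual hosting)
# - hbone-ticketing@listserv.niif.hu sender whitelist makes no sense (wiki changes 32 and 33), omitted
#
# TODO
# - check out https://www.msapiro.net/scripts/
# - route local mail to redirector
# - Why does this show the mailman role twice? Dependency infelicity...
#   ansible-playbook -i inventory listserv.yml -K --check --diff
# - check that outgoing traffic isn't sent to rspamd
# - Namazu
# - test@lista.edu.hu? It works. Would it be worth creating a dedicated router for this domain as well?
# - install auth (ident) daemon
# - skip or fail on rspamd failure?
#   2021-06-09 12:29:36 1lqvSZ-0000oZ-9V spam acl condition: spamd: failed to connect to any address for rspamd.mail.einfra.hu: Connection timed out
#   2021-06-09 12:29:36 1lqvSZ-0000oZ-9V H=noc6.vh.hbone.hu (noc6) [2001:738:0:1:214:22ff:fe13:e172] Warning: ACL "warn" statement skipped: condition test deferred
# - why set MAIN_TLS_VERIFY_CERTIFICATES to /dev/null like listserv2?
#   (an empty CA bundle means peer certificates on outgoing TLS cannot be verified; worth revisiting)
# - check freeze_tell setting (does it work?)
# - check mailman-* forwarding to postmaster (me)
# - why was the system_aliases router moved forward?
# - DEFAULT_CHARSET for the archives
# - MX changes: listserv.niif.hu, ipv6forum.hu
#
# Takeover:
# wferi@lilac:~$ sudoedit /etc/apache2/apache2.conf # catch-all
# wferi@lilac:~$ sudo systemctl reload apache2.service
# wferi@listserv2:~$ sudo service exim4 stop
# [sudo] password for wferi:
# [ ok ] Stopping MTA: exim4_listener.
# wferi@listserv2:~$ sudo service apache2 stop
# [ ok ] Stopping web server: apache2 ... waiting .
# wferi@listserv2:~$ sudo service mailman stop
# [ ok ] Stopping Mailman master qrunner: mailmanctl.
# wferi@listserv2:/etc/cron.d$ sudo mv mailman mailman.disabled
# wferi@lilac:~$ sudo systemctl stop exim4.service
# wferi@lilac:~$ sudo systemctl stop mailman.service
# wferi@pdns1:~$ pdnsutil edit-zone niif.hu
# [...]
# -niif.hu 86400 IN SOA ns2.iif.hu hostmaster.iif.hu 2021070501 43200 7200 172800 3600
# +niif.hu 86400 IN SOA ns2.iif.hu hostmaster.iif.hu 2021071301 43200 7200 172800 3600
# -listserv.niif.hu 300 IN A 193.225.14.155
# +listserv.niif.hu 300 IN A 195.111.92.17
# -listserv.niif.hu 300 IN MX 10 listserv2.niif.hu
# +listserv.niif.hu 300 IN MX 10 lilac.mail.einfra.hu
# -listserv.niif.hu 300 IN AAAA 2001:738:0:701:216:3eff:fe01:0
# +listserv.niif.hu 300 IN AAAA 2001:738:0:415::6
#
# RSYNC
#
# wferi@lilac:~$ sudoedit /etc/apache2/apache2.conf # remove catch-all
# wferi@lilac:~$ sudo systemctl reload apache2.service
# wferi@lilac:~$ sudo systemctl start mailman.service
# wferi@lilac:~$ sudo systemctl start exim4.service
#
# PROBLEMS
#
# listserv2 /etc/aliases contains stuff
# - abuse list is no more
#
# Apache inconsistencies - why not the same size?
# 193.6.168.233 - - [13/Jul/2021:17:26:52 +0200] "GET /mailman/admindb/fekosz HTTP/1.1" 200 5312 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
# 193.6.168.233 - - [13/Jul/2021:17:27:04 +0200] "GET /mailman/admindb/elnokseg HTTP/1.1" 200 1214 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"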