Is it possible to secure Mailman admin page with Let's Encrypt certificate in Plesk?

  • b_p

    Well, this should be added as a feature similar to securing webmail subdomains. Thus, it should not be too difficult to get this implemented...

  • Alexandr Tumanov

    @b_p Currently, it is not planned to add Mailman support to Let's Encrypt. However, it may be changed in case of votes for this feature on https://plesk.uservoice.com/forums/184549-feature-suggestions

  • b_p

    Well, currently, if you use Let's Encrypt on the main domain as well as for Plesk Panel, this makes it impossible to access the Mailman page!

  • Alexandr Tumanov

    @b_p, could you please clarify the issue in detail?

  • Nick Andriopoulos

    Assuming @b_p has the same issue as me:

    Environment:
    - Latest Onyx release
    - Server hostname myplesk.com
    - Domain example.com
    - Letsencrypt certificate installed for domain and webmail
    - Redirect to HTTPS is enabled
    - Mailman installed and several mailing lists present under example.com

    When accessing the domain lists.example.com, I get redirected to the SSL version, which is broken since I am presented with the LetsEncrypt certificate for the server hostname ( myplesk.com ) instead of the domain ( since lists.example.com is not included as a SAN there ), so I get a net::ERR_CERT_COMMON_NAME_INVALID error and broken SSL icon.

    However, I can move on from that, and use most of the mailman admin interface... until we get to held message moderation. There, the form for moderation has method set to POST, and action set to the plain HTTP version of the page. Thus, when I use the radio buttons to accept/reject messages, the form is submitted to the HTTP endpoint, gets 301'd to the HTTPS version, losing the POST data on the way, and no action is actually registered, making the mailman moderation queue unusable.

    There are hackish ways to go about that (from tampering with mailman config files to injecting browser scripts) but this really should be dealt with by Parallels if you want to actually include Mailman in your offering -- otherwise it's a broken feature.

  • Nick Plekhov

    Hello, @Nick Andriopoulos.

    This feature is not implemented yet, however, there is a feature request on our User Voice Portal.
    Feel free to vote for it, the top-ranked suggestions are likely to be implemented in future releases of Plesk.

    I have updated the article with the link to User Voice Portal so everybody has an opportunity to vote for it.

  • Ray Lutz

    Nick Andriopoulos

    I found the way to fix this. I changed
    absolute=1
    to
    absolute=0

    /usr/lib/mailman/Mailman/Cgi/admin.py

    ```python
    def membership_options(mlist, subcat, cgidata, doc, form):
        # Show the main stuff
        adminurl = mlist.GetScriptURL('admin', absolute=0) #1) RCL 2019-11-26
    ```

  • Ralf Göldner

    It is possible to secure the Mailman pages!

    OK little weird way - but possible:

    1. install mailman via plesk
    2. activate mailing list functionality for your specific domain -> in this case called "ml-domain.com"
    3. remove "lists" CNAME for that domain in DNS config
    4. create new domain with lists.ml-domain.com
    5. secure that domain with e.g. letsencrypt
    6. delete domain files in filemanager for that newly created domain and create a html-file with a meta redirect
      read here to learn how to: https://www.rapidtables.com/web/dev/html-redirect.html
    7. as target for that redirect we'll use again the example domain mentioned above:
      https://lists.ml-domain.com/cgi-bin/mailman/listinfo

    Remember to exchange ml-domain.com with your domain you like to secure your mailman instance!

    ... done ;-)

  • UK Uryu

    Why don't you try this? It seems to be working.

    1. Install Let's Encrypt wildcard certificates.
    2. Go to Home > Subscriptions > example.com > Websites & Domains > Apache & nginx Settings
    3. Add the following directives in the "Additional Apache directives" and "Additional nginx directives" fields.

    "Additional Apache directives" > "Additional directives for HTTPS"*

    ```apache
    ServerAlias "lists.example.com"
    ScriptAlias "/mailman/" "/usr/lib/mailman/cgi-bin/"
    Alias "/icons/" "/usr/lib/mailman/icons/"
    Alias "/pipermail/" "/var/lib/mailman/archives/public/"
    ```

    "Additional nginx directives"

    ```nginx
    server_name lists.example.com;
    ```

    *If you are using nginx, you may not need to set the apache part.

  • Ivan Postnikov

    Hello UK Uryu

    Thank you for sharing an idea.

    It should be helpful for other Pleskians.

  • Ayk

    UK Uryu's solution above has successfully worked for me, only with minor adjustments:

    All I had to do was change some of the paths containing `/usr/lib/mailman/...`  into `/var/lib/mailman/...`

    This is because, on my system (Ubuntu 16 LTS),  the `mailman` suite is split into different locations; and `/var/lib/mailman/` contains symlinks to the actual locations of various types of resources (such as icons, binaries, cgi-bin, ...) in addition to actual variable data, as below:

    So here's what I ended up with for the "Apache directives for HTTPS":

    ```apache
    ServerAlias "lists.example.com"
    ScriptAlias "/mailman/" "/var/lib/mailman/cgi-bin/"
    Alias "/icons/" "/var/lib/mailman/icons/"
    Alias "/pipermail/" "/var/lib/mailman/archives/public/"
    ```

    and the "Additional nginx directives" are the same as given by UK Uryu.

    ```nginx
    server_name lists.example.com;
    ```

     

  • Ayk

    BTW, thanks a lot UK Uryu

    You have just saved me (and perhaps many others) several hours of head scratching at least!

     

  • Ayk

    Ooops. I have spoken too early!

    While UK Uryu's suggestion surely helped, it only solved half of the equation.

    The other half still needed a solution. So I first tried Ray Lutz's suggestion above (namely, absolute=0). That would have been an easy way out (though quite fragile as it would be overwritten by updates to mailman).

    Anyhow, that didn't work for me.

    So, I still had to follow part of the instructions on GNU mailman wiki (https://wiki.list.org/DOC/4.27%20Securing%20Mailman%27s%20web%20GUI%20by%20using%20Secure%20HTTP-SSL%20%28HTTPS%29?action=show&redirect=DOC%2F4.27+Securing+Mailman%27s+web+GUI+by+using+Secure+HTTP-SSL).

    In what follows "$mm_prefix" refers to the mailman installation (which may differ from distro to distro). On my system, I have got:

    ```
    mm_prefix='/var/lib/mailman/'
    ```

    Following that guide, I have:

    1) skipped step 1 -- since I already had the redirection happening after following Uryu's solution and also setting up my domain 'example.com' to redirect http traffic to https (Plesk's SSL-It has that option)

    2) followed step 2, and made the following change in "$mm_prefix/Mailman/mm_cfg.py"

    changed this:

    ```python
    DEFAULT_URL_PATTERN = 'http://%s/mailman/'
    ```

    to:

    ```python
    DEFAULT_URL_PATTERN = 'https://%s/mailman/'
    ```

    3) followed step 3, for each list on the system:

    ```
    $mm_prefix/bin/withlist -l -r fix_url listname -u list_web_domain
    ```

    (this regenerates the web templates for the given list)

    where listname is the name of the list.

    and list_web_domain reflects Plesk's convention, i.e. something like : <lists.example.com>

    Note that, while the above withlist command (in step 3) has a way of being invoked for all lists (by omitting the listname and the list_web_domain given by the -u option), that does NOT work when those lists belong to anywhere but the default hostname. Therefore, that's no good for the typical scenario under Plesk, where lists are created under each customer domain.

    FINALLY) restarted related services:

    ```
    $ sudo /etc/init.d/mailman restart
    $ sudo /etc/init.d/apache2 restart
    $ sudo /etc/init.d/nginx restart
    ```

    ---

    For now, things appear to work as expected, including the aspects mentioned in @Nick Andriopoulos' post.

    That being said, this should just work out of the box with Plesk, or be added as an option to SSL-It (just like for webmail).

     

     

     

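The failure described earlier in this thread (a moderation form served over HTTPS whose POST action is a plain http:// URL) can be checked for after changing DEFAULT_URL_PATTERN and running fix_url. The following is an added example, not part of any comment above and not Mailman or Plesk code; the list name "mylist" and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect (method, action) for every <form> tag in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            # HTML defaults: method=GET, empty action means "this page".
            method = (a.get("method") or "get").upper()
            self.forms.append((method, a.get("action") or ""))


def insecure_post_forms(page_url, html):
    """Return resolved action URLs of POST forms that leave HTTPS.

    A POST sent to http:// and answered with a 301 to https:// is
    replayed by browsers as a GET, so the submitted form data is lost.
    """
    if urlsplit(page_url).scheme != "https":
        raise ValueError("page_url must be the https:// URL the admin uses")
    collector = FormCollector()
    collector.feed(html)
    flagged = []
    for method, action in collector.forms:
        target = urljoin(page_url, action)  # also resolves relative actions
        if method == "POST" and urlsplit(target).scheme == "http":
            flagged.append(target)
    return flagged


# Constructed sample markup (not captured from a real server).
PAGE_URL = "https://lists.example.com/mailman/admindb/mylist"
BEFORE_FIX = '<FORM action="http://lists.example.com/mailman/admindb/mylist" method="POST">'
AFTER_FIX = '<FORM action="https://lists.example.com/mailman/admindb/mylist" method="POST">'
RELATIVE = '<form method="post" action="../admindb/mylist"><input name="x"></form>'

if __name__ == "__main__":
    for label, html in (("before", BEFORE_FIX), ("after", AFTER_FIX), ("relative", RELATIVE)):
        print(label, insecure_post_forms(PAGE_URL, html))
```

Feed it the saved HTML of each list's admin and moderation pages; an empty result means no POST form on that page will cross back to plain HTTP.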
