Updating mailman on Centos 5 due to DMARC

Recently, some major service providers (notably Yahoo, Comcast and AOL) decided to bounce email that did not conform to the DMARC standard. As a side effect, this broke many long-standing configurations for mailing lists. Full details on this can be read elsewhere:

If you’re like me, you have a CentOS 5 machine running mailman. Newer versions of mailman do have patches for this issue, but they seem to be unported to the CentOS 5 line. Version 2.1.9 of mailman is what is available in yum. I do not have the luxury to completely upgrade this box at this time.

So the solution seems to be upgrading mailman by hand. As there don’t seem to be any FAQs on this out there, here is how I did it:

Step 1 – Backup Mailman Content

Stop email and back up your mailman content. Thankfully, mailman saves all the “important” stuff in a directory structure that is portable and easily backed up:

service postfix stop
service mailman stop
cd /var/lib/mailman/
tar cvf ~/mailman-archive.tar lists archives data
tar cvf ~/mailman-config.tar /etc/mailman /etc/aliases

If you have made a custom apache configuration for your mailman by editing the mailman.conf dropped into apache’s conf.d directory, you will want to back that up too.

Step 2 – Remove existing mailman

Here’s where I say “have a backup” and you nod your head without listening. Yum will remove the outdated version of mailman and its configs. But it will leave all the list data in place.

yum remove mailman

In my case, nothing depended on mailman. So it only removed mailman.

If this is not true for you and it wants to remove other things, I would use rpm with “--nodeps” as the removal command.
Be very careful with nodeps. It is an antipattern. Make sure you know what you are doing.

Step 3 – Download and install mailman

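Newer versions of mailman have a dependency on dnspython, and that is not available as a yum package. So you will need to download and compile it. Since --no-check-certificate turns off TLS certificate validation, compare the archive’s checksum with the one published for the release before running setup.py: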

yum install unzip wget
wget --no-check-certificate https://pypi.python.org/packages/source/d/dnspython/dnspython-1.11.1.zip
unzip dnspython-1.11.1.zip
cd dnspython-1.11.1
python setup.py install

Download mailman; compile and install it with CentOS-like settings:

wget http://ftp.gnu.org/gnu/mailman/mailman-2.1.18.tgz
tar xzf mailman-2.1.18.tgz 
cd mailman-2.1.18
./configure --prefix=/var/lib/mailman/ --with-cgi-gid=apache --with-mail-gid=nobody
make
make install

This installs ALL of mailman into /var/lib/mailman.

Previously, CentOS put the binaries in /usr/lib and a few other places, and /var/lib/mailman held only the content of the lists. I am putting everything in /var/lib/mailman so it will be easier to remove if they ever upgrade the yum version of mailman and I want to use that.

So, symlink the old path so everything still works out fine:

cd /usr/lib
ln -s /var/lib/mailman

Step 4 – Permissions, Init.d, and Cron

Check file permissions using mailman’s provided utility:

/usr/lib/mailman/bin/check_perms

If there are file errors, you can use the same util to fix them:

/usr/lib/mailman/bin/check_perms -f

Install and configure the init.d script:

cp -v /var/lib/mailman/scripts/mailman /etc/init.d/
chkconfig mailman on

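Install and configure the cron jobs. Files in /etc/cron.d need a user name between the schedule and the command, which crontab.in does not include, so add the mailman user to each entry after copying: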

cp -v /usr/lib/mailman/cron/crontab.in /etc/cron.d/mailman

Step 5 – Configure Apache

Edit /etc/httpd/conf.d/mailman.conf to look something like this:

ScriptAlias /mailman/ /var/lib/mailman/cgi-bin/
<Directory /var/lib/mailman/cgi-bin/>
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>

Alias /pipermail/ /var/lib/mailman/archives/public/
<Directory /var/lib/mailman/archives/public>
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# Uncomment the following line, replacing www.example.com with your server's
# name, to redirect queries to /mailman to the listinfo page (recommended).

# RedirectMatch ^/mailman[/]*$ http://www.example.com/mailman/listinfo

Step 6 – Log in and configure your lists for DMARC

Restart apache to pick up the new config:

service httpd restart

At this point you should be able to access your lists, see archives, etc. from the web interface.

As with some mailman upgrades, your admin password may have been reset. You can set it from the command line:

/var/lib/mailman/bin/mmsitepass NEWPASSWORD

A password given as an argument ends up in your shell history; run mmsitepass without one and it will prompt for the password instead.

You will need to log into each list’s admin page and, for the “from_is_list” option, select “Munge From.” This changes how the mailing list handles the “From” of each email. Rather than presenting the message as sent by the poster, the list presents it as sent by the list, with a display name something like “Person Name as List Name” or such. Receivers accept this because the message no longer claims to come from the poster’s domain, so that domain’s DMARC policy is not applied to it.

Step 7 – Restart mail

Restart mailman and your MTA:

service mailman start
service postfix start

At this point, your mailing list should be functional. Send a test message and watch maillog to see if it is delivered to any Yahoo recipients.
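
What the “Munge From” setting chosen above changes in a post, and why a DMARC-enforcing receiver then accepts it, as an added example (not Mailman's code and not from the original post). The list name, the addresses, the "via" display-name wording and the two-label organizational-domain shortcut are assumptions for illustration.

```python
from email import message_from_string
from email.utils import formataddr, parseaddr

# Constructed sample post (not real traffic); all addresses are placeholders.
POST = """\
From: Alice Example <alice@yahoo.com>
To: users@lists.example.org
Subject: hello

Hi all.
"""

LIST_NAME, LIST_ADDR = "Users", "users@lists.example.org"  # hypothetical list

def org_domain(domain):
    # Shortcut: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def munge_from(msg):
    """Put the list in From and keep the poster reachable via Reply-To."""
    name, addr = parseaddr(msg["From"])
    del msg["From"]
    msg["From"] = formataddr(("%s via %s" % (name or addr, LIST_NAME), LIST_ADDR))
    if msg["Reply-To"] is None:
        msg["Reply-To"] = addr
    return msg

def dmarc_aligned(msg, authenticated_domains):
    """Relaxed alignment: From's domain must match a domain that passed SPF or DKIM."""
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    return any(org_domain(d) == org_domain(from_domain) for d in authenticated_domains)

def relay_through_list(raw, munge):
    msg = message_from_string(raw)
    # The subject prefix (like a footer) invalidates the poster's DKIM signature.
    msg.replace_header("Subject", "[%s] %s" % (LIST_NAME, msg["Subject"]))
    if munge:
        munge_from(msg)
    # After relaying, only SPF for the list's envelope domain still passes.
    return msg, dmarc_aligned(msg, ["lists.example.org"])

if __name__ == "__main__":
    for munge in (False, True):
        msg, ok = relay_through_list(POST, munge)
        print("munge=%-5s From=%s aligned=%s" % (munge, msg["From"], ok))
```

Without munging, the From domain is still yahoo.com while nothing authenticated for yahoo.com survives the relay, so the poster's reject policy applies; with munging, the From domain is the list's own.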

I hope this helps.

3 Responses to “Updating mailman on Centos 5 due to DMARC”

  1. Joe Pruett says:

    thanks for going through the steps on this. one issue i’ve found is that the crontab has to be changed to include the mailman username, like:

    0 8 * * * mailman /usr/bin/python -S /usr/local/mailman/cron/checkdbs

  2. Joe Pruett says:

    and if you’re running sendmail, the --with-mail-gid should be mail, not nobody.

  3. Phil says:

    Thanks for the heads-up!

    I’ve got a fairly complex virtualized mail setup, so in some cases I am not running on the default users anymore. Great info.
