Getting started

SMTP service integration

The debops.mailman role provides configuration variable for debops.postfix Ansible role which are used in the example playbook. The role supports two modes of integration:

  • virtual: messages to Mailman are passed using a Postfix transport, entire installation uses virtual mail.
  • local: messages to Mailman are passed using local mail aliases.

The virtual mode is used by default. Role does not support changing the mode after a deployment.

Refer to debops.postfix documentation for more details.

HTTP service integration

The role provides configuration for debops.nginx role which will configure the Mailman web interface using nginx and fcgiwrap instance (using debops.fcgiwrap Ansible role). The webserver will be configured with a restricted list of allowed referers, to prevent hijacking of the web interface forms by other sites.

Backscatter prevention

The default Mailman installation is very prone to backscatter attacks. Therefore, debops.mailman will try to reduce this possibility by taking a few measures:

  • some of the mailing list aliases will be disabled by a patch, only -bounces, -confirm, -owner and -request aliases will be present.
  • commands from somebody not on the list sent by e-mail will be silently discarded using a patch. Unfortunately, this prevents registration via e-mail subscribe message, but it was determined that the benefits outweigh the lost functionality. Please, use the webinterface for subscription.
  • monthly reminders about the mailing list membership are disabled.

Mailman source code modifications

This role will configure GNU Mailman on the host using the APT mailman package. The version provided in Debian Wheezy and Debian Jessie packages requires some additional modifications that are provided as source code patches. They will be applied automatically in the source code located in /usr/lib/mailman/ directory (this can be disabled by setting the mailman__patch variable to False).

Modification of the package source code might cause issues during updates, therefore automatic upgrades of the mailman package will be disabled in the unattended-upgrades package using debops.unattended_upgrades Ansible role, if patching is enabled.

To apply the patches manually after an upgrade, you can use the provided Ansible tags, for example:

user@controller:~$ debops service/mailman --tags role::mailman:patch

The above command will check the status of the patches in Mailman source code and apply them if necessary.

Language pack support

The role contains a Bash language pack conversion script which will be executed on changes in language pack configuration. Some of the language packs provided by Debian are stored in wrong encoding (on Debian Wheezy) or contain incorrect encoding information. The script will try to fix that in the enabled languages after language packs are generated; however subsequent mailman package updates will most likely override these changes. To apply them again you can use the provided Ansible tags:

user@controller:~$ debops service/mailman --tags role::mailman:lang

This will re-configure the language pack support in mailman package and apply the conversion script changes if necessary.

Example inventory

To configure Mailman on a host, you need to add it to [debops_service_mailman] Ansible inventory group. Example inventory:

# inventory/hosts

Example playbook

The debops.mailman uses a set of other roles to configure additional services like HTTP and SMTP server. Here's an example playbook with all of the required DebOps services:


- name: Manage Mailman service
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_service_mailman' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'


    - import_role:
        name: 'postfix'
        tasks_from: 'main_env'
      tags: [ 'role::postfix', 'role::secret', 'role::ferm' ]


    - role: keyring
      tags: [ 'role::keyring', 'skip::keyring', 'role::nginx' ]
        - '{{ nginx__keyring__dependent_apt_keys }}'

    - role: secret
      tags: [ 'role::secret', 'role::postfix' ]
        - '{{ postfix__secret__directories }}'

    - role: fcgiwrap
      tags: [ 'role::fcgiwrap', 'skip::fcgiwrap' ]
        - '{{ mailman__fcgiwrap__instance }}'

    - role: unattended_upgrades
      tags: [ 'role::unattended_upgrades', 'skip::unattended_upgrades' ]
      unattended_upgrades__dependent_blacklist: '{{ mailman__unattended_upgrades__dependent_blacklist }}'

    - role: apt_preferences
      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
        - '{{ mailman__apt_preferences__dependent_list }}'
        - '{{ nginx__apt_preferences__dependent_list }}'

    - role: ferm
      tags: [ 'role::ferm', 'skip::ferm' ]
        - '{{ postfix__ferm__dependent_rules }}'
        - '{{ nginx__ferm__dependent_rules }}'

    - role: python
      tags: [ 'role::python', 'skip::python' ]
        - '{{ nginx__python__dependent_packages3 }}'
        - '{{ nginx__python__dependent_packages2 }}'

    - role: postfix
      tags: [ 'role::postfix', 'skip::postfix' ]
        - role: 'mailman'
          config: '{{ mailman__postfix__dependent_maincf }}'

    - role: nginx
      tags: [ 'role::nginx', 'skip::nginx' ]
      nginx__servers: '{{ mailman__nginx__servers }}'

    - role: mailman
      tags: [ 'role::mailman', 'skip::mailman' ]