Nginx security problem

Michael Shadle mike503 at gmail.com
Sat Dec 5 21:26:11 MSK 2009


Note this has gotten wayyyy OT.

On Sat, Dec 5, 2009 at 3:20 AM, Steve <steeeeeveee at gmx.net> wrote:

>> mailman is a pain in the ass to install,
>>
> Mailman is not hard to install. Normally you just execute one command from your distro and the package is installed. Configuration is another issue.

Sorry you're right. "Installing" it to me means not just unpacking or
apt-getting but also getting it initially setup.

> And why is that an issue? You normally don't mess with the installed files. You just edit mm_cfg.py and that's it.

Whenever you need to migrate? Ever had to migrate a mailman install
from one server to another? What about one distro to another? With
different paths on each machine?

> All fine and dandy for a web application. But mailman can run without a web server.

Sure, it can, as will mine. But the easiest way to manage everything
will be from a web UI, and nowadays, who really makes a fuss about
having to use a web UI? :)

>> upload the files, run an installer, MySQL as a backend for the user
>> list, configuration details, etc.
>>
> I like the approach from mailman. I can just install it and configure with a simple text file all my initial options, then just glue it together with my MTA of choice and that's it. Okay. Doing the whole user management and list management and configuration management from the command line is not the best choice but it's possible. I do use both. And to be honest: Once you have configured mailman then you don't touch the configuration in years. You just manage everything from the web interface. So be honest: How many times have you needed to go on the server and change options in the command line for mailman after you have installed and configured it?

Well, I've had to run it in a "high-security" mode where I stripped
out attachments and some other stuff and the options to do this were
quite confusing. I was almost too scared to allow it to be used, as it
could have cost all of us our jobs for using it if any confidential
document got attached and somehow snuck through.

However, yes, all that was done before deployment, but it also did not
give me a lot of confidence if post-deployment we found a small glitch
and had to go into panic mode to see if it could be fixed.

Regarding the one file of changes, I have tried that route and it
still didn't seem to get it all right for me. Maybe I was doing it
wrong but that's the whole point of it. Why would something as simple
as editing a configuration file be difficult or wrong?

> Oh boy. If the command line is a problem for you then I ask myself how you manage to use nginx? Or things like Postfix, Dovecot, Cyrus, Courier, Sendmail, QMail, etc... Are you aiming to get those web based as well?

Honestly, I've thought about a web-based nginx UI, mainly to make it
easier to manage clusters. But think about it this way. Do you need to
run a bunch of command line tools to make postfix work? Or nginx? Not
really: install, configure a couple of config files, and you can start it
up and it's useful. Not some bin/newlist and then weird bin/withlist
-i -l stuff to alter it later. Depending on the distro, the binaries
are in different places, etc.

> Don't get me wrong. If you redo mailman in PHP and make it sexy, fast, AJAX GUI, etc... I am sure going to use it. But I myself would not invest time in doing that. Mailman just works and I don't see any significant benefit in having it in PHP and using a super duper Web UI. It would probably look nicer but it would not reduce my list management time by factors. Maybe today I have about 1 to 15 minutes that I need for managing the handful of lists that I do manage. And I don't think a modern Web UI for mailman would reduce that.

I'm glad you'll be a user. :)

It sounds like you have a fine grip on mailman, but I am tired of
having to deal with the pain of configuration and such and the little
tweaks here and there. I would like to re-work it to emulate a more
modern style of package like WP, Drupal, phpList, etc.

I understand it takes effort. I have already listed the job on a
couple of freelance sites. I believe I already have an extremely talented
coder who is familiar with mailman and MTAs and everything in between
and would love to get some open source credibility. So the main thing
for me is - do I want to invest my own personal money into the
project? I think so. There's a decent-sized market and not a lot of
options; in that short list I made, a couple of the options haven't even
been touched in years. Since then there have been adaptations of things
like SPF records and domain keys and such which may or may not be
useful things to be implemented.

Also the source code will be freely available and written in PHP,
which will have a large audience of people who can contribute and
enhance it and keep it alive. Worst case, it goes nowhere, but at
least I'm giving it a shot. I know a few places I can implement it
quite easily and it will help gain some traction immediately.

Funny, when looking at it quickly, I just noticed this bug with mailman:
https://bugs.launchpad.net/mailman/+bug/490114
:)



More information about the nginx mailing list