Add mailman3.

states/email/aliases/aliases

@@ -0,0 +1,44 @@
+# /etc/aliases
+mailer-daemon: postmaster
+postmaster: root
+nobody: root
+hostmaster: root
+usenet: root
+news: root
+webmaster: root
+www: root
+www-data: root
+ftp: root
+abuse: root
+noc: root
+security: root
+
+root:jim@lunch.org.uk
+
+alexandra: alex
+alexandra.hague: alex
+bunny: alex
+ali: alex
+ali.hague: alex
+jim.hague: jim
+heather.james: heather
+chrissie: chrissy
+christina: chrissy
+christina.hague: chrissy
+toby: jim
+fitzroy: jim
+nthague: jim
+
+hannah.farncombe: hannah
+#hannah: hjfarncombe@me.com
+
+wpcc: jim
+
+ryman: jim
+
+parents: jim,heather
+
+jenkins: jim
+
+clamav: root
+monit: root

states/email/aliases/aliases.cowboybuilder.org.uk

@@ -0,0 +1,11 @@
+# This is the aliases file for cryhavoc.org.uk. It does not permit
+# file aliases.
+
+postmaster: root
+root: jim@lunch.org.uk
+mailer-daemon: postmaster
+mail: postmaster
+webmaster: root
+admin: root
+
+woody: jim

states/email/aliases/aliases.cryhavoc.org.uk

@@ -0,0 +1,23 @@
+# This is the aliases file for cryhavoc.org.uk. It does not permit
+# file aliases.
+
+postmaster: root
+root: jim@lunch.org.uk
+mailer-daemon: postmaster
+mail: postmaster
+webmaster: root
+admin: root
+
+info: jim
+
+www-data: jim@lunch.org.uk
+jim: jim@lunch.org.uk
+wiki: jim@lunch.org.uk
+
+bag: louisthurman@gmail.com, jim@lunch.org.uk
+foreman: jim@lunch.org.uk
+dottes: jim@lunch.org.uk
+squire: jim@lunch.org.uk
+treasurer: phm.day202@btinternet.com
+
+privacy: squire,bag

states/email/aliases/aliases.lunch.org.uk

@@ -0,0 +1,77 @@
+# This is the aliases file for lunch.org.uk. It does not permit
+# file and pipe aliases.
+
+postmaster: root
+root: jim
+mailer-daemon: postmaster
+mail: postmaster
+webmaster: root
+
+nas: jim
+
+alexandra: alex
+alexandra.hague: alex
+ali: alex
+bunny: alex
+jim.hague: jim
+heather.james: heather
+chrissie: chrissy
+christina: chrissy
+christina.hague: chrissy
+toby: jim
+fitzroy: jim
+santa: jim
+joybear: jim
+
+#OxLUG
+#oxlug: jim@lunch.org.uk,
+#	leonard.ian@gmail.com,
+#	ian@smallworld.cx,
+#	phil@kantaka.co.uk,
+#	hubert@oxyware.com,
+#	tim.pizey@gmail.com,
+#	entity@danny.id.au,
+#	robertbentall@gmail.com,
+#	chris@griggs.me.uk,
+#	nicholas.cole@history.ox.ac.uk,
+#	dom@earth.li,
+#	deya_sanchez@oslerdiagnostics.com,
+#	james@inkblotsoftware.com
+
+# MHCC 
+mhcc-all: jim@bear-cave.org.uk,
+		MarlbHCricket@aol.com,
+		martin@italy-update.demon.co.uk,
+		em_dom@hotmail.com,
+		gurmej.lal@siemens.com,
+		Huw.Leggate@Jet.uk,
+		Karen.Carroll@oxmhc-tr.nhs.uk,
+		jondunkley@aol.com,
+		Marni786ms@hotmail.com,
+		Mike.Reeves@wallingfordsoftware.com,
+		mitchell_fraser-jones@hen.invesco.com,
+		Sally.Moore@oxon.blackwellpublishing.com,
+		sureshp@sterilox.com,
+		mshelloxford@yahoo.com,
+		owenslat@hotmail.com,
+		sundancekid69@Hotmail.com,
+		bigash51@yahoo.co.uk,
+		andrewlines@O2.co.uk,
+		willsyboy3@hotmail.com,
+		Richard.Body@WallingfordSoftware.com,
+		abastin@oxford.gov.uk,
+		Andrew.Land@atkinsglobal.com,
+		gwyn.jones@aeat.co.uk,
+		Paul.Henley@Man.ac.uk,
+		alberto.behar@nuffield.oxford.ac.uk,
+		jeremy.bowell@oup.com,
+		richard.coggins@magdalen.oxford.ac.uk,
+		gwyn.jones@aeat.co.uk,
+		alistair.james@eng.ox.ac.uk
+
+
+# MHCC SMS
+mhcc-sms: bcb7049f07f4c44cbc6497aa81f92b@dist.aql.com
+
+jane: janestannard@hotmail.com
+#jane: jim@lunch.org.uk, janestannard@hotmail.com

states/email/dovecot_local.conf

@@ -18,3 +18,10 @@ protocol imap {
   mail_max_userip_connections = 40
 }
 
+# Allow client auth to exim4.
+service auth {
+    unix_listener auth-client {
+    mode = 0660
+    group = Debian-exim
+  }
+}

states/email/exim4/conf.d/router/180_srs

@@ -1,20 +1,40 @@
-  outbound:
+fdef SRS_SECRET
+
+  .ifdef DCconfig_internet
+
+  outbound_srs:
+    debug_print = "R: SRS outbound for $local_part@$domain original $original_local_part@$original_domain"
     driver =    dnslookup
     # if outbound, and forwarding has been done, use an alternate transport
     domains =   ! +local_domains
-    transport = ${if eq {$local_part@$domain} \
+    condition = ${if !eq {$local_part@$domain} \
-                        {$original_local_part@$original_domain} \
+                         {$original_local_part@$original_domain}}
-                     {remote_smtp} {remote_forwarded_smtp}}
+    transport = {remote_forwarded_smtp}
 
+  .elifdef DCconfig_smarthost DCconfig_satellite
+
+  outbound_srs_smarthost:
+    debug_print = "R: SRS outbound smarthost for $local_part@$domain original $original_local_part@$original_domain"
+    driver =    dnslookup
+    # if outbound, and forwarding has been done, use an alternate transport
+    domains =   ! +local_domains
+    condition = ${if !eq {$local_part@$domain} \
+                         {$original_local_part@$original_domain}}
+    transport = {remote_forwarded_smtp_smarthost}
+
+  .endif
+  
   inbound_srs:
+    debug_print = "R: inbound_srs for $local_part@$domain"
     driver =    redirect
     senders =   :
     domains =   +local_domains
     # detect inbound bounces which are SRS'd, and decode them
     condition = ${if inbound_srs {$local_part} {SRS_SECRET}}
     data =      $srs_recipient
-
+  
   inbound_srs_failure:
+    debug_print = "R: inbound_srs_failure for $local_part@$domain"
     driver =    redirect
     senders =   :
     domains =   +local_domains
@@ -22,3 +42,5 @@
     condition = ${if inbound_srs {$local_part} {}}
     allow_fail
     data =      :fail: Invalid SRS recipient address
+
+.endif

states/email/exim4/conf.d/transport/32_srs

@@ -1,7 +0,0 @@
-  # transport; should look like the non-forward outbound
-  # one, plus the max_rcpt and return_path options
-  remote_forwarded_smtp:
-    driver =              smtp
-    # modify the envelope from, for mails that we forward
-    max_rcpt =            1
-    return_path =         ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}

states/email/exim4/conf.d/transport/32_srs_remote_smtp

@@ -0,0 +1,62 @@
+# transport; should look like the non-forward outbound
+# one, plus the max_rcpt and return_path options
+remote_forwarded_smtp:
+  debug_print = "T: remote_forwarded_smtp for $local_part@$domain original domain $original_domain"
+  driver =              smtp
+  # modify the envelope from, for mails that we forward
+  max_rcpt =            1
+  return_path =         ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}
+.ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
+  message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+.endif
+.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
+  hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
+.endif
+.ifdef REMOTE_SMTP_HEADERS_REWRITE
+  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
+.endif
+.ifdef REMOTE_SMTP_RETURN_PATH
+  return_path = REMOTE_SMTP_RETURN_PATH
+.endif
+.ifdef REMOTE_SMTP_HELO_DATA
+  helo_data=REMOTE_SMTP_HELO_DATA
+.endif
+.ifdef REMOTE_SMTP_INTERFACE
+  interface = REMOTE_SMTP_INTERFACE
+.endif
+.ifdef DKIM_DOMAIN
+dkim_domain = DKIM_DOMAIN
+.endif
+.ifdef DKIM_SELECTOR
+dkim_selector = DKIM_SELECTOR
+.endif
+.ifdef DKIM_PRIVATE_KEY
+dkim_private_key = DKIM_PRIVATE_KEY
+.endif
+.ifdef DKIM_CANON
+dkim_canon = DKIM_CANON
+.endif
+.ifdef DKIM_STRICT
+dkim_strict = DKIM_STRICT
+.endif
+.ifdef DKIM_SIGN_HEADERS
+dkim_sign_headers = DKIM_SIGN_HEADERS
+.endif
+.ifdef DKIM_TIMESTAMPS
+dkim_timestamps = DKIM_TIMESTAMPS
+.endif
+.ifdef TLS_DH_MIN_BITS
+tls_dh_min_bits = TLS_DH_MIN_BITS
+.endif
+.ifdef REMOTE_SMTP_TLS_CERTIFICATE
+tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE
+.endif
+.ifdef REMOTE_SMTP_PRIVATEKEY
+tls_privatekey = REMOTE_SMTP_PRIVATEKEY
+.endif
+.ifdef REMOTE_SMTP_HOSTS_REQUIRE_TLS
+  hosts_require_tls = REMOTE_SMTP_HOSTS_REQUIRE_TLS
+.endif
+.ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
+  headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
+.endif

states/email/exim4/conf.d/transport/32_srs_remote_smtp_smarthost

@@ -0,0 +1,51 @@
+# transport; should look like the non-forward outbound
+# one, plus the max_rcpt and return_path options
+remote_forwarded_smtp_smarthost:
+  debug_print = "T: remote_forwarded_smtp_smarthost for $local_part@$domain original domain $original_domain"
+  driver =              smtp
+  # modify the envelope from, for mails that we forward
+  max_rcpt =            1
+  return_path =         ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}
+  multi_domain
+.ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
+  message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+.endif
+  hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
+        {\
+        ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
+        }\
+        {} \
+      }
+.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
+  hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
+  hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
+  tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
+  tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
+.endif
+.ifdef REMOTE_SMTP_HEADERS_REWRITE
+  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
+.endif
+.ifdef REMOTE_SMTP_RETURN_PATH
+  return_path = REMOTE_SMTP_RETURN_PATH
+.endif
+.ifdef REMOTE_SMTP_HELO_DATA
+  helo_data=REMOTE_SMTP_HELO_DATA
+.endif
+.ifdef TLS_DH_MIN_BITS
+tls_dh_min_bits = TLS_DH_MIN_BITS
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
+tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY
+tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY
+.endif
+.ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
+  headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
+.endif

states/email/init.sls

@@ -2,3 +2,4 @@ include:
   - email/dovecot
   - email/rspamd
   - email/exim4
+  - email/mailboxes

states/email/mailboxes.sls

@@ -0,0 +1,48 @@
+# Mailboxes that need to exist, and supporting files.
+
+heather:
+  group.present:
+    - gid: 1001
+  user.present:
+    - fullname: 'Heather James'
+    - home: /home/heather
+    - shell: /bin/bash
+    - uid: 1001
+    - gid: 1001
+
+alex:
+  group.present:
+    - gid: 1002
+  user.present:
+    - fullname: 'Alexandra Hague'
+    - home: /home/alex
+    - shell: /bin/bash
+    - uid: 1002
+    - gid: 1002
+
+chrissy:
+  group.present:
+    - gid: 1003
+  user.present:
+    - fullname: 'Christina Hague'
+    - home: /home/chrissy
+    - shell: /bin/bash
+    - uid: 1003
+    - gid: 1003
+
+hannah:
+  group.present:
+    - gid: 1007
+  user.present:
+    - fullname: 'Hannah Farncombe'
+    - home: /home/hannah
+    - shell: /bin/bash
+    - uid: 1005
+    - gid: 1007
+
+email_aliases:
+  file.recurse:
+    - name: /etc
+    - file_mode: '0644'
+    - source: salt://email/aliases
+

states/mailman/etc/mailman-web.py

@@ -0,0 +1,190 @@
+# This file is imported by the Mailman Suite. It is used to override
+# the default settings from /usr/share/mailman3-web/settings.py.
+
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = 'PMjOqXpDCJkloOvDJoutsV4ZqNNzI8hXyLN6KCLalLresPaA'
+
+ADMINS = (
+     ('Mailman Suite Admin', 'root@localhost'),
+)
+
+# Hosts/domain names that are valid for this site; required if DEBUG is False
+# See https://docs.djangoproject.com/en/1.8/ref/settings/#allowed-hosts
+# Set to '*' per default in the Deian package to allow all hostnames. Mailman3
+# is meant to run behind a webserver reverse proxy anyway.
+ALLOWED_HOSTS = [
+    #"localhost",  # Archiving API from Mailman, keep it.
+    # "lists.your-domain.org",
+    # Add here all production URLs you may have.
+    '*'
+]
+
+# Mailman API credentials
+MAILMAN_REST_API_URL = 'http://localhost:8001'
+MAILMAN_REST_API_USER = 'restadmin'
+MAILMAN_REST_API_PASS = 'JLXqquLV2xJyuC9XpwuGrg9wVnrADgc8LA4UKdGXFudEJ5FM'
+MAILMAN_ARCHIVER_KEY = 'yecyDwdMl5Sl5LnIfQbLWdhlpEeNGSUx'
+MAILMAN_ARCHIVER_FROM = ('127.0.0.1', '::1')
+
+# Application definition
+
+INSTALLED_APPS = (
+    'hyperkitty',
+    'postorius',
+    'django_mailman3',
+    # Uncomment the next line to enable the admin:
+    'django.contrib.admin',
+    # Uncomment the next line to enable admin documentation:
+    # 'django.contrib.admindocs',
+    'django.contrib.auth',
+    'django.contrib.contenttypes',
+    'django.contrib.sessions',
+    'django.contrib.sites',
+    'django.contrib.messages',
+    'django.contrib.staticfiles',
+    'rest_framework',
+    'django_gravatar',
+    'compressor',
+    'haystack',
+    'django_extensions',
+    'django_q',
+    'allauth',
+    'allauth.account',
+    'allauth.socialaccount',
+    #'django_mailman3.lib.auth.fedora',
+    #'allauth.socialaccount.providers.openid',
+    #'allauth.socialaccount.providers.github',
+    #'allauth.socialaccount.providers.gitlab',
+    #'allauth.socialaccount.providers.google',
+    #'allauth.socialaccount.providers.facebook',
+    #'allauth.socialaccount.providers.twitter',
+    #'allauth.socialaccount.providers.stackexchange',
+)
+
+
+# Database
+# https://docs.djangoproject.com/en/1.8/ref/settings/#databases
+
+DATABASES = {
+    'default': {
+        # Use 'sqlite3', 'postgresql_psycopg2', 'mysql', 'sqlite3' or 'oracle'.
+        'ENGINE': 'django.db.backends.sqlite3',
+        #'ENGINE': 'django.db.backends.postgresql_psycopg2',
+        #'ENGINE': 'django.db.backends.mysql',
+        # DB name or path to database file if using sqlite3.
+        'NAME': '/var/lib/mailman3/web/mailman3web.db',
+        # The following settings are not used with sqlite3:
+        'USER': '',
+        'PASSWORD': '',
+        # HOST: empty for localhost through domain sockets or '127.0.0.1' for
+        # localhost through TCP.
+        'HOST': '',
+        # PORT: set to empty string for default.
+        'PORT': '',
+        # OPTIONS: Extra parameters to use when connecting to the database.
+        'OPTIONS': {
+            # Set sql_mode to 'STRICT_TRANS_TABLES' for MySQL. See
+            # https://docs.djangoproject.com/en/1.11/ref/
+            #     databases/#setting-sql-mode
+            #'init_command': "SET sql_mode='STRICT_TRANS_TABLES'",
+        },
+    }
+}
+
+
+# If you're behind a proxy, use the X-Forwarded-Host header
+# See https://docs.djangoproject.com/en/1.8/ref/settings/#use-x-forwarded-host
+USE_X_FORWARDED_HOST = True
+
+# And if your proxy does your SSL encoding for you, set SECURE_PROXY_SSL_HEADER
+# https://docs.djangoproject.com/en/1.8/ref/settings/#secure-proxy-ssl-header
+# SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+# SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_SCHEME', 'https')
+
+# Other security settings
+# SECURE_SSL_REDIRECT = True
+# If you set SECURE_SSL_REDIRECT to True, make sure the SECURE_REDIRECT_EXEMPT
+# contains at least this line:
+# SECURE_REDIRECT_EXEMPT = [
+#     "archives/api/mailman/.*",  # Request from Mailman.
+#     ]
+# SESSION_COOKIE_SECURE = True
+# SECURE_CONTENT_TYPE_NOSNIFF = True
+# SECURE_BROWSER_XSS_FILTER = True
+# CSRF_COOKIE_SECURE = True
+# CSRF_COOKIE_HTTPONLY = True
+# X_FRAME_OPTIONS = 'DENY'
+
+
+# Internationalization
+# https://docs.djangoproject.com/en/1.8/topics/i18n/
+
+LANGUAGE_CODE = 'en-us'
+
+TIME_ZONE = 'UTC'
+
+USE_I18N = True
+USE_L10N = True
+USE_TZ = True
+
+
+# Set default domain for email addresses.
+EMAILNAME = 'localhost.local'
+
+# If you enable internal authentication, this is the address that the emails
+# will appear to be coming from. Make sure you set a valid domain name,
+# otherwise the emails may get rejected.
+# https://docs.djangoproject.com/en/1.8/ref/settings/#default-from-email
+# DEFAULT_FROM_EMAIL = "mailing-lists@you-domain.org"
+DEFAULT_FROM_EMAIL = 'postorius@{}'.format(EMAILNAME)
+
+# If you enable email reporting for error messages, this is where those emails
+# will appear to be coming from. Make sure you set a valid domain name,
+# otherwise the emails may get rejected.
+# https://docs.djangoproject.com/en/1.8/ref/settings/#std:setting-SERVER_EMAIL
+# SERVER_EMAIL = 'root@your-domain.org'
+SERVER_EMAIL = 'root@{}'.format(EMAILNAME)
+
+
+# Django Allauth
+ACCOUNT_DEFAULT_HTTP_PROTOCOL = "https"
+
+
+#
+# Social auth
+#
+SOCIALACCOUNT_PROVIDERS = {
+    #'openid': {
+    #    'SERVERS': [
+    #        dict(id='yahoo',
+    #             name='Yahoo',
+    #             openid_url='http://me.yahoo.com'),
+    #    ],
+    #},
+    #'google': {
+    #    'SCOPE': ['profile', 'email'],
+    #    'AUTH_PARAMS': {'access_type': 'online'},
+    #},
+    #'facebook': {
+    #   'METHOD': 'oauth2',
+    #   'SCOPE': ['email'],
+    #   'FIELDS': [
+    #       'email',
+    #       'name',
+    #       'first_name',
+    #       'last_name',
+    #       'locale',
+    #       'timezone',
+    #       ],
+    #   'VERSION': 'v2.4',
+    #},
+}
+
+# On a production setup, setting COMPRESS_OFFLINE to True will bring a
+# significant performance improvement, as CSS files will not need to be
+# recompiled on each requests. It means running an additional "compress"
+# management command after each code upgrade.
+# http://django-compressor.readthedocs.io/en/latest/usage/#offline-compression
+COMPRESS_OFFLINE = True
+
+POSTORIUS_TEMPLATE_BASE_URL = 'http://localhost/mailman3/'

states/mailman/etc/mailman.cfg

@@ -0,0 +1,272 @@
+# Copyright (C) 2008-2017 by the Free Software Foundation, Inc.
+#
+# This file is part of GNU Mailman.
+#
+# GNU Mailman is free software: you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free
+# Software Foundation, either version 3 of the License, or (at your option)
+# any later version.
+#
+# GNU Mailman is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# GNU Mailman.  If not, see <http://www.gnu.org/licenses/>.
+
+# This file contains the Debian configuration for mailman.  It uses ini-style
+# formats under the lazr.config regime to define all system configuration
+# options.  See <https://launchpad.net/lazr.config> for details.
+
+
+[mailman]
+# This address is the "site owner" address.  Certain messages which must be
+# delivered to a human, but which can't be delivered to a list owner (e.g. a
+# bounce from a list owner), will be sent to this address.  It should point to
+# a human.
+site_owner: postmaster@lunch.org.uk
+
+# This is the local-part of an email address used in the From field whenever a
+# message comes from some entity to which there is no natural reply recipient.
+# Mailman will append '@' and the host name of the list involved.  This
+# address must not bounce and it must not point to a Mailman process.
+#noreply_address: noreply
+noreply_address: postmaster
+
+# The default language for this server.
+default_language: en
+
+# Membership tests for posting purposes are usually performed by looking at a
+# set of headers, passing the test if any of their values match a member of
+# the list.  Headers are checked in the order given in this variable.  The
+# value From_ means to use the envelope sender.  Field names are case
+# insensitive.  This is a space separate list of headers.
+sender_headers: from from_ reply-to sender
+
+# Mail command processor will ignore mail command lines after designated max.
+email_commands_max_lines: 10
+
+# Default length of time a pending request is live before it is evicted from
+# the pending database.
+pending_request_life: 3d
+
+# How long should files be saved before they are evicted from the cache?
+cache_life: 7d
+
+# A callable to run with no arguments early in the initialization process.
+# This runs before database initialization.
+pre_hook:
+
+# A callable to run with no arguments late in the initialization process.
+# This runs after adapters are initialized.
+post_hook:
+
+# Which paths.* file system layout to use.
+# You should not change this variable.
+layout: debian
+
+# Can MIME filtered messages be preserved by list owners?
+filtered_messages_are_preservable: no
+
+# How should text/html parts be converted to text/plain when the mailing list
+# is set to convert HTML to plaintext?  This names a command to be called,
+# where the substitution variable $filename is filled in by Mailman, and
+# contains the path to the temporary file that the command should read from.
+# The command should print the converted text to stdout.
+html_to_plain_text_command: /usr/bin/lynx -dump $filename
+
+# Specify what characters are allowed in list names.  Characters outside of
+# the class [-_.+=!$*{}~0-9a-z] matched case insensitively are never allowed,
+# but this specifies a subset as the only allowable characters.  This must be
+# a valid character class regexp or the effect on list creation is
+# unpredictable.
+listname_chars: [-_.0-9a-z]
+
+
+[shell]
+# `mailman shell` (also `withlist`) gives you an interactive prompt that you
+# can use to interact with an initialized and configured Mailman system.  Use
+# --help for more information.  This section allows you to configure certain
+# aspects of this interactive shell.
+
+# Customize the interpreter prompt.
+prompt: >>>
+
+# Banner to show on startup.
+banner: Welcome to the GNU Mailman shell
+
+# Use IPython as the shell, which must be found on the system.  Valid values
+# are `no`, `yes`, and `debug` where the latter is equivalent to `yes` except
+# that any import errors will be displayed to stderr.
+use_ipython: no
+
+# Set this to allow for command line history if readline is available.  This
+# can be as simple as $var_dir/history.py to put the file in the var directory.
+history_file:
+
+
+[paths.debian]
+# Important directories for Mailman operation.  These are defined here so that
+# different layouts can be supported.   For example, a developer layout would
+# be different from a FHS layout.  Most paths are based off the var_dir, and
+# often just setting that will do the right thing for all the other paths.
+# You might also have to set spool_dir though.
+#
+# Substitutions are allowed, but must be of the form $var where 'var' names a
+# configuration variable in the paths.* section.  Substitutions are expanded
+# recursively until no more $-variables are present.  Beware of infinite
+# expansion loops!
+#
+# This is the root of the directory structure that Mailman will use to store
+# its run-time data.
+var_dir: /var/lib/mailman3
+# This is where the Mailman queue files directories will be created.
+queue_dir: $var_dir/queue
+# This is the directory containing the Mailman 'runner' and 'master' commands
+# if set to the string '$argv', it will be taken as the directory containing
+# the 'mailman' command.
+bin_dir: /usr/lib/mailman3/bin
+# All list-specific data.
+list_data_dir: $var_dir/lists
+# Directory where log files go.
+log_dir: /var/log/mailman3
+# Directory for system-wide locks.
+lock_dir: $var_dir/locks
+# Directory for system-wide data.
+data_dir: $var_dir/data
+# Cache files.
+cache_dir: $var_dir/cache
+# Directory for configuration files and such.
+etc_dir: /etc/mailman3
+# Directory containing Mailman plugins.
+ext_dir: $var_dir/ext
+# Directory where the default IMessageStore puts its messages.
+messages_dir: $var_dir/messages
+# Directory for archive backends to store their messages in.  Archivers should
+# create a subdirectory in here to store their files.
+archive_dir: $var_dir/archives
+# Root directory for site-specific template override files.
+template_dir: $var_dir/templates
+# There are also a number of paths to specific file locations that can be
+# defined.  For these, the directory containing the file must already exist,
+# or be one of the directories created by Mailman as per above.
+#
+# This is where PID file for the master runner is stored.
+pid_file: /run/mailman3/master.pid
+# Lock file.
+lock_file: $lock_dir/master.lck
+
+
+[database]
+# The class implementing the IDatabase.
+class: mailman.database.sqlite.SQLiteDatabase
+#class: mailman.database.mysql.MySQLDatabase
+#class: mailman.database.postgresql.PostgreSQLDatabase
+
+# Use this to set the Storm database engine URL.  You generally have one
+# primary database connection for all of Mailman.  List data and most rosters
+# will store their data in this database, although external rosters may access
+# other databases in their own way.  This string supports standard
+# 'configuration' substitutions.
+url: sqlite:///$DATA_DIR/mailman.db
+#url: mysql+pymysql://mailman3:mmpass@localhost/mailman3?charset=utf8&use_unicode=1
+#url: postgres://mailman3:mmpass@localhost/mailman3
+
+debug: no
+
+
+[logging.debian]
+# This defines various log settings.  The options available are:
+#
+# - level     -- Overrides the default level; this may be any of the
+#                standard Python logging levels, case insensitive.
+# - format    -- Overrides the default format string
+# - datefmt   -- Overrides the default date format string
+# - path      -- Overrides the default logger path.  This may be a relative
+#                path name, in which case it is relative to Mailman's LOG_DIR,
+#                or it may be an absolute path name.  You cannot change the
+#                handler class that will be used.
+# - propagate -- Boolean specifying whether to propagate log message from this
+#                logger to the root "mailman" logger.  You cannot override
+#                settings for the root logger.
+#
+# In this section, you can define defaults for all loggers, which will be
+# prefixed by 'mailman.'.  Use subsections to override settings for specific
+# loggers.  The names of the available loggers are:
+#
+# - archiver        --  All archiver output
+# - bounce          --  All bounce processing logs go here
+# - config          --  Configuration issues
+# - database        --  Database logging (SQLAlchemy and Alembic)
+# - debug           --  Only used for development
+# - error           --  All exceptions go to this log
+# - fromusenet      --  Information related to the Usenet to Mailman gateway
+# - http            --  Internal wsgi-based web interface
+# - locks           --  Lock state changes
+# - mischief        --  Various types of hostile activity
+# - runner          --  Runner process start/stops
+# - smtp            --  Successful SMTP activity
+# - smtp-failure    --  Unsuccessful SMTP activity
+# - subscribe       --  Information about leaves/joins
+# - vette           --  Message vetting information
+format: %(asctime)s (%(process)d) %(message)s
+datefmt: %b %d %H:%M:%S %Y
+propagate: no
+level: info
+path: mailman.log
+
+[webservice]
+# The hostname at which admin web service resources are exposed.
+hostname: localhost
+
+# The port at which the admin web service resources are exposed.
+port: 8001
+
+# Whether or not requests to the web service are secured through SSL.
+use_https: no
+
+# Whether or not to show tracebacks in an HTTP response for a request that
+# raised an exception.
+show_tracebacks: yes
+
+# The API version number for the current (highest) API.
+api_version: 3.1
+
+# The administrative username.
+admin_user: restadmin
+
+# The administrative password.
+admin_pass: JLXqquLV2xJyuC9XpwuGrg9wVnrADgc8LA4UKdGXFudEJ5FM
+
+[mta]
+# The class defining the interface to the incoming mail transport agent.
+incoming: mailman.mta.exim4.LMTP
+#incoming: mailman.mta.postfix.LMTP
+
+# The callable implementing delivery to the outgoing mail transport agent.
+# This must accept three arguments, the mailing list, the message, and the
+# message metadata dictionary.
+outgoing: mailman.mta.deliver.deliver
+
+# How to connect to the outgoing MTA.  If smtp_user and smtp_pass is given,
+# then Mailman will attempt to log into the MTA when making a new connection.
+smtp_host: localhost
+smtp_port: 25
+smtp_user:
+smtp_pass:
+
+# Where the LMTP server listens for connections.  Use 127.0.0.1 instead of
+# localhost for Postfix integration, because Postfix only consults DNS
+# (e.g. not /etc/hosts).
+lmtp_host: 127.0.0.1
+lmtp_port: 8024
+
+# Where can we find the mail server specific configuration file?  The path can
+# be either a file system path or a Python import path.  If the value starts
+# with python: then it is a Python import path, otherwise it is a file system
+# path.  File system paths must be absolute since no guarantees are made about
+# the current working directory.  Python paths should not include the trailing
+# .cfg, which the file must end with.
+configuration: python:mailman.config.exim4
+#configuration: python:mailman.config.postfix

states/mailman/exim4/conf.d/main/04_local_mailman_macros

@@ -0,0 +1,19 @@
+# The colon-separated list of domains served by Mailman.
+domainlist mm_domains=lunch.org.uk:cryhavoc.org.uk
+
+MM3_LMTP_PORT=8024
+
+# MM3_HOME must be set to mailman's var directory, wherever it is
+# according to your installation.
+MM3_HOME=/var/lib/mailman3
+MM3_UID=list
+MM3_GID=list
+
+################################################################
+# The configuration below is boilerplate:
+# you should not need to change it.
+
+# The path to the list receipt (used as the required file when
+# matching list addresses)
+MM3_LISTCHK=MM3_HOME/lists/${local_part}.${domain}
+

states/mailman/exim4/conf.d/router/970_local_mailman

@@ -0,0 +1,12 @@
+mailman3_router:
+  driver = accept
+  domains = +mm_domains
+  require_files = MM3_LISTCHK
+  local_part_suffix_optional
+  local_part_suffix = \
+     -bounces   : -bounces+* : \
+     -confirm   : -confirm+* : \
+     -join      : -leave     : \
+     -owner     : -request   : \
+     -subscribe : -unsubscribe
+  transport = mailman3_transport

states/mailman/exim4/conf.d/transport/40_local_mailman

@@ -0,0 +1,7 @@
+mailman3_transport:
+  driver = smtp
+  protocol = lmtp
+  allow_localhost
+  hosts = localhost
+  port = MM3_LMTP_PORT
+  rcpt_include_affixes = true

states/mailman/init.sls

@@ -0,0 +1,72 @@
+mailman3:
+  pkg.installed:
+    - pkgs:
+      - mailman3-full
+      - libapache2-mod-proxy-uwsgi
+
+mailman3_conf:
+  file.managed:
+    - names:
+      - /etc/mailman3/mailman.cfg:
+        - source: salt://mailman/etc/mailman.cfg
+        - group: list
+        - mode: 0640
+      - /etc/mailman3/mailman-web.py:
+        - source: salt://mailman/etc/mailman-web.py
+        - group: www-data
+        - mode: 0640
+    - require:
+      - pkg: mailman3
+      - sls: apache
+  service.running:
+    - name: mailman3
+    - restart: true
+    - watch:
+      - file: mailman3_conf
+
+mailman3_exim4_conf:
+  file.recurse:
+    - name: /etc/exim4
+    - dir_mode: '0755'
+    - file_mode: '0644'
+    - source: salt://mailman/exim4
+    - require:
+      - sls: email/exim4
+
+mailman3_exim4_update_conf:
+  cmd.run:
+    - name: update-exim4.conf
+    - onchanges:
+      - file: mailman3_exim4_conf
+
+mailman3_exim4_service:
+  service.running:
+    - name: exim4
+    - reload: true
+    - watch:
+      - cmd: mailman3_exim4_update_conf
+
+mailman3_apache_uwsgi:
+  apache_module.enabled:
+    - name: proxy_uwsgi
+    - require:
+      - pkg: mailman3
+
+mailman3_apache_web:
+  file.managed:
+    - require:
+      - sls: apache
+      - sls: certificates
+    - names:
+      - /etc/apache2/sites-available/lists.lunch.org.uk.conf:
+        - source: salt://mailman/lists.lunch.org.uk.conf
+  apache_site.enabled:
+    - require:
+      - file: /etc/apache2/sites-available/lists.lunch.org.uk.conf
+    - name: lists.lunch.org.uk
+  service.running:
+    - name: apache2
+    - reload: true
+    - watch:
+      - file: /etc/apache2/sites-available/lists.lunch.org.uk.conf
+

states/mailman/lists.lunch.org.uk.conf

@@ -0,0 +1,75 @@
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+        ServerName lists.cryhavoc.org.uk
+
+        ErrorLog /var/log/apache2/lists-error.log
+        CustomLog /var/log/apache2/lists-access.log combined
+
+        RemoteIPProxyProtocol On
+
+	Alias /mailman3/favicon.ico /var/lib/mailman3/web/static/postorius/img/favicon.ico
+	Alias /mailman3/static      /var/lib/mailman3/web/static
+
+	<Directory "/var/lib/mailman3/web/static">
+        	Require all granted
+	</Directory>
+
+	<IfModule mod_proxy_uwsgi.c>
+        	ProxyPass /mailman3/favicon.ico !
+        	ProxyPass /mailman3/static !
+        	ProxyPass / unix:/run/mailman3-web/uwsgi.sock|uwsgi://localhost/
+	</IfModule>
+
+        SSLEngine on
+        SSLCertificateFile /var/local/certificates/lists.lunch.org.uk/fullchain.pem
+        SSLCertificateKeyFile /var/local/certificates/lists.lunch.org.uk/privkey.pem
+</VirtualHost>
+</IfModule>
+
+<VirtualHost *:443>
+        ServerName lists.lunch.org.uk
+
+        ErrorLog /var/log/apache2/lists-error.log
+        CustomLog /var/log/apache2/lists-access.log combined
+
+        RemoteIPProxyProtocol On
+
+        <IfModule rewrite_module>
+                #
+                # This redirects all accesses to the HTTPS version of the site.
+                #
+                RewriteEngine On
+                RewriteRule ^/?(.*) https://lists.cryhavoc.org.uk/$1 [R=301,L]
+        </IfModule>
+
+        SSLEngine on
+        SSLCertificateFile /var/local/certificates/lists.lunch.org.uk/fullchain.pem
+        SSLCertificateKeyFile /var/local/certificates/lists.lunch.org.uk/privkey.pem
+</VirtualHost>
+
+<VirtualHost *:80>
+        ServerName lists.cryhavoc.org.uk
+        ServerAlias lists.lunch.org.uk
+
+        ErrorLog /var/log/apache2/lists-error.log
+        CustomLog /var/log/apache2/lists-access.log combined
+
+        RemoteIPProxyProtocol On
+
+        <Directory /var/www-cryhavoc>
+                Options Indexes FollowSymLinks MultiViews
+                AllowOverride All
+                Order allow,deny
+                allow from all
+                Require all granted
+        </Directory>
+
+        <IfModule rewrite_module>
+                #
+                # This redirects all accesses to the HTTPS version of the site.
+                #
+                RewriteEngine On
+
+                RewriteRule ^/?(.*) https://lists.cryhavoc.org.uk/$1 [R=301,L]
+        </IfModule>
+</VirtualHost>

states/top.sls

@@ -28,5 +28,6 @@ base:
     - gitea
     - jenkins
     - jenkins/worker
+    - mailman
     - mercurial
     - webmail

states/webmail/roundcube_config.inc.php

@@ -53,7 +53,7 @@ $config['smtp_server'] = 'tls://mail.lunch.org.uk';
 
 // SMTP port (default is 25; use 587 for STARTTLS or 465 for the
 // deprecated SSL over SMTP (aka SMTPS))
-$config['smtp_port'] = 587;
+$config['smtp_port'] = 465;
 
 // SMTP username (if required) if you use %u as the username Roundcube
 // will use the current username for login