Most relevant bit found among Debian bugs:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=669813#36
    The new apache security model requires adding this to the Directory stanza for mailman:
    Require all granted
But that's not particularly detailed, most notably omits mention of /etc/mailman/apache.conf and the <Directory /var/lib/mailman/archives/public/> section within.
Recommended to (mostly) fix mailman 1:2.1.18-2+deb8u1 amd64:
$ diff -U 5 etc/mailman/apache.conf.bug_669813 etc/mailman/apache.conf --- etc/mailman/apache.conf.bug_669813 2016-09-14 23:05:02.000000000 -0700 +++ etc/mailman/apache.conf 2017-07-11 07:01:29.116879436 -0700 @@ -26,10 +26,11 @@ <Directory /var/lib/mailman/archives/public/> Options FollowSymlinks AllowOverride None Order allow,deny Allow from all + Require all granted </Directory> <Directory /usr/share/images/mailman/> AllowOverride None Order allow,deny Allow from all $
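Review bot: In the <Directory /var/lib/mailman/archives/public/> stanza the added "Require all granted" sits beside the retained "Order allow,deny" and "Allow from all", so the block mixes the 2.2-style directives (served by mod_access_compat on 2.4) with the 2.4 one, which the Apache upgrade notes discourage. Either drop the two old lines for a 2.4-only file, or guard each style with <IfModule mod_authz_core.c> and its negation so the file reads unambiguously on both versions. The trailing context also shows <Directory /usr/share/images/mailman/> carrying only "Order allow,deny" / "Allow from all"; it is worth confirming that path is granted by a Require elsewhere in the server configuration, otherwise it needs the same line.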
At least that's the case for Jessie (presently oldstable) ( Debian GNU/Linux 8.8 (jessie) x86_64 mailman 1:2.1.18-2+deb8u1 amd64 apache2 2.4.10-10+deb8u9 amd64 )
I haven't (at least yet) checked to see if there's patch applied yet for newer than mailman 1:2.1.18-2+deb8u1 amd64 that may cover that fix.
In the meantime, for work-around for at least those versions, in Apache configuration, in addition to (which I added):
    Include ../mailman/apache.conf
(or Include /etc/mailman/apache.conf or equivalent)
also add (and if the above is used via Include, use this *after* the above):
    <Directory /var/lib/mailman/archives/public/>
        Options FollowSymlinks
        AllowOverride None
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>

From: "Michael Paoli" Michael.Paoli@cal.berkeley.edu
Subject: Archives now working: BALUG-Test list
Date: Tue, 11 Jul 2017 00:36:28 -0700
Archives are now working. Relevant bit ... I ought (when I get around to it) check if there's bug filed (it may already be fixed even - but not yet to stable).
The missing bit ... I'd (rather than redundantly copied/maintain) used (relative to /etc/apache2):
    Include ../mailman/apache.conf
in file sites-available/Include/temp.balug.org
that was almost all well fine and good (I'd reviewed ./mailman/apache.conf earlier). But it left out one key needed bit, it has:
    <Directory /var/lib/mailman/archives/public/>
        Options FollowSymlinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
but needs:
    <Directory /var/lib/mailman/archives/public/>
        Options FollowSymlinks
        AllowOverride None
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>
My relatively simple fix, add to file sites-available/Include/temp.balug.org
    <Directory /var/lib/mailman/archives/public/>
        Options FollowSymlinks
        AllowOverride None
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>
after:
    Include ../mailman/apache.conf
... Apache doesn't seem to care about the same <Directory /var/lib/mailman/archives/public/> appearing twice, and seems in that case to just use the latter fine,
So ... /etc/mailman/apache.conf should have included but failed to include, in its section:
    <Directory /var/lib/mailman/archives/public/>
the line:
    Require all granted
So ... I think I'd call that a "bug" - even if it's documentation errata. Might be a Debian specific patch needed, as other distributions and/or Apache may have different defaults on that security.
https://temp.balug.org/pipermail/balug-test/2017-July/000004.html
temp.balug.org will in future be moved to lists.balug.org, so that will become:
https://lists.balug.org/pipermail/balug-test/2017-July/000004.html
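An added example, not part of the original post or of the mailman package: a small checker that lists <Directory> stanzas still relying on Order/Allow/Deny with no Require line for the same path, which is the condition described above. The sample fragments, variable names and function names are constructed for illustration; the check is a heuristic that does not follow Include files or account for a Require on a parent directory.

```python
import re

# Constructed fragment modelled on the stanzas quoted above (not the full file).
BEFORE = """\
<Directory /var/lib/mailman/archives/public/>
    Options FollowSymlinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<Directory /usr/share/images/mailman/>
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
"""
# The work-around stanza, placed after the Include as the post describes.
WORKAROUND = """\
<Directory /var/lib/mailman/archives/public/>
    Order allow,deny
    Allow from all
    Require all granted
</Directory>
"""
OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>', re.I)
CLOSE = re.compile(r'^\s*</Directory\s*>', re.I)
LEGACY = re.compile(r'^\s*(Order|Allow|Deny)\b', re.I)   # 2.2-style access control
REQUIRE = re.compile(r'^\s*Require\b', re.I)             # 2.4-style authorization

def scan_directory_blocks(text):
    """Return (path, has_legacy, has_require) per <Directory> block, in order."""
    blocks, current = [], None
    for line in text.splitlines():
        m = OPEN.match(line)
        if m:
            current = [m.group(1), False, False]
        elif CLOSE.match(line) and current:
            blocks.append(tuple(current))
            current = None
        elif current:
            current[1] |= bool(LEGACY.match(line))
            current[2] |= bool(REQUIRE.match(line))
    return blocks

def paths_missing_require(text):
    """Paths with Order/Allow/Deny but no Require in any block for that path (heuristic)."""
    blocks = scan_directory_blocks(text)
    granted = {path for path, _, req in blocks if req}
    return sorted({p for p, legacy, _ in blocks if legacy and p not in granted})
```

Feed it the concatenated text of the site file and the included /etc/mailman/apache.conf; any path it returns should then be checked against the effective configuration before concluding access is denied.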