12 files changed, 76 insertions, 20 deletions
diff --git a/examples/README.unsubscribe b/examples/README.unsubscribe
index 3e80e838..3b407960 100644
--- a/examples/README.unsubscribe
+++ b/examples/README.unsubscribe
@@ -3,10 +3,9 @@ Unsubscribe endpoints for mlmmj users (and possibly Mailman, too)
  * examples/unsubscribe.milter filters outgoing messages
    and appends an HTTPS URL to the List-Unsubscribe header.
    This List-Unsubscribe header should point to the PSGI
-  described below.
-  Currently, this is only active for a whitelist of test
-  addresses in /etc/unsubscribe-milter.whitelist
-  with one email address per line.
+  described below.  You may edit the archive_addr sub
+  to disable List-Unsubscribe headers for well-known archiver
+  addresses to prevent saboteurs from stopping archival.
  
  * examples/unsubscribe.psgi is a PSGI which needs to run
    as the mlmmj user with permission to run mlmmj-unsub.
@@ -36,5 +35,5 @@ in /etc/postfix/main.cf:
    # This is not needed for mlmmj since mlmmj uses SMTP:
    # non_smtpd_milters = local:/var/spool/postfix/unsubscribe/unsubscribe.sock
  
-Copyright (C) 2016-2021 all contributors <meta@public-inbox.org>
+Copyright (C) all contributors <meta@public-inbox.org>
  License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
diff --git a/examples/grok-pull.post_update_hook.sh b/examples/grok-pull.post_update_hook.sh
index 77489472..4d303c03 100755
--- a/examples/grok-pull.post_update_hook.sh
+++ b/examples/grok-pull.post_update_hook.sh
@@ -111,7 +111,7 @@ case $cfg_dir in
                          "publicinbox.$inbox_name.infourl" "$url"
          done
          curl -sSfv "$remote_inbox_url"/description >"$inbox_dir"/description
-        echo "I: $inbox_name at $inbox_dir ($addresses) $local_url"
+        echo "# $inbox_name at $inbox_dir ($addresses) $local_url"
          ;;
  esac
  
diff --git a/examples/logrotate.conf b/examples/logrotate.conf
index 4ce08843..fad40cfc 100644
--- a/examples/logrotate.conf
+++ b/examples/logrotate.conf
@@ -18,7 +18,7 @@
                  # systemd users do not need PID files,
                  # only signal the @1 process since the @2 is short-lived
                  # For systemd users, assuming you use two services
-                systemctl kill -s SIGUSR1 public-inbox-httpd@1.service
-                systemctl kill -s SIGUSR1 public-inbox-nntpd@1.service
+                systemctl kill -s SIGUSR1 --kill-who=main \
+                                public-inbox-netd@1.service
          endscript
  }
diff --git a/examples/nginx_proxy b/examples/nginx_proxy
index d8d1e6df..754a4931 100644
--- a/examples/nginx_proxy
+++ b/examples/nginx_proxy
@@ -1,8 +1,14 @@
  # Example NGINX configuration to proxy-pass requests
-# to public-inbox-httpd or to a standalone PSGI/Plack server.
+# to varnish, public-inbox-(httpd|netd) or any PSGI/Plack server.
  # The daemon is assumed to be running locally on port 8001.
  # Adjust ssl certificate paths if you use any, or remove
  # the ssl configuration directives if you don't.
+#
+# Note: public-inbox-httpd and -netd both support HTTPS, but they
+# don't support caching which Varnish provides.  The recommended
+# setup is currently:
+#
+#   (nginx|any-HTTPS-proxy) <-> varnish <-> public-inbox-(httpd|netd)
  server {
          server_name _;
          listen 80;
@@ -14,6 +20,7 @@ server {
                  proxy_set_header    HOST $host;
                  proxy_set_header    X-Real-IP $remote_addr;
                  proxy_set_header    X-Forwarded-Proto $scheme;
+                proxy_buffering off; # lowers response latency
                  proxy_pass          http://127.0.0.1:8001$request_uri;
          }
  
diff --git a/examples/public-inbox-httpd@.service b/examples/public-inbox-httpd@.service
index 73731533..ca68fc7e 100644
--- a/examples/public-inbox-httpd@.service
+++ b/examples/public-inbox-httpd@.service
@@ -19,13 +19,13 @@ After = public-inbox-httpd.socket
  Environment = PI_CONFIG=/home/pi/.public-inbox/config \
  PATH=/usr/local/bin:/usr/bin:/bin \
  TZ=UTC \
+MALLOC_MMAP_THRESHOLD_=131072 \
  PERL_INLINE_DIRECTORY=/tmp/.pub-inline
  
  LimitNOFILE = 30000
  ExecStartPre = /bin/mkdir -p -m 1777 /tmp/.pub-inline
  ExecStart = /usr/local/bin/public-inbox-httpd \
  -1 /var/log/public-inbox/httpd.out.log
-StandardError = syslog
  
  # NonBlocking is REQUIRED to avoid a race condition if running
  # simultaneous services
@@ -33,8 +33,8 @@ NonBlocking = true
  Sockets = public-inbox-httpd.socket
  
  KillSignal = SIGQUIT
-User = nobody
-Group = nogroup
+User = news
+Group = ssl-cert
  ExecReload = /bin/kill -HUP $MAINPID
  TimeoutStopSec = 86400
  KillMode = process
diff --git a/examples/public-inbox-imapd@.service b/examples/public-inbox-imapd@.service
index 300019a8..1aede65d 100644
--- a/examples/public-inbox-imapd@.service
+++ b/examples/public-inbox-imapd@.service
@@ -16,6 +16,8 @@ After = public-inbox-imapd.socket
  [Service]
  Environment = PI_CONFIG=/home/pi/.public-inbox/config \
  PATH=/usr/local/bin:/usr/bin:/bin \
+TZ=UTC \
+MALLOC_MMAP_THRESHOLD_=131072 \
  PERL_INLINE_DIRECTORY=/tmp/.pub-inline
  
  LimitNOFILE = 30000
@@ -24,7 +26,6 @@ ExecStart = /usr/local/bin/public-inbox-imapd -W0 \
  -1 /var/log/public-inbox/imapd.out.log \
  --cert /etc/ssl/certs/news.example.com.pem \
  --key /etc/ssl/private/news.example.com.key
-StandardError = syslog
  
  # NonBlocking is REQUIRED to avoid a race condition if running
  # simultaneous services
@@ -33,7 +34,7 @@ NonBlocking = true
  Sockets = public-inbox-imapd.socket
  
  KillSignal = SIGQUIT
-User = nobody
+User = news
  Group = ssl-cert
  ExecReload = /bin/kill -HUP $MAINPID
  TimeoutStopSec = 86400
diff --git a/examples/public-inbox-netd@.service b/examples/public-inbox-netd@.service
index de5feea6..2e8797ed 100644
--- a/examples/public-inbox-netd@.service
+++ b/examples/public-inbox-netd@.service
@@ -12,9 +12,17 @@ Wants = public-inbox-netd.socket
  After = public-inbox-netd.socket
  
  [Service]
+
+# Setting MALLOC_MMAP_THRESHOLD_=131072 reduces fragmentation by
+# disabling the sliding mmap window in glibc malloc.  For 64-bit systems,
+# LD_PRELOAD for libjemalloc may be added here, instead.  jemalloc is more
+# resistant to fragmentation in long-lived daemons than unconfigured glibc
+# malloc on systems with large VM space.  32-bit systems may be better
+# off sticking with glibc and MALLOC_MMAP_THRESHOLD_.
  Environment = PI_CONFIG=/home/pi/.public-inbox/config \
  PATH=/usr/local/bin:/usr/bin:/bin \
  TZ=UTC \
+MALLOC_MMAP_THRESHOLD_=131072 \
  PERL_INLINE_DIRECTORY=/tmp/.netd-inline
  
  LimitNOFILE = 30000
diff --git a/examples/public-inbox-nntpd@.service b/examples/public-inbox-nntpd@.service
index 56e1cc8f..556cb76f 100644
--- a/examples/public-inbox-nntpd@.service
+++ b/examples/public-inbox-nntpd@.service
@@ -16,6 +16,8 @@ After = public-inbox-nntpd.socket
  [Service]
  Environment = PI_CONFIG=/home/pi/.public-inbox/config \
  PATH=/usr/local/bin:/usr/bin:/bin \
+TZ=UTC \
+MALLOC_MMAP_THRESHOLD_=131072 \
  PERL_INLINE_DIRECTORY=/tmp/.pub-inline
  
  LimitNOFILE = 30000
@@ -24,7 +26,6 @@ ExecStart = /usr/local/bin/public-inbox-nntpd \
  -1 /var/log/public-inbox/nntpd.out.log \
  --cert /etc/ssl/certs/news.example.com.pem \
  --key /etc/ssl/private/news.example.com.key
-StandardError = syslog
  
  # NonBlocking is REQUIRED to avoid a race condition if running
  # simultaneous services
@@ -33,7 +34,7 @@ NonBlocking = true
  Sockets = public-inbox-nntpd.socket
  
  KillSignal = SIGQUIT
-User = nobody
+User = news
  Group = ssl-cert
  ExecReload = /bin/kill -HUP $MAINPID
  TimeoutStopSec = 86400
diff --git a/examples/public-inbox-watch.service b/examples/public-inbox-watch.service
index abb41469..0e4860f7 100644
--- a/examples/public-inbox-watch.service
+++ b/examples/public-inbox-watch.service
@@ -9,8 +9,6 @@ Environment = PI_CONFIG=/home/pi/.public-inbox/config \
  PATH=/usr/local/bin:/usr/bin:/bin
  ExecStart = /usr/local/bin/public-inbox-watch
  
-StandardOutput = syslog
-StandardError = syslog
  ExecReload = /bin/kill -HUP $MAINPID
  # this user must have read access to Maildirs it watches
  User = pi
diff --git a/examples/unsubscribe-milter@.service b/examples/unsubscribe-milter@.service
index eb5dcbe4..a68e6e81 100644
--- a/examples/unsubscribe-milter@.service
+++ b/examples/unsubscribe-milter@.service
@@ -24,7 +24,13 @@ Sockets = unsubscribe-milter.socket
  
  # the corresponding PSGI app needs permissions to modify the
  # mlmmj spool, so we might as well use the same user since
+# they both need to read /home/mlmmj/.unsubscribe.key
  User = mlmmj
  
+# only kill the parent process when using the default Sendmail::PMilter
+# postfork dispatcher, children will die naturally when they're done
+# with a given message.
+KillMode = process
+
  [Install]
  WantedBy = multi-user.target
diff --git a/examples/unsubscribe.milter b/examples/unsubscribe.milter
index 216b0ddd..8c682012 100644
--- a/examples/unsubscribe.milter
+++ b/examples/unsubscribe.milter
@@ -27,6 +27,28 @@ my $crypt = Crypt::CBC->new(-key => $key,
                          -cipher => 'Blowfish');
  $fh = $iv = $key = undef;
  
+my $allow_domains = '/etc/unsubscribe-milter.allow_domains';
+my $ALLOW_DOMAINS;
+if (open my $fh, '<', $allow_domains) {
+        local $/ = "\n";
+        chomp(my @l = <$fh>);
+        die "close: $!" unless eof($fh) && close($fh);
+        my %l = map { lc($_) => 1 } @l;
+        $ALLOW_DOMAINS = \%l;
+} else {
+        warn <<EOM;
+W: open $allow_domains: $! (all domains allowed)
+W: all mlmmj-looking messages will have List-Unsubscribe added,
+W: this is probably not what you want.
+EOM
+}
+
+# only allow users hitting SMTP server locally:
+# Is a config file necessary?  Regexps are ugly for IP addresses
+# but Net::Patricia (or similar) seems like overkill.  Ugly it is:
+my @ALLOW_ADDR = (qr/\A::1\z/, qr/\A127\./);
+my $ALLOW_ADDR = join('|', @ALLOW_ADDR);
+
  my %cbs;
  $cbs{connect} = sub {
          my ($ctx) = @_;
@@ -88,10 +110,24 @@ $cbs{eom} = sub {
          eval {
                  my $priv = $ctx->getpriv;
                  $ctx->setpriv({ header => {}, envrcpt => {} });
-                my @rcpt = keys %{$priv->{envrcpt}};
+
+                # XXX my postfix (3.5.18-0+deb11u1) + Sendmail::PMilter
+                # instance doesn't seem to get {client_addr}, but
+                # {daemon_addr} seems to make sense since I only want it
+                # to apply to users connecting to postfix locally:
+                if ($ALLOW_ADDR) {
+                        my $x = $ctx->getsymval('{daemon_addr}');
+                        return SMFIS_CONTINUE if $x && $x !~ /$ALLOW_ADDR/;
+                }
  
                  # one recipient, one unique HTTP(S) URL
+                my @rcpt = keys %{$priv->{envrcpt}};
                  return SMFIS_CONTINUE if @rcpt != 1;
+                if ($ALLOW_DOMAINS) {
+                        my $addr = $ctx->getsymval('{mail_addr}');
+                        my (undef, $d) = split /\@/, $addr;
+                        return SMFIS_CONTINUE if !$ALLOW_DOMAINS->{$d};
+                }
                  return SMFIS_CONTINUE if archive_addr(lc($rcpt[0]));
  
                  my $unsub = $priv->{header}->{'list-unsubscribe'} || [];
diff --git a/examples/varnish-4.vcl b/examples/varnish-4.vcl
index 5fc202ed..624f6013 100644
--- a/examples/varnish-4.vcl
+++ b/examples/varnish-4.vcl
@@ -28,7 +28,7 @@ sub vcl_recv {
  }
  
  sub vcl_pipe {
-        # By default Connection: close is set on all piped requests by varnish,
+        # By default, Connection: close is set on all piped requests by varnish,
          # but public-inbox-httpd supports persistent connections well :)
          unset bereq.http.connection;
          return (pipe);