9 files changed, 785 insertions, 272 deletions
diff --git a/modules/sympa/templates/auth.conf b/modules/sympa/templates/auth.conf
index 220118b5..854fdf9c 100644
--- a/modules/sympa/templates/auth.conf
+++ b/modules/sympa/templates/auth.conf
@@ -1,13 +1,15 @@
 ldap
-        host                            ldap.<%= domain %>:389
+        host                            ldap.<%= domain %>
         timeout                         30
         suffix                          <%= dc_suffix %>
         get_dn_by_uid_filter            (uid=[sender])
-        get_dn_by_email                 (|(mail=[sender])(mailalternateaddress=[sender]))
+        get_dn_by_email_filter          (|(mail=[sender])(mailalternateaddress=[sender]))
         email_attribute                 mail
         scope                           sub
-	use_ssl                         1
-
-user_table
-        regexp                 .*
+        use_tls                         ldaps
+        ssl_version                     tlsv1_2
+        ca_verify                       none
+        bind_dn                         cn=sympa-<%= hostname %>,ou=System Accounts,<%= dc_suffix %>
+        bind_password                   <%= scope.lookupvar("sympa::server::ldap_password") %>
+        authentication_info_url         <%= authentication_info_url %>
 
diff --git a/modules/sympa/templates/config b/modules/sympa/templates/config
new file mode 100644
index 00000000..4262f3ca
--- /dev/null
+++ b/modules/sympa/templates/config
@@ -0,0 +1,103 @@
+
+archive
+period month
+mail_access owner
+<%- if public_archive and not @critical -%>
+web_access public
+<%- else -%>
+web_access private
+<%- end -%>
+
+visibility noconceal
+
+digest 1,4 13:26
+
+<% if subscriber_ldap_group and not subscription_open %>
+# TODO check scenari
+subscribe    closed
+
+unsubscribe  closed
+<% else %>
+subscribe    open_web_only_notify
+
+unsubscribe  open_web_only_notify
+<% end %>
+
+editor
+email listmaster@<%= domain %>
+reception nomail
+gecos Moderator team
+visibility conceal
+
+editor_include
+reception nomail
+source mga-ml_moderators
+visibility conceal
+
+subject <%= subject %>
+
+custom_subject <%= custom_subject %>
+
+<%- if @critical -%>
+info conceal
+
+subscribe auth owner
+
+unsubscribe auth_notify
+
+invite owner
+<% end %>
+
+lang <%= language %>
+
+owner
+gecos Sysadmin team
+reception nomail
+email postmaster@<%= domain %>
+visibility noconceal
+profile normal
+
+owner_include
+profile normal
+visibility conceal
+source mga-sysadmin
+reception nomail
+
+
+<%- if @reply_to -%>
+reply_to_header
+value other_email
+other_email <%= reply_to %>
+apply forced
+<%- end -%>
+
+
+review owner
+
+<% if topics %>
+topics <%= topics %>
+<% end %>
+
+send restricted_<%= @name %>
+
+<% if subscriber_ldap_group %>
+include_ldap_query
+    timeout 10
+    scope one
+    select first
+    ssl_version tlsv1_2
+    ca_verify none
+    use_tls ldaps
+    attrs mail
+    ssl_ciphers ALL
+    passwd <%= scope.lookupvar("sympa::server::ldap_password") %>
+    user cn=sympa-<%= hostname %>,ou=System Accounts,<%= dc_suffix %>
+    suffix ou=People,<%= dc_suffix %>
+    filter (memberOf=cn=<%= subscriber_ldap_group %>,ou=Group,<%= dc_suffix %>)
+    host ldap.<%= domain %>
+
+<% end %>
+
+process_archive on
+
+status open
diff --git a/modules/sympa/templates/data_sources/ldap_group.incl b/modules/sympa/templates/data_sources/ldap_group.incl
new file mode 100644
index 00000000..609a7e42
--- /dev/null
+++ b/modules/sympa/templates/data_sources/ldap_group.incl
@@ -0,0 +1,17 @@
+include_ldap_2level_query
+        host     ldap.<%= domain %>
+        use_tls  ldaps
+        ssl_version tlsv1_2
+        ca_verify none
+        user     cn=sympa-<%= hostname %>,ou=System Accounts,<%= dc_suffix %>
+        passwd   <%= scope.lookupvar("sympa::server::ldap_password") %>
+        suffix1  ou=Group,<%= dc_suffix %>
+        scope1   one
+        filter1  (&(objectClass=groupOfNames)(cn=<%= name %>))
+        attrs1   member
+        select1  all
+        suffix2  [attrs1]
+        scope2   base
+        filter2  (objectClass=inetOrgPerson)
+        attrs2   mail
+        select2  first
diff --git a/modules/sympa/templates/list.xml b/modules/sympa/templates/list.xml
new file mode 100644
index 00000000..74e4f07f
--- /dev/null
+++ b/modules/sympa/templates/list.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" ?>
+<list>
+        <listname><%= name %></listname>
+        <type>discussion_list</type>
+        <subject><%= subject %></subject>
+        <description/>
+        <status>open</status>
+        <language><%= language %></language>
+        <owner_include multiple="1">
+            <source>mga-sysadmin</source>
+        </owner_include>
+        <editor_include multiple="1">
+            <source>mga-ml_moderators</source>
+        </editor_include>
+        <topic><%= topics %></topic>
+</list>
diff --git a/modules/sympa/templates/scenari/sender.restricted b/modules/sympa/templates/scenari/sender.restricted
new file mode 100644
index 00000000..66139e6c
--- /dev/null
+++ b/modules/sympa/templates/scenari/sender.restricted
@@ -0,0 +1,17 @@
+title.gettext restricted list
+
+<%- if @ldap_group -%>
+search(<%= @ldap_group %>.ldap)  smtp,md5,smime  -> do_it
+<%- end -%>
+<%- if @email -%>
+  <%- for e in @email -%>
+equal([sender], '<%= e %>') smtp,md5,smime -> do_it
+  <%- end -%>
+<%- end -%>
+<%- if allow_subscriber -%>
+equal([sender], 'sysadmin@group.mageia.org') smtp,smime,md5 -> do_it
+match([sender], /@mageia\.org$/)     smtp,smime,md5    -> do_it
+is_subscriber([listname],[sender])   smtp,smime,md5    -> do_it
+true()                               smime,md5         -> do_it
+<%- end -%>
+true()                       smtp,md5,smime -> reject(reason='send_subscriber')
diff --git a/modules/sympa/templates/search_filters/group.ldap b/modules/sympa/templates/search_filters/group.ldap
new file mode 100644
index 00000000..884e0db1
--- /dev/null
+++ b/modules/sympa/templates/search_filters/group.ldap
@@ -0,0 +1,9 @@
+host        ldap.<%= domain %>:636
+bind_dn     cn=sympa-<%= hostname %>,ou=System Accounts,<%= dc_suffix %>
+bind_password <%= scope.lookupvar("sympa::server::ldap_password") %>
+use_tls     ldaps
+ssl_version tlsv1_2
+ca_verify   none
+suffix      ou=People,<%= dc_suffix %>
+filter      (&(mail=[sender])(memberOf=cn=<%= name %>,ou=Group,<%= dc_suffix %>))
+scope       sub
diff --git a/modules/sympa/templates/sympa.conf b/modules/sympa/templates/sympa.conf
index a031da03..edfaba15 100644
--- a/modules/sympa/templates/sympa.conf
+++ b/modules/sympa/templates/sympa.conf
@@ -1,293 +1,627 @@
-###\\\\ Directories and file location ////###
+###\\\\ Service description ////###
 
-## Directory containing mailing lists subdirectories
-home    /var/lib/sympa
+## Primary mail domain name
+domain	<%= vhost %>
 
-## Directory for configuration files ; it also contains scenari/ and templates/ directories
-etc     /etc/sympa
+## Email addresses of listmasters
+## Email addresses of the listmasters (users authorized to perform global
+## server commands). Some error reports may also be sent to these addresses.
+## Listmasters can be defined for each virtual host, however, the default
+## listmasters will have privileges to manage all virtual hosts.
+listmaster	listmaster@<%= vhost %>
 
-## File containing Sympa PID while running.
-## Sympa also locks this file to ensure that it is not running more than once. Caution : user sympa need to write access without special privilegee.
-pidfile /var/run/sympa/sympa.pid
+## Default language
+## This is the default language used by Sympa. One of supported languages
+## should be chosen.
+lang	en-US
 
-pidfile_distribute      /var/run/sympa/sympa-distribute.pid
-
-pidfile_creation        /var/run/sympa/sympa-creation.pid
-
-pidfile_bulk    /var/run/sympa/bulk.pid
-
-## Umask used for file creation by Sympa
-umask   027
-
-## Directory containing available NLS catalogues (Message internationalization)
-localedir       /usr/share/locale
-
-## The main spool containing various specialized spools
-## All spool are created at runtime by sympa.pl
-spool   /var/spool/sympa
-
-## Incoming spool
-queue   /var/spool/sympa/msg
-
-## Bounce incoming spool
-queuebounce     /var/spool/sympa/bounce
-
-## Automatic list creation spool
-queueautomatic  /var/spool/sympa/automatic
-
-## 
-queuedigest     /var/spool/sympa/digest
-
-## 
-queuemod        /var/spool/sympa/moderation
-
-## 
-queuetopic      /var/spool/sympa/topic
-
-## 
-queueauth       /var/spool/sympa/auth
-
-## 
-queueoutgoing   /var/spool/sympa/outgoing
-
-## 
-queuetask       /var/spool/sympa/task
-
-## 
-queuesubscribe  /var/spool/sympa/subscribe
-
-## URL to a virtual host.
-http_host       http://domain.tld
-
-## The directory where Sympa stores static contents (CSS, members pictures, documentation) directly delivered by Apache
-static_content_path     /var/lib/sympa/static_content
-
-## The URL mapped with the static_content_path directory defined above
-static_content_url      /static-sympa
-
-###\\\\ Syslog ////###
-
-## The syslog facility for sympa
-## Do not forget to edit syslog.conf
-syslog  mail
+## Supported languages
+## All supported languages for the user interface. Languages proper locale
+## information not installed are ignored.
+supported_lang	en_US
+
+## Title of service
+## The name of your mailing list service. It will appear in the header of web
+## interface and subjects of several service messages.
+title	Mageia Mailing lists service
+
+## Display name of Sympa
+## This parameter is used for display name in the "From:" header field for the
+## messages sent by Sympa itself.
+gecos	SYMPA
+
+## Support of legacy character set
+## If set to "on", enables support of legacy character set according to
+## charset.conf(5) configuration file.
+## In some language environments, legacy encoding (character set) can be
+## preferred for e-mail messages: for example iso-2022-jp in Japanese
+## language.
+legacy_character_support_feature	off
+
+###\\\\ Database related ////###
+
+## Type of the database
+## Possible types are "MySQL", "PostgreSQL", "Oracle", "Sybase" and "SQLite".
+db_type	PostgreSQL
+
+## Hostname of the database server
+## With PostgreSQL, you can also use the path to Unix Socket Directory, e.g.
+## "/var/run/postgresql" for connection with Unix domain socket.
+db_host	pg.<%= domain %>
+
+## Port of the database server
+db_port	5432/tcp
 
-## Communication mode with syslogd is either unix (via Unix sockets) or inet (use of UDP)
-log_socket_type unix
+## Name of the database
+## With SQLite, this must be the full path to database file. With Oracle
+## Database, this must be Oracle SID.
+db_name	sympa
+
+## User for the database connection
+db_user	sympa
+
+## Password for the database connection
+## What ever you use a password or not, you must protect the SQL server (is it
+## not a public internet service ?)
+db_passwd	<%= scope.lookupvar("sympa::server::pgsql_password") %>
+
+## Environment variables setting for database
+## With Oracle Database, this is useful for defining ORACLE_HOME and NLS_LANG.
+# db_env	NLS_LANG=American_America.AL32UTF8;ORACLE_HOME=/u01/app/oracle/product/11.2.0/server
+
+## Database private extension to subscriber table
+## Adds more fields to "subscriber_table" table. Sympa recognizes fields
+## defined with this parameter. You will then be able to use them from within
+## templates and scenarios:
+## * for scenarios: [subscriber->field]
+## * for templates: [% subscriber.field %]
+## These fields will also appear in the list members review page and will be
+## editable by the list owner. This parameter is a comma-separated list.
+## You need to extend the database format with these fields
+# db_additional_subscriber_fields	billing_delay,subscription_expiration
 
-## Log intensity
-## 0 : normal, 2,3,4 for debug
-log_level       0
+## Database private extension to user table
+## Adds more fields to "user_table" table. Sympa recognizes fields defined
+## with this parameter. You will then be able to use them from within
+## templates: [% subscriber.field %]
+## This parameter is a comma-separated list.
+## You need to extend the database format with these fields
+# db_additional_user_fields	age,address
 
-log_smtp        off
+###\\\\ System log ////###
 
-## Number of months that elapse before a log is expired.
-logs_expiration_period  3
+## System log facility for Sympa
+## Do not forget to configure syslog server.
+syslog	mail
 
-###\\\\ General definition ////###
+## Communication mode with syslog server
+log_socket_type	unix
 
-## Main robot hostname
-domain  ml.<%= domain %>
+## Log verbosity
+## Sets the verbosity of logs.
+## 0: Only main operations are logged
+## 3: Almost everything is logged.
+log_level	0
 
-## Listmasters email list comma separated
-## Sympa will associate listmaster privileges to these email addresses (mail and web interfaces). Some error reports may also be sent to these addresses.
-listmaster      listmaster@ml.<%= domain %>
+###\\\\ Receiving ////###
 
-## Local part of sympa email adresse
-## Effective address will be \[EMAIL\]@\[HOST\]
-email   sympa
+## Default maximum number of list members
+## Default limit for the number of subscribers per list (0 means no limit).
+default_max_list_members	0
 
-## Who is able to create lists
-## This parameter is a scenario, check sympa documentation about scenarios if you want to define one
-create_list     public_listmaster
+## Maximum size of messages
+## Incoming messages smaller than this size is allowed distribution by Sympa.
+max_size	5242880
 
-edit_list       owner
+## Reject mail sent from automated services to list
+## Rejects messages that seem to be from automated services, based on a few
+## header fields ("Content-Identifier:", "Auto-Submitted:").
+## Sympa also can be configured to reject messages based on the "From:" header
+## field value (see "loop_prevention_regex").
+reject_mail_from_automates_feature	off
 
-###\\\\ Tuning ////###
+## Priority for command messages
+## Priority applied to messages sent to Sympa command address.
+sympa_priority	1
 
-## Use of binary version of the list config structure on disk: none | binary_file
-## Set this parameter to "binary_file" if you manage a big amount of lists (1000+) ; it should make the web interface startup faster
-cache_list_config       none
+## Priority for messages bound for list owners
+## Priority for processing of messages bound for "LIST-request" address, i.e.
+## owners of the list
+request_priority	0
 
-## Sympa commands priority
-sympa_priority  1
+## Priority for non-VERP bounces
+## Priority for processing of messages bound for "LIST-owner" address, i.e.
+## non-delivery reports (bounces).
+owner_priority	9
 
 ## Default priority for list messages
-default_list_priority   5
-
-## Default timeout between two scheduled synchronizations of list members with data sources.
-default_ttl     3600
-
-## Default timeout between two action-triggered synchronizations of list members with data sources.
-default_distribution_ttl        300
-
-## Default priority for a packet to be sent by bulk.
-sympa_packet_priority   5
-
-request_priority        0
-
-owner_priority  9
-
-## The minimum number of packets in database before the bulk forks to increase sending rate
-## 
-bulk_fork_threshold     1
-
-## The max number of bulks that will run on the same server.
-## 
-bulk_max_count  3
-
-## the number of seconds a slave bulk will remain running without processing a message before it spontaneously dies.
-## 
-bulk_lazytime   600
-
-## The number of seconds a master bulk waits between two packets number checks.
-## Keep it small if you expect brutal increases in the message sending load.
-bulk_wait_to_fork       10
-
-## the number of seconds a bulk sleeps between starting a new loop if it didn't find a message to send.
+## Priority for processing of messages posted to list addresses.
+default_list_priority	5
+
+###\\\\ Sending related ////###
+
+## Header fields to be removed from incoming messages
+## Use it, for example, to ensure some privacy for your users in case that
+## "anonymous_sender" mode is inappropriate.
+## The removal of these header fields is applied before Sympa adds its own
+## header fields ("rfc2369_header_fields" and "custom_header").
+# was remove_headers ARRAY(0x4116e50)
+remove_headers	X-Sympa-To,X-Family-To,Return-Receipt-To,Precedence,X-Sequence,Disposition-Notification-To
+
+## RFC 2369 header fields
+## Specify which RFC 2369 mailing list header fields to be added.
+## "List-Id:" header field defined in RFC 2919 is always added. Sympa also
+## adds "Archived-At:" header field defined in RFC 5064.
+# was rfc2369_header_fields ARRAY(0x4116c88)
+rfc2369_header_fields	help,subscribe,unsubscribe,post,owner,archive
+
+## Default priority for a packet
+## The default priority set to a packet to be sent by the bulk.
+sympa_packet_priority	5
+
+## Fork threshold of bulk daemon
+## The minimum number of packets before bulk daemon forks the new worker to
+## increase sending rate.
+bulk_fork_threshold	1
+
+## Maximum number of bulk workers
+bulk_max_count	3
+
+## Idle timeout of bulk workers
+## The number of seconds a bulk worker will remain running without processing
+## a message before it spontaneously exists.
+bulk_lazytime	600
+
+## Sleep time of bulk workers
+## The number of seconds a bulk worker sleeps between starting a new loop if
+## it didn't find a message to send.
 ## Keep it small if you want your server to be reactive.
-bulk_sleep      1
-
-## Secret used by Sympa to make MD5 fingerprint in web cookies secure
-## Should not be changed ! May invalid all user password
-#cookie 123456789
-
-## If set to "on", enables support of legacy characters
-## 
-legacy_character_support_feature        off
-
-## The default maximum size (in bytes) for messages (can be re-defined for each list)
-max_size        5242880
-
-## comma separated list of operations for which blacklist filter is applied
-## Setting this parameter to "none" will hide the blacklist feature
-use_blacklist   send,create_list
-
-## Specify which rfc2369 mailing list headers to add
-rfc2369_header_fields   help,subscribe,unsubscribe,post,owner,archive
-
-## Specify header fields to be removed before message distribution
-remove_headers  X-Sympa-To,X-Family-To,Return-Receipt-To,Precedence,X-Sequence,Disposition-Notification-To
-
-bounce_warn_rate        30
+bulk_sleep	1
 
-bounce_halt_rate        50
-
-###\\\\ Internationalization ////###
-
-## Default lang (ca | cs | de | el | es | et_EE | en_US | fr | fi | hu | it | ja_JP | ko | nl | nb_NO | oc | pl | pt_BR | ru | sv | tr | vi | zh_CN | zh_TW)
-## This is the default language used by Sympa
-lang    en_US
-
-## Supported languages
-## This is the set of language that will be proposed to your users for the Sympa GUI. Don't select a language if you don't have the proper locale packages installed.
-supported_lang  ca,cs,de,el,es,et_EE,en_US,fr,fi,hu,it,ja_JP,ko,nl,nb_NO,oc,pl,pt_BR,ru,sv,tr,vi,zh_CN,zh_TW
+## Interval between checks of packet numbers
+## Number of seconds a master bulk daemon waits between two packets number
+## checks.
+## Keep it small if you expect brutal increases in the message sending load.
+bulk_wait_to_fork	10
+
+## Path to sendmail
+## Absolute path to sendmail command line utility (e.g.: a binary named
+## "sendmail" is distributed with Postfix).
+## Sympa expects this binary to be sendmail compatible (exim, Postfix, qmail
+## and so on provide it). Sympa also bundles "sympa_smtpc" program which may
+## be a replacement to sendmail binary.
+sendmail	/usr/sbin/sendmail
+
+## Log invocation of sendmail
+## This can be overwritten by "-m" option for sympa.pl.
+log_smtp	off
+
+## Maximum number of sendmail processes
+## Maximum number of simultaneous child processes spawned by Sympa. This is
+## the main load control parameter.
+## Proposed value is quite low, but you can rise it up to 100, 200 or even 300
+## with powerful systems.
+maxsmtp	40
+
+## Maximum number of recipients per call to sendmail
+## This grouping factor makes it possible for the sendmail processes to
+## optimize the number of SMTP sessions for message distribution. If needed,
+## you can limit the number of recipients for a particular domain. Check the
+## "nrcpt_by_domain.conf" configuration file.
+nrcpt	25
+
+## Maximum number of different mail domains per call to sendmail
+avg	10
+
+###\\\\ Privileges ////###
 
-###\\\\ Errors management ////###
+## Who is able to create lists
+## Defines who can create lists (or request list creation) by creating new
+## lists or by renaming or copying existing lists.
+create_list	forbidden
+
+## Use blacklist
+## List of operations separated by comma for which blacklist filter is
+## applied.  Setting this parameter to "none" will hide the blacklist feature.
+use_blacklist	send,create_list
+
+## List of required domains for list owner addresses
+## Restrict list ownership to addresses in the specified domains. This can be
+## used to reserve list ownership to a group of trusted users from a set of
+## domains associated with an organization, while allowing editors and
+## subscribers from the Internet at large.
+# owner_domain	domain1.tld domain2.tld
+
+## Minimum number of list owners that must match owner_domain restriction
+## Minimum number of list owners that must satisfy the owner_domain
+## restriction.  The default of zero (0) means *all* list owners must match.
+## Setting to 1 requires only one list owner to match owner_domain; all other
+## owners can be from any domain. This setting can be used to ensure that
+## there is always at least one known contact point for a mailing list.
+owner_domain_min	0
+
+###\\\\ Archives ////###
+
+## Store distributed messages into archive
+## If enabled, distributed messages via lists will be archived. Otherwise
+## archiving is disabled.
+## Note that even if setting this parameter disabled, past archives will not
+## be removed and will be accessible according to access settings by each
+## list.
+process_archive on
+
+## Path to MHonArc mail-to-HTML converter
+## This is required for HTML mail archiving.
+mhonarc	/usr/bin/mhonarc
+
+# There is a need to protect Sympa website against spambot
+spam_protection		javascript
+
+# The same as spam_protection, but restricted to the web archive.
+web_archive_spam_protection	cookie
+
+###\\\\ Bounce management and tracking ////###
+
+## Default bounce warn rate
+## The list owner receives a warning whenever a message is distributed and the
+## number (percentage) of bounces exceeds this value.
+bounce_warn_rate	30
+
+## Default bounce halt rate
+## NOT USED YET. If bounce rate reaches the halt_rate, messages for the list
+## will be halted, i.e. they are retained for subsequent moderation.
+bounce_halt_rate	50
+
+## Remove bouncing new subscribers
+## If set to unique, the welcome message is sent using a unique return path in
+## order to remove the subscriber immediately in the case of a bounce.
+welcome_return_path	owner
+
+## Remove subscribers bouncing remind message
+## Same as welcome_return_path, but applied to remind messages.
+remind_return_path	owner
+
+## Task for expiration of old bounces
+## This task resets bouncing information for addresses not bouncing in the
+## last 10 days after the latest message distribution.
+expire_bounce_task	daily
+
+###\\\\ Automatic lists ////###
+
+## Definition of automatic list families
+## Defines the families the automatic lists are based on. It is a character
+## string structured as follows:
+## * each family is separated from the other by a semi-column (;)
+## * inside a family definition, each field is separated from the other by a
+## column (:)
+## * each field has the structure: "<field name>=<filed value>"
+## Basically, each time Sympa uses the automatic lists families, the values
+## defined in this parameter will be available in the family object.
+## * for scenarios: [family->name]
+## * for templates: [% family.name %]
+# automatic_list_families	name=family_one:prefix=f1:display=My automatic lists:prefix_separator=+:classes separator=-:family_owners_list=alist@domain.tld;name=family_two:prefix=f2:display=My other automatic lists:prefix_separator=+:classes separator=-:family_owners_list=anotherlist@domain.tld;
+
+## Parsed files for families
+## comma-separated list of files that will be parsed by Sympa when
+## instantiating a family (no space allowed in file names)
+parsed_family_files	message.footer,message.header,message.footer.mime,message.header.mime,info
+
+###\\\\ Tag based spam filtering ////###
+
+## Header field to tag spams
+## If a spam filter (like spamassassin or j-chkmail) add a header field to tag
+## spams, name of this header field (example X-Spam-Status)
+antispam_tag_header_name	X-Spam-Status
+
+## Regular expression to check header field to tag spams
+## Regular expression applied on this header to verify message is a spam
+## (example Yes)
+antispam_tag_header_spam_regexp	^\s*Yes
+
+## Regular expression to determine spam or ham.
+## Regular expression applied on this header field to verify message is NOT a
+## spam (example No)
+antispam_tag_header_ham_regexp	^\s*No
+
+## Name of header field to inform
+## Messages are supposed to be filtered by an spam filter that add one more
+## headers to messages. This parameter is used to select a special scenario in
+## order to decide the message spam status: ham, spam or unsure. This
+## parameter replace antispam_tag_header_name, antispam_tag_header_spam_regexp
+## and antispam_tag_header_ham_regexp.
+spam_status	x-spam-status
+
+###\\\\ Directories ////###
+
+## List home
+## Base directory of list configurations.
+home	/var/lib/sympa/expl
+
+## Directory for configuration files
+## Base directory of global configuration (except "sympa.conf").
+etc	/etc/sympa
+
+## Base directory of spools
+## Base directory of all spools which are created at runtime. This directory
+## must be writable by Sympa user.
+spool	/var/spool/sympa
+
+## Directory for message incoming spool
+## This spool is used both by "queue" program and "sympa_msg.pl" daemon."
+queue	/var/spool/sympa/msg
+
+## Directory for moderation spool
+queuemod	/var/spool/sympa/moderation
+
+## Directory for digest spool
+queuedigest	/var/spool/sympa/digest
+
+## Directory for held message spool
+## This parameter is named such by historical reason.
+queueauth	/var/spool/sympa/auth
+
+## Directory for archive spool
+## This parameter is named such by historical reason.
+queueoutgoing	/var/spool/sympa/outgoing
+
+## Directory for held request spool
+## This parameter is named such by historical reason.
+queuesubscribe	/var/spool/sympa/subscribe
+
+## Directory for topic spool
+queuetopic	/var/spool/sympa/topic
+
+## Directory for bounce incoming spool
+## This spool is used both by "bouncequeue" program and "bounced.pl" daemon.
+queuebounce	/var/spool/sympa/bounce
+
+## Directory for task spool
+queuetask	/var/spool/sympa/task
+
+## Directory for automatic list creation spool
+## This spool is used both by "familyqueue" program and "sympa_automatic.pl"
+## daemon.
+queueautomatic	/var/spool/sympa/automatic
+
+## Directory for message outgoing spool
+## This parameter is named such by historical reason.
+queuebulk	/var/spool/sympa/bulk
+
+## Directory to cache formatted messages
+## Base directory path of directories where HTML view of messages are cached.
+viewmail_dir	/var/spool/sympa/viewmail
+
+## Directory for storing bounces
+## The directory where bounced.pl daemon will store the last bouncing message
+## for each user. A message is stored in the file: <bounce_path>/<list
+## name>@<mail domain name>/<email address>, or, if tracking is enabled:
+## <bounce_path>/<list name>@<mail domain name>/<email address>_<envelope ID>.
+## Users can access to these messages using web interface in the bounce
+## management page.
+## Don't confuse with "queuebounce" parameter which defines the spool where
+## incoming error reports are stored and picked by bounced.pl daemon.
+bounce_path	/var/lib/sympa/bounce
+
+## Directory for storing archives
+## Where to store HTML archives. This parameter is used by the "archived.pl"
+## daemon. It is a good idea to install the archive outside the web document
+## hierarchy to ensure accesses passing WWSympa's access control will be
+## prevented.
+arc_path	/var/lib/sympa/arc
+
+###\\\\ Miscellaneous ////###
+
+## Local part of Sympa email address
+## Local part (the part preceding the "@" sign) of the address by which mail
+## interface of Sympa accepts mail commands.
+## If you change the default value, you must modify the mail aliases too.
+email	sympa
+
+## Custom robot parameter
+## Used to define a custom parameter for your server. Do not forget the
+## semicolon between the parameter name and the parameter value.
+## You will be able to access the custom parameter value in web templates by
+## variable "conf.custom_robot_parameter.<param_name>"
+# custom_robot_parameter	param_name ; param_value
+
+## Use of binary cache of list configuration
+## binary_file: Sympa processes will maintain a binary version of the list
+## configuration, "config.bin" file on local disk. If you manage a big amount
+## of lists (1000+), it should make the web interface startup faster.
+## You can recreate cache by running "sympa.pl --reload_list_config".
+cache_list_config	none
+
+## Max age of logs in database
+## Number of months that elapse before a log is expired
+logs_expiration_period	3
+
+## Umask
+## Default mask for file creation (see umask(2)). Note that it will be
+## interpreted as an octal value.
+umask	027
+
+## Secret string for generating unique keys
+## This allows generated authentication keys to differ from a site to another.
+## It is also used for encryption of user passwords stored in the database.
+## The presence of this string is one reason why access to "sympa.conf" needs
+## to be restricted to the "sympa" user.
+## Note that changing this parameter will break all HTTP cookies stored in
+## users' browsers, as well as all user passwords and lists X509 private keys.
+## To prevent a catastrophe, Sympa refuses to start if this "cookie" parameter
+## was changed.
+# cookie	123456789
+
+###\\\\ Web interface parameters ////###
+
+## URL prefix of web interface
+## This is used to construct URLs of web interface.
+wwsympa_url	https://<%= vhost %>/l
+
+## URL prefix of WWSympa behind proxy
+#http_host	http://domain.tld
+
+## URL for static contents
+## HTTP server have to map it with "static_content_path" directory.
+static_content_url	/static-sympa
+css_url			/static-sympa/css
+pictures_url		/static-sympa/pictures
+
+## Directory for static contents
+static_content_path	/var/lib/sympa/static_content
+css_path		/var/lib/sympa/static_content/css
+pictures_path		/var/lib/sympa/static_content/pictures
+
+## System log facility for web interface
+## System log facility for WWSympa, archived.pl and bounced.pl. Default is to
+## use value of "syslog" parameter.
+log_facility	LOCAL1
+
+###\\\\ Web interface parameters: Appearances ////###
+
+## Type of main web page
+## "lists" for the page of list of lists. "home" for home page.
+default_home	lists
+
+## Default index organization of web archive
+## thrd: Threaded index.
+## mail: Chronological index.
+archive_default_index	thrd
+
+## Size of review page
+## Default number of lines of the array displaying users in the review page
+review_page_size	25
+
+## Size of viewlogs page
+## Default number of lines of the array displaying the log entries in the logs
+## page.
+viewlogs_page_size	25
+
+###\\\\ Web interface parameters: Miscellaneous ////###
+
+## HTTP cookies validity domain
+## If beginning with a dot ("."), the cookie is available within the specified
+## Internet domain. Otherwise, for the specified host. The only reason for
+## replacing the default value would be where WWSympa's authentication process
+## is shared with an application running on another host.
+cookie_domain	<%= vhost %>
+
+## HTTP cookies lifetime
+## This is the default value when not set explicitly by users. "0" means the
+## cookie may be retained during browser session.
+cookie_expire	0
+
+## Average interval to refresh HTTP session ID.
+cookie_refresh	60
+
+## Use HTML editor
+## If set to "on", users will be able to post messages in HTML using a
+## javascript WYSIWYG editor.
+use_html_editor	0
+
+## URL of HTML editor
+## URL path to the javascript file making the WYSIWYG HTML editor available.
+## Relative path under <static_content_url> or absolute path.
+## Example is for TinyMCE 4 installed under <static_content_path>/js/tinymce/.
+# html_editor_url	js/tinymce/tinymce.min.js
+
+## HTML editor initialization
+## Javascript excerpt that enables and configures the WYSIWYG HTML editor.
+# html_editor_init	tinymce.init({selector:"#body",language:lang.split(/[^a-zA-Z]+/).join("_")});
+
+## Count limit of wrong password submission
+## If this limit is reached, the account is locked until the user renews their
+## password. The default value is chosen in order to block bots trying to log
+## in using brute force strategy. This value should never be reached by real
+## users that will probably uses the renew password service before they
+## performs so many tries.
+max_wrong_password	19
+
+## Password case
+## "insensitive" or "sensitive".
+## If set to "insensitive", WWSympa's password check will be insensitive. This
+## only concerns passwords stored in the Sympa database, not the ones in LDAP.
+## Should not be changed! May invalid all user password.
+password_case	insensitive
+
+###\\\\ S/MIME and TLS ////###
 
-## Bouncing email rate for warn list owner
-#bounce_warn_rate       20
+## Password used to crypt lists private keys
+## If not defined, Sympa assumes that list private keys are not encrypted.
+# key_passwd	your_password
 
-## Bouncing email rate for halt the list (not implemented)
-## Not yet used in current version, Default is 50
-#bounce_halt_rate       50
+## Directory containing user certificates
+ssl_cert_dir	/var/lib/sympa/X509-user-certs
 
-## Task name for expiration of old bounces
-#expire_bounce_task     daily
+###\\\\ Data sources setup ////###
 
-## Welcome message return-path
-## If set to unique, new subcriber is removed if welcome message bounce
-#welcome_return_path    unique
+## Default of SQL fetch timeout
+## Default timeout while performing a fetch with include_sql_query.
+default_sql_fetch_timeout	300
 
-###\\\\ MTA related ////###
+###\\\\ DKIM ////###
 
-## Path to the MTA (sendmail, postfix, exim or qmail)
-## should point to a sendmail-compatible binary (eg: a binary named "sendmail" is distributed with Postfix)
-sendmail        /usr/sbin/sendmail
+## Enable DKIM
+## If set to "on", Sympa may verify DKIM signatures of incoming messages and/
+## or insert DKIM signature to outgoing messages.
+dkim_feature	off
 
-## Maximum number of recipients per call to Sendmail. The nrcpt_by_domain.conf file allows a different tuning per destination domain.
-nrcpt   25
+## Which service messages to be signed
+## Inserts a DKIM signature to service messages in context of robot, list or
+## both
+dkim_add_signature_to	robot,list
 
-## Max. number of different domains per call to Sendmail
-avg     10
+## The "d=" tag as defined in rfc 4871
+## The DKIM "d=" tag, is the domain of the signing entity. Default is virtual
+## host domain name
+dkim_signer_domain	<%= vhost %>
 
-## Max. number of Sendmail processes (launched by Sympa) running simultaneously
-## Proposed value is quite low, you can rise it up to 100, 200 or even 300 with powerfull systems.
-maxsmtp 40
+## Rewrite header for DKIM signed messages and DMARC rejecting domains
+dmarc_protection_mode dkim_signature,dmarc_reject
 
-###\\\\ Plugin ////###
+###\\\\ Antivirus plug-in ////###
 
 ## Path to the antivirus scanner engine
-## supported antivirus : McAfee/uvscan, Fsecure/fsav, Sophos, AVP and Trend Micro/VirusWall
-#antivirus_path /usr/local/uvscan/uvscan
-
-## Antivirus pluggin command argument
-#antivirus_args --secure --summary --dat /usr/local/uvscan
+## Supported antivirus: Clam AntiVirus/clamscan & clamdscan, McAfee/uvscan,
+## Fsecure/fsav, Sophos, AVP and Trend Micro/VirusWall
+# antivirus_path	/usr/local/bin/clamscan
 
-###\\\\ S/MIME pluggin ////###
+## Antivirus plugin command line arguments
+# antivirus_args	--no-summary --database /usr/local/share/clamav
 
-## Path to OpenSSL
-## Sympa knowns S/MIME if openssl is installed
-#openssl        /usr/bin/ssl
+###\\\\ Password validation ////###
 
-## The directory path use by OpenSSL for trusted CA certificates
-#capath /etc/sympa/ssl.crt
+## Password validation
+## The password validation techniques to be used against user passwords that
+## are added to mailing lists. Options come from Data::Password
+## (https://search.cpan.org/~razinf/Data-Password-1.07/Password.pm#VARIABLES)
+# password_validation	MINLEN=8,GROUPS=3,DICTIONARY=4,DICTIONARIES=/pentest/dictionaries
 
-##  This parameter sets the all-in-one file where you can assemble the Certificates of Certification Authorities (CA)
-#cafile /usr/local/apache/conf/ssl.crt/ca-bundle.crt
-
-## User CERTs directory
-ssl_cert_dir    /var/lib/sympa/X509-user-certs
-
-crl_dir /var/lib/sympa/crl
-
-## Password used to crypt lists private keys
-#key_passwd     your_password
-
-###\\\\ Database ////###
-
-## Database type (mysql | Pg | Oracle | Sybase | SQLite)
-## be carefull to the case
-db_type Pg
-
-## Name of the database
-## with SQLite, the name of the DB corresponds to the DB file
-db_name sympa
-
-## The host hosting your sympa database
-db_host pgsql.<%= domain %>
-
-## The database port
-db_port 5432/tcp
-
-## Database user for connexion
-db_user sympa
-
-## Database password (associated to the db_user)
-## What ever you use a password or not, you must protect the SQL server (is it a not a public internet service ?)
-db_passwd       <%= password %>
-
-## Database private extention to user table
-## You need to extend the database format with these fields
-#db_additional_user_fields      age,address
-
-## Database private extention to subscriber table
-## You need to extend the database format with these fields
-#db_additional_subscriber_fields        billing_delay,subscription_expiration
+###\\\\ Authentication with LDAP ////###
 
-###\\\\ Web interface ////###
+## Use canonical email address for LDAP authentication
+## When using LDAP authentication, if the identifier provided by the user was
+## a valid email, if this parameter is set to false, then the provided email
+## will be used to authenticate the user. Otherwise, use of the first email
+## returned by the LDAP server will be used.
+ldap_force_canonical_email	1
 
-## Sympa's main page URL
-wwsympa_url     http://ml.<%= domain %>/
+###\\\\ Obsoleted parameters ////###
 
-## If a spam filter (like spamassassin or j-chkmail) add a smtp headers to tag spams, name of this header (example X-Spam-Status)
-antispam_tag_header_name        X-Spam-Status
+## Default timeout between two scheduled synchronizations of list members with
+## data sources.
+default_ttl	3600
 
-## The regexp applied on this header to verify message is a spam (example \s*Yes)
-antispam_tag_header_spam_regexp ^\s*Yes
+## Default timeout between two action-triggered synchronizations of list
+## members with data sources.
+default_distribution_ttl	300
 
-## The regexp applied on this header to verify message is NOT a spam (example \s*No)
-antispam_tag_header_ham_regexp  ^\s*No
+edit_list	owner
 
-# Disable alias management, already managed in postfix
-sendmail_aliases none
+## Enable FastCGI
+## Is FastCGI module for HTTP server installed. This module provide much
+## faster web interface.
+use_fast_cgi	1
 
+# Upgrade from 6.2.40 to 6.2.42
+# 22 May 2019 at 21:22:06
+shared_feature on
diff --git a/modules/sympa/templates/vhost_ml.conf b/modules/sympa/templates/vhost_ml.conf
index bd98b175..11aa7ae5 100644
--- a/modules/sympa/templates/vhost_ml.conf
+++ b/modules/sympa/templates/vhost_ml.conf
@@ -1,10 +1,20 @@
-<VirtualHost *:80>
-	ServerName ml.<%= domain %>
-<%-
-path_cgi_directory = "/usr/lib" + ( architecture == "x86_64" ? '64' : '') + "/sympa/cgi"
--%>
-	DocumentRoot <%= path_cgi_directory %>
- 	<Location />
-		Allow from all
-	</Location>
-</VirtualHost>
+    RewriteEngine On
+    RewriteRule ^/?$ /l/home [R]
+    RewriteRule ^/l$ /l/
+    RewriteRule ^/l/(.*)$ /wwsympa-wrapper.fcgi/$1
+
+    DocumentRoot <%= lib_dir + "/sympa/cgi" %>
+
+    Alias /static-sympa /var/lib/sympa/static_content
+
+    <Directory /var/lib/sympa/static_content>
+        <IfModule mod_authz_core.c>
+            # Apache 2.4
+            Require all granted
+        </IfModule>
+        <IfModule !mod_authz_core.c>
+            # Apache 2.2
+            Order allow,deny
+            Allow from all
+        </IfModule>
+    </Directory>
diff --git a/modules/sympa/templates/webapp_sympa.conf b/modules/sympa/templates/webapp_sympa.conf
index 84debe38..1a508199 100644
--- a/modules/sympa/templates/webapp_sympa.conf
+++ b/modules/sympa/templates/webapp_sympa.conf
@@ -1,11 +1,16 @@
-<%-
-path_cgi_directory = "/usr/lib" + ( architecture == "x86_64" ? '64' : '') + "/sympa/cgi"
--%>
-<Directory <%= path_cgi_directory %> >
-    Options ExecCGI
-    AddHandler fastcgi-script .fcgi
+<Directory <%= lib_dir + "/sympa/cgi"  %> >
+    SetHandler fcgid-script
+    Options +ExecCGI
+    AddHandler cgi-script .fcgi
     DirectoryIndex wwsympa-wrapper.fcgi
 
-    Order allow,deny
-    Allow from all
+    <IfModule mod_authz_core.c>
+        # Apache 2.4
+        Require all granted
+    </IfModule>
+    <IfModule !mod_authz_core.c>
+        # Apache 2.2
+        Order allow,deny
+        Allow from all
+    </IfModule>
 </Directory>