Mailman3 - CSRF verification failed. Request aborted.

I have installed mailman3 on Ubuntu 24. The web pages seem to be working except when I try to log on as a user or superuser. When I enter the credentials I get the error page:

CSRF verification failed. Request aborted.

Mailman3 support is stumped as to why this is happening and suggested I try here. I am totally unfamiliar with Django so to start I need some advice as to what data to collect and how. The page says to use “DEBUG=True” but it is not obvious where to put that. I tried putting it in gunicorn.conf but that does not produce anything in the debug.log file. Can someone help me get started debugging this problem? TIA

With the caveat that I haven’t used mailman…

DEBUG=True goes in the Django project’s settings.py file.

NOTE: Don’t set DEBUG=True on a live deployment of your site - only on your local development version.

You can see the contents of mailman’s default settings.py here: Virtualenv Installation — Mailman Suite 3.3 documentation

You can see a setting in there for CSRF_TRUSTED_ORIGINS which might help.

How did you install Mailman3, from sources or from a deb package?

I used this:

Well, then your Django settings should be in /etc/mailman3/settings.py. This is where you need to configure CSRF_TRUSTED_ORIGINS.

N.B.: this needs to be a list of domains, not URLs.

OK. Adding CSRF_TRUSTED_ORIGINS worked for one particular host but that seems impractical. I can't add every possible domain that might access the page. Is there some way to use a wildcard so any host can access the page? As far as mailman is concerned there is no security risk since this is happening on a login page.

Don’t you just list the domains that you’re submitting the POST form from? i.e., your site’s domain(s)?

Here are the docs for that setting, in case you haven’t found them: Settings | Django documentation | Django

I don’t think I understand. When I list the host from which I am doing the post, it works. If I just list my local host, it does not. I’m supposed to list the trusted domains using “http://host.example.com”. The confusing part is listing hosts rather than just domains. In any case the documentation is not clear what I’m supposed to use.

I don’t understand what the problem is from your description, sorry.

If the form is on a page at something like https://www.mydomain.com/login/ then you add https://www.mydomain.com to CSRF_TRUSTED_ORIGINS.
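To make the behaviour of CSRF_TRUSTED_ORIGINS concrete, here is an added example that is not from this thread and is not Django's or Mailman's own code: a simplified model of the comparison Django makes between the browser's Origin header on a POST and the configured list. It shows the three things the replies above are getting at: a POST whose Origin equals the request's own scheme and host is accepted with no list entry at all; an entry must be scheme plus host with no path; and the only wildcard Django understands (4.0+ syntax, assumed here) is a leading `*.`, which is scoped to one domain you own rather than "any host". The hostnames are constructed.

```python
"""Added example (not from the thread or from Django/Mailman): a compact model
of how Django decides whether a POST's Origin header is acceptable, so the
effect of each CSRF_TRUSTED_ORIGINS entry can be checked offline."""
from urllib.parse import urlsplit

# Constructed lines as they might appear in /etc/mailman3/settings.py.
# Each entry is scheme://host[:port] with no path; a leading "*." matches
# the domain itself and any subdomain of it (Django 4.0+ form, assumed).
CSRF_TRUSTED_ORIGINS = [
    "https://myhost.mydomain.com",  # the host that serves /accounts/login
    "https://*.mydomain.com",       # every subdomain of the site's own domain
]


def _same_domain(host: str, pattern: str) -> bool:
    """Pattern '.mydomain.com' matches 'mydomain.com' and any subdomain of it."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def origin_verified(request_origin: str, request_host: str, is_secure: bool,
                    trusted: list[str]) -> bool:
    """Simplified version of Django's Origin check (illustration only).

    request_origin: the Origin header the browser sent with the POST
    request_host:   the host Django computes for the request itself
    is_secure:      whether Django considers the request to be HTTPS
    """
    # 1. A POST from the site's own origin is always accepted, so a login
    #    form served and submitted on the same scheme://host needs no entry.
    own_origin = f"{'https' if is_secure else 'http'}://{request_host}"
    if request_origin == own_origin:
        return True

    exact: set[str] = set()
    subdomains: dict[str, list[str]] = {}
    for entry in trusted:
        parts = urlsplit(entry)
        if not parts.scheme or not parts.netloc:
            # Django refuses entries without a scheme at startup; skip them here.
            continue
        if parts.netloc.startswith("*"):
            subdomains.setdefault(parts.scheme, []).append(parts.netloc[1:])
        else:
            # An entry with a path can never match: Origin headers carry no path.
            exact.add(entry)

    # 2. Exact match against a listed origin.
    if request_origin in exact:
        return True

    # 3. Wildcard subdomain match; the scheme must agree as well.
    req = urlsplit(request_origin)
    return any(_same_domain(req.netloc, pat)
               for pat in subdomains.get(req.scheme, []))


if __name__ == "__main__":
    # Same-origin login POST: passes even with an empty list.
    print(origin_verified("https://myhost.mydomain.com",
                          "myhost.mydomain.com", True, []))
    # Scheme mismatch (browser says https, Django thinks http): fails.
    print(origin_verified("https://myhost.mydomain.com",
                          "myhost.mydomain.com", False, []))
```

The second case in the `__main__` block is worth keeping in mind when the error appears on a same-origin form: if Django does not see the request as HTTPS or does not see the same host the browser used (for example behind a reverse proxy), its own-origin comparison fails and only an explicit list entry can make the POST pass. Listing other organisations' hosts is never the fix; the list should name only origins that legitimately serve your forms.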

That is the problem. The form is on the page https://myhost.mydomain.com/accounts/login. Adding that host does not work. What does work is adding https://postinghost.someotherdomain.com. Obviously I can’t add every possible host that might access the page.

Just to be clear the CSRF error does not occur until I enter my credentials and click the submit button.

I’m not clear where https://postinghost.someotherdomain.com/ is involved in this?

That is the host from which I am trying to log into the mailman-web host.