Before starting I assume that you have:
* Lighttpd setup and working
* Postfix setup to handle mail from one domain
* MX records setup for the subdomain you want to use for lists

First, we need to install mailman, but before we do that we need to make sure it uses the right UID and GID (lighttpd) instead of apache, which is the default. To do this append

MAILMAN_CGIGID="lighttpd"
MAILMAN_CGIUID="lighttpd"

to /etc/make.conf and then proceed to install mailman:

# emerge mailman

Now it’s time to configure lighttpd. This we do by adding the following to /etc/lighttpd/lighttpd.conf:

alias.url += (
          "/services/mailman/mailman-icons" => "/usr/lib64/mailman/icons/",
          "/services/mailman/pipermail" => "/var/lib/mailman/archives/public/",
          "/services/mailman" => "/usr/lib64/mailman/cgi-bin/",
)

$HTTP["url"] =~ "^/services/mailman" {
        cgi.assign = (
                "/admin" => "",
                "/admindb" => "",
                "/confirm" => "",
                "/create" => "",
                "/edithtml" => "",
                "/listinfo" => "",
                "/options" => "",
                "/private" => "",
                "/rmlist" => "",
                "/roster" => "",
                "/subscribe" => "")
        server.indexfiles = ("listinfo", "index.html")
}
$HTTP["url"] =~ "^/services/mailman/pipermail/" {
             dir-listing.activate = "enable"
             dir-listing.hide-dotfiles = "enable"
             server.follow-symlink = "enable"
}

I choose not to serve mailman from a vhost, if you want to do that you’ll need to change the above accordingly. Otherwise you’ll just have to change the url matches and aliases to reflect from where you want to host mailman. You will also need to make sure that the alias and cgi modules are enabled (located at the top of lighttpd.conf).

The next thing to configure is mailman itself. Append the following to /etc/mailman/mm_cfg.py:

MTA = 'Postfix'
DEFAULT_EMAIL_HOST = 'lists.example.tld'
DEFAULT_URL_HOST = 'example.tld'
DEFAULT_URL_PATTERN = 'http://%s/services/mailman/'
add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST)
IMAGE_LOGOS = '/services/mailman/mailman-icons/' 

POSTFIX_STYLE_VIRTUAL_DOMAINS = [DEFAULT_EMAIL_HOST]

PUBLIC_ARCHIVE_URL = 'http://%(hostname)s/services/mailman/pipermail/%(listname)s'

You should set DEFAULT_EMAIL_HOST to the subdomain you want your lists to use, DEFAULT_URL_HOST to the host from which you will serve the mailman web pages, and change DEFAULT_URL_PATTERN, IMAGE_LOGOS, PUBLIC_ARCHIVE_URL so that they are consistent with your settings in lighttpd.conf. The call to add_virtualhost is need when you change either of the _HOST variables like this.

Continuing, there is a few things we need to do as the mailman user. First install the cron jobs:

# su - mailman
mailman $ cd cron
mailman $ crontab crontab.in
mailman $ cd ..

Then set the site password:

mailman $ bin/mmsitepass

The site password works instead of any other password in the mailman installation, and is used to adminstrate it.

Next we create the site-wide mailing list, which is needed for proper operation of mailman:

mailman $ bin/newlist mailman

And logout from the mailman account and continue…

…with configuring postfix. This is as simple as adding the following two lines to /etc/postfix/main.cf:

virtual_alias_domains = lists.example.tld
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman

Once again replacing lists.example.tld with the subdomain you want your lists to use.

Now we only need to reload postfix, start mailman and add it to the default runlevel:

# /etc/init.d/postfix reload
# /etc/init.d/mailman start
# rc-update add mailman default

Congratulations, you should now have a working mailman install!

So I wrote up ebuilds for yubico-pam and its dependency yubico-c-client. You can get them here.

Just extract the tarball into your portage overlay and emerge pam_yubico. If you don’t have an overlay, then just do this (as root):

mkdir /usr/local/portage/
echo 'PORTDIR_OVERLAY="/usr/local/portage/"' >> /etc/make.conf
tar xvzf pam_yubico-ebuildstar.gz -C /usr/local/portage/
emerge pam_yubico

For myself I configured sshd to be able to login using either my yubikey or a normal password. I will describe how to do that – if you need some other configuration have a look at the PAM module’s site (mentioned above).

1. You will need to get your yubico client id. The only way I know of to do this is through the YMS.
2. Configure PAM to make ssh use the newly installed module. This by prepending auth sufficient pam_yubico.so id=16 try_first_pass to /etc/pam.d/sshd. Be sure to change 16 to the ID you aquired in step 1.
3. Add your yubikey id to the file pam_yubico looks in, namely ~/.yubico/authorized_yubikeys. Create the file with and add the line user:yubikey_id. The yubikey id is the first 12 characters from the OTPs it generates.

And that’s it. You should now be able to log in over SSH using either your regular password or your yubikey.