diff --git a/comanage-registry-mailman/README.md b/comanage-registry-mailman/README.md
index bdaba4f..2b4e1fd 100644
--- a/comanage-registry-mailman/README.md
+++ b/comanage-registry-mailman/README.md
@@ -37,7 +37,7 @@ deployment. The suite of services include:
1. **postfix**: MTA needed for sending and receiving mail.
-1. **nginx**: Web proxy for GNU Mailman 3 REST and web interface.
+1. **apache**: Apache HTTP Server with Shibboleth SP as a web proxy for GNU Mailman 3 REST and web interface.
## How To
@@ -59,15 +59,15 @@ cd comanage-registry-docker
```
pushd comanage-registry-mailman/core
-docker build -t sphericalcowgroup/mailman-core:0.1.7 .
+docker build -t sphericalcowgroup/mailman-core:0.2.1 .
popd
pushd comanage-registry-mailman/web
-docker build -t sphericalcowgroup/mailman-web:0.1.7 .
+docker build -t sphericalcowgroup/mailman-web:0.2.1 .
popd
-pushd comanage-registry-mailman/nginx
-docker build -t sphericalcowgroup/mailman-core-nginx .
+pushd comanage-registry-mailman/apache-shib
+docker build -t sphericalcowgroup/mailman-core-apache-shib .
popd
pushd comanage-registry-mailman/postfix
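Review bot: the apache-shib build `docker build -t sphericalcowgroup/mailman-core-apache-shib .` produces an untagged (`latest`) image, while `mailman-stack.yml` in this same change references `sphericalcowgroup/mailman-core-apache-shib:1`, so a deploy that follows these steps will not find the `:1` tag. Tag the build to match, e.g. `docker build -t sphericalcowgroup/mailman-core-apache-shib:1 .`, as is already done for mailman-core and mailman-web.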
@@ -87,17 +87,11 @@ to substitute your own secrets and do not use the examples below):
* A password for the GNU Mailman 3 REST user, eg. `K6gfcC9uHQMXr448Kmdi`.
- * An X.509 certificate for HTTPS for Nginx. The server certificate and any subordinate
+ * An X.509 certificate for HTTPS for Apache HTTP Server (Apache). The server certificate and any subordinate
CA signing certificates (except for the trust root) should be in a single file, eg. `fullchain.pem`.
* The associated private key for the X.509 HTTPS certificate, eg. `privkey.pem`.
- * A DH parameters file for Nginx. You can generate one by doing
-
-```
-openssl dhparam -out dhparam.pem 2048
-```
-
* Create the directory structure on the Docker engine hosts needed for the services
to save local state, eg.
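Review bot: the prerequisites list drops the DH parameters file but does not add the new Shibboleth SP material the stack file now expects: the SP encryption certificate and private key behind the `shibboleth_sp_encrypt_cert` and `shibboleth_sp_encrypt_privkey` secrets, and the `shibboleth2.xml` and `attribute-map.xml` files that are bind-mounted into `/etc/shibboleth/`. Add bullets for these, and note that the IdP must release the `mail` attribute, since httpd.conf gates Postorius on it.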
@@ -105,7 +99,7 @@ to save local state, eg.
mkdir -p /opt/mailman/core
mkdir -p /opt/mailman/web
mkdir -p /opt/mailman/database
-mkdir -p /opt/mailman/nginx
+mkdir -p /opt/mailman/shib
```
* If you are using Docker Compose to deploy the service stack copy the file
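Review bot: `mkdir -p /opt/mailman/shib` creates only the top-level directory, but the stack file mounts individual files from a `shib/etc/` subdirectory (`shibboleth2.xml`, `attribute-map.xml`); if those files are absent the deploy either fails on a missing bind source or ends up with an empty directory where the file should be, and shibd cannot load its configuration. Document creating `shib/etc/` and populating both files before the first deploy.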
@@ -141,9 +135,8 @@ echo "HbTKLdrhRxUX96f5bD2g" | docker secret create hyperkitty_api_key -
echo "K6gfcC9uHQMXr448Kmdi" | docker secret create mailman_rest_password -
echo "fPe7d9e0PKF8ryySOow0" | docker secret create mailman_web_secret_key -
echo "gECPnaqXVID80TlRS5ZG" | docker secret create postgres_password -
-docker secret create nginx_https_cert_file fullchain.pem
-docker secret create nginx_https_key_file privkey.pem
-docker secret create nginx_dh_param_file dhparam.pem
+docker secret create https_cert_file fullchain.pem
+docker secret create https_key_file privkey.pem
```
Additionally you MUST also make at least the following changes to the stack compose file `mailman-stack.yml`:
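Review bot: the secret creation block omits the two new Shibboleth secrets that `mailman-stack.yml` declares as `external: true` (`shibboleth_sp_encrypt_cert` and `shibboleth_sp_encrypt_privkey`); `docker stack deploy` refuses the stack until they exist. Add lines such as `docker secret create shibboleth_sp_encrypt_cert sp-encrypt-cert.pem` and `docker secret create shibboleth_sp_encrypt_privkey sp-encrypt-key.pem` (file names are placeholders).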
@@ -165,47 +158,40 @@ docker stack deploy --compose-file mailman-stack.yml mailman
```
* It can take as long as 30 seconds for the GNU Mailman 3 core service to be ready. The other
-services wait until detecting that core is ready. Monitor the `nginx` service with
+services wait until detecting that core is ready. Monitor the `apache` service with
```
-docker-compose logs -f --tail=100 nginx
+docker-compose logs -f --tail=100 apache
```
or
```
-docker service logs --tail=100 -f mailman_nginx
+docker service logs --tail=100 -f mailman_apache
```
-until Nginx is ready. You should see something like
+until Apache is ready. You should see something like
```
-mailman-nginx | Waiting for Mailman core container...
-mailman-nginx | Waiting for Mailman core container...
-mailman-nginx | Waiting for Mailman core container...
-mailman-nginx | Waiting for Mailman core container...
-mailman-nginx | 2018/04/23 18:07:27 [notice] 1#1: using the "epoll" event method
-mailman-nginx | 2018/04/23 18:07:27 [notice] 1#1: nginx/1.10.3
-mailman-nginx | 2018/04/23 18:07:27 [notice] 1#1: OS: Linux 4.9.0-6-amd64
-mailman-nginx | 2018/04/23 18:07:27 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
-mailman-nginx | 2018/04/23 18:07:27 [notice] 1#1: start worker processes
-mailman-nginx | 2018/04/23 18:07:27 [notice] 1#1: start worker process 48
+2019-04-03 12:27:55,389 CRIT Set uid to user 0
+2019-04-03 12:27:55,391 INFO supervisord started with pid 1
+2019-04-03 12:27:56,394 INFO spawned: 'shibd' with pid 8
+2019-04-03 12:27:56,399 INFO spawned: 'apache2' with pid 9
+Waiting for Mailman core container...
+2019-04-03 12:27:57,491 INFO success: shibd entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
+2019-04-03 12:27:57,492 INFO success: apache2 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
+Waiting for Mailman core container...
+Waiting for Mailman core container...
+Waiting for Mailman core container...
+Waiting for Mailman web container...
+Waiting for Mailman web container...
+Waiting for Mailman web container...
+[Wed Apr 03 13:48:41.263252 2019] [mpm_event:notice] [pid 9:tid 140569797922880] AH00489: Apache/2.4.38 (Unix) OpenSSL/1.1.0j configured -- resuming normal operations
+[Wed Apr 03 13:48:41.284857 2019] [core:notice] [pid 9:tid 140569797922880] AH00094: Command line: 'httpd -D FOREGROUND'
```
-* Browse to port 443 on the host.
-
-* Click `Login` and then `Forgot Password?`. Enter the email address you injected as the first
-Mailman 3 administrator and then click `Reset My Password`.
-
-* You will receive an email at that administrator password with a link. Follow the link to reset
-the administrator password.
-
-* Browse again to port 443 on the host and click `Login`. Enter the administrator name you injected
-and the password you just set. Click `Sign In`. You will be sent another email with a link in it to verify the account.
-Follow the link to verify the account.
-
-* Browse again to port 443 on the host and click `Login`. Enter the administrator name and password
-you just verified. Click `Sign In`.
+* Browse to port 443 on the host and authenticate using an identity provider (IdP) federated
+with the Shibboleth SP.
* Visit the [COmanage wiki](https://spaces.internet2.edu/display/COmanage/Mailman+Provisioning+Plugin)
to learn how to enable and configure the Mailman Provisioning Plugin for COmanage Registry.
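Review bot: the login step now says only to authenticate via a federated IdP, but httpd.conf in this change admits to `/postorius/` only a session whose `mail` attribute equals `MAILMAN_ADMIN_EMAIL` (`Require shib-attr mail ${MAILMAN_ADMIN_EMAIL}`) and to `/hyperkitty/` any Shibboleth session; the README should say so, and should say that the mailman-web account is created from the `Mail` header on first login, which is why the old password-reset bootstrap was removed. The sample log also opens with `CRIT Set uid to user 0`, which is supervisord reporting that it runs as root; one sentence would stop operators reading it as a failure.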
@@ -237,7 +223,7 @@ docker-compose logs mailman-web
docker-compose logs postfix
-docker-compose logs nginx
+docker-compose logs apache
docker-compose logs -f --tail=100 mailman-core
@@ -247,7 +233,7 @@ docker-compose logs -f --tail=100 mailman-web
docker-compose logs -f --tail=100 postfix
-docker-compose logs -f --tail=100 nginx
+docker-compose logs -f --tail=100 apache
docker-compose down
```
@@ -267,7 +253,7 @@ docker service logs mailman_mailman-core
docker service logs mailman_mailman-web
-docker service logs mailman_nginx
+docker service logs mailman_apache
docker service logs mailman_database
@@ -277,7 +263,7 @@ docker service logs --tail=100 -f mailman_mailman-core
docker service logs --tail=100 -f mailman_mailman-web
-docker service logs --tail=100 -f mailman_nginx
+docker service logs --tail=100 -f mailman_apache
docker service logs --tail=100 -f mailman_postfix
diff --git a/comanage-registry-mailman/apache-shib/Dockerfile b/comanage-registry-mailman/apache-shib/Dockerfile
new file mode 100644
index 0000000..56b9bb8
--- /dev/null
+++ b/comanage-registry-mailman/apache-shib/Dockerfile
@@ -0,0 +1,66 @@
+# COmanage Registry Dockerfile
+#
+# Portions licensed to the University Corporation for Advanced Internet
+# Development, Inc. ("UCAID") under one or more contributor license agreements.
+# See the NOTICE file distributed with this work for additional information
+# regarding copyright ownership.
+#
+# UCAID licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with the
+# License. You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+ARG COMANAGE_REGISTRY_VERSION=develop
+ARG COMANAGE_REGISTRY_BASE_IMAGE_VERSION=1
+ARG COMANAGE_REGISTRY_SHIBBOLETH_SP_VERSION="3.0.4"
+ARG COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION=1
+
+FROM comanage-registry-shibboleth-sp-base:${COMANAGE_REGISTRY_SHIBBOLETH_SP_VERSION}-${COMANAGE_REGISTRY_SHIBBOLETH_SP_BASE_IMAGE_VERSION} AS shib-base
+
+FROM comanage-registry-base:${COMANAGE_REGISTRY_VERSION}-${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} AS comanage-registry-base
+
+FROM httpd:2.4
+
+RUN apt-get update && apt-get install -y \
+ curl \
+ libssl1.0.2 \
+ netcat-traditional \
+ procps \
+ supervisor \
+ && apt-get clean \
+ && mkdir -p /var/log/supervisor
+
+COPY --from=shib-base /opt/shibboleth-sp /opt/shibboleth-sp/
+
+RUN /usr/sbin/useradd --system _shibd \
+ && mkdir -p /var/run/shibboleth \
+ && chown _shibd:_shibd /var/run/shibboleth \
+ && chown -R _shibd:_shibd /opt/shibboleth-sp/var \
+ && cp -a /opt/shibboleth-sp/etc/shibboleth /etc/shibboleth \
+ && rm -f /etc/shibboleth/shibboleth2.xml \
+ && chown _shibd:_shibd /etc/shibboleth/sp-signing-cert.pem \
+ && chown _shibd:_shibd /etc/shibboleth/sp-signing-key.pem \
+ && chown _shibd:_shibd /etc/shibboleth/sp-encrypt-cert.pem \
+ && chown _shibd:_shibd /etc/shibboleth/sp-encrypt-key.pem \
+ && cd /opt/shibboleth-sp/etc \
+ && rm -rf shibboleth \
+ && ln -s /etc/shibboleth shibboleth
+
+COPY --chown=_shibd:_shibd shibd.logger /etc/shibboleth/shibd.logger
+COPY --chown=_shibd:_shibd native.logger /etc/shibboleth/native.logger
+
+COPY --from=comanage-registry-base /usr/local/lib/comanage_shibboleth_sp_utils.sh /usr/local/lib/comanage_shibboleth_sp_utils.sh
+
+COPY supervisord.conf /usr/local/etc/supervisord.conf
+
+COPY httpd.conf /usr/local/apache2/conf/
+COPY start.sh /usr/local/bin/apache-httpd-start.sh
+COPY shibd-start.sh /usr/local/bin/shibd-start.sh
+
+ENTRYPOINT ["/usr/bin/supervisord", "-c", "/usr/local/etc/supervisord.conf"]
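Review bot: `cp -a /opt/shibboleth-sp/etc/shibboleth /etc/shibboleth` carries the base image's `sp-signing-key.pem` and `sp-encrypt-key.pem` into this image, so that key material sits in a published layer and is shared by every container built from it. The stack file injects only `SHIBBOLETH_SP_ENCRYPT_CERT`/`SHIBBOLETH_SP_ENCRYPT_PRIVKEY` at runtime and nothing visible here replaces the signing pair; either remove both pairs at build time and require them as secrets, or document that `comanage_shibboleth_sp_utils::exec_shibboleth_sp_daemon` overwrites them and add matching signing secrets. Minor: `FROM httpd:2.4` is a floating tag, and the SP binaries pull in `libssl1.0.2` beside the OpenSSL 1.1.0 the httpd image already carries (see the `OpenSSL/1.1.0j` banner in the README log), so there are two OpenSSL patch streams to track in one image.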
diff --git a/comanage-registry-mailman/apache-shib/httpd.conf b/comanage-registry-mailman/apache-shib/httpd.conf
new file mode 100644
index 0000000..c33363d
--- /dev/null
+++ b/comanage-registry-mailman/apache-shib/httpd.conf
@@ -0,0 +1,184 @@
+ServerRoot "/usr/local/apache2"
+
+Listen 80
+
+LoadModule mpm_event_module modules/mod_mpm_event.so
+LoadModule authn_file_module modules/mod_authn_file.so
+LoadModule authn_core_module modules/mod_authn_core.so
+LoadModule authz_host_module modules/mod_authz_host.so
+LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
+LoadModule authz_user_module modules/mod_authz_user.so
+LoadModule authz_core_module modules/mod_authz_core.so
+LoadModule access_compat_module modules/mod_access_compat.so
+LoadModule auth_basic_module modules/mod_auth_basic.so
+LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
+LoadModule reqtimeout_module modules/mod_reqtimeout.so
+LoadModule filter_module modules/mod_filter.so
+LoadModule substitute_module modules/mod_substitute.so
+LoadModule mime_module modules/mod_mime.so
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule env_module modules/mod_env.so
+LoadModule headers_module modules/mod_headers.so
+LoadModule setenvif_module modules/mod_setenvif.so
+LoadModule version_module modules/mod_version.so
+LoadModule proxy_module modules/mod_proxy.so
+LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule ssl_module modules/mod_ssl.so
+LoadModule unixd_module modules/mod_unixd.so
+LoadModule status_module modules/mod_status.so
+LoadModule autoindex_module modules/mod_autoindex.so
+LoadModule dir_module modules/mod_dir.so
+LoadModule alias_module modules/mod_alias.so
+LoadModule rewrite_module modules/mod_rewrite.so
+LoadModule mod_shib /opt/shibboleth-sp/lib/shibboleth/mod_shib_24.so
+
+
+User daemon
+Group daemon
+
+
+ServerAdmin you@example.com
+
+ServerName http://${VIRTUAL_HOST_FQDN}:80
+
+
+ AllowOverride none
+ Require all denied
+
+
+DocumentRoot "/usr/local/apache2/htdocs"
+
+
+ Options Indexes FollowSymLinks
+ AllowOverride None
+ Require all granted
+
+
+
+ DirectoryIndex index.html
+
+
+
+ Require all denied
+
+
+ErrorLog /proc/self/fd/2
+
+LogLevel warn
+
+
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+ LogFormat "%h %l %u %t \"%r\" %>s %b" common
+
+
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+
+
+ CustomLog /proc/self/fd/1 common
+
+
+
+
+
+ TypesConfig conf/mime.types
+
+ AddType application/x-compress .Z
+ AddType application/x-gzip .gz .tgz
+
+
+
+ServerName http://${VIRTUAL_HOST_FQDN}:80
+UseCanonicalName On
+
+RewriteEngine On
+RewriteCond %{HTTPS} off
+RewriteRule ^ https://%{HTTP_HOST}:443%{REQUEST_URI} [R=302,L,QSA]
+
+
+Listen 443
+
+SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+SSLHonorCipherOrder on
+SSLProtocol all -SSLv3
+SSLPassPhraseDialog builtin
+SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
+SSLSessionCacheTimeout 300
+
+
+
+DocumentRoot "/usr/local/apache2/htdocs"
+
+ServerName https://${VIRTUAL_HOST_FQDN}:443
+
+ServerAdmin you@example.com
+
+ErrorLog /proc/self/fd/2
+TransferLog /proc/self/fd/1
+
+SSLEngine on
+SSLCertificateFile "/usr/local/apache2/conf/server.crt"
+SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
+
+BrowserMatch "MSIE [2-5]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+
+CustomLog /proc/self/fd/1 \
+ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+RedirectMatch "^/$" "https://${VIRTUAL_HOST_FQDN}/postorius/lists/"
+
+Alias "/static/" "/opt/mailman-web-data/static/"
+
+Require all granted
+
+
+
+SetHandler shib
+
+
+
+ProxyPass http://mailman-core:8001/
+ProxyPassReverse http://mailman-core:8001/
+
+RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
+RequestHeader set "Host" expr=%{HTTP_HOST}
+
+AddOutputFilterByType SUBSTITUTE application/json
+Substitute "s|\"self_link\": \"http://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:8001|\"self_link\": \"https://${VIRTUAL_HOST_FQDN}/api|"
+
+
+
+AuthType Shibboleth
+ShibRequestSetting requireSession 1
+ShibUseHeaders On
+Require shib-attr mail ${MAILMAN_ADMIN_EMAIL}
+
+ProxyPass http://mailman-web:8000/postorius/
+ProxyPassReverse http://mailman-web:8000/postorius/
+
+RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
+RequestHeader set "Host" expr=%{HTTP_HOST}
+
+
+
+
+AuthType Shibboleth
+ShibRequestSetting requireSession 1
+ShibUseHeaders On
+Require shib-session
+
+ProxyPass http://mailman-web:8000/hyperkitty/
+ProxyPassReverse http://mailman-web:8000/hyperkitty/
+
+RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
+RequestHeader set "Host" expr=%{HTTP_HOST}
+
+
+
+
+
+SSLRandomSeed startup builtin
+SSLRandomSeed connect builtin
+
+
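Review bot: `SSLProtocol all -SSLv3` still permits TLS 1.0 and 1.1; use `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` (TLS 1.3 becomes available once the image's OpenSSL is 1.1.1 or later; the README log shows 1.1.0j). mod_headers is loaded but nothing sets `Strict-Transport-Security`, so the port-80 302 redirect is the only downgrade protection; add `Header always set Strict-Transport-Security "max-age=31536000"` on the HTTPS host. Separately, the block proxying to `http://mailman-core:8001/` has no `AuthType` or `Require` in front of it, unlike the `/postorius/` and `/hyperkitty/` blocks, so the core REST API is reachable on 443 guarded only by Mailman's REST basic-auth password; if it exists for the COmanage provisioning plugin, add a `Require ip` restriction for the Registry host or a comment stating the exposure is intended (the `<Location>` and `<VirtualHost>` container lines are not visible in this rendering, so the paths are inferred from the proxied targets).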
diff --git a/comanage-registry-mailman/apache-shib/native.logger b/comanage-registry-mailman/apache-shib/native.logger
new file mode 100644
index 0000000..f8300c8
--- /dev/null
+++ b/comanage-registry-mailman/apache-shib/native.logger
@@ -0,0 +1,32 @@
+# set overall behavior
+log4j.rootCategory=INFO, native_log
+
+# fairly verbose for DEBUG, so generally leave at WARN/INFO
+log4j.category.XMLTooling.XMLObject=WARN
+log4j.category.XMLTooling.KeyInfoResolver=WARN
+log4j.category.Shibboleth.IPRange=WARN
+log4j.category.Shibboleth.PropertySet=WARN
+
+# raise for low-level tracing of SOAP client HTTP/SSL behavior
+log4j.category.XMLTooling.libcurl=WARN
+
+# useful categories to tune independently:
+#
+# tracing of SAML messages and security policies
+#log4j.category.OpenSAML.MessageDecoder=DEBUG
+#log4j.category.OpenSAML.MessageEncoder=DEBUG
+#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
+# interprocess message remoting
+#log4j.category.Shibboleth.Listener=DEBUG
+# mapping of requests to applicationId
+#log4j.category.Shibboleth.RequestMapper=DEBUG
+# high level session cache operations
+#log4j.category.Shibboleth.SessionCache=DEBUG
+# persistent storage and caching
+#log4j.category.XMLTooling.StorageService=DEBUG
+
+# define the appender
+
+log4j.appender.native_log=org.apache.log4j.ConsoleAppender
+log4j.appender.native_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.native_log.layout.ConversionPattern=native_log %p %c %x: %m%n
diff --git a/comanage-registry-mailman/apache-shib/shibd-start.sh b/comanage-registry-mailman/apache-shib/shibd-start.sh
new file mode 100755
index 0000000..28dc7b6
--- /dev/null
+++ b/comanage-registry-mailman/apache-shib/shibd-start.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# COmanage Registry Shibboleth SP Dockerfile entrypoint
+#
+# Portions licensed to the University Corporation for Advanced Internet
+# Development, Inc. ("UCAID") under one or more contributor license agreements.
+# See the NOTICE file distributed with this work for additional information
+# regarding copyright ownership.
+#
+# UCAID licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with the
+# License. You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+source /usr/local/lib/comanage_shibboleth_sp_utils.sh
+
+comanage_shibboleth_sp_utils::exec_shibboleth_sp_daemon
diff --git a/comanage-registry-mailman/apache-shib/shibd.logger b/comanage-registry-mailman/apache-shib/shibd.logger
new file mode 100644
index 0000000..5fd332b
--- /dev/null
+++ b/comanage-registry-mailman/apache-shib/shibd.logger
@@ -0,0 +1,57 @@
+# set overall behavior
+log4j.rootCategory=INFO, shibd_log
+
+# fairly verbose for DEBUG, so generally leave at INFO
+log4j.category.XMLTooling.XMLObject=INFO
+log4j.category.XMLTooling.KeyInfoResolver=INFO
+log4j.category.Shibboleth.IPRange=INFO
+log4j.category.Shibboleth.PropertySet=INFO
+
+# raise for low-level tracing of SOAP client HTTP/SSL behavior
+log4j.category.XMLTooling.libcurl=INFO
+
+# useful categories to tune independently:
+#
+# tracing of SAML messages and security policies
+#log4j.category.OpenSAML.MessageDecoder=DEBUG
+#log4j.category.OpenSAML.MessageEncoder=DEBUG
+#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
+#log4j.category.XMLTooling.SOAPClient=DEBUG
+# interprocess message remoting
+#log4j.category.Shibboleth.Listener=DEBUG
+# mapping of requests to applicationId
+#log4j.category.Shibboleth.RequestMapper=DEBUG
+# high level session cache operations
+#log4j.category.Shibboleth.SessionCache=DEBUG
+# persistent storage and caching
+#log4j.category.XMLTooling.StorageService=DEBUG
+
+# logs XML being signed or verified if set to DEBUG
+log4j.category.XMLTooling.Signature.Debugger=INFO, sig_log
+log4j.additivity.XMLTooling.Signature.Debugger=false
+log4j.ownAppenders.XMLTooling.Signature.Debugger=true
+
+# the tran log blocks the "default" appender(s) at runtime
+# Level should be left at INFO for this category
+log4j.category.Shibboleth-TRANSACTION=INFO, tran_log
+log4j.additivity.Shibboleth-TRANSACTION=false
+log4j.ownAppenders.Shibboleth-TRANSACTION=true
+
+# uncomment to suppress particular event types
+#log4j.category.Shibboleth-TRANSACTION.AuthnRequest=WARN
+#log4j.category.Shibboleth-TRANSACTION.Login=WARN
+#log4j.category.Shibboleth-TRANSACTION.Logout=WARN
+
+# define the appenders
+
+log4j.appender.shibd_log=org.apache.log4j.ConsoleAppender
+log4j.appender.shibd_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.shibd_log.layout.ConversionPattern=shibd_log %d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+log4j.appender.tran_log=org.apache.log4j.ConsoleAppender
+log4j.appender.tran_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.tran_log.layout.ConversionPattern=tran_log %d{%Y-%m-%d %H:%M:%S}|%c|%m%n
+
+log4j.appender.sig_log=org.apache.log4j.ConsoleAppender
+log4j.appender.sig_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.sig_log.layout.ConversionPattern=sig_log %m
diff --git a/comanage-registry-mailman/apache-shib/start.sh b/comanage-registry-mailman/apache-shib/start.sh
new file mode 100755
index 0000000..b03b276
--- /dev/null
+++ b/comanage-registry-mailman/apache-shib/start.sh
@@ -0,0 +1,73 @@
+#! /bin/bash
+
+# Nginx for GNU Mailman 3 Core for COmanage Registry Dockerfile entrypoint
+#
+# Portions licensed to the University Corporation for Advanced Internet
+# Development, Inc. ("UCAID") under one or more contributor license agreements.
+# See the NOTICE file distributed with this work for additional information
+# regarding copyright ownership.
+#
+# UCAID licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with the
+# License. You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Configuration details that may be injected through environment
+# variables or the contents of files.
+
+injectable_config_vars=(
+ MAILMAN_CORE_HOST
+ MAILMAN_CORE_PORT
+ MAILMAN_WEB_HOST
+ MAILMAN_WEB_PORT
+)
+
+# Default values.
+MAILMAN_CORE_HOST="mailman-core"
+MAILMAN_CORE_PORT="8001"
+MAILMAN_WEB_HOST="mailman-web"
+MAILMAN_WEB_PORT="8000"
+
+# If the file associated with a configuration variable is present then
+# read the value from it into the appropriate variable.
+
+for config_var in "${injectable_config_vars[@]}"
+do
+ eval file_name=\$"${config_var}_FILE";
+
+ if [ -e "$file_name" ]; then
+ declare "${config_var}"=`cat $file_name`
+ fi
+done
+
+# Copy HTTPS certificate and key into place.
+if [ -n "${HTTPS_CERT_FILE}" ] && [ -n "${HTTPS_KEY_FILE}" ]; then
+ cp "${HTTPS_CERT_FILE}" /usr/local/apache2/conf/server.crt
+ cp "${HTTPS_KEY_FILE}" /usr/local/apache2/conf/server.key
+ chmod 644 /usr/local/apache2/conf/server.crt
+ chmod 600 /usr/local/apache2/conf/server.key
+fi
+
+# Wait for the mailman core container to be ready.
+until nc -z -w 1 "${MAILMAN_CORE_HOST}" "${MAILMAN_CORE_PORT}"
+do
+ echo "Waiting for Mailman core container..."
+ sleep 1
+done
+
+# Wait for the mailman web container to be ready.
+until nc -z -w 1 "${MAILMAN_WEB_HOST}" "${MAILMAN_WEB_PORT}"
+do
+ echo "Waiting for Mailman web container..."
+ sleep 1
+done
+
+# Start Apache HTTP Server
+exec "$@"
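Review bot: when `HTTPS_CERT_FILE` or `HTTPS_KEY_FILE` is unset the script silently skips the copy and then `exec`s httpd, which fails later on the missing `server.crt`/`server.key` named in httpd.conf with a far less obvious error; fail fast here with a clear message, and check that the secret files exist before `cp`. The header comment still reads `Nginx for GNU Mailman 3 Core`; update it to Apache HTTP Server. Minor: in the `_FILE` loop `cat $file_name` is unquoted; use `"$(cat "$file_name")"`.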
diff --git a/comanage-registry-mailman/apache-shib/supervisord.conf b/comanage-registry-mailman/apache-shib/supervisord.conf
new file mode 100644
index 0000000..c373a01
--- /dev/null
+++ b/comanage-registry-mailman/apache-shib/supervisord.conf
@@ -0,0 +1,36 @@
+; COmanage Registry Docker supervisord configuration
+;
+; Portions licensed to the University Corporation for Advanced Internet
+; Development, Inc. ("UCAID") under one or more contributor license agreements.
+; See the NOTICE file distributed with this work for additional information
+; regarding copyright ownership.
+;
+; UCAID licenses this file to you under the Apache License, Version 2.0
+; (the "License"); you may not use this file except in compliance with the
+; License. You may obtain a copy of the License at:
+;
+; http://www.apache.org/licenses/LICENSE-2.0
+;
+; Unless required by applicable law or agreed to in writing, software
+; distributed under the License is distributed on an "AS IS" BASIS,
+; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+; See the License for the specific language governing permissions and
+; limitations under the License.
+
+[supervisord]
+nodaemon=true
+user=root
+
+[program:apache2]
+command=/usr/local/bin/apache-httpd-start.sh httpd-foreground
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:shibd]
+command=/usr/local/bin/shibd-start.sh
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
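Review bot: `[supervisord]` runs as `user=root` and `[program:shibd]` sets no `user=`, so shibd is spawned as root even though the Dockerfile creates `_shibd` and chowns `/var/run/shibboleth`, `/opt/shibboleth-sp/var` and the key files to it. Unless `comanage_shibboleth_sp_utils::exec_shibboleth_sp_daemon` drops privileges itself, add `user=_shibd` to that program section; httpd legitimately needs root to bind 80 and 443 and drops to `daemon` per httpd.conf.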
diff --git a/comanage-registry-mailman/mailman-stack.yml b/comanage-registry-mailman/mailman-stack.yml
index afe7e7e..da8d801 100644
--- a/comanage-registry-mailman/mailman-stack.yml
+++ b/comanage-registry-mailman/mailman-stack.yml
@@ -1,30 +1,16 @@
-# Docker Swarm stack compose file for Mailman 3 for COmanage Registry
-#
-# Portions licensed to the University Corporation for Advanced Internet
-# Development, Inc. ("UCAID") under one or more contributor license agreements.
-# See the NOTICE file distributed with this work for additional information
-# regarding copyright ownership.
-#
-# UCAID licenses this file to you under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with the
-# License. You may obtain a copy of the License at:
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# This is an example compose file. Be sure to modify it as necessary
-# for your own deployment.
+version: '3.3'
-version: '3.2'
+networks:
+ default:
+ driver: overlay
+ ipam:
+ driver: default
+ config:
+ - subnet: 10.1.0.0/24
services:
mailman-core:
- image: sphericalcowgroup/mailman-core:0.1.7
+ image: sphericalcowgroup/mailman-core:0.2.1
volumes:
- /srv/docker/mailman/core:/opt/mailman/
environment:
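Review bot: this hunk drops the license header together with the `This is an example compose file. Be sure to modify it` warning; that warning matters more now that several values are blanked (`SERVE_FROM_DOMAIN=`, `MAILMAN_ADMIN_EMAIL=`, `VIRTUAL_HOST_FQDN=`), so keep at least that comment. The hard-coded `subnet: 10.1.0.0/24` is also the range that `POSTFIX_MYNETWORKS` later trusts as a relay network; add a comment tying the two together so nobody changes one without the other.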
@@ -43,18 +29,21 @@ services:
- hyperkitty_api_key
- mailman_database_url
- mailman_rest_password
+ deploy:
+ endpoint_mode: dnsrr
mailman-web:
- image: sphericalcowgroup/mailman-web:0.1.7
+ image: sphericalcowgroup/mailman-web:0.2.1
volumes:
- /srv/docker/mailman/web:/opt/mailman-web-data
+ - /srv/docker/mailman/settings.py:/opt/mailman-web/settings.py
environment:
- MAILMAN_DATABASE_URL_FILE=/run/secrets/mailman_database_url
- MAILMAN_DATABASE_TYPE=postgres
- HYPERKITTY_API_KEY_FILE=/run/secrets/hyperkitty_api_key
- - SERVE_FROM_DOMAIN=lists-dev.sphericalcowgroup.com
- - MAILMAN_ADMIN_USER=mailman_admin
- - MAILMAN_ADMIN_EMAIL=admin@local
+ - SERVE_FROM_DOMAIN=
+ - MAILMAN_ADMIN_USER=
+ - MAILMAN_ADMIN_EMAIL=
- MAILMAN_WEB_SECRET_KEY_FILE=/run/secrets/mailman_web_secret_key
- MAILMAN_REST_USER=restadmin
- MAILMAN_REST_PASSWORD_FILE=/run/secrets/mailman_rest_password
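Review bot: `MAILMAN_ADMIN_EMAIL` is now blank here and again in the `apache` service, where httpd.conf uses it for `Require shib-attr mail`; if the two values drift the administrator is locked out of Postorius. Set it once through compose variable substitution (`${MAILMAN_ADMIN_EMAIL}` from a `.env` file) rather than in two places, and likewise for `SERVE_FROM_DOMAIN`/`VIRTUAL_HOST_FQDN`. The new bind mount of `/srv/docker/mailman/settings.py` replaces the whole Django settings file and is presumably where `MailHeaderMiddleware` and `MailHeaderBackend` get enabled; the README needs to document that file and its required entries.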
@@ -67,6 +56,8 @@ services:
- mailman_database_url
- mailman_rest_password
- mailman_web_secret_key
+ deploy:
+ endpoint_mode: dnsrr
database:
image: postgres:9.6
@@ -80,30 +71,49 @@ services:
- default
secrets:
- postgres_password
+ deploy:
+ endpoint_mode: dnsrr
postfix:
- image: sphericalcowgroup/mailman-postfix
+ image: sphericalcowgroup/mailman-postfix:2
volumes:
- /srv/docker/mailman:/opt/mailman
environment:
- - POSTFIX_MAILNAME=lists-dev.sphericalcowgroup.com
+ - POSTFIX_MYHOSTNAME=lists-dev.sphericalcowgroup.com
+ - POSTFIX_MYNETWORKS=!10.255.0.0/16 10.1.0.0/24
ports:
- - "25:25"
+ - target: 25
+ published: 25
+ # 'host' mode is necessary for Postfix to receive the connection IP address
+ # instead of the ingress network IP address. This is only a useful workaround
+ # when not truly leveraging the load balancing capabilities of swarm mode.
+ # Normally with more than a single mode swarm the upstream load balancer in
+ # front of the swarm would be used for the definitive access log.
+ # See discussion at https://github.com/moby/moby/issues/25526 .
+ mode: host
networks:
- default
+ deploy:
+ endpoint_mode: dnsrr
- nginx:
- image: sphericalcowgroup/mailman-core-nginx
+ apache:
+ image: sphericalcowgroup/mailman-core-apache-shib:1
volumes:
- /srv/docker/mailman/web:/opt/mailman-web-data
+ - /srv/docker/mailman/shib/etc/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml
+ - /srv/docker/mailman/shib/etc/attribute-map.xml:/etc/shibboleth/attribute-map.xml
environment:
- - NGINX_HTTPS_CERT_FILE=/run/secrets/nginx_https_cert_file
- - NGINX_HTTPS_KEY_FILE=/run/secrets/nginx_https_key_file
- - NGINX_DH_PARAM_FILE=/run/secrets/nginx_dh_param_file
+ - HTTPS_CERT_FILE=/run/secrets/https_cert_file
+ - HTTPS_KEY_FILE=/run/secrets/https_key_file
+ - MAILMAN_ADMIN_EMAIL=
+ - SHIBBOLETH_SP_ENCRYPT_CERT=/run/secrets/shibboleth_sp_encrypt_cert
+ - SHIBBOLETH_SP_ENCRYPT_PRIVKEY=/run/secrets/shibboleth_sp_encrypt_privkey
+ - VIRTUAL_HOST_FQDN=
secrets:
- - nginx_https_cert_file
- - nginx_https_key_file
- - nginx_dh_param_file
+ - https_cert_file
+ - https_key_file
+ - shibboleth_sp_encrypt_cert
+ - shibboleth_sp_encrypt_privkey
networks:
- default
ports:
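Review bot: `POSTFIX_MYNETWORKS=!10.255.0.0/16 10.1.0.0/24` trusts every container on the overlay subnet as a relay client while excluding the ingress range; that is the right shape, but the intent deserves a comment like the one added for `mode: host`. In that comment, `single mode swarm` should read `single node swarm`.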
@@ -123,8 +133,13 @@ services:
mode: host
deploy:
replicas: 1
+ endpoint_mode: dnsrr
secrets:
+ https_cert_file:
+ external: true
+ https_key_file:
+ external: true
hyperkitty_api_key:
external: true
mailman_database_url:
@@ -133,11 +148,9 @@ secrets:
external: true
mailman_web_secret_key:
external: true
- nginx_https_cert_file:
- external: true
- nginx_https_key_file:
+ postgres_password:
external: true
- nginx_dh_param_file:
+ shibboleth_sp_encrypt_cert:
external: true
- postgres_password:
+ shibboleth_sp_encrypt_privkey:
external: true
diff --git a/comanage-registry-mailman/web/Dockerfile b/comanage-registry-mailman/web/Dockerfile
index 95c082a..25a493f 100644
--- a/comanage-registry-mailman/web/Dockerfile
+++ b/comanage-registry-mailman/web/Dockerfile
@@ -44,11 +44,16 @@ RUN apt-get update \
xapian-haystack \
&& adduser --system --no-create-home --group mailman
+COPY django-mail-header /tmp/django-mail-header
+RUN pip install /tmp/django-mail-header \
+ && rm -rf /tmp/django-mail-header
+
# Add needed files for uwsgi server + settings for django
COPY mailman-web /opt/mailman-web
-# Overlay customized template for Postorius login
-#COPY login.html /usr/local/lib/python2.7/site-packages/django_mailman3/templates/account/
+# Overlay modified templates
+COPY postorius.base.html /usr/local/lib/python3.6/site-packages/postorius/templates/postorius/base.html
+COPY hyperkitty.base.html /usr/local/lib/python3.6/site-packages/hyperkitty/templates/hyperkitty/base.html
RUN chown -R mailman:mailman /opt/mailman-web/ \
&& chmod u+x /opt/mailman-web/manage.py
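Review bot: the template overlay copies into `/usr/local/lib/python3.6/site-packages/postorius/templates/...` and `.../hyperkitty/...`, hard-coding the interpreter minor version and each package's internal layout; the next base image or package bump silently reverts to the stock templates (the commented-out `python2.7` line being removed shows this has already happened once). Prefer shipping the overrides in a directory listed first in Django's `TEMPLATES[...]['DIRS']` so they take precedence without touching site-packages.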
diff --git a/comanage-registry-mailman/web/django-mail-header/setup.py b/comanage-registry-mailman/web/django-mail-header/setup.py
new file mode 100644
index 0000000..b002890
--- /dev/null
+++ b/comanage-registry-mailman/web/django-mail-header/setup.py
@@ -0,0 +1,15 @@
+import setuptools
+
+setuptools.setup(
+ name="django-mail-header",
+ version="1.0.0",
+ author="Scott Koranda",
+ author_email="skoranda@gmail.com",
+ description="Custom HTTP_MAIL header for Django authentication",
+ packages=setuptools.find_packages('src'),
+ package_dir={'': 'src'},
+ classifiers=[
+ "Programming Language :: Python :: 3",
+ "Operating System :: OS Independent",
+ ],
+)
diff --git a/comanage-registry-mailman/web/django-mail-header/src/django_mail_header/__init__.py b/comanage-registry-mailman/web/django-mail-header/src/django_mail_header/__init__.py
new file mode 100644
index 0000000..5becc17
--- /dev/null
+++ b/comanage-registry-mailman/web/django-mail-header/src/django_mail_header/__init__.py
@@ -0,0 +1 @@
+__version__ = "1.0.0"
diff --git a/comanage-registry-mailman/web/django-mail-header/src/django_mail_header/backends.py b/comanage-registry-mailman/web/django-mail-header/src/django_mail_header/backends.py
new file mode 100644
index 0000000..efda55a
--- /dev/null
+++ b/comanage-registry-mailman/web/django-mail-header/src/django_mail_header/backends.py
@@ -0,0 +1,16 @@
+"""
+Django backend that uses the RemoteUserBackend as a base
+class and that sets the email field on the user model
+to be the same as the username field each time a new
+user is created.
+"""
+
+from django.contrib.auth.backends import RemoteUserBackend
+
+class MailHeaderBackend(RemoteUserBackend):
+ def configure_user(self, user):
+ username = user.get_username()
+ user.email = username;
+ user.save()
+
+ return user
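Review bot: `configure_user(self, user)` is the pre-2.2 `RemoteUserBackend` signature; Django 2.2 added a `request` argument (`configure_user(self, request, user)`) and calls the old form only through a deprecation shim, so either pin Django below 2.2 in the web image or accept `request`. Using the `mail` value as both username and e-mail also ties the account to a mutable, reassignable attribute; a persistent identifier (eduPersonPrincipalName or subject-id) as the username with `mail` kept as the e-mail field avoids account confusion when an address is reassigned. Style: drop the stray semicolon in `user.email = username;`.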
diff --git a/comanage-registry-mailman/web/django-mail-header/src/django_mail_header/middleware.py b/comanage-registry-mailman/web/django-mail-header/src/django_mail_header/middleware.py
new file mode 100644
index 0000000..4426532
--- /dev/null
+++ b/comanage-registry-mailman/web/django-mail-header/src/django_mail_header/middleware.py
@@ -0,0 +1,10 @@
+"""
+Django middleware that builds on the RemoteUserMiddleware
+base class and sets the header to inspect for the username
+to HTTP_MAIL.
+"""
+
+from django.contrib.auth.middleware import RemoteUserMiddleware
+
+class MailHeaderMiddleware(RemoteUserMiddleware):
+ header = 'HTTP_MAIL'
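Review bot: `MailHeaderMiddleware` makes `HTTP_MAIL` (the `Mail` request header) the authenticated identity, so anything that can reach `mailman-web:8000` without going through Apache can impersonate any user by sending that header; in this stack every service shares the one overlay network with `endpoint_mode: dnsrr`, so the postfix, database and core containers are in that position, not only the proxy. Django's `RemoteUserMiddleware` documentation requires that the application be reachable only through the proxy that sets the header; document that constraint and consider a second trust signal (a shared-secret header set by Apache and checked by the middleware) so the `Mail` header alone is not sufficient. On the Apache hop itself `ShibUseHeaders On` makes mod_shib strip incoming headers that match exported attribute names, so spoofing through the proxy is already covered.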
diff --git a/comanage-registry-mailman/web/hyperkitty.base.html b/comanage-registry-mailman/web/hyperkitty.base.html
new file mode 100644
index 0000000..950956d
--- /dev/null
+++ b/comanage-registry-mailman/web/hyperkitty.base.html
@@ -0,0 +1,209 @@
+{% load i18n %}
+{% load compress %}
+{% load static %}
+{% load gravatar %}
+
+
+