Michael Bakonyi writes:
allright, thx a lot for your quick answer! After fiddling around some more time, I guess I had some misunderstandings regarding the REST-API. I guess if we reach the API correctly, we will not be confronted with the CSRF-Error. We will continue to try but nevertheless: What would be a cleaner approach to reach the API from an external IP? I didn't found any examples in the web so far.
If you mean the core REST API, you won't find any useful examples on the Internet. Anything you do find should be considered a form of self-harm and/or an insider threat. Access to the REST API is not securely authenticated, and therefore should never be exposed to the Internet. This API is expected to be contained either to localhost, or to a subnet behind a firewall that prohibits access to that port except from the host(s) serving HyperKitty and/or Postorius. If that's what you're trying to do, I would suggest a secure tunnel (not a generic VPN, but a specific tunnel to the API port).
If you're talking about the Django administrative API to Postorius, you'll probably get a better answer faster from Django channels. Mark may know but he won't be available until mid-September most likely. As I wrote earlier, as far as I know you need to access the Postorius port, provide credentials, get the CSRF token, and then access Django.