Thanks for your reply Mark, very useful,

Mark Sapiro wrote:
> On 09/25/2016 02:32 AM, Julian H. Stacey wrote:
> >
> > On mailman list configs, On event-announce@ I asserted default
> > moderated bit on all new & existing members of event-announce@, &
> > removed moderated bit on individual organisers.
>
>
> This is not a secure way to restrict posts to event-announce because
> anyone can post by spoofing the address of an unmoderated member whose
> address is known by virtue of having posted to the list.

Yes; Spoofing hasn't been a problem here so far thanks, (perhaps as
most lists for technically competent here are open to all members
unmoderated anyway; Mostly it's just non tech. lists here are
announce-only, to block noise many lazy & clueless. I had administrivia
filters turned on in majordomo & now with mailman, I needed to add to
MJ regexp filters, so if I do with MM, I'll hope to contribute back to
MM devs.

> See the
> sections "How to restrict the list so only authorized persons can post:"
> and "How to post to the announcement list:" at
> <https://wiki.list.org/x/4030685>.
>
> However, this may not be viable in your case depending on the logistics
> of distributing the list's poster password to the authorized posters.

Yes, not viable here, many event organisers on the non tech lists
wouldn't cope inserting a password in header. So later, if I have to.

> > My main problem:
> > No one on event-announce@ can now respond to event-org@ with
> > "Count me in for event! / Who is organiser next week? etc"
>
>
> Add '@event-announce' to accept_these_nonmembers of the event-org list.
> This will allow anyone who is a member of event-announce, and not a
> member of event-org to post to event.org without moderation. This will
> not affect event-org posts from a member of event-org.

OK Found under
http://mailman.berklix.org/mailman/admin/event-org/privacy/sender
Non-member filters.

> > My lesser problem:
> > When someone joins event-org@ I have to manually remove moderator
> > bit from their personal membership entry in event-announce@ (&
> > re-assert if they leave).
>
>
> You could add @event-org to accept_these_nonmembers of the
> event-announce list. This would allow any member of event-org to post to
> event-announce, but it is subject to the same spoofing vulnerability as
> noted for 'un-moderation', and members of event-org who are not members
> of event-announce won't receive event-announce posts.

OK Thanks, Done, last bit no prob.
I have (up to now) required all members of *-org@ to be on *-announce@
(but I think per your post below I'll switch to include event-announce@
traffic to event-org@)

I asserted wrong record via wrong box on web form first go, but then
confirmed I have right one with this check:

    cd /usr/local ; \
    mailman/bin/dumpdb mailman/lists/event-org/config.pck | grep accept_these
    { 'accept_these_nonmembers': ['@event', '@event-chat'],

> > Are Sibling lists a solution? How please ?, I've never used them yet.
>
>
> Sibling lists may help some of this. If you add event-org@... to
> regular_include_lists of event-announce that will solve the potential
> issue of event-org members who are not members of event-announce not
> receiving event-announce posts.
>
> So, there are choices depending on whether or not you are concerned
> about unauthorized posts to event-announce by spoofing authorized senders.
>
> If you aren't concerned:
> Add '@event-announce' to accept_these_nonmembers of event-org.
> Add '@event-org' to accept_these_nonmembers of event-announce.
> Add event-org@... to regular_include_lists of event-announce.
> Ensure that anyone who is a member of both event-announce and event-org
> is not moderated on event-announce or posts to event-announce with an
> Approved: <password> header. Easiest is to ensure members of event-org
> aren't members of event-announce.
>
> If you are concerned:
> Add '@event-announce' to accept_these_nonmembers of event-org.
> Do not add '@event-org' to accept_these_nonmembers of event-announce.
> Moderate everyone on event-announce and authorized posters can post to
> event-announce with an Approved: <password> header, instructions for
> which can be posted to the event-org list if its archives are private.

Thanks Mark :-) If you ever visit Munich, there's a bunch of lists
on http://berklix.org where you can find me to buy you a beer :-)

Cheers,
Julian
-- 
Julian Stacey, BSD Linux Unix Sys Eng Consultant Munich
 Reply below, Prefix '> '.
 Plain text, No .doc, base64, HTML, quoted-printable.
 http://berklix.eu/brexit/#stolen_votes
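
The two setups described in the thread, as an added example that is not part of the original message and not Mailman's own code: a simplified Python model of the accept/hold decision, showing that the "not concerned" setup decides on the From: header alone while the "concerned" setup requires the Approved: password. `MList`, `decide`, `post`, the addresses and the password are constructed for illustration.

```python
# Simplified model of the posting decision; not Mailman's code. Regexp entries,
# admin/moderator passwords and configurable hold actions are omitted.
import hmac
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr

@dataclass
class MList:
    members: dict = field(default_factory=dict)  # address -> moderated?
    accept_these_nonmembers: list = field(default_factory=list)
    poster_password: str = ""                    # checked against Approved:

def decide(name, raw, lists):
    mlist, msg = lists[name], message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    approved = (msg.get("Approved") or "").strip()
    if mlist.poster_password and hmac.compare_digest(
            approved.encode(), mlist.poster_password.encode()):
        return "accept"                          # proof of a shared secret
    if sender in mlist.members:                  # From: is all that is checked
        return "hold" if mlist.members[sender] else "accept"
    for entry in mlist.accept_these_nonmembers:
        if entry.startswith("@"):                # '@list' = members of that list
            if sender in lists.get(entry[1:], MList()).members:
                return "accept"
        elif entry.lower() == sender:
            return "accept"
    return "hold"

def post(sender, approved=None):                 # constructed sample message
    hdr = f"From: {sender}\n" + (f"Approved: {approved}\n" if approved else "")
    return hdr + "Subject: Event next week\n\nDetails follow.\n"

ORG, FANS = {"organiser@example.org": False}, {"fan@example.org": True}
# "Not concerned" setup: trust is derived from the From: header alone.
open_cfg = {"event-org": MList(ORG, ["@event-announce"]),
            "event-announce": MList(FANS, ["@event-org"])}
# "Concerned" setup: everyone moderated, posting needs the Approved: secret.
strict_cfg = {"event-org": open_cfg["event-org"], "event-announce": MList(
    {**FANS, "organiser@example.org": True}, [], "constructed-secret")}

def results():
    m = post("organiser@example.org")            # genuine or forged: identical
    ok = post("organiser@example.org", "constructed-secret")
    return [decide("event-announce", m, open_cfg),
            decide("event-announce", m, strict_cfg),
            decide("event-announce", ok, strict_cfg),
            decide("event-org", post("fan@example.org"), strict_cfg)]
```

`results()` covers, in order: an organiser-addressed post under the first setup, the same post under the second setup, the same post with the Approved: header, and an event-announce member replying to event-org.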