Thomas Ward via Mailman-users writes:

 > Has *anyone* seen any cases like this before?

Something like it is common.  A member forwards a non-member's message
to the list, so that the envelope from (and often Sender) are set to
that member's address.  You will see only the header From, so it
appears that the post was by a non-member.

 > If this is repeatable or a known issue, it deserves a CVE security
 > bug because this is a **severe** problem.

Members-only for posting is a best-effort, use at your own risk,
feature, because all of the addresses used for identifying members are
easily spoofable.  Of them only the header From is normally visible to
end users.  It's standard in stock Mailman because in practice it's an
excellent defense against spam.  It is not otherwise a reliable
security measure, and the default configuration is quite loose.  It
allows users to forward messages for others and to use various
addresses for the author headers.  It allows the apparent author to be
different from the user who injects the message to the Internet mail
system.

In practice, header From is fairly reliable if all of your members
have addresses with DMARC policy "p=reject" and your MTA does reject
when From alignment fails.  But to depend on DMARC processing, you
need to remove Sender, Reply-To, and envelope From (From_, I think is
the configuration notation) from the member identification
configuration.  Also note that the purpose of DMARC is primarily to
protect the sending organization, not the receiver, so this use case
depends on trusting the sending organization to do the authentication.


-- 
GNU Mailman consultant (installation, migration, customization)
Sirius Open Source    https://www.siriusopensource.com/
Software systems consulting in Europe, North America, and Japan
Archived at: 
https://lists.mailman3.org/archives/list/[email protected]/message/D72SPJD4J4SWPFX6SIA3F2V7CC6YTTJU/