Kip Warner writes: > Apparently Mailman doesn't handle opt-in confirmations in a way that is > compliant with it. Specifically, it doesn't log new subscriptions or the > IP addresses of the confirmation. Is this correct?
Each step of a subscription is logged. IP addresses of web requests are logged, both in logs/subscribe and by the webserver. IP addresses of the last remote MTA for a request by mail are logged by the local MTA. IP address of the source MTA or MUA cannot be reliably determined in malicious cases, and even for honest messages, the source IP is both expensive to compute accurately and less than 100% reliable. I don't think Mailman even tries to log these, but I don't have an actual case to hand in my own logs -- everybody uses the web interface. It seems to me that you can probably comply with DreamHost's requirements simply by disabling processing of admin commands by mail. Caveat: I haven't read DreamHost's policy so I don't know for sure. Most likely very few people will be bothered. You'll also want to edit the "please confirm" message to remove the reference to confirm by mail. You could also achieve the same effect by requiring confirmation by mail, but this might require more invasive changes to the code. I'm not sure how to disable admin-by-mail offhand, but Mark can probably help. ------------------------------------------------------ Mailman-Users mailing list [email protected] http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
