On 09/25/2016 02:32 AM, Julian H. Stacey wrote:
>
> On mailman list configs, On event-announce@ I asserted default
> moderated bit on all new & existing members of event-announce@, &
> removed moderated bit on individual organisers.

This is not a secure way to restrict posts to event-announce because
anyone can post by spoofing the address of an unmoderated member whose
address is known by virtue of having posted to the list.

See the sections "How to restrict the list so only authorized persons
can post:" and "How to post to the announcement list:" at
<https://wiki.list.org/x/4030685>. However, this may not be viable in
your case depending on the logistics of distributing the list's poster
password to the authorized posters.

> My main problem:
> No one on event-announce@ can now respond to event-org@ with
> "Count me in for event! / Who is organiser next week? etc"

Add '@event-announce' to accept_these_nonmembers of the event-org list.
This will allow anyone who is a member of event-announce, and not a
member of event-org to post to event-org without moderation. This will
not affect event-org posts from a member of event-org.

> My lesser problem:
> When someone joins event-org@ I have to manually remove moderator
> bit from their personal membership entry in event-announce@ (&
> re-assert if they leave).

You could add @event-org to accept_these_nonmembers of the
event-announce list. This would allow any member of event-org to post to
event-announce, but it is subject to the same spoofing vulnerability as
noted for 'un-moderation', and members of event-org who are not members
of event-announce won't receive event-announce posts.

> Are Sibling lists a solution? How please ?, I've never used them yet.

Sibling lists may help some of this. If you add event-org@... to
regular_include_lists of event-announce that will solve the potential
issue of event-org members who are not members of event-announce not
receiving event-announce posts.

So, there are choices depending on whether or not you are concerned
about unauthorized posts to event-announce by spoofing authorized senders.

If you aren't concerned:

Add '@event-announce' to accept_these_nonmembers of event-org.

Add '@event-org' to accept_these_nonmembers of event-announce.

Add event-org@... to regular_include_lists of event-announce.

Ensure that anyone who is a member of both event-announce and event-org
is not moderated on event-announce or posts to event-announce with an
Approved: <password> header. Easiest is to ensure members of event-org
aren't members of event-announce.

If you are concerned:

Add '@event-announce' to accept_these_nonmembers of event-org.

Do not add '@event-org' to accept_these_nonmembers of event-announce.

Moderate everyone on event-announce and authorized posters can post to
event-announce with an Approved: <password> header, instructions for
which can be posted to the event-org list if its archives are private.

-- 
Mark Sapiro <[email protected]>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
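
Added example, not part of the original message and not Mailman's own code: a simplified Python model of the accept/hold decision for the two configurations described above, showing why a post with a forged From: address passes the first and is held by the second. The example.org addresses, the password and the `decide`/`post` helpers are constructed for illustration; holding unknown non-members is an assumption of the model.

```python
from email.message import EmailMessage
from email.utils import parseaddr

def decide(msg, name, lists):
    """Simplified model of the accept/hold decision for a post to list `name`."""
    lst = lists[name]
    # An Approved: header carrying the list password overrides moderation.
    if lst.get("password") and msg.get("Approved") == lst["password"]:
        return "accept"
    # Everything below trusts the From: header, which the sender controls.
    sender = parseaddr(msg["From"])[1].lower()
    if sender in lst["members"]:
        return "hold" if lst["members"][sender] else "accept"
    for entry in lst.get("accept_these_nonmembers", []):
        if entry.startswith("@"):          # '@other' = members of list 'other'
            if sender in lists[entry[1:]]["members"]:
                return "accept"
        elif entry.lower() == sender:
            return "accept"
    return "hold"                          # assumption: other non-members are held

def post(sender, approved=None):
    """Build a constructed test message to event-announce."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "event-announce@example.org"
    msg["Subject"] = "Next event"
    if approved is not None:
        msg["Approved"] = approved
    msg.set_content("Details to follow.")
    return msg

# Constructed sample data: member address -> moderated flag.
ORG = {"members": {"organiser@example.org": False}}
NOT_CONCERNED = {
    "event-org": ORG,
    "event-announce": {"members": {"reader@example.org": True},
                       "accept_these_nonmembers": ["@event-org"]},
}
CONCERNED = {
    "event-org": ORG,
    "event-announce": {"members": {"reader@example.org": True},
                       "accept_these_nonmembers": [],
                       "password": "constructed-poster-password"},
}

if __name__ == "__main__":
    forged = post("organiser@example.org")  # From: is whatever the sender typed
    print(decide(forged, "event-announce", NOT_CONCERNED))  # accept
    print(decide(forged, "event-announce", CONCERNED))      # hold
```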
