Mark,

Thanks for the quick response. From what I can see in Defaults.py in my installation of Mailman, one could 'break' Mailman the same way Kavi's ezmlm installation is broken by merely setting USE_ENVELOPE_SENDER=yes.

(excerpt from Defaults.py)

# When allowing only members to post to a mailing list, how is the sender of
# the message determined?  If this variable is set to Yes, then first the
# message's envelope sender is used, with a fallback to the sender if there is
# no envelope sender.  Set this variable to No to always use the sender.
#
# The envelope sender is set by the SMTP delivery and is thus less easily
# spoofed than the sender, which is typically just taken from the From: header
# and thus easily spoofed by the end-user.  However, sometimes the envelope
# sender isn't set correctly and this will manifest itself by postings being
# held for approval even if they appear to come from a list member.  If you
# are having this problem, set this variable to No, but understand that some
# spoofed messages may get through.
USE_ENVELOPE_SENDER = No

# Membership tests for posting purposes are usually performed by looking at a
# set of headers, passing the test if any of their values match a member of
# the list.  Headers are checked in the order given in this variable.  The
# value None means use the From_ (envelope sender) header.  Field names are
# case insensitive.
SENDER_HEADERS = ('from', None, 'reply-to', 'sender')

(And continuing the OT discussion, in a ezmlm/qmail environment, qmail passes the envelope sender address via $SENDER to ezmlm, and ezmlm uses this to check list membership. I don't see a way in qmail/ezmlm to emulate USE_ENVELOPE_SENDER = No. Three cheers for Mailman!)

Adam Goldberg
AGP, LLC
+1-202-507-9900

-----Original Message-----
From: Mailman-Users [mailto:mailman-users-bounces+adam=agp-llc....@python.org] On Behalf Of Mark Sapiro
Sent: Tuesday, January 03, 2017 3:17 PM
To: mailman-users@python.org
Subject: Re: [Mailman-Users] Envelope address vs. From: header addresses

On 01/03/2017 11:03 AM, Adam Goldberg wrote:
>
> WS6 uses mailman. I believe that mailman doesn't suffer from this problem
> (that is, mailman checks list membership based on the header From: address,
> not the envelope from address).
>
> Can someone verify with authority that this is the case?

When Mailman checks list membership, it tests the things listed in the installation's config (mm_cfg.py) setting for SENDER_HEADERS, the default for which is From:, envelope sender, Reply-To:, Sender:, in that order. If one of those contains a list member address, the first member address found is considered the poster for list membership/moderation purposes. Otherwise the post is from a non-member.

> (and OT for this list, Does anyone have any insight into why Kavi's ezmlm
> implementation is acting this way? FYI, email sent via Amazon AWS SES is
> sent with an envelope address unique per email (it's explicitly different
> from the From: header address)).

Some things use envelope sender for verification as it is (or once was) considered more difficult to spoof.

--
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/adam%40agp-llc.com
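The following is an added example, not Mailman's own code and not part of either message in the thread. It models the SENDER_HEADERS ordering from the Defaults.py excerpt above (From:, then envelope sender, then Reply-To:, then Sender:) to show why a per-message envelope sender such as the one AWS SES uses still lets a member's post through under Mailman's default, while a configuration that consults only the envelope sender (the ezmlm behaviour described in the thread) holds it as a non-member post. The SES-style envelope address, the member list and the headers are constructed sample values; `candidate_senders`, `poster_for` and `build_message` are names chosen here and approximate, rather than reproduce, Mailman 2.1's `Message.get_senders()` logic.

```python
"""Model of Mailman-style sender determination for membership tests.

Added example, not Mailman's own code.  Approximates the behaviour described
by the SENDER_HEADERS setting in Defaults.py: headers are consulted in order,
None stands for the envelope sender, and the first address that belongs to a
list member is treated as the poster.
"""
from email.message import Message
from email.utils import getaddresses

# Default ordering quoted from Defaults.py in the thread.
SENDER_HEADERS = ('from', None, 'reply-to', 'sender')

# An envelope-only policy, like the ezmlm/qmail $SENDER check described above.
ENVELOPE_ONLY = (None,)


def build_message(headers):
    """Construct a bare message carrying the given headers (sample input)."""
    msg = Message()
    for name, value in headers.items():
        msg[name] = value
    return msg


def candidate_senders(msg, envelope_sender, sender_headers=SENDER_HEADERS):
    """Lower-cased addresses in sender_headers order, duplicates removed.

    None in sender_headers means 'use the envelope sender', as in Defaults.py.
    """
    found = []
    for hdr in sender_headers:
        if hdr is None:
            addrs = [envelope_sender] if envelope_sender else []
        else:
            addrs = [addr for _, addr in getaddresses(msg.get_all(hdr, []))]
        for addr in addrs:
            addr = addr.strip().lower()
            if addr and addr not in found:
                found.append(addr)
    return found


def poster_for(msg, envelope_sender, members, sender_headers=SENDER_HEADERS):
    """First member address found in sender_headers order, or None.

    None means the post would be treated as coming from a non-member and,
    on a members-only list, held for approval.
    """
    member_set = {m.strip().lower() for m in members}
    for addr in candidate_senders(msg, envelope_sender, sender_headers):
        if addr in member_set:
            return addr
    return None


if __name__ == "__main__":
    # Constructed sample: a list member posting through an SES-style relay
    # that rewrites the envelope sender to a per-message bounce address.
    members = {"alice@example.org"}
    ses_envelope = "bounce-0123456789@amazonses.example"  # placeholder value
    msg = build_message({"From": "Alice <alice@example.org>",
                         "Subject": "Hello list"})

    # Mailman default: From: is checked first, so the member is recognised.
    print("default policy  ->", poster_for(msg, ses_envelope, members))
    # Envelope-only policy: the SES bounce address is not a member, so held.
    print("envelope only   ->", poster_for(msg, ses_envelope, members,
                                            ENVELOPE_ONLY))
```

The trade-off in the Defaults.py comment is visible in the two calls: the default ordering accepts any message whose From: header names a member, which is why the comment warns that some spoofed messages may get through, while the envelope-only ordering rejects the relay's rewritten bounce address even when the From: header is a genuine member.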