Re: [Mailman-Users] Emergency mail to everyone?

2007-01-17 Thread Mark Sapiro
Paul Tomblin wrote:

> And so one thing I'm looking at
> would be a way to send an announcement to all the lists on my server.   I
> understand that you can send mail to a list with an x-approved with the
> list password, but can you do the same with the admin password?


If by admin password, you mean the site password, then No.

You can include an Approve: or Approved: (not X-Approved:) header with
either the list admin or list moderator password to get the message
unconditionally accepted. You cannot use the site password for this.
This is intentional to discourage sending the site password in the
clear in email.

You can also include an Urgent: header with the list admin or list
moderator password to cause the message to be sent to all list
members, digest and regular, without regard for nodups, not metoo,
disabled delivery or topics. The message will still appear in the
digest and will still be subject to holds unless Approved: is also
included.

-- 
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp


Re: [Mailman-Users] Emergency mail to everyone?

2007-01-17 Thread Paul Tomblin
Quoting Mark Sapiro ([EMAIL PROTECTED]):
> Paul Tomblin wrote:
> >
> > And so one thing I'm looking at
> > would be a way to send an announcement to all the lists on my server.   I
> > understand that you can send mail to a list with an x-approved with the
> > list password, but can you do the same with the admin password?
> >
>
> If by admin password, you mean the site password, then No.
>
> You can include an Approve: or Approved: (not X-Approved:) header with
> either the list admin or list moderator password to get the message
> unconditionally accepted. You cannot use the site password for this.
> This is intentional to discourage sending the site password in the
> clear in email.

You mean that if people used the Approve: header that Mailman doesn't
strip it out before it sends it?  That seems like a huge security hole.

Is there a command line tool to approve messages?

-- 
Paul Tomblin [EMAIL PROTECTED] http://blog.xcski.com/
All life is transitory. A dream. We all come together in the same place at
the end of time. If I don't see you again here, I will see you in a little
while in the place where no shadows fall. - Delenn


Re: [Mailman-Users] Emergency mail to everyone?

2007-01-17 Thread Mark Sapiro
Paul Tomblin wrote:

> You mean that if people used the Approve: header that Mailman doesn't
> strip it out before it sends it?  That seems like a huge security hole.


No I don't mean that. It is removed whether or not the password is
valid. When I said "This is intentional to discourage sending the site
password in the clear in email." I meant in the email TO the list. The
header won't be in the mail FROM the list.


> Is there a command line tool to approve messages?


No, but it would be pretty simple to modify bin/discard to make one.

-- 
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan



Re: [Mailman-Users] Emergency mail to everyone?

2007-01-17 Thread Paul Tomblin
Quoting Mark Sapiro ([EMAIL PROTECTED]):
> Paul Tomblin wrote:
> >
> > You mean that if people used the Approve: header that Mailman doesn't
> > strip it out before it sends it?  That seems like a huge security hole.
> >
>
> No I don't mean that. It is removed whether or not the password is
> valid. When I said "This is intentional to discourage sending the site
> password in the clear in email." I meant in the email TO the list. The
> header won't be in the mail FROM the list.

Well, that wouldn't be a problem in this case because it would be a user
or script running on the same box as mailman.

> > Is there a command line tool to approve messages?
> >
>
> No, but it would be pretty simple to modify bin/discard to make one.

I'll look into that, thanks.

-- 
Paul Tomblin [EMAIL PROTECTED] http://blog.xcski.com/
Dumbass PowarRanger Voltron is like the original PowarRanger Voltron,
except no one can agree who forms the head, so all you're left with is
five assholes. - siln


Re: [Mailman-Users] Emergency mail to everyone?

2007-01-17 Thread Dave Dewey
Quoting Paul Tomblin ([EMAIL PROTECTED]):

> My wife is asking what she needs to do with all my servers if I'm
> incapacitated or dead.  One of the things that would need to be turned over
> to somebody else are all my mailman lists.  And so one thing I'm looking at
> would be a way to send an announcement to all the lists on my server.   I
> understand that you can send mail to a list with an x-approved with the
> list password, but can you do the same with the admin password?

If my wife started asking me questions like this I'd hire a food taster.


dd


Re: [Mailman-Users] Emergency mail to everyone?

2007-01-17 Thread Larry Stone
On Wed, 17 Jan 2007, Mark Sapiro wrote:

> Paul Tomblin wrote:
> >
> > You mean that if people used the Approve: header that Mailman doesn't
> > strip it out before it sends it?  That seems like a huge security hole.
>
> No I don't mean that. It is removed whether or not the password is
> valid. When I said "This is intentional to discourage sending the site
> password in the clear in email." I meant in the email TO the list. The
> header won't be in the mail FROM the list.

But it also minimizes the risk of accidental disclosure of the site
password. I assume if Approved was misspelled in a header or as the first
line of the message, it would be included in the message if it was
subsequently approved by a moderator or met other criteria for not needing
moderation.

-- Larry Stone
   [EMAIL PROTECTED]


Re: [Mailman-Users] Emergency mail to everyone?

2007-01-17 Thread Mark Sapiro
Larry Stone wrote:

> But it also minimizes the risk of accidental disclosure of the site
> password. I assume if Approved was misspelled in a header or as the first
> line of the message, it would be included in the message if it was
> subsequently approved by a moderator or met other criteria for not needing
> moderation.


You are correct that the password could be accidentally sent to the list
if Approve(d) was misspelled. The risk of this is small as presumably
the Approve(d) header/line wouldn't be included in the first place if
the message wouldn't otherwise be held, but there is still the risk of
someone approving the held post.

-- 
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan



Re: [Mailman-Users] Emergency mail to everyone?

2007-01-17 Thread David Lee
On Wed, 17 Jan 2007, Mark Sapiro wrote:

> Paul Tomblin wrote:
> >
> > You mean that if people used the Approve: header that Mailman doesn't
> > strip it out before it sends it?  That seems like a huge security hole.
>
> No I don't mean that. It is removed whether or not the password is
> valid. When I said "This is intentional to discourage sending the site
> password in the clear in email." I meant in the email TO the list. The
> header won't be in the mail FROM the list.

A slight caution there.

If the inbound email contains not only the plain text message but also its
  equivalent in HTML
and if the Approved: is specified as the first line of the body rather
  than as a header
then
   the password is in danger of leaking outbound, being stripped only from
   the plain version but not from the HTML version where it could persist.
endif

For lists on which body-based Approved and HTML-ising senders are
likely, it is worth investigating the collapse_alternatives and
convert_html_to_plaintext settings.

(I'm willing to be corrected on any of that!)

-- 

:  David Lee                                I.T. Service          :
:  Senior Systems Programmer                Computer Centre       :
:                                           Durham University     :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham DH1 3LE        :
:  Phone: +44 191 334 2752                  U.K.                  :


Re: [Mailman-Users] Emergency mail to everyone?

2007-01-17 Thread Mark Sapiro
David Lee wrote:

> If the inbound email contains not only the plain text message but also its
>   equivalent in HTML
> and if the Approved: is specified as the first line of the body rather
>   than as a header
> then
>    the password is in danger of leaking outbound, being stripped only from
>    the plain version but not from the HTML version where it could persist.
> endif


This was bug 1181161 which was fixed in Mailman 2.1.7, but there can
still be problems if 'Approved: password' gets split across lines in
quoted printable encoded alternative parts or gets base64 encoded.

It's on my list to fix these issues.

-- 
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
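
The leak discussed in the last two messages, as an added example that is not part of the original thread and is not Mailman's own code: a check a list admin could run over a message as delivered by the list, decoding every text part before looking for a leftover Approved: line. The password, the sample message and the function names are constructed for illustration.

```python
import base64, html, re
from email import message_from_bytes
from email.message import Message
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

PASSWORD = "s3cret-list-pw"      # constructed sample value
TAG_RE = re.compile(r"<[^>]+>")

def find_approved_leaks(raw: bytes, password: str) -> list:
    """List (content type, transfer encoding) of each text part that still
    holds an 'Approve(d): <password>' line once the part is decoded."""
    pat = re.compile(r"Approved?:\s*" + re.escape(password), re.I)
    leaks = []
    for part in message_from_bytes(raw).walk():
        if part.get_content_maintype() != "text":
            continue
        # decode=True undoes base64 and quoted-printable, soft line breaks included
        data = part.get_payload(decode=True) or b""
        text = data.decode(part.get_content_charset() or "utf-8", "replace")
        if part.get_content_subtype() == "html":
            text = html.unescape(TAG_RE.sub("", text))  # drop markup, keep the words
        if pat.search(text):
            cte = part.get("Content-Transfer-Encoding", "7bit").lower()
            leaks.append((part.get_content_type(), cte))
    return leaks

def sample_outbound(cte: str) -> bytes:
    """Constructed message: plain part already cleaned, HTML alternative not."""
    markup = "<p>Approved: %s</p><p>Maintenance tonight.</p>\n" % PASSWORD
    if cte == "base64":
        body = base64.encodebytes(markup.encode()).decode()
    else:   # quoted-printable with a soft line break inside the password
        body = markup.replace("s3cret-", "s3cret-=\n")
    alt = Message()
    alt["Content-Type"] = 'text/html; charset="us-ascii"'
    alt["Content-Transfer-Encoding"] = cte
    alt.set_payload(body)
    msg = MIMEMultipart("alternative")
    msg.attach(MIMEText("Maintenance tonight.\n", "plain", "us-ascii"))
    msg.attach(alt)
    return msg.as_bytes()

if __name__ == "__main__":
    for cte in ("quoted-printable", "base64"):
        raw = sample_outbound(cte)
        print(cte, PASSWORD.encode() in raw, find_approved_leaks(raw, PASSWORD))
```

In both sample messages a plain substring search of the raw bytes does not find the password, which is why the check decodes each part first.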
