[Mailman-Developers] Envelope from, sender, from, etc.

[Per Starback]

In 1.0rc1 USE_ENVELOPE_SENDER = 0 by default, but still it didn't work
for me.  After investigating it turned out that the documentation
misled me.  I think the documentation or the function should be
changed, preferrably the latter.

According to the section in NEWS where USE_ENVELOPE_SENDER is added:

# With this variable set to true, the envelope sender (e.g. Unix
# "From_" header) is used to match addresses, otherwise the From:
# header is used.

The FAQ also speaks about the difference being between using envelope
from and From:.

The comments in Defaults.py indicate that this is perhaps not the
whole truth as they say

# The envelope sender is set by the SMTP delivery and is thus less easily
# spoofed than the sender, which is typically just taken from the From: header 

"Typically" is the key word here.  The actual code uses GetSender
which prefers to use Sender: but uses From: if there is no Sender:.
So my messages which said

	 From: starback@ling.uu.se
	 Sender: starback@objekt.ling.uu.se

where rejected when only "starback@ling.uu.se" was a subscriber.

Am I missing something here?  It seems to me that the point of
USE_ENVELOPE_SENDER=0 is that we are willing to accept the lesser
security we get when we just accept who the sender says they are
and don't insist that the "technical stuff" (envelope from) has to
match.  Why then refuse because of a Sender: header that probably
echoes what was in envelope from?

-- 
Per Starback <starback@ling.uu.se> <http://stp.ling.uu.se/~starback/me.html>
 "Life is but a gamble!  Let flipism chart your ramble!"