[Mailman-Developers] 2.1.8 documentation mismatch

David Lee t.d.lee at durham.ac.uk
Thu Jun 8 17:54:40 CEST 2006


On Thu, 8 Jun 2006, Ian Eiloart wrote:

> --On 8 June 2006 12:39:22 +0100 David Lee <t.d.lee at durham.ac.uk> wrote:
>
> >  The incoming email
> > would carry a header (of first line in body) of something like:
> >    Authorised:  sender-pw
> >
> > where "sender-pw" is associated with the (claimed) From-address.  This is
> > different from, but complementary to, "Approved: list-pw".
>
> That's neither approval nor authorisation, it's authentication - proving
> that the person who used the email address also knew the password
> associated with it. [...]

Thanks, Ian.  I agree with that technical view.  That suggests that the
header (of first line of body) would need to be something like:
   Authenticated:  sender-pw

To the average non-techie managerial type, what terminology (Authorised?
Authenticated? etc.) is preferable?


> [...] It's far better to insist on authenticated SMTP for ALL
> message submission.

That would, indeed, probably be the ideal.  But that would itself mean
that all paths by which the Mailman machine might be reached would have to
be known to have an enforced mechanism for authenticated SMTP.  (And what
about (say) "cron" jobs generating email which might legitimately go
through lists?)

An institution's (university's) "smtphost" service might naturally restrict
access to its own users and thus the authentication could use, say, its
central NIS/AD/LDAP-like user-base.  But its Mailman service might extend
considerably beyond those bounds to include collaboration with other
places, for which a much wider user-base would be needed.  (Suppose, for
instance, that this very "mailman-developers" list were hosted at your own
university?)

Even if those problems could be overcome, one would still need to ensure
that Mailman can know for certain that authenticated SMTP had been used.
Which takes us off to another branch (about Mailman API, milters, etc.)
of this fragmenting discussion!...


>
> >
> > Given that I'm just about to start on implementing this, it would be nice
> > to establish whether this sender-related word "Authorised" is the
> > appropriate word, or if there is something better.
> >
>
> I've had a look through that thread, and I'm not sure what you're trying to
> achieve. Generally, there are two aspects to deciding whether someone can
> post to a list: "authorisation" and "authentication".
>
> Passwords are usually used for both, but it's far better to separate the
> functions. Knowledge of a personal password serves to authenticate you, but
> not to authorise you. Knowledge of a shared password is sometimes used for
> authorisation, but can't be used for authentication. Even for
> authorisation, passwords are extremely weak.

Agreed.  That earlier thread was simply setting the ball rolling.

The problem that precipitated that thread was an incident in which two
emails went through our majordomo lists to the whole university (20,000
accounts), because those emails spoofed the "From" to match an entry in
the "posters" file of those lists.  So we are looking towards protecting
these potentially massive distributions with a "From+verification"
concept.  (Hence our looking at Mailman, which looks much closer than
majordomo to being able to offer that, especially as it is being actively
developed.)

Thanks again.

-- 

:  David Lee                                I.T. Service          :
:  Senior Systems Programmer                Computer Centre       :
:                                           Durham University     :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham DH1 3LE        :
:  Phone: +44 191 334 2752                  U.K.                  :
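
The "From+verification" idea discussed in this message, sketched as an added example (not part of the original post and not Mailman code): authorisation is membership of a posters list, authentication is a per-sender password carried in the `Authenticated:` header or first body line, and the password is stripped before the message goes any further. The addresses, `POSTERS`, `SENDER_PW`, `decide` and the "hold" outcome are assumptions made for illustration.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

HEADER = "Authenticated"               # header name proposed in the thread
SALT = b"constructed-salt"             # constructed sample value

def _digest(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)

# Constructed sample data: who may post, and each sender's stored password hash.
POSTERS = {"announce@example.ac.uk"}                       # authorisation
SENDER_PW = {"announce@example.ac.uk": _digest("sender-pw"),
             "outsider@example.org": _digest("other-pw")}  # authentication

def extract_password(msg):
    """Return the sender password from the header or first body line, removing it."""
    pw = msg.get(HEADER)
    if pw is not None:
        del msg[HEADER]                # never redistribute the secret
        return pw.strip()
    if msg.is_multipart():
        return None
    first, _, rest = msg.get_payload().partition("\n")
    name, sep, value = first.partition(":")
    if sep and name.strip().lower() == HEADER.lower():
        msg.set_payload(rest)
        return value.strip()
    return None

def decide(raw):
    """Return (decision, message with any password stripped)."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    pw = extract_password(msg)
    stored = SENDER_PW.get(sender)
    # Authentication: the claimed From address must come with its own password.
    authenticated = (pw is not None and stored is not None
                     and hmac.compare_digest(_digest(pw), stored))
    # Authorisation: a separate question, answered by the posters list alone.
    authorised = sender in POSTERS
    # A spoofed From passes `authorised` but fails `authenticated`.
    return ("accept" if authorised and authenticated else "hold"), msg
```
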

