[Mailman-Developers] USE_ENVELOPE_SENDER

Ian Eiloart iane at sussex.ac.uk
Mon Feb 9 11:43:55 CET 2009


I'm not sure whether I do use it, but I think I should.

Most of our list users are in our own domain. That domain certainly is less 
spoofable in the envelope, because we don't accept mail from our domain 
unless it's been through our servers. We don't get spam with sussex.ac.uk 
in the envelope sender domain.

With SPF records now widely published, including by several large free 
email service providers, it's certainly within the power of sites to 
validate the envelope sender address of much of their inbound email. Losing 
this facility now would be a great shame.

I certainly don't see how having the option can do much harm.

It might be worth adding code to support BATV, if it isn't there already.

--On 8 February 2009 18:12:33 -0500 Barry Warsaw <barry at list.org> wrote:

> Does anybody set USE_ENVELOPE_SENDER to Yes these days?
>
> I'm considering removing the equivalent of this from Mailman 3.0 and I'd
> like to know if that would be a hardship for anyone.  If you don't know
> what this value is (which in Mailman 2 lives in Defaults.py), then you
> probably won't miss its demise in Mailman 3.
>
> This flag controls whether the Sender: header is considered before the
> From: header for purposes of trying to determine the email address of the
> message's author.  At one time in the distant past, this flag was added
> because it was observed that some MTAs put the RFC 2821 MAIL FROM value
> into this header, and this was considered less spoofable than the From:
> header.  I think these assumptions are outdated and this workaround is
> either unnecessary or hurts more than it helps.
>
> BTW, the default value is No, which tells Mailman to use the From: header
> first.  I propose hardwiring that default value.
>
> Let me know if this would cause you pain.
>
> Barry



-- 
Ian Eiloart
IT Services, University of Sussex
x3148
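
Added example (not part of the thread and not Mailman's own code): a sketch of the header precedence the quoted message describes, shown next to the envelope sender the reply refers to. The function names, the `sender_first` parameter and the sample messages are constructed for illustration, and it assumes the delivering MTA recorded the MAIL FROM value in Return-Path:.

```python
from email import message_from_string
from email.utils import getaddresses

def _first_addr(msg, header):
    """First non-empty address in the named header, lower-cased, or None."""
    for _name, addr in getaddresses(msg.get_all(header, [])):
        if addr:
            return addr.lower()
    return None

def author_address(msg, sender_first=False):
    """Sender: before From: when sender_first, else From: before Sender:."""
    order = ("sender", "from") if sender_first else ("from", "sender")
    for header in order:
        addr = _first_addr(msg, header)
        if addr:
            return addr
    return None

def envelope_sender(msg):
    """MAIL FROM as recorded in Return-Path: by the delivering MTA (assumption)."""
    return _first_addr(msg, "return-path")

# Constructed sample: a delegate posts on behalf of someone else.
DELEGATED = message_from_string(
    "Return-Path: <secretary@example.org>\n"
    "From: Head of Dept <head@example.org>\n"
    "Sender: secretary@example.org\n"
    "Subject: Meeting\n\nbody\n"
)

# Constructed sample: From: names a local address, but the envelope does not.
MISMATCH = message_from_string(
    "Return-Path: <bulk@mailer.example.net>\n"
    "From: head@example.org\n"
    "Subject: Hello\n\nbody\n"
)

def summarize(msg):
    """Author under each header order, plus the envelope sender."""
    return {
        "from_first": author_address(msg, sender_first=False),
        "sender_first": author_address(msg, sender_first=True),
        "envelope": envelope_sender(msg),
    }

if __name__ == "__main__":
    for label, msg in (("delegated", DELEGATED), ("mismatch", MISMATCH)):
        print(label, summarize(msg))
```

Both header orders read values the message author wrote; only the Return-Path: value comes from the SMTP transaction, which is what an SPF check evaluates.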

