[Mailman-Users] Strange problem with password.

Mark Sapiro msapiro at value.net
Mon Jul 10 23:12:26 CEST 2006


Fabiano Breves wrote:
>
>This problem came out of nowhere. Everything was just fine till today. I
>have a large announce-only list and use the 'Approved: password on the first
>line' method to securely send messages to the list. As I said it was working
>just fine, but today, the user responsible for sending the announces (and I),
>had a surprise - the password was revealed throughout the list. I changed the
>password, no one had the time to use it to spam into the list (thank God).
>
>I have a test list with just a few internal users, and tried to replicate
>the problem without much success.
>
>The user is sending the message from an Outlook Express client in Rich Text
>format (HTML). This seemed not to be a problem till now.


This is definitely a problem and always has been. See below. If your
Mailman is 2.1.7 or later, it should be OK, but maybe the poster
upgraded OE or something that changed the message format.


>As I couldn't replicate the problem within the test list I'm afraid that the
>password will be revealed again.
>
>I checked the source code of the messages and noticed there are two texts,
>one in plain text format (without the password) and one in HTML format (with
>the password).



This indicates either one of two things.

If you are using a Mailman version prior to 2.1.7, this has always been
the case. The Approved: line is only found in and removed from the
first text/plain part of the message.

If you are using Mailman 2.1.7 or later, we still look for the
Approved: line in the first text/plain part in the message, but if we
find it, we attempt to remove it from all text parts. This may have
failed. If so, please send me (off list) a copy of the message (as an
attachment so I see it exactly with all headers and MIME structure).
Ideally, in this case, I would like to see the post as received by
Mailman, but if this isn't available, the post from the list will do.


>If I do not use the password the message can't be sent. Did anyone have a
>similar problem?? Does anyone know a better way to securely send
>announce-only messages??


Provide the Approved: line as an actual message header rather than as
the first body line, but that's probably not possible with Outlook
Express. Next best is to post plain text only without any HTML parts.
In this case if the Approved: line isn't found and removed, the post
won't go to the list.

-- 
Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
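
The two behaviours described in the reply above, as an added example (not Mailman's code and not part of the original post): stripping the Approved: line from the first text/plain part only leaves it in the HTML alternative, while stripping it from every text part does not. The sample message, the placeholder password, the function names and the simple HTML pattern are assumptions, and the parts are assumed to be unencoded (no quoted-printable or base64).

```python
import re
from email import message_from_string

# Constructed sample: a multipart/alternative post as an HTML-capable client sends it.
SAMPLE = """\
From: announcer@example.com
Subject: News
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="B"

--B
Content-Type: text/plain

Approved: placeholder-pw
Hello subscribers.
--B
Content-Type: text/html

<html><body><p>Approved: placeholder-pw</p><p>Hello subscribers.</p></body></html>
--B--
"""

APPROVED = re.compile(r"^\s*Approved:\s*(?P<pw>\S+)[ \t]*\r?\n?", re.I)

def strip_first_plain_only(msg):
    """Remove the Approved: line from the first text/plain part; return the password."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            body = part.get_payload()
            m = APPROVED.match(body)
            if m:
                part.set_payload(body[m.end():])
                return m.group("pw")
            return None  # only the first text/plain part is consulted

def strip_all_text_parts(msg):
    """As above, then also remove 'Approved: <pw>' from every other text/* part."""
    pw = strip_first_plain_only(msg)
    if pw:
        # Simplified pattern (assumption): real HTML may put markup between the tokens.
        pat = re.compile(r"Approved:(?:\s|&nbsp;)*" + re.escape(pw), re.I)
        for part in msg.walk():
            if part.get_content_maintype() == "text":
                part.set_payload(pat.sub("", part.get_payload()))
    return pw

def leaking_parts(msg, pw):
    """Content types of text parts that still contain the password."""
    return [p.get_content_type() for p in msg.walk()
            if p.get_content_maintype() == "text" and pw in p.get_payload()]
```

Running `leaking_parts` on the outgoing message before it is delivered is a cheap last check that no text part still carries the password.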



