[Mailman-Users] Strange problem with password.

Fabiano Breves fabiano.breves at gmail.com
Tue Jul 11 19:23:31 CEST 2006


On 7/10/06, Mark Sapiro <msapiro at value.net> wrote:

> Fabiano Breves wrote:
> >
> >This problem came out of nowhere. Everything was just fine till today. I
> >have a large announce-only list and use the 'Approved: password on the first
> >line' method to securely send messages to the list. As I said it was working
> >just fine, but today, the user responsible for sending the announces (and I),
> >had a surprise - the password was revealed throughout the list. I changed the
> >password, no one had the time to use it to spam into the list (thank God).
> >
> >I have a test list with just a few internal users, and tried to replicate
> >the problem without much success.
> >
> >The user is sending the message from an Outlook Express client in Rich Text
> >format (HTML). This seemed not to be a problem till now.
>
>
> This is definitely a problem and always has been. See below. If your
> Mailman is 2.1.7 or later, it should be OK, but maybe the poster
> upgraded OE or something that changed the message format.


Sorry I did not tell you what version (2.1.8rc1) we are using. After a little
more digging I think the problem is the Outlook Express but I need more
time to be sure and I'm not in the office right now.



> >As I couldn't replicate the problem within the test list I'm afraid that the
> >password will be revealed again.
> >
> >I checked the source code of the messages and noticed there are two texts,
> >one in plain text format (without the password) and one in HTML format (with
> >the password).
>
>
>
> This indicates either one of two things.
>
> If you are using a Mailman version prior to 2.1.7, this has always been
> the case. The Approved: line is only found in and removed from the
> first text/plain part of the message.


As I'm in 2.1.8rc1 I think we don't need to worry about this first one.



> If you are using Mailman 2.1.7 or later, we still look for the
> Approved: line in the first text/plain part in the message, but if we
> find it, we attempt to remove it from all text parts. This may have
> failed. If so, please send me (off list) a copy of the message (as an
> attachment so I see it exactly with all headers and MIME structure).
> Ideally, in this case, I would like to see the post as received by
> Mailman, but if this isn't available, the post from the list will do.


As soon as I get to the office (probably tomorrow) I'll send the message to
your e-mail.



> >If I do not use the password the message can't be sent. Did anyone have a
> >similar problem ?? Does anyone know a better way to securely send
> >announce-only messages ??
>
>
> Provide the Approved: line as an actual message header rather than as
> the first body line, but that's probably not possible with Outlook
> Express. Next best is to post plain text only without any HTML parts.
> In this case if the Approved: line isn't found and removed, the post
> won't go to the list.


We have a web application that can send mail to lists. Maybe I can change
the way the poster sends the announce message. The application is based on
ASP language. What header should I use and how do I use it? Sending msgs with
this method seems to be the solution because I can take out the responsibility
of putting the password of the poster.

Thanks for your help.


> --
> Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
>
>


-- 
Fabiano de Carvalho Breves
fabiano.breves at gmail.com
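
Added example, not part of the original thread and not Mailman's own code: a Python sketch of why the first-body-line method can leak the password in the HTML alternative while a real Approved: header cannot. `strip_first_plain_only` is a simplified model of the pre-2.1.7 handling described in the quoted reply, and it assumes the list software drops the Approved: header before delivery; all function names, addresses and the password are constructed.

```python
import re
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

APPROVED = re.compile(r"Approved:\s*\S+", re.IGNORECASE)

def build_post(password, as_header):
    """Constructed sample post: multipart/alternative with plain and HTML parts."""
    msg = MIMEMultipart("alternative")
    msg["From"] = "poster@example.com"       # constructed addresses
    msg["To"] = "announce@example.com"
    msg["Subject"] = "Announcement"
    line = "Approved: " + password
    if as_header:
        msg["Approved"] = password           # real header, nothing in the body
        plain, html = "Hello list\n", "<p>Hello list</p>"
    else:
        plain = line + "\nHello list\n"      # 'first body line' method
        html = "<p>" + line + "</p><p>Hello list</p>"
    msg.attach(MIMEText(plain, "plain"))
    msg.attach(MIMEText(html, "html"))
    return msg

def text_of(part):
    """Decoded text of one MIME part."""
    return part.get_payload(decode=True).decode(part.get_content_charset() or "ascii")

def strip_first_plain_only(msg):
    """Simplified model (assumption): drop the header, clean only the first text/plain part."""
    del msg["Approved"]                      # no error if the header is absent
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            lines = text_of(part).splitlines(True)
            if lines and APPROVED.match(lines[0]):
                part.set_payload("".join(lines[1:]))
            break                            # later text parts are never examined
    return msg

def leaking_parts(msg):
    """Where the Approved: value is still visible: 'header' and/or text part types."""
    found = ["header"] if msg["Approved"] else []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and APPROVED.search(text_of(part)):
            found.append(part.get_content_type())
    return found
```

Running `leaking_parts` on a copy of the outgoing post before it leaves the sending application shows which parts would still expose the password if only the first text/plain part were cleaned.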


