[Mailman-Users] Replies from non-members getting posted to list set to allow posts by subscribers only
Anthony R. Thompson
athomps at adf.org
Tue Jun 22 22:25:03 CEST 2010
On 6/22/2010 10:04 AM, Mark Sapiro wrote:
> As I implied but didn't explicitly state in my initial response in this
> thread
> <http://mail.python.org/pipermail/mailman-users/2010-June/069770.html>,
> the places in an incoming message that are checked for a member
> address to determine if a post is from a member are controlled by the
> Defaults.py/mm_cfg.py setting SENDER_HEADERS. The default setting
> checks the following in order:
> - the From: header,
> - the envelope sender,
> - the Reply-To: header and
> - the Sender: header.
Mark, you are correct, I apologize for not understanding what you had
written in the first place. I read Stephen's reply, read yours, then
re-read Stephen's and only on that second re-reading did I realize that
I had set the Reply-To on that account.
> If you have write access to mm_cfg.py, you can set SENDER_HEADERS to a
> list which doesn't include Reply-To (see the documentation in
> Defaults.py)
I do have write access, but will have to do some thinking about whether
I want to deviate from the standard configuration.
I've often found that things are set "that way" for a reason, and I
usually don't "know better" than the folks who determined the default
installation settings :)
If someone were ever to use the Reply-To header to actually send
something to a private list of ours, I'd probably revisit the decision,
but for right now I think I'll leave it.
> but as Stephen said, it is almost as easy to spoof the
> From: or even the envelope sender as it is to set the Reply-To:.
Yes, you (and Stephen) are right. I've even done that myself,
telnetting to the local SMTP server etc.
That's become a little more difficult recently, with many open relays
being gone, so I guess I felt it was harder for many people to casually
spoof the From address than the Reply-To. But you're right, either is
hackable.
thanks again,
Anthony
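
As an added illustration (not part of the original message and not Mailman's own code), this simplified Python model shows how the header list described in the quoted text decides whether a post is treated as coming from a member. The function names, addresses and roster are assumptions made for the example; `None` stands for the envelope sender.

```python
# Added illustration: a simplified model of the check, not Mailman's own code.
from email import message_from_string
from email.utils import getaddresses

# Header order described in the thread; None stands for the envelope sender.
DEFAULT_SENDER_HEADERS = ('from', None, 'reply-to', 'sender')
# Variant with Reply-To removed, as suggested in the quoted reply.
STRICT_SENDER_HEADERS = ('from', None, 'sender')

MEMBERS = {'member@example.org'}  # constructed membership roster


def candidate_senders(msg, envelope_sender, sender_headers):
    """Return lowercased addresses from each configured source, in order."""
    found = []
    for name in sender_headers:
        if name is None:
            values = [envelope_sender] if envelope_sender else []
        else:
            values = msg.get_all(name, [])
        for _realname, addr in getaddresses(values):
            addr = addr.lower()
            if addr and addr not in found:
                found.append(addr)
    return found


def matched_member(msg, envelope_sender, sender_headers, members=MEMBERS):
    """Return the first candidate address that is a member, or None."""
    for addr in candidate_senders(msg, envelope_sender, sender_headers):
        if addr in members:
            return addr
    return None


# Constructed message: a non-member account whose Reply-To is a member address.
RAW = (
    "From: Outsider <outsider@example.net>\n"
    "Reply-To: member@example.org\n"
    "To: private-list@example.org\n"
    "Subject: Re: list topic\n"
    "\n"
    "body\n"
)
MSG = message_from_string(RAW)
ENVELOPE = 'outsider@example.net'  # constructed envelope sender

if __name__ == '__main__':
    print('default:', matched_member(MSG, ENVELOPE, DEFAULT_SENDER_HEADERS))
    print('strict: ', matched_member(MSG, ENVELOPE, STRICT_SENDER_HEADERS))
```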