[Mailman-Users] Replies from non-members getting posted to list set to allow posts by subscribers only

Anthony R. Thompson athomps at adf.org
Tue Jun 22 22:25:03 CEST 2010


On 6/22/2010 10:04 AM, Mark Sapiro wrote:
> As I implied but didn't explicitly state in my initial response in this
> thread
> <http://mail.python.org/pipermail/mailman-users/2010-June/069770.html>,
> the places in an incoming message that are checked for a member
> address to determine if a post is from a member are controlled by the
> Defaults.py/mm_cfg.py setting SENDER_HEADERS. The default setting
> checks the following in order:
> - the From: header,
> - the envelope sender,
> - the Reply-To: header and
> - the Sender: header.

Mark, you are correct, I apologize for not understanding what you had 
written in the first place.  I read Stephen's reply, read yours, then 
re-read Stephen's and only on that second re-reading did I realize that 
I had set the Reply-To on that account.

> If you have write access to mm_cfg.py, you can set SENDER_HEADERS to a
> list which doesn't include Reply-To (see the documentation in
> Defaults.py)

I do have write access, but will have to do some thinking about whether 
I want to deviate from the standard configuration.

I've often found that things are set "that way" for a reason, and I 
usually don't "know better" than the folks who determined the default 
installation settings :)

If someone were ever to use the Reply-To header to actually send 
something to a private list of ours, I'd probably revisit the decision, 
but for right now I think I'll leave it.

> but as Stephen said, it is almost as easy to spoof the
> From: or even the envelope sender as it is to set the Reply-To:.

Yes, you (and Stephen) are right.  I've even done that myself, 
telnetting to the local SMTP server etc.

That's become a little more difficult recently, with many open relays 
being gone, so I guess I felt it was harder for many people to casually 
spoof the From address than the Reply-To.  But you're right, either is 
hackable.

thanks again,
Anthony
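An added illustration (not Mailman's own code, and not part of this thread) of the SENDER_HEADERS check Mark describes: the same non-member message, with a subscriber's address only in Reply-To, is judged under the default header order and then under an mm_cfg.py override that drops Reply-To. It assumes the Mailman 2.1 convention of a tuple of header names in which None stands for the envelope sender; the member list, addresses and message are constructed.

```python
# Model of Mailman's SENDER_HEADERS membership check (illustration, not Mailman code).
# Assumed convention from Defaults.py: a tuple of lower-cased header names, with None
# standing for the envelope sender (SMTP MAIL FROM / Unix-From).
import email
from email.utils import getaddresses

# Default order as described in the thread: From, envelope sender, Reply-To, Sender.
DEFAULT_SENDER_HEADERS = ('from', None, 'reply-to', 'sender')
# Override for mm_cfg.py: same order, but Reply-To is no longer consulted.
STRICT_SENDER_HEADERS = ('from', None, 'sender')


def candidate_senders(raw_message, envelope_sender, sender_headers):
    """Yield lower-cased addresses in the order Mailman would check them."""
    msg = email.message_from_string(raw_message)
    for name in sender_headers:
        if name is None:
            if envelope_sender:
                yield envelope_sender.lower()
            continue
        for _display, addr in getaddresses(msg.get_all(name, [])):
            if addr:
                yield addr.lower()


def is_member_post(raw_message, envelope_sender, members, sender_headers):
    """True if any address in the checked headers belongs to a subscriber."""
    members = {m.lower() for m in members}
    return any(addr in members
               for addr in candidate_senders(raw_message, envelope_sender, sender_headers))


# Constructed sample: an outside address replying to a private list with a Reply-To
# set to a subscriber's address, the situation discussed in the thread.
MEMBERS = ['anthony@example.org']
SAMPLE_MESSAGE = """From: Outsider <someone@example.net>
Reply-To: anthony@example.org
To: private-list@example.org
Subject: Re: meeting

Reply text.
"""


def decisions():
    """Return (accepted under defaults, accepted with Reply-To excluded)."""
    default = is_member_post(SAMPLE_MESSAGE, 'someone@example.net', MEMBERS, DEFAULT_SENDER_HEADERS)
    strict = is_member_post(SAMPLE_MESSAGE, 'someone@example.net', MEMBERS, STRICT_SENDER_HEADERS)
    return default, strict  # (True, False): treated as a member post only while Reply-To is checked


if __name__ == '__main__':
    print(decisions())
```

With the default tuple the post passes as a member post on the strength of Reply-To alone; with the override it falls through to the list's non-member handling.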

