[Mailman-Users] Blocking messages from kijiji (SENDER_HEADERS solution interferes with logging?)

Thu Oct 27 16:22:56 CEST 2011

On Thu, Oct 27, 2011 at 10:07 AM, francis picabia <fpicabia at gmail.com> wrote:
> On Thu, Oct 27, 2011 at 9:54 AM, francis picabia <fpicabia at gmail.com> wrote:
>> On Thu, Oct 27, 2011 at 9:37 AM, francis picabia <fpicabia at gmail.com> wrote:
>>> Hello,
>>>
>>> We run a mailing list for staff which should not
>>> receive email from outside of the list membership.
>>>
>>> The only non-member address allowed to post is
>>> another mailing list.
>>>
>>> Today we received a post from post at kijiji.ca
>>> and it made it through to the list.
>>>
>>> I see this in the post log file:
>>>
>>> Oct 26 18:21:41 2011 (2999) post to fyi from post at kijiji.ca,
>>> size=5293, message-id=<1190302152.2079281319664066415.JavaMail.root at kj-classy012>,
>>> success
>>>
>>> We've tested this with a second small membership and restricted
>>> mailing list for our IT staff, and again a post from kijiji gets through.
>>>
>>> If we email from a gmail account or something, it is blocked as expected.
>>>
>>> In kijiji interface, they allow you to set up the sender, and this is
>>> likely passing the test for the sender, but it is only
>>> the sender in the envelope, which isn't reported in mailman
>>> (nor Postfix in what I saw).
>>>
>>> We've been running the same mailman 2.1.9 from Redhat for
>>> a few years and there has never been a problem like this before.
>>>
>>> I think we would prefer if both the sender From: and the envelope
>>> sender had to match, or had to both be allowed to post.
>>>
>>> Adding the post at kijiji.ca address to the rejected senders did not block them,
>>> which isn't surprising as it is looking at the other subscribed sender.
>>>
>>> Anyone else have experiences with that or suggested approaches?
>>>
>>
>> I looked at older postings in this mailing list and it appears this is
>> a solution:
>>
>> Quoting Mark Sapiro:
>>
>>> If this is your Mailman installation, you could try putting
>>>
>>> SENDER_HEADERS = (None,)
>>>
>>> in mm_cfg.py. This would say that the post is considered to be from a
>>> member only if the envelope sender is a member."
>>
>> I'll try this.
>>
>
> On second thought what we needed is similar, but probably:
>
> SENDER_HEADERS = ('from')
>
> Would there be problems "from" this?
>
> For internal emails we already use canonical_maps in
> postfix to standardize the from address into something
> predictable.
>

This works, but of course it has caught someone using another
unconventional list
with a problem of the sort: "but it always worked this way before".

I check out the /var/log/maillog area for signs the user
is caught by this change, but oddly, nothing is
appearing in the logs.  It appears than restricting
the SENDER_HEADERS this way causes no logging
on the mailman end.  Is there a way to fix this?