[Mailman-Users] Non-member posting to the list

Mark Sapiro mark at msapiro.net
Wed Nov 14 02:32:15 CET 2012


Will Yardley wrote:

>On Tue, Nov 13, 2012 at 04:03:32PM -0200, Rodrigo Abrantes Antunes wrote:
>> In my case, I found that the return-path header is the address of the
>> original sender, so how could I add a rule in mailman to deny posts with
>> return-path's address that are not members?
>
>The envelope-sender can also be spoofed trivially.
>
>If you want to prevent someone from sending email as someone who *is*
>approved to post to the list, I think your safest bet is to require
>approval for all posts to the list -- in other words, set the action for
>posts by moderated members allowed to post to 'hold', and have the
>moderate bit set even for users who are allowed to post.


Yes. As indicated in the FAQ I referred to in my original reply, the
safe way to do this is to moderate everyone or otherwise arrange for
all list posts to be held. Then authorized posts can be sent with an
Approved: <password> header or first body line pseudo-header to bypass
the hold. <password> is the list admin password, the moderator
password or, beginning in Mailman 2.1.15, the special list poster
password.

If you are the site admin, you can require that only the envelope
sender (the address reflected in Return-Path:) be recognized in
determining list membership by putting

SENDER_HEADERS = (None,)

in mm_cfg.py. See the documentation for this setting in Defaults.py.

It would probably also be possible to create a regexp for
header_filter_rules that would match only when the Return-Path:
address and the From: address were different and to use that to deal
with such posts. But, that wouldn't handle the case where both From:
and envelope sender were spoofed with the same address.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
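
The following is an added example, not code from the thread or from Mailman itself. It is a simplified Python model of the two mechanisms discussed above: how the SENDER_HEADERS setting decides which addresses count as "the sender" for the membership check (Mailman's default in Defaults.py is ('from', None, 'reply-to', 'sender'), where None stands for the envelope sender in Return-Path:), and how an Approved: header or first-body-line pseudo-header lets a held post through. The member list, passwords and sample messages are constructed for the demonstration; real Mailman compares hashed passwords and strips the Approved: line before delivery, which this model omits.

```python
import email
from email import policy
from email.utils import parseaddr

# Mailman's default (Defaults.py); None means "use the envelope sender".
DEFAULT_SENDER_HEADERS = ('from', None, 'reply-to', 'sender')
# What the thread recommends putting in mm_cfg.py: envelope sender only.
ENVELOPE_ONLY_SENDER_HEADERS = (None,)

# Constructed list configuration (hypothetical values, not from the page).
MEMBERS = {'alice@example.org', 'bob@example.org'}
LIST_PASSWORDS = {'list-admin-secret', 'moderator-secret', 'poster-secret'}


def parse(raw):
    """Parse a raw RFC 5322 message into an EmailMessage."""
    return email.message_from_string(raw, policy=policy.default)


def get_senders(msg, sender_headers=DEFAULT_SENDER_HEADERS):
    """Candidate sender addresses in the order the configured headers are
    consulted; None in sender_headers stands for Return-Path:."""
    senders = []
    for h in sender_headers:
        if h is None:
            addrs = [parseaddr(msg.get('return-path', ''))[1]]
        else:
            addrs = [parseaddr(v)[1] for v in msg.get_all(h, [])]
        senders.extend(a.lower() for a in addrs if a)
    return senders


def is_member_post(msg, members=MEMBERS, sender_headers=DEFAULT_SENDER_HEADERS):
    """True if any recognised sender address belongs to a list member."""
    return any(s in members for s in get_senders(msg, sender_headers))


def approved_password(msg):
    """Return the Approved: password from a real header or, failing that,
    from a pseudo-header on the first non-blank line of the text body."""
    value = msg.get('approved') or msg.get('approve')
    if value is None:
        body = msg.get_body(preferencelist=('plain',))
        if body is not None:
            first = body.get_content().lstrip().split('\n', 1)[0]
            name, sep, rest = first.partition(':')
            if sep and name.strip().lower() in ('approved', 'approve'):
                value = rest
    return value.strip() if value else None


def disposition(msg, members=MEMBERS, sender_headers=DEFAULT_SENDER_HEADERS,
                hold_everyone=True):
    """'accept' or 'hold'. With hold_everyone=True (the thread's advice)
    only a valid Approved: password bypasses the hold; otherwise the
    membership check on the configured sender headers decides."""
    if approved_password(msg) in LIST_PASSWORDS:
        return 'accept'
    if hold_everyone:
        return 'hold'
    return 'accept' if is_member_post(msg, members, sender_headers) else 'hold'


# Constructed sample: From: carries a member address, envelope sender does not.
MISMATCHED = """Return-Path: <someone@example.net>
From: alice@example.org
To: list@example.org
Subject: test

hello
"""

# Constructed sample: a member's post carrying the poster password as a
# pseudo-header on the first body line.
APPROVED_BODY = """Return-Path: <alice@example.org>
From: alice@example.org
To: list@example.org
Subject: real post

Approved: poster-secret
actual content
"""

if __name__ == '__main__':
    m = parse(MISMATCHED)
    print('default headers, member?', is_member_post(m))
    print('envelope only, member?',
          is_member_post(m, sender_headers=ENVELOPE_ONLY_SENDER_HEADERS))
    print('approved post:', disposition(parse(APPROVED_BODY)))
    print('unapproved post:', disposition(m))
```

Running it shows the point of the thread: with the default SENDER_HEADERS the mismatched message passes the membership check on its From: header alone, with (None,) it does not, and with everything held only the Approved: password admits a post regardless of which addresses it carries.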


