[Mailman-Users] Siblings list usage ?

Mark Sapiro mark at msapiro.net
Sun Sep 25 11:10:44 EDT 2016


On 09/25/2016 02:32 AM, Julian H. Stacey wrote:
> 
> On mailman list configs, On event-announce@ I asserted default
> moderated bit on all new & existing members of event-announce@, &
> removed moderated bit on individual organisers.


This is not a secure way to restrict posts to event-announce because
anyone can post by spoofing the address of an unmoderated member whose
address is known by virtue of having posted to the list. See the
sections "How to restrict the list so only authorized persons can post:"
and "How to post to the announcement list:" at
<https://wiki.list.org/x/4030685>.

However, this may not be viable in your case depending on the logistics
of distributing the list's poster password to the authorized posters.


> My main problem:
>   No one on event-announce@ can now respond to event-org@ with 
>  "Count me in for event! / Who is organiser next week? etc"


Add '@event-announce' to accept_these_nonmembers of the event-org list.
This will allow anyone who is a member of event-announce, and not a
member of event-org to post to event-org without moderation. This will
not affect event-org posts from a member of event-org.


> My lesser problem:
>   When someone joins event-org@ I have to manually remove moderator
>   bit from their personal membership entry in event-announce@ (&
>   re-assert if they leave).


You could add @event-org to accept_these_nonmembers of the
event-announce list. This would allow any member of event-org to post to
event-announce, but it is subject to the same spoofing vulnerability as
noted for 'un-moderation', and members of event-org who are not members
of event-announce won't receive event-announce posts.


> Are Sibling lists a solution? How please ?, I've never used them yet.


Sibling lists may help some of this. If you add event-org at ... to
regular_include_lists of event-announce that will solve the potential
issue of event-org members who are not members of event-announce not
receiving event-announce posts.

So, there are choices depending on whether or not you are concerned
about unauthorized posts to event-announce by spoofing authorized senders.

If you aren't concerned:
Add '@event-announce' to accept_these_nonmembers of event-org.
Add '@event-org' to accept_these_nonmembers of event-announce.
Add event-org at ... to regular_include_lists of event-announce.
Ensure that anyone who is a member of both event-announce and event-org
is not moderated on event-announce or posts to event-announce with an
Approved: <password> header. Easiest is to ensure members of event-org
aren't members of event-announce.

If you are concerned:
Add '@event-announce' to accept_these_nonmembers of event-org.
Do not add '@event-org' to accept_these_nonmembers of event-announce.
Moderate everyone on event-announce and authorized posters can post to
event-announce with an Approved: <password> header, instructions for
which can be posted to the event-org list if its archives are private.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
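
Added example, not part of the original message and not Mailman's own code: a simplified Python model of the accept/hold decision for the two option sets described above, showing that every check except the Approved: password relies on the From: header. The dict layout, addresses, password and the assumption that unmatched nonmembers are held are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def make_lists(hardened):
    """Constructed settings; option names are from the post, layout is assumed."""
    return {
        "event-org": {
            "members": {"org1@example.org": False},  # address -> moderated?
            "accept_these_nonmembers": ["@event-announce"],
            "password": None,
        },
        "event-announce": {
            "members": {"fan@example.net": True, "org1@example.org": hardened},
            "accept_these_nonmembers": [] if hardened else ["@event-org"],
            "password": "constructed-poster-pw",
        },
    }

def disposition(raw, listname, lists):
    """Return 'accept' or 'hold' for a raw message posted to listname."""
    lst = lists[listname]
    msg = message_from_string(raw)
    # An Approved: header carrying the list's poster password bypasses holds.
    approved = msg.get("Approved")
    if approved and lst["password"] and approved.strip() == lst["password"]:
        return "accept"
    # Everything below trusts the From: header, which the sender controls.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in lst["members"]:
        # Membership is checked first, so a moderated member is held even
        # when an @list entry in accept_these_nonmembers would match.
        return "hold" if lst["members"][sender] else "accept"
    for entry in lst["accept_these_nonmembers"]:
        if entry.startswith("@"):
            if sender in lists[entry[1:]]["members"]:
                return "accept"
        elif sender == entry.lower():
            return "accept"
    return "hold"  # assumed action for nonmembers that match nothing

# Constructed messages. Nothing in FROM_ORGANISER proves who wrote it.
FROM_ORGANISER = "From: Org One <org1@example.org>\nSubject: Meetup\n\nSee you there\n"
WITH_PASSWORD = "Approved: constructed-poster-pw\n" + FROM_ORGANISER
FROM_FAN = "From: fan@example.net\nSubject: Re: Meetup\n\nCount me in\n"

if __name__ == "__main__":
    for hardened in (False, True):
        lists = make_lists(hardened)
        print(hardened, disposition(FROM_ORGANISER, "event-announce", lists),
              disposition(WITH_PASSWORD, "event-announce", lists),
              disposition(FROM_FAN, "event-org", lists))
```
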

