Mike Brudenell wrote:
>
>All the documentation I've read and help pages I've managed to locate give 
>no clue of this behaviour.  Instead they strongly imply that by setting the 
>umbrella_list setting to YES that "password reminders" are sent to the 
>list's owners by adding the specified suffix (typically "-owner") to each 
>member's address.
>
>I'm now wondering if this is actually referring only to the "Please remind 
>me of my password" link, not the monthly reminder.  If so then a huge 
>warning needs adding to the FAQ and documentation about umbrella lists 
>advising admins NOT to turn on the monthly reminders for umbrella lists in 
>order to avoid this big security issue.
>
>Or am I missing something/have something misconfigured?


I think you are correct. I think cron/mailpasswds should be fixed. I
don't know how this has been ignored for so long.


In the meantime, I think the following (Warning - totally untested and
watch out for wrapped lines) patch will fix it.

--- mailpasswds 2006-04-15 17:38:24.000000000 -0700
+++ mailpasswdsx        2006-06-01 07:30:07.843750000 -0700
@@ -162,6 +162,8 @@
                 optionsurl = mlist.GetOptionsURL(member)
                 lang = mlist.getMemberLanguage(member)
                 info = (listaddr, password, optionsurl, lang)
+                if mlist.umbrella_list:
+                    member = mlist.GetMemberAdminEmail(member).lower()
                 userinfo.setdefault(member, []).append(info)
         # Now that we've collected user information for this host,
send each
         # user the password reminder.
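
Review bot: the two added lines rebind the loop variable `member` to the admin address, so any code later in the loop body that reads `member` would see the rewritten "-owner" address instead of the subscribed one. Binding the result to a separate name and using that as the key in `userinfo.setdefault(...)` would keep the two apart. The placement after `info = (...)` looks right, since `optionsurl` and `lang` are looked up with the real member address before the rewrite. Separately, the trailing context comment is wrapped onto a second line ("send each" has no leading space), so the hunk will not apply as posted until that line is rejoined.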

-- 
Mark Sapiro <[EMAIL PROTECTED]>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
