Barry Warsaw wrote:

>Does anybody set USE_ENVELOPE_SENDER to Yes these days?

There are potential issues with this with umbrella lists. Perhaps Mailman 3 will handle these differently, but here is the issue.

There are two message methods, get_sender() and get_senders(). USE_ENVELOPE_SENDER only affects get_sender(). With USE_ENVELOPE_SENDER false, get_sender() returns the first address found in From:, Sender: and unixfrom (envelope sender). With USE_ENVELOPE_SENDER true, the order is Sender:, From: and unixfrom, so it doesn't even really do what it claims.

get_senders() returns a list of addresses found in those headers defined in SENDER_HEADERS. The default searches From:, unixfrom, Reply-To: and Sender: in that order and returns all addresses found.

The Moderate handler first checks the get_senders() list to see if any address is a list member. The first hit determines whether the post is from a moderated member. If there are no hits, Moderate goes on to search *_these_nonmembers for the one address returned by get_sender().

The potential issue is if you want posts to the umbrella list to be accepted by the child lists without being held, one technique is to put the umbrella's listname-bounces address in accept_these_nonmembers of the children, and this requires USE_ENVELOPE_SENDER to be true in order to work.

There are other ways to accomplish this that don't require USE_ENVELOPE_SENDER. E.g. subscribing the umbrella's listname-bounces address to the child lists with delivery (and password reminders) disabled; using appropriate @listname entries in accept_these_nonmembers, or making the umbrella anonymous and putting the umbrella's posting address in the children's accept_these_nonmembers.

Some of this is in the FAQ at <http://wiki.list.org/x/boA9>.

>I'm considering removing the equivalent of this from Mailman 3.0 and
>I'd like to know if that would be a hardship for anyone. If you don't
>know what this value is (which in Mailman 2 lives in Defaults.py),
>then you probably won't miss its demise in Mailman 3.
>
>This flag controls whether the Sender: header is considered before the
>From: header for purposes of trying to determine the email address of
>the message's author. At one time in the distant past, this flag was
>added because it was observed that some MTAs put the RFC 2821 MAIL
>FROM value into this header, and this was considered less spoofable
>than the From: header. I think these assumptions are outdated and
>this workaround is either unnecessary or hurts more than it helps.

I agree that the use of USE_ENVELOPE_SENDER as an anti-spoof is outdated, particularly because it doesn't even come into play for the member/nonmember decision.

>BTW, the default value is No, which tells Mailman to use the From:
>header first. I propose hardwiring that default value.
>
>Let me know if this would cause you pain.

I think it will impact some users with umbrella lists depending on how (or if) umbrella lists are handled in Mailman 3.

-- 
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
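
The lookup order described in the message above, modelled as an added example (not Mailman's source code and not part of the original message). The addresses, the sample message and the function bodies are constructed; only accept_these_nonmembers is modelled, and a fall-through is reported as generic_nonmember_action.

```python
# Simplified model of the lookups described above; not Mailman source code.
# Addresses and the sample message are constructed for illustration.
from email import message_from_string
from email.utils import getaddresses, parseaddr

SENDER_HEADERS = ("from", None, "reply-to", "sender")  # None = unixfrom

RAW = """From umbrella-bounces@example.com Sat Jan  1 00:00:00 2011
From: Author <author@example.org>
Sender: umbrella-bounces@example.com
To: umbrella@example.com
Subject: constructed sample

body
"""

def sample_message():
    return message_from_string(RAW)

def envelope_sender(msg):
    parts = (msg.get_unixfrom() or "").split()
    return parts[1].lower() if len(parts) > 1 else ""

def get_sender(msg, use_envelope_sender):
    # The flag only swaps Sender: and From:; unixfrom is always last.
    order = ("sender", "from") if use_envelope_sender else ("from", "sender")
    for name in order:
        addr = parseaddr(msg.get(name, ""))[1].lower()
        if addr:
            return addr
    return envelope_sender(msg)

def get_senders(msg):
    found = []
    for name in SENDER_HEADERS:
        if name is None:
            found.append(envelope_sender(msg))
        else:
            found.extend(a.lower() for _, a in getaddresses(msg.get_all(name, [])))
    return [a for a in found if a]

def moderate(msg, members, accept_these_nonmembers, use_envelope_sender):
    for addr in get_senders(msg):      # membership check ignores the flag
        if addr in members:
            return "member:" + addr
    if get_sender(msg, use_envelope_sender) in accept_these_nonmembers:
        return "accept"
    return "generic_nonmember_action"
```

With the umbrella's -bounces address in accept_these_nonmembers, the sample is accepted only when use_envelope_sender is true; subscribing that address to the child instead matches in the membership pass regardless of the flag.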