Hien HUYNH HUU writes:
> Hi Stephen,
> I can't do that because maybe the sender is on another MTA and the mailman
> server can't force them to do an authentication.
> Is this a weak point of Mailman?
No, this is a weak point of your MTA. The MTA has all the information needed, and in principle can force an authentication. Mailman only knows what the MTA tells it.

Specifically, the SMTP protocol goes:

    HELO       # the sender MTA identifies itself
    MAIL FROM  # the sender MTA identifies the sender mailbox
    RCPT TO    # the sender MTA identifies the recipients
    DATA       # the sender MTA sends the message text including
               # header fields
    QUIT       # the sender MTA hangs up, session over

Now, the receiver MTA prepends some so-called "trace header" fields, which usually contain the HELO, MAIL FROM, and RCPT TO information in some form, as well as timestamps and queue IDs. It may also transform the Content-Transfer-Encoding of the body (eg, from BASE64 to 8bit or vice versa). *Otherwise it hands Mailman exactly the same DATA that it got.* That DATA could be the truth, it could be a lie, it could be complete garbage. The MTA doesn't care, and Mailman has no way to check.

It's true, as Barry says, that you could use signed messages to authenticate, but this is not as good, for three reasons:

(1) Mailman as distributed doesn't implement this yet.

(2) 3rd party patches are available but they have not been extensively tested. TLS facilities of MTAs are in widespread use and have been thoroughly tested.

(3) Having Mailman do the authentication means accepting the mail at the MTA. This opens you up to the annoyance of spam and the danger of a denial-of-service attack (either on your bandwidth or on your disk space).

If you really want Mailman to do the authentication, you can either use the Approved header field, which is not very secure, or you can use the 3rd-party patch to use public-key signatures which somebody else mentioned. I'm pretty sure that should work OK because the theory is straightforward, but haven't reviewed it or used it myself, YMMV.
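To make the point about the SMTP session and trace headers concrete, here is an added example (not from the reply above or from Mailman itself) in Python: a toy receiver MTA walks the HELO / MAIL FROM / RCPT TO / DATA / QUIT sequence, prepends a simplified Received trace header, and hands the DATA through unchanged, so the header From: inside DATA can disagree with the envelope MAIL FROM without Mailman being able to tell. The session, hostnames and queue id are constructed; the mismatch check stands in for the kind of envelope-vs-header comparison only the MTA side is positioned to make.

```python
import email
import email.utils

# Constructed SMTP session: what the sending MTA says on the wire.
# Note the header From: in DATA does not match the envelope MAIL FROM.
SESSION = [
    "HELO mx.example.org",
    "MAIL FROM:<real-sender@example.org>",
    "RCPT TO:<mylist@lists.example.com>",
    "DATA",
    "From: member@lists.example.com\r\nSubject: hello\r\n\r\nbody text\r\n",
    "QUIT",
]

def receive(session, receiver="lists.example.com", queue_id="QID0001"):
    """Return (envelope, raw_message) as a receiver MTA would hand them on.

    The envelope is built from HELO / MAIL FROM / RCPT TO; the message is the
    DATA exactly as sent, with one (simplified, constructed) Received header
    prepended. The body is not touched at all.
    """
    env = {"helo": None, "mail_from": None, "rcpt_to": [], "data": None}
    it = iter(session)
    for line in it:
        verb, _, arg = line.partition(" ")
        if verb == "HELO":
            env["helo"] = arg
        elif verb == "MAIL":
            env["mail_from"] = arg.split(":", 1)[1].strip("<>")
        elif verb == "RCPT":
            env["rcpt_to"].append(arg.split(":", 1)[1].strip("<>"))
        elif verb == "DATA":
            env["data"] = next(it)  # message text, passed through verbatim
        elif verb == "QUIT":
            break
    received = (f"Received: from {env['helo']} by {receiver} with SMTP id "
                f"{queue_id} for <{env['rcpt_to'][0]}>; "
                f"envelope-from <{env['mail_from']}>\r\n")
    return env, received + env["data"]

def envelope_header_mismatch(env, raw):
    """True when the header From: address differs from the envelope MAIL FROM.

    The MTA has both values; Mailman only sees the raw message, so it must
    trust whatever the trace header (or nothing) says about the envelope.
    """
    msg = email.message_from_string(raw)
    hdr_from = email.utils.parseaddr(msg["From"])[1]
    return hdr_from.lower() != env["mail_from"].lower()
```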
------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/