On 6/22/2010 10:04 AM, Mark Sapiro wrote:
> As I implied but didn't explicitly state in my initial response in this thread <http://mail.python.org/pipermail/mailman-users/2010-June/069770.html>, the places in an incoming message that are checked for a member address to determine if a post is from a member are controlled by the Defaults.py/mm_cfg.py setting SENDER_HEADERS. The default setting checks the following in order:
> - the From: header,
> - the envelope sender,
> - the Reply-To: header and
> - the Sender: header.
Mark, you are correct, I apologize for not understanding what you had written in the first place. I read Stephen's reply, read yours, then re-read Stephen's and only on that second re-reading did I realize that I had set the Reply-To on that account.
> If you have write access to mm_cfg.py, you can set SENDER_HEADERS to a list which doesn't include Reply-To (see the documentation in Defaults.py)
I do have write access, but will have to do some thinking about whether I want to deviate from the standard configuration.
I've often found that things are set "that way" for a reason, and I usually don't "know better" than the folks who determined the default installation settings :)
If someone were ever to use the Reply-To header to actually send something to a private list of ours, I'd probably revisit the decision, but for right now I think I'll leave it.
> But as Stephen said, it is almost as easy to spoof the From: or even the envelope sender as it is to set the Reply-To:.
Yes, you (and Stephen) are right. I've even done that myself, telnetting to the local SMTP server etc.
That's become a little more difficult recently, with many open relays being gone, so I guess I felt it was harder for many people to casually spoof the From address than the Reply-To. But you're right, either is hackable.
thanks again,
Anthony

------------------------------------------------------
Mailman-Users mailing list
[email protected]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
