Mark Sapiro writes:
 > On 5/22/22 00:17, Jayson Smith wrote:

 > > I run a Mailman 2 list for an organization of writers with disabilities. 
 > > Recently our president has become concerned that some people wanting to 
 > > join the group may not be responding to the standard Mailman 
 > > subscription confirmation message

@Jayson Is this especially a problem for people with disabilities, as
compared to new subscribers in general?

In fact, I expect the answer is "no".  But I think it's worth trying
to improve this in Mailman 3 for the general population, too, and if
we can improve this in a more accessible way I would like to be aware
of it.

 > By default, confirmation requests are sent with From: and Subject: like
 > ```
 > From: listname-requ...@example.com
 > Subject: confirm+the_hex_token
 > ```
 > If you, or the installation sets
 > ```
 > VERP_CONFIRMATIONS = Yes
 > ```
 > in mm_cfg.py, they will be sent like
 > ```
 > From: listname-confirm+the_hex_token
 > ```

@Mark This is "From: listname-confirm+the_hex_to...@example.com",
right?  I'm not sure that's much better, especially in Jayson's
situation where the email address and the organization are hard to
associate with each other.

 > Not really. Person C can still send email to person B spoofing person A. 
 > In your scenario, upon receiving email allegedly from person A, person B 
 > would need to respond to person A asking for confirmation and receive 
 > confirmation from person A before adding person A to the list.

Note that the point of this multipart handshake is that email itself
is insecure; it is rather easy to fake authorship of an email message
well enough to get past someone who is not well-versed in email
arcana.  It is much harder to fake the ability to read from a mailbox.

So it's really not possible to omit the "send token" and "receive
confirmation" steps if you want to be sure the person who requests a
subscription has the right to request people send stuff to the
mailbox.

Steve
------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
    https://mail.python.org/archives/list/mailman-users@python.org/
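
The two steps discussed in this message ("send token" and "receive confirmation"), as an added sketch that is not Mailman's code and not part of the original thread. The class, the token length and the three-day lifetime are assumptions made for illustration; only the `confirm+token` Subject form comes from the quoted text.

```python
import hmac
import secrets
import time

TOKEN_TTL = 3 * 24 * 3600  # assumption: pending requests live three days


class PendingSubscriptions:
    """Hypothetical store of unconfirmed requests, keyed by one-time token."""

    def __init__(self, clock=time.time):
        self._pending = {}  # token -> (address, expiry)
        self._clock = clock
        self.members = set()

    def request(self, claimed_from):
        """Send token to the claimed mailbox only, never to the submitter."""
        token = secrets.token_hex(20)
        expiry = self._clock() + TOKEN_TTL
        self._pending[token] = (claimed_from.lower(), expiry)
        return {"To": claimed_from, "Subject": "confirm+" + token}

    def confirm(self, subject):
        """Accept only a live, unused token; the reply's From: is ignored."""
        if "confirm+" not in subject:
            return None
        presented = subject.rsplit("confirm+", 1)[1].strip().encode()
        for token, (address, expiry) in list(self._pending.items()):
            if hmac.compare_digest(token.encode(), presented):
                del self._pending[token]  # single use, even when expired
                if self._clock() > expiry:
                    return None
                self.members.add(address)
                return address
        return None


def demo():
    subs = PendingSubscriptions()
    sent = subs.request("a@example.org")  # constructed: C claims to be A
    guess = subs.confirm("Re: confirm+" + "0" * 40)  # C cannot read A's mail
    real = subs.confirm("Re: " + sent["Subject"])  # A replies from the inbox
    replay = subs.confirm("Re: " + sent["Subject"])  # token already spent
    return guess, real, replay
```

Membership is granted on possession of the token alone, which is why a request with a forged From: header goes no further than an unanswered message in the real owner's mailbox.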
