Re: [Mailman-Users] mailman problem after 2.1.5 - 2.1.7 update
At 19:06 +0100 on 26.01.2006, Brad Knowles wrote:
> At 6:46 PM +0100 2006-01-26, Hauke Fath wrote:
>> I haven't found a way of tweaking this and assume that the list URLs are made up dynamically by the cgi script (rather, binary). Does anybody else see this? Any pointers?
> The URLs are probably messed up in your mm_cfg.py (mailman configuration) file. Try posting the contents of that file.

[...]

    ###
    # Here's where we get the distributed defaults.
    from Defaults import *
    ##
    # Put YOUR site-specific settings below this line.
    # IMPORTANT: Edit the following two definitions to provide the domain
    # name of your mail lists, and host name of the Web server.
    # (Leave the add_virtualhost line alone.)
    #
    DEFAULT_EMAIL_HOST = 'spg.tu-darmstadt.de'
    DEFAULT_URL_HOST = 'www.spg.tu-darmstadt.de'
    add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST)
    DEFAULT_URL_PATTERN = 'https://%s/mailman/'
    PUBLIC_ARCHIVE_URL = 'https://%(hostname)s/pipermail/%(listname)s'

-- note that the file was not changed since before the update:

    [EMAIL PROTECTED] /3mailman/Mailman ls -l mm_cfg.py
    -rw-rw-r-- 1 root mailman 2088 Oct 8 2004 mm_cfg.py

hauke

--
/~\  The ASCII Ribbon Campaign                       Hauke Fath
\ /    No HTML/RTF in email     Institut für Nachrichtentechnik
 X     No Word docs in email                       TU Darmstadt
/ \  Respect for open standards            Ruf +49-6151-16-3281

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
Re: [Mailman-Users] any info on this reported exploit?
At 9:05 PM -0500 2006-01-26, Jim Popovitch wrote:
>> Fortunately, in this case it is a known issue (which others have apparently decided to portray in a very different way), and which has already been addressed (as described by Tokio).
> OK, but what about the next one? What do Mailman system admins do, wait?

Unless you have the Python coding skills necessary to find such bugs, then I don't see that you (or I) have any other choice.

--
Brad Knowles, [EMAIL PROTECTED]

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755

LOPSA member since December 2005. See http://www.lopsa.org/.
Re: [Mailman-Users] any info on this reported exploit?
Brad Knowles wrote:
> There is a QA process that such patches need to go through, even if we're talking about a bug that is currently being exploited widely. In fact, the more it's being exploited, and the more dangerous it is, I think the more testing needs to be done to make sure that it's caught and completely dealt with, and there aren't any unintended consequences.

I guess we just see system administration from different angles, I prefer communication to silence. Here is the scenario that I'd like to see for the next gotcha:

Barry/Tokio/Mark: Folks, yesterday we were informed of a serious (i.e. potential for data loss) issue with MM 2.1.5+. The team will need a few days to sort through this and to come back with some recommendations for securing your systems. Secondly, the team will try and produce a patch in 2 weeks time.

Users: Great, glad to hear this Barry. Thank you for your hard dedicated work. Please keep us informed of what we can do to help.

day+=2:

Barry/Tokio/Mark: It looks like this vulnerability is leveraging an (unmentioned) py file. Can users please send us logs showing failed/complete/erroneous attempts to access py files in your systems?

Users: Great, thanks again Barry, glad we can help.

day++:

Barry/Tokio/Mark: OK folks, thanks for being patient with us. Here's what you need to do right now: If you use Apache, add a mod_rewrite entry to prevent access to xyz.py. Also, chmod abc.py to only allow cgi-user access (not the normal mailman user), blah, blah, blah... Finally, please change your site-wide password, and all moderator passwords ASAP.

Users: Great Barry. Thanks again for the speedy assistance.

day+=10:

Barry/Tokio/Mark: Today we are releasing patches for MM 2.1.5, 2.1.6, and 2.1.7 that admins need to apply to their systems. Note: assuming you have taken our prior advice there is no need to rush and apply these patches. Having said that, if you do see entry blah in your mailman mischief log then we recommend that you apply this patch ASAP.

Users: Excellent, Thank you again Barry.

Two, three, or four days later, after planned outage notices are sent out and tests have been performed on test systems, people can upgrade their systems with confidence and sanity while working around holidays, sporting events, vacations, etc.

Somebody please tell me what is wrong with that level of communication on vulnerability/security issues.

-Jim P. (seeking nirvana)
Re: [Mailman-Users] any info on this reported exploit?
At 1:00 AM -0500 2006-01-27, Jim Popovitch wrote:
> I'm pretty sure that the insiders fix their systems first, then tell the rest of us about the patch, probably at the last minute possible.

The insiders here are people like Barry, Tokio, and Mark. I can't speak for what they do on their personal systems, but my recollection is that python.org wasn't updated until the patch was publicly available. And even I don't have access to their internal discussions regarding such matters. So, you're no worse off than I am.

> I challenge everyone on mailman-secure (or whatever list it is) to NOT touch your public Mailman systems until you notify mailman-users of the solution to the next vulnerability. Deal?

They do have to do their development somewhere, right? I mean, you give them that much, I hope. And they do need to do at least some minimal testing on a live production system before they release that to the public, right? I mean, you wouldn't want to try using something that had never been tested anywhere, would you?

There is a QA process that such patches need to go through, even if we're talking about a bug that is currently being exploited widely. In fact, the more it's being exploited, and the more dangerous it is, I think the more testing needs to be done to make sure that it's caught and completely dealt with, and there aren't any unintended consequences.

--
Brad Knowles, [EMAIL PROTECTED]
[Mailman-Users] Weirdness
Team: I have some issues with my mailing list. I have users subscribe to a list but yet I always have to approve their posts for some reason. And when I do have it accept this address for future posts, it still emails me to approve it. Any ideas???

Thanks, LDB
[Mailman-Users] Makeshift backup mailman server - are there unforeseen probs with this?
I seemed to finally get a decent backup for mailman going. It's not super slick or anything but seems to work pretty decently, but you can never be too sure or ask enough questions when it comes to stuff like this so any feedback would be appreciated.

We are running two linux debian servers, one in City1 and the other in City2. Each night I copy over any CHANGED files in the /var/lib/mailman directory. I do NOT copy /usr/lib/mailman. This works fairly well it seems. We did a test and moved our mailman website to the other server (the website has been made redundant in city2) and everything seemed to line up just fine. I wasn't able to send test messages to all the lists (we can have this!). So my tests are conclusive. But all the unprocessed messages came over with it and were released from the queue on the redundant server.

Does anyone see problems with this method backing up mailman? We'll be doing a full systems test in the spring and I need to know my mailman server isn't going to break this way and if it does, what I'll need to do to make it work once we switch to the other server.

Thanks in advance, Aaron
[Mailman-Users] archive is not available
Hello, I have newly joined this list. These days I am working on a project that is using mail man on linux. But I am facing a problem here. The messages I am sending to my mailing list are not available in my list's archive. Kindly help me in solving this problem.
Re: [Mailman-Users] Problem with Postfix and default mailbox
-Original Message-
From: Matthias Leonhardt
Sent: Thursday, January 26, 2006 7:12 PM
To: mailman-users@python.org
Subject: [Mailman-Users] Problem with Postfix and default mailbox

> Hi there, I have a working mailman and postfix installation. in my postfix config I have a virtual user alias for my domain which allows me to get all mail which has no explicit EMail-Box goes to one default box
> [EMAIL PROTECTED]- mailbox1
> this is configured in the postfix virtual_maps directive in main.cf

You need to have another entry in your virtual map which maps [EMAIL PROTECTED] to a local address (one which is in mydestinations in Postfix). Usually you would put in something like:

    [EMAIL PROTECTED] [EMAIL PROTECTED]

and then have an entry for mylist in the alias map sending the list name to the Mailman scripts. Remember that you will also need to do this for the other aliases which Mailman needs for a list, which varies depending on the version of Mailman which you are using.

> now I have a mailinglist
> [EMAIL PROTECTED] |mailman
> which is configured in the postfix alias_maps directive in main.cf The mailing list only works if I disable the default virtual mailbox entry.

Remember to put in the entries, in the virtual map and the alias map, for the other aliases which Mailman needs.

> So how can I get this work together? It should be working if postfix first looks into the alias table instead of virtual_maps.

I hope this helps,
Ari Rabinowitz, one of the Email postmasters at Bear Stearns
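The routing described in the reply above, as an added example that is not part of the original message: a simplified Python model of the Postfix lookup order (exact virtual entry before the `@domain` catch-all, then the alias map for local domains) with a generator for the per-list entries. The domains, the `mylist` name, the wrapper path and the Mailman 2.1 alias suffixes are assumptions for illustration.

```python
"""Simplified model of the Postfix lookups behind a Mailman list that shares
a domain with a catch-all virtual mailbox. Every name is a constructed example."""

# Aliases one Mailman 2.1 list needs (assumption: 2.1.x; other versions differ).
MAILMAN_SUFFIXES = ["", "-admin", "-bounces", "-confirm", "-join", "-leave",
                    "-owner", "-request", "-subscribe", "-unsubscribe"]
WRAPPER = "/usr/local/mailman/mail/mailman"   # assumption: depends on the install
LOCAL_DOMAINS = {"mail.example.org"}          # stands in for mydestination
CATCH_ALL = {"@example.org": "mailbox1@mail.example.org"}  # the default mailbox


def list_entries(listname, list_domain, local_domain):
    """Build the virtual-map and alias-map entries for one list."""
    virtual, aliases = {}, {}
    for suffix in MAILMAN_SUFFIXES:
        local = listname + suffix
        command = suffix.lstrip("-") or "post"
        # Virtual map: list address -> same local part in a local domain.
        virtual[f"{local}@{list_domain}"] = f"{local}@{local_domain}"
        # Alias map: local part -> pipe into the Mailman wrapper.
        aliases[local] = f"|{WRAPPER} {command} {listname}"
    return virtual, aliases


def route(address, virtual, aliases, local_domains=LOCAL_DOMAINS, max_hops=10):
    """Resolve a recipient: virtual rewriting first (exact address before the
    @domain catch-all, repeated until nothing matches), then the alias map
    for local domains. Returns ("pipe", command) or ("mailbox", address)."""
    for _ in range(max_hops):
        domain = address.rpartition("@")[2]
        target = virtual.get(address) or virtual.get("@" + domain)
        if target is None or target == address:
            break
        address = target
    local, _, domain = address.rpartition("@")
    if domain in local_domains and local in aliases:
        return ("pipe", aliases[local])
    return ("mailbox", address)


def render(virtual, aliases):
    """Return the text of the two map files as (virtual_text, alias_text)."""
    vlines = ["%-34s%s" % (src, dst) for src, dst in virtual.items()]
    alines = ['%-22s"%s"' % (name + ":", cmd) for name, cmd in aliases.items()]
    return "\n".join(vlines), "\n".join(alines)


if __name__ == "__main__":
    list_virtual, list_aliases = list_entries("mylist", "example.org",
                                              "mail.example.org")
    combined = {**CATCH_ALL, **list_virtual}
    # Alias alone: the catch-all rewrites the address before aliases are consulted.
    print(route("mylist@example.org", CATCH_ALL, list_aliases))
    # Exact virtual entries win over the catch-all, so the alias is reached.
    print(route("mylist@example.org", combined, list_aliases))
    # Other mail for the domain still lands in the default mailbox.
    print(route("someone@example.org", combined, list_aliases))
    print("\n\n".join(render(list_virtual, list_aliases)))
```

Leaving any one of the ten addresses out of the virtual map sends that address to the default mailbox, which is why bounces or confirmations can go missing even when posting works.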
Re: [Mailman-Users] Problem with Postfix and default mailbox
Hello Ari,

> [EMAIL PROTECTED] [EMAIL PROTECTED]

well - that did it! I inserted a virtual map entry to forward the mailinglist to another locally hosted domain without a default mailbox - so mailman gets the mail in the end. Thanks for your hint.

kind regards, Matthias Leonhardt
[Mailman-Users] troubles with multiple installations on the same machine
Hi all, I am having troubles installing more than one instance on the same LINUX FEDORA CORE 2 box. The need arises from having to manage lists for more than one domain (e.g. abitipuliti.org liste.cnms.it swazitalia.org ...)

I understand that installing multiple instances is the best choice ... am I right? (FAQ: Multiple installations on the same machine can be used to avoid the list naming restrictions http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq04.047.htp)

I accurately (I hope) followed the instructions on: http://www.gnu.org/software/mailman/mailman-install/index.html

The 1st instance for abitipuliti.org works just fine. On the 2nd and 3rd for liste.cnms.it and swazitalia.org I get some PROBLEMS:

When I fill in the form on
- http://liste.cnms.it/mailman/create (2nd) and on
- http://swazitalia.org/mailman/create (3rd)
I get

    *Error: /Unknown virtual host: liste.cnms.it/*
    *Error: /Unknown virtual host: swazitalia.org/*

On both forms it will accept as List creator's (authentication) password the password of the 1st instance!! Also some URLs point erroneously from 2nd or 3rd web interface to 1st domain.

If I create the list from the command line I get the notification of the new list but when click to the URL http://swazitalia.org/mailman/admin/test I get:

    No such list /test/

CONFIGURATION:

1st instance for abitipuliti.org 2.1.4
$prefix = /var/mailman
Apache httpd.conf

    <VirtualHost *:80>
    ServerName abitipuliti.org
    ProxyVia on
    ScriptAlias /mailman/* /var/mailman/cgi-bin/*
    Alias /pipermail/ /var/mailman/archives/public/
    </VirtualHost>

2nd instance for liste.cnms.it 2.1.6
$prefix = /data/mailman

    ./configure --prefix=/data/mailman --with-cgi-gid=apache --with-mailhost=liste.cnms.it --with-urlhost=liste.cnms.it

Apache httpd.conf

    <VirtualHost *:80>
    ServerName liste.cnms.it
    ProxyVia on
    ScriptAlias /mailman/* /data/mailman/cgi-bin/*
    Alias /pipermail/ /data/mailman/archives/public/
    </VirtualHost>

3rd instance for swazitalia.org 2.1.7
$prefix = /data/mailmanswazitalia

    ./configure --prefix=/data/mailmanswazitalia --with-cgi-gid=apache --with-mailhost=swazitalia.org --with-urlhost=swazitalia.org

Apache httpd.conf

    <VirtualHost *:80>
    DocumentRoot /data/www/swazitalia
    ServerName swazitalia.org
    ProxyVia on
    ScriptAlias /mailman/* /data/mailmanswazitalia/cgi-bin/*
    Alias /pipermail/ /data/mailmanswazitalia/archives/public/
    </VirtualHost>

Any hint? Anything I can try to understand where is the configuration error? Alternative configurations?

Thanks so much for your patience, Davide
[Mailman-Users] Mailman Template
I'm working on customizing the Mailman archive templates. I'm customizing the HTML and need to generate dynamic text based on the listname, but when I add a %(list_name)s in places, it doesn't get rendered dynamically. Instead it shows up as %(list_name)s in the final HTML. How can I use the dynamic tags in templates correctly? And is there a guide anywhere explaining the templating system in detail?

Jeff Edwards
Software Developer
CCCI
Re: [Mailman-Users] Mailman Template
Jeff Edwards wrote:
> I'm working on customizing the Mailman archive templates. I'm customizing the HTML and need to generate dynamic text based on the listname, but when I add a %(list_name)s in places, it doesn't get rendered dynamically. Instead it shows up as %(list_name)s in the final HTML. How can I use the dynamic tags in templates correctly?

Templates are a hodge podge. In some cases you use %(xx)s replacement; in others mm-* tags like MM-List-Name. Also, you can't just use arbitrary names. Each template has an associated dictionary in the code, so even if you are dealing with a template that uses %(name)s replacements, %(list_name)s may not work in that particular template.

> And is there a guide anywhere explaining the templating system in detail?

No, but it's on my To Do list to write a FAQ for this.

--
Mark Sapiro [EMAIL PROTECTED]           The highway is for gamblers,
San Francisco Bay Area, California      better use your sense - B. Dylan
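Why a name outside a template's dictionary comes out as literal text, as an added example that is not Mailman's own code: the sketch assumes the template is filled by `%` substitution against a dictionary that echoes unknown keys back instead of raising, and it reports which `%(name)s` placeholders and `MM-*` tags a template uses. The `EchoDict` class, the sample template and its key set are constructed for illustration.

```python
import re


class EchoDict(dict):
    """Mapping for %-substitution that returns '%(key)s' for any key it
    lacks, so an unsupported placeholder survives into the output as-is."""

    def __missing__(self, key):
        return "%(" + key + ")s"


PLACEHOLDER = re.compile(r"%\((\w+)\)s")          # %(name)s style
MM_TAG = re.compile(r"<(MM-[\w-]+)>", re.I)       # <MM-List-Name> style
STRAY_PERCENT = re.compile(r"%(?!\(\w+\)s)")      # a bare % breaks %-formatting

# Constructed sample: one template and the only names its dictionary supplies.
SAMPLE_TEMPLATE = """<html><head><title>The %(listname)s Archives</title></head>
<body><h1>%(list_name)s</h1>
<p><a href="%(listinfo)s">More info on this list</a></p>
<p><MM-List-Name> footer</p>
</body></html>"""
SAMPLE_VALUES = {
    "listname": "Test",
    "listinfo": "https://lists.example.org/mailman/listinfo/test",
}


def render_template(text, values):
    """Fill a %-style template; names not in `values` are left literal."""
    return text % EchoDict(values)


def audit_template(text, values):
    """Report what a template asks for versus what its dictionary offers."""
    names = sorted(set(PLACEHOLDER.findall(text)))
    without_escapes = text.replace("%%", "")       # %% is a legal literal %
    return {
        "filled": [n for n in names if n in values],
        "left_literal": [n for n in names if n not in values],
        # MM-* tags are handled by a different mechanism than %-substitution.
        "mm_tags": sorted(set(MM_TAG.findall(text))),
        "stray_percent": STRAY_PERCENT.search(without_escapes) is not None,
    }


if __name__ == "__main__":
    print(render_template(SAMPLE_TEMPLATE, SAMPLE_VALUES))
    for key, value in audit_template(SAMPLE_TEMPLATE, SAMPLE_VALUES).items():
        print(key, "=", value)
```

Running the audit against a customized template before installing it shows which names will stay literal and whether a bare `%` (for example in `width=100%`) needs doubling to `%%`.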
Re: [Mailman-Users] Weirdness
Lawrence Bowie wrote:
> I have users subscribe to a list but yet I always have to approve their posts for some reason.

For what reason? Every hold has a reason, what is this one?

> And when I do have it accept this address for future posts, it still emails me to approve it. Any ideas???

The check box to accept future posts only applies to non-members. I'm guessing that your new members are moderated because Privacy options...->Sender filters->default_member_moderation is set to Yes. If this is not what you want, set it to No and then on Membership Management...->Membership List under Additional Member Tasks - Set everyone's moderation bit, including those members not currently visible, select No and click Set.

--
Mark Sapiro [EMAIL PROTECTED]
Re: [Mailman-Users] archive is not available
reema jamil wrote:
> I am facing a problem here. The messages I am sending to my mailing list are not available in my list's archive. Kindly help me in solving this problem.

Is 'archive' set to Yes on the admin Archiving Options page? Have you set ARCHIVE_TO_MBOX to other than 2 in mm_cfg.py? Do you mean the messages aren't being archived, or you are unable to access the archive via the web? What's in Mailman's 'error' log?

--
Mark Sapiro [EMAIL PROTECTED]
Re: [Mailman-Users] Regenerate the archives index.html file
Kyle Pinkley wrote:
> I am working with a server where some of the html pages got defaced via the NeverEverNoSanity (old) worm. One of the pages that got defaced was the index.html page of one of the archives (/mailman/archives/public/list_name). How can I regenerate this file?

This file is automatically regenerated each time a post is archived. If you can't wait for a post, run 'bin/arch --help'.

--
Mark Sapiro [EMAIL PROTECTED]
Re: [Mailman-Users] any info on this reported exploit?
Jim == Jim Popovitch [EMAIL PROTECTED] writes:

Jim> I guess we just see system administration from different angles, I prefer communication to silence.

Of course. So does everybody. Specifically, so do the crackers.

Jim> Barry/Tokio/Mark: Folks, yesterday we were informed of a serious (i.e. potential for data loss) issue with MM 2.1.5+.

That's cheating, man. A potential for data loss issue, as long as it's possible to trigger in normal operation, gets announced immediately. What we're talking about here is a hostile agency that is specifically out to get you, and is quite possibly listening to your broadcasts.

Jim> Somebody please tell me what is wrong with that level of communication on vulnerability/security issues.

1. The scenario you describe is basically the process that will happen according to the discussions that led up to the security FAQ. In other words, mostly you've already got what you're asking for.

2. Except for the initial broadcast that announces that there is now a race between the hackers and the crackers, and how long the crackers have to exploit the hole. Whether you believe that is a reasonable interpretation or not, many developers do, and they will respond to such a leak by working harder on the problem, at the cost of their own weekends, etc. This did happen the last time there was a security announcement by a third party on Mailman-Users; that's what prompted the posting of the security FAQ.

3. AFAIK none of the Mailman developers get paid for what they do. How about *their* weekends and their regular jobs?

4. Writing such memos is a non-trivial amount of effort. And weekend or not, I'm sure he'd rather be spending the time working on the fix.

5. Security patches are asynchronous, like earthquakes, they happen when they happen. If the patch comes out on Friday at 4:45, I would cancel that dinner date with my daughter. Wouldn't you? What difference would notice on Tuesday that a patch is expected sometime on Friday make to that decision, anyway?

In sum, I just don't see what benefit there is to the process you outline relative to current policy. The information doesn't make anyone more secure (unless they're willing to shut down their systems from announcement that we're worried until a workaround or fix is available), communication with users will slow production of the fix but won't reduce the variance on when it gets released, and it's a non-negligible burden on the developers.

--
School of Systems and Information Engineering    http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba                    Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Ask not how you can do free software business; ask what your business can do for free software.
Re: [Mailman-Users] any info on this reported exploit?
Stephen J. Turnbull wrote:
> 5. Security patches are asynchronous, like earthquakes, they happen when they happen.

Very bad analogy. Hurricanes would be better. There is plenty of potential for user-base warning before a patch is to be released.

> If the patch comes out on Friday at 4:45, I would cancel that dinner date with my daughter. Wouldn't you? What difference would notice on Tuesday that a patch is expected sometime on Friday make to that decision, anyway?

Your daughter would presumably rather know on Tuesday that her Friday dinner with dad is canceled. That way she could make other plans, etc. Change daughter to wife and ask yourself how long your wife would remain if you kept canceling Friday dinner at the last minute. Now look at it from a business standpoint and try and convince my customers that they should expect their service to be down at any point in time to do unplanned system upgrades.

> In sum, I just don't see what benefit there is to the process you outline relative to current policy. The information doesn't make anyone more secure

No one is advocating that more info means more security. More info just means that users aren't the only ones in the dark. If the hack is out and the developers are working on it, who is left to inform... THE USERS OF THE PRODUCT. Why leave us in the dark?

> (unless they're willing to shut down their systems from announcement that we're worried until a workaround or fix is available)

That is an option that I reserve the right to make the decision on. Don't remove my capability to make that decision by hiding the info.

> communication with users will slow production of the fix but won't reduce the variance on when it gets released, and it's a non-negligible burden on the developers.

I don't believe that one bit, certainly not in the scenario that I described.

-Jim P.
[Mailman-Users] Confirmation e-mail goes to user that is not admin or moderator
I have set up a list and all the emails that are going to the owner are going to a person that is not on either the admin or moderator list. Any idea why? Using 2.1.6 Mailman

Charles
Re: [Mailman-Users] any info on this reported exploit?
At 3:41 PM -0500 2006-01-27, Jim Popovitch wrote:
>> 5. Security patches are asynchronous, like earthquakes, they happen when they happen.
> Very bad analogy. Hurricanes would be better. There is plenty of potential for user-base warning before a patch is to be released.

No, Stephen was right -- the model is Earthquakes. We never know when we'll get a security announcement created by someone we've never heard of before, and where everyone has to stop everything they're doing (like their real job), to work 24x7 on figuring out what is actually happening, and then work to create a patch. Then you have to test the patch and make sure it works as intended.

> Your daughter would presumably rather know on Tuesday that her Friday dinner with dad is canceled.

That assumes that the boss doesn't tell Dad at 4:45pm on Friday afternoon that they just got a new security announcement dumped on them by an organization which no one had ever heard of before. That's what happens to us.

> That way she could make other plans, etc. Change daughter to wife and ask yourself how long your wife would remain if you kept canceling Friday dinner at the last minute.

Right. Now imagine the problem that Barry, Tokio, Mark, and others have when they get a new security announcement dumped on them.

> No one is advocating that more info means more security.

I violently disagree with the concept of security through obscurity. That is one of my biggest hot buttons. However, there is a limit to how much information we can provide when we don't have the information ourselves. And there is a limit to how fast we can provide what information we do have.

--
Brad Knowles, [EMAIL PROTECTED]
Re: [Mailman-Users] any info on this reported exploit?
Brad Knowles wrote:
> At 3:41 PM -0500 2006-01-27, Jim Popovitch wrote:
>>> 5. Security patches are asynchronous, like earthquakes, they happen when they happen.
>> Very bad analogy. Hurricanes would be better. There is plenty of potential for user-base warning before a patch is to be released.
> No, Stephen was right -- the model is Earthquakes.

No, Stephen specifically said Security patches. Patches don't materialize overnight and surprise *everyone*, sadly just the users.

-Jim P.
Re: [Mailman-Users] Confirmation e-mail goes to user that is not admin or moderator
Charles M. Owen wrote:
> I have set up a list and all the emails that are going to the owner are going to a person that is not on either the admin or moderator list. Any idea why?

Did you see the reply to your prior post at http://mail.python.org/pipermail/mailman-users/2006-January/048811.html?

--
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
[Mailman-Users] Domain problem with mailman
I just installed Mailman and it seemed to setup ok, until I tried to create a new list using the web interface. I'm running Fedora Core 3 with all the correct versions of Sendmail, Python, Apache and Mailman.

My machine name is server1.my.domain
My web page is www.my.domain
All email addrs are [EMAIL PROTECTED]
DNS is set up for www.my.domain, mail.my.domain and mail2.my.domain.
Sendmail is working fine.

Mailman wants to use [EMAIL PROTECTED] when it should be [EMAIL PROTECTED]

Using the web interface, (http://www.my.domain/mailman), whichever option I select, it requests a page starting Http://server1.my.domain.. If I manually change 'server1' to 'www' it works fine.

Anyone care to suggest where I've gone wrong?

Thanks.
Peter.
Re: [Mailman-Users] any info on this reported exploit?
Jim Popovitch wrote:
> Brad Knowles wrote:
>> At 3:41 PM -0500 2006-01-27, Jim Popovitch wrote:
>>
>>>> 5. Security patches are asynchronous, like earthquakes, they happen when they happen.
>>>
>>> Very bad analogy. Hurricanes would be better. There is plenty of potential for user-base warning before a patch is to be released.
>>
>> No, Stephen was right -- the model is Earthquakes.
>
> No, Stephen specifically said Security patches. Patches don't materialize overnight and surprise *everyone*, sadly just the users.

Let me add that this whole issue is getting clouded by side comments unnecessarily. No one is challenging the skill or capability of the MM developers, so there is no need to keep bringing up the pace/rate they work. Secondly, no one is saying give us the keys to the kingdom, what I am saying is please keep us informed about what is coming down the pipe. I don't need specifics or details, just info I can use to plan/schedule.

Simply put, don't surprise us with patches/fixes (critical or not). Nothing more, nothing less.

-Jim P.
Re: [Mailman-Users] Domain problem with mailman
Peter Russell wrote:
> I just installed Mailman and it seemed to setup ok, until I tried to create a new list using the web interface. I'm running Fedora Core 3 with all the correct versions of Sendmail, Python, Apache and Mailman.
>
> My machine name is server1.my.domain
> My web page is www.my.domain
> All email addrs are [EMAIL PROTECTED]
> DNS is set up for www.my.domain, mail.my.domain and mail2.my.domain.
> Sendmail is working fine.
>
> Mailman wants to use [EMAIL PROTECTED] when it should be [EMAIL PROTECTED]
>
> Using the web interface, (http://www.my.domain/mailman), whichever option I select, it requests a page starting Http://server1.my.domain.. If I manually change 'server1' to 'www' it works fine.
>
> Anyone care to suggest where I've gone wrong?

Check your settings for DEFAULT_EMAIL_HOST, DEFAULT_URL_HOST, DEFAULT_URL_PATTERN in mm_cfg.py. Also, do you have any add_virtualhost statements in mm_cfg?

-Jim P.
Re: [Mailman-Users] Domain problem with mailman
Peter Russell wrote:
> Mailman wants to use [EMAIL PROTECTED] when it should be [EMAIL PROTECTED]
>
> Using the web interface, (http://www.my.domain/mailman), whichever option I select, it requests a page starting Http://server1.my.domain.. If I manually change 'server1' to 'www' it works fine.
>
> Anyone care to suggest where I've gone wrong?

You have (or had when you created the list) the wrong values for DEFAULT_URL_HOST and DEFAULT_EMAIL_HOST. The values you want are 'www.my.domain' and 'my.domain' respectively.

See http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq04.029.htp for what to do and don't overlook the part about fix_url for existing lists.

--
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Re: [Mailman-Users] Confirmation problems
Niemi Hannu wrote:
>> Is it only this list that fails? It is not likely a virtual host problem as host really isn't involved in processing confirmations.
>
> I had to test the others. To be honest I haven't earlier used this kind of user-driven subscription in any of the lists on that server, but have been adding the users on the web form instead. And the result is that (what was exactly what I was afraid of ;)) that at least the one I tested worked... What gives???

Check mailman's 'error' log and also permissions on the list's pending.pck file.

--
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Re: [Mailman-Users] troubles with multiple installations on the same machine
Davide Galletti wrote:
> I am having troubles installing more than one instance on the same LINUX FEDORA CORE 2 box. The need arises from having to manage lists for more than one domain (e.g. abitipuliti.org liste.cnms.it swazitalia.org ...)
>
> I understand that installing multiple instances is the best choice ... am I right?
> (FAQ: Multiple installations on the same machine can be used to avoid the list naming restrictions http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq04.047.htp
>
> I accurately ( I hope ) followed the instructions on: http://www.gnu.org/software/mailman/mailman-install/index.html

Multiple instances may be the best choice if you want to be able to have the same list name on more than one host. If you can live with the restriction that all list names must be unique regardless of host, then Mailman virtual hosts may be a better solution.

> The 1st instance for abitipuliti.org works just fine
> On the 2nd and 3rd for liste.cnms.it and swazitalia.org I get some PROBLEMS:
>
> When I fill in the form on
> - http://liste.cnms.it/mailman/create (2nd) and on
> - http://swazitalia.org/mailman/create (3rd)
> I get
> *Error: /Unknown virtual host: liste.cnms.it/*
> *Error: /Unknown virtual host: swazitalia.org/*
>
> On both forms it will accept as List creator's (authentication) password the password of the 1st instance!!

This is probably because all hosts are using the instance you intend to be for abitipuliti.org, and none are using the others.

> Also some URLs point erroneously from 2nd or 3rd web interface to 1st domain.

A consequence of the above.

> If I create the list from the command line I get the notification of the new list but when click to the URL http://swazitalia.org/mailman/admin/test I get: No such list /test/

This is probably because you created the list in the /data/mailmanswazitalia instance, but the web interface is looking only at the /var/mailman instance.

See remarks following:

> CONFIGURATION:
>
> 1st instance for abitipuliti.org 2.1.4
> $prefix = /var/mailman
> Apache httpd.conf
> <VirtualHost *:80>
> ServerName abitipuliti.org
> ProxyVia on
> ScriptAlias /mailman/* /var/mailman/cgi-bin/*
> Alias /pipermail/ /var/mailman/archives/public/
> </VirtualHost>
>
> 2nd instance for liste.cnms.it 2.1.6
> $prefix = /data/mailman
> ./configure --prefix=/data/mailman --with-cgi-gid=apache --with-mailhost=liste.cnms.it --with-urlhost=liste.cnms.it
> Apache httpd.conf
> <VirtualHost *:80>
> ServerName liste.cnms.it
> ProxyVia on
> ScriptAlias /mailman/* /data/mailman/cgi-bin/*
> Alias /pipermail/ /data/mailman/archives/public/
> </VirtualHost>
>
> 3rd instance for swazitalia.org 2.1.7
> $prefix = /data/mailmanswazitalia
> ./configure --prefix=/data/mailmanswazitalia --with-cgi-gid=apache --with-mailhost=swazitalia.org --with-urlhost=swazitalia.org
> Apache httpd.conf
> <VirtualHost *:80>
> DocumentRoot /data/www/swazitalia
> ServerName swazitalia.org
> ProxyVia on
> ScriptAlias /mailman/* /data/mailmanswazitalia/cgi-bin/*
> Alias /pipermail/ /data/mailmanswazitalia/archives/public/
> </VirtualHost>
>
> Any hint?

Since your virtual hosts seem to use the same IP address (at least the ones I could look up), you need NameVirtualHost directives. See http://httpd.apache.org/docs/1.3/vhosts/name-based.html or http://httpd.apache.org/docs/2.0/vhosts/name-based.html as appropriate.

--
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Re: [Mailman-Users] Weirdness
Mark Sapiro wrote:
> Lawrence Bowie wrote:
>> I have users subscribe to a list but yet I always have to approve their posts for some reason.
>
> For what reason? Every hold has a reason, what is this one?
>
>> And when I do have it accept this address for future posts, it still emails me to approve it. Any ideas???
>
> The check box to accept future posts only applies to non-members. I'm guessing that your new members are moderated because Privacy options...->Sender filters->default_member_moderation is set to Yes. If this is not what you want, set it to No and then on Membership Management...->Membership List under Additional Member Tasks -> Set everyone's moderation bit, including those members not currently visible, select No and click Set.

Thanks for replying. That has already been done. There is something wrong. Everyone is subscribed to the list as members and they are posting with the same email as on the membership list. Has anyone seen this before. Very weird ...

LDB
Re: [Mailman-Users] Weirdness
Lawrence Bowie wrote:
> That has already been done. There is something wrong. Everyone is subscribed to the list as members and they are posting with the same email as on the membership list. Has anyone seen this before. Very weird ...

I saw it today on a list for one person out of a thousand subscribers. I *think*, but I'm not 100% sure, that this subscriber was pending subscription approval during the upgrade from MM 2.1.5m to 2.1.6. I'm pretty sure the upgrade notes recommend clearing all admin approvals before upgrading, however on my system a few issues slipped through during the upgrade window.

On your system is it more like one or two users or more like 90%?

Just curious,

-Jim P.
Re: [Mailman-Users] Weirdness
Mark Sapiro wrote:
> Lawrence Bowie wrote:
>> I have users subscribe to a list but yet I always have to approve their posts for some reason.
>
> For what reason? Every hold has a reason, what is this one?
>
>> And when I do have it accept this address for future posts, it still emails me to approve it. Any ideas???
>
> The check box to accept future posts only applies to non-members. I'm guessing that your new members are moderated because Privacy options...->Sender filters->default_member_moderation is set to Yes. If this is not what you want, set it to No and then on Membership Management...->Membership List under Additional Member Tasks -> Set everyone's moderation bit, including those members not currently visible, select No and click Set.

The next time someone posts I can give you that reason. :) So hang a while, please.

In the meantime, I have data in /var/lib/mailman/data/ starting with heldmsg-*. Most of it, if not all is SPAM. I can safely get rid of it without adversely affecting the lists, right?

Thanks,

LDB
Re: [Mailman-Users] Weirdness
Lawrence Bowie wrote:
> Mark Sapiro wrote:
>> Lawrence Bowie wrote:
>>> I have users subscribe to a list but yet I always have to approve their posts for some reason.
>>
>> For what reason? Every hold has a reason, what is this one?
>>
>>> And when I do have it accept this address for future posts, it still emails me to approve it. Any ideas???
>>
>> The check box to accept future posts only applies to non-members. I'm guessing that your new members are moderated because Privacy options...->Sender filters->default_member_moderation is set to Yes. If this is not what you want, set it to No and then on Membership Management...->Membership List under Additional Member Tasks -> Set everyone's moderation bit, including those members not currently visible, select No and click Set.
>
> The next time someone posts I can give you that reason. :) So hang a while, please.
>
> In the meantime, I have data in /var/lib/mailman/data/ starting with heldmsg-*. Most of it, if not all is SPAM. I can safely get rid of it without adversely affecting the lists, right?
>
> Thanks,
>
> LDB

nevermind .. dumb question ..

LDB
Re: [Mailman-Users] Confirmation e-mail goes to user that is not admin or moderator
Sorry, I did miss it somehow. I will post against this topic, since it is more appropriate.

I am an end-user of a rented server. I do not have access to mailman directly. What is MTA?

I did discover three things.

1) The person getting the unwanted message sent me a copy and it was to list-owner@example.com from mailman-bounces@example.com

2) When I added the list through the control panel, it automatically placed a forwarder (only one) in the forwarder list: owner-list@example.com ==> list-admin@example.com

2) Two people DID GET it that I did not expect and I found both addresses as forwarded from the Default Address Maintenance where All unrouted mail will be sent. SO... I get the message for being in the moderator field as I should and they get it for unrouted mail.

list-owner instead of owner-list should be forwarded. This is my working theory!! I have an idea of this is the course of action, but those more familiar can advise.

THUS... what do I need to do or get the provider to fix?

Charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Sapiro
Sent: Friday, January 27, 2006 4:03 PM
To: mailman-users@python.org
Subject: Re: [Mailman-Users] Confirmation e-mail goes to user that is not admin or moderator

Charles M. Owen wrote:
> I have set up a list and all the emails that are going to the owner are going to a person that is not on either the admin or moderator list. Any idea why?

Did you see the reply to your prior post at http://mail.python.org/pipermail/mailman-users/2006-January/048811.html?

--
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

Charles M. Owen wrote:
> One of my users is getting the owner e-mail for some reason I can't figure out. There are only two places (admin Moderator) and He is not there. He gets the request and the confirmation of the subscription. Where do I look?

Generally, internally generated Mailman owner notifications are sent to list-owner at example.com and only after being received at that address are they resent to the admin and moderator addresses. So check what the MTA is doing with the list-owner address (aliases, something else?).

Also check Mailman's smtp log. You'll normally see two entries with the same message id. The first for 1 recipient (the mail to list-owner) and the second perhaps a couple of seconds later for 'n' recipients which will tell you how many admins/moderators it is sent to.

If you send mail directly to list-owner at example.com, does he get it?

--
Mark Sapiro msapiro at value.net        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Re: [Mailman-Users] Confirmation e-mail goes to user that is not admin or moderator
Charles M. Owen wrote:
> I am an end-user of a rented server. I do not have access to mailman directly. What is MTA?

http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.013.htp

> I did discover three things.
>
> 1) The person getting the unwanted message sent me a copy and it was to list-owner@example.com from mailman-bounces@example.com

This is how owner notifications should be sent.

> 2) When I added the list through the control panel, it automatically placed a forwarder (only one) in the forwarder list: owner-list@example.com ==> list-admin@example.com

This is wrong. If the intent of whatever did this is to handle mail to owner-list@example.com by forwarding it to the list owner, it should be forwarded to list-owner@example.com. list-admin@example.com is a deprecated address. It hasn't been actually used since Mailman 2.0.x. In Mailman 2.1.x it is a synonym for list-bounces@example.com.

> 2) Two people DID GET it that I did not expect and I found both addresses as forwarded from the Default Address Maintenance where All unrouted mail will be sent. SO... I get the message for being in the moderator field as I should and they get it for unrouted mail.
>
> list-owner instead of owner-list should be forwarded. This is my working theory!! I have an idea of this is the course of action, but those more familiar can advise.

I'm not sure I'm correctly parsing the above, but the owner-list address is not a Mailman address. It is an address that is generically used by some to reach the owner of the list. Thus, with a Mailman list, this address is supported by forwarding to the address that actually reaches the owner.

What version of Mailman is this? I've been assuming it is a recent 2.1.x version, but maybe not, so what is it?

> THUS... what do I need to do or get the provider to fix?

Mailman 2.1.x expects 10 addresses per list to be delivered to Mailman in specific ways and to not be 'unknown'. These addresses are

list@...
list[EMAIL PROTECTED]
list[EMAIL PROTECTED] (does not go to the owner, goes to -bounces)
list[EMAIL PROTECTED]
list[EMAIL PROTECTED]
list[EMAIL PROTECTED]
list[EMAIL PROTECTED]
list[EMAIL PROTECTED]
list[EMAIL PROTECTED]
list[EMAIL PROTECTED]

Mailman 2.0.x expects only 4

list@...
list[EMAIL PROTECTED] (does go to the owner)
list[EMAIL PROTECTED]
list[EMAIL PROTECTED]

--
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Re: [Mailman-Users] Confirmation e-mail goes to user that is not admin or moderator
It reports to be 2.1.6.

I will have to forward your comments to tech support, but I have only one forwarder in my lists that was created by the installation program provided. (You have indicated this forward is wrong, thus unrouted/bad addresses go to the persons designated)

If you think of anything, I will also pass my tech supports help if helpful.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Sapiro
Sent: Friday, January 27, 2006 8:50 PM
To: mailman-users@python.org
Subject: Re: [Mailman-Users] Confirmation e-mail goes to user that is not admin or moderator

Charles M. Owen wrote:
> I am an end-user of a rented server. I do not have access to mailman directly. What is MTA?

http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.013.htp

> I did discover three things.
>
> 1) The person getting the unwanted message sent me a copy and it was to list-owner@example.com from mailman-bounces@example.com

This is how owner notifications should be sent.

> 2) When I added the list through the control panel, it automatically placed a forwarder (only one) in the forwarder list: owner-list@example.com ==> list-admin@example.com

This is wrong. If the intent of whatever did this is to handle mail to owner-list@example.com by forwarding it to the list owner, it should be forwarded to list-owner@example.com. list-admin@example.com is a deprecated address. It hasn't been actually used since Mailman 2.0.x. In Mailman 2.1.x it is a synonym for list-bounces@example.com.

> 2) Two people DID GET it that I did not expect and I found both addresses as forwarded from the Default Address Maintenance where All unrouted mail will be sent. SO... I get the message for being in the moderator field as I should and they get it for unrouted mail.
>
> list-owner instead of owner-list should be forwarded. This is my working theory!! I have an idea of this is the course of action, but those more familiar can advise.

I'm not sure I'm correctly parsing the above, but the owner-list address is not a Mailman address. It is an address that is generically used by some to reach the owner of the list. Thus, with a Mailman list, this address is supported by forwarding to the address that actually reaches the owner.

What version of Mailman is this? I've been assuming it is a recent 2.1.x version, but maybe not, so what is it?

> THUS... what do I need to do or get the provider to fix?

Mailman 2.1.x expects 10 addresses per list to be delivered to Mailman in specific ways and to not be 'unknown'. These addresses are

list@...
list[EMAIL PROTECTED]
list[EMAIL PROTECTED] (does not go to the owner, goes to -bounces)
list[EMAIL PROTECTED]
list[EMAIL PROTECTED]
list[EMAIL PROTECTED]
list[EMAIL PROTECTED]
list[EMAIL PROTECTED]
list[EMAIL PROTECTED]
list[EMAIL PROTECTED]

Mailman 2.0.x expects only 4

list@...
list[EMAIL PROTECTED] (does go to the owner)
list[EMAIL PROTECTED]
list[EMAIL PROTECTED]

--
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Re: [Mailman-Users] Weirdness
Mark Sapiro wrote:
> Lawrence Bowie wrote:
>> I have users subscribe to a list but yet I always have to approve their posts for some reason.
>
> For what reason? Every hold has a reason, what is this one?
>
>> And when I do have it accept this address for future posts, it still emails me to approve it. Any ideas???
>
> The check box to accept future posts only applies to non-members. I'm guessing that your new members are moderated because Privacy options...->Sender filters->default_member_moderation is set to Yes. If this is not what you want, set it to No and then on Membership Management...->Membership List under Additional Member Tasks -> Set everyone's moderation bit, including those members not currently visible, select No and click Set.

OK .. Here is the reason it says ..

Reason: Post by non-member to a members-only list

but he is a member of the list. Are headers necessary for you guys to see?

Thanks,

LDB
Re: [Mailman-Users] any info on this reported exploit?
Jim == Jim Popovitch [EMAIL PROTECTED] writes:

    Jim> Stephen J. Turnbull wrote:

    >> 5. Security patches are asynchronous, like earthquakes, they happen when they happen.

    Jim> Very bad analogy. Hurricanes would be better. There is plenty of potential for user-base warning before a patch is to be released.

Oh, if you prefer windstorms, hurricane is a bad analogy. Far more accurate is tornado.<0.1 wink>

Let's look at the pragmatics. Are you suggesting that if on Friday at 4:45, a patch is developed 72 hours faster than the estimate, the developers should withhold the patch until the scheduled announcement time? Or that although the developers release the patch, site admins should wait until the scheduled announcement time to apply it?

If the patch comes out on Friday at 4:45, I would cancel that dinner date with my daughter. Wouldn't you? What difference would notice on Tuesday that a patch is expected sometime on Friday make to that decision, anyway?

    Jim> Change daughter to wife and ask yourself how long your wife would remain if you kept canceling Friday dinner at the last minute.

I thought about issues like that 35 years ago, when I decided to become a professor. This is one reason I don't regret that decision.

Now, you may be stuck in your position for financial reasons, or because of the other more attractive aspects it presents, but I don't accept that that gives you a claim on the developers' evenings and weekends, even if users like you outnumber the developers 100:1.

    Jim> Now look at it from a business standpoint and try and convince my customers that they should expect their service to be down at any point in time to do unplanned system upgrades.

Um? Redundancy, man. Either your customers pay for reliability, or you don't provide it. (Well, you could take a loss by providing it and not charging, I guess.) In very few cases does a patch-level upgrade to Mailman require stopping for long enough that anybody would notice in the queue slop.

Or you can set up other systems to mitigate the vulnerabilities (or not, if that's inconvenient), and do the security update on banker's hours.

    >> In sum, I just don't see what benefit there is to the process you outline relative to current policy. The information doesn't make anyone more secure

    Jim> No one is advocating that more info means more security. More info just means that users aren't the only ones in the dark. If the hack is out and the developers are working on it, who is left to inform... THE USERS OF THE PRODUCT. Why leave us in the dark?

Because it gives information to the enemy and is only of marginal value to this user; I'm not speaking for anyone else, but I would be surprised if I'm the only one who feels this way.

Producing security fixes is done on exactly the kind of off-hours, do-it-now schedule that we all dislike for applying the fixes, and I think it's a good idea to delegate the decision-making to the same experts I trust to do the work.

    >> (unless they're willing to shut down their systems from announcement that we're worried until a workaround or fix is available)

    Jim> That is an option that I reserve the right to make the decision on. Don't remove my capability to make that decision by hiding the info.

Excuse me, but it is the _volunteers'_ judgment that broadcasting that information will hinder their effectiveness. I value your (and my!) capability to respond to such threats, but I acknowledge that I have no choice but to delegate the matter to the responsible developers.

Neither I nor you have any *right* in the matter. See Section 11 of the License under which you received Mailman.

If you want that information so badly, there are several ways you can arrange to get it: you can employ the developers, you can follow the security bulletins religiously (and privately ask the the developers what they're doing about it and privately tell those you trust about it), you can become a trusted developer. TANSTAAFL.

    >> communication with users will slow production of the fix but won't reduce the variance on when it gets released, and it's a non-negligible burden on the developers.

    Jim> I don't believe that one bit, certainly not in the scenario that I described.

I really have to disapprove of the way you consistently deprecate costs that others incur, while inflating those that you face.

--
School of Systems and Information Engineering http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba                    Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Ask not how you can do free software business;
ask what your business can do for free software.
Re: [Mailman-Users] Weirdness
Lawrence Bowie wrote:

> OK .. Here is the reason it says ..
>
> Reason: Post by non-member to a members-only list
>
> but he is a member of the list. Are headers necessary for you guys to see?

What is the subscribed address?

What are the following headers in the message

From:
Reply-To:
Sender:
Return-Path:

and the From_ separator in a mailbox file if any.

And have you made any changes to the default

SENDER_HEADERS = ('from', None, 'reply-to', 'sender')

(above from Defaults.py)

--
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
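A sketch of the sender lookup behind the questions in the message above, added here as an example and not Mailman's own code: it walks the `SENDER_HEADERS` default quoted there (with `None` taken to mean the address on the mbox `From ` separator line) and reports which candidate address, if any, matches a subscribed address. The function names, the sample message and the rule that any one matching candidate counts as a member are assumptions.

```python
import email
from email.utils import getaddresses

# Default quoted in the message above (from Defaults.py). None is assumed to
# stand for the envelope sender on the mbox "From " separator line.
SENDER_HEADERS = ('from', None, 'reply-to', 'sender')


def candidate_senders(msg, headers=SENDER_HEADERS):
    """Return lower-cased sender addresses in the order they are consulted."""
    found = []
    for name in headers:
        if name is None:
            # "From addr Thu Jan 26 ..." -> [addr]; empty if no separator line
            addrs = (msg.get_unixfrom() or '').split()[1:2]
        else:
            addrs = [a for _, a in getaddresses(msg.get_all(name, []))]
        for addr in addrs:
            addr = addr.lower()
            if addr and addr not in found:   # skip empties and duplicates
                found.append(addr)
    return found


def membership_report(raw, members):
    """Show which candidate address, if any, equals a subscribed address."""
    members = {m.lower() for m in members}
    senders = candidate_senders(email.message_from_string(raw))
    match = next((s for s in senders if s in members), None)
    return {'senders': senders, 'match': match,
            'held_as_non_member': match is None}


# Constructed sample message (hypothetical addresses), not taken from the thread.
SAMPLE = """\
From bounce-handler@mail.example.org Thu Jan 26 19:06:00 2006
Return-Path: <bounce-handler@mail.example.org>
From: Some User <Some.User@dept.example.org>
Sender: webmail@example.org
Subject: test post

body
"""

if __name__ == '__main__':
    # Subscribed under a different address than any the message carries.
    print(membership_report(SAMPLE, ['some.user@example.org']))
```

With the constructed sample, a subscription under `some.user@example.org` matches none of the three candidate addresses, which is the situation the requested headers and subscribed address would reveal.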
Re: [Mailman-Users] any info on this reported exploit?
Stephen J. Turnbull wrote:

> Jim == Jim Popovitch [EMAIL PROTECTED] writes:
>
> Oh, if you prefer windstorms, hurricane is a bad analogy. Far more accurate is tornado. <0.1 wink>

Hurricane is the most accurate analogy, because with hurricanes nobody knows about them until the NWS (at least here in the USA) informs them or they hear about it in the Media. Even then, most people don't fully know the specifics of the hurricane, nor do they necessarily possess the skills to understand the dynamics of the hurricane. HOWEVER, with sufficient info from the NWS people can prepare to address the inevitable effects of the hurricane should the need arise.

> Let's look at the pragmatics. Are you suggesting that if on Friday at 4:45, a patch is developed 72 hours faster than the estimate, the developers should withhold the patch until the scheduled announcement time? Or that although the developers release the patch, site admins should wait until the scheduled announcement time to apply it?

No. What I am suggesting/recommending is this: If the developers know on Monday of some super secret issue, and presumably they won't have a robust fully-tested solution until Friday, I want them to tell me in no-detail to alert me to be prepared for a Friday emergency patch. How is that risky?

> Now, you may be stuck in your position for financial reasons, or because of the other more attractive aspects it presents, but I don't accept that that gives you a claim on the developers' evenings and weekends, even if users like you outnumber the developers 100:1.

You mis-characterize (yet again?) what I am saying. I am not advocating for the developers to work more, or differently. I am only asking for a heads up, not a last minute announcement. I don't want to be one of the last people to know of ANY Mailman security issue. As a user of Mailman I expect to be kept in the loop by the vendor. Microsoft gives more patch/release heads up info than Mailman does, think about that for a while.

> Because it gives information to the enemy and is only of marginal value to this user; I'm not speaking for anyone else, but I would be surprised if I'm the only one who feels this way. Producing security fixes is done on exactly the kind of off-hours, do-it-now schedule that we all dislike for applying the fixes, and I think it's a good idea to delegate the decision-making to the same experts I trust to do the work.

My thoughts exactly. I trust them to do the work and produce a fix. Again, all I am advocating is that if they are spending 6 days on a fix, don't wait until the 7th day to fill us in. Let us know up front that they are working a possible fix that may need to be applied. Where's the harm in that?

> > (unless they're willing to shut down their systems from announcement that we're worried until a workaround or fix is available)
>
> Jim> That is an option that I reserve the right to make the
> Jim> decision on. Don't remove my capability to make that decision
> Jim> by hiding the info.
>
> Excuse me, but it is the _volunteers'_ judgment that broadcasting that information will hinder their effectiveness. I value your (and my!) capability to respond to such threats, but I acknowledge that I have no choice but to delegate the matter to the responsible developers. Neither I nor you have any *right* in the matter. See Section 11 of the License under which you received Mailman.

Huh? re-read my comments. I reserve the right to shut my Mailman system down, for any reason, at any time, lack-of-a-workaround or not.

> If you want that information so badly, there are several ways you can arrange to get it:

Again, you mis-understand my interests. I don't want info on the hack, I want a heads-up that unidentified fix is in the pipe and sysadmins can expect it late Friday (or whenever). Again, how is that so egregious?

> you can employ the developers, you can follow the security bulletins religiously (and privately ask the developers what they're doing about it and privately tell those you trust about it), you can become a trusted developer.

Why should Mark/Barry/Tokio trust me any more than the next guy? Honestly, I expect them NOT to. There is nothing I am asking for that needs to involve trust, or disclosure concerns.

> TANSTAAFL.
>
> > communication with users will slow production of the fix but won't reduce the variance on when it gets released, and it's a non-negligible burden on the developers.
>
> Jim> I don't believe that one bit, certainly not in the scenario
> Jim> that I described.
>
> I really have to disapprove of the way you consistently deprecate costs that others incur, while inflating those that you face.

You need to re-read what I've been writing.

-Jim P.
Re: [Mailman-Users] Weirdness
Lawrence Bowie wrote:

> OK .. Here is the reason it says ..
>
> Reason: Post by non-member to a members-only list
>
> but he is a member of the list. Are headers necessary for you guys to see?

Try unsub'ing and resub'ing him. Alternatively try logging into MM as admin and mod'ing and unmod'ing his address. I think the mod'ing was sufficient for my case, but I never did really check the logs to see if the user sub/unsub'ed himself.

-Jim P.