Re: [Mailman-Users] Spam Subscriptions

2018-06-03 Thread Mark Dale
> And what is the error in Mailman's error log.


GLOBAL_BAN_LIST = ['^[0-9a-z.]{6,}\+[0-9a-z]{4,}@gmail\.com$']

D'oh. My apologies. The error was not from the trailing '$' but 
from not having the quotes in place originally. All is now well 
(with the above).

Thanks,
Mark

2018/06/04 10:33:14 [error] 17956#17956: *4956 FastCGI sent in 
stderr: "[Mailman: low level unrecoverable exception]" while 
reading response header from upstream, client: 68.235.48.108, 
server: mailmanlists.sg, request: "GET /mailman/listinfo 
HTTP/1.1", upstream: 
"fastcgi://unix:///var/run/fcgiwrap.socket:", host: 
"www.mailmanlists.sg"
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] Spam Subscriptions

2018-06-03 Thread Mark Sapiro
On 06/03/2018 05:58 PM, Mark Dale wrote:
> 
> I can't see why either, but with the '$' left in place, the 
> Mailman Web UI displayed the error "Sorry, we hit a bug..."


And what is the error in Mailman's error log.

-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


Re: [Mailman-Users] Cascading lists

2018-06-03 Thread Mark Sapiro
On 06/02/2018 11:53 PM, Rubén Fernández Asensio wrote:
> Hello all,
> I'm a new list administrator and a bit lost among Mailman's many
> features. Could you please give some advice?
> I'm trying to implement an announcement list and an unmoderated
> discussion list, and having the second receive all mail sent to the
> first one. The announcement list will prevent everybody but a few
> addresses to post, and will attach a personalized footer to every post
> with a link to the subscriber's option page. The discussion list will
> attach its own generalized footer.


See this FAQ article for advice on setting up an announcement list
.


> In sum, I want a single place to manage permissions to send
> announcements to both lists. I don't care about duplicates, as I want
> people to actively unsubscribe from the announcement list if they've
> joined both by mistake. However, it would be nice if the announcements
> received by the discussion list wouldn't have any personalized footer.


OK.


> Also, I want subscribers of the discussion list to be able to send
> replies to the announcement into the discussion list itself, whereas
> subscribers of the announcement list will get their own 'Reply-to' heading.
> What's the best setup to achieve this? Umbrella lists, sibling lists, or
> something else?


There are pluses and minuses to both umbrella lists and sibling lists.
There are FAQs you should read if you haven't already. They are
 and .

I'm going to assume that neither list will have digest members. That
adds an additional complication.

Your choices are:

1) Add the discussion list address to regular_include_lists of the
announce list. If you do this everyone will get announcement list posts
from the announcement list. These will have the announcement list's
footer. The members of the discussion list who aren't members of the
announce list will get the post from the announce list. It appears that
you want to munge Reply-To: in some way on both lists (I'll refrain from
giving my opinion on this). Here, the message received by the discussion
list members who aren't announce list members will have the footer and
Reply-To: of the announce list. You probably don't want that.

2) Subscribe the discussion list to the announce list. This means
members of either list will receive the posts to the announce list from
their own list with its footer and Reply-To: and members of both lists
will receive the post from both lists. This seems more like what you
want, but there are two kinds of issues.

Issue #1 is acceptance of posts to the announce list by the discussion
list. This is discussed in the FAQ at .

Issue #2 is an Umbrella list is a list whose members are all other
lists. Lists with both individuals and one or more lists as members are
an in between configuration that isn't well supported. Your issue is
whether or not to set the announce list as an umbrella list. If you
don't, anyone can request a password reminder and it will be sent to the
entire discussion list. Because of this, you can set the announce list
umbrella_list to Yes. This, at least with default umbrella_member_suffix
will send these to the owner of the discussion list instead, but it also
means that individual members of the announce list can't get password
reminders or subscription confirmation requests.

-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


Re: [Mailman-Users] Spam Subscriptions

2018-06-03 Thread Grant Taylor via Mailman-Users

On 06/03/2018 04:11 PM, Mark Sapiro wrote:
> Ban list regexps are case insensitive.

Thank you for the clarification Mark.

> The fact that the ones I saw never had periods following the plus sign.

ACK



--
Grant. . . .
unix || die


Re: [Mailman-Users] Spam Subscriptions

2018-06-03 Thread Mark Dale
> >> ^[0-9a-z.]{8,}\+[0-9a-z]{4,}@gmail\.com$
> > 
> > I'm getting errors with the above however it seems to do the job 
> > if I enclose it in quotes and remove the trailing $ - like so:
> > 
> > GLOBAL_BAN_LIST = ['^[0-9a-z.]{6,}\+[0-9a-z]{4,}@gmail\.com']

-
 
> What you have done is correct. I don't know why you would have needed to
> remove the '$'. Did you get an error and if so, what?.

I can't see why either, but with the '$' left in place, the 
Mailman Web UI displayed the error "Sorry, we hit a bug..."

-

> Also, it doesn't matter in this case because \+ and \. are not
> meaningful string metacharacters, but it never hurts to define them as
> raw strings like, e.g.,

Understood. Thanks.
 
> GLOBAL_BAN_LIST = [r'^[0-9a-z.]{8,}\+[0-9a-z]{4,}@gmail\.com$']

The 'r' that precedes the first quote - is that correct?

-

Cheers.


Re: [Mailman-Users] Spam Subscriptions

2018-06-03 Thread Mark Sapiro
On 06/03/2018 04:28 PM, Mark Dale wrote:
> 
>> I use this regexp in the GLOBAL_BAN_LIST
>>
>> ^[0-9a-z.]{8,}\+[0-9a-z]{4,}@gmail\.com$
> 
> I'm getting errors with the above however it seems to do the job 
> if I enclose it in quotes and remove the trailing $ - like so:
> 
> GLOBAL_BAN_LIST = ['^[0-9a-z.]{6,}\+[0-9a-z]{4,}@gmail\.com']


What you have done is correct. I don't know why you would have needed to
remove the '$'. Did you get an error and if so, what?.

The regexp I gave was just intended to be an example regexp. The
BAN_LIST is actually a list of strings so regexps in the BAN_LIST have
to be quoted and enclosed in [] and comma separated if more than one.

Also, it doesn't matter in this case because \+ and \. are not
meaningful string metacharacters, but it never hurts to define them as
raw strings like, e.g.,

GLOBAL_BAN_LIST = [r'^[0-9a-z.]{8,}\+[0-9a-z]{4,}@gmail\.com$']

-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


Re: [Mailman-Users] Spam Subscriptions

2018-06-03 Thread Mark Dale


> I use this regexp in the GLOBAL_BAN_LIST
> 
> ^[0-9a-z.]{8,}\+[0-9a-z]{4,}@gmail\.com$

I'm getting errors with the above however it seems to do the job 
if I enclose it in quotes and remove the trailing $ - like so:

GLOBAL_BAN_LIST = ['^[0-9a-z.]{6,}\+[0-9a-z]{4,}@gmail\.com']

Am I missing something?

Cheers,
Mark


Re: [Mailman-Users] Fail2ban on the Mailman web interface

2018-06-03 Thread Mark Sapiro
On 06/03/2018 09:52 AM, Henrique Fagundes wrote:
> 
> My idea is that when the attacker / attacker incorrectly enters the
> password of the login field in the web interface, it is blocked. But for
> this to work, it is necessary for MailMan to report unsuccessful login
> attempts in its log.


Mailman reports all authentication failures to the web server with a 401
status. Here are some typical messages from the Apache access log.

45.24.217.241 - - [03/Jun/2018:15:41:23 -0700] "POST
/mailman/options/LISTNAME HTTP/1.1" 401 4532
"https://www.example.com/mailman/options/LISTNAME" "Mozilla/5.0 (X11;
Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"

45.24.217.241 - - [03/Jun/2018:15:40:46 -0700] "POST
/mailman/admindb/LISTNAME HTTP/1.1" 401 2715
"https://www.example.com/mailman/admindb/LISTNAME" "Mozilla/5.0 (X11;
Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"

You should be able to recognize those with fail2ban without any
modification to Mailman's logging.

-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
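
How the 401 lines in the message above can be turned into a ban decision, as an added example that is not part of the original message and is neither Mailman's nor fail2ban's own code. The admin and private paths, the maxretry/findtime values and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined-format line: a POST to a Mailman CGI answered with 401.
# options and admindb appear in the thread; admin and private are assumed.
FAILED_LOGIN = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /mailman/(?P<cgi>admin|admindb|options|private)/'
    r'(?P<list>[^ /"]+)\S* HTTP/[\d.]+" 401 ')


def failed_logins(lines):
    """Yield (host, timestamp, cgi, listname) for each failed Mailman login."""
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
            yield m.group('host'), ts, m.group('cgi'), m.group('list')


def hosts_to_ban(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return hosts with at least maxretry failures inside one findtime window."""
    by_host = defaultdict(list)
    for host, ts, _cgi, _listname in failed_logins(lines):
        by_host[host].append(ts)
    banned = []
    for host, stamps in by_host.items():
        stamps.sort()
        # Sliding window over the sorted failures of this host.
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= findtime:
                banned.append(host)
                break
    return sorted(banned)


UA = '"Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"'


def sample_line(host, ts, method, path, status, size):
    """Build one constructed access-log line in combined format."""
    return '%s - - [%s] "%s %s HTTP/1.1" %d %d "-" %s' % (
        host, ts, method, path, status, size, UA)


# Constructed sample log (documentation address ranges, not real clients).
SAMPLE_LOG = [
    sample_line('203.0.113.7', '03/Jun/2018:15:40:46 -0700', 'POST', '/mailman/admindb/LISTNAME', 401, 2715),
    sample_line('203.0.113.7', '03/Jun/2018:15:41:23 -0700', 'POST', '/mailman/options/LISTNAME', 401, 4532),
    sample_line('203.0.113.7', '03/Jun/2018:15:42:05 -0700', 'POST', '/mailman/admin/LISTNAME', 401, 2715),
    sample_line('198.51.100.20', '03/Jun/2018:15:43:00 -0700', 'POST', '/mailman/options/LISTNAME', 401, 4532),
    sample_line('198.51.100.20', '03/Jun/2018:15:43:30 -0700', 'POST', '/mailman/options/LISTNAME', 200, 9120),
    sample_line('192.0.2.55', '03/Jun/2018:09:00:00 -0700', 'POST', '/mailman/admin/LISTNAME', 401, 2715),
    sample_line('192.0.2.55', '03/Jun/2018:12:00:00 -0700', 'POST', '/mailman/admin/LISTNAME', 401, 2715),
    sample_line('192.0.2.55', '03/Jun/2018:15:00:00 -0700', 'POST', '/mailman/admin/LISTNAME', 401, 2715),
    sample_line('203.0.113.7', '03/Jun/2018:15:44:00 -0700', 'GET', '/mailman/listinfo', 200, 5000),
]

if __name__ == '__main__':
    for host in hosts_to_ban(SAMPLE_LOG):
        print('would ban', host)
```

The same pattern, with the host group replaced by fail2ban's <HOST> tag, is the kind of expression a fail2ban failregex for the access log would use.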


Re: [Mailman-Users] Spam Subscriptions

2018-06-03 Thread Mark Sapiro
On 06/03/2018 09:53 AM, Grant Taylor via Mailman-Users wrote:
> On 06/02/2018 09:29 PM, Mark Sapiro wrote:
>> I use this regexp in the GLOBAL_BAN_LIST
>>
>> ^[0-9a-z.]{8,}\+[0-9a-z]{4,}@gmail\.com$
> 
> Are you not looking for capital letters?


Ban list regexps are case insensitive.


> I can see how the period in the first class would work, but I don't see
> that in the second class.
> 
> What am I missing?


The fact that the ones I saw never had periods following the plus sign.

-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
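
What the ban-list entry discussed in this thread does and does not match, as an added example that is not part of any message here and is not Mailman's own code. It covers both the quoting and raw-string advice and the case-insensitivity and period answers above. It assumes entries beginning with '^' are regexps searched case-insensitively and other entries are literal addresses; the sample addresses are constructed.

```python
import re

# The entry from the thread: quoted, inside a list, written as a raw string.
GLOBAL_BAN_LIST = [r'^[0-9a-z.]{8,}\+[0-9a-z]{4,}@gmail\.com$']
# The looser variant also posted in the thread: {6,} and no trailing '$'.
LOOSE_BAN_LIST = [r'^[0-9a-z.]{6,}\+[0-9a-z]{4,}@gmail\.com']


def validate_ban_list(entries):
    """Return (entry, problem) pairs for entries that cannot work as written."""
    if isinstance(entries, str):
        # A bare string is not a list of patterns.
        return [(entries, 'must be a list of quoted strings')]
    problems = []
    for entry in entries:
        if not isinstance(entry, str):
            problems.append((repr(entry), 'entry is not a string'))
        elif entry.startswith('^'):
            try:
                re.compile(entry, re.IGNORECASE)
            except re.error as exc:
                problems.append((entry, 'invalid regexp: %s' % exc))
    return problems


def banned_by(address, entries):
    """Return the first entry matching address, or None.

    Assumed matching model: '^' entries are regexps searched with
    re.IGNORECASE; anything else is compared as a literal address.
    """
    for entry in entries:
        if entry.startswith('^'):
            if re.search(entry, address, re.IGNORECASE):
                return entry
        elif entry.lower() == address.lower():
            return entry
    return None


# Constructed sample addresses; none is taken from a real subscription.
SAMPLES = [
    'john.smith42+abcd1@gmail.com',              # the shape the pattern targets
    'John.Smith42+ABCD1@GMAIL.COM',              # same address in upper case
    'alice.b+news@gmail.com',                    # 7 characters before '+'
    'john.smith42+ab.cd@gmail.com',              # period after '+'
    'john.smith42@gmail.com',                    # no '+' part at all
    'john.smith42+abcd1@gmail.com.example.org',  # text after gmail.com
]


def classify(entries, samples=SAMPLES):
    """Map each sample address to True (banned) or False."""
    return {addr: banned_by(addr, entries) is not None for addr in samples}


if __name__ == '__main__':
    assert validate_ban_list(GLOBAL_BAN_LIST) == []
    for name, entries in (('strict', GLOBAL_BAN_LIST), ('loose', LOOSE_BAN_LIST)):
        for addr, hit in classify(entries).items():
            print('%-6s %-42s %s' % (name, addr, 'BANNED' if hit else 'ok'))
```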


Re: [Mailman-Users] Fail2ban on the Mailman web interface

2018-06-03 Thread Jim Popovitch via Mailman-Users
On June 3, 2018 5:44:17 PM UTC, Henrique Fagundes wrote:
>Dear,
>
>Where should I put this file?
>First I put it in "/ etc / mailman", and it did not work.
>

It's intended to be an example of modifications that can be made to Utils.py in 
order to get better logging.  If you look in the mischief log there should 
already be some errors related to failures.   I don't use fail2ban, but there 
should be examples in /etc/fail2ban/scripts.d (I think that's the dir) that you 
can modify to process /var/log/mailman/mischief.

-Jim P.


Re: [Mailman-Users] Fail2ban on the Mailman web interface

2018-06-03 Thread Henrique Fagundes

Dear,

Where should I put this file?
First I put it in "/ etc / mailman", and it did not work.

Then I tried to add the contents of it to the file 
"/usr/lib/mailman/Mailman/Utils.py" also did not work.


I use Mailman in version 2.1.23, installed in Debian 9 through "apt-get".

I'll be grateful if you can help.

Regards,

Henrique Fagundes
Linux Support Analyst
supo...@aprendendolinux.com
Skype: magnata-br-rj
Linux User: 475399

https://www.aprendendolinux.com
https://www.facebook.com/AprendendoLinux
https://youtube.com/AprendendoLinux
https://twitter.com/AprendendoLinux
https://telegram.me/AprendendoLinux
__
Join the Learning Linux Group
https://listas.aprendendolinux.com/listinfo/aprendendolinux

Or send an email to:
aprendendolinux-subscr...@listas.aprendendolinux.com

BRAZIL above everything, GOD above everyone!

On 03/06/2018 14:04, Jim Popovitch via Mailman-Users wrote:
> On Sun, 2018-06-03 at 13:52 -0300, Henrique Fagundes wrote:
>> Dear Colleagues,
>>
>> Good afternoon!
>>
>> I begin by apologizing for the fact that this text is difficult to
>> interpret because I am Brazilian and I do not have many English
>> language skills.
>>
>> I'm having a hard time using Fail2Ban along with MailMan mailing
>> list management software.
>>
>> My idea is that when the attacker / attacker incorrectly enters the
>> password of the login field in the web interface, it is blocked. But
>> for this to work, it is necessary for MailMan to report unsuccessful
>> login attempts in its log.
>>
>> I have already checked to see if there is a plugin or extension
>> (just like it exists for Wordpress and PHPMyAdmin), but it seems like
>> there is nothing developed for this.
>>
>> So I would like to know if anyone has ever had the need to do this
>> implementation, so I can have some way.
>>
>> If anyone can help me, I will be very grateful.
>
> Hello,
>
> I use the attached patch for Mailman/Utils.py to log the listname and
> remoteIP to the mischief log.
>
> Mark, if you think this should be in the regular release let me know
> and I'll submit a merge request.
>
> -Jim P.





Re: [Mailman-Users] Fail2ban on the Mailman web interface

2018-06-03 Thread Jim Popovitch via Mailman-Users
On Sun, 2018-06-03 at 13:52 -0300, Henrique Fagundes wrote:
> Dear Colleagues,
> 
> Good afternoon!
> 
> I begin by apologizing for the fact that this text is difficult to 
> interpret because I am Brazilian and I do not have many English
> language 
> skills.
> 
> I'm having a hard time using Fail2Ban along with MailMan mailing
> list 
> management software.
> 
> My idea is that when the attacker / attacker incorrectly enters the 
> password of the login field in the web interface, it is blocked. But
> for 
> this to work, it is necessary for MailMan to report unsuccessful
> login 
> attempts in its log.
> 
> I have already checked to see if there is a plugin or extension
> (just 
> like it exists for Wordpress and PHPMyAdmin), but it seems like there
> is 
> nothing developed for this.
> 
> So I would like to know if anyone has ever had the need to do this 
> implementation, so I can have some way.
> 
> If anyone can help me, I will be very grateful.

Hello,

I use the attached patch for Mailman/Utils.py to log the listname and
remoteIP to the mischief log.

Mark, if you think this should be in the regular release let me know
and I'll submit a merge request.

-Jim P.

=== modified file 'Mailman/Utils.py'
--- Mailman/Utils.py	2015-09-17 17:11:08 +
+++ Mailman/Utils.py	2015-10-20 13:36:09 +
@@ -104,7 +104,11 @@
 # But first ensure the list name doesn't contain a path traversal
 # attack.
 if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
-syslog('mischief', 'Hostile listname: %s', listname)
+remote = os.environ.get('HTTP_FORWARDED_FOR',
+ os.environ.get('HTTP_X_FORWARDED_FOR',
+ os.environ.get('REMOTE_ADDR',
+'unidentified origin')))
+syslog('mischief', 'Hostile listname: listname=%s remote=%s', listname, remote)
 return False
 basepath = Site.get_listpath(listname)
 for ext in ('.pck', '.pck.last', '.db', '.db.last'):
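
Review bot: the new remote value prefers HTTP_FORWARDED_FOR and HTTP_X_FORWARDED_FOR over REMOTE_ADDR, and both of those are taken from request headers that the client controls. If the mischief log is meant to feed fail2ban, a client can put any address in X-Forwarded-For and have that address logged (and banned) in place of its own. Suggest logging REMOTE_ADDR by default and consulting the forwarded headers only when REMOTE_ADDR is a known reverse proxy. Both listname and remote are also written with %s unmodified; since this branch only runs for a listname that failed the character check, consider formatting them with %r so an embedded newline cannot start a forged log line.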





Re: [Mailman-Users] Spam Subscriptions

2018-06-03 Thread Grant Taylor via Mailman-Users

On 06/02/2018 09:29 PM, Mark Sapiro wrote:
> I use this regexp in the GLOBAL_BAN_LIST
>
> ^[0-9a-z.]{8,}\+[0-9a-z]{4,}@gmail\.com$

Are you not looking for capital letters?

I can see how the period in the first class would work, but I don't see
that in the second class.

What am I missing?



--
Grant. . . .
unix || die


[Mailman-Users] Fail2ban on the Mailman web interface

2018-06-03 Thread Henrique Fagundes

Dear Colleagues,

Good afternoon!

I begin by apologizing for the fact that this text is difficult to 
interpret because I am Brazilian and I do not have many English language 
skills.


I'm having a hard time using Fail2Ban along with MailMan mailing list 
management software.


My idea is that when the attacker / attacker incorrectly enters the 
password of the login field in the web interface, it is blocked. But for 
this to work, it is necessary for MailMan to report unsuccessful login 
attempts in its log.


I have already checked to see if there is a plugin or extension (just 
like it exists for Wordpress and PHPMyAdmin), but it seems like there is 
nothing developed for this.


So I would like to know if anyone has ever had the need to do this 
implementation, so I can have some way.


If anyone can help me, I will be very grateful.

Regards,

Henrique Fagundes
Linux Support Analyst
supo...@aprendendolinux.com
Skype: magnata-br-rj
Linux User: 475399

https://www.aprendendolinux.com
https://www.facebook.com/AprendendoLinux
https://youtube.com/AprendendoLinux
https://twitter.com/AprendendoLinux
https://telegram.me/AprendendoLinux
__
Join the Learning Linux Group
https://listas.aprendendolinux.com/listinfo/aprendendolinux

Or send an email to:
aprendendolinux-subscr...@listas.aprendendolinux.com

BRAZIL above everything, GOD above everyone!



[Mailman-Users] Cascading lists

2018-06-03 Thread Rubén Fernández Asensio

Hello all,
I'm a new list administrator and a bit lost among Mailman's many 
features. Could you please give some advice?
I'm trying to implement an announcement list and an unmoderated 
discussion list, and having the second receive all mail sent to the 
first one. The announcement list will prevent everybody but a few 
addresses to post, and will attach a personalized footer to every post 
with a link to the subscriber's option page. The discussion list will 
attach its own generalized footer.
In sum, I want a single place to manage permissions to send 
announcements to both lists. I don't care about duplicates, as I want 
people to actively unsubscribe from the announcement list if they've 
joined both by mistake. However, it would be nice if the announcements 
received by the discussion list wouldn't have any personalized footer. 
Also, I want subscribers of the discussion list to be able to send 
replies to the announcement into the discussion list itself, whereas 
subscribers of the announcement list will get their own 'Reply-to' heading.
What's the best setup to achieve this? Umbrella lists, sibling lists, or 
something else?


Thanks in advance,
Rubén Fernández