Re: [Mailman-Users] Approved: password header!
On 8/6/09 9:08 PM, Mark Sapiro m...@msapiro.net wrote:

Thus, the idea of allowing [Approved: password] in the subject header and removing only that text from the subject has appeal because it doesn't depend on any characteristics of the message body.

Won't work in an environment in which the message arrives with a DKIM signature including the Subject: header and when enforces valid DKIM headers inbound. (Or for a list going to outside subscribers, if any of them insist on DKIM validation.)

Of course, it's very unlikely that approved header as first line of first text part works in that environment either. But Mailman already (by common configuration) munges Subject: headers.

When Office 2010 public beta arrives (or before if someone here has earlier access) it would be nice to check whether Outlook 2010 has learned a rational way to add custom headers.

--John

--
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9
Re: [Mailman-Users] Approved: password header!
On Aug 7, 2009, at 12:08 AM, Mark Sapiro wrote:

The idea is to require the square brackets so a mere approved: in the subject (such as this message) doesn't trigger a match. We only match if we find Approve: or Approved: followed by a single word inside the square brackets and then we remove the brackets and their contents.

As a comparison, Launchpad's code review process allows for commands in the body of the message. It looks for specific commands prepended by a space. I don't particularly like that approach though because the space can be hard to see.

Wrapping the Approve pseudo-header in brackets might be okay, though ideally, I think Mailman should maintain a set of OpenPGP public keys and do approval matching based on that. Yes, I know that signing messages is problematic for a lot of people, but it would certainly be less ambiguous on Mailman's side.

I think anytime Mailman has to go trolling inside the body of the message, we're in trouble.

-Barry
Re: [Mailman-Users] Approved: password header!
Barry Warsaw ba...@python.org wrote:

As a comparison, Launchpad's code review process allows for commands in the body of the message. It looks for specific commands prepended by a space. I don't particularly like that approach though because the space can be hard to see.

Would it find a command that is at the beginning of a line (and thus not preceded by a space)?

--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory
9700 South Cass Avenue
Building 222, Room D209
Argonne, IL 60439-4828
Phone: +1 (630) 252-7277
Facsimile: +1 (630) 252-4601
Internet: bsfin...@anl.gov
IBMMAIL: I1004994
Re: [Mailman-Users] Approved: password header!
WOWZERS.. I never knew I'd result in such a big fuss..

well I'm sorry I didn't quite understand, what should I do with this file you sent me (approve.patch.txt) ?? where should I put it and what to name it and what to do with its permissions n stuff?

I'm sorry I'm still zero in this stuff..

Thanks ..

Date: Thu, 6 Aug 2009 13:59:49 -0700
From: m...@msapiro.net
To: khillo...@hotmail.com; mailman-users@python.org
Subject: Re: [Mailman-Users] Approved: password header!

Khalil Abbas wrote:

my suggestion is, before I had the honor to use outlook I had Smartermail .. they have a cool feature of approving messages with passwords is to use it in the subject line itself :

[password: PASSWORD] Subject bla bla bla..

then it removes the password part of course .. why don't you guys do the same? it sure beats adding a custom header and stuff .. because in html messages it's really hard to do that !!

We do. Just not in the subject. As long as the incoming message has a text/plain part (i.e. is either a text/plain message or a multipart/alternative message with a text/plain alternative), we recognize and delete Approved: password if it is the first non-blank line of the body. We also attempt to delete the line from any other body parts in which it appears, but in pathological cases, this may fail, so test first.

If your clients insist on posting HTML only messages and can't add an actual Approved: header to the message, then you can try patching Mailman/Handlers/Approve.py to recognize [Approved: password] in the Subject: header. The attached Approve.patch.txt file contains a patch that might do it.

I'll consider this as a feature for Mailman 2.2

--
Mark Sapiro m...@msapiro.net
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
Re: [Mailman-Users] Approved: password header!
Khalil Abbas wrote:

well I'm sorry I didn't quite understand, what should I do with this file you sent me (approve.patch.txt) ?? where should I put it and what to name it and what to do with its permissions n stuff?

I probably shouldn't tell you because if you don't know how to apply a patch, you probably shouldn't do it, but

1) make a backup copy of Mailman/Handlers/Approve.py

2) give the command

patch /path/to/Mailman/Handlers/Approve.py approve.patch.txt

3) restart Mailman

4) If any problems result, restore Mailman/Handlers/Approve.py from your backup and restart Mailman

--
Mark Sapiro m...@msapiro.net
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
Re: [Mailman-Users] Approved: password header!
On Aug 7, 2009, at 10:59 AM, Barry Finkel wrote:

Barry Warsaw ba...@python.org wrote:

As a comparison, Launchpad's code review process allows for commands in the body of the message. It looks for specific commands prepended by a space. I don't particularly like that approach though because the space can be hard to see.

Would it find a command that is at the beginning of a line (and thus not preceded by a space)?

Sorry, my explanation was incomplete. Launchpad code review commands must begin at the start of the line, with a preceding space, e.g.

 review approve
 status approve

I think command messages must also be signed. Also, there are only a limited number of email commands available. In MM3, I plan on allowing for extensions via a pluggable architecture.

-Barry
[Mailman-Users] Approved: password header!
Dear Mailman admins,

I have a suggestion for you ..

I'm running 42 lists for my clients, I let them use microsoft outlook to send their newsletters to their customers and I do the management part .. since someone hacked into one of my lists and started posting to it using the moderator's email address (I posted a message about this before) and you suggested the : 'Approved: Password' header and I searched all over to see how to add a custom header to the damn outlook in vain .. so every day have to approve messages for my clients which is a real pain in the act!

my suggestion is, before I had the honor to use outlook I had Smartermail .. they have a cool feature of approving messages with passwords is to use it in the subject line itself :

[password: PASSWORD] Subject bla bla bla..

then it removes the password part of course .. why don't you guys do the same? it sure beats adding a custom header and stuff .. because in html messages it's really hard to do that !!

Thanks ..
Re: [Mailman-Users] Approved: password header!
Khalil Abbas wrote:

my suggestion is, before I had the honor to use outlook I had Smartermail .. they have a cool feature of approving messages with passwords is to use it in the subject line itself :

[password: PASSWORD] Subject bla bla bla..

then it removes the password part of course .. why don't you guys do the same? it sure beats adding a custom header and stuff .. because in html messages it's really hard to do that !!

We do. Just not in the subject. As long as the incoming message has a text/plain part (i.e. is either a text/plain message or a multipart/alternative message with a text/plain alternative), we recognize and delete Approved: password if it is the first non-blank line of the body. We also attempt to delete the line from any other body parts in which it appears, but in pathological cases, this may fail, so test first.

If your clients insist on posting HTML only messages and can't add an actual Approved: header to the message, then you can try patching Mailman/Handlers/Approve.py to recognize [Approved: password] in the Subject: header. The attached Approve.patch.txt file contains a patch that might do it.

I'll consider this as a feature for Mailman 2.2

--
Mark Sapiro m...@msapiro.net
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan

--- Approve.py 2009-08-01 16:54:01.561348900 -0700 +++ Approvex.py 2009-08-06 13:33:24.0 -0700 @@ -25,8 +25,10 @@ import re +from email.Header import Header from email.Iterators import typed_subpart_iterator +from Mailman import Utils from Mailman import mm_cfg from Mailman import Errors @@ -38,6 +40,7 @@ False = 0 NL = '\n' +PWDRE = re.compile(r'\[Approved?:\s*([^\]\s]+)\s*\]', re.IGNORECASE)
@@ -57,6 +60,23 @@ missing = [] passwd = msg.get('approved', msg.get('approve', missing)) if passwd is missing: +# Try the Subject header first +subj = Utils.oneline(msg.get('subject'), 'utf-8') +if subj: +mo = PWDRE.search(subj) +if mo: +passwd = mo.group(1) +del msg['subject'] +subj = PWDRE.sub('', subj) +try: +# Is the subject ascii? +unicode(subj, 'us-ascii') +except UnicodeError: +# It's not, encode it +msg['Subject'] = Header(subj, 'utf-8') +else: +msg['Subject'] = subj +if passwd is missing: # Find the first text/plain part in the message part = None stripped = False
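
Review bot: the PWDRE pattern added in the second hunk (@@ -38,6 +40,7 @@) has no comment and silently restricts what a password can be: the group ([^\]\s]+) stops at the first whitespace or ']', so a list password containing either character can never match through the Subject: route. A comment above the definition saying so, and noting that the match is unanchored (the tag is accepted anywhere in the subject, case-insensitively, as Approve: or Approved:), would save the next reader from working it out from the regex.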
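
Review bot: in the third hunk (@@ -57,6 +60,23 @@) the Subject: tag is looked for, and stripped, only under "if passwd is missing:", and the body scan that follows now sits behind a second "if passwd is missing:". As far as the flattened context shows, a post that carries a real Approved: header plus a [Approved: password] subject tag keeps the tag in its Subject:, and a post approved through the subject keeps any Approved: line in its body, so in both cases the password would be left in the message. Consider applying PWDRE.sub('', subj) to the subject regardless of where the password came from, and keeping the body stripping outside the guard. Two smaller points in the same hunk: msg.get('subject') reaches Utils.oneline as None when there is no Subject: header, before the "if subj:" check, so msg.get('subject', '') would be safer; and PWDRE.sub('', subj) leaves the whitespace that surrounded the tag, which a strip() before reassigning the header would tidy.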
Re: [Mailman-Users] Approved: password header!
Mark Sapiro writes:

If your clients insist on posting HTML only messages and can't add an actual Approved: header to the message, then you can try patching Mailman/Handlers/Approve.py to recognize [Approved: password] in the Subject: header. The attached Approve.patch.txt file contains a patch that might do it.

I'll consider this as a feature for Mailman 2.2

I think this is unwise. The subject header is read by everybody, and you can't just delete it, so you have to munge it. More complexity. It's not so hard to add an Approved pseudo-header.
Re: [Mailman-Users] Approved: password header!
on 8/6/09 9:14 PM, Stephen J. Turnbull said:

I'll consider this as a feature for Mailman 2.2

I think this is unwise. The subject header is read by everybody, and you can't just delete it, so you have to munge it. More complexity. It's not so hard to add an Approved pseudo-header.

Some people really, really don't know what their software can do, and can't be taught how to make use of advanced features. Others may be able to learn how to use advanced features, but they are forced to use software that is locked down into a configuration that they can't change.

So, the question becomes this -- at what point do you stop bending over backwards to try to make seriously broken MUAs (or seriously un-savvy MUA users) be able to have some sort of minimal functionality, and at what point do you decide that it's too much work or opens too large of a security hole?

That's not a question I can answer.

--
Brad Knowles b...@shub-internet.org
LinkedIn Profile: http://tinyurl.com/y8kpxu
Re: [Mailman-Users] Approved: password header!
Brad Knowles wrote:

on 8/6/09 9:14 PM, Stephen J. Turnbull said:

I'll consider this as a feature for Mailman 2.2

I think this is unwise. The subject header is read by everybody, and you can't just delete it, so you have to munge it. More complexity. It's not so hard to add an Approved pseudo-header.

Some people really, really don't know what their software can do, and can't be taught how to make use of advanced features. Others may be able to learn how to use advanced features, but they are forced to use software that is locked down into a configuration that they can't change.

So, the question becomes this -- at what point do you stop bending over backwards to try to make seriously broken MUAs (or seriously un-savvy MUA users) be able to have some sort of minimal functionality, and at what point do you decide that it's too much work or opens too large of a security hole?

That's not a question I can answer.

But it is a good question, and I'm not sure I know the answer either.

I know from experience with users, that it isn't always easy or obvious how to get MS Outlook/Exchange to even send a multipart/alternative message instead of just text/html. In that case, an Approved: pseudo header won't be found because it is only looked for in the first text/plain part of the message. Even when it is found, its removal from other 'fancy' parts of a multipart/alternative part is on a 'best effort' basis and isn't guaranteed.

And then there's the issue of corporate mail environments that wrap messages in disclaimers possibly adding an initial text/plain part preceding the part with the pseudo header, thus hiding it from our search.

Thus, the idea of allowing [Approved: password] in the subject header and removing only that text from the subject has appeal because it doesn't depend on any characteristics of the message body.

The idea is to require the square brackets so a mere approved: in the subject (such as this message) doesn't trigger a match. We only match if we find Approve: or Approved: followed by a single word inside the square brackets and then we remove the brackets and their contents. The patch which I attached to my earlier reply does this and also deals with RFC2047 encoded subjects and encodes the result as utf-8 if and only if it contains non-ascii.

I'm not completely comfortable with this approach, but neither am I completely comfortable with the pseudo header in the body of a multipart/alternative message. I always recommend a true Approved: header for this purpose, but I've googled more than once trying to find how to do this with Outlook, and I haven't found a straightforward way to do it.

--
Mark Sapiro m...@msapiro.net
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
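
The subject-tag matching described in the message above, written for Python 3 as an added example; it is not the patch from this thread and not Mailman's own code. The function names, the sample messages and the whitespace tidy-up are assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.header import Header, decode_header, make_header

# Same pattern as the patch in this thread: a bracketed Approve:/Approved:
# followed by a single word (no whitespace, no ']').
PWDRE = re.compile(r'\[Approved?:\s*([^\]\s]+)\s*\]', re.IGNORECASE)

def extract_subject_password(msg):
    """Return the password from a [Approved: pw] Subject tag, or None."""
    raw = msg.get('Subject')
    if raw is None:
        return None
    # Decode RFC 2047 encoded-words so a tag inside an encoded subject is seen.
    subj = str(make_header(decode_header(raw)))
    mo = PWDRE.search(subj)
    if mo is None:
        return None
    # Remove every tag, then collapse leftover whitespace (the tidy-up is an
    # addition of this example, not something the thread's patch does).
    cleaned = ' '.join(PWDRE.sub('', subj).split())
    del msg['Subject']
    try:
        cleaned.encode('us-ascii')
        msg['Subject'] = cleaned                    # plain ASCII: store as is
    except UnicodeEncodeError:
        msg['Subject'] = Header(cleaned, 'utf-8')   # non-ASCII: encode as utf-8
    return mo.group(1)

# Constructed sample messages (not taken from any real list).
SAMPLES = [
    'Subject: [Approved: s3cret] August newsletter\n\nbody\n',
    # This thread's own subject: a bare "Approved:" must not match.
    'Subject: Re: [Mailman-Users] Approved: password header!\n\nbody\n',
    # RFC 2047 encoded form of "[Approved: s3cret] Café menu".
    'Subject: =?utf-8?q?=5BApproved=3A_s3cret=5D_Caf=C3=A9_menu?=\n\nbody\n',
]

def run_samples():
    """Return (password, decoded subject after stripping) for each sample."""
    out = []
    for text in SAMPLES:
        msg = message_from_string(text)
        pw = extract_subject_password(msg)
        out.append((pw, str(make_header(decode_header(msg['Subject'])))))
    return out

if __name__ == '__main__':
    for pw, subject in run_samples():
        print(repr(pw), repr(subject))
```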