Re: [Mailman-Users] Hello List
Hi, You're right in that I did forget the Approved: approach, as I didn't iknow about it until recently. Howver, thinking about it further, there's one thing I don't like about it. It's OK if the people posting are list admins or moderators, but if you have othwers who should be able to post to the list, you don't necessarily want to give them all the admin or moderator password. An additional password for this purpose would perhaps be called for here, one that's only used to allow posts through without granting any other access. Geoff. - Original Message - From: Mark Sapiro m...@msapiro.net To: Geoff Shang ge...@quitelikely.com; Mailman-Users@python.org Sent: Wednesday, 16 December, 2009 8:22 PM Subject: Re: [Mailman-Users] Hello List Geoff Shang wrote: And of course unmoderate the list admin and anyone else you want to be able to post. This is not good advice. Everyone should be moderated and posters should use an Approved: password header to post. Otherwise, it's too easy for an unauthorized poster to spoof an authorized address. Spammers even do it accidently. You should also probably set the list to reject posts from moderated members, otherwise you'll need to manually process posts from anyone who tries to post. Yes. This is all covered in the FAQ at http://wiki.list.org/x/3YA9. -- Mark Sapiro m...@msapiro.netThe highway is for gamblers, San Francisco Bay Area, Californiabetter use your sense - B. Dylan __ Information from ESET NOD32 Antivirus, version of virus signature database 4699 (20091218) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __ Information from ESET NOD32 Antivirus, version of virus signature database 4699 (20091218) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Hello List
On Fri, 2009-12-18 at 18:17 +0200, Geoff Shang wrote: Howver, thinking about it further, there's one thing I don't like about it. It's OK if the people posting are list admins or moderators, but if you have othwers who should be able to post to the list, you don't necessarily want to give them all the admin or moderator password. An additional password for this purpose would perhaps be called for here, one that's only used to allow posts through without granting any other access. Is there some reason that you, as admin, can't just un-set their moderation flag? -- Lindsay Haisley |Fighting against human | PGP public key FMP Computer Services | creativity is like | available at 512-259-1190 | trying to eradicate |http://pubkeys.fmp.com http://www.fmp.com| dandelions | | (Pamela Jones) | -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Hello List
Hi, Yes I can clear their moderation flag, and in fact this is what I first suggested, but my message was in response to a message from Mark who was putting forward the position that this was a bad idea and that it's better to post using the Approved: header instead. Geoff. - Original Message - From: Lindsay Haisley fmo...@fmp.com To: mailman-users@python.org Sent: Friday, 18 December, 2009 6:22 PM Subject: Re: [Mailman-Users] Hello List On Fri, 2009-12-18 at 18:17 +0200, Geoff Shang wrote: Howver, thinking about it further, there's one thing I don't like about it. It's OK if the people posting are list admins or moderators, but if you have othwers who should be able to post to the list, you don't necessarily want to give them all the admin or moderator password. An additional password for this purpose would perhaps be called for here, one that's only used to allow posts through without granting any other access. Is there some reason that you, as admin, can't just un-set their moderation flag? -- Lindsay Haisley |Fighting against human | PGP public key FMP Computer Services | creativity is like | available at 512-259-1190 | trying to eradicate |http://pubkeys.fmp.com http://www.fmp.com| dandelions | | (Pamela Jones) | -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/geoff%40quitelikely.com __ Information from ESET NOD32 Antivirus, version of virus signature database 4699 (20091218) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __ Information from ESET NOD32 Antivirus, version of virus signature database 4699 (20091218) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Hello List
On Fri, 2009-12-18 at 18:34 +0200, Geoff Shang wrote: Yes I can clear their moderation flag, and in fact this is what I first suggested, but my message was in response to a message from Mark who was putting forward the position that this was a bad idea and that it's better to post using the Approved: header instead. I don't entirely agree with Mark on this. I generally offer my customers the option of using either mechanism, with the caveat that using the mod flag is potentially less secure. You have two moderation passwords, one for administrators and one for moderators. Either will work in an Approved header or pseudo- header. If you don't designate any moderators, then only the administrator password is effective. There's no reason you couldn't designate a group of moderators and give them the password, and then change it administratively if their service is no longer needed. -- Lindsay Haisley | Never expect the people who caused a problem FMP Computer Services | to solve it. - Albert Einstein 512-259-1190 | http://www.fmp.com| -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Hello List
On Fri, 2009-12-18 at 18:34 +0200, Geoff Shang wrote: Yes I can clear their moderation flag, and in fact this is what I first suggested, but my message was in response to a message from Mark who was putting forward the position that this was a bad idea and that it's better to post using the Approved: header instead. I don't entirely agree with Mark on this. I generally offer my customers the option of using either mechanism, with the caveat that using the mod flag is potentially less secure. You have two moderation passwords, one for administrators and one for moderators. Either will work in an Approved header or pseudo- header. If you don't designate any moderators, then only the administrator password is effective. There's no reason you couldn't designate a group of moderators and give them the password, and then change it administratively if their service is no longer needed. -- Lindsay Haisley | Never expect the people who caused a problem FMP Computer Services | to solve it. - Albert Einstein 512-259-1190 | http://www.fmp.com| -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Hello List
Lindsay Haisley wrote: On Fri, 2009-12-18 at 18:34 +0200, Geoff Shang wrote: Yes I can clear their moderation flag, and in fact this is what I first suggested, but my message was in response to a message from Mark who was putting forward the position that this was a bad idea and that it's better to post using the Approved: header instead. I don't entirely agree with Mark on this. I generally offer my customers the option of using either mechanism, with the caveat that using the mod flag is potentially less secure. FWIW, I was recommending the Approved: password approach in the context of a reply where the OP said I only want the list administrator to be able to post messages to the list. I agree that in the case where you have authorized posters who are not necessarily admins or moderators that controlling posting by unmoderating posters and/or accept_these_nonmembers is appropriate although still subject to spoofing. It all depends on the list. You have two moderation passwords, one for administrators and one for moderators. Either will work in an Approved header or pseudo- header. If you don't designate any moderators, then only the administrator password is effective. There's no reason you couldn't designate a group of moderators and give them the password, and then change it administratively if their service is no longer needed. Just to be clear, the presence or absence of an email address in the owner or moderator attributes of a list has nothing to do with who can do what. It only controls where notices are sent and what appears in web page footers. It is quite possible to set a moderator password without adding any addresses to 'moderator', and anyone who knows that password can post an Approved: or Urgent: message and log in to the admindb page. See the FAQ at http://wiki.list.org/x/5YA9. -- Mark Sapiro m...@msapiro.netThe highway is for gamblers, San Francisco Bay Area, Californiabetter use your sense - B. Dylan -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Hello List
On Fri, 2009-12-18 at 11:00 -0800, Mark Sapiro wrote: Just to be clear, the presence or absence of an email address in the owner or moderator attributes of a list has nothing to do with who can do what. It only controls where notices are sent and what appears in web page footers. It is quite possible to set a moderator password without adding any addresses to 'moderator', and anyone who knows that password can post an Approved: or Urgent: message and log in to the admindb page. I'm aware of this, but it does bring up another question, which, in my own cowardly way, I was trying to avoid dealing with ;-/ I assume that if one sets up a new list and doesn't set a moderator password, then only the administrator can use an Approved: [pseudo]header and there's no default moderator password. If one sets up a moderator password then either will work. I (naively) assumed that deleting all moderator email addresses _might_ thereby render the moderator password ineffective, but in my guts, I knew it probably wasn't so. Is there any way to nullify the moderator password altogether? Does submitting the passwords page with an empty field for the mod pw accomplish this? -- Lindsay Haisley | The difference between | PGP public key FMP Computer Services | a duck is because one | available at 512-259-1190 | leg is both the same | http://pubkeys.fmp.com http://www.fmp.com| - Anonymous | -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Hello List
On Fri, 2009-12-18 at 11:00 -0800, Mark Sapiro wrote: Just to be clear, the presence or absence of an email address in the owner or moderator attributes of a list has nothing to do with who can do what. It only controls where notices are sent and what appears in web page footers. It is quite possible to set a moderator password without adding any addresses to 'moderator', and anyone who knows that password can post an Approved: or Urgent: message and log in to the admindb page. I'm aware of this, but it does bring up another question, which, in my own cowardly way, I was trying to avoid dealing with ;-/ I assume that if one sets up a new list and doesn't set a moderator password, then only the administrator can use an Approved: [pseudo]header and there's no default moderator password. If one sets up a moderator password then either will work. I (naively) assumed that deleting all moderator email addresses _might_ thereby render the moderator password ineffective, but in my guts, I knew it probably wasn't so. Is there any way to nullify the moderator password altogether? Does submitting the passwords page with an empty field for the mod pw accomplish this? -- Lindsay Haisley | The difference between | PGP public key FMP Computer Services | a duck is because one | available at 512-259-1190 | leg is both the same | http://pubkeys.fmp.com http://www.fmp.com| - Anonymous | -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Hello List
Lindsay Haisley wrote: Is there any way to nullify the moderator password altogether? Does submitting the passwords page with an empty field for the mod pw accomplish this? You can't remove a moderator password through the GUI. You could always enter some obscure string that you will immediately forget, and that's probably as good, but if you really want to remove it, you have to set mod_password = None via bin/withlist or bin/config_list. -- Mark Sapiro m...@msapiro.netThe highway is for gamblers, San Francisco Bay Area, Californiabetter use your sense - B. Dylan -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
[Mailman-Users] Hello List
Here's my first post to this list :) I'm setting up a mailing list and I only want the list administrator to be able to post messages to the list, can this be set as some kind of default setting? Thanks Wayne -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Hello List
On Tue, Dec 15, 2009 at 08:11:22PM -0600, Wayne Cook wrote: Here's my first post to this list :) I'm setting up a mailing list and I only want the list administrator to be able to post messages to the list, can this be set as some kind of default setting? http://wiki.list.org/x/3YA9 (searching for announcement gave that as the first result) -- I only can properly enjoy carol services if I am having an illicit affair with someone in the congregation. Why is this? Perhaps because they are essentially pagan, not Christian, celebrations. (Alan Clark's 'Diaries') -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Hello List
Wayne Cook wrote: I'm setting up a mailing list and I only want the list administrator to be able to post messages to the list, can this be set as some kind of default setting? See the FAQ at http://wiki.list.org/x/3YA9 for how to set this up. If you want this to be the default for newly created lists, some of these settings can be made defaults in the site's mm_cfg.py. See Defaults.py for the descriptions of the available settings. -- Mark Sapiro m...@msapiro.netThe highway is for gamblers, San Francisco Bay Area, Californiabetter use your sense - B. Dylan -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Hello List
Wayne Cook wc...@mycoachonline.com wrote: Here's my first post to this list :) I'm setting up a mailing list and I only want the list administrator to be able to post messages to the list, can this be set as some kind of default setting? Thanks Wayne Change the list configuration so that all subscribers are moderated. And then set each current subscriber to moderated via one click on the membership admin web page. -- Barry S. Finkel Computing and Information Systems Division Argonne National Laboratory Phone:+1 (630) 252-7277 9700 South Cass Avenue Facsimile:+1 (630) 252-4601 Building 240, Room 5.B.8 Internet: bsfin...@anl.gov Argonne, IL 60439-4828 IBMMAIL: I1004994 -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Hello List
On Wed, 16 Dec 2009, Barry Finkel wrote: I'm setting up a mailing list and I only want the list administrator to be able to post messages to the list, can this be set as some kind of default setting? Change the list configuration so that all subscribers are moderated. And then set each current subscriber to moderated via one click on the membership admin web page. And of course unmoderate the list admin and anyone else you want to be able to post. You should also probably set the list to reject posts from moderated members, otherwise you'll need to manually process posts from anyone who tries to post. Geoff. -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Hello List
Geoff Shang wrote: And of course unmoderate the list admin and anyone else you want to be able to post. This is not good advice. Everyone should be moderated and posters should use an Approved: password header to post. Otherwise, it's too easy for an unauthorized poster to spoof an authorized address. Spammers even do it accidently. You should also probably set the list to reject posts from moderated members, otherwise you'll need to manually process posts from anyone who tries to post. Yes. This is all covered in the FAQ at http://wiki.list.org/x/3YA9. -- Mark Sapiro m...@msapiro.netThe highway is for gamblers, San Francisco Bay Area, Californiabetter use your sense - B. Dylan -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org