Re: [Mailman-Users] Non-members allowed to post!
On 3/8/2005 20:27, Larry Stone [EMAIL PROTECTED] wrote:

> On 3/8/05 8:45 PM, David Gibbs at [EMAIL PROTECTED] wrote:
>
>> Sorry if this is a dumb question ... but what header indicates the envelope sender?
>
> None. The envelope sender is the return address (MAIL FROM: command) in the dialogue between the upstream mail server and your mail server. Then, think of your mail server as being a very efficient clerk. It receives the mail, opens the envelope, puts what's in the envelope in your inbox, and throws away the envelope. Unfortunately by doing so, the envelope is no longer available to see. Just as the From: header in a message can be easily forged, so can the Envelope Sender.
>
> Some (but not all) mail servers will add a pseudo-header before the real header that shows the envelope sender or an additional header with it. I run Postfix and I see it adds both the pseudo-header first (a From line with no colon after From) plus a Return-Path: header which also has the envelope sender in it. Looking at my mailman archives, the pseudo-From is there but not the Return-Path: header.

The pseudo-From is part of the mbox file format in which the raw messages are accumulated for the archive. The blank line in front of one of them plus the From (no colon) line itself mark the start of a new message (so does beginning of file being a From (no colon) line). [That mechanism is rather fragile...and is the reason you sometimes see message lines start with >From rather than From in your mail stream...some overly protective programs don't like any F at the start of a line.]

Whether the MTA adds a Return-Path: (or other) header is configurable in most MTAs...I don't know how to set up Postfix to add it to messages sent to the Mailman input CGI.

One could configure most MTAs to reject mail from Gmane addressed to the list posting addresses (I also don't know how to do that with Postfix). That might violate one's agreement with Gmane (I've never seen the agreement).

--John (who doesn't manage any Postfix servers, only Exim)

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
Re: [Mailman-Users] Non-members allowed to post!
John W. Baxter wrote:

> Whether the MTA adds a Return-Path: (or other) header is configurable in most MTAs...I don't know how to set up Postfix to add it to messages sent to the Mailman input CGI.

It doesn't seem that it should be configurable. Quoting from RFC 2821, sec 4.4

    When the delivery SMTP server makes the final delivery of a message, it inserts a return-path line at the beginning of the mail data. This use of return-path is required; mail systems MUST support it. The return-path line preserves the information in the reverse-path from the MAIL command. Here, final delivery means the message has left the SMTP environment. Normally, this would mean it had been delivered to the destination user or an associated mail drop, but in some cases it may be further processed and transmitted by another mail system.

--
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Re: [Mailman-Users] Non-members allowed to post!
At 8:04 AM -0800 2005-03-09, John W. Baxter wrote:

> One could configure most MTAs to reject mail from Gmane addressed to the list posting addresses (I also don't know how to do that with Postfix).

That's easy. See http://www.postfix.org/SMTPD_ACCESS_README.html#global.

> That might violate one's agreement with Gmane (I've never seen the agreement).

Does any Mailman administrator have any agreement with Gmane, or is it just the users?

--
Brad Knowles, [EMAIL PROTECTED]

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755

SAGE member since 1995. See http://www.sage.org/ for more info.
Re: [Mailman-Users] Non-members allowed to post!
On 3/9/2005 8:29, Mark Sapiro [EMAIL PROTECTED] wrote:

> John W. Baxter wrote:
>
>> Whether the MTA adds a Return-Path: (or other) header is configurable in most MTAs...I don't know how to set up Postfix to add it to messages sent to the Mailman input CGI.
>
> It doesn't seem that it should be configurable. Quoting from RFC 2821, sec 4.4

My error...my mind slipped over to another header. Thank you for the correction.

--John
Re: [Mailman-Users] Non-members allowed to post!
On 3/9/2005 10:27, Brad Knowles [EMAIL PROTECTED] wrote:

>> That might violate one's agreement with Gmane (I've never seen the agreement).
>
> Does any Mailman administrator have any agreement with Gmane, or is it just the users?

If one has to take action to get a list into Gmane, then that individual presumably is agreeing to something. If the administrator running the MTA then frustrates that agreement, I wonder what the outcome is.

--John
Re: [Mailman-Users] Non-members allowed to post!
David Gibbs wrote:

> I did a bit more digging ... it seems that mail coming in from the GMane system is not being parsed correctly by Mailman.

Maybe, but maybe not.

> As a somewhat knee-jerk reaction, I turned on the moderation flag for all subscribers to stop the unauthorized posting. A few minutes ago I got a moderation notification that indicated that a message was being posted from '[EMAIL PROTECTED]'.
>
> As list administrator, your authorization is requested for the following mailing list posting:
>
>     List:    [EMAIL PROTECTED]
>     From:    [EMAIL PROTECTED]
>     Subject: Re: Making Triggers Resilient
>     Reason:  Post to moderated list
>
> The message, however, had not been submitted BY [EMAIL PROTECTED], it was submitted from a normal subscriber.
>
> Here's the headers from the message (somewhat scrubbed to protect privacy)...
>
> To: [EMAIL PROTECTED]
> From: Buck Calabro [EMAIL PROTECTED]
> Subject: Re: Making Triggers Resilient
> Date: Wed, 2 Mar 2005 14:43:43 -0500
> Lines: 16
> Message-ID: [EMAIL PROTECTED]
> X-Complaints-To: [EMAIL PROTECTED]
> X-Gmane-NNTP-Posting-Host: 209-23-60-152.tvc-ip.com
> X-MSMail-Priority: Normal
> X-Newsreader: Microsoft Outlook Express 5.50.4922.1500
> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4925.2800
> Sender: news [EMAIL PROTECTED]
> X-Gmane-MailScanner: Found to be clean
> X-Gmane-MailScanner: Found to be clean
> X-MailScanner-From: [EMAIL PROTECTED]
> X-MailScanner-To: [EMAIL PROTECTED]
>
> The only place that [EMAIL PROTECTED] shows up is in the 'X-MailScanner-From:' header. It appears that Mailman is picking up the 'From:' information from the wrong header.

How about the envelope sender? You can't tell from those headers what that was, but I'm guessing that it too is [EMAIL PROTECTED]

> Is this a problem with Gmane or Mailman?

I'd say it's probably Gmane doing this. I guess the first question is is [EMAIL PROTECTED] a list member and if so, why?

You might also check for USE_ENVELOPE_SENDER settings in mm_cfg.py. The default in Defaults.py should be USE_ENVELOPE_SENDER = No.

Also in Defaults.py, you should have SENDER_HEADERS = ('from', None, 'reply-to', 'sender'). If you remove any USE_ENVELOPE_SENDER = Yes from mm_cfg.py and put SENDER_HEADERS = ('from', 'reply-to', 'sender') into mm_cfg.py, then envelope sender won't be used at all. That might help.

--
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
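
Added example, not part of the original thread and not Mailman's own code: a simplified Python model of the sender matching discussed in the message above, where None in SENDER_HEADERS stands for the envelope sender. The addresses, member set and function names are constructed for illustration, and the rule that a post counts as a member post when any candidate address is subscribed is an assumption of this model.

```python
"""Simplified model of list sender matching; not Mailman's own code."""
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: the envelope sender (mbox "From " line) is the
# gateway's subscribed address; the From: header is the real author,
# who is not subscribed.
RAW = (
    "From gateway@news.example Wed Mar  2 14:43:43 2005\n"
    "From: Author <author@nonmember.example>\n"
    "Sender: news <gateway@news.example>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
MEMBERS = {"gateway@news.example", "alice@member.example"}  # constructed


def candidate_senders(msg, sender_headers):
    """Collect addresses in SENDER_HEADERS order; None = envelope sender."""
    found = []
    for name in sender_headers:
        if name is None:
            # The envelope sender survives only as the mbox "From " line.
            parts = (msg.get_unixfrom() or "").split()
            if len(parts) > 1:
                found.append(parts[1].lower())
        else:
            values = msg.get_all(name, [])
            found.extend(a.lower() for _, a in getaddresses(values) if a)
    return found


def matched_member(raw, sender_headers, members=MEMBERS):
    """Return the first candidate that is subscribed, or None.

    Assumption of this model: one subscribed candidate is enough for the
    post to be handled as a member post.
    """
    msg = message_from_string(raw)
    for addr in candidate_senders(msg, sender_headers):
        if addr in members:
            return addr
    return None


if __name__ == "__main__":
    for hdrs in [("from", None, "reply-to", "sender"),
                 ("from", "reply-to", "sender"),
                 ("from",)]:
        print(hdrs, "->", matched_member(RAW, hdrs))
```

In this model, dropping None from the tuple is not enough while a Sender: header still carries the subscribed gateway address; only the From:-only tuple treats the constructed post as a non-member post.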
Re: [Mailman-Users] Non-members allowed to post!
Mark Sapiro wrote:

> I'd say it's probably Gmane doing this. I guess the first question is is [EMAIL PROTECTED] a list member and if so, why?

I just happened to notice a link to http://gmane.org/ in the headers of another post and followed it. It seems that one of Gmane's purposes is to allow non members to post to lists via Gmane. Check it out.

--
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Re: [Mailman-Users] Non-members allowed to post!
Mark Sapiro wrote:

>> The only place that [EMAIL PROTECTED] shows up is in the 'X-MailScanner-From:' header. It appears that Mailman is picking up the 'From:' information from the wrong header.
>
> How about the envelope sender? You can't tell from those headers what that was, but I'm guessing that it too is [EMAIL PROTECTED]

Sorry if this is a dumb question ... but what header indicates the envelope sender? As far as I could tell from the headers I saw, the *ONLY* place that [EMAIL PROTECTED] showed up was in the X-MailScanner-From header.

> I'd say it's probably Gmane doing this. I guess the first question is is [EMAIL PROTECTED] a list member and if so, why?

Yes, [EMAIL PROTECTED] is a list member ... because that's how gmane receives list messages to process them into its news server.

> You might also check for USE_ENVELOPE_SENDER settings in mm_cfg.py. The default in Defaults.py should be USE_ENVELOPE_SENDER = No. Also in Defaults.py, you should have SENDER_HEADERS = ('from', None, 'reply-to', 'sender').

I actually changed that in my mm_cfg.py file after this problem started in hopes that it would help. The original value was No, I changed it to Yes. Now the messages are held because '[EMAIL PROTECTED]' is not a member of the list.

david
Re: [Mailman-Users] Non-members allowed to post!
On 3/8/05 8:45 PM, David Gibbs at [EMAIL PROTECTED] wrote:

> Sorry if this is a dumb question ... but what header indicates the envelope sender?

None. The envelope sender is the return address (MAIL FROM: command) in the dialogue between the upstream mail server and your mail server. Then, think of your mail server as being a very efficient clerk. It receives the mail, opens the envelope, puts what's in the envelope in your inbox, and throws away the envelope. Unfortunately by doing so, the envelope is no longer available to see. Just as the From: header in a message can be easily forged, so can the Envelope Sender.

Some (but not all) mail servers will add a pseudo-header before the real header that shows the envelope sender or an additional header with it. I run Postfix and I see it adds both the pseudo-header first (a From line with no colon after From) plus a Return-Path: header which also has the envelope sender in it. Looking at my mailman archives, the pseudo-From is there but not the Return-Path: header.

--
Larry Stone [EMAIL PROTECTED] http://www.stonejongleux.com/
Re: [Mailman-Users] Non-members allowed to post!
David Gibbs wrote:

> Yes, [EMAIL PROTECTED] is a list member ... because that's how gmane receives list messages to process them into its news server.

And as I gather from their web site, it's also how Gmane allows non list member Gmane users to post back to the list through Gmane.

Posts that come through Gmane to your list apparently are sent from Gmane with the SMTP command MAIL FROM [EMAIL PROTECTED] which makes that address the envelope sender and therefore, allows anyone to post to your list via Gmane according to their rules, not yours.

This appears to be the price you pay for archiving your list with Gmane.

--
Mark Sapiro [EMAIL PROTECTED]        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
[Mailman-Users] Non-members allowed to post!
Folks:

I have a serious problem here that I can't seem to figure out. I've been running Mailman for a very long time and have never seen this behavior before.

A person is posting messages via GMane, but they are not subscribed to the list. However, their messages are being allowed to post!

I have my list configured with ...

    generic_nonmember_action = hold
    accept_these_nonmembers = empty
    default_member_moderation = yes
    member_moderation_action = hold

As you can see from this post log entry, the posting was accepted ...

    Mar 02 09:26:10 2005 (28195) post to rpg400-l from [EMAIL PROTECTED], size=2570, message-id=[EMAIL PROTECTED], success

But '[EMAIL PROTECTED]' is not subscribed to any of my lists.

If I send a message from one of my own email addresses that isn't subscribed, it's held as it should be.

Any thoughts on how this can happen?

Thanks!

david

--
David Gibbs [EMAIL PROTECTED]

Receipt of this message does not grant you permission to send me Unsolicited Commercial Email