Re: [Mailman-Users] approval password linked to sender rather than list?

[Brad Knowles]

At 5:59 PM +0100 2006-05-15, David Lee wrote:

>>  I'm not convinced that having per-user approval passwords would
>>  help the moderators act in a more consistent manner, but it certainly
>>  wouldn't hurt.
>
>  Hm?  The idea is that the genuine sender should be able to avoid
>  moderation in the first place.

That's not what I was referring to.  I was referring to the 
things that would wind up in the moderator queue (potentially due to 
lack of appropriate password), and how those might be handled in an 
inconsistent manner.


Whether it's a per-sender approval password or a per-list 
approval password, once you're past the automated system and your 
post is approved, then the moderators aren't going to see or touch it.

However, while I see some advantages to allowing this route as an 
optional alternative, I think the bigger problem is the inconsistency 
in the way the moderators will tend to handle the stuff that gets 
dumped into their queue.

Unfortunately, I'm not sure there's much you can do to try to 
solve that part of the problem.  ;)

>  As an aside, is there a way to do "Approved:" as a header (rather than as
>  first line of message-body) if the client is Outlook?  OWA?

I'm not familiar with those clients.  Others on the list might be 
more familiar with them, but you might also want to see if there are 
other mailing lists, forums, FAQs, etc... that would be oriented 
towards the specific clients you're interested in.

>  The big question is: which version should we base it on?

Start with the latest current version -- 2.1.8.  If the feature 
is going to be incorporated into a future version then Tokio, Mark, 
or Barry can do any necessary work that might be required to bring it 
into whatever version they're working on.

But I would strongly encourage you to make sure you follow the 
same style and programming methods, so that the amount of work needed 
to integrate your suggested feature would be minimized.

>We would be
>  looking to put into into local production (assuming we did it) fairly
>  soon, but also be looking to get it incorporated into future versions.

Understood.

>  So Mm 2.1.x?  2.2.x?  How different are those two versions?  (I'm assuming
>  not 3.x because that seems to be some way off yet.)

I think 2.2.x is still in fairly formative stages right now, and 
anything that would be required to bring the code up from the 2.1.8 
baseline to 2.2.x should be something that Tokio, Mark, or Barry can 
do as needed.

-- 
Brad Knowles, <[EMAIL PROTECTED]>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

 -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
 Assembly to the Governor, November 11, 1755

  LOPSA member since December 2005.  See .
--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp

Re: [Mailman-Users] approval password linked to sender rather than list?

[David Lee]

On Mon, 15 May 2006, Brad Knowles wrote:

> At 10:01 AM +0100 2006-05-15, David Lee wrote:
>
> >Is there a facility, or
> >  plans for such, for each permitted sender to have (optionally) their own
> >  password, useable across many lists?
>
>   This is a very good question.  I'm glad you brought it to this list.
>
>
>   I'm pretty sure that there is no facility in Mailman today to
> achieve what you're looking for.  I see no problem with the concept,
> but I will let others answer the technical issues of how it might be
> done, etc

Glad it seems reasonable.  Thanks.


>   If you haven't done so already, I would encourage you to file
> this as a Request For Enhancement on the Mailman SourceForge page at
> .

Thanks.  Done.


>   I'm not convinced that having per-user approval passwords would
> help the moderators act in a more consistent manner, but it certainly
> wouldn't hurt.

Hm?  The idea is that the genuine sender should be able to avoid
moderation in the first place.

As an aside, is there a way to do "Approved:" as a header (rather than as
first line of message-body) if the client is Outlook?  OWA?


>
> >  What are the drawbacks (those that would have
> >  significantly worse problems/weaknesses than existing mechanisms)?
>
>   About the only thing I can think of that might be an issue would
> be that there would now be more data to manage, and of course the
> problem of feeping creaturism.

Thanks.  Being new to Mailman (although with (too) many years' worth of
Majordomo behind me) I wanted to do a basic sanity-check of the idea
itself.


>
> >  If not yet possible, but acceptable in theory (perhaps with amendments),
> >  then we would hope to consider volunteering some effort into coding it.
>
>   If you code such a feature (or have it done for you), and then
> upload that to the Mailman patch page on SourceForge at
> , you would
> be much more likely to get this feature incorporated into a future
> version of Mailman.

Thanks.

The big question is: which version should we base it on?  We would be
looking to put into into local production (assuming we did it) fairly
soon, but also be looking to get it incorporated into future versions.
So Mm 2.1.x?  2.2.x?  How different are those two versions?  (I'm assuming
not 3.x because that seems to be some way off yet.)

Thanks again.

-- 

:  David LeeI.T. Service  :
:  Senior Systems ProgrammerComputer Centre   :
:   Durham University :
:  http://www.dur.ac.uk/t.d.lee/South Road:
:   Durham DH1 3LE:
:  Phone: +44 191 334 2752  U.K.  :
--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp

Re: [Mailman-Users] approval password linked to sender rather than list?

[Brad Knowles]

At 10:01 AM +0100 2006-05-15, David Lee wrote:

>Is there a facility, or
>  plans for such, for each permitted sender to have (optionally) their own
>  password, useable across many lists?

This is a very good question.  I'm glad you brought it to this list.


I'm pretty sure that there is no facility in Mailman today to 
achieve what you're looking for.  I see no problem with the concept, 
but I will let others answer the technical issues of how it might be 
done, etc

If you haven't done so already, I would encourage you to file 
this as a Request For Enhancement on the Mailman SourceForge page at 
.

>  Problem: A spoof to many lists would go to many moderators within a list
>  and across lists, requiring coordination of moderators within a list, and
>  consistent action of one or more moderators per list across the lists.
>  Very poor scaling at a large site (with many clusters of many lists).

Yup.  Getting the list moderators/admins to act in a consistent 
manner is an issue regardless of the size of the list or the number 
of lists.


We have similar issues with just the mailman-users and 
mailman-developers lists on python.org, and they are much less 
numerous than what you're talking about, and the lists are also much 
smaller.  Sometimes I'll approve a post for the mailman-developers 
list that I think is marginal as to whether or not it belongs on that 
list and sometimes I'll let it sit for a few days and see if one of 
the other moderators/admins will take a decision.

I try to follow the guidelines that we've agreed for moderating 
and administering the lists, but I don't always remember what they 
are, and I don't always make the decision in a way that the other 
moderators/admins would have agreed with.


I'm not convinced that having per-user approval passwords would 
help the moderators act in a more consistent manner, but it certainly 
wouldn't hurt.

>  This doesn't seem possible at present (v 2.1.5).  But it seems related
>  to FAQ 3.46, in particular section "A password scheme could potentially
>  be implemented ...".
>
>  Is it yet possible?

Not so far as I know, and I'm not aware of it being on the 
official plan of things to be fixed in the upcoming versions (either 
2.2 or Mailman3), but certainly something that could potentially be 
done.

>  Does that seem reasonable?

I think so.  It would reduce the probability of someone being 
able to guess the list approval password, which can sometimes leak 
out via unexpected channels.

>  What are the drawbacks (those that would have
>  significantly worse problems/weaknesses than existing mechanisms)?

About the only thing I can think of that might be an issue would 
be that there would now be more data to manage, and of course the 
problem of feeping creaturism.

>  If not yet possible, but acceptable in theory (perhaps with amendments),
>  then we would hope to consider volunteering some effort into coding it.

If you code such a feature (or have it done for you), and then 
upload that to the Mailman patch page on SourceForge at 
, you would 
be much more likely to get this feature incorporated into a future 
version of Mailman.

This isn't to say that you would be guaranteed to get this 
feature incorporated, as there are many patches which have been 
uploaded that have not found their way into the main code base.  But 
uploading your patch would greatly increase your chances.

-- 
Brad Knowles, <[EMAIL PROTECTED]>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

 -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
 Assembly to the Governor, November 11, 1755

  LOPSA member since December 2005.  See .
--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp

Re: [Mailman-Users] approval password linked to sender rather than list?

[Patrick Bogen]

On 5/15/06, David Lee <[EMAIL PROTECTED]> wrote:
> List subscribers can already have passwords attached to their membership
> of a particular list, but this is (I understand) only for subscription
> maintenance, not for posting authorisation.  So the concept of password
> linked to email address is already present in Mailman.
>
> It would seem reasonable to extend Mailman to have a variant of the
> "Approved:" scheme (albeit with its inherent weak authentication) in which
> the password is associated with each "permitted.poster.1" sender name
> to discriminate a real sender from the spoofer.
>

On the surface, this seems pretty reasonable. It ought to be easy to
amend the bits that checked Approved: against the moderator/admin
password to also check against the user password.

For your purposes (*all* users must include a pssword), I think, this
is trivial:

in Mailman/Handlers/Approve.py, on or about line 108, change:

if passwd is not missing and mlist.Authenticate((mm_cfg.AuthListModerator,
 mm_cfg.AuthListAdmin),
passwd):

to:
--BEGIN--
if passwd is not missing and mlist.Authenticate((mm_cfg.AuthListModerator,
 mm_cfg.AuthListAdmin,
 mm_cfg.AuthUser),
 passwd,
 msg.get_sender()):
--END--

(without, of course --BEGIN-- and --END--). That said, I don't really
know Python, nor am I intimately familiar with the Mailman codebase,
so you might want to wait for someone more knowledgable to vette this
'solution.'

And, of course, when/if you upgrade, you'll need to re-do this, since
Approve.py will get overwritten.

-- 
- Patrick Bogen
--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp

[Mailman-Users] approval password linked to sender rather than list?

[David Lee]

Background:
  Currently majordomo, but rapid switch to Mailman being considered.
  About 20,000 users.
  Over 2,000 lists, the majority being "announcement" with very limited
numbers of permitted senders.
  Have been majordomo-based for many years.
  Recent spoof email jumped the priority of a potential majordomo->Mailman
transition to very high.
  Installed Mailman 2.1.5 (that version simply for local proof-of-concept
convenience).
  Would anticiapate running latest stable version.
  Very new to running a Mailman service (be gentle!).

Executive summary of query:

The existing "Approved:" mechanism needs a password shared in common
across multiple people (which feels poor and doesn't scale well) and
across multiple lists (again, scaling problems).  Is there a facility, or
plans for such, for each permitted sender to have (optionally) their own
password, useable across many lists?  (Note the numbers, and high
proportion of limited access "annnouncement" lists in the above.)


Details of query:

I've read the FAQ. The nearest items to my query seem to be 3.11, 3.34,
3.46 etc.

Our recent problem was a spoof email through Majordomo, via a small number
of large lists to the entire institution, spoofing the "From:" of a valid
Majordomo "posters" email address.  The Mailman "Approved:" mechanism
looks as if it should address much of this (but not as much as might be
possible: see below).

With Mailman, I've done an "Approved:" proof-of-concept demo: two lists,
same list password;  moderation switched on for everybody. Proved the
working of:
   Approved: 

(1) being able to bypass the moderation function (good);
(2) its absence or error being diverted to moderator (good).

So our genuine posters can use "Approved:" and the email would go straight
through, whereas the spoofer wouldn't be able to do this and the request
would be diverted (very good!) to the various list moderators.

BUT...

... in the environment described above we can see major benefits of a
somewhat different authorisation slant.

Problem: A spoof to many lists would go to many moderators within a list
and across lists, requiring coordination of moderators within a list, and
consistent action of one or more moderators per list across the lists.
Very poor scaling at a large site (with many clusters of many lists).

Suggestion:  An approval process to allow a sender-based password.  So
something like:

   From:  [EMAIL PROTECTED]   # may or may not be spoofed
   To:  [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], ...

   Approved: 

and also that pw being potentially shareable across multiple lists.



This doesn't seem possible at present (v 2.1.5).  But it seems related
to FAQ 3.46, in particular section "A password scheme could potentially
be implemented ...".

Is it yet possible?

(Assuming not, then ...)

List subscribers can already have passwords attached to their membership
of a particular list, but this is (I understand) only for subscription
maintenance, not for posting authorisation.  So the concept of password
linked to email address is already present in Mailman.

It would seem reasonable to extend Mailman to have a variant of the
"Approved:" scheme (albeit with its inherent weak authentication) in which
the password is associated with each "permitted.poster.1" sender name
to discriminate a real sender from the spoofer.



Does that seem reasonable?  What are the drawbacks (those that would have
significantly worse problems/weaknesses than existing mechanisms)?
Comments?

If it is possible now (i.e. I have overlooked the relevant documentation),
please point me in the correct direction, to documentation etc.

If not yet possible, but acceptable in theory (perhaps with amendments),
then we would hope to consider volunteering some effort into coding it.

-- 

:  David LeeI.T. Service  :
:  Senior Systems ProgrammerComputer Centre   :
:   Durham University :
:  http://www.dur.ac.uk/t.d.lee/South Road:
:   Durham DH1 3LE:
:  Phone: +44 191 334 2752  U.K.  :
--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp