Re: [Mailman-Developers] Mailing lists exploited

2017-05-17 Thread Daniel Kahn Gillmor
On Wed 2017-05-17 09:20:21 +0100, Jonathan Knight wrote: > The attack we're trying to defend against is a scripted one which grabs a > list of all the mailing lists, then harvests the administrator email and > then tries to spam each list using the administrator as a sender address. > > If the arch

Re: [Mailman-Developers] Mailing lists exploited

2017-05-16 Thread Daniel Kahn Gillmor
On Tue 2017-05-16 13:29:21 +0100, Jonathan Knight wrote: > I think the real name if it's available and the list owner address if not. > If you use the local part (e.g. j.knight) it would still be possible to > guess the @keele.ac.uk if the mailing lists are all hosted on > maillists.keele.ac.uk.

Re: [Mailman-Developers] MIME footers

2015-02-27 Thread Daniel Kahn Gillmor
On Fri 2015-02-27 15:07:52 -0500, Barry Warsaw wrote: > The biggest downside, and probably the main reason we append the footer text > in the text/plain-compatible-charset case is because of crappy MUAs. I think > we *still* get complaints about the MIME composition not being rendered very > well.

Re: [Mailman-Developers] MIME footers

2015-02-27 Thread Daniel Kahn Gillmor
Hi Murray-- On Fri 2015-02-27 14:46:40 -0500, Murray S. Kucherawy wrote: > Sorry, by "sign" I meant "add a footer". I probably said "sign" because > this is related to some DKIM work I've been planning, and the morning's > caffeine was already wearing off. :) > Thanks for that detailed answer (

Re: [Mailman-Developers] [GSoC14] Full Anonymization Project Idea

2015-02-22 Thread Daniel Kahn Gillmor
On Sat 2015-02-21 08:49:49 -0500, "Stephen J. Turnbull" wrote: > You can say "I know that". The problem is that your users frequently > will not, and may read more into "*full* anonymization" than can > possibly be delivered. If we're going to deliver this feature as part > of Mailman, it's rea

Re: [Mailman-Developers] Mailman introducing spurious References: or In-Reply-To: headers?

2014-10-27 Thread Daniel Kahn Gillmor
On 10/27/2014 02:33 PM, Mark Sapiro wrote: > On 10/27/2014 06:59 AM, Daniel Kahn Gillmor wrote: >> >> over on dns-priv...@ietf.org, one of the participants (Hosnieh Rafiee, >> cc'ed here) suggests that mailman appears to be introducing spurious >> References: a

[Mailman-Developers] Mailman introducing spurious References: or In-Reply-To: headers?

2014-10-27 Thread Daniel Kahn Gillmor
hi mailman folks-- over on dns-priv...@ietf.org, one of the participants (Hosnieh Rafiee, cc'ed here) suggests that mailman appears to be introducing spurious References: and In-Reply-To: headers (see the attached message below for some of the discussion. Can you confirm whether this is a functio

[Mailman-Developers] OT: Re: user table in Mailman3 with PostgreSQL

2014-07-16 Thread Daniel Kahn Gillmor
On 07/16/2014 10:34 AM, ML mail wrote: > Thanks for the trick with the double quotes to escape reserved keywords. It's probably worth reading the PostgreSQL documentation for this sort of thing: http://www.postgresql.org/docs/9.3/static/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS > Actually

Re: [Mailman-Developers] user table in Mailman3 with PostgreSQL

2014-07-15 Thread Daniel Kahn Gillmor
On 07/15/2014 06:16 AM, ML mail wrote: > Hello, > > I am not sure it is a good idea to name the user table "user". As you can see > in PostgreSQL "user" is a reserved word: > > \c mailman > > select * from user; > current_user > -- > postgres > > (1 row) > > Any ideas how I can

Re: [Mailman-Developers] PGP-signed message verification using the email module (and in Mailman)

2014-01-08 Thread Daniel Kahn Gillmor
On 01/08/2014 12:35 PM, Paul Boddie wrote: > Of course, RFC 3156 warns about the pitfalls of encoding the part that is to > be signed, It doesn't just warn about the pitfalls. it states that: Multipart/signed and multipart/encrypted are to be treated by agents as opaque, meaning that the

Re: [Mailman-Developers] Testing different email structures with MUAs

2013-09-12 Thread Daniel Kahn Gillmor
On 09/13/2013 12:29 AM, Daniel Kahn Gillmor wrote: > http://dkg.fifthhorseman.net/src/mailman/multisigned-images/ I've added a fourth message, with a variant on the content wrapping structure stephen and i were just talking about: └┬╴multipart/signed 11903 bytes ├┬╴multipart/mixed 85

Re: [Mailman-Developers] Testing different email structures with MUAs

2013-09-12 Thread Daniel Kahn Gillmor
On 09/11/2013 04:58 AM, Abhilash Raj wrote: > I have attached all 3 types of message, each in a different file. Please > can you place it in your maildir and check how your MUAs respond to it > and report here? The message signature will not be verified (the > signature text is actually gibberish),

Re: [Mailman-Developers] Testing different email structures with MUAs

2013-09-12 Thread Daniel Kahn Gillmor
On 09/12/2013 03:11 AM, Stephen J. Turnbull wrote: > So you're proposing this, I guess: > > multipart/signed > multipart/mixed > text/whatever # optional mailman header > multipart/signed > text/whatever # original signed

Re: [Mailman-Developers] Testing different email structures with MUAs

2013-09-11 Thread Daniel Kahn Gillmor
On 09/11/2013 08:44 PM, Stephen J. Turnbull wrote: > Abhilash Raj writes: > > > I have attached all 3 types of message, each in a different file. Please > > can you place it in your maildir and check how your MUAs respond to it > > and report here? The message signature will not be verified (the

Re: [Mailman-Developers] Testing different email structures with MUAs

2013-09-11 Thread Daniel Kahn Gillmor
On 09/11/2013 06:57 AM, Adam McGreggor wrote: > On Wed, Sep 11, 2013 at 02:28:21PM +0530, Abhilash Raj wrote: >> I have attached all 3 types of message, each in a different file. Please >> can you place it in your maildir and check how your MUAs respond to it >> and report here? The message signatur

Re: [Mailman-Developers] GSoC Updates

2013-08-29 Thread Daniel Kahn Gillmor
On 08/30/2013 12:56 AM, Stephen J. Turnbull wrote: > The last time I looked (~10 days ago), that was the implementation: > look only at the message-level Content-Type, ensure it's > multipart/signed, check that there are exactly two parts and that the > second is "application/pgp-signature". hum,

Re: [Mailman-Developers] GSoC Updates

2013-08-29 Thread Daniel Kahn Gillmor
Hi Abhilash-- I haven't looked at the code much yet, but this is a pretty exciting report! I'm glad to hear everything you've done. On 08/28/2013 09:37 PM, Abhilash Raj wrote: > 1) There is a 'signature rule'[1] that can verify signature from the > users whose public key is stored in 'var/gpg'

Re: [Mailman-Developers] Fwd: Re: GSoC Updates

2013-08-22 Thread Daniel Kahn Gillmor
On 08/22/2013 02:45 PM, Barry Warsaw wrote: > On Aug 16, 2013, at 03:12 PM, Abhilash Raj wrote: > >> 2) RSA or DSA keys? >> >> DSA can only be used for signing but is faster than RSA, although for >> now our scope is limited to signing; later on we "will" add encryption so >> I think we should stic

Re: [Mailman-Developers] GSoC Updates

2013-08-21 Thread Daniel Kahn Gillmor
On 08/14/2013 04:35 AM, Stephen J. Turnbull wrote: > Abhilash Raj writes: > > > After midterm evaluations I have been working on signing the message > > using one of the keys associated with the list, now since `python-gnupg` > > does not allow selecting keys with key credentials (like address or

Re: [Mailman-Developers] Some Doubts for GSoC Project

2013-08-21 Thread Daniel Kahn Gillmor
On 08/19/2013 10:52 PM, Stephen 'Humble is my middle name' Turnbull wrote: > Barry Warsaw writes: > > > If I read the correct response from Steve, I don't think he was > > adamant about it. He basically said that he associates keys more > > with people than bots, but OTOH, -owner isn't really

Re: [Mailman-Developers] GSOC Midterm Report

2013-08-06 Thread Daniel Kahn Gillmor
On 08/02/2013 01:18 PM, Barry Warsaw wrote: > On Aug 02, 2013, at 05:49 PM, Abhilash Raj wrote: > >> Now as the signing part is almost done except for to-be-able-to-select >> the key for signing(now python-gnupg signs using the first found key in >> the secret keyring) we need the proper infrastru

Re: [Mailman-Developers] GSOC Midterm Report

2013-07-31 Thread Daniel Kahn Gillmor
I'm excited to see this work, Abhilash! Do you have a demonstration instance of this code up and running anywhere? On 07/31/2013 02:43 AM, Abhilash Raj wrote: > * Signature verification using `python-gnupg` was a PITA to me for > sometime. The way it accepts the string and signature for detached

Re: [Mailman-Developers] A list of discussion topics: GSoC OpenPGP Integration

2013-07-01 Thread Daniel Kahn Gillmor
On 07/01/2013 01:58 AM, Stephen J. Turnbull wrote: > > 2) subscribers to an OpenPGP-enabled mailman mailing list subscribe, > > unsubscribe, receive, and send mails as usual (though messages not > > signed with valid keys will not be re-sent to the list). > > Not necessarily. It may be necess

Re: [Mailman-Developers] A list of discussion topics: GSoC OpenPGP Integration

2013-06-30 Thread Daniel Kahn Gillmor
On 06/29/2013 12:49 AM, Stephen J. Turnbull wrote: > Daniel Kahn Gillmor writes: > > OpenPGP certifications should attest to people's identities; those > > identities should have permissions in mailman the same way that > > non-cryptographically-verifiable iden

Re: [Mailman-Developers] A list of discussion topics: GSoC OpenPGP Integration

2013-06-28 Thread Daniel Kahn Gillmor
On 06/28/2013 10:11 AM, Barry Warsaw wrote: > Another complication is that keys will probably be attached to users, but > users have relationships with list across the entire Mailman installation. So > if it were list owners that were responsible for key management, how does that > cross list bou

Re: [Mailman-Developers] A list of discussion topics: GSoC OpenPGP Integration

2013-06-28 Thread Daniel Kahn Gillmor
On 06/28/2013 12:03 AM, Stephen J. Turnbull wrote: > Daniel Kahn Gillmor writes: > > > I think Abhilash's question above is a really important question, > > It is. > > > and one that really should be addressed by this GSoC project. > > Vetoed (I'm t

Re: [Mailman-Developers] A list of discussion topics: GSoC OpenPGP Integration

2013-06-27 Thread Daniel Kahn Gillmor
On Sat 2013-06-15 12:48:34 -0400, Stephen J. Turnbull wrote: > Abhilash Raj writes: > > > * How to ensure the keys belong to the email it says it does? > > This is not in scope for your project. Key upload is for > bootstrapping strong authentication, therefore you should assume there > is no stron

Re: [Mailman-Developers] OpenPGP Mailman integration discussion [was: Re: GSoc - Requirement from Mentor to complete the project]

2013-05-28 Thread Daniel Kahn Gillmor
On 05/26/2013 12:57 PM, Stephen J. Turnbull wrote: > > > sure, but the From: header is forgeable, right? so if Alice knows > > > that Bob was subscribed to list X in the past, and is subscribed to > > > list Y today, then she could dig up his old posts in list X, and > > > forward them (From:

Re: [Mailman-Developers] OpenPGP Mailman integration discussion [was: Re: GSoc - Requirement from Mentor to complete the project]

2013-05-23 Thread Daniel Kahn Gillmor
On 05/23/2013 12:06 PM, Abhilash Raj wrote: > For the encrypted lists yes, the key will be marked as 'encryption > capable'. The list owner has to upload the public-private keypair for > the list. > >> [dkg wrote:] >> ***SIGNED_POSTS*** >> >> Might there be a reason for the list to have a keypair

Re: [Mailman-Developers] OpenPGP Mailman integration discussion [was: Re: GSoc - Requirement from Mentor to complete the project]

2013-05-16 Thread Daniel Kahn Gillmor
On 05/11/2013 03:17 AM, Abhilash Raj wrote: > After Barry's comment on my proposal I decided to cut down the > proposal to implement use of OpenPGP signatures for posting > privileges instead of both signed and encrypted list. > Most of the infrastructure for encrypted list will be created al

Re: [Mailman-Developers] GSoC Project Discussion - Web Posting Interface.

2013-05-09 Thread Daniel Kahn Gillmor
Hi Mark-- On 05/09/2013 01:06 PM, Mark Sapiro wrote: > Go to > > and look at the mailto: link under 'dkg at fifthhorseman.net'. wow, great! I have never looked at this link before because i always assumed it was a link to

[Mailman-Developers] OpenPGP Mailman integration discussion [was: Re: GSoc - Requirement from Mentor to complete the project]

2013-05-09 Thread Daniel Kahn Gillmor
As i about this, i wonder if the OpenPGP integration project shouldn't be broken into two phases, so that the tricky nuances could be handled more simply. I'm imagining a first phase ("message authentication") would not expect or handle encrypted messages, but would just use cryptographic signatur

Re: [Mailman-Developers] GSoC Project Discussion - Web Posting Interface.

2013-05-09 Thread Daniel Kahn Gillmor
On 05/09/2013 12:28 PM, Barry Warsaw wrote: > The real power here would be for someone who is reading the archives to "jump > into" a discussion, potentially long after the fact. Imagine you've done a > web search for a particular problem you're having and it lands you on a page > in an archive.

Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-26 Thread Daniel Kahn Gillmor
On 04/27/2013 12:45 PM, Stephen J. Turnbull wrote: > Stefan Schlott writes: > > > 2. Your list has elevated security requirements. In this case, you can > > use gpg-agent to manage the secret key (and its passphrase). > > I don't understand what threat you propose to address in this way. > It's

Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-26 Thread Daniel Kahn Gillmor
On 04/27/2013 01:36 PM, Stephen J. Turnbull wrote: > without a complete redesign starting > from the assumption of encrypted messages whose plain text must > be exposed as briefly as possible. At least one project suggests that it may be possible to operate an encrypted mailing list such that the

Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-25 Thread Daniel Kahn Gillmor
On 04/25/2013 04:36 PM, Stefan Schlott wrote: > On 25.04.2013 00:14, Abhilash Raj wrote: > >> 1) When a message is decrypted and then passed on between the queues, it >> creates a security threat for the cleartext message is being held in >> memory, even for a small time in between the runners. >

Re: [Mailman-Developers] OpenPGP Integration on GSoC

2013-04-12 Thread Daniel Kahn Gillmor
On 04/11/2013 09:13 AM, Stefan Schlott wrote: > True, the PGP file structure encapsulates the signature within the > encryption (in contrast to S/MIME, which does it vice versa). But the > standard PGP binary will strip both in one step, so keeping the > signature won't work out of the box (at lea

Re: [Mailman-Developers] OpenPGP Integration on GSoC

2013-04-10 Thread Daniel Kahn Gillmor
On 04/09/2013 07:55 PM, Marcos Chavarría Teijeiro wrote: > The problem is that I'm not sure if I understand the idea. This is how I > see it: > 1) Users submit their public key to MailMan server when they register to > mail list. > 2) The user can get MailMan Server public key > 3) When a user

Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-06 Thread Daniel Kahn Gillmor
On 04/06/2013 06:53 PM, Paul Wise wrote: > On Sun, Apr 7, 2013 at 5:19 AM, Abhilash Raj wrote: > >> I am an undergrad student interested in OpenPGP integration in mailman as a >> GSOC project this summer. neat, i'm glad to hear it! > I'm not sure about the scope of your project but you may want t

Re: [Mailman-Developers] Mockup for New Design

2011-06-21 Thread Daniel Kahn Gillmor
On 06/21/2011 11:46 AM, Andrew wrote: > On 21/06/11 09:31, David Andrews wrote: >> I presume the page is "graphical" because as a blind, screen reader >> using person, I got nothing out of it. Remember accessibility! > > Sure absolutely, this is just an image mockup to see what everyone > thinks,

Re: [Mailman-Developers] Proposal for a new menu grouping in MM3 webUI

2011-05-27 Thread Daniel Kahn Gillmor
On 05/27/2011 05:09 PM, Barry Warsaw wrote: > One other thing I've been thinking about is a kind of "debug" option where a > fake message could be injected into the system, with the appropriate headers, > and out would come some debugging information about which rules got hit, and > exactly why a m

[Mailman-Developers] mailman breaking PGP/MIME-signed messages (was: Re: My First Signed email)

2011-05-27 Thread Daniel Kahn Gillmor
On Sun, 15 May 2011 13:11:36 -0400, "Robert J. Hansen" wrote: > http://sixdemonbag.org/pgpmime.zip > > Contains the good message (taken from my outbox), the bad message (as > received from the list), and a diff between the two (as computed by > Cygwin's diff). Knock yourself out. This is clear
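The threads above keep returning to one structural point: RFC 3156 makes a multipart/signed part opaque, so a list that appends a footer to the signed text (the breakage in the sixdemonbag.org diff thread, and the "crappy MUAs" trade-off in the MIME footers thread) invalidates the subscriber's signature, while the nesting Stephen sketched (multipart/signed over a multipart/mixed that carries the list's text around the untouched original multipart/signed) does not. The example below is added here and is not Mailman, GnuPG or python-gnupg code. It builds that nesting with the standard library's email package, implements the structural pre-check Stephen described for the GSoC signature rule (top-level multipart/signed, exactly two parts, second part application/pgp-signature), and shows that wrapping preserves the signed bytes exactly while footer-appending does not. The signature bodies, boundaries and the devlist@example.org address are constructed placeholders; no signature is actually verified.

```python
"""Added example (not Mailman code): RFC 3156 PGP/MIME structure, the
structural pre-check a signature rule can run before calling GnuPG, and
why editing the signed text/plain breaks verification while wrapping the
whole multipart/signed does not.  Signature bodies are placeholders."""
from email import message_from_bytes, policy
from email.encoders import encode_7or8bit
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# RFC 3156 (building on RFC 1847): a detached signature covers the first
# body part exactly as transmitted, headers included, in CRLF canonical form.
CRLF = policy.compat32.clone(linesep="\r\n")

# Constructed placeholder standing in for an ASCII-armored OpenPGP signature.
FAKE_SIG = ("-----BEGIN PGP SIGNATURE-----\n\n"
            "bm90IGEgcmVhbCBzaWduYXR1cmU=\n"
            "-----END PGP SIGNATURE-----\n")


def pgp_mime_signed(part, armored_sig, boundary):
    """Wrap one MIME part as RFC 3156 multipart/signed with a detached signature."""
    signed = MIMEMultipart("signed", boundary=boundary, micalg="pgp-sha256",
                           protocol="application/pgp-signature")
    signed.attach(part)
    signed.attach(MIMEApplication(armored_sig, "pgp-signature",
                                  _encoder=encode_7or8bit))
    return signed


def signed_data(signed):
    """The bytes a detached signature over `signed` is computed over."""
    return signed.get_payload()[0].as_bytes(policy=CRLF)


def check_pgp_mime_structure(msg):
    """Structural check only, no cryptography: returns (ok, reason)."""
    if msg.get_content_type() != "multipart/signed":
        return False, "top level is not multipart/signed"
    if msg.get_param("protocol") != "application/pgp-signature":
        return False, "protocol parameter is not application/pgp-signature"
    parts = msg.get_payload()
    if not isinstance(parts, list) or len(parts) != 2:
        return False, "multipart/signed must have exactly two parts"
    if parts[1].get_content_type() != "application/pgp-signature":
        return False, "second part is not application/pgp-signature"
    return True, "ok"


def wrap_for_list(original_signed, header_text, footer_text):
    """The nesting proposed in the thread: the list signs a multipart/mixed
    that carries its header/footer text around the original multipart/signed."""
    mixed = MIMEMultipart("mixed", boundary="list-mixed")
    mixed.attach(MIMEText(header_text, "plain", "us-ascii"))
    mixed.attach(original_signed)
    mixed.attach(MIMEText(footer_text, "plain", "us-ascii"))
    return pgp_mime_signed(mixed, FAKE_SIG, boundary="list-signed")


def inner_signed_parts(msg):
    """Every multipart/signed part below the top level, in walk order."""
    return [p for p in msg.walk()
            if p is not msg and p.get_content_type() == "multipart/signed"]


def demo():
    body = MIMEText("Hi list,\n\nplease review the patch.\n", "plain", "us-ascii")
    original = pgp_mime_signed(body, FAKE_SIG, boundary="subscriber-signed")
    before = signed_data(original)

    # Wrap, serialize as transport would, parse back, recover the inner part.
    wrapped = wrap_for_list(original, "[list header]\n", "[list footer]\n")
    wrapped["From"] = "devlist@example.org"        # constructed address
    reparsed = message_from_bytes(wrapped.as_bytes())
    inner = inner_signed_parts(reparsed)[0]

    # The footer-appending approach: edit the subscriber's signed text in place.
    footered = message_from_bytes(original.as_bytes())
    text = footered.get_payload()[0]
    text.set_payload(text.get_payload() + "-- \n[list footer]\n")

    return {
        "outer_ok": check_pgp_mime_structure(reparsed)[0],
        "inner_ok": check_pgp_mime_structure(inner)[0],
        "mixed_ok": check_pgp_mime_structure(reparsed.get_payload()[0])[0],
        "wrapping_preserves_signed_data": signed_data(inner) == before,
        "footer_preserves_signed_data": signed_data(footered) == before,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints that both the outer (list) and inner (subscriber) multipart/signed parts pass the structural check, that the multipart/mixed alone does not, and that the inner signed bytes survive a serialize-and-reparse round trip unchanged while the footer-appended variant differs. A real signature rule would feed `signed_data(...)` and the second part to GnuPG; the structural check is only the cheap gate in front of that call, and verification must run over the original transmitted bytes rather than a re-serialized copy, which is exactly what the opaque-part rule in RFC 3156 protects.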