FAQ
Background:
Currently majordomo, but rapid switch to Mailman being considered.
About 20,000 users.
Over 2,000 lists, the majority being "announcement" with very limited
numbers of permitted senders.
Have been majordomo-based for many years.
Recent spoof email jumped the priority of a potential majordomo->Mailman
transition to very high.
Installed Mailman 2.1.5 (that version simply for local proof-of-concept
convenience).
Would anticiapate running latest stable version.
Very new to running a Mailman service (be gentle!).

Executive summary of query:

The existing "Approved:" mechanism needs a password shared in common
across multiple people (which feels poor and doesn't scale well) and
across multiple lists (again, scaling problems). Is there a facility, or
plans for such, for each permitted sender to have (optionally) their own
password, useable across many lists? (Note the numbers, and high
proportion of limited access "annnouncement" lists in the above.)


Details of query:

I've read the FAQ. The nearest items to my query seem to be 3.11, 3.34,
3.46 etc.

Our recent problem was a spoof email through Majordomo, via a small number
of large lists to the entire institution, spoofing the "From:" of a valid
Majordomo "posters" email address. The Mailman "Approved:" mechanism
looks as if it should address much of this (but not as much as might be
possible: see below).

With Mailman, I've done an "Approved:" proof-of-concept demo: two lists,
same list password; moderation switched on for everybody. Proved the
working of:
Approved: <list password>

(1) being able to bypass the moderation function (good);
(2) its absence or error being diverted to moderator (good).

So our genuine posters can use "Approved:" and the email would go straight
through, whereas the spoofer wouldn't be able to do this and the request
would be diverted (very good!) to the various list moderators.

BUT...

... in the environment described above we can see major benefits of a
somewhat different authorisation slant.

Problem: A spoof to many lists would go to many moderators within a list
and across lists, requiring coordination of moderators within a list, and
consistent action of one or more moderators per list across the lists.
Very poor scaling at a large site (with many clusters of many lists).

Suggestion: An approval process to allow a sender-based password. So
something like:

From: permitted.poster.1 at our.site # may or may not be spoofed
To: list1 at our.site, list2 at our.site, list3 at our.site, ...

Approved: <pw belonging to "permitted.poster.1">

and also that pw being potentially shareable across multiple lists.



This doesn't seem possible at present (v 2.1.5). But it seems related
to FAQ 3.46, in particular section "A password scheme could potentially
be implemented ...".

Is it yet possible?

(Assuming not, then ...)

List subscribers can already have passwords attached to their membership
of a particular list, but this is (I understand) only for subscription
maintenance, not for posting authorisation. So the concept of password
linked to email address is already present in Mailman.

It would seem reasonable to extend Mailman to have a variant of the
"Approved:" scheme (albeit with its inherent weak authentication) in which
the password is associated with each "permitted.poster.1" sender name
to discriminate a real sender from the spoofer.



Does that seem reasonable? What are the drawbacks (those that would have
significantly worse problems/weaknesses than existing mechanisms)?
Comments?

If it is possible now (i.e. I have overlooked the relevant documentation),
please point me in the correct direction, to documentation etc.

If not yet possible, but acceptable in theory (perhaps with amendments),
then we would hope to consider volunteering some effort into coding it.

--

: David Lee I.T. Service :
: Senior Systems Programmer Computer Centre :
: Durham University :
: http://www.dur.ac.uk/t.d.lee/ South Road :
: Durham DH1 3LE :
: Phone: +44 191 334 2752 U.K. :

Search Discussions

  • Brad Knowles at May 15, 2006 at 2:31 pm

    At 10:01 AM +0100 2006-05-15, David Lee wrote:

    Is there a facility, or
    plans for such, for each permitted sender to have (optionally) their own
    password, useable across many lists?
    This is a very good question. I'm glad you brought it to this list.


    I'm pretty sure that there is no facility in Mailman today to
    achieve what you're looking for. I see no problem with the concept,
    but I will let others answer the technical issues of how it might be
    done, etc....

    If you haven't done so already, I would encourage you to file
    this as a Request For Enhancement on the Mailman SourceForge page at
    <http://sourceforge.net/tracker/?group_id3&atid50103>.
    Problem: A spoof to many lists would go to many moderators within a list
    and across lists, requiring coordination of moderators within a list, and
    consistent action of one or more moderators per list across the lists.
    Very poor scaling at a large site (with many clusters of many lists).
    Yup. Getting the list moderators/admins to act in a consistent
    manner is an issue regardless of the size of the list or the number
    of lists.


    We have similar issues with just the mailman-users and
    mailman-developers lists on python.org, and they are much less
    numerous than what you're talking about, and the lists are also much
    smaller. Sometimes I'll approve a post for the mailman-developers
    list that I think is marginal as to whether or not it belongs on that
    list and sometimes I'll let it sit for a few days and see if one of
    the other moderators/admins will take a decision.

    I try to follow the guidelines that we've agreed for moderating
    and administering the lists, but I don't always remember what they
    are, and I don't always make the decision in a way that the other
    moderators/admins would have agreed with.


    I'm not convinced that having per-user approval passwords would
    help the moderators act in a more consistent manner, but it certainly
    wouldn't hurt.
    This doesn't seem possible at present (v 2.1.5). But it seems related
    to FAQ 3.46, in particular section "A password scheme could potentially
    be implemented ...".

    Is it yet possible?
    Not so far as I know, and I'm not aware of it being on the
    official plan of things to be fixed in the upcoming versions (either
    2.2 or Mailman3), but certainly something that could potentially be
    done.
    Does that seem reasonable?
    I think so. It would reduce the probability of someone being
    able to guess the list approval password, which can sometimes leak
    out via unexpected channels.
    What are the drawbacks (those that would have
    significantly worse problems/weaknesses than existing mechanisms)?
    About the only thing I can think of that might be an issue would
    be that there would now be more data to manage, and of course the
    problem of feeping creaturism.
    If not yet possible, but acceptable in theory (perhaps with amendments),
    then we would hope to consider volunteering some effort into coding it.
    If you code such a feature (or have it done for you), and then
    upload that to the Mailman patch page on SourceForge at
    <http://sourceforge.net/tracker/?group_id3&atid00103>, you would
    be much more likely to get this feature incorporated into a future
    version of Mailman.

    This isn't to say that you would be guaranteed to get this
    feature incorporated, as there are many patches which have been
    uploaded that have not found their way into the main code base. But
    uploading your patch would greatly increase your chances.

    --
    Brad Knowles, <brad at stop.mail-abuse.org>

    "Those who would give up essential Liberty, to purchase a little
    temporary Safety, deserve neither Liberty nor Safety."

    -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
    Assembly to the Governor, November 11, 1755

    LOPSA member since December 2005. See <http://www.lopsa.org/>.
  • David Lee at May 15, 2006 at 4:59 pm

    On Mon, 15 May 2006, Brad Knowles wrote:
    At 10:01 AM +0100 2006-05-15, David Lee wrote:

    Is there a facility, or
    plans for such, for each permitted sender to have (optionally) their own
    password, useable across many lists?
    This is a very good question. I'm glad you brought it to this list.


    I'm pretty sure that there is no facility in Mailman today to
    achieve what you're looking for. I see no problem with the concept,
    but I will let others answer the technical issues of how it might be
    done, etc....
    Glad it seems reasonable. Thanks.

    If you haven't done so already, I would encourage you to file
    this as a Request For Enhancement on the Mailman SourceForge page at
    <http://sourceforge.net/tracker/?group_id3&atid50103>.
    Thanks. Done.

    I'm not convinced that having per-user approval passwords would
    help the moderators act in a more consistent manner, but it certainly
    wouldn't hurt.
    Hm? The idea is that the genuine sender should be able to avoid
    moderation in the first place.

    As an aside, is there a way to do "Approved:" as a header (rather than as
    first line of message-body) if the client is Outlook? OWA?

    What are the drawbacks (those that would have
    significantly worse problems/weaknesses than existing mechanisms)?
    About the only thing I can think of that might be an issue would
    be that there would now be more data to manage, and of course the
    problem of feeping creaturism.
    Thanks. Being new to Mailman (although with (too) many years' worth of
    Majordomo behind me) I wanted to do a basic sanity-check of the idea
    itself.

    If not yet possible, but acceptable in theory (perhaps with amendments),
    then we would hope to consider volunteering some effort into coding it.
    If you code such a feature (or have it done for you), and then
    upload that to the Mailman patch page on SourceForge at
    <http://sourceforge.net/tracker/?group_id3&atid00103>, you would
    be much more likely to get this feature incorporated into a future
    version of Mailman.
    Thanks.

    The big question is: which version should we base it on? We would be
    looking to put into into local production (assuming we did it) fairly
    soon, but also be looking to get it incorporated into future versions.
    So Mm 2.1.x? 2.2.x? How different are those two versions? (I'm assuming
    not 3.x because that seems to be some way off yet.)

    Thanks again.

    --

    : David Lee I.T. Service :
    : Senior Systems Programmer Computer Centre :
    : Durham University :
    : http://www.dur.ac.uk/t.d.lee/ South Road :
    : Durham DH1 3LE :
    : Phone: +44 191 334 2752 U.K. :
  • Brad Knowles at May 15, 2006 at 6:46 pm

    At 5:59 PM +0100 2006-05-15, David Lee wrote:

    I'm not convinced that having per-user approval passwords would
    help the moderators act in a more consistent manner, but it certainly
    wouldn't hurt.
    Hm? The idea is that the genuine sender should be able to avoid
    moderation in the first place.
    That's not what I was referring to. I was referring to the
    things that would wind up in the moderator queue (potentially due to
    lack of appropriate password), and how those might be handled in an
    inconsistent manner.


    Whether it's a per-sender approval password or a per-list
    approval password, once you're past the automated system and your
    post is approved, then the moderators aren't going to see or touch it.

    However, while I see some advantages to allowing this route as an
    optional alternative, I think the bigger problem is the inconsistency
    in the way the moderators will tend to handle the stuff that gets
    dumped into their queue.

    Unfortunately, I'm not sure there's much you can do to try to
    solve that part of the problem. ;)
    As an aside, is there a way to do "Approved:" as a header (rather than as
    first line of message-body) if the client is Outlook? OWA?
    I'm not familiar with those clients. Others on the list might be
    more familiar with them, but you might also want to see if there are
    other mailing lists, forums, FAQs, etc... that would be oriented
    towards the specific clients you're interested in.
    The big question is: which version should we base it on?
    Start with the latest current version -- 2.1.8. If the feature
    is going to be incorporated into a future version then Tokio, Mark,
    or Barry can do any necessary work that might be required to bring it
    into whatever version they're working on.

    But I would strongly encourage you to make sure you follow the
    same style and programming methods, so that the amount of work needed
    to integrate your suggested feature would be minimized.
    We would be
    looking to put into into local production (assuming we did it) fairly
    soon, but also be looking to get it incorporated into future versions.
    Understood.
    So Mm 2.1.x? 2.2.x? How different are those two versions? (I'm assuming
    not 3.x because that seems to be some way off yet.)
    I think 2.2.x is still in fairly formative stages right now, and
    anything that would be required to bring the code up from the 2.1.8
    baseline to 2.2.x should be something that Tokio, Mark, or Barry can
    do as needed.

    --
    Brad Knowles, <brad at stop.mail-abuse.org>

    "Those who would give up essential Liberty, to purchase a little
    temporary Safety, deserve neither Liberty nor Safety."

    -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
    Assembly to the Governor, November 11, 1755

    LOPSA member since December 2005. See <http://www.lopsa.org/>.
  • Patrick Bogen at May 15, 2006 at 3:15 pm

    On 5/15/06, David Lee wrote:
    List subscribers can already have passwords attached to their membership
    of a particular list, but this is (I understand) only for subscription
    maintenance, not for posting authorisation. So the concept of password
    linked to email address is already present in Mailman.

    It would seem reasonable to extend Mailman to have a variant of the
    "Approved:" scheme (albeit with its inherent weak authentication) in which
    the password is associated with each "permitted.poster.1" sender name
    to discriminate a real sender from the spoofer.
    On the surface, this seems pretty reasonable. It ought to be easy to
    amend the bits that checked Approved: against the moderator/admin
    password to also check against the user password.

    For your purposes (*all* users must include a pssword), I think, this
    is trivial:

    in Mailman/Handlers/Approve.py, on or about line 108, change:

    if passwd is not missing and mlist.Authenticate((mm_cfg.AuthListModerator,
    mm_cfg.AuthListAdmin),
    passwd):

    to:
    --BEGIN--
    if passwd is not missing and mlist.Authenticate((mm_cfg.AuthListModerator,
    mm_cfg.AuthListAdmin,
    mm_cfg.AuthUser),
    passwd,
    msg.get_sender()):
    --END--

    (without, of course --BEGIN-- and --END--). That said, I don't really
    know Python, nor am I intimately familiar with the Mailman codebase,
    so you might want to wait for someone more knowledgable to vette this
    'solution.'

    And, of course, when/if you upgrade, you'll need to re-do this, since
    Approve.py will get overwritten.

    --
    - Patrick Bogen

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
groupmailman-users @
categoriespython
postedMay 15, '06 at 9:01a
activeMay 15, '06 at 6:46p
posts5
users3
websitelist.org

People

Translate

site design / logo © 2022 Grokbase