Hello all!

I spent most of the day wrestling mailman and postfix into a multi site
installation and now I have it working, except there are a few issues I
am still trying to work out.

The first is that even though I have "VIRTUAL_HOST_OVERVIEW = Yes" in
my Mailman/mm_cfg.py file I am still able to disclose other lists on
other domains through the url:
http://<virtual_domain>/mailman/listinfo/<list_name_not_in_virtual_domain>.
There must be another way around this, if not it should be considered
a minor security flaw. Can anyone point me in the right direction for
preventing this?

The second issue is that all emails from the list are coming with links
from the wrong domain. How can I get these links to reflect the domain
that the lists are for?

Thanks in advance.
-Dennis

  • Mark Sapiro at Apr 16, 2010 at 3:19 pm

    Dennison Williams wrote:
    > The first is that even though I have "VIRTUAL_HOST_OVERVIEW = Yes" in
    > my Mailman/mm_cfg.py file I am still able to disclose other lists on
    > other domains through the url:
    > http://<virtual_domain>/mailman/listinfo/<list_name_not_in_virtual_domain>.
    > There must be another way around this, if not it should be considered
    > a minor security flaw. Can anyone point me in the right direction for
    > preventing this?

    VIRTUAL_HOST_OVERVIEW controls what its name implies, i.e. what lists
    appear on the listinfo and admin overview page. It is true, that by
    trying URLs such as you give above, that one could confirm the
    existence of a list in another domain and find its domain name from
    its listinfo page. If this is really a security issue for you, there
    are two choices.

    1) Modify all the Mailman/Cgi/*.py modules along the lines of the
    attached listinfo.patch.txt, or

    2) Install a separate Mailman instance for each domain.

    > The second issue is that all emails from the list are coming with links
    > from the wrong domain. How can I get these links to reflect the domain
    > that the lists are for?

    Web links or email links? If the web links are wrong, the lists must
    also appear on the wrong listinfo overview page. In any case, make
    sure every host has a correct

    add_virtualhost('hosts.web.domain', 'hosts.email.domain')

    in mm_cfg.py. Then run Mailman's

    bin/withlist -l -r fix_url listname -u web.host.for.this.list

    for every list. This will fix both web and email domains. Or, if the
    problem is only email domains, you can go to the web admin General
    Options page for every list and set the correct host_name attribute
    near the bottom of the page.

    --
    Mark Sapiro <mark at msapiro.net>
    San Francisco Bay Area, California
    The highway is for gamblers, better use your sense - B. Dylan

    -------------- next part --------------
    An embedded and charset-unspecified text was scrubbed...
    Name: listinfo.patch.txt
    URL: <http://mail.python.org/pipermail/mailman-users/attachments/20100416/e25bb48f/attachment.txt>
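
The kind of per-request host check that option 1 in the reply above describes, as an added example that is not part of the thread and is not the attached listinfo.patch.txt: a stand-alone Python model (not Mailman code) in which a listinfo request is answered only when the list's web host equals the host the request came in on. The list table, function names and status codes are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data (assumption): list name -> that list's web URL,
# standing in for the per-list web host a multi-domain install records.
LISTS = {
    "staff": "http://lists.example.org/mailman/",
    "announce": "http://lists.example.com/mailman/",
}


def host_of(value):
    """Return the lower-cased host of a URL or Host header, without the port."""
    if "://" not in value:
        value = "//" + value          # let urlsplit parse a bare "host:port"
    try:
        host = urlsplit(value).hostname or ""
    except ValueError:                # malformed header such as "[::1"
        return ""
    return host.rstrip(".").lower()


def served_on(list_url, request_host):
    """True only when the list's web host equals the request host exactly.

    Exact comparison matters: a substring test would let a request for
    "example.org" match a list that lives on "lists.example.org".
    """
    wanted = host_of(request_host)
    return bool(wanted) and host_of(list_url) == wanted


def listinfo_status(listname, request_host, lists=LISTS):
    """HTTP status a hypothetical listinfo handler would return."""
    list_url = lists.get(listname)
    # Same answer for "no such list" and "list belongs to another domain",
    # so the response does not confirm that the list exists elsewhere.
    if list_url is None or not served_on(list_url, request_host):
        return 404
    return 200


if __name__ == "__main__":
    for name, host in [("staff", "lists.example.org"),
                       ("staff", "lists.example.com"),
                       ("nosuch", "lists.example.com")]:
        print(name, host, listinfo_status(name, host))
```
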
  • Dennison Williams at Apr 16, 2010 at 6:01 pm
    Thanks for your prompt response and your work on mailman.

    Mark Sapiro wrote:
    > Dennison Williams wrote:
    >> The first is that even though I have "VIRTUAL_HOST_OVERVIEW = Yes" in
    >> my Mailman/mm_cfg.py file I am still able to disclose other lists on
    >> other domains through the url:
    >> http://<virtual_domain>/mailman/listinfo/<list_name_not_in_virtual_domain>.
    >> There must be another way around this, if not it should be considered
    >> a minor security flaw. Can anyone point me in the right direction for
    >> preventing this?
    >
    > VIRTUAL_HOST_OVERVIEW controls what its name implies, i.e. what lists
    > appear on the listinfo and admin overview page. It is true, that by
    > trying URLs such as you give above, that one could confirm the
    > existence of a list in another domain and find its domain name from
    > its listinfo page. If this is really a security issue for you, there
    > are two choices.
    >
    > 1) Modify all the Mailman/Cgi/*.py modules along the lines of the
    > attached listinfo.patch.txt, or
    >
    > 2) Install a separate Mailman instance for each domain.

    OK. I think the proper method for this installation is separate mailman
    installations.

    >> The second issue is that all emails from the list are coming with links
    >> from the wrong domain. How can I get these links to reflect the domain
    >> that the lists are for?
    >
    > Web links or email links? If the web links are wrong, the lists must
    > also appear on the wrong listinfo overview page. In any case, make
    > sure every host has a correct
    >
    > add_virtualhost('hosts.web.domain', 'hosts.email.domain')
    >
    > in mm_cfg.py. Then run Mailman's
    >
    > bin/withlist -l -r fix_url listname -u web.host.for.this.list
    >
    > for every list. This will fix both web and email domains. Or, if the
    > problem is only email domains, you can go to the web admin General
    > Options page for every list and set the correct host_name attribute
    > near the bottom of the page.

    The issue was the link supplied in the bottom of emails from lists.
    Your advice partially helped me fix it. The pointer to use separate
    email domains though is the solution that will properly solve this for
    me. Thanks again.
