mark at msapiro.net
Mon Feb 9 00:49:58 CET 2009
Barry Warsaw wrote:
>Does anybody set USE_ENVELOPE_SENDER to Yes these days?
There are potential issues with this with umbrella lists. Perhaps
Mailman 3 will handle these differently, but here is the issue.
There are two message methods, get_sender() and get_senders().
USE_ENVELOPE_SENDER only affects get_sender(). With
USE_ENVELOPE_SENDER false, get_sender() returns the first address
found in From:, Sender: and unixfrom (envelope sender). With
USE_ENVELOPE_SENDER true, the order is Sender:, From: and unixfrom, so
it doesn't even really do what it claims.
get_senders() returns a list of addresses found in those headers
defined in SENDER_HEADERS. The default searches From:, unixfrom,
Reply-To: and Sender: in that order and returns all addresses found.
The Moderate handler first checks the get_senders() list to see if any
address is a list member. The first hit determines whether the post is
from a moderated member. If there are no hits, Moderate goes on the
search *_these_nonmembers for the one address returned by get_sender()
The potential issue is if you want posts to the umbrella list to be
accepted by the child lists without being held, one technique is to
put the umbrella's listname-bounces address in accept_these_nonmembers
of the children, and this requires USE_ENVELOPE_SENDER to be true in
order to work.
There are other ways to accomplish this that don't require
USE_ENVELOPE_SENDER. E.g. subscribing the umbrella's listname-bounces
address to the child lists with delivery (and password reminders)
disabled; using appropriate @listname entries in
accept_these_nonmembers, or making the umbrella anonymous and putting
the umbrella's posting address in the children's
Some of this is in the FAQ at <http://wiki.list.org/x/boA9>.
>I'm considering removing the equivalent of this from Mailman 3.0 and
>I'd like to know if that would be a hardship for anyone. If you don't
>know what this value is (which in Mailman 2 lives in Defaults.py),
>then you probably won't miss its demise in Mailman 3.
>This flag controls whether the Sender: header is considered before the
>From: header for purposes of trying to determine the email address of
>the message's author. At one time in the distant past, this flag was
>added because it was observed that some MTAs put the RFC 2821 MAIL
>FROM value into this header, and this was considered less spoofable
>than the From: header. I think these assumptions are outdated and
>this workaround is either unnecessary or hurts more than it helps.
I agree that the use of USE_ENVELOPE_SENDER as an anti-spoof is
outdated, particularly because it doesn't even come into play for the
>BTW, the default value is No, which tells Mailman to use the From:
>header first. I propose hardwiring that default value.
>Let me know if this would cause you pain.
I think it will impact some users with umbrella lists depending on how
(or if) umbrella lists are handled in Mailman 3.
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
More information about the Mailman-Developers