I will write and publish a patch which integrates PGP signature
validation and re-encryption of encrypted posts to mailman. Specs are:
- A post will be distributed only if the PGP signature on the post is from
one of the list members.
- For sending encrypted email, a list member encrypts to the public key of
the list. The post will be decrypted and re-encrypted to the public keys
of all list members.
(Later, the patch will handle RFC 2633 (S/MIME) messages too, next to
RFC 2440 (OpenPGP)).
I've taken a look at the NAH6 secure list patch #646989 at
and at Ben Laurie's patch #645297 at
, but I believe none of these completely implements the listed
requirements (although these will help me with implementing, of course). I
am asking you to take a look at my plan for implementation. Am I on the
So, the plan:
I think one way to implement it would be to add two modules to
GLOBAL_PIPELINE: in front, before SpamDetect, there would be 'PGPCheck'.
PGPCheck would check whether the message is encrypted, and, if so, make a
temporary decrypted copy in order to verify with which key it was
signed. If the message is unencrypted, it would check the signature.
It would store this information in new properties of the Mailman Message
A second new module in GLOBAL_PIPELINE would be 'PGPRecrypt', to be
called after 'CookHeaders' and before 'ToDigest'. This would, if needed,
decrypt the message and reencrypt it to all recipients, and would sign
If for instance a list member erroneously signs a post with a wrong
public key, and encrypts the message, this message should be handled
carefully. I believe the Hold module should be adapted for this. A
copy of the original encrypted message should be kept. The message
should be decrypted, signed with the listkey, encrypted to the list
moderator key, and sent for acknowledgement. If the moderator chooses
to deny the message, the poster should get her original message back.
For all PGP handling, I plan to use Frank J. Tobin's GnuPGInterface (
http://py-gnupg.sourceforge.net/ ). I plan to write the patch against
current stable Mailman.
Any insight to share on this?
Joost van Baal http://abramowitz.uvt.nl/
j.e.vanbaal(a)uvt.nl The Netherlands
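
The membership decision that the proposed 'PGPCheck' step has to make, as an added example that is not part of the original post or of any Mailman patch: it reads the machine-readable status lines gpg writes to --status-fd and distributes only when every valid signature comes from a member key. The function names, fingerprints and status samples are constructed for illustration.

```python
# Added illustration; function names and all sample values are constructed.
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

MEMBER_FPR = "1111222233334444555566667777888899990000"    # member's primary key
SUBKEY_FPR = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"    # its signing subkey
OUTSIDER_FPR = "9999888877776666555544443333222211110000"  # not subscribed

# Constructed samples of what gpg writes to --status-fd while verifying.
SIGNED_BY_MEMBER = (
    "[GNUPG:] GOODSIG 0000111122223333 Alice <alice@example.org>\n"
    "[GNUPG:] VALIDSIG " + SUBKEY_FPR +
    " 2004-09-06 1094481000 0 4 0 17 2 00 " + MEMBER_FPR + "\n")
EXPIRED_MEMBER_KEY = SIGNED_BY_MEMBER.replace("GOODSIG", "EXPKEYSIG")


def parse_status(status_text):
    """Yield (keyword, args) for each '[GNUPG:] ' status line."""
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            yield parts[1], parts[2:]


def signer_fingerprints(status_text):
    """Primary-key fingerprints of the valid signatures; [] if any check failed."""
    signers = []
    for keyword, args in parse_status(status_text):
        if keyword in FAILURES:
            # VALIDSIG is also emitted next to EXPKEYSIG/REVKEYSIG, so a
            # failure keyword anywhere vetoes the whole message.
            return []
        if keyword == "VALIDSIG" and args:
            # Field 10 is the primary key's fingerprint; older gpg versions
            # omit it, in which case field 1 (the signing key) is used.
            signers.append((args[9] if len(args) >= 10 else args[0]).upper())
    return signers


def pgp_check(status_text, member_fprs):
    """Return 'distribute' only when every signature is from a member key."""
    members = {f.replace(" ", "").upper() for f in member_fprs}
    signers = signer_fingerprints(status_text)
    if signers and all(f in members for f in signers):
        return "distribute"
    return "hold"
```

Matching on the full fingerprint from VALIDSIG, rather than on the key ID or user ID shown by GOODSIG, keeps a look-alike key from passing as a member.
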
It is a problem that some people think it is cool to automatically
generate "out of office" messages when they are away, especially when they
are subscribed to high-volume lists. Is there an easy way to have Mailman
temporarily unsubscribe them when it receives one of those messages?
> -----Original Message-----
> From: mailman-developers-bounces+john.airey=rnib.org.uk(a)python.org
> Behalf Of Tollef Fog Heen
> Sent: Monday, 06 September 2004 16:47
> To: mailman-developers(a)python.org
> Subject: Re: [Mailman-Developers] Min requirements for
> running Mailman?
> * Nigel Metheringham
> | I'd tend to take this as:-
> | * Mailman is a bitch to package
> Not really. It's fairly well-behaved in my experience. It's a
> semi-large web application with some requirements, but nothing
> | * RH have packaged it for a while
> | * RH found a good few of the gotchas in packaging Mailman
> | * RH have subsequently learnt from their mistakes and recently
> | have produced good packages.
> | * Other distros may do better, or may yet have to learn from their
> | mistakes :-)
> Mailman has been in Debian since June 1998 (1.0b4), so we've been
> working on it for a while as well. I think our packages are of good
> quality (far from perfect, but making perfect packages is _a lot_ of
> work. ;)
Just to throw my tuppence worth in...
I've used mailman since Red Hat 7.2. I found that the version that came with
Red Hat 9.0 wouldn't work for me (i.e. I couldn't upgrade to it) so I stuck
with the 7.2 version (2.0.13) till the end of Red Hat 9 support.
We are now running the 2.1.5 version that comes with Fedora but running it
on Red Hat Enterprise Linux (RHEL). I did however have to recreate all the
lists by hand in an overnight shift (what fun that was...) a few days before
leaving the country (hence the rush). At that time I didn't know I could
export the configuration (Doh!).
Red Hat have taken some packages out of RHEL, e.g. arpwatch and mysql-server
(although this is in the "extras" channel) even though these are in the
source RPM. Mailman is currently not included but might be being put back in
to RHEL 4.0. I would like to hope so, as I find 2.1.5 far superior to
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey(a)rnib.org.uk
To truly believe in Evolution requires complete faith that life has no
meaning. Fortunately there are billions of people who aren't that stupid.
On behalf of the development team, I'm pleased to announce the release
of GNU Mailman 2.1.6. This is a significant release, which includes
three important security patches, updated Chinese (zh_TW and zh_CN)
support, better compatibility with Python 2.4, a few new features, and
many bug fixes.
Mailman is free software for managing email mailing lists and
This release fixes CAN-2005-0202, a reported vulnerability in path
traversal in the private archive script. This release also provides an
option for sites to produce more cryptographically secure auto-generated
passwords, and it closes a potential cross-site scripting hole. Because
of the security (and other) fixes, it is highly recommended that all
sites upgrade to 2.1.6.
For more information, please see:
On a personal note, I owe a debt of gratitude to Tokio Kikuchi, who
served as release manager for 2.1.6, integrated countless patches, and
coordinated the Chinese language updates for this release. Please join
me in thanking him for helping out so much.
For links to download the Mailman 2.1.6 source tarball, see:
I want to know when the mbox archive is created for a list (in
I have already asked this question on the mailman-users list but nobody has
Jean-Philippe Giola - 6577
I'm running mailing lists for a nonprofit organization. We'd like to create
a customized newsletter. The idea is that subscribers would visit a
configuration page, and check off the topics that they're interested in.
Then, monthly or so, a customized newsletter would be generated for each
subscriber and mailed out.
Since I'm already administering a Mailman server, it struck me that
extending Mailman was the way to go. I'm only slightly familiar with
Python, but it would be my seventh or eighth language, so that doesn't
What I'd like to do is write a plugin. However, I have been unable to find
a description of a Mailman plugin API in dozens of web searches using
multiple engines. I find *references* to such an API going back four years,
but no actual documentation of one.
So: does the current Mailman support plugins? If not, what do you, the
Mailman developers, think of extending the package to support custom
newsletters? Any suggestions on where to start?
Thanks for reading.
Carl Fink postmaster(a)iconsf.org
I-Con System Administrator and Postmaster
The Mailman system I'm putting together has lists automatically
created/deleted depending on another database (i.e. the university
database defines what lists exist, and who owns them, and Mailman should
then match this).
I need to be able to store information about when the list was created
(this is used in the synchronization procedure). I could save this in
another text file, but that is something else to go wrong / get out of
synch. Therefore, is the following safe to do, (assuming I use a
variable that is unlikely to be used by Mailman itself)? Is there a
place I should be using instead of this (i.e. a dictionary in the object
    from Mailman import MailList

    m = MailList.MailList(listname, lock=1)
    m.uol_createddate = "something"
Matthew Newton <mcn4(a)le.ac.uk>
UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
On Wed, 2005-05-18 at 09:49, Graham Klyne wrote:
> This comment surprises me a little, as I am using postfix and I was
> experiencing access-related problems. However, following my initial
> installation, I did find that I had to change the file protection on the
> alias files [*], otherwise I was unable to use Mailman to create new
> mailing lists, so maybe that was my problem all along? (This being after
> encountering the previous problem and applying the "patch".)
Yes, you need to have both the aliases and the aliases.db file writable
by group mailman, and group owned by mailman. However, additionally,
the aliases.db file must be /user/ owned by mailman in order for Postfix
to execute the scripts with the proper permissions.
If that's not clear in the documentation (and enforced by check_perms)
then you should file a bug report so we can make sure those issues are
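
A check for the three conditions stated in the reply above, as an added example that is not Mailman's check_perms and not part of the original message. The function name is hypothetical, the alias file path is passed in by the caller, and the world-writable test is an extra check the message does not mention.

```python
import os
import stat


def check_alias_perms(aliases_path, mailman_uid, mailman_gid):
    """Return a list of problems for <aliases_path> and <aliases_path>.db."""
    problems = []
    for path in (aliases_path, aliases_path + ".db"):
        try:
            st = os.stat(path)
        except OSError as exc:
            problems.append("%s: cannot stat (%s)" % (path, exc.strerror))
            continue
        # Both files: group owned by mailman and writable by that group.
        if st.st_gid != mailman_gid:
            problems.append("%s: group is gid %d, expected %d"
                            % (path, st.st_gid, mailman_gid))
        if not st.st_mode & stat.S_IWGRP:
            problems.append("%s: not group-writable" % path)
        # Only the .db file must also be user-owned by mailman, because
        # Postfix runs the list scripts as the owner of that file.
        if path.endswith(".db") and st.st_uid != mailman_uid:
            problems.append("%s: owner is uid %d, expected %d"
                            % (path, st.st_uid, mailman_uid))
        # Extra check, not from the message: anyone who can write the alias
        # file can add entries that Postfix will act on.
        if st.st_mode & stat.S_IWOTH:
            problems.append("%s: world-writable" % path)
    return problems


if __name__ == "__main__":
    import grp
    import pwd
    import sys

    # Usage: pass the path of Mailman's alias file as the only argument.
    uid = pwd.getpwnam("mailman").pw_uid
    gid = grp.getgrnam("mailman").gr_gid
    for problem in check_alias_perms(sys.argv[1], uid, gid):
        print(problem)
```
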
I'm using the latest release candidate of Mailman and have a problem
with the search function. When the result from the search is more than
could be viewed on one page the result is divided into several pages
depending on the beginning character of the email address... but when I
want to view the results from the search beginning with anything other
than A (for example B) the search is forgotten and all members beginning
with B are shown instead of the ones I searched for. The problem is that
the links for the different characters only contain the get variable
"letter" and not "findmember" which is the variable posted by the search
Has anyone else had the same problem? Would be nice with a fix for this.