Mailman 3 September 2021 - Mailman-Developers

before next release: disable backscatter in default installation
by Jo Rhett Nov. 7, 2022

Nov. 7, 2022

Hi. There's a fairly simple problem here that needs to be addressed. And it's mostly a documentation/install problem. I'm hoping we can get this resolved before the next release. PROBLEM: Mailman comes out of the box ready to backscatter spam people. Yes, it's easy enough to fix. But because it comes stock this way, and is documented to install this way, most people install it to do this. Those of us who work in abuse departments are tired of hearing "well that's how Mailman works". We also object to having to teach people how to fix their mailman installations because it's not documented in the current manual. This is *exactly* like Sendmail 14 years ago. We didn't accept it then, and Sendmail fixed the problem. RESOLUTION: Mailman default installation should not backscatter in a default configuration. 1. Don't create backscatter aliases for subscribe/unsubscribe/etc by default. Nearly everyone uses web based signup. 2. Discard or hold messages from non-subscribers by default. I would think that it would be perfectly reasonable to have documentation on how to enable the 1980s-style -request / -subscribe etc aliases. However this documentation should have a note that this is against the AUP of nearly every network provider, and enabling it will likely cause them to get listed in various blacklists as a backscatter source. FYI: I know that this goes against the instincts of many old-time mailing list advocates here. But after dealing with a 10k/hour backscatter DoS my tolerance for this problem is understandably limited. Yes, it was a sweet day back in the 1980s. I was running a mailing list server and several UUCP gateways at the time, so I remember them well. But those days are past, and we need to deal with the reality of today. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness

21 168

Ann: Postorius 1.3.6b1 is now out
by Abhilash Raj Sept. 29, 2021

Sept. 29, 2021

Hey Everyone, I am pleased to announce that Postorius 1.3.6b1 is now out. This is the first pre-release for 1.3.6, which is slated to release next week soon after Mailman Core 3.3.5 release. This release requires Mailman Core 3.3.5 release, so if you are trying out this release, please also upgrade Mailman Core to 3.3.5rc1 (which was just released today). This release includes several new features and bug fixes. A full list of changes is available here[1]. With this release, we have also improved on the localization of the interface, if you want to help out before the release of the stable 1.3.6, please see the instructions for translators here[2]. We use Weblate for translations, so if you are familiar with that, you can directly head over there[3]. Since this is a pre-release version, you can install this using pip via: $ pip install --upgrade --pre postorius django-mailman3 mailmanclient Please also ensure to run the post-install commands as per the upgrade documentation[4] (commands _after_ pip install, needs a post-install heading/anchor in there :-). A release tarball is available on PyPI: https://pypi.org/project/postorius/1.3.6b1/#files Finally, thanks to all the folks who helped with this release in any capacity and made it possible. [1]: https://docs.mailman3.org/projects/postorius/en/latest/news.html#news-1-3-6 [2]: https://docs.mailman3.org/en/latest/translation.html [3]: https://hosted.weblate.org/projects/gnu-mailman/postorius/ [4]: https://docs.mailman3.org/en/latest/upgrade-3.2.html#virtualenv-install thanks, Abhilash

1 1

Ann: Mailman Core 3.3.5b1 is out
by Abhilash Raj Sept. 29, 2021

Sept. 29, 2021

Hello Everyone, I am pleased to announce that Mailman Core 3.3.5b1 is now out. It is a pre-release for 3.3.5, which is slated to come out in 3 weeks from now. I am planning for a 2 week beta period, after which I'll release the first RC and then stable a week after. Right now I am not planning to release a second beta version, but if there are several changes in Core in the next week or so, then I might. This release includes a lot of bug fixes and some new features. It also includes a security enhancement that improves the authentication of REST API by adding resistance to some timing channel attacks. A full list of changes in this version can be found here[1]. [1]: https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/docs/NEWS.… We have also made improvements in the i18n workflow and now the email templates are updated from the translated messages in the .po files that we get from Weblate. Documentation for translators is available here[2] if you want to help translate Mailman into your native language. [2]: https://docs.mailman3.org/en/latest/translation.html This is a pre-release version, if you want to test it with your setup, you can install it using: $ pip install --pre mailman==3.3.5b1 If you want to download a release tarball, you can do so from here: https://pypi.org/project/mailman/3.3.5b1/#files This release received a lot of contributions from community, which I am really happy about! I'd like to thank everyone who made this release possible! -- thanks, Abhilash Raj (maxking)

1 2

Docker-mailman 0.4.0 release
by Abhilash Raj Sept. 23, 2021

Sept. 23, 2021

Hey Everyone, I tagged and released 0.4.0 version of container images for Mailman. This release includes several fixes that have been accumulating in the repo for how Mailman is setup in the containers. This release does not include any mailman component version bump from 0.3.12 release. More specifically, the major change is that we no longer require static IP configuration in the container images (like previously) and can handle dynamic addresses that are allocated to the containers by Docker. This should help simplify the setup for folks using Kubernetes or other setup than the provided docker-compose files. The migration steps are documented here[1]. Please checkout the release in Github[2] for more details on the changes made in this release. If you are having issues with upgrading your setup to this release, please open an issue on the issue tracker[3] for help. [1]: https://asynchronous.in/docker-mailman/news/#upgrading-to-040-release [2]: https://github.com/maxking/docker-mailman/releases/tag/v0.4.0 [3]: https://github.com/maxking/docker-mailman/issues -- thanks, Abhilash Raj (maxking)

1 0

Django primer for Mailman admins
by Abhilash Raj Sept. 20, 2021

Sept. 20, 2021

Hey Everyone, This weekend I wrote some documentation[1] that I thought would be useful for Mailman admins when dealing with Django, since it is a frequent topic on -users list. The intent was to add only required information for admins to work with Mailman installs and provide enough pointers to right places, wherein more information can be found instead of duplicating them in Mailman's docs since it it often goes stale. Since the most common theme of questions are configuration (settings), management commands and deployment (running), I distributed the whole page in those three sections. If you as a system admin had to spend some time figuring out certain things about Django, it would be good to respond on this thread or just open a MR with additions to the page[1]. [1]: https://docs.mailman3.org/en/latest/django-primer.html I also made a small architecture diagram of the various components in a typical Mailman 3 install[2] since we didn't had any such existing diagram. Suggestions to this are also welcome. [2]: https://docs.mailman3.org/en/latest/architecture.html -- thanks, Abhilash Raj (maxking)

1 0

Freenode or Libera for IRC?
by Damian Johnson Sept. 16, 2021

Sept. 16, 2021

Hi all. I'm a prospective new contributor [1] presently running through the onboard process. Wikipedia transitioned from Freenode to Libera [2] which is run by Freenode's former operators [3]. I haven't paid further attention to their breakup drama, but Andrew Lee's post about a "Joseon Empire" on Freenode's frontpage [4] doesn't fill me with confidence. Just food for thought but has Mailman considered moving to Libera [5]? Cheers! -Damian [1] https://blog.atagar.com/ [2] https://meta.wikimedia.org/wiki/IRC/Migrating_to_Libera_Chat [3] https://www.kline.sh/ [4] https://freenode.net/ [5] https://libera.chat/

3 3

Mailman container images 0.3.12 is now out
by Abhilash Raj Sept. 5, 2021

Sept. 5, 2021

Hey Everyone, I have just tagged release 0.3.12 on Github for container images for Mailman 3[1]. This release includes the fix for CVE-2021-40347 that was announced earlier today. For the folks using 0.3 or 0.3.11 release tags, it is highly recommended that you upgrade to this release. This release also bumps the version of Mailman Core to 3.3.4, Mailmanclient to 3.3.3 and Django-mailman3 to 1.3.7. Note that is since the main and v0.3.12 branches are different in many ways, the default documentation[2] and the docker-compose.yaml files in the main branch aren't accurate if you are using the stable release. Please refer to the README[3] at v0.3.12 tag in the Github repo for more accurate docker-compose.yaml and documentation. The project has grown large enough that we need to start versioning the documentation, if someone has experience with versioning docs using Github pages and mkdocs, then I very much need some help here! For those of you who are using the rolling release, it is recommended that you **don't** upgrade to this stable release. The fixes have been pulled into the rolling tags too, so just make sure that you upgrade to the latest published version of rolling release, which as of this writing should be based off on fda837f8d15540e190992c30f7971f50fca54dac commit[4]. This might not be the latest by the time you upgrade if I add a new commit, so look for versions published after 4:00 PM PST 9/5/2021. I am also working on cutting a new release, 0.4.0, which is backwards incompatible with the setup required to talk to web server and MTA (hence the minor version bump!). That should bring the rolling releases and stable releases closer to each other and add improvements around not needing static IPs in the docker network anymore, plus several bug fixes. If someone wants to test the upgrade to 0.4.0 from 0.3 release and is willing to try out the instructions at [5], it would give me some confidence in cutting out the release sooner. The only thing stopping the release of 0.4.0 images is that I haven't verified if the upgrade from 0.3 is documented enough or not. For all the registries listed in README[6], I am still trying to push to Quay (maybe I need to just skip pushing to Quay :-). So, just use the other two to pull the images, Github (ghcr.io) has more generous pull download policy for un-authenticated users though. [1]: https://github.com/maxking/docker-mailman/releases/tag/v0.3.12 [2]: https://asynchronous.in/docker-mailman/ [3]: https://github.com/maxking/docker-mailman/tree/v0.3.12 [4]: https://github.com/maxking/docker-mailman/commit/fda837f8d15540e190992c30f7… [5]: https://asynchronous.in/docker-mailman/news/#upgrading-to-040-release [6]: https://github.com/maxking/docker-mailman#container-registries -- thanks, Abhilash Raj (maxking)

1 0

New vulnerability in Hyperkitty master branch
by Abhilash Raj Sept. 5, 2021

Sept. 5, 2021

Hey Everyone, A new vulnerability was reported against Hyperkitty’s git master branch branch which can expose the archives of a private Mailing List through the new Feeds API that was added to Hyperkitty recently to someone who isn't a member or logged-in. Thanks to Ngo Wei Lin for reporting this vulnerability. This bug does not affect any stable released version of Hyperkitty and only affects installations from source (1.3.5b1 version). To differentiate from the vulnerable version, I have bumped the version in master branch to 1.3.5b2, so if you have 1.3.5b1 installed, you should upgrade! The fix for this bug has been committed to master branch[1][2] less than an hour ago as of this writing. If you are using git branches to install Hyperkitty, you can upgrade using the following command: $ pip install --upgrade git+https://gitlab.com/mailman/hyperkitty@master I have also triggered a build for Mailman container images[3] with this changes, so if you are using the rolling container images (which are the only affected ones), then you should upgrade to the latest one when the build[1] finishes (approximately in next 30mins). Do note that this version of rolling release of mailman-web image also includes the fix for the vulnerability announced against Postoruis earlier today. You can verify that you have the fixed version of Hyperkitty in the image by running: $ docker run -it --entrypoint bash maxking/mailman-web:rolling bash-5.0# pip list | grep HyperKitty HyperKitty 1.3.5b2 Ensure that you get 1.3.5b2 version. [1]: https://gitlab.com/mailman/hyperkitty/-/merge_requests/362 [2]: https://gitlab.com/mailman/hyperkitty/-/commit/ed086015acbf66ba377e2af7f6e7… [3]: https://github.com/maxking/docker-mailman/runs/3519658592 -- thanks, Abhilash Raj (maxking)

1 0

CVE-2021-40347: New security release for Postorius
by Abhilash Raj Sept. 5, 2021

Sept. 5, 2021

Everyone, A security vulnerability was reported against Postorius recently which allows any logged-in user to unsubscribe any other member on any other list on same Mailman installation using a specially crafted POST request due to a missing ownership check. This has been assigned CVE-2021-40347. This affects all past versions of Postorius including 1.0.0. Thanks to Kunal Mehta for the security report and a quick patch to fix the vulnerability. I am also attaching a minimal patch that fixes it along with this email, without tests and NEWS so that it applies to older versions of Postorius easily (I have tested the included patch with 1.3.3, 1.3.2 git tags). Upgrading to 1.3.5 release is highly recommended and it mostly includes the fix for this vulnerability (and a small compatibility fix for django-mailman3 1.3.6) so it shouldn’t introduce any other bugs. You can upgrade to this release by running: $ pip install postorius==1.3.5 A full change log is available here[1] as usual and can be downloaded from PyPI[2]. [1]: https://docs.mailman3.org/projects/postorius/en/latest/news.html#news-1-3-5 [2]: https://pypi.org/project/postorius/1.3.5/ Since there aren't many changes, this release requires 3.5+ like 1.3.4. Although, note that the next release will drop support for 3.5 and will support 3.6 only. For those of you who use container images, I am working on 0.3.12 of container images right now, so look out for that announcement. For those of you using the rolling releases, you can already upgrade to the latest version of the rolling release as it has the fix. -- thanks, Abhilash Raj (maxking)

1 0