On 11/6/22 14:36, mirabilos mirabilos wrote:
So, when is this going to be fixed in Mailman 3?
We have the end of 2022, and this bug from 2008 is still unfixed. I was able to generate backscatter to arbitrary addresses (Envelope-FROM) by sending (Envelope-RCPT) to an eMail address whose localpart is a nōn-existent list and whose domain is a server running Mailman 3 (stock from Debian).
Thanks to this, the list server was just blacklisted by its provider, which is a very unfortunate situation.
So, what can be done about this? Why can Mailman not just generate a list of valid addresses, which Postfix can then use? Ideally even via PostgreSQL to avoid the need for reloads (AIUI).
Mailman does this. Mail to an invalid address does not get delivered to Mailman because the invalid address is not in Mailman's generated aliases for Postfix or recognized by the recommended mailman router for Exim.
Why in your example did Postfix treat the RCPT TO that was not a valid list address differently than any other invalid address in RCPT TO? I.e. Postfix should be rejecting that RCPT TO at SMTP time with "unknown user" or some similar error. What did Postfix do in your case.
Also, beginning in Mailman 3.3.6, even in unusual configurations where
an MTA might deliver an invalid recipient to Mailman's LMTP runner, The
runner will reject the invalid RCPT TO during LMTP. See New Features
at
https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/docs/NEWS.h...
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan