--On 8 June 2006 16:54:40 +0100 David Lee <t.d.lee@durham.ac.uk> wrote:
[...] It's far better to insist on authenticated SMTP for ALL message submission.
That would, indeed, probably be the ideal. But that would itself mean that all paths by which the Mailman machine might be reached would have to be known to have an enforced mechanism for authenticated SMTP. (And what about (say) "cron" jobs generating email which might legitimately go through lists?)
Well, I guess that a typical Message Submission Agent would require authenticated SMTP *except* for a list of specified (host IP, sender email address) pairs.
An institution's (university's) "smtphost" service might naturally restrict access to its own users and thus the authentication could use, say, its central NIS/AD/LDAP-like user-base. But its Mailman service might extend considerably beyond those bounds to include collaboration with other places, for which a much wider user-base would be needed. (Suppose, for instance, that this very "mailman-developers" list were hosted at your own university?)
True. But are you really asking people to email secrets around? If you are, then I presume you're going to encrypt communication between your MTAs? Otherwise none of this is going to gain you anything.
I presume you're going to have Mailman remove those tokens before delivery? Otherwise spoofing will be just as easy as before. To be honest, I'm skeptical about all of this. Do you have a history of people spoofing to your lists?
Even if those problems could be overcome, one would still need to ensure that Mailman can know for certain that authenticated SMTP had been used. Which takes us off to another branch (about Mailman API, milters, etc.) of this fragmenting discussion!...
-- Ian Eiloart IT Services, University of Sussex
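Added example (not from the thread or from Mailman itself) of the two points above: a list server deciding from the Received header whether a posting came in over authenticated SMTP, with a (host IP, sender) exemption list for things like cron jobs, and trusting only the header its own MSA added so a client-forged header cannot spoof the check. Hostnames, IPs and addresses are constructed; it assumes the message is inspected as handed over by a Postfix-style MSA whose "with" keyword follows RFC 3848.

```python
import re
from email import message_from_string

# Constructed configuration; hostnames, IPs and addresses are hypothetical.
TRUSTED_MSA = {"smtphost.example.ac.uk"}               # our own submission hosts
EXEMPT_PAIRS = {("192.0.2.20", "cron@example.ac.uk")}  # (client IP, envelope sender)

# Matches the Received header a Postfix-style MSA writes; the "with" keyword
# follows RFC 3848 (ESMTPA / ESMTPSA mean the client authenticated).
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\([^)]*\[(?P<ip>[\d.]+)\]\)\s+by\s+(?P<by>\S+)"
    r"\s+.*?\bwith\s+(?P<proto>E?SMTPS?A?)\b", re.S)

def submission_status(raw_message, envelope_sender):
    """Decide whether a posting reached our MSA over authenticated SMTP.

    Assumes the topmost Received header is the one our MSA added.  Only that
    header is believed: anything below it came from the client and may be forged.
    """
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        return "reject: no Received header"
    hop = RECEIVED_RE.search(received[0])
    if hop is None or hop.group("by") not in TRUSTED_MSA:
        return "reject: not handed over by a trusted MSA"
    if hop.group("proto") in ("ESMTPA", "ESMTPSA"):
        return "accept: authenticated submission"
    if (hop.group("ip"), envelope_sender) in EXEMPT_PAIRS:
        return "accept: exempt (host, sender) pair"
    return "reject: unauthenticated submission"

def sample_message(client_ip, proto, by="smtphost.example.ac.uk", forged=""):
    """Constructed test message with one Received header added by `by`;
    `forged` is an optional extra header the client itself could have inserted."""
    return (f"Received: from client.example.ac.uk (client.example.ac.uk [{client_ip}])\n"
            f"\tby {by} (Postfix) with {proto} id C0FFEE;\n"
            f"\tThu, 8 Jun 2006 16:54:40 +0100\n{forged}"
            "From: someone@example.ac.uk\nSubject: test\n\nhello\n")

# A client-supplied header claiming authentication; it sits below the MSA's own.
FORGED = ("Received: from client.example.ac.uk (client.example.ac.uk [192.0.2.10])\n"
          "\tby smtphost.example.ac.uk (Postfix) with ESMTPSA id FAKE;\n"
          "\tThu, 8 Jun 2006 16:00:00 +0100\n")

if __name__ == "__main__":
    print(submission_status(sample_message("192.0.2.10", "ESMTPSA"), "someone@example.ac.uk"))
    print(submission_status(sample_message("192.0.2.20", "ESMTP"), "cron@example.ac.uk"))
    print(submission_status(sample_message("192.0.2.10", "ESMTP", forged=FORGED), "someone@example.ac.uk"))
    print(submission_status(sample_message("198.51.100.7", "ESMTPSA", by="mx.elsewhere.example"), "x@y"))
```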