Will Yardley wrote:
> On Tue, Nov 13, 2012 at 04:03:32PM -0200, Rodrigo Abrantes Antunes wrote:
>> In my case, I found that the return-path header is the address of the original sender, so how could I add a rule in mailman to deny posts with return-path's address that are not members?
>
> The envelope-sender can also be spoofed trivially.
>
> If you want to prevent someone from sending email as someone who *is* approved to post to the list, I think your safest bet is to require approval for all posts to the list -- in other words, set the action for posts by moderated members allowed to post to 'hold', and have the moderate bit set even for users who are allowed to post.
Yes. As indicated in the FAQ I referred to in my original reply, the safe way to do this is to moderate everyone or otherwise arrange for all list posts to be held. Then authorized posts can be sent with an Approved: <password> header or first body line pseudo-header to bypass the hold. <password> is the list admin password, the moderator password or, beginning in Mailman 2.1.15, the special list poster password.
If you are the site admin, you can require that only the envelope sender (the address reflected in Return-Path:) be recognized in determining list membership by putting
SENDER_HEADERS = (None,)
in mm_cfg.py. See the documentation for this setting in Defaults.py.
It would probably also be possible to create a regexp for header_filter_rules that would match only when the Return-Path: address and the From: address were different and to use that to deal with such posts. But, that wouldn't handle the case where both From: and envelope sender were spoofed with the same address.
-- 
Mark Sapiro mark@msapiro.net          The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
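
Added example, not part of the original message and not Mailman's own code: a Python triage of the policy discussed above, where every post is held unless it carries a matching Approved: header, and a Return-Path/From mismatch is only a hint. The member list, the password and the helper names are assumptions, and the sample messages are constructed.

```python
import hmac
from email import message_from_string
from email.utils import parseaddr

MEMBERS = {"alice@example.org"}         # constructed membership list
POSTER_PASSWORD = "constructed-secret"  # constructed stand-in for the poster password

def addr(value):
    """Return the lower-cased bare address from a header value, or ''."""
    return parseaddr(value or "")[1].lower()

def triage(raw):
    """Classify one raw post. Hypothetical helper, not a Mailman API."""
    msg = message_from_string(raw)
    env = addr(msg["Return-Path"])
    frm = addr(msg["From"])
    approved = (msg["Approved"] or "").strip().encode()
    # Only knowledge of the password releases a post from the hold.
    if approved and hmac.compare_digest(approved, POSTER_PASSWORD.encode()):
        return "accept: valid Approved header"
    if env != frm:
        return "hold: Return-Path and From differ"
    if env not in MEMBERS:
        return "hold: non-member"
    # Both values agree and name a member, but both are sender-controlled,
    # so agreement proves nothing about who sent the message.
    return "hold: member address, unauthenticated"

def make(env, frm, approved=None):
    """Build a constructed sample message."""
    head = f"Return-Path: <{env}>\nFrom: {frm}\nSubject: test\n"
    if approved:
        head += f"Approved: {approved}\n"
    return head + "\nbody\n"

SAMPLES = {
    "mismatch": make("mallory@example.net", "Alice <alice@example.org>"),
    "both_spoofed": make("alice@example.org", "Alice <alice@example.org>"),
    "approved": make("alice@example.org", "alice@example.org", POSTER_PASSWORD),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", triage(raw))
```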