Hi Stephen, I can't do that because maybe the sender is on another MTA and the Mailman server can't force them to authenticate. Is this a weak point of Mailman? Best regards, Huu Hien
From: Stephen J. Turnbull [stephen@xemacs.org]
Sent: Saturday, October 31, 2009 12:28 PM
To: Hien HUYNH HUU
Cc: mailman-users@python.org
Subject: [Mailman-Users] Fake Email
Hien HUYNH HUU writes:
I recognize that Mailman can accept a fake sender. For example, I have a mailing list where only one email account (xyz@abc.com) can send messages to all the emails in the list. But if someone sends a fake "From" address of xyz@abc.com, Mailman will deliver the messages to the list. This is a security problem. Can we prevent this from happening?
Mailman is too far "downstream" to do this very effectively. It is possible to set up Mailman so that all posts will be moderated except those containing an "Approved: PASSWORD" header. This header is then stripped from the distributed version. However, such passwords can be leaked in various ways or sniffed from the mail in the transport between the sender and Mailman. It's not terribly secure.
A better way to do this would be to set up the MTA on Mailman's host to only deliver to the list address (i.e., Mailman) if the sender has been authenticated (e.g., with TLS).
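The MTA-side arrangement Stephen describes, written out as a Postfix configuration, is shown below. It is an added example, not part of the thread or of Mailman itself, and it assumes Postfix with SASL and/or TLS client-certificate authentication already working, a list address of announce@lists.example.com and map files under /etc/postfix (all of these names are assumptions). The idea is a per-recipient restriction class: mail addressed to the list is accepted only from an authenticated client whose login is allowed to use the sender address, while every other recipient keeps the normal restrictions.

```conf
# /etc/postfix/main.cf (excerpt) -- added example, not from the thread

# Restriction class applied only to recipients listed in the access map.
# Order matters: the first matching rule decides, and the trailing
# "reject" means unauthenticated clients never reach the list.
smtpd_restriction_classes = list_auth_only
list_auth_only =
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    permit_tls_clientcerts,
    reject

# Look up the recipient before the usual rules, so that the list
# address gets the stricter class and everything else falls through.
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/list_recipient_access,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Which SASL login may use which envelope sender address; backs
# reject_sender_login_mismatch above. Note this binds the envelope
# (MAIL FROM) sender to the login, not the From: header.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login

# Required for permit_tls_clientcerts: request a client certificate
# and list the fingerprints that are trusted.
smtpd_tls_ask_ccert = yes
relay_clientcerts = hash:/etc/postfix/relay_clientcerts

# /etc/postfix/list_recipient_access (run: postmap /etc/postfix/list_recipient_access)
# announce@lists.example.com    list_auth_only

# /etc/postfix/sender_login (run: postmap /etc/postfix/sender_login)
# xyz@abc.com    xyz
```

Two caveats a practitioner would check. First, the per-recipient class is consulted before permit_mynetworks, so hosts on the local network are also rejected unless they authenticate; that is deliberate here, since the goal is that only the authenticated poster can reach the list. Second, Postfix enforces the envelope sender, not the From: header Mailman displays, so this stops a spoofed envelope from an unauthenticated client but a logged-in user could still write any From: header; if that matters, the sender-login map should be paired with Mailman's own sender checks rather than replace them.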