
Mark Sapiro writes:
On 5/22/22 00:17, Jayson Smith wrote:
I run a Mailman 2 list for an organization of writers with disabilities. Recently our president has become concerned that some people wanting to join the group may not be responding to the standard Mailman subscription confirmation message
@Jayson Is this especially a problem for people with disabilities, as compared to new subscribers in general?
In fact, I expect the answer is "no". But I think it's worth trying to improve this in Mailman 3 for the general population, too, and if we can improve this in a more accessible way I would like to be aware of it.
By default, confirmation requests are sent with From: and Subject: like
From: listname-request@example.com
Subject: confirm+the_hex_token
If you, or the installation sets
VERP_CONFIRMATIONS = Yes
in mm_cfg.py, they will be sent like
From: listname-confirm+the_hex_token
@Mark This is "From: listname-confirm+the_hex_token@EXAMPLE.COM", right? I'm not sure that's much better, especially in Jayson's situation where the email address and the organization are hard to associate with each other.
Not really. Person C can still send email to person B spoofing person A. In your scenario, upon receiving email allegedly from person A, person B would need to respond to person A asking for confirmation and receive confirmation from person A before adding person A to the list.
Note that the point of this multipart handshake is that email itself is insecure; it is rather easy to fake authorship of an email message well enough to get past someone who is not well-versed in email arcana. It is much harder to fake the ability to read from a mailbox.
So it's really not possible to omit the "send token" and "receive confirmation" steps if you want to be sure the person who requests a subscription has the right to request people send stuff to the mailbox.
Steve
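
The token handshake discussed in this thread, as an added Python sketch (not Mailman's code and not part of the original messages): the claimed sender of a request is never trusted, and a subscription completes only when the random token mailed to that address comes back. The class name `PendingSubscriptions`, the three-day lifetime and the sample addresses are assumptions; the confirm address follows the `listname-confirm+token` shape quoted above.

```python
import secrets
import time

PENDING_TTL = 3 * 24 * 3600  # assumed lifetime of a pending request, in seconds


class PendingSubscriptions:
    """Toy pending-request store illustrating the handshake (hypothetical)."""

    def __init__(self, listname, domain):
        self.listname = listname
        self.domain = domain.lower()
        self._pending = {}  # token -> (claimed address, expiry time)

    def request(self, claimed_address, now=None):
        """Record a request and return the confirm address that is mailed
        to claimed_address. Whoever sent the request never sees the token
        unless they can read that mailbox."""
        now = time.time() if now is None else now
        token = secrets.token_hex(20)  # 160 bits, not guessable
        self._pending[token] = (claimed_address.lower(), now + PENDING_TTL)
        return f"{self.listname}-confirm+{token}@{self.domain}"

    def confirm(self, reply_recipient, now=None):
        """Handle mail addressed to a confirm address. Returns the address
        to subscribe, or None if the token is unknown, used or expired."""
        now = time.time() if now is None else now
        local, _, domain = reply_recipient.partition("@")
        prefix = f"{self.listname}-confirm+"
        if domain.lower() != self.domain or not local.startswith(prefix):
            return None
        entry = self._pending.pop(local[len(prefix):], None)  # single use
        if entry is None:
            return None
        address, expiry = entry
        return address if now <= expiry else None


if __name__ == "__main__":
    subs = PendingSubscriptions("writers", "example.com")
    # Constructed scenario: person C spoofs a request in person A's name.
    confirm_addr = subs.request("personA@example.org")
    guess = "writers-confirm+" + "0" * 40 + "@example.com"
    print("C guessing a token:", subs.confirm(guess))
    print("A replying from the mailbox:", subs.confirm(confirm_addr))
    print("replay of the same token:", subs.confirm(confirm_addr))
```
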