Re: [Mailman-Users] Some detail questions about migrating lists
Mark Sapiro wrote:
But here's the thing: the only occurrence of "frank.griffin@selectbs.com" on the fresh system is a .forward file in /root, /var/spool/postfix, and /home/ftg. The test message is sent from the 'ftg' ID whose home directory is /home/ftg.
Do you guys follow or look at .forward files ? If not, I can't imagine how mailman is getting hold of this address.
No. MDAs look at .forward files. Mailman doesn't know anything about them.
End of mystery.
My test machines all use a third-party relay server which requires "From:" to be one of a fixed set of pre-registered values. I handle this by using Postfix's "generic" file to rewrite the sender on outbound messages to the 'frank.griffin' address above. Apparently, it also rewrites the "Reply-To:" address.
Mailman was correctly setting "Reply-To:" to "listname<listaddress>". Postfix was rewriting "listaddress" to the fixed address from the "generic" file, thus causing the error I saw.
This won't affect the machines on which I actually run Mailman for production, so it appears that the porting procedure (augmented by fix_url) is successful. However, this can easily bite anyone who runs a server-type system at home and needs to conform to the sending policies of a commercial relay server.
Maybe worth an entry in the FAQ ?
Mark, thanks for your time and help in resolving this.
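An added illustration (not part of the original messages, and not Postfix or Mailman code): a simplified Python model of the generic-table rewrite described above, applied to a constructed message. The table contents, the domains and the catch-all `@domain` key are assumptions, since the thread does not show the real file.

```python
from email import message_from_string
from email.utils import formataddr, getaddresses

# Constructed stand-in for the "generic" table (the thread does not show the
# real file); a catch-all "@domain" key is assumed.
GENERIC = {"@testbox.example": "registered.sender@relay-customer.example"}
ADDRESS_HEADERS = ("From", "Reply-To")  # the two headers the thread discusses

# Constructed message, shaped like a list post with Reply-To set to the list.
SAMPLE = (
    "From: ftg@testbox.example\n"
    "To: testlist@testbox.example\n"
    "Reply-To: testlist <testlist@testbox.example>\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

def generic_lookup(addr, table):
    """Simplified lookup: full address first, then the @domain catch-all."""
    key = addr.lower()
    if key in table:
        return table[key]
    return table.get("@" + key.rpartition("@")[2], addr)

def rewrite_headers(raw, table):
    """Apply the table to each address header; return (message, changed names)."""
    msg = message_from_string(raw)
    changed = []
    for name in ADDRESS_HEADERS:
        pairs = getaddresses(msg.get_all(name, []))
        new_pairs = [(disp, generic_lookup(addr, table)) for disp, addr in pairs]
        if new_pairs != pairs:
            del msg[name]
            msg[name] = ", ".join(formataddr(p) for p in new_pairs)
            changed.append(name)
    return msg, changed

def captured_list_addresses(list_addrs, table):
    """Pre-deployment check: list addresses the table would rewrite."""
    return [a for a in list_addrs if generic_lookup(a, table) != a]

if __name__ == "__main__":
    msg, changed = rewrite_headers(SAMPLE, GENERIC)
    print(changed, msg["Reply-To"], sep="\n")
```

Running `captured_list_addresses` over a host's list addresses before enabling such a table shows which lists would have their reply address replaced by the registered sender.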
On 3/17/2008, Frank Griffin (ftg@roadrunner.com) wrote:
My test machines all use a third-party relay server which requires "From:" to be one of a fixed set of pre-registered values. I handle this by using Postfix's "generic" file to rewrite the sender on outbound messages to the 'frank.griffin' address above. Apparently, it also rewrites the "Reply-To:" address.
Yuck... why? Worst case is they should require secure smtp auth (with TLS), which does NOT require rewriting the headers.
--
Best regards,
Charles
Charles Marcus wrote:
On 3/17/2008, Frank Griffin (ftg@roadrunner.com) wrote:
My test machines all use a third-party relay server which requires "From:" to be one of a fixed set of pre-registered values. I handle this by using Postfix's "generic" file to rewrite the sender on outbound messages to the 'frank.griffin' address above. Apparently, it also rewrites the "Reply-To:" address.
Yuck... why? Worst case is they should require secure smtp auth (with TLS), which does NOT require rewriting the headers.
It's their billing model. Most ISPs refuse to support secure SMTP because of the perceived cost of encryption. The relayer does, but charges you twice as much for using TLS (actually, mails/bytes are billed against your account limit at 2x their value). But that's unrelated to...
the fixed-address stuff: they sell allowable addresses in blocks of 15, probably figuring that if you're representing more than 15 mail addresses, you're really a business and should be paying more. A real nuisance for Linux systems where every daemon and his brother sends mail with a different "From:" address.
On 3/17/2008, Frank Griffin (ftg@roadrunner.com) wrote:
It's their billing model. Most ISPs refuse to support secure SMTP because of the perceived cost of encryption. The relayer does, but charges you twice as much for using TLS (actually, mails/bytes are billed against your account limit at 2x their value). But that's unrelated to...
Most ISPs in the US simply allow relaying on their IP blocks...
But, they don't absolutely need to support *secure* smtp auth - basic smtp auth would be much better than using an easily forged 'From:' header...
I'd find another ISP/3rd party relay service...
--
Best regards,
Charles
Charles Marcus wrote:
Most ISPs in the US simply allow relaying on their IP blocks...
But, they don't absolutely need to support *secure* smtp auth - basic smtp auth would be much better than using an easily forged 'From:' header...
I'd find another ISP/3rd party relay service...
Relaying on their IP blocks isn't the problem. The problem is laptops when you travel outside of their IP blocks and still want to run your system in production mode, i.e. having daemons send email back home. That's when they shut you down. They don't seem to want the risk of basic SMTP auth being cracked or sniffed, so they just refuse to relay for anything outside their IP block, period, no matter what.
Since I don't want to have to reconfigure my laptop every time I leave home, I need the relay service. Because of that, it's also more convenient for use on my home machines, since the relayer is more lenient about what it thinks is spam or oversized mails. All my systems pretty much use the same configuration model that way.
On 3/17/2008, Frank Griffin (ftg@roadrunner.com) wrote:
They don't seem to want the risk of basic SMTP auth being cracked or sniffed, so they just refuse to relay for anything outside their IP block, period, no matter what.
<snip>
Since I don't want to have to reconfigure my laptop every time I leave home, I need the relay service.
I'm confused... above you say that they don't allow relaying from outside their network 'no matter what'... then you say you need their relay service while outside their IP block...
You appear to be saying that it is when sending from outside their IP block that they do this relay filtering based on an easily forged 'From:' header.
What I'm saying is that it is *much* easier to spoof a 'From:' header than to sniff/crack an unsecured smtp_auth session. Not that it's *hard* to sniff a plain text smtp_auth session - just that it's harder than spoofing a 'From:' header.
Any ISP that doesn't allow the use of TLS for sending while outside their networks is not to be trusted, so my original comment stands - I'd get another ISP if possible.
This has gone way OT for mailman though... sorry...
--
Best regards,
Charles
Charles Marcus wrote:
I'm confused... above you say that they don't allow relaying from outside their network 'no matter what'... then you say you need their relay service while outside their IP block...
The ISP and the third-party relayer are two different companies. I need the relay service because the ISP won't relay from outside their own block. The relayer doesn't have an IP block; you sign up, get an ID, pay, and do basic auth SMTP from anywhere.
You appear to be saying that it is when sending from outside their IP block that they do this relay filtering based on an easily forged 'From:' header.
No, they use basic auth.
Any ISP that doesn't allow the use of TLS for sending while outside their networks is not to be trusted, so my original comment stands - I'd get another ISP if possible.
Unfortunately, in the US, if you want cable (as opposed to satellite or DSL), you are at the mercy of whichever cable ISP owns the fiber to your house.