Re: [Mailman-Users] Blocking messages from kijiji (SENDER_HEADERS solution interferes with logging?)
On Thu, Oct 27, 2011 at 10:07 AM, francis picabia <fpicabia@gmail.com> wrote:
On Thu, Oct 27, 2011 at 9:54 AM, francis picabia <fpicabia@gmail.com> wrote:
On Thu, Oct 27, 2011 at 9:37 AM, francis picabia <fpicabia@gmail.com> wrote:
Hello,
We run a mailing list for staff which should not receive email from outside of the list membership.
The only non-member address allowed to post is another mailing list.
Today we received a post from post@kijiji.ca and it made it through to the list.
I see this in the post log file:
Oct 26 18:21:41 2011 (2999) post to fyi from post@kijiji.ca, size=5293, message-id=<1190302152.2079281319664066415.JavaMail.root@kj-classy012>, success
We've tested this with a second small membership and restricted mailing list for our IT staff, and again a post from kijiji gets through.
If we email from a gmail account or something, it is blocked as expected.
In kijiji interface, they allow you to set up the sender, and this is likely passing the test for the sender, but it is only the sender in the envelope, which isn't reported in mailman (nor Postfix in what I saw).
We've been running the same mailman 2.1.9 from Redhat for a few years and there has never been a problem like this before.
I think we would prefer if both the sender From: and the envelope sender had to match, or had to both be allowed to post.
Adding the post@kijiji.ca address to the rejected senders did not block them, which isn't surprising as it is looking at the other subscribed sender.
Anyone else have experiences with that or suggested approaches?
I looked at older postings in this mailing list and it appears this is a solution:
Quoting Mark Sapiro:
If this is your Mailman installation, you could try putting
SENDER_HEADERS = (None,)
in mm_cfg.py. This would say that the post is considered to be from a member only if the envelope sender is a member."
I'll try this.
On second thought what we needed is similar, but probably:
SENDER_HEADERS = ('from')
Would there be problems "from" this?
For internal emails we already use canonical_maps in postfix to standardize the from address into something predictable.
This works, but of course it has caught someone using another unconventional list with a problem of the sort: "but it always worked this way before".
I check out the /var/log/maillog area for signs the user is caught by this change, but oddly, nothing is appearing in the logs. It appears than restricting the SENDER_HEADERS this way causes no logging on the mailman end. Is there a way to fix this?
On Thu, Oct 27, 2011 at 11:22 AM, francis picabia <fpicabia@gmail.com> wrote:
On Thu, Oct 27, 2011 at 10:07 AM, francis picabia <fpicabia@gmail.com> wrote:
On Thu, Oct 27, 2011 at 9:54 AM, francis picabia <fpicabia@gmail.com> wrote:
On Thu, Oct 27, 2011 at 9:37 AM, francis picabia <fpicabia@gmail.com> wrote:
Hello,
We run a mailing list for staff which should not receive email from outside of the list membership.
The only non-member address allowed to post is another mailing list.
Today we received a post from post@kijiji.ca and it made it through to the list.
I see this in the post log file:
Oct 26 18:21:41 2011 (2999) post to fyi from post@kijiji.ca, size=5293, message-id=<1190302152.2079281319664066415.JavaMail.root@kj-classy012>, success
We've tested this with a second small membership and restricted mailing list for our IT staff, and again a post from kijiji gets through.
If we email from a gmail account or something, it is blocked as expected.
In kijiji interface, they allow you to set up the sender, and this is likely passing the test for the sender, but it is only the sender in the envelope, which isn't reported in mailman (nor Postfix in what I saw).
We've been running the same mailman 2.1.9 from Redhat for a few years and there has never been a problem like this before.
I think we would prefer if both the sender From: and the envelope sender had to match, or had to both be allowed to post.
Adding the post@kijiji.ca address to the rejected senders did not block them, which isn't surprising as it is looking at the other subscribed sender.
Anyone else have experiences with that or suggested approaches?
I looked at older postings in this mailing list and it appears this is a solution:
Quoting Mark Sapiro:
If this is your Mailman installation, you could try putting
SENDER_HEADERS = (None,)
in mm_cfg.py. This would say that the post is considered to be from a member only if the envelope sender is a member."
I'll try this.
On second thought what we needed is similar, but probably:
SENDER_HEADERS = ('from')
Would there be problems "from" this?
For internal emails we already use canonical_maps in postfix to standardize the from address into something predictable.
This works, but of course it has caught someone using another unconventional list with a problem of the sort: "but it always worked this way before".
I check out the /var/log/maillog area for signs the user is caught by this change, but oddly, nothing is appearing in the logs. It appears than restricting the SENDER_HEADERS this way causes no logging on the mailman end. Is there a way to fix this?
I've now removed the SENDER_HEADERS configuration. It was interfering with too much delivery to our lists which should have gone through, and without logging in mailman, I don't know why.
francis picabia wrote:
On second thought what we needed is similar, but probably:
SENDER_HEADERS = ('from')
Would there be problems "from" this?
It should be
SENDER_HEADERS = ('from',)
The comma is important. It makes SENDER_HEADERS a tuple with one member. Without the comma, SENDER_HEADERS would be the string 'from' and the code which looks at all the headers in SENDER_HEADERS would look at the 'f', 'r', 'o' and 'm' headers and would find no senders so all posts would be non-member posts.
For internal emails we already use canonical_maps in postfix to standardize the from address into something predictable.
This works, but of course it has caught someone using another unconventional list with a problem of the sort: "but it always worked this way before".
I check out the /var/log/maillog area for signs the user is caught by this change, but oddly, nothing is appearing in the logs. It appears than restricting the SENDER_HEADERS this way causes no logging on the mailman end. Is there a way to fix this?
The post should have been handled via generic_nonmember_action and whatever action was taken, it should have been logged in Mailman's 'vette' log, unless there was some other problem causing an exception logged with a traceback in Mailman's 'error' log.
I've now removed the SENDER_HEADERS configuration. It was interfering with too much delivery to our lists which should have gone through, and without logging in mailman, I don't know why.
If you put the correct
SENDER_HEADERS = ('from',)
in mm_cfg.py, it should work.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
participants (2)
-
francis picabia -
Mark Sapiro