approval password linked to sender rather than list?
Background: Currently majordomo, but rapid switch to Mailman being considered. About 20,000 users. Over 2,000 lists, the majority being "announcement" with very limited numbers of permitted senders. Have been majordomo-based for many years. Recent spoof email jumped the priority of a potential majordomo->Mailman transition to very high. Installed Mailman 2.1.5 (that version simply for local proof-of-concept convenience). Would anticiapate running latest stable version. Very new to running a Mailman service (be gentle!).
Executive summary of query:
The existing "Approved:" mechanism needs a password shared in common across multiple people (which feels poor and doesn't scale well) and across multiple lists (again, scaling problems). Is there a facility, or plans for such, for each permitted sender to have (optionally) their own password, useable across many lists? (Note the numbers, and high proportion of limited access "annnouncement" lists in the above.)
Details of query:
I've read the FAQ. The nearest items to my query seem to be 3.11, 3.34, 3.46 etc.
Our recent problem was a spoof email through Majordomo, via a small number of large lists to the entire institution, spoofing the "From:" of a valid Majordomo "posters" email address. The Mailman "Approved:" mechanism looks as if it should address much of this (but not as much as might be possible: see below).
With Mailman, I've done an "Approved:" proof-of-concept demo: two lists, same list password; moderation switched on for everybody. Proved the working of: Approved: <list password>
(1) being able to bypass the moderation function (good); (2) its absence or error being diverted to moderator (good).
So our genuine posters can use "Approved:" and the email would go straight through, whereas the spoofer wouldn't be able to do this and the request would be diverted (very good!) to the various list moderators.
BUT...
... in the environment described above we can see major benefits of a somewhat different authorisation slant.
Problem: A spoof to many lists would go to many moderators within a list and across lists, requiring coordination of moderators within a list, and consistent action of one or more moderators per list across the lists. Very poor scaling at a large site (with many clusters of many lists).
Suggestion: An approval process to allow a sender-based password. So something like:
From: permitted.poster.1@our.site # may or may not be spoofed To: list1@our.site, list2@our.site, list3@our.site, ...
Approved: <pw belonging to "permitted.poster.1">
and also that pw being potentially shareable across multiple lists.
This doesn't seem possible at present (v 2.1.5). But it seems related to FAQ 3.46, in particular section "A password scheme could potentially be implemented ...".
Is it yet possible?
(Assuming not, then ...)
List subscribers can already have passwords attached to their membership of a particular list, but this is (I understand) only for subscription maintenance, not for posting authorisation. So the concept of password linked to email address is already present in Mailman.
It would seem reasonable to extend Mailman to have a variant of the "Approved:" scheme (albeit with its inherent weak authentication) in which the password is associated with each "permitted.poster.1" sender name to discriminate a real sender from the spoofer.
Does that seem reasonable? What are the drawbacks (those that would have significantly worse problems/weaknesses than existing mechanisms)? Comments?
If it is possible now (i.e. I have overlooked the relevant documentation), please point me in the correct direction, to documentation etc.
If not yet possible, but acceptable in theory (perhaps with amendments), then we would hope to consider volunteering some effort into coding it.
--
: David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : Durham University : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. :
At 10:01 AM +0100 2006-05-15, David Lee wrote:
Is there a facility, orplans for such, for each permitted sender to have (optionally) their own password, useable across many lists?
This is a very good question. I'm glad you brought it to this list.
I'm pretty sure that there is no facility in Mailman today to achieve what you're looking for. I see no problem with the concept, but I will let others answer the technical issues of how it might be done, etc....
If you haven't done so already, I would encourage you to file this as a Request For Enhancement on the Mailman SourceForge page at <http://sourceforge.net/tracker/?group_id=103&atid=350103>.
Problem: A spoof to many lists would go to many moderators within a list and across lists, requiring coordination of moderators within a list, and consistent action of one or more moderators per list across the lists. Very poor scaling at a large site (with many clusters of many lists).
Yup. Getting the list moderators/admins to act in a consistent manner is an issue regardless of the size of the list or the number of lists.
We have similar issues with just the mailman-users and mailman-developers lists on python.org, and they are much less numerous than what you're talking about, and the lists are also much smaller. Sometimes I'll approve a post for the mailman-developers list that I think is marginal as to whether or not it belongs on that list and sometimes I'll let it sit for a few days and see if one of the other moderators/admins will take a decision.
I try to follow the guidelines that we've agreed for moderating and administering the lists, but I don't always remember what they are, and I don't always make the decision in a way that the other moderators/admins would have agreed with.
I'm not convinced that having per-user approval passwords would help the moderators act in a more consistent manner, but it certainly wouldn't hurt.
This doesn't seem possible at present (v 2.1.5). But it seems related to FAQ 3.46, in particular section "A password scheme could potentially be implemented ...".
Is it yet possible?
Not so far as I know, and I'm not aware of it being on the official plan of things to be fixed in the upcoming versions (either 2.2 or Mailman3), but certainly something that could potentially be done.
Does that seem reasonable?
I think so. It would reduce the probability of someone being able to guess the list approval password, which can sometimes leak out via unexpected channels.
What are the drawbacks (those that would havesignificantly worse problems/weaknesses than existing mechanisms)?
About the only thing I can think of that might be an issue would be that there would now be more data to manage, and of course the problem of feeping creaturism.
If not yet possible, but acceptable in theory (perhaps with amendments), then we would hope to consider volunteering some effort into coding it.
If you code such a feature (or have it done for you), and then upload that to the Mailman patch page on SourceForge at <http://sourceforge.net/tracker/?group_id=103&atid=300103>, you would be much more likely to get this feature incorporated into a future version of Mailman.
This isn't to say that you would be guaranteed to get this feature incorporated, as there are many patches which have been uploaded that have not found their way into the main code base. But uploading your patch would greatly increase your chances.
-- Brad Knowles, <brad@stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755LOPSA member since December 2005. See <http://www.lopsa.org/>.
On Mon, 15 May 2006, Brad Knowles wrote:
At 10:01 AM +0100 2006-05-15, David Lee wrote:
Is there a facility, orplans for such, for each permitted sender to have (optionally) their own password, useable across many lists?
This is a very good question. I'm glad you brought it to this list.
I'm pretty sure that there is no facility in Mailman today to achieve what you're looking for. I see no problem with the concept, but I will let others answer the technical issues of how it might be done, etc....
Glad it seems reasonable. Thanks.
If you haven't done so already, I would encourage you to file this as a Request For Enhancement on the Mailman SourceForge page at <http://sourceforge.net/tracker/?group_id=103&atid=350103>.
Thanks. Done.
I'm not convinced that having per-user approval passwords would help the moderators act in a more consistent manner, but it certainly wouldn't hurt.
Hm? The idea is that the genuine sender should be able to avoid moderation in the first place.
As an aside, is there a way to do "Approved:" as a header (rather than as first line of message-body) if the client is Outlook? OWA?
What are the drawbacks (those that would havesignificantly worse problems/weaknesses than existing mechanisms)?
About the only thing I can think of that might be an issue would be that there would now be more data to manage, and of course the problem of feeping creaturism.
Thanks. Being new to Mailman (although with (too) many years' worth of Majordomo behind me) I wanted to do a basic sanity-check of the idea itself.
If not yet possible, but acceptable in theory (perhaps with amendments), then we would hope to consider volunteering some effort into coding it.
If you code such a feature (or have it done for you), and then upload that to the Mailman patch page on SourceForge at <http://sourceforge.net/tracker/?group_id=103&atid=300103>, you would be much more likely to get this feature incorporated into a future version of Mailman.
Thanks.
The big question is: which version should we base it on? We would be looking to put into into local production (assuming we did it) fairly soon, but also be looking to get it incorporated into future versions. So Mm 2.1.x? 2.2.x? How different are those two versions? (I'm assuming not 3.x because that seems to be some way off yet.)
Thanks again.
--
: David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : Durham University : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. :
At 5:59 PM +0100 2006-05-15, David Lee wrote:
I'm not convinced that having per-user approval passwords would help the moderators act in a more consistent manner, but it certainly wouldn't hurt.
Hm? The idea is that the genuine sender should be able to avoid moderation in the first place.
That's not what I was referring to. I was referring to the things that would wind up in the moderator queue (potentially due to lack of appropriate password), and how those might be handled in an inconsistent manner.
Whether it's a per-sender approval password or a per-list approval password, once you're past the automated system and your post is approved, then the moderators aren't going to see or touch it.
However, while I see some advantages to allowing this route as an optional alternative, I think the bigger problem is the inconsistency in the way the moderators will tend to handle the stuff that gets dumped into their queue.
Unfortunately, I'm not sure there's much you can do to try to solve that part of the problem. ;)
As an aside, is there a way to do "Approved:" as a header (rather than as first line of message-body) if the client is Outlook? OWA?
I'm not familiar with those clients. Others on the list might be more familiar with them, but you might also want to see if there are other mailing lists, forums, FAQs, etc... that would be oriented towards the specific clients you're interested in.
The big question is: which version should we base it on?
Start with the latest current version -- 2.1.8. If the feature is going to be incorporated into a future version then Tokio, Mark, or Barry can do any necessary work that might be required to bring it into whatever version they're working on.
But I would strongly encourage you to make sure you follow the same style and programming methods, so that the amount of work needed to integrate your suggested feature would be minimized.
We would belooking to put into into local production (assuming we did it) fairly soon, but also be looking to get it incorporated into future versions.
Understood.So Mm 2.1.x? 2.2.x? How different are those two versions? (I'm assuming not 3.x because that seems to be some way off yet.)
I think 2.2.x is still in fairly formative stages right now, and anything that would be required to bring the code up from the 2.1.8 baseline to 2.2.x should be something that Tokio, Mark, or Barry can do as needed.
-- Brad Knowles, <brad@stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755LOPSA member since December 2005. See <http://www.lopsa.org/>.
On 5/15/06, David Lee <t.d.lee@durham.ac.uk> wrote:
List subscribers can already have passwords attached to their membership of a particular list, but this is (I understand) only for subscription maintenance, not for posting authorisation. So the concept of password linked to email address is already present in Mailman.
It would seem reasonable to extend Mailman to have a variant of the "Approved:" scheme (albeit with its inherent weak authentication) in which the password is associated with each "permitted.poster.1" sender name to discriminate a real sender from the spoofer.
On the surface, this seems pretty reasonable. It ought to be easy to amend the bits that checked Approved: against the moderator/admin password to also check against the user password.
For your purposes (*all* users must include a pssword), I think, this is trivial:
in Mailman/Handlers/Approve.py, on or about line 108, change:
if passwd is not missing and mlist.Authenticate((mm_cfg.AuthListModerator, mm_cfg.AuthListAdmin), passwd):
to: --BEGIN-- if passwd is not missing and mlist.Authenticate((mm_cfg.AuthListModerator, mm_cfg.AuthListAdmin, mm_cfg.AuthUser), passwd, msg.get_sender()): --END--
(without, of course --BEGIN-- and --END--). That said, I don't really know Python, nor am I intimately familiar with the Mailman codebase, so you might want to wait for someone more knowledgable to vette this 'solution.'
And, of course, when/if you upgrade, you'll need to re-do this, since Approve.py will get overwritten.
--
- Patrick Bogen
participants (3)
-
Brad Knowles -
David Lee -
Patrick Bogen