Envelope address vs. From: header addresses
Hi,
Several organizations I participate in use Kavi as the "collaborative" platform, which includes email reflectors (see www.kavi.com). Kavi is in the middle of transitioning between two versions (Kavi Workspace 5 (WS5) to Kavi Workspace 6 (WS6)).
WS5 uses a modified version of ezmlm for its reflectors. Either ezmlm or the modifications done to it use the "envelope address" (the operand of the SMTP MAIL FROM: command) to verify that the sender is a member of the list. If the envelope address is not a list member, it generates a reject/bounce message which (oddly) uses the operand of the From: header in creating text along the lines of "<so-and-so> is not a member of this list."
WS6 uses mailman. I believe that mailman doesn't suffer from this problem (that is, mailman checks list membership based on the header From: address, not the envelope from address).
Can someone verify with authority that this is the case?
(And, OT for this list, does anyone have any insight into why Kavi's ezmlm implementation is acting this way? FYI, email sent via Amazon AWS SES is sent with an envelope address unique per email (it's explicitly different from the From: header address).)
Thanks.
Adam Goldberg
AGP, LLC
+1-202-507-9900
On 01/03/2017 11:03 AM, Adam Goldberg wrote:
WS6 uses mailman. I believe that mailman doesn't suffer from this problem (that is, mailman checks list membership based on the header From: address, not the envelope from address).
Can someone verify with authority that this is the case?
When Mailman checks list membership, it tests the things listed in the installation's config (mm_cfg.py) setting for SENDER_HEADERS, the default for which is
From:
envelope sender
Reply-To:
Sender:
in that order. If one of those contains a list member address, the first member address found is considered the poster for list membership/moderation purposes. Otherwise the post is from a non-member.
(And, OT for this list, does anyone have any insight into why Kavi's ezmlm implementation is acting this way? FYI, email sent via Amazon AWS SES is sent with an envelope address unique per email (it's explicitly different from the From: header address).)
Some things use envelope sender for verification as it is (or once was) considered more difficult to spoof.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Mark,
Thanks for the quick response. From what I can see in Defaults.py in my installation of Mailman, one could 'break' Mailman the same way Kavi's ezmlm installation is broken by merely setting USE_ENVELOPE_SENDER=yes.
(excerpt from Defaults.py)

# When allowing only members to post to a mailing list, how is the sender of
# the message determined?  If this variable is set to Yes, then first the
# message's envelope sender is used, with a fallback to the sender if there is
# no envelope sender.  Set this variable to No to always use the sender.
#
# The envelope sender is set by the SMTP delivery and is thus less easily
# spoofed than the sender, which is typically just taken from the From: header
# and thus easily spoofed by the end-user.  However, sometimes the envelope
# sender isn't set correctly and this will manifest itself by postings being
# held for approval even if they appear to come from a list member.  If you
# are having this problem, set this variable to No, but understand that some
# spoofed messages may get through.
USE_ENVELOPE_SENDER = No

# Membership tests for posting purposes are usually performed by looking at a
# set of headers, passing the test if any of their values match a member of
# the list.  Headers are checked in the order given in this variable.  The
# value None means use the From_ (envelope sender) header.  Field names are
# case insensitive.
SENDER_HEADERS = ('from', None, 'reply-to', 'sender')
(And continuing the OT discussion, in an ezmlm/qmail environment, qmail passes the envelope sender address via $SENDER to ezmlm, and ezmlm uses this to check list membership. I don't see a way in qmail/ezmlm to emulate USE_ENVELOPE_SENDER = No. Three cheers for Mailman!)
Adam Goldberg
AGP, LLC
+1-202-507-9900
-----Original Message----- From: Mailman-Users [mailto:mailman-users-bounces+adam=agp-llc.com@python.org] On Behalf Of Mark Sapiro Sent: Tuesday, January 03, 2017 3:17 PM To: mailman-users@python.org Subject: Re: [Mailman-Users] Envelope address vs. From: header addresses
On 01/03/2017 01:27 PM, Adam Goldberg wrote:
Thanks for the quick response. From what I can see in Defaults.py in my installation of Mailman, one could 'break' Mailman the same way Kavi's ezmlm installation is broken by merely setting USE_ENVELOPE_SENDER=yes.
Actually no, for two reasons.
USE_ENVELOPE_SENDER is a misnomer in the first place. It is used by the Mailman.Message.get_sender() method which returns a single address as the sender of the message. It returns the first address found by looking in order at
From:
Sender:
envelope sender
if USE_ENVELOPE_SENDER is false and
Sender:
From:
envelope sender
if USE_ENVELOPE_SENDER is true, so in most cases there won't be a Sender: header and the From: value will be returned. Only if there is a Sender: header does USE_ENVELOPE_SENDER make a difference and even then the result is the Sender: header value, not the envelope sender.
The other reason is the get_sender() method is not used to determine list membership for posts[1]. That uses the get_senders() method (note senders, not sender) which returns all the addresses from the headers defined by SENDER_HEADERS.
If you wanted to force Mailman to use the envelope sender only for membership tests you would put
SENDER_HEADERS = [None]
in mm_cfg.py.
[1] The address returned by get_sender() is used for things like displaying in the admindb UI the sender of a held post and various other purposes, but not for membership tests on incoming posts.
(And continuing the OT discussion, in an ezmlm/qmail environment, qmail passes the envelope sender address via $SENDER to ezmlm, and ezmlm uses this to check list membership. I don't see a way in qmail/ezmlm to emulate USE_ENVELOPE_SENDER = No. Three cheers for Mailman!)
MTAs (qmail) for the most part only deal with things defined in SMTP such as the envelope sender and recipients. With few exceptions, the message which contains the headers is just a blob of data. Thus if you're relying on the MTA to tell you who sent the message, you're going to see the envelope sender. Mailman actually parses the message and looks at the headers to determine the sender(s).
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
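The following is an added example, not Mailman's own code and not part of the thread, that emulates the two lookups Mark describes: get_senders() walking SENDER_HEADERS (with None standing for the envelope sender) to decide whether a post is from a member, and get_sender() picking a single display address under USE_ENVELOPE_SENDER. The function names, the relay-style bounce address and the member list are constructed for the demonstration; the real logic lives in Mailman.Message and is only approximated here. It also shows what SENDER_HEADERS = [None] does to a member's post whose envelope sender was rewritten by a relay.

```python
# Added example (not Mailman's code): emulation of Mailman's sender lookups
# as described in the thread. get_senders/get_sender/poster_for_membership
# are my own names; Mailman's real methods are in Mailman.Message.
from email import message_from_string
from email.utils import getaddresses

# Defaults as quoted from Defaults.py in the thread. None means "use the
# envelope sender" (what qmail hands ezmlm in $SENDER).
SENDER_HEADERS = ('from', None, 'reply-to', 'sender')
USE_ENVELOPE_SENDER = False


def _addresses_in_header(msg, name):
    """All lowercased addresses from every instance of header `name`."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(name, [])) if addr]


def get_senders(msg, envelope_sender, sender_headers=SENDER_HEADERS):
    """Every candidate address in SENDER_HEADERS order; None expands to the
    envelope sender. This is the list used for membership tests."""
    out = []
    for h in sender_headers:
        if h is None:
            if envelope_sender:
                out.append(envelope_sender.lower())
        else:
            out.extend(_addresses_in_header(msg, h))
    return out


def get_sender(msg, envelope_sender, use_envelope_sender=USE_ENVELOPE_SENDER):
    """Single address for display purposes: first hit in From:, Sender:,
    envelope sender, or Sender:, From:, envelope sender when the flag is set.
    Without a Sender: header the flag changes nothing."""
    order = ['sender', 'from'] if use_envelope_sender else ['from', 'sender']
    for h in order:
        addrs = _addresses_in_header(msg, h)
        if addrs:
            return addrs[0]
    return envelope_sender.lower() if envelope_sender else None


def poster_for_membership(msg, envelope_sender, members, sender_headers=SENDER_HEADERS):
    """First candidate address that is a list member, else None (non-member)."""
    members = {m.lower() for m in members}
    for addr in get_senders(msg, envelope_sender, sender_headers):
        if addr in members:
            return addr
    return None


# Constructed sample: a member posts through a relay that rewrites the
# envelope sender to a per-message bounce address (the SES-style case).
SAMPLE_MSG = message_from_string(
    "From: Alice Member <alice@example.org>\n"
    "To: list@example.net\n"
    "Subject: test\n"
    "\n"
    "hello\n"
)
# Constructed sample with an explicit Sender: header, to show the one case
# where USE_ENVELOPE_SENDER changes get_sender()'s answer.
SAMPLE_MSG_WITH_SENDER = message_from_string(
    "From: Alice Member <alice@example.org>\n"
    "Sender: relay-bot@relay.example.com\n"
    "To: list@example.net\n"
    "\n"
    "hello\n"
)
SAMPLE_ENVELOPE = "0100015a-bounce@relay.example.com"  # constructed value
MEMBERS = ["alice@example.org", "bob@example.org"]

if __name__ == "__main__":
    # Default SENDER_HEADERS: From: is checked first, so Alice is a member.
    print(poster_for_membership(SAMPLE_MSG, SAMPLE_ENVELOPE, MEMBERS))
    # SENDER_HEADERS = [None]: only the envelope sender counts, so the same
    # post is treated as a non-member post (the ezmlm/$SENDER behaviour).
    print(poster_for_membership(SAMPLE_MSG, SAMPLE_ENVELOPE, MEMBERS, [None]))
    # USE_ENVELOPE_SENDER only matters when a Sender: header is present, and
    # even then it yields the Sender: value, never the envelope address.
    print(get_sender(SAMPLE_MSG_WITH_SENDER, SAMPLE_ENVELOPE, True))
```

Running it prints alice@example.org, then None, then relay-bot@relay.example.com: the first two lines are the difference between a header-based and an envelope-only membership test on the same message, and the third shows why USE_ENVELOPE_SENDER does not turn Mailman into the ezmlm setup described earlier in the thread.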