
Wayne Cook wcook@mycoachonline.com wrote:
Here's my first post to this list :)
I'm setting up a mailing list and I only want the list administrator
to be able to post messages to the list, can this be set as some kind
of default setting?
Thanks Wayne
Change the list configuration so that all subscribers are moderated. And then set each current subscriber to "moderated" via one click on the membership admin web page.
Barry S. Finkel Computing and Information Systems Division Argonne National Laboratory Phone: +1 (630) 252-7277 9700 South Cass Avenue Facsimile:+1 (630) 252-4601 Building 240, Room 5.B.8 Internet: BSFinkel@anl.gov Argonne, IL 60439-4828 IBMMAIL: I1004994

On Wed, 16 Dec 2009, Barry Finkel wrote:
I'm setting up a mailing list and I only want the list administrator to be able to post messages to the list, can this be set as some kind of default setting?
Change the list configuration so that all subscribers are moderated. And then set each current subscriber to "moderated" via one click on the membership admin web page.
And of course unmoderate the list admin and anyone else you want to be able to post.
You should also probably set the list to reject posts from moderated members, otherwise you'll need to manually process posts from anyone who tries to post.
Geoff.

Geoff Shang wrote:
And of course unmoderate the list admin and anyone else you want to be able to post.
This is not good advice. Everyone should be moderated and posters should use an Approved: <password> header to post. Otherwise, it's too easy for an unauthorized poster to spoof an authorized address. Spammers even do it accidentally.
You should also probably set the list to reject posts from moderated members, otherwise you'll need to manually process posts from anyone who tries to post.
Yes. This is all covered in the FAQ at http://wiki.list.org/x/3YA9.

Hi,
You're right in that I did forget the Approved: approach, as I didn't know about it until recently.
However, thinking about it further, there's one thing I don't like about it. It's OK if the people posting are list admins or moderators, but if you have others who should be able to post to the list, you don't necessarily want to give them all the admin or moderator password. An additional password for this purpose would perhaps be called for here, one that's only used to allow posts through without granting any other access.
Geoff.
----- Original Message ----- From: "Mark Sapiro" mark@msapiro.net To: "Geoff Shang" geoff@QuiteLikely.com; Mailman-Users@python.org Sent: Wednesday, 16 December, 2009 8:22 PM Subject: Re: [Mailman-Users] Hello List
Geoff Shang wrote:
And of course unmoderate the list admin and anyone else you want to be able to post.
This is not good advice. Everyone should be moderated and posters should use an Approved: <password> header to post. Otherwise, it's too easy for an unauthorized poster to spoof an authorized address. Spammers even do it accidentally.
You should also probably set the list to reject posts from moderated members, otherwise you'll need to manually process posts from anyone who tries to post.
Yes. This is all covered in the FAQ at http://wiki.list.org/x/3YA9.

On Fri, 2009-12-18 at 18:17 +0200, Geoff Shang wrote:
However, thinking about it further, there's one thing I don't like about it. It's OK if the people posting are list admins or moderators, but if you have others who should be able to post to the list, you don't necessarily want to give them all the admin or moderator password. An additional password for this purpose would perhaps be called for here, one that's only used to allow posts through without granting any other access.
Is there some reason that you, as admin, can't just un-set their moderation flag?

Hi,
Yes I can clear their moderation flag, and in fact this is what I first suggested, but my message was in response to a message from Mark who was putting forward the position that this was a bad idea and that it's better to post using the Approved: header instead.
Geoff.
----- Original Message ----- From: "Lindsay Haisley" fmouse@fmp.com To: mailman-users@python.org Sent: Friday, 18 December, 2009 6:22 PM Subject: Re: [Mailman-Users] Hello List
On Fri, 2009-12-18 at 18:17 +0200, Geoff Shang wrote:
However, thinking about it further, there's one thing I don't like about it. It's OK if the people posting are list admins or moderators, but if you have others who should be able to post to the list, you don't necessarily want to give them all the admin or moderator password. An additional password for this purpose would perhaps be called for here, one that's only used to allow posts through without granting any other access.
Is there some reason that you, as admin, can't just un-set their moderation flag?

On Fri, 2009-12-18 at 18:34 +0200, Geoff Shang wrote:
Yes I can clear their moderation flag, and in fact this is what I first suggested, but my message was in response to a message from Mark who was putting forward the position that this was a bad idea and that it's better to post using the Approved: header instead.
I don't entirely agree with Mark on this. I generally offer my customers the option of using either mechanism, with the caveat that using the mod flag is potentially less secure.
You have two moderation passwords, one for "administrators" and one for "moderators". Either will work in an "Approved" header or pseudo-header. If you don't designate any moderators, then only the administrator password is effective. There's no reason you couldn't designate a group of moderators and give them the password, and then change it administratively if their service is no longer needed.
http://www.fmp.com

Lindsay Haisley wrote:
On Fri, 2009-12-18 at 18:34 +0200, Geoff Shang wrote:
Yes I can clear their moderation flag, and in fact this is what I first suggested, but my message was in response to a message from Mark who was putting forward the position that this was a bad idea and that it's better to post using the Approved: header instead.
I don't entirely agree with Mark on this. I generally offer my customers the option of using either mechanism, with the caveat that using the mod flag is potentially less secure.
FWIW, I was recommending the Approved: <password> approach in the context of a reply where the OP said "I only want the list administrator to be able to post messages to the list".
I agree that in the case where you have authorized posters who are not necessarily admins or moderators that controlling posting by unmoderating posters and/or accept_these_nonmembers is appropriate although still subject to spoofing. It all depends on the list.
You have two moderation passwords, one for "administrators" and one for "moderators". Either will work in an "Approved" header or pseudo-header. If you don't designate any moderators, then only the administrator password is effective. There's no reason you couldn't designate a group of moderators and give them the password, and then change it administratively if their service is no longer needed.
Just to be clear, the presence or absence of an email address in the owner or moderator attributes of a list has nothing to do with who can do what. It only controls where notices are sent and what appears in web page footers.
It is quite possible to set a moderator password without adding any addresses to 'moderator', and anyone who knows that password can post an Approved: or Urgent: message and log in to the admindb page.
See the FAQ at http://wiki.list.org/x/5YA9.

On Fri, 2009-12-18 at 11:00 -0800, Mark Sapiro wrote:
Just to be clear, the presence or absence of an email address in the owner or moderator attributes of a list has nothing to do with who can do what. It only controls where notices are sent and what appears in web page footers.
It is quite possible to set a moderator password without adding any addresses to 'moderator', and anyone who knows that password can post an Approved: or Urgent: message and log in to the admindb page.
I'm aware of this, but it does bring up another question, which, in my own cowardly way, I was trying to avoid dealing with ;-/
I assume that if one sets up a new list and doesn't set a moderator password, then only the administrator can use an "Approved:" [pseudo]header and there's no default moderator password. If one sets up a moderator password then either will work. I (naively) assumed that deleting all moderator email addresses _might_ thereby render the moderator password ineffective, but in my guts, I knew it probably wasn't so.
Is there any way to nullify the moderator password altogether? Does submitting the passwords page with an empty field for the mod pw accomplish this?

Lindsay Haisley wrote:
Is there any way to nullify the moderator password altogether? Does submitting the passwords page with an empty field for the mod pw accomplish this?
You can't remove a moderator password through the GUI. You could always enter some obscure string that you will immediately forget, and that's probably as good, but if you really want to remove it, you have to set
mod_password = None
via bin/withlist or bin/config_list.
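
One way to check the settings discussed in this thread, and to clear the moderator password as described above, written as an added example that is not part of the original messages or of Mailman itself. It assumes Mailman 2.1 list attribute names; the module name `audit_posting`, its function names and the `FakeList` stand-in (constructed so the script also runs outside a Mailman install) are hypothetical.

```python
# audit_posting.py: added example, not part of Mailman (names are hypothetical).
# Inside Mailman 2.1:  bin/withlist -r audit_posting.audit <listname>
#                      bin/withlist -l -r audit_posting.clear_mod_password <listname>
try:
    from Mailman import mm_cfg
    MODERATE = mm_cfg.Moderate
except ImportError:   # offline run, outside a Mailman install
    MODERATE = 128    # assumed value of mm_cfg.Moderate in Mailman 2.1

ACTIONS = {0: 'hold', 1: 'reject', 2: 'discard'}

def findings(mlist):
    """Summarise who can post and whether a moderator password is live."""
    return {
        'new_members_moderated': bool(mlist.default_member_moderation),
        'moderated_post_action': ACTIONS.get(mlist.member_moderation_action),
        # These addresses post on the From: header alone (spoofable).
        'unmoderated_members': sorted(
            a for a in mlist.getMembers()
            if not mlist.getMemberOption(a, MODERATE)),
        'accept_these_nonmembers': list(mlist.accept_these_nonmembers),
        # While set, this password also works in an Approved: header.
        'mod_password_set': mlist.mod_password is not None,
    }

def audit(mlist):
    """withlist -r entry point: print the findings."""
    for key, value in sorted(findings(mlist).items()):
        print('%s: %s' % (key, value))

def clear_mod_password(mlist):
    """withlist -l -r entry point: the list must be locked to save."""
    mlist.mod_password = None
    mlist.Save()

class FakeList(object):
    """Constructed stand-in for a list object, for offline runs."""
    default_member_moderation, member_moderation_action = 1, 1
    accept_these_nonmembers, mod_password = [], 'constructed-hash'
    members = {'admin@example.org': 0, 'reader@example.org': MODERATE}

    def getMembers(self):
        return list(self.members)

    def getMemberOption(self, addr, flag):
        return bool(self.members[addr] & flag)

    def Save(self):
        self.saved = True
```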