My last majordomo user has decided to move their lists to Mailman. Yea! However they had some questions I couldn't answer.
First, Mailman doesn't seem to allow a user to type Approved: Password as the first line of the mail to the list to bypass the approval by the administrator. The user doesn't want to maintain the list of posters that bypass approval. So this is holding up the migration of 3 lists.
Is this not supported?
Thanks. Jamest
->->->->->->->->->->->->->->->->->->---<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-< James Thompson 138 Cardwell Hall Manhattan, Ks 66506 785-532-0561 Kansas State University Department of Mathematics ->->->->->->->->->->->->->->->->->->---<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<
On Fri, Feb 02, 2001 at 08:46:42AM -0600, James Thompson wrote:
No. Mailman doesn't use an Approved header, so adding one has no effect. (Incidentally, what you describe seems like a very ugly, labor-intensive, insecure, and just plain *wrong* way of allowing multiple people to post to a moderated list. I can't see how allowing list members to bypass moderation could be a Good Thing. Shame on majordomo!)
To achieve a similar effect in Mailman, go to the "Privacy Options" page and add the implicitly-approved users' addresses to the "Addresses of members accepted for posting to this list without implicit approval requirement" box. (Yes, I know you said the user doesn't want to maintain that list. It should be a more-or-less one-shot deal, though - if the list of approved posters is changing constantly, I would suspect that it would be more reasonable to either unmoderate the list or let the messages be held and approved manually.)
-- SGI products are used to create the 'Bugs' that entertain us in theatres and at home. - SGI job posting Geek Code 3.1: GCS d? s+: a- C++ UL++$ P++>+++ L+++>++++ E- W--(++) N+ o+ !K w---$ O M- V? PS+ PE Y+ PGP t 5++ X+ R++ tv b+ DI++++ D G e* h+ r y+
On Fri, Feb 02, 2001 at 09:11:14AM -0600, Dave Sherohman wrote:
No, this is not the case. Approved headers, while perhaps slightly inelegant, are more secure (FSVO "secure") than simply allowing a set of posters to post. Anyone can trivially fake a "From" header in an email address, whereas with an approved header you need to know the password.
-- Dominic Hargreaves | http://dom.magd.ox.ac.uk/ You can get my PGP key from my web site. "Only two things are infinite: the Universe and human stupidity, and I'm not sure about the former" - Albert Einstein
On Fri, Feb 02, 2001 at 04:01:25PM +0000, Dominic Hargreaves wrote:
Does majordomo remove the Approved header while forwarding messages? If not, finding out the password is even more trivial than forging From:.
-- SGI products are used to create the 'Bugs' that entertain us in theatres and at home. - SGI job posting Geek Code 3.1: GCS d? s+: a- C++ UL++$ P++>+++ L+++>++++ E- W--(++) N+ o+ !K w---$ O M- V? PS+ PE Y+ PGP t 5++ X+ R++ tv b+ DI++++ D G e* h+ r y+
On Fri, Feb 02, 2001 at 02:24:07PM -0600, Dave Sherohman wrote:
Yes, it does.
-- Dominic Hargreaves | http://dom.magd.ox.ac.uk/ You can get my PGP key from my web site. "Only two things are infinite: the Universe and human stupidity, and I'm not sure about the former" - Albert Einstein
On Fri, Feb 02, 2001 at 08:26:33PM +0000, Dominic Hargreaves wrote:
In that case, I stand corrected. Thanks for straightening me out.
-- SGI products are used to create the 'Bugs' that entertain us in theatres and at home. - SGI job posting Geek Code 3.1: GCS d? s+: a- C++ UL++$ P++>+++ L+++>++++ E- W--(++) N+ o+ !K w---$ O M- V? PS+ PE Y+ PGP t 5++ X+ R++ tv b+ DI++++ D G e* h+ r y+
For what it's worth. The Approve.py handler in mailman does seem to check for the Approved: header and will compare its value to the mail list admin password. It looks like this should work fine from what I've found in the source. However, it doesn't seem to.
Is there any way to make mailman produce some type of debugging output?
Take Care, James
->->->->->->->->->->->->->->->->->->---<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-< James Thompson 138 Cardwell Hall Manhattan, Ks 66506 785-532-0561 Kansas State University Department of Mathematics ->->->->->->->->->->->->->->->->->->---<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<
"JT" == James Thompson <jamest@math.ksu.edu> writes:
JT> For what it's worth. The Approve.py handler in mailman does
JT> seem to check for the Approved: header and will compare its
JT> value to the mail list admin password. It looks like this
JT> should work fine from what I've found in the source. However,
JT> it doesn't seem to.
JT> Is there any way to make mailman produce some type of
JT> debugging output?
James, did you ever get more information about this problem? Mailman definitely supports Approved: headers and it works fine for me testing against MM2.0.1 and the current CVS snapshot.
-Barry
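An added sketch, not Mailman's Approve.py or Majordomo's code, of the check this thread describes: an Approved: value (as a header, or as the first line of the body) is compared against the list password and removed before the message is forwarded, whether or not it matched. The function name, sample addresses and password are constructed for illustration, and the message is assumed to be plain, unencoded text.

```python
import hmac
from email import message_from_string
from email.message import Message

# Constructed sample posts (not real traffic).
SAMPLE_HEADER = ("From: poster@example.org\nTo: list@example.org\n"
                 "Approved: s3cret-list-pw\nSubject: hi\n\nHello list.\n")
SAMPLE_BODY = ("From: poster@example.org\nTo: list@example.org\n"
               "Subject: hi\n\nApproved: s3cret-list-pw\n\nHello list.\n")
SAMPLE_WRONG = ("From: moderator@example.org\nTo: list@example.org\n"
                "Approved: wrong-guess\nSubject: hi\n\nHello list.\n")


def _matches(candidate: str, list_password: str) -> bool:
    # Constant-time comparison so timing does not reveal a partial match.
    return hmac.compare_digest(candidate.strip().encode(),
                               list_password.encode())


def check_and_strip(raw: str, list_password: str) -> tuple[bool, Message]:
    """Return (approved, message) with every Approved: credential removed."""
    msg = message_from_string(raw)
    candidates = msg.get_all("Approved", [])
    del msg["Approved"]  # drops all occurrences; no error if none exist

    # "Approved: <password>" typed as the first line of the body.
    # Assumption: single-part text with no transfer encoding.
    if not msg.is_multipart():
        first, _, rest = msg.get_payload().partition("\n")
        name, colon, value = first.partition(":")
        if colon and name.strip().lower() == "approved":
            candidates.append(value)
            msg.set_payload(rest.lstrip("\n"))

    # The From: address plays no part in the decision; only the password does.
    approved = any(_matches(c, list_password) for c in candidates)
    return approved, msg


if __name__ == "__main__":
    for raw in (SAMPLE_HEADER, SAMPLE_BODY, SAMPLE_WRONG):
        ok, cleaned = check_and_strip(raw, "s3cret-list-pw")
        print(ok, repr(cleaned.as_string()))
```

Stripping happens before the approval decision, so a mistyped password on a held or rejected message is not exposed to anyone who later sees that message either.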
participants (4): barry@digicool.com, Dave Sherohman, Dominic Hargreaves, James Thompson