[Mailman-Developers] Re: [Mailman-Users] posting restrictions still confusing to me (or not

Barry A. Warsaw bwarsaw@cnri.reston.va.us (Barry A. Warsaw)
Tue, 9 Mar 1999 13:58:28 -0500 (EST)

About postings that are held for approval even though they seem to be
coming from a list member when member_posting_only is set to true...

Here's what I'm seeing.  I put the following in Mailman/MailList.py
inside the Post() method:

        sys.stderr.write('envsend: %s, sender: %s\n' %
                         (msg.GetEnvelopeSender(), msg.GetSender()))

This will write the envelope sender and `header' sender to logs/error, 
which you can tail as you send messages to the list.  For me, envelope 
sender is always None, so the test falls through to msg.GetSender(),
which is taken from my spoofable From: header.

Back in November, Scott added the use of GetEnvelopeSender() before
GetSender() because he'd been hit by a spam getting through that
should have been held for approval, but IIRC, Scott's also been
backing away from using the envelope sender in some situations.  Maybe 
Scott is able to elaborate.

rfc822.py gets the envelope sender as the unixfrom attribute on the
message object.  This it gets from the "From " line in the message.  I 
don't understand why you're getting something different from me (I'm
using sendmail 8.9.something).

Anyway, here's what I propose.  I'll add a variable to
Defaults.py/mm_cfg.py called, say APPROVE_WITH_ENVELOPE_SENDER which
will be set to true by default.  You set it to false and Mailman will
only use the sender.  I'll add info to the FAQ and such explaining
that this is easier to spoof, but may work around problems where the
envelope sender isn't getting set correctly.

If anybody can debug this further, I'd appreciate it.
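
The sender selection described in this message, as an added example that is not part of the original post or of Mailman's code. It uses Python's standard email package instead of Mailman's Message class; the function names, the member list and the sample messages are constructed for illustration, and APPROVE_WITH_ENVELOPE_SENDER stands in for the setting proposed above.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical stand-ins: the proposed setting and a constructed member list.
APPROVE_WITH_ENVELOPE_SENDER = True
MEMBERS = {"member@example.com"}

# Constructed sample: envelope sender is a non-member, From: names a member.
WITH_ENVELOPE = (
    "From outsider@example.net Tue Mar  9 13:58:28 1999\n"
    "From: Member <member@example.com>\n"
    "Subject: test\n\nbody\n"
)
# The same message as it looks when the MTA hands it over without a "From " line.
NO_ENVELOPE = WITH_ENVELOPE.split("\n", 1)[1]

def envelope_sender(msg):
    """Address from the mbox-style "From " line (unixfrom), or None if absent."""
    unixfrom = msg.get_unixfrom()
    if not unixfrom:
        return None
    parts = unixfrom.split()
    # "From addr Tue Mar  9 ..." -> the address is the second token
    return parts[1].lower() if len(parts) > 1 else None

def header_sender(msg):
    """Address from the From: header, which the message author controls."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.lower() or None

def posting_decision(raw, use_envelope=APPROVE_WITH_ENVELOPE_SENDER):
    """Return (decision, address checked, source of that address)."""
    msg = message_from_string(raw)
    env = envelope_sender(msg) if use_envelope else None
    if env is not None:
        addr, source = env, "envelope"
    else:
        # No envelope sender available: the check rests on the From: header.
        addr, source = header_sender(msg), "header"
    return ("post" if addr in MEMBERS else "hold"), addr, source

if __name__ == "__main__":
    for label, raw in (("with envelope", WITH_ENVELOPE), ("no envelope", NO_ENVELOPE)):
        print(label, posting_decision(raw))
```

Returning the source alongside the decision makes it visible, for example in a log line, when a membership check silently fell back to the From: header.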