[Mailman-Developers] The Approved: header in MM3

Barry Warsaw barry at list.org
Wed Oct 3 05:07:37 CEST 2007

Hash: SHA1

Those of you who have been watching the commit messages can see I've  
been making some good progress.  I'm actually hoping to have a  
Mailman 3.0 alpha some time RSN which will almost allow you to run  
the system from the command line, but without a web u/i.

So one of the things I'm looking at is the MM2.1 concept of an  
Approved header.  If a message comes into a list with an Approved  
header (or an Approved line at the start of the message body), and  
that header has a password that matches the list admin or moderator  
password, the message is pre-approved and short-circuits the posting  

The concept doesn't translate well in a Mailman 3 world where there  
is no shared admin or moderator password.  Web access will be control  
via roles and protected by user authentication much like any modern  
web application.

So the question is, what do we do about the Approved header?

1. We can drop the concept altogether.  This means there'd be no way  
to post a message as coming from an approved source, with a bypass of  
the posting filters.  Maybe because few people have MUAs that support  
adding custom headers, this feature just isn't used much in the real  
world these days.  You'd still have the moderation bit for announce- 
only lists though.

2. Replace the concept with some other email authentication  
mechanism, e.g. something more secure like a signature check.  The  
problem with this is that I still don't think message signing is  
common practice outside our small community of geeks.

3. Allow an owner or moderator to use their own password in the  
Approved header.  I'm not crazy about this because it has to be sent  
in the clear and if (when?) it gets compromised, their account is  
compromised, and this includes their administration of the mailing list.

4. Add a new shared password just for this purpose.  You'd still have  
to communicate it to all your moderators, probably via the web page,  
but at least this password wouldn't have any other purpose so if  
(when?) it gets compromised, the only asset it protects is approved  
postings.  Bad yes, if a spammer gets it, but easily changed and  
hopefully fairly limited in the damage it can do.

5. Your suggestion.

Comments?  I think my preference would be for #1 with future support  
for #2 and just accepting the fact that message signatures are for  
power users.  Maybe that set is pretty close to the set of people  
currently using Approved anyway.

- -Barry

Version: GnuPG v1.4.7 (Darwin)


More information about the Mailman-Developers mailing list