[Mailman-Users] Problems with SMTPDirect / Security Bug?

Pablo Alsina palsina at chasque.net
Mon May 22 22:49:00 CEST 2000


Hi!
	First of all, I want to congratulate all Mailman developers, they
are doing a great job!! I'm trying to find something to replace my old
majordomo, and Mailman seems like an excellent alternative.

	I've installed Mailman and I have been using it for several
months with small lists without problems. But a few weeks ago I ported a
3000+ subscriber list from majordomo to Mailman, and it is not working
yet.

	Using SMTPDirect as the delivery module just times out, not sending
any mail out. I used Sendmail as MTA, and saw a few messages on this board
suggesting that Postfix was faster, so I replaced sendmail with Postfix.

	Using Postfix and SMTPDirect the results are the same. After some
minutes, the browser says "Document contained no data" and Postfix says
"lost connection after RCPT from ...". I tried to limit the ceiling on the
number of recipients in a single SMTP transaction (SMTP_MAX_RCPTS) but it
seems like it is not used anywhere in the code (is that OK?). Any
suggestion on this will be appreciated.

	So I tried using Postfix and Sendmail.py as the delivery module. It
made the delivery to approx. 30% of the list, and then hit a bug with
"SendmailHandlerError: 127". After several hours of log-watching, I saw
that one of the recipients was an email like 'ping&pong at host.name.com',
including the &, but postfix received only 'ping' as recipient of the
mail.

	Looking at the code, I see that the recipient list is not
sanitized before invoking the shell. Unless I'm wrong, one could subscribe
a 'larry;command_here;@none.com' and make command_here get
executed!

	I'm going to try to patch the Sendmail.py to put each recipient
between '' to avoid shell expansion. Hope that will do.

Best regards
	Pablo
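The shell-injection concern raised in the message above, as an added example that is not Mailman's own Sendmail.py: the hardened delivery passes each recipient as its own argv element to the sendmail binary with no shell in between, so no quoting is needed (wrapping addresses in '' still breaks on an address that itself contains a single quote). The `_BAD_RE` check, the `/usr/sbin/sendmail` path and the function names are assumptions for this illustration.

```python
import re
import subprocess
from typing import List

# Vulnerable pattern described in the report (do not use): building one
# command string and handing it to a shell, e.g.
#   os.system("/usr/sbin/sendmail -f %s %s" % (sender, " ".join(recips)))
# Anything after ';' or '&' in an address is then parsed as shell syntax.

# Without a shell, only two things in an address still matter (assumed rule):
# a leading '-' would be read by sendmail as an option, and whitespace or
# control characters never belong in an envelope recipient. Shell
# metacharacters such as '&' or ';' are deliberately NOT rejected: '&' is a
# legal local-part character (the 'ping&pong' subscriber), and once no shell
# is involved they are just bytes of an address.
_BAD_RE = re.compile(r"^-|[\s\x00-\x1f]")


def argv_safe(addr: str) -> bool:
    """True if the address can be passed to sendmail as a bare argv element."""
    return "@" in addr and not _BAD_RE.search(addr)


def build_sendmail_argv(sender: str, recips: List[str],
                        sendmail: str = "/usr/sbin/sendmail") -> List[str]:
    """One argv element per recipient; the kernel hands these to sendmail
    verbatim, so 'larry;command_here;@none.com' is merely a bad address."""
    for addr in [sender] + list(recips):
        if not argv_safe(addr):
            raise ValueError("refusing address: %r" % addr)
    # -f sets the envelope sender, -oi keeps a lone '.' from ending the input.
    return [sendmail, "-f", sender, "-oi"] + list(recips)


def deliver(msgtext: str, sender: str, recips: List[str]) -> int:
    """Exec sendmail directly (no shell=True, no string interpolation)
    and return its exit status; 127 can no longer mean 'command not found'
    for a fragment of somebody's address."""
    argv = build_sendmail_argv(sender, recips)
    proc = subprocess.run(argv, input=msgtext.encode("utf-8"))
    return proc.returncode
```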