[Mailman-Users] Re: [Mailman-Developers] Looping digest - mailman bug?
Kaja P. Christiansen
kaja at daimi.au.dk
Thu Aug 2 15:54:53 CEST 2001
Barry A. Warsaw writes:
> Okay, several issues going on here. First, let me ask: why are you
> using Sendmail.py instead of SMTPDirect.py?
I have no weighty reason, I'm afraid. I experimented with both, in early
Mailman installations, and recall that there was some problem with getting
SMTPDirect to work; setup with Sendmail was fine so I settled for that.
> The former has well known
> adverse security holes, including being able to trick the shell used
> during the os.popen() to do evil things. I include your mailbomb
> example as another security hole in Sendmail.py. I'm strongly
> considering removing Sendmail.py from MM2.1, but I want to know why
> some people seem to prefer to use it instead of SMTPDirect.py first.
I no longer have the older versions of Mailman, but the current Defaults.py
and Sendmail.py do have a warning about the perils. Maybe one could add it to
README.SENDMAIL as well? It would make people stop and reconsider the setup.
Thank you for your letter. I made a test configuration of Mailman with
the SMTPDirect module and there was no trouble at all.
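
The shell problem mentioned above for os.popen(), shown as an added example that is not part of the original message and not Mailman's own code: a command line built by joining recipient strings is re-parsed by the shell, while an argv list passed without a shell keeps each recipient as one argument. The `sendmail -i` command line, the stand-in `FAKE_MTA` program and the sample recipients are assumptions constructed for illustration.

```python
import json
import shlex
import subprocess
import sys

# Stand-in for the MTA binary (assumption): it reads the message on stdin and
# prints the argument list it was started with, so nothing is mailed.
FAKE_MTA = [sys.executable, "-c",
            "import sys, json; sys.stdin.read(); print(json.dumps(sys.argv[1:]))"]

# Constructed sample: the second "address" carries a shell control operator.
CONSTRUCTED_RECIPS = ["alice@example.org", "bob@example.org; echo injected"]


def shell_view(recips):
    """Words a POSIX shell would see for a command line built by joining
    strings, the kind of line os.popen(cmd, 'w') passes to /bin/sh."""
    cmd = "sendmail -i " + " ".join(recips)
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def deliver_argv(recips, message):
    """Hardened form: no shell is involved, so each recipient is exactly one
    argv entry. '--' keeps a recipient that starts with '-' from being parsed
    as an option by getopt-style programs."""
    proc = subprocess.run(FAKE_MTA + ["-i", "--"] + list(recips),
                          input=message, capture_output=True,
                          text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    print("shell sees :", shell_view(CONSTRUCTED_RECIPS))
    print("argv sees  :", deliver_argv(CONSTRUCTED_RECIPS, "Subject: t\n\nbody\n"))
```

In the shell view the `;` becomes a separate control operator and the words after it form a second command; in the argv view the whole string stays one (invalid) recipient for the MTA to reject.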