[Mailman-Users] Re: [Mailman-Developers] Looping digest - mailman bug?

Kaja P. Christiansen kaja at daimi.au.dk
Thu Aug 2 15:54:53 CEST 2001

Barry A. Warsaw writes:

 > Okay, several issues going on here.  First, let me ask: why are you
 > using Sendmail.py instead of SMTPDirect.py?

I have no weighty reason, I'm afraid. I experimented with both, in early 
Mailman installations, and recall that there was some problem with getting 
SMTPDirect to work; setup with Sendmail was fine so I settled for that.

 > The former has well known
 > adverse security holes, including being able to trick the shell used
 > during the os.popen() to do evil things.  I include your mailbomb
 > example as another security hole in Sendmail.py.  I'm strongly
 > considering removing Sendmail.py from MM2.1, but I want to know why
 > some people seem to prefer to use it instead of SMTPDirect.py first.

I no longer have the older versions of Mailman, but current Defaults.py 
and Sendmail.py do have warning about perils. Maybe one could add it to
README.SENDMAIL as well? It would make people stop and reconsider the setup.

Thank you for your letter. I made a test configuration of Mailman with 
SMTPDirect module and there was no trouble at all.


More information about the Mailman-Users mailing list