[Mailman-Users] Problem solved: it was the MTA

Todd Freedom_Lover at pobox.com
Wed Mar 12 19:02:16 CET 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Elena Fraboschi wrote:
> and there I learned that the makers of mailman, in an over-protective
> move, commented out "Sendmail" as the Delivery_Module, and put
> "SMTPDirect" instead.  All that is fine, except that there should
> be a warning about this somewhere in the INSTALL docs.

There isn't a warning because the Sendmail DELIVERY_MODULE is not
supposed to be used in a production environment.  The comments in Default.py
direct you to read Mailman/Handlers/Sendmail.py if you want to use it.  When
you read that file, you see this:

    WARNING WARNING WARNING: This module is provided for example
    purposes only.  It should not be used in a production environment
    for reasons described below.  Because of this, you must
    explicitly enable it with by editing the code.  See the WARN
    section in the process() function.

    This module delivers the message via the command line interface
    to the sendmail program.  It should work for sendmail clones like
    Postfix.  It is expected that sendmail handles final delivery,
    message queueing, etc.  The recipient list is only trivially
    split so that the command line is less than about 3k in size.

    SECURITY WARNING: Because this module uses os.popen(), it goes
    through the shell.  This module does not scan the arguments for
    potential exploits and so it should be considered unsafe for
    production use.  For performance reasons, it's not recommended
    either -- use the SMTPDirect delivery module instead, even if
    you're using the sendmail MTA.

    DUPLICATES WARNING: Using this module can cause duplicates to be
    delivered to your membership, depending on your MTA!  E.g. It is
    known that if you're using the sendmail MTA, and if a message
    contains a single dot on a line by itself, your list members will
    receive many duplicates.

That's a pretty strong warning against using this in production.

> I do know about the security problems with Sendmail, and I am
> applying myself to patching my installation this afternoon.

There is nothing wrong with using sendmail as your MTA with mailman.  Lots
of people do this (despite sendmail's horrid .cf file, IMO ;).

The DELIVERY_MODULE setting simply changes the method by which mail gets
from mailman to your MTA.  The default (and preferred) way is to use SMTP to
talk to your MTA.  Changing the DELIVERY_MODULE to Sendmail.py uses the
command line interface to any sendmail compatible MTA (like Postfix).

> But, from the point of view of mailman, once the correct
> Delivery_Module was specified in Defaults.py, it works fast
> as a whistle.

I might not understand completely what problems you were having, but if the
default DELIVERY_MODULE setting wasn't working, is it possible that you
didn't have your MTA running or configured to accept mail from mailman?

> I am glad: the work paid off.  I am mad:  I hate it when something
> as basic as 'Sendmail' is commented out because "You shouldn't be
> running sendmail in the first place."  Fine, but tell me about it
> in the README file.  I say it here in case another newbie writes
> in the future with the same difficulty.

It's not in the README because it's considered experimental and unsecured.
The mailman developers aren't trying to be mean or shove their views down
users' throats.  In fact, the developers I've seen all seem like really nice
folks. :)

- -- 
Todd              OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
============================================================================
Ammunition beats persuasion when you are looking for freedom.
    -- Will Rogers

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.

iD8DBQE+b3Youv+09NZUB1oRAkAPAJ9hz9bQlzaNR0SRM4KHYCtJx1T1oQCg9zrj
XGWCC30btIl81W2KkNWaNog=
=3NF2
-----END PGP SIGNATURE-----
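
An added example, not part of the original post and not Mailman's own code: it contrasts the shell-string pattern the SECURITY WARNING describes with a no-shell argv list, and splits recipients under the "about 3k" limit. The sendmail path, the addresses and all function names are assumptions made for illustration.

```python
import shlex
import subprocess

SENDMAIL = "/usr/sbin/sendmail"  # assumed path, adjust for your MTA
MAX_CMDLINE = 3000               # the "about 3k" limit from the docstring

def shell_style(sender, recips):
    """Unsafe pattern: one string for os.popen(), parsed by /bin/sh."""
    return "%s -f %s %s" % (SENDMAIL, sender, " ".join(recips))

def as_shell_sees(cmd):
    """Tokenise the string roughly as a POSIX shell would (nothing is run)."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)

def argv_style(sender, recips):
    """No-shell pattern: each address is exactly one argv element."""
    for addr in [sender, *recips]:
        # A leading "-" would be read as an option; control chars never belong.
        if addr.startswith("-") or any(ord(c) < 32 for c in addr):
            raise ValueError("refusing address %r" % addr)
    # -i: sendmail does not treat a line holding only "." as end of input
    return [SENDMAIL, "-i", "-f", sender, *recips]

def chunks(recips, limit=MAX_CMDLINE):
    """Split recipients so each command line stays under about `limit` bytes."""
    batch, size = [], 0
    for addr in recips:
        if batch and size + len(addr) + 1 > limit:
            yield batch
            batch, size = [], 0
        batch.append(addr)
        size += len(addr) + 1
    if batch:
        yield batch

def deliver(sender, recips, msg_bytes):
    """Pipe the message to the MTA once per batch, without a shell."""
    for batch in chunks(recips):
        subprocess.run(argv_style(sender, batch), input=msg_bytes, check=True)

# Constructed sample data, not from the original post.
SENDER = "list-bounces@example.org"
RECIPS = ["alice@example.org", "carol@example.org; echo injected"]

if __name__ == "__main__":
    print(as_shell_sees(shell_style(SENDER, RECIPS)))  # ';' splits the command
    print(argv_style(SENDER, RECIPS))                  # address stays one item
```

In the shell-string form the second address is cut at the ";" and the remainder becomes a separate command; in the argv form it reaches the MTA as a single (invalid) address and is rejected there.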


