[Mailman-Users] New Mailman user - Contribs.Org (SME/E-Smith) addon - 2.1.3 Bug?

Tue Nov 23 05:12:38 CET 2004

  Hey all...

Long story short.  Friend of mine has been dealing with cancer for the 
past 5 years (two distinct types / diagnosis)  He has been chronicling 
his story to fellow cyclists and friends via self built distribution 
lists using the built in mail client that comes with his windows 
machine.  Needless to say, he has spent quite a bit of time in and out 
of hospitals for various surgeries, treatments, etc...  mail is 
something that he has come to value.  Cutting to the chase - I built him 
a server (contribs.org - formerly known as mitel / e-smith) that is imap 
capable.  Centralized mail down - with a web interface.  He can get to 
his mail when he doesn't have access to his laptop and his isp 
connection at home.  Now...  I mention to him that I ~believe~ that I 
can turn this same machine into a private list server as the folks that 
maintain the server (contribs.org) also maintain a fine collection of 
user contributed (hence the name) of rpm's for use as add-on packages.  
It is quite nice.

Fast forwarding...  Indeed I do find a contrib - mailman - cool!  I get 
it setup and installed per some documentaton that I found, get a list 
all configured and ready to roll.  I e-mail Dave (my friend) to let him 
know that I feel that we are 'ready' to go live with this thing after 
having been testing / playing with it for a week or so to ensure that it 
is behaving the way that we want it to.  It's private, reply to address 
has been altered to someone else other than the list, no-one can post to 
the list except the list owner and delegated moderators, list is kept 
private - only list owner can view subscribers, etc...  it appears to be 
working perfectly.  ;)

Then I find out that there was, at some point in the past, some bug that 
was discovered that would allow for e-mail addresses to be viewed / 
obtained in some fashion.  Something about v2.1.3?  Anyway...  I start 
googling (quite a bit)...  I do see information (although not much) 
about the purported issue and how it was patched with some back level 
patches or something to that effect.  I discovered this list via 
aformention googling, and sure enough, I even came across another sme 
user who posted with a question back on the 4th of this month (Nov. '04 
-- link here:  
http://mail.python.org/pipermail/mailman-users/2004-November/040616.html)  
Kind of panicky, and by no means any kind of *nix "guru" I ssh into the 
box running the list and 'locate' the mailman binaries (I had no idea 
where it installed itself to).  Turns out to be /opt/mailman/bin - don't 
know if this is typical or not.  I find a "version" fle in there, that 
judging by its "green" color is executable.  I run it and it tells me 
that the version that I have is this:

[root at gateway bin]# ./version
Using Mailman version: 2.1.3

2.1.3 - ;(  Do I have an issue?

Privacy on this list is something that Dave holds very dear due to the 
personal nature of the illness that I suspect many of his recipients are 
also dealing with.  (he currently uses "bcc" for the bulk of the people 
that he posts to)  Is there a means of testing this box to see if the 
existing list of addresses can be "harvested"  There are only three 
addresses in it @present - mine as builder, Dave's as site owner and my 
wife ( we needed a guinea pig tester to ensure that she could not post 
back to the list, reveal e-mail address, etc...  lol )  I don't care if 
those addresses get "harvested" as they are well known anyway.

Ok - so this wasn't so short.  Sorry.  Again - I'm no *nix guy.  I'm 
just a guy who rides and races a bike (as in pedal variety)  and happens 
to know a ~little~ bit about computers.  I offered to help out a good 
friend of mine, and the local cycling club in general, and I would just 
like to make sure that this thing will be "ok" (ie; secure).  (( 
realizing that secure and a forward facing gizmo on the public internet 
is kind of an oxymoron - but ya gotta at least do the best ya can, 'eh? ))

Thanks all.

-=- jd -=-

ps - Dave's site that another cyclist from the Syracuse, NY area put up 
for him is here (if anyone curious):
http://www.veloweb.org/davepanella