[Mailman-Users] approval password linked to sender rather than list?
t.d.lee at durham.ac.uk
Mon May 15 11:01:25 CEST 2006
Currently majordomo, but rapid switch to Mailman being considered.
About 20,000 users.
Over 2,000 lists, the majority being "announcement" with very limited
numbers of permitted senders.
Have been majordomo-based for many years.
Recent spoof email jumped the priority of a potential majordomo->Mailman
transition to very high.
Installed Mailman 2.1.5 (that version simply for local proof-of-concept
Would anticiapate running latest stable version.
Very new to running a Mailman service (be gentle!).
Executive summary of query:
The existing "Approved:" mechanism needs a password shared in common
across multiple people (which feels poor and doesn't scale well) and
across multiple lists (again, scaling problems). Is there a facility, or
plans for such, for each permitted sender to have (optionally) their own
password, useable across many lists? (Note the numbers, and high
proportion of limited access "annnouncement" lists in the above.)
Details of query:
I've read the FAQ. The nearest items to my query seem to be 3.11, 3.34,
Our recent problem was a spoof email through Majordomo, via a small number
of large lists to the entire institution, spoofing the "From:" of a valid
Majordomo "posters" email address. The Mailman "Approved:" mechanism
looks as if it should address much of this (but not as much as might be
possible: see below).
With Mailman, I've done an "Approved:" proof-of-concept demo: two lists,
same list password; moderation switched on for everybody. Proved the
Approved: <list password>
(1) being able to bypass the moderation function (good);
(2) its absence or error being diverted to moderator (good).
So our genuine posters can use "Approved:" and the email would go straight
through, whereas the spoofer wouldn't be able to do this and the request
would be diverted (very good!) to the various list moderators.
... in the environment described above we can see major benefits of a
somewhat different authorisation slant.
Problem: A spoof to many lists would go to many moderators within a list
and across lists, requiring coordination of moderators within a list, and
consistent action of one or more moderators per list across the lists.
Very poor scaling at a large site (with many clusters of many lists).
Suggestion: An approval process to allow a sender-based password. So
From: permitted.poster.1 at our.site # may or may not be spoofed
To: list1 at our.site, list2 at our.site, list3 at our.site, ...
Approved: <pw belonging to "permitted.poster.1">
and also that pw being potentially shareable across multiple lists.
This doesn't seem possible at present (v 2.1.5). But it seems related
to FAQ 3.46, in particular section "A password scheme could potentially
be implemented ...".
Is it yet possible?
(Assuming not, then ...)
List subscribers can already have passwords attached to their membership
of a particular list, but this is (I understand) only for subscription
maintenance, not for posting authorisation. So the concept of password
linked to email address is already present in Mailman.
It would seem reasonable to extend Mailman to have a variant of the
"Approved:" scheme (albeit with its inherent weak authentication) in which
the password is associated with each "permitted.poster.1" sender name
to discriminate a real sender from the spoofer.
Does that seem reasonable? What are the drawbacks (those that would have
significantly worse problems/weaknesses than existing mechanisms)?
If it is possible now (i.e. I have overlooked the relevant documentation),
please point me in the correct direction, to documentation etc.
If not yet possible, but acceptable in theory (perhaps with amendments),
then we would hope to consider volunteering some effort into coding it.
: David Lee I.T. Service :
: Senior Systems Programmer Computer Centre :
: Durham University :
: http://www.dur.ac.uk/t.d.lee/ South Road :
: Durham DH1 3LE :
: Phone: +44 191 334 2752 U.K. :
More information about the Mailman-Users