[Mailman-Users] list address in From: line post message to closed list
Steve Lindemann
steve at marmot.org
Fri Apr 4 00:59:51 CEST 2008
Dragon wrote:
> Steve Lindemann sent the message below at 14:43 4/3/2008:
>> Dragon wrote:
>>> Steve Lindemann sent the message below at 12:18 4/3/2008:
>>>> The problem - when the list email address is (spoofed) in the From: line
>>>> (as well as being on the To: line) the message posts to the list. The
>>>> ability to post to the list is supposed to be restricted to only list
>>>> members. The list address is not in the list of list members.
>>>>
>>>> Is this normal? I checked the config and didn't see anything to
>>>> allow this behavior there. Is the list email address automatically
>>>> considered to be a member of the list? I can always block it in
>>>> "privacy options->sender filters", but should that even be necessary? Help!
>>> ---------------- End original message. ---------------------
>>> This seemed rather strange to me too so I decided to test it on my
>>> server. I have 2.1.10b3 installed from source on a Redhat machine.
>>> My list is configured for posts from non-members to be discarded.
>>> I sent a message to one of my lists using the list address in the
>>> From: header. The message was discarded as I expected it would be
>>> and I confirmed this by an entry in the vette log.
>>> So it works on my installation as I expect it would. The question
>>> now is, what is the difference between my source install and your
>>> installation. Are you using a cPanel or Plesk version, or a version
>>> installed from somebody else's package maybe through yum or something similar?
>>> Are you certain that the message was distributed via the list?
>>> Is it in the list archive?
>>> Can you match the message ID to one in the post log?
>>> If you can see it in the archive and post log then it did get
>>> processed through mailman. If not, perhaps it was BCC'ed to your
>>> address or there is something else going on with your MTA.
>>> Dragon
>> I'm running version 2.1.9, installed from a tarball on a Dell server
>> running CentOS 5. I administer from the command line and thru the
>> web interface. It's a pretty basic install.
>
> Now when you say it's from a tarball, is it a binary install or did
> you compile it (configure, make, make install, etc.)?
>
> Where did you obtain this version?
>
> If it isn't from one of the links on the page linked below, it may
> have been altered in some way by somebody else to conform to some
> distribution specific criteria.
>
> http://www.gnu.org/software/mailman/mailman.html
>
>
>> I went thru the logs and saw the message hit our email server
>> (originally from 5850-260-1-62.dialup.samtel.ru), it gets passed to
>> mailman and I see the post entry showing its arrival into mailman
>> then the smtp entry showing its delivery back to the email
>> server. I confirmed the delivery to the 144 recipients (fortunately
>> this is a small list) in the mail log. I am one of the recipients
>> on this list, but in my case spamassassin flagged the message and it
>> gets filtered away.
>>
>> I just widened my search thru the mailman logs and noticed some
>> other lists (in the vette log) holding messages for moderation with
>> the list email in the From: line. So it does appear to be something
>> in this specific list that's misconfigured. I'm off to poke around
>> the config again but I'd be very interested in any suggestions about
>> what I might be looking for!? My first pass thru the config I was
>> looking for something that would allow this to happen and didn't see it.
>
> If this is a stock install from the mailman source, I've pretty much
> exhausted my ideas. The only settings I know that should affect the
> ability to deliver an e-mail are:
>
> accept_these_nonmembers
> generic_nonmember_action
> header_filter_rules
>
> I've looked through all the other options and don't see anything
> there that would possibly allow something through. The only other
> thing I can think of is that this mail might have been held and
> accidentally accepted or it might have been sent with an Approved:
> header with the list or site password.
>
> Dragon
Acquired the software with:
wget http://openwebmail.org/openwebmail/download/release/openwebmail-2.52.tar.gz
followed by many wgets of required perl modules and such
and installed the lot. I recall rounds of configure, make, make test, make
install for the perl modules. I don't recall doing that for the
openwebmail; I do remember "./openwebmail-tool.pl --init" after some
config file changes.
I'll check those specific settings.
If the message had been held I should have seen an entry for it in the
vette log and there wasn't one. I checked the message header for an
Approved line and (fortunately) didn't find it. I'd be very
"disappointed" to find that password in a message header.
I'll keep poking at this end. I'd love to hear any other ideas...
--
Steve
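
The checks discussed in this thread (list address in From:, list membership, accept_these_nonmembers, and an Approved: header), as an added Python example that is not part of the original messages and is not Mailman's own code. The function names, addresses and sample message are constructed; treating entries that start with "^" as regular expressions follows Mailman 2.1's convention for accept_these_nonmembers and is an assumption not stated in the thread.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a post whose From: is the list's own posting address.
SAMPLE = """\
From: staff-list@example.org
To: staff-list@example.org
Subject: constructed test message
Message-ID: <constructed-1@example.org>

body
"""

def matches(addr, patterns):
    """Literal entries compare case-insensitively; '^' entries are regexes."""
    for p in patterns:
        if p.startswith("^"):
            if re.match(p, addr, re.IGNORECASE):
                return True
        elif p.lower() == addr:
            return True
    return False

def triage(raw, list_addr, members, accept_these_nonmembers):
    """List the reasons a post claiming the list's own address could be accepted."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender != list_addr.lower():
        return []  # From: is not the list address; out of scope for this check
    findings = ["from-is-list-address"]
    if sender in {m.lower() for m in members}:
        findings.append("list-address-is-member")
    if matches(sender, accept_these_nonmembers):
        findings.append("matched-accept_these_nonmembers")
    if msg.get("Approved") is not None:
        findings.append("approved-header-present")
    return findings

if __name__ == "__main__":
    # A broad domain regex in accept_these_nonmembers also covers the list address.
    print(triage(SAMPLE, "staff-list@example.org",
                 ["alice@example.org"], [r"^.*@example\.org$"]))
```

A result containing only "from-is-list-address" means none of these settings explains the delivery, which is the situation Steve describes.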