[Mailman-Users] list address in From: line post message to closed list

Steve Lindemann steve at marmot.org
Fri Apr 4 01:10:39 CEST 2008


Steve Lindemann wrote:
> Dragon wrote:
>> Steve Lindemann sent the message below at 14:43 4/3/2008:
>>> Dragon wrote:
>>>> Steve Lindemann sent the message below at 12:18 4/3/2008:
>>>>> The problem - when the list email address is (spoofed) in the From: line
>>>>> (as well as being on the To: line) the message posts to the list.  The
>>>>> ability to post to the list is supposed to be restricted to only list
>>>>> members.  The list address is not in the list of list members.
>>>>>
>>>>> Is this normal?  I checked the config and didn't see anything to
>>>>> allow this behavior there.  Is the list email address automatically
>>>>> considered to be a member of the list?  I can always block it in
>>>>> "privacy options->sender filters", but should that even be necessary?  Help!
>>>> ---------------- End original message. ---------------------
>>>> This seemed rather strange to me too so I decided to test it on my 
>>>> server. I have 2.1.10b3 installed from source on a Redhat machine. 
>>>> My list is configured for posts from non-members to be discarded.
>>>> I sent a message to one of my lists using the list address in the 
>>>> From: header. The message was discarded as I expected it would be 
>>>> and I confirmed this by an entry in the vette log.
>>>> So it works on my installation as I expect it would. The question 
>>>> now is, what is the difference between my source install and your 
>>>> installation. Are you using a cPanel or Plesk version, or a version 
>>>> installed from somebody else's package maybe through yum or something similar?
>>>> Are you certain that the message was distributed via the list?
>>>> Is it in the list archive?
>>>> Can you match the message ID to one in the post log?
>>>> If you can see it in the archive and post log then it did get 
>>>> processed through mailman. If not, perhaps it was BCC'ed to your 
>>>> address or there is something else going on with your MTA.
>>>> Dragon
>>> I'm running version 2.1.9, installed from a tarball on a Dell server 
>>> running CentOS 5.  I administer from the command line and thru the 
>>> web interface.  It's a pretty basic install.
>> Now when you say it's from a tarball, is it a binary install or did 
>> you compile it (configure, make, make install, etc.)?
>>
>> Where did you obtain this version?
>>
>> If it isn't from one of the links on the page linked below, it may 
>> have been altered in some way by somebody else to conform to some 
>> distribution specific criteria.
>>
>> http://www.gnu.org/software/mailman/mailman.html
>>
>>
>>> I went thru the logs and saw the message hit our email server 
>>> (originally from 5850-260-1-62.dialup.samtel.ru), it gets passed to 
>>> mailman and I see the post entry showing its arrival into mailman 
>>> then the smtp entry showing its delivery back to the email 
>>> server.  I confirmed the delivery to the 144 recipients (fortunately 
>>> this is a small list) in the mail log.  I am one of the recipients 
>>> on this list, but in my case spamassassin flagged the message and it 
>>> gets filtered away.
>>>
>>> I just widened my search thru the mailman logs and noticed some 
>>> other lists (in the vette log) holding messages for moderation with 
>>> the list email in the From: line.  So it does appear to be something 
>>> in this specific list that's misconfigured.  I'm off to poke around 
>>> the config again but I'd be very interested in any suggestions about 
>>> what I might be looking for!?  My first pass thru the config I was 
>>> looking for something that would allow this to happen and didn't see it.
>> If this is a stock install from the mailman source, I've pretty much 
>> exhausted my ideas. The only settings I know that should affect the 
>> ability to deliver an e-mail are:
>>
>> accept_these_nonmembers
>> generic_nonmember_action
>> header_filter_rules
>>
>> I've looked through all the other options and don't see anything 
>> there that would possibly allow something through. The only other 
>> thing I can think of is that this mail might have been held and 
>> accidentally accepted or it might have been sent with an Approved: 
>> header with the list or site password.
>>
>> Dragon
> 
> acquired the software with:
> wget http://openwebmail.org/openwebmail/download/release/openwebmail-2.52.tar.gz
> 
> followed by many wget's of required perl modules and such
> and installed the lot.  I recall rounds of configure,make,make test,make 
> install for the perl modules.  I don't recall doing that for the 
> openwebmail, I do remember "./openwebmail-tool.pl --init" after some 
> config file changes.

OOPS... never mind that.  My notes only say I went to the mailman 
website and downloaded mailman-2.1.9.tgz... from there the notes get 
more involved but it boils down to: unpacked it, went thru the make/make 
install routine, ended up with a working copy.

I really need to pay attention to which question I'm working on... I was 
also dealing with an openwebmail issue at the same time (not much of an 
excuse but it's all I have 8^)  ...sorry for the confusion!!

> I'll check those specific settings.
> 
> If the message had been held I should have seen an entry for it in the 
> vette log and there wasn't one.  I checked the message header for an 
> Approved line and (fortunately) didn't find it.  I'd be very 
> "disappointed" to find that password in a message header.
> 
> I'll keep poking at this end.  I'd love to hear any other ideas...
> --
> Steve
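
The settings named in the thread (accept_these_nonmembers, generic_nonmember_action) can be audited offline against the address that appeared in the From: line. The following is an added example, not part of the original messages and not Mailman's own code: a simplified model of the non-member decision, assuming literal entries match case-insensitively and entries starting with `^` are regular expressions. The list address, member addresses and both sample configurations are constructed.

```python
import re

# generic_nonmember_action values as they appear in a Mailman 2.1 list config.
GENERIC_ACTIONS = {0: "accept", 1: "hold", 2: "reject", 3: "discard"}

def matches(sender, entries):
    """Return the first entry matching sender ('^' entries are regexes)."""
    sender = sender.lower()
    for entry in entries:
        if entry.startswith("^"):
            if re.match(entry, sender, re.IGNORECASE):
                return entry
        elif entry.lower() == sender:
            return entry
    return None

def nonmember_disposition(sender, members, cfg):
    """Return (action, reason) for a post whose From: address is sender."""
    if sender.lower() in {m.lower() for m in members}:
        return "member", "sender is a list member (member moderation applies)"
    # Explicit per-address lists are consulted before the generic action.
    for action in ("accept", "hold", "reject", "discard"):
        hit = matches(sender, cfg.get(action + "_these_nonmembers", []))
        if hit:
            return action, "matched %s_these_nonmembers entry %r" % (action, hit)
    return GENERIC_ACTIONS[cfg["generic_nonmember_action"]], "generic_nonmember_action"

# Constructed sample data (hypothetical list and members).
LIST_ADDR = "staff@lists.example.org"
MEMBERS = ["alice@example.org", "bob@example.org"]
# Closed list: no exceptions, non-members discarded.
STRICT = {"accept_these_nonmembers": [], "generic_nonmember_action": 3}
# Same list with an over-broad regex that also covers the list's own address.
LOOSE = {"accept_these_nonmembers": ["^.*@lists\\.example\\.org$"],
         "generic_nonmember_action": 3}

if __name__ == "__main__":
    for name, cfg in (("strict", STRICT), ("loose", LOOSE)):
        print(name, nonmember_disposition(LIST_ADDR, MEMBERS, cfg))
```

An "accept" result for the list's own address points at the entry to tighten; a "discard" result means the cause lies elsewhere, such as an accepted held message or an Approved: header.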



