[Mailman-Users] Fake Email

Hien HUYNH HUU hien.hh at sbsc.com.vn
Sun Nov 1 16:34:46 CET 2009


Hi Stephen, 
   I can't do that because maybe the sender is on another MTA and the Mailman server can't force them to do an authentication.
   Is this a weak point of Mailman?
   Best regards,
   Huu Hien

   
________________________________________
From: Stephen J. Turnbull [stephen at xemacs.org]
Sent: Saturday, October 31, 2009 12:28 PM
To: Hien HUYNH HUU
Cc: mailman-users at python.org
Subject: [Mailman-Users] Fake Email

Hien HUYNH HUU writes:

 >    I recognize that mailman can accept a fake sender. For example, I
 >    have a mailing list where only one email account (xyz at abc.com) can
 >    send messages to all emails in the list. But, if someone can
 >    send a fake "From address" that is xyz at abc.com, mailman will deliver
 >    messages to the list. This is a security problem. Can we
 >    prevent this from happening?

Mailman is too far "downstream" to do this very effectively.  It is
possible to set up Mailman so that all posts will be moderated except
those containing an "Approved: PASSWORD" header.  This header is then
stripped from the distributed version.  However, such passwords can be
leaked in various ways or sniffed from the mail in the transport
between the sender and Mailman.  It's not terribly secure.

A better way to do this would be to set up the MTA on Mailman's host
to only deliver to the list address (ie, Mailman) if the sender has
been authenticated (eg, with TLS).
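As an added illustration of the "Approved: PASSWORD" mechanism described above (example code written for this archive page, not Mailman's own implementation): posts without the header are held regardless of their From address, and an accepted post has the header stripped before distribution. The list password, addresses and sample messages are constructed.

```python
import hmac
from email import message_from_string
from email.message import Message

# Constructed list secret for this example; a real list has its own.
LIST_PASSWORD = "constructed-list-secret"


def check_approved(msg: Message, password: str) -> bool:
    """True if the Approved: header carries the list password.

    Constant-time comparison so a guessing client learns nothing
    from timing differences.
    """
    value = msg.get("Approved", "").strip()
    return hmac.compare_digest(value.encode(), password.encode())


def dispatch(raw: str, password: str = LIST_PASSWORD):
    """Return ('accept', distributable text) or ('hold', reason).

    The From: header is never trusted: a post that only claims to come
    from the allowed poster is held for moderation. An accepted post has
    the Approved: header deleted so the secret is not redistributed.
    """
    msg = message_from_string(raw)
    if not check_approved(msg, password):
        sender = msg.get("From", "")
        return "hold", "no valid Approved header (From: %s is unverified)" % sender
    del msg["Approved"]  # removes every Approved: header before distribution
    return "accept", msg.as_string()


# Constructed sample posts: a forged From: alone, and a post with the header.
SPOOFED = "From: xyz@abc.com\nTo: list@abc.com\nSubject: hi\n\nforged body\n"
APPROVED = ("From: xyz@abc.com\nTo: list@abc.com\nSubject: hi\n"
            "Approved: constructed-list-secret\n\nreal body\n")

if __name__ == "__main__":
    print(dispatch(SPOOFED))
    print(dispatch(APPROVED))
```

The password still travels in cleartext inside the submitted message, which is exactly the leakage and sniffing exposure the reply points out; authenticating the sender at the MTA avoids putting the secret in the mail at all.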

