[Mailman-Users] rejecting messages *to* non-members

[Adam McGreggor]

On Wed, Nov 25, 2009 at 08:42:50AM -0800, glen martin wrote:
> I've got some rude users who occasionally cc non-list members on their 
> messages to a restricted list that is actually intended to be private 
> (membership by invitation only).  

Suspend 'em from posting to the list for a breach of list protocol?

> Then, as you might expect, when the 
> non-member replies, that message is rejected or held for approval.  This 
> doesn't seem friendly.
> 
> The mailing list discussions around non-members seem to have been 
> dominated by discussion of messages from them, not to them.
> 
> Is there such an option, to reject messages that are {to,cc} 
> non-members? Or suggestions?

Bit tricky, that one, as presumably, you're not in charge of the
sending-mail machine.

what I would do is something like an ACL at SMTP time on the Mailman
machine, to the effect of determining:
    * is the sender a list-member
    * is there any address that's not the list address in the to/cc
      header

and if both conditions are true, then send an appropriate SMTP error
to the sender, discarding the mail.

Now, as for the first part, how you implement that will probably
depend on the size of the list, and which MTA you're using; you might
find periodically dumping the output of list_members for that/those
lists into a directory and searching through that, or dynamically
checking against the list (config/membership info), or using a wrapper
or some other method.

The second condition is trivial, with any knowledge of your MTA's
ACLs.

As for the not-friendly aspect, one approach might be to test inbound
mail, destined for the lists, for the existance of appropriate
headers (perhaps In-Reply-To:/Message-ID:), and verify those that
*you* use (or, indeed, add an X-Originated-From-FooBaa.com: header),
and if that condition is met, and the sender's not a member of the
list, to automagically add the Sender/From &c address to the allowed
senders array for the list. Spoofing headers won't really help, but we
all know that, anyhow, yes?

This last 'idea' ( ^^^ )doesn't necessarily help in user-education,
unless your list-members have the "X-Don't-Be-A-Dimwit:" header on
display ;)

[ ok, so how many of you went and checked ;) ]

Those said, I do perverse things with mail-servers...

(Exim is my MTA of preference, I think a few others prefer Postfix)

-- 
"what was asked of the Director in this case was not a statement of
prosecuting policy but a proleptic grant of immunity from prosecution.
That, I am quite satisfied, the Director had no power to give.”
    -- Bingham of Cornhill, R (Pretty) v DPP [2002] 1 AC 800