[Mailman-Users] Fake Email

Stephen J. Turnbull stephen at xemacs.org
Sat Oct 31 06:28:45 CET 2009


Hien HUYNH HUU writes:

 >    I recognize that mailman can accept a fake sender. Example: I
 >    have a maillist where only one email account (xyz at abc.com) can
 >    send messages to all emails in the list. But, if someone can
 >    send a fake "From address" that is xyz at abc.com, mailman will deliver
 >    messages to the list. This is a security problem. Can we
 >    prevent this from happening?

Mailman is too far "downstream" to do this very effectively.  It is
possible to set up Mailman so that all posts will be moderated except
those containing an "Approved: PASSWORD" header.  This header is then
stripped from the distributed version.  However, such passwords can be
leaked in various ways or sniffed from the mail in the transport
between the sender and Mailman.  It's not terribly secure.

A better way to do this would be to set up the MTA on Mailman's host
to only deliver to the list address (i.e., Mailman) if the sender has
been authenticated (e.g., with TLS).
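One way to realize the MTA-side check described in this reply, as an added example that is not part of the original thread or of Mailman: a Postfix access-policy decision (the kind of service Postfix calls through `check_policy_service`) that lets delivery to the list address proceed only when the SMTP session was SASL-authenticated or presented a verified TLS client certificate. The list address, the sample request contents and the socket path mentioned in the comments are assumptions.

```python
from typing import Dict

# Assumed list posting address; real requests arrive from Postfix via
# check_policy_service (e.g. unix:private/listpolicy in smtpd_recipient_restrictions).
PROTECTED_RECIPIENTS = {"list@example.com"}


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse one Postfix policy request: 'name=value' lines ended by a blank line."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line:
            break  # empty line terminates the request
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def is_authenticated(attrs: Dict[str, str]) -> bool:
    """True when Postfix reports a SASL login or a verified TLS client certificate.

    Postfix fills ccert_subject only for a verified client certificate, so a
    forged From address sent by an anonymous client sets neither field.
    """
    return bool(attrs.get("sasl_username")) or bool(attrs.get("ccert_subject"))


def decide(attrs: Dict[str, str]) -> str:
    """Return the policy action for the recipient of this RCPT TO stage."""
    if attrs.get("recipient", "").lower() not in PROTECTED_RECIPIENTS:
        return "DUNNO"  # not a list address: let later restrictions decide
    if is_authenticated(attrs):
        return "DUNNO"  # authenticated sender: allow delivery to proceed
    return "REJECT Posting to this list requires an authenticated sender"


def handle(raw: str) -> str:
    """One protocol turn: request text in, 'action=...' plus blank line out."""
    return f"action={decide(parse_policy_request(raw))}\n\n"


# Constructed sample requests in the shape described in Postfix's SMTPD_POLICY_README.
FORGED_FROM = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
               "sender=xyz@abc.com\nrecipient=list@example.com\n"
               "client_address=203.0.113.7\nsasl_username=\nccert_subject=\n\n")
SASL_POST = FORGED_FROM.replace("sasl_username=\n", "sasl_username=xyz\n")

if __name__ == "__main__":
    print(handle(FORGED_FROM).strip())  # the forged, unauthenticated post is rejected
    print(handle(SASL_POST).strip())    # the authenticated post passes through
```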

