[Mailman-Users] Replies from non-members getting posted to list set to allow posts by subscribers only

Mark Sapiro mark at msapiro.net
Tue Jun 22 16:04:00 CEST 2010

Anthony R. Thompson wrote:
>Is there something I'm missing here - is this normal behavior?
>It doesn't seem to me like someone should be able to post a message to a 
>private list just by changing the Reply-To field to an address they know 
>is on the private list.

As I implied but didn't explicitly state in my initial response in this
the places in an incoming message that are checked for a member
address to determine if a post is from a member are controlled by the
Defaults.py/mm_cfg.py setting SENDER_HEADERS. The default setting
checks the following in order:
- the From: header,
- the envelope sender,
- the Reply-To: header and
- the Sender: header.

Order is significant because the first member address found (if any)
will determine if the post is from a moderated member.

If you have write access to mm_cfg.py, you can set SENDER_HEADERS to a
list which doesn't include Reply-To (see the documentation in
Defaults.py), but as Stephen said, it is almost as easy to spoof the
From: or even the envelope sender as it is to set the Reply-To:.

Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
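The member check described in Mark's reply, as an added example that is not Mailman's own code: a simplified model of walking SENDER_HEADERS in order, run against a constructed message whose From: is a non-member but whose Reply-To: is a member, once with the default tuple from Defaults.py (where None stands for the envelope sender) and once with an assumed mm_cfg.py override that drops Reply-To. The member set, addresses and headers are all constructed here.

```python
# Added example, not Mailman's own code: a simplified model of how Mailman 2
# walks SENDER_HEADERS to decide whether a post comes from a list member.
# Assumptions: the default tuple mirrors Defaults.py (None = envelope sender);
# the hardened tuple is a hypothetical mm_cfg.py override; data is constructed.
from email import message_from_string
from email.utils import getaddresses

# Default order from Defaults.py: From:, envelope sender, Reply-To:, Sender:
DEFAULT_SENDER_HEADERS = ('from', None, 'reply-to', 'sender')
# mm_cfg.py override that stops trusting Reply-To: (From: is still spoofable)
HARDENED_SENDER_HEADERS = ('from', None, 'sender')


def candidate_senders(msg, envelope_sender, sender_headers):
    """Yield lower-cased candidate addresses in SENDER_HEADERS order."""
    for hdr in sender_headers:
        if hdr is None:
            if envelope_sender:
                yield envelope_sender.lower()
            continue
        for _name, addr in getaddresses(msg.get_all(hdr, [])):
            if addr:
                yield addr.lower()


def first_member(msg, envelope_sender, members, sender_headers):
    """Return the first member address found (this one decides moderation),
    or None when no checked location holds a member address."""
    for addr in candidate_senders(msg, envelope_sender, sender_headers):
        if addr in members:
            return addr
    return None


# Constructed sample: non-member From:/envelope, known member in Reply-To:
MEMBERS = {'alice@example.org', 'bob@example.org'}
SPOOFED = message_from_string(
    "From: outsider@example.net\n"
    "Reply-To: alice@example.org\n"
    "Subject: hello\n\nbody\n")

if __name__ == '__main__':
    # With the default, the Reply-To: member makes this look like a member post
    print(first_member(SPOOFED, 'outsider@example.net', MEMBERS,
                       DEFAULT_SENDER_HEADERS))   # alice@example.org
    # Without Reply-To: in SENDER_HEADERS it is treated as a non-member post
    print(first_member(SPOOFED, 'outsider@example.net', MEMBERS,
                       HARDENED_SENDER_HEADERS))  # None
```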
