[Mailman-Users] Mailman integration with Google Groups:allowGroups Subscribers post directly

Sat Apr 16 21:01:18 CEST 2011

anatoly techtonik wrote:

>On Tue, Mar 29, 2011 at 9:49 AM, Mark Sapiro <mark at msapiro.net> wrote:
>> anatoly techtonik wrote:
>>>
>>>- how can I setup Mailman, so it can accept mails sent through Google
>>>Groups proxy automatically? -
>>
>> The envelope sender of a google groups post is
>> <group_name+some_token at googlegroups.com>. If that address were a
>> member of the mailman list with no password reminders and no mail
>> delivery, the posts would be accepted as member posts. The problem is
>> the +some_token suffix to the local part of the address. The
>> Mailman.Message.get_senders() method doesn't treat +some_token as a
>> suffix and since it is variable, it is not possible to subscribe all
>> the possible<group_name+some_token at googlegroups.com> addresses to the
>> list.
>
>Am I right that "envelope sender" is just a relay proxy address, so
>To: field will still contain my email?

The envelope sender is set by Google Groups to an address to whih
undeliverable type notices will be returned. If I understand correctly
what you're doing, the To: header will contain the address of the
Google Group. The recipient address (the Mailman list which is a
member of the Google Group) will not appear in headers other than
perhaps Received:.

>Is it possible to add an option to Mailman itself to strip +token
>before processing email addresses?

Only by modifying code.

>Does email standard allow to use +token addresses for multiple users?

I do not understand the question. There will be one message from the
Google Group to the Mailman list. That message's envelope sender will
have a unique token so if it bounces, Google can easily tell which
recipient bounced. The messages from the Google Group to other Google
Group members will each have their own unique token.

>> Thus you are left with a couple of other options. If the Google group
>> is set to include a Reply-To: <group_name at googlegroups.com> header in
>> delivered posts, and if <group_name at googlegroups.com> is a member of
>> the mailman list (with no password reminders and no mail delivery),
>> Mailman.Message.get_senders() will return that address in the senders
>> list and Mailman will consider the post from a member.
>
>Seems easy, but isn't it possible to forge Reply-To: address to spam
>Mailman lists?

Yes, and one can almost as easily forge From: for the same purpose.

>I'd like to ensure there is some kind protection to
>avoid spam that pretends to be from the Group. The same concern is
>about X-BeenThere header solution.

It doesn't take much sophistication to craft and send an email message
with anything one wants in the headers. People who want to can already
easily spoof the address of any list member in the From: header of a
message to fool Mailman into accepting the post as from a list member.

If you are truly concerned about this, you have to moderate all members
to hold all posts and approve them manually.

>> So, if you add <group_name at googlegroups.com> as a member of the mailman
>> list (with no password reminders and no mail delivery), and either set
>> the google group "Replies to messages" =C2=A0to "Replies are sent to the
>> whole group" or add the above SENDER_HEADERS line to mm_cfg.py, posts
>> arriving via the group will be seen as member posts.
>
>If I set "no mail delivery" then how the Group receive messages for
>reading from the web?

No mail delivery is a per user option. You set no mail delivery and no
password reminders for only the Google Groups address which is a
member of the Mailman list so that Mailman doesn't send the post back
to the Google Group. Delivery to other members of the Mailman list is
unaffected by this.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan