[Mailman-Users] Confirmation logging

Stephen J. Turnbull stephen at xemacs.org
Wed Jul 3 05:41:36 CEST 2013

Kip Warner writes:

 > Apparently Mailman doesn't handle opt-in confirmations in a way that is
 > compliant with it. Specifically, it doesn't log new subscriptions or the
 > IP addresses of the confirmation. Is this correct?

Each step of a subscription is logged.  IP addresses of web requests
are logged, both in logs/subscribe and by the webserver.

IP addresses of the last remote MTA for a request by mail are logged
by the local MTA.  IP address of the source MTA or MUA cannot be
reliably determined in malicious cases, and even for honest messages,
the source IP is both expensive to compute accurately and less than
100% reliable.  I don't think Mailman even tries to log these, but I
don't have an actual case to hand in my own logs -- everybody uses the
web interface.

It seems to me that you can probably comply with DreamHost's
requirements simply by disabling processing of admin commands by
mail.  Caveat: I haven't read DreamHost's policy so I don't know for
sure.  Most likely very few people will be bothered.  You'll also want
to edit the "please confirm" message to remove the reference to
confirm by mail.  You could also achieve the same effect by requiring
confirmation by mail, but this might require more invasive changes to
the code.

I'm not sure how to disable admin-by-mail offhand, but Mark can
probably help.

More information about the Mailman-Users mailing list