[Mailman-Users] Siblings list usage ?
Julian H. Stacey
jhs at berklix.com
Mon Sep 26 15:11:01 EDT 2016
Thanks for your reply Mark, very useful,
Mark Sapiro wrote:
> On 09/25/2016 02:32 AM, Julian H. Stacey wrote:
> >
> > On mailman lit configs, On event-announce@ I asserted default
> > moderated bit on all new & existing members of event-announce@, &
> > removed moderated bit on individual organisers.
>
>
> This is not a secure way to restrict posts to event-announce because
> anyone can post by spoofing the address of an unmoderated member whose
> address is known by virtue of having posted to the list.
Yes; Spoofing hasn't been a problem here so far thanks,
(perhaps as most lists for technicaly competent here are
open to all members umoderated anyway; Mostly it's just non
tech. lists here are announce- only, to block noise many
lazy & clueless. I had administrivia filters turned on in
majordomo & now with mailman, I needed to add to MJ regexp
filters, so if I do with MM, I'll hope to contribute back
to MM devs.
> See the
> sections "How to restrict the list so only authorized persons can post:"
> and "How to post to the announcement list:" at
> <https://wiki.list.org/x/4030685>.
>
> However, this may not be viable in your case depending on the logistics
> of distributing the lists poster password to the authorized posters.
Yes, not viable here, many event organisers on the non tech lists
woundn't cope inserting a password in header. So later, if I have to.
> > My main problem:
> > No one on event-announce@ can now respond to event-org@ with
> > "Count me in for event! / Who is organiser next week? etc"
>
>
> Add '@event-announce' to accept_these_nonmembers of the event-org list.
> This will allow anyone who is a member of event-announce, and not a
> member of event-org to post to event.org without moderation. This will
> not affect event-org posts from a member of event-org.
OK Found under
http://mailman.berklix.org/mailman/admin/event-org/privacy/sender
Non-member filters.
> > My lesser problem:
> > When someone joins event-org@ I have to manually remove moderator
> > bit from their personal membership entry in event-announce@ (&
> > re-assert if they leave).
>
>
> You could add @event-org to accept_these_nonmembers of the
> event-announce list. This would allow any member of event-org to post to
> event-announce, but it is subject to the same spoofing vulnerability as
> noted for 'un-moderation', and members of event-org who are not members
> of event-announce won't receive event-announce posts.
OK Thanks, Done, last bit no prob. I have (up to now) required
all members of *-org@ to be on *-announce@ (but I think per your post
below I'll switch to include event-announce@ traffic to event-org@)
I asserted wrong record via wrong box on web form first go,
but then confirmed I have right one with this check:
cd /usr/local ; \
mailman/bin/dumpdb mailman/lists/event-org/config.pck | grep accept_these
{ 'accept_these_nonmembers': ['@event', '@event-chat'],
> > Are Sibling lists a solution? How please ?, I've never used them yet.
>
>
> Sibling lists may help some of this. If you add event-org at ... to
> regular_include_lists of event-announce that will solve the potential
> issue of event-org members who are not members of event-announce not
> receiving event-announce posts.
>
> So, there are choices depending on whether or not you are concerned
> about unauthorized posts to event-announce by spoofing authorized senders.
>
> If you aren't concerned:
> Add '@event-announce' to accept_these_nonmembers of event-org.
> Add '@event-org' to accept_these_nonmembers of event-announce.
> Add event-org at ... to regular_include_lists of event-announce.
> Ensure that anyone who is a member of both event-announce and event-org
> is not moderated on event-announce or posts to event-announce with an
> Approved: <password> header. Easiest is to ensure members of event-org
> aren't members of event-announce.
>
> If you are concerned:
> Add '@event-announce' to accept_these_nonmembers of event-org.
> Do not add '@event-org' to accept_these_nonmembers of event-announce.
> Moderate everyone on event-announce and authorized posters can post to
> event-announce with an Approved: <password> header, instructions for
> which can be posted to the event-org list if its archives are private.
Thanks Mark :-) If you ever visit Munich, there's a bunch of lists
on http://berklix.org where you can find me to buy you a beer :-)
Cheers,
Julian
--
Julian Stacey, BSD Linux Unix Sys Eng Consultant Munich
Reply below, Prefix '> '. Plain text, No .doc, base64, HTML, quoted-printable.
http://berklix.eu/brexit/#stolen_votes
More information about the Mailman-Users
mailing list