[Mailman-Users] Siblings list usage ?

Julian H. Stacey jhs at berklix.com
Mon Sep 26 15:11:01 EDT 2016


Thanks for your reply Mark, very useful,

Mark Sapiro wrote:
> On 09/25/2016 02:32 AM, Julian H. Stacey wrote:
> > 
> > On mailman list configs, On event-announce@ I asserted default
> > moderated bit on all new & existing members of event-announce@, &
> > removed moderated bit on individual organisers.
> 
> 
> This is not a secure way to restrict posts to event-announce because
> anyone can post by spoofing the address of an unmoderated member whose
> address is known by virtue of having posted to the list.

Yes; Spoofing hasn't been a problem here so far thanks,
	(perhaps as most lists for technically competent here are
	open to all members unmoderated anyway; Mostly it's just non
	tech. lists here are announce- only, to block noise many
	lazy & clueless. I had administrivia filters turned on in
	majordomo & now with mailman, I needed to add to MJ regexp
	filters, so if I do with MM, I'll hope to contribute back
	to MM devs.)


> See the
> sections "How to restrict the list so only authorized persons can post:"
> and "How to post to the announcement list:" at
> <https://wiki.list.org/x/4030685>.
> 
> However, this may not be viable in your case depending on the logistics
> of distributing the list's poster password to the authorized posters.

Yes, not viable here, many event organisers on the non tech lists
wouldn't cope inserting a password in header.  So later, if I have to.


> > My main problem:
> >   No one on event-announce@ can now respond to event-org@ with 
> >  "Count me in for event! / Who is organiser next week? etc"
> 
> 
> Add '@event-announce' to accept_these_nonmembers of the event-org list.
> This will allow anyone who is a member of event-announce, and not a
> member of event-org to post to event.org without moderation. This will
> not affect event-org posts from a member of event-org.

OK Found under 
	http://mailman.berklix.org/mailman/admin/event-org/privacy/sender
	Non-member filters. 

> > My lesser problem:
> >   When someone joins event-org@ I have to manually remove moderator
> >   bit from their personal membership entry in event-announce@ (&
> >   re-assert if they leave).
> 
> 
> You could add @event-org to accept_these_nonmembers of the
> event-announce list. This would allow any member of event-org to post to
> event-announce, but it is subject to the same spoofing vulnerability as
> noted for 'un-moderation', and members of event-org who are not members
> of event-announce won't receive event-announce posts.

OK Thanks, Done, last bit no prob. I have (up to now) required
all members of *-org@ to be on *-announce@ (but I think per your post
below I'll switch to include event-announce@ traffic to event-org@)

I asserted wrong record via wrong box on web form first go,
but then confirmed I have right one with this check:
cd /usr/local ; \
  mailman/bin/dumpdb mailman/lists/event-org/config.pck | grep accept_these
	{   'accept_these_nonmembers': ['@event', '@event-chat'],


> > Are Sibling lists a solution? How please ?, I've never used them yet.
> 
> 
> Sibling lists may help some of this. If you add event-org at ... to
> regular_include_lists of event-announce that will solve the potential
> issue of event-org members who are not members of event-announce not
> receiving event-announce posts.
> 
> So, there are choices depending on whether or not you are concerned
> about unauthorized posts to event-announce by spoofing authorized senders.
> 
> If you aren't concerned:
> Add '@event-announce' to accept_these_nonmembers of event-org.
> Add '@event-org' to accept_these_nonmembers of event-announce.
> Add event-org at ... to regular_include_lists of event-announce.
> Ensure that anyone who is a member of both event-announce and event-org
> is not moderated on event-announce or posts to event-announce with an
> Approved: <password> header. Easiest is to ensure members of event-org
> aren't members of event-announce.
> 
> If you are concerned:
> Add '@event-announce' to accept_these_nonmembers of event-org.
> Do not add '@event-org' to accept_these_nonmembers of event-announce.
> Moderate everyone on event-announce and authorized posters can post to
> event-announce with an Approved: <password> header, instructions for
> which can be posted to the event-org list if its archives are private.

Thanks Mark :-) If you ever visit Munich, there's a bunch of lists
on http://berklix.org where you can find me to buy you a beer :-)

Cheers,
Julian
--
Julian Stacey, BSD Linux Unix Sys Eng Consultant Munich
 Reply below, Prefix '> '. Plain text, No .doc, base64, HTML, quoted-printable.
 http://berklix.eu/brexit/#stolen_votes
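
Added example, not part of the original message and not Mailman's own code: a simplified Python model of the accept/hold decision for the two setups Mark lists, showing that the "not concerned" setup decides on the From: header alone while the "concerned" one requires the Approved: password. List and setting names follow the thread; the addresses, the password and the `poster_password` key are constructed for illustration.

```python
import hmac
from email.message import EmailMessage
from email.utils import parseaddr

def build_lists(concerned):
    """Both list configs for Mark's 'concerned' / 'not concerned' choice."""
    return {
        "event-org": {
            "members": {"organiser@example.org": False},  # address -> moderated?
            "accept_these_nonmembers": ["@event-announce"],
            "poster_password": None,
        },
        "event-announce": {
            "members": {"subscriber@example.org": True},  # everyone moderated
            "accept_these_nonmembers": [] if concerned else ["@event-org"],
            "poster_password": "constructed-secret" if concerned else None,
        },
    }

def decide(lists, listname, msg):
    """Return 'accept' or 'hold' for a post, looking only at its headers."""
    cfg = lists[listname]
    approved, pw = msg.get("Approved"), cfg["poster_password"]
    # An Approved: header carrying the poster password bypasses moderation.
    if approved and pw and hmac.compare_digest(approved.strip().encode(), pw.encode()):
        return "accept"
    # Everything below trusts the From: header, which the sender controls.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in cfg["members"]:
        return "hold" if cfg["members"][sender] else "accept"
    for entry in cfg["accept_these_nonmembers"]:
        if entry.startswith("@"):  # '@listname' means: any member of that list
            if sender in lists.get(entry[1:], {}).get("members", {}):
                return "accept"
        elif entry.lower() == sender:
            return "accept"
    return "hold"  # non-member with no matching filter is held

def post(sender, approved=None):
    """Build a constructed sample post with the given From: and Approved:."""
    msg = EmailMessage()
    msg["From"] = sender
    if approved:
        msg["Approved"] = approved
    return msg
```

A post whose From: names an event-org member is accepted by event-announce in the first setup whether or not that member sent it; in the second setup the same post is held unless it carries the password.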

