
Mailing List Archive: exim: users

Exim & Mailman

 

 



exim-users-20070913 at djce

Nov 14, 2007, 12:09 PM

Post #1 of 9 (707 views)
Exim & Mailman

On Wed, Nov 14, 2007 at 05:51:57PM +0100, Magnus Holmgren wrote:
> > lol .. How on earth did this end up on the list? Did the spammer really
> > subscribe to the mailing list first? That's one hell of a step up from
> > the usual crap :P
>
> Judging from the Received: timestamps a moderator slipped.

Speaking of which, does anyone have any good tips to share on how to write
an ACL for incoming Mailman traffic, which (say) rejects post-DATA for
messages which are not from list members? (Obviously only for
listname [at] domai; not for -owner nor -request, for example).

--
Dave Evans
http://djce.org.uk/
http://djce.org.uk/pgpkey
Attachments: signature.asc (0.18 KB)


odhiambo at gmail

Nov 14, 2007, 11:39 PM

Post #2 of 9 (666 views)
Re: Exim & Mailman [In reply to]

On Nov 14, 2007 11:09 PM, Dave Evans <exim-users-20070913 [at] djce> wrote:
> On Wed, Nov 14, 2007 at 05:51:57PM +0100, Magnus Holmgren wrote:
> > > lol .. How on earth did this end up on the list? Did the spammer really
> > > subscribe to the mailing list first? That's one hell of a step up from
> > > the usual crap :P
> >
> > Judging from the Received: timestamps a moderator slipped.
>
> Speaking of which, does anyone have any good tips to share on how to write
> an ACL for incoming Mailman traffic, which (say) rejects post-DATA for
> messages which are not from list members? (Obviously only for
> listname [at] domai; not for -owner nor -request, for example).

Mailman should do that if properly configured, no?
There must be information from the Mailman FAQ (and even tips on the
net) on how to properly configure Mailman lists to prevent abuse.


--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

"Oh My God! They killed init! You Bastards!"
--from a /. post

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


wbh at conducive

Nov 15, 2007, 12:48 AM

Post #3 of 9 (661 views)
Re: Exim & Mailman [In reply to]

Odhiambo Washington wrote:
> On Nov 14, 2007 11:09 PM, Dave Evans <exim-users-20070913 [at] djce> wrote:
>> On Wed, Nov 14, 2007 at 05:51:57PM +0100, Magnus Holmgren wrote:
>>>> lol .. How on earth did this end up on the list? Did the spammer really
>>>> subscribe to the mailing list first? That's one hell of a step up from
>>>> the usual crap :P
>>> Judging from the Received: timestamps a moderator slipped.
>> Speaking of which, does anyone have any good tips to share on how to write
>> an ACL for incoming Mailman traffic, which (say) rejects post-DATA for
>> messages which are not from list members? (Obviously only for
>> listname [at] domai; not for -owner nor -request, for example).
>
> Mailman should do that if properly configured, no?

Definitely so. This list is a living example.

> There must be information from the Mailman FAQ (and even tips on the
> net) on how to properly configure Mailman lists to prevent abuse.
>
>

If you don't mind letting Exim have read-access to the lists, you can make
Exim+Ecartis reject *during* smtp session. Ergo can probably do the same just as
easily with Mailman.

That said, experiments aside, I don't bother - just silently blackhole Ecartis
post-smtp response to those and use an errors_to = /dev/null on the routers.

The admins still see the reports, so 'good enough' to catch honest errors, less
work, and lower risk of backscatter.

Not much point in respecting RFC sensitivity with a zombot.

HTH

Bill




jethro.binks at strath

Nov 15, 2007, 12:48 AM

Post #4 of 9 (664 views)
Re: Exim & Mailman [In reply to]

On Thu, 15 Nov 2007, Odhiambo Washington wrote:

> > Speaking of which, does anyone have any good tips to share on how to
> > write an ACL for incoming Mailman traffic, which (say) rejects
> > post-DATA for messages which are not from list members? (Obviously
> > only for listname [at] domai; not for -owner nor -request, for example).
>
> Mailman should do that if properly configured, no? There must be
> information from the Mailman FAQ (and even tips on the net) on how to
> properly configure Mailman lists to prevent abuse.

It doesn't reject at SMTP-time, but if a list is configured appropriately,
messages not from list members can be automatically accepted, discarded,
rejected with message, or held for moderation. In the latter case, the
moderator can choose to accept, discard or reject. So what happens is
down to how the list server manager and list owner have configured and
operate the list.

Back to the original question, Mailman stores its list memberships in
python pickles, but I suppose you could periodically dump a text file out
of them and consult on a per-list basis at SMTP time before accepting a
message. If the list membership changes rapidly, you'd need to dump out
text file correspondingly. Or I imagine you could interface something to
Exim that will read the pck file directly, but you'd need to be aware that
you are bypassing the mechanisms built into Mailman itself.

Of course all this has the fundamental flaw that authentication to send to
the list is done by sending email address, which of course is trivially
forgeable. Certain members of this list will testify to this, having
suffered the indignity of seeing fraudulent messages 'from' them on the
list.

There are a few other potential mechanisms if you are determined to let
list members be able to post to a list without moderation oversight; a
'secret' list posting address known only to members, a 'secret' list
password which must be used when posting, or each member has their own
'secret' address which they must use to post to the list. None are
implemented widely, probably mostly because it just makes list posting
more tedious, and apart from occasional incidents, we mostly get along
fine without the obstructions.

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK



exim-users-20070913 at djce

Nov 15, 2007, 12:59 AM

Post #5 of 9 (666 views)
Re: Exim & Mailman [In reply to]

On Thu, Nov 15, 2007 at 10:39:48AM +0300, Odhiambo Washington wrote:
> On Nov 14, 2007 11:09 PM, Dave Evans <exim-users-20070913 [at] djce> wrote:
> > Speaking of which, does anyone have any good tips to share on how to write
> > an ACL for incoming Mailman traffic, which (say) rejects post-DATA for
> > messages which are not from list members? (Obviously only for
> > listname [at] domai; not for -owner nor -request, for example).
>
> Mailman should do that if properly configured, no?
> There must be information from the Mailman FAQ (and even tips on the
> net) on how to properly configure Mailman lists to prevent abuse.

Not AFAIK. Much of mailman's configuration, to the best of my knowledge,
takes effect after the MTA has already accepted the message.

Having said that, I think I may have just found an answer to my question
elsewhere, so I'll go and have a play with that.

--
Dave Evans
http://djce.org.uk/
http://djce.org.uk/pgpkey
Attachments: signature.asc (0.18 KB)


iane at sussex

Nov 15, 2007, 3:51 AM

Post #6 of 9 (652 views)
Re: Exim & Mailman [In reply to]

--On 15 November 2007 08:59:10 +0000 Dave Evans
<exim-users-20070913 [at] djce> wrote:

> On Thu, Nov 15, 2007 at 10:39:48AM +0300, Odhiambo Washington wrote:
>> On Nov 14, 2007 11:09 PM, Dave Evans <exim-users-20070913 [at] djce>
>> wrote:
>> > Speaking of which, does anyone have any good tips to share on how to
>> > write an ACL for incoming Mailman traffic, which (say) rejects
>> > post-DATA for messages which are not from list members? (Obviously
>> > only for listname [at] domai; not for -owner nor -request, for example).
>>
>> Mailman should do that if properly configured, no?
>> There must be information from the Mailman FAQ (and even tips on the
>> net) on how to properly configure Mailman lists to prevent abuse.
>
> Not AFAIK. Much of mailman's configuration, to the best of my knowledge,
> takes effect after the MTA has already accepted the message.

Actually, all of it. Email addressed to a non-existent list won't be routed
to that list, of course. Nothing else is considered at SMTP time, though.

Where the Mailman config says "reject", it means "generate a bounce
message".

> Having said that, I think I may have just found an answer to my question
> elsewhere, so I'll go and have a play with that.

I've a python script (attached) that attempts to reproduce the logic, but I
think it's not quite accurate. I'm not an experienced python coder, and
I've guessed the logic based on configuration options, not on existent
code. I've never integrated it to Exim.

The script always allows owners and moderators to post (because we
don't care too much if they get bounce messages), and people listed in
accept_these_nonmembers.

It always rejects email from people listed in reject_these_nonmembers

Then it checks whether generic_nonmember_action is set to "2" - the current
value for "reject". NB this isn't future proof, it's hard coded and
shouldn't be. If it is, the sender address is compared with the catenation
of the lists of regular members and digest members.

Everything else is accepted.


--
Ian Eiloart
IT Services, University of Sussex
x3148
Attachments: check_sender.py (5.18 KB)
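
The decision order described in the post above, written out as an added example; this is not the attached check_sender.py and was not written by the poster. The dictionary keys `members` and `digest_members`, the string return values, and the sample addresses are assumptions made for illustration (a real check would read the values from a dump of the Mailman list configuration), and the handling of entries beginning with `^` as regular expressions reflects Mailman 2.1 behaviour that the post does not mention.

```python
import re

REJECT = 2  # generic_nonmember_action value meaning "reject", per the post


def _matches(address, entries):
    """True if address equals an entry, or matches an entry that starts
    with '^' (Mailman 2.1 treats such entries as regular expressions)."""
    for entry in entries:
        if entry.startswith("^"):
            try:
                if re.match(entry, address, re.IGNORECASE):
                    return True
            except re.error:
                continue  # malformed pattern: skip it, do not fail the check
        elif entry.lower() == address:
            return True
    return False


def check_sender(sender, cfg):
    """Return 'accept' or 'reject' for a post to the list's posting address."""
    sender = sender.strip().lower()
    # 1. Owners and moderators may always post.
    if sender in [a.lower() for a in cfg["owner"] + cfg["moderator"]]:
        return "accept"
    # 2. Explicitly allowed nonmembers.
    if _matches(sender, cfg["accept_these_nonmembers"]):
        return "accept"
    # 3. Explicitly rejected nonmembers.
    if _matches(sender, cfg["reject_these_nonmembers"]):
        return "reject"
    # 4. Only when the list rejects nonmembers: regular + digest members.
    if cfg["generic_nonmember_action"] == REJECT:
        members = {a.lower() for a in cfg["members"] + cfg["digest_members"]}
        return "accept" if sender in members else "reject"
    # 5. Hold/discard/accept settings are left for Mailman to apply later.
    return "accept"


SAMPLE_LIST = {  # constructed sample data, not from any real list
    "owner": ["owner@example.org"],
    "moderator": ["mod@example.org"],
    "accept_these_nonmembers": ["^.*@partner\\.example$"],
    "reject_these_nonmembers": ["spammer@example.net"],
    "generic_nonmember_action": 2,
    "members": ["alice@example.com"],
    "digest_members": ["Bob@Example.com"],
}
```

As pointed out earlier in the thread, the sender address is trivially forgeable, so a check like this filters nonmember mail but does not authenticate posters.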


exim-users-20070913 at djce

Nov 15, 2007, 4:15 AM

Post #7 of 9 (651 views)
Re: Exim & Mailman [In reply to]

On Thu, Nov 15, 2007 at 11:51:33AM +0000, Ian Eiloart wrote:
> I've a python script (attached) that attempts to reproduce the logic, but I
> think it's not quite accurate. I'm not an experienced python coder, and
> I've guessed the logic based on configuration options, not on existent
> code. I've never integrated it to Exim.

Looks like a good start - I'll have a play. Thanks!

--
Dave Evans
http://djce.org.uk/
http://djce.org.uk/pgpkey
Attachments: signature.asc (0.18 KB)


jwblist3 at olympus

Nov 15, 2007, 10:31 AM

Post #8 of 9 (664 views)
Re: Exim & Mailman [In reply to]

On 11/15/07 3:51 AM, "Ian Eiloart" <iane [at] sussex> wrote:

> Then it checks whether generic_nonmember_action is set to "2" - the current
> value for "reject". NB this isn't future proof, it's hard coded and
> shouldn't be.

The value 2 is unlikely to change before an upcoming major revision to
Mailman kills Ian's program anyhow.

Mailman 2.2 is a significant revision, and will among other things eliminate
the piping of messages into Mailman (substituting LMTP delivery, I think,
although I dropped off their developer mailing list about when that was
close to being finalized). Mailman 3 changes nearly everything.

The pickles are going away--I've forgotten whether it is in 2.2 or in 3.0

--John





iane at sussex

Nov 16, 2007, 3:51 AM

Post #9 of 9 (645 views)
Re: Exim & Mailman [In reply to]

--On 15 November 2007 10:31:54 -0800 "John W. Baxter"
<jwblist3 [at] olympus> wrote:

> On 11/15/07 3:51 AM, "Ian Eiloart" <iane [at] sussex> wrote:
>
>> Then it checks whether generic_nonmember_action is set to "2" - the
>> current value for "reject". NB this isn't future proof, it's hard coded
>> and shouldn't be.
>
> The value 2 is unlikely to change before an upcoming major revision to
> Mailman kills Ian's program anyhow.
>
> Mailman 2.2 is a significant revision, and will among other things
> eliminate the piping of messages into Mailman (substituting LMTP
> delivery, I think, although I dropped off their developer mailing list
> about when that was close to being finalized).

That would be nice - provided that they're actually going to be able to
reject the messages at LMTP time, and not bounce them. I've had this debate
with developers of Mailman and other mailing list managers, and failed to
convince them of the necessity. :(

> Mailman 3 changes nearly
> everything.

I think you have the tense wrong there :) It will change everything.
Probably before the end of the century.

>
> The pickles are going away--I've forgotten whether it is in 2.2 or in 3.0
>
> --John



--
Ian Eiloart
IT Services, University of Sussex
x3148

