>>>>> "TD" == Teresa Downey <Teresa.Downey@SLAC.Stanford.EDU> writes:
TD> This seems pretty weak security.
Majordomo was not designed from the ground up to run mailing lists under
the iron-clad reign of the list owner. It was designed to do the job that
it does cleanly. The resend functionality came somewhat later in the
game. To one who understands the mail system, it's somewhat obvious that
for Majordomo to fulfill its goal of not doing delivery, it must rely on
the facilities of the MTA to do so. For sendmail, this basically requires
an outgoing alias.
TD> I'm very surprised Brent Chapman would leave such a wide-open hole to
TD> be able to get around the 'restrict_post' specifications.
You really should learn more about the intent and history of the software
before you claim to understand any of Brent's goals. Do you even realize
that Brent has had very little to do with the code for some years now?
TD> Is this going to be fixed in next version?
Don't know; it depends on what the next version is. My development sources
don't have such a "hole"; the cost is a loss of simplicity; Majordomo
becomes an SMTP client in its own right.
TD> BTW, when might the next version come out???
Not determined. When it's ready.
TD> I cannot turn off EXPN here since that would cause us to lose potential
TD> forgery alerts for ALL email.
OK; I run completely secure lists with EXPN turned on.
TD> Is this actually the only way to secure a list from being posted to by
TD> unauthorized people?
No. Doesn't the FAQ have details on this?
- J<
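The reply above explains that Majordomo hands delivery to the MTA through an outgoing alias, which is why the outgoing alias exists as an ordinary sendmail alias that restrict_post never sees. The following script is an added example, not code from the thread or from the Majordomo project: it takes a constructed sendmail aliases fragment for one list (the wrapper path, list name and file paths are assumptions) and lists the aliases that expand straight to a membership file, so an administrator can see which names need the protection the FAQ describes.

```shell
#!/bin/sh
# Constructed sample of a sendmail aliases file for one Majordomo list.
# The wrapper path, list name and lists directory are assumptions made
# for this example; they are not taken from the thread.
ALIASES_SAMPLE=$(cat <<'EOF'
majordomo:       "|/usr/local/majordomo/wrapper majordomo"
mylist:          "|/usr/local/majordomo/wrapper resend -l mylist mylist-outgoing"
mylist-outgoing: :include:/usr/local/majordomo/lists/mylist
mylist-request:  "|/usr/local/majordomo/wrapper request-answer mylist"
owner-mylist:    listowner
EOF
)

# Print the names of aliases that expand directly to a membership file
# (the "-outgoing" delivery aliases). Each of these is a plain MTA alias:
# sendmail accepts mail for it without passing through resend, so the
# restrict_post check on the main list alias does not apply to it. These
# are the names an administrator needs to inventory and protect.
find_outgoing_aliases() {
    printf '%s\n' "$1" | awk -F: '
        /^[[:space:]]*#/ || NF < 2 { next }
        $0 ~ /:include:/ {
            name = $1
            gsub(/[[:space:]]/, "", name)
            print name
        }'
}

find_outgoing_aliases "$ALIASES_SAMPLE"
```

Run it against a real aliases file by replacing the constructed sample with `cat /etc/aliases`; every name it prints is a delivery alias that the MTA resolves on its own, which is the reason the thread treats the outgoing alias as the thing to secure rather than restrict_post itself.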