Great Circle Associates Majordomo-Users
(November 2003)
 


Subject: Re: restrict posting from a single ip and a single user
From: Daniel Liston <dliston @ sonny . org>
Date: Sat, 15 Nov 2003 16:22:40 -0600
To: "Harshul Nayak (ealcatraz)" <harshul @ ealcatraz . com>
Cc: majordomo-users @ greatcircle . com
In-reply-to: <GHEFJMBHFOBFAGPPPPDDMEPJFOAA.harshul@ealcatraz.com>
References: <GHEFJMBHFOBFAGPPPPDDMEPJFOAA.harshul@ealcatraz.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)

Hmmm, I got two copies of this with two msg ID numbers... Anyway,


Harshul Nayak (ealcatraz) wrote:

> Dear all,
> detail of the setup are-
> ::setup::
> the setup consists of a dual processor red hat 7.1 Linux box running
> majordomo version 1.94.5

Your linux is a little old, but as long as it serves its purpose on
the hardware it's running on (securely), why upgrade? OK, moving on.

> 
> The list (mylist) is used to distribute info to its members. Only admin is
> allowed to post.

Basically an announcement list.  OK...
> 
> following are some of the parameters configured.
> get_access          =   list
> index_access        =   open
> info_access         =   open
> intro_access        =   list
> moderate            =   no
> moderator           =
> mungedomain         =   no
> restrict_post       =   mylist.restrict
> sender              =   owner-mylist
> subscribe_policy    =   closed+confirm

For extra security, why not add support@mydomain.com as the moderator
and turn on moderate?  The only difference is that the moderator must add
the approve: password to the announcement's headers.

> 
> Now we gave the email address (support@mydomain.com) in the mylist.restrict
> file. Other posts by members are bounced to the mylist-owner.

Who are the non-member posts bounced to? :)  Sorry.

> 
> my majordomo.aliases settings:
> mylist:    "|/usr/local/majordomo-1.94.5/wrapper resend -l mylist mylist-list"

If you have a nobody: /dev/null alias, you might add ",nobody" to
your alias for the list.  This prevents sendmail from disclosing
the mylist-list alias in the outgoing message headers.

> mylist-list:  :include:/usr/local/majordomo-1.94.5/lists/mylist
> owner-mylist:   root,
> mylist-owner:   root

I really have a bad feeling about using root or postmaster as the
owner of anything in majordomo.  Majordomo has specific rules about
not replying to mailer-daemon or postmaster, which both end up
pointing to root.  No sense in creating a gap for confusion.

> mylist-approval: harshul@ealcatraz.com
> mylist-request:  "|/usr/local/majordomo-1.94.5/wrapper majordomo -l mylist"
> 
> ::problem::
> 1) anyone who can spoof the email address to (support@mydomain.com) can post
> messages to the list. we need to restrict it. Some recipient mail servers
> who bounce back the message do format the mail with the original header
> values.

This is why I recommend moderate to be turned on for announcement lists.
The password requirement helps prevent the spoofing.

> 
> 2) is it possible to restrict the posting from a single IP address, (that's
> our ip address)

This can be done with sendmail, not majordomo.  Majordomo is not a mail
transport agent, it is a list manager.  It is up to the MTA to determine
what message is accepted or rejected.  Majordomo can only make decisions
after the MTA has accepted the message and shoved it onto majordomo's
plate.

If your list-owner, moderator, announcer, or whoever has majordomo machine
level access, and creates or posts the message from that machine, yes.
You can tell sendmail to reject all messages to the list address/alias,
then only the locally created messages to that address are delivered.  If
a message comes in on an SMTP connection, the message is not local, and
therefore rejected.

If you have a domain name that you can dedicate to your announcement list,
you can reject ALL incoming mail, except from your IP space.  Be careful
here though.  RFCs state that you must be able to accept mail at the
postmaster address for any machine operating a mail server, should accept
mail to abuse, noc, and security, and must have -request addresses for
every mailing list you operate.  I do not recall the should/must wording
for accepting bounces for undeliverable messages from your domain.

Dan Liston
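
Added example, not part of the original post and not Majordomo's or sendmail's code: a small Python model of the three checks discussed in this thread (the From:-based restrict_post match, a password required in an `Approved:` header on a moderated list, and an MTA-level check on the SMTP peer address), run over two constructed messages. The password, the network range and the peer addresses are assumptions made up for the demonstration.

```python
import hmac
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed values for illustration; none come from a real installation.
RESTRICT_POST = {"support@mydomain.com"}             # contents of mylist.restrict
APPROVE_PASSWD = "example-passphrase"                # hypothetical approve password
ALLOWED_NET = ipaddress.ip_network("192.0.2.0/28")   # hypothetical "our IP space"

def restrict_post_ok(msg):
    """Sender check: trusts the From: header, which the sender controls."""
    addr = parseaddr(msg.get("From", ""))[1].lower()
    return addr in RESTRICT_POST

def approved_ok(msg):
    """Moderated list: require the shared password in an Approved: header."""
    supplied = (msg.get("Approved") or "").strip()
    return hmac.compare_digest(supplied.encode(), APPROVE_PASSWD.encode())

def mta_peer_ok(peer_ip):
    """MTA-level check: uses the SMTP peer address, not anything in the message."""
    return ipaddress.ip_address(peer_ip) in ALLOWED_NET

def evaluate(raw, peer_ip):
    """Return the verdict of each check for one message and its SMTP peer."""
    msg = message_from_string(raw)
    return {"restrict_post": restrict_post_ok(msg),
            "moderate": approved_ok(msg),
            "mta_ip": mta_peer_ok(peer_ip)}

# Constructed sample messages.
SPOOFED = """From: Support <support@mydomain.com>
To: mylist@mydomain.com
Subject: forged announcement

body
"""
GENUINE = """From: support@mydomain.com
To: mylist@mydomain.com
Approved: example-passphrase
Subject: real announcement

body
"""

if __name__ == "__main__":
    print(evaluate(SPOOFED, "203.0.113.9"))   # passes only the From: check
    print(evaluate(GENUINE, "192.0.2.5"))     # passes all three
```

The forged message satisfies the restrict_post check because that check only reads a header the sender wrote; the other two checks depend on a secret or on the connection itself.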


