On 1/28/25 13:04, Jeremy Stanley wrote:
tl;dr: Is there a way to have VERP probe messages not include copies of the bounce message that triggered them?
Currently you'd need to patch code. This would do it. ``` --- a/src/mailman/model/bounce.py +++ b/src/mailman/model/bounce.py @@ -231,7 +231,7 @@ class BounceProcessor: # Try to get the dsn from the message store. It should be there. msg = getUtility(IMessageStore).get_message_by_id(event.message_id) if as_boolean(config.mta.verp_probes): - send_probe(member, msg=msg, message_id=event.message_id) + send_probe(member, message_id=event.message_id) action = 'sending probe' else: # Bounce score is reset by sending a probe but needs to be ``` You could submit an issue at https://gitlab.com/mailman/mailman/-/issues/new to make this configurable. ...
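Review bot: In the `if as_boolean(config.mta.verp_probes):` branch, dropping `msg=msg` from the `send_probe(...)` call is unconditional, so every installation stops attaching the triggering bounce to probes, including those that want it. Gate the argument on a new `[mta]` setting instead, as the accompanying text already suggests making this configurable. Also check whether the `msg = getUtility(IMessageStore).get_message_by_id(event.message_id)` lookup above is still needed once the probe branch no longer uses it, and update the "Try to get the dsn from the message store" comment if the lookup moves or goes away.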
This behavior raises a more significant concern as well. The MTA on the Mailman server in this case (Exim if it matters) wants to perform batch deliveries when there are multiple subscribers who all share the same remote MTAs. If multiples of those reject a list post, then the NDR back to Mailman aggregates those multiple rejections into a single message. If that incident triggers a VERP probe, the bulk NDR enumerating the addresses of all the subscribers who were rejected gets forwarded along as part of the VERP probe, disclosing a potentially sensitive litany of random subscriber addresses to other subscribers within that batch. I don't know whether this is a misconfiguration, or an unintended consequence of the intersection of Mailman and MTA features.
I'm sure you can configure Exim to not do that. For Postfix it's
```
smtp_destination_recipient_limit = 1
```
Also if you configure Mailman to VERP all deliveries
```
[mta]
verp_confirmations: yes
verp_personalized_deliveries: yes
verp_delivery_interval: 1
```
each recipient will be sent separately with a different envelope sender so the MTA can't combine them.

-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
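An added example, not part of the original message or of Mailman's code: a Python check that parses a bounce (DSN) as it would be attached to a probe and lists the subscriber addresses a given probe recipient would see besides their own. The sample NDR, its addresses and the function names are constructed for illustration.

```python
import email
from email import policy

# Constructed sample: one aggregated NDR covering two rejected subscribers.
SAMPLE_NDR = """\
From: Mail Delivery System <Mailer-Daemon@lists.example.org>
To: list-bounces@lists.example.org
Subject: Mail delivery failed
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to the following recipients failed.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; lists.example.org

Final-Recipient: rfc822; alice@example.com
Action: failed
Status: 5.7.1

Final-Recipient: rfc822; bob@example.com
Action: failed
Status: 5.7.1

--b1--
"""

def dsn_recipients(raw):
    """Return every Final-Recipient address named in the DSN, in order."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # The parser exposes each header block of the report as a sub-message.
        for block in part.get_payload():
            value = block.get("Final-Recipient")
            if value:
                found.append(str(value).split(";", 1)[-1].strip().lower())
    return found

def exposed_to(member, raw):
    """Addresses other than `member` that a probe carrying this DSN reveals."""
    return sorted(set(dsn_recipients(raw)) - {member.lower()})
```

A non-empty result from `exposed_to` for any bounce in the message store means the MTA is still aggregating rejections; with one recipient per delivery it returns an empty list.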