Thomas Ward via Mailman-users writes:
> Has *anyone* seen any cases like this before?
Something like it is common. A member forwards a non-member's message to the list, so that the envelope from (and often Sender) are set to that member's address. You will see only the header From, so it appears that the post was by a non-member.
> If this is repeatable or a known issue, it deserves a CVE security
> bug because this is a **severe** problem.
Members-only for posting is a best-effort, use at your own risk, feature, because all of the addresses used for identifying members are easily spoofable. Of them only the header From is normally visible to end users. It's standard in stock Mailman because in practice it's an excellent defense against spam. It is not otherwise a reliable security measure, and the default configuration is quite loose. It allows users to forward messages for others and to use various addresses for the author headers. It allows the apparent author to be different from the user who injects the message to the Internet mail system.
In practice, header From is fairly reliable if all of your members have addresses with DMARC policy "p=reject" and your MTA does reject when From alignment fails. But to depend on DMARC processing, you need to remove Sender, Reply-To, and envelope From (From_, I think is the configuration notation) from the member identification configuration. Also note that the purpose of DMARC is primarily to protect the sending organization, not the receiver, so this use case depends on trusting the sending organization to do the authentication.
--
GNU Mailman consultant (installation, migration, customization)
Sirius Open Source https://www.siriusopensource.com/
Software systems consulting in Europe, North America, and Japan
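As an added illustration of the point made in the reply above (this is not part of the original post and not Mailman's own code), the Python below models two member-identification configurations: a loose one that consults header From, Sender, Reply-To and the envelope From (read here from Return-Path), and a strict one that consults header From only, with an optional check that header From is aligned with the envelope From in the way an MTA enforcing DMARC would require. The roster, the forwarded message, the direct post and the spoofed-From message are all constructed; the field names and the alignment rule are simplified assumptions, not Mailman's configuration keys.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed roster for the example; not a real list.
MEMBERS = {"alice@example.com"}

# Two identification policies modelled on the ones contrasted in the reply.
LOOSE_FIELDS = ("from", "sender", "reply-to", "return-path")  # any of these may match
STRICT_FIELDS = ("from",)                                     # header From only


def addresses_in(msg, fields):
    """Yield the lower-cased addresses found in the given header fields."""
    for field in fields:
        for value in msg.get_all(field, []):
            _, addr = parseaddr(value)
            if addr:
                yield addr.lower()


def domain_of(addr):
    """Return the domain part of an address (lower-cased)."""
    return addr.rpartition("@")[2].lower()


def from_aligned_with_envelope(msg):
    """Strict SPF-style DMARC identifier alignment (simplified assumption):
    the header From domain must equal the envelope From domain, which this
    example takes from Return-Path as written by the receiving MTA."""
    _, hdr_from = parseaddr(msg.get("from", ""))
    _, env_from = parseaddr(msg.get("return-path", ""))
    return bool(hdr_from) and domain_of(hdr_from) == domain_of(env_from)


def accept_post(raw, fields, members=MEMBERS, require_alignment=False):
    """Return True if the message would be treated as a member post.

    `fields` are the headers consulted for member identification.
    `require_alignment` models an MTA that has already enforced DMARC
    From alignment, so an unaligned header From is not trusted at all.
    """
    msg = message_from_string(raw)
    if require_alignment and not from_aligned_with_envelope(msg):
        return False
    return any(addr in members for addr in addresses_in(msg, fields))


# Constructed message 1: member Alice forwards a non-member's message.
# Envelope From and Sender are Alice; header From is the outsider.
FORWARDED = """\
Return-Path: <alice@example.com>
Sender: alice@example.com
From: Outsider <outsider@example.net>
To: list@lists.example.org
Subject: Fwd: hello

forwarded body
"""

# Constructed message 2: an ordinary post by Alice.
DIRECT = """\
Return-Path: <alice@example.com>
From: Alice <alice@example.com>
To: list@lists.example.org
Subject: hello

body
"""

# Constructed message 3: header From claims to be Alice, but the envelope
# From belongs to an unrelated domain, so DMARC alignment fails.
SPOOFED_FROM = """\
Return-Path: <bounce@mailer.example.net>
From: Alice <alice@example.com>
To: list@lists.example.org
Subject: hello

body
"""

if __name__ == "__main__":
    for name, raw in (("forwarded", FORWARDED), ("direct", DIRECT), ("spoofed", SPOOFED_FROM)):
        print(name,
              "loose:", accept_post(raw, LOOSE_FIELDS),
              "strict:", accept_post(raw, STRICT_FIELDS),
              "strict+aligned:", accept_post(raw, STRICT_FIELDS, require_alignment=True))
```

Run stand-alone, the forwarded message is accepted under the loose policy (Sender and envelope From are a member) but not under the strict one, which is the "apparent non-member post" described in the reply; the spoofed-From message passes the strict check on its own and is only rejected once From alignment is also required, which is why the reply ties the header-From-only configuration to DMARC enforcement at the MTA.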