Brian Carpenter writes:
What is the protocol to approve moderated messages via email? I hope I am asking the question correctly.
Is this capability important to you or your clients? If so, what is the context? I ask because, as you know, email is rather insecure by default. Making it highly secure would require a lot of effort and sophistication for the moderator, eg, PGP signatures, but there might be intermediate levels that would be appropriate for many lists.
For example, the Mailman 2 mechanism. I forget exactly what Mailman 2 does, but if the post to be approved were identified by a one-time key, then a spammer would have to have both the moderation password and the key (presumably by intercepting the moderation email) to approve their own spam. That's still a plausible scenario in principle[1] so I don't much like it (and I bet that's why Barry didn't implement it), but it would be straightforward to implement.
Footnotes: [1] Ie, a moderator falls for a phish; then Ms. Cantor[2] probably got everything she needs to spoof approvals. It's questionable whether a spammer would go to the trouble of identifying a moderator, phishing them, reading their mail, and using the email approval to spam for profit, of course. But I can easily imagine it if somebody hates you. On the other hand, if they have your Gmail password, and you use your Gmail account to authenticate to Postorius, they can do it by web, so disallowing email approvals is no help. Security is hard ....
Maybe we should implement 2FA for privileged roles.
[2] Original "Green Card Lawyer".
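
A sketch of the one-time-key approval check discussed in the message above, as an added example; it is not Mailman's code and not from the original post. The class, its method names, the expiry time and the failure limit are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILURES = 3  # assumed limit on wrong-password attempts per key


class HeldMessageStore:
    """Hypothetical store of held posts awaiting approval by email."""

    def __init__(self, moderator_password, ttl_seconds=3 * 24 * 3600):
        # Keep only a salted hash of the moderation password.
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(moderator_password)
        self._ttl = ttl_seconds
        self._held = {}  # one-time key -> held-post record

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def hold(self, message_id, now=None):
        """Hold a post; return the one-time key mailed to the moderator."""
        now = time.time() if now is None else now
        key = secrets.token_urlsafe(32)  # unguessable, unique per held post
        self._held[key] = {"id": message_id, "expires": now + self._ttl, "failures": 0}
        return key

    def approve(self, key, password, now=None):
        """Return the approved message id, or None if the request is rejected."""
        now = time.time() if now is None else now
        entry = self._held.get(key)
        if entry is None:  # unknown, already used, or discarded key
            return None
        if now > entry["expires"]:
            del self._held[key]
            return None
        if not hmac.compare_digest(self._hash(password), self._pw_hash):
            entry["failures"] += 1
            if entry["failures"] >= MAX_FAILURES:
                del self._held[key]  # stop password guessing against a leaked key
            return None
        del self._held[key]  # single use: a replayed approval is rejected
        return entry["id"]
```

As the message notes, someone who can read the moderator's mail and also knows the moderation password passes both checks; the key only ensures an approval cannot be sent without having seen that post's moderation email.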