How to approve moderated messages via email?
What is the protocol to approve moderated messages via email? I hope I am asking the question correctly.
-- 
Brian Carpenter
Harmonylists.com
Emwd.com
On 1/22/21 11:16 AM, Brian Carpenter wrote:
> What is the protocol to approve moderated messages via email? I hope I am asking the question correctly.
You can't. See <https://gitlab.com/mailman/mailman/-/issues/169>
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Thanks Mark.
On 1/22/21 3:45 PM, Mark Sapiro wrote:
> On 1/22/21 11:16 AM, Brian Carpenter wrote:
>> What is the protocol to approve moderated messages via email? I hope I am asking the question correctly.
> You can't. See <https://gitlab.com/mailman/mailman/-/issues/169>
-- 
Brian Carpenter
Harmonylists.com
Emwd.com
Brian Carpenter writes:
> What is the protocol to approve moderated messages via email? I hope I am asking the question correctly.
Is this capability important to you or your clients? If so, what is the context? I ask because, as you know, email is rather insecure by default. Making it highly secure would require a lot of effort and sophistication for the moderator, eg, PGP signatures, but there might be intermediate levels that would be appropriate for many lists.
For example, the Mailman 2 mechanism. I forget exactly what Mailman 2 does, but if the post to be approved were identified by a one-time key, then a spammer would have to have both the moderation password and the key (presumably by intercepting the moderation email) to approve their own spam. That's still a plausible scenario in principle[1] so I don't much like it (and I bet that's why Barry didn't implement it), but it would be straightforward to implement.
Footnotes:
[1] Ie, a moderator falls for a phish; then Ms. Cantor[2] probably got everything she needs to spoof approvals. It's questionable whether a spammer would go to the trouble of identifying a moderator, phishing them, reading their mail, and using the email approval to spam for profit, of course. But I can easily imagine it if somebody hates you. On the other hand, if they have your Gmail password, and you use your Gmail account to authenticate to Postorius, they can do it by web, so disallowing email approvals is no help. Security is hard ....
Maybe we should implement 2FA for privileged roles.
[2] Original "Green Card Lawyer".
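The one-time-key idea described in the message above, sketched as an added example (it is not part of the thread and is not Mailman code; `HeldMessageStore`, its methods and the three-day key lifetime are hypothetical). Approval requires both the moderation password and a single-use key tied to one held post.

```python
import hashlib
import hmac
import secrets
import time


class HeldMessageStore:
    """Hypothetical hold queue; not Mailman's API."""

    def __init__(self, moderator_password, ttl_seconds=3 * 24 * 3600):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._kdf(moderator_password)  # never keep the cleartext
        self._ttl = ttl_seconds  # assumed lifetime of an approval key
        self._held = {}  # sha256(key) -> (message_id, expiry)

    def _kdf(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    @staticmethod
    def _digest(key):
        # Only a hash of the key is stored, so a leaked table cannot approve posts.
        return hashlib.sha256(key.encode()).hexdigest()

    def hold(self, message_id, now=None):
        """Hold a post and return the one-time key for the moderator notice."""
        now = time.time() if now is None else now
        key = secrets.token_urlsafe(32)  # 256 bits, unguessable
        self._held[self._digest(key)] = (message_id, now + self._ttl)
        return key

    def approve(self, key, password, now=None):
        """Return the approved message id, or None if any check fails."""
        now = time.time() if now is None else now
        # Factor 1: moderation password, compared in constant time.
        if not hmac.compare_digest(self._kdf(password), self._pw_hash):
            return None
        # Factor 2: the key names exactly one held post; pop() makes it single-use.
        entry = self._held.pop(self._digest(key), None)
        if entry is None:
            return None
        message_id, expiry = entry
        return message_id if now <= expiry else None


if __name__ == "__main__":
    store = HeldMessageStore("constructed-password")
    key = store.hold("<constructed-1@example.org>")
    print(store.approve(key, "constructed-password"))  # first use succeeds
    print(store.approve(key, "constructed-password"))  # replay is rejected
```

The key limits an approval to one post and one use; as the message above points out, a party holding both the password and the moderation email still passes both checks.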
On 1/23/21 4:33 AM, Stephen J. Turnbull wrote:
> Is this capability important to you or your clients? If so, what is the context? I ask because, as you know, email is rather insecure by default. Making it highly secure would require a lot of effort and sophistication for the moderator, eg, PGP signatures, but there might be intermediate levels that would be appropriate for many lists.
> For example, the Mailman 2 mechanism. I forget exactly what Mailman 2 does, but if the post to be approved were identified by a one-time key, then a spammer would have to have both the moderation password and the key (presumably by intercepting the moderation email) to approve their own spam. That's still a plausible scenario in principle[1] so I don't much like it (and I bet that's why Barry didn't implement it), but it would be straightforward to implement.
Hi Steve,
Happy New Year! I hope you are doing well.
The question was asked of me by a new client coming from Mailman 2 into Mailman 3. I wasn't sure what the current mechanism in place was and according to Mark, none. Honestly I don't think it is a big deal.
Thank you for answering.
-- 
Brian Carpenter
Harmonylists.com
Emwd.com
Brian Carpenter writes:
> Happy New Year! I hope you are doing well.
Yes, thank you!
> The question was asked of me by a new client coming from Mailman 2 into Mailman 3. I wasn't sure what the current mechanism in place was and according to Mark, none. Honestly I don't think it is a big deal.
OK, good.
Steve
participants (3)
- Brian Carpenter
- Mark Sapiro
- Stephen J. Turnbull