Anonymous lists can expose the sending domain.

Bug #1444673 reported by Mark Sapiro
Affects: GNU Mailman
Status: Fix Released
Importance: Medium
Assigned to: Mark Sapiro
Milestone: (none shown)

Bug Description

Headers DKIM-Signature:, DomainKey-Signature: and Authentication-Results: are not removed by default from mail to an anonymous list. These headers can reveal the sending domain.

Mark Sapiro (msapiro) wrote :

There is a workaround for Mailman 2.1.17 and newer (older versions don't have ANONYMOUS_LIST_KEEP_HEADERS). Copy ANONYMOUS_LIST_KEEP_HEADERS from Defaults.py to mm_cfg.py if it's not already there. You will then have something like the following (possibly edited by you already).

ANONYMOUS_LIST_KEEP_HEADERS = ['^(?!x-)', '^x-mailman-',
                               '^x-content-filtered-by:', '^x-topics:',
                               '^x-ack:', '^x-beenthere:',
                               '^x-list-administrivia:', '^x-spam-',
                              ]

In this list, replace the first line with

ANONYMOUS_LIST_KEEP_HEADERS = [
                       '^((?!x-)(?!dkim)(?!authentication)(?!domainkey))',
                       '^x-mailman-',

and keep the next 4 lines as is. I.e., you are just replacing '^(?!x-)' with '^((?!x-)(?!dkim)(?!authentication)(?!domainkey))'
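The following is an added example, not code from the bug report or from Mailman itself. It applies the default keep list and the workaround list from the comment above to a constructed set of header names, so you can see which headers survive on an anonymous list under each. The matching semantics are an assumption modelled on the shape of the patterns (anchored with re.match, case-insensitive, against the header name followed by a colon); the header names and values are constructed samples.

```python
import re

# Default keep list for Mailman 2.1.17+ as quoted in the bug comment above.
DEFAULT_KEEP_HEADERS = ['^(?!x-)', '^x-mailman-',
                        '^x-content-filtered-by:', '^x-topics:',
                        '^x-ack:', '^x-beenthere:',
                        '^x-list-administrivia:', '^x-spam-',
                        ]

# Workaround list from the comment: the first pattern additionally refuses
# header names that start with dkim, authentication or domainkey.
FIXED_KEEP_HEADERS = ['^((?!x-)(?!dkim)(?!authentication)(?!domainkey))',
                      '^x-mailman-',
                      '^x-content-filtered-by:', '^x-topics:',
                      '^x-ack:', '^x-beenthere:',
                      '^x-list-administrivia:', '^x-spam-',
                      ]

# Constructed sample: header names as they might appear on a post to an
# anonymous list. Values are placeholders; only the names are matched.
SAMPLE_HEADERS = [
    ('Subject', 'hello'),
    ('Date', 'Mon, 01 Jan 2001 00:00:00 +0000'),
    ('MIME-Version', '1.0'),
    ('DKIM-Signature', 'v=1; a=rsa-sha256; d=example.org; ...'),
    ('DomainKey-Signature', 'a=rsa-sha1; d=example.org; ...'),
    ('Authentication-Results', 'mx.example.net; dkim=pass header.d=example.org'),
    ('X-Mailer', 'SomeClient/1.0'),
    ('X-Mailman-Version', '2.1.x'),
    ('X-BeenThere', 'list@lists.example.net'),
]

# The three headers the bug report says reveal the sending domain.
DOMAIN_REVEALING = {'DKIM-Signature', 'DomainKey-Signature', 'Authentication-Results'}


def header_is_kept(name, keep_patterns):
    """True if any keep pattern matches the header.

    Assumption (not from the page): patterns are anchored with re.match,
    compared case-insensitively, against the header name followed by ':',
    which is why several of the default patterns end in a colon.
    """
    candidate = name + ':'
    return any(re.match(p, candidate, re.IGNORECASE) for p in keep_patterns)


def anonymize_headers(headers, keep_patterns):
    """Return only the (name, value) pairs the keep list lets through."""
    return [(n, v) for n, v in headers if header_is_kept(n, keep_patterns)]


def leaked_domain_headers(headers, keep_patterns):
    """Names of domain-revealing headers that survive the keep list, sorted."""
    return sorted(n for n, _ in anonymize_headers(headers, keep_patterns)
                  if n in DOMAIN_REVEALING)


if __name__ == '__main__':
    for label, patterns in (('default', DEFAULT_KEEP_HEADERS),
                            ('workaround', FIXED_KEEP_HEADERS)):
        kept = [n for n, _ in anonymize_headers(SAMPLE_HEADERS, patterns)]
        leaked = leaked_domain_headers(SAMPLE_HEADERS, patterns)
        print('%-10s keeps: %s' % (label, ', '.join(kept)))
        print('%-10s leaks: %s' % (label, ', '.join(leaked) or 'nothing'))
```

With the default list, '^(?!x-)' keeps every header that does not start with x-, so all three DKIM/DomainKey/Authentication-Results headers pass through; with the workaround pattern they are dropped while Subject, Date, MIME-Version and the whitelisted X-Mailman-* and X-BeenThere headers are still kept.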

description: updated
Mark Sapiro (msapiro)
Changed in mailman:
status: In Progress → Fix Committed
Mark Sapiro (msapiro)
Changed in mailman:
milestone: 2.1.21 → 2.1.21rc1
status: Fix Committed → Fix Released