Anonymous lists can expose the sending domain.

Bug #1444673 reported by Mark Sapiro
Affects: GNU Mailman | Importance: Medium | Assigned to: Mark Sapiro

Bug Description

The DKIM-Signature:, DomainKey-Signature: and Authentication-Results: headers are not removed by default from mail to an anonymous list. These headers can reveal the sending domain.

Mark Sapiro (msapiro) wrote:

There is a workaround for Mailman 2.1.17 and newer (older versions don't have ANONYMOUS_LIST_KEEP_HEADERS). Copy ANONYMOUS_LIST_KEEP_HEADERS from Defaults.py to mm_cfg.py if it's not already there. You will then have something like the following (possibly edited by you already).

ANONYMOUS_LIST_KEEP_HEADERS = ['^(?!x-)', '^x-mailman-',
                               '^x-content-filtered-by:', '^x-topics:',
                               '^x-ack:', '^x-beenthere:',
                               '^x-list-administrivia:', '^x-spam-',
                              ]

In this list, replace the first line with

ANONYMOUS_LIST_KEEP_HEADERS = [
                       '^((?!x-)(?!dkim)(?!authentication)(?!domainkey))',
                       '^x-mailman-',

and keep the next 4 lines as is. I.e., you are just replacing '^(?!x-)' with '^((?!x-)(?!dkim)(?!authentication)(?!domainkey))'
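As an added illustration (not code from the bug report or from Mailman itself), the following Python model shows why the original first pattern lets the three domain-revealing headers through and why the replacement pattern removes them. It assumes the keep-list semantics described in the comment: each pattern is matched case-insensitively against the header name followed by a colon, and a header survives if any pattern matches; the sample header names are constructed.

```python
import re

# Constructed sample: header names of one message arriving at an anonymous
# list. Only the names matter for the keep-list, so values are omitted.
SAMPLE_HEADERS = [
    "Received", "DKIM-Signature", "DomainKey-Signature",
    "Authentication-Results", "Subject", "Date", "Message-ID",
    "X-Originating-IP", "X-Mailman-Version", "X-Spam-Status",
]

# Shipped default as quoted in the bug comment: '^(?!x-)' matches every
# header whose name does not start with "x-", so DKIM-Signature etc. stay.
DEFAULT_KEEP = ['^(?!x-)', '^x-mailman-',
                '^x-content-filtered-by:', '^x-topics:',
                '^x-ack:', '^x-beenthere:',
                '^x-list-administrivia:', '^x-spam-']

# Same list with the first pattern replaced as the comment suggests: the
# extra negative lookaheads exclude the three domain-revealing headers.
FIXED_KEEP = ['^((?!x-)(?!dkim)(?!authentication)(?!domainkey))',
              '^x-mailman-',
              '^x-content-filtered-by:', '^x-topics:',
              '^x-ack:', '^x-beenthere:',
              '^x-list-administrivia:', '^x-spam-']


def apply_keep_list(header_names, keep_patterns):
    """Return the header names that survive the anonymous-list scrub.

    Assumed model (not Mailman's own code): every non-empty pattern is
    compiled with re.IGNORECASE and searched against "Name:"; a header is
    kept if any pattern matches and deleted otherwise.
    """
    compiled = [re.compile(p, re.IGNORECASE) for p in keep_patterns if p]
    return [name for name in header_names
            if any(cre.search(name + ":") for cre in compiled)]


def leaked_domain_headers(header_names, keep_patterns):
    """The headers named in the bug that survive a given keep-list."""
    revealing = {"dkim-signature", "domainkey-signature",
                 "authentication-results"}
    return [h for h in apply_keep_list(header_names, keep_patterns)
            if h.lower() in revealing]


if __name__ == "__main__":
    print("default list leaks:", leaked_domain_headers(SAMPLE_HEADERS, DEFAULT_KEEP))
    print("fixed list leaks:  ", leaked_domain_headers(SAMPLE_HEADERS, FIXED_KEEP))
```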

description: updated
Mark Sapiro (msapiro)
Changed in mailman:
status: In Progress → Fix Committed
Mark Sapiro (msapiro)
Changed in mailman:
milestone: 2.1.21 → 2.1.21rc1
status: Fix Committed → Fix Released