Valid E-mails Rejected as Invalid

Bug #266288 reported by Krellis
Affects Status Importance Assigned to Milestone
GNU Mailman

Bug Description

I ran into a problem recently with sync_members. I was
attempting to add a list of addresses that included
"---<email address hidden>", but this address was rejected:

    bin/sync_members -a=no -f
    Invalid : ---<email address hidden>
    You must fix the preceding invalid addresses first.

While this is an ODD address, it is perfectly legal,
per section 3.4 of RFC 2822. Rejecting a
valid address like this seems like a pretty major
problem to me.

This was with Mailman 2.1.6 on FreeBSD 4. If there is
any more information I can provide, please let me know.

Tim Wilde


Krellis (krellis) wrote :

This appears to be a problem with line 210 of, in
the ValidateEmail function:

    if or s[0] == '-':
        raise Errors.MMHostileAddress, s

Mailman is explicitly rejecting e-mails that start with a
hyphen. Why? This is a perfectly legal e-mail address. If
Mailman is using e-mail addresses in such an unsafe way that
they could be interpreted as command line arguments, that's
just absurd. I can't see any other reason to forbid a
leading hyphen, though.

Can anyone tell me if I will be safe removing this check, or
if Mailman will blow up elsewhere?

M-a (m-a) wrote :

Mailman is not alone in rejecting messages that start with a
"-" - some MTAs also do that, for instance, Postfix (but see
Postfix's "allow_min_user" option).

The reason is that too many sites mistake such addresses for
sendmail command-line options, because most sendmail users
are clueless and forget the "--" before the addresses.

For that reason, it is rather unwise to use mail addresses
that start with a "-" - while legal, it's not universally

Mark Sapiro (msapiro) wrote :

This was fixed in Mailman 2.1.18, but updating this bug was overlooked at the time.

Changed in mailman:
milestone: 2.1-stable → 2.1.18
status: New → Fix Released
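
The failure mode M-a describes above, and the "--" that prevents it, as an added example (not Mailman's code and not part of the original thread). Python's getopt stands in for a mailer's option parser; the option letters, sender and addresses are constructed for the demo.

```python
import getopt

# Option letters of a hypothetical getopt-based mailer CLI (an assumption for
# this demo, not the option set of sendmail or any real MTA).
SHORT_OPTS = "f:itv"

# Constructed sample data. The first recipient mirrors the shape of the
# address in the bug report (leading hyphens in the local part).
SENDER = "list-bounces@example.org"
RECIPIENTS = ["---user@example.com", "alice@example.com"]


def build_argv(sender, recipients, terminate_options):
    """Build the argument vector (without the program name) for the mailer.

    With terminate_options=True a literal "--" is placed before the
    recipients, so nothing after it can be read as an option.
    """
    argv = ["-f", sender]
    if terminate_options:
        argv.append("--")
    return argv + list(recipients)


def recipients_seen(argv):
    """Return the recipients the mailer-side parser would see, or None if
    the parser rejects the command line because of an unknown option."""
    try:
        _opts, operands = getopt.getopt(argv, SHORT_OPTS)
    except getopt.GetoptError:
        # The leading-hyphen address was taken for an option.
        return None
    return operands


if __name__ == "__main__":
    for terminated in (False, True):
        argv = build_argv(SENDER, RECIPIENTS, terminated)
        print(argv, "->", recipients_seen(argv))
```

Passing the resulting list to the mailer as an argument vector (no shell) together with the "--" terminator lets a legal leading-hyphen address through without it being read as an option.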