On Jun 15, 2000 Marilyn Davis <marilyn@???> wrote:
> I run majordomo/exim for Zapatistas and am trying to be as secure
> as possible. We get attacked.
>
> Using majordomo,
Make sure that you set the "auth" hash seed in the majordomo
configuration. If not the "auth" codes for some addresses are extremely
easy to work out, making it possible for people to subscribe other's
addresses.
Even with setting the hash prefix (I forget what it is called, but read
the majordomo configuration carefully) the auth code generating is open
to attack. It can be fairly easily reverse engineered. It might be worth
patching majordomo to use an MD5 hash or the like for authorization codes.
I haven't looked at that myself, but you may wish to ask on the majordomo
lists.
> even with the confirmation feature happening, someone
> managed to put this onto the list of addresses:
>
> "Someone" Someone@???
>
> which exim didn't like. I think it wants:
>
> "Someone" <Someone@???>
Yes.
> [...]
> The majordomo people wonder why it is that exim then fails to send any
> messages to the list
> Is there an option where I can direct exim to go ahead and send the
> message to all the valid addresses and bounce or freeze just the one
> bad address?
skip_syntax_errors
in the appropriate director.
--
Jeffrey Goldberg
Note: I am moving and changing many addresses, please see
http://www.goldmark.org/jeff/contact.html
Relativism is the triumph of convention over truth, authority over justice
