Next Previous Contents

8. Restricting message posting to the list.

8.1 Requiring the list address in To:/Cc: headers.

SPAM or junk mail is usually sent by mailing a single message to a large number of (unwilling) recipients. As such, it usually does not contain the E-mail address of all recipients (remember, junk mailers pay for these address lists). By rejecting messages that do not have the list address in the To: or Cc: header(s) a large fraction of spam to the list can be filtered out.

This filter function is activated by default, but will work only if you specify the list directory on the ezmlm-reject(1) command line. To disable this restriction, remove the ``DIR'' argument from the ezmlm-reject(1) command line, or add the ``-T'' switch.

By default, this error is logged, and an error message is sent to the sender. Since virtually all the failures will be SPAM and virtually all spam has a faked SENDER, most of these error messages will go to the postmaster. Thus, you may want to use the ezmlm-reject ``-q'' switch (quiet) to suppress the sender notification.

8.2 Rejecting messages sent from other mailing lists.

ezmlm automatically detects are rejects messages that are sent from other ezmlm mailing lists. Some other mailing list managers do not use a rigorous mechanisms to verify subscribers. Thus, it is possible to subscribe an ezmlm list address to such a mailing list. You can easily block such a list by adding the address to the ``deny'' if you use the ezmlm-make(1) ``-k'' option. However, you can also configure ezmlm-reject(1) to reject messages based on specific headers placed into DIR/headerreject. A set of headers which will catch mailing list managers known to us are listed in the ezmlm-reject(1) man page. To activate this option, you must specify the ``-h'' switch and DIR on the ezmlm-reject(1) line in DIR/editor. Naturally, you can make this the default by editing ezmlmrc(5) (See Customizing ezmlm-make operation).

8.3 Restricting posts based on the Subject line.

ezmlm-reject(1) is by default configured to reject posts with empty subject (``-s'' switch) or with a subject that consists of only an administrative command word (``-c'' switch), such as ``subscribe''. To remove these restrictions, use the ezmlm-reject(1) ``-S'' and ``-C'' switch, respectively. You can also into DIR/editor before the ezmlm-send(1) line add:

        | grep -i 'subject:' | grep -if DIR/bad_words >/dev/null && \
                {echo "bad words found"; exit 100; }
to reject messages that have a line matching ``Subject:'' followed by any bad word listed in DIR/bad_words.

8.4 Restricting the size of posts.

If the ``DIR'' argument is specified on the ezmlm-reject(1) line in DIR/editor and DIR/msgsize exists and contains a number (in bytes) greater than ``0'', then any posts with a body larger than the number specified is rejected. The maximum message size can optionally be followed by ``:'' and a minimum message body size in bytes. For moderated lists, messages that are too large are rejected and not sent to the moderators. This feature can be used to prevent the posting an entire digest to the list by setting DIR/msgsize slightly below the message size set in your ezmlm-tstdig(1) innovation (if any). A minimum size can catch a few administrative request sent to the main list, but is otherwise not that useful. To always configure your lists with a message size restriction, add to ezmlmrc(5):

The ezmlm-make(1) ``-x'' switch adds this with 40000:2.

8.5 Restricting posts based on MIME content-type.

ezmlm-reject(1) will look for DIR/msgsize, DIR/mimereject, and DIR/mimeremove if the ``DIR'' argument is specified (``DIR'' can be left out to conserve resources on lists that do not use these features). Note: The ``DIR'' argument is also required for the the To:/Cc: list address restriction (see Requiring the list address in To:/Cc: headers). If the message contains MIME parts that are of a content-type listed in DIR/mimereject they are rejected. If the message is a simple MIME message of a content-type listed in either DIR/mimereject or DIR/mimeremove it is also rejected.

There is currently no ezmlm-make(1) switch for DIR/mimereject, but it can easily be configured by editing ezmlmrc(5). The ezmlm-make ``-x'' switch configures DIR/mimeremove (see mimeremove) for a list of content-types). Messages consisting solely of these content-types (rare) will be rejected, and the corresponding MIME parts of composite messages will be removed.

8.6 Restricting posts to list subscribers.

Use message moderation. As an alternative, implement a check against SENDER by using ezmlm-issubn(1). The latter is easily defeated by faking SENDER. Also, it prevents posts from legitimate subscribers that are subscribed under a different address than the one they send from. Nevertheless, it may be useful in some situations. Add:

|/usr/local/bin/ezmlm/ezmlm-issubn 'DIR' 'DIR/digest' 'DIR/allow' ||
   { echo "Sorry, you are not allowed to post to this list.";
     exit 100; }
ALL ON ONE LINE to DIR/editor before the ezmlm-send(1) line. ``DIR'' is the main list directory. If your ezmlm binaries live in a different directory, change the ezmlm-issubn(1) path accordingly. If you would like denied posts to be dropped silently rather than bounced, change the exit code to 99.

See Customizing ezmlm-make operation if you want your lists to have some of these features by default or set by specific ezmlm-make(1) switches. The ezmlm-make(1) ``-u'' switch by default sets up restrictions this way.

If you do not want to allow digest subscribers to post, remove DIR/digest/ from the ezmlm-issubn command line. To allow posts from an address that is not a subscriber, simply add it to the addresses in DIR/allow/:

        % ezmlm-sub DIR/allow address@host
The ``allow'' database can be manipulated remotely by sending mail to list-allow-subscribe@listhost, list-allow-unsubscribe@listhost, etc. If configured for the list, the ``-list'' command for remote administrators will work for the ``allow'' database as well.

Please note that this setup is not secure, as it is easy to modify the envelope SENDER. For more secure options, see Restricting posts to an arbitrary set of E-mail addresses (higher security option).

8.7 Restricting posts to an arbitrary set of E-mail addresses (higher security option).

The easiest way to achieve this is to simply set up a message moderated list, and add all the e-mail addresses to the moderator db. Use a custom location, if you want a different set of moderators for subscription moderation/remote admin. If a "moderator" posts, only s/he will get a confirmation request. If anybody else posts, the post will be sent to all moderators.

To directly bounce posts from SENDERs not in the database, use the ezmlm-store ``-P'' (not public) switch. This is more secure than a simple ezmlm-issubn(1) construct, since faking SENDER to a moderator address will result in a confirmation request to that moderator (which s/he will reject/ignore), rather than a direct post. The draw-back is that each post has to be confirmed, but with the speed of ezmlm the request will arrive immediately after the post is made, so the overhead should is The best choice depends on your particular needs in the trade-off between security and convenience.

Setting a list up in this way with only the owner's address gives you a pretty safe owner-only list.

8.8 Completely restricting posts.

To completely prevent posting (for instance a message-of-the-day list), set up a normal list, and just remove ~/.qmail-list and DIR/editor altogether. Make posts from the shell, or from shell scripts or crond, by simply piping a (complete) message to ezmlm-send(1):

% /usr/local/bin/ezmlm/ezmlm-send DIR < message
NOTE: This can be done by any user with write access to files within the list directory, so make sure your file modes are set correctly. The ezmlm-send(1) path may need to be changed to match your ezmlm binary directory. It's also a good idea to not allow others to read your list directory and DIR/subscribers/ and other address lists.

8.9 A general solution to restricting posts based on SENDER.

As discussed above, the security afforded by SENDER checks is minimal, but nevertheless sufficient to keep out most spam and garbage. However, some subscribers post from e-mail addresses other than their subscription address, and users tend to become unfriendly when their posts are denied even though they are subscribers. This is a general solution to this problem which has minimal overhead for the list owner and is essentially completely transparent to the subscriber.

Set up the list with ezmlm-gate(1) in DIR/editor in place of the ezmlm-send(1) line. To the ezmlm-gate(1) command line add the list directory twice, then a digest directory DIR/digest/ (if it exists), then DIR/allow/. Create DIR/modpost. Add the list owner as a message moderator.

With this setup, any message from a SENDER that is a subscriber of the main list, the digest list or added to DIR/allow/, will be posted directly, others will be sent to the list owner for approval. If the list wants to automatically approve posts from that address in future (e.g. it is an alias for a subscriber) s/he just adds it to the database in DIR/allow/. If the owner wants to approve this post, but not necessarily future posts from that address, s/he just accepts the message. To reject the message with a comment is equally easy. If the owner wished to have the option to silently ignore posts (and not have the SENDER notified that the post timed out), just add the ezmlm-clean(1) ``-R'' switch in DIR/editor and DIR/moderator.

In this way, the normal subscriber is always happy and the ``behind the scenes'' work of the owner is minimalized.

ezmlm-make creates lists with this setup if you specify the ``-u'' switch in addition to the ``-m'' switch:

        % ezmlm-make -mu ~/list ~/.qmail-list joe-list host

If you omit the ``-m'' switch, the setup will reject posts from non-subscribers that are not in the ``allow'' database. ezmlm-both(1) uses a set of similar ezmlm-make(1) invocations to create a list with digest, optionally making you a remote admin, list owner, and subscriber to both lists.

Next Previous Contents