Subject: The mailing list for listmasters using Sympa
[sympa-users] mail confirmation is NOT equivalent to password authentication
- From: Peter Farmer<address@concealed>
- To: address@concealed
- Subject: [sympa-users] mail confirmation is NOT equivalent to password authentication
- Date: Tue, 22 Aug 2006 17:11:59 +0200
There appears to be a discrepancy in the documented and actual functionality of the authorization rules for send scenarii:

From Section 12 of the manual (http://www.sympa.org/doc/html/node13.html):
<quote>
The authorization process in Sympa (authorization scenarios) refers to authentication methods. The same authorization scenarios are used for both mail and web access; therefore some authentication methods are considered as equivalent: mail confirmation (on the mail interface) is equivalent to password authentication (on the web interface); S/MIME authentication is equivalent to HTTPS with client certificate authentication. Each rule in authorization scenarios requires an authentication method (smtp, md5 or smime); if the required authentication method was not used, a higher authentication mode can be requested.
</quote>

This seems like 'what you would expect', but in fact you cannot actually post via the web if you only allow md5 authorisation (i.e. 'mail confirmation') in the scenarii. I tried (many different ways) and failed. I then checked the code in sympa.pl v5.2 and the comment above the relevant code says it all:

    ## Call scenarii : auth_method MD5 do not have any sense in send
    ## scenarii because auth is perfom by distribute or reject command.
    my $action;
    my $result;
    if ($is_signed->{'body'}) {
        $result = $list->check_list_authz('send', 'smime',$context);
        $action = $result->{'action'} if (ref($result) eq 'HASH');
    }else{
        $result = $list->check_list_authz('send', 'smtp',$context);
        $action = $result->{'action'} if (ref($result) eq 'HASH');
    }

Hence for sending messages, mail confirmation (on the mail interface) is NOT equivalent to password authentication (on the web interface).

Consider a scenario where I want to be able to only allow properly authenticated owners to post:

    is_owner([sender]) smtp -> request_auth
    is_owner([listname],[sender]) md5,smime -> do_it
    true() smtp,md5,smime -> reject(reason='send_trusted_people')

My issue is why should they have to go through the multi-step mail confirmation process when they have already authenticated themselves to the appropriate level? At the moment they do.
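
Added illustration, not part of the original message and not Sympa's code: a simplified Python model that runs the posted scenario against the authentication method chosen by the quoted sympa.pl branch. It assumes rules are tried top to bottom and the first rule matching both condition and method decides; the helper names and sample addresses are hypothetical.

```python
# Added illustration: simplified model, not Sympa's implementation.
import re

# Scenario exactly as posted in the message above.
SCENARIO = """\
is_owner([sender]) smtp -> request_auth
is_owner([listname],[sender]) md5,smime -> do_it
true() smtp,md5,smime -> reject(reason='send_trusted_people')
"""

RULE = re.compile(r"^(\w+)\(.*?\)\s+([\w,]+)\s*->\s*(.+)$")

def parse(text):
    """Return [(condition_name, {auth methods}, action), ...] in file order."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            cond, methods, action = m.groups()
            rules.append((cond, set(methods.split(",")), action.strip()))
    return rules

def evaluate(rules, auth_method, sender, owners):
    """Assumption: first rule whose condition and auth method both match wins."""
    conds = {"is_owner": lambda: sender in owners, "true": lambda: True}
    for cond, methods, action in rules:
        if auth_method in methods and conds[cond]():
            return action
    return "reject"  # assumed default when nothing matches

def initial_send_method(is_signed):
    """Mirrors the quoted sympa.pl v5.2 branch: only 'smime' or 'smtp' is passed."""
    return "smime" if is_signed else "smtp"

RULES = parse(SCENARIO)
OWNERS = {"owner@example.org"}  # constructed sample data
OWNER = "owner@example.org"

if __name__ == "__main__":
    # Unsigned owner post: evaluated as smtp, so confirmation is requested.
    print(evaluate(RULES, initial_send_method(False), OWNER, OWNERS))
    # Same owner if the caller passed md5: the do_it rule would match.
    print(evaluate(RULES, "md5", OWNER, OWNERS))
    # S/MIME-signed owner post goes straight through.
    print(evaluate(RULES, initial_send_method(True), OWNER, OWNERS))
    # Non-owner falls to the final reject rule.
    print(evaluate(RULES, "smtp", "other@example.org", OWNERS))
```

Because the send path in this model only ever supplies smtp or smime, the md5 rule is reachable only if some caller passes md5 explicitly, which is the gap the message describes.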