Subject: The mailing list for listmasters using Sympa
[sympa-users] Re: Strange list created without proper authentication
- From: qt4x11 <address@concealed>
- To: "Thomas Berry" <address@concealed>
- Cc: address@concealed
- Subject: [sympa-users] Re: Strange list created without proper authentication
- Date: Wed, 13 Jun 2007 13:31:09 -0500
Is this true? Our system uses LDAP for authentication. The create list form is located at
https://servername.com/sympa/create_list_request
This page is not even visible unless you are logged in with your LDAP name and password. How could someone not in our LDAP directory submit a request to create a new list?
Also, newly created lists on our system - whether they are created by a spammer, or by a user in our LDAP directory - are subject to listmaster approval before they can be used. I have verified this.
On 6/13/07, Thomas Berry <address@concealed> wrote:
qt4x11 wrote:
> We are using Sympa 5.2.3. It seems like a new list was created on our
> system without proper authentication. This list has been sending out
> spam to users in our domain.
>
> We enable wwsympa.fcgi to run under the sympa user uid/gid by setting
> User sympa and Group sympa in our /etc/httpd/conf/httpd.conf file.
>
> The new list does not appear in /etc/mail/sympa_aliases. We received a
> new list creation request for the new list, the list creation request
> was ignored. It seems the list was created without listmaster
> approval. Our sympa.conf looks like
>
> ## Who is able to create lists
> ## This parameter is a scenario, check sympa documentation about scenarios if you want to define one
> create_list public_listmaster
This setting allows anyone (public) to create a list without authentication.
>
> -does this not mean that a person needs to be authenticated before the
> list is created? The user who created the list is unknown to us.
You'll need to build a create_list scenari(o) file that requires
authentication. There are two available files included with Sympa:
create_list.listmaster and create_list.public_listmaster. I'd look at
one of the other auth scenari(o) files to determine how to create your
own create_list.auth_listmaster file.
We created our own "intranet" restricted file:
title.gettext anyone from local domain
is_listmaster([sender]) md5,smime -> do_it
match([sender],/([conf->host])|(.*.local_domain)|(local_domain)$/) smime,md5 -> listmaster,notify
true() smtp,md5,smime -> reject(reason='create_list_local_user')
# end
>
> There are a few more lists that were created without proper
> authentication in our /home/sympa/expl folder. We have not had any
> further reports of spam being sent from these lists. It appears that
> these unauthorized lists on our system have spam-sending scripts in
> their /home/sympa/expl/<listname>/expl/shared folders.
>
> I have a two part question - what is the proper way to close and delete
> these unauthorized lists? What do I need to change in my configuration
> to avoid getting them again?
We do this as listmaster using the Sympa web interface. Under Admin in
the list "info", select "Remove List". Then, purge the list(s) using
the "Closed lists" button under the "Sympa admin" tab in the Sympa web
interface.
>
> Thanks.
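An added example, not part of the original thread or of Sympa: the `match()` pattern from the scenario file quoted above, run against constructed sender addresses beside a grouped and anchored variant. It assumes `[conf->host]` and `local_domain` are inserted into the pattern as literal text; `lists.corp.example` and `corp.example` are placeholder values.

```python
import re

# Constructed placeholder values standing in for [conf->host] and for the
# poster's "local_domain"; neither comes from the thread.
HOST = "lists.corp.example"
LOCAL = "corp.example"

# The pattern as posted, placeholders inserted as literal text (assumption).
# "$" binds only to the last alternative and the dots match any character.
AS_POSTED = re.compile(rf"({HOST})|(.*.{LOCAL})|({LOCAL})$")

# Variant for comparison: start at the "@", escape the dots, and group the
# alternatives so that "$" closes every one of them.
HARDENED = re.compile(
    rf"@(?:{re.escape(HOST)}|(?:[^@]+\.)?{re.escape(LOCAL)})$"
)

# Constructed sender addresses.
SAMPLES = [
    "alice@corp.example",
    "bob@dept.corp.example",
    "carol@lists.corp.example",
    "mallory@corp.example.invalid",
    "mallory@notcorp.example",
    "dave@elsewhere.invalid",
]


def compare(samples=SAMPLES):
    """Return (sender, as_posted_matches, hardened_matches) per sender."""
    return [
        (s, bool(AS_POSTED.search(s)), bool(HARDENED.search(s)))
        for s in samples
    ]


def disagreements(samples=SAMPLES):
    """Senders the posted pattern accepts but the anchored one rejects."""
    return [s for s, posted, hardened in compare(samples) if posted and not hardened]


if __name__ == "__main__":
    for sender, posted, hardened in compare():
        print(f"{sender:32} as_posted={posted!s:5} hardened={hardened}")
```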