
Re: [sympa-users] INVITE command and security flaw?

Subject: The mailing list for listmasters using Sympa

  • From: Courtney Banks Schley <address@concealed>
  • To: "Zeikat, Wolfgang" <address@concealed>, sympa-users <address@concealed>
  • Subject: Re: [sympa-users] INVITE command and security flaw?
  • Date: Mon, 1 Sep 2014 12:30:57 -0400

Thank you for responding, Wolfgang. Sorry, I should have clarified my question. In the list configuration, there are 3 options:

1. Invite disabled
2. Only admin can invite
3. Anyone can invite

For options 2. and 3., it says this opens a security hole for private lists and is therefore not recommended. I understand why having it configured so anyone can invite would be a security problem, but it's not clear what the issue is if only admin can invite subscribers?

Thank you again.




2014-09-01 10:22 GMT-04:00 Zeikat, Wolfgang <address@concealed>:
Hello,

If subscribers can invite anyone else to a private list, it wouldn't be a private list anymore, would it?

I think that's meant by "Invitation is disabled by default because it opens a major security hole for private lists."

Hope this helps,

wolfgang


----- Original Message -----
From: "Courtney Banks Schley" <address@concealed>
To: address@concealed
Sent: Monday, 1 September, 2014 4:07:33 PM
Subject: [sympa-users] INVITE command and security flaw?


Hello,

I'm running a list on Riseup.net. In their help documentation, it notes that the INVITE command (to add users to a list by emailing address@concealed with:
INVITE list-name email-to-invite QUIT) is automatically disabled for private lists, because it would open the list to a security hole. (see here: https://help.riseup.net/en/lists/list-admin/faq#how-do-i-invite-someone-to-my-list )

I can’t find further info on what the security hole is. I’m not sure if this is specific to riseup.net lists, but haven’t gotten any responses from their help desk. I just wanted to ask if any SYMPA users here are familiar with what the security hole is, so I can determine whether I want to enable INVITE on my private list.

Thanks!

Courtney







