sceneri that check subscriber/editor/owner/listmaster should require auth
Created by: taggart
Many of the existing sceneri do checks for is_subscriber/is_editor/is_owner/is_listmaster and blindly trust smtp requests, which can be forged. One can generate a list of potential ones with:
default/scenari$ grep is_ * |grep smtp |grep do_it
(these are always wrong, but in some cases an earlier line might be firing and preventing from getting here, still it should be fixed).
It's far too easy to forge email and any assumptions made in the past about a sympa server only being for private use are no longer valid, even private servers have to be secure against attackers these days. So it's time for the unauthenticated sceneri to go away.
In the past, many sceneri had both a non-authenticated version and an authenticated version, currently there are 19 different ones with 'auth' in the name. And 'auth' in the name usually meant it did a request_auth, although in some cases dkim or smime was also acceptable to establish a legit request.
One thing complicating the problem is that it's difficult to rename or remove scenari because once you have existing lists pointing to a particular name in their config you will need to migrate them to something else before making changes. However it's possible to change the content of scenari and leave the name the same. I think it might be possible to update all the non-auth versions of sceneri to use auth (probably resulting in them being identical to the auth versions). Then maybe the sympa upgrade script could make one a symlink, or migrate existing lists away from one name or the other. New installs could get a smaller set of sceneri.
Version
6.2.32 and older.