Mailman list configuration settings
Over several years of refining listhelper and working with
GNU Mailman, we've
gradually learned about the effects of different mailman configuration
settings. (“We” being Bob Proulx and Karl Berry.)
This list goes through the mailman list configuration pages in the
order they appear in the web interface. We distinguish between those
settings mandatory for listhelper to work at all, and those which are
the best practices we've found and recommend. For plenty of the settings
we have nothing to add to the mailman description, and so those are
omitted here.
For mailman administrators looking for scripts to help with general
tasks, we recommend Mark
Sapiro's page; full of good stuff. (By the way, although the
scripts say they have to be installed in the mailman bin directory, in
our experience it suffices to set PYTHONPATH.)
If you have questions, suggestions, criticisms, or other comments, email
us.
The most important settings
Before we get to the exegesis, a brief summary of the most
important settings.
Settings strongly recommended for all lists (yes, every single
one):
Settings required to use listhelper (in addition
to the above):
Details follow.
General Options -
Passwords -
Non-digest options -
Privacy options -
Privacy…Sender -
Privacy…Recipient -
Privacy…Spam -
Bounce processing -
Archiving options -
Content filtering -
Tend to pending requests
General Options
- real_name
-
Mailman's default is to capitalize the first letter. This usually looks
weird to us, and we downcase our own lists. Just a personal preference.
- owner
-
These addresses are listed on the public web pages for the list. If you
don't want an address to be harvested by spammers, don't put it here.
For lists using listhelper, we offer a generic address
listhelper-moderate@nongnu.org that can be used.
- moderator
-
These addresses are not listed publicly. The public (or not)
listing is the only difference between the owner and
moderator fields; they both receive exactly the same
notifications from mailman. There is no reason to list the same address
in both fields, though there's no harm in it, either.
Contrary to the implications of the mailman documentation for these
fields, neither of these fields are relevant to who can
administer/moderate the list. That is controlled solely by the password used to log in to the list's admin web
interface.
listhelper lists must include listhelper@nongnu.org
or listhelper@gnu.org here.
- info
-
We recommend at least giving a url to the package home page; often that
is all we put here.
- subject_prefix
-
If you downcase the list name, you'll presumably want to
downcase this prefix, too.
- reply_goes_to_list
-
We agree with mailman's recommendation of Poster for nearly all
lists, since this avoids the trap of people thinking they are replying
to the sender only and broadcasting their private thoughts to the list;
there is no fix for that, while the reverse problem is easily remedied
by resending the msg.
Furthermore, many lists are public and can be posted to by anyone.
With This list, a non-subscriber who posts is not
automatically included in replies.
The only exception to Poster that we've found is for private
lists, i.e., those which are not advertised and never used by anyone not
on the list. In that case, This list is reasonable and
more convenient.
Some lists are technically public but rarely posted to by
non-members. It is tempting to use This list for them,
but in our experience this is a mistake; the chances are far too great
that the replies to those seldom outside posters will not go to them and
not be noticed. What's needed for such lists is an option to
“reply to list and poster (if not on the list)”. The
mailman maintainers rejected
this idea, but a contributor wrote a patch,
which unfortunately does not work in current mailman. We would welcome
a fixed version.
- admin_immed_notify
-
This must be set to Yes for listhelper lists. If a list owner
finds the notifications problematic, the choices are (a) don't use
listhelper; (b) don't include the list owner's address in either
the owner or moderator fields; or (c) filter them out of the
incoming mail, with a pattern like this:
^Subject: confirm [a-f0-9]{40}
- admin_notify_mchanges
-
This is purely at the list owners' discretion. To minimize
administrative notifications (as we usually want for our own lists), set
it to No.
- respond_to_post_requests
-
This should always be set to No, due to
backscatter.
- max_message_size
-
Mailman's default is 40, which is usually too small. For lists with
many members, we sometimes set this to 100 or 400(k), to avoid huge
attachments being needlessly broadcast. But often we just use 0 and
let the MTA do any size filtering.
General Options -
Passwords -
Non-digest options -
Privacy options -
Privacy…Sender -
Privacy…Recipient -
Privacy…Spam -
Bounce processing -
Archiving options -
Content filtering -
Tend to pending requests
Passwords
These passwords are the one and only determining factor of who can
log in to the administrative interface (and do what). The email
addresses listed in the owner and moderator fields are immaterial, as described above. This separation is a good thing,
since it means people can be given admin access without also having to
receive mailman notifications.
Also, there is no password recovery mechanism for administrative
passwords. For lists hosted on lists.(non)gnu.org, you can ask
listhelper-moderate@nongnu.org for help.
General Options -
Passwords -
Non-digest options -
Privacy options -
Privacy…Sender -
Privacy…Recipient -
Privacy…Spam -
Bounce processing -
Archiving options -
Content filtering -
Tend to pending requests
Non-digest options
-
We recommend making this empty, which is the default for
lists.(non)gnu.org. Mailman's default is a verbose and not especially
informative three-line footer.
General Options -
Passwords -
Non-digest options -
Privacy options -
Privacy…Sender -
Privacy…Recipient -
Privacy…Spam -
Bounce processing -
Archiving options -
Content filtering -
Tend to pending requests
Privacy options…
- private_roster
-
For protection against spammers, set this to
List admin only; this is the default for all lists.
The setting Anyone is certainly too generous in any case.
Spammers have worked out the automated mailman subscription process.
We haven't seen incontrovertible evidence that they've harvested
addresses by getting the list members after subscribing, but it's almost
certain. Although it is potentially useful for list members to see the
subscribers, it does not seem worth the risk of harvesting.
General Options -
Passwords -
Non-digest options -
Privacy options -
Privacy…Sender -
Privacy…Recipient -
Privacy…Spam -
Bounce processing -
Archiving options -
Content filtering -
Tend to pending requests
Privacy…Sender filters
This is arguably the single most important configuration page.
- default_member_moderation
-
We've found that it's best to set this to Yes, for two reasons.
First, spammers have worked out the automated mailman subscription
process and then posted their junk. Second, even legitimate members
sometimes set up an automated vacation reply or blast invitations to
their address book that wrongly go to lists they are on, and moderating
by default provides a chance to remove those posts before they reach the
list. We've seen all of this.
- dmarc_moderation_action
-
We recommend setting this to Munge From (the default for
lists.(non)gnu.org), to appease DMARC. It is the best available
way to minimize mail failures and unsubscriptions.
- accept_these_nonmembers
-
When a legitimate message is sent from a given address for the first
time, we routinely approve the address for all future posts, so this
field tends to grow large. It would be unbearable for every post to be
delayed for human approval, so we just have to put up with the
occasional spam or automated msg from such addresses (e.g., when forged).
By the way, with this and all the fields
which are lists of email addresses, Mailman unfortunately accepts
addresses from the ‘Tend to pending moderator requests’ page
which it will later reject when the field is edited by hand: addresses
with leading and trailing spaces, without an @, binary
characters, and more. We sometimes just clear the field instead of
trying to track down the address. It's not a bad thing if older
addresses are not accepted forever, anyway.
- hold_these_nonmembers
-
With our recommended configuration (below), there's no reason to use
this field. Occasionally addresses are added to it by mistake while
tending to requests. There's no harm in that, but we keep it empty when
we notice.
- reject_these_nonmembers
-
This should stay empty, to avoid backscatter.
- discard_these_nonmembers
-
This should stay empty, to avoid accidental discards of real mail, as
described below under
forward_auto_discards.
- generic_nonmember_action
-
We believe Hold is always the best setting here. Since
this is such an important setting, here's a discussion of all the
alternatives:
- Accept -
Accepting mail from everyone is clearly a nonstarter, since then spam
would just sail right through.
- Hold -
We believe this is the best setting for all lists. It must be used for
lists using listhelper.
- Reject -
Should not be used, since it causes backscatter.
- Discard -
People send real mail from multiple email addresses, while subscribing
from only one. Therefore using Discard runs a significant
risk of losing messages. Beyond that, this is not an effective means
of controlling spam, since email addresses are arbitrary and spammers
hardly ever reuse old addresses.
- forward_auto_discards
-
This should stay set to Yes, so that real mail from addresses
accidentally added to discard_these_nonmembers will be
noticed.
General Options -
Passwords -
Non-digest options -
Privacy options -
Privacy…Sender -
Privacy…Recipient -
Privacy…Spam -
Bounce processing -
Archiving options -
Content filtering -
Tend to pending requests
Privacy…Recipient filters
- acceptable_aliases
-
If the same list has a (regular) alias, it should be listed here. For
example, bug-gnu-util is an alias for the
bug-gnu-utils list.
- max_num_recipients
-
Mailman's default 10 is usually fine. Occasionally there is a long
thread where people do not clean up the list of recipients and it grows
to more than this, causing messages to be held. In that case, there's
no harm in increasing the value. Spammers rarely blast to lots of
recipients in one message any more.
General Options -
Passwords -
Non-digest options -
Privacy options -
Privacy…Sender -
Privacy…Recipient -
Privacy…Spam -
Bounce processing -
Archiving options -
Content filtering -
Tend to pending requests
Privacy…Spam filters
-
Some GNU mailing lists are still connected to Usenet groups, such as
help-gnu-emacs (gnu.emacs.help) and bug-gnu-utils (gnu.utils.bug). Lists
with an associated Usenet group have the mailman attribute
linked_newsgroup set.
By default, mailman passes through all newsgroup posts to the mailing
list, without all the normal filtering. The settings in the
Mail<->News gateways section do not help. What does help is a
one-line
change to Moderate.py, which makes newsgroup posts have the
same moderation as normal posts.
(Historical: before we got that assistance, we set Spam Filter
Regexp to the value Newsgroups:, with
Action=Hold. This has the undesirable side effect of forcing
manual approval of every real message posted to the newsgroup and then
gatewayed to the mailing list, even if the sender address is already
approved. But letting spam through at will seemed worse.)
General Options -
Passwords -
Non-digest options -
Privacy options -
Privacy…Sender -
Privacy…Recipient -
Privacy…Spam -
Bounce processing -
Archiving options -
Content filtering -
Tend to pending requests
Bounce processing
- bounce_processing
-
Usually Yes is highly desirable (and is the default), but in
the case of small private lists where all members are known, you may
want to consider No, to avoid accidental unsubscription.
- bounce_unrecognized_goes_to_list_owner
-
We use Yes here, because these bounces are usually a result of
mail being sent to a list member who has discontinued or changed their
email address, and it's good to be able to correct that. Mailman's
bounce detector is quite good in our experience, so these messages are
generated only rarely.
- bounce_notify_owner_on_disable
-
To minimize administrative email, we use No. Generally, we
don't feel the need to keep tabs on (un)subscriptions, so if a
subscriber's email has stopped working, we're not going to do anything
about it anyway. Thus, if you set admin_notify_mchanges to Yes,
it would make sense to set this to Yes too, and probably not
otherwise.
- bounce_notify_owner_on_removal
-
Same as previous item.
In addition to the options here, if you have
access to the system, we suggest adding a simple archive to each
LIST-bounces address. It is common for users to wonder why they were
bounces. mailman swallows bounces after processing, and so there is no
good record of what happened without an independent archive. For
example:
mm-bounces: /home/mailman/bounces/archive
...
list1-bounces: "|/usr/lib/mailman/mail/mailman bounces list1",mm-bounces
...
list2-bounces: "|/usr/lib/mailman/mail/mailman bounces list2",mm-bounces
...
General Options -
Passwords -
Non-digest options -
Privacy options -
Privacy…Sender -
Privacy…Recipient -
Privacy…Spam -
Bounce processing -
Archiving options -
Content filtering -
Tend to pending requests
Archiving options
We recommend leaving archiving enabled. On the few occasions when
we've disabled it, we always found, sooner or later, that we wished we
had the archive.
archive_volume_frequency
Traffic permitting, consider reducing the frequency to
Quarterly or even Yearly from the default of
Monthly. Mailing lists often live for many years, and the
list of months on the archive page can get long and painful to peruse.
General Options -
Passwords -
Non-digest options -
Privacy options -
Privacy…Sender -
Privacy…Recipient -
Privacy…Spam -
Bounce processing -
Archiving options -
Content filtering -
Tend to pending requests
Content filtering
We recommend not enabling content filtering, that is, leaving
filter_content=No. It is too unreliable to guess what
legitimate/spam messages might/might not include. Better to leave it to
other levels of mail delivery.
On the other hand, you may want to enable
convert_html_to_plaintext, especially if a given list regularly
receives HTML-only messages. Messages more typically have both HTML and
plain text parts, but there are no rules.
For this, you'll need to set filter_content=Yes. In this
case, we strongly recommend clearing all the other values, most
importantly pass_mime_types and
filter_filename_extensions (which have non-empty defaults).
Otherwise, mailman could unexpectedly remove useful attachments and/or
discard messages.
General Options -
Passwords -
Non-digest options -
Privacy options -
Privacy…Sender -
Privacy…Recipient -
Privacy…Spam -
Bounce processing -
Archiving options -
Content filtering -
Tend to pending requests
Tend to pending moderator requests
Our process here:
- For real messages, of course accept them, and enable the address for
future postings: clear the moderation bit or add to the sender filter
Accepts, as needed.
- Occasionally, a real message from a member will not have any option
to unmoderate. This usually happens when the sender is subscribed to the
list under another address, which is moderated, and the message headers
are unusually crafted; the most common case is people reading lists
through gmane. The answer is to look in the headers for the gmane or
whatever other addresses the sender is using, and unmoderate whatever is
subscribed.
- For spam, just discard with no further action.
- For the occasional real message which needs to be redirected to be
edited (e.g., an excessively huge attachment), we usually reject it from
the “View all messages” link, with a handwritten note,
including our email address so the sender can correspond.
- For the occasional real message that needs to be redirected to
another list (e.g., it was sent to an announcement-only list), we either
reject it as in the previous item, or do it ourselves by forwarding it
to our own mailbox and then resending it, depending on how much trouble
we want to take.
General Options -
Passwords -
Non-digest options -
Privacy options -
Privacy…Sender -
Privacy…Recipient -
Privacy…Spam -
Bounce processing -
Archiving options -
Content filtering -
Tend to pending requests
Backscatter
“Backscatter” is one common name for what happens when a
spammer forges a sender address and a mail server bounces the mail back
to that (real) address. Example: spammer sends junk mail to a bogus
address, with a From: address of karl@gnu.org. Result: karl receives
the bounce, including the original spam message, as if he had actually
sent it.
In general, this can happen with any kind of automated reply, such as
vacation messages. Therefore we recommend (with regret) against ever
using such things. For mailman, this means setting respond_to_post_requests to
No, keeping reject_these_nonmembers empty,
and never using Reject for generic_nonmember_action.
For a more comprehensive discussion, see the Wikipedia entry
on backscatter.
General Options -
Passwords -
Non-digest options -
Privacy options -
Privacy…Sender -
Privacy…Recipient -
Privacy…Spam -
Bounce processing -
Archiving options -
Content filtering -
Tend to pending requests
(See intro at top for general comments and contact address.)
$Date: 2020/12/17 23:50:07 $