On Aug 24, 2020, at 3:24 PM, webmaster@PROTECTED webmaster@PROTECTED [Dada Mail Developers] dadadev@PROTECTED wrote:From: webmaster@PROTECTED
I think the below settings under MAILING LIST/Options essentially do that.
Well, that's security through obscurity. All that really does is hide what the list short name is, but that can be found easily through the email headers that are sent through the discussion list - it's literally this line:
List: dadadev
Then since you know the list short name, you can just log in as normal.
What I'm proposing is not allowing anyone to log in at all. You'd have to flip a global config variable to allow it. When I'm thinking security, I'm not really just thinking of subscribers snooping around looking for a way to log in; I'm thinking bad actors that are going to log in, then send out spam using your mailing list (or steal information, like your subscription list).
My Joomla extension interfaces to Dada Mail through MySQL database queries. The only “accounts” are my website member accounts, and those authorize the members to utilize the email lists.
Which is a little dangerous, as it does circumvent all sorts of safety checks like: are you saving a setting that actually exists? Is it a valid value for the setting? Stuff like that. It works - and if it works for your use, fine with me, but it isn't a robust solution - I'm not guaranteeing that method your using will work in the next release (but it has for forever). Your plugin isn't something that's even publicly available atm, is it?
And that is the part of the application I am wondering if I can safely remove somehow; the templates, the editors, the themes, the Captcha stuff, you know…all the stuff needed to support securely editing and sending emails from a web browser.
Things are written in the opposite way. Bridge is the add-on plugin, not the other way around. So thinking one can just turn things inside out is a little unrealistic.
--
Justin J: Lead Dadaist.url: http://dadamailproject.com email: justin@PROTECTED twitter: @dadamail skype: leaddadaist
Dada Mail Announcements:http://dadamailproject.com/cgi-bin/dada/mail.cgi/list/dada_announce/
On Aug 24, 2020, at 3:24 PM, webmaster@PROTECTED webmaster@PROTECTED [Dada Mail Developers] dadadev@PROTECTED wrote:
From: webmaster@PROTECTED
I think the below settings under MAILING LIST/Options essentially do that. I don’t publish the link to the web interface, and nobody in my HOA cares to visit yet another website and do yet another login if they can just check a box in their profile on our HOA site. And since I don’t create “accounts” for each user in the sense Dada Mail knows about them, there is no way for a regular user to login through the web interface even if they found their way to it. My Joomla extension interfaces to Dada Mail through MySQL database queries. The only “accounts” are my website member accounts, and those authorize the members to utilize the email lists.
The admin part of the web interface is still quite essential, but if the web interface isn’t being used to send any messages and our list members don’t beg to access the archives, I have no dire need for it. And that is the part of the application I am wondering if I can safely remove somehow; the templates, the editors, the themes, the Captcha stuff, you know…all the stuff needed to support securely editing and sending emails from a web browser. At one point in the distant past I actually had a working Joomla extension to browse through the archived messages, but displaying the emails as they were seen by recipients was a difficult undertaking. Nobody was clamoring for it, so I abandoned that effort.
I figured Justin would say it is a big effort, but it was certainly worth asking. It all works beautifully just as it is.
Cheers,
Bruce
From: dadadev@PROTECTED dadadev@PROTECTED Sent: Monday, August 24, 2020 2:27 PM To: Dada Mail Developers Subscriber webmaster@PROTECTED Subject: Re: [dadadev] Dada Mail Lite - Bridge-only version
From: justin@PROTECTED Thinks Absentmindedly
Maybe one easy thing to do is simply have an option in the app to simply not allow log ins to the list control panel for any mailing lists. That could help with keeping things sealed up until you absolutely have to log in to do $stuff. I'd be game to implement that.
--
Justin J: Lead Dadaist.url: http://dadamailproject.com email: justin@PROTECTED twitter: @dadamail skype: leaddadaist
Dada Mail Announcements:http://dadamailproject.com/cgi-bin/dada/mail.cgi/list/dada_announce/
On Aug 24, 2020, at 12:16 PM, Justin J justin@PROTECTED [Dada Mail Developers] dadadev@PROTECTED wrote:
From: justin@PROTECTED
On Aug 24, 2020, at 11:33 AM, Bruce Scherzinger webmaster@PROTECTED [Dada Mail Developers] dadadev@PROTECTED wrote:
From: webmaster@PROTECTED
So my idea is an installation option that allows you to choose a Bridge-only configuration that would install only what is needed. Would that be doable?
It's probably a project that's over and above what I'm willing to commit to taking on myself. The benefit just may be too small, as the way you're using the app is somewhat of a minority.
If there were more mature front ends to Dada Mail to swap out, or if Dada Mail's own front end system/API for manipulating list settings was more modular, it would be a realistic project. The code that lights up when Bridge handles a message is probably quite extensive, so there isn't going to be a huge win when it comes to memory use or processing needs. There's always going to be room for improvement in the future, but something your proposing is probably far, far off.
One of the big projects I have announced that I'd like to chip away at - it's a big one, is to make the build system for Dada Mail a little more open and malleable, since right now, you can't actually build Dada Mail from source - I and I alone have the build scripts. This wasn't something I intended, but little utility scripts just became large build systems in of themselves, which is not good. Part of that project will be options like, "hey write and add in the documentation" (or not!), "Use this as a source for all the email template layouts", etc - and maybe when this all gets mature, you'll be able to say which giant pieces of the app will be part of the distribution you're building. That's a far ways off.
--
Justin J: Lead Dadaist.url: http://dadamailproject.com email: justin@PROTECTED twitter: @dadamail skype: leaddadaist
Dada Mail Announcements:http://dadamailproject.com/cgi-bin/dada/mail.cgi/list/dada_announce/
On Aug 24, 2020, at 11:33 AM, Bruce Scherzinger webmaster@PROTECTED [Dada Mail Developers] dadadev@PROTECTED wrote:
From: webmaster@PROTECTED
Hey Justin,
Just an idea that's been rattling around in my head for a few years. As you may recall, I manage subscriptions to my Dada lists entirely through Joomla website accounts using an extension I wrote many years ago. All my lists are "closed" as far as Dada knows and the user portions of the web interface are not public. All email traffic is handled by Bridge. That means a fairly large amount of code in the full Dada package isn't really needed for my case.
Is there a clean delineation of files that can be omitted/removed and allow DM to function properly the way I'm using it? I read things about security vulnerabilities in code I don't need but which is installed and wonder if I can get rid of it and those vulnerabilities.
So my idea is an installation option that allows you to choose a Bridge-only configuration that would install only what is needed. Would that be doable?
Hope you are well, my friend.
Thanks,Bruce
On August 24, 2020 1:17:55 PM "Justin J justin@PROTECTED [Dada Mail Developers]" dadadev@PROTECTED wrote:
From: justin@PROTECTED
Howdy everyone,
v11.11.1 is out! A few bug fixes - most notably getting those tracker analytic emails actually go out, and some security holes closed up. (There's been no actual security exploits found)
Download and install:
https://dadamailproject.com/d/install_dada_mail.pod.html
Changelog (and below):
https://dadamailproject.com/d/changes_11_x.pod.html#pod11.11.1
Focus
This is mostly a bug-fix release for issues found in the v11.11.0 release of Dada Mail. There's also places we've tightened up some potential security exploits regarding the file browser/uploaders we ship with Dada Mail.
Changes
Directories managed in the, "dada_mail_support_files" directory will now have their permissions changed when not in use
Files and directories in the, dada_mail_support_files directory are ones that are served directly by the webserver. Items like images, javascript files, etc, are found here. The file managers/uploaders that are shipped with Dada Mail are installed here too. These are third-party apps in of themselves, and we don't have complete control over their development. Historically, security issues crop up in these apps, either in current or in past versions - it happens, and since their job is to upload files onto the web server, this can really cause chaos on a web hosting account.
To keep the attack surface as small as possible, Dada Mail will now always change the permissions of directories that are not in use to, 0644, rather than the more open, 0755. This will disallow access to the directory via something like a web browser.
Option to install no file manager uploader
Dada Mail has the option to install one of three bundled file managers: KCFinder, Rich FileManager, and Core 5 Filemanager. But it never had the option to install no file manager at all. This version adds the ability to select "Don't Install a File Browser/Uploader"
Bugfixes
"Send message tracker analytics report a few days after a mass mailing was sent " doesn't work - query is incorrect
https://github.com/justingit/dada-mail/issues/956
TinyMCE Vulnerability should be fixed in Dada Mail
https://github.com/justingit/dada-mail/issues/955
"Recent Activity" chart not loading
https://github.com/justingit/dada-mail/issues/954
--
Justin J: Lead Dadaist.url: http://dadamailproject.com email: justin@PROTECTED twitter: @dadamail skype: leaddadaist
Dada Mail Announcements:http://dadamailproject.com/cgi-bin/dada/mail.cgi/list/dada_announce/
Dada Mail Developers Post to: Dada Mail Developers ( dadadev@PROTECTED )Manage Your Subscription Unsubscribe
Dada Mail Developers Post to: Dada Mail Developers ( dadadev@PROTECTED )Manage Your Subscription Unsubscribe
Dada Mail Developers Post to: Dada Mail Developers ( dadadev@PROTECTED )Manage Your Subscription Unsubscribe
Dada Mail Developers
Post to: Dada Mail Developers ( dadadev@PROTECTED )
Manage Your Subscription
Unsubscribe
Dada Mail Developers Post to: Dada Mail Developers ( dadadev@PROTECTED )Manage Your Subscription Unsubscribe
Start a new thread, email: dadadev@dadamailproject.com
This is the developer discussion mailing list for Dada Mail.
If you are just looking for support Dada Mail, consult the message boards at:
https://forum.dadamailproject.com
Documentation for Dada Mail:
Specifically, see the Error FAQ:
https://dadamailproject.com/d/FAQ-errors.pod.html
To post to this list, send a message to:
mailto:dadadev@dadamailproject.com
All subscribers of this list may post to the list itself.
Topics that are welcome:
Dada Mail is on Github:
https://github.com/justingit/dada-mail/
If you would like to fork, branch, send over PRs, open up issues, etc.
This Privacy Policy is for this mailing list, and this mailing list only.
Email addresses collection through this mailing list are used explicitly to work within this email discussion list.
We only collect email addresses through our Closed-Loop Opt-In system.
We don't use your email address for any other purpose.
We won't be sharing your email address with any other entity.
Unsubscription can be done at any time. Please contact us at: justin@dadamailproject.com for any help regarding your subscription, including removal from the mailing list.
All mailing list messages sent from us will include a subscription removal link, which will allow you to remove yourself from this mailing list automatically, and permanently.
All consent to use your email address for any other purpose stated at the time of the mailing list subscription will also be revoked upon mailing list removal.