Mailman privacy
Context
- Big brother is watching your /var/log/; have a look at http://dev.riseup.net/privacy/.
- Mailman default configuration logs every e-mail/subscription to any list.
- Mailman does not use syslog, but writes its logs itself to /var/log/mailman (on a Debian system at least), using the Mailman/Logging Python code.
- This is applicable to Mailman 2.1.5. At least.
Various kinds of logs
SMTP-related logs: post, smtp, smtp-failure
Mailman default configuration logs many e-mail addresses and message IDs (which often more or less disclose the sender's e-mail address).
The SMTP-related Mailman logging format is defined by a few configuration variables, set in Defaults.py, which can be overridden by values assigned in /etc/mailman/mm_cfg.py without any patching.
Example privacy-aware values (of course, privacy-awareness depends on your context, and the following values may not suit yours):
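# smtp log: number of recipients and timing only
SMTP_LOG_EVERY_MESSAGE = (
    'smtp',
    'smtp for %(#recips)d recips, completed in %(time).3f seconds')
# post log, successful delivery: list name and size only
SMTP_LOG_SUCCESS = (
    'post',
    'post to %(listname)s, size=%(size)d, success')
# post log, refused recipients: list name, size and failure count only
SMTP_LOG_REFUSED = (
    'post',
    'post to %(listname)s, size=%(size)d, %(#refused)d failures')
# smtp-failure log: this format still writes the recipient address
SMTP_LOG_EACH_FAILURE = (
    'smtp-failure',
    'delivery to %(recipient)s failed with code %(failcode)d: %(failmsg)s')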
Other faulty files
bounce
At least Queue/BounceRunner.py and Bouncer.py write e-mail addresses and message IDs to this log file.
error
A few bits of code, such as Deliverer.py, write at least e-mail addresses to this log file.
mischief
At least Cgi/subscribe.py, Cgi/options.py and Deliverer.py write e-mail addresses to this log file.
subscribe
At least Bouncer.py and MailList.py write e-mail addresses to this log file.
vette
At least Handlers/Hold.py, Handlers/SpamAssassin.py, Queue/CommandRunner.py, Queue/IncomingRunner.py, ListAdmin.py and MailList.py write e-mail addresses and message IDs to this log file.
Log files to examine further
locks
Dunno. Mine is empty.
qrunner
Dunno.
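One way to check which files under /var/log/mailman actually contain e-mail addresses or message IDs, for instance the locks and qrunner logs, or any log after changing mm_cfg.py. This is an added example, not part of the original page or of Mailman; it targets Python 3, and the regular expressions, function names and sample log lines (timestamp prefix and vette line format included) are constructed assumptions.

```python
import os
import re
import tempfile

# Loose patterns on purpose: in an audit a false positive is cheaper than a miss.
MSGID_RE = re.compile(r"<[^<>\s@]+@[^<>\s@]+>")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def audit_line(line):
    """Return (has_email, has_msgid) for one log line."""
    has_msgid = bool(MSGID_RE.search(line))
    # Blank out <...@...> tokens first so their host part is not counted twice;
    # an address written in angle brackets is therefore reported as a message ID.
    rest = MSGID_RE.sub(" ", line)
    return bool(EMAIL_RE.search(rest)), has_msgid


def audit_logdir(logdir):
    """Map each log file name to its line count and the number of leaking lines."""
    report = {}
    for name in sorted(os.listdir(logdir)):
        path = os.path.join(logdir, name)
        if not os.path.isfile(path):
            continue
        with open(path, errors="replace") as fh:
            hits = [audit_line(line) for line in fh]
        report[name] = {"lines": len(hits), "email": sum(e for e, _ in hits),
                        "msgid": sum(m for _, m in hits)}
    return report


def demo():
    """Run the audit over constructed sample logs (not real Mailman output)."""
    samples = {
        "post": "Jan 01 00:00:00 2005 (1234) post to testlist, size=2048, success\n",
        "smtp-failure": "Jan 01 00:00:01 2005 (1234) delivery to bob@example.org failed with code 550: no such user\n",
        "vette": "Jan 01 00:00:02 2005 (1234) held message <abc123@mail.example.net> from alice@example.com\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in samples.items():
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write(text)
        return audit_logdir(tmp)


if __name__ == "__main__":
    for name, c in demo().items():
        print("%-14s lines=%d email=%d msgid=%d" % (name, c["lines"], c["email"], c["msgid"]))
```

On a real host, call audit_logdir("/var/log/mailman") as a user allowed to read the logs; a file whose email and msgid counts stay at zero over a representative period is a candidate for the clean list.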
Clean log files
These log files do not contain any privacy-sensitive data, according to our own definition of "privacy-sensitive data" :
A few possible (or not) solutions
Patch Mailman to avoid writing such data in the first place
Would take tons of energy. Too much energy.
Patch Mailman so that it uses syslog
This way, the privacy-enabled syslog-ng would be able to strip any undesired data from these log files, and optionally write a non-stripped version to a ramdisk, if needed.
Should be feasible quite quickly and cleanly. Might even be implemented in Mailman v3 devel branch?
Symlink the faulty log files to /dev/null, or put the whole /var/log/mailman onto a ramdisk
Why not, he he. TODO : check that Mailman does not need to retrieve any information from these log files, and test these solutions.