[pmwiki-users] RFC -- POP3 to PmWiki

Ben Wilson dausha at gmail.com
Wed Oct 4 10:42:57 CDT 2006

On 10/4/06, Crisses <crisses at kinhost.org> wrote:
> Would everyone agree with subject->pagename?


> It can be:
> Subject: This is the Group.This Would Become The Page Name

What about "Group.PageName?" Rather than just the pagename, use the
full name. When the admin wants to force all emails to a quarantine
group, it could become Group-PageName.

> I can set it up to auto-recognize username from the email when email
> addresses are AVAILABLE (such as in the AuthUserDbase extension I wrote).
> But then what about password?  No one wants their password floating around
> in a plain-text email.
> What about allowing a separate "post by email" password?

Still insecure.


1. Public Key. Have a list of email addresses that can post (e.g.
Site.PostByEmail). If you're not on the list, you're not posting. (I
believe Xes plans this off the AuthUserDbase extension, but it needs
to be available for those who aren't using AUDe.) Authorization to
edit a page is borrowed from the email's user account---if he can't
edit, he can't post.
2. Post-Back. System _always_ sends a reply to the email address with
a link to the new page. This would include a "Did you post this?"
statement which would put the email-editor on notice if somebody is
abusing his email address.
3. Post Limit. System will not post twenty (variable) email postings
sent by the same address within a limited time frame. This helps
mitigate wiki spammers from pummelling the system if they do subvert a
user account.
4. Admin Oversight. Email posts are listed for Admin oversight. This
could either be a page like RecentChanges (or EmailPostings-20061004),
or an email sent to the Admin on a per-email or per-time basis.
5. Restrict Groups. Certain _groups_ can never be emailed to
(definitely Site, and probably PmWiki by default). "Hello
Site.AuthUser. I'm a cracker. I would like to give you a little
pruning. Oh, and Group.RecentChanges, let's just forget I was here."

> How would one encode the password in the body of the email?


> I would recommend that the email address that posts go to NEVER be put on a
> web page.  Otherwise you'll have a lot of spam in the wiki from spammail.

Put the email addresses within a hide block (:if false:). This would
effectively mask email addresses from spammers.

> (:postcode IWantMyMTV:)
> (:postauthor XES:)

Author gleaned from email address. On the odd chance the same email
address has two authors (e.g., husband and wife sharing email account
and having two wiki accounts), then post _both_, and let them sort it

This way, everything in the body of the email is posted. Possible
exception is to look for .sig flags /^--\\n/ and not posting the
information following (or post in some kind of hide block).

> The plan is that if I do this, I will be using a PHP pop3 module for PmWiki.
>  At most, it can be called every time PmWiki is run.  I can have it
> "squelch" checking POP3 so that you can have a minimum time between email
> calls.  I can't rely on people having PHP CLI access, cron, procmail,
> fetchmail, etc.  so I will probably limit the max number of emails it can
> process each time PmWiki is run.

Perhaps the PmWiki mailer's squelch? IIRC it sends based on time last
sent. You could use the same logic, if not the same code.

Ben Wilson
"All this worldly wisdom was once the unamiable heresy of some wise man." HDT

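The checks proposed in the message above (sender list, post limit, restricted groups, Group.PageName subjects, quarantine renaming, signature stripping) can be combined into one gate. This is an added sketch, not code from the thread or from PmWiki; the function names, the one-hour window and the subject pattern are assumptions.

```php
<?php
// Added example; every name and limit below is an assumption, not a PmWiki API.
const RESTRICTED_GROUPS = ['site', 'pmwiki'];  // point 5: never postable by email
const POST_LIMIT = 20;                         // point 3: posts allowed per window
const WINDOW_SECONDS = 3600;                   // assumed window length

// Subject "Group.PageName" -> target page, or null if malformed or restricted.
function target_from_subject(string $subject, ?string $quarantine = null): ?string {
    if (!preg_match('/^\s*([A-Za-z][A-Za-z0-9]*)\.([A-Za-z][A-Za-z0-9]*)\s*$/', $subject, $m)) {
        return null;
    }
    if (in_array(strtolower($m[1]), RESTRICTED_GROUPS, true)) {
        return null;
    }
    // With a quarantine group set, Group.PageName becomes Quarantine.Group-PageName.
    return $quarantine === null ? $m[1] . '.' . $m[2] : $quarantine . '.' . $m[1] . '-' . $m[2];
}

// Drop everything from the signature delimiter line ("--" or "-- ") onward.
function strip_signature(string $body): string {
    return rtrim(preg_split('/^-- ?\r?$/m', $body, 2)[0]);
}

// Point 3: true while the sender has fewer than POST_LIMIT posts in the window.
function under_post_limit(array $timestamps, int $now): bool {
    $recent = array_filter($timestamps, fn($t) => $t > $now - WINDOW_SECONDS);
    return count($recent) < POST_LIMIT;
}

// Run the checks in order; the caller still applies the page's edit permissions,
// sends the post-back mail (point 2) and logs the post for the admin (point 4).
function gate_email(array $msg, array $allowed, array $history, int $now, ?string $quarantine = null): array {
    $sender = strtolower(trim($msg['from']));
    if (!in_array($sender, $allowed, true)) {
        return ['ok' => false, 'why' => 'sender not on allowlist'];   // point 1
    }
    if (!under_post_limit($history[$sender] ?? [], $now)) {
        return ['ok' => false, 'why' => 'post limit reached'];
    }
    $page = target_from_subject($msg['subject'], $quarantine);
    if ($page === null) {
        return ['ok' => false, 'why' => 'malformed or restricted target'];
    }
    return ['ok' => true, 'page' => $page, 'text' => strip_signature($msg['body'])];
}

// Constructed sample messages (not real mail).
$allowed = ['alice@example.org'];
$ok  = ['from' => 'Alice@example.org', 'subject' => 'Main.MeetingNotes', 'body' => "Agenda\n-- \nAlice"];
$bad = ['from' => 'alice@example.org', 'subject' => 'Site.AuthUser', 'body' => 'x'];
print_r(gate_email($ok, $allowed, [], time(), 'Quarantine'));
print_r(gate_email($bad, $allowed, [], time()));
```

The From header is supplied by the sender, so the allowlist check only narrows who can post; the post-back mail and admin listing are what surface a forged address.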