From: "Andreas Tille" <tillea@rki.de>
On my live system I define certain roles in the /Influenza folder and some users who get these roles (but not the 'Manager' role!). They are perfectly able to send mails without being 'Manager' and there is certainly no reason to have this role just to send mails.
If that is the only role that has the 'Use mailhost services' permission in the root, it is. And that is the default setting. And since you define your roles lower than where MailHost is located, you can't set that permission on these roles either. Maybe if you set "Authenticated" so it had 'Use mailhost services' it might work. I'm not sure if you are "Authenticated" above where you are created. On no account give the right to "Anonymous". If you do, people can use your system to send spam. I don't think this has ever actually happened with Zope and MailHost, but it is theoretically possible. Similar exploits have been used with some infamous PHP scripts.