When a user at a p=reject signs up for a list, you demand an OAUTH API token if the the provider supports it, otherwise their host system password.
-1 on the password thing. It's too close to phishing, imposes serious privacy issues on Mailman hosts, and makes them targets for attack.
Honestly, Tough Noogies. Let list managers make their own security decisions. AOL and Yahoo want all mail from their users to be authenticated. Well, OK, this will do it.
I'm fine with annoying the hell out of Yahoo! and AOL users with an OAuth request on every post.
My Yahoo contact tells me they eventually plan to do OAuth submission which should have long lived tokens. But in the meantime, the submit hack should work everywhere.
Regards, John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail.