Andrew Stuart writes:
> Right now I’m aiming for super simple.
This worries me. Nothing in security is simple (except for the "Orange Book" and "RMS" models: the former being "it can't be attacked if you don't plug it in" and the latter being "password communism" a la Stallman).
At present, we just don't much care because historically the subscriber database and archives rarely required much if any security, and when such security was needed we simply did a "deny all" except for root on the server, which of course was a single host.
But with the advent of DMARC (and the "4/14 Debacle" at Yahoo! and AOL), I suspect that the price of "known good" address lists is rising in the underworld, and there will be attacks on Mailman security just to get addresses. We're also trying to make it easier to access and mutate enterprise databases through the Mailman APIs. That could make Mailman a vector for attacks on those databases.
> As it turns out, the core doesn't have a lot of need for this, which is another reason I've so far resisted tightly integrating it with the core.
I'm afraid that is changing, Mr. General FLUFL Sir. The core is concerned with mail distribution, which historically has been the no-security SMTP protocol. If your core product *can't* be secure, I would expect that you have little need for security, and what security you do need can be implemented simply by hiding everything else in a server on a single host with only root access to anything. Especially with the various expanded roles that are already appearing in Postorius and HyperKitty, is that going to be true going forward?
Of course in current Mailman practice, all this is FUD. But the fear is real, even if the threats are (so far) unrealized. And of course the cost of a flexible and tight security model is high, both in design effort and in complexity of the resulting system.