On Jun 14, 2014, at 10:15 PM, John Levine wrote:
AOL and Yahoo both have OAUTH APIs, but they are not the same, and I see no likelihood that the APIs will converge, or that the next large webmail provider to DMARC us will be compatible with either. But everyone has a SUBMIT server.
Mailman has always been about adhering to standards, preferably RFCs, but de facto standards are acceptable when it makes sense. OAUTH submission could make sense, but I'm not in favor of a supporting a proliferation of incompatible hacks. If this is going to be A Thing, then these webmail providers need to get together and agree on some standard. Otherwise, what Mailman should do IMHO, is support a framework for supporting the feature in general, and leave it to third parties to support their email providers of choice.
At least one of the large providers has told me they plan to do OAUTH submission, presumably with long lived tokens, which would greatly mitigate the security issues. It is my impression that if word got back that lists were considering doing the submit trick, it would motivate them to get OAUTH submission working sooner.
It's the least crappy solution (so far) to a problem of their making, but please get them to agree on some kind of common API.
-Barry