Ok... thanks to all!!!
But I have one last doubt: what is the advantage of keeping the creation of lists open to the world? What would be the real advantage? I need to understand before blocking the access.
THANKS!!!!!
On Mon, Jan 5, 2009 at 2:50 PM, Barry Warsaw <barry@list.org> wrote:
On Jan 5, 2009, at 11:48 AM, Mark Sapiro wrote:
I think Barry misunderstood which links you are talking about.
Yep. Thanks, I just re-read the OP (in post-coffee mode :), so now I get it.
The links on the list admin overview page to lists really reveal nothing but the names of public lists on the server. These are already available on the listinfo overview page and anyone who knows even a little bit about Mailman can easily construct admin or admindb links from the listinfo links. If you are concerned about revealing this, make all your lists advertised = No.
A random example: The official MailMan mailing list. Follow my steps:
1 - Open this link: http://mail.python.org/mailman/admin
2 - Then click on "create a new mailing list"
Likewise, anyone with even a little knowledge of Mailman can figure out the URL to the create CGI.
The answer is to use strong passwords, and if you are really concerned, don't advertise any lists and remove Mailman's cgi-bin/create wrapper so lists can't be created from the web, or alternatively just don't set site admin or list creator passwords or remove data/adm.pw and data/creator.pw to remove those set previously.
Mark's suggestions are spot on.
-Barry
-- Regards,
Edilson Azevedo (19) 3787-3312 (12) 8156-5590 Mail / Gtalk: eazevedo@bsd.com.br