On Thu, 25 Apr 2002 06:11:10 -0400 Carson Gaspar <carson@taltos.org> wrote:

Speaking as someone who has just a few years of computer security experience, the above proposal accomplishes just about nothing, security-wise. If the mail list system in the DMZ can get the subscriber data from the system inside your firewall, then so can any attacker that compromises the mail list system. If you have some sort of read-only access to the datastore, then you may be protected from corruption, but not disclosure.

You have to think about in terms of threat vectors and risk containment.

With Mailman storing the membership roster locally, the only thing required to expose the roster is compromise of the Mailman box (it can then be copied off at leisure). With the membership roster stored remotely, exposure of the membership roster requires compromise both of the Mailman box and of the authentication/access controls for the membership roster (assuming a reasonably constrained ACL/capability system). That need not be a trivial second step.

Further, Chuq's rosters are likely approaching large enough that he needs to keep them under an external DB. In such case, moving that DB off the Mailman box gives various advantages and disadvantages, primary among which are reduced complexity on the mailman box, no need for external access/export of the DB to other systems (eg marketing), better segmentation of risks, and reduced exposure to same-network-segment (as the mailman server) system compromise.

-- J C Lawrence ---------(*) Satan, oscillate my metallic sonatas. claw@kanga.nu He lived as a devil, eh?
http://www.kanga.nu/~claw/ Evil is a name of a foeman, as I live.