
On 10/17/06, Melinda <gilmore.126@osu.edu> wrote:
Has anyone come up with a good management for passwords? We are about to introduce Mailman to the university and many are concerned about password management and generating a lot of helpdesk calls. We currently are running Listproc on a Solaris. We want to move to Mailman on a RedHat Linux box. Any pointers would be much appreciated. I am also new to this world.
Are you concerned about the mailman passwords?
These passwords are generally understood to be low-security; they are, in fact, re-emailed periodically (if enabled), in plaintext; and since email is largely unencrypted during transport, this makes such emails vulnerable to sniffing attacks.
With all that in mind, mailman passwords shouldn't be used for anything other than mailman. Even in mailman, they're largely 'unimportant,' and provide only an additional layer of security where most MLMs have no security (e.g., with mailman, you give an email AND its password to unsubscribe. Most other MLMs give only the email.)
Unfortunately, if your policies (irrationally) require all passwords to be changed periodically, then I believe you're SOL in this regard. I haven't seen anything with regards to enforcing password policy within mailman, which means there's no expiration (and, thus, no 'your password has expired, please change it now' support), and no strength checking (although this would probably be fairly easy to implement using cracklib, if there are python bindings).
If you're talking about password management in general, and not specific to mailman, this is the wrong place to ask this. Mailman does not handle user passwords for anything except mailman. Authenticating real services against mailman would be a Bad Idea, and quite difficult to implement.
--
- Patrick Bogen