Hello,
We would like to integrate Mailman with a spam quarantine system. List
admin(s) will need to login to manage quarantined messages, and we would like this login to use the list admin password. I'd like some feedback on the best way to accomplish this, with Mailman.
I can think of two ways to accomplish this -
1. Mailman consults LDAP for the list admin password, and is able to
also set that password (for the web UI and the change_pw script). Mailing lists are already defined in LDAP for our MTAs.
2. The Mailman list admin passwords are stored in an unencrypted form,
which we regularly sync to LDAP, for the quarantine system to use.
It seems like option 2 would be simpler in terms of code, although less
ideal (because the password wouldn't be encrypted).
Which method (or is there a third way?) is going to make the most sense
for seamless integration with Mailman?
Thanks,
Ivan.
Ivan Fetch wrote:
> We would like to integrate Mailman with a spam quarantine system. List admin(s) will need to login to manage quarantined messages, and we would like this login to use the list admin password. I'd like some feedback on the best way to accomplish this, with Mailman.
> I can think of two ways to accomplish this -
> 1. Mailman consults LDAP for the list admin password, and is able to also set that password (for the web UI and the change_pw script). Mailing lists are already defined in LDAP for our MTAs.
> 2. The Mailman list admin passwords are stored in an unencrypted form, which we regularly sync to LDAP, for the quarantine system to use.
> It seems like option 2 would be simpler in terms of code, although less ideal (because the password wouldn't be encrypted).
> Which method (or is there a third way?) is going to make the most sense for seamless integration with Mailman?
I suggest a third method.
Do not change Mailman at all.
Periodically, via cron and/or on demand, retrieve the list's 'password' attribute from lists/listname/config.pck. This can be done with a Python program using the Mailman API to instantiate the list and get the password, or it could be done with a withlist script whose process was simply
    def get_list_pw(mlist):
        print mlist.password
or it could be done, e.g., by
    /path/to/bin/dumpdb /path/to/lists/$listname/config.pck |
      grep \'password\' | sed -e s'/^.*: .//' -e 's/.,$//'
This is the encrypted password. Store that in LDAP and have your quarantine system validate a password by encrypting it using Mailman's algorithm (a 40-hex-digit representation of a SHA1 hash of the plaintext) and comparing that to the list's encrypted password.
-- 
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
Hello,
On Thu, 8 Jul 2010, Mark Sapiro wrote:
> Ivan Fetch wrote:
> > We would like to integrate Mailman with a spam quarantine system. List admin(s) will need to login to manage quarantined messages, and we would like this login to use the list admin password. I'd like some feedback on the best way to accomplish this, with Mailman.
> > I can think of two ways to accomplish this -
> > 1. Mailman consults LDAP for the list admin password, and is able to also set that password (for the web UI and the change_pw script). Mailing lists are already defined in LDAP for our MTAs.
> > 2. The Mailman list admin passwords are stored in an unencrypted form, which we regularly sync to LDAP, for the quarantine system to use.
> > It seems like option 2 would be simpler in terms of code, although less ideal (because the password wouldn't be encrypted).
> > Which method (or is there a third way?) is going to make the most sense for seamless integration with Mailman?
> I suggest a third method.
> Do not change Mailman at all.
> Periodically, via cron and/or on demand, retrieve the list's 'password' attribute from lists/listname/config.pck. This can be done with a Python program using the Mailman API to instantiate the list and get the password, or it could be done with a withlist script whose process was simply
>     def get_list_pw(mlist):
>         print mlist.password
> or it could be done, e.g., by
>     /path/to/bin/dumpdb /path/to/lists/$listname/config.pck |
>       grep \'password\' | sed -e s'/^.*: .//' -e 's/.,$//'
> This is the encrypted password. Store that in LDAP and have your quarantine system validate a password by encrypting it using Mailman's algorithm (a 40-hex-digit representation of a SHA1 hash of the plaintext) and comparing that to the list's encrypted password.
> -- 
> Mark Sapiro <mark@msapiro.net>
> San Francisco Bay Area, California
> The highway is for gamblers, better use your sense - B. Dylan
Great - makes very good sense, thank you. We have tested this by
getting the list's admin password, removing the hexification (with binascii.unhexlify) which leaves the password in SHA1 digest form, then base64 encoding the password, and putting it into LDAP.
How much difference in efficiency is there, between running dumpdb vs.
using python code to only get a list's password? I know dumpdb is doing more (because it dumps the entire pck), but is it going to be enough to matter?
The script we'll write will probably run every 5 minutes, iterating
through all lists, and setting password attributes in LDAP for passwords which have changed. I'd like to have minimal impact on Mailman (RE: using dumpdb).
- Ivan
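The hash handling discussed in the two messages above, as an added example that is not part of the original posts or of Mailman: it converts the 40-hex-digit SHA1 value to the unhexlify-then-base64 form, checks a login against either form, and selects only changed lists for the periodic sync. The `{SHA}` prefix, UTF-8 encoding of the plaintext, all function names and the sample list names are assumptions; it targets Python 3 on the quarantine side.

```python
import base64
import binascii
import hashlib
import hmac
import re

HEX_SHA1 = re.compile(r"[0-9a-fA-F]{40}")
PREFIX = "{SHA}"  # assumed LDAP scheme tag; the thread only says "base64"


def hex_to_ldap(hex_digest):
    """Mailman's 40-hex SHA1 -> raw digest (unhexlify) -> base64."""
    if not HEX_SHA1.fullmatch(hex_digest):
        raise ValueError("expected 40 hex digits")
    raw = binascii.unhexlify(hex_digest)
    return PREFIX + base64.b64encode(raw).decode("ascii")


def verify(candidate, stored):
    """Check a login attempt against either stored form."""
    # Assumption: the plaintext is hashed as UTF-8 bytes.
    digest = hashlib.sha1(candidate.encode("utf-8")).digest()
    if stored.startswith(PREFIX):
        try:
            expected = base64.b64decode(stored[len(PREFIX):], validate=True)
        except binascii.Error:
            return False
    elif HEX_SHA1.fullmatch(stored):
        expected = binascii.unhexlify(stored)
    else:
        return False
    # Constant-time comparison so timing does not leak digest prefixes.
    return hmac.compare_digest(digest, expected)


def pending_updates(mailman_pw, ldap_pw):
    """For the periodic sync: LDAP values only for lists that changed."""
    updates = {}
    for name, hex_digest in mailman_pw.items():
        value = hex_to_ldap(hex_digest)
        if ldap_pw.get(name) != value:
            updates[name] = value
    return updates


# Constructed sample data: two hypothetical lists, one already in sync.
H = hashlib.sha1(b"password").hexdigest()
MAILMAN = {"staff": H, "announce": hashlib.sha1(b"changed").hexdigest()}
LDAP = {"staff": hex_to_ldap(H), "announce": hex_to_ldap(H)}
```

Both stored forms are unsalted SHA1, so the LDAP attribute needs read restrictions at least as tight as those on config.pck.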
Ivan Fetch wrote:
> How much difference in efficiency is there, between running dumpdb vs. using python code to only get a list's password? I know dumpdb is doing more (because it dumps the entire pck), but is it going to be enough to matter?
I don't think it's enough to worry about. If anything, bin/dumpdb does less work to read the config.pck and unpickle the list object than any Mailman process which actually instantiates the list. In return, it does extra to format and print the output, but I don't think there will be enough difference to matter.
-- 
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan