mailman list questions about password and bounces-back for invalid emails
Hi,
I have 2 simple questions about mailman mail lists:
1). I can see there is an option to receive monthly reminder of password, and the password is sent in plain text. Is the password in plain text visible to the mail list owner / administrator? Or mailman stores a secure hash of the password like sha-256 or ripemd-160? If the password is stored in hash format, how come I can receive it monthly in plain text?
2). If an email address works for some time but becomes suddenly invalid (e.g. server down, domain cancelled, etc.) and when messages are being sent to that address they bounce back with permanent failure, will mailman remove these email addresses automatically? If yes, after how many attempts of sending? What if the email address server is just down for a day or something.
Thank you!
s7r@sky-ip.org
On 02/27/2014 11:01 AM, s7r wrote:
> I have 2 simple questions about mailman mail lists:
> 1). I can see there is an option to receive monthly reminder of password, and the password is sent in plain text. Is the password in plain text visible to the mail list owner / administrator? Or mailman stores a secure hash of the password like sha-256 or ripemd-160? If the password is stored in hash format, how come I can receive it monthly in plain text?
List member passwords, as opposed to list owner, list moderator and site passwords, are stored in plain text, but there is no UI for the list owner to see them. The site admins can always see them by dumping the list's config.pck file with Mailman's bin/dumpdb.
> 2). If an email address works for some time but becomes suddenly invalid (e.g. server down, domain cancelled, etc.) and when messages are being sent to that address they bounce back with permanent failure, will mailman remove these email addresses automatically? If yes, after how many attempts of sending? What if the email address server is just down for a day or something.
See the list's web admin Bounce processing page for the settings that control this and their documentation (ignore what it says about "soft bounces" - all failures are scored as 1.0).
-- Mark Sapiro mark@msapiro.net, San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
On 2/27/2014 1:01 PM, s7r wrote:
> Hi,
> I have 2 simple questions about mailman mail lists:
> 1). I can see there is an option to receive monthly reminder of password, and the password is sent in plain text. Is the password in plain text visible to the mail list owner / administrator? Or mailman stores a secure hash of the password like sha-256 or ripemd-160? If the password is stored in hash format, how come I can receive it monthly in plain text?
> 2). If an email address works for some time but becomes suddenly invalid (e.g. server down, domain cancelled, etc.) and when messages are being sent to that address they bounce back with permanent failure, will mailman remove these email addresses automatically? If yes, after how many attempts of sending? What if the email address server is just down for a day or something.
> Thank you!
> s7r@sky-ip.org
The answer to 2) is contained in the bounce score values that have been set for the list. Each subscriber has a bounce score of 0. For each bounce, the bounce score is updated by 1, but only one bounce a day increases the score. When the score reaches the pre-set limit (default 5), the subscriber is set to NOMAIL (due to bounces). Then once per week, an e-mail is sent to the subscriber telling him/her that the list subscription has been disabled. If there is no response after the third notification, then the subscriber is unsubscribed. Only the last bounce message is sent to the list owner. The list owner controls the bounce parameters.
When I was in charge of a Mailman system, I ran a bounce report every morning so that I could see all bounce scores > 0 for all lists on the server. I had lists built from external sources (i.e., an HR Database), and I needed to know what addresses in the HR Database were bad. This report came from Mark Sapiro's collection of useful Mailman programs.
As for passwords, I disabled the monthly password reminders. Many of my lists were auto-subscribe lists (from HR), and the subscriber almost never needed his/her password. I do not remember a case where a subscriber needed assistance with a list password.
--Barry Finkel
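The bounce scoring described in the message above, sketched as a small simulation (an added example, not part of the thread and not Mailman's code). The notice timing (7, 14 and 21 days after disabling, removal at 28 days) and the state names are assumptions; settings the post does not mention are not modelled.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

THRESHOLD = 5                        # "pre-set limit (default 5)" in the post
NOTICE_INTERVAL = timedelta(days=7)  # "once per week"
MAX_NOTICES = 3                      # removed if the third notice goes unanswered

@dataclass
class Member:
    score: float = 0.0
    last_bounce: Optional[date] = None
    disabled_on: Optional[date] = None
    notices: int = 0
    state: str = "ENABLED"           # state names are illustrative

def register_bounce(m: Member, day: date) -> None:
    """Score a bounce as 1.0; only the first bounce on a given day counts."""
    if m.state != "ENABLED" or m.last_bounce == day:
        return
    m.last_bounce = day
    m.score += 1.0
    if m.score >= THRESHOLD:
        m.state, m.disabled_on = "NOMAIL_BYBOUNCE", day

def daily_tick(m: Member, day: date) -> None:
    """Weekly notices while disabled; unsubscribe one interval after the third."""
    if m.state != "NOMAIL_BYBOUNCE":
        return
    weeks = (day - m.disabled_on) // NOTICE_INTERVAL
    if weeks > MAX_NOTICES:
        m.state = "UNSUBSCRIBED"
    else:
        m.notices = weeks

def simulate(bounce_days, start: date, days: int):
    """Replay bounce events (dates, duplicates allowed) over `days` days."""
    m = Member()
    for offset in range(days):
        day = start + timedelta(days=offset)
        for b in bounce_days:
            if b == day:
                register_bounce(m, day)
        daily_tick(m, day)
    return m.state, m.score, m.notices

START = date(2014, 3, 1)                               # constructed sample dates
OUTAGE = [START] * 3                                   # three bounces on one day
DEAD = [START + timedelta(days=i) for i in range(10)]  # a bounce every day

if __name__ == "__main__":
    for label, events, span in (("outage", OUTAGE, 60), ("dead", DEAD, 20), ("dead", DEAD, 40)):
        print(label, span, simulate(events, START, span))
```

A one-day outage leaves the member enabled with a score of 1, while an address that bounces daily is disabled on the fifth day and removed four weeks later under these assumptions.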
On Fri, Feb 28, 2014 at 10:11:22AM -0600, Barry S. Finkel wrote:
> As for passwords, I disabled the monthly password reminders. Many of my lists were auto-subscribe lists (from HR), and the subscriber almost never needed his/her password. I do not remember a case where a subscriber needed assistance with a list password.
+1.
When setting up a new Mailman (2) instance, one of the things I do is to remove that line from the crontab.
If users want a password reset, they can trigger it themselves. I've never known anyone to think "oh, I had a mail on the 1st, I'll check that…".
-- "How can you make good ideas sound so bad?" "I'm an engineer." -- Scott Adams
On 2/28/14, 12:21 PM, Adam McGreggor wrote:
> On Fri, Feb 28, 2014 at 10:11:22AM -0600, Barry S. Finkel wrote:
>> As for passwords, I disabled the monthly password reminders. Many of my lists were auto-subscribe lists (from HR), and the subscriber almost never needed his/her password. I do not remember a case where a subscriber needed assistance with a list password.
> +1.
> When setting up a new Mailman (2) instance, one of the things I do is to remove that line from the crontab.
> If users want a password reset, they can trigger it themselves. I've never known anyone to think "oh, I had a mail on the 1st, I'll check that…".
Where I find it very useful is when subscribers forget what address they are subscribed with. Now and then someone forgets that they have a forwarding going on, or that their mail server changed its name (but still takes email from the old domain). This might have happened a while in the past, but just now they are needing to log into the option page or trying to post. Being able to refer them to the monthly subscription reminder is very helpful for this. If it is just a domain change, I can usually find the old address in the members list, but if someone set up a forwarding for them that they forgot about, it isn't so easy.
-- Richard Damon
participants (5): Adam McGreggor, Barry S. Finkel, Mark Sapiro, Richard Damon, s7r