Has anyone come up with a good management for passwords? We are about to introduce Mailman to the university and many are concerned about password management and generating a lot of helpdesk calls. We currently are running Listproc on a Solaris. We want to move to Mailman on a RedHat Linux box. Any pointers would be much appreciated. I am also new to this world.
Mindy
On 10/17/06, Melinda <gilmore.126@osu.edu> wrote:
> Has anyone come up with a good management for passwords? We are about to introduce Mailman to the university and many are concerned about password management and generating a lot of helpdesk calls. We currently are running Listproc on a Solaris. We want to move to Mailman on a RedHat Linux box. Any pointers would be much appreciated. I am also new to this world.
Are you concerned about the mailman passwords?
These passwords are generally understood to be low-security; they are, in fact, re-emailed periodically (if enabled), in plaintext; and since email is largely unencrypted during transport, this makes such emails vulnerable to sniffing attacks.
With all that in mind, mailman passwords shouldn't be used for anything other than mailman. Even in mailman, they're largely 'unimportant,' and provide only an additional layer of security where most MLMs have no security (e.g., with mailman, you give an email AND its password to unsubscribe. Most other MLMs give only the email.)
Unfortunately, if your policies (irrationally) require all passwords to be changed periodically, then I believe you're SOL in this regard. I haven't seen anything with regards to enforcing password policy within mailman, which means there's no expiration (and, thus, no 'your password has expired, please change it now' support), and no strength checking (although this would probably be fairly easy to implement using cracklib, if there are python bindings).
If you're talking about password management in general, and not specific to mailman, this is the wrong place to ask this. Mailman does not handle user passwords for anything except mailman. Authenticating real services against mailman would be a Bad Idea, and quite difficult to implement.
--
- Patrick Bogen
On Tue, Oct 17, 2006 at 12:55:52PM -0500, Patrick Bogen wrote:
> On 10/17/06, Melinda <gilmore.126@osu.edu> wrote:
> > Has anyone come up with a good management for passwords? We are about to introduce Mailman to the university and many are concerned about password management and generating a lot of helpdesk calls. We currently are running Listproc on a Solaris. We want to move to Mailman on a RedHat Linux box. Any pointers would be much appreciated. I am also new to this world.
> Are you concerned about the mailman passwords?
> These passwords are generally understood to be low-security; they are, in fact, re-emailed periodically (if enabled), in plaintext; and since email is largely unencrypted during transport, this makes such emails vulnerable to sniffing attacks.
That is not the point. The problems are:
- that mailman passwords are locked away in python pickles .. this makes them difficult to access/maintain through scripts written in other languages.
- if you are subscribed to several lists, then you have a different password for each list, or you need to change each of them every time that you change.
> With all that in mind, mailman passwords shouldn't be used for anything other than mailman. Even in mailman, they're largely 'unimportant,' and provide only an additional layer of security where most MLMs have no security (e.g., with mailman, you give an email AND its password to unsubscribe. Most other MLMs give only the email.)
No: they are not meant to be high security, but it would be nice to use the same one as with various other services on the same box.
-- Alain Williams Parliament Hill Computers Ltd. Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer. +44 (0) 787 668 0256 http://www.phcomp.co.uk/
#include <std_disclaimer.h>
At 8:21 PM +0100 10/17/06, Alain Williams wrote:
> - that mailman passwords are locked away in python pickles .. this makes them difficult to access/maintain through scripts written in other languages.
There's a variety of reasons why passwords are being eliminated from future versions of Mailman. This is another good one.
However, you shouldn't need to access the passwords from other languages -- if the users have forgotten their password, they can always have a new one generated and then sent out to them by e-mail.
> - if you are subscribed to several lists, then you have a different password for each list, or you need to change each of them every time that you change.
Not necessarily. If they use the same e-mail address, they can log into their user page with the address and password for one list, then globally change their password for all lists. It's a more complex process, but it does work.
Of course, we recognize that it's a more complex process and probably too much to expect for most users, which is part of why passwords are being eliminated.
> No: they are not meant to be high security, but it would be nice to use the same one as with various other services on the same box.
Mailman was not designed to integrate with other services on the same box. However, if you program in Python, it's not hard to access the same pickles in other packages. But that's more of a Python programming thing, not a Mailman thing.
If you'd like to have better integration between Mailman and other services on the same box, we would welcome your patches. Please feel free to upload those via the SourceForge patch tracker for Mailman at <http://sourceforge.net/tracker/?group_id=103&atid=300103>.
Otherwise, please feel free to file your Request for Enhancement on the SourceForge RFE tracker for Mailman at <http://sourceforge.net/tracker/?group_id=103&atid=350103>, or via the Mailman wiki at <http://wiki.list.org/>.
We are working on this issue, but it's a slow process. Among other things, there are a virtually infinite variety of other potential services you might want to integrate with.
-- Brad Knowles, <brad@shub-internet.org>
Trend Micro has announced that they will cancel the stop.mail-abuse.org mail forwarding service as of 15 November 2006. If you have an old e-mail account for me at this domain, please make sure you correct that with the current address.
Alain Williams writes:
> - that mailman passwords are locked away in python pickles .. this makes them difficult to access/maintain through scripts written in other languages.
Not at all. Just write a python script to get the passwords out, then call that script. Inefficient? Of course---but if this facility is being used more than once or twice a day for the whole box, you're probably a customer for MemberAdapter or something like that. (MemberAdapter is a technology to interface Mailman to mailing lists kept in LDAP or SQL databases. I don't know any more than the name and that it requires substantial set up effort by the site admin, but you can find it in the FAQ I believe.)
> - if you are subscribed to several lists, then you have a different password for each list, or you need to change each of them every time that you change.
I think you're a candidate for MemberAdapter, although dealing with helpdesk calls for the "more complex procedure" Brad describes might be cheaper.
Specifically, IIRC MemberAdapter is cantankerous and being deprecated; "something better" will be in later versions of Mailman. OTOH, since it's "something better" and you'll have the basic database side already set up, you can hope it will be easy to migrate to the new technology. YMMV, of course.
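Added example, not part of the thread or of Mailman's own code: a sketch of the "python script" approach described in the message above, applied to the several-lists problem it answers, reporting which addresses have different passwords across lists without ever printing a password. It assumes each list's configuration is a pickled dict holding a `passwords` mapping of address to password; the two sample pickles are constructed inline, and the unpickler refuses every class reference so a tampered file cannot run code on load.

```python
import io
import pickle
from collections import defaultdict


class PlainDataUnpickler(pickle.Unpickler):
    """Refuse every class/global lookup: only built-in containers and scalars load."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def load_passwords(blob):
    """Return the address -> password mapping from one pickled list config."""
    config = PlainDataUnpickler(io.BytesIO(blob)).load()
    # Assumption: member passwords sit under the 'passwords' key.
    return {addr.lower(): pw for addr, pw in config.get("passwords", {}).items()}


def addresses_with_differing_passwords(list_blobs):
    """Map each address to the lists it is on when its passwords are not all equal.

    Passwords themselves are never returned or printed.
    """
    seen = defaultdict(dict)  # address -> {listname: password}
    for listname, blob in list_blobs.items():
        for addr, pw in load_passwords(blob).items():
            seen[addr][listname] = pw
    return {
        addr: sorted(per_list)
        for addr, per_list in seen.items()
        if len(set(per_list.values())) > 1
    }


# Constructed sample data standing in for two lists' config pickles.
SAMPLE = {
    "staff": pickle.dumps({"passwords": {"Ann@example.edu": "abc", "bob@example.edu": "x1"}}),
    "news": pickle.dumps({"passwords": {"ann@example.edu": "zzz", "bob@example.edu": "x1"}}),
}

if __name__ == "__main__":
    for addr, lists in addresses_with_differing_passwords(SAMPLE).items():
        print(addr, "has different passwords on:", ", ".join(lists))
```
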
Yahoo! Mail has not been nice to our domain lately. Since early November any messages (including all the ones sent from our Mailman system) to people with Yahoo email addresses have bounced--rejected by the Yahoo! Mail servers.
I lodged a complaint with Yahoo... it didn't seem like we had done anything wrong on our end. Not an open relay, etc., etc. They acknowledged there was a problem, and day after day the problem continued. The more of our lists an individual with a Yahoo address was on, the quicker he or she exceeded the bounce limit. As of today 45 people have the "nomail" box checked because of bounces.
But it now looks like Yahoo has finally fixed the problem on their end that caused our mail to get rejected. That's good news! But I've already emailed all the people who have stopped getting mail from us via Mailman (I wrote them from a Gmail account since I couldn't get to them from my prin.edu account), and have suggested they get another email address and change it in Mailman. That was yesterday. And now that Yahoo is receiving mail from us again, I'm going to tell all those people "Never mind."
Here's my question: how do I uncheck "nomail" for all those people that Mailman didn't think we could communicate with? Do I need to go in to each one and manually do it? Also, should I reset the bounce count for those folks? If so, how is that done?
Thank you!
Allan Trick
Allan Trick wrote:
> Here's my question: how do I uncheck "nomail" for all those people that Mailman didn't think we could communicate with? Do I need to go in to each one and manually do it? Also, should I reset the bounce count for those folks? If so, how is that done?
Re-enabling delivery will reset the bounce count.
See <http://mail.python.org/pipermail/mailman-users/2006-February/049447.html> for how.
-- Mark Sapiro <msapiro@value.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan