[ mailman-Bugs-1263239 ] Mailman on SSL sends passwords in plain text

SourceForge.net noreply at sourceforge.net
Mon Nov 7 03:16:43 CET 2005

Bugs item #1263239, was opened at 2005-08-18 10:25
Message generated for change (Comment added) made by msapiro
Category: Web/CGI
Group: None
>Status: Closed
Resolution: None
Priority: 8
Submitted By: Daniel (doolyo)
Assigned to: Nobody/Anonymous (nobody)
Summary: Mailman on SSL sends passwords in plain text

Initial Comment:
I have tried putting Mailman on a secure path of my 
server on an https url. It seemed to work approximately 
when adding the following directive in apache:

RewriteCond %{HTTPS} !=on
RewriteRule /mailman/(.*) https://www\.mysite\.com/mailman/$1 [R]

However, I have sniffed the TCP/HTTP traffic during a list 
creation and I have seen that all the form is posted IN 
CLEAR. This is normal in fact as we send that to the 
http link first (see Bug Request #1263219). Therefore 
the whole test is sent in clear and only afterwards the 
client receives back the document move to https from 
apache to redirect to the proper page.

I think that this could be solved if all links of the 
mailman binaries (admin, create and so forth) are taking 
dynamically the link specified in the mm_cfg.py, in the 

However maybe there is another clean way of putting 
that on a secure url. If so I would be interested in how to 
do that because I didn't find anything about that subject 
apart from people doing all like I did.



>Comment By: Mark Sapiro (msapiro)
Date: 2005-11-06 18:16

Logged In: YES 

I am closing this because it seems to be a misconfiguration.

If you make DEFAULT_URL_PATTERN = 'https://%s/mailman/' or
similar (with https) in mm_cfg.py, the create page link from
the admin overview will have https as will the action=
attribute of the form element on the create page.

As you note, you must run fix_url.py to fix list specific
URLs after making this change, but generic URLs are changed
without further action.

Also note that DEFAULT_URL_HOST should be just the fully
qualified domain name. The rest of the URL comes from
substituting the host name in DEFAULT_URL_PATTERN.
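The two points made in this thread, that a rewrite to https cannot protect a form that was already POSTed over http, and that the fix is to generate https links from DEFAULT_URL_PATTERN with a bare FQDN in DEFAULT_URL_HOST, as an added example that is not part of the thread or of Mailman. The function names mm_cfg_url, check_mm_cfg, model_post and leaks_credentials and the host www.mysite.com are my own constructions.

```python
# Added example, not Mailman code: models why an http->https rewrite does not
# protect a form POST, and audits the two mm_cfg.py settings the thread names.
from urllib.parse import urlsplit


def mm_cfg_url(default_url_host, default_url_pattern):
    """Mailman builds its generic URLs by substituting DEFAULT_URL_HOST into
    DEFAULT_URL_PATTERN, e.g. 'https://%s/mailman/' % 'www.mysite.com'."""
    return default_url_pattern % default_url_host


def check_mm_cfg(default_url_host, default_url_pattern):
    """Return findings for the misconfigurations discussed in the thread."""
    findings = []
    if "://" in default_url_host or "/" in default_url_host:
        findings.append("DEFAULT_URL_HOST must be a bare FQDN, no scheme or path")
    if not default_url_pattern.startswith("https://"):
        findings.append("DEFAULT_URL_PATTERN is not https; generated form "
                        "actions will POST over plain HTTP")
    return findings


def model_post(form_action, redirect_http_to_https=True):
    """Simulate a browser submitting a form to form_action.

    Returns the hops as (scheme, carries_form_body) tuples. A server-side
    redirect (Apache [R]) is only issued after the first request, body and
    password included, has already crossed the wire.
    """
    scheme = urlsplit(form_action).scheme
    hops = [(scheme, True)]  # the POST itself, credentials in the body
    if scheme == "http" and redirect_http_to_https:
        # The browser follows the redirect with a fresh request over https;
        # the secret was already sent in clear on the first hop.
        hops.append(("https", False))
    return hops


def leaks_credentials(form_action):
    """True if any hop carries the form body over plain http."""
    return any(s == "http" and body for s, body in model_post(form_action))


if __name__ == "__main__":
    bad = mm_cfg_url("www.mysite.com", "http://%s/mailman/")
    good = mm_cfg_url("www.mysite.com", "https://%s/mailman/")
    print(bad + "create", leaks_credentials(bad + "create"))    # True
    print(good + "create", leaks_credentials(good + "create"))  # False
    print(check_mm_cfg("https://www.mysite.com/", "http://%s/mailman/"))
```

The check mirrors Mark's advice: with an https DEFAULT_URL_PATTERN the create form's action is https from the start, so no hop ever carries the password in clear.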


Comment By: Daniel (doolyo)
Date: 2005-08-18 11:09

Logged In: YES 

I have seen that we can use fix_url.py to fix the URL for a 
specific list. However, it does not seem to fix the links 
of /mailman/create and the others and thus does not solve 
the problem, as I want to have the SSL on that page.

