[Mailman-Developers] Two more DMARC mitigations
Barry Warsaw
barry at list.org
Fri Jun 13 16:21:45 CEST 2014
On Jun 13, 2014, at 12:11 AM, John R Levine wrote:
>> > When a user at a p=reject signs up for a list, you demand an OAUTH API
>> > token if the the provider supports it, otherwise their host system
>> > password.
>>
>> -1 on the password thing. It's too close to phishing, imposes serious
>> privacy issues on Mailman hosts, and makes them targets for attack.
>
>Honestly, Tough Noogies. Let list managers make their own security
>decisions. AOL and Yahoo want all mail from their users to be authenticated.
>Well, OK, this will do it.
This is a really bad idea. In MM3, we've already eliminated the need for
keeping clear text passwords, and almost gotten rid of any user passwords at
all. OAUTH tokens are a little better, but no way do I want to hold a clear
text password for users.
-Barry
More information about the Mailman-Developers
mailing list