[Mailman-Users] Mailman Security

Barry Warsaw barry at python.org
Thu Apr 17 05:49:48 CEST 2003


On Wed, 2003-04-16 at 19:29, Staven Bruce wrote:
> I have a quick question for anyone who knows... 
> 
> We are going live to the public with our Mailman server. It is a RedHat 8.0
> server with Mailman 2.0.13 running on top of the latest Sendmail MTA. 
> 
> I am trying to ensure the server is as locked down as possible. I was
> wondering if anyone could tell me how secure the password protected area for
> the administrative interface really is? Is there a "hack" or "back door" I
> should know about and protect against? Is the Mailman application security
> here as good as the Operating System's Security? Any info would help.

List owner and site admin passwords are kept on disk in hashed format,
so they cannot be read, even by someone with appropriate shell access. 
Of course, if they have shell access and permission, they can still
/change/ such passwords.

Member passwords are kept in the database in the clear, in order to
support password reminders.

I can guarantee that there are no known backdoors, at least in the
source distribution that I make available.  Mailman should be as secure
as your communication channels.  Note that by default passwords can fly
over both http and email in the clear.

-Barry
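The storage and transport model Barry describes (hashed owner/site passwords, cleartext member passwords so reminders can be mailed, logins over plain http by default) as an added, constructed illustration; this is not Mailman's code, and the unsalted SHA-1 digest, the `ListConfig` class and the `audit` check are assumptions made for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed model of the rules in the reply above, not Mailman's own code.
# SHA-1 without a salt is assumed as the digest for owner/site passwords.


def hash_owner_password(password: str) -> str:
    """Owner and site admin passwords are kept only as a hex digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def check_owner_password(stored_digest: str, candidate: str) -> bool:
    """Compare digests in constant time; the stored value is never reversed."""
    return hmac.compare_digest(stored_digest, hash_owner_password(candidate))


class ListConfig:
    """Minimal stand-in for a per-list configuration record (assumed shape)."""

    def __init__(self, name: str, owner_password: str, web_page_url: str):
        self.name = name
        self.password = hash_owner_password(owner_password)  # digest only
        self.passwords: dict[str, str] = {}  # member address -> cleartext
        self.web_page_url = web_page_url

    def add_member(self, address: str, password: str) -> None:
        self.passwords[address] = password  # stored in the clear

    def reminder_text(self, address: str) -> str:
        # A reminder is only possible because the clear text is on disk,
        # and it leaves the server in a plain email.
        return f"Your {self.name} password is: {self.passwords[address]}"


def audit(cfg: ListConfig) -> list[str]:
    """Findings a site admin would want to review before going public."""
    findings = []
    if urlsplit(cfg.web_page_url).scheme != "https":
        findings.append("admin and member logins travel over plain http")
    if cfg.passwords:
        findings.append(
            f"{len(cfg.passwords)} member password(s) readable in the clear "
            "by anyone with read access to the list database"
        )
    return findings
```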
