[Mailman-Users] Mailman Security.
John Buttery
john at io.com
Wed Feb 5 12:27:19 CET 2003
* dino <dinouk at orange.net> [2003-02-05 10:32:16 -0000]:
> I was just wondering what kind of security mailman offers, as far as
> protecting user passwords goes?
Pretty much none. It emails them cleartext once a month, for
starters. The list signup page explicitly instructs subscribers not to
use important passwords (even in bold!). The intent of the password
system in Mailman (this is my interpretation, not backed up with any
actual information) is to protect against malicious [un]subscriptions of
others by casual idiots on the Net, not against determined attackers.
> A techy friend of mine has just kindly emailed me a list of all users
> and their passwords! Looking at my server logs it would appear that he
> snuck in somehow via anonymous ftp.
Then you have an incorrectly installed/configured/patched ftp server
problem, not a mailman problem. :)
> Would closing the anon. ftp service stop mailman working in anyway, or
> dya reckon he got in some place else?
I don't see why stopping an ftpd would affect mailman...
--
------------------------------------------------------------------------
John Buttery
(Web page temporarily unavailable)
------------------------------------------------------------------------
More information about the Mailman-Users
mailing list