[Mailman-Users] Umbrella List + Monthly Password Reminders = List Security Issue?
pmb1 at york.ac.uk
Thu Jun 1 11:59:57 CEST 2006
Can someone help me with this please?
We are using Mailman 2.1.8 under Sun Solaris 10 (SPARC).
We have a small number of umbrella lists, each with (only) other lists
subscribed as their members. A fictional example:
The umbrella list
all-depts at lists.york.ac.uk
astronomy-dept at lists.york.ac.uk
dentistry-dept at lists.york.ac.uk
geography-dept at lists.york.ac.uk
The umbrella list is set up with:
Send password reminders to, eg, "-owner" address instead of directly to
user. (Details for umbrella_list)
Suffix for use when this list is an umbrella for other lists, according
to setting of previous "umbrella_list" setting. (Details for
Posting through the umbrella and member lists is working fine.
However I've just found that the monthly password reminders for the
umbrella lists have been sent out to the subscribed member-list addresses.
I was instead expecting them to go to these list names suffixed "-owner"
and hence to the member-lists' owners only.
This means that every person belonging to, say, astronomy-dept now knows
the membership password used to subscribe it to the all-depts umbrella list!
The monthly reminders are sent out using the Mailman script
cron/mailpasswds and executed from cron.
I'm not a Python programmer (yet) but can manage to read the stuff and, as
far as I can see, there is NOTHING in cron/mailpasswds to spot umbrella
lists and send their monthly reminder to
memberlist-owner at lists.york.ac.uk
instead of the subscribed address
memberlist at lists.york.ac.uk
All the documentation I've read and help pages I've managed to locate give
no clue of this behaviour. Instead they strongly imply that by setting the
umbrella_list setting to YES that "password reminders" are sent to the
list's owners by adding the specified suffix (typically "-owner") to each
I'm now wondering if this is actually referring only to the "Please remind
me of my password" link, not the monthly reminder. If so then a huge
warning needs adding to the FAQ and documentation about umbrella lists
advising admins NOT to turn on the monthly reminders for umbrella lists in
order to avoid this big security issue.
Or am I missing something/have something misconfigured?
The Computing Service, University of York, Heslington, York Yo10 5DD, UK
* Unsolicited commercial e-mail is NOT welcome at this e-mail address. *
More information about the Mailman-Users