[Mailman-Users] password management

Patrick Bogen pdbogen at gmail.com
Tue Oct 17 19:55:52 CEST 2006


On 10/17/06, Melinda <gilmore.126 at osu.edu> wrote:
> Has anyone come up with a good management for passwords.  We are about to
> introduce Mailman to the university and many are concerned about password
> management and generating a lot of helpdesk calls.  We currently are running
> Listproc on a Solaris.   We want to move to Mailman on a RedHat Linux box.
> Any pointers would be much appreciated.   I am also new to this world.

Are you concerned about the mailman passwords?

These passwords are generally understood to be low-security; they are,
in fact, re-emailed periodically (if enabled), in plaintext; and since
email is largely unencrypted during transport, this makes such emails
vulnerable to sniffing attacks.

With all that in mind, mailman passwords shouldn't be used for
anything other than mailman. Even in mailman, they're largely
'unimportant,' and provide only an additional layer of security where
most MLMs have no security (e.g., with mailman, you give an email AND
its password to unsubscribe. Most other MLMs give only the email.)

Unfortunately, if your policies (irrationally) require all passwords
to be changed periodically, then I believe you're SOL in this regard.
I haven't seen anything with regards to enforcing password policy
within mailman, which means there's no expiration (and, thus, no 'your
password has expired, please change it now' support), and no strength
checking (although this would probably be fairly easy to implement
using cracklib, if there are python bindings).


If you're talking about password management in general, and not
specific to mailman, this is the wrong place to ask this. Mailman does
not handle user passwords for anything except mailman. Authenticating
real services against mailman would be a Bad Idea, and quite difficult
to implement.

-- 
- Patrick Bogen
