[Mailman-Users] listname-request who command
oxelson at unidata.ucar.edu
Wed Mar 21 18:32:31 CET 2007
Sending email to the listname-request alias, I'm able to verify that I
can everyone who is on a mailing list by supplying the list
administrator or moderator password to retrieve the roster (I have the
list roster is limited to list administrators and moderators only).
The issue is I can send the 'who' email command with the admin password
from /*any*/ email address (not even subscribed) and get the roster...
is this right? Wouldn't it be better if the 'who' command only worked
for email addresses corresponding to list admins/moderators when the
list roster is configured to be only available to these privileged
users? (Or am I being overly paranoid?)
More information about the Mailman-Users