[Mailman-Users] access scrubbed attachments of private lists without password?

Steffen Kaiser vm3112870680488272v at vmail.inf.h-brs.de
Fri Jul 22 16:23:11 CEST 2011

On Thu, 21 Jul 2011, Mark Sapiro wrote:

>On 7/20/2011 1:53 AM, Steffen Kaiser wrote:
>> is it possible to access scrubbed attachments of private lists without a
>> password?
>No. Scrubbed attachments are stored in the list's archive file hierarchy
>and have to be accessed as anything else in the list's archives. If the
>archive is private, this requires a password.
>Also, in general, it seems to me that if a list's archives are private,
>it would not be a good idea to make attachments to list posts publicly

That depends on the view :-)

MIMEDefang (www.mimedefang.org) has a feature to replace attachments with 
links. The URLs are using a SHA1-based hash of the content of the file. 
The idea is: if someone gained access to the message, s/he would have 
access to the attachment, if it had not been removed. The URL is obscured 
in such a way, that one would need the content of the file to guess the 
URL to it. No need to protect the attachment any further.

Or one could think of the SHA1-based URL as the password to the file.

Such URL could look like:

or one uses: sha1hash/sanitisedFilename.pdf

or something like that.

Of course, I do not know how the Mailman password stuff works in detail, 
so one could place appropriate links into https://host/pipermail/list/ or 
yet another base path.

Kind regards,

Steffen Kaiser

More information about the Mailman-Users mailing list