[Mailman-Users] How to turn off plain text passwords?

Larry Stone lstone19 at stonejongleux.com
Wed Nov 2 12:40:55 CET 2011

Jeffrey Walton writes:

> The best I can tell, Mailman 2 did the wrong thing.

The best I can tell, your expectations for Mailman's security and the software authors' expectations are completely different. As has already been explained, it is a low level of security designed to prevent (maybe I should just say discourage) mischief. It is not intended to be as secure as what secures your bank accounts. If your Mailman password is compromised, what is the most damage that can be done? Very little.

Mailman works with Mail. SMTP mail is very insecure with headers, etc. easily spoofed (by design - just as I can easily spoof the sender on a piece of paper mail I drop in a mailbox). What good does high security on Mailman do if it's trivial to step around the gate?

A good comparison would be the lock on most home bathrooms. It is designed to prevent someone from accidently walking in on you. It is not designed to prevent someone who is determined to get in that bathroom even though it is locked. You normally do not use the same types of locks on a bathroom as you use on your front door.

Heck, a bank does not secure their lobby as tightly as they secure their vault. Are they wrong for doing that?

> Confer: list managers did not fix Mailman 2 (nor did they use other
> software which was secure). Why would you expect them to research
> and securely configure Mailman 3?

List managers have nothing to do with this. Us "list managers" did not write the software. We're just higher level users of Mailman than the reader of a mailing list that uses Mailman. But we're still just users.

If Mailman does not meet your needs due to it failing to meet the security requirements you personally have, don't use it. If you're just a reader of a list run through Mailman, then use a password you don't care about (by default, Mailman generates random passwords. I don't even bother to save them as I know I can recover it easily in the unlikely event I actually ever need it).

Larry Stone
lstone19 at stonejongleux.com

More information about the Mailman-Users mailing list