[Mailman-Users] How to turn off plain text passwords?
C Nulk
CNulk at scu.edu
Wed Nov 2 19:37:23 CET 2011
On 11/2/2011 6:15 AM, Jeffrey Walton wrote:
> On Wed, Nov 2, 2011 at 7:40 AM, Larry Stone <lstone19 at stonejongleux.com> wrote:
>> Jeffrey Walton writes:
>>
[Snip]
>> . I was very naive.
>> Mailman works with Mail. SMTP mail is very insecure with headers, etc. easily spoofed (by design - just as I can easily spoof the sender on a piece of paper mail I drop in a mailbox). What good does high security on Mailman do if it's trivial to step around the gate?
>>
> Agreed. I have no expectation that my messages to the list will be
> private, or my email will be private. An attacker gains nothing from
> reading my messages posted to a public mailing list.
>
> But the password database used by Mailman is not a public database.
> Users have a reasonable expectation of security surrounding it. An
> attacker gains a list of {user name, email, password} when the system
> is compromised.
I agree users have a reasonable expectation of security surrounding
their password. However, when the user is informed about the level of
security being used, the user's reasonable expectation shouldn't exceed
what they were told. I have a reasonable expectation of security when I
am told I can use a locker to put my equipment in. But when I am told
the locker has no locks on it, my reasonable expectation of security for
that locker is much, much lower than if it had a lock.
>
>>> Confer: list managers did not fix Mailman 2 (nor did they use other
>>> software which was secure). Why would you expect them to research
>>> and securely configure Mailman 3?
>> List managers have nothing to do with this. Us "list managers" did not write the software. We're just higher level users of Mailman than the reader of a mailing list that uses Mailman. But we're still just users.
> Both are at fault. First are the developers for using an insecure
> system, and second are the folks who use it in production. In this
> case "crowd security" failed - more eyeballs were not better and did
> not lead to improvements.
>
>> If Mailman does not meet your needs due to it failing to meet the security requirements you personally have, don't use it.
> Unrealistic. I have no control over what software a particular mailing
> list uses. Its kind of like saying, "if you don't like the smog, don't
> breathe the air".
It isn't necessarily unrealistic, a bit abrupt maybe. You can also make
changes to the source to increase the security requirement. I have had
to make some minor modifications to Mailman for it to do what is
required where I work. And, as some on this list can probably attest, I
am not a Python coder. So, if Mailman doesn't meet your needs, you can
use it as is and suffer, make any changes you feel necessary, or not use
it.
>
> Jeff
Thanks,
Chris
More information about the Mailman-Users
mailing list