[Mailman-Users] Mailman security question

Stephen J. Turnbull stephen at xemacs.org
Tue May 7 03:40:36 CEST 2013

Lindsay Haisley writes:

 > Is there any support in any version of Mailman for total end to end
 > message security?

Not in a distributed version, although as mentioned in another post
there's a patch.  There's a GSoC proposal to implement some such thing
for Mailman 3, with a reasonable UI for handling user pubkey and such,
but I can't say at this point whether that project will be approved
(Google rules).

Also, "total end to end security" is a fantasy.  The attack surface in
the mail system is huge, even if the messages are encrypted in
transport.  Without specifying what the "ends" are (workstations? 
MTAs? users?) and whether traffic analysis or a court-authorized
"wiretap" at the Mailman site is considered a threat, I can't help you
on whether any given system might be considered "secure" or not.

 > It would also, in the current political climate, doubtless be deemed to
 > be something close to a national security threat,

AFAIK PGP-style encryption is no longer considered munitions.  As long
as the crypto stuff is done by third-party modules, Mailman has no
problem, I think.  (We can distribute a ROT13 implementation without
bothering even a member of the Bush family, let alone sophisticated
Dems like Al Gore, The Father of the Internet as We Know It.... :-)

