[Mailman-Users] Password in clear text

Stephen J. Turnbull stephen at xemacs.org
Thu Jul 3 06:51:56 CEST 2014

Mark Sapiro writes:
 > On 07/02/2014 03:58 AM, Henrik Rasmussen wrote:

 > > I know this has been asked before, but I haven't found anything
 > > about whether or not this will be a future change or how to work
 > > around it.

 > You can always remove cron/mailpasswds from Mailman's crontab to avoid
 > sending monthly reminders all together regardless of list or user
 > settings. Users will still be able to request a reminder from the
 > options login page.

A more complicated option is to use MemberAdapter and handle
authentication entirely yourself.

IMHO, for anybody who has done the work ensuring the security of the
accompanying system (TLS/SASL for all communications, encrypted hard
drives for all stored traffic including users' archives, etc),
MemberAdapter will be a snap. :-)

Of course in security every little bit matters, and the design
decision in Mailman 3 to never store unencrypted (or decryptable, for
that matter) passwords was the correct one.  But given how leaky the
mail system is by default, I think the incremental benefit to the vast
majority of our users to trying to plug this hole ex post design of
Mailman 2 is too small to justify the effort.

More information about the Mailman-Users mailing list