[Mailman-Users] Password in clear text
Stephen J. Turnbull
stephen at xemacs.org
Thu Jul 3 06:51:56 CEST 2014
Mark Sapiro writes:
> On 07/02/2014 03:58 AM, Henrik Rasmussen wrote:
> > I know this has been asked before, but I haven't found anything
> > about whether or not this will be a future change or how to work
> > around it.
> You can always remove cron/mailpasswds from Mailman's crontab to avoid
> sending monthly reminders all together regardless of list or user
> settings. Users will still be able to request a reminder from the
> options login page.
A more complicated option is to use MemberAdapter and handle
authentication entirely yourself.
IMHO, for anybody who has done the work ensuring the security of the
accompanying system (TLS/SASL for all communications, encrypted hard
drives for all stored traffic including users' archives, etc),
MemberAdapter will be a snap. :-)
Of course in security every little bit matters, and the design
decision in Mailman 3 to never store unencrypted (or decryptable, for
that matter) passwords was the correct one. But given how leaky the
mail system is by default, I think the incremental benefit to the vast
majority of our users to trying to plug this hole ex post design of
Mailman 2 is too small to justify the effort.
More information about the Mailman-Users