[Mailman-Users] Limiting number of failed login attempts

Adam McGreggor adam-mailman at amyl.org.uk
Mon Oct 5 18:10:56 CEST 2015

On Tue, Oct 06, 2015 at 12:07:25AM +0900, Stephen J. Turnbull wrote:
> Perhaps a per-user login attempt limit would work for you.  Each
> (ab)user is different.  But I don't think it's a good idea for a
> supported feature of Mailman, it's too fragile and it would be an
> invitation to an endless series of "improvements" as the admins get in
> arms races with the rogues.

Very much a +1, especially if we're looking at modern design, then
this could (for those wanting it) be a plugin, or shocker, using
something already out there.

> It might be possible to revisit this in Mailman 3 (when we get a
> unified authn/authz story) using a token-based approach where the
> token is acquired somewhere that already has a stronger authentication
> story.  But that will require serious coding.

I think I'd prefer the ability to void/regenerate tokens, rather than
anything else. Although with sophisticated API management tools,
shaping may be an option…

I'm not an advocate for "fixing" things in the application, rather
than at say, transport/network layer; to setup Mailman, one's
in(evit|vari)ably going to need root access anyhow, so one might as
well do things properly.

"Opera, next to Gothic architecture, is one of the strangest
 inventions of Western man. It could not have been foreseen by any
 logical process."
    -- Kenneth Clark

More information about the Mailman-Users mailing list