[Mailman-Users] Roster security

Robert Heller heller at deepsoft.com
Sun May 20 14:56:58 EDT 2018

At Sun, 20 May 2018 08:26:38 -0700 Mark Sapiro <mark at msapiro.net> wrote:

> On 05/20/2018 07:32 AM, Rubén Fernández Asensio wrote:
> > Is this by design, or is this a bug in my Mailman installation? Is there
> > any way of making the roster visible to subscribers without giving
> > access to personal option pages through it?
> One user does not have access to another user's options unless
> authenticated with a list admin password. If an ordinary user clicks
> another user's link, she only gets the options login page which can be
> gotten for any address just by knowing the address no matter how you get
> there.
> By making the roster visible to members you are exposing the addresses.
> Anyone can go to a url like
> http://example.com/mailman/options/listname/user@example.net to get to
> the options login page for user at example.net.

And yes the "options login page" also contains an "unsubscribe" button.  But 
as Mark says, you need the user's list password for anything to actually 

> That's how mailman works. There's nothing magic about coming from the
> roster. You can't get past the login page without proper authentication.

Robert Heller             -- 978-544-6933
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
heller at deepsoft.com       -- Webhosting Services

More information about the Mailman-Users mailing list