[Mailman-Users] How do I run 2.x mailman more securely?
mark at msapiro.net
Thu May 31 12:52:27 EDT 2018
On 05/31/2018 08:10 AM, Carl Zwanzig wrote:
> I'm sure Mark has more complete answers, but diving in anyways :)
Carl's answers are good, but to add a bit ...
> On 5/30/2018 2:36 PM, Parker, Michael D. wrote:
>> Some of the initial items that have been directed my way:
>> 1. Can archiving be totally and permanently eliminated?
> More than turning it off on a per-list basis? (This doesn't "secure"
> mailman, it only makes archives unusable. You'd be better off to hide
> them behind a web page requiring web-server authentication.) Won't stop
> users from keeping their own archives, of course. (Or change the code to
> disable them.)
To disable archiving completely, you could add to mm_cfg.py
>> 2. How and where are the passwords stored?
> IIRC users' list passwords are stored in the list config 'pickle' in the
> lists/ directory; see the comments in "Mailman/SecurityManager.py".
>> 3. Can user passwords be eliminated and have the list
>> administrator make any user adjustments which should not be necessary?
> At a great loss of utility, sure. This would require a code change.
The code changes to do it right would not be simple.
>> 4. Does the website have to run in http: since passwords are
>> entered at points in the interactions?
> No, the FAQ describes how to enable HTTPS.
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan