[Mailman-Users] How do I run 2.x mailman more securely?

Mark Sapiro mark at msapiro.net
Thu May 31 12:52:27 EDT 2018


On 05/31/2018 08:10 AM, Carl Zwanzig wrote:
> I'm sure Mark has more complete answers, but diving in anyways :)


Carl's answers are good, but to add a bit ...


> On 5/30/2018 2:36 PM, Parker, Michael D. wrote:
> 
>> Some of the initial items that have been directed my way:
>> 1.       Can archiving be totally and permanently eliminated?
> More than turning it off on a per-list basis? (This doesn't "secure"
> mailman, it only makes archives unusable. You'd be better off to hide
> them behind a web page requiring web-server authentication.) Won't stop
> users from keeping their own archives, of course. (Or change the code to
> disable them.)


To disable archiving completely, you could add to mm_cfg.py

GLOBAL_PIPELINE.remove('ToArchive')


>> 2.       How and where are the passwords stored?
> IIRC users' list passwords are stored in the list config 'pickle' in the
> lists/ directory; see the comments in "Mailman/SecurityManager.py".


Correct.


>> 3.       Can user passwords be eliminated and have the list
>> administrator make any user adjustments which should not be necessary?
> At a great loss of utility, sure. This would require a code change.


The code changes to do it right would not be simple.


>> 4.       Does the website have to run in http: since passwords are
>> entered at points in the interactions?
> No, the FAQ describes how to enable HTTPS.


Specifically <https://wiki.list.org/x/17892007>.


-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
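Added example (not code from this thread, from Mark or Carl, or from Mailman itself): a stand-alone model of the two mm_cfg.py changes discussed above, removing ToArchive from GLOBAL_PIPELINE and moving the web URL patterns to HTTPS, with an audit function you can run against a settings dict. It does not import Mailman. The GLOBAL_PIPELINE contents and the http:// URL defaults are reproduced from memory of Mailman 2.1's Defaults.py and are assumptions, not authoritative values; the names harden and audit are the example's own.

```python
# Added example, not Mailman code. Models the mm_cfg.py hardening from the
# thread without importing Mailman, so it runs stand-alone.

# Constructed stand-in for the site defaults a fresh mm_cfg.py inherits via
# "from Defaults import *". Handler list and URLs are assumed from memory of
# Mailman 2.1 Defaults.py; check your own Defaults.py for the real values.
MAILMAN21_DEFAULTS = {
    "GLOBAL_PIPELINE": [
        "SpamDetect", "Approve", "Replybot", "Moderate", "Hold", "MimeDel",
        "Scrubber", "Emergency", "Tagger", "CalcRecips", "AvoidDuplicates",
        "Cleanse", "CleanseDKIM", "CookHeaders", "ToDigest", "ToArchive",
        "ToUsenet", "AfterDelivery", "Acknowledge", "WrapMessage", "ToOutgoing",
    ],
    "DEFAULT_URL_PATTERN": "http://%s/mailman/",
    "PUBLIC_ARCHIVE_URL": "http://%(hostname)s/pipermail/%(listname)s",
}


def harden(cfg):
    """Return a copy of cfg with the two changes from the thread applied.

    1. Drop the ToArchive handler so nothing is archived site-wide
       (Mark's GLOBAL_PIPELINE.remove('ToArchive')).  A bare list.remove()
       raises ValueError if the handler is already gone, which would make
       mm_cfg.py fail to import and take Mailman down, so the removal is
       guarded here.
    2. Switch the web URL patterns to https:// so list and admin passwords
       are not submitted in clear text.
    """
    new = {k: (list(v) if isinstance(v, list) else v) for k, v in cfg.items()}
    pipeline = new["GLOBAL_PIPELINE"]
    if "ToArchive" in pipeline:  # guarded, unlike a bare .remove()
        pipeline.remove("ToArchive")
    for key in ("DEFAULT_URL_PATTERN", "PUBLIC_ARCHIVE_URL"):
        if new[key].startswith("http://"):
            new[key] = "https://" + new[key][len("http://"):]
    return new


def audit(cfg):
    """Return a list of findings; an empty list means both settings are hardened."""
    findings = []
    if "ToArchive" in cfg["GLOBAL_PIPELINE"]:
        findings.append("ToArchive still in GLOBAL_PIPELINE: messages will be archived")
    for key in ("DEFAULT_URL_PATTERN", "PUBLIC_ARCHIVE_URL"):
        if not cfg[key].startswith("https://"):
            findings.append("%s is not https: %s" % (key, cfg[key]))
    return findings


if __name__ == "__main__":
    print("before:", audit(MAILMAN21_DEFAULTS))
    print("after: ", audit(harden(MAILMAN21_DEFAULTS)))
```

In a real mm_cfg.py the equivalent is the one line Mark gives, `GLOBAL_PIPELINE.remove('ToArchive')`, plus an https:// DEFAULT_URL_PATTERN as the linked FAQ describes; the guard above is the caveat worth carrying over, since an unguarded remove() of a handler that is already absent breaks the import of mm_cfg.py. Changing DEFAULT_URL_PATTERN only affects lists created afterwards; existing lists keep their stored web_page_url, and the FAQ covers updating those.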

