[Mailman-Users] How do I run 2.x mailman more securely?

Grant Taylor gtaylor at tnetconsulting.net
Thu May 31 14:25:13 EDT 2018


I feel like I'm missing something and as such have some questions.

On 05/31/2018 11:42 AM, incoming-pythonlists at rjl.com wrote:
> Depending on where your users are coming from, it might be easier to
> limit access to the GUI using a firewall.

Why are you using a firewall instead of leveraging the web server's 
ability to filter by IP?

> What I do, is to run the mailman GUI on a non-standard https port.

Okay.  (Additional) security through obscurity.  Sure.  I do similar 
with various things.

> I then create webserver URL rewrites that redirect url access to that 
> port.

Why?  I feel like this voids hiding the Mailman Web UI on an alternate port?

> I use my firewall (IPTABLES), to control who can access the GUI.  If all 
> of your users come from a LAN inside an office, you can easily restrict 
> access to only those on the LAN.

Or is this purely so that you can protect the Mailman Web UI via the 
firewall without impacting other web resources running on the default ports?

> I've also used things like GEOIP, and other tools to limit access to 
> specific countries or specific geographic areas or specific service 
> providers.  A lot of attacks come from outside countries and limiting 
> access substantially reduces attacks on my servers.

I've not messed with GeoIP filters in a long time.  I don't know how 
IPTables' GeoIP feature set compares with Apache's / Nginx's GeoIP 
feature set.

> You could also require users to use a VPN or fwknop in order to access
> the GUI.  This is easy if your users already access your site over a VPN.

I can see a VPN for corporate users.  I think it's a high bar for most 
public mailing lists.  Maybe not for the (few) administrator(s).

I feel like port knocking is a REALLY HIGH BAR for most public mailing 
lists.



-- 
Grant. . . .
unix || die
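
Added example (not part of the original message or the quoted reply): the web-server IP filtering raised in the thread, written as an Apache 2.4 fragment that limits only Mailman 2.x's administrative CGI pages to a LAN range and leaves the subscriber pages public. The /mailman/ URL prefix, the 192.0.2.0/24 range and the choice of which CGIs to treat as administrative are assumptions for illustration.

```apache
# Assumptions (not from the thread): Apache 2.4 (mod_authz_core), Mailman 2.x
# CGI wrappers served under /mailman/, and 192.0.2.0/24 standing in for the
# office LAN (a documentation range; substitute the real one).

# Administrative CGIs: list admin, moderation queue, list creation/removal,
# and HTML template editing. Reachable only from the LAN.
<LocationMatch "^/mailman/(admin|admindb|create|rmlist|edit_html)(/|$)">
    Require ip 192.0.2.0/24
</LocationMatch>

# Subscriber-facing CGIs (listinfo, subscribe, options, confirm, ...) are not
# matched above and keep whatever access the enclosing configuration grants.
```

A packet filter such as iptables matches on addresses and ports, not on the request path, so it cannot make this per-URL distinction for pages served on one shared port. Check the syntax with `apachectl configtest` before reloading.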


