[Mailman-Users] How do I run 2.x mailman more securely?

Dimitri Maziuk dmaziuk at bmrb.wisc.edu
Thu May 31 15:18:29 EDT 2018


On 05/31/2018 01:25 PM, Grant Taylor via Mailman-Users wrote:
> On 05/30/2018 03:36 PM, Parker, Michael D. wrote:
>> I've been assigned the task of attempting to secure our current
>> implementation of GNU MailMan.
> 
> One thing that I've not seen (or missed) in this thread is the idea of
> leveraging HTTPS usernames and passwords to protect the web interface.

Yeah, I too once thought that was a good idea. And then Heartbleed came
along, and our knee-jerk security department cut off everyone who hasn't
patched in 24 hours -- *at the gateway*. As Murphy would have it, I was
traveling across the Atlantic and our other IT guy was driving across
North America. And of course cut-off at the gateway meant no mail, no
ssh, no way to know what happened and no way to fix it.

This stuff sounds like it's coming from the same security experts.
Proper answer with those guys is don't run mailman. Export the
subscribers and use it as CC list in Orifice'365: you can't go wrong
with "industry standard".

-- 
Dimitri Maziuk
Programmer/sysadmin
BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu
