[Mailman-Users] How do I run 2.x mailman more securely?

Grant Taylor gtaylor at tnetconsulting.net
Thu May 31 21:24:48 EDT 2018

On 05/31/2018 06:37 PM, incoming-pythonlists at rjl.com wrote:
> Both are valid alternatives.  There may be performance advantages, 
> to stopping attacks at the firewall level instead of higher up in the 
> application stack.

Agreed, on both accounts.

Firewalls also have a tendency to protect multiple machines, not just 
one. (I'm referring to network appliance type firewalls, not host based.)

> No, this is not security through obscurity.  It runs on a different 
> port so I can add firewall rules that effect only mailman service and 
> not other web applications.

Fair enough.

> I need to give my users a url that they can easily remember.  It's too 
> complex to have to give them urls with port numbers in them, and since 
> this is not security through obscurity, it is not a problem.


> yes


> There are many ways to implement the same thing.  Before there were 
> modules in the kernel for this, I simply pulled lists of address blocks 
> out of databases and incorporated them into my IPtables lists.  There are 
> better tools to do this today.


I'm curious, did you use IPSets or just a rule per network / IP?

> It was unclear from the OPs initial posting whether it was a private 
> or a public mailing list.  What I describe here probably would not be 
> appropriate for a public list and the best solution there is probably to 
> upgrade to mailman 3 if they need a more secure interface that is wide 
> open to the public.  VPN and/or fwknop (which is primarily SPA though the 
> older port knocking is still supported) are more suitable if you have 
> a private list where user membership must be approved anyway and your 
> moderators and admins might use these tools to have access to mailman, 
> but the web GUI would be blocked from public access.
> Certainly adding web server based username authentication sounds pretty 
> cumbersome to me because users would have to login twice,

Maybe, maybe not.

I've seen applications that can re-use the web server's authentication 
mechanism.  This would likely be a code change to Mailman.  (I have no 
idea how big.)

> though from a security standpoint it would help protect from 
> vulnerabilities in the mailman web GUI.


> There's no one answer to solving these problems.  I'm only sharing 
> ideas that have worked for me.  The less of the public Internet that 
> can apply brute force attacks on your web interface, the less likely 
> you are to have a compromise.  Also, the less junk in your log files, 
> the easier it is to monitor the logs.

Nope.  Hence my interest in what others have done and why the did it. 
I'm always interested in observing and hopefully learning.

> I plan to go to mailman 3, but in the meantime I have minimal issues with 
> attacks on my mailman GUI.  Maybe not the perfect solution for everyone, 
> but it is effective.

If it does what you need it to and you feel comfortable maintaining it, 
then more power to you.

Grant. . . .
unix || die

More information about the Mailman-Users mailing list