I have been on mailman lists, like Fedora Linux, for ages and any
command that a user or other can do with the "password" that is sent
through mail is also verified by an email. So, someone could try to make
your list user recieve a digest or quit the list, etc. but it wouldn't
happen if you didn't verify it.
On 03/24/2016 11:58 AM, Andromeda Yelton wrote:
> On Thu, Mar 24, 2016 at 10:39 AM, Ranti Junus <[log in to unmask]> wrote:
>> Thank you, Eric, for the heads up and your guardianships...
>> Mailman is easy to administer, but it has a huge caveat: when a user
>> request a password (reminder, etc.), it sends it as an email in plain text.
> However, this is no longer true in mailman 3 (if heavily-developed-alpha is
> an okay answer); passwords are sha512-hashed and *maybe* also salted,
> though the docs are sparse on that front.
> (See, e.g.,