I have been on mailman lists, like Fedora Linux, for ages and any
command that a user or other can do with the "password" that is sent
through mail is also verified by an email. So, someone could try to make
your list user receive a digest or quit the list, etc., but it wouldn't
happen if you didn't verify it.
On 03/24/2016 11:58 AM, Andromeda Yelton wrote:
> On Thu, Mar 24, 2016 at 10:39 AM, Ranti Junus <[log in to unmask]> wrote:
>
>> Thank you, Eric, for the heads up and your guardianships...
>>
>> Mailman is easy to administer, but it has a huge caveat: when a user
>> requests a password (reminder, etc.), it sends it as an email in plain text.
>
>
> Yikes!
>
> However, this is no longer true in mailman 3 (if heavily-developed-alpha is
> an okay answer); passwords are sha512-hashed and *maybe* also salted,
> though the docs are sparse on that front.
>
> (See, e.g.,
> https://bazaar.launchpad.net/~mailman-coders/mailman/3.0/view/head:/src/mailman/utilities/passwords.py
> ,
> https://bazaar.launchpad.net/~mailman-coders/mailman/3.0/view/head:/src/mailman/config/passlib.cfg
> ,
> https://pythonhosted.org/passlib/lib/passlib.context.html#passlib.context.CryptContext.encrypt
> .)
>
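The salted sha512 hashing Andromeda describes, as an added illustration that is not Mailman's or passlib's code: Mailman 3 delegates to passlib (links above), while this stand-alone stand-in uses the standard library's PBKDF2-SHA512 to show what a salted hash record looks like and why the salt matters. The scheme label, iteration count and record format are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example; a real deployment takes them from
# its password-hashing library configuration (passlib.cfg in Mailman 3).
SCHEME = "pbkdf2_sha512"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record 'pbkdf2_sha512$<iterations>$<salt hex>$<digest hex>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([SCHEME, str(ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the salt and iteration count stored in the
    record and compare in constant time; the plaintext is never stored or mailed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_different_hashes(password: str) -> bool:
    """Why the salt matters: two subscribers with the same password get
    different records, so a leaked record cannot be matched against a
    precomputed table of unsalted sha512 digests."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
    print(same_password_different_hashes("hunter2"))                # True
```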