I have been on mailman lists, like Fedora Linux, for ages and any
command that a user or other can do with the "password" that is sent
through mail is also verified by an email. So, someone could try to make
your list user recieve a digest or quit the list, etc. but it wouldn't
happen if you didn't verify it.
On 03/24/2016 11:58 AM, Andromeda Yelton wrote:
On Thu, Mar 24, 2016 at 10:39 AM, Ranti Junus <ranti.ju...@gmail.com> wrote:
Thank you, Eric, for the heads up and your guardianships...
Mailman is easy to administer, but it has a huge caveat: when a user
request a password (reminder, etc.), it sends it as an email in plain text.
Yikes!
However, this is no longer true in mailman 3 (if heavily-developed-alpha is
an okay answer); passwords are sha512-hashed and *maybe* also salted,
though the docs are sparse on that front.
(See, e.g.,
https://bazaar.launchpad.net/~mailman-coders/mailman/3.0/view/head:/src/mailman/utilities/passwords.py
,
https://bazaar.launchpad.net/~mailman-coders/mailman/3.0/view/head:/src/mailman/config/passlib.cfg
,
https://pythonhosted.org/passlib/lib/passlib.context.html#passlib.context.CryptContext.encrypt
.)
