I have been on mailman lists, like Fedora Linux, for ages and any command that a user or other can do with the "password" that is sent through mail is also verified by an email. So, someone could try to make your list user recieve a digest or quit the list, etc. but it wouldn't happen if you didn't verify it.

On 03/24/2016 11:58 AM, Andromeda Yelton wrote:
On Thu, Mar 24, 2016 at 10:39 AM, Ranti Junus <ranti.ju...@gmail.com> wrote:

Thank you, Eric, for the heads up and your guardianships...

Mailman is easy to administer, but it has a huge caveat: when a user
request a password (reminder, etc.), it sends it as an email in plain text.


Yikes!

However, this is no longer true in mailman 3 (if heavily-developed-alpha is
an okay answer); passwords are sha512-hashed and *maybe* also salted,
though the docs are sparse on that front.

(See, e.g.,
https://bazaar.launchpad.net/~mailman-coders/mailman/3.0/view/head:/src/mailman/utilities/passwords.py
,
https://bazaar.launchpad.net/~mailman-coders/mailman/3.0/view/head:/src/mailman/config/passlib.cfg
,
https://pythonhosted.org/passlib/lib/passlib.context.html#passlib.context.CryptContext.encrypt
.)

Reply via email to