Tibor Molnar writes:

 > I'm also aware that mailman3 is already querying the API on localhost and
 > that's how it's generating the output for system information but if
 > I was going to configure it for remote where else other than
 > mailman.cfg do I need to configure this?

You don't want to mess with mailman.cfg.  Instead you should reverse
proxy it, the same way that you do for Postorius.

Note that you don't have to open up the whole REST API, you can
restrict to very specific endpoints.  For example for nginx, the basic
scheme is

    location /REST-API/domains {
        proxy_pass http://127.0.0.1:8001/3.1/domains;
    }

That particular configuration allows access to domains but not lists.
Still, I recommend strong authentication on those locations.  ... There
are probably ways to get at pretty much everything once you have
access to anything.  For example, if you can get to a specific list,
you can get its subscriber roster, and I think there's a way to pick a
specific user, so then you can get their addresses and other
subscriptions ....  I haven't tried to do that, but I see no good
reason to suppose pretty arbitrary path traversal is impossible.

See 
https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/rest/docs/rest.html
for the REST API endpoints.

Steve


_______________________________________________
Mailman-users mailing list -- mailman-users@mailman3.org
Archived at: 
https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/message/UAOCHBVOAT4CKD2DW52Y2UF6E446CGQH/
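
The restriction and authentication advice in the reply above, written out as a fuller nginx server block. This is an added example, not part of the original message or of Mailman's documentation; the host name, certificate paths, client subnet and credential placeholder are assumptions.

```nginx
# Added example. Host name, file paths, subnet and the credential
# placeholder are assumptions, not values from the original message.
server {
    listen 443 ssl;
    server_name lists.example.org;                        # assumed host name

    ssl_certificate         /etc/nginx/tls/lists.crt;     # assumed paths
    ssl_certificate_key     /etc/nginx/tls/lists.key;

    # Strong authentication: callers must present a certificate issued by
    # this private CA before any location below is reachable.
    ssl_client_certificate  /etc/nginx/tls/rest-clients-ca.crt;
    ssl_verify_client       on;

    # Exact match: only this one path is forwarded. A prefix location
    # would also forward every path beneath /REST-API/domains.
    location = /REST-API/domains {
        # Read-only: any method other than GET/HEAD is refused.
        limit_except GET {
            deny all;
        }

        # Additional network restriction (assumed management subnet).
        allow 192.0.2.0/24;
        deny  all;

        # Mailman core checks its own HTTP Basic credentials. Setting them
        # here replaces any client-sent header, so remote callers never
        # hold them. Placeholder: base64 of "<admin_user>:<admin_pass>"
        # as configured in the [webservice] section.
        proxy_set_header Authorization "Basic REPLACE_WITH_BASE64_CREDENTIALS";

        proxy_pass http://127.0.0.1:8001/3.1/domains;
    }

    # Nothing else under the prefix is exposed.
    location /REST-API/ {
        return 404;
    }
}
```

Check the result with `nginx -t` before reloading, then confirm that a request without a client certificate and a request for any other path under `/REST-API/` are both refused.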