Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Grant Taylor via Mailman-Users

On 05/31/2018 09:33 PM, incoming-pythonli...@rjl.com wrote:
> I wrote scripts that read the list and generated a rule per network.
> It can be slow, but has worked reliably for many years.  Since it is a
> mailserver, performance has not been a big issue.  I am in the process
> of designing a replacement.  If you enter your list of networks as a
> separate iptables list, then you only need to call that list when the
> traffic is on the relevant port(s), so you avoid traversing the list
> for other services.

*nod*

Thank you for sharing.

I've done something similar with IPSets and recently using routing with
reverse path filtering.

I've found all of the above to be quite effective.

--
Grant. . . .
unix || die
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread incoming-pythonlists
On 05/31/2018 06:24 PM, Grant Taylor via Mailman-Users wrote:
>
>> There are many ways to implement the same thing.  Before there were
>> modules in the kernel for this, I simply pulled lists of address
>> blocks out of databases and incorporated them into my IPtables
>> lists.  There are better tools to do this today.
>
> ACK
>
> I'm curious, did you use IPSets or just a rule per network / IP?

I wrote scripts that read the list and generated a rule per network.  It
can be slow, but has worked reliably for many years.  Since it is a
mailserver, performance has not been a big issue.  I am in the process
of designing a replacement.  If you enter your list of networks  as a
separate iptables list, then you only need to call that list when the
traffic is on the relevant port(s), so you avoid traversing the list for
other services.

Nataraj




Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Grant Taylor via Mailman-Users

On 05/31/2018 06:37 PM, incoming-pythonli...@rjl.com wrote:
> Both are valid alternatives.  There may be performance advantages,
> to stopping attacks at the firewall level instead of higher up in the
> application stack.

Agreed, on both accounts.

Firewalls also have a tendency to protect multiple machines, not just
one. (I'm referring to network appliance type firewalls, not host based.)

> No, this is not security through obscurity.  It runs on a different
> port so I can add firewall rules that affect only mailman service and
> not other web applications.

Fair enough.

> I need to give my users a url that they can easily remember.  It's too
> complex to have to give them urls with port numbers in them, and since
> this is not security through obscurity, it is not a problem.

Fair.

> yes

*nod*

> There are many ways to implement the same thing.  Before there were
> modules in the kernel for this, I simply pulled lists of address blocks
> out of databases and incorporated them into my IPtables lists.  There are
> better tools to do this today.

ACK

I'm curious, did you use IPSets or just a rule per network / IP?

> It was unclear from the OP's initial posting whether it was a private
> or a public mailing list.  What I describe here probably would not be
> appropriate for a public list and the best solution there is probably to
> upgrade to mailman 3 if they need a more secure interface that is wide
> open to the public.  VPN and/or fwknop (which is primarily SPA though the
> older port knocking is still supported) are more suitable if you have
> a private list where user membership must be approved anyway and your
> moderators and admins might use these tools to have access to mailman,
> but the web GUI would be blocked from public access.
>
> Certainly adding web server based username authentication sounds pretty
> cumbersome to me because users would have to login twice,

Maybe, maybe not.

I've seen applications that can re-use the web server's authentication
mechanism.  This would likely be a code change to Mailman.  (I have no
idea how big.)

> though from a security standpoint it would help protect from
> vulnerabilities in the mailman web GUI.

;-)

> There's no one answer to solving these problems.  I'm only sharing
> ideas that have worked for me.  The less of the public Internet that
> can apply brute force attacks on your web interface, the less likely
> you are to have a compromise.  Also, the less junk in your log files,
> the easier it is to monitor the logs.

Nope.  Hence my interest in what others have done and why they did it.
I'm always interested in observing and hopefully learning.

> I plan to go to mailman 3, but in the meantime I have minimal issues with
> attacks on my mailman GUI.  Maybe not the perfect solution for everyone,
> but it is effective.

If it does what you need it to and you feel comfortable maintaining it,
then more power to you.


--
Grant. . . .
unix || die


Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread incoming-pythonlists
On 05/31/2018 11:25 AM, Grant Taylor via Mailman-Users wrote:
> I feel like I'm missing something and as such have some questions.
>
> On 05/31/2018 11:42 AM, incoming-pythonli...@rjl.com wrote:
>> Depending on where your users are coming from, it might be easier to
>> limit access to the GUI using a firewall.
>
> Why are you using a firewall instead of leveraging the web server's
> ability to filter by IP?

Both are valid alternatives.  There may be performance advantages, to
stopping attacks at the firewall level instead of higher up in the
application stack.

>
>> What I do, is to run the mailman GUI on a non-standard https port.
>
> Okay.  (Additional) security through obscurity.  Sure.  I do similar
> with various things.

No, this is not security through obscurity.  It runs on a different port
so I can add firewall rules that affect only mailman service and not
other web applications.

>
>> I then create webserver URL rewrites that redirect url access to that
>> port.
>
> Why?  I feel like this voids hiding the Mailman Web UI on an alternate
> port?

I need to give my users a url that they can easily remember.  It's too
complex to have to give them urls with port numbers in them, and since
this is not security through obscurity, it is not a problem.

>
>> I use my firewall (IPTABLES), to control who can access the GUI.  If
>> all of your users come from a LAN inside an office, you can easily
>> restrict access to only those on the LAN.
>
> Or is this purely so that you can protect the Mailman Web UI via the
> firewall without impacting other web resources running on the default
> ports?

yes

>
>> I've also used things like GEOIP, and other tools to limit access to
>> specific countries or specific geographic areas or specific service
>> providers.  A lot of attacks come from outside countries and limiting
>> access substantially reduces attacks on my servers.
>
> I've not messed with GeoIP filters in a long time.  I don't know how
> IPTables' GeoIP feature set compares with Apache's / Nginx's GeoIP
> feature set.

There are many ways to implement the same thing.  Before there were
modules in the kernel for this, I simply pulled lists of address blocks
out of databases and incorporated them into my IPtables lists.  There
are better tools to do this today.
>
>> You could also require users to use a VPN or fwknop in order to access
>> the GUI.  This is easy if your users already access your site over a
>> VPN.
>
> I can see a VPN for corporate users.  I think it's a high bar for most
> public mailing lists.  Maybe not for the (few) administrator(s).
>
> I feel like port knocking is a REALLY HIGH BAR for most public mailing
> lists.

It was unclear from the OP's initial posting whether it was a private or
a public mailing list.  What I describe here probably would not be
appropriate for a public list and the best solution there is probably to
upgrade to mailman 3 if they need a more secure interface that is wide
open to the public.  VPN and/or fwknop (which is primarily SPA though
the older port knocking is still supported) are more suitable if you
have a private list where user membership must be approved anyway and
your moderators and admins might use these tools to have access to
mailman, but the web GUI would be blocked from public access.

Certainly adding web server based username authentication sounds pretty
cumbersome to me because users would have to login twice, though from a
security standpoint it would help protect from vulnerabilities in the
mailman web GUI.

There's no one answer to solving these problems.  I'm only sharing ideas
that have worked for me.  The less of the public Internet that can apply
brute force attacks on your web interface, the less likely you are to
have a compromise.  Also, the less junk in your log files, the easier it
is to monitor the logs.

I plan to go to mailman 3, but in the meantime I have minimal issues
with attacks on my mailman GUI.  Maybe not the perfect solution for
everyone, but it is effective.

Nataraj



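The firewall layout Nataraj describes above (a separate iptables list that is only consulted for the Mailman port) built on the IPSets Grant mentions in his reply, as an added example that is not code from either poster or from the Mailman project. It assumes a hypothetical Mailman vhost on TCP 8443, an IPv4-only allow-list, and that ipset and iptables-restore exist on the host when run with --apply; the sample allow-list is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Mailman. Turns a
# one-CIDR-per-line allow-list into an ipset plus a dedicated iptables chain
# that INPUT consults only for the Mailman port, so SMTP, the public web
# vhost and ssh never traverse the list.
# Assumptions: Mailman's vhost listens on TCP 8443 (hypothetical), the
# allow-list is IPv4 only, and ipset/iptables-restore exist when --apply runs.

MAILMAN_PORT="${MAILMAN_PORT:-8443}"
SET_NAME="${SET_NAME:-mailman_allow}"
CHAIN="${CHAIN:-MAILMAN_ACL}"
# a.b.c.d or a.b.c.d/0-32; out-of-range octets are left to ipset to reject
IPV4_CIDR='^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'

# Constructed sample allow-list standing in for the file or database export
# the thread talks about.
sample_allowlist() {
  cat <<'EOF'
# office LAN
192.0.2.0/24
# VPN pool
198.51.100.0/24
2001:db8::/32   # IPv6 prefix: skipped, the set below is IPv4 only
not-a-network
EOF
}

# stdin: allow-list; stdout: "ipset restore" input. Comments and blank lines
# are dropped; anything that is not an IPv4 CIDR is reported on stderr and
# skipped instead of silently turning into a broken or over-broad rule.
emit_ipset() {
  printf 'create %s hash:net family inet -exist\n' "$SET_NAME"
  # flush+add briefly empties the set; build a temp set and "swap" it in
  # if you need zero-gap reloads
  printf 'flush %s\n' "$SET_NAME"
  sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' |
  while IFS= read -r net; do
    if printf '%s\n' "$net" | grep -Eq "$IPV4_CIDR"; then
      printf 'add %s %s\n' "$SET_NAME" "$net"
    else
      printf 'skipping non-IPv4 entry: %s\n' "$net" >&2
    fi
  done
}

# stdout: iptables-restore fragment. Only new connections to the Mailman
# port are handed to $CHAIN; sources not in the set are rate-limit logged
# and dropped, which also keeps the scanning noise out of the web logs.
emit_iptables() {
  cat <<EOF
*filter
:$CHAIN - [0:0]
-A INPUT -p tcp --dport $MAILMAN_PORT -m conntrack --ctstate NEW -j $CHAIN
-A $CHAIN -m set --match-set $SET_NAME src -j ACCEPT
-A $CHAIN -m limit --limit 5/min -j LOG --log-prefix "mailman-acl drop: "
-A $CHAIN -j DROP
COMMIT
EOF
}

# Number of networks that made it into the set: a sanity check before
# applying (an empty set would lock everyone out of the Mailman UI).
count_set_entries() {
  sample_allowlist | emit_ipset 2>/dev/null | grep -c '^add '
}

if [ "${1:-}" = "--apply" ]; then
  [ "$(count_set_entries)" -gt 0 ] || { echo 'empty allow-list, refusing' >&2; exit 1; }
  # Set first, then the rules that reference it. --noflush leaves the rest
  # of the live ruleset alone; an existing $CHAIN is flushed and refilled,
  # and the INPUT hook is deleted first so reruns do not stack jump rules.
  sample_allowlist | emit_ipset | ipset restore
  iptables -D INPUT -p tcp --dport "$MAILMAN_PORT" -m conntrack --ctstate NEW -j "$CHAIN" 2>/dev/null || true
  emit_iptables | iptables-restore --noflush
else
  sample_allowlist | emit_ipset   # dry run: print what --apply would load
  emit_iptables
fi
```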


[Mailman-Users] Server joining the CBL blacklist every day!

2018-05-31 Thread Henrique Fagundes

Dear,

Sorry if the text is difficult to understand. I am Brazilian and I do 
not have many English language skills.


I'm just sending this email for information.

For a while I was not able to send emails from my server to some
domains [especially those linked to Microsoft (hotmail.com, msn.com,
outlook.com, etc.)].


Then I realized that the IP of my server was listed in the CBL blacklist.

I realized that one of the sites hosted on this server (which is also a 
Web server) was infected by malware that was connecting all the time to 
IP 192.42.116.41 (port 80 and 443).


This infection comes from Wordpress. One of my hosting clients used an 
obsolete version of the Wordpress platform and was eventually hit.


Details here:
https://consultalinux.org/blog/ler_post.php?category=linux=129

Almost every source file on his site had been encrypted.
Fortunately, the server automatically backs up the database every day.
I just deleted the old WP, installed the new one and uploaded the DB dump.


After I resolved the problem, the IP was no longer listed.

Regards,

Henrique Fagundes
supo...@aprendendolinux.com
Skype: magnata-br-rj
Linux User: 475399

https://www.aprendendolinux.com
https://www.facebook.com/AprendendoLinux
https://youtube.com/AprendendoLinux
https://twitter.com/AprendendoLinux
https://telegram.me/AprendendoLinux
__
Join the Aprendendo Linux Group
https://listas.aprendendolinux.com/listinfo/aprendendolinux

Or send an e-mail to:
aprendendolinux-subscr...@listas.aprendendolinux.com




Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Dimitri Maziuk
On 05/31/2018 04:52 PM, Grant Taylor via Mailman-Users wrote:
> On 05/31/2018 03:05 PM, Dimitri Maziuk wrote:
>> What exactly is it about mailman usernames and passwords that you are
>> trying to protect with HTTPS?
> 
> I wasn't talking about Mailman usernames (email addresses) and
> passwords.  I was talking about the usernames and passwords for Basic
> HTTP(S) authentication.  As in authenticating to the web server and
> having it control who can access the Mailman Web UI.

Ah, sorry, I didn't realize you propose to protect subscribers' username
and password by requiring a second username and password to get to them.
Moving along now.

-- 
Dimitri Maziuk
Programmer/sysadmin
BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu





Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Grant Taylor via Mailman-Users

On 05/31/2018 03:05 PM, Dimitri Maziuk wrote:
> What exactly is it about mailman usernames and passwords that you are
> trying to protect with HTTPS?

I wasn't talking about Mailman usernames (email addresses) and
passwords.  I was talking about the usernames and passwords for Basic
HTTP(S) authentication.  As in authenticating to the web server and
having it control who can access the Mailman Web UI.

There's always the fact that HTTPS (SSL/TLS) protects both sets of
credentials.

I was replying to the original poster, Michael P., suggesting that
HTTP(S)'s Basic Authentication can be used to protect the Mailman Web UI.


--
Grant. . . .
unix || die



Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Dimitri Maziuk
On 05/31/2018 02:40 PM, Grant Taylor via Mailman-Users wrote:
> On 05/31/2018 01:18 PM, Dimitri Maziuk wrote:
>> Yeah, I too once thought that was a good idea.
> 
> I'm not quite following you.  Are you saying that you now dislike
> HTTP(S) usernames & passwords specifically?

I do dislike the HTTPS push specifically. Google has a vested interest
in stopping those pesky ISPs from replacing Google's revenue-generating
ads with their own. I don't.

What exactly is it about mailman usernames and passwords that you are
trying to protect with HTTPS?

-- 
Dimitri Maziuk
Programmer/sysadmin
BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu





Re: [Mailman-Users] -EXT-Re: How does one edit the .pck files?

2018-05-31 Thread Mark Sapiro
On 05/31/2018 01:14 PM, Parker, Michael D. wrote:
> Hmm, not being a python expert, where is a pointer to manipulating the file
> using withlist?
> 
> Specifically listing a variable, changing a variable, and then writing it
> back to the file?


bin/withlist -l LISTNAME
Loading list LISTNAME (locked)
The variable `m' is the LISTNAME MailList instance
>>> m.ATTRIBUTE_NAME
value of ATTRIBUTE_NAME prints
>>> m.ATTRIBUTE_NAME = NEW_VALUE
>>> m.Save()
>>> m.Unlock()
>>>   <- control-D to exit.

But do not do this!! There are already scripts to do most of what you
would want. withlist is for people who know enough Python and Mailman
internals to know what to do without asking. If you aren't one of those
people, you can easily shoot yourself in the foot.

Instead, describe what you are trying to accomplish in a post to this
list, and we will help you find a safe way to do it.

I have answered your specific question in another post. The answer
involves setting things properly in mm_cfg.py and then using withlist
but with a script fix_url.py that is much safer.

Also, in addition to the FAQ article I pointed to in the prior answer,
you might see .

-- 
Mark Sapiro
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan


Re: [Mailman-Users] -EXT-Re: How does one edit the .pck files?

2018-05-31 Thread Mark Sapiro
On 05/31/2018 01:10 PM, Parker, Michael D. wrote:
> Change the URL in a migrated mailman list so that it appears properly in the 
> browser display.
> 
> Specifically, I'm trying to change the following variable as per dumpdb 
> program of the config.pck file.
> 
>   'web_page_url': 'http://badhostname.ga.com/mailman/',


See the FAQ article at  which discusses
the proper way to do this.

-- 
Mark Sapiro
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan


Re: [Mailman-Users] -EXT-Re: How does one edit the .pck files?

2018-05-31 Thread Parker, Michael D.
Hmm, not being a python expert, where is a pointer to manipulating the file
using withlist?

Specifically listing a variable, changing a variable, and then writing it back
to the file?

* * *


-Original Message-
From: Mailman-Users  
On Behalf Of Mark Sapiro
Sent: Thursday, May 31, 2018 13:02
To: mailman-users@python.org
Subject: -EXT-Re: [Mailman-Users] How does one edit the .pck files?

On 05/31/2018 12:50 PM, Parker, Michael D. wrote:
> I'm trying to change one of the parameters in one of the .pck files.  How
> can this file be edited/changed in Linux?
> 
> I've tried searching but cannot find what I want.


If you're talking about Mailman 2.1's config.pck, you can edit it with 
mailman's bin/withlist, but what specifically are you trying to do?

-- 
Mark Sapiro
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan



Re: [Mailman-Users] -EXT-Re: How does one edit the .pck files?

2018-05-31 Thread Parker, Michael D.
Change the URL in a migrated mailman list so that it appears properly in the 
browser display.

Specifically, I'm trying to change the following variable as per dumpdb program 
of the config.pck file.

'web_page_url': 'http://badhostname.ga.com/mailman/',

* * *
Michael D. Parker - provisional CISSP
General Atomics - ElectroMagnetics Systems Group (EMS)
michael.d.par...@ga.com  < NOTE: Remember to include my middle initial >


-Original Message-
From: Mailman-Users  
On Behalf Of Mark Sapiro
Sent: Thursday, May 31, 2018 13:02
To: mailman-users@python.org
Subject: -EXT-Re: [Mailman-Users] How does one edit the .pck files?

On 05/31/2018 12:50 PM, Parker, Michael D. wrote:
> I'm trying to change one of the parameters in one of the .pck files.  How
> can this file be edited/changed in Linux?
> 
> I've tried searching but cannot find what I want.


If you're talking about Mailman 2.1's config.pck, you can edit it with 
mailman's bin/withlist, but what specifically are you trying to do?

-- 
Mark Sapiro
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan



Re: [Mailman-Users] How does one edit the .pck files?

2018-05-31 Thread michaelof--- via Mailman-Users
Hi Michael D.,


although I strongly believe it's NOT recommended to do what you're thinking
about in a production environment - it's open and free software, have fun ;-)

Instead of just changing the .pck files, as a starting point, I would suggest
downloading the mailman sources, trying to figure out how they do it, and
then maybe "tweaking" this, getting your own fork.


Just my five cents,
Michael


Am 31.05.2018 um 21:50 schrieb Parker, Michael D.:
> I'm trying to change one of the parameters in one of the .pck files.  How
> can this file be edited/changed in Linux?
> 
> I've tried searching but cannot find what I want.
> 
> Thanks.


Re: [Mailman-Users] How does one edit the .pck files?

2018-05-31 Thread Mark Sapiro
On 05/31/2018 12:50 PM, Parker, Michael D. wrote:
> I'm trying to change one of the parameters in one of the .pck files.  How
> can this file be edited/changed in Linux?
> 
> I've tried searching but cannot find what I want.


If you're talking about Mailman 2.1's config.pck, you can edit it with
mailman's bin/withlist, but what specifically are you trying to do?

-- 
Mark Sapiro
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan


[Mailman-Users] How does one edit the .pck files?

2018-05-31 Thread Parker, Michael D.
I'm trying to change one of the parameters in one of the .pck files.  How
can this file be edited/changed in Linux?

I've tried searching but cannot find what I want.

Thanks.


Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Grant Taylor via Mailman-Users

On 05/31/2018 01:18 PM, Dimitri Maziuk wrote:
> Yeah, I too once thought that was a good idea.

I'm not quite following you.  Are you saying that you now dislike
HTTP(S) usernames & passwords specifically?  Or are you saying that you
dislike hosting something yourself?

> And then heartbleed came along, and our knee-jerk security department
> cut off everyone who hasn't patched in 24 hours -- at the gateway.

Problems happen.  It's how you (or the powers that be) respond to
something that matters.

> As Murphy would have it, I was traveling across the Atlantic and our
> other IT guy was driving across North America. And of course cut-off at
> the gateway meant no mail, no ssh, no way to know what happened and no
> way to fix it.

Yep.  Murphy and his law will get you when you least expect it or are
least able to respond to it.

> This stuff sounds like it's coming from the same security experts.
> Proper answer with those guys is don't run mailman. Export the subscribers
> and use it as CC list in Orifice'365: you can't go wrong with "industry
> standard".

I'm going to disagree with you there.  You most certainly can go wrong
with "industry standard" or "what everybody else does".


--
Grant. . . .
unix || die



Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Dimitri Maziuk
On 05/31/2018 01:25 PM, Grant Taylor via Mailman-Users wrote:
> On 05/30/2018 03:36 PM, Parker, Michael D. wrote:
>> I've been assigned the task of attempting to secure our current
>> implementation of GNU MailMan.
> 
> One thing that I've not seen (or missed) in this thread is the idea of
> leveraging HTTPS usernames and passwords to protect the web interface.

Yeah, I too once thought that was a good idea. And then heartbleed came
along, and our knee-jerk security department cut off everyone who hasn't
patched in 24 hours -- *at the gateway*. As Murphy would have it, I was
traveling across the Atlantic and our other IT guy was driving across
North America. And of course cut-off at the gateway meant no mail, no
ssh, no way to know what happened and no way to fix it.

This stuff sounds like it's coming from the same security experts.
Proper answer with those guys is don't run mailman. Export the
subscribers and use it as CC list in Orifice'365: you can't go wrong
with "industry standard".

-- 
Dimitri Maziuk
Programmer/sysadmin
BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu





Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Grant Taylor via Mailman-Users

I feel like I'm missing something and as such have some questions.

On 05/31/2018 11:42 AM, incoming-pythonli...@rjl.com wrote:
> Depending on where your users are coming from, it might be easier to
> limit access to the GUI using a firewall.

Why are you using a firewall instead of leveraging the web server's
ability to filter by IP?

> What I do, is to run the mailman GUI on a non-standard https port.

Okay.  (Additional) security through obscurity.  Sure.  I do similar
with various things.

> I then create webserver URL rewrites that redirect url access to that
> port.

Why?  I feel like this voids hiding the Mailman Web UI on an alternate port?

> I use my firewall (IPTABLES), to control who can access the GUI.  If all
> of your users come from a LAN inside an office, you can easily restrict
> access to only those on the LAN.

Or is this purely so that you can protect the Mailman Web UI via the
firewall without impacting other web resources running on the default ports?

> I've also used things like GEOIP, and other tools to limit access to
> specific countries or specific geographic areas or specific service
> providers.  A lot of attacks come from outside countries and limiting
> access substantially reduces attacks on my servers.

I've not messed with GeoIP filters in a long time.  I don't know how
IPTables' GeoIP feature set compares with Apache's / Nginx's GeoIP
feature set.

> You could also require users to use a VPN or fwknop in order to access
> the GUI.  This is easy if your users already access your site over a VPN.

I can see a VPN for corporate users.  I think it's a high bar for most
public mailing lists.  Maybe not for the (few) administrator(s).

I feel like port knocking is a REALLY HIGH BAR for most public mailing
lists.


--
Grant. . . .
unix || die



Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Grant Taylor via Mailman-Users

On 05/31/2018 12:25 PM, Grant Taylor wrote:
> IMHO the web server has a LOT more experience at user access control 
> than most web applications. As such, I feel like the web server probably 
> has a better handle on how to do it.


Apache (and I suspect Nginx) has the ability to use client side TLS 
certificates to authenticate the client to the server.  —  I have yet to 
see any Web UI leverage this.  —  It's built into the web server.  }:-)




--
Grant. . . .
unix || die



Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Grant Taylor via Mailman-Users

On 05/30/2018 03:36 PM, Parker, Michael D. wrote:
> I've been assigned the task of attempting to secure our current 
> implementation of GNU MailMan.


One thing that I've not seen (or missed) in this thread is the idea of 
leveraging HTTPS usernames and passwords to protect the web interface.


IMHO the web server has a LOT more experience at user access control 
than most web applications. As such, I feel like the web server probably 
has a better handle on how to do it.


As for the default ugly username & password dialog box, there are ways 
around that.




--
Grant. . . .
unix || die
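As an added illustration (not from the thread, and not Mailman's or any poster's own configuration), here is an Apache 2.4 fragment combining the web-server-side controls Grant describes: source-IP filtering, HTTPS username/password protection of the administrative CGIs, and, as a commented alternative, client TLS certificates. It assumes mod_ssl, mod_authn_file and mod_authz_core are loaded, that the usual Mailman 2 ScriptAlias/Alias lines for /mailman/ and /pipermail/ already exist elsewhere, and that every hostname, file path and address range below is a placeholder.

```apache
# Added example; not Mailman's own configuration.  All paths, hostnames
# and address ranges are placeholders to be replaced for a real site.

# Question 4 above: do not serve the UI over plain http at all;
# send every request to the https virtual host.
<VirtualHost *:80>
    ServerName lists.example.org
    Redirect permanent / https://lists.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName lists.example.org
    SSLEngine on
    # Placeholder certificate and key paths.
    SSLCertificateFile    /etc/ssl/certs/lists.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/lists.example.org.key

    # Public CGIs (listinfo, options, confirm, subscribe, ...) stay
    # reachable; only the administrative ones get the extra checks.
    # Both conditions must hold: a valid web-server account AND a
    # request from an allowed source address (office LAN / admin host).
    <LocationMatch "^/mailman/(admin|admindb|create|rmlist|edithtml)">
        AuthType Basic
        AuthName "Mailman administration"
        # Placeholder; create and maintain with htpasswd(1).
        AuthUserFile /etc/apache2/mailman-admins.htpasswd
        <RequireAll>
            Require valid-user
            Require ip 192.0.2.0/24 203.0.113.10
        </RequireAll>
    </LocationMatch>

    # Alternative to the Basic-auth prompt: authenticate administrators
    # with a client certificate issued by your own CA.  Uncomment and
    # drop the AuthType/AuthUserFile/valid-user lines above to use it.
    # SSLCACertificateFile /etc/ssl/certs/mailman-admin-ca.pem
    # <Location "/mailman/admin">
    #     SSLVerifyClient require
    #     SSLVerifyDepth  1
    # </Location>
</VirtualHost>
```

Check the result with `apachectl configtest` before reloading, and confirm from an address outside the allowed range that the admin URLs return 403 while the listinfo pages still load.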



Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread incoming-pythonlists
On 05/31/2018 09:52 AM, Mark Sapiro wrote:
> On 05/31/2018 08:10 AM, Carl Zwanzig wrote:
>
>>> 3.   Can user passwords be eliminated and have the list
>>> administrator make any user adjustments which should not be necessary?
>> At a great loss of utility, sure. This would require a code change.
>
> The code changes to do it right would not be simple.

Depending on where your users are coming from, it might be easier to
limit access to the GUI using a firewall.  What I do, is to run the
mailman GUI on a non-standard https port.  I then create webserver URL
rewrites that redirect url access to that port.  I use my firewall
(IPTABLES), to control who can access the GUI.  If all of your users
come from a LAN inside an office, you can easily restrict access to only
those on the LAN.  I've also used things like GEOIP, and other tools to
limit access to specific countries or specific geographic areas or
specific service providers.  A lot of attacks come from outside countries
and limiting access substantially reduces attacks on my servers.

You could also require users to use a VPN or fwknop in order to access
the GUI.  This is easy if your users already access your site over a VPN.

Nataraj



Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Mark Sapiro
On 05/31/2018 08:10 AM, Carl Zwanzig wrote:
> I'm sure Mark has more complete answers, but diving in anyways :)


Carl's answers are good, but to add a bit ...


> On 5/30/2018 2:36 PM, Parker, Michael D. wrote:
> 
>> Some of the initial items that have been directed my way:
>> 1.   Can archiving be totally and permanently eliminated?
> More than turning it off on a per-list basis? (This doesn't "secure"
> mailman, it only makes archives unusable. You'd be better off to hide
> them behind a web page requiring web-server authentication.) Won't stop
> users from keeping their own archives, of course. (Or change the code to
> disable them.)


To disable archiving completely, you could add to mm_cfg.py

GLOBAL_PIPELINE.remove('ToArchive')


>> 2.   How and where are the passwords stored?
> IIRC users' list passwords are stored in the list config 'pickle' in the
> lists/ directory; see the comments in "Mailman/SecurityManager.py".


Correct.


>> 3.   Can user passwords be eliminated and have the list
>> administrator make any user adjustments which should not be necessary?
> At a great loss of utility, sure. This would require a code change.


The code changes to do it right would not be simple.


>> 4.   Does the website have to run in http: since passwords are
>> entered at points in the interactions?
> No, the FAQ describes how to enable HTTPS.


Specifically .


-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California  better use your sense - B. Dylan


Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Carl Zwanzig

I'm sure Mark has more complete answers, but diving in anyways :)

On 5/30/2018 2:36 PM, Parker, Michael D. wrote:
> I've been assigned the task of attempting to secure our current implementation 
> of GNU MailMan.

You're probably better off changing to MM3, but if you have to stay with v2--

> What did you do?

Needs a better definition of "secure" and an understanding of the intended 
goals- protect the archive? spam prevention? keep users from (un)subscribing 
lists? Are these goals part of the _mailing_list_manager_ or another part of 
the system (web server, email MTA & spam filtering, file sharing, etc)?

> Some of the initial items that have been directed my way:
> 1.   Can archiving be totally and permanently eliminated?

More than turning it off on a per-list basis? (This doesn't "secure" 
mailman, it only makes archives unusable. You'd be better off to hide them 
behind a web page requiring web-server authentication.) Won't stop users 
from keeping their own archives, of course. (Or change the code to disable 
them.)

> 2.   How and where are the passwords stored?

IIRC users' list passwords are stored in the list config 'pickle' in the 
lists/ directory; see the comments in "Mailman/SecurityManager.py".

> 3.   Can user passwords be eliminated and have the list administrator make 
> any user adjustments which should not be necessary?

At a great loss of utility, sure. This would require a code change.

> 4.   Does the website have to run in http: since passwords are entered at 
> points in the interactions?

No, the FAQ describes how to enable HTTPS.


Later,

z!


[Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Parker, Michael D.
I've been assigned the task of attempting to secure our current implementation 
of GNU MailMan.

Have any of you out there done this?

What did you do?


Some of the initial items that have been directed my way:


1.   Can archiving be totally and permanently eliminated?

2.   How and where are the passwords stored?

3.   Can user passwords be eliminated and have the list administrator make 
any user adjustments which should not be necessary?

4.   Does the website have to run in http: since passwords are entered at 
points in the interactions?

Thanks for your guidance and thoughts.






Re: [Mailman-Users] Duplicate command results

2018-05-31 Thread Stephen J. Turnbull
Mark Sapiro writes:

 > If you are including the command in both the Subject: and the body, that
 > is why. If the Subject: contains a valid command, it will be executed.
 > Thus a message with 'Subject: help' and 'help' in the body contains two
 > help commands so the command is executed twice.

I don't think this is worth fixing in Mailman 2, but we should try to
ensure idempotence in Mailman 3.



Re: [Mailman-Users] GDPR

2018-05-31 Thread Stephen J. Turnbull
Grant Taylor via Mailman-Users writes:

 > > Some of these may be hidden (eg, Reply-To is normally not displayed; 
 > > I don't know offhand if it's in the mbox files).
 > 
 > Yes, Reply-To: is a standard header and included in mbox files.

"The" mbox files refers to what Mailman stores in archives, which are
accessible not only to admins but to 3rd parties in some
configurations.  I believe a lot of fields are cleaned out of those
files, just enough is kept to rebuild the archives.  But I'm not sure.

 > The technical implications of [full text search in markup] in and
 > of itself astound.

It's really not that hard.  The same technology that renders email to
the screen can be used to render it to a sequence of sentences each on
a single line.  It won't be 100% accurate, but there is that
"disproportionate" clause.  Do one extra thing the judge doesn't think
of herself and you're gold, I expect. :-)

 > But I think it's more the B2B selling of information that causes
 > more concern (to me) than what hackers do with it.

You're probably right about that.  I suspect GDPR is as much motivated
by kneecapping Google and Facebook in EU markets as it is by privacy. ;-)

 > > What does "verify" mean here?  The problematic address may have been 
 > > deleted or pwned, and not available to the person wanting redaction.
 > 
 > Technical complications.  :-D

Yeah, and this is a big one.  The more I think about it, the more I
think that this has the potential to be worse than DMCA takedowns.  I
hope the EU lawmakers considered that aspect, and there are provisions
to require identification of people requesting various remedies under
GDPR.

Steve






Re: [Mailman-Users] analytics tool for mailman?

2018-05-31 Thread Stephen J. Turnbull
tlhackque via Mailman-Users writes:

 > I have no opinion on the wisdom or bases of GitLab's position.  As
 > mailing lists share some characteristics with their services, those
 > who have to deal with GPDR may wish to consider it in developing
 > their own.
 > 
 > [Among other things, GitLab's ToS sez:]

 > I understand the removal of this information would be impermissibly
 > destructive to the project and the interests of all those who
 > contribute, utilize, and benefit from it.

tlhackque sort of implies this, but I think it's worth emphasis:

AFAICS "impermissible" is a point of difference.  It will never be
true of a stock Mailman.  (For git geeks: GitLab's problem is that
removing such information at minimum changes the SHA1 of that commit,
and all descendant commits, completely rewriting that part of the DAG.
Mailman doesn't have such an integrity check on threads, although
perhaps DKIM signatures could be abused that way. :-)

However, in some cases it might be a severe inconvenience for users,
etc.  Be careful not to overstate your wording here.  And consult a
lawyer if you have a business interest in your lists.

Steve



Re: [Mailman-Users] [Mailman-cabal] GDPR

2018-05-31 Thread Stephen J. Turnbull
Grant Taylor via Mailman-Users writes:

 > What is their working definition of "thread"?

I don't know.  I gave what I think is a reasonable definition, and I
would argue that going to parents of that message is not required by
GDPR, even if for some reason you need to remove whole posts.

 > I'm afraid that the infinite wisdom of politicians will say that the 
 > entire paper needs to be shredded.

We know what the politicians said.  It's in the GDPR law.  Forget
politicians' stupidity.  What matters now is (1) what courts will say,
and (2) what courts will refuse to call frivolous (so that the party
with the uglier lawyer wins at great expense to the party with the
beautiful lawyer).

Appeals judges generally are pretty sensible in the U.S. and Japan,
and usually they do understand the issues.  I suppose it's similar in
the EU.

What I'm concerned with is where PII can enter Mailman and be stored
on the host.  Whether the law reaches that or not is not really
important here.  We look at each place, decide how easy it is to (1)
find all instances of a particular identifier, (2) determine whether
and by whom it has been accessed, and (3) redact that identifier.
Then we look at costs and start implementing the cheaper cases.

 > I think it also significantly depends on what needs to be redacted. 
 > Removing "supercalifragilisticexpialidocious" is a LOT different than 
 > removing "Grant Taylor" from the Mailman-Users archive. 

It needs to be personally identifying, and pragmatically (1) above
means either (a) it will be found in certain header fields which we
can remove entirely or redact in full or part, or (b) a full-text
search will find it.  This means that descriptions like "the US
politician known to lie 6 times a day" are out -- there are too many
ways to express that.  If GDPR requires finding and redacting that,
the list will have to fold up shop.  But I don't think it does: I
think here PII refers to numbers, names, and addresses (as we usually
understand those words!) that uniquely identify a person for purposes
such as delivering goods, services and information, or as part of an
authentication process for accessing services (eg, financial or
informational).

 > I wonder if there's any correlation between the IP that authenticated 
 > and the IP that accessed data.

Not in Mailman, although it could be done.  HTTP is a stateless
protocol, so to maintain a session you need to provide a token
(typically a "cookie").  That token can be passed around in the user's
network.  It would be possible to include the IP in the data hashed to
create the auth token, and validate that, but we don't.

 > 2)  *sigh*  It sounds like GDPR is talking about specific fields that 
 > could contain PII, even if they don't, while ignoring other fields that 
 > erroneously do contain PII.

It's not GDPR.  *I* wrote that.  What I was trying to say is that
there are fields like display name and email that are normally used
for data that is PII, and so would be presumed to contain PII if
populated in a database record.

 > > However, in Mailman 2 the various list passwords are shared, and
 > > would not identify individuals in cases with multiple moderators
 > > or list owners.
 > 
 > IMHO that's an operational mis-step.

It's a FACT, and it's not going to change in Mailman 2.  We need to
work with it, or perhaps European lists simply won't be able to use
Mailman 2 with multiple admins if GDPR requires auth that identifies a
single individual.  (Mailman 3 does allow identifying a single
individual, but I don't think we log auth attempts or successes
yet.)

 > (Part of) GDPR is not about (just) knowing who has (had at the
 > time) legitimate access to data, but additionally making it more
 > difficult for other 3rd parties to gain access to the data in the
 > future.  By the fact that the data is removed from the corpus that
 > the 3rd party is subsequently given access to.

I don't think "make it difficult to access data" is a requirement in
GDPR.  I think making reconstruction of history difficult is the
*intent* of GDPR's "right to be forgotten", but that doesn't mean you
need to conceal data (such as social network "handles") that is
normally used to identify users in operation.

The access logging is about a different aspect of privacy, which is
knowing who had access to that data.

AFAICS, the privacy policy itself is up to the host and/or the
industry and its regulators.  Wikis may have zero privacy in normal
operation, but you still need to log accesses to people's profiles I
suppose.  Banking privacy is specified by banking laws, not GDPR, I
suppose, but again GDPR mandates logging of accesses.

 > I'm talking about 3rd party spam filtering services that are in the
 > path between, downstream in between Mailman and the recipient's
 > server.  They collect logs / data all the time.  Usually those logs
 > and that data are what help them be better at their job of spam
 > filtering.

The Mailman admins don't have access