[sf-lug] Yes, Mailman stores and sends the passwords in the clear: Re: Anyone here had any contact with LinuxChix.org?

Michael Paoli Michael.Paoli at cal.berkeley.edu
Thu Jun 6 18:19:18 PDT 2019


Yes, Mailman stores and sends the passwords in the clear.
As far as I'm aware, that's a long established
(mis-?) feature of Mailman, and though it's been oft
requested to change that, as far as I'm aware they've thus
far got no intention of changing it.  But feel free to
check/research to see if that's changed.
Storing passwords in the clear - or reversibly encrypted,
is considered a "bad thing" ... however, it's necessary if one
is going to send periodic (e.g. monthly) password reminders
of the current password ... as Mailman is quite capable of.
One can disable that if one wishes, and list admins can also change
that or the default.  But regardless, Mailman stores that in the
clear.  To its credit, it does explicitly tell one to not use
a valuable/important password ... because, well, it stores the
Mailman list passwords in the clear.

Can't exactly say it didn't tell 'ya.  ;-)
... but folks tend to forget, often having subscribed, months,
years, even decades earlier.

> From: "Akkana Peck" <akkana at shallowsky.com>
> Subject: Re: [sf-lug] Anyone here had any contact with LinuxChix.org?
> Date: Thu, 6 Jun 2019 15:55:24 -0600

> Ehud Kaldor writes:
>> i am registered on it, and it seems it's saving passwords in clear, and the
>> monthly mailer daemon sends them in clear email :(
>>
>>
>> This is a reminder, sent out once a month, about your linuxchix.org
>> mailing list memberships.  It includes your subscription info and how
>> to use it to change it or unsubscribe from a list.
> [ ... ]
>
> Doesn't Mailman always do that? Every Mailman list I'm on does
> things that way, and I don't even know if Mailman has any other
> way of doing things. The list page mentions that explicitly:
> https://www.linuxchix.org/content/join-our-email-lists-or-read-archives
> as do the subscription pages for each list ("Do not use a valuable
> password as it will occasionally be emailed back to you in cleartext.")
>
> Doesn't this sf-lug list do the same thing? I don't seem to
> have any saved Mailman notices for sf-lug, but svlug and balug
> (as well as a zillion other technical lists I'm on) send the same
> cleartext reminders.
>
> I don't know why Mailman does things that way, but it's definitely
> not a LinuxChix specific problem.
>
>         ...Akkana
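
The trade-off described in the message above (a reminder of the current password needs recoverable storage), as an added example that is not part of the original thread and is not Mailman's code. The class names, the address and the PBKDF2 parameters are assumptions for illustration, and the reset-token path goes beyond the thread to show what a one-way store mails out in place of a reminder.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value for this sketch)


class CleartextStore:
    """Recoverable storage: the only kind that can mail back the current password."""

    def __init__(self):
        self.db = {}  # address -> password, exactly as typed

    def set_password(self, addr, password):
        self.db[addr] = password

    def reminder(self, addr):
        return f"Your password for {addr} is: {self.db[addr]}"


class HashedStore:
    """One-way storage: can check a login, cannot produce a reminder."""

    def __init__(self):
        self.db = {}      # address -> (salt, derived key)
        self.resets = {}  # address -> SHA-256 of an outstanding reset token

    def set_password(self, addr, password):
        salt = secrets.token_bytes(16)
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self.db[addr] = (salt, key)

    def verify(self, addr, password):
        salt, key = self.db[addr]
        guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(key, guess)

    def start_reset(self, addr):
        # Mailed instead of the password: a random one-time token.
        token = secrets.token_urlsafe(32)
        self.resets[addr] = hashlib.sha256(token.encode()).digest()
        return token

    def finish_reset(self, addr, token, new_password):
        # pop() consumes the token on any attempt, so it is single-use.
        expected = self.resets.pop(addr, None)
        given = hashlib.sha256(token.encode()).digest()
        if expected is None or not hmac.compare_digest(expected, given):
            return False
        self.set_password(addr, new_password)
        return True
```

Anyone who can read `CleartextStore.db` gets every password as typed; `HashedStore.db` holds only a salt and a derived key, which is why it has no `reminder` method to offer.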



