Closed larryl closed 6 years ago
mailman-owner@pm.org File too large
, I don't have access to that.
Thanks Jay, I turned off password reminder emails. But I was hoping for something a bit more secure to replace the current process of mailing passwords in plain text, like instead mailing a reset link.
Nod. I assume MailMan is open source. I don't know if our MailMan is current. Patches to that project welcome, I assume. :)
We're using the latest version of Mailman 2. I'm not sure if Mailman 3 has changed this system, but it's a very non-trivial upgrade.
This is how Mailman works, and we're unlikely to make a custom patch for it. Realistically, if someone can read your email, you have bigger problems than someone changing a mailing list subscription. Remember, mailing lists often authenticate you based on email address.
Realistically, if you are storing plain text passwords in your database and don't seem to care about the security implications of that, you have bigger problems.
You can bring that up with the mailman developers. The passwords are a convenience -- as I said before, for most mailing lists the "password" is your email address. This isn't any worse.
The mailman-owner issue has been fixed.
The pm.org reminder emails from mailman-owner@pm.org contain plain-text passwords:
I tried to email mailman-owner@pm.org about it and got: