Mailing list reminder: password is sent in the clear

Mike Shaver mike.shaver at
Fri Jul 1 12:00:57 PDT 2011

On Fri, Jul 1, 2011 at 2:50 PM, Mike Samuel <mikesamuel at> wrote:
> 2011/7/1 Mike Shaver <mike.shaver at>:
>> On Fri, Jul 1, 2011 at 2:30 PM, Mike Samuel <mikesamuel at> wrote:
>>> 2011/7/1 Mike Shaver <mike.shaver at>:
>>>> What can someone do with that password, though? Just change your
>>>> subscription settings, afaik, so the security in place seems proportionate.
>>>> Could report it upstream to the mailman team, I suppose.
>>> Use it to do a better job of impersonating.  Try it out on other sites.
>> I don't understand how you could impersonate better, could you
>> explain?  You can send mail with any From: you want without bothering
>> to go through someone's mailman account, and you can't even send mail
>> from the mailman interface!
>> Since mailman passwords are randomly generated at subscription time
>> (and virtually never changed), password reuse is pretty unlikely.
> Can't a mailman account holder associate a public key with a mailman instance?

Not in stock mailman (, but
there is a fork which permits it, I think.


More information about the es-discuss mailing list