Hello,
On Thu, 8 Jul 2010, Mark Sapiro wrote:
Ivan Fetch wrote:
We would like to integrate Mailman with a spam quarantine system. List
admin(s) will need to login to manage quarantined messages, and we would
like this login to use the list admin password. I'd like some feedback on
the best way to accomplish this, with Mailman.
I can think of two ways to accomplish this -
1. Mailman consults LDAP for the list admin password, and is able to
also set that password (for the web UI and the change_pw script). Mailing
lists are already defined in LDAP for our MTAs.
2. The Mailman list admin passwords are stored in an unencrypted form,
which we regularly sync to LDAP, for the quarantine system to use.
It seems like option 2 would be simpler in terms of code, although less
ideal (because the password wouldn't be encrypted).
Which method (or is there a third way?) is going to make the most sense
for seamless integration with Mailman?
I suggest a third method.
Do not change Mailman at all.
Periodically, via cron and/or on demand, retrieve the list's 'password'
attribute from lists/listname/config.pck. This can be done with a
Python program using the Mailman API to instantiate the list and get
the password, or it could be done with a withlist script whose process
was simply
def get_list_pw(mlist):
    print mlist.password
or it could be done, e.g., by
/path/to/bin/dumpdb /path/to/lists/$listname/config.pck | \
grep \'password\' | sed -e s'/^.*: .//' -e 's/.,$//'
This is the encrypted password. Store that in LDAP and have your
quarantine system validate a password by encrypting it using Mailman's
algorithm (a 40-hex-digit representation of a SHA1 hash of the
plaintext) and comparing that to the list's encrypted password.
--
Mark Sapiro <[email protected]> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
Great - makes very good sense, thank you. We have tested this by
getting the list's admin password, removing the hexification (with
binascii.unhexlify) which leaves the password in SHA1 digest form, then
base64 encoding the password, and putting it into LDAP.
How much difference in efficiency is there, between running dumpdb vs.
using python code to only get a list's password? I know dumpdb is doing
more (because it dumps the entire pck), but is it going to be enough to matter?
The script we'll write, will probably run every 5 minutes, iterating
through all lists, and setting password attributes in LDAP for passwords
which have changed. I'd like to have minimal impact on Mailman (RE: using
dumpdb).
- Ivan
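
Added example, not part of the original thread and not Mailman code: the scheme discussed above, written as stand-alone Python 3 for the quarantine/sync side. It converts Mailman's 40-hex-digit SHA1 string to the base64 form stored in LDAP, finds which lists need an LDAP update, and validates a login in constant time. The function names, the UTF-8 encoding of the plaintext, and the sample list names and passwords are assumptions; plain dicts stand in for Mailman and LDAP.

```python
import base64
import binascii
import hashlib
import hmac


def mailman_hex_to_b64(hex_digest):
    """Mailman's 40-hex-digit SHA1 string -> base64 of the raw 20-byte digest."""
    hex_digest = hex_digest.strip()
    if len(hex_digest) != 40:
        raise ValueError("expected 40 hex digits, got %d" % len(hex_digest))
    # unhexlify raises binascii.Error (a ValueError) on non-hex input
    return base64.b64encode(binascii.unhexlify(hex_digest)).decode("ascii")


def check_password(candidate, stored_b64):
    """Quarantine-side check: SHA1 the candidate, compare to the LDAP value."""
    try:
        stored = base64.b64decode(stored_b64, validate=True)
    except (binascii.Error, ValueError):
        return False  # corrupt attribute: fail closed
    if len(stored) != hashlib.sha1().digest_size:
        return False
    # Assumption: the plaintext is hashed as UTF-8 bytes.
    digest = hashlib.sha1(candidate.encode("utf-8")).digest()
    return hmac.compare_digest(digest, stored)  # constant-time comparison


def changed_entries(mailman_hex, ldap_b64):
    """Return {listname: new_b64} for lists whose LDAP value is missing or stale."""
    updates = {}
    for name, hex_digest in mailman_hex.items():
        new_value = mailman_hex_to_b64(hex_digest)
        if ldap_b64.get(name) != new_value:
            updates[name] = new_value
    return updates


if __name__ == "__main__":
    # Constructed sample data: stand-ins for what mlist.password would return.
    mailman = {
        "staff": hashlib.sha1(b"constructed-pw-1").hexdigest(),
        "announce": hashlib.sha1(b"constructed-pw-2").hexdigest(),
    }
    ldap = {"staff": mailman_hex_to_b64(mailman["staff"])}  # already in sync
    updates = changed_entries(mailman, ldap)
    print("lists to update:", sorted(updates))
    ldap.update(updates)
    print("correct password:", check_password("constructed-pw-2", ldap["announce"]))
    print("wrong password:", check_password("wrong", ldap["announce"]))
```

The stored value is an unsalted SHA1 digest, so the LDAP attribute holding it needs the same access restrictions as config.pck itself.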