[Mailman-Users] E-Mail Interface Documentation
Hello there, is there a documentation of the email interface available somewhere? I found: http://www.list.org/mailman-member/node10.html but that page seems to be offline. Regards, Sascha. -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Thoughts about migrating to Mailman instead of Sympa (from Majordomo)
On 2012-01-19 19:32, Geoff Mayes wrote: I hope a general question about Mailman's features and future direction (along with some Sympa comparisons) are appropriate for this list. The University of Oregon is migrating away from Majordomo. We decided on Sympa because Mailman sends passwords over email ... Does anyone know a way around the emailed passwords issue in Mailman, clever hacks, certain plugins, or a timeline for Mailman 3's release? You can stop the cronjob used to email reminders. With this you don't email them to the users, but they will still be saved in clear text in Mailman. I've written a number of Django apps using my own LDAP module, so I was also wondering if folks think now is a mature-enough time to perhaps grab Mailman 3, its Django front-end, and hack together what I'm after? A final, random question: Mailman 3 is still in alpha, but is it stable given that it's almost been in alpha for 4 years? Didn't test it yet, so no comment from me. Kind regards, Christian Mack -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] E-Mail Interface Documentation
Hello Sascha Rissel On 2012-01-20 09:04, Sascha Rissel wrote: is there a documentation of the email interface available somewhere? I found: http://www.list.org/mailman-member/node10.html but that page seems to be offline. You can send an email to any list with activated processing of email commands, in order to get the command syntax. Just send an email with subject help (without quotes) to somelist-requ...@yourdomain.org As an example mailman-users-requ...@python.org should work. Kind regards, Christian Mack -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Thoughts about migrating to Mailman instead of Sympa (from Majordomo)
On Fri, Jan 20, 2012 at 10:05:20AM +0100, Mailman Admin wrote: On 2012-01-19 19:32, Geoff Mayes wrote: I hope a general question about Mailman's features and future direction (along with some Sympa comparisons) are appropriate for this list. The University of Oregon is migrating away from Majordomo. Hurrah! ;o) We decided on Sympa because Mailman sends passwords over email ... Does anyone know a way around the emailed passwords issue in Mailman, clever hacks, certain plugins, or a timeline for Mailman 3's release? You can stop the cronjob used to email reminders. +1 With this you don't email them to the users, but they will still be saved in clear text in Mailman. Another way could be to make the 'don't use a valuable password' text more prominent, or enforce some password complexity test. There is the LDAP extension, YMMV. I've written a number of Django apps using my own LDAP module, so I was also wondering if folks think now is a mature-enough time to perhaps grab Mailman 3, its Django front-end, and hack together what I'm after? A final, random question: Mailman 3 is still in alpha, but is it stable given that it's almost been in alpha for 4 years? http://mail.python.org/pipermail/mailman-announce/2011-September/000164.html seems to be the latest update. IIRC, Barry's not on -users, but does post on -developers. (There was an update, but I can't quickly find it) I could be wrong on that, though/ -- I try not to get drunk at lunchtime any earlier in the week than Thursday. -- Giles Coren -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Thoughts about migrating to Mailman instead of Sympa (from Majordomo)
On 1/20/2012 1:05 AM, Mailman Admin wrote: On 2012-01-19 19:32, Geoff Mayes wrote: Does anyone know a way around the emailed passwords issue in Mailman, clever hacks, certain plugins, or a timeline for Mailman 3's release? You can stop the cronjob used to email reminders. With this you don't email them to the users, but they will still be saved in clear text in Mailman. You can also easily change the code to leave it out of the reminder. z! -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Thoughts about migrating to Mailman instead of Sympa (from Majordomo)
On 1/20/2012 8:48 AM, Carl Zwanzig wrote: On 1/20/2012 1:05 AM, Mailman Admin wrote: On 2012-01-19 19:32, Geoff Mayes wrote: Does anyone know a way around the emailed passwords issue in Mailman, clever hacks, certain plugins, or a timeline for Mailman 3's release? You can stop the cronjob used to email reminders. With this you don't email them to the users, but they will still be saved in clear text in Mailman. You can also easily change the code to leave it out of the reminder. Or simplest of all, use the option on the General Settings page (under Notifications) and turn off the monthly reminders. Chris -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Thoughts about migrating to Mailman instead of Sympa (from Majordomo)
Thank you everyone for your help and sharing all of this information. I found it very useful and further proof of the active and supportive Mailman community. It sounds like, to summarize, the Mailman2 branch can lock down its passwords by: 1. disabling cron password reminders 2. increasing the warning in the UI about not using valuable passwords Mailman2 cannot change the following, however, without code changes: a. storing passwords unencrypted b. sending password reminder emails to list subscribers who request a reminder via the UI (is that right?). I'm not worried about (a), just trying to be thorough. Question: Can list admins request a password reminder email via the UI? In the UI I see that subscribers can but it doesn't look like list admins can. If that is true and a list admin/owner loses their password, does the Mailman site administrator have to fetch it for them? I'm thinking about the extra work (however small, as others have pointed out that admins rarely change their settings) this will put on our mailman administrator if there are 2k+ lists. Thanks to all for your prompt and wonderful responses, Geoff Mayes -Original Message- From: mailman-users-bounces+gmayes=uoregon@python.org [mailto:mailman-users-bounces+gmayes=uoregon@python.org] On Behalf Of C Nulk Sent: Friday, January 20, 2012 9:39 AM To: mailman-users@python.org Subject: Re: [Mailman-Users] Thoughts about migrating to Mailman instead of Sympa (from Majordomo) On 1/20/2012 8:48 AM, Carl Zwanzig wrote: On 1/20/2012 1:05 AM, Mailman Admin wrote: On 2012-01-19 19:32, Geoff Mayes wrote: Does anyone know a way around the emailed passwords issue in Mailman, clever hacks, certain plugins, or a timeline for Mailman 3's release? You can stop the cronjob used to email reminders. With this you don't email them to the users, but they will still be saved in clear text in Mailman. You can also easily change the code to leave it out of the reminder. Or simplest of all, use the option on the General Settings page (under Notifications) and turn off the monthly reminders. Chris -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail- archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman- users/gmayes%40uoregon.edu -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] slow out queue
Anil Jangity wrote: We just moved a very old mailman infrastructure mailman to Solaris and sendmail. It seems, when a message is posted, the out directory doesn't seem to clear out fast enough. 1K archive 1K bounces 1K commands 1K in 1K news 403K out 1K retry 1K shunt 1K virgin The size just stays like that forever and slowly decrements. When I look in /var/log/syslog (mail log of sendmail), I see deliveries going through. Look at Mailman's 'smtp' log. You undoubtedly have a huge backlog in the out queue because you aren't processing outgoing SMTP fast enough to keep up with demand. In the smtp log you will see entries like Jan 20 09:41:14 2012 (17283) message-id smtp to listname for 223 recips, completed in 3.500 seconds You will observe that each entry's timestamp is equal to that of the previous entry plus this entry's 'completed in' time indicating no delay between messages. Each entry represents processing of one out/ queue entry. You will probably also note that the processing rate is much less than the 64 recipients/second in the above message which is from a full VERP installation. I do a 'truss' of the OutgoingRunner python process and I see: % truss -p 11997 recv(10, 0x00748454, 8192, 0) (sleeping...) ... % What is it waiting for? Most likely an SMTP reply from sendmail. See the FAQ's at http://wiki.list.org/x/roA9 and http://wiki.list.org/x/q4A9. This is almost certainly a case of sendmail not keeping up with Mailman's demand and if so, will require sendmail tuning to fix. -- Mark Sapiro m...@msapiro.netThe highway is for gamblers, San Francisco Bay Area, Californiabetter use your sense - B. Dylan -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Thoughts about migrating to Mailman instead of Sympa (from Majordomo)
On 1/20/2012 10:06 AM, Geoff Mayes wrote: Thank you everyone for your help and sharing all of this information. I found it very useful and further proof of the active and supportive Mailman community. It sounds like, to summarize, the Mailman2 branch can lock down its passwords by: 1. disabling cron password reminders 2. increasing the warning in the UI about not using valuable passwords Mailman2 cannot change the following, however, without code changes: a. storing passwords unencrypted b. sending password reminder emails to list subscribers who request a reminder via the UI (is that right?). I'm not worried about (a), just trying to be thorough. Question: Can list admins request a password reminder email via the UI? In the UI I see that subscribers can but it doesn't look like list admins can. If that is true and a list admin/owner loses their password, does the Mailman site administrator have to fetch it for them? I'm thinking about the extra work (however small, as others have pointed out that admins rarely change their settings) this will put on our mailman administrator if there are 2k+ lists. Thanks to all for your prompt and wonderful responses, Geoff Mayes I don't believe the List Administrator/owner can have the list admin password sent to them. I don't think the site administrator can do it either. The only solution is to have the Site Admin change the list administrator password or if there are multiple list admins, have them tell the other admins for the list what the password is or change the password and then let the other know (if any). But I could be wrong. We don't have 2+k lists so having the Site Admin change a list admin password is not a problem. Then again, since we started using Mailman, that has happened maybe three or four times. The student government moderates their own list for the undergraduate student population and sometimes they forget to let the incoming government people know the moderator password. Chris -Original Message- From: mailman-users-bounces+gmayes=uoregon@python.org [mailto:mailman-users-bounces+gmayes=uoregon@python.org] On Behalf Of C Nulk Sent: Friday, January 20, 2012 9:39 AM To: mailman-users@python.org Subject: Re: [Mailman-Users] Thoughts about migrating to Mailman instead of Sympa (from Majordomo) On 1/20/2012 8:48 AM, Carl Zwanzig wrote: On 1/20/2012 1:05 AM, Mailman Admin wrote: On 2012-01-19 19:32, Geoff Mayes wrote: Does anyone know a way around the emailed passwords issue in Mailman, clever hacks, certain plugins, or a timeline for Mailman 3's release? You can stop the cronjob used to email reminders. With this you don't email them to the users, but they will still be saved in clear text in Mailman. You can also easily change the code to leave it out of the reminder. Or simplest of all, use the option on the General Settings page (under Notifications) and turn off the monthly reminders. Chris -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail- archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman- users/gmayes%40uoregon.edu -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] E-Mail Interface Documentation
Sascha Rissel wrote: is there a documentation of the email interface available somewhere? I found: http://www.list.org/mailman-member/node10.html but that page seems to be offline. Yes, www.list.org appears to be currently off line. It is mirrored at http://www.gnu.org/software/mailman/ and http://mailman.sourceforge.net/. You can find the above page at http://www.gnu.org/software/mailman/mailman-member/node10.html and http://mailman.sourceforge.net/mailman-member/node10.html. -- Mark Sapiro m...@msapiro.netThe highway is for gamblers, San Francisco Bay Area, Californiabetter use your sense - B. Dylan -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Thoughts about migrating to Mailman instead of Sympa (from Majordomo)
On Jan 19, 2012, at 06:32 PM, Geoff Mayes wrote: Mailman is more mature (the max bug ID for mailman in its issue-tracking system is ~913,400; the max bug ID for Sympa is 8,117 and there is still no bug category for Sympa's latest version -- 6.1.7 -- even though it has been out for over 4 months) I'm not sure bug numbers are a good indication. Launchpad has one namespace for all bugs, so the maximum number reflects bugs reported across all hosted upstream projects *and* all Ubuntu bugs. OTOH, Mailman has been around since the mid-90's. That's good because the key parts of the code are heavily battle-tested and (IMO) very stable. It's bad because some things like the web ui really need a good updating (and this is going on in the web-ui project for Mailman 3). Mailman has greater branch stability and code reliability (I noticed that Barry ran a pre-checkin acceptance suite for the Postgres patch for Mailman 3 before he checked it in) Yep. I have a strict testing policy for mm3 code. Mailman has a bright and well-documented future (Mailman 3 and its bug tracker, source code, milestones, etc) I think so too! Mailman has a more active and supportive community, which is very important in resolving future issues (Mailman had 150 list postings in December and through mid-January while Sympa had 44; I've been impressed with Mark Sapiro's responsiveness on this list) Mark is *awesome*. Does anyone know a way around the emailed passwords issue in Mailman, clever hacks, certain plugins, or a timeline for Mailman 3's release? As I think others have pointed out, individual users can disable password reminders, list admins can disable them for their lists, and site admins can disable them for the entire site (by turning off the cron job). As for mm3 release, well, I think now that I'll be giving a talk at Pycon 2012 on it, I *have* to release it before then! There are two blockers, that I am attempting to solve before going into beta. 1) the REST API needs an authentication/authorization framework; 2) we need some kind of schema migration approach. Come on over to mailman-developers@ if you want to participate. I know there is at least one site using mm3 in production today. I have some patches that need to be applied to improve the API performance, but I'm confident the core engine is pretty solid. I've written a number of Django apps using my own LDAP module, so I was also wondering if folks think now is a mature-enough time to perhaps grab Mailman 3, its Django front-end, and hack together what I'm after? Yes, I think now is a great time to do that. The API is fleshed out enough that you should be able to build a web-ui to communicate with it, or you can help Florian and Terri drive the official web-ui toward release. A final, random question: Mailman 3 is still in alpha, but is it stable given that it's almost been in alpha for 4 years? Nothing can replace actual field testing under real world conditions, but I'm pretty confident about the core engine. As I mentioned above, one way or another it has to go to beta before Pycon. :) -Barry -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Thoughts about migrating to Mailman instead of Sympa (from Majordomo)
On Thu, 19 Jan 2012, Geoff Mayes wrote: If Mailman provided a way around the passwords in the clear issue, I'm pretty sure we'd go with Mailman ... My personal opionion is Mailman passwords are so insignificant that it really shouldn't be an issue. On the other hand, I recognize that you may have direction from above that because it's called a password, it needs to be ulta-secure (there are, unfortunately, too many bosses who don't understand security and don't understand that different types of systems have different security needs). How much damage could be done if a Mailman user password was compromised? How much damage could be done if my on-line banking password was compromised? The answers are very different yet there are many who want them secured in the same way. I so rarely use a Mailman password that I don't even try to remember it. If I need to use it on a Mailman system, I have it send it to me, use it, then forget it. If someone wants to mess up my subscription on a Mailman system, well, go ahead. I have far more important things in life to worry about. Also, consider how many other times passwords are sent in the clear, just not in email. A snail mail with a password is also a password sent in the clear yet few seem to have a problem with that. Maybe because I practice good password managment, I am less concerned about an email being snooped than I am about snail mail theft or privileged access abuses. I would not worry about Mailman passwords being sent in the clear and instead, urge users to use good password practices. For Mailman, encourage them to let Mailman assign a password (and thereby, not reuse a PW). Because no matter what you do, people will reuse passwords, use the same password for low and high security needs, use easy-to-guess passwords, write them down, and other things that just make Mailman's password concerns the least of your organization's security concerns. -- Larry Stone lston...@stonejongleux.com -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Thoughts about migrating to Mailman instead of Sympa (from Majordomo)
Larry, I think you closed our security hole! You're right that someone else getting their hands on your mailman password is incredibly minor. The issue is when individuals subscribe to lists using their central LDAP/AD password as their Mailman list password. In that case password interception is a bigger deal. As you recommend in your paragraph on password best practices, people should let Mailman2 auto-generate a password. And it looks like this can easily be enforced by simply removing the Pick a password and Reenter password to confirm fields from the list subscription page. Mailman will then auto-generate all passwords. Voila! Unique passwords that only exist in Mailman. (Now if someone chooses to start using their Mailman list password as their LDAP password...) :) The annoying issue that remains is that Mailman2 cannot be brought under centralized authorization and users have yet another password to maintain. But as you and others have pointed out, list owners and list subscribers rarely interact with Mailman. And MM3 is on the horizon... This is great. Thanks, Geoff -Original Message- From: mailman-users-bounces+gmayes=uoregon@python.org [mailto:mailman-users-bounces+gmayes=uoregon@python.org] On Behalf Of Larry Stone Sent: Friday, January 20, 2012 1:18 PM To: mailman-users@python.org Subject: Re: [Mailman-Users] Thoughts about migrating to Mailman instead of Sympa (from Majordomo) On Thu, 19 Jan 2012, Geoff Mayes wrote: If Mailman provided a way around the passwords in the clear issue, I'm pretty sure we'd go with Mailman ... My personal opionion is Mailman passwords are so insignificant that it really shouldn't be an issue. On the other hand, I recognize that you may have direction from above that because it's called a password, it needs to be ulta-secure (there are, unfortunately, too many bosses who don't understand security and don't understand that different types of systems have different security needs). How much damage could be done if a Mailman user password was compromised? How much damage could be done if my on-line banking password was compromised? The answers are very different yet there are many who want them secured in the same way. I so rarely use a Mailman password that I don't even try to remember it. If I need to use it on a Mailman system, I have it send it to me, use it, then forget it. If someone wants to mess up my subscription on a Mailman system, well, go ahead. I have far more important things in life to worry about. Also, consider how many other times passwords are sent in the clear, just not in email. A snail mail with a password is also a password sent in the clear yet few seem to have a problem with that. Maybe because I practice good password managment, I am less concerned about an email being snooped than I am about snail mail theft or privileged access abuses. I would not worry about Mailman passwords being sent in the clear and instead, urge users to use good password practices. For Mailman, encourage them to let Mailman assign a password (and thereby, not reuse a PW). Because no matter what you do, people will reuse passwords, use the same password for low and high security needs, use easy-to-guess passwords, write them down, and other things that just make Mailman's password concerns the least of your organization's security concerns. -- Larry Stone lston...@stonejongleux.com -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail- archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman- users/gmayes%40uoregon.edu -- Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
