[Mailman-Users] recovering mailing list members and .cfg files

2024-05-13 Thread incoming-pythonlists
I have a backup of an older mailman 2 system that is no longer
bootable.  In order to recover the mailing lists I am looking to get
something like the output to list_members -f and the .cfg files if
possible.  I have access to systems with python 2.7.18 and python 2.6.6
installed.

I tried running list_members and got the following error:

Traceback (most recent call last):
  File "./list_members", line 73, in <module>
    import paths
  File "/oldroot/usr/lib/mailman/bin/paths.py", line 56, in <module>
    import japanese
ImportError: No module named japanese

I tried searching for a japanese module but the output I get is in
Japanese, so I can't read it. I'm not sure if resolving this module
would allow the list_members script to run.  I would appreciate any
suggestions on how to proceed with this.

Thank You,

Nataraj



--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/
Member address: arch...@jab.org


Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread incoming-pythonlists
On 05/31/2018 06:24 PM, Grant Taylor via Mailman-Users wrote:
>
>> There are many ways to implement the same thing.  Before there were
>> modules in the kernel for this, I simply pulled lists of address
>> blocks out of databases and incorporated them into my IPtables
>> lists.  There are better tools to do this today.
>
> ACK
>
> I'm curious, did you use IPSets or just a rule per network / IP?

I wrote scripts that read the list and generated a rule per network.  It
can be slow, but has worked reliably for many years.  Since it is a
mailserver, performance has not been a big issue.  I am in the process
of designing a replacement.  If you enter your list of networks as a
separate iptables list, then you only need to call that list when the
traffic is on the relevant port(s), so you avoid traversing the list for
other services.

Nataraj


--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
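
The setup described in this message and in the replies further down the page (one rule per network, kept in a separate chain that is only consulted for the Mailman GUI port), as an added example that is not code from the original posts. The chain name `MAILMAN_GUI`, port 8443 and the network list are constructed placeholders; the script only prints the iptables commands and does not run them.

```shell
#!/bin/sh
# Added example: build a dedicated allow-list chain from a list of networks.
CHAIN="MAILMAN_GUI"   # hypothetical chain name
GUI_PORT="8443"       # hypothetical non-standard https port for the GUI

# Constructed sample input: one IPv4 address or CIDR block per line.
sample_networks() {
    cat <<'EOF'
# office LAN
10.0.0.0/8
192.0.2.0/24      # documentation range standing in for an ISP block
198.51.100.17
300.1.1.1/24
EOF
}

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix.
# Entries are interpolated into firewall commands, so reject anything else.
is_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        !/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if (NF == 5 && $5 > 32) exit 1 }'
}

# Read networks on stdin, print one ACCEPT rule per valid network.
gen_rules() {
    echo "iptables -N $CHAIN"
    while IFS= read -r line || [ -n "$line" ]; do
        net=${line%%#*}                                # strip comments
        net=$(printf '%s' "$net" | tr -d ' \t\r')      # strip whitespace
        [ -z "$net" ] && continue
        if is_cidr "$net"; then
            echo "iptables -A $CHAIN -s $net -j ACCEPT"
        else
            echo "skipped invalid entry: $net" >&2
        fi
    done
    # Sources not on the list are dropped, but only for the GUI port.
    echo "iptables -A $CHAIN -j DROP"
    # Single jump from INPUT: traffic for other services never walks the list.
    echo "iptables -A INPUT -p tcp --dport $GUI_PORT -j $CHAIN"
}

sample_networks | gen_rules
```
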


Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread incoming-pythonlists
On 05/31/2018 11:25 AM, Grant Taylor via Mailman-Users wrote:
> I feel like I'm missing something and as such have some questions.
>
> On 05/31/2018 11:42 AM, incoming-pythonli...@rjl.com wrote:
>> Depending on where your users are coming from, it might be easier to
>> limit access to the GUI using a firewall.
>
> Why are you using a firewall instead of leveraging the web server's
> ability to filter by IP?

Both are valid alternatives.  There may be performance advantages to
stopping attacks at the firewall level instead of higher up in the
application stack.

>
>> What I do, is to run the mailman GUI on a non-standard https port.
>
> Okay.  (Additional) security through obscurity.  Sure.  I do similar
> with various things.

No, this is not security through obscurity.  It runs on a different port
so I can add firewall rules that affect only mailman service and not
other web applications.

>
>> I then create webserver URL rewrites that redirect url access to that
>> port.
>
> Why?  I feel like this voids hiding the Mailman Web UI on an alternate
> port?

I need to give my users a url that they can easily remember.  It's too
complex to have to give them urls with port numbers in them, and since
this is not security through obscurity, it is not a problem.

>
>> I use my firewall (IPTABLES), to control who can access the GUI.  If
>> all of your users come from a LAN inside an office, you can easily
>> restrict access to only those on the LAN.
>
> Or is this purely so that you can protect the Mailman Web UI via the
> firewall without impacting other web resources running on the default
> ports?

yes

>
>> I've also used things like GEOIP, and other tools to limit access to
>> specific countries or specific geographic areas or specific service
>> providers.  A lot of attacks come from outside countries and limiting
>> access substantially reduces attacks on my servers.
>
> I've not messed with GeoIP filters in a long time.  I don't know how
> IPTables' GeoIP feature set compares with Apache's / Nginx's GeoIP
> feature set.

There are many ways to implement the same thing.  Before there were
modules in the kernel for this, I simply pulled lists of address blocks
out of databases and incorporated them into my IPtables lists.  There
are better tools to do this today.
>
>> You could also require users to use a VPN or fwknop in order to access
>> the GUI.  This is easy if your users already access your site over a
>> VPN.
>
> I can see a VPN for corporate users.  I think it's a high bar for most
> public mailing lists.  Maybe not for the (few) administrator(s).
>
> I feel like port knocking is a REALLY HIGH BAR for most public mailing
> lists.

It was unclear from the OP's initial posting whether it was a private or
a public mailing list.  What I describe here probably would not be
appropriate for a public list and the best solution there is probably to
upgrade to mailman 3 if they need a more secure interface that is wide
open to the public.  VPN and/or fwknop (which is primarily SPA though
the older port knocking is still supported) are more suitable if you
have a private list where user membership must be approved anyway and
your moderators and admins might use these tools to have access to
mailman, but the web GUI would be blocked from public access.

Certainly adding web server based username authentication sounds pretty
cumbersome to me because users would have to login twice, though from a
security standpoint it would help protect from vulnerabilities in the
mailman web GUI.

There's no one answer to solving these problems.  I'm only sharing ideas
that have worked for me.  The less of the public Internet that can apply
brute force attacks on your web interface, the less likely you are to
have a compromise.  Also, the less junk in your log files, the easier it
is to monitor the logs.

I plan to go to mailman 3, but in the meantime I have minimal issues
with attacks on my mailman GUI.  Maybe not the perfect solution for
everyone, but it is effective.

Nataraj





Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread incoming-pythonlists
On 05/31/2018 09:52 AM, Mark Sapiro wrote:
> On 05/31/2018 08:10 AM, Carl Zwanzig wrote:
>
>>> 3.   Can user passwords be eliminated and have the list
>>> administrator make any user adjustments which should not be necessary?
>> At a great loss of utility, sure. This would require a code change.
>
> The code changes to do it right would not be simple.

Depending on where your users are coming from, it might be easier to
limit access to the GUI using a firewall.  What I do, is to run the
mailman GUI on a non-standard https port.  I then create webserver URL
rewrites that redirect url access to that port.  I use my firewall
(IPTABLES), to control who can access the GUI.  If all of your users
come from a LAN inside an office, you can easily restrict access to only
those on the LAN.  I've also used things like GEOIP, and other tools to
limit access to specific countries or specific geographic areas or
specific service providers.  A lot of attacks come from outside countries
and limiting access substantially reduces attacks on my servers.

You could also require users to use a VPN or fwknop in order to access
the GUI.  This is easy if your users already access your site over a VPN.

Nataraj
