[Mailman-Users] MailMan For LAN Only

2009-08-07 Thread Stephen J. Turnbull
Carlos Williams writes:

 > I am wanting to implement MailMan for my company LAN. I am currently
 > running my email server on Postfix. I am wondering if someone can
 > answer these questions for me. If I install MailMan / Apache on my
 > mail server, will the MailMan list be visible by anyone on the web who
 > can access my mail server via Apache?

No, only to those with the admin password.  It may also be possible to
get the list of members by email, but (a) list members (or the admin)
can exclude their own addresses from that list and (b) the facility
can be turned off entirely (which it is by default AFAIK).

However, as Adam McGreggor pointed out, this really isn't an issue of
Mailman security at all as you've described it so far.  It's a
question of locking down the firewall in general, the MTA, and Apache.

First, you may want to consider a separate host which runs Postfix,
Apache, and Mailman.  The only users are root, mailman, and www-data.
This is not an MX, in fact it probably shouldn't be routable at all
from outside the LAN/VPN.  I ran my (very small) Mailman lists from a
Pentium 133 MHz with 80MB of RAM running Linux until it died last
year.  Mailman per se thus can run on any hardware you can buy off the
shelf today.  Performance should not be a problem until you have lists
> 1 members with frequent traffic; the price of the hardware will
be determined by the reliability you demand.

If you are installing a webserver on the existing mail host only to
provide the Mailman web interface, you can restrict access to Apache
at the firewall.  This implies that admins do their work, and list
members access their membership configurations, via the corporate LAN
or VPN.

Mailman restricts access to the membership list and other admin
functions to those with the admin password.  If you use a strong
password and have access via https rather than http, the worrying risk
to the admin pages is social (disgruntled admins, bribery, rootkit on
the admin's machine) rather than technical, even with access via the
public Internet.  (I still recommend restricting access to the Mailman
pages to inside the LAN/VPN, though.)

 > I am worried about spammers using MailMan to harvest valid email
 > addresses.

The main vulnerability here is the archives.  Some obfuscation of the
addresses in the messages can be done by the default archiver.  But a
better route is to restrict access to those pages (or to Apache
itself) to inside-the-LAN IP addresses.

 > Can someone please tell me if this is possible and or how I should
 > consider configuring MailMan for my LAN?

If I were you, I wouldn't worry about configuring Mailman for security
at all.  I'd configure the firewall and Apache to require strong
authorization (eg, the VPN or attached directly to the LAN) to access
Mailman admin and user pages (including the list archives) at all.  If
people need access from outside the physical LAN, they should use a
VPN.

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: http://wiki.list.org/x/QIA9
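The layout Stephen recommends above (Mailman pages and archives reachable only from the LAN or VPN, admin work over https, the archives treated as the main harvesting target) expressed as an Apache virtual host. This is an added example, not configuration from the thread or from the Mailman project. It assumes Apache 2.4 syntax, the Debian/Ubuntu file layout for Mailman 2.1, and placeholder values for the hostname, certificate paths and address ranges; all of those are assumptions to adapt to your site.

```apache
# Added example, not from the thread: an Apache 2.4 virtual host that serves
# the Mailman 2.1 web interface and archives only to LAN/VPN address ranges.
# Filesystem paths follow the Debian/Ubuntu Mailman 2.1 packaging; the
# hostname, certificate paths and address ranges are placeholders.

# Plain HTTP serves nothing from Mailman; every request is sent to HTTPS so
# admin and member passwords never travel in clear text.
<VirtualHost *:80>
    ServerName lists.example.internal
    Redirect permanent / https://lists.example.internal/
</VirtualHost>

<VirtualHost *:443>
    ServerName lists.example.internal
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/lists.example.internal.pem
    SSLCertificateKeyFile /etc/ssl/private/lists.example.internal.key

    # Mailman 2.1 CGI scripts: admin, listinfo, options, private archives, ...
    ScriptAlias /mailman/ /usr/lib/cgi-bin/mailman/
    # Archive tree written by pipermail, plus Mailman's static images
    Alias /pipermail/ /var/lib/mailman/archives/public/
    Alias /images/mailman/ /usr/share/images/mailman/

    # Admin and member pages: only the corporate LAN and the VPN address
    # pool (placeholder ranges) may reach them at all.
    <Location /mailman/>
        Require ip 10.0.0.0/8 192.168.0.0/16
    </Location>

    # The archives are the main address-harvesting target, so they get the
    # same restriction rather than relying on address obfuscation alone.
    <Location /pipermail/>
        Require ip 10.0.0.0/8 192.168.0.0/16
    </Location>

    # Filesystem-level access for the aliased paths. Indexes are left off so
    # the archive directory cannot be listed; FollowSymLinks is needed because
    # the public archive directory holds symlinks into the per-list archives.
    <Directory /usr/lib/cgi-bin/mailman/>
        AllowOverride None
        Require ip 10.0.0.0/8 192.168.0.0/16
    </Directory>
    <Directory /var/lib/mailman/archives/public/>
        Options FollowSymLinks
        AllowOverride None
        Require ip 10.0.0.0/8 192.168.0.0/16
    </Directory>
    <Directory /usr/share/images/mailman/>
        AllowOverride None
        Require ip 10.0.0.0/8 192.168.0.0/16
    </Directory>
</VirtualHost>
```

On Apache 2.2 the `Require ip` lines become the older `Order deny,allow` / `Deny from all` / `Allow from 10.0.0.0/8 192.168.0.0/16` form. For the generated links to match the https host, Mailman 2.1's `mm_cfg.py` also needs `DEFAULT_URL_PATTERN = 'https://%s/mailman/'` and `DEFAULT_URL_HOST` set to the same hostname. The web server restriction is the second layer: the firewall rule that drops ports 80 and 443 from outside the LAN/VPN, as recommended in the message above, stays in place regardless, so a misconfigured Apache does not silently expose the pages.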


Re: [Mailman-Users] MailMan For LAN Only

2009-08-07 Thread Adam McGreggor
On Wed, Aug 05, 2009 at 11:54:44AM -0400, Carlos Williams wrote:
> I am wanting to implement MailMan for my company LAN. I am currently
> running my email server on Postfix. I am wondering if someone can
> answer these questions for me. If I install MailMan / Apache on my
> mail server, will the MailMan list be visible by anyone on the web who
> can access my mail server via Apache? 

"visible" in which regard? via Apache, it's possible to restrict
access to subnets, for example. Firewall rules can also be invoked.

(in short: depends how you set it up.)

Presumably Postfix supports some sort of ACLs, which may "help" in
keeping your list(s) to people/addresses you've explicitly
whitelisted, or something similar. Or just rely on Mailman's handling
of non-members.

> I am worried about spammers
> using MailMan to harvest valid email addresses. Even though it appears
> from the reading I have done that non-members can't send to the list
> w/o moderator approval, I still don't want the vulnerability of
> exposing my subscribed members email addresses.

restrict seeing subscribers to admins only? use "strong" passwords,
perhaps. Disable access to specific mailman scripts from non-trusted
addresses? don't have archives available to the public internet? 

> Can someone please tell me if this is possible 

Should be...

> and or how I should consider configuring MailMan for my LAN?

... although most of what you're after, as I understand it, is
not within Mailman itself, but down to webserver/firewall/MTA
configuration (well, that's how I might go about sorting out a
'private' installation)


-- 
``Have you always been revolutionary socialists?''
``No, we vote Conservative.''  (Simon Hoggart, interviewing a middle-class
couple at a reading of Tony Benn's speeches)


[Mailman-Users] MailMan For LAN Only

2009-08-06 Thread Carlos Williams
I am wanting to implement MailMan for my company LAN. I am currently
running my email server on Postfix. I am wondering if someone can
answer these questions for me. If I install MailMan / Apache on my
mail server, will the MailMan list be visible by anyone on the web who
can access my mail server via Apache? I am worried about spammers
using MailMan to harvest valid email addresses. Even though it appears
from the reading I have done that non-members can't send to the list
w/o moderator approval, I still don't want the vulnerability of
exposing my subscribed members email addresses. Can someone please
tell me if this is possible and or how I should consider configuring
MailMan for my LAN?

Thanks for any assistance!

--
Carlos