Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Grant Taylor via Mailman-Users

On 05/31/2018 09:33 PM, incoming-pythonli...@rjl.com wrote:
> I wrote scripts that read the list and generated a rule per network.
> It can be slow, but has worked reliably for many years.  Since it is a
> mailserver, performance has not been a big issue.  I am in the process
> of designing a replacement.  If you enter your list of networks as a
> separate iptables list, then you only need to call that list when the
> traffic is on the relevant port(s), so you avoid traversing the list
> for other services.

*nod*

Thank you for sharing.

I've done something similar with IPSets and recently using routing with
reverse path filtering.

I've found all of the above to be quite effective.



--
Grant. . . .
unix || die
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread incoming-pythonlists
On 05/31/2018 06:24 PM, Grant Taylor via Mailman-Users wrote:
>
>> There are many ways to implement the same thing.  Before there were
>> modules in the kernel for this, I simply pulled lists of address
>> blocks out of databases and incorporated them into my IPtables
>> lists.  There are better tools to do this today.
>
> ACK
>
> I'm curious, did you use IPSets or just a rule per network / IP?

I wrote scripts that read the list and generated a rule per network.  It
can be slow, but has worked reliably for many years.  Since it is a
mailserver, performance has not been a big issue.  I am in the process
of designing a replacement.  If you enter your list of networks  as a
separate iptables list, then you only need to call that list when the
traffic is on the relevant port(s), so you avoid traversing the list for
other services.

Nataraj




Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Grant Taylor via Mailman-Users

On 05/31/2018 06:37 PM, incoming-pythonli...@rjl.com wrote:
> Both are valid alternatives.  There may be performance advantages,
> to stopping attacks at the firewall level instead of higher up in the
> application stack.

Agreed, on both accounts.

Firewalls also have a tendency to protect multiple machines, not just
one. (I'm referring to network appliance type firewalls, not host based.)

> No, this is not security through obscurity.  It runs on a different
> port so I can add firewall rules that affect only the mailman service and
> not other web applications.

Fair enough.

> I need to give my users a url that they can easily remember.  It's too
> complex to have to give them urls with port numbers in them, and since
> this is not security through obscurity, it is not a problem.

Fair.

> yes

*nod*

> There are many ways to implement the same thing.  Before there were
> modules in the kernel for this, I simply pulled lists of address blocks
> out of databases and incorporated them into my IPtables lists.  There are
> better tools to do this today.

ACK

I'm curious, did you use IPSets or just a rule per network / IP?

> It was unclear from the OP's initial posting whether it was a private
> or a public mailing list.  What I describe here probably would not be
> appropriate for a public list and the best solution there is probably to
> upgrade to mailman 3 if they need a more secure interface that is wide
> open to the public.  VPN and/or fwknop (which is primarily SPA though the
> older port knocking is still supported) are more suitable if you have
> a private list where user membership must be approved anyway and your
> moderators and admins might use these tools to have access to mailman,
> but the web GUI would be blocked from public access.
>
> Certainly adding web server based username authentication sounds pretty
> cumbersome to me because users would have to login twice,

Maybe, maybe not.

I've seen applications that can re-use the web server's authentication
mechanism.  This would likely be a code change to Mailman.  (I have no
idea how big.)

> though from a security standpoint it would help protect from
> vulnerabilities in the mailman web GUI.

;-)

> There's no one answer to solving these problems.  I'm only sharing
> ideas that have worked for me.  The less of the public Internet that
> can apply brute force attacks on your web interface, the less likely
> you are to have a compromise.  Also, the less junk in your log files,
> the easier it is to monitor the logs.

Nope.  Hence my interest in what others have done and why they did it.
I'm always interested in observing and hopefully learning.

> I plan to go to mailman 3, but in the meantime I have minimal issues with
> attacks on my mailman GUI.  Maybe not the perfect solution for everyone,
> but it is effective.

If it does what you need it to and you feel comfortable maintaining it,
then more power to you.




--
Grant. . . .
unix || die


Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread incoming-pythonlists
On 05/31/2018 11:25 AM, Grant Taylor via Mailman-Users wrote:
> I feel like I'm missing something and as such have some questions.
>
> On 05/31/2018 11:42 AM, incoming-pythonli...@rjl.com wrote:
>> Depending on where your users are coming from, it might be easier to
>> limit access to the GUI using a firewall.
>
> Why are you using a firewall instead of leveraging the web server's
> ability to filter by IP?

Both are valid alternatives.  There may be performance advantages, to
stopping attacks at the firewall level instead of higher up in the
application stack.

>
>> What I do, is to run the mailman GUI on a non-standard https port.
>
> Okay.  (Additional) security through obscurity.  Sure.  I do similar
> with various things.

No, this is not security through obscurity.  It runs on a different port
so I can add firewall rules that affect only the mailman service and not
other web applications.

>
>> I then create webserver URL rewrites that redirect url access to that
>> port.
>
> Why?  I feel like this voids hiding the Mailman Web UI on an alternate
> port?

I need to give my users a url that they can easily remember.  It's too
complex to have to give them urls with port numbers in them, and since
this is not security through obscurity, it is not a problem.

>
>> I use my firewall (IPTABLES), to control who can access the GUI.  If
>> all of your users come from a LAN inside an office, you can easily
>> restrict access to only those on the LAN.
>
> Or is this purely so that you can protect the Mailman Web UI via the
> firewall without impacting other web resources running on the default
> ports?

yes

>
>> I've also used things like GEOIP, and other tools to limit access to
>> specific countries or specific geographic areas or specific service
>> providers.  A lot of attacks come from outside countries and limiting
>> access substantially reduces attacks on my servers.
>
> I've not messed with GeoIP filters in a long time.  I don't know how
> IPTables' GeoIP feature set compares with Apache's / Nginx's GeoIP
> feature set.

There are many ways to implement the same thing.  Before there were
modules in the kernel for this, I simply pulled lists of address blocks
out of databases and incorporated them into my IPtables lists.  There
are better tools to do this today.
>
>> You could also require users to use a VPN or fwknop in order to access
>> the GUI.  This is easy if your users already access your site over a
>> VPN.
>
> I can see a VPN for corporate users.  I think it's a high bar for most
> public mailing lists.  Maybe not for the (few) administrator(s).
>
> I feel like port knocking is a REALLY HIGH BAR for most public mailing
> lists.

It was unclear from the OP's initial posting whether it was a private or
a public mailing list.  What I describe here probably would not be
appropriate for a public list and the best solution there is probably to
upgrade to mailman 3 if they need a more secure interface that is wide
open to the public.  VPN and/or fwknop (which is primarily SPA though
the older port knocking is still supported) are more suitable if you
have a private list where user membership must be approved anyway and
your moderators and admins might use these tools to have access to
mailman, but the web GUI would be blocked from public access.

Certainly adding web server based username authentication sounds pretty
cumbersome to me because users would have to login twice, though from a
security standpoint it would help protect from vulnerabilities in the
mailman web GUI.

There's no one answer to solving these problems.  I'm only sharing ideas
that have worked for me.  The less of the public Internet that can apply
brute force attacks on your web interface, the less likely you are to
have a compromise.  Also, the less junk in your log files, the easier it
is to monitor the logs.

I plan to go to mailman 3, but in the meantime I have minimal issues
with attacks on my mailman GUI.  Maybe not the perfect solution for
everyone, but it is effective.

Nataraj





Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Dimitri Maziuk
On 05/31/2018 04:52 PM, Grant Taylor via Mailman-Users wrote:
> On 05/31/2018 03:05 PM, Dimitri Maziuk wrote:
>> What exactly is it about mailman usernames and passwords that you are
>> trying to protect with HTTPS?
> 
> I wasn't talking about Mailman usernames (email addresses) and
> passwords.  I was talking about the usernames and passwords for Basic
> HTTP(S) authentication.  As in authenticating to the web server and
> having it control who can access the Mailman Web UI.

Ah, sorry, I didn't realize you propose to protect subscriber's username
and password by requiring a second username and password to get to them.
Moving along now.

-- 
Dimitri Maziuk
Programmer/sysadmin
BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu





Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Grant Taylor via Mailman-Users

On 05/31/2018 03:05 PM, Dimitri Maziuk wrote:
> What exactly is it about mailman usernames and passwords that you are
> trying to protect with HTTPS?

I wasn't talking about Mailman usernames (email addresses) and
passwords.  I was talking about the usernames and passwords for Basic
HTTP(S) authentication.  As in authenticating to the web server and
having it control who can access the Mailman Web UI.

There's always the fact that HTTPS (SSL/TLS) protects both sets of
credentials.

I was replying to the original poster, Michael P., suggesting that
HTTP(S)'s Basic Authentication can be used to protect the Mailman Web UI.




--
Grant. . . .
unix || die



Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Dimitri Maziuk
On 05/31/2018 02:40 PM, Grant Taylor via Mailman-Users wrote:
> On 05/31/2018 01:18 PM, Dimitri Maziuk wrote:
>> Yeah, I too once thought that was a good idea.
> 
> I'm not quite following you.  Are you saying that you now dislike
> HTTP(S) usernames & passwords specifically?

I do dislike the HTTPS push specifically. Google has a vested interest
in stopping those pesky ISPs from replacing Google's revenue-generating
ads with their own. I don't.

What exactly is it about mailman usernames and passwords that you are
trying to protect with HTTPS?

-- 
Dimitri Maziuk
Programmer/sysadmin
BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu





Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Grant Taylor via Mailman-Users

On 05/31/2018 01:18 PM, Dimitri Maziuk wrote:
> Yeah, I too once thought that was a good idea.

I'm not quite following you.  Are you saying that you now dislike
HTTP(S) usernames & passwords specifically?  Or are you saying that you
dislike hosting something yourself?

> And then heartbleed came along, and our knee-jerk security department
> cut off everyone who hasn't patched in 24 hours -- at the gateway.

Problems happen.  It's how you (or the powers that be) respond to
something that matters.

> As Murphy would have it, I was traveling across the Atlantic and our
> other IT guy was driving across North America. And of course cut-off at
> the gateway meant no mail, no ssh, no way to know what happened and no
> way to fix it.

Yep.  Murphy and his law will get you when you least expect it or are
least able to respond to it.

> This stuff sounds like it's coming from the same security experts.
> Proper answer with those guys is don't run mailman. Export the subscribers
> and use it as CC list in Orifice'365: you can't go wrong with "industry
> standard".

I'm going to disagree with you there.  You most certainly can go wrong
with "industry standard" or "what everybody else does".




--
Grant. . . .
unix || die



Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Dimitri Maziuk
On 05/31/2018 01:25 PM, Grant Taylor via Mailman-Users wrote:
> On 05/30/2018 03:36 PM, Parker, Michael D. wrote:
>> I've been assigned the task of attempting to secure our current
>> implementation of GNU MailMan.
> 
> One thing that I've not seen (or missed) in this thread is the idea of
> leveraging HTTPS usernames and passwords to protect the web interface.

Yeah, I too once thought that was a good idea. And then heartbleed came
along, and our knee-jerk security department cut off everyone who hasn't
patched in 24 hours -- *at the gateway*. As Murphy would have it, I was
traveling across the Atlantic and our other IT guy was driving across
North America. And of course cut-off at the gateway meant no mail, no
ssh, no way to know what happened and no way to fix it.

This stuff sounds like it's coming from the same security experts.
Proper answer with those guys is don't run mailman. Export the
subscribers and use it as CC list in Orifice'365: you can't go wrong
with "industry standard".

-- 
Dimitri Maziuk
Programmer/sysadmin
BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu





Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Grant Taylor via Mailman-Users

I feel like I'm missing something and as such have some questions.

On 05/31/2018 11:42 AM, incoming-pythonli...@rjl.com wrote:
> Depending on where your users are coming from, it might be easier to
> limit access to the GUI using a firewall.

Why are you using a firewall instead of leveraging the web server's
ability to filter by IP?

> What I do, is to run the mailman GUI on a non-standard https port.

Okay.  (Additional) security through obscurity.  Sure.  I do similar
with various things.

> I then create webserver URL rewrites that redirect url access to that
> port.

Why?  I feel like this voids hiding the Mailman Web UI on an alternate port?

> I use my firewall (IPTABLES), to control who can access the GUI.  If all
> of your users come from a LAN inside an office, you can easily restrict
> access to only those on the LAN.

Or is this purely so that you can protect the Mailman Web UI via the
firewall without impacting other web resources running on the default ports?

> I've also used things like GEOIP, and other tools to limit access to
> specific countries or specific geographic areas or specific service
> providers.  A lot of attacks come from outside countries and limiting
> access substantially reduces attacks on my servers.

I've not messed with GeoIP filters in a long time.  I don't know how
IPTables' GeoIP feature set compares with Apache's / Nginx's GeoIP
feature set.

> You could also require users to use a VPN or fwknop in order to access
> the GUI.  This is easy if your users already access your site over a VPN.

I can see a VPN for corporate users.  I think it's a high bar for most
public mailing lists.  Maybe not for the (few) administrator(s).

I feel like port knocking is a REALLY HIGH BAR for most public mailing
lists.




--
Grant. . . .
unix || die



Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Grant Taylor via Mailman-Users

On 05/31/2018 12:25 PM, Grant Taylor wrote:
> IMHO the web server has a LOT more experience at user access control
> than most web applications. As such, I feel like the web server probably
> has a better handle on how to do it.

Apache (and I suspect Nginx) has the ability to use client side TLS
certificates to authenticate the client to the server.  —  I have yet to
see any Web UI leverage this.  —  It's built into the web server.  }:-)




--
Grant. . . .
unix || die



Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Grant Taylor via Mailman-Users

On 05/30/2018 03:36 PM, Parker, Michael D. wrote:
> I've been assigned the task of attempting to secure our current
> implementation of GNU MailMan.

One thing that I've not seen (or missed) in this thread is the idea of
leveraging HTTPS usernames and passwords to protect the web interface.

IMHO the web server has a LOT more experience at user access control
than most web applications. As such, I feel like the web server probably
has a better handle on how to do it.

As for the default ugly username & password dialog box, there are ways
around that.




--
Grant. . . .
unix || die



Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread incoming-pythonlists
On 05/31/2018 09:52 AM, Mark Sapiro wrote:
> On 05/31/2018 08:10 AM, Carl Zwanzig wrote:
>
>>> 3.   Can user passwords be eliminated and have the list
>>> administrator make any user adjustments which should not be necessary?
>> At a great loss of utility, sure. This would require a code change.
>
> The code changes to do it right would not be simple.

Depending on where your users are coming from, it might be easier to
limit access to the GUI using a firewall.  What I do, is to run the
mailman GUI on a non-standard https port.  I then create webserver URL
rewrites that redirect url access to that port.  I use my firewall
(IPTABLES), to control who can access the GUI.  If all of your users
come from a LAN inside an office, you can easily restrict access to only
those on the LAN.  I've also used things like GEOIP, and other tools to
limit access to specific countries or specific geographic areas or
specific service providers.  A lot of attacks come from outside countries
and limiting access substantially reduces attacks on my servers.

You could also require users to use a VPN or fwknop in order to access
the GUI.  This is easy if your users already access your site over a VPN.

Nataraj
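Nataraj's setup above (the Mailman UI on its own HTTPS port, with iptables deciding who may reach it) and the refinement in his reply near the top of this page (keep the networks in a separate iptables list that is only consulted for the Mailman port, so other services never walk it) can be spelled out as a script. What follows is an added example written for this page, not code posted in the thread; the port 8443, the chain name MAILMAN_ALLOW, the set name mailman_allow and the allow-list contents are all assumptions. The functions print the iptables and ipset commands instead of running them, so the output can be reviewed and then piped to sh as root once the values match your system.

```shell
#!/bin/sh
# Added example (not code from the thread): build the "separate iptables
# list" Nataraj describes, once as a dedicated chain with one rule per
# network and once with an ipset, so that only traffic to the Mailman port
# ever traverses the allow-list.  Port, chain and set names are assumptions.
# Commands are printed, not executed, so this runs without root or iptables.

MAILMAN_PORT="${MAILMAN_PORT:-8443}"     # assumed non-standard HTTPS port for the Mailman UI
CHAIN="${CHAIN:-MAILMAN_ALLOW}"          # hypothetical chain name
IPSET="${IPSET:-mailman_allow}"          # hypothetical ipset name

# Read an allow-list from stdin (one CIDR per line; '#' comments and blank
# lines ignored) and print one normalized network per line.
each_net() {
    while IFS= read -r line || [ -n "$line" ]; do
        net=${line%%#*}            # strip a trailing comment
        set -- $net                # strip surrounding whitespace
        [ -n "${1:-}" ] || continue
        printf '%s\n' "$1"
    done
}

# Variant 1: one ACCEPT rule per network in a dedicated chain.  INPUT only
# jumps into the chain for the Mailman port, so SMTP, SSH and the default
# web ports never walk the (possibly long) list.  Unlisted sources that
# reach the port fall through to the DROP at the end of the chain.
gen_chain_rules() {
    printf 'iptables -N %s 2>/dev/null || true\n' "$CHAIN"   # harmless if the chain already exists
    printf 'iptables -F %s\n' "$CHAIN"
    each_net | while IFS= read -r net; do
        printf 'iptables -A %s -s %s -j ACCEPT\n' "$CHAIN" "$net"
    done
    printf 'iptables -A %s -j DROP\n' "$CHAIN"
    # Delete any stale jump first so re-running does not stack duplicates.
    printf 'iptables -D INPUT -p tcp --dport %s -j %s 2>/dev/null || true\n' "$MAILMAN_PORT" "$CHAIN"
    printf 'iptables -I INPUT -p tcp --dport %s -j %s\n' "$MAILMAN_PORT" "$CHAIN"
}

# Variant 2: the same policy with an ipset.  The lookup is a hash, not a
# rule walk, and the list is rebuilt in a scratch set and swapped in
# atomically, so a reload never leaves the port with an empty set.
gen_ipset_rules() {
    tmp="${IPSET}_new"
    printf 'ipset create %s hash:net -exist\n' "$IPSET"
    printf 'ipset create %s hash:net -exist\n' "$tmp"
    printf 'ipset flush %s\n' "$tmp"
    each_net | while IFS= read -r net; do
        printf 'ipset add %s %s -exist\n' "$tmp" "$net"
    done
    printf 'ipset swap %s %s\n' "$tmp" "$IPSET"
    printf 'ipset destroy %s\n' "$tmp"
    printf 'iptables -D INPUT -p tcp --dport %s -m set ! --match-set %s src -j DROP 2>/dev/null || true\n' "$MAILMAN_PORT" "$IPSET"
    printf 'iptables -I INPUT -p tcp --dport %s -m set ! --match-set %s src -j DROP\n' "$MAILMAN_PORT" "$IPSET"
}

# Constructed sample allow-list (documentation ranges, not real networks).
sample_allowlist() {
    cat <<'EOF'
# office LAN
192.0.2.0/24
198.51.100.0/24   # VPN address pool
EOF
}

sample_allowlist | gen_chain_rules
sample_allowlist | gen_ipset_rules
```

Both variants fail closed: anything not on the list that reaches the Mailman port is dropped, while SMTP, SSH and the standard web ports are untouched. The ipset variant is the shape Grant alludes to with IPSets; the rule count stays at one no matter how many networks (or GeoIP-derived blocks) the list holds. Note that the URL rewrite Nataraj describes still lives on the public web port; only the rewritten destination port is protected by these rules.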



Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Mark Sapiro
On 05/31/2018 08:10 AM, Carl Zwanzig wrote:
> I'm sure Mark has more complete answers, but diving in anyways :)


Carl's answers are good, but to add a bit ...


> On 5/30/2018 2:36 PM, Parker, Michael D. wrote:
> 
>> Some of the initial items that have been directed my way:
>> 1.   Can archiving be totally and permanently be eliminated?
> More than turning it off on a per-list basis? (This doesn't "secure"
> mailman, it only makes archives unusable. You'd be better off to hide
> them behind a web page requiring web-server authentication.) Won't stop
> users from keeping their own archives, of course. (Or change the code to
> disable them.)


To disable archiving completely, you could add to mm_cfg.py

# drop the archiver handler from the pipeline every delivered post goes through
GLOBAL_PIPELINE.remove('ToArchive')


>> 2.   How and where are the passwords stored?
> IIRC users' list passwords are stored in the list config 'pickle' in the
> lists/ directory; see the comments in "Mailman/SecurityManager.py".


Correct.


>> 3.   Can user passwords be eliminated and have the list
>> administrator make any user adjustments which should not be necessary?
> At a great loss of utility, sure. This would require a code change.


The code changes to do it right would not be simple.


>> 4.   Does the website have to run in http: since passwords are
>> entered at points in the interactions?
> No, the FAQ describes how to enable HTTPS.


Specifically .


-- 
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan


Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Carl Zwanzig

I'm sure Mark has more complete answers, but diving in anyways :)

On 5/30/2018 2:36 PM, Parker, Michael D. wrote:
> I've been assigned the task of attempting to secure our current implementation
> of GNU MailMan.

You're probably better off changing to MM3, but if you have to stay with v2--

> What did you do?

Needs a better definition of "secure" and an understanding of the intended
goals- protect the archive? spam prevention? keep users from (un)subscribing
lists? Are these goals part of the _mailing_list_manager_ or another part of
the system (web server, email MTA & spam filtering, file sharing, etc)?

> Some of the initial items that have been directed my way:
> 1.   Can archiving be totally and permanently be eliminated?

More than turning it off on a per-list basis? (This doesn't "secure"
mailman, it only makes archives unusable. You'd be better off to hide them
behind a web page requiring web-server authentication.) Won't stop users
from keeping their own archives, of course. (Or change the code to disable
them.)

> 2.   How and where are the passwords stored?

IIRC users' list passwords are stored in the list config 'pickle' in the
lists/ directory; see the comments in "Mailman/SecurityManager.py".

> 3.   Can user passwords be eliminated and have the list administrator make
> any user adjustments which should not be necessary?

At a great loss of utility, sure. This would require a code change.

> 4.   Does the website have to run in http: since passwords are entered at
> points in the interactions?

No, the FAQ describes how to enable HTTPS.


Later,

z!