Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Grant Taylor via Mailman-Users
On 05/31/2018 09:33 PM, incoming-pythonli...@rjl.com wrote: I wrote scripts that read the list and generated a rule per network. It can be slow, but has worked reliably for many years. Since it is a mailserver, performance has not been a big issue. I am in the process of designing a replaceme

Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread incoming-pythonlists
On 05/31/2018 06:24 PM, Grant Taylor via Mailman-Users wrote: > >> There are many ways to implement the same thing.  Before there were >> modules in the kernel for this, I simply pulled lists of address >> blocks out of databases and incorporated them into my IPtables >> lists.  There are better to

Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Grant Taylor via Mailman-Users
On 05/31/2018 06:37 PM, incoming-pythonli...@rjl.com wrote: Both are valid alternatives. There may be performance advantages, to stopping attacks at the firewall level instead of higher up in the application stack. Agreed, on both accounts. Firewalls also have a tendency to protect multiple

Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread incoming-pythonlists
On 05/31/2018 11:25 AM, Grant Taylor via Mailman-Users wrote: > I feel like I'm missing something and as such have some questions. > > On 05/31/2018 11:42 AM, incoming-pythonli...@rjl.com wrote: >> Depending on where your users are coming from, it might be easier to >> limit access to the GUI using

Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Dimitri Maziuk
On 05/31/2018 04:52 PM, Grant Taylor via Mailman-Users wrote: > On 05/31/2018 03:05 PM, Dimitri Maziuk wrote: >> What exactly is it about mailman usernames and passwords that you are >> trying to protect with HTTPS? > > I wasn't talking about Mailman usernames (email addresses) and > passwords.  I

Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Grant Taylor via Mailman-Users
On 05/31/2018 03:05 PM, Dimitri Maziuk wrote: What exactly is it about mailman usernames and passwords that you are trying to protect with HTTPS? I wasn't talking about Mailman usernames (email addresses) and passwords. I was talking about the usernames and passwords for Basic HTTP(S) authen

Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Dimitri Maziuk
On 05/31/2018 02:40 PM, Grant Taylor via Mailman-Users wrote: > On 05/31/2018 01:18 PM, Dimitri Maziuk wrote: >> Yeah, I too once thought that was a good idea. > > I'm not quite following you.  Are you saying that you now dislike > HTTP(S) usernames & passwords specifically? I do dislike the HTTP

Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Grant Taylor via Mailman-Users
On 05/31/2018 01:18 PM, Dimitri Maziuk wrote: Yeah, I too once thought that was a good idea. I'm not quite following you. Are you saying that you now dislike HTTP(S) usernames & passwords specifically? Or are you saying that you dislike hosting something yourself? And then heartbleed came

Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Dimitri Maziuk
On 05/31/2018 01:25 PM, Grant Taylor via Mailman-Users wrote: > On 05/30/2018 03:36 PM, Parker, Michael D. wrote: >> I've been assigned the task of attempting to secure our current >> implementation of GNU MailMan. > > One thing that I've not seen (or missed) in this thread is the idea of > levera

Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Grant Taylor via Mailman-Users
I feel like I'm missing something and as such have some questions. On 05/31/2018 11:42 AM, incoming-pythonli...@rjl.com wrote: Depending on where your users are coming from, it might be easier to limit access to the GUI using a firewall. Why are you using a firewall instead of leveraging the w

Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Grant Taylor via Mailman-Users
On 05/31/2018 12:25 PM, Grant Taylor wrote: IMHO the web server has a LOT more experience at user access control than most web applications. As such, I feel like the web server probably has a better handle on how to do it. Apache (and I suspect Nginx) has the ability to use client side TLS ce
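As an added example (not code from this thread, and not part of Mailman itself): an Apache 2.4 configuration that does what the messages above describe for a Mailman 2.x install, putting the web server's own access control in front of the admin CGIs. It assumes the common ScriptAlias /mailman/ -> cgi-bin layout; the hostname, certificate paths, the 192.0.2.0/24 network and the htpasswd file name are placeholders to adjust for your site.

```apache
# Added example, not from the thread or from Mailman itself.
# Assumes the common ScriptAlias /mailman/ -> cgi-bin layout of a Mailman 2.x
# package; hostnames, networks and file paths are placeholders.

<VirtualHost *:80>
    ServerName lists.example.com
    # Never serve the CGIs over plain HTTP: Basic-auth credentials and
    # Mailman's own list passwords would otherwise cross the wire in clear.
    Redirect permanent / https://lists.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName lists.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/lists.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/lists.example.com.key

    # Client certificates: "optional" so the public pages still work without
    # one; the admin section below insists on a successful verification.
    SSLCACertificateFile  /etc/ssl/certs/internal-ca.pem
    SSLVerifyClient optional
    SSLVerifyDepth  2

    ScriptAlias /mailman/   /usr/lib/mailman/cgi-bin/
    Alias       /pipermail/ /var/lib/mailman/archives/public/

    # Subscriber-facing CGIs (listinfo, options, confirm, ...) stay reachable.
    <Location "/mailman/">
        Require all granted
    </Location>

    # Administration and moderation CGIs get an extra layer in front of
    # Mailman's own password prompt: a Basic-auth login, and in addition
    # either a trusted source network or a verified client certificate.
    <LocationMatch "^/mailman/(admin|admindb|create|rmlist)(/|$)">
        AuthType Basic
        AuthName "Mailman administration"
        AuthUserFile /etc/apache2/mailman.htpasswd
        <RequireAll>
            Require valid-user
            <RequireAny>
                Require ip 192.0.2.0/24
                Require ssl-verify-client
            </RequireAny>
        </RequireAll>
    </LocationMatch>
</VirtualHost>
```

Create the credential file with `htpasswd -B -c /etc/apache2/mailman.htpasswd listadmin` and check the result with `apachectl configtest` before reloading. The `Require ip` line is the web-server counterpart of the firewall rule discussed elsewhere in the thread; it only covers the web interface, so a host firewall is still the place to protect anything else the box exposes. Note that the admindb links Mailman mails to moderators land in the protected location too, so every moderator needs an entry in the htpasswd file or a client certificate from the internal CA.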

Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Grant Taylor via Mailman-Users
On 05/30/2018 03:36 PM, Parker, Michael D. wrote: I've been assigned the task of attempting to secure our current implementation of GNU MailMan. One thing that I've not seen (or missed) in this thread is the idea of leveraging HTTPS usernames and passwords to protect the web interface. IMHO

Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread incoming-pythonlists
On 05/31/2018 09:52 AM, Mark Sapiro wrote: > On 05/31/2018 08:10 AM, Carl Zwanzig wrote: > >>> 3.   Can user passwords be eliminated and have the list >>> administrator make any user adjustments which should not be necessary? >> At a great loss of utility, sure. This would require a code change

Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Mark Sapiro
On 05/31/2018 08:10 AM, Carl Zwanzig wrote: > I'm sure Mark has more complete answers, but diving in anyways :) Carl's answers are good, but to add a bit ... > On 5/30/2018 2:36 PM, Parker, Michael D. wrote: > >> Some of the initial items that have been directed my way: >> 1.   Can archivi

Re: [Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Carl Zwanzig
I'm sure Mark has more complete answers, but diving in anyways :) On 5/30/2018 2:36 PM, Parker, Michael D. wrote: I've been assigned the task of attempting to secure our current implementation of GNU MailMan. You're probably better off changing to MM3, but if you have to stay with v2-- What

[Mailman-Users] How do I run 2.x mailman more securely?

2018-05-31 Thread Parker, Michael D.
I've been assigned the task of attempting to secure our current implementation of GNU MailMan. Have any of you out there done this? What did you do? Some of the initial items that have been directed my way: 1. Can archiving be totally and permanently be eliminated? 2. How and wh