[Mailman-Developers] MailMan-Traffic

J C Lawrence claw@kanga.nu
Thu, 25 Apr 2002 09:09:30 -0700


On Thu, 25 Apr 2002 06:11:10 -0400 
Carson Gaspar <carson@taltos.org> wrote:

> Speaking as someone who has just a few years of computer security
> experience, the above proposal accomplishes just about nothing,
> security-wise. If the mail list system in the DMZ can get the
> subscriber data from the system inside your firewall, then so can any
> attacker that compromises the mail list system. If you have some sort
> of read-only access to the datastore, then you may be protected from
> corruption, but not disclosure.

You have to think about it in terms of threat vectors and risk containment.

With Mailman storing the membership roster locally, the only thing
required to expose the roster is compromise of the Mailman box (it can
then be copied off at leisure).  With the membership roster stored
remotely, exposure of the membership roster requires compromise both of
the Mailman box and of the authentication/access controls for the
membership roster (assuming a reasonably constrained ACL/capability
system).  That need not be a trivial second step.

Further, Chuq's rosters are likely approaching large enough that he
needs to keep them under an external DB.  In such a case, moving that DB
off the Mailman box gives various advantages and disadvantages, primary
among which are reduced complexity on the mailman box, no need for
external access/export of the DB to other systems (e.g. marketing), better
segmentation of risks, and reduced exposure to same-network-segment (as
the mailman server) system compromise.

-- 
J C Lawrence
---------(*)                Satan, oscillate my metallic sonatas. 
claw@kanga.nu               He lived as a devil, eh?		  
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.