[Mailman-Developers] 2.1.8 documentation mismatch

Brad Knowles brad at stop.mail-abuse.org
Fri Jun 9 16:01:31 CEST 2006


At 11:06 AM +0100 2006-06-09, Ian Eiloart wrote:

>>  	Using a per-sender password for the same mechanism will prevent the
>>  spoofing,
>
>  Only if you ensure that the entire email transmission chain is encrypted.

	Using the existing "Approved:" mechanism would also prevent the 
spoofing, and would have the same exposures regarding encryption.

	We're not trying to fix all of the security problems in Mailman, 
we're just trying to take an existing mechanism (with known 
vulnerabilities) and extend that to work in a per-sender manner.

>  That's only possible if you know the sender is on-site (on your campus,
>  in your company, whatever). If that's true, then you can rely on
>  authenticated SMTP anyway.

	Red Herring.  We're not trying to fix all the possible security 
problems in Mailman.  That's a job for Barry, Tokio, Mark, and others.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

  LOPSA member since December 2005.  See <http://www.lopsa.org/>.

