Mailman Passwords: How Fedora IT is dealing with them

Fedora uses Mailman to run its mailing lists, and for all its strengths it is showing its age. One of its biggest irritants is its password system. Back in the stone age of the 1980s, mailing list software was usually driven either by arcane email commands sent to some sort of list server, or by a list administrator making changes on the user's behalf (mainly because it might take eight or so emails to get some versions of the software to put you on vacation or switch you to digest, UUCP or whatever, while a single email to the list administrator would get it done).

When the web arrived around 1995, various mailing list packages added software that let users "self-service" their subscriptions without having to reach the list administrator. This had great benefits, but "griefers" also found it a great way to unsubscribe people, change their options, and so on. So Mailman's authors put in passwords to stop this, and because they knew the first thing people would do is forget the password, they added a monthly reminder email.

These days those of us with many subscriptions call the first of the month "Happy Mailman Day", as we get multiple emails telling us that we are subscribed to devel@lists.fedoraproject.org and that our password is "spew-guts-twiggles", in case we want to change some options. That is all fine as long as we don't also use spew-guts-twiggles to protect our bank account, but some people will use the same password in multiple places.

To discourage this, most Mailman subscription forms carry the following text:

Your email address:  
Your name (optional):  
You may enter a privacy password below. This provides only mild security, but should prevent others from messing with your subscription. Do not use a valuable password as it will occasionally be emailed back to you in cleartext.
If you choose not to enter a password, one will be automatically generated for you, and it will be sent to you once you've confirmed your subscription. You can always request a mail-back of your password when you edit your personal options. Once a month, your password will be emailed to you as a reminder.  

However, as one can guess, few people read this, and password reuse becomes normal. After a good deal of work, Fedora Infrastructure has (we hope) fixed things so that password reuse no longer happens for mailing lists.

  1. We found all accounts whose Mailman password matched their FAS (Fedora Account System) password, and we changed those passwords.
  2. We removed the password fields from the subscription form on the Mailman servers, so passwords can no longer be chosen by the user in the first place. It turns out that if those two fields are removed from the form template, Mailman simply generates a password for you and emails it to you instead. [Mailman 3.0 has this as the default, and when it reaches beta we will look at upgrading to it. That upgrade will also include some other work that Fedora is helping with, but that should be covered by the people doing that work.]
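As an added illustration of both steps above, here is example code written for this post, not Fedora Infrastructure's own tooling. It assumes that Mailman 2 keeps each list's member passwords in cleartext in the list's `config.pck` under a `passwords` mapping (address to password; a constructed dict stands in for the unpickled data), that the account system exposes only salted PBKDF2-SHA256 hashes in a `pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>` layout (an assumption, not FAS's actual storage format), that both sides can be joined on email address, and that a rendered subscription form offers a password only through an `<input type="password">` element. The reuse check hashes the cleartext Mailman side and verifies it against the account hash; nothing is ever reversed.

```python
"""Example: find Mailman passwords that are reused as account passwords,
rotate them, and verify the subscription form no longer asks for one.

Illustrative code for this post only. Assumptions (not taken from the post):
  * Mailman 2 member passwords are available in cleartext (the list's
    config.pck ``passwords`` mapping); a constructed dict is used here.
  * The account system stores ``pbkdf2_sha256$<iter>$<salt_hex>$<hash_hex>``;
    the real FAS format may differ.
  * Both sides are keyed by lowercase email address.
"""
import hashlib
import hmac
import re
import secrets


def hash_password(password: str, iterations: int = 100_000, salt: bytes = b"") -> str:
    """Produce an account-style salted PBKDF2-SHA256 hash (assumed format)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a cleartext candidate against a stored hash in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def find_reused_passwords(mailman_passwords: dict, account_hashes: dict) -> set:
    """Step 1: addresses whose cleartext Mailman password verifies against
    the same address's account hash. Addresses with no account are skipped."""
    reused = set()
    for address, list_password in mailman_passwords.items():
        stored = account_hashes.get(address.lower())
        if stored and verify_password(list_password, stored):
            reused.add(address.lower())
    return reused


def rotate_passwords(mailman_passwords: dict, addresses: set) -> dict:
    """Step 1, second half: give each flagged address a fresh random list
    password (what Mailman would generate itself). Returns an updated copy."""
    updated = dict(mailman_passwords)
    for address in addresses:
        updated[address] = secrets.token_urlsafe(12)
    return updated


# Step 2 check: does a rendered subscription form still offer a password box?
PASSWORD_INPUT = re.compile(r"<input[^>]*type\s*=\s*[\"']?password", re.IGNORECASE)


def form_offers_password(html: str) -> bool:
    """True if the form HTML still contains any password input (regression check)."""
    return bool(PASSWORD_INPUT.search(html))


# Constructed sample data: no real accounts, addresses or passwords.
SAMPLE_MAILMAN_PASSWORDS = {
    "alice@example.org": "spew-guts-twiggles",  # Mailman-generated, unique
    "bob@example.org": "hunter2",               # same as bob's account password
    "carol@example.org": "carol-list-only",     # carol has no account at all
}
SAMPLE_ACCOUNT_HASHES = {
    "alice@example.org": hash_password("correct-horse"),
    "bob@example.org": hash_password("hunter2"),
}

# Constructed HTML: the form before and after the password fields were removed.
FORM_BEFORE = """<form method="POST" action="subscribe">
<input type="text" name="email">
<input type="text" name="fullname">
<input type="password" name="pw">
<input type="PASSWORD" name="pw-conf">
<input type="submit" value="Subscribe">
</form>"""
FORM_AFTER = """<form method="POST" action="subscribe">
<input type="text" name="email">
<input type="text" name="fullname">
<input type="submit" value="Subscribe">
</form>"""


if __name__ == "__main__":
    flagged = find_reused_passwords(SAMPLE_MAILMAN_PASSWORDS, SAMPLE_ACCOUNT_HASHES)
    print("reused:", sorted(flagged))
    rotated = rotate_passwords(SAMPLE_MAILMAN_PASSWORDS, flagged)
    print("still reused after rotation:", find_reused_passwords(rotated, SAMPLE_ACCOUNT_HASHES))
    print("form before offers password:", form_offers_password(FORM_BEFORE))
    print("form after offers password:", form_offers_password(FORM_AFTER))
```

The reuse check only ever hashes the side that is already cleartext, so running it does not require weakening the account system's storage, and its cost is one PBKDF2 derivation per subscriber. The form check is worth wiring into whatever validates template changes, since a later template update could quietly reintroduce the fields.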

tl;dr: Mailman passwords were a place where passwords could be reused and were stored in the clear. Fedora IT has reset the passwords we knew were reused and turned off the ability to enter a chosen (and therefore possibly reused) password again. Further changes will be made as needed.

1 comment:

Chuck said...

Since you brought the topic up here, I have a suggestion but I don't know the practicality of the idea.

Can the Mailman notices be GPG-encrypted to the recipient if there is a public key available in the FAS profile?