[COLUG] mailman implementation policies
Brian Miller
bnmille at gmail.com
Sat Jul 22 15:27:22 EDT 2006

Our work is looking at implementing a mailman (with postfix and apache2) list
server. While discussing it, management has come up with a lot of policy
questions/issues. So I thought I would try to get some feedback from folks
on this list who run listservers. Disclaimer: I think _some_ of the
concerns raised are misguided, but since they have been raised, we'll need to
address them.

Has anyone's security dept. expressed any concern over the monthly
transmission of subscribers' passwords in email? What about the fact that
mailman does not support the forced changing of list owner passwords? What
about the shared nature of list owner and list moderator passwords?

Has anyone implemented SSL on the web interface to protect passwords during
the authentication process? Has anyone thought about it? If you have
thought about it, which way did you go, and why?

Does anyone have policies regarding the purpose or type of lists that can be
created? Management has expressed concerns that any list owner is able to
reconfigure a list to be unmoderated. The first couple of lists we are
looking at are announce-only, and someone raised the issue of what happens
when a list owner changes the configuration? So what policies and/or
procedures do people have to prevent a list owner doing something like that?
Do people allow business units to be list owners, or is that privilege
restricted to IT people (possibly allowing business units to be list
moderators)?

Has anyone installed the server so that the web interface is not accessible
from the Internet (requiring all public subscribe/unsubscribe requests be
accomplished through email)? In this configuration, the web server is only
accessible to users on the internal network.

Mailman allows list owners to delete individual posts. Has anyone limited
this ability? Why or why not? (I'm particularly interested in agencies that
have legal requirements to make all correspondence, documents, etc.,
available upon request.)

What measures have people taken to combat spam? Do you run your spam filter
on the same box as mailman? About how much spam do you get a day? What kind
of load does this put on your server? (Shameless plug: If you don't know
how to determine the load on the server, attend the upcoming COLUG meeting
this Wednesday to find out all about sar/sadc and iostat.)

Thanks for any input you can offer. If you need clarification on anything,
let me know.

Brian