Re: mailing list memberships reminder -> passwords in the clear


 



Sabahattin,

Thanks for the detailed info.

I've been getting passwords mailed to me monthly for years. Someone pointed out the disable option just yesterday.

So I've selected the option, but that's hardly the point: the option should default to OFF and not be enable-able so passwords are never sent in the clear.

I find it hard to understand that this is acceptable to the IETF.

Thanks,
P.


> On 1 Nov 2012, at 20:20, Paul Aitken <paitken@xxxxxxxxx> wrote:
> > Why does the "mailing list memberships reminder" send passwords in the clear?
>
> Because mailman is brain-dead stupid.  See:
> http://www.jwz.org/doc/mailman.html
>
> Sadly, and despite my best efforts to find alternative mailing list software, mailman wins on popularity (ugh) and hence support with practically no competition.  Only majordomo2, which has been unmaintained for a while now (and its author calls it "Dead"), holds much of a chance, but I doubt it would work for the IETF in its current condition.
>
> But have hope!  The IETF serves the mailman interface over TLS, and it is an option that you can exercise *not* to have passwords mailed to you.  Go to your membership options page, and in the group containing the option to turn off the membership reminders, check the checkbox to make it global.  Later, you can have the password mailed to you on demand, or unsubscribe without needing a password at all (email confirmation loop).
>
> > For everything else I'm subscribed to, if I forget my details, one click sends a one-time password-reset link.
> > Passwords are never mailed out, and never shown.
>
> Yes.  Sadly this isn't possible with mailman; you will always be mailed your password if you need it and can't remember it.
>
> HTH.
>
> Cheers,
> Sabahattin


