LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Nathan Brindle <[log in to unmask]>
Mon, 13 Dec 2021 18:07:28 +0000
You probably don't want to do that, because it will also reject non-restricted list mail from non-TLS hosts.  Not everyone uses TLS at this point.  It's just a fact of life.  And that's what opportunistic TLS is for.



For more information about SMTP TLS and LISTSERV, see http://lsoft.com/manuals/lsv-faq/447SMTPTLSandLISTSERV.html



From: LISTSERV Site Administrators' Forum <[log in to unmask]> On Behalf Of Lawrence Finch

Sent: Monday, December 13, 2021 12:47 PM

To: [log in to unmask]

Subject: Re: Passwords (do they get sent unencrypted)?



Your IT can disable non-TLS inbound email. That way the entire message, including the password, will be encrypted. This is an easy setting on the mail server; just disable the unencrypted email port. They should do that anyway, because I’m sure there is a huge amount of email both coming and going that includes company-proprietary content.



Larry





On Dec 13, 2021, at 12:33 PM, Krista <[log in to unmask]> wrote:



I tried the command REP PW XXXXX  and REP password XXXXX and even REP XXXXX and all said "unknown command". I must be using the wrong command or wrong syntax.

So it is possible for a user to initiate the change by sending the command, with the password, in the email, correct?  Is there any way to not allow that and to require them to go to the website to initiate that change?



Krista



On Mon, Dec 13, 2021 at 11:55 AM Lawrence Finch <[log in to unmask]> wrote:

Assuming that your email clients and servers are using TLS, the password updates are being end-to-end encrypted by the mail system. Note that listserv does not send password changes, it only receives them. However, anyone able to log in to the listserv user account can see password updates.





On Dec 13, 2021, at 11:33 AM, Krista <[log in to unmask]> wrote:



My company's IT security folks are concerned that ListServ 16.5 may send password changes "in the clear" through unencrypted email, or that users could send password change requests, via email, to the server (not encrypted).



We're using the ListServ on Windows. Does this ever happen, and if so is it possible for any password changes / requests to be initiated through the web interface only, and that it won't accept users trying to change PW via a mail command, and/or won't send passwords unencrypted via email?



Krista Landon



________________________________

To unsubscribe from the LSTSRV-L list, click the following link:

http://peach.ease.lsoft.com/scripts/wa-PEACH.exe?SUBED1=LSTSRV-L&A=1








############################



To unsubscribe from the LSTSRV-L list:

write to: mailto:[log in to unmask]

or click the following link:

http://peach.ease.lsoft.com/scripts/wa-PEACH.exe?SUBED1=LSTSRV-L&A=1
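
Added example, not part of the original thread and not LISTSERV code: with opportunistic TLS each SMTP hop negotiates encryption on its own, so one way to see how a given command message actually travelled is to read the `with` protocol keyword (RFC 3848) in its `Received` headers. The host names and the sample message below are constructed, and only the `Received` lines written by your own servers can be trusted.

```python
import re
from email import message_from_string

# "with" keywords that record TLS on a hop (RFC 3848, RFC 6531).
TLS_WITH = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample: two hops, the first recorded without TLS.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tby listserv.example.org (Postfix) with ESMTPS id 4F1A2; Mon, 13 Dec 2021 12:33:05 -0500
Received: from desktop.example.net (desktop.example.net [192.0.2.10])
\tby relay.example.net with ESMTP id 9B7C; Mon, 13 Dec 2021 12:33:02 -0500
From: user@example.net
Subject: constructed sample

(command body omitted)
"""

def strip_comments(value):
    """Drop (nested) parenthesised comments so a 'with' inside them is ignored."""
    out, depth = [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)

def hops(raw_message):
    """Return [(receiving_host, protocol, used_tls)] in delivery order."""
    result = []
    received = message_from_string(raw_message).get_all("Received", [])
    for header in reversed(received):  # the newest header comes first in the message
        text = " ".join(strip_comments(str(header)).split())
        by = re.search(r"\bby\s+(\S+)", text)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", text)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        result.append((by.group(1) if by else "?", name, name in TLS_WITH))
    return result

def plaintext_hops(raw_message):
    return [hop for hop in hops(raw_message) if not hop[2]]

if __name__ == "__main__":
    for host, proto, tls in hops(SAMPLE):
        print(f"{host:24} {proto:8} {'TLS' if tls else 'no TLS recorded'}")
```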

