Thank you both. This is great information.
We may want to do this as all email that goes to our ListServ at this point
is from internal network email accounts only (though we have some external
subscribers, who are manually maintained).
I'll talk to the security folks and see just how much they really want this
locked down.
Krista
On Mon, Dec 13, 2021 at 1:07 PM Nathan Brindle <[log in to unmask]> wrote:
> You probably don't want to do that, because it will also reject
> non-restricted list mail from non-TLS hosts. Not everyone uses TLS at this
> point. It's just a fact of life. And that's what opportunistic TLS is for.
>
>
>
> For more information about SMTP TLS and LISTSERV, see
> http://lsoft.com/manuals/lsv-faq/447SMTPTLSandLISTSERV.html
>
>
>
> *From:* LISTSERV Site Administrators' Forum <[log in to unmask]>
> *On Behalf Of *Lawrence Finch
> *Sent:* Monday, December 13, 2021 12:47 PM
> *To:* [log in to unmask]
> *Subject:* Re: Passwords (do they get sent unencrypted)?
>
>
>
> Your IT can disable non-TLS inbound email. That way the entire message,
> including the password, will be encrypted. This is an easy setting on the
> mail server; just disable the unencrypted email port. They should do that
> anyway, because I’m sure there is a huge amount of email both coming and
> going that includes company-proprietary content.
>
>
>
> Larry
>
>
>
> On Dec 13, 2021, at 12:33 PM, Krista <[log in to unmask]> wrote:
>
>
>
> I tried the command REP PW XXXXX and REP password XXXXX and even REP
> XXXXX and all said "unknown command". I must be using the wrong command or
> wrong syntax.
>
> So it is possible for a user to initiate the change by sending the
> command, with the password, in the email, correct? Is there any way to not
> allow that and to require them to go to the website to initiate that change?
>
> Krista
>
>
>
> On Mon, Dec 13, 2021 at 11:55 AM Lawrence Finch <[log in to unmask]>
> wrote:
>
> Assuming that your email clients and servers are using TLS the password
> updates are being end-to-end encrypted by the mail system. Note that
> listserv does not send password changes, it only receives them. However,
> anyone able to log in to the listserv user account can see password updates.
>
>
>
> On Dec 13, 2021, at 11:33 AM, Krista <[log in to unmask]> wrote:
>
>
>
> My company's IT security folks are concerned that ListServ 16.5 may send
> password changes "in the clear" through unencrypted email, or that users
> could send passwords change requests, via email, to the server (not
> encrypted).
>
>
>
> We're using the ListServ on Windows. Does this ever happen, and if so is
> it possible for any password changes / requests to be initiated through the
> web interface only, and that it won't accept users trying to change PW via
> a mail command, and/or won't send passwords unencrypted via email?
>
>
>
> Krista Landon
>
>
> ------------------------------
>
> To unsubscribe from the LSTSRV-L list, click the following link:
> http://peach.ease.lsoft.com/scripts/wa-PEACH.exe?SUBED1=LSTSRV-L&A=1
>
>
>
>
> ------------------------------
>
> To unsubscribe from the LSTSRV-L list, click the following link:
> http://peach.ease.lsoft.com/scripts/wa-PEACH.exe?SUBED1=LSTSRV-L&A=1
>
>
> ------------------------------
>
> To unsubscribe from the LSTSRV-L list, click the following link:
> http://peach.ease.lsoft.com/scripts/wa-PEACH.exe?SUBED1=LSTSRV-L&A=1
>
>
>
>
> ------------------------------
>
> To unsubscribe from the LSTSRV-L list, click the following link:
> http://peach.ease.lsoft.com/scripts/wa-PEACH.exe?SUBED1=LSTSRV-L&A=1
>
> ------------------------------
>
> To unsubscribe from the LSTSRV-L list, click the following link:
> http://peach.ease.lsoft.com/scripts/wa-PEACH.exe?SUBED1=LSTSRV-L&A=1
>
############################
To unsubscribe from the LSTSRV-L list:
write to: mailto:[log in to unmask]
or click the following link:
http://peach.ease.lsoft.com/scripts/wa-PEACH.exe?SUBED1=LSTSRV-L&A=1
|
