Security: Upgrade Mailman (discussion lists) to v3+ and enable SSL

DreamHost’s discussion list service[1] runs on GNU Mailman[2], an open-source project.

The web interface of a Mailman list – consisting of things like subscribe and unsubscribe forms, user and administrative settings, membership management, list archives, and more, for both subscribers and administrators – consists of HTML pages. These are served from your discussion list subdomain (by default lists.yourdomain.tld).

These are presented as HTTP only, with no option to add even a free Let's Encrypt SSL cert to the subdomain to enable HTTPS.

This means that things like email addresses+passwords are being transmitted in plaintext and are subject to MITM attacks[3]. That’s why right now, in 2021, every major browser pops up big warnings when you try to log in or use forms on a website that isn’t HTTPS.

That obviously isn’t great for the usability or confidence of your users/subscribers, even if you’re not worried about the security implications.

This was requested twice before, first way back in 2012[4], and more recently in 2017[5] (where it was closed without being responded to).

When I contacted DreamHost about this, I was told:

I hate to say it, but we currently do not support HTTPS for the
discussion list service, I’m afraid. I don’t believe our current Mailman
version supports the setup of vanity list sub-domains with HTTPS
services. Until we’re able to look into possibly updating Mailman to
version 3, the list service will not work with HTTPS.

We currently do not have any plans on upgrading Mailman, but we are very
well aware that HTTPS is a necessity, so hopefully, we can get some
consideration in getting the discussion list service up to date to run
through HTTPS. But, as mentioned, we don’t have any plans just yet on
that, so you’ll have to continue connecting through HTTP. I’m very sorry
about that.

Mailman 3 was first released in 2015[6], so DreamHost is running 6 years behind in this update.

And so this is a request to upgrade to Mailman 3 so that SSL certificates on the discussion list subdomains are possible.

Responses from DreamHost – especially with regards to some sort of timeline as to when we can expect this to happen – are most welcome.

If anyone is aware of any workarounds for this issue (apart from running Mailman on your own server elsewhere) please share!

Finally, please do not close or archive this topic until the upgrade happens. This is important relevant information for anyone running or setting up a new discussion list, and it shouldn’t be hidden away just because it hasn’t been done yet. Thanks!

Links: (some addresses have a space in them to get around link limitations in posts)

  1. help.dreamhost. com/hc/en-us/articles/215029188-How-do-I-create-a-Discussion-List-
  2. list.org
  3. en.wikipedia. org/wiki/Man-in-the-middle_attack
  4. discussion.dreamhost. com/t/security-https-for-discussion-list-admin-pages-web-email-admin-pages/56989
  5. discussion.dreamhost. com/t/mailman-web-ui-add-ssl-https/64215
  6. pypi.org/project/mailman/3.0.0/
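The risk described in the post above (login and subscription forms on an HTTP-only list subdomain sending e-mail addresses and passwords in the clear) can be checked mechanically. The following is an added example written for this thread, not code from DreamHost or the Mailman project: it parses a Mailman-style HTML page, resolves each form's action against the page URL, and flags any form that collects a password or e-mail address and would submit it to a non-HTTPS endpoint. The sample page and the hostname lists.example.invalid are constructed for the example; the credential field names are assumptions modelled on typical Mailman 2 forms.

```python
"""Flag list web forms that would submit credentials over plain HTTP.

Added example for this thread; not DreamHost's or Mailman's own code.
The sample page below is constructed, not captured from a real list, and
the credential field names are an assumption based on typical Mailman 2 forms.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample resembling a Mailman 2 "options" page served over HTTP.
SAMPLE_URL = "http://lists.example.invalid/mailman/options/mylist"
SAMPLE_HTML = """
<html><body>
<form method="POST" action="../options/mylist">
  <input type="text" name="email">
  <input type="password" name="password">
  <input type="submit" name="login" value="Log in">
</form>
<form method="POST" action="https://lists.example.invalid/mailman/subscribe/mylist">
  <input type="text" name="email">
  <input type="password" name="pw">
  <input type="submit" value="Subscribe">
</form>
<form method="GET" action="../listinfo/mylist">
  <input type="text" name="q">
</form>
</body></html>
"""

# Assumed field names that carry a credential or an e-mail address.
CREDENTIAL_FIELD_NAMES = {"password", "pw", "pw-conf", "adminpw", "email"}


class _FormCollector(HTMLParser):
    """Collects each <form> with its action and the name/type of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                (attrs.get("name", ""), (attrs.get("type") or "text").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _collects_credentials(form):
    """True if the form has a password input or a known credential field name."""
    return any(
        itype == "password" or name.lower() in CREDENTIAL_FIELD_NAMES
        for name, itype in form["inputs"]
    )


def find_plaintext_credential_forms(html, page_url):
    """Return the absolute action URLs of forms that would send a password or
    e-mail address to a non-HTTPS endpoint.

    An empty or relative action inherits the scheme of the page itself, so a
    page served over http:// is flagged even when the action is relative.
    """
    parser = _FormCollector()
    parser.feed(html)
    flagged = []
    for form in parser.forms:
        if not _collects_credentials(form):
            continue
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            flagged.append(target)
    return flagged


if __name__ == "__main__":
    for url in find_plaintext_credential_forms(SAMPLE_HTML, SAMPLE_URL):
        print("credentials would be sent in the clear to:", url)
```

Run against the constructed sample, only the first form is reported: its relative action resolves to an http:// URL on the list subdomain, while the second form posts to an explicit https:// endpoint. Re-running the same check with an https:// page URL returns nothing, which is the state the requested upgrade would bring about.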

You’ll need to install your own Mailman.

You’ll need to install your own Mailman.

Per the original post:

If anyone is aware of any workarounds for this issue (apart from running Mailman on your own server elsewhere) please share!

Mailman is, officially, “supported software”.

Install your own Mailman.