sarah.baso at owasp.org
Tue Feb 25 00:32:01 UTC 2014
Matt- you can just go ahead and set this up... We can talk about other
On Feb 24, 2014, at 4:30 PM, Tobias <tobias.gondrom at owasp.org> wrote:
fyi: Sarah mentioned during our board meeting today about some thoughts,
but these did not correspond with this basic request. And as I explained we
do not need more than a simple mailing-list here. As Sarah did
unfortunately not cc me on her ping to you, I do not know whether that was
before or after our board meeting. Anyway, I will schedule a talk with her
during this week and see whether any alternatives are better than the basic
Besides that, I definitely agree that we need to have a stable mailing-list
setup for all mailing-lists in any case - whether with or without one more
list being hosted on our servers. Our mailing-lists are the central nervous
system of our community. And they are essential to our operation.
Best regards, Tobias
OWASP Global Board Member
OWASP CISO Survey Project Lead
email: tobias.gondrom at owasp.org
mobile: +852 56002975
mobile: +44 7521003005
On 25/02/14 00:09, Jim Manico wrote:
Our community is not portal friendly, just warning you all. I still back
this new list regardless of this portal. The staff does not need to be a
part of it, the list managers can keep them posted.
My 2 cents,
On Feb 24, 2014, at 4:05 PM, Matt Tesauro <matt.tesauro at owasp.org> wrote:
Tobias & Jim,
I suspect the current server can handle the load (outbound is especially
problematic) for this new list. I agree with Tobias that the best way to
find out is to just try it and see what happens. 
*HOWEVER*, I know the full time staff are working on the communities site
which is hooked into Salesforce. I've not worked directly on this (I think
it's been primarily Kate but check with Sarah for 100% accuracy) and from
what I understand, that site (and the features it will bring) will be a
much better home for this type of list/communication mechanism.
Sarah ping'ed me off this thread to ask me to hold off on this. From what
she told me, she mentioned getting back to the board on Monday with a
proposed solution for your request/suggestion.
So, I'm putting this on hold until Monday - I've been busy upgrading the
MediaWiki source code to get us up to the latest stable version. Look for
a leaders-list announcement shortly.
TLDR: Mailman may be working OK currently, but it's still full of
cruft and requires a lot more work to be optimally set up.
Just a note for the record, during the Christmas break of 2011, Mailman
was migrated to Rackspace's public cloud hosting by the previous OWASP IT
person. By February 2012, that Mailman server was becoming useless due to
being buried in SPAM. I was on the board at the time and negotiated a
donation of SPAM filtering service from Barracuda and got access to the
Mailman install. The install was less than optimal with basic things like
MX and PTR records missing. I'm actually surprised that it worked as well
as it did. After getting the SPAM under control, Achim and I worked on
getting a much better mail setup. With Achim's help (he knows Sendmail much
better than me) we got a much more stable and working Mailman install set up.
When the OWASP Connector started being sent is when we noticed the service
dying and a mail storm of bounced bad email addresses was taking down
Sendmail due to maxing out our connections. Moving the OWASP Connector off
to the third-party service helped alleviate this problem.
All that said, there are still many "kustomizations" of Mailman that are
undocumented and deviate wildly from the methods suggested by the Mailman
admin manual. I've found a bunch of shell scripts and other kustomizations
in my Mailman archaeology explorations on that server but I continue to
find unique and atypical settings. I suspect there's something broken in
how Mailman handles bounces (and pruning addresses that perpetually bounce)
but I've not found where those customizations were made.
I've focused my work on keeping the service up and working for the
community over getting all those edge cases worked out. I also prioritized
getting the wiki fully updated over a clean install of Mailman, though that
is my next large project for OWASP IT.
So, if I'm uncertain about the capacity of that server it is because it
has a far from optimal setup with undocumented diversions from the norm as
well as unique customizations. Once I get a fresh install of Mailman set up
and the lists migrated, then I'll be confident in its capacity.
-- Matt Tesauro
OWASP WTE Project Lead
http://AppSecLive.org - Community and Download site
OWASP OpenStack Security Project Lead
On Mon, Feb 24, 2014 at 5:05 PM, Tobias <tobias.gondrom at owasp.org> wrote:
> Hi Jim,
> I think we can just try it and see how we can cope with the volume. And
> if things don't perform enough, we can still either improve the server
> or change the system.
> I know from other cases that mailman can handle a large number of users
> in a reasonably high volume.
> A good example of such a large list is the global IETF mailing-list:
> If we run into performance problems, I could probably connect Matt with
> their Admin to see how they do it.
> Cheers, Tobias
> On 24/02/14 16:25, Jim Manico wrote:
> > Matt,
> > We want to start a new email list that anyone (following our code of
> > ethics) can join called owasp-community.
> > Can mailman handle a large number of users in a high volume list?
> > Aloha,
> > Jim
> > _______________________________________________
> > Owasp-board mailing list
> > Owasp-board at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-board