Mailman privacy


  • Big brother is watching your /var/log/ ; have a look to
  • Mailman default configuration logs every e-mail/subscription to any list.
  • Mailman does not use syslog, but writes his logs himself to /var/log/mailman (on a Debian system at least), using the Mailman/Logging Python code
  • This is applicable to Mailman 2.1.5. At least.

Various kind of logs

SMTP-related logs : =post, smtp, smtp-failure

Mailman default configuration logs many e-mail addresses and message IDs (which often more or less disclose the sender's e-mail address).

The SMTP-related Mailman logging format is defined by a few configuration variables, defined in, and that can be overriden by values assigned in /etc/mailman/ without any patching.

Example privacy-aware values (of course, privacy-awareness depends on your context, and the following values may not suit yours) :

    'smtp for %(#recips)d recips, completed in %(time).3f seconds')
    'post to %(listname)s, size=%(size)d, success')
    'post to %(listname)s, size=%(size)d, %(#refused)d failures')
    'delivery to %(recipient)s failed with code %(failcode)d: %(failmsg)s')

Other faulty files


At least Queue/ and write e-mail addresses and message IDs to this log file.


A few bits of code, such as, write at least e-mail addresses to this log file.


At least Cgi/, Cgi/ and write e-mail addresses to this log file.


At least and write e-mail addresses to this log file.


At least Handlers/, Handlers/, Queue/, Queue/, and write e-mail addresses and message IDs to this log file.

Log files to examin further


Dunno. Mine is empty.



Clean log files

These log files do not contain any privacy-sensitive data, according to our own definition of "privacy-sensitive data" :

A few possible (or not) solutions

Patch Mailman to avoid writting such data in the first place

Would take tons of energy. Too much energy.

Patch Mailman so that it uses syslog

This way, the privacy-enabled syslog-ng would be able to strip any undesired data from these log files. And optionnally write a non-stripped version to a ramdisk, if needed.

Should be feasible quite quickly and cleanly. Might even be implemented in Mailman v3 devel branch ?

Symlink the faulty log files to /dev/null, or put the whole /var/log/mailman onto a ramdisk

Why not, he he. TODO : check that Mailman does not need to retrieve any information from these log files, and test these solutions.