Mohsen Masoudfar writes:
> It seems anybody can go to the site: https://LISTSERVNAME/mailman3/postorius/lists/ and click on the [Sign up] on the top-right corner and create an account.
Yes.
> This can easily be automated, even if the next step, confirming the email address, is ignored. I believe it can be used as a target for a DoS attack by creating so many accounts that it eventually causes an 'out of space' error.
> Is this a justified concern?
"Justified" depends on who you think the attacker is. Theoretically it's a real possibility, but the space used by an unverified account is not large. I suspect there are always much more painful DoS attacks to worry about.
> Is there a way to manage this feature in a secure way?
In some sense, I don't think there is. The point of the feature is to allow anybody to sign up without authentication beyond having a usable email address. Either you allow the DoS attack or anything you do is likely to deny service to legitimate users.
Brian's approach (cron job purging unverified users) is generally good hygiene, but I don't think it would do much against a deliberate attack. And it shouldn't be hard to automate the confirmation process. I guess you could handle that by purging accounts with no subscriptions or other roles on any lists, but that might annoy a few legitimate users.
Probably the best you could do for an open server would be to throttle user creation to, say, 1 per minute (adjustable to the scale of your site).
I don't know if there is currently a way to require admin approval for account creation (as opposed to list subscription). Perhaps we should add that if we don't have it.
Steve
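The two mitigations Steve describes, a site-wide throttle on account creation and a periodic purge of unverified accounts that hold no subscriptions or roles, as an added example that is not Mailman or Postorius code. The Account record, the rates and the timestamps are assumptions constructed for illustration.

```python
"""Added example (not Mailman/Postorius code): a site-wide sign-up throttle
plus a cron-style purge of stale unverified accounts. All records,
rates and timestamps are constructed for illustration."""
from dataclasses import dataclass
from typing import List


@dataclass
class Account:
    email: str
    created_at: float          # seconds since epoch (constructed)
    verified: bool = False
    subscriptions: int = 0     # list memberships or roles held


class SignupThrottle:
    """Token bucket shared by the whole site: about `rate_per_min` new
    accounts per minute, with a small burst so normal traffic is not hurt."""

    def __init__(self, rate_per_min: float = 1.0, burst: int = 3):
        self.rate = rate_per_min / 60.0   # tokens added per second
        self.capacity = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        # Refill in proportion to elapsed time, capped at the burst size.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def purge_unverified(accounts: List[Account], now: float, max_age_s: float) -> List[Account]:
    """Keep verified accounts, accounts with any subscription or role, and
    unverified accounts still younger than max_age_s; drop the rest."""
    return [a for a in accounts
            if a.verified or a.subscriptions > 0 or now - a.created_at <= max_age_s]


def simulate_burst(n: int, interval_s: float, rate_per_min: float = 1.0) -> int:
    """Count how many of n sign-up attempts spaced interval_s apart get through."""
    throttle = SignupThrottle(rate_per_min)
    return sum(1 for i in range(n) if throttle.allow(i * interval_s))
```

With the default 1 per minute, a script firing one sign-up per second gets only the burst plus one account per minute through, while users arriving minutes apart are never blocked.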