Tibor Molnar writes:
> I'm also aware that mailman3 is already querying the API on localhost, and that's how it's generating the output for system information, but if I was going to configure it for remote, where else other than mailman.cfg do I need to configure this?
You don't want to mess with mailman.cfg. Instead you should reverse proxy it, the same way that you do for Postorius.
Note that you don't have to open up the whole REST API, you can restrict to very specific endpoints. For example for nginx, the basic scheme is

    location /REST-API/domains {
        proxy_pass http://127.0.0.1:8001/3.1/domains;
    }

That particular configuration allows access to domains but not lists. Still, I recommend strong authentication on those locations. ... There are probably ways to get at pretty much everything once you have access to anything. For example, if you can get to a specific list, you can get its subscriber roster, and I think there's a way to pick a specific user, so then you can get their addresses and other subscriptions .... I haven't tried to do that, but I see no good reason to suppose pretty arbitrary path traversal is impossible.
See https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/rest/docs/r... for the REST API endpoints.
Steve
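
One way to put strong authentication in front of the single proxied endpoint from the message above, using TLS client certificates and an exact-match location. This is an added example, not part of the original message; the server name, certificate paths and client CA file are placeholders.

```nginx
# Added example. Names and paths below are placeholders, not values from the thread.
server {
    listen 443 ssl;
    server_name lists.example.org;                        # placeholder host

    ssl_certificate     /etc/nginx/tls/lists.example.org.crt;
    ssl_certificate_key /etc/nginx/tls/lists.example.org.key;

    # CA that signs certificates for the few clients allowed to use the API.
    ssl_client_certificate /etc/nginx/tls/rest-clients-ca.crt;
    # "optional" so other locations on this server (e.g. Postorius) still
    # work without a client certificate; the API location enforces it below.
    ssl_verify_client optional;

    # Exact match: only this one URI is forwarded. A prefix location
    # ("location /REST-API/domains") forwards every path that begins with
    # the prefix, sub-resources included.
    location = /REST-API/domains {
        # Reject requests that did not present a valid client certificate.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # Read-only: anything other than GET/HEAD is refused at the proxy.
        limit_except GET {
            deny all;
        }

        # The client's Authorization header is passed through unchanged,
        # so the REST server's own authentication still applies.
        proxy_pass http://127.0.0.1:8001/3.1/domains;
    }

    # Everything else under the prefix is refused here instead of falling
    # through to some other location block.
    location /REST-API/ {
        return 404;
    }
}
```

Each further endpoint gets its own exact-match (or tightly anchored regex) location, so the set of reachable REST paths stays an explicit allowlist.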