The mailman3 service is controlled by a REST API that you can do just about anything with (it's very powerful). It's protected by HTTP auth, and by default it only listens on localhost.
There are various applications of having automation interact with mailman3 to e.g. automatically subscribe/unsubscribe users based on account state or something.
As far as I can tell, the REST API has no further access control besides the singular HTTP auth password - we may want to talk to upstream about that.
In theory we should be able to allow the server to listen on 0.0.0.0 and have ferm block all non-internal connections.
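A sketch of the account-state automation mentioned above, as an added example that is not part of the original note or of Mailman's own code. It assumes the REST API is reachable at `http://localhost:8001/3.1`; the list id, addresses and credentials are constructed placeholders, and the function names are hypothetical.

```python
import base64
from urllib.parse import quote, urlencode
from urllib.request import Request

API = "http://localhost:8001/3.1"  # assumption: local endpoint and API version


def plan_sync(active_accounts, current_members):
    """Diff account state against list membership.

    Returns (to_subscribe, to_unsubscribe). Addresses are compared
    case-insensitively (an assumption made for this example).
    """
    want = {a.strip().lower() for a in active_accounts}
    have = {m.strip().lower() for m in current_members}
    return sorted(want - have), sorted(have - want)


def build_requests(list_id, to_subscribe, to_unsubscribe, user, password):
    """Build the REST calls without sending them, so they can be reviewed or logged.

    Every call carries the same HTTP auth credential: that one secret is the
    only access control, so the automation should read it from a protected
    store and never log the Authorization header.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    auth = {"Authorization": f"Basic {token}"}
    requests = []
    for addr in to_subscribe:
        form = urlencode({
            "list_id": list_id,
            "subscriber": addr,
            # Skip the verification/confirmation/moderation workflows,
            # because the account system already vouches for the address.
            "pre_verified": "true",
            "pre_confirmed": "true",
            "pre_approved": "true",
        }).encode()
        requests.append(Request(f"{API}/members", data=form, headers=auth, method="POST"))
    for addr in to_unsubscribe:
        url = f"{API}/lists/{quote(list_id, safe='')}/member/{quote(addr, safe='@')}"
        requests.append(Request(url, headers=auth, method="DELETE"))
    return requests


if __name__ == "__main__":
    # Constructed sample data: alice is active but not subscribed, carol has left.
    sub, unsub = plan_sync(["Alice@example.org", "bob@example.org"],
                           ["bob@example.org", "carol@example.org"])
    for req in build_requests("staff.example.org", sub, unsub, "restadmin", "placeholder"):
        print(req.get_method(), req.full_url)
```

Passing each returned request to `urllib.request.urlopen` applies the plan.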