Those are not "addresses", they are URLs. I think the "addresses" you are concerned with are the cllient IP addresses. not the server's address. Also, although
Tomcat is/was part of the Apache project, mailman runs under the Apache http server, not Tomcat.
Normally you can restrict who can obtain a response from a URL in Apache by using the htaccess mechanism. But the mailman
create and
listinfo URLs are administrative functions and it's less important
where you access them from as
who can access them.
Specifically, only designated administrative users should be able to request these URLs. Non-administrators would receive a "403 Forbidden" response. To use mailman you have to log in, and your administrative rights (if any) are tied to your user ID.
So the best place to get the information you need is in the mailman docs at
http://list.org. The administrator's manual is here:
https://wiki.list.org/DOC/Mailman%202.1%20List%20Administrators%20Manual