[Esa-l] Possible suggestions...
mecha.ike at hydramedia.com
Fri Nov 24 07:31:52 PST 2000
At 06:30 24/11/00 -0800, you wrote:
>What I plan to achieve (Real Soon Now!) is to have attachment filename
>poisoning separate[sic] from mangling, and have mangling be
>user-selectable to be MANGLE_LIST or SAFE_LIST (e.g. "mangle all
>I've been thinking of something similar to that, given the number of
>questions I receive about why the sanitizer is mangling .DOC files and
>how to stop it.
Ah, the open sourcer's friend, RSN :-) Separate mangling and poisoning
would kill the one little bird of 'issue' that I have with the sanitizer as
it currently stands (V1.123).
The idea of the external addition to the mangle list is to allow site
admins to add in extra file types to the default mangle list without
banging the Perl (and the opportunities for error that introduces).
I operate the sanitizer here in a rather over-the-top way (a
poisoned-executables file full of "*.whatevers") but I can see that there
would be others who would want less stuff mangled/poisoned. You're faced
with striking a happy medium out of the box. It's a case of "Not
explicitly denied" and erring on the side of caution in the mangle list
(although your SAFE_LIST idea is more like "Not explicitly allowed"). Hmm...
>Of course! This is open source after all. However: the latest version
>has a SECURITY_NOTIFY_RECIPIENT option - what version are you running?
Wrong end of the stick (partly my fault).
I don't particularly want users here knowing that an e-mail didn't get
delivered to them, whatever the reason (ignorance being bliss...), but I
(as postmaster) want to know that Alice sent Bob an email which was blocked
because of attachment/macros, and I want Alice to know that we don't like
what he/she tried to send to Bob.
I'm talking about $STATUS and $STATUS_PUBLIC for SECURITY_QUARANTINE. I've
tweaked V1.123 so that SECURITY_QUARANTINE messages include $TO (like
SECURITY_NOTIFY), but more often than not that's a dist. list of email
addresses, and I still get the 'msgid()'. Really, all I want to see is the
address that delivery at my site is being attempted to (does that make
sense?) Is $MAIL_TO what I'm after, or does that only exist outside of the
sanitizer? (I'll try that, so save yourself answering that query.)
That reminds me, how can I stop getting a copy of SECURITY_NOTIFY_SENDER
sent to me as well? The SECURITY_NOTIFY(_VERBOSE)? is amply sufficient