On 10.08.2014 at 00:14, joat wrote:
Sorry. I realized that I'd been thinking about it incorrectly
about 10 seconds after hitting send. I'll take a
look at this one.
thanks!
what i would love is something like
* "X-Virus-Scanned: clean, hostname"
* "X-Spam-Checked: status and score, hostname"
that won't leak the version and even not what exact software type
is running on the server and makes sure to know which machine
added the headers (in case of messages made it through a lot
of hosts relevant because the only one you trust is the own)
On Sat, Aug 9, 2014 at 6:12 PM, Reindl Harald <h.reindl(a)thelounge.net> wrote:
disable the headers completely is not optimal
you even as admin don't see if a message was scanned
the real problem is spit out the exact version
On 10.08.2014 at 00:10, joat wrote:
> In certain versions, both the ClamAV and SpamAssassin milters are described as having command line switches
> ("-n" and "-M" respectively) which disable the adding of headers. Are these missing from the Fedora versions? I
> won't have time to test this until after next weekend. If anyone else can test it, please do.
>
> On Sat, Aug 9, 2014 at 8:09 AM, Reindl Harald <h.reindl(a)thelounge.net> wrote:
>
> both "clamav-milter" and "spamass-milter" leaking their
> version into mail-headers - that should IMHO be patched
> out to not present possible security flaws if there
> is an important update pending
>
> the header itself is fine to verify that a message was
> scanned and could be easily stripped with postfix
> header_checks if the admin wants to do so
>
> but the version leak is a bad idea as for any server software
>
> X-Virus-Scanned: clamav-milter 0.98.4 at testserver.rhsoft.net
> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on testserver.rhsoft.net
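
An added example, not part of the thread or of either project: a Python sketch that audits a message for the version-leaking scanner headers quoted above and rewrites them to a version-free `scanned, <host>` form. The sample message, the header list and the replacement format are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample message; the two scanner headers are the ones quoted in the thread.
SAMPLE = """\
From: sender@example.org
To: rcpt@example.net
X-Virus-Scanned: clamav-milter 0.98.4 at testserver.rhsoft.net
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on testserver.rhsoft.net
Subject: test

body
"""

# Headers to inspect (assumed list, extend for other scanners).
SCANNER_HEADERS = ("X-Virus-Scanned", "X-Spam-Checker-Version")
# A dotted version number such as 0.98.4 or 3.4.0.
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")
# The scanning host is whatever follows the final " at " or " on ".
HOST_RE = re.compile(r"\b(?:at|on)\s+(\S+)\s*$")

def audit(raw):
    """Return (header, version, host) for each scanner header that leaks a version."""
    msg = message_from_string(raw, policy=default)
    findings = []
    for name in SCANNER_HEADERS:
        for value in msg.get_all(name, []):
            version = VERSION_RE.search(value)
            if version:
                host = HOST_RE.search(value)
                findings.append((name, version.group(0), host.group(1) if host else None))
    return findings

def redact(raw):
    """Drop product name and version from leaking headers, keep the scanning host."""
    msg = message_from_string(raw, policy=default)
    for name in SCANNER_HEADERS:
        values = msg.get_all(name, [])
        del msg[name]  # removes every occurrence; re-added below at the end of the header block
        for value in values:
            if VERSION_RE.search(value):
                host = HOST_RE.search(value)
                value = "scanned" + (f", {host.group(1)}" if host else "")
            msg[name] = value
    return msg.as_string()
```

Running `audit()` over a sample of delivered mail shows which hosts still disclose a version; `redact()` shows what the same headers look like once only the scan marker and hostname remain.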