In certain versions, both the ClamAV and SpamAssassin milters are described as having a command line switches ("-n" and "-M" respectively) which disables the adding of headers. Are these missing from the Fedora versions? I won't have time to test this until after next weekend. If anyone else can test it, please do. - Tim On Sat, Aug 9, 2014 at 8:09 AM, Reindl Harald <h.reindl(a)thelounge.net&gt; wrote: > both "clamav-milter" and "spamass-milter" leaking their > version into mail-headers - that should IMHO be patched > out to not present possible security flaws if there > is a important update pending > > the header itself is fine to verify that a message was > scanned and could be easily stripped with postfix > header_checks if the admin wants to do so > > but the version leak is a bad idea as for any server software > > X-Virus-Scanned: clamav-milter 0.98.4 at testserver.rhsoft.net > X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on > testserver.rhsoft.net > > > _______________________________________________ > security-team mailing list > security-team(a)lists.fedoraproject.org > https://lists.fedoraproject.org/mailman/listinfo/security-team > >

In certain versions, both the ClamAV and SpamAssassin milters are described as having a command line switches ("-n" and "-M" respectively) which disables the adding of headers. Are these missing from the Fedora versions? I won't have time to test this until after next weekend. If anyone else can test it, please do. On Sat, Aug 9, 2014 at 8:09 AM, Reindl Harald <h.reindl(a)thelounge.net <mailto:h.reindl@thelounge.net>> wrote: both "clamav-milter" and "spamass-milter" leaking their version into mail-headers - that should IMHO be patched out to not present possible security flaws if there is a important update pending the header itself is fine to verify that a message was scanned and could be easily stripped with postfix header_checks if the admin wants to do so but the version leak is a bad idea as for any server software X-Virus-Scanned: clamav-milter 0.98.4 at testserver.rhsoft.net X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on testserver.rhsoft.net

Sorry. I realized that I'd been thinking about it incorrectly about 10 seconds after hitting send. I'll take a look at this one.

On Sat, Aug 9, 2014 at 6:12 PM, Reindl Harald <h.reindl(a)thelounge.net <mailto:h.reindl@thelounge.net>> wrote: disable the headers completly is not optimal you even as admin don't see if a message was scanned the real problem is spit out the exact version Am 10.08.2014 um 00:10 schrieb joat: > In certain versions, both the ClamAV and SpamAssassin milters are described as having a command line switches > ("-n" and "-M" respectively) which disables the adding of headers. Are these missing from the Fedora versions? I > won't have time to test this until after next weekend. If anyone else can test it, please do. > > On Sat, Aug 9, 2014 at 8:09 AM, Reindl Harald <h.reindl(a)thelounge.net <mailto:h.reindl@thelounge.net> <mailto:h.reindl@thelounge.net <mailto:h.reindl@thelounge.net>>> wrote: > > both "clamav-milter" and "spamass-milter" leaking their > version into mail-headers - that should IMHO be patched > out to not present possible security flaws if there > is a important update pending > > the header itself is fine to verify that a message was > scanned and could be easily stripped with postfix > header_checks if the admin wants to do so > > but the version leak is a bad idea as for any server software > > X-Virus-Scanned: clamav-milter 0.98.4 at testserver.rhsoft.net > X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on testserver.rhsoft.net