Both "clamav-milter" and "spamass-milter" are leaking their version into mail headers - that should IMHO be patched out so as not to present possible security flaws if there is an important update pending.
The header itself is fine for verifying that a message was scanned, and it could easily be stripped with Postfix header_checks if the admin wants to do so.
But the version leak is a bad idea, as for any server software:
X-Virus-Scanned: clamav-milter 0.98.4 at testserver.rhsoft.net
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on testserver.rhsoft.net
In certain versions, both the ClamAV and SpamAssassin milters are described as having command-line switches ("-n" and "-M" respectively) which disable the adding of headers. Are these missing from the Fedora versions? I won't have time to test this until after next weekend. If anyone else can test it, please do.
- Tim
On Sat, Aug 9, 2014 at 8:09 AM, Reindl Harald h.reindl@thelounge.net wrote:
security-team mailing list security-team@lists.fedoraproject.org https://lists.fedoraproject.org/mailman/listinfo/security-team
If they are available, guess I'll be writing up a short howto....
On Sat, Aug 9, 2014 at 6:10 PM, joat joat@757.org wrote:
Let me reword that... Both are described as being able to customize the employed headers. Will take a look at it...
On Sat, Aug 9, 2014 at 6:11 PM, joat joat@757.org wrote:
Disabling the headers completely is not optimal: even as admin you don't see whether a message was scanned.
The real problem is spitting out the exact version.
On 10.08.2014 at 00:10, joat wrote:
Sorry. I realized that I'd been thinking about it incorrectly about 10 seconds after hitting send. I'll take a look at this one.
On Sat, Aug 9, 2014 at 6:12 PM, Reindl Harald h.reindl@thelounge.net wrote:
On 10.08.2014 at 00:14, joat wrote:
Thanks!
What I would love is something like
* "X-Virus-Scanned: clean, hostname"
* "X-Spam-Checked: status and score, hostname"
That won't leak the version, or even which exact software is running on the server, and it makes sure you know which machine added the headers (relevant in case a message made it through a lot of hosts, because the only one you trust is your own).
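An added example (not from the thread, and not code from ClamAV, SpamAssassin or Postfix) of the rewrite Reindl Harald asks for, done where it would actually have to be done on a Postfix host: the headers that clamav-milter and spamass-milter add are not seen by the ordinary header_checks, which cleanup(8) applies before the Milters run, so they have to go through milter_header_checks (Postfix 2.7 and later). The script embeds a pcre table that turns the two headers quoted at the top of the thread into versionless ones and also trims the version= token that SpamAssassin's default X-Spam-Status template appends (stripping X-Spam-Checker-Version alone is not enough), then dry-runs the table against constructed sample headers and audits the result for version tokens before anything touches main.cf. The file path /etc/postfix/milter_header_checks.pcre, the sample headers and the "yes, hostname" wording of the rewritten X-Virus-Scanned line are assumptions; that header by itself carries no verdict, so it is not rewritten to claim "clean".

```python
"""Offline dry run of a Postfix milter_header_checks table that removes the
product versions from the scanner headers quoted in the thread."""
import re

# Table in pcre_table(5) syntax, as it would be installed in the assumed file
# /etc/postfix/milter_header_checks.pcre and enabled in main.cf with
#   milter_header_checks = pcre:/etc/postfix/milter_header_checks.pcre
# milter_header_checks (Postfix 2.7+) is needed because plain header_checks
# run before the Milters and never see the headers the Milters add.
MILTER_HEADER_CHECKS = r"""
# clamav-milter: keep only the fact that the named host scanned the message
/^X-Virus-Scanned:\s+clamav-milter\s+\S+\s+at\s+(\S+)\s*$/  REPLACE X-Virus-Scanned: yes, $1
# spamass-milter: the checker-version header carries nothing an admin needs
/^X-Spam-Checker-Version:/                                  IGNORE
# SpamAssassin's default X-Spam-Status template ends in version=N.N.N as well
/^(X-Spam-Status:.*?)\s+version=\S+(.*)$/                   REPLACE $1$2
"""

# pcre_table(5) defaults: case-insensitive, and "." also matches a newline
PCRE_DEFAULT_FLAGS = re.IGNORECASE | re.DOTALL
RULE_LINE = re.compile(r'^/((?:[^/\\]|\\.)+)/\s+(IGNORE|REPLACE)(?:\s+(.*))?$')


def parse_table(text):
    """Turn the table text into (compiled pattern, action, result) tuples.
    Postfix's $1, $2, ... become Python's \\g<1>, \\g<2>, ... for m.expand()."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_LINE.match(line)
        if not m:
            raise ValueError('unsupported table line: ' + line)
        pattern, action, result = m.groups()
        result = re.sub(r'\$(\d+)', r'\\g<\1>', result or '')
        rules.append((re.compile(pattern, PCRE_DEFAULT_FLAGS), action, result))
    return rules


def apply_checks(headers, table=MILTER_HEADER_CHECKS):
    """Approximate cleanup(8): each logical header (folded lines joined with a
    newline) is tested against the rules in order, the first match wins,
    IGNORE drops the header, REPLACE substitutes the whole header with the
    expanded result text, and unmatched headers pass through unchanged."""
    rules = parse_table(table)
    kept = []
    for header in headers:
        for pattern, action, result in rules:
            m = pattern.search(header)
            if m is None:
                continue
            if action == 'REPLACE':
                kept.append(m.expand(result))
            break  # IGNORE: the header is dropped
        else:
            kept.append(header)
    return kept


# Heuristic audit: a product name followed by a dotted number ("clamav-milter
# 0.98.4", "SpamAssassin 3.4.0") or an explicit version= token. Values such as
# score=-1.9 or an IP address in brackets do not match on purpose.
VERSION_TOKEN = re.compile(r'\b[A-Za-z][\w-]*[ /]\d+\.\d+(?:\.\d+)*\b|\bversion=\S+',
                           re.IGNORECASE)


def version_leaks(headers):
    """Return the names (lower-cased) of headers that still carry a version token."""
    return [h.split(':', 1)[0].lower() for h in headers if VERSION_TOKEN.search(h)]


# Constructed sample: the two header lines quoted in the thread, a Received
# header and a SpamAssassin X-Spam-Status in its default (folded) layout.
SAMPLE_HEADERS = [
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
    "\tby testserver.rhsoft.net (Postfix) with ESMTPS for <admin@example.net>",
    "X-Virus-Scanned: clamav-milter 0.98.4 at testserver.rhsoft.net",
    "X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on testserver.rhsoft.net",
    "X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED\n"
    "\tautolearn=ham autolearn_force=no version=3.4.0",
    "Subject: test message",
]

if __name__ == '__main__':
    print('leaks before:', version_leaks(SAMPLE_HEADERS))
    for h in apply_checks(SAMPLE_HEADERS):
        print(h)
    print('leaks after: ', version_leaks(apply_checks(SAMPLE_HEADERS)))
```

The emulation only mirrors what the dry run needs (first matching rule wins, IGNORE deletes, REPLACE rewrites the whole logical header, pcre_table defaults of case-insensitive matching and dot matching newline); the table text itself can be copied into the pcre file and checked against a real header line with postmap -q "X-Virus-Scanned: ..." pcre:/etc/postfix/milter_header_checks.pcre before enabling it in main.cf. Whether the Fedora builds of the two milters still expose the -n/-M switches Tim mentions is a separate question; the table above works regardless, because it acts on whatever headers the milters end up adding.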