Quoting John Rudd <[EMAIL PROTECTED]>:

> Tilman Schmidt wrote:
>
>> So why am I dissecting that list like this? Just to show that blocking
>> or not blocking certain unusual characters in mail addresses is indeed a
>> policy decision which should not be forced by a piece of software, but at
>> most offered as a configurable option.
>
> Absolutely agree.

I disagree in this case (read on).

> It is not ClamAV's place to make policy decisions for
> me.

And ClamAV does not.  The milter does.  And the milter is designed to
work with sendmail.  And if leaving this enabled by default produces
an exploitable sendmail, then it is wrong.

I'm not saying it can't be configurable, but whether it is or not, it
must be disabled by default, IFF it is known to make sendmail or the
milter itself exploitable.

> It is ClamAV's place to match email messages to signatures.

Yes, but this is _not_ the function of the milter, it is the function
of ClamAV, and ClamAV is not the thing causing the issue, the milter is.

> It is
> up to me what to do with messages that match signatures.

Correct, and not of any concern to the actual discussion, despite the
fact that some people believe it is.

> At most, it
> should offer me policy options, but only _options_.

You would rather it allows you to become exploitable?  I wouldn't...

IMHO, the proper thing to do is to document this in the milter docs.
Whether it becomes a configurable option or not, it should certainly
be documented that the default is to block such addresses.

BUT, the point of my email is ClamAV is an anti-virus program, its job
is to match patterns and report the match. clamav-milter is a separate
program, a milter for sendmail.  A milter is by definition a filter.  Its
job IS to filter (see: https://www.sendmail.org/milter/), even though many
people use them in a non-filtering way...  Don't confuse the two programs,
or their functions.

It would be irresponsible for a milter to knowingly allow a security hole
by default.  Protecting against such a hole is the only reasonable thing
to do.  How to best protect that hole is still a subject of debate.

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Go Longhorns!
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
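The kind of address check the thread argues about, as an added example that is not clamav-milter's own code and not taken from the thread: a conservative "unusual characters in the local part" policy that rejects by default and can only be relaxed by an explicit operator setting. The character set, the `check_address`/`envrcpt` names and the policy keys are assumptions for illustration; the thread does not say which characters clamav-milter blocks.

```python
import re

# Characters that are legal in an RFC 5321 local part but that a cautious
# milter policy might refuse to pass on to the MTA. This set is assumed for
# the example; the original thread does not list the blocked characters.
UNUSUAL_LOCAL_CHARS = frozenset("|`;$!<>&\\'\"")

# Policy knob as the thread describes it: blocking is on by default, and an
# operator must explicitly turn it off or whitelist individual characters.
DEFAULT_POLICY = {"block_unusual": True, "allow": frozenset()}

# Envelope address with optional angle brackets: <local@domain> or local@domain.
ADDR_RE = re.compile(r"^<?([^@<>\s]+)@([A-Za-z0-9.-]+)>?$")


def check_address(addr, policy=None):
    """Return ("accept", None) or ("reject", reason) for one envelope address."""
    policy = DEFAULT_POLICY if policy is None else {**DEFAULT_POLICY, **policy}
    addr = addr.strip()
    if addr == "<>":
        # Null reverse-path used by bounces: must always be accepted.
        return ("accept", None)
    m = ADDR_RE.match(addr)
    if not m:
        return ("reject", "malformed address")
    local, _domain = m.groups()
    if not policy["block_unusual"]:
        return ("accept", None)
    # Only characters the operator has not explicitly allowed count as unusual.
    found = sorted(set(local) & (UNUSUAL_LOCAL_CHARS - policy["allow"]))
    if found:
        return ("reject", "unusual characters in local part: " + "".join(found))
    return ("accept", None)


def envrcpt(addr, policy=None):
    """Shape of a milter RCPT TO callback: map the verdict to an SMTP reply."""
    verdict, reason = check_address(addr, policy)
    if verdict == "accept":
        return (250, "OK")
    return (550, "5.1.3 Recipient rejected: " + reason)


if __name__ == "__main__":
    # Constructed sample recipients, not real addresses.
    for rcpt in ("<alice@example.com>", "<bob|cat@example.com>", "<>"):
        print(rcpt, "->", envrcpt(rcpt))
```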