ANNOUNCE: Beta 4.25-5 released

David Lee t.d.lee at DURHAM.AC.UK
Tue Nov 4 10:41:30 GMT 2003

On Sat, 1 Nov 2003, Julian Field wrote:

> [...]
> I have added the "disarm" option for the "Allow ...." HTML checks, so you
> can choose to just disarm the individual HTML tags rather than convert the
> entire message to plain text.
> [...]
> - Added support for "disarm" option on all HTML tag detectors, which will
>    disarm those tags while leaving the rest of the HTML intact.

Excellent!  Many thanks.  Sounds like what we've been discussing recently
on the list about controlled conversion of potentially dangerous bits of
HTML (as we discussed offline yesterday evening).

I have just installed it on our lowest preference (highest MX number)
campus relay.

With the aim of allowing most HTML but of de-clawing "Object Codebase", we
used to have (4.24-5):
   Allow IFrame Tags = yes
   Allow Form Tags = yes
   Allow Object Codebase Tags = no
   Convert Dangerous HTML To Text = yes
But in practice, this used to affect HTML containing any of those tags,
not just OC.

I have now (4.25-5) set:
   Allow IFrame Tags = yes
   Allow Form Tags = yes
   Allow Object Codebase Tags = disarm
   Convert Dangerous HTML To Text = no

which I hope should achieve this (permit everything, but de-claw OC).

But I have a suggestion, Julian.  Could you clarify the comments in
MailScanner.conf about "Convert Dangerous HTML To Text", so that it
clearly relates to the words "yes" and "disarm" in the "Allow X" options?
It currently says:
   # This will only apply if you are also allowing the tags to be present
   # using the configuration options above.

Does "allowing to be present" relate to "yes" only, or also to "disarm"?
Put another way: How does 'Convert ...' interact with the multiple values
of the various 'Allow ...'?

> [...]
> I am not planning a stable release for November, as there really haven't
> been enough changes to justify it.
> [...]

But for those of us itching to use the new features in major production
use, how "unstable" is this beta overall, compared to the previous stable?
(The question is more about the basic MailScanner code and possible added
risk there, less about the intrinsic risk of the newly enabled features.)

Many thanks again for a great product and great support.


:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:                                           South Road            :
:                                           Durham                :
:  Phone: +44 191 334 2752                  U.K.                  :
