ANNOUNCE: Beta 4.25-5 released

Julian Field mailscanner at ecs.soton.ac.uk
Wed Nov 5 09:48:49 GMT 2003


At 10:41 04/11/2003, you wrote:
>On Sat, 1 Nov 2003, Julian Field wrote:
>
> > [...]
> > I have added the "disarm" option for the "Allow ...." HTML checks, so you
> > can choose to just disarm the individual HTML tags rather than convert the
> > entire message to plain text.
> > [...]
> > - Added support for "disarm" option on all HTML tag detectors, which will
> >    disarm those tags while leaving the rest of the HTML intact.
>
>Excellent!  Many thanks.  Sounds like what we've been discussing recently
>on the list about controlled conversion of potentially dangerous bits of
>HTML (as we discussed offline yesterday evening).
>
>I have just installed it on our lowest preference (highest MX number)
>campus relay.
>
>With the aim of allowing most HTML but of de-clawing "Object Codebase", we
>used to have (4.24-5):
>    Allow IFrame Tags = yes
>    Allow Form Tags = yes
>    Allow Object Codebase Tags = no
>    Convert Dangerous HTML To Text = yes
>But in practice, this used to affect HTML containing any of those tags,
>not just OC.
>
>I have now (4.25-5) set:
>    Allow IFrame Tags = yes
>    Allow Form Tags = yes
>    Allow Object Codebase Tags = disarm
>    Convert Dangerous HTML To Text = no
>
>which I hope should achieve this (permit everything, but de-claw OC).
>Correct?

Yes.

>But I have a suggestion, Julian.  Could you clarify the comments in
>MailScanner.conf about "Convert Dangerous HTML To Text", so that it
>clearly relates to the words "yes" and "disarm" in the "Allow X" options?
>It currently says:
>    # This will only apply if you are also allowing the tags to be present
>    # using the configuration options above.
>
>Does "allowing to be present" relate to "yes" only, or also to "disarm"?
>Put another way: How does 'Convert ...' interact with the multiple values
>of the various 'Allow ...'?

I will endeavour to rewrite the comments.
Is this better?

# Do you want to convert HTML messages to plain text if they contain
# any HTML tags whose settings above are "yes"?
# This will only apply if you are also allowing the tags to be present
# using the configuration options above. You can allow messages
# that contain the tags, but convert them to plain text. This makes
# the HTML harmless, while still allowing your users to see the text
# content of the messages.
# The newer "disarm" settings above can be used instead of this setting,
# to selectively disable the individual tags while leaving the rest of
# the message as the original HTML.
# Setting this to "yes" will cause all graphical content to be removed
# from messages, for example.
# This can also be the filename of a ruleset, so you can make this apply
# only to specific users or domains.
Convert Dangerous HTML To Text = no


> > [...]
> > I am not planning a stable release for November, as there really haven't
> > been enough changes to justify it.
> > [...]
>
>But for those of us itching to use the new features in major production
>use, how "unstable" is this beta overall, compared to the previous stable?
>(The question is more about the basic MailScanner code and possible added
>risk there, less about the intrinsic risk of the newly enabled features.)

I just want to wait until a few people have tried the HTML disarming before
I consider it working. I've tested it myself and it appears to be fine, but
I would like to see the results when it is applied to "real world" mail.

>Many thanks again for a great product and great support.

My pleasure :)
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC  7222 11F6 5947 1415 B654
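The interaction discussed above (per-tag "Allow ... Tags = yes/no/disarm" versus the message-wide "Convert Dangerous HTML To Text"), as an added illustration that is not MailScanner's own code: the tag regexes, the rename-the-tag approach to disarming, and the handling of "no" (the message is only reported as dangerous) are assumptions; the sample message is constructed.

```python
import re

# Constructed sample message containing all three tag kinds the thread discusses.
SAMPLE_HTML = ('<html><body><p>Hello</p>'
               '<iframe src="http://example.invalid/"></iframe>'
               '<form action="http://example.invalid/post"><input name="q"></form>'
               '<object codebase="http://example.invalid/x.cab"></object>'
               '</body></html>')

# One detector per "Allow ... Tags" option (simplified regexes, not MailScanner's own).
DETECTORS = {
    "Allow IFrame Tags": re.compile(r"<iframe\b", re.I),
    "Allow Form Tags": re.compile(r"<form\b", re.I),
    "Allow Object Codebase Tags": re.compile(r"<object\b[^>]*\bcodebase\b", re.I),
}

def disarm(html, pattern):
    """Neutralise one tag kind by renaming it (<object ...> -> <x-object ...>), so a
    browser sees an unknown element while the rest of the HTML stays intact (assumed approach)."""
    return pattern.sub(lambda m: "<x-" + m.group(0)[1:], html)

def to_text(html):
    """Crude stand-in for 'Convert Dangerous HTML To Text': drop every tag."""
    return re.sub(r"<[^>]+>", "", html)

def apply_policy(html, settings, convert_to_text):
    """Return (outcome, body) for one message, following the semantics in the reply:
    - "disarm": only that tag kind is neutralised, the rest of the HTML is untouched;
    - "yes" plus Convert Dangerous HTML To Text = yes: the whole message becomes text;
    - "no": the message is reported as dangerous and left as-is (assumption: what
      MailScanner then does with such a message is outside this illustration)."""
    present = [opt for opt, pat in DETECTORS.items() if pat.search(html)]
    if any(settings[opt] == "no" for opt in present):
        return ("dangerous", html)
    body = html
    for opt in present:
        if settings[opt] == "disarm":
            body = disarm(body, DETECTORS[opt])
    if convert_to_text and any(settings[opt] == "yes" for opt in present):
        return ("text", to_text(body))
    return ("html", body)

# The 4.25-5 configuration from the thread: permit everything, de-claw Object Codebase.
NEW_SETTINGS = {"Allow IFrame Tags": "yes", "Allow Form Tags": "yes",
                "Allow Object Codebase Tags": "disarm"}

if __name__ == "__main__":
    print(apply_policy(SAMPLE_HTML, NEW_SETTINGS, convert_to_text=False))
```

With the 4.25-5 settings the iframe and form survive and only the object tag is renamed; switching the object setting to "yes" with conversion on reduces the same message to the single word "Hello".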