ANNOUNCE: Beta 4.25-5 released
David Lee
t.d.lee at DURHAM.AC.UK
Wed Nov 5 10:42:55 GMT 2003

On Wed, 5 Nov 2003, Julian Field wrote:
> [...]
> I will endeavour to rewrite the comments.
> Is this better?
>
> # Do you want to convert HTML messages to plain text if they contain
> # any HTML tags whose settings above are "yes"?
> # This will only apply if you are also allowing the tags to be present
> # using the configuration options above. You can allow messages
> # that contain the tags, but convert them to plain text. This makes
> # the HTML harmless, while still allowing your users to see the text
> # content of the messages.
> # The newer "disarm" settings above can be used instead of this setting,
> # to selectively disable the individual tags while leaving the rest of
> # the message as the original HTML.
> # Setting this to "yes" will cause all graphical content to be removed
> # from messages, for example.
> # This can also be the filename of a ruleset, so you can make this apply
> # only to specific users or domains.
> Convert Dangerous HTML To Text = no

There are some details, including a split infinitive, which need
attention. And in months and years to come the qualification "newer" to
the word "disarm" will be superfluous.

But looking wider, I wonder whether it could be simplified (dare I say
clarified?) to something like:

# The following "Convert Dangerous HTML To Text" only applies if set to
# "yes" and if one or more of the above "Allow ... Tags" settings is "no".
# It does not apply if those "Allow..." tags are all "yes" or "disarm".
#
# If an "Allow ... Tags = no" is triggered by a message, and this
# "Convert Dangerous HTML To Text" is set to "yes", then the HTML
# message will be converted to plain text. This makes the HTML
# harmless, while still allowing your users to see the text content
# of the messages. Note that all graphical content will be removed.
#
# This can also be the filename of a ruleset, so you can make this apply
# only to specific users or domains.
Convert Dangerous HTML To Text = no

And even that contains some possibly spurious repetition.

> [David Lee had earlier written:]
> >But for those of us itching to use the new features in major production
> >use, how "unstable" is this beta overall, compared to the previous stable?
> >(The question is more about the basic MailScanner code and possible added
> >risk there, less about the intrinsic risk of the newly enabled features.)
>
> I just want to wait until a few people have tried the HTML disarming before
> I consider it working. I've tested it myself and it appears to be fine, but
> I would like to see the results when it is applied to "real world" mail.

General Rule: When providing a computer service, a 99% sure way to break
something catastrophically is to go public and say "it works".

So here goes: I installed 4.25-5 yesterday on our campus relays (each 40K
msgs/day) including the settings:

Allow IFrame Tags = yes
Allow Form Tags = yes
Allow Object Codebase Tags = disarm
Convert Dangerous HTML To Text = no

and "it works".

So now let's wait for it to break later today ("Fireworks Day" in the UK,
by the way!)

--
: David Lee I.T. Service :
: Systems Programmer Computer Centre :
: University of Durham :
: http://www.dur.ac.uk/t.d.lee/ South Road :
: Durham :
: Phone: +44 191 334 2752 U.K. :