On Sat, 10 May 2014, Daniel Pocock wrote:
>
>
> On 10 May 2014 08:40:53 CEST, Alexander Wirt <[email protected]> wrote:
> >On Fri, 25 Apr 2014, Daniel Pocock wrote:
> >
> >> Package: amavis-new
> >> Version: 1:2.7.1-2
> >> Severity: serious
> >>
> >>
> >> When an email is banned due to an attachment, the ban email sent to the
> >> sender includes the ultimate recipient's address resolved by the virtual
> >> lookup table
> >>
> >> This appears to be a privacy risk, as the virtual mapping contains email
> >> addresses that may not already be known to the sender.
> >No, you should never send those mails to someone out of your domain. If you
> >don't want to expose this, don't send these mails.
> >
> >This is entirely configurable and there is no useful option for amavis to
> >prevent this problem. Therefore I'll close this bug.
> >
> >If you disagree feel free to reopen the bug, but imho this is a user
> >configuration problem and no software problem.
> >
>
> It is a default config using the config files from the package.
>
> Therefore it is likely other users will end up observing the same problem. I
> would prefer to pinpoint what causes this rather than closing the bug without
> any analysis.

There is no sane default configuration for amavis. Amavis is a framework and
not end-user software. Amavis in its default configuration will _not_ send any
bounce/whatever message to users outside local_domains. Which mails are sent
to foreign domains is controlled via $warn_offsite.

} elsif (!c('warn_offsite') && !$r->recip_is_local) { # the code for reference.

If you want to control the notification of senders in general you can use
$warnbannedsender and $warnbadhsender.

You can also play with the D_REJECT / D_BOUNCE targets. Things also depend
on how your amavis is integrated into your mail system (before queue, after
queue, milter). As said, amavis is a framework and you have to know how to
use it.

Bug closed again.

Alex
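
The settings named in the reply above, collected into one amavisd-new configuration fragment. This is an added example, not part of the original thread and not the package's shipped configuration. `$final_banned_destiny`, `D_DISCARD`, `@local_domains_maps` and the `.example.org` value do not appear in the thread and are used here as assumptions about a typical setup.

```perl
use strict;

# Constructed fragment for a site-local amavisd-new override file.
# Which file it belongs in depends on how the package lays out its config.

# Domains amavis treats as local. Placeholder value, replace with your own.
@local_domains_maps = ( [ '.example.org' ] );

# Recipient warnings are skipped for recipients that are not local
# (the check quoted in the thread: !c('warn_offsite') && !$r->recip_is_local).
$warn_offsite = 0;

# Sender warnings for banned content and bad headers, the two switches
# named in the reply. 0 turns them off.
$warnbannedsender = 0;
$warnbadhsender   = 0;

# Final destiny for mail with a banned attachment:
#   D_BOUNCE  - amavis itself sends a non-delivery notification to the sender
#   D_REJECT  - mail is refused; the sender gets an SMTP reject or an
#               MTA-generated bounce, depending on the integration
#   D_DISCARD - mail is dropped and the sender is not notified
# D_DISCARD means amavis produces no message to the sender, so no
# notification exists that could carry a rewritten recipient address.
$final_banned_destiny = D_DISCARD;

1;  # ensure a defined return value
```

With `D_DISCARD` the sender never learns the mail was blocked, so keep quarantine or administrator notification enabled for banned mail. Test with a message from an outside address to confirm that nothing is returned to the sender.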