Thanks, Mark. The MUA is including "application/octet-stream" as the mime type. I didn't include this as passable because I wanted to strip ".exe" files from messages. It looks like if I want to enable subscribers to attach PDF files, it will at the same time enable them to attach EXE files. From the security perspective, do most Mailman admins let EXE files pass?
Thanks,
Ted

-----Original Message-----
From: Mark Sapiro [mailto:[EMAIL PROTECTED]
Sent: Friday, July 20, 2007 11:15 AM
To: Fitzpatrick, Ted; [email protected]
Subject: Re: [Mailman-Users] Content Filtering Scrubs PDF Attachment

Fitzpatrick, Ted wrote:
>
>When Mailman's Content Filtering is on, it is scrubbing (removing) pdf
>and png attachments,

I am guessing you mean 'removing' as in throwing away, as opposed to 'scrubbing' as in storing on the server and replacing with a link to the stored file. If by chance, you do mean 'scrubbing' in this sense, you need to set Non-digest options->scrub_nondigest to No in the list's admin interface.

>even though I have entered the MIME types for these
>files as "passable." For the MIME types, I used:
>
>
>
>application/pdf
>
>image/png

These are the appropriate MIME types. The real question is why isn't the poster's MUA putting the correct Content-Type: in the header? What is the Content-Type of these attachments? If this is just one bogus MUA, you could just accept the bogus Content-Type.

>The only fix I found within this list's archives was a patch to Mailman
>that sets it to use only file extensions when filtering attachments. I
>noticed debate over the security ramifications of this.

There are alternative ways to patch this. In fact, I'm not sure that the current behavior couldn't be considered a bug. Currently, if we have pass_filename_extensions defined, we don't accept any parts with filenames that don't have a matching extension. I suppose this is OK since the main inline parts we want probably don't have filenames so aren't subject to this test. The issue is that currently the mime types tests are applied first and the filename extension tests are only applied to what's left. Perhaps the 'pass' tests should be applied concurrently and a part accepted if it has a matching mime type OR a matching extension.

>What is the best way to configure Mailman to allow PDF and PNG files to
>pass through its filtering?

Wrong question. The question should be "what's the best way to get list members to use MUAs that properly identify the types of attachments?" (not that I know the answer). Basically, you're dealing with non-compliant MUAs, and given that the MUA is non-compliant, you can't predict what it will do.

--
Mark Sapiro <[EMAIL PROTECTED]>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
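
The filtering order discussed in the thread above, as an added example that is not part of the original messages and is not Mailman's own code: a simplified model of "MIME type test first, extension test on what's left" beside the "type OR extension" alternative, run over a constructed message. The option values, sample attachments and function names are assumptions made for illustration.

```python
import os
from email.message import EmailMessage

# Hypothetical list settings, named after the options discussed in the thread.
PASS_MIME_TYPES = {"text/plain", "application/pdf", "image/png"}
PASS_FILENAME_EXTENSIONS = {"pdf", "png"}


def ext_of(part):
    """Lower-cased filename extension of a part, or None if it has no filename."""
    name = part.get_filename()
    return os.path.splitext(name)[1].lstrip(".").lower() if name else None


def sequential_policy(part, pass_types=PASS_MIME_TYPES):
    """Order described in the thread: type test first, extension test on the rest."""
    if part.get_content_type() not in pass_types:
        return False
    ext = ext_of(part)
    # Parts without a filename (inline text) are not subject to the extension test.
    return ext is None or ext in PASS_FILENAME_EXTENSIONS


def either_policy(part, pass_types=PASS_MIME_TYPES):
    """Alternative floated in the thread: matching type OR matching extension."""
    return (part.get_content_type() in pass_types
            or ext_of(part) in PASS_FILENAME_EXTENSIONS)


def build_message():
    """Constructed sample: a PDF and an EXE both labelled application/octet-stream."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachments.")
    for data, main, sub, name in [
        (b"%PDF-1.4 sample", "application", "octet-stream", "report.pdf"),
        (b"MZ sample", "application", "octet-stream", "setup.exe"),
        (b"\x89PNG sample", "image", "png", "chart.png"),
    ]:
        msg.add_attachment(data, maintype=main, subtype=sub, filename=name)
    return msg


def surviving(policy, **kw):
    """Names (or types, for unnamed parts) of the leaf parts a policy lets through."""
    leaves = [p for p in build_message().walk() if not p.is_multipart()]
    return [p.get_filename() or p.get_content_type() for p in leaves if policy(p, **kw)]


if __name__ == "__main__":
    widened = PASS_MIME_TYPES | {"application/octet-stream"}
    print("sequential:", surviving(sequential_policy))
    print("sequential + octet-stream:", surviving(sequential_policy, pass_types=widened))
    print("type OR extension:", surviving(either_policy))
```

In this model the sequential order drops report.pdf because of its application/octet-stream label, and adding that type to the pass list lets it through while setup.exe is still stopped by the extension test. Both the filename and the Content-Type are chosen by the sender, so neither test verifies what an attachment actually contains.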
