Hi,

On Tue, 25 Jun 2013 17:50:20 -0700
Mark Sapiro <m...@msapiro.net> wrote:

> As you surmise, your settings do not pass multipart/related so the
> multipart/related part including its text/html and image/jpeg subparts
> were removed.
>
> Note that even if you were to change your pass_mime_types to
>
> multipart
> text/plain
> text/html
> image/jpeg
>
> so that all the parts of the message are accepted, the result would
> still only be the text/plain part because collapse_alternatives = Yes
> means replace the multipart/alternative part with the first (the
> text/plain) sub-part.

I deactivated the collapse_alternatives as this was not what I intended.

> If you want to filter only on filename extensions and pass all MIME
> types that don't have associated file names with the
> filter_filename_extensions extensions, you want pass_mime_types to be
> empty and collapse_alternatives and convert_html_to_plaintext to be
> No, but this will potentially accept all kinds of malware which may
> have Content-Type: application/octet-stream and no file name.

Basically I prefer text to html mails and would like to keep
convert_html_to_plaintext=yes as I know some members have quite weird
colour and formatting settings as default. So far none of the list
members complained.

RFC8220 [1] does not say anything about MIME types and I don't know which
others are possible so I better disable mime type filtering. However
accepting application/octet-stream seems risky and I see no way to
handle that properly, except whitelisting all accepted types like pdf,
jpg, png and all documents. However odt with embedded macros can be
harmful as well. So there is probably no easy fix for that.

> Whether this is safe or not depends on other things like discarding
> non-member posts and knowing your list members.

This is a quite open regional list with people who are not that
experienced on security topics. Even if I encourage people to not send
attachments and to use external filehosting services, receivers are
prone to any kind of linked malware. So far I trusted the installed
virus scanners used by amavisd-new and have to admit I did not dig very
deep into their capabilities.

> The real question is do you really want some list members 3.2 Mbyte
> jpeg stationery background (if that's what it was) in your archive and
> distributed to your list?

I definitely do not want that. The current maximum file size is 500kb as
members requested this, but this is still quite a lot for non-dsl users.

The option to link attachments in the archive instead of forwarding them
sounds like the best solution in my eyes, while accepting the above
issues still.

Kardan

[1] http://tools.ietf.org/html/rfc822
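
The filtering outcomes discussed in this message can be reproduced with a small model, added here as an example; it is not part of the original message and is not Mailman's own code. It is a simplified stand-in for pass_mime_types and collapse_alternatives only, and the sample message, the function names and the "original" pass list used in the test are assumptions.

```python
from email.mime.application import MIMEApplication
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText


def sample():
    """Constructed message: mixed[alternative[plain, related[html, jpeg]], octet-stream]."""
    related = MIMEMultipart("related")
    related.attach(MIMEText("<p>hello</p>", "html"))
    related.attach(MIMEImage(b"\xff\xd8\xff\xe0", "jpeg"))  # stand-in bytes, not a real image
    alt = MIMEMultipart("alternative")
    alt.attach(MIMEText("hello", "plain"))
    alt.attach(related)
    top = MIMEMultipart("mixed")
    top.attach(alt)
    top.attach(MIMEApplication(b"\x00\x01"))  # application/octet-stream, no file name
    return top


def passes(ctype, pass_types):
    """An empty pass list accepts everything; an entry is a full type or a bare maintype."""
    return not pass_types or ctype in pass_types or ctype.split("/")[0] in pass_types


def filter_part(part, pass_types, collapse):
    """Return the filtered part, or None if it (and with it its subparts) is removed."""
    ctype = part.get_content_type()
    if not passes(ctype, pass_types):
        return None
    if part.is_multipart():
        kept = [f for f in (filter_part(p, pass_types, collapse)
                            for p in part.get_payload()) if f is not None]
        if not kept:
            return None
        if collapse and ctype == "multipart/alternative":
            return kept[0]  # collapse_alternatives: keep only the first sub-part
        part.set_payload(kept)
    return part


def surviving(pass_types, collapse):
    """Leaf content types left after filtering the constructed sample."""
    msg = filter_part(sample(), set(pass_types), collapse)
    return [] if msg is None else [p.get_content_type() for p in msg.walk()
                                   if not p.is_multipart()]
```

With an empty pass list the application/octet-stream part without a file name survives, which is the case a filename-extension filter alone does not cover.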