On Tuesday 10 February 2004 10:05 pm, you wrote: > > Well, Spamassassin is where the data comes from, and it should have > > reasonable limits on what it spits out. Exim already has a reasonable > > limit. SA doesn't have anything. > > OK, and what happens when some spammer/hacker decides to DoS you with > messages with horribly long headers? Or Mr. Executive/Boss/... creates > a maillist or alias that expands to 1000 recipients, etc... > > That's why industrial strength MTAs use dynamically allocated buffers, > they've learned from bad past experience that any "reasonable limit" > sooner or later becomes an unreasonable choke-point/attack-point.
I would hesitate to accuse Exim of not being an industrial-strength MTA. We've been using it in high-load production environments for years now and and I know many other people are also. We've been very pleased with its performance, reliability, and flexibility. It should be noted that the problem I ran into was not Exim's, but Exiscan's. True, Exim does have a hard limit on header size, which may not be the greatest thing, but Exiscan is what wasn't doing its housekeeping and causing trouble. We're we running vanilla Exim, this never would have come up, even if somebody was purposefully trying to exceed the size limit. And I would also like to note that the _only_ instances I could find of this header size limit error are caused by Spamassassin. This issue came up in pre-2.40 SA versions, and a patch was included in future SA versions to fix it. See: http://www.exim.org/pipermail/exim-users/Week-of-Mon-20020923/044137.html - and - http://bugzilla.spamassassin.org/show_bug.cgi?id=444 Why not patch it again for a new breed of rules? > You may have no need to see all those match headers listed, but > what about developers trying to see where their rules hit, or > an admin trying to debug a particular message that went wrong. So it should have a granularity setting or something. We don't need every possible bit of information on every message. However, I still don't think what I'm saying means loosing all that much info. With these types of rules, it's only the difference between knowing if it matched gibberish of 'bhj' or 'ehx' or a bogus html tag of <asdf> versus <jkl;>. Not stuff that usually has a whole lot of use for anybody but the developer. I say a summary of the whole ruleset would be better. > If you limit yourself to Exim, that's your choice but please don't > expect the rest of the SA world to cripple our tool to fit your > limitations. Regardless of limitations, I don't particularly WANT more than 8k or so of headers. How much is too much for SA to spit out? 8k? 32k? 128k? Shall there be no limit at all? I would like to see every significant rule that hits, but I don't necessarily want the full report of every single rule in a huge Tripwire/Chickenpox-style set. > Maybe your time would be better spent over in the Exim community > encouraging its developers to improve their program to the level > that other MTAs have already achieved. I did post a bug report to the Exiscan list. Again, this isn't an error in Exim itself. -- Matt Systems Administrator Local Access Communications 360.330.5535
