Jason R. Mastaler wrote:
> Eric <[EMAIL PROTECTED]> writes:
>
>> Some security policies often require that version numbers not be
>> disclosed.
>
> Well, that's security by obscurity which I've never thought was a good
> idea. Also, no vulnerabilities have been found in TMDA to my
> knowledge.

There are some good papers on why obscurity is a reasonable adjunct to security - just don't rely(!) on it.

I have done the one e-mail leak report for a friend, which went something along the lines of: from this one e-mail I know you have a vulnerable mail client, a vulnerable Exchange server, I know your internal IP address range and the naming convention used on internal servers, I know what OS you are using on desktop and server. I agree they should patch client and server, but should anyone doing a Google search, or getting into my machine, know this much about another company's internal IT system because they sent me one e-mail, or sent one message to a mailing list?

The security services have long prided themselves on cloaking everything they do in obscurity, from recruitment to covert operations - is this bad for security?

> Anyway, I just remembered that you could probably strip
> X-Delivery-Agent by setting PURGED_HEADERS.

Postfix uses header_checks to do this, and is quite good, although it does insist on telling people it is Postfix in bounced messages!

With his usual acute observation Wietse (whilst acknowledging obscurity shouldn't be relied on) pointed out you should whitelist acceptable headers, not blacklist "leaky" ones, if you persist in this approach.

The Postfix mailing list also recently discussed how to filter on outgoing only, which is harder with Postfix than it ought to be as it doesn't distinguish incoming and outgoing when tidying up.

Rewriting envelopes at the MTA level is of course SMTP infringing, so exercise care.

_____________________________________________
tmda-users mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-users
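The whitelist-versus-blacklist point above, shown on an outgoing message in Python (TMDA's own language). This is an added example, not code from the post, from TMDA or from Postfix; the ALLOWED policy and the sample message are constructed assumptions.

```python
from email import message_from_string

# Hypothetical outbound policy (an assumption, not TMDA's or Postfix's):
# only these headers may leave the site; everything else is dropped.
ALLOWED = frozenset({
    "from", "to", "cc", "reply-to", "subject", "date", "message-id", "in-reply-to",
    "references", "mime-version", "content-type", "content-transfer-encoding",
})
# The blacklist alternative: only the "leaky" headers someone remembered to list.
LEAKY = frozenset({"x-mailer", "x-delivery-agent"})


def strip_blacklisted(msg, leaky=LEAKY):
    """Blacklist approach: remove only the headers the list names."""
    for name in set(msg.keys()):
        if name.lower() in leaky:
            del msg[name]  # removes every occurrence; order of the rest is kept
    return msg


def keep_whitelisted(msg, allowed=ALLOWED):
    """Whitelist approach: keep only headers the policy explicitly permits."""
    for name in set(msg.keys()):
        if name.lower() not in allowed:
            del msg[name]
    return msg


def surviving_headers(raw, mode):
    """Parse raw RFC 2822 text, sanitize it in the given mode, list what survives."""
    msg = message_from_string(raw)
    msg = strip_blacklisted(msg) if mode == "blacklist" else keep_whitelisted(msg)
    return list(msg.keys())


# Constructed sample: an outgoing message whose headers reveal an internal
# workstation name, the private address range, and the client software.
SAMPLE = """\
Received: from ws-finance-07.corp.example (10.1.2.3) by mx1.corp.example
From: alice@example.com
To: tmda-users@example.net
Subject: test
Date: Mon, 20 Jan 2003 10:00:00 +0000
Message-ID: <1@example.com>
X-Mailer: SomeClient 5.5 (constructed)
X-Delivery-Agent: TMDA (constructed)
X-Originating-IP: [10.1.2.3]
MIME-Version: 1.0
Content-Type: text/plain

body
"""
```

The blacklist run still leaks the Received trace and X-Originating-IP because nobody listed them; the whitelist run keeps only the seven policy headers.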
