Re: [exim] New Stuff

Author: Fred Viles
Date:
To: exim-users
Subject: Re: [exim] New Stuff
On 24 Feb 2005 at 18:17, Stephen Gran wrote about
    "Re: [exim] New Stuff":


| On Thu, Feb 24, 2005 at 01:44:35PM -0800, Fred Viles said:

|...
| > To my mind, the big question is why clamd does not recognise the .eml
| > file as a MIME message that should be unpacked.
|
| <ClamAV maintainer hat on>
|
| Do you mind trying a little debugging work?


I've just been doing that, and have some major egg to wipe off my
face. I wasn't testing what I thought I was testing (ever heard that
before?), because I keep forgetting that in my config, email
submitted by authenticated users isn't scanned.

I looked at the libclamav code, and found the code that detects file
type by its content. It certainly *looked* like it should work, so I
ran clamd in debugging mode to see what was up. When I got no output
*at all* for my test message, even *with* demime in place, the
lightbulb finally went off.

Retesting without authentication shows that clamd indeed recognized
and unpacked my test message. Sorry for the noise. Though, in my
defense, the misinformation still exists in the latest exim docs.

David, FYI, I was *not* wrong about decode=. decode= does not cause
malware= to pass the individual decoded message parts to the scanner.
With "decode = default" in the MIME ACL and no "demime =" in the DATA
ACL, the complete message file is passed to the scanner.

- Fred