Tom Kistner wrote:
> The former. You can implement most of the old error conditions
> through the logic of the MIME ACL itself. These are:

Thanks Tom. So based on your information, I've crafted the following
ACLs that replicate the level 3 MIME error checks provided by the old
demime function. All values are taken straight from demime.h.

# Too many MIME parts
#
deny
  condition = ${if >{$mime_part_count}{1024}{yes}{no}}
  message = Too many MIME parts (max 1024)
  log_message = DENY: MIME Error (Too many MIME parts: $mime_part_count)

# Excessive line length
#
deny
  regex = "^.{131071}$"
  message = MIME error: Line length in message or single header exceeds 131071.
  log_message = DENY: MIME Error (Maximum line length exceeded)

# Partial message
#
deny
  condition = ${if eq {$mime_content_type}{message/partial}{yes}{no}}
  message = MIME error: MIME type message/partial not allowed here
  log_message = DENY: MIME Error (MIME type message/partial found)

# Filename length too long (> 512 characters)
#
deny
  condition = ${if >{${strlen:$mime_filename}}{512}{yes}{no}}
  message = MIME error: Proposed filename exceeds 512 characters
  log_message = DENY: MIME Error (Proposed filename too long)

# MIME boundary length too long (> 1024)
#
deny
  condition = ${if >{${strlen:$mime_boundary}}{1024}{yes}{no}}
  message = MIME error: MIME boundary length exceed 1024 characters
  log_message = DENY: MIME Error (Boundary length too long)

Some of these values seem a little high, particularly the line length of
131071 and the MIME boundary of 1024. I'll probably adjust the line
length down to 1024 and the MIME boundary down to 76 (as indicated from
the testvirus.org tests). Additionally, the maximum filename length for
most Windows machines is 255 characters. Since that's what we run here,
I'll probably go ahead and reduce that in size as well.

Additionally, am I correct in assuming that the line length check above
is only for MIME parts? If I wanted to check the line length of the
original message headers, I would need to perform a similar check in the
DATA ACL?

> UUDECODING is not supported any more but you can use an external
> unpacker using ${run, likewise for tnef.

I'll rely on ClamAV or McCrappy on our internal Exchange server to deal
with these.

Thoughts, input?

- S
---
Steven Dickenson <sdickenson@???>
Computer Network Manager
The Key School, Annapolis Maryland
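
The five conditions from the ACLs above, applied offline to a raw message so that threshold values can be tried against sample mail before the ACL is changed. This is an added example, not part of the original post: it uses Python's email parser rather than Exim's, so part counting is an approximation, and the function names and sample message are constructed.

```python
# Added example: offline approximation of the five MIME ACL checks in the post.
from email import message_from_bytes

# Limits as given in the post (taken there from demime.h).
LIMITS = {"parts": 1024, "line": 131071, "filename": 512, "boundary": 1024}
# The tighter values the post proposes (line 1024, filename 255, boundary 76).
TIGHT = {"parts": 1024, "line": 1024, "filename": 255, "boundary": 76}

def mime_errors(raw, limits=LIMITS):
    """Return the sorted names of the checks a raw message (bytes) trips."""
    errors = set()
    # Raw line length, headers and body alike, before any MIME decoding.
    if any(len(line) > limits["line"] for line in raw.splitlines()):
        errors.add("line length")
    leaf_parts = 0
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            if len(part.get_boundary() or "") > limits["boundary"]:
                errors.add("boundary length")
        else:
            leaf_parts += 1  # assumption: only leaf parts are counted
        if part.get_content_type() == "message/partial":
            errors.add("message/partial")
        if len(part.get_filename() or "") > limits["filename"]:
            errors.add("filename length")
    if leaf_parts > limits["parts"]:
        errors.add("too many parts")
    return sorted(errors)

def sample(boundary="B" * 80, filename="x" * 300 + ".txt"):
    """Constructed test message: long boundary, long filename, message/partial."""
    return (
        "From: sender@example.org\r\nMIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed; boundary="{boundary}"\r\n\r\n'
        f"--{boundary}\r\nContent-Type: text/plain\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n\r\nhi\r\n'
        f'--{boundary}\r\nContent-Type: message/partial; id="c1"; number=1\r\n\r\n'
        "Subject: fragment\r\n\r\nbody\r\n"
        f"--{boundary}--\r\n"
    ).encode("ascii")

if __name__ == "__main__":
    print("demime.h limits:", mime_errors(sample()))
    print("tightened limits:", mime_errors(sample(), TIGHT))
```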