Autor: W B Hacker Datum: To: exim users Betreff: Re: [exim] replacing headers in ACLs
Stanislaw Halik wrote:
> On Mon, Apr 03, 2006, W B Hacker wrote:
>
>>>i'm trying to replace headers in the ACLs, so i could hint SpamAssassin
>>>(through exiscan-acl) about the status of callout verification. however,
>>>'warn message' adds a new header instead of replacing the existing one.
>>>
>>>is replacing headers ACL-time possible or is there any good workaround?
>>
>>Suggest you leave the original headers alone, add what you need
>>in an X-header, 'act' on that X-header.
>
>
> 'warn' inserts an another header below existing ones, the first one
> (above) is the one interpreted. SA interprets the first encountered
> header, when many of them exist. this way, rogue users could send email
> with headers influencing SA's decision. am i being overly paranoid? :-)
>
> -- sh
>
Not paranoid at all - spam is often loaded with nonsense headers
- though I haven't seen SA falling for them.
In any case, it is easier to create 'unique' X-headers and keep
them confidential if they are stripped after use and never
'seen' by the outside world.
For that matter, flags in acl_c or acl_m variables cover that
ground even better for 'smtp time' scanning (all of ours).
A header is useful only if some sort of flag must survive beyond
the Exim smtp phase and travel with the message.
Even then it can be stripped once it has served it purpose,
either by the external process, or by Exim after re-injection.
Trying to control SA 'remotely' with header content risks having
surprises when SA updates itself - as it must do.
Better to delve into SA and configure it the way you need it to
work, and in such a manner as to survive its periodic refreshes.
