[exim-dev] [Bug 2282] New: Support HTTP-based & JSON-parsing…

Author: admin
Date:  
To: exim-dev
New-Topics: [exim-dev] [Bug 2282] Support HTTP-based & JSON-parsing content scanning (rspamd)
Subject: [exim-dev] [Bug 2282] New: Support HTTP-based & JSON-parsing content scanning (rspamd)
https://bugs.exim.org/show_bug.cgi?id=2282

            Bug ID: 2282
           Summary: Support HTTP-based & JSON-parsing content scanning
                    (rspamd)
           Product: Exim
           Version: N/A
          Hardware: All
                OS: All
            Status: NEW
          Severity: wishlist
          Priority: medium
         Component: Content Scanning
          Assignee: tom@???
          Reporter: pdp@???
                CC: exim-dev@???


https://rspamd.com/doc/architecture/protocol.html

That's an HTTP protocol layering information into custom headers, with
responses in JSON.

Enough stuff uses HTTP and JSON these days that integrating support as a
framework, for both spam and malware scanning, probably makes sense.

Tentatively: just use cURL for HTTP/HTTPS, make sure there's no way for
attacker-controlled input to leak out, make sure we handle
<"foo\r\nMessage-Length: 0"@???> as an SMTP Envelope Sender (and From:
header address), etc etc, and integrate a small C JSON library for parsing
responses.

For JSON, I'd be inclined to pick Jansson, <http://www.digip.org/jansson/> and
<https://github.com/akheron/jansson>. Else sajson.

Both of these will add build dependencies to Exim, so would be the sorts of
things not enabled by default, but open to others for parsing.

And once we have them, we can consider MTA-STS support I suppose, even though I
personally believe MTA-STS to be a horrible idea leading to coerced inclusion
of every possible trust anchor, for every possible domain, and utterly unsuited
for email. (It's equivalent to DANE usages 0 and 1, which were rejected for
use with SMTP MX delivery because of the exact failure modes which are the only
ones MTA-STS supports).

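The envelope-sender case named in the report, as an added example (not code from the report or from Exim): a value copied straight into a request header becomes two header lines, while a check for control bytes rejects it. The function names, the `From` header name and the `example.test` domain are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the envelope sender from the report, with real CR LF
   bytes in the quoted local part; example.test is a placeholder domain. */
static const char hostile_sender[] = "\"foo\r\nMessage-Length: 0\"@example.test";

/* Count CRLF-terminated lines: what the HTTP peer would parse as header lines. */
static int count_header_lines(const char *buf)
{
    int n = 0;
    for (const char *p = strstr(buf, "\r\n"); p; p = strstr(p + 2, "\r\n"))
        n++;
    return n;
}

/* "Before" (hypothetical helper): the value is copied straight into the request. */
static int naive_header(char *out, size_t len, const char *name, const char *value)
{
    int n = snprintf(out, len, "%s: %s\r\n", name, value);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* "After" (hypothetical helper): refuse any value holding a control byte
   (CR, LF, NUL, TAB, DEL, ...), so one envelope field can only ever become
   one header line. The explicit length lets an embedded NUL be seen too. */
static int checked_header(char *out, size_t len, const char *name,
                          const char *value, size_t value_len)
{
    for (size_t i = 0; i < value_len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (c < 0x20 || c == 0x7f)
            return -1;
    }
    int n = snprintf(out, len, "%s: %.*s\r\n", name, (int)value_len, value);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

int main(void)
{
    char buf[256];
    naive_header(buf, sizeof buf, "From", hostile_sender);
    printf("naive: %d header lines\n", count_header_lines(buf));
    printf("checked: rc=%d\n", checked_header(buf, sizeof buf, "From",
           hostile_sender, sizeof hostile_sender - 1));
    return 0;
}
```

Rejecting is the simplest policy; a scanner integration that must still pass such senders through would need an encoding that the receiving side is known to decode.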