[Mailman-Users] URL of scrubbed attachments missing in the list archive

Mark Sapiro mark at msapiro.net
Wed Jun 26 02:50:20 CEST 2013


On 06/25/2013 04:32 PM, kardan wrote:
> 
> The tree is like this (according to claws-mail)
> 1) * message/rfc822 (3.29MB)
> 2) ** multipart/alternative (3.29MB)
> 3) *** text/plain (1.14KB)
> 4) *** multipart/related (3.28MB)
> 5) **** text/html (3.83KB)
> 6) **** image/jpeg (3.28MB)
> 
[...]
> 
> The filter options:
> * filter_content: yes
> * filter_mime_types: <none>
> * pass_mime_types:
>> multipart/mixed
>> multipart/alternative
>> text/plain
[...]
> * collapse_alternatives: yes
> * convert_html_to_plaintext: yes



> 
> The resulting mail contained only (3) and had these headers:
> X-Mailman-Approved-At: Tue, 25 Jun 2013 04:35:52 +0200
> X-ContentX-Mailman-Approved-At: Tue, 25 Jun 2013 04:35:52 +0200
> X-Content-Filtered-By: Mailman/MimeDel 2.1.13-Filtered-By:
> Mailman/MimeDel 2.1.13
> Content-Type: text/plain; charset="utf-8"; Format="flowed"; DelSp="yes"
> 
> So multipart/related is not in the allowed MIME type and was filtered.
> I think it is no bad idea to have the above filenames filtered, while
> everything else should pass landing in the archive. Please give me a
> hint, how to achieve this.


As you surmise, your settings do not pass multipart/related so the
multipart/related part including its text/html and image/jpeg subparts
was removed.

Note that even if you were to change your pass_mime_types to

multipart
text/plain
text/html
image/jpeg

so that all the parts of the message are accepted, the result would
still only be the text/plain part because collapse_alternatives = Yes
means replace the multipart/alternative part with the first (the
text/plain) sub-part.

If you want to filter only on filename extensions and pass all MIME
types that don't have associated file names with the
filter_filename_extensions extensions, you want pass_mime_types to be
empty and collapse_alternatives and convert_html_to_plaintext to be No,
but this will potentially accept all kinds of malware which may have
Content-Type: application/octet-stream and no file name.

Whether this is safe or not depends on other things like discarding
non-member posts and knowing your list members.

The real question is do you really want some list member's 3.2 Mbyte jpeg
stationery background (if that's what it was) in your archive and
distributed to your list?

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
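
The two behaviours described in the reply above (pass_mime_types filtering, then collapse_alternatives) can be reproduced with a simplified model. This is an added example, not Mailman's own MimeDel code: the function names and the sample message are constructed for illustration, the outer message/rfc822 wrapper is omitted, and HTML conversion and filename-extension filtering are not modelled.

```python
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

def build_sample():
    """Constructed message with the MIME tree from the post (parts 2-6)."""
    related = MIMEMultipart("related")
    related.attach(MIMEText("<p>hello</p>", "html"))
    related.attach(MIMEImage(b"\xff\xd8\xff\xe0 constructed", _subtype="jpeg"))
    alt = MIMEMultipart("alternative")
    alt.attach(MIMEText("hello", "plain"))
    alt.attach(related)
    return alt

def allowed(part, pass_types):
    # Empty list passes everything; entries are "type/subtype" or a bare main type.
    return (not pass_types or part.get_content_type() in pass_types
            or part.get_content_maintype() in pass_types)

def filter_parts(part, pass_types):
    """Drop subparts not in pass_types, then drop multiparts left empty."""
    if not part.is_multipart():
        return
    kept = [p for p in part.get_payload() if allowed(p, pass_types)]
    for p in kept:
        filter_parts(p, pass_types)
    part.set_payload([p for p in kept if not p.is_multipart() or p.get_payload()])

def collapse_alternatives(part):
    """Replace each multipart/alternative with its first surviving subpart."""
    if not part.is_multipart():
        return part
    subs = [collapse_alternatives(p) for p in part.get_payload()]
    if part.get_content_type() == "multipart/alternative" and subs:
        return subs[0]
    part.set_payload(subs)
    return part

def tree(part):
    if part.is_multipart():
        return [part.get_content_type(), [tree(p) for p in part.get_payload()]]
    return part.get_content_type()

def run(pass_types, collapse):
    msg = build_sample()
    filter_parts(msg, pass_types)
    return tree(collapse_alternatives(msg) if collapse else msg)

if __name__ == "__main__":
    print(run({"multipart/mixed", "multipart/alternative", "text/plain"}, True))
    print(run({"multipart", "text/plain", "text/html", "image/jpeg"}, True))
    print(run({"multipart", "text/plain", "text/html", "image/jpeg"}, False))
```

The first two calls both yield only text/plain; only the third, with collapsing off and every type passed, keeps the multipart/related part and its image.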

