Ralf Hauser:
> Hi Wietse,
>
> Thx for the quick reply.
>
> > > This can cause contents to be disclosed since not treated properly by
> > > above-mentioned gateways (in particular, if the main.cf doesn't say
> > > bounce_size_limit=1 [the value 0 is not permitted??]).
> >
> > Normally, "zero" means "no limit" in Postfix. I did not think that
> > that would be desirable in the case of bounce messages.
>
> Sure, in most cases, a content leak of 1 character isn't a big deal.

Actually, there is no 1-character leak, because Postfix does not truncate
text that exceeds the bounce_size_limit setting. That would break message
formats.

Instead, Postfix produces bounce messages according to the formats defined
in RFC 3461-3464 (Delivery Status Notifications) and in RFC 2045-2048 (MIME).
When the message is smaller than the bounce size limit, Postfix sends a
message/rfc822 segment, otherwise Postfix sends text/rfc822-headers. There
is no code in Postfix to measure the size of the message header against the
bounce size limit.

See also my comments below about why I disagree with the idea of a global
configuration setting to send header-less bounces.

> But perhaps the semantics could be:
>
> 0 = unlimited original message can be attached (albeit it is de facto
> limited by 'message_size_limit' of the incoming message...)
>
> -1 = do not attach original message
>
> -2 = don't even attach the header details: revealing who are the
> recipients and what is the title may well be undesirable in some
> MTA configurations. No "Undelivered Message Headers.txt" attachment
> or alike.
>
> What do you think?

Hm. That would specify non-size information via a size-limit parameter.

Personally, I think that bounces without returned headers are a complete
waste of human and computer resources, because the receiver has no idea
what message was undeliverable.

In fact, bounces without returned headers are harmful. With today's
backscatter mail, the original message header is needed to block bounced
forgeries without losing legitimate email.

In summary, I think that it is wrong to turn off returned headers without
consideration for what mail is being returned. If you want to improve
Postfix to make it security-gateway friendly, then the changes should not
be presented as isolated little hacks (as above), but they need to be part
of an over-all plan.

	Wietse
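The following is an added example, not Postfix code and not part of the thread above. It builds an RFC 3464-style bounce the way Wietse's reply describes the choice: an original message whose total size is within bounce_size_limit comes back as a message/rfc822 part, a larger one comes back as text/rfc822-headers, and in neither case is the header block itself measured or truncated. The sample original message, the recipient and MTA names are constructed for the demonstration; the 50000-byte default is Postfix's documented bounce_size_limit default and is used here only as a plain byte threshold. The last function shows what a receiving site gains from the returned headers: whichever form the bounce carries, the Message-ID and other original headers can be recovered and matched against the site's own outbound mail, which is what makes backscatter recognisable.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Postfix's documented default for bounce_size_limit (bytes); only a
# byte threshold here, no special meaning is given to 0 or negative values.
DEFAULT_BOUNCE_SIZE_LIMIT = 50000

# Constructed sample original message (not real mail).
SAMPLE_ORIGINAL = (
    b"From: alice@example.org\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: Quarterly numbers\r\n"
    b"Message-ID: <constructed-1@example.org>\r\n"
    b"\r\n"
    b"Body text that may be confidential.\r\n"
)


def return_part_type(original_size: int, bounce_size_limit: int) -> str:
    """Pick the third part of the multipart/report.

    The whole message is compared against the limit; the header block
    is never measured on its own, and nothing is ever truncated.
    """
    if original_size <= bounce_size_limit:
        return "message/rfc822"
    return "text/rfc822-headers"


def header_block(original: bytes) -> bytes:
    """Header section of a raw message, i.e. everything before the blank line."""
    return re.split(rb"\r?\n\r?\n", original, maxsplit=1)[0]


def build_dsn(original: bytes, failed_rcpt: str, reporting_mta: str,
              bounce_size_limit: int = DEFAULT_BOUNCE_SIZE_LIMIT) -> EmailMessage:
    """Assemble a multipart/report bounce for one undeliverable recipient."""
    orig_msg = BytesParser(policy=policy.default).parsebytes(original)

    bounce = EmailMessage(policy=policy.SMTP)
    bounce["From"] = f"MAILER-DAEMON@{reporting_mta}"
    bounce["To"] = str(orig_msg["From"])
    bounce["Subject"] = "Undelivered Mail Returned to Sender"
    bounce.make_mixed()
    bounce.set_type("multipart/report")
    bounce.set_param("report-type", "delivery-status")

    # Part 1: human-readable notice.
    notice = EmailMessage(policy=policy.SMTP)
    notice.set_content(f"Delivery to {failed_rcpt} failed permanently.\n")
    bounce.attach(notice)

    # Part 2: machine-readable status; per-message and per-recipient
    # field groups are separate header-only blocks (RFC 3464).
    per_message = EmailMessage(policy=policy.SMTP)
    per_message["Reporting-MTA"] = f"dns; {reporting_mta}"
    per_recipient = EmailMessage(policy=policy.SMTP)
    per_recipient["Final-Recipient"] = f"rfc822; {failed_rcpt}"
    per_recipient["Action"] = "failed"
    per_recipient["Status"] = "5.1.1"
    status = EmailMessage(policy=policy.SMTP)
    status["Content-Type"] = "message/delivery-status"
    status.set_payload([per_message, per_recipient])
    bounce.attach(status)

    # Part 3: the returned original, complete or headers-only.
    returned = EmailMessage(policy=policy.SMTP)
    if return_part_type(len(original), bounce_size_limit) == "message/rfc822":
        returned.set_content(orig_msg)
        returned["Content-Description"] = "Undelivered Message"
    else:
        returned.set_content(header_block(original).decode("utf-8", "replace"),
                             subtype="rfc822-headers")
        returned["Content-Description"] = "Undelivered Message Headers"
    bounce.attach(returned)
    return bounce


def returned_headers(bounce: EmailMessage) -> str:
    """Original header block a backscatter filter can match against its own
    outbound log, whichever of the two return forms the bounce carries."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            inner = part.get_payload(0)
            return "".join(f"{k}: {v}\n" for k, v in inner.items())
        if ctype == "text/rfc822-headers":
            return part.get_content()
    return ""


if __name__ == "__main__":
    for limit in (DEFAULT_BOUNCE_SIZE_LIMIT, 1):
        dsn = build_dsn(SAMPLE_ORIGINAL, "bob@example.net", "mx.example.org", limit)
        print(f"--- bounce_size_limit={limit} ---")
        print(dsn.as_string())
```

Running the block prints both shapes of the bounce: with the default limit the whole sample message (body included) is returned as message/rfc822; with a limit of 1 byte only the header block comes back as text/rfc822-headers, still carrying Subject, recipients and Message-ID. That is the trade-off the thread is about: the small limit keeps the body out of the bounce, but the headers remain, and returned_headers() shows they remain usable for identifying the undeliverable message.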