On 02/10/2011 03:41 PM, Warren Togami Jr. wrote:
> On 2/10/2011 1:29 PM, John Hardin wrote:
>> I suppose we ought to compose a boilerplate response for the
>> inevitable visitors who will show up asking about this "exploit in
>> SpamAssassin"...
> 
> Perhaps more than boilerplate, but rather an official advisory to
> clear up the confusion?  Given that upstream of that milter is dead,
> nobody else will make an official advisory?

This came from an accidental lost checkin that has since been fixed.
There is little activity on the spamass-milter project because it
doesn't need anything; almost all updates go to SA and the MTAs rather
than the milter.

As noted by Robert Schetterer, postfix doesn't allow this syntax
anymore.  As Giles Goochey forwarded from the sa-milter list, maintainer
Dan Nelson has committed the patch to CVS and will officially release
the fix this weekend.  I'm one of several people who have mentioned that
this is fixed in both Fedora- and Debian-derived systems.

There appears to be a communication issue between these two lists; once
I connected the SA list to the SA-milter list, the issue got resolved in
very quick order.  SA-milter is still one of the best methods for
invoking SA from sendmail or postfix.

I consider it a mission-critical component to be able to deliver a
rejection notice at SMTP-time (to avoid backscatter from an emailed
bounce message).  The other systems out there (specifically amavis and
mailscanner) just can't do this while spamass-milter does it with very
little overhead or configuration.

I've considered working on boosting the support for SA in
milter-greylist (my C is 5-10+ years rusty and my free time is sparse),
but most people have a hard time understanding that you can use that
milter without greylisting -- it does all sorts of useful things at
SMTP-time (before and after DATA), including SPF, DKIM, DNSBLs,
tarpitting, spamassassin (limited), p0f, and greylisting.

Notes on SA support in Milter-Greylist:
http://tech.groups.yahoo.com/group/milter-greylist/message/5621
(Tip for evading Yahoo's cookies: set UserAgent to "Googlebot/2.1")
