[Mimedefang] Quarantine management - anyone else working on this?

Paul Murphy pmurphy at ionixpharma.com
Fri Apr 2 06:52:46 EST 2004


OK, here's my code (attached) as it stands at the moment, with some instructions
and comments below.

Status
======

This is very much ALPHA code - if you read the source, you'll see that it uses a
horrible mix of Perl CGI calls and raw HTML, which is not good style.  However,
it works, and I'll have time later to carry out some plastic surgery to make it
look better.  Use it at your own risk - there is no warranty.

Installation
============

Drop the two files into your CGI bin, making sure that they are executable, and
owned by the user you run your webserver as, so that they can be executed.
Ensure that they cannot be modified by anyone else.

Configure your webserver to include an appropriate CGI handler for Perl code, if
it doesn't already have one.  On Apache, this should be something like:

    AddHandler cgi-script .cgi .sh .pl

You must also edit the main quarantine.pl script as indicated, so that it uses
the correct inbound and outbound e-mail servers - the assumption is that the
server running MIMEDefang is a gateway system, which forwards incoming mail to
another server, and which optionally forwards outbound mail to a smart host for
onward delivery.  If your system is an end-node which does direct outbound
delivery, set both the local and remote SMTP servers to localhost, and ensure
that your mimedefang-filter has a way to skip checks on mail from the local
system, otherwise you will re-examine and re-quarantine released messages.

Permissions
===========

MIMEDefang creates its quarantine folders as the defang user (or whatever user
you've configured MIMEDefang to run as), which means that your webserver user
probably has no access to the quarantine folders.  This has to be sorted out
before the scripts will work.

There are three approaches:

A.  Make all of your programs run as the same unprivileged user, such as defang
or nobody.  While this will work, it can possibly open up all of the systems to
compromise if one has a security issue.

B.  Patch the MIMEDefang code to force all quarantine folders to be created with
full group access (mode 770), and to set the group to something which the web
server is a member of, so that full access is granted.  This works OK, but has
to be re-done every time a new version of MIMEDefang is installed, and is not
guaranteed to be future proof.

C.  Have a cron job which runs every minute (or whatever interval you prefer)
which changes the permissions appropriately.  I use this method, running:

    chmod -R g+rwx /var/spool/MD-Quarantine

If the permissions are incorrect, the main script will display a warning that it
cannot access the folder.  Note that if a message has been quarantined after the
last run of the cron job, you will not be able to view it until the next cron
run has completed.

Functionality
=============

This code is intended to perform five main tasks:

A.  Display a summary of the messages which have been quarantined so that the
queue can be managed
B.  Release messages for delivery if they have been quarantined in error
C.  Delete messages which have been quarantined correctly
D.  Re-direct messages to IT Support addresses for further inspection or action
E.  Allow viewing of the message details wherever possible.

The main display presents a table of messages which are being held in
quarantine.  These are displayed in date order.  The table shows the sender,
recipients, subject, the filename of quarantined parts, and the reason for a
message being quarantined.  

Sorting of messages by other field headings is not supported at this time.

When viewing a message, the display program will show a navigation header which
lists the files which can be viewed in the quarantine folder.  Binary files
(from quarantined parts) are not displayed.  When an entire message has been
quarantined, this can be viewed, but you should be wary of large messages as
this could cause difficulties when the file is sent to the browser.

All fields which could contain HTML code are displayed using the <XMP>
formatting tag, which prevents interpretation of the contents as HTML - this tag
is supported by most browsers but is described as obsolete, which is a shame
since the suggested replacement is <PRE>, which most browsers treat in the same
way as <FONT> or <B>, i.e. they change the formatting, but embedded HTML tags
are still interpreted.  Think of a message which has something nasty in it,
either as javascript or something like an image which has a remote CGI script as
its source.  Since you want to look at the source, we have to stop the HTML
being interpreted.

Security
========

These scripts make no effort to authenticate the user who runs them - this is
not the job of the script, since the web server is more than capable of doing
this for you using any or all of the following:

    basic/digest/certificate authentication
    SSL
    .htaccess files
    httpd.conf directives

to restrict access by username/password, certificate ownership, IP address, etc,
etc.

Comments welcome!

Best Wishes,

Paul.
__________________________________________________
Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA

Tel. 01223 433741
Fax. 01223 433788



-------------- next part --------------
A non-text attachment was scrubbed...
Name: quar_display.pl
Type: application/octet-stream
Size: 3131 bytes
Desc: quar_display.pl
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20040402/60925f42/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: quarantine.pl
Type: application/octet-stream
Size: 17072 bytes
Desc: quarantine.pl
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20040402/60925f42/attachment-0001.obj>
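
Added example (not part of the original post or of the attached scripts): one way to make quarantined text inert for display is to entity-escape it before placing it inside `<pre>`, rather than relying on `<XMP>`, whose content ends at the first literal `</XMP>` found in the message. The helper names `escape_html` and `render_field` are hypothetical, and the sample message body is constructed.

```perl
#!/usr/bin/perl
# Added example; not taken from quarantine.pl or quar_display.pl.
use strict;
use warnings;

# Characters that are significant in HTML text and attribute values.
my %ENTITY = (
    '&' => '&amp;',
    '<' => '&lt;',
    '>' => '&gt;',
    '"' => '&quot;',
    "'" => '&#39;',
);

# Hypothetical helper: turn untrusted text into inert HTML text.
sub escape_html {
    my ($text) = @_;
    return '' unless defined $text;
    # Single pass over the input, so '&' is never escaped twice.
    $text =~ s/([&<>"'])/$ENTITY{$1}/g;
    # Drop control characters other than tab, LF and CR.
    $text =~ s/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]//g;
    return $text;
}

# Hypothetical helper: wrap one quarantined field for the viewer page.
sub render_field {
    my ($label, $value) = @_;
    return sprintf("<h3>%s</h3>\n<pre>%s</pre>\n",
                   escape_html($label), escape_html($value));
}

# Constructed sample: a body containing markup, including a closing tag
# for the wrapper element that an <xmp>-based viewer would honour.
my $body = join "\n",
    'Subject: invoice',
    '',
    '</xmp><img src="http://tracker.example/hit.cgi?id=42">',
    '<script>document.title = "ran"</script>';

my $html = render_field('Message source', $body);
print $html;

# Self-check: no raw tag from the message survives in the output.
die "unescaped markup in output\n" if $html =~ /<(?:script|img|\/xmp)/i;
```

The browser shows the message source character for character, and nothing in it is parsed as a tag, so no remote image is fetched and no script runs.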

