search

scVENUS / PeekabooAV-Installer

This repository provides scripts and configuration files to install, update and test a Peekaboo installation
GNU General Public License v3.0
7 stars 9 forks source link

add some default blocked files and mime types #47

Closed Clevero closed 4 years ago

Clevero commented 4 years ago

This PR extends the default blocked file extensions and mime types from debian amavis.

Some of the new derive from https://www.allianz-fuer-cybersicherheit.de/ACS/DE/Micro/E-Mailsicherheit/emotet.html others from our settings.

Jack28 commented 4 years ago

Thanks for sharing. You are bringing up an old discussion here ^^. I have been thinking about including configuration options like this a while ago. Never finished though.

Maybe it would be better to only include settings like these with a # in front? (I’m not saying ”go and comment out every line”!)

How email is used varies a lot, amount, size, type of attachments ... . And there might even be sane reasons to send certain file types.

I guess what I’m trying to say is these hard coded lists are part of the surroundings of Peekaboo. We can/should only do our job and trust the administrators to know how, what and for whom he is using Peekaboo and hope has adequate measure to secure from the other risks.

Let me know if I’m lost here and what’s your opinion

michaelweiser commented 4 years ago

I guess what I’m trying to say is these hard coded lists are part of the surroundings of Peekaboo. We can/should only do our job and trust the administrators to know how, what and for whom he is using Peekaboo and hope has adequate measure to secure from the other risks.

There is a case to be made for providing a secure default configuration. Generally, commenting out stuff to open up holes is easier than locking stuff down. OTOH we should certainly not provide a false sense of security to admins by providing an elaborate default configuration that looks comprehensive and complete while it isn't.

While it's certainly no question that what we install should not have security problems it's another question whether what we install should in it's default configuration solve all the user's security problems. Therefore I'm also leaning towards providing commented out examples that can easily be activated.

michaelweiser commented 4 years ago

The same could be said of https://github.com/scVENUS/PeekabooAV-Installer/blob/master/amavis/50-peekaboo#L64 because it's certainly elaborate and changes amavis default behaviour.

Jack28 commented 4 years ago

@Clevero, whar do you think? Do you agree to providing well documentet, commented out examples? I agree with @michaelweiser, we don't require these settings, we can propose them with background attached and help our users that way

Clevero commented 4 years ago

Sorry, had yesterday my final exams and had not plenty time besides work Hope the last commit fits the needed changes

Or should this be in the wiki?

michaelweiser commented 4 years ago

Or should this be in the wiki?

No need to hide this away in the wiki, IMO.