Re: On-* quarantine fails

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Thu, 25 Apr 2013 14:34:59 -0700 (PDT)

On Thu, 25 Apr 2013, Claus Assmann wrote:
> If libmilter/MTA doesn't support quarantining, then you want to detect
> that as early as possible. If you can figure it out during "configure",
> then those quarantine options should not be available for the config
> file.

Obviously you can't tell if the MTA talking to you supports quarantining
until runtime, but you can tell if your own libmilter does at compile
time.

>> That way we get to automate away a config file option and command line
>> flag we probably no longer need. Does that seem reasonable?
>
> I don't understand this part, sorry. The (global) "Quarantine"
> option has a different purpose than those for On-*, right?

It seems to be fairly obsolete in the current code. It's tied to a flag
that requests quarantining of messages that result in unknown errors from
openssl, or on specific request by a policy script, or via one of the On-*
settings.

I think the following will work:

- detect at compile time if libmilter supports quarantining; if not,
arrange to reject the configuration if any On-* requests quarantine or if
the OpenSSL capture thing is enabled (i.e., fail to start if that's the
case)

- at run time, when talking to an MTA that doesn't have quarantine service
(by negotiation) and a quarantine action is requested, replace it with
temp-fail and log something

Does that make sense?

-MSK
Received on Thu Apr 25 2013 - 21:35:31 PST
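
The two checks proposed in the message above, as an added sketch that is not part of the original post and not the project's own code. The `struct config` layout, the `action` enum and both function names are hypothetical, and `SMFIF_QUARANTINE` is defined locally as a stand-in so the block builds without libmilter installed.

```c
#include <stdio.h>

/* Constructed stand-in so the sketch builds without libmilter; a real milter
 * gets SMFIF_QUARANTINE from <libmilter/mfapi.h> when the library has it. */
#define SMFIF_QUARANTINE 0x00000020UL
#ifdef SMFIF_QUARANTINE
# define LIB_HAS_QUARANTINE 1   /* compile-time answer for our own libmilter */
#else
# define LIB_HAS_QUARANTINE 0
#endif

enum action { ACT_ACCEPT, ACT_REJECT, ACT_TEMPFAIL, ACT_QUARANTINE };

/* Hypothetical config: the On-* actions plus the OpenSSL error capture flag. */
struct config { enum action on[4]; int n_on; int capture_openssl_errors; };

/* Startup check: returns 0 (refuse to start) when the configuration needs
 * quarantine but the library we were built against cannot provide it. */
int config_ok(const struct config *c, int lib_has_quarantine)
{
    if (lib_has_quarantine)
        return 1;
    if (c->capture_openssl_errors)
        return 0;
    for (int i = 0; i < c->n_on; i++)
        if (c->on[i] == ACT_QUARANTINE)
            return 0;
    return 1;
}

/* Per-connection check: mta_actions is the set of action flags the MTA
 * offered during negotiation. Quarantine without it becomes temp-fail. */
enum action effective_action(enum action wanted, unsigned long mta_actions)
{
    if (wanted == ACT_QUARANTINE && !(mta_actions & SMFIF_QUARANTINE)) {
        fprintf(stderr, "quarantine not offered by MTA; using temp-fail\n");
        return ACT_TEMPFAIL;
    }
    return wanted;
}

int main(void)
{
    struct config c = { { ACT_REJECT, ACT_QUARANTINE }, 2, 0 };  /* constructed */
    printf("config ok: %d\n", config_ok(&c, LIB_HAS_QUARANTINE));
    printf("action: %d\n", effective_action(ACT_QUARANTINE, 0x1UL));
    return 0;
}
```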
