X-Git-Url: http://git.madism.org/?a=blobdiff_plain;f=doc%2Fmanual.sgml.head;h=66898380e82f6d0daba757719c90577de4ceb117;hb=618ceafdc9564dbb8f3bf45c3869297a1d5a3320;hp=6469349d26d04fe34ffb053880f71643def5f8cc;hpb=c6b020e0fa5c38e4fd8a6ffb75e00338c0535b11;p=apps%2Fmadmutt.git diff --git a/doc/manual.sgml.head b/doc/manual.sgml.head index 6469349..6689838 100644 --- a/doc/manual.sgml.head +++ b/doc/manual.sgml.head @@ -1664,82 +1664,132 @@ is ``*'', Format = Flowed -

Mutt-ng contains support for so-called For introductory information on . - -

When you receive emails that are marked as Introduction - -set wrapmargin = 10 - +

Mutt-ng contains support for so-called The code above makes the line break 10 columns before the right -side of the terminal. +

For introductory information on . -

If your terminal is so wide that the lines are embarrassingly long, -you can also set a maximum line length: + - -set max_line_length = 120 - + Receiving: Display Setup -

The example above will give you lines not longer than 120 -characters. +

When you receive emails that are marked as When you view at + set wrapmargin = 10 + - ->Bill, can you please send last month's progress report to Mr. ->Morgan? We also urgently need the cost estimation for the new ->production server that we want to set up before our customer's ->project will go live. - +

The code above makes the line break 10 columns before the right + side of the terminal. -

This obviously doesn't look very nice, and it makes it very -hard to differentiate between text and quoting character. The -solution is to configure mutt-ng to "stuff" the quoting: +

If your terminal is so wide that the lines are embarrassingly long, + you can also set a maximum line length: - -set stuff_quoted - + + set max_line_length = 120 + -

This will lead to a nicer result that is easier to read: +

The example above will give you lines not longer than 120 + characters. - -> Bill, can you please send last month's progress report to Mr. -> Morgan? We also urgently need the cost estimation for the new -> production server that we want to set up before our customer's -> project will go live. - +

When you view at + >Bill, can you please send last month's progress report to Mr. + >Morgan? We also urgently need the cost estimation for the new + >production server that we want to set up before our customer's + >project will go live. + -

If you want mutt-ng to send emails with This obviously doesn't look very nice, and it makes it very + hard to differentiate between text and quoting character. The + solution is to configure mutt-ng to "stuff" the quoting: - -set text_flowed - + + set stuff_quoted + -

Additionally, you have to use an editor which supports writing -This will lead to a nicer result that is easier to read: + + + > Bill, can you please send last month's progress report to Mr. + > Morgan? We also urgently need the cost estimation for the new + > production server that we want to set up before our customer's + > project will go live. + + + + + Sending + +

If you want mutt-ng to send emails with + set text_flowed + + +

Additionally, you have to use an editor which supports writing + Also note that + + just a space for formatting reasons + + + + Please make sure that you manually prepend a space to each of them. + + + + Additional Notes + +

For completeness, the variable provides the mechanism + to generate a @@ -4298,6 +4348,164 @@ muttrc. +Security Considerations + +

First of all, mutt-ng contains no security holes included by + intention but may contain unknown security holes. As a consequence, + please run mutt-ng only with as few permissions as possible. + +

Please do not run mutt-ng as the super user. + +

When configuring mutt-ng, there're some points to note about secure + setups. + +

In practice, mutt-ng can be easily made as vulnerable as even the + most insecure mail user agents (in their default configuration) just + by changing mutt-ng's configuration files: it then can execute + arbitrary programs and scripts attached to messages, send out private + data on its own, etc. Although this is not believed to the common type + of setup, please read this chapter carefully. + + Passwords + +

Although mutt-ng can be told the various passwords for accounts, + please never store passwords in configuration files. Besides the + fact that the system's operator can always read them, you could + forget to replace the actual password with asterisks when reporting + a bug or asking for help via, for example, a mailing list so that + your mail including your password could be archived by internet + search engines, etc. Please never store passwords on disk. + + + + Temporary Files + +

Mutt-ng uses many temporary files for viewing messages, verifying + digital signatures, etc. The + variable can be used to change the default permissions of these + files. Please only change it if you really know what you are doing. + Also, a different location for these files may be desired which can + be changed via the variable. + + + + Information Leaks + + Message-ID: headers + +

In the default configuration, mutt-ng will leak some information + to the outside world when sending messages: the generation of + variable. Please make sure that + you really know how local parts of these + + mailto:-style links + +

As mutt-ng be can be set up to be the mail client to handle + variable is For example, following a link like + + +mailto:joe@host?Attach=~/.gnupg/secring.gpg + + will send out the user's private gnupg keyring to When variable, mutt-ng will + + + + be less strict when interpreting these links by + prepending a turn on the variable by + force to let the user see all the headers + (because they still may leak information.) + + + + + + + + External applications + +

Mutt-ng in many places has to rely on external applications or + for convenience supports mechanisms involving external + applications. + + mailcap + +

One of these is the + variable for details.) + + These utilities may have a variety of security vulnerabilities, + including overwriting of arbitrary files, information leaks or + other exploitable bugs. These vulnerabilities may go unnoticed by + the user, especially when they are called automatically (and + without interactive prompting) from the mailcap file(s). When + using mutt-ng's autoview mechanism in combination with mailcap + files, please be sure to... + + + + manually select trustworth applications with a reasonable + calling sequence + + periodically check the contents of mailcap files, + especially after software installations or upgrades + + keep the software packages referenced in the mailcap file up to date + + leave the variable in its default + state to restrict mailcap expandos to a safe set of characters + + + + + + Other + +

Besides the mailcap mechanism, mutt-ng uses a number of other + external utilities for operation. + +

The same security considerations apply for these as for tools + involved via mailcap (for example, mutt-ng is vulnerable to Denial + of Service Attacks with compressed folders support if the + uncompressed mailbox is too large for the disk it is saved to.) + +

As already noted, most of these problems are not built in but + caused by wrong configuration, so please check your configuration. + + + + + + + Reference Command line options