<sect>Format = Flowed <!--{{{-->
-<p>Mutt-ng contains support for so-called <tt/format=flowed/ messages.
-In the beginning of email, each message had a fixed line width, and
-it was enough for displaying them on fixed-size terminals. But times
-changed, and nowadays hardly anybody still uses fixed-size terminals:
-more people nowaydays use graphical user interfaces, with dynamically
-resizable windows. This led to the demand of a new email format that
-makes it possible for the email client to make the email look nice
-in a resizable window without breaking quoting levels and creating
-an incompatible email format that can also be displayed nicely on
-old fixed-size terminals.
-
-<p>For introductory information on <tt/format=flowed/ messages, see
-<htmlurl url="http://www.joeclark.org/ffaq.html"
-name="<http://www.joeclark.org/ffaq.html>">.
-
-<p>When you receive emails that are marked as <tt/format=flowed/
-messages, and is formatted correctly, mutt-ng will try to reformat
-the message to optimally fit on your terminal. If you want a fixed
-margin on the right side of your terminal, you can set the
-following:
+ <sect1>Introduction <!--{{{-->
-<verb>
-set wrapmargin = 10
-</verb>
+ <p>Mutt-ng contains support for so-called <tt/format=flowed/ messages.
+ In the beginning of email, each message had a fixed line width, and
+ it was enough for displaying them on fixed-size terminals. But times
+ changed, and nowadays hardly anybody still uses fixed-size terminals:
+ more people nowaydays use graphical user interfaces, with dynamically
+ resizable windows. This led to the demand of a new email format that
+ makes it possible for the email client to make the email look nice
+ in a resizable window without breaking quoting levels and creating
+ an incompatible email format that can also be displayed nicely on
+ old fixed-size terminals.
-<p>The code above makes the line break 10 columns before the right
-side of the terminal.
+ <p>For introductory information on <tt/format=flowed/ messages, see
+ <htmlurl url="http://www.joeclark.org/ffaq.html"
+ name="<http://www.joeclark.org/ffaq.html>">.
-<p>If your terminal is so wide that the lines are embarrassingly long,
-you can also set a maximum line length:
+ <!--}}}-->
-<verb>
-set max_line_length = 120
-</verb>
+ <sect1>Receiving: Display Setup <!--{{{-->
-<p>The example above will give you lines not longer than 120
-characters.
+ <p>When you receive emails that are marked as <tt/format=flowed/
+ messages, and is formatted correctly, mutt-ng will try to reformat
+ the message to optimally fit on your terminal. If you want a fixed
+ margin on the right side of your terminal, you can set the
+ following:
-<p>When you view at <tt/format=flowed/ messages, you will often see
-the quoting hierarchy like in the following example:
+ <verb>
+ set wrapmargin = 10
+ </verb>
-<verb>
->Bill, can you please send last month's progress report to Mr.
->Morgan? We also urgently need the cost estimation for the new
->production server that we want to set up before our customer's
->project will go live.
-</verb>
+ <p>The code above makes the line break 10 columns before the right
+ side of the terminal.
-<p>This obviously doesn't look very nice, and it makes it very
-hard to differentiate between text and quoting character. The
-solution is to configure mutt-ng to "stuff" the quoting:
+ <p>If your terminal is so wide that the lines are embarrassingly long,
+ you can also set a maximum line length:
-<verb>
-set stuff_quoted
-</verb>
+ <verb>
+ set max_line_length = 120
+ </verb>
-<p>This will lead to a nicer result that is easier to read:
+ <p>The example above will give you lines not longer than 120
+ characters.
-<verb>
-> Bill, can you please send last month's progress report to Mr.
-> Morgan? We also urgently need the cost estimation for the new
-> production server that we want to set up before our customer's
-> project will go live.
-</verb>
+ <p>When you view at <tt/format=flowed/ messages, you will often see
+ the quoting hierarchy like in the following example:
+
+ <verb>
+ >Bill, can you please send last month's progress report to Mr.
+ >Morgan? We also urgently need the cost estimation for the new
+ >production server that we want to set up before our customer's
+ >project will go live.
+ </verb>
-<p>If you want mutt-ng to send emails with <tt/format=flowed/ set, you
-need to explicitly set it:
+ <p>This obviously doesn't look very nice, and it makes it very
+ hard to differentiate between text and quoting character. The
+ solution is to configure mutt-ng to "stuff" the quoting:
-<verb>
-set text_flowed
-</verb>
+ <verb>
+ set stuff_quoted
+ </verb>
-<p>Additionally, you have to use an editor which supports writing
-<tt/format=flowed/-conforming emails. For vim, this is done by
-adding <tt/w/ to the formatoptions (see <tt/:h formatoptions/ and
-<tt/:h fo-table/) when writing emails.
+ <p>This will lead to a nicer result that is easier to read:
+
+ <verb>
+ > Bill, can you please send last month's progress report to Mr.
+ > Morgan? We also urgently need the cost estimation for the new
+ > production server that we want to set up before our customer's
+ > project will go live.
+ </verb>
+
+ <!--}}}-->
+
+ <sect1>Sending <!--{{{-->
+
+ <p>If you want mutt-ng to send emails with <tt/format=flowed/ set, you
+ need to explicitly set it:
+
+ <verb>
+ set text_flowed
+ </verb>
+
+ <p>Additionally, you have to use an editor which supports writing
+ <tt/format=flowed/-conforming emails. For vim, this is done by
+ adding <tt/w/ to the formatoptions (see <tt/:h formatoptions/ and
+ <tt/:h fo-table/) when writing emails.
+
+ <p>Also note that <em/format=flowed/ knows about ``space-stuffing'',
+ that is, when sending messages, some kinds of lines have to be
+ indented with a single space on the sending side. On the receiving
+ side, the first space (if any) is removed. As a consequence and in
+ addition to the above simple setting, please keep this in mind when
+ making manual formattings within the editor. Also note that mutt-ng
+ currently violates the standard (RfC 3676) as it does not
+ space-stuff lines starting with:
+
+ <itemize>
+
+ <item><tt/>/ This is <em/not/ the quote character but a right
+ angle used for other reasons
+
+ <item><tt/From/ with a trailing space.
+
+ <item>just a space for formatting reasons
+
+ </itemize>
+
+ Please make sure that you manually prepend a space to each of them.
+
+ <!--}}}-->
+
+ <sect1>Additional Notes <!--{{{-->
+
+ <p> For completeness, the <ref id="delete_space"
+ name="$delete_space"> variable provides the mechanism
+ to generate a <tt/DelSp=yes/ parameter on <em/outgoing/ messages.
+ According to the standard, clients receiving a <tt/format=flowed/
+ messages should delete the last space of a flowed line but still
+ interpret the line as flowed. Because flowed lines usually contain
+ only one space at the end, this parameter would make the receiving
+ client concatenate the last word of the previous with the first of
+ the current line <em/without/ a space. This makes ordinary text
+ unreadable and is intended for languages rarely using spaces. So
+ please use this setting only if you're sure what you're doing.
+
+ <!--}}}-->
<!--}}}-->
<!--}}}-->
+<chapt>Security Considerations <!--{{{-->
+
+ <p>First of all, mutt-ng contains no security holes included by
+ intention but may contain unknown security holes. As a consequence,
+ please run mutt-ng only with as few permissions as possible.
+
+ <p>Please do not run mutt-ng as the super user.
+
+ <p>When configuring mutt-ng, there're some points to note about secure
+ setups.
+
+ <p>In practice, mutt-ng can be easily made as vulnerable as even the
+ most insecure mail user agents (in their default configuration) just
+ by changing mutt-ng's configuration files: it then can execute
+ arbitrary programs and scripts attached to messages, send out private
+ data on its own, etc. Although this is not believed to the common type
+ of setup, please read this chapter carefully.
+
+ <sect>Passwords <!--{{{-->
+
+ <p>Although mutt-ng can be told the various passwords for accounts,
+ please never store passwords in configuration files. Besides the
+ fact that the system's operator can always read them, you could
+ forget to replace the actual password with asterisks when reporting
+ a bug or asking for help via, for example, a mailing list so that
+ your mail including your password could be archived by internet
+ search engines, etc. Please never store passwords on disk.
+
+ <!--}}}-->
+
+ <sect>Temporary Files <!--{{{-->
+
+ <p>Mutt-ng uses many temporary files for viewing messages, verifying
+ digital signatures, etc. The <ref id="umask" name="$umask">
+ variable can be used to change the default permissions of these
+ files. Please only change it if you really know what you are doing.
+ Also, a different location for these files may be desired which can
+ be changed via the <ref id="tmpdir" name="$tmpdir"> variable.
+
+ <!--}}}-->
+
+ <sect>Information Leaks <!--{{{-->
+
+ <sect1>Message-ID: headers <!--{{{-->
+
+ <p>In the default configuration, mutt-ng will leak some information
+ to the outside world when sending messages: the generation of
+ <tt/Message-ID:/ headers includes a step counter which is increased
+ (and rotated) with every message sent. If you'd like to hide this
+ information probably telling others how many mail you sent in which
+ time, you at least need to remove the <tt/%P/ expando from the
+ default setting of the <ref id="msgid_format"
+ name="$msgid_format"> variable. Please make sure that
+ you really know how local parts of these <tt/Message-ID:/ headers
+ are composed.
+
+ <!--}}}-->
+
+ <sect1>mailto:-style links <!--{{{-->
+
+ <p>As mutt-ng be can be set up to be the mail client to handle
+ <tt/mailto:/ style links in websites, there're security
+ considerations, too. To keep the old behavior by default, mutt-ng
+ will be strict in interpreting them which means that arbitrary
+ header fields can be embedded in these links which could override
+ existing header fields or attach arbitrary files. This may be
+ problematic if the <ref id="edit_headers"
+ name="$edit_headers"> variable is <em/unset/, i.e. the
+ user doesn't want to see header fields while editing the message.
+
+ <p>For example, following a link like
+
+ <verb>
+mailto:joe@host?Attach=~/.gnupg/secring.gpg</verb>
+
+ will send out the user's private gnupg keyring to <tt/joe@host/ if
+ the user doesn't follow the information on screen carefully
+ enough.
+
+ <p>When <em/unsetting/ the <ref id="strict_mailto"
+ name="$strict_mailto"> variable, mutt-ng will
+
+ <itemize>
+
+ <item>be less strict when interpreting these links by
+ prepending a <tt/X-Mailto-/ string to all header fields
+ embedded in such a link <em/and/
+
+ <item>turn on the <ref id="edit_headers"
+ name="$edit_headers"> variable by
+ force to let the user see all the headers
+ (because they still may leak information.)
+
+ </itemize>
+
+ <!--}}}-->
+
+ <!--}}}-->
+
+ <sect>External applications <!--{{{-->
+
+ <p>Mutt-ng in many places has to rely on external applications or
+ for convenience supports mechanisms involving external
+ applications.
+
+ <sect1>mailcap <!--{{{-->
+
+ <p>One of these is the <tt/mailcap/ mechanism as defined by RfC
+ 1524. Mutt-ng can be set up to <em/automatically/ execute any
+ given utility as listed in one of the mailcap files (see the
+ <ref id="mailcap_path" name="$mailcap_path">
+ variable for details.)
+
+ These utilities may have a variety of security vulnerabilities,
+ including overwriting of arbitrary files, information leaks or
+ other exploitable bugs. These vulnerabilities may go unnoticed by
+ the user, especially when they are called automatically (and
+ without interactive prompting) from the mailcap file(s). When
+ using mutt-ng's autoview mechanism in combination with mailcap
+ files, please be sure to...
+
+ <itemize>
+
+ <item>manually select trustworth applications with a reasonable
+ calling sequence
+
+ <item>periodically check the contents of mailcap files,
+ especially after software installations or upgrades
+
+ <item>keep the software packages referenced in the mailcap file up to date
+
+ <item>leave the <ref id="mailcap_sanitize"
+ name="$mailcap_sanitize"> variable in its default
+ state to restrict mailcap expandos to a safe set of characters
+
+ </itemize>
+
+ <!--}}}-->
+
+ <sect1>Other <!--{{{-->
+
+ <p>Besides the mailcap mechanism, mutt-ng uses a number of other
+ external utilities for operation.
+
+ <p>The same security considerations apply for these as for tools
+ involved via mailcap (for example, mutt-ng is vulnerable to Denial
+ of Service Attacks with compressed folders support if the
+ uncompressed mailbox is too large for the disk it is saved to.)
+
+ <p>As already noted, most of these problems are not built in but
+ caused by wrong configuration, so please check your configuration.
+
+ <!--}}}-->
+
+ <!--}}}-->
+
+<!--}}}-->
+
<chapt>Reference <!--{{{-->
<sect>Command line options<label id="commandline"> <!--{{{-->
to send messages from the command line as well.
<tscreen><verb>
--A expand an alias
+-A expand an alias
-a attach a file to a message
-b specify a blind carbon-copy (BCC) address
-c specify a carbon-copy (Cc) address
projects / apps / madmutt.git / blobdiff