Closed Bug 1144999 Opened 5 years ago Closed 4 years ago
Dir Store, ignore Quarantine option for POP3(mailnews .download To Temp File=true), because no need to do it
+++ This bug was initially created as a clone of Bug #1135309 +++ If MailDirStore, ignore Quarantine option for POP3(mailnews.downloadToTempFile=true), because no need to do it
There may be "less need" because an entire inbox won't get squashed, but 1. it seems wrong to not honor the user's explicit settings 2. if this is done, don't we need to do more code change than just ignore the setting? On the flip side, bigger picture, is it possile the quarantine function itself is obsolete? (And we don't do quarantine for imap)
Depends on: 116443
(In reply to Wayne Mery (:wsmwk, use Needinfo for questions) from comment #1) Quarantine option is for pop3/BerkleyStore Inbox, so it's never obsolete. If MailDirStore, /tmp directory is used first, so, if AV software want to delete data of downloaded mail, data in /tmp is deleted :-) So, no need if MaildirStore. But Quarantine option is Thunderbird wide option, and is perhaps used by POP3 code instead of plugguble Store code. So, "ignore if pop3/MaildirStore" is needed to kill excess work. POP3 code and filter code is affected. POP3 : If downloadToTempFile=true, write data to temp file instead of "append to msgStore" Filter : If move, and if downloadToTempFile=true, copy from temp file. If false, copy from msgStore, and if Berkley, truncate Inbox. finally, if not moved, and if downloadToTempFile=true, "copy from temp file to msgStore" is executed. If "Entirely move quarantine option related code to BerkleyStore code" is possible, I think it's better.
(In reply to WADA from comment #2) > (In reply to Wayne Mery (:wsmwk, use Needinfo for questions) from comment #1) > If MailDirStore, /tmp directory is used first, so, if AV software want to > delete data of downloaded mail, data in /tmp is deleted :-) > So, no need if MaildirStore. But if you do as you suggest and if the user's AV does not scan the thunderbird profile (most modern AV do not scan the profile), then their mail is not being scanned and the user is not as "protected" from virus as they intended. Also, quarantine is an opt in, intentional choice by the user - they _want_ and are asking for thunderbird to behave this way. (what is below is a counter argument, which is an different question that perhaps I should have mentioned, and I'm convinced it is true, but I thought it locial to raise the question ) > Quarantine option is for pop3/BerkleyStore Inbox, so it's never obsolete. I disagree with "never" as an absolute premise. Quarantine was created 10 years ago when AV software was frankly pretty dumb with respect to email. Now it might argue some AV still are dumb, so perhaps Quarantine is in fact still needed (and if so, why not extend the option to imap?), but one would hope that most AV are not so dumb. That said, Quarantine was created to allow the user to deal with random dumb AV software and prevent dataloss, which is rarely a bad thing. :)
(In reply to Wayne Mery (:wsmwk, use Needinfo for questions) from comment #3) > AV software was frankly pretty dumb with respect to email. I disgree on it. It is to protect from "Quarantine of entire Unix Mbox file" which Tb uses. From perspective of mail data stream, if following happens, it's mail infected by Virus. From - ... multipart mail, sub part with Virus, close boubdary From - ... other mail data follows Virus scan was/is for data of file, and Unix Mbox format file can be considered "same as .eml file". It is not "AV software was so dumb." Quarantine option is to limit "quarantine one mail only" in any situation. > But if you do as you suggest and if the user's AV does not scan the thunderbird profile (most modern AV do not scan the profile), > then their mail is not being scanned and the user is not as "protected" from virus as they intended. > Also, quarantine is an opt in, intentional choice by the user - they _want_ and are asking for thunderbird to behave this way. This option is not to do or force virus scan by AV softwre. Main mail data protection method in recent AV software is "port scan", so "quarantine of mail data file" is rather rare than past However, even if recent AV software well knows about Unix Mbox and can quarantine only one mail in Unix Mbox file, "protection from qurantine of entire Unix Mbox file" is needed, as far as unix Mbox file is used as Tb's MsgStore file. Please note that user can freely use any AV software including old AV software. If user or AV software excludes Tb's profile or Mail directory from scan target, needless to say, user can freely use downloadToTempFile=false. If MaildirStore, even if quarantined by AV software, lost mail is always one mail only, so there is no need to protect from "delete of entire Unix Mbox file". In ohter words, MaildirStore always does do downloadToTempFile, because data is written to /tmp first, then moved to /cur, in both pop3 and imap. > why not extend the option to imap? Untill auto-sync is released, there was no msgStore file in imap. If Offline-use=Off, Offline-Store file doesn't exist on earth. Even if entirre Offline-Store file is deleted(quarantined), all mail data is still held at server, and auto-sync downloads mail data sooner or later. i.e. No dataloss if imap. So no developer implemented support of mailnews.downloadToTempFile=true in imap.
Quarantine option has two purposes. (1) AV scan of Unix Mbox file doesn't work well, so write data of single mail only in temp file. (2) AV scan may quarantine(delete) entire Unix Mbox file which Tb uses as msgStore file. Your "AV software was so dumb." is perhaps for (1). My "NEVER obsolete" is for (2). Because main line of Virus check of mail is "port scan" in recent AV software, (1) may not be needed any more. However, protection from (2) is still needed as far as Tb uses Unix Mbox file as msgStore file. And, both (1) and protection from (2) are already done always if MaildirStore.
It looks to me this is already covered at http://hg.mozilla.org/comm-central/file/a54375d27b3f/mailnews/local/src/nsPop3Sink.cpp#l444 in the patch in bug 402392. That was done long time ago before the bug here was filed. WADA, what evidence do you have that TB is still doing quarantining even with maildir store? How can we check it?
(In reply to :aceman from comment #6) > WADA, what evidence do you have that TB is still doing quarantining even with maildir store? How can we check it? I ddn't know at where mailnews.downloadToTempFile is referred, whether Quarantine options is already ignored or not when MailDirStore. This bug is memo random of "ignoring Quarantine option is needed when MailDirStore". Pointing the code is sufficient.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Whiteboard: [maildir] → [maildir][already covered by bug 402392]
You need to log in before you can comment on or make changes to this bug.