X-Git-Url: https://git.llucax.com/software/mutt-debian.git/blobdiff_plain/19304f7c526fbe36ba0db2fb80bcaf3bd974d81d..5f2a574d6c8989bc7f90612704e3e5f255b5cb58:/doc/security.html diff --git a/doc/security.html b/doc/security.html new file mode 100644 index 0000000..ad5a2e2 --- /dev/null +++ b/doc/security.html @@ -0,0 +1,92 @@ + + +
Table of Contents
+First of all, Mutt contains no security holes included by intention but +may contain unknown security holes. As a consequence, please run Mutt +only with as few permissions as possible. Especially, do not run Mutt as +the super user. +
+When configuring Mutt, there're some points to note about secure setups +so please read this chapter carefully. +
+Although Mutt can be told the various passwords for accounts, please +never store passwords in configuration files. Besides the fact that the +system's operator can always read them, you could forget to mask it out +when reporting a bug or asking for help via a mailing list. Even worse, +your mail including your password could be archived by internet search +engines, mail-to-news gateways etc. It may already be too late before +you notice your mistake. +
+Mutt uses many temporary files for viewing messages, verifying digital +signatures, etc. As long as being used, these files are visible by other +users and maybe even readable in case of misconfiguration. Also, a +different location for these files may be desired which can be changed +via the $tmpdir variable. +
+Message-Id: headers contain a local part that is to be created in a +unique fashion. In order to do so, Mutt will âleakâ some +information to the outside world when sending messages: the generation +of this header includes a step counter which is increased (and rotated) +with every message sent. In a longer running mutt session, others can +make assumptions about your mailing habits depending on the number of +messages sent. If this is not desired, the header can be manually +provided using $edit_headers (though +not recommended). +
+As Mutt be can be set up to be the mail client to handle
+mailto:
style links in websites, there're security
+considerations, too. Arbitrary header fields can be embedded in these
+links which could override existing header fields or attach arbitrary
+files using the Attach:
+pseudoheader. This may be problematic if the $edit-headers variable is
+unset, i.e. the user doesn't want to see header
+fields while editing the message and doesn't pay enough attention to the
+compose menu's listing of attachments.
+
+For example, following a link like +
+mailto:joe@host?Attach=~/.gnupg/secring.gpg
+will send out the user's private gnupg keyring to
+joe@host
if the user doesn't follow the information
+on screen carefully enough.
+
+Mutt in many places has to rely on external applications or for +convenience supports mechanisms involving external applications. +
+One of these is the mailcap
mechanism as defined by
+RfC1524. Details about a secure use of the mailcap mechanisms is given
+in Section 3.2, âSecure Use of Mailcapâ.
+
+Besides the mailcap mechanism, Mutt uses a number of other external +utilities for operation, for example to provide crypto support, in +backtick expansion in configuration files or format string filters. The +same security considerations apply for these as for tools involved via +mailcap. +