Using Older Versions of PMDF to Protect Vulnerable Clients

PMDF e-Mail Interconnect

• Shipping version is V5.1
• Current release is V5.1-9 (August 1997 CD)
• Patches to the current version available from ftp://ftp.pmdf.process.com/ in the /pmdf_51_patches/ directory.

1. Upgrade to PMDF V5.1-9.
2. Fetch and install an  updated PMDFSHR.EXE (OpenVMS) or libpmdf.so (UNIX) image (dated 31-July-1998 or later) from the Process PMDF FTP site.
3. Enable any of the various PMDF configuration options that result in MIME processing of message bodies; for instance, place the inner keyword on all channels.

For sites that cannot upgrade immediately

The following less targeted approaches are available:

(A) PMDF's header trimming facilities may be used to configure forcible truncation of MIME headers. Sites running at least PMDF V5.0 or later should be able to truncate both Content-type: and Content-disposition: header lines. More specifically, put the headertrim keyword on the destination channel or channels of concern, and for each such channel create a channel-name_headers.opt file in the PMDF table directory containing lines such as:

(B) Sites running PMDF V5.1-7 or later that wish to truncation Content-type: type, subtype, and NAME parameters independently may use the conversion channel and an entry or entries with OVERRIDE-HEADER-FILE=1 to cause the execution of their own, site-supplied truncation procedure  to process MIME headers. The procedure should write the processed and truncated MIME Content-type: and Content-disposition: header lines, plus a terminating blank line, back into the OUTPUT_HEADERS file.

(C) Sites may use a conversion channel approach, or more efficiently a CHARSET-CONVERSION with conversion file RELABEL=1 entries, to simply discard file names from MIME headers (Content-type: NAME parameters and Content-Disposition: FILENAME parameters) and to force unrecognized MIME Content-type: type/subtype values to some recognized values.