[exim] Strange system filter behaviour.

Author: Molly Fletcher
Date:
To: exim-users
Subject: [exim] Strange system filter behaviour.
We have a large important customer which has a mail filter on their
exchange server which tends to quietly drop emails that have urls with
IP addresses in. Because of this I added a filter rule to the system
filter to detect messages from local users to this customer and, when it
finds them, to scan the body of the message for a URL and send a warning
back to the user that sent the original message. The rule looks like
this (I have changed only the localpart and domain name of the customer):

==========

# System filter rule: warn local senders who mail bigcorp.com with a numeric-IP URL.
# Filter comparisons ("contains", "matches") are case-insensitive by default.
if $h_to: contains "bigcorp.com" and $sender_address contains "@redembedded.com"
then
  # Inside a double-quoted filter string "\\d" expands to the regex escape \d,
  # and "\\." to \. (the original was shown with the backslashes doubled again
  # and the pattern wrapped over two lines by the mail archive).
  if $message_body matches "(http|https|ftp)://([01]?\\d\\d?|2[0-4]\\d|25[0-5])\\.([01]?\\d\\d?|2[0-4]\\d|25[0-5])\\.([01]?\\d\\d?|2[0-4]\\d|25[0-5])\\.([01]?\\d\\d?|2[0-4]\\d|25[0-5])"
  then
    # Debugging aid: keep a copy of every message that triggers the rule.
    save /var/log/exim4/filtertest
    # No "to" argument, so the warning is addressed to $reply_address
    # (taken from the Reply-To: header, or From: when there is none).
    mail text "WARNING: You sent an email to a bigcorp address which contained a numeric (IP address) URL - this WILL BE REJECTED by bigcorps message filtering"
  endif
endif


==========

The 'save' line was added to help debug the issue we're having, which is
that sometimes this works as expected but others this happens:

==========

2012-09-19 14:07:12 [24983] SMTP connection from [10.82.128.38]:16012 I=[10.82.1.26]:25 (TCP/IP connection count = 1)
2012-09-19 14:07:12 [21240] 1TEJzk-0005Wa-LR <= tim.sheen@??? H=exmail.redembedded.com [10.82.128.38]:16012 I=[10.82.1.26]:25 P=esmtps X=TLS1.0:RSA_AES_128_CBC_SHA1:16 CV=no S=2441 id=6019C40693D5BB4AA0D196982B2BF9AE5B6EF2F8@??? T="Test of mail filter - please ignore." from <tim.sheen@???> for testuser@???
2012-09-19 14:07:12 [21240] SMTP connection from exmail.redembedded.com [10.82.128.38]:16012 I=[10.82.1.26]:25 closed by QUIT
2012-09-19 14:07:12 [21241] cwd=/var/spool/exim4 3 args: /usr/sbin/exim4 -Mc 1TEJzk-0005Wa-LR
2012-09-19 14:07:13 [21241] 1TEJzk-0005Wa-LR ** >tim.sheen@??? <system-filter> F=<tim.sheen@???> P=<tim.sheen@???> T=local_delivery: SMTP error from remote mail server after RCPT TO:<>tim.sheen@???>: host exmail.redembedded.com [10.82.128.38]: 501 5.1.3 Invalid address
2012-09-19 14:07:13 [21241] 1TEJzk-0005Wa-LR => testuser@??? <testuser@???> F=<tim.sheen@???> P=<tim.sheen@???> R=dnslookup T=remote_smtp S=2518 H=mail.messaging.microsoft.com [213.199.180.150]:25 X=TLS1.0:RSA_AES_128_CBC_SHA1:16 CV=no DN="C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,OU=Forefront Online Protection for Exchange,CN=mail.global.frontbridge.com,EMAIL=support@???" C="250 2.6.0 <6019C40693D5BB4AA0D196982B2BF9AE5B6EF2F8@???> [InternalId=11927494]" QT=1s DT=0s
2012-09-19 14:07:13 [21245] cwd=/var/spool/exim4 7 args: /usr/sbin/exim4 -t -oem -oi -f <> -E1TEJzk-0005Wa-LR
2012-09-19 14:07:14 [21245] 1TEJzl-0005Wf-VB <= <> R=1TEJzk-0005Wa-LR U=Debian-exim P=local S=3455 T="Mail delivery failed: returning message to sender" from <> for tim.sheen@???
2012-09-19 14:07:14 [21246] cwd=/var/spool/exim4 3 args: /usr/sbin/exim4 -Mc 1TEJzl-0005Wf-VB
2012-09-19 14:07:14 [21241] 1TEJzk-0005Wa-LR Completed QT=2s
2012-09-19 14:07:14 [21246] 1TEJzl-0005Wf-VB => tim.sheen@??? F=<> P=<> R=localuser T=local_delivery S=3661 H=exmail.redembedded.com [10.82.128.38]:25 X=TLS1.0:RSA_AES_128_CBC_SHA1:16 CV=no DN="O=exmail.redembedded.com,OU=Domain Control Validated,CN=exmail.redembedded.com" C="250 2.6.0 <E1TEJzl-0005Wf-VB@???> [InternalId=135871] Queued mail for delivery" QT=1s DT=0s
2012-09-19 14:07:14 [21246] 1TEJzl-0005Wf-VB Completed QT=1s

==========

That is, the mail back to the user is sent to
">user.name@???" rather than "user.name@???"
which is then rejected by our exchange server when exim passes the
message to it for local delivery generating a bounce. The only change to
the main exim configuration related to this filter was to set
"message_body_visible = 32768" so the filter scans enough message body
to catch all numeric URLs.

Does anyone have any suggestions where the extra ">" on the start of the
address might be coming from or why it only seems to happen some of the
time and not all?

This is with exim4-daemon-heavy 4.76-3ubuntu3 running on ubuntu 12.04
LTS server amd64.

The exim configuration is monolithic; I'll post any bits if necessary, but
it's a bit big to put in the initial post.

--
Molly Fletcher, IT System Administrator <molly.fletcher@???>
Red Embedded Design www.redembedded.com
Tel: +44 (0)1274 287724

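The filter's regex and the message_body_visible cap from the post, re-implemented in Python so the rule can be checked against sample bodies offline before it goes into the system filter. This is an added example, not code from the post or from Exim; it assumes the `\\d` sequences in the filter string expand to `\d`, and its `$message_body` emulation (truncate to message_body_visible bytes, turn newlines into spaces) is deliberately simplified.

```python
import re

# The filter's regex as a Python pattern. Exim's filter "matches" condition
# is case-insensitive by default, hence re.IGNORECASE.
OCTET = r"([01]?\d\d?|2[0-4]\d|25[0-5])"
NUMERIC_URL = re.compile(
    r"(http|https|ftp)://" + OCTET + r"\." + OCTET + r"\." + OCTET + r"\." + OCTET,
    re.IGNORECASE,
)

# The value the post sets in the main Exim configuration.
MESSAGE_BODY_VISIBLE = 32768


def exim_message_body(raw_body: bytes, visible: int = MESSAGE_BODY_VISIBLE) -> str:
    """Approximate Exim's $message_body: only the first message_body_visible
    bytes of the body are exposed, and newlines are replaced by spaces."""
    head = raw_body[:visible].decode("latin-1")
    return head.replace("\r\n", " ").replace("\n", " ")


def filter_would_fire(raw_body: bytes, visible: int = MESSAGE_BODY_VISIBLE) -> bool:
    """True when the system filter's inner 'matches' condition would be met."""
    return NUMERIC_URL.search(exim_message_body(raw_body, visible)) is not None


def find_numeric_urls(raw_body: bytes, visible: int = MESSAGE_BODY_VISIBLE) -> list[str]:
    """Every numeric-IP URL the filter would see (scheme and address only)."""
    body = exim_message_body(raw_body, visible)
    return [m.group(0) for m in NUMERIC_URL.finditer(body)]


if __name__ == "__main__":
    # Constructed sample bodies, not real mail.
    samples = {
        "numeric url": b"Report is at http://10.82.1.26/report - please review.\n",
        "hostname url": b"Report is at https://intranet.bigcorp.com/report\n",
        "bad octet": b"Try http://256.1.1.1/ (not a valid IPv4 address)\n",
        # Long body: the URL sits past the message_body_visible window.
        "url beyond cap": b"x" * MESSAGE_BODY_VISIBLE + b"\nftp://192.168.0.1/file\n",
    }
    for label, body in samples.items():
        print(f"{label:15} fires={filter_would_fire(body)} urls={find_numeric_urls(body)}")
```

The "url beyond cap" case is the one worth watching: a numeric URL after the first 32768 bytes of body is invisible to the filter, so a quoted thread or large attachment above the URL silently defeats the check.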