Are the remote mail relays the customer's? Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 MVP -- Microsoft Firewalls (ISA) > -----Original Message----- > From: isapros-bounce@xxxxxxxxxxxxx > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones > Sent: Wednesday, February 27, 2008 8:57 AM > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: SMTP Filter > > e.g. Remote Mail Relays => Internet => Internal Unix Mail > Relays => ISA => Exchange > > -----Original Message----- > From: isapros-bounce@xxxxxxxxxxxxx > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones > Sent: 27 February 2008 14:51 > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: SMTP Filter > > It forces the Unix relays to queue all subsequent email once > it happens. Hence they get backlogs on the mail relays... > > -----Original Message----- > From: isapros-bounce@xxxxxxxxxxxxx > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder > Sent: 27 February 2008 14:49 > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: SMTP Filter > > Hi Jason, > > What I don't get is why they care if some spammer's computer gets its > queue loaded up when it tries to send spam to their Exchange Server > behind the ISA Firewall. > > What am I missing here? > > Tom > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://blogs.isaserver.org/shinder/ > Book: http://tinyurl.com/3xqb7 > MVP -- Microsoft Firewalls (ISA) > > > > > -----Original Message----- > > From: isapros-bounce@xxxxxxxxxxxxx > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones > > Sent: Wednesday, February 27, 2008 8:45 AM > > To: isapros@xxxxxxxxxxxxx > > Subject: [isapros] Re: SMTP Filter > > > > They won't allow me to disable the SMTP filter at this time > > as they are not sure if the Unix servers can provide the same > > level of application-level protection, how ironic :) > > > > I get alerts in the monitoring section of the ISA console > > when it happens - from what I understand the CR CR . CR CR is > > contained within the message body of rogue (spam) messages. > > > > If ISA doesn't respond with the SMTP error code, I guess this > > must be Exchange - but surely ISA had prevented this connection??? > > > > I have tested it manually or personally...if you want more > > details the guy has posted on some sendmail forums here: > > http://www.webservertalk.com/message2285500.html > > > > -----Original Message----- > > From: isapros-bounce@xxxxxxxxxxxxx > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor > > (Hammer of God) > > Sent: 27 February 2008 14:18 > > To: isapros@xxxxxxxxxxxxx > > Subject: [isapros] Re: SMTP Filter > > > > You've directly connected to the SMTP server via ISA and manually > > entered the character sequence to verify this? With the SMTP filter > > applied, I don't get this error. Further, like I said last > time, you > > don't get SMTP error messages when the filter trigger terminates the > > connection - it just terminates. > > > > But I'm assuming you've disabled the SMTP filter and > everything works? > > > > t > > > > > -----Original Message----- > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > > > bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones > > > Sent: Wednesday, February 27, 2008 3:08 AM > > > To: isapros@xxxxxxxxxxxxx > > > Subject: [isapros] Re: SMTP Filter > > > > > > Feedback: > > > > > > "Absolutely. And that's why "<CR>.<CR>" should just be passed > > straight > > > through like any other random sequence of characters, and > not cause > > the > > > session to abort with a "Syntax error" ..." > > > > > > Let me know if this is pushing the boundaries of the > > mailing list and > > I > > > will get them to log a PSS call. If not, keep posting! > > > > > > Jason Jones | Security | Silversands Limited | Desk: +44 (0)1202 > > 360489 > > > | Mobile: +44 (0)7971 500312 | Email/MSN: > > jason.jones@xxxxxxxxxxxxxxxxx > > > > > > > > > -----Original Message----- > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > > > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison > > > Sent: 26 February 2008 22:55 > > > To: isapros@xxxxxxxxxxxxx > > > Subject: [isapros] Re: SMTP Filter > > > > > > Tell them I said to read RFC 2821: > > > http://rfc.net/rfc2821.html#s4.1.1.4 > > > <quote> > > > The mail data is terminated by a line containing only a > period, that > > > is, the character sequence "<CRLF>.<CRLF>" > > > </quote> > > > > > > They didn't say "something almost, but not quite totally unlike > > > <CRLF>.<CRLF>". > > > > > > -----Original Message----- > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > > > bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones > > > Sent: Tuesday, February 26, 2008 1:02 PM > > > To: isapros@xxxxxxxxxxxxx > > > Subject: [isapros] Re: SMTP Filter > > > > > > Guys, > > > > > > Here's more background below. From what I can tell the only way to > > > prevent this is to disable the SMTP filter for the publishing rule > > that > > > provide access from the Unix mail relays to Exchange. I was > > hoping for > > > something a little more granular but can't see how to do > this in the > > > GUI. > > > > > > Cheers > > > > > > JJ > > > > > > ------- > > > If Unix forwards a message to ISA / Exchange terminated > > with "CR CR . > > > CR CR" the ISA smtp filter drops the connection and > returns a 421 > > > 5.5.2 error, (rather than dropping/rejecting the message) > > this causes > > > the mail queues on the Unix servers to back-up. > > > > > > Is it possible to change the status code ISA Returns to a more > > > appropriate code, or otherwise ignore this check? > > > > > > The email below explains in a bit more detail. > > > > > > Okay, so it's ISA not Exchange, but ... > > > > > > We are getting messages stuck in our queues on their way into > > Exchange. > > > The ISA server replies with > > > > > > 421 5.5.2 Syntax error (invalid DATA termination) > > > > > > and the messages are held with > > > > > > xxx@xxxxxx Deferred: 421 5.5.2 Syntax error (invalid DATA > > termination) > > > > > > This is a problem, since it is interpreted as a temporary server > > > failure and a request to try again later, effectively blocking all > > > further mail to that server on that queue run, and > leaving a backlog > > of > > > messages in the queue. > > > > > > Now the Microsoft site says that means > > > > > > "SMTP filter encountered an invalid DATA terminator Some character > > > combinations in DATA may pose a security risk. The > > connection has been > > > terminated. > > > SMTP filter event > > > Invalid DATA termination" > > > > > > And it appears the cause is the occurrence of > > > > > > CR CR . CR CR > > > > > > in the message, accepted and passed on by our > > sendmail-based relays . > > > It appears that ISA will not accept this, and returns a 421 > > response, > > > meaning try again later. This seems wrong, since it is not a > > temporary > > > failure, and the message will never be delivered. Surely > the correct > > > thing to do is either accept the message, or reject it with a > > permanent > > > failure so that the sender can be notified. > > > > > > Is there any way to disable or modify this behaviour within ISA ? > > > > > > > > > -----Original Message----- > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > > > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison > > > Sent: 26 February 2008 17:58 > > > To: isapros@xxxxxxxxxxxxx > > > Subject: [isapros] Re: SMTP Filter > > > > > > What - you want to add the \r\r.\r\r in the filter definitions? > > > Is this sequence sent with or without actual mail content? > > > > > > -----Original Message----- > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > > > bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones > > > Sent: Tuesday, February 26, 2008 9:37 AM > > > To: isapros@xxxxxxxxxxxxx > > > Subject: [isapros] SMTP Filter > > > > > > Hi, > > > > > > Is there any way to modify the ISA SMTP filter behaviour > outside of > > the > > > GUI? > > > > > > We have a customer who is getting a weird error from the > SMTP filter > > > when the *data* portion contains "CR CR . CR CR". The > > problem is that > > > instead of rejecting the connection, as I would have expected, the > > > filter returns a 421 error, which essentially means "syntax error > > > (invalid data termination), try again later" causing a > > backlog on the > > > upstream SMTP server. > > > > > > I am guessing this is a log with PSS job to determine if > > the behaviour > > > is a bug, or by design...just wondered in anyone had any similar > > > experiences or thoughts? > > > > > > Cheers > > > > > > JJ > > > > > > > > > > > > ________________________________ > > > This email and any files transmitted with it are confidential and > > > intended solely for the use of the individual to whom it is > > addressed. > > > If you have received this email in error, or if you believe > > this email > > > is unsolicited and wish to be removed from any future > > mailings, please > > > contact our Support Desk immediately on 01202 360360 or email > > > helpdesk@xxxxxxxxxxxxxxxxx > > > > > > If this email contains a quotation then unless otherwise > > stated it is > > > valid for 7 days and offered subject to Silversands Professional > > > Services Terms and Conditions, a copy of which is available on > > request. > > > Any pricing information, design information or information > > concerning > > > specific Silversands' staff contained in this email is considered > > > confidential or of commercial interest and exempt from the > > Freedom of > > > Information Act 2000. > > > > > > Any view or opinions presented are solely those of the > author and do > > > not necessarily represent those of Silversands > > > > > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX. > > > Company Registration Number : 2141393. > > > > > > > > > > > > This email and any files transmitted with it are confidential and > > > intended solely for the use of the individual to whom it is > > addressed. > > > If you have received this email in error, or if you believe > > this email > > > is unsolicited and wish to be removed from any future > > mailings, please > > > contact our Support Desk immediately on 01202 360360 or email > > > helpdesk@xxxxxxxxxxxxxxxxx > > > > > > If this email contains a quotation then unless otherwise > > stated it is > > > valid for 7 days and offered subject to Silversands Professional > > > Services Terms and Conditions, a copy of which is available on > > request. > > > Any pricing information, design information or information > > concerning > > > specific Silversands' staff contained in this email is considered > > > confidential or of commercial interest and exempt from the > > Freedom of > > > Information Act 2000. > > > > > > Any view or opinions presented are solely those of the > author and do > > > not necessarily represent those of Silversands > > > > > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX. > > > Company Registration Number : 2141393. > > > > > > > > > > > > > > > > > > This email and any files transmitted with it are confidential and > > > intended solely for the use of the individual to whom it is > > addressed. > > > If you have received this email in error, or if you believe > > this email > > > is unsolicited and wish to be removed from any future > > mailings, please > > > contact our Support Desk immediately on 01202 360360 or email > > > helpdesk@xxxxxxxxxxxxxxxxx > > > > > > If this email contains a quotation then unless otherwise > > stated it is > > > valid for 7 days and offered subject to Silversands Professional > > > Services Terms and Conditions, a copy of which is available on > > request. > > > Any pricing information, design information or information > > concerning > > > specific Silversands' staff contained in this email is considered > > > confidential or of commercial interest and exempt from the > > Freedom of > > > Information Act 2000. > > > > > > Any view or opinions presented are solely those of the > author and do > > > not necessarily represent those of Silversands > > > > > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX. > > > Company Registration Number : 2141393. > > > > > > > > > > > This email and any files transmitted with it are confidential > > and intended solely for the use of the individual to whom it > > is addressed. If you have received this email in error, or > > if you believe this email is unsolicited and wish to be > > removed from any future mailings, please contact our Support > > Desk immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx > > > > If this email contains a quotation then unless otherwise > > stated it is valid for 7 days and offered subject to > > Silversands Professional Services Terms and Conditions, a > > copy of which is available on request. Any pricing > > information, design information or information concerning > > specific Silversands' staff contained in this email is > > considered confidential or of commercial interest and exempt > > from the Freedom of Information Act 2000. > > > > Any view or opinions presented are solely those of the author > > and do not necessarily represent those of Silversands > > > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX. > > Company Registration Number : 2141393. > > > > > > > > > > > This email and any files transmitted with it are confidential > and intended solely for the use of the individual to whom it > is addressed. If you have received this email in error, or > if you believe this email is unsolicited and wish to be > removed from any future mailings, please contact our Support > Desk immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx > > If this email contains a quotation then unless otherwise > stated it is valid for 7 days and offered subject to > Silversands Professional Services Terms and Conditions, a > copy of which is available on request. Any pricing > information, design information or information concerning > specific Silversands' staff contained in this email is > considered confidential or of commercial interest and exempt > from the Freedom of Information Act 2000. > > Any view or opinions presented are solely those of the author > and do not necessarily represent those of Silversands > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX. > Company Registration Number : 2141393. > > > > This email and any files transmitted with it are confidential > and intended solely for the use of the individual to whom it > is addressed. If you have received this email in error, or > if you believe this email is unsolicited and wish to be > removed from any future mailings, please contact our Support > Desk immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx > > If this email contains a quotation then unless otherwise > stated it is valid for 7 days and offered subject to > Silversands Professional Services Terms and Conditions, a > copy of which is available on request. Any pricing > information, design information or information concerning > specific Silversands' staff contained in this email is > considered confidential or of commercial interest and exempt > from the Freedom of Information Act 2000. > > Any view or opinions presented are solely those of the author > and do not necessarily represent those of Silversands > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX. > Company Registration Number : 2141393. > > > >