[isapros] Re: SMTP Filter

  • From: Jason Jones <Jason.Jones@xxxxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 27 Feb 2008 15:07:56 +0000

Sorry, my typo, I meant "have not" :S

They haven't fully engaged us to "fix it" - they just asked me to disable the 
filter, which I wasn't keen to do "just cos they ask"

Yeah, I know I could test more...

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: 27 February 2008 15:06
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SMTP Filter

You "have" or "have not" tested it "manually or personally"?  The "or"
in there makes me think you dropped out a "not" - just making sure.

I've tested this and can't re-create the issue -- the 421 error must be
coming from Exchange - ISA's SMTP filter doesn't "inject" error messages.
I don't see how a CR CR . CR CR in the message body would do anything
anyway...

You could disable the rule for just a moment to test, or of course, just
set up another pub rule on a different IP going to the same Exchange
server and test away ;)

t


> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Wednesday, February 27, 2008 6:45 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SMTP Filter
>
> They won't allow me to disable the SMTP filter at this time as they are
> not sure if the Unix servers can provide the same level of
> application-level protection, how ironic :)
>
> I get alerts in the monitoring section of the ISA console when it
> happens - from what I understand the CR CR . CR CR is contained within
> the message body of rogue (spam) messages.
>
> If ISA doesn't respond with the SMTP error code, I guess this must be
> Exchange - but surely ISA had prevented this connection???
>
> I have tested it manually or personally...if you want more details the
> guy has posted on some sendmail forums here:
> http://www.webservertalk.com/message2285500.html
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: 27 February 2008 14:18
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SMTP Filter
>
> You've directly connected to the SMTP server via ISA and manually
> entered the character sequence to verify this?  With the SMTP filter
> applied, I don't get this error.  Further, like I said last time, you
> don't get SMTP error messages when the filter trigger terminates the
> connection - it just terminates.
>
> But I'm assuming you've disabled the SMTP filter and everything works?
>
> t
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: Wednesday, February 27, 2008 3:08 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SMTP Filter
> >
> > Feedback:
> >
> > "Absolutely.  And that's why "<CR>.<CR>" should just be passed straight
> > through like any other random sequence of characters, and not cause the
> > session to abort with a  "Syntax error" ..."
> >
> > Let me know if this is pushing the boundaries of the mailing list and I
> > will get them to log a PSS call. If not, keep posting!
> >
> > Jason Jones | Security | Silversands Limited | Desk: +44 (0)1202 360489
> > | Mobile: +44 (0)7971 500312 | Email/MSN: jason.jones@xxxxxxxxxxxxxxxxx
> >
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: 26 February 2008 22:55
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SMTP Filter
> >
> > Tell them I said to read RFC 2821:
> > http://rfc.net/rfc2821.html#s4.1.1.4
> > <quote>
> > The mail data is terminated by a line containing only a period, that
> >    is, the character sequence "<CRLF>.<CRLF>"
> > </quote>
> >
> > They didn't say "something almost, but not quite totally unlike
> > <CRLF>.<CRLF>".
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: Tuesday, February 26, 2008 1:02 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SMTP Filter
> >
> > Guys,
> >
> > Here's more background below. From what I can tell the only way to
> > prevent this is to disable the SMTP filter for the publishing rule that
> > provides access from the Unix mail relays to Exchange. I was hoping for
> > something a little more granular but can't see how to do this in the
> > GUI.
> >
> > Cheers
> >
> > JJ
> >
> > -------
> > If Unix forwards a message to ISA / Exchange terminated with  "CR CR .
> > CR CR"   the ISA smtp filter drops the connection and returns a 421
> > 5.5.2  error, (rather than dropping/rejecting the message) this causes
> > the mail queues on the Unix servers to back-up.
> >
> > Is it possible to change the status code ISA Returns to a more
> > appropriate code, or otherwise ignore this check?
> >
> > The email below explains in  a bit more detail.
> >
> > Okay, so it's ISA not Exchange, but ...
> >
> > We are getting messages stuck in our queues on their way into Exchange.
> > The ISA server replies with
> >
> > 421 5.5.2 Syntax error (invalid DATA termination)
> >
> > and the messages are held with
> >
> > xxx@xxxxxx Deferred: 421 5.5.2 Syntax error (invalid DATA termination)
> >
> > This is a problem, since it is interpreted as a temporary server
> > failure and a request to try again later, effectively blocking all
> > further mail to that server on that queue run, and leaving a backlog of
> > messages in the queue.
> >
> > Now the Microsoft site says that means
> >
> > "SMTP filter encountered an invalid DATA terminator Some character
> > combinations in DATA may pose a security risk. The connection has been
> > terminated.
> > SMTP filter event
> > Invalid DATA termination"
> >
> > And it appears the cause is the occurrence of
> >
> > CR CR . CR CR
> >
> > in the message, accepted and passed on by our sendmail-based relays.
> > It appears that ISA will not accept this, and returns a 421 response,
> > meaning try again later.  This seems wrong, since it is not a temporary
> > failure, and the message will never be delivered. Surely the correct
> > thing to do is either accept the message, or reject it with a permanent
> > failure so that the sender can be notified.
> >
> > Is there any way to disable or modify this behaviour within ISA ?
> >
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: 26 February 2008 17:58
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SMTP Filter
> >
> > What - you want to add the \r\r.\r\r in the filter definitions?
> > Is this sequence sent with or without actual mail content?
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: Tuesday, February 26, 2008 9:37 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] SMTP Filter
> >
> > Hi,
> >
> > Is there any way to modify the ISA SMTP filter behaviour outside of the
> > GUI?
> >
> > We have a customer who is getting a weird error from the SMTP filter
> > when the *data* portion contains "CR CR . CR CR". The problem  is that
> > instead of rejecting the connection, as I would have expected, the
> > filter returns a 421 error, which essentially means "syntax error
> > (invalid data termination), try again later" causing a backlog on the
> > upstream SMTP server.
> >
> > I am guessing this is a log with PSS job to determine if the behaviour
> > is a bug, or by design...just wondered if anyone had any similar
> > experiences or thoughts?
> >
> > Cheers
> >
> > JJ
> >
> >
> >
> >   ________________________________
> > This email and any files transmitted with it are confidential and
> > intended solely for the use of the individual to whom it is addressed.
> > If you have received this email in error, or if you believe this email
> > is unsolicited and wish to be removed from any future mailings, please
> > contact our Support Desk immediately on 01202 360360 or email
> > helpdesk@xxxxxxxxxxxxxxxxx
> >
> > If this email contains a quotation then unless otherwise stated it is
> > valid for 7 days and offered subject to Silversands Professional
> > Services Terms and Conditions, a copy of which is available on request.
> > Any pricing information, design information or information concerning
> > specific Silversands' staff contained in this email is considered
> > confidential or of commercial interest and exempt from the Freedom of
> > Information Act 2000.
> >
> > Any view or opinions presented are solely those of the author and do
> > not necessarily represent those of Silversands
> >
> > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
> > Company Registration Number : 2141393.
> >
> >
>
>

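
As an added illustration (not part of the original thread, and not ISA or sendmail code), this Python sketch models the two points argued above: only `<CRLF>.<CRLF>` is a valid DATA terminator, and a 421 reply stalls the relay's queue where a permanent failure would not. The function names, the sample queue and the `250`/`554` reply strings are constructed assumptions; the 421 reply is the one quoted in the thread.

```python
import re

END_OF_DATA = b"\r\n.\r\n"  # RFC 2821 4.1.1.4: the only valid terminator
# A "." alone on a line, whatever mix of CR and LF delimits that line.
_LONE_DOT = re.compile(rb"(?<=[\r\n])\.(?=[\r\n])")

def ambiguous_terminators(data: bytes):
    """Offsets of lone-dot lines that are not exactly <CRLF>.<CRLF>."""
    return [m.start() for m in _LONE_DOT.finditer(data)
            if data[max(m.start() - 2, 0):m.start() + 3] != END_OF_DATA]

def classify_reply(reply: str):
    """Return (relay action, mismatch). mismatch is True when the basic
    reply code and the enhanced status class disagree, as in '421 5.5.2'."""
    m = re.match(r"(\d)\d\d(?:[ -](\d)\.\d+\.\d+)?", reply)
    if not m:
        raise ValueError("not an SMTP reply: %r" % reply)
    action = {"2": "delivered", "4": "defer", "5": "bounce"}.get(m.group(1), "other")
    mismatch = m.group(2) is not None and m.group(2) != m.group(1)
    return action, mismatch

def queue_run(queue, reject_reply):
    """Model one queue run against a filtering server (assumed behaviour,
    taken from the thread's description): a message with an ambiguous
    terminator gets reject_reply, and a 421 ends the run for that host."""
    result = {"delivered": [], "defer": [], "bounce": []}
    host_down = False
    for msg_id, data in queue:
        if host_down:
            result["defer"].append(msg_id)  # never attempted on this run
            continue
        reply = reject_reply if ambiguous_terminators(data) else "250 2.6.0 Queued"
        action, _ = classify_reply(reply)
        result.setdefault(action, []).append(msg_id)
        host_down = reply.startswith("421")
    return result

# Constructed sample queue: message B carries the thread's CR CR . CR CR.
QUEUE = [
    ("A", b"Subject: ok\r\n\r\nhello\r\n.\r\n"),
    ("B", b"Subject: spam\r\n\r\nbuy now\r\r.\r\rmore text\r\n.\r\n"),
    ("C", b"Subject: ok\r\n\r\nworld\r\n.\r\n"),
]
REPLY_421 = "421 5.5.2 Syntax error (invalid DATA termination)"  # from the thread
REPLY_554 = "554 5.6.0 Message rejected"  # constructed permanent failure

if __name__ == "__main__":
    print(classify_reply(REPLY_421))
    print(queue_run(QUEUE, REPLY_421))
    print(queue_run(QUEUE, REPLY_554))
```

With the 421 reply, message C is deferred behind B even though C is well formed; with a permanent failure only B is bounced and C is delivered.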

