Ironport Message Filter Problem

Marc Luescher
Level 1

Hi there

To better debug some of our SPF, DKIM and DMARC implementation, I created a simple message filter which seems to have an error with a missing bracket that I simply cannot find to resolve:

Error

An error occurred during processing: filter:17:22:expected ')'

Filter

TestGroupTagInt: if (recv-listener == "InboundMail") AND (rcpt-to ==
"(s\\.w|m\\.l)@(f-care\\.com|net-dept\\.com|fmc-ag\\.com)") {
    insert-header("X-Ironport-TestGrp", "1");
    insert-header("X-Ironport-FromTag", "1");
    log-entry("$EnvelopeFrom");
    log-entry("$From");
    log-entry("$To");
    log-entry("$MID");
    log-entry("$Subject");
    log-entry("$Date");
    log-entry("$Time");
    log-entry("$AllHeaders");
    log-entry("$Filtername");
    log-entry("$Policy");
    log-entry("$Group");
    log-entry("$Reputation");
    log-entry("$Header["signed"]);
    log-entry("$Header["encrypted"]);
    skip-filters();
}
    

Accepted Solutions

Hello,

As Robert has provided, the Add Log Entry with "All headers" will be truncated after 1024 bytes. 
It is advised to remove that add log entry as it will be truncated with little data.

As per your final two entries, these will be giving out errors; as per the online help guide:

Header

$Header['string']

Returns the value of the quoted header, if the original message contains a matching header. Note that double quotes may also be used.

Essentially it should read:

log-entry("$Header['signed']");
log-entry("$Header['encrypted']");

Regards,

Matthew
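
A small pre-upload check for the quoting mistake discussed in this thread, as an added example that is not part of the original posts and is not Cisco code: it scans filter text for a string literal inside parentheses that is followed by anything other than `,` or `)`, which is what happens when a double quote is nested inside a double-quoted argument. The function name, the shortened sample filter and the rule itself are assumptions made for illustration; it is a heuristic, not the appliance's parser.

```python
def first_broken_string(filter_text):
    """Return (line, col, found) for the first string literal inside
    parentheses that is not followed by ',' or ')', else None."""
    depth = 0             # parenthesis nesting outside of strings
    quote = None          # active quote character while inside a string
    after_string = False  # a string just closed inside parentheses
    line, col = 1, 0
    chars = iter(filter_text)
    for ch in chars:
        if ch == "\n":
            line, col = line + 1, 0
            continue
        col += 1
        if quote:
            if ch == "\\":            # backslash escapes the next character
                next(chars, None)
                col += 1
            elif ch == quote:         # matching quote ends the literal
                quote, after_string = None, depth > 0
            continue
        if ch.isspace():
            continue
        if after_string:
            after_string = False
            if ch not in ",)":
                return (line, col, ch)
        if ch in "\"'":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
    return (line, col, "unterminated string") if quote else None


# Constructed sample: a shortened form of the filter from the question.
FILTER = r'''TestGroupTagInt: if (recv-listener == "InboundMail") AND (rcpt-to ==
"(s\\.w|m\\.l)@(f-care\\.com|net-dept\\.com)") {
    insert-header("X-Ironport-TestGrp", "1");
    log-entry("$Subject");
    log-entry(ARG);
    skip-filters();
}
'''
BROKEN = FILTER.replace("ARG", '"$Header["signed"]')     # as first posted
FIXED = FILTER.replace("ARG", "\"$Header['signed']\"")   # per the accepted answer

if __name__ == "__main__":
    print("broken:", first_broken_string(BROKEN))
    print("fixed: ", first_broken_string(FIXED))
```

Only the first finding is returned, because everything after an early-terminated string is mis-tokenized and would produce follow-on noise.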


Your last 2 entries look like they have open quotes... do you need quotes between the ) and the ]?

So good so far, that works. Now the tricky questions:

a) I had supposed that if I would use the debug like this, the values would not be empty in case one of the key words fires off:

log-entry("$Header['signed']");
log-entry("$Header['encrypted']");
log-entry("$Header['spf-status']");
log-entry("$Header['spf-passed']");
log-entry("$Header['dkim-authentication']");

but even mail sent from an SPF-confirmed email system is always empty in the log. Do those key words not get set for a message filter?

b) How could I get log-entry to add a key word in front of the variable, like:

From->  and then log-entry("$From")

I tried all combinations which came to my mind but had no luck so far getting it to work.

c) How can you combine log-entry("$Date") and log-entry("$Time") so it displays on one line with a simple space in between?

Thank you for any feedback

Today's version of the filter

TestGroupTagTest: if (recv-listener == "InboundMail") AND ((rcpt-to == "(stefan\\.wernicke|marc\\.luescher)@(fresenius-netcare\\.com|net-dept\\.com|fmc-ag\\.com)") AND
(mail-from !=
"@(activhealth|akdq-euclid|appdrugs|apppharma|artistic|asiarenalcare|atg-fresenius|bcm-fresenius|benjicare|biotec-systems|calcucare|calcucare|calea-online|calea|caremark|cfl-online|enterale-ernaehrung|fenwalinc|.*\\.fenwalinc|fenwalinc2\\.onmicrosoft|fmc-ag|fmc-asia|fmc-na|fmc|fondazioneorizzonte|fresenius-ag|fresenius-hemocare|fresenius-hemocare|fresenius-kabi-oncology|fresenius-kabi-us|fresenius-kabi|fresenius-netcare|fresenius-pp|fresenius-proserve|fresenius|fresucare-freiermitarbeiter|hditravel|helios-.*|allgaeu-resort|wir-fuer-gesundheit|hsk-wiesbaden|hemocare|hemosystems|henke-pharma|hesylation|hkrenalhealth|hosped|hospitalia-activhealth|hospitalia|hosppharma|kabi|kabinutrir|kidneycommunity|labesfal|lev-ee|neomedics|nephrocare-eservices|nephrocare|nephrocareasia|net-dept|novafarma|npbi|onko-service|opcionrenal|pfk|pharmaprocip|pharmatec-group|pharmatecprocip|ppcdrugs|removab|rheinische-compounding|ribbonchem|rriny|rudern-gegen-krebs-berlin|rudern-gegen-krebs|ruderngegenkrebs|stiftung-leben-mit-krebs|trublulogistics|vamed|vitality-world|yeolinmf)\\.(de|com|net|com\\.au|at|nl|ca|org|pt|co\\.jp|com\\.pl|com\\.br|fax\\.uk|es|co\\.nz|it|co\\.kr)$")) {
    log-entry("Before Ironport Stripping Filter applied");
    log-entry("$EnvelopeFrom");
    log-entry("$From");
    if header("From") != "\\s" {
        strip-header("From");
        insert-header("From", "$EnvelopeFrom <$EnvelopeFrom>");
    }
    insert-header("X-Ironport-TestGrp", "1");
    insert-header("X-Ironport-FromTag", "1");
    log-entry("After Ironport Stripping Filter applied");
    log-entry("$EnvelopeFrom");
    log-entry("$From");
    log-entry("$To");
    log-entry("$MID");
    log-entry("$Subject");
    log-entry("$Date") + " " + log-entry("$Time");
    log-entry("$Filtername");
    log-entry("$Policy");
    log-entry("$Group");
    log-entry("$Reputation");
    log-entry("$Header['signed']");
    log-entry("$Header['encrypted']");
    log-entry("$Header['spf-status']");
    log-entry("$Header['spf-passed']");
    log-entry("$Header['dkim-authentication']");
    log-entry("End of detailed Debug");
    skip-filters();
}

Marc, spf-status and spf-passed aren't action variables so they can't be directly quoted in headers, log entries and the like.

Here's a fragment from one of my own scripts:

if (spf-status == 'fail') {
    if (no-reputation) {
        insert-header('X-Recycle', 'Bad SPF, no SBRS');
    }
    else {
        if (reputation < 4.1) {
            insert-header('X-Recycle', 'Bad SPF, SBRS $reputation');
        }

    }

}

where the presence of the header X-Recycle later causes the message to be thrown into the appropriate bit bucket.

Robert Sherwin
Cisco Employee

To me, this wouldn't make sense --- as those two lines in question would result in the following in mail_logs:

Thu Nov 26 13:07:08 2015 Info: MID 5348 Custom Log Entry: $Header[signed]
Thu Nov 26 13:07:08 2015 Info: MID 5348 Custom Log Entry: $Header[encrypted]

Also - keep in mind - you have $AllHeaders specified earlier in the filter --- which if headers are >1024 characters, you are not going to log anything past 1024...

-Robert
