11-26-2015 01:23 AM
Hi there
To better debug some of our SPF, DKIM and DMARC implementation, I created a simple message filter which seems to have an error with a missing bracket that I simply cannot find to resolve:
Error
An error occurred during processing: filter:17:22:expected ')'
Filter
TestGroupTagInt: if (recv-listener == "InboundMail") AND (rcpt-to ==
"(s\\.w|m\\.l)@(f-care\\.com|net-dept\\.com|fmc-ag\\.com)") {
insert-header("X-Ironport-TestGrp", "1");
insert-header("X-Ironport-FromTag", "1");
log-entry("$EnvelopeFrom");
log-entry("$From");
log-entry("$To");
log-entry("$MID");
log-entry("$Subject");
log-entry("$Date");
log-entry("$Time");
log-entry("$AllHeaders");
log-entry("$Filtername");
log-entry("$Policy");
log-entry("$Group");
log-entry("$Reputation");
log-entry("$Header["signed"]);
log-entry("$Header["encrypted"]);
skip-filters();
}
11-26-2015 02:56 PM
Hello,
As Robert has provided, the Add Log Entry with "All headers" will be truncated after 1024 bytes.
It is advised to remove that add log entry as it will be truncated with little data.
As per your final two entries, these will be giving out errors. As per the online help guide:
Header: Returns the value of the quoted header, if the original message contains a matching header. Note that double quotes may also be used.
Essentially it should read:
log-entry("$Header['signed']");
log-entry("$Header['encrypted']");
Regards,
Matthew
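Why the parser reports `expected ')'` on those two lines, as an added example that is not part of the original posts and not the appliance's own parser: the first inner double quote closes the string, so the next token is `signed` rather than `)`. The function `lint_actions` and both sample filters are constructed for illustration, and the scanner is a simplified model that only checks single-line `log-entry`, `insert-header` and `strip-header` calls.

```python
import re

# Only the action calls that appear in this thread are checked (assumption).
ACTION = re.compile(r"^\s*(log-entry|insert-header|strip-header)\(")

# Constructed sample filters, modelled on the two lines discussed above.
SAMPLE_BROKEN = '''DebugHeaders: if (recv-listener == "InboundMail") {
log-entry("$Subject");
log-entry("$Header["signed"]);
skip-filters();
}'''
SAMPLE_FIXED = SAMPLE_BROKEN.replace('["signed"]', "['signed']\"")


def lint_actions(filter_text):
    """Return (line, column, message) tuples, 1-indexed, for quoting errors."""
    problems = []
    for lineno, line in enumerate(filter_text.splitlines(), start=1):
        if not ACTION.match(line):
            continue
        quote = None          # quote character of the string being read
        after_string = False  # a string argument has just been closed
        i = 0
        while i < len(line):
            ch = line[i]
            if quote:
                if ch == "\\":
                    i += 1    # skip the escaped character
                elif ch == quote:
                    quote, after_string = None, True
            elif after_string and not ch.isspace() and ch not in ",)":
                # A closed string must be followed by the next argument
                # or the end of the call; anything else is stray text.
                problems.append((lineno, i + 1, "expected ',' or ')'"))
                break
            elif ch in "\"'":
                quote = ch
            elif ch in ",)":
                after_string = False
            i += 1
        else:
            if quote:
                problems.append((lineno, len(line), "unterminated string"))
    return problems


if __name__ == "__main__":
    print(lint_actions(SAMPLE_BROKEN))
    print(lint_actions(SAMPLE_FIXED))
```

Inside a double-quoted argument a single quote is ordinary text, which is why `"$Header['signed']"` scans as one string.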
11-26-2015 01:37 AM
Your last 2 entries look like they have open quotes...do you need quotes between the ) and the ]
12-09-2015 04:22 AM
So good so far, that works. Now the tricky questions:
a) I had supposed that if I would use the debug like this the values would not be empty in case one of the key words fires off:
log-entry("$Header['signed']");
log-entry("$Header['encrypted']");
log-entry("$Header['spf-status']");
log-entry("$Header['spf-passed']");
log-entry("$Header['dkim-authentication']");
but even mails sent from an SPF-confirmed email system are always empty in the log. Do those key words not get set for a message filter?
b) How could I get log-entry to add a key word in front of the variable, like:
From-> and then log-entry("$From")
I tried all combinations which came to my mind but had no luck so far getting it to work.
c) How can you combine log-entry("$Date") and log-entry("$Time") so it displays on one line with a simple space in between?
Thank you for any feedback
12-09-2015 04:36 AM
Today's version of the filter:
TestGroupTagTest: if (recv-listener == "InboundMail") AND ((rcpt-to == "(stefan\\.wernicke|marc\\.luescher)@(fresenius-netcare\\.com|net-dept\\.com|fmc-ag\\.com)") AND
(mail-from !=
"@(activhealth|akdq-euclid|appdrugs|apppharma|artistic|asiarenalcare|atg-fresenius|bcm-fresenius|benjicare|biotec-systems|calcucare|calcucare|calea-online|calea|caremark|cfl-online|enterale-ernaehrung|fenwalinc|.*\\.fenwalinc|fenwalinc2\\.onmicrosoft|fmc-ag|fmc-asia|fmc-na|fmc|fondazioneorizzonte|fresenius-ag|fresenius-hemocare|fresenius-hemocare|fresenius-kabi-oncology|fresenius-kabi-us|fresenius-kabi|fresenius-netcare|fresenius-pp|fresenius-proserve|fresenius|fresucare-freiermitarbeiter|hditravel|helios-.*|allgaeu-resort|wir-fuer-gesundheit|hsk-wiesbaden|hemocare|hemosystems|henke-pharma|hesylation|hkrenalhealth|hosped|hospitalia-activhealth|hospitalia|hosppharma|kabi|kabinutrir|kidneycommunity|labesfal|lev-ee|neomedics|nephrocare-eservices|nephrocare|nephrocareasia|net-dept|novafarma|npbi|onko-service|opcionrenal|pfk|pharmaprocip|pharmatec-group|pharmatecprocip|ppcdrugs|removab|rheinische-compounding|ribbonchem|rriny|rudern-gegen-krebs-berlin|rudern-gegen-krebs|ruderngegenkrebs|stiftung-leben-mit-krebs|trublulogistics|vamed|vitality-world|yeolinmf)\\.(de|com|net|com\\.au|at|nl|ca|org|pt|co\\.jp|com\\.pl|com\\.br|fax\\.uk|es|co\\.nz|it|co\\.kr)$")) {
log-entry("Before Ironport Stripping Filter applied");
log-entry("$EnvelopeFrom");
log-entry("$From");
if header("From") != "\\s" {
strip-header("From");
insert-header("From", "$EnvelopeFrom <$EnvelopeFrom>");
}
insert-header("X-Ironport-TestGrp", "1");
insert-header("X-Ironport-FromTag", "1");
log-entry("After Ironport Stripping Filter applied");
log-entry("$EnvelopeFrom");
log-entry("$From");
log-entry("$To");
log-entry("$MID");
log-entry("$Subject");
log-entry("$Date") + " " + log-entry("$Time");
log-entry("$Filtername");
log-entry("$Policy");
log-entry("$Group");
log-entry("$Reputation");
log-entry("$Header['signed']");
log-entry("$Header['encrypted']");
log-entry("$Header['spf-status']");
log-entry("$Header['spf-passed']");
log-entry("$Header['dkim-authentication']");
log-entry("End of detailed Debug");
skip-filters();
}
12-10-2015 05:37 AM
Marc, spf-status and spf-passed aren't action variables so they can't be directly quoted in headers, log entries and the like.
Here's a fragment from one of my own scripts:
if (spf-status == 'fail') {
if (no-reputation) {
insert-header('X-Recycle', 'Bad SPF, no SBRS');
}
else {
if (reputation < 4.1) {
insert-header('X-Recycle', 'Bad SPF, SBRS $reputation');
}
}
}
where the presence of the header X-Recycle later causes the message to be thrown into the appropriate bit bucket.
11-26-2015 10:25 AM
To me, this wouldn't make sense, as those two lines in question would result in the following in mail_logs:
Thu Nov 26 13:07:08 2015 Info: MID 5348 Custom Log Entry: $Header[signed]
Thu Nov 26 13:07:08 2015 Info: MID 5348 Custom Log Entry: $Header[encrypted]
Also - keep in mind - you have $AllHeaders specified earlier in the filter --- which if headers are >1024 characters, you are not going to log anything past 1024...
-Robert