tnef madness

Discussion:

tnef madness

Kevin Miller

2014-06-05 23:28:53 UTC

I've been having trouble with tnef attachements from one person. Most get through OK, but this one is stumping me. The sender is not using rich text format. The mail administrator at her site sent me the following:

" I have deleted Anita's outlook profile and recreated it and have also checked the Exchange settings to see if it is enforcing rich-text format over the user's settings (it is not). Her email still gets bounced back when sent as HTML with or without an attachment. Her email is successful as plain text without an attachment, but fails with an attachment. The attachment is a PDF."

It works for other users at this site - it's just her email that is acting oddly. She's using Outlook - I'm not sure what version or which version of Exchange they're on.

Looking in the /var/spool/MailScanner/quarantine/20140605 I see a couple of odd directories:
mxg:/var/spool/MailScanner/quarantine/20140605 # l
total 145
drwxrwx--- 6 root www 160 Jun 5 13:05 ./
drwxrwx--- 33 root www 800 Jun 5 09:47 ../
drwxrwx--- 2 root www 123760 Jun 5 15:04 nonspam/
drwxrwx--- 2 root www 72 Jun 5 12:22 s55K40Y6019591/
drwxrwx--- 2 root www 72 Jun 5 13:05 s55Kkmnf026492/
drwxrwx--- 2 root www 24240 Jun 5 15:01 spam/

Normally I just see nonspam and spam.
Within s55K40Y6019591/ is a single file named message. Contents are at http://pastebin.com/kGrmSpN5
I munged the email addresses, and stripped out the middle of the attachment but all else is otherwise intact.

TNEF settings in MailScanner.conf:

Expand TNEF = yes
Use TNEF Contents = replace
Deliver Unparsable TNEF = no
TNEF Expander = internal
TNEF Timeout = 120

In Mailwatch, I see this when looking at the message:
message/rfc822 20140605/nonspam/s55Kkmnf026492
message/rfc822\0117bit 20140605/s55Kkmnf026492/message

No idea what rfc822\0117bit indicates but suspect it's a clue...

?...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

Martin Hepworth

2014-06-06 08:00:21 UTC

Permalink

you tried using the external tnef scanner at all?
--
Martin Hepworth, CISSP
Oxford, UK

Post by Kevin Miller
I've been having trouble with tnef attachements from one person. Most get
through OK, but this one is stumping me. The sender is not using rich text
" I have deleted Anita's outlook profile and recreated it and have also
checked the Exchange settings to see if it is enforcing rich-text format
over the user's settings (it is not). Her email still gets bounced back
when sent as HTML with or without an attachment. Her email is successful
as plain text without an attachment, but fails with an attachment. The
attachment is a PDF."
It works for other users at this site - it's just her email that is acting
oddly. She's using Outlook - I'm not sure what version or which version of
Exchange they're on.
Looking in the /var/spool/MailScanner/quarantine/20140605 I see a couple
mxg:/var/spool/MailScanner/quarantine/20140605 # l
total 145
drwxrwx--- 6 root www 160 Jun 5 13:05 ./
drwxrwx--- 33 root www 800 Jun 5 09:47 ../
drwxrwx--- 2 root www 123760 Jun 5 15:04 nonspam/
drwxrwx--- 2 root www 72 Jun 5 12:22 s55K40Y6019591/
drwxrwx--- 2 root www 72 Jun 5 13:05 s55Kkmnf026492/
drwxrwx--- 2 root www 24240 Jun 5 15:01 spam/
Normally I just see nonspam and spam.
Within s55K40Y6019591/ is a single file named message. Contents are at
http://pastebin.com/kGrmSpN5
I munged the email addresses, and stripped out the middle of the
attachment but all else is otherwise intact.
Expand TNEF = yes
Use TNEF Contents = replace
Deliver Unparsable TNEF = no
TNEF Expander = internal
TNEF Timeout = 120
message/rfc822 20140605/nonspam/s55Kkmnf026492
message/rfc822\0117bit 20140605/s55Kkmnf026492/message
No idea what rfc822\0117bit indicates but suspect it's a clue...
...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140606/f310ba26/attachment.html

Randal, Phil

2014-06-06 09:04:23 UTC

Permalink

It?s also worth reminding people to use the TNEF.pm from the MailScanner git repo, if they?re not already.

Cheers,

Phil

--
Phil Randal
Infrastructure Engineer
Hoople Ltd | Thorn Office Centre | Hereford HR2 6JT
Tel: 01432 260415 | Email: phil.randal at hoopleltd.co.uk<mailto:phil.randal at hoopleltd.co.uk>

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth
Sent: 06 June 2014 09:00
To: MailScanner discussion
Subject: Re: tnef madness

you tried using the external tnef scanner at all?

--
Martin Hepworth, CISSP
Oxford, UK

On 6 June 2014 00:28, Kevin Miller <Kevin_Miller at ci.juneau.ak.us<mailto:Kevin_Miller at ci.juneau.ak.us>> wrote:
I've been having trouble with tnef attachements from one person. Most get through OK, but this one is stumping me. The sender is not using rich text format. The mail administrator at her site sent me the following:

" I have deleted Anita's outlook profile and recreated it and have also checked the Exchange settings to see if it is enforcing rich-text format over the user's settings (it is not). Her email still gets bounced back when sent as HTML with or without an attachment. Her email is successful as plain text without an attachment, but fails with an attachment. The attachment is a PDF."

It works for other users at this site - it's just her email that is acting oddly. She's using Outlook - I'm not sure what version or which version of Exchange they're on.

Looking in the /var/spool/MailScanner/quarantine/20140605 I see a couple of odd directories:
mxg:/var/spool/MailScanner/quarantine/20140605 # l
total 145
drwxrwx--- 6 root www 160 Jun 5 13:05 ./
drwxrwx--- 33 root www 800 Jun 5 09:47 ../
drwxrwx--- 2 root www 123760 Jun 5 15:04 nonspam/
drwxrwx--- 2 root www 72 Jun 5 12:22 s55K40Y6019591/
drwxrwx--- 2 root www 72 Jun 5 13:05 s55Kkmnf026492/
drwxrwx--- 2 root www 24240 Jun 5 15:01 spam/

Normally I just see nonspam and spam.
Within s55K40Y6019591/ is a single file named message. Contents are at http://pastebin.com/kGrmSpN5
I munged the email addresses, and stripped out the middle of the attachment but all else is otherwise intact.

TNEF settings in MailScanner.conf:

Expand TNEF = yes
Use TNEF Contents = replace
Deliver Unparsable TNEF = no
TNEF Expander = internal
TNEF Timeout = 120

In Mailwatch, I see this when looking at the message:
message/rfc822 20140605/nonspam/s55Kkmnf026492
message/rfc822\0117bit 20140605/s55Kkmnf026492/message

No idea what rfc822\0117bit indicates but suspect it's a clue...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

--
MailScanner mailing list
mailscanner at lists.mailscanner.info<mailto:mailscanner at lists.mailscanner.info>
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

Hoople Ltd, Registered in England and Wales No. 7556595
Registered office: Plough Lane, Hereford, HR4 0LE

"Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Hoople Ltd. You should be aware that Hoople Ltd. monitors its email service. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140606/4eaea742/attachment.html

Kevin Miller

2014-06-06 17:54:54 UTC

Permalink

I believe am. The preamble shows:
# $Id: TNEF.pm 5119 2013-06-17 13:29:15Z sysjkf $
Which is the same as I saw on the github site. Unless I was looking in the wrong place.

Running MailScanner ?V, I?m showing:
MailScanner version 4.84.3
0.17 Convert::TNEF

I?m unsure of the relationship between Convert::TNEF and the TNEF.pm packages.

I show the following when doing a locate for tnef:
/usr/bin/tnef
/usr/lib/MailScanner/MailScanner/TNEF.pm
/usr/lib/perl5/vendor_perl/5.8.8/Convert/TNEF.pm

The external version is 1.4.5, circa 2008. We?ll see how it works.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Randal, Phil
Sent: Friday, June 06, 2014 1:04 AM
To: MailScanner discussion
Subject: RE: tnef madness

It?s also worth reminding people to use the TNEF.pm from the MailScanner git repo, if they?re not already.

Cheers,

Phil
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140606/58a3f3cb/attachment.html

PSI Mailbag

2014-06-10 13:37:37 UTC

Permalink

? # $Id: TNEF.pm 5119 2013-06-17 13:29:15Z sysjkf $
Which is the same as I saw on the github site.? Unless I was looking in the wrong place.

Don?t trust the preamble.. Most of the GIT sources haven?t updated them, effectively making those tags useless.

Just a quick followup.? After experimenting with the internal and external TNEF decoders in MailScanner
to no avail we narrowed down the issue to only messages sent to my internal user. The sender was able
to email me in both plain and html formats with and without attachments. It turns out that having her
delete her nickname entry in Outlook for Jane (the internal user) was the cure.

I've run into this before too. It can also be controlled by a "Contact" object in AD, overriding the global settings from Exchange. Outlook thinks it's an internal object at that point and blissfully sends in rich text. Very annoying to track down sometimes, especially when you're trying to prevent TNEF from escaping out to the Internet.

Cheers
-Joshua

Kevin Miller

2014-06-06 17:39:02 UTC

Permalink

I switched to it yesterday afternoon after posting. I?m waiting for test messages from the sender to see how it behaves.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth
Sent: Friday, June 06, 2014 12:00 AM
To: MailScanner discussion
Subject: Re: tnef madness

you tried using the external tnef scanner at all?

--
Martin Hepworth, CISSP
Oxford, UK

On 6 June 2014 00:28, Kevin Miller <Kevin_Miller at ci.juneau.ak.us<mailto:Kevin_Miller at ci.juneau.ak.us>> wrote:
I've been having trouble with tnef attachements from one person. Most get through OK, but this one is stumping me. The sender is not using rich text format. The mail administrator at her site sent me the following:

" I have deleted Anita's outlook profile and recreated it and have also checked the Exchange settings to see if it is enforcing rich-text format over the user's settings (it is not). Her email still gets bounced back when sent as HTML with or without an attachment. Her email is successful as plain text without an attachment, but fails with an attachment. The attachment is a PDF."

It works for other users at this site - it's just her email that is acting oddly. She's using Outlook - I'm not sure what version or which version of Exchange they're on.

Looking in the /var/spool/MailScanner/quarantine/20140605 I see a couple of odd directories:
mxg:/var/spool/MailScanner/quarantine/20140605 # l
total 145
drwxrwx--- 6 root www 160 Jun 5 13:05 ./
drwxrwx--- 33 root www 800 Jun 5 09:47 ../
drwxrwx--- 2 root www 123760 Jun 5 15:04 nonspam/
drwxrwx--- 2 root www 72 Jun 5 12:22 s55K40Y6019591/
drwxrwx--- 2 root www 72 Jun 5 13:05 s55Kkmnf026492/
drwxrwx--- 2 root www 24240 Jun 5 15:01 spam/

Normally I just see nonspam and spam.
Within s55K40Y6019591/ is a single file named message. Contents are at http://pastebin.com/kGrmSpN5
I munged the email addresses, and stripped out the middle of the attachment but all else is otherwise intact.

TNEF settings in MailScanner.conf:

Expand TNEF = yes
Use TNEF Contents = replace
Deliver Unparsable TNEF = no
TNEF Expander = internal
TNEF Timeout = 120

In Mailwatch, I see this when looking at the message:
message/rfc822 20140605/nonspam/s55Kkmnf026492
message/rfc822\0117bit 20140605/s55Kkmnf026492/message

No idea what rfc822\0117bit indicates but suspect it's a clue...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

--
MailScanner mailing list
mailscanner at lists.mailscanner.info<mailto:mailscanner at lists.mailscanner.info>
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140606/7bafbbcd/attachment.html

Kevin Miller

2014-06-09 17:32:06 UTC

Permalink

Just a quick followup. After experimenting with the internal and external TNEF decoders in MailScanner to no avail we narrowed down the issue to only messages sent to my internal user. The sender was able to email me in both plain and html formats with and without attachments. It turns out that having her delete her nickname entry in Outlook for Jane (the internal user) was the cure. Apparently whatever is cached there will override default or run-time settings. TNEF is still problematic in some cases, but in this case it was yet another odd Microsoft command decision to behave oddly that hindered the troubleshooting.

I stumbled across this page: http://www.officeformachelp.com/office/glossary/winmail-dat/ which provided the necessary clue to at least work around the problem. Hope it is helpful to others?

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth
Sent: Friday, June 06, 2014 12:00 AM
To: MailScanner discussion
Subject: Re: tnef madness

you tried using the external tnef scanner at all?

--
Martin Hepworth, CISSP
Oxford, UK

On 6 June 2014 00:28, Kevin Miller <Kevin_Miller at ci.juneau.ak.us<mailto:Kevin_Miller at ci.juneau.ak.us>> wrote:
I've been having trouble with tnef attachements from one person. Most get through OK, but this one is stumping me. The sender is not using rich text format. The mail administrator at her site sent me the following:

" I have deleted Anita's outlook profile and recreated it and have also checked the Exchange settings to see if it is enforcing rich-text format over the user's settings (it is not). Her email still gets bounced back when sent as HTML with or without an attachment. Her email is successful as plain text without an attachment, but fails with an attachment. The attachment is a PDF."

It works for other users at this site - it's just her email that is acting oddly. She's using Outlook - I'm not sure what version or which version of Exchange they're on.

Looking in the /var/spool/MailScanner/quarantine/20140605 I see a couple of odd directories:
mxg:/var/spool/MailScanner/quarantine/20140605 # l
total 145
drwxrwx--- 6 root www 160 Jun 5 13:05 ./
drwxrwx--- 33 root www 800 Jun 5 09:47 ../
drwxrwx--- 2 root www 123760 Jun 5 15:04 nonspam/
drwxrwx--- 2 root www 72 Jun 5 12:22 s55K40Y6019591/
drwxrwx--- 2 root www 72 Jun 5 13:05 s55Kkmnf026492/
drwxrwx--- 2 root www 24240 Jun 5 15:01 spam/

Normally I just see nonspam and spam.
Within s55K40Y6019591/ is a single file named message. Contents are at http://pastebin.com/kGrmSpN5
I munged the email addresses, and stripped out the middle of the attachment but all else is otherwise intact.

TNEF settings in MailScanner.conf:

Expand TNEF = yes
Use TNEF Contents = replace
Deliver Unparsable TNEF = no
TNEF Expander = internal
TNEF Timeout = 120

In Mailwatch, I see this when looking at the message:
message/rfc822 20140605/nonspam/s55Kkmnf026492
message/rfc822\0117bit 20140605/s55Kkmnf026492/message

No idea what rfc822\0117bit indicates but suspect it's a clue...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

--
MailScanner mailing list
mailscanner at lists.mailscanner.info<mailto:mailscanner at lists.mailscanner.info>
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140609/a11863c3/attachment.html