Discussion:
Could not parse Outlook Rich Text attachment
Robert Lopez
2013-10-14 21:16:12 UTC
Permalink
I am seeing a lot of log lines like these:

Oct 14 13:37:15 mg08 MailScanner[22850]: Expanding TNEF archive at
/var/spool/MailScanner/incoming/22850/B30054C0007.A33A0/winmail.dat
Oct 14 13:37:15 mg08 MailScanner[22850]: Trying to unpack nwinmail.dat in
message B30054C0007.A33A0, could not create subdirectory
B30054C0007.A33A0//tnefncr7nY, failed to unpack TNEF message
Oct 14 13:37:15 mg08 MailScanner[22850]: Corrupt TNEF winmail.dat that
cannot be analysed in message B30054C0007.A33A0

I have been looking through the source of MailScanner-4.84.5-3 and I do not
recognize any answers to my questions.

Can the attachment really be named "nwinmail.dat" or is that first "n" a
typographical error?

Any hints on how to find why the directory cannot be created? By the time I
find log lines and take a look the parent directory is already gone.

If the winmail.dat file is removed will the email lose information? If
not, how is MailScanner told to remove it without trying to scan it?
--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131014/3d550222/attachment.html
Kai Schaetzl
2013-10-15 09:01:16 UTC
Permalink
Post by Robert Lopez
I have been looking through the source of MailScanner-4.84.5-3 and I do not
recognize any answers to my questions.
There is a 4.84.6 that specifically lists a TNEF patch.

Kai
--
Get your web at Conactive Internet Services: http://www.conactive.com
Martin Hepworth
2013-10-15 09:49:19 UTC
Permalink
about time people dropped rtf emails from outlook and went to html....
security aside nothing else other than outleek can parse the email properly.
--
Martin Hepworth, CISSP
Oxford, UK
Post by Kai Schaetzl
Post by Robert Lopez
I have been looking through the source of MailScanner-4.84.5-3 and I do
not
Post by Robert Lopez
recognize any answers to my questions.
There is a 4.84.6 that specifically lists a TNEF patch.
Kai
--
Get your web at Conactive Internet Services: http://www.conactive.com
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131015/b18b0d67/attachment.html
Robert Lopez
2013-10-15 17:50:26 UTC
Permalink
Post by Martin Hepworth
about time people dropped rtf emails from outlook and went to html....
security aside nothing else other than outleek can parse the email properly.
--
Martin Hepworth, CISSP
Oxford, UK
Post by Kai Schaetzl
Post by Robert Lopez
I have been looking through the source of MailScanner-4.84.5-3 and I do
not
Post by Robert Lopez
recognize any answers to my questions.
There is a 4.84.6 that specifically lists a TNEF patch.
Kai
--
Get your web at Conactive Internet Services: http://www.conactive.com
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
Kai,
Thanks for that. In the archives there is also email saying some patch did
not fix the problem. I need to see if the one you point to is newer.

Martin,

I agree with your statement and the sentiment. It may not be that easy. Ie,
the choice may not be a personal one and the choice may not be honoured
even when made.

I am becoming convinced there might be bugs in Exchange and/or Outlook.
We have done some experiments and email composed in HTML when forwarded by
a person who is set up to default to HTML end up forwarding "HTML" email
with winmail.dat attached.

It is not clear to me if it is our implementation of Exchange that is
messed up or if it is all Exchange because suddenly the problem is growing
very fast on incoming email from outside our college.

We are also struggling with our phone system that is running on a UNIX box
which sends voice messages to employees who are on Exchange. When Exchange
forwards that message it has a winmail.dat attached.

Right now many persons are complaining about the sender.error.report.txt
info.
My thinking is until I get things fixed as per Kai's suggestion I need to
stop the sending of the report, which I think means stop the scanning of
the winmail.dat file by discarding it instead of scanning it.

I just do not know if that means a loss of information.
--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131015/23723b35/attachment.html
Mark Sapiro
2013-10-15 17:23:17 UTC
Permalink
Post by Robert Lopez
Oct 14 13:37:15 mg08 MailScanner[22850]: Expanding TNEF archive at
/var/spool/MailScanner/incoming/22850/B30054C0007.A33A0/winmail.dat
Oct 14 13:37:15 mg08 MailScanner[22850]: Trying to unpack nwinmail.dat
in message B30054C0007.A33A0, could not create subdirectory
B30054C0007.A33A0//tnefncr7nY, failed to unpack TNEF message
Oct 14 13:37:15 mg08 MailScanner[22850]: Corrupt TNEF winmail.dat that
cannot be analysed in message B30054C0007.A33A0
The 4.84.6-1 MailScanner/TNEF.pm contains the following at line 232

my ($tmpfh, $unpackdir) = tempfile("tnefXXXXXX", TMPDIR => $dir,
UNLINK => 0);

This doesn't do anything reasonable. It creates a file, not a directory,
and TMPDIR is a boolean, not a path so this causes the file to be
created in the "File::Spec->tmpdir" directory, not $dir.

I'm not sure in what version this was introduced. It's not in
<https://github.com/MailScanner/MailScanner/blob/master/mailscanner/bin/MailScanner/TNEF.pm>

It should probably be something like

my $unpackdir = tempdir("tnefXXXXXX", DIR => $dir);

but this is untested.
Post by Robert Lopez
I have been looking through the source of MailScanner-4.84.5-3 and I do
not recognize any answers to my questions.
Can the attachment really be named "nwinmail.dat" or is that first "n" a
typographical error?
nwinmail.dat is not the attachment name, it is a MailScanner name for
the file where the attachment will be stored for decoding/scanning.
Post by Robert Lopez
Any hints on how to find why the directory cannot be created? By the
time I find log lines and take a look the parent directory is already gone.
Try the above suggested replacement and see if it helps.
Post by Robert Lopez
If the winmail.dat file is removed will the email lose information? If
not, how is MailScanner told to remove it without trying to scan it?
I don't understand this question. I think what "should" happen with this
message is the winmail.dat is unscanned and the mail with the
winmail.dat is delivered.
--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
Robert Lopez
2013-10-15 19:10:14 UTC
Permalink
Mark,

With respect to your statement "I think what 'should' happen with this
message is the winmail.dat is unscanned and the mail with the
winmail.dat is delivered."

Will these configuration statements do what you think "should" happen?:

Expand TNEF = no
Use TNEF Contents = no
Deliver Unparsable TNEF = yes

Would I need to make any other related changes?
--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131015/8eb3a94c/attachment.html
Mark Sapiro
2013-10-15 23:08:37 UTC
Permalink
Post by Robert Lopez
Mark,
With respect to your statement "I think what 'should' happen with this
message is the winmail.dat is unscanned and the mail with the
winmail.dat is delivered."
Expand TNEF = no
Use TNEF Contents = no
Deliver Unparsable TNEF = yes
Those will do, and I just tested and just

Expand TNEF = no

is sufficient.
--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
Robert Lopez
2013-10-16 18:24:37 UTC
Permalink
Mark, thanks for the testing. I used all three. It is good to know less is
sufficient.
Post by Mark Sapiro
Post by Robert Lopez
Mark,
With respect to your statement "I think what 'should' happen with this
message is the winmail.dat is unscanned and the mail with the
winmail.dat is delivered."
Expand TNEF = no
Use TNEF Contents = no
Deliver Unparsable TNEF = yes
Those will do, and I just tested and just
Expand TNEF = no
is sufficient.
--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20131016/edb009a7/attachment.html
Loading...