Hi, Gurus.
I have FW-1 and eSafe working via CVP and from time to time users
receive mail with a "<< MIME_ATTACHMENT_STRIPPED >>" message.
You can find an example below.
In the FW-1 log it appeared as:
8:46:06 accept nkmz <daemon proto: tcp; src: mxb.rambler.ru;
dst: Proxy; Service_name: smtp; service: smtp; s_port: 3331; agent:
mail dequeuer ,number of recipients:1,; orig_from:
<[EMAIL PROTECTED]>; to:
<[EMAIL PROTECTED]>(+)<[EMAIL PROTECTED]>(+)<[EMAIL PROTECTED]>(+)<[EMAIL
PROTECTED]>;
rule: 8; reason: Original resource was unsafe. Content Security
Server has modified and cured the requested resource: Msg #1052 - CVP
Server: file was scanned and modified (cleaned). For further
information, please refer to the eSafe Gateway report.(+)Content
Security Server has approved the requested resource: Msg #1051 - CVP
Server: file was scanned and found to be clean. For further
information, please refer to the eSafe Gateway report.(+)Content
Security Server has approved the requested resource: Msg #1051 - CVP
Server: file was scanned and found to be clean. For further
information, please refer to the eSafe Gateway report.(+)Content
Security Server has approved the requested resource: Msg #1051 - CVP
Server: file was scanned and found to be clean. For further
information, please refer to the eSafe Gateway report.Forbidden MIME
attachment stripped; product: VPN-1 & FireWall-1;
and the message user received was:
Return-Path: [EMAIL PROTECTED]
Received: from xxxxx ([xxxxx])
by xxxxx (8.12.10/8.12.10) with SMTP id j2M6dYes018767
for <[EMAIL PROTECTED]>; Tue, 22 Mar 2005 08:39:37 +0200 (EET)
Received: from vega.all-biz.info ([80.68.242.39]) by xxxxxx; Tue, 22 Mar
2005 08:45:25 +0200 (GMT-2)
Received: from vega.all-biz.info (localhost.all-biz.info [127.0.0.1]) by
vega.all-biz.info (8.13.1/8.13.1)
with ESMTP id
j2M6e3Hm062496 for <[EMAIL PROTECTED]>; Tue, 22 Mar 2005 08:40:03
+0200 (EET) (envelope-from
[EMAIL PROTECTED])
Received: (from [EMAIL PROTECTED]) by vega.all-biz.info
(8.13.1/8.13.1/Submit) id j2M6e3nJ062495; Tue, 22 Mar
2005 08:40:03 +0200
(EET) (envelope-from www)
Date: Tue, 22 Mar 2005 08:40:03 +0200 (EET)
Message-Id: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject:
=?UTF-8?B?0JLQsNGIIGUtbWFpbCDQt9Cw0YDQtdCz0LjRgdGC0YDQuNGA0L7QstCw0L0g0LIg0YHQuNGB0YLQtdC80LUg0YDQsNGB0YHRi9C70L7QuiDRgNC10YHRg9GA0YHQsCAi0KPQutGA0LDQuNC90LAg0J/RgNC+0LzRi9GI0LvQtdC90L3QsNGPIg==?=
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Errors-To: [EMAIL PROTECTED]
X-Mailer: script
Content-type: Text/plain;
Content-type: Text/plain;
charset=US-ASCII;
charset=US-ASCII
Mime-Version: 1.0
X-Spam-Status: No, hits=0.2 required=5.4 tests=BAYES_44,NO_REAL_NAME
autolearn=no version=2.64
X-Spam-Report: * 0.2 NO_REAL_NAME From: does not include a real name*
-0..0 BAYES_44 BODY: Bayesian spam
probability is 44
to 50%* [score: 0.4828]
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on vega.all-biz.info
X-Virus-Scanned: ClamAV 0.80/742/Wed Mar 2 03:05:59 2005, clamav-milter
version 0.70j
X-Virus-Scanned: by amavisd-new
X-ESAFE-STATUS: Mail clean
X-ESAFE-DETAILS: Clean
X-Logged: Logged by xxxx as j2M6dYes018767 at Tue Mar 22 08:39:37 2005
X-UIDL: e26e12755ffbc8b73eb50beadd9d3f54
<< MIME_ATTACHMENT_STRIPPED >>
----------------------
Judging from the message "<< MIME_ATTACHMENT_STRIPPED >>" the
attachment was stripped by FW-1.
A similar message that was not stripped is attached and I don't understand why FW-1
disliked it. Any help is appreciated.
Thanks,
Andrey.
I'm using Check Point VPN-1(TM) & FireWall-1(R) NG with Application
Intelligence (R55) HFA_09, Hotfix 182 - Build 011.
Here are configuration details regarding smtp:
:SMTP_security_server (
:AdminInfo (
:chkpf_uid ("{FCFD1062-35E2-11D6-A48B-00D0B7BE171D}")
:ClassName (SMTP_security_server)
)
:smtp_add_received_header (true)
:smtp_check_bad_commands (true)
:smtp_composite_encoding (false)
:smtp_direct_mime_strip (false)
:smtp_force_recipient_domain (true)
:smtp_log_too_many_commands (true)
:smtp_max_allowed_err_commands (8)
:smtp_max_allowed_nop_commands (10)
:smtp_multi_cont_type (false)
:smtp_multi_encoding (false)
:smtp_unknown_encoding (true)
:smtp_valid_on_all (false)
)
-----------------------------------
:smtp_transparent_server_connection (false)
:smtp_allow_extended_relay (false)
:smtp_encoded_content_field (true)
:smtp_enforce_hex_encoding (true)
:smtp_exact_str_match (false)
:smtp_force_no_uu_begin_after_decode (true)
:smtp_force_no_uu_begin_before_decode (true)
:smtp_force_no_uu_begin_in_prolog_epilog (true)
:smtp_force_sender_domain (false)
:smtp_force_uu_syntax_check (true)
:smtp_limit_content_buf_size (true)
:smtp_mail_encoding (false)
:smtp_max_file_name_length (512)
:smtp_max_global_headers_size (32768)
:smtp_max_user_name_length (400)
:smtp_msg ()
:smtp_rfc821 (false)
:smtp_rfc822 (true)
:smtp_strict_mime_header (true)
------------------------------------
: (SMTP-incomin
:AdminInfo (
:chkpf_uid ("{035F8E39-96D0-4DE4-85C8-68A1B7AF5677}")
:ClassName (smtp_resource)
:table (resources)
:Wiznum (-1)
:LastModified (
:Time ("Fri Nov 19 11:36:47 2004")
:By (ivan)
:From (oio-2838-a)
)
)
:content_type (
: ("message/partial")
)
:forbiddenfiles (
: ()
)
:from (
: ()
: ()
)
:match_from (
: ("*")
)
:match_to (
: ("[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]")
)
:to (
: ()
: ()
)
:user_field (
: ()
: ()
: ()
)
:allowed_chars ("8 bit")
:av_headers (true)
:av_server (ReferenceObject
:Name (eSafe-Gateway)
:Table (opsec)
:Uid ("{FEE4399D-39CF-4DAE-94C5-C11FCA9F8F22}")
)
:av_setting (cure)
:av_skip (false)
:av_use (true)
:check_rulebase_again (false)
:color ("deep pink")
:comments ()
:default_server ()
:err_check_rulebase_again (false)
:err_notify (false)
:error_server ()
:except_track (ReferenceObject
:Table (tracks)
:Name ("Exception Log")
:Uid ("{97AEB48D-9AEA-11D5-BD16-0090272CCB30}")
)
:maxsize (5000)
:reply_mode (reply_first)
:resolve_recipient_domain (false)
:resolve_sender_domain (false)
:smtp_strip_active_tags (false)
:smtp_strip_applet_tags (false)
:smtp_strip_ftp_tags (false)
:smtp_strip_port_tags (false)
:smtp_strip_script_tags (false)
:type (smtp)
)
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
[Filename: 2-P.eml, Content-Type: text/plain]
The attachment file in the message has been removed by eManager.
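
Added example, not part of the original post: a Python check that reads a header block like the one quoted above together with the pasted SMTP_security_server settings, and reports headers that occur more than once while the corresponding setting is false. The mapping of smtp_multi_cont_type and smtp_multi_encoding to the Content-Type and Content-Transfer-Encoding headers is an assumption, and the sample message uses constructed placeholder addresses.

```python
import re
from email.parser import HeaderParser

# Settings copied from the SMTP_security_server block in the post.
CONFIG = """
:smtp_multi_cont_type (false)
:smtp_multi_encoding (false)
:smtp_unknown_encoding (true)
"""

# Assumption (not confirmed by the page): when the setting is false, the
# security server does not accept more than one instance of this header.
ASSUMED_SINGLE_HEADER = {
    "smtp_multi_cont_type": "Content-Type",
    "smtp_multi_encoding": "Content-Transfer-Encoding",
}

# Constructed sample modeled on the quoted message; addresses are placeholders.
SAMPLE = """\
From: sender@example.invalid
To: user@example.invalid
X-Mailer: script
Content-type: Text/plain;
Content-type: Text/plain;
 charset=US-ASCII;
 charset=US-ASCII
Mime-Version: 1.0

<< MIME_ATTACHMENT_STRIPPED >>
"""

def parse_settings(text):
    """Return {name: bool} for every ':name (true|false)' line."""
    return {m.group(1): m.group(2) == "true"
            for m in re.finditer(r":(\w+)\s+\((true|false)\)", text)}

def repeated_header_findings(raw_message, settings):
    """List (setting, header, count) where a header repeats and the setting is false."""
    msg = HeaderParser().parsestr(raw_message)
    findings = []
    for setting, header in ASSUMED_SINGLE_HEADER.items():
        values = msg.get_all(header) or []  # header names match case-insensitively
        if len(values) > 1 and settings.get(setting) is False:
            findings.append((setting, header, len(values)))
    return findings

if __name__ == "__main__":
    for setting, header, count in repeated_header_findings(SAMPLE, parse_settings(CONFIG)):
        print(f"{header} appears {count} times while {setting} is false")
```

Running the same check over the message that was not stripped shows whether the repeated header is what separates the two.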