Re: [exim] Very strange problem: E-Mail denied by ACL, but send via router

2021-03-09 Thread Evgeniy Berdnikov via Exim-users
On Tue, Mar 09, 2021 at 01:18:53PM +0100, Luca Bertoncello via Exim-users wrote:
> > It can be finally confirmed with ltrace or gdb run,
> > and it should disappear if you remove library call.
>
> OK, I tried to start:
>
> ltrace exim -bh...
>
> But I don't see any call to/from Kaspersky...

Re: [exim] Very strange problem: E-Mail denied by ACL, but send via router

2021-03-09 Thread Luca Bertoncello via Exim-users
Am 24.02.2021 13:31, schrieb Jeremy Harris via Exim-users: Hi again Add debug options to your -bh repeat-by, and follow through the flow of the ACLs. This is very strange... I tried to add a "deny" just after the check by Kaspersky: warn condition = ${if def:h_X-Ciphermail

Re: [exim] Very strange problem: E-Mail denied by ACL, but send via router

2021-03-09 Thread Luca Bertoncello via Exim-users
Am 09.03.2021 11:45, schrieb Evgeniy Berdnikov via Exim-users: On Tue, Mar 09, 2021 at 11:25:20AM +0100, Luca Bertoncello via Exim-users wrote: In Exim mainlog I can just see, that the E-Mail was sent: 2021-03-09 09:56:29 1lJYAH-lJ-75 <= lucab...@lucabert.de U=Debian-exim P=local S=3031

[exim] DMARC alignment when forwarding

2021-03-09 Thread Rob Gunther via Exim-users
We have Exim running as our MTA. When we forward mail for a user, we use SRS to ensure we do not violate the SPF policy of the sending domain. Sometimes messages are rejected from recipients. 550-5.7.26 DMARC policy. Please contact the administrator of omnis.com domain 550-5.7.26 if this was a

Re: [exim] Very strange problem: E-Mail denied by ACL, but send via router

2021-03-09 Thread Luca Bertoncello via Exim-users
Am 09.03.2021 09:49, schrieb Luca Bertoncello via Exim-users: The strange is, that the E-Mail just be submitted if it contains a ZIP file as attachment. For example, an E-Mail with a PNG will not be resubmitted... Even stranger... The behaviour happens just if an E-Mail was sent with a

Re: [exim] Very strange problem: E-Mail denied by ACL, but send via router

2021-03-09 Thread Evgeniy Berdnikov via Exim-users
On Tue, Mar 09, 2021 at 09:49:55AM +0100, Luca Bertoncello via Exim-users wrote:
> This is very strange... I tried to add a "deny" just after the check
> by Kaspersky:
>
> warn condition = ${if def:h_X-Ciphermail {false}{true}}
>      condition = ${if eq {$acl_m_dontAVscan}{}

Re: [exim] Very strange problem: E-Mail denied by ACL, but send via router

2021-03-09 Thread Luca Bertoncello via Exim-users
Am 09.03.2021 12:10, schrieb Evgeniy Berdnikov via Exim-users: Hi Evgeniy Where the evil comes this sendmail-call?!? I suspect Kaspersky library as source of this process. I suspect it too, but I'd like to confirm that... There are simple ways to check it: 1. Run exim -bh under

Re: [exim] Very strange problem: E-Mail denied by ACL, but send via router

2021-03-09 Thread Evgeniy Berdnikov via Exim-users
On Tue, Mar 09, 2021 at 12:53:09PM +0100, Luca Bertoncello via Exim-users wrote:
> > I suspect Kaspersky library as source of this process.
>
> I suspect it too, but I'd like to confirm that...
...
> This is my /tmp/sendmail.log:
>
> 6366 pts/0S+ 0:00 exim -d+all -bh 185.242.112.224
>

Re: [exim] Very strange problem: E-Mail denied by ACL, but send via router

2021-03-09 Thread Evgeniy Berdnikov via Exim-users
On Tue, Mar 09, 2021 at 11:25:20AM +0100, Luca Bertoncello via Exim-users wrote:
> In Exim mainlog I can just see, that the E-Mail was sent:
>
> 2021-03-09 09:56:29 1lJYAH-lJ-75 <= lucab...@lucabert.de
> U=Debian-exim P=local S=3031
> 2021-03-09 09:56:29 1lJYAH-lJ-75 =>

Re: [exim] Very strange problem: E-Mail denied by ACL, but send via router

2021-03-09 Thread Luca Bertoncello via Exim-users
Am 09.03.2021 10:42, schrieb Evgeniy Berdnikov via Exim-users: Your debug log does not show any invocation of transport. If mail really appears in the destination mailbox, next point of investigation should be Kaspersky. But it is very unlikely that Kaspersky can do direct delivery to

Re: [exim] Very strange problem: E-Mail denied by ACL, but send via router

2021-03-09 Thread Evgeniy Berdnikov via Exim-users
On Tue, Mar 09, 2021 at 11:49:41AM +0100, Luca Bertoncello via Exim-users wrote:
> 2021-03-09 11:44:14.593 [24107] cwd=/var/spool/exim4 5 args:
> /usr/sbin/sendmail -i -f lucab...@lucabert.de
> l.bertonce...@queo-group.com
...
> 2021-03-09 11:44:14.770 [24109] 1lJZqY-0006Gp-JE Completed QT=0.174s

Re: [exim] Very strange problem: E-Mail denied by ACL, but send via router

2021-03-09 Thread Luca Bertoncello via Exim-users
Am 09.03.2021 13:44, schrieb Evgeniy Berdnikov via Exim-users: Hi Line ${dlfunc{/opt/kaspersky/klms/lib64/libklms-exim.so}{scan}{${spool_directory}/input}} suggests that library entry point is called "scan". Could you suggest me how to call it? And maybe (since it logs a huge amount of

Re: [exim] Very strange problem: E-Mail denied by ACL, but send via router

2021-03-09 Thread Luca Bertoncello via Exim-users
Am 09.03.2021 16:26, schrieb Evgeniy Berdnikov via Exim-users: On Tue, Mar 09, 2021 at 03:28:25PM +0100, Luca Bertoncello via Exim-users wrote: Now, this is for me a confirmation, that Kaspersky want to send an E-Mail... Of course, I cannot leave the situation so, since the sender will retry

Re: [exim] Very strange problem: E-Mail denied by ACL, but send via router

2021-03-09 Thread Luca Bertoncello via Exim-users
Am 09.03.2021 14:11, schrieb Jeremy Harris via Exim-users: On 09/03/2021 10:25, Luca Bertoncello via Exim-users wrote: 2021-03-09 09:56:29 1lJYAH-lJ-75 <= lucab...@lucabert.de U=Debian-exim P=local S=3031 2021-03-09 09:56:29 1lJYAH-lJ-75 => l.bertonce...@queo-group.com

Re: [exim] Very strange problem: E-Mail denied by ACL, but send via router

2021-03-09 Thread Jeremy Harris via Exim-users
On 09/03/2021 10:25, Luca Bertoncello via Exim-users wrote: 2021-03-09 09:56:29 1lJYAH-lJ-75 <= lucab...@lucabert.de U=Debian-exim  P=local S=3031 2021-03-09 09:56:29 1lJYAH-lJ-75 => l.bertonce...@queo-group.com R=ciphermail_ext_to_int_gw T=ciphermail_smtp H=127.0.0.1 [127.0.0.1]

Re: [exim] Very strange problem: E-Mail denied by ACL, but send via router

2021-03-09 Thread Luca Bertoncello via Exim-users
Am 09.03.2021 14:38, schrieb Jeremy Harris via Exim-users: Hi Jeremy Look into the docs description of acl_not_smtp. The data ACL is called after an SMTP DATA command finishes, and your message source is not SMTP. So, I see, the "phantom E-Mail" contains an Header X-Loop. So I create an ACL

Re: [exim] Very strange problem: E-Mail denied by ACL, but send via router

2021-03-09 Thread Evgeniy Berdnikov via Exim-users
On Tue, Mar 09, 2021 at 03:28:25PM +0100, Luca Bertoncello via Exim-users wrote:
> Now, this is for me a confirmation, that Kaspersky want to send an E-Mail...
> Of course, I cannot leave the situation so, since the sender will retry to
> send the E-Mail...

Sender should NOT send e-mail after

Re: [exim] Very strange problem: E-Mail denied by ACL, but send via router

2021-03-09 Thread Jeremy Harris via Exim-users
On 09/03/2021 13:21, Luca Bertoncello via Exim-users wrote: The virus-checking is in the data-ACL: Look into the docs description of acl_not_smtp. The data ACL is called after an SMTP DATA command finishes, and your message source is not SMTP. -- Cheers, Jeremy -- ## List details at

Re: [exim] DMARC alignment when forwarding

2021-03-09 Thread Jim Fenton via Exim-users
Rob, Generally if you need for messages to pass DMARC check when forwarding, you need to rewrite the From header field to make it align. Hacking up an example from the IETF DMARC mailing list, they would rewrite the address to something like: From: Happy User Where of course you would

Re: [exim] Very strange problem: E-Mail denied by ACL, but send via router

2021-03-09 Thread Luca Bertoncello via Exim-users
Am 09.03.2021 10:42, schrieb Evgeniy Berdnikov via Exim-users: Hi Evgeniy Your debug log does not show any invocation of transport. If mail really appears in the destination mailbox, next point of investigation should be This is what I suppose, too... Kaspersky. But it is very unlikely

Re: [exim] Very strange problem: E-Mail denied by ACL, but send via router

2021-03-09 Thread Luca Bertoncello via Exim-users
Am 09.03.2021 13:06, schrieb Evgeniy Berdnikov via Exim-users: Hi This is my /tmp/sendmail.log: 6366 pts/0S+ 0:00 exim -d+all -bh 185.242.112.224 Do I understand correctly, that Exim generate the E-Mail? Yes, this is what expected if Kaspersky library spawns child process. It