Mailing List Archive

Why "blackhole"?
Hi list,

I recently discovered this very curious message in the mainlog:

2018-02-28 00:56:11 1eqp6G-0004wp-IR DKIM: d=email.microsoftemail.com s=102420140131 c=relaxed/relaxed a=rsa-sha1 b=1024 [verification succeeded]
2018-02-28 00:56:12 1eqp6G-0004wp-IR LMS check accept: 250 OK
2018-02-28 00:56:12 1eqp6G-0004wp-IR <= bounce-866153_HTML-528534629-5439879-228974-247@bounce.e-mail.microsoft.com H=(mta28.email.microsoftemail.com) [66.231.92.214] P=esmtps X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 S=69286 id=df627243-be0d-4776-9939-7408baf52a86@xtinmta177.xt.local
2018-02-28 00:56:12 1eqp6G-0004wp-IR => blackhole (local_scan discarded recipients)
2018-02-28 00:56:12 1eqp6G-0004wp-IR Completed

I really can't understand why the e-mail was discarded.
Can someone help me?

Thanks
Luca Bertoncello
(lucabert@lucabert.de)


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Why "blackhole"?
Have you added a local_scan function to your configuration?

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-adding_a_local_scan_function_to_exim.html


If so, then it sounds like it has decided to discard all the recipients for
that incoming message. If you read the *Specification* it says (emphasis
mine):

The list of accepted recipients, held in a vector of length
recipients_count. The recipient_item structure is discussed below. You can
add additional recipients by calling receive_add_recipient() (see below). *You
can delete recipients by removing them from the vector and adjusting the
value in recipients_count. In particular, by setting recipients_count to
zero you remove all recipients. If you then return the value
LOCAL_SCAN_ACCEPT, the message is accepted, but immediately blackholed.* To
replace the recipients, you can set recipients_count to zero and then call
receive_add_recipient() as often as needed.


If local_scan says to accept the message but it has no recipients left it
is blackholed.

Cheers,
Mike B-)

On 12 March 2018 at 15:30, Luca Bertoncello via Exim-users <
exim-users@exim.org> wrote:

> Hi list,
>
> I recently discovered this very curious message in the mainlog:
>
> 2018-02-28 00:56:11 1eqp6G-0004wp-IR DKIM: d=email.microsoftemail.com s=102420140131 c=relaxed/relaxed a=rsa-sha1 b=1024 [verification succeeded]
> 2018-02-28 00:56:12 1eqp6G-0004wp-IR LMS check accept: 250 OK
> 2018-02-28 00:56:12 1eqp6G-0004wp-IR <= bounce-866153_HTML-528534629-5439879-228974-247@bounce.e-mail.microsoft.com H=(mta28.email.microsoftemail.com) [66.231.92.214] P=esmtps X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 S=69286 id=df627243-be0d-4776-9939-7408baf52a86@xtinmta177.xt.local
> 2018-02-28 00:56:12 1eqp6G-0004wp-IR => blackhole (local_scan discarded recipients)
> 2018-02-28 00:56:12 1eqp6G-0004wp-IR Completed
>
> I really can't understand why the e-mail was discarded.
> Can someone help me?
>
> Thanks
> Luca Bertoncello
> (lucabert@lucabert.de)



--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
Re: Why "blackhole"?
Quoting Mike Brudenell via Exim-users <exim-users@exim.org>:

Hi Mike

> Have you added a local_scan function to your configuration?

Yes! Kaspersky. And I must say that I already had some suspicion about that...

> https://www.exim.org/exim-html-current/doc/html/spec_html/ch-adding_a_local_scan_function_to_exim.html
>
> If so, then it sounds like it has decided to discard all the recipients for
> that incoming message. If you read the *Specification* it says (emphasis
> mine):
>
> The list of accepted recipients, held in a vector of length
> recipients_count. The recipient_item structure is discussed below. You can
> add additional recipients by calling receive_add_recipient() (see
> below). *You
> can delete recipients by removing them from the vector and adjusting the
> value in recipients_count. In particular, by setting recipients_count to
> zero you remove all recipients. If you then return the value
> LOCAL_SCAN_ACCEPT, the message is accepted, but immediately blackholed.* To
> replace the recipients, you can set recipients_count to zero and then call
> receive_add_recipient() as often as needed.
>
>
> If local_scan says to accept the message but it has no recipients left it
> is blackholed.

OK, thanks.
But I really can't find any place in my configuration to delete the
recipients...

warn   set acl_m_klms_headers =
       set acl_m_klms_result =
       set acl_m_klms_answer = ${dlfunc{/opt/kaspersky/klms/lib64/libklms-exim.so}{scan}{${spool_directory}/input}}
       condition = ${if def:h_X-Ciphermail {false}{true}}

defer  condition = ${if def:h_X-Ciphermail {false}{true}}
       condition = ${if eq {$acl_m_klms_answer}{}{yes}{no}}
       log_message = 451 PVC01 - LMS check failed (empty answer) $acl_m_klms_answer $acl_m_klms_result $acl_m_klms_tempfile
       message = 451 PVC01 - Temporary local problem - please try later. ASSISTENCE_MESSAGE (PVC01)

defer  condition = ${if def:h_X-Ciphermail {false}{true}}
       condition = ${if match {$acl_m_klms_answer}{\N^451\N}{yes}{no}}
       log_message = 451 PVC02 - LMS check defer $acl_m_klms_answer $acl_m_klms_result $acl_m_klms_tempfile
       message = 451 PVC02 - Temporary local problem - please try later. ASSISTENCE_MESSAGE (PVC02)

defer  condition = ${if def:h_X-Ciphermail {false}{true}}
       condition = ${if match {$acl_m_klms_answer}{\N^452\N}{yes}{no}}
       log_message = 451 PVC03 - LMS check defer $acl_m_klms_answer $acl_m_klms_result $acl_m_klms_tempfile
       message = 451 PVC03 - Temporary local problem - please try later. ASSISTENCE_MESSAGE (PVC03)

deny   condition = ${if def:h_X-Ciphermail {false}{true}}
       condition = ${if match {$acl_m_klms_answer}{\N^550\N}{yes}{no}}
       log_message = 552 PVC04 - LMS check reject $acl_m_klms_answer $acl_m_klms_result $acl_m_klms_tempfile
       message = 552 PVC04 - E-Mail contains Virus. ASSISTENCE_MESSAGE (PVC04)

deny   condition = ${if def:h_X-Ciphermail {false}{true}}
       condition = ${if match {$acl_m_klms_answer}{\N^554\N}{yes}{no}}
       log_message = 552 PDV01 - LMS check reject $acl_m_klms_answer $acl_m_klms_result $acl_m_klms_tempfile
       message = 552 PDV01 - E-Mail contains Virus. ASSISTENCE_MESSAGE (PDV01)

warn   condition = ${if def:h_X-Ciphermail {false}{true}}
       condition = ${if match {$acl_m_klms_answer}{\N^250\N}{yes}{no}}
       logwrite = LMS check accept: $acl_m_klms_answer $acl_m_klms_result $acl_m_klms_tempfile
       set acl_m_klms_answer =

Did I forget something?

Thanks
Luca Bertoncello
(lucabert@lucabert.de)


Re: Why "blackhole"?
On 12 March 2018 at 15:59, Luca Bertoncello via Exim-users <
exim-users@exim.org> wrote:

>
> Yes! Kaspersky. And I must say that I already had some suspicion about that...
>
> If local_scan says to accept the message but it has no recipients left it
>> is blackholed.
>>
>
> OK, thanks.
> But I really can't find any place in my configuration to delete the
> recipients...
>

The sample configuration you posted is just a set of ACL entries. The
*Specification* seems to be saying that when Exim calls the function
specified by *local_scan* then that function itself can delete recipients
from the list. If so, and *that* is removing all the recipients but then
tells Exim to accept the message, it ends up getting blackholed.

However I've never used local_scan so might be entirely wrong. Can someone
who knows more about it confirm?

Cheers,
Mike B-)

Re: Why "blackhole"?
Mike Brudenell via Exim-users <exim-users@exim.org> wrote:

Hi Mike

> The sample configuration you posted is just a set of ACLs entries. The

This was NOT a sample configuration, but the real configuration we use to
scan the E-Mail with Kaspersky...

> *Specification* seems to be saying that when Exim calls the function
> specified by *local_scan* then that function itself can delete recipients
> from the list. If so and *that* is removing all the recipients but then
> tells Exim to accept the message it ends up getting blackholed.

It'd be very nice to check if that is the problem...
Any idea?

Regards
Luca Bertoncello
(lucabert@lucabert.de)
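
Added example (not part of the thread, and not Exim or Kaspersky code): one way to see how often local_scan blackholes mail, and for which senders, is to group mainlog lines by message ID and report every message that ends in the blackhole line quoted above. The function name and the second sample message are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Mainlog line: date, time, message id, event text. The id has the 6-6-2 form
# seen in the thread (1eqp6G-0004wp-IR); longer fields are allowed for as well.
LINE = re.compile(r"^(\S+ \S+) ([0-9A-Za-z]{6}-[0-9A-Za-z]{6,11}-[0-9A-Za-z]{2,4}) (.*)$")
BLACKHOLE = "=> blackhole (local_scan discarded recipients)"

def find_local_scan_blackholes(lines):
    """Return one record per message whose recipients local_scan removed."""
    events = defaultdict(list)  # message id -> [(timestamp, text), ...]
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            events[m.group(2)].append((m.group(1), m.group(3)))
    hits = []
    for msgid, evs in events.items():
        if not any(text.startswith(BLACKHOLE) for _, text in evs):
            continue
        rec = {"id": msgid, "time": None, "sender": None,
               "host_ip": None, "size": None, "notes": []}
        for ts, text in evs:
            if text.startswith("<= "):
                ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", text)
                size = re.search(r"\bS=(\d+)", text)
                rec.update(time=ts, sender=text.split()[1],
                           host_ip=ip.group(1) if ip else None,
                           size=int(size.group(1)) if size else None)
            elif not text.startswith(("=> ", "Completed")):
                rec["notes"].append(text)  # DKIM result, ACL logwrite output, ...
        hits.append(rec)
    return hits

# Constructed sample: the thread's five lines unwrapped, plus an invented normal delivery.
SAMPLE_LOG = """\
2018-02-28 00:56:11 1eqp6G-0004wp-IR DKIM: d=email.microsoftemail.com s=102420140131 c=relaxed/relaxed a=rsa-sha1 b=1024 [verification succeeded]
2018-02-28 00:56:12 1eqp6G-0004wp-IR LMS check accept: 250 OK
2018-02-28 00:56:12 1eqp6G-0004wp-IR <= bounce-866153_HTML-528534629-5439879-228974-247@bounce.e-mail.microsoft.com H=(mta28.email.microsoftemail.com) [66.231.92.214] P=esmtps X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 S=69286 id=df627243-be0d-4776-9939-7408baf52a86@xtinmta177.xt.local
2018-02-28 00:56:12 1eqp6G-0004wp-IR => blackhole (local_scan discarded recipients)
2018-02-28 00:56:12 1eqp6G-0004wp-IR Completed
2018-02-28 01:02:03 1eqpAb-0004xY-7Q <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtps S=2048
2018-02-28 01:02:03 1eqpAb-0004xY-7Q => bob <bob@example.net> R=local_user T=local_delivery
2018-02-28 01:02:03 1eqpAb-0004xY-7Q Completed
""".splitlines()

if __name__ == "__main__":
    for rec in find_local_scan_blackholes(SAMPLE_LOG):
        print(rec["time"], rec["id"], rec["sender"], rec["host_ip"], rec["notes"])
```

For the message in the thread, the record's notes include the ACL's `LMS check accept: 250 OK` line next to the blackhole result, so the two verdicts can be compared per message.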
