Header name field inside a compliance policy on a Symantec Messaging Gateway is not RFC2822 compliant and may throw an error 587: Cannot parse

Article ID: 156147

Products

Messaging Gateway

Issue/Introduction

The "header name" field inside a compliance policy on a Control Center appliance of a Symantec Messaging Gateway (SMG) is not RFC2822 compliant. When SMG encounters a header name it cannot understand, it can log an error, and a compliance policy associated with that header name may not fire.

Inside the "bmserver_log" log file, this error is displayed:

... (DEBUG:2360.2720742288): [src/parse_rules.c:2882:parse_directive] directive = header 418 X-Spam1 =~ /positive/i

... (DEBUG:2360.2720742288): [src/load_rules.c:1792:read_gatekeeper_rules] Error in rule file, line number 587: Cannot parse: header 418 X-Spam1 =~ /positive/i

... (DEBUG:2360.2720742288): [src/parse_rules.c:2882:parse_directive] directive = meta 419 (418)

 

This is how the log entries should look when there is no error between the two entries:

... (DEBUG:2360.2720742288): [src/parse_rules.c:2882:parse_directive] directive = header 418 X-SpamA =~ /positive/i

... (DEBUG:2360.2720742288): [src/parse_rules.c:2882:parse_directive] directive = meta 419 (418)

Resolution

Symantec is currently investigating this behavior.  This article will be updated when more information is available.

A workaround is to avoid numbers in the "header name" field and use capital and lowercase letters instead.


Applies To

Compliance Policy Setup:

  • Content->Policies->Email, the "Email Content Filtering Policies" page

Condition: 

  • Text in this specific part of the message: Message header
  • Header name (in bold):
    • Example 1:  "X-SpamA" (a valid name, RFC compliant),
    • Example 2: "X-Spam1" (currently an invalid name, not RFC compliant - should be valid)
    • Example 3: "X-Spam:Ed" (currently a valid name, not RFC compliant - should be invalid)
    • Example 4: "X-SpamEd:" (currently a valid name, not RFC compliant - should be invalid)
    • Example 5: "X-Spam:" (currently a valid name, not RFC compliant - should be invalid)
  • contains 1 or more occurrences of positive
    • This means that the word "positive" is inside this message header (value, after the header name).  For example: "X-Spam: positive", where "X-Spam" is the header name and "positive" is the value.
  • Actions:
    • Hold message in Spam Quarantine
  • Policy Group:
    • Default

 

From the RFC2822 doc: http://www.ietf.org/rfc/rfc2822.txt :

2.2. Header Fields

   Header fields are lines composed of a field name, followed by a colon (":"), followed by a field body, and terminated by CRLF. A field name MUST be composed of printable US-ASCII characters (i.e., characters that have values between 33 and 126, inclusive), except colon.

So, because the ASCII value for "1" is "49", it should be allowed in the "header name" field.

ASCII Chart: http://www.techonthenet.com/ascii/chart.php :

Dec Hex Oct Char

33 21 041 !  

...  

49 31 061 1  

...

58 3A 072 :    

Note: the colon (":") is not allowed by the RFC in the "header name" field, but in tests with the setup mentioned above, illegal header names such as "X-Spam:Ed", "X-SpamEd:" and "X-Spam:" were accepted by the GUI and produced no errors in the bmserver_log file.

...

65 41 101 A

...

126 7E 176 ~
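A check an administrator can run over bmserver_log to find header rules that failed to load, with the RFC 2822 section 2.2 field-name test applied to each rejected name. This is an added example, not Symantec code; the function names and the directive layout matched by the regular expression are assumptions inferred from the log lines quoted in this article.

```python
import re

# RFC 2822 section 2.2: a field name is one or more printable US-ASCII
# characters (decimal 33 to 126), excluding the colon (decimal 58).
FIELD_NAME = re.compile(r"[\x21-\x39\x3b-\x7e]+")

def is_rfc2822_field_name(name):
    return FIELD_NAME.fullmatch(name) is not None

# Matches the "Cannot parse" line quoted above. The directive layout
# (header <id> <name> =~ /regex/flags) is assumed from those lines only.
CANNOT_PARSE = re.compile(
    r"Error in rule file, line number (?P<line>\d+): Cannot parse: "
    r"header (?P<rule>\d+) (?P<name>\S+) =~ (?P<pattern>/.*/\w*)\s*$"
)

def find_unloaded_header_rules(log_lines):
    """Return one finding per header rule that the rule loader rejected."""
    findings = []
    for line in log_lines:
        m = CANNOT_PARSE.search(line)
        if not m:
            continue
        name = m.group("name")
        findings.append({
            "rule_file_line": int(m.group("line")),
            "rule_id": int(m.group("rule")),
            "header_name": name,
            "pattern": m.group("pattern"),
            # True: the name is legal per the RFC, so the rejection is the
            # behavior described in this article, not a malformed policy.
            "rfc_valid_name": is_rfc2822_field_name(name),
        })
    return findings

# Sample input: the three bmserver_log lines quoted in this article.
SAMPLE_LOG = [
    "... (DEBUG:2360.2720742288): [src/parse_rules.c:2882:parse_directive] directive = header 418 X-Spam1 =~ /positive/i",
    "... (DEBUG:2360.2720742288): [src/load_rules.c:1792:read_gatekeeper_rules] Error in rule file, line number 587: Cannot parse: header 418 X-Spam1 =~ /positive/i",
    "... (DEBUG:2360.2720742288): [src/parse_rules.c:2882:parse_directive] directive = meta 419 (418)",
]
# The five header names listed under "Applies To".
EXAMPLE_NAMES = ["X-SpamA", "X-Spam1", "X-Spam:Ed", "X-SpamEd:", "X-Spam:"]

if __name__ == "__main__":
    for n in EXAMPLE_NAMES:
        print(f"{n!r}: RFC 2822 field name = {is_rfc2822_field_name(n)}")
    for finding in find_unloaded_header_rules(SAMPLE_LOG):
        print("rule not loaded:", finding)
```

A finding with rfc_valid_name set to True identifies a policy whose condition is silently inactive, so the header name should be changed per the workaround and the log rechecked.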