Re: [PLUG] Weird handling of incoming attachments in dovecot--winmail.dat file

[brent timothy saner <brent.saner@gmail.com>]

On 01/16/2018 04:53 PM, Greg Helledy wrote:
> My users get emails generated by Outlook from a government agency.  Our
> mailserver is dovecot running on CentOS 7.  When these emails have
> attachments, something strange happens:
> 
> -some users see the attachments correctly (Excel spreadsheets being the
> most common)
> -other users get a winmail.dat file.
> 
> All users are using Thunderbird as a mail client.  The issue does not
> seem to be confined to the mail client--if the users go into webmail
> (Horde), the ones that get the winmail.dat still see information jumbled
> together (i.e. not handled as expected), while those who get the
> attachments properly in T-Bird also see it properly in webmail.
> 
> I want to make it clear that, although what I read implies this is
> strictly the result of Outlook, the same email sent from the agency to
> two users at our company is displayed in two different ways.
> 
> Basically, our server seems to be doing something weird with incoming
> attachments, on a per-user basis.  Anyone ever had this?  What would I
> look at to try to fix it?
> 
> Thanks,


recall seeing this ONLY rarely, and never recently, but my theory is it
isn't your MDA, it's your MTA - i.e. postfix, smtpd, qmail, whatever it
is you're using.

assuming your clients are using IMAP and not POP3 (without "leave on
server" enabled), check the raw message for one of those emails. the
path for this is going to change depending on configuration, but most
likely it's in one of:

/var/vmail/
/var/spool/mail/
/home/<user>/Maildir

etc.

remember, we want the "*delivered*" version.

find a message that is reported as having a winmail.dat. open it in vi
or less or something that'll do plaintext. you should see a big ol'
block of base64 and *the actual filename above it*. this is the
attachment. if my theory is correct, this is going to be "winmail.dat".

if it IS, check your MTA setup - message filtering? does it do any
rewriting, quarantining, etc.?

if you've gone over all this and are not finding anything that's
modifying content, then it's almost assuredly on the sender's end.[0]
whether in the MUA, MTA, or MDA, however, i'm not sure. i don't know if
you're at liberty to say, but are all these faulty attachments from a
specific department in the given agency? if so, it may be a certain
workstation policy being applied to all windows desktops/outlook configs
in a given AD domain (or whatever they're called now). but that's kind
of on the crazier end of theories. gut tells me it's something in their MDA.



[0]
https://support.microsoft.com/en-us/help/278061/email-received-from-a-sender-using-outlook-includes-a-winmail-dat-atta

Attachment: signature.asc
Description: OpenPGP digital signature

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug