e-mails cause a problem in non-trivial(inc.RegEx) cPanel/Exim

[OldB]

Approx. a week ago I started to get deferred e-mail deliveries stacked with a message "internal problem in central_filter router" - full text below. When I investigated - almost all of them were delivered from mail-random-id.outbound.protection.outlook.com.

When I eventually got a full set of headers for some e-mails (9K+!) and ran them through the cPanel Filter Trace facility the tool didn't complete:
1. it didn't summarise what matched and what didn't at the start
2. there was a trace shown for a very simple RegEx filter shown as the first filter - although that should have matched it simply ended with "**** debug string too long - truncated ****"
3. as it's very last message was: "**** debug string too long - truncated ****" then the start of a RegEx:

Pattern = ((to|cc): | from (.|\n)*smtp(.|\n)*((( )+|\t)for ))<?((majordomo|uucp|root|fax|scans))\@(domain1|domain2|etc)\.(me|com?|org)(\.uk)?

That was it - no mention about the actions or the usual:

Filtering set up at least one significant delivery or other action.
No other deliveries will occur.
FYI when I looked at a few headers they were pretty huge - e.g. over 9k in 1 e-mail - a couple of very long ones shown below.

When I change the very first filter to NOT be a RegEx *that matches* - the filter trace works AND IT has a proper trace start and end as I describe above.

Is there a storage limit to the RegEx processor in Exim?

Any ideas - either possible fixes or how to investigate further... Old B...

Examples of those long headers - their lengths: 933 , 811 - given below.

X-Microsoft-Exchange-Diagnostics:1;AM3PR07MB0520;2:MI4+9YKC0hXJE9uZ/RLUt1PxSeuKlhcneEJiQ5wFpCWYu3XTtVYJylfWtKCegeEuBeyIkYLH4jKG4xVF1GbaH7tAqm7U0uoK3qA1XlXsVhoh0SXKEsyfxbCjCVC1ODmFrmL4FjvqtB8zOULfTliD2patUa1Z/XJQ9cXdGcKdArM=;3:VrY/7S6Oky2ARH4acKhZQYWCggG1fWSqr3ulNWzznj3gENIhfxGz52t3IOLHgqsZa4v4hQJ93UT5lqnvBbHr4JYzBNNfMYfQgvk1EA3DQqUtGOzjCZhwdZ80gTlkNyZBMK/VkyUJUz3fz63sRyLQKA==;25:8vYXCzOQh6BUtSTmsYoaekmk57n+0xj6IH8JVTmIDhACS6Sxvb6sVOxsljeXvhTb2EiPHSUUgN+ouRceFVB8+Th/9swmKcyeaT2tfYJG2SippY2lPkUpCv8rJo0km228chpLn6KADXVFtyMO5x8MgtPYe2jwMOCu5A5SMqXZ+UwtJmEBU9CfTEVUq8yEmVS4utUCkuhnnqx0xcVsZ5U5ILfNS9ByJPqCVA/lfyhmVr3TAhQTkkz87ZnP43d7DkhqKxoO7NRNiwYP7oNJzyDzgg==;4:J5cQRBIM+kw4Waxf/SJNpB8MLTdQd4JcH0/vNhTlxeA5UaRfiR7Qj5WbDtLvQrlVAW+vK5G9qmCGl0mO+6FaRmiOH4VJvc7Gb6ahYfKUxI/D91VhkcU7yoZsOV1yrGqSbXfFJk3NWc2dtadVKe9xf8ZkAECe9G7+SnYn5maFeYW6akNthDHbvM4OB4On4aN8iPIQOgT6NcfneAUGdH+rA8UDer0yO67Zh0gVT60QKvA7oMN4c7tl1g219kYbonUZ6PKAnI10a2oP4Z2c9RycQdvuIy/InOXakpkAY+gSGAY=
X-Forefront-Antispam-Report: SFV:NSPM;SFS:(10019020)(52604005)(199003)(71364002)(189002)(40100003)(19300405004)(46102003)(33646002)(105586002)(61296003)(97736004)(575784001)(19627595001)(84326002)(16236675004)(110136002)(5005140100001)(5001960100002)(81156007)(36756003)(5001830100001)(19617315012)(50986999)(96836002)(5001860100001)(19625215002)(42186005)(18717965001)(2950100001)(71636004)(77096005)(2656002)(76176999)(84116002)(16601075003)(68736005)(15975445007)(101416001)(66066001)(84392001)(72586001)(86362001)(102836002)(189998001)(92566002)(87976001)(50226001)(19580395003)(106356001)(77156002)(19580405001)(14726001)(4001540100001)(17760045003)(64706001)(18206015028)(512934002)(122386002)(62966003)(221733001)(7099028)(42262002);DIR:OUT;SFP:1102;SCL:1;SRVR:AM3PR07MB0520;H:LizPC;FPR:;SPF:None;PTR:InfoNoRecords;A:0;MX:1;LANG:en;

I am a reseller but not a direct client of CPanel, Exim or WHM. I do not have root access but I have a responsive hosting service who have already run an Exim command as root for me to repeat the problem but I don't want to take too much of their time as the filters are created by me - so *if* the problem is my work then it is "my problem".

What follows is the message in cPanel / WHM as the Result in "Mail delivery reports":
internal problem in central_filter router (recipient is [email protected]): failure to transfer data from subprocess: status=000b readerror='Success'

 

[cPanelMichael]

I am a reseller but not a direct client of CPanel, Exim or WHM. I do not have root access but I have a responsive hosting service who have already run an Exim command as root for me to repeat the problem but I don't want to take too much of their time as the filters are created by me - so *if* the problem is my work then it is "my problem".

Hello

Could you let us know the specific entry found in /var/log/exim_mainlog by your hosting provider when this occurs?

Thank you.

 

[OldB]

Hello

Could you let us know the specific entry found in /var/log/exim_mainlog by your hosting provider when this occurs?

Thank you.

I *think* that the first part of what support gave me was a manual test
I haven't included the repetition (deferred 20? times) of the 2nd part of this message as they are all the same.
The very first line is from support...

These are all logs related to the message ID provided,
-------------
2015-08-13 11:38:41 1ZPpuD-003Mza-Mo <= [email protected] H=mail-db3on0137.outbound.protection.outlook.com (emea01-db3-obe.outbound.protection.outlook.com) [157.55.234.137]:35328 P=esmtps X=TLSv1:AES256-SHA:256 S=49226 [email protected] T="Re: Replacing your PC - steps to resolve/progress" for [email protected]
2015-08-13 11:38:41 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ZPpuD-003Mza-Mo
.
and just before I replaced the RegEx with a contains when it was then delivered:
2015-08-15 09:56:34 1ZPpuD-003Mza-Mo internal problem in central_filter router (recipient is [email protected]): failure to transfer data from subprocess: status=000b readerror='Success'
2015-08-15 09:56:34 1ZPpuD-003Mza-Mo == [email protected] <[email protected]> R=central_filter defer (-1): internal problem in central_filter router (recipient is [email protected]): failure to transfer data from subprocess: status=000b readerror='Success'

I cut+paste the title line but it was truncated - it did have 'filtering - I can't tell which' at the end.

Just to be clear:
(1) If I make the 1st filter an IF "Any Header *contains* 'outbound.protection.outlook.com'" THEN Deliver to (Pending) Folder then there are no filter errors. When it was a v.simple equivalent Regex it failed as above.
(2) For many months I have had thousands of e-mails a day that use one or more of several filters (inc. multiple RegEx) that I have written without a problem

 

[cPanelMichael]

Is your hosting provider using any custom rules in their /etc/cpanel_exim_system_filter file?

Thank you.

 

[OldB]

Is your hosting provider using any custom rules in their /etc/cpanel_exim_system_filter file?

Thank you.

From hosting support:
No, we do not have any custom rules for spam filtering inside the server, we manage all spam filtering via Spamexperts only.

 

[cPanelMichael]

I suggest consulting with your hosting provider and having them open a support ticket with us if they are unable to determine the cause of the problem. There's not much further we can investigate without root access to the system.

Thank you.

 

[cPanelMichael]

Hello

Were you able to get in touch with your hosting provider to have them take a closer look? I look forward to your response.

Thank you.