Incoming Mails logged and handled as Outgoing Mails

Jun 18th, 2008

Hello,
I try to explain my problem with my bad English ;) sorry for that.

Yesterday I configured my C150 as Smarthost for the Exchange 2003 Server.

Everything works fine, I can send and receive Mails, but since I use the C150 as Smarthost, in the Monitor incoming Mails are logged as outgoing Mails.

On the "Outgoing Senders" List I can find a lot of Incoming Senders and so on.

The number of logged incoming mails is 0 since the Smarthost config, and 5.400 outgoing Mails.

That's impossible, and the statistics and manual filters of the Ironport are now not usable for me, because if I set an outgoing allowed senders filter for example, I can't receive Mails from other senders ;)

What could be wrong?

crypto_ironport Wed, 06/18/2008 - 14:44

The Exchange SMTP Connector is Configured to send all Mails to the Smarthost (Ironport IP).

Torsten_ironport Wed, 06/18/2008 - 15:54

Something sounds fishy about your HAT configuration.

Only emails that trigger an "Accept" Policy should be considered Incoming, while emails that trigger a "Relay" Policy should be considered Outgoing.

From what you describe it seems that any email being sent through your appliance is being checked by the outgoing policies.

In your case I'd have a closer look at my logfile and look for entries like these in your connections:

Wed Jun 18 16:41:08 2008 Info: ICID 14344608 ACCEPT SG UNKNOWNLIST match sbrs[0.0:7.0] SBRS 2.4
[...]
Wed Jun 18 16:41:09 2008 Info: MID 6576555 matched all recipients for per-recipient policy [POLICY] in the outbound table

Should ALL messages that go through your appliance use the outbound table (2nd entry), you should go ahead and check which SenderGroup they triggered (1st entry) and have a closer look at the Mail Flow Policies mentioned there.

It sounds a bit like you have your external listeners configured to allow relaying for every host out there, if it is really true that you don't have any problems with incoming mail (yet).

-T

kluu_ironport Wed, 06/18/2008 - 16:01

To verify the sendergroup that your Exchange server is matching, type this on the command line:


grep -i "IP_of_Exchange_Server" mail_logs


look for entries that have the ICID word. This will let you know what sendergroup your mailserver is matching. If it says anything about RELAYLIST or RELAY, then your mailserver's IP/hostname is in the relaylist. To change this, go to "Mail Policies > HAT Overview"

crypto_ironport Wed, 06/18/2008 - 16:11

Thanks! I think I found the error.

The Mail Flow Policy "Accepted" is set to "Relay".

But, if I set "Relay" to "Accept", outgoing Mails are rejected.

I set the IP of the Exchange Server to the Relay list, but it seems the Ironport could not get the IP Address or Hostname of the Mailserver.

crypto_ironport Wed, 06/18/2008 - 16:22

> To verify the sendergroup that your Exchange server is matching, type this on the command line:
>
> grep -i "IP_of_Exchange_Server" mail_logs
>
> look for entries that have the ICID word. This will let you know what sendergroup your mailserver is matching. If it says anything about RELAYLIST or RELAY, then your mailserver's IP/hostname is in the relaylist. To change this, go to "Mail Policies > HAT Overview"

The Log says

Wed Jun 18 17:01:43 2008 Info: New SMTP DCID 71638 interface  address  port 25

The Exchange Server IP is in the Relaylist. That is not correct?!

Torsten_ironport Wed, 06/18/2008 - 17:00

That log entry you posted is about delivery (DCID) - about emails leaving the box.

You want to look for ICIDs though - emails coming into the box.

Torsten

kluu_ironport Wed, 06/18/2008 - 18:25

Here is a more precise way of searching for the entry:



grep -e "ICID.*1.2.3.4" mail_logs


replace 1.2.3.4 with the IP of your mailserver

crypto_ironport Thu, 06/19/2008 - 09:39

> Here is a more precise way of searching for the entry:
>
> grep -e "ICID.*1.2.3.4" mail_logs
>
> replace 1.2.3.4 with the IP of your mailserver

OK, the entries all look like this

Thu Jun 19 09:59:10 2008 Info: New SMTP ICID 1499509 interface MailInterface () address 201.245.178.228 reverse dns host telebucaramanga.net.co verified no

Just the "verified" param is sometimes "yes".

kluu_ironport Thu, 06/19/2008 - 15:46

If you can search for the "ICID 499509", it will let us know which sendergroup you're matching.

grep -i "ICID 499509" mail_logs

> > Here is a more precise way of searching for the entry:
> >
> > grep -e "ICID.*1.2.3.4" mail_logs
> >
> > replace 1.2.3.4 with the IP of your mailserver
>
> OK, the entries all look like this
>
> Thu Jun 19 09:59:10 2008 Info: New SMTP ICID 1499509 interface MailInterface () address 201.245.178.228 reverse dns host telebucaramanga.net.co verified no
>
> Just the "verified" param is sometimes "yes".

crypto_ironport Thu, 06/19/2008 - 16:16

> If you can search for the "ICID 499509", it will let us know what the sendergroup you're matching.
>
> grep -i "ICID 499509" mail_logs

ironport> grep -i "ICID 1499509" mail_logs

Thu Jun 19 09:59:10 2008 Info: New SMTP ICID 1499509 interface MailInterface () address 201.245.178.228 reverse dns host telebucaramanga.net.co verified no
Thu Jun 19 09:59:10 2008 Info: ICID 1499509 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -10.0
Thu Jun 19 09:59:10 2008 Info: ICID 1499509 close

Searching for other IDs..

crypto_ironport Thu, 06/19/2008 - 16:29


ironport> grep -i "ICID 1502535" mail_logs

Thu Jun 19 17:15:43 2008 Info: New SMTP ICID 1502535 interface MailInterface () address 195.129.12.230 reverse dns host dfallback0.dtm.ops.eu.uu.net verified yes
Thu Jun 19 17:15:43 2008 Info: ICID 1502535 RELAY SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS -0.3
Thu Jun 19 17:15:43 2008 Info: Start MID 232568 ICID 1502535
Thu Jun 19 17:15:43 2008 Info: MID 232568 ICID 1502535 From: <>
Thu Jun 19 17:15:43 2008 Info: MID 232568 ICID 1502535 RID 0 To:
Thu Jun 19 17:15:43 2008 Info: ICID 1502535 close


OK, it seems the problem is what I said, unknown Mails are handled as "RELAY".

But, if I change it from "RELAY" to "ACCEPT", outgoing mails are blocked.

It seems the Exchange Server does not match the RELAYLIST Policy in the HAT. But the IP and Hostname of the Exchange server are entered in the RELAYLIST.
It seems the Ironport could not get the host IP of our Exchange server, so outgoing mails could not match the IP or Hostname entered in the RELAYLIST.

crypto_ironport Thu, 06/19/2008 - 16:39

Solved it :D

I just had to add the subnet mask to the IP Address of Exchange. Then I could set the Accept policy back to "Accept".
Now incoming test mails are registered as incoming and outgoing is outgoing.

Got this idea by checking the logfiles.

Thank you for your great help!
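
The log check the replies walk through, as an added example that is not part of the original thread: it pairs each "New SMTP ICID" line with that connection's policy line and lists connections that were given RELAY from an address outside the hosts you expect to relay. The sample lines are constructed in the format quoted above; 192.0.2.10 and exchange.example.com are placeholders for the Exchange server, and the function and variable names are assumptions.

```python
import ipaddress
import re

# Constructed sample in the mail_logs format quoted in the thread. 192.0.2.10
# (exchange.example.com) is a placeholder for the Exchange server, not a value
# from the thread; the RELAYLIST and DCID lines are constructed as well.
SAMPLE_LOG = """\
Thu Jun 19 09:59:10 2008 Info: New SMTP ICID 1499509 interface MailInterface () address 201.245.178.228 reverse dns host telebucaramanga.net.co verified no
Thu Jun 19 09:59:10 2008 Info: ICID 1499509 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -10.0
Thu Jun 19 17:15:43 2008 Info: New SMTP ICID 1502535 interface MailInterface () address 195.129.12.230 reverse dns host dfallback0.dtm.ops.eu.uu.net verified yes
Thu Jun 19 17:15:43 2008 Info: ICID 1502535 RELAY SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS -0.3
Thu Jun 19 17:20:01 2008 Info: New SMTP ICID 1502600 interface MailInterface () address 192.0.2.10 reverse dns host exchange.example.com verified yes
Thu Jun 19 17:20:01 2008 Info: ICID 1502600 RELAY SG RELAYLIST match 192.0.2.10 SBRS None
Thu Jun 19 17:20:02 2008 Info: New SMTP DCID 71638 interface 192.0.2.1 address 198.51.100.7 port 25
"""

# Only ICID (incoming connection) lines matter here; DCID lines are deliveries.
NEW_CONN = re.compile(r"New SMTP ICID (\d+) .*?address (\S+)")
POLICY = re.compile(r"ICID (\d+) ([A-Z]+) SG (\S+)")


def relay_exposure(log_text, trusted_relays):
    """List (icid, source_ip, sender_group) for RELAY hits outside trusted_relays."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_relays]
    source = {}    # ICID -> connecting address, from the "New SMTP ICID" line
    findings = []
    for line in log_text.splitlines():
        m = NEW_CONN.search(line)
        if m:
            source[m.group(1)] = ipaddress.ip_address(m.group(2))
            continue
        m = POLICY.search(line)
        if m and m.group(2) == "RELAY":
            ip = source.get(m.group(1))
            # Unknown source or a source outside the expected relays: report it.
            if ip is None or not any(ip in n for n in nets):
                findings.append((m.group(1), str(ip) if ip else None, m.group(3)))
    return findings


if __name__ == "__main__":
    for icid, ip, group in relay_exposure(SAMPLE_LOG, ["192.0.2.10/32"]):
        print(f"ICID {icid}: {ip} was relayed via sender group {group}")
```

An empty result for a day of logs means every connection that was allowed to relay came from a host on your expected list.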
