cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1294
Views
0
Helpful
5
Replies

Centralized Quarantine with two C150.

Hello,
I followed the article 897 to create a centralized quarantine in one of my two C150.
AP2 sends quarantined mails to AP1, and you can see that it says it's sending it to the external quarantine.

But AP1 just takes the messages and deliver them.

When I look for the headers in the mail_logs logs, I can't find them.

AsyncOS 6.3.5 is installed.

I thought the maybe Message Filters are not applying because Headers names were changed in 6.3.5, could it be?

5 Replies 5

kluu_ironport
Level 2
Level 2

You may not see the Internet headers in the "mail_logs" since the mail_logs don't show that level of detail.

For the messages that get forwarded from AP2 to AP1 and that then goes to the mailserver without getting quarantined, can you capture the ICID and MID of that message paste in back here.




Hello, 
I followed the article 897 to create a centralized quarantine in one of my two C150.
AP2 sends quarantined mails to AP1, and you can see that it says it's sending it to the external quarantine.

But AP1 just takes the messages and deliver them.

When I look for the headers in the mail_logs logs, I can't find them.

AsyncOS 6.3.5 is installed.

I thought the maybe Message Filters are not applying because Headers names were changed in 6.3.5, could it be?

This is the mail coming in AP2:

Wed Oct  8 19:32:45 2008 Info: New SMTP ICID 11967 interface XXXX_XX (A.B.C.20) address A.B.C.101 reverse dns host unknown verified no
Wed Oct 8 19:32:45 2008 Info: ICID 11967 ACCEPT SG None match ALL SBRS rfc1918
Wed Oct 8 19:32:45 2008 Info: Start MID 13568 ICID 11967
Wed Oct 8 19:32:45 2008 Info: MID 13568 ICID 11967 From:
Wed Oct 8 19:32:45 2008 Info: MID 13568 ICID 11967 RID 0 To:
Wed Oct 8 19:32:46 2008 Info: MID 13568 IncomingRelay(xxxxxxxxx01): Header Received found, IP 118.216.141.154 being used, SBRS -4.0
Wed Oct 8 19:32:46 2008 Info: MID 13568 Message-ID '<000601c92995>'
Wed Oct 8 19:32:46 2008 Info: MID 13568 Subject 'Viagra users report longer and better sex'
Wed Oct 8 19:32:46 2008 Info: MID 13568 ready 2320 bytes from
Wed Oct 8 19:32:46 2008 Info: MID 13568 matched all recipients for per-recipient policy Usuarios Permitidos Zip Protected in the inbound table
Wed Oct 8 19:32:46 2008 Info: ICID 11967 close
Wed Oct 8 19:32:46 2008 Info: MID 13568 interim verdict using engine: CASE spam positive
Wed Oct 8 19:32:46 2008 Info: MID 13568 using engine: CASE spam positive
Wed Oct 8 19:32:46 2008 Info: ISQ: Tagging MID 13568 for quarantine
Wed Oct 8 19:32:46 2008 Info: MID 13568 interim AV verdict using Sophos CLEAN
Wed Oct 8 19:32:46 2008 Info: MID 13568 queued for delivery
Wed Oct 8 19:32:46 2008 Info: New SMTP DCID 23589 interface A.B.C.14 address A.B.C.13 port 25
Wed Oct 8 19:32:46 2008 Info: Delivery start DCID 23589 MID 13568 to RID [0] to offbox IronPort Spam Quarantine
Wed Oct 8 19:32:46 2008 Info: Message done DCID 23589 MID 13568 to RID [0] [('X-IronPort-CQ', 'true')]
Wed Oct 8 19:32:46 2008 Info: MID 13568 RID [0] Response 'ok: Message 9357 accepted'
Wed Oct 8 19:32:46 2008 Info: Message finished MID 13568 done
Wed Oct 8 19:32:51 2008 Info: DCID 23589 close





Then it's sent to AP1:

Wed Oct  8 19:32:47 2008 Info: New SMTP ICID 6207 interface xxxx_xx (A.B.C.13) address A.B.C.14 reverse dns host unknown verified no
Wed Oct 8 19:32:47 2008 Info: ICID 6207 RELAY SG Grupo_Aceptar match A.B.C.14 SBRS rfc1918
Wed Oct 8 19:32:47 2008 Info: Start MID 9357 ICID 6207
Wed Oct 8 19:32:47 2008 Info: MID 9357 ICID 6207 From:
Wed Oct 8 19:32:47 2008 Info: MID 9357 ICID 6207 RID 0 To:
Wed Oct 8 19:32:47 2008 Info: MID 9357 Message-ID '<000601c92995>'
Wed Oct 8 19:32:47 2008 Info: MID 9357 Subject 'Viagra users report longer and better sex'
Wed Oct 8 19:32:47 2008 Info: MID 9357 ready 2619 bytes from
Wed Oct 8 19:32:47 2008 Info: MID 9357 matched all recipients for per-recipient policy DEFAULT in the outbound table
Wed Oct 8 19:32:47 2008 Info: MID 9357 queued for delivery
Wed Oct 8 19:32:47 2008 Info: New SMTP DCID 7606 interface A.B.C.13 address X.Y.Z.162 port 25
Wed Oct 8 19:32:47 2008 Info: Delivery start DCID 7606 MID 9357 to RID [0]
Wed Oct 8 19:32:47 2008 Info: Message done DCID 7606 MID 9357 to RID [0] [('X-IronPort-CQ', 'true'), ('x-ironport-cq', 'true')]
Wed Oct 8 19:32:47 2008 Info: MID 9357 RID [0] Response 'Mail Q2025205 (2578 bytes (41 less than specified) on 62 rows) received.'
Wed Oct 8 19:32:47 2008 Info: Message finished MID 9357 done
Wed Oct 8 19:32:52 2008 Info: ICID 6207 close



If I put AP2 as a RELAYER, like AnswerID897 states, it matches the outbound table and because AntiSpam is not activated there, it will be sent.

If I put AP2 with an "ACCEPT" mail flow policy, it will reject it by RAT.
I have four listeners and the external quarantine's ip is the same as one of them that attends a couple of domains and not "@mydomain.com.uy".

kluu_ironport
Level 2
Level 2

On your second point, if the FROM and TO are still the same, it shouldn't be rejected by RAT since it didn't have any problems on the first machine.

So, if AP2 was set to ACCEPT mail flow policy, your To: field should still be allowed in unless something else changed.





If I put AP2 as a RELAYER, like AnswerID897 states, it matches the outbound table and because AntiSpam is not activated there, it will be sent.

If I put AP2 with an "ACCEPT" mail flow policy, it will reject it by RAT.
I have four listeners and the external quarantine's ip is the same as one of them that attends a couple of domains and not "@mydomain.com.uy".

Don't mind me, AnswerID 897 works.

kluu_ironport
Level 2
Level 2

Paste in the ICID and MID of the message now that it's being regard as an Inbound message. I'm interested in two things:


1. What sendergroup/mail flow policy did the connection match?

The mail flow policy is important because some mail flow policies have the option of skipping anti-spam scanning (see Whitelist sendergroup / Trusted mail flow policy as a good example).


2. What inbound mail policy did the message get assigned to?

"Mail Policies > Incoming Mail Policy"

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: