Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Email Security Quick-links: ESA Product Support | SMA Product Support | Email Submission and Tracking Portal | Cisco SecurityHub
Current General Deployment (GD) Releases:
ESA: 11.0.0-264 WSA: 10.5.1-296 SMA: 11.0.0-115 Email Plug-in (Reporting): 1.0.1-048 Email Plug-in (Encryption): 1.0.0-036

New Member

dmarc - few emails with ironport hostname

Hi,

We have published SPF, DKIM and DMARC and now we start getting DMARC Reports. What is strange is that there are few messages that are send with email Ironport hostname? We have some situations when we return mail reject custome message but that message is sent as MAILER-DEAMON@domain.com not as ironport.hostname.local. How can we find what message is send with ironport hostname because if we search in message tracking “sender contains ironport.hostname – nothing is found”.

 

Example:

<record>
  <row>
     <source_ip>XXX.XXX.XXX.XXX</source_ip> [this is legit IP adress of MTA]
     <count>3</count>
     <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
         <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
       <header_from>domain.com</header_from>
    </identifiers>
    <auth_results>
      <spf>
         <domain>ironport.hostname.local</domain>
         <result>neutral</result>
       </spf>
   </auth_results>
</record>

 

Beside that do you have some experience with DMARC and when some other companies have some auto forwarder rule - then forwarder does not rewrite sender and then you get DMARC fail results?

3 REPLIES
New Member

We have this problem as well.

We have this problem as well. 

I see lines like this from the ironport log:

Delayed: DCID XXXXXX MID YYYYYY to RID 0 - 4.1.0 - Unknown address error ('450', ['4.1.8 <MAILER-DAEMON@IronPort.OURDOMAIN.com>: Sender address rejected: Domain not found']) []

 

I'm guessing from timing and frequency that this is actually the Ironport delivering its DMARC reports to other domains.

 

The only place in the config where that name is found is the Ironport host name.

New Member

You can fix this under System

You can fix this under System Administration --> Return addresses.

One of the options is the dmarc feedback address.

 

Found it seconds after posting the first message :)

New Member

Thanks. Didn't watch there.i

Thanks. Didn't watch there.

i'll check it tommorow.

210
Views
5
Helpful
3
Replies