Hello, working with a client that is getting a ton of NDR's from spammers using their domain, typical case. Setup SPF records, verified email was definitely not coming from systems in their domain.
The Ironport was previously configured by someone else, so not sure as to why some things are configured as they are. I do not have continuous access to this system to get logs, configuration, etc. to post. My questions are pretty generic though, so hope someone can assist.
1. Bounce Verification was set to reject, however there was not a key configured to use for this. Am I correct in thinking that since there is no key/tag configured, Ironport has nothing to consider upon receiving these, so just allows all?
Since it is enabled, with the setting to reject, shouldn't all NDR's be rejected, or because there is nothing to validate a tag, does it default to allow all?
2. What is the best way to actually see that in fact the outgoing messages are adding the tag in the return path? When I look at emails on a client, such as Outlook and look at the headers for messages from the ironport, this information does not show.
Is it stripped by the mail server as the message traverses, so the end client will not even see this information?
Or is this info correct and the Ironport isn't even adding the prvs?
How best can I verify this is in fact working as it should?
Thank you for any input!
To clarify, I did configure the tagging key and applied to the config. It was not configured prior to, pertaining to question 2. Thanks!
Hello Mike, please check the answers in-line below.
1. Bounce Verification was set to reject, however there was not a key...
Bounce Verification settings apply only if bounce verification address tagging is in use. Hope this explains your rest of the queries.
2. What is the best way to actually see that in fact the outgoing messages......
There are two kinds of logs that can be found relating to Bounce Verification. The first shows when an address is rewritten to the Bounce Verification format. The rewritten address is not logged in the text mail logs but may be found in message tracking. The second log type is created during rejections. These log entries can be found by parsing your logs with the CLI grep command. The command below, run on the example.com Cisco IronPort, will return all the log entries that have to do with Bounce Verification rejection events.
example.com> grep "rejected by Bounce Verification" mail_logs
Mon Aug 31 13:28:43 2009 Info: MID 1094 ICID 502 invalid bounce, rcpt address <email@example.com> rejected by Bounce Verification.
Further parsing for ICID 502 (Injection Connection ID) of the session will show the details of the connecting host.
example.com> grep "ICID 502" mail_logs
Mon Aug 31 13:28:30 2009 Info: New SMTP ICID 502 interface Management (10.161.1.10) address 192.168.10.10 reverse dns host unknown verified no
Mon Aug 31 13:28:30 2009 Info: ICID 502 ACCEPT SG Unknown match 192.168.10.10 SBRS None
Mon Aug 31 13:28:38 2009 Info: Start MID 1094 ICID 502
Mon Aug 31 13:28:38 2009 Info: MID 1094 ICID 502 From: <>
Mon Aug 31 13:28:43 2009 Info: MID 1094 ICID 502 invalid bounce, rcpt address <firstname.lastname@example.org> rejected by Bounce Verification.
Mon Aug 31 13:28:47 2009 Info: ICID 502 close
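As an added example (not from the original post and not Cisco's tooling), here is a short Python script that does what the two grep steps above do in a single pass over mail_logs text: it picks out every "rejected by Bounce Verification" event, joins each one to the "New SMTP ICID" line for the same Injection Connection ID to get the connecting IP and reverse DNS, and counts rejections per source. It also parses a prvs-tagged Return-Path, which is the client-side check Mike's question 2 asks about. The log lines are constructed to match the format shown above (documentation IP ranges), and the tag layout (prvs=KDDDSSSSSS=local@domain: one-digit key id, three-digit expiry day-of-year, six hex digits of keyed hash) is the BATV draft form, assumed here rather than taken from the thread.

```python
import re
from collections import Counter

# Constructed sample mail_logs lines (not from the original post), laid out in the
# same format as the grep output above; addresses use documentation ranges.
SAMPLE_MAIL_LOGS = """\
Mon Aug 31 13:28:30 2009 Info: New SMTP ICID 502 interface Management (10.161.1.10) address 192.168.10.10 reverse dns host unknown verified no
Mon Aug 31 13:28:30 2009 Info: ICID 502 ACCEPT SG Unknown match 192.168.10.10 SBRS None
Mon Aug 31 13:28:38 2009 Info: Start MID 1094 ICID 502
Mon Aug 31 13:28:38 2009 Info: MID 1094 ICID 502 From: <>
Mon Aug 31 13:28:43 2009 Info: MID 1094 ICID 502 invalid bounce, rcpt address <user@example.com> rejected by Bounce Verification.
Mon Aug 31 13:28:47 2009 Info: ICID 502 close
Mon Aug 31 13:30:02 2009 Info: New SMTP ICID 503 interface Management (10.161.1.10) address 203.0.113.7 reverse dns host mail.example.net verified yes
Mon Aug 31 13:30:05 2009 Info: Start MID 1095 ICID 503
Mon Aug 31 13:30:05 2009 Info: MID 1095 ICID 503 From: <>
Mon Aug 31 13:30:09 2009 Info: MID 1095 ICID 503 invalid bounce, rcpt address <other@example.com> rejected by Bounce Verification.
Mon Aug 31 13:30:09 2009 Info: MID 1095 ICID 503 invalid bounce, rcpt address <third@example.com> rejected by Bounce Verification.
Mon Aug 31 13:30:12 2009 Info: ICID 503 close
"""

# "New SMTP ICID" line: ties an Injection Connection ID to the connecting host.
NEW_CONN_RE = re.compile(
    r"Info: New SMTP ICID (?P<icid>\d+) interface \S+ \(\S+\) address (?P<ip>\S+) "
    r"reverse dns host (?P<rdns>\S+) verified (?P<verified>yes|no)"
)
# Bounce Verification rejection line, in the form shown in the post.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) Info: MID (?P<mid>\d+) ICID (?P<icid>\d+) "
    r"invalid bounce, rcpt address <(?P<rcpt>[^>]*)> rejected by Bounce Verification\."
)
# Assumed BATV-style tag layout: prvs=KDDDSSSSSS=local@domain
PRVS_RE = re.compile(r"^prvs=(?P<key>\d)(?P<day>\d{3})(?P<hash>[0-9a-fA-F]{6})=(?P<orig>[^@]+@.+)$")


def parse_connections(log_text):
    """Map each ICID to the connecting IP, its reverse-DNS name and whether rDNS verified."""
    conns = {}
    for line in log_text.splitlines():
        m = NEW_CONN_RE.search(line)
        if m:
            conns[m["icid"]] = {"ip": m["ip"], "rdns": m["rdns"], "verified": m["verified"] == "yes"}
    return conns


def bv_rejections(log_text):
    """Return every Bounce Verification rejection, joined to its connection details."""
    conns = parse_connections(log_text)
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        # A rejection whose ICID has no "New SMTP" line in this excerpt is kept, marked unknown.
        conn = conns.get(m["icid"], {"ip": "unknown", "rdns": "unknown", "verified": False})
        events.append({"ts": m["ts"], "mid": m["mid"], "icid": m["icid"], "rcpt": m["rcpt"], **conn})
    return events


def rejections_by_source(log_text):
    """Count rejected bogus bounces per connecting IP, i.e. where the backscatter comes from."""
    return dict(Counter(e["ip"] for e in bv_rejections(log_text)))


def parse_prvs(return_path):
    """Split a prvs-tagged Return-Path into key id, expiry day-of-year, hash and original address.
    Returns None when the address carries no tag, i.e. outbound tagging is not in effect."""
    m = PRVS_RE.match(return_path.strip().strip("<>"))
    if not m:
        return None
    return {"key_id": m["key"], "expiry_day": int(m["day"]), "hash": m["hash"], "original": m["orig"]}


if __name__ == "__main__":
    for e in bv_rejections(SAMPLE_MAIL_LOGS):
        print(f'{e["ts"]} MID {e["mid"]} ICID {e["icid"]} rcpt {e["rcpt"]} from {e["ip"]} (rDNS {e["rdns"]})')
    print("by source:", rejections_by_source(SAMPLE_MAIL_LOGS))
    print(parse_prvs("<prvs=0245a1b2c3=bob@example.com>"))
```

parse_prvs only tells you whether the tag is present and what it claims; the hash can only be validated by the appliance holding the key, which is why the reject setting has nothing to act on until a key and address tagging are configured, as the answer above states.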
Thank you for your reply Viahmed, it does help. So if I understand correctly, if they had BV enabled but did not have a key configured, it would not actually be enabled, correct? That is how it was when I got involved. I then added a key, as that is how I presume it would have to be to even work.
Nothing else needs to be done, like on separate mail policies to enable this by default, right? Unless I want to add some exemption destinations, etc.?
For the logging, I have not looked at how their logging is set up. Does the default logging include this, as it does with all messages? Or does something specific need to be added for this logging?