Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Email Security Quick-links: ESA Product Support | SMA Product Support | Email Submission and Tracking Portal | Cisco SecurityHub
Current General Deployment (GD) Releases:
ESA: 11.0.0-264 WSA: 10.5.1-296 SMA: 11.0.0-115 Email Plug-in (Reporting): 1.0.1-048 Email Plug-in (Encryption): 1.0.0-036

Unexplained bounce backs from Ironport

We have a C10 device and last week we receved instanct bounce backs from the Ironport when trying to send to several different external email addresses at different domains.

The bounce backs were being generated by our internal Ironport itself instead of the destination email server so it is as if the email never left our company.

After serval days and no configuration changes on the Ironport I sent several test emails to these external domains. They are being recevied okay without any problems. Can any one explain what is going on here and how the problem recitifed itself?

Thanks for your help!

New Member

Re: Unexplained bounce backs from Ironport

What may be happening:

It could be that your mailserver(e.g. Exchange) handed the mail off to the Ironport appliance, who took responsibility for the message. Then, after any last outbound scanning and appending disclaimers, the Ironport appliance did a MX lookup to deliver the message and then upon trying to deliver the message to the appropriate destination, the Ironport MTA received a SMTP 5## error code.

Upon receiving the SMTP 5## error code, the Ironport appliance will consider this undeliverable to the destination and then turnaround and bounce it back to the original sender, which may be what you're observing.

Where to go from here:

It would be useful if you still have those bounce messages that were generated by the Ironport appliance. You can look up the original sender and intended recipient or subject line through the mail logs and find the corresponding timeframe when the Ironport MTA tried to establish a connection to the destination host. This will show up as an ICID event where the Ironport tried to connect to the destination host. I'm surprised that the bounce message didn't provide some info on the cause of the bounce.


1. findevent is a good tool on the command line that you can use to search for messages.
How can I determine the disposition of a message using the mail logs?