Solved

Cisco Ironport ESA Not Showing From Header in Message Tracking Logs

Posted on 2014-09-05
Last Modified: 2014-12-18
I have a Cisco Ironport C370 Appliance, AsyncOS version 7.6.3-019. I noticed in the Message Tracking Details logs that there is no From field in the message header. Instead there is "Envelope Sender". The issue we are seeing is that if a recipient in our Exchange 2010 environment receives certain e-mails, they contain a From header and will show one e-mail address, for example bob@abccompany.com. However, in some cases I see that the message tracking details do not contain any reference to the bob@abccompany.com e-mail address; instead they are showing a completely different e-mail domain under the Envelope Sender. This is especially the case when some automated systems/mailing companies are used to send e-mail.

The problem is, users report to us that they aren't receiving e-mail from bob@abccompany.com, yet when we search the message tracking logs for bob@abccompany.com, it yields no results. So we are not able to effectively troubleshoot or add domain exclusions for abccompany.com.

Any ideas if this is by design on the Cisco Ironport ESA appliances? How can we get around this issue? Is there any way to display the From header?

Thank you in advance.
Question by:fireguy1125
Expert Comment

by:btan
ID: 40307486
Seeing an NDR message is another hint about mail delivery that caused an empty envelope sender address: https://supportforums.cisco.com/discussion/12127601/envelope-sender-no-sender

Here is one means of using grep to locate the original sender's IP (instead of the email address), provided it exists of course. You may want to try searching for the sender, the recipient or the Subject: https://supportforums.cisco.com/discussion/11227366/finding-sender

IronPort mail log events are given acronyms. The most important events are ICID (Injection Connection ID) > MID (Message ID) > RID (Recipient ID) > DCID (Delivery Connection ID). Some notes:
- An 'ICID 0' defines a message that was injected from itself. In fact, the numeral 0 after an ICID or DCID refers to sessions open to or from the local loop address of the device.
- A 'DCID 0' defines a message that was never sent out. In fact, the numeral 0 after an ICID or DCID refers to sessions open to or from the local loop address of the device.

For Exchange, you can try exporting the log into CSV and searching there as well, for the sender and clientip:
http://blogs.technet.com/b/exchange/archive/2008/12/01/3406581.aspx

Also there is a quite similar case, but it is mainly about checking the email client view, rules etc., and also:
- Check that the GAL has the correct email address
- Check that their personal Contact List has the correct email address
- Check that the user and/or AutoComplete has the correct user's Email Address.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27584172.html

Author Comment

by:fireguy1125
ID: 40351414
I'm not seeing in your reply how I can have Ironport log the "From" field, if it is even possible?

Accepted Solution

by:btan (earned 500 total points)
ID: 40351487
Based on the extract there is a "From", and I am wondering if this is the one instead: https://supportforums.cisco.com/discussion/11227366/finding-sender
MID (Message ID): Once a connection is established, each successful SMTP "mail from:" command creates a new MID. A single MID can spawn many RIDs.

Do you want to paginate the output? [N]>

Fri Feb 3 15:41:43 2006 Info: Start MID 96 ICID 10394
Fri Feb 3 15:41:43 2006 Info: MID 96 ICID 10394 From: <bob@example10.com>
Fri Feb 3 15:41:58 2006 Info: MID 96 ICID 10394 RID 0 To: <nasir@example.com>
Fri Feb 3 15:42:06 2006 Info: MID 96 Message-ID '<4o8836$30@mail.example.com>'
Fri Feb 3 15:42:06 2006 Info: MID 96 Subject 'test'
Fri Feb 3 15:42:06 2006 Info: MID 96 ready 23 bytes from <bob@example10.com>
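As an added example (not code from this thread or from Cisco), the following Python script parses mail_logs lines like the excerpt above into per-MID records, following the ICID > MID > RID hierarchy described in the earlier comment, and searches them by envelope sender, recipient or subject. The sample log is constructed: the MID 96 lines are the excerpt above with wrapped lines rejoined, and MID 97 is a made-up bulk-mailer message whose MAIL FROM is a bounce address, which is why a search for the header From address finds nothing.

```python
import re
from collections import defaultdict

# Constructed sample in AsyncOS mail_logs format: MID 96 is the excerpt quoted above (lines
# rejoined); MID 97 is made up, a bulk mailer whose MAIL FROM is a bounce address, not the header From.
SAMPLE_LOG = """\
Fri Feb 3 15:41:43 2006 Info: Start MID 96 ICID 10394
Fri Feb 3 15:41:43 2006 Info: MID 96 ICID 10394 From: <bob@example10.com>
Fri Feb 3 15:41:58 2006 Info: MID 96 ICID 10394 RID 0 To: <nasir@example.com>
Fri Feb 3 15:42:06 2006 Info: MID 96 Message-ID '<4o8836$30@mail.example.com>'
Fri Feb 3 15:42:06 2006 Info: MID 96 Subject 'test'
Fri Feb 3 15:42:06 2006 Info: MID 96 ready 23 bytes from <bob@example10.com>
Fri Feb 3 15:50:01 2006 Info: Start MID 97 ICID 10395
Fri Feb 3 15:50:01 2006 Info: MID 97 ICID 10395 From: <bounce-123@mailer.example.net>
Fri Feb 3 15:50:02 2006 Info: MID 97 ICID 10395 RID 0 To: <nasir@example.com>
Fri Feb 3 15:50:03 2006 Info: MID 97 Subject 'Newsletter from abccompany.com'
"""
# Every event line carries "MID <n>"; "Start MID" opens a new message.
LINE_RE = re.compile(r"^(?P<ts>.+?) Info: (?:Start )?MID (?P<mid>\d+)(?P<rest>.*)$")

def parse_mail_log(text):
    """Group mail_logs events per MID: ICID, envelope sender, RID recipients, subject."""
    messages = defaultdict(lambda: {"icid": None, "envelope_sender": None,
                                    "recipients": [], "subject": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec, rest = messages[m.group("mid")], m.group("rest")
        if (icid := re.search(r"ICID (\d+)", rest)):
            rec["icid"] = icid.group(1)
        # "From: <...>" is the SMTP MAIL FROM address; an empty <> is an NDR/bounce.
        if (mf := re.search(r" From: <([^>]*)>", rest)):
            rec["envelope_sender"] = mf.group(1)
        if (rt := re.search(r"RID \d+ To: <([^>]*)>", rest)):
            rec["recipients"].append(rt.group(1))
        if (sub := re.search(r"Subject '(.*)'$", rest)):
            rec["subject"] = sub.group(1)
    return dict(messages)

def find_mids(messages, address=None, subject_contains=None):
    """MIDs whose envelope sender or a recipient equals address and whose subject contains text."""
    hits = []
    for mid, rec in messages.items():
        addr_ok = address is None or address in [rec["envelope_sender"], *rec["recipients"]]
        subj_ok = subject_contains is None or subject_contains in (rec["subject"] or "")
        if addr_ok and subj_ok:
            hits.append(mid)
    return sorted(hits, key=int)
```

Searching the parsed records for an address that only appears in the message's From header (for example someone@abccompany.com) returns nothing, while a search by recipient or by subject text still locates the MID.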
