Solved

Cisco Ironport ESA Not Showing From Header in Message Tracking Logs

Posted on 2014-09-05
3
1,061 Views
Last Modified: 2014-12-18
I have a Cisco Ironport C370 Appliance, ASync OS version 7.6.3-019, I noticed in the Message Tracking Details logs, that there is no From field in the message header.  Instead there is "Envelope Sender".  The issue we are seeing is if a recipient in our Exchange 2010 environment receives certain e-mails, they contain a From header, and will show one e-mail address.  For example bob@abccompany.com.  However, in some cases, I see that the message tracking details do not contain any reference to the bob@abccompany.com e-mail address, instead they are showing a completely different e-mail domain under the Envelope Sender.  This is especially the case when some automated systems/mailing companies are used to send e-mail.

The problem is, user's report to us that they aren't receiving e-mail from bob@abccompany.com, yet when we search the message tracking logs for bob@abccompany.com, it yields no results.  So we are not able to effectively troubleshoot, add domain exclusions for abccompany.com.

Any ideas if this is by design on the Cisco Ironport ESA appliances?  How can we get around this issue?  Is there any way to display the From header?

Thank you in advance.
0
Comment
Question by:fireguy1125
  • 2
3 Comments
 
LVL 61

Expert Comment

by:btan
ID: 40307486
Seeing NDR msg is another hint on mail delivery which caused an empty envelope sender address https://supportforums.cisco.com/discussion/12127601/envelope-sender-no-sender

Here is one means using grep to locate the original senders IP (instead of email address), of course provided it exists. May want to have another try to searching for the sender, the recipient or for the Subject. https://supportforums.cisco.com/discussion/11227366/finding-sender

IronPort mail log events are given acronyms. The most important  events are ICID (Injection  Connection ID) > MID  (Message ID) > RID  (Recipient ID) > DCID (Delivery Connection ID). Some note:
-An ‘ICID 0’ defines a message that was that  was injected from itself. In fact, the numeral 0 after an ICID or DCID  refers to sessions open to or from the local loop address of the device.
-A ‘DCID 0’ defines a message that was never sent out. In fact, the  numeral 0 after an ICID or DCID refers to sessions open to or from the  local loop address of the device

For exchange can try export log into csv and find as well - searching for sender and clientip
http://blogs.technet.com/b/exchange/archive/2008/12/01/3406581.aspx

Also there is a quite similar case but mainly is to check the email client view, rule etc and also
Check that GAL has the correct email address
Check that their personal COntact List has the correct email address
Check that the user and or AutoComplete has the correct users Email Address.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27584172.html
0
 
LVL 1

Author Comment

by:fireguy1125
ID: 40351414
I'm not seeing in your reply how I can have Ironport log the "From" field, if it is even possible?
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 40351487
Based on extract there is "From" and wondering if this the one instead https://supportforums.cisco.com/discussion/11227366/finding-sender
MID  (Message ID): Once a connection is established, each successful SMTP  "mail from:" command creates a new MID. A single MID can spawn many RIDs

Do you want to paginate the output? [N]>

Fri Feb 3 15:41:43 2006 Info: Start MID 96 ICID 10394
Fri Feb 3 15:41:43 2006 Info: MID 96 ICID 10394 From: <bob@example10.com>
Fri Feb 3 15:41:58 2006 Info: MID 96 ICID 10394 RID 0 To:
<nasir@example.com>
Fri Feb 3 15:42:06 2006 Info: MID 96 Message-ID
'<4o8836$30@mail.example.com>'
Fri Feb 3 15:42:06 2006 Info: MID 96 Subject 'test'
Fri Feb 3 15:42:06 2006 Info: MID 96 ready 23 bytes from
<bob@example10.com>
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Easy CSR creation in Exchange 2007,2010 and 2013
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now