  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1646

Cisco Ironport ESA Not Showing From Header in Message Tracking Logs

I have a Cisco Ironport C370 appliance, AsyncOS version 7.6.3-019. I noticed in the Message Tracking Details logs that there is no From field in the message header. Instead there is "Envelope Sender". The issue we are seeing is that if a recipient in our Exchange 2010 environment receives certain e-mails, they contain a From header and will show one e-mail address, for example bob@abccompany.com. However, in some cases I see that the message tracking details do not contain any reference to the bob@abccompany.com e-mail address; instead they show a completely different e-mail domain under the Envelope Sender. This is especially the case when some automated systems/mailing companies are used to send e-mail.

The problem is, users report to us that they aren't receiving e-mail from bob@abccompany.com, yet when we search the message tracking logs for bob@abccompany.com, it yields no results. So we are not able to effectively troubleshoot or add domain exclusions for abccompany.com.

Any ideas if this is by design on the Cisco Ironport ESA appliances?  How can we get around this issue?  Is there any way to display the From header?

Thank you in advance.
Asked by: fireguy1125

1 Solution

btan (Exec Consultant) commented:
Seeing an NDR message is another hint about mail delivery that caused an empty envelope sender address: https://supportforums.cisco.com/discussion/12127601/envelope-sender-no-sender

Here is one means, using grep, to locate the original sender's IP (instead of the email address), provided of course it exists. You may want to have another try at searching for the sender, the recipient or the Subject. https://supportforums.cisco.com/discussion/11227366/finding-sender

IronPort mail log events are given acronyms. The most important events are ICID (Injection Connection ID) > MID (Message ID) > RID (Recipient ID) > DCID (Delivery Connection ID). Some notes:
- An 'ICID 0' defines a message that was injected from itself. In fact, the numeral 0 after an ICID or DCID refers to sessions open to or from the local loop address of the device.
- A 'DCID 0' defines a message that was never sent out. In fact, the numeral 0 after an ICID or DCID refers to sessions open to or from the local loop address of the device.

For Exchange, you can try exporting the log into CSV and searching there as well, for sender and clientip:
http://blogs.technet.com/b/exchange/archive/2008/12/01/3406581.aspx

Also there is a quite similar case, but mainly it is to check the email client view, rules etc., and also:
Check that the GAL has the correct email address.
Check that their personal Contact List has the correct email address.
Check that the user and/or AutoComplete has the correct user's email address.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27584172.html
fireguy1125 (Author) commented:
I'm not seeing in your reply how I can have Ironport log the "From" field, if it is even possible?
btan (Exec Consultant) commented:
Based on the extract there is a "From", and I am wondering if this is the one instead: https://supportforums.cisco.com/discussion/11227366/finding-sender
MID (Message ID): Once a connection is established, each successful SMTP "mail from:" command creates a new MID. A single MID can spawn many RIDs.

Do you want to paginate the output? [N]>

Fri Feb 3 15:41:43 2006 Info: Start MID 96 ICID 10394
Fri Feb 3 15:41:43 2006 Info: MID 96 ICID 10394 From: <bob@example10.com>
Fri Feb 3 15:41:58 2006 Info: MID 96 ICID 10394 RID 0 To: <nasir@example.com>
Fri Feb 3 15:42:06 2006 Info: MID 96 Message-ID '<4o8836$30@mail.example.com>'
Fri Feb 3 15:42:06 2006 Info: MID 96 Subject 'test'
Fri Feb 3 15:42:06 2006 Info: MID 96 ready 23 bytes from <bob@example10.com>
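The mail_logs extract above and the ICID/MID/RID/DCID notes in the first answer can be turned into a small parser that shows exactly why the asker's search comes up empty. This is an added example, not code from the thread or from Cisco: it groups mail_logs lines by MID, searches by envelope sender (the "From: <...>" in the log, which is the SMTP MAIL FROM that Message Tracking displays), and separately pulls the header From and Return-Path out of a raw message so the two addresses can be compared. The log lines, addresses, IDs and the "Delivery start DCID ... MID ..." line layout are constructed for the example, and the line formats the regular expressions expect are an assumption based on the extract on this page.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Constructed mail_logs sample in the layout quoted in the answer above
# (timestamp, "Info:", then MID/ICID/RID fields).  Addresses and IDs are made
# up; the "Delivery start" line is an assumed layout, not copied from the page.
SAMPLE_MAIL_LOG = """\
Fri Feb  3 15:41:43 2006 Info: Start MID 96 ICID 10394
Fri Feb  3 15:41:43 2006 Info: MID 96 ICID 10394 From: <bounces@mailer.example.net>
Fri Feb  3 15:41:58 2006 Info: MID 96 ICID 10394 RID 0 To: <nasir@example.com>
Fri Feb  3 15:42:06 2006 Info: MID 96 Message-ID '<20060203154206.1@mail.example.com>'
Fri Feb  3 15:42:06 2006 Info: MID 96 Subject 'test'
Fri Feb  3 15:42:06 2006 Info: MID 96 ready 23 bytes from <bounces@mailer.example.net>
Fri Feb  3 15:42:07 2006 Info: Delivery start DCID 4213 MID 96 to RID [0]
Fri Feb  3 15:50:01 2006 Info: Start MID 97 ICID 10395
Fri Feb  3 15:50:01 2006 Info: MID 97 ICID 10395 From: <>
Fri Feb  3 15:50:02 2006 Info: MID 97 ICID 10395 RID 0 To: <nasir@example.com>
Fri Feb  3 15:50:02 2006 Info: MID 97 Subject 'Undeliverable: test'
"""

# Constructed raw message of the kind the question describes: a mailing
# service injects it with its own MAIL FROM (which the receiving MTA records
# as Return-Path), while the header From shows the address the user sees.
SAMPLE_MESSAGE = """\
Return-Path: <bounces@mailer.example.net>
From: Bob <bob@abccompany.com>
To: nasir@example.com
Subject: test

hello
"""

# Assumed line layouts, derived from the extract on this page.
TS = r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} Info: "
PATTERNS = {
    "start":      re.compile(TS + r"Start MID (\d+) ICID (\d+)$"),
    "env_from":   re.compile(TS + r"MID (\d+) ICID \d+ From: <([^>]*)>$"),
    "rcpt":       re.compile(TS + r"MID (\d+) ICID \d+ RID (\d+) To: <([^>]*)>$"),
    "message_id": re.compile(TS + r"MID (\d+) Message-ID '([^']*)'$"),
    "subject":    re.compile(TS + r"MID (\d+) Subject '(.*)'$"),
    "delivery":   re.compile(TS + r"Delivery start DCID (\d+) MID (\d+) "),
}


def new_record():
    return {"icid": None, "envelope_sender": None, "recipients": [],
            "message_id": None, "subject": None, "dcid": None}


def parse_mail_log(text):
    """Group mail_logs lines by MID into one record per message."""
    msgs = defaultdict(new_record)
    for line in text.splitlines():
        if m := PATTERNS["start"].match(line):
            msgs[int(m[1])]["icid"] = int(m[2])
        elif m := PATTERNS["env_from"].match(line):
            # This "From:" is the SMTP MAIL FROM (envelope sender), which is
            # what Message Tracking shows.  An empty <> is the null sender
            # that bounces / NDRs are sent with.
            msgs[int(m[1])]["envelope_sender"] = m[2].lower()
        elif m := PATTERNS["rcpt"].match(line):
            msgs[int(m[1])]["recipients"].append(m[3].lower())
        elif m := PATTERNS["message_id"].match(line):
            msgs[int(m[1])]["message_id"] = m[2]
        elif m := PATTERNS["subject"].match(line):
            msgs[int(m[1])]["subject"] = m[2]
        elif m := PATTERNS["delivery"].match(line):
            msgs[int(m[2])]["dcid"] = int(m[1])
    return dict(msgs)


def find_by_sender(msgs, needle):
    """MIDs whose envelope sender equals `needle` (a full address or a bare domain)."""
    needle = needle.lower()
    return sorted(mid for mid, rec in msgs.items()
                  if rec["envelope_sender"] is not None
                  and (rec["envelope_sender"] == needle
                       or rec["envelope_sender"].endswith("@" + needle)))


def null_sender_mids(msgs):
    """MIDs injected with an empty envelope sender (<>), i.e. bounces / NDRs."""
    return sorted(mid for mid, rec in msgs.items() if rec["envelope_sender"] == "")


def header_vs_envelope(raw_message):
    """Return (header From address, Return-Path address) of a raw message."""
    msg = message_from_string(raw_message)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    return header_from, envelope


if __name__ == "__main__":
    msgs = parse_mail_log(SAMPLE_MAIL_LOG)
    hdr, env = header_vs_envelope(SAMPLE_MESSAGE)
    print("header From:", hdr, "-> MIDs:", find_by_sender(msgs, hdr))
    print("envelope   :", env, "-> MIDs:", find_by_sender(msgs, env))
    print("null-sender (NDR) MIDs:", null_sender_mids(msgs))
```

Running it, a search for the header address (bob@abccompany.com) finds no MID while a search for the envelope address or its domain (mailer.example.net) finds MID 96, which is the situation the question describes: the tracking logs only key on MAIL FROM. When a user complains about mail from a header address that a third-party mailer sends, the practical search keys are the mailer's envelope domain, the Subject, or the Message-ID (all of which the log records), and a Return-Path header on a copy of a message that did arrive tells you which envelope domain to look for. The MID 97 record with an empty envelope sender is the NDR case mentioned in the first answer.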