Solved

Cisco Ironport ESA Not Showing From Header in Message Tracking Logs

Posted on 2014-09-05
Last Modified: 2014-12-18
I have a Cisco Ironport C370 Appliance running AsyncOS version 7.6.3-019. I noticed in the Message Tracking Details logs that there is no From field in the message header. Instead there is "Envelope Sender". The issue we are seeing is that when a recipient in our Exchange 2010 environment receives certain e-mails, they contain a From header and will show one e-mail address, for example bob@abccompany.com. However, in some cases, I see that the message tracking details do not contain any reference to the bob@abccompany.com e-mail address; instead they are showing a completely different e-mail domain under the Envelope Sender. This is especially the case when some automated systems/mailing companies are used to send e-mail.

The problem is, users report to us that they aren't receiving e-mail from bob@abccompany.com, yet when we search the message tracking logs for bob@abccompany.com, it yields no results. So we are not able to effectively troubleshoot or add domain exclusions for abccompany.com.

Any ideas if this is by design on the Cisco Ironport ESA appliances?  How can we get around this issue?  Is there any way to display the From header?

Thank you in advance.
Question by:fireguy1125
3 Comments
 
LVL 63

Expert Comment

by:btan
ID: 40307486
Seeing an NDR msg is another hint on mail delivery, which caused an empty envelope sender address: https://supportforums.cisco.com/discussion/12127601/envelope-sender-no-sender

Here is one means using grep to locate the original sender's IP (instead of email address), of course provided it exists. You may want to try searching again for the sender, the recipient or the Subject. https://supportforums.cisco.com/discussion/11227366/finding-sender

IronPort mail log events are given acronyms. The most important events are ICID (Injection Connection ID) > MID (Message ID) > RID (Recipient ID) > DCID (Delivery Connection ID). Some notes:
- An ‘ICID 0’ defines a message that was injected from itself. In fact, the numeral 0 after an ICID or DCID refers to sessions open to or from the local loop address of the device.
- A ‘DCID 0’ defines a message that was never sent out. In fact, the numeral 0 after an ICID or DCID refers to sessions open to or from the local loop address of the device.

For Exchange, you can try exporting the log to CSV and searching there as well, for sender and clientip:
http://blogs.technet.com/b/exchange/archive/2008/12/01/3406581.aspx

Also, there is a quite similar case, but it is mainly about checking the email client view, rules etc. and also:
- Check that the GAL has the correct email address
- Check that their personal Contact List has the correct email address
- Check that the user and/or AutoComplete has the correct user's email address.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27584172.html
LVL 1

Author Comment

by:fireguy1125
ID: 40351414
I'm not seeing in your reply how I can have Ironport log the "From" field, if it is even possible?
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40351487
Based on the extract there is a "From", and I am wondering if this is the one instead: https://supportforums.cisco.com/discussion/11227366/finding-sender
MID (Message ID): Once a connection is established, each successful SMTP "mail from:" command creates a new MID. A single MID can spawn many RIDs.

Do you want to paginate the output? [N]>

Fri Feb 3 15:41:43 2006 Info: Start MID 96 ICID 10394
Fri Feb 3 15:41:43 2006 Info: MID 96 ICID 10394 From: <bob@example10.com>
Fri Feb 3 15:41:58 2006 Info: MID 96 ICID 10394 RID 0 To: <nasir@example.com>
Fri Feb 3 15:42:06 2006 Info: MID 96 Message-ID '<4o8836$30@mail.example.com>'
Fri Feb 3 15:42:06 2006 Info: MID 96 Subject 'test'
Fri Feb 3 15:42:06 2006 Info: MID 96 ready 23 bytes from <bob@example10.com>
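Added example, not part of the original thread and not Cisco tooling: a small parser for the mail log layout quoted above that groups lines by MID, so a message can be located by recipient or subject and the address on its "From:" line (which, per the answer, follows the SMTP "mail from:" command) read off. The sample log is constructed, the function names are hypothetical, and one log entry per line is assumed.

```python
import re
from collections import defaultdict

# Constructed sample in the mail log layout quoted in the answer above.
SAMPLE_LOG = """\
Fri Feb 3 15:41:43 2006 Info: Start MID 96 ICID 10394
Fri Feb 3 15:41:43 2006 Info: MID 96 ICID 10394 From: <bounce-77@mailer.example.net>
Fri Feb 3 15:41:58 2006 Info: MID 96 ICID 10394 RID 0 To: <nasir@example.com>
Fri Feb 3 15:42:06 2006 Info: MID 96 Subject 'Invoice from ABC Company'
Fri Feb 3 15:43:10 2006 Info: MID 97 ICID 10395 From: <bob@example10.com>
Fri Feb 3 15:43:11 2006 Info: MID 97 ICID 10395 RID 0 To: <nasir@example.com>
Fri Feb 3 15:43:11 2006 Info: MID 97 ICID 10395 RID 1 To: <amy@example.com>
Fri Feb 3 15:43:12 2006 Info: MID 97 Subject 'test'
"""

MID_RE = re.compile(r"\bMID (\d+)\b")
ICID_RE = re.compile(r"\bICID (\d+)\b")
FROM_RE = re.compile(r"\bFrom: <([^>]*)>")
TO_RE = re.compile(r"\bRID (\d+) To: <([^>]*)>")
SUBJ_RE = re.compile(r"\bSubject '(.*)'$")

def parse_mail_log(text):
    """Group log lines by MID into one record per message."""
    msgs = defaultdict(lambda: {"icid": None, "sender": None, "rcpts": [], "subject": None})
    for line in text.splitlines():
        mid = MID_RE.search(line)
        if not mid:
            continue
        rec = msgs[int(mid.group(1))]
        if (m := ICID_RE.search(line)):
            rec["icid"] = int(m.group(1))
        if (m := FROM_RE.search(line)):
            rec["sender"] = m.group(1).lower()  # empty string when logged as <>
        if (m := TO_RE.search(line)):
            rec["rcpts"].append(m.group(2).lower())  # one MID, many RIDs
        if (m := SUBJ_RE.search(line)):
            rec["subject"] = m.group(1)
    return dict(msgs)

def find_messages(msgs, recipient=None, subject_contains=None):
    """Return {MID: sender on the From: line} for messages matching the filters."""
    hits = {}
    for mid, rec in msgs.items():
        if recipient and recipient.lower() not in rec["rcpts"]:
            continue
        if subject_contains and subject_contains.lower() not in (rec["subject"] or "").lower():
            continue
        hits[mid] = rec["sender"]
    return hits
```

Searching by the internal recipient and a subject fragment returns the sender address the appliance logged for that message, which is the value to search for in message tracking.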
