Hi,

First I need to thank you for your support and kindly be informed that I appreciate your effort.

In reference to your answers I need to clarify the following point:

1-for archiving every incoming and outgoing mail

In reference to Libin Varghese’ answer, he told me that Message filters have an action "archive" which can be used to archive emails but I cannot find this action in the content filter actions, although I find this action only in antispam and graymail advanced actions, so please clarify with full details in which filter I can find the archive action

But if you refer to send copy (Bcc :) in the content filter actions as an archive action, please tell me if there is any other way to archive all incoming and outgoing mail  

2- for allowing end user to release the mails that put in the policy quarantine as the same as he can do with the mails that put in the spam quarantine.

In reference to Ken Stieers’ answer he told me that instead of using the "Quarantine" action, add a header called 'X-Ironport-quarantine" and it will put the mail in the spam quarantine that the users can access but I need to ensure that I need only to put ‘X-Ironport-quarantine" in the header field in required policies

I also need your support to know if run and migrate the Vm IronPort first and create the cluster and then join the physical box to the cluster, will I face an issue in the physical box security services update and then I need to statically inform the physical box the update URL as update-manifests.ironport.com:443 , because every time I  run and migrate the physical box IronPort first and create the cluster and then join the Vm to the cluster I need to statically inform the Vm the update URL as , update-manifests.sco.cisco.com:443.

Finally I need to thank you again for your support.  

Best regards

Mohamed Abdelaty

1. Archive action is only available for message filter and not content filters. Other scanning engines can also archive emails to save a copy on the appliance.
The bcc action in content filters would do just that, send a copy of the email to selected recipeints. Not the same as archive.

2. If you would like to redirect certain emails to the spam quarantine instead of delivering them to the intended recipient then you can create a content filter to perform this action using the "Add/Edit Header action" and set conditions as per your requirement.

Refer to the end user guides or the online help guide on the appliance when in doubt.

The update manifest server is different for physical and virtual appliances.

Customer Virtual appliances — ESA and WSA updater server update-manifests.sco.cisco.com:443
Customer Physical appliances —ESA, WSA, SMA updater server update-manifests.ironport.com:443

Adding a physical and virtual appliance in cluster would lead to errors, hence you would need to configure the updates at the mahine mode and not the cluster mode.

- Libin V

Hello Libin,

Thank you for your fast response.

Kindly I need to clarify the following points: 

in reference to your answer you told me that the archive action is only available for message filter and not content filters.

1. In which message filter can I find the archive action, please clarify with details and image if possible because I find the archive action only in antispam and graymail under advanced actions?

To redirect certain emails to the spam quarantine instead of delivering them to the intended recipient such as policy quarantine so end user will be able to release this mails

1. create a content filter to perform this action using the "Add/Edit Header action" and set 'X-Ironport-quarantine" as a header name without add anything in the value field 

Best Regards

Mohamed Abdelay

Mohamed,

Please read through the end user guides to become familiar with how the message filters function and are added.

www.cisco.com/c/en/us/support/security/email-security-appliance/products-user-guide-list.html

Other useful articles on message filters:

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117825-technote-esa-00.html
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118100-configure-esa-00.html
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118145-technote-esa-00.html

Hello,

Thank you for your effort.

Please I need your support in the following point:

A-in reference to the creating a message filter to archive the all incoming and outgoing message, I read the user guide and find that I need to create new message filter and use the following script

filtername:
if (true)
{
archive ("logname')
}
.

1. I need your confirmation that is the required script
2. I know that I can pull the archived messages through FTP by the logconfig sub command, is that right?
3. Am I able to see the archived messages and retrieve any single message and send it back to sender from Archived Reports in the GUI?
4. Is there any way to see the archived messages through the GUI [without pulling the messages]?
5. is there any way to retrieve any single message and send it back to sender through the GUI or even through the CLI?
6. How can I delete the oldest archived messages without deleting the newest through the GUI or even through the CLI?

B-To redirect certain emails to the spam quarantine instead of delivering them to the intended recipient such as policy quarantine so end user will be able to release this mails

1. create a content filter to perform this action using the "Add/Edit Header action" and set 'X-Ironport-quarantine" as a header name without add anything in the value field 

C-There is any way to edit the way of displaying the messages in the message tracking under monitor tab?

Best regards

Mohamed

Mohamed,

You would need to create and test filters to see if it matches your requirement.

If you are unsure with the implementation spin up a lab virtual device and perform the steps there.

Emails that are archives are stored as a mbox file, read through steps available online on how to work with mbox files. A single mbox file may contain multiple emails and you cannot view these through the CLI/GUI.

You would need to download the file and work on it through your computer.

For the X-Ironport-Quarantine header the value can be entered as True.

Message tracking details would be displayed as designed, no changes can be made.

- Libin V

Hello,

Thank you for your support.

I need to ask you another some questions,

1. Can I create a report for spam mails, if yes please tell me how?
2. Can I retrieve the dropped mails if I did not make archive, if yes please tell me how?
3. How can I know the reason of applying specific action on the message from the message tracking details [i.e not which action applied and by which policy and filter but the reason of applying this action by this filter or policy] ?

Best regards

Mohamed

Hi,

The incoming mail report under the Monitor tab shows how many emails were detected as spam.

Dropped emails cannot be retrieved.

How the email is processed through the ESA is shown in message tracking and mail_logs. To understand the email pipeline read through the end user guide.

- Libin V