
Archive every incoming and outgoing mail transferring through the IronPort, including the mails deleted by the end user

mohamed.fadel

We have a C100v and we are running version 11.0.0.264.

 

We need to archive every incoming and outgoing mail transferring through the IronPort, including the mails deleted by the end user.

 

Also, we need to allow the end user to release the mails that are put in the policy quarantine, the same as he can do with the mails that are put in the spam quarantine.

 

We are clustering this VM with a physical IronPort box. I need to know if I must do static NAT for the physical box IP address and also must have an MX record for the physical box public IP address, the same as we did with the VM IP address.

 

Best regards

Mohamed Abdelaty

 


Libin Varghese
Cisco Employee

Hi,

 

Message filters have an action "archive" which can be used to archive emails.

Do note that adding all emails to archive would fill up disk space allotted for the archive very quickly and add additional load on the appliance.

archive("Name_of_Archive");

Since the archive action would be performed when the email is initially processed it would be basically a duplicate copy of all emails before they are delivered to the recipients.

End users cannot access PVO quarantines at the moment, they can only manage emails within their spam quarantine once end user access is enabled.

If two appliances have two MX records published for them, the firewall would need to NAT each public IP on the MX back to these boxes.

If both appliances work off the same MX record, then the firewall would need to NAT the IP and then a load balancer function would need to distribute emails between the two devices.

 

Regards,
Libin Varghese

If what you are archiving to will take it as smtp mail, you can use a message filter to bcc the mail to that device...

As far as users releasing policy quarantined mail, users aren't given access to those at all... instead of using the "Quarantine" action, add a header called "X-Ironport-quarantine" (and maybe a log event so you can find it in message tracking) and it will put the mail in the spam quarantine that the users can access.

Yes, both boxes need their own NAT/MX/A records. Clustering only replicates configuration, it has zero effect on the mail flow.

Hi,

First I need to thank you for your support and kindly be informed that I appreciate your effort.

In reference to your answers I need to clarify the following point:

1-for archiving every incoming and outgoing mail

In reference to Libin Varghese's answer, he told me that message filters have an action "archive" which can be used to archive emails, but I cannot find this action in the content filter actions. I find this action only in the antispam and graymail advanced actions, so please clarify with full details in which filter I can find the archive action.

But if you refer to send copy (Bcc :) in the content filter actions as an archive action, please tell me if there is any other way to archive all incoming and outgoing mail  

2- for allowing the end user to release the mails that are put in the policy quarantine, the same as he can do with the mails that are put in the spam quarantine.

In reference to Ken Stieers' answer, he told me that instead of using the "Quarantine" action, add a header called "X-Ironport-quarantine" and it will put the mail in the spam quarantine that the users can access, but I need to ensure that I need only to put "X-Ironport-quarantine" in the header field in the required policies.

I also need your support to know: if I run and migrate the VM IronPort first, create the cluster, and then join the physical box to the cluster, will I face an issue with the physical box security services update and then need to statically set the update URL on the physical box to update-manifests.ironport.com:443? I ask because every time I run and migrate the physical box IronPort first, create the cluster, and then join the VM to the cluster, I need to statically set the update URL on the VM to update-manifests.sco.cisco.com:443.

 

Finally I need to thank you again for your support.  

 

Best regards

Mohamed Abdelaty

1. Archive action is only available for message filter and not content filters. Other scanning engines can also archive emails to save a copy on the appliance.
The bcc action in content filters would do just that, send a copy of the email to selected recipients. Not the same as archive.

 

2. If you would like to redirect certain emails to the spam quarantine instead of delivering them to the intended recipient then you can create a content filter to perform this action using the "Add/Edit Header action" and set conditions as per your requirement.

 

Refer to the end user guides or the online help guide on the appliance when in doubt.

 

The update manifest server is different for physical and virtual appliances.

 

Customer virtual appliances (ESA and WSA), updater server: update-manifests.sco.cisco.com:443
Customer physical appliances (ESA, WSA, SMA), updater server: update-manifests.ironport.com:443

 

Adding a physical and virtual appliance in cluster would lead to errors, hence you would need to configure the updates at the machine mode and not the cluster mode.

 

- Libin V

Hello Libin,

 

Thank you for your fast response.

 

Kindly I need to clarify the following points: 

 

in reference to your answer you told me that the archive action is only available for message filter and not content filters.

  1. In which message filter can I find the archive action, please clarify with details and image if possible because I find the archive action only in antispam and graymail under advanced actions?

 

To redirect certain emails to the spam quarantine instead of delivering them to the intended recipient, such as the policy quarantine, so the end user will be able to release these mails:

  1. create a content filter to perform this action using the "Add/Edit Header action" and set "X-Ironport-quarantine" as the header name without adding anything in the value field

 

 

Best Regards

Mohamed Abdelaty

Hello,

 

Thank you for your effort.

 

Please I need your support in the following point:

A- In reference to creating a message filter to archive all incoming and outgoing messages, I read the user guide and found that I need to create a new message filter and use the following script:

filtername:
if (true)
{
    archive("logname");
}
.

  1. I need your confirmation that is the required script
  2. I know that I can pull the archived messages through FTP by the logconfig sub command, is that right?
  3. Am I able to see the archived messages and retrieve any single message and send it back to sender from Archived Reports in the GUI?
  4. Is there any way to see the archived messages through the GUI [without pulling the messages]?
  5. is there any way to retrieve any single message and send it back to sender through the GUI or even through the CLI?
  6. How can I delete the oldest archived messages without deleting the newest through the GUI or even through the CLI?

 

B- To redirect certain emails to the spam quarantine instead of delivering them to the intended recipient, such as the policy quarantine, so the end user will be able to release these mails:

  1. create a content filter to perform this action using the "Add/Edit Header action" and set "X-Ironport-quarantine" as the header name without adding anything in the value field

 

C- Is there any way to edit the way the messages are displayed in message tracking under the Monitor tab?

 

Best regards

Mohamed

Mohamed,

 

You would need to create and test filters to see if it matches your requirement.

 

If you are unsure with the implementation spin up a lab virtual device and perform the steps there.

 

Emails that are archived are stored as an mbox file; read through the steps available online on how to work with mbox files. A single mbox file may contain multiple emails and you cannot view these through the CLI/GUI.

 

You would need to download the file and work on it through your computer.

 

For the X-Ironport-Quarantine header the value can be entered as True.

 

Message tracking details would be displayed as designed, no changes can be made.

 

- Libin V
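
Working with a downloaded archive file on a workstation, as the reply above describes: this is an added example, not part of the original thread or Cisco's tooling. It uses Python's standard `mailbox` module to list the messages in an mbox file and pull out one message by Message-ID; the sample mail, addresses and function names are constructed for illustration, and the archive is assumed to have already been copied off the appliance.

```python
import mailbox
import tempfile
from contextlib import closing
from email.utils import parsedate_to_datetime

# Constructed two-message sample standing in for a downloaded archive file.
SAMPLE_MBOX = (
    "From alice@example.com Mon Jan  1 10:00:00 2018\n"
    "Message-ID: <a1@example.com>\n"
    "Date: Mon, 01 Jan 2018 10:00:00 +0000\n"
    "From: alice@example.com\nTo: bob@example.org\nSubject: Invoice\n"
    "\nFirst body\n\n"
    "From carol@example.net Tue Jan  2 11:30:00 2018\n"
    "Message-ID: <b2@example.net>\n"
    "Date: not-a-date\n"
    "From: carol@example.net\nTo: bob@example.org\nSubject: Report\n"
    "\nSecond body\n"
)

def write_sample():
    """Write the constructed sample to a temp file and return its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False, newline="\n") as fh:
        fh.write(SAMPLE_MBOX)
        return fh.name

def index_archive(path):
    """Return one summary dict per message in the mbox file."""
    rows = []
    with closing(mailbox.mbox(path, create=False)) as box:
        for key, msg in box.iteritems():
            try:
                sent = parsedate_to_datetime(msg["Date"])
            except (TypeError, ValueError):
                sent = None  # missing or malformed Date header
            rows.append({"key": key, "id": msg["Message-ID"], "date": sent,
                         "from": msg["From"], "to": msg["To"], "subject": msg["Subject"]})
    return rows

def extract_message(path, message_id):
    """Return the raw bytes of the message with this Message-ID, or None."""
    with closing(mailbox.mbox(path, create=False)) as box:
        for key, msg in box.iteritems():
            if msg["Message-ID"] == message_id:
                return box.get_bytes(key)  # without the mbox "From " separator line
    return None

if __name__ == "__main__":
    for row in index_archive(write_sample()):
        print(row["id"], row["date"], row["from"], row["subject"])
```

The bytes returned by `extract_message` can be saved as an `.eml` file and opened in a mail client.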

Hello,

 

Thank you for your support.

 

I need to ask you some other questions:

  1. Can I create a report for spam mails, if yes please tell me how?
  2. Can I retrieve the dropped mails if I did not make archive, if yes please tell me how?
  3. How can I know the reason of applying specific action on the message from the message tracking details [i.e not which action applied and by which policy and filter but the reason of applying this action by this filter or policy] ?

 

Best regards

Mohamed

Hi,

 

The incoming mail report under the Monitor tab shows how many emails were detected as spam.

 

Dropped emails cannot be retrieved.

 

How the email is processed through the ESA is shown in message tracking and mail_logs. To understand the email pipeline read through the end user guide.

 

- Libin V