03-28-2011 07:41 AM
I have a user that added a domain into their blocklist but it is still coming thru.
Is it possible for this to happen when a user has two e-mail addresses attached to their account?
Example
bob@domain.com - main e-mail
bsmith@domain.com - secondary
E-mail getting sent to bsmith@domain.com is getting thru the blocklist.
If this is the case how do you fix it?
Thanks
03-28-2011 11:31 AM
Hi
Since I cannot see your configuration I would be doing a bit of guessing here. Ideally you would want to consult the mail logs to find out exactly what happened with the message. Does it show that it did not match the address at all? Typically these are entered as a single address; however, the user may have many individual addresses listed.
First, let's go over the Safe List Block List.
The SL/BL feature is evaluating incoming messages on both envelope "Mail From" and on "From" header in the following sequence:
The message is processed until the first match is met. This can result in a more general match getting preferred to a more specific, as illustrated in the example below:
Example:
The recipient userA@test.com is having the following SL/BL:
example.com on Blocklist
userB@example.com on Safelist
userB@example.com sends a message to userA@test.com with the following property:
envelope Mail From = userB@example.com
header From = notreply@example.com
Result: Domain part of email address in "From" header (example.com) is matching the entry in the Blocklist, and the message is therefore blocked, even though "userB@example.com" is on the Safelist.
How to find SL/BL entries in the mail logs?
If an end user has added a sender's email or sender's domain to their personal safelist/blacklist in the EUQ, the mail_log entries will look like this:
Thu Aug 16 13:41:51 2007 Info: MID 152 ICID 125 From: <lilj@allow.com>
Thu Aug 16 13:41:55 2007 Info: MID 152 ICID 125 RID 0 To: <end_user@ironport.com>
Thu Aug 16 13:42:10 2007 Info: MID 152 Message-ID '<66nnd2$4o@test.run>'
Thu Aug 16 13:42:10 2007 Info: MID 152 Subject '3:43pm'
Thu Aug 16 13:42:10 2007 Info: MID 152 ready 150 bytes from <lilj@allow.com>
Thu Aug 16 13:42:10 2007 Info: MID 152 matched all recipients for per-recipient policy DEFAULT in the inbound table
Thu Aug 16 13:42:10 2007 Info: MID 152 interim verdict using engine: SLBL spam negative
Thu Aug 16 13:42:10 2007 Info: MID 152 using engine: SLBL spam negative
Thu Aug 16 13:42:10 2007 Info: MID 152 queued for delivery
If there are multiple recipients in the message and one recipient is using the SL/BL feature, then the message will be splintered with new MIDs.
Thu Aug 16 15:55:57 2007 Info: ICID 139 ACCEPT SG None match ALL SBRS None
Thu Aug 16 15:56:02 2007 Info: Start MID 170 ICID 139
Thu Aug 16 15:56:02 2007 Info: MID 170 ICID 139 From: <x@x.com>
Thu Aug 16 15:56:06 2007 Info: MID 170 ICID 139 RID 0 To: <lijlij@ironport.com>
Thu Aug 16 15:56:10 2007 Info: MID 170 ICID 139 RID 1 To: <end_user@ironport.com>
Thu Aug 16 15:56:21 2007 Info: MID 170 Message-ID '<66nnd2$5a@falcon.run>'
Thu Aug 16 15:56:21 2007 Info: MID 170 Subject '5:58pm'
Thu Aug 16 15:56:21 2007 Info: MID 170 ready 151 bytes from <x@x.com>
Thu Aug 16 15:56:21 2007 Info: MID 170 matched all recipients for per-recipient policy DEFAULT in the inbound table
Thu Aug 16 15:56:21 2007 Info: MID 170 was split creating MID 171 due to a SL/BL configuration for following recipients: kluu@ironport.com
Thu Aug 16 15:56:21 2007 Info: MID 171 ICID 0 From: <x@x.com>
Thu Aug 16 15:56:21 2007 Info: MID 171 ICID 0 RID 0 To: <end_user@ironport.com>
Thu Aug 16 15:56:21 2007 Info: MID 170 was split creating MID 172 due to a SL/BL configuration for following recipients: lijlij@ironport.com
Thu Aug 16 15:56:21 2007 Info: MID 172 ICID 0 From: <x@x.com>
Thu Aug 16 15:56:21 2007 Info: MID 172 ICID 0 RID 0 To: <lijlij@ironport.com>
Thu Aug 16 15:56:21 2007 Info: Message finished MID 170 done
Thu Aug 16 15:56:21 2007 Info: MID 171 interim verdict using engine: SLBL spam negative
Thu Aug 16 15:56:21 2007 Info: MID 171 using engine: SLBL spam negative
Thu Aug 16 15:56:21 2007 Info: MID 171 queued for delivery
Thu Aug 16 15:56:21 2007 Info: New SMTP DCID 134 interface 172.19.0.146 address 10.1.1.39 port 25
Thu Aug 16 15:56:21 2007 Info: Delivery start DCID 134 MID 171 to RID [0]
Thu Aug 16 15:56:22 2007 Info: Message done DCID 134 MID 171 to RID [0]
Thu Aug 16 15:56:22 2007 Info: MID 171 RID [0] Response 'ok: Message 56596446 accepted'
My guess is you will see one address triggering and not the other. I would probably have to see your configuration to understand how the addresses are implemented in the SL/BL.
Christopher C Smith
CSE
Cisco IronPort Customer Support
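Added example, not part of the original post and not Cisco tooling: a small Python parser for mail_log lines in the format quoted above. It follows SL/BL splits from parent MID to child MID and reports, per recipient address, whether a final SLBL verdict was logged, which is the check needed to see one address triggering and not the other. The function name and row layout are assumptions; the sample lines are an abridged copy of the split-message excerpt above.

```python
import re
from collections import defaultdict

# Abridged copy of the split-message excerpt quoted in the post above.
SAMPLE_LOG = """\
Thu Aug 16 15:56:02 2007 Info: MID 170 ICID 139 From: <x@x.com>
Thu Aug 16 15:56:06 2007 Info: MID 170 ICID 139 RID 0 To: <lijlij@ironport.com>
Thu Aug 16 15:56:10 2007 Info: MID 170 ICID 139 RID 1 To: <end_user@ironport.com>
Thu Aug 16 15:56:21 2007 Info: MID 170 was split creating MID 171 due to a SL/BL configuration for following recipients: kluu@ironport.com
Thu Aug 16 15:56:21 2007 Info: MID 171 ICID 0 From: <x@x.com>
Thu Aug 16 15:56:21 2007 Info: MID 171 ICID 0 RID 0 To: <end_user@ironport.com>
Thu Aug 16 15:56:21 2007 Info: MID 170 was split creating MID 172 due to a SL/BL configuration for following recipients: lijlij@ironport.com
Thu Aug 16 15:56:21 2007 Info: MID 172 ICID 0 From: <x@x.com>
Thu Aug 16 15:56:21 2007 Info: MID 172 ICID 0 RID 0 To: <lijlij@ironport.com>
Thu Aug 16 15:56:21 2007 Info: MID 171 interim verdict using engine: SLBL spam negative
Thu Aug 16 15:56:21 2007 Info: MID 171 using engine: SLBL spam negative
"""

RCPT = re.compile(r"MID (\d+) ICID \d+ RID \d+ To: <([^>]+)>")
SENDER = re.compile(r"MID (\d+) ICID \d+ From: <([^>]*)>")
SPLIT = re.compile(r"MID (\d+) was split creating MID (\d+) due to a SL/BL")
# Final verdict only: the "interim verdict using engine" lines do not match.
VERDICT = re.compile(r"MID (\d+) using engine: SLBL (.+)$")

def slbl_report(log_text):
    """Return one row per recipient of each MID that was not split further."""
    rcpts, sender, parent, verdict = defaultdict(list), {}, {}, {}
    for line in log_text.splitlines():
        if m := RCPT.search(line):
            rcpts[m[1]].append(m[2].lower())
        elif m := SENDER.search(line):
            sender[m[1]] = m[2].lower()
        elif m := SPLIT.search(line):
            parent[m[2]] = m[1]          # child MID -> original MID
        elif m := VERDICT.search(line):
            verdict[m[1]] = m[2].strip()
    split_parents = set(parent.values())
    rows = []
    for mid, addrs in rcpts.items():
        if mid in split_parents:         # recipients are reported on the children
            continue
        for addr in addrs:
            # slbl is None when no final SLBL verdict line was logged for this MID
            rows.append({"mid": mid, "parent": parent.get(mid),
                         "from": sender.get(mid), "rcpt": addr,
                         "slbl": verdict.get(mid)})
    return rows
```

Run over a real mail_log, rows for the secondary address with `slbl` set to `None` show that no SL/BL entry was applied to the copy delivered to that address.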
03-29-2011 06:25 AM
I submitted a ticket for it, but it appears to be the LDAP Spam Quarantine Alias Consolidation Query.
Still not working at the moment but I am looking into it.
Currently I have set up for the query string
Query String: (|(proxyAddresses={a})(proxyAddresses=smtp:{a}))
Email Attribute: proxyAddresses
Hopefully we will find a proper LDAP Query for Exchange 2010.
03-30-2011 12:25 PM
Hi,
I just wanted to check to see if your issue was addressed through the ticket you opened. Were you able to determine if the query was the problem?
If the Query is at issue,
Are you using LDAP for other functionality, if so do the other queries work, for example the accept query?
Did you enable the ldap debug logs?
Christopher C Smith
CSE
Cisco IronPort Customer Support
03-30-2011 01:05 PM
We have it working using the following.
Server Type: Active Directory
Port: 3268
Base DN:
End User Authentication
Query: (sAMAccountName={u})
Email Attribute: mail,proxyAddresses
Alias Consolidation Query
Query: (|(proxyAddresses={a})(proxyAddresses=smtp:{a}))
Email Attribute: mail,proxyAddresses