Cisco IronPort C170 - domain address change and custom bounce

flyingJet
Level 1

Hello there.

We are in the middle of cutting off old mail addresses and just using the new ones. I've already configured a bounce message if LDAP doesn't find the recipient. Is there a way to customize these messages to include the new email address?

Or maybe there is a way to send a custom SMTP response when somebody sends something to an old address? (It doesn't matter if the recipient is in LDAP.) I've played with the RAT today to include a custom SMTP response for user@old.com and user@older.old.com, but the mail went through and no custom SMTP response came back. I've changed the order to put it as the first rule, with no success.

Happy Thursday

1 Accepted Solution (Matthew's reply, below)
14 Replies

exMSW4319
Level 3

Suggestion: create a new Incoming Mail Policy, probably at or near the top of your list of policies, Sender: Any, Recipients: @your-old-domain, AS, AV, etc. fairly aggressive to minimise the danger of backscatter, Content Rules likewise, but with an extra rule making whatever response you consider prudent to the sender. Don't let yourself be abused as any sort of relay.

Question to the forum: would this fail in a situation where the sender sends to a mixed collection of recipients in the old and new domains? A dim memory says the rules on splintering changed around AsyncOS 10.

As far as I'm aware it's not possible to make the distinction you want at the stage of the pipeline you're currently investigating. Another question to the forum: would it be possible to do something by pointing the old domain MX to a different IP address handled by a different listener? I've always run single-listener, so don't normally consider that sort of scenario.

Libin Varghese
Cisco Employee

So under Mail Policies -> RAT, for the old domain you can set the action to reject and set a custom SMTP code and response to return.

I tried configuring this on my lab device and it works correctly.

mail from: test@cisco.com
250 sender <test@cisco.com> ok

rcpt to: test@oldcisco.com
550 oldcisco.com is no longer being used, please use cisco.com instead.

The notification would however need to be generated by the sending server based on the code that we return.

If you would like the ESA to send a notification instead, the RAT would need to be set to Accept bypassing LDAP, and then, using a content filter, if the recipient contains the old domain the email can be dropped and a notification can be generated using text that you configure under Text Resources.

Regards,

Libin Varghese

What about the situation when the address is no longer assigned in AD? For now I don't want to drop messages to the old address. I have tried the RAT with accept for a specific old domain address with a custom SMTP response, but that doesn't work. I also tried a mail filter that checks for the old address, but before it can even check it, the message is bounced because the address is missing in LDAP. Right now I have set up a bounce with the correct email address as mailer daemon@newdomain.com. Is there a way to do this before LDAP checks the address, and not reject the mail via the RAT?

Hey Flyingjet,

This may not sound very intuitive but to meet that requirement - where you want to accept the emails from the old-address instead of dropping it (essentially not doing LDAP accept as well) would require you to either:

In the RAT -> Create a new entry
Put in the old domain (@oldcisco.com) for example.
Tick the "Bypass LDAP Accept query"

This will allow all emails going to @oldcisco.com for example, to be accepted with the standard SMTP response code and not get stopped by your LDAP check.

There you can run a custom filter to bounce the email with whichever response you would like to use. (or notify the sender and silently drop the email).

Let me know if this fits the situation.

Regards,
Matthew

Evening Matthew.

Can I try that with one user (user@oldcisco.com) and then apply it to every old address if it works?

Hey Flyingjet,

Yes you definitely can.
If you have a list of old addresses, add them in and separate them with a comma.
Just ensure that you click the bypass LDAP accept else it'll all be stopped at the LDAP level :).

Let me know how it goes.

- Matthew

Alright, will check it out Monday for sure and will report back!

Thanks Matthew!

Okay, so I've tried it today and something doesn't seem to work. Attaching screenshots.

In the address I've used user@olddomain.com and changed the order. In the mail policy filter I've used "equals recipient address: user@olddomain.com". Am I missing something? I've applied the mail filter to the default policy. I'm getting back a bounce email saying the recipient is not available (but not the custom message I've created).

[Attachments: cisco_1.PNG, cisco_2.PNG]

Maybe go to System Administration/LDAP and flush the LDAP cache?

By default the ESA holds LDAP results for 15 min...

That address isn't used for over a month (removed from Exchange when migrated).

Hey Flyingjet,

Are you able to share with me the message tracking so I can cross-check this?
From what you shared: "I'm getting back bounce email saying recipient is not available"

If it's 554 Recipient Rejected Bounce, then it could be the RAT, but in this circumstance this is my assumption:
the ESA sees the email and allows it based on that new allowance you created.
The email is processed -> sent to Exchange, which rejects with "email is not available", and thus does not use the template you created.

I suspect; either the email is not matching this content filter due to the conditions not matching up, or policy matching concerns.

But with the message tracking it'll help us find out what's happening.

From what I can see; the email should be matching Incoming Mail policies.
It needs to match DEFAULT, so on your message tracking - ensure that it's not matching any other policy.
The content filter enabled on default, ensure it was committed prior to testing.
The condition: I see it's using an 'equals' rule. The recipient in this condition must be the same one you see in the recipient 'to' fields at the envelope level, and not what we see in the Header To fields in Outlook.

Finally, I would recommend perhaps creating an Incoming Mail Policy -> Define the recipient address you have, order this policy up top.
Enable the content filter into this policy alone, but remove the condition.

Then send the test.
This will ensure that if the email contains other recipient users/domains as well, it won't be mistakenly stopped by the content filter in the future.

(You can also use GUI > System Admin > Trace to run a verification of the setup as well.)

Regards,
Matthew
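The two mechanisms compared in this thread (Libin's RAT reject with a custom 550 text, and Matthew's "accept with Bypass LDAP Accept, then catch it in a content filter" plus his point that filter conditions and policy order are evaluated against the envelope recipient) can be seen side by side in a small pipeline model. This is an added illustration written for this page, not Cisco AsyncOS code or anything posted in the thread; the RAT entry, policy and filter classes, the `LDAP_DIRECTORY` stand-in for the LDAP Accept query, and all domains, addresses and response strings are constructed placeholders.

```python
"""Simplified model of the inbound path this thread walks through (a constructed
example for illustration, not Cisco AsyncOS code): RAT -> LDAP Accept ->
Incoming Mail Policy -> content filter -> handoff to Exchange. Domains,
addresses and SMTP response text are placeholders chosen for the example."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-in for the LDAP Accept query: mailboxes that still exist.
LDAP_DIRECTORY = {"user@cisco.com", "bob@cisco.com"}


def _match_pattern(pattern: str, address: str) -> bool:
    """'@domain' matches every local part at that domain; anything else is an exact address."""
    p, a = pattern.lower(), address.lower()
    return a.endswith(p) if p.startswith("@") else a == p


@dataclass
class RatEntry:
    pattern: str                          # "@oldcisco.com" or "user@oldcisco.com"
    action: str                           # "accept" or "reject"
    bypass_ldap_accept: bool = False      # the "Bypass LDAP Accept query" tick box
    smtp_response: Optional[str] = None   # custom text returned for a reject action


@dataclass
class ContentFilter:
    name: str
    # ("equals" | "contains", value) evaluated on the ENVELOPE recipient; None = no condition
    condition: Optional[Tuple[str, str]] = None
    action: str = "notify sender and drop"

    def matches(self, envelope_rcpt: str) -> bool:
        if self.condition is None:
            return True
        op, value = self.condition
        r, v = envelope_rcpt.lower(), value.lower()
        return r == v if op == "equals" else v in r


@dataclass
class Policy:
    name: str
    recipient_pattern: Optional[str]      # None = the DEFAULT policy, which matches everyone
    filters: List[ContentFilter] = field(default_factory=list)


def rcpt_to(rat: List[RatEntry], rcpt: str) -> str:
    """SMTP RCPT TO stage: the first matching RAT entry decides, then LDAP Accept runs
    unless the entry bypasses it. Returns the SMTP response line."""
    entry = next((e for e in rat if _match_pattern(e.pattern, rcpt)), None)
    if entry is None:
        return "550 Relaying denied"      # no RAT entry: we do not accept mail for this domain
    if entry.action == "reject":
        return f"550 {entry.smtp_response or 'Recipient rejected'}"
    if not entry.bypass_ldap_accept and rcpt.lower() not in LDAP_DIRECTORY:
        return "550 5.1.1 Recipient rejected (LDAP Accept query found no match)"
    return f"250 recipient <{rcpt}> ok"


def process(rat: List[RatEntry], policies: List[Policy],
            envelope_rcpt: str, header_to: str) -> str:
    """Full path for one recipient. Policy selection and filter conditions look at the
    envelope recipient only; header_to is carried along just to make that visible."""
    smtp = rcpt_to(rat, envelope_rcpt)
    if not smtp.startswith("250"):
        return f"rejected at SMTP: {smtp}"          # content filters never run
    policy = next((p for p in policies if p.recipient_pattern is None
                   or _match_pattern(p.recipient_pattern, envelope_rcpt)), None)
    if policy is None:
        return "no incoming mail policy matched"
    for f in policy.filters:                       # first matching filter wins here
        if f.matches(envelope_rcpt):
            return f"policy {policy.name}: filter {f.name} -> {f.action}"
    return (f"policy {policy.name}: no filter matched, relayed to Exchange "
            f"(Header To was {header_to!r}); a missing mailbox then comes back as 5.1.1")


if __name__ == "__main__":
    rat = [RatEntry("@oldcisco.com", "accept", bypass_ldap_accept=True),
           RatEntry("@cisco.com", "accept")]
    old = Policy("OldDomain", "@oldcisco.com", [ContentFilter("old_domain_notify")])
    default = Policy("DEFAULT", None, [ContentFilter("old_addr", ("equals", "user@oldcisco.com"))])
    # Dedicated old-domain policy first: every old-domain recipient is caught.
    print(process(rat, [old, default], "anyone@oldcisco.com", "anyone@oldcisco.com"))
    # Same policies in the other order: DEFAULT wins and the filter condition misses.
    print(process(rat, [default, old], "anyone@oldcisco.com", "anyone@oldcisco.com"))
```

The model makes the thread's failure mode explicit: without the bypass, the 550 from LDAP Accept is returned during `RCPT TO` and no filter ever sees the message; with the bypass but a filter whose condition does not match the envelope recipient, the message is relayed to Exchange, which is where the `5.1.1 RESOLVER.ADR.RecipNotFound` bounce later in this thread comes from. Putting an unconditional filter in a dedicated policy keyed on the old domain, ordered first, avoids both.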

This is the error message I am getting back. The rest I can check tomorrow and will get back for sure! Appreciate your help, guys!

Delivery has failed to these recipients or groups:

USER@OLDdomain.com (USER@OLDdomain.com)
The e-mail address you entered couldn't be found. Please check the recipient's e-mail address and try to resend the message. If the problem continues, please contact your helpdesk.

Diagnostic information for administrators:

Generating server: OLDdomain.com

USER@OLDdomain.com
#550 5.1.1 RESOLVER.ADR.RecipNotFound; not found ##

Original message headers:

Received: from GATEWAY.INTERNAL.DOMAIN (xxx.xxx.xxx.xxx) by EXCHANGE1.INTERNAL.DOMAIN
 (xxx.xxx.xxx.xxx) with Microsoft SMTP Server id 14.3.361.1; Tue, 13 Feb 2018
 15:58:36 -0600
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0DEBwBSX4NahivXVdFdHgEGDIMlggMog?=
 =?us-ascii?q?2WBOZcRgV4FYlSCaoYNh2+HYRIPiCBYFAECAQEBAQEBAhMBAQEICwsIKCQLhUM?=
 =?us-ascii?q?KHQEbFwcDEggBAgU3AiQBEQEFASIbiFmBOwEDFQUBoAyDRUCMF4IFBQEcgwwFg?=
 =?us-ascii?q?2MKGScNWVmCPQIGEoRvghWBV4ZqhmWCZQEEpC4JlgSCBgGSPZgEOYEXNoFyMxo?=
 =?us-ascii?q?IGxVvghSCRh+CEkE3jlwBAQE?=
X-IPAS-Result: =?us-ascii?q?A0DEBwBSX4NahivXVdFdHgEGDIMlggMog2WBOZcRgV4FYlS?=
 =?us-ascii?q?CaoYNh2+HYRIPiCBYFAECAQEBAQEBAhMBAQEICwsIKCQLhUMKHQEbFwcDEggBA?=
 =?us-ascii?q?gU3AiQBEQEFASIbiFmBOwEDFQUBoAyDRUCMF4IFBQEcgwwFg2MKGScNWVmCPQI?=
 =?us-ascii?q?GEoRvghWBV4ZqhmWCZQEEpC4JlgSCBgGSPZgEOYEXNoFyMxoIGxVvghSCRh+CE?=
 =?us-ascii?q?kE3jlwBAQE?=
X-IronPort-AV: E=Sophos;i="5.46,509,1511848800";
   d="scan'208,217";a="5901111"
X-Amp-Result: CLEAN
X-Amp-File-Uploaded: False
Received: from mail-lf0-f43.google.com ([209.85.215.43])  by
 Mail.DOMAIN.COM with ESMTP; 13 Feb 2018 15:58:35 -0600
Received: by mail-lf0-f43.google.com with SMTP id 37so8160596lfs.7        for
 <USER@OLDdomain.com>; Tue, 13 Feb 2018 13:58:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:from:date:message-id:subject:to;
        bh=MHPHq7jyZ+KO0LH/SMfSIVZiA+pJpgHiXcecl22iOiw=;
        b=fTqlIUjtb75aMqGRA/bZ+EoOiRp1ckNr/vYBltRb7oJVO0GjOaeaBq3Mc3evz4P8uQ
         yJQsUHYfm6olCuC84+p6XtDg5NOyhFNsncujkpbO+mPw99YRvHwJt6ySARJIT6FWWWnu
         IteOH3aOnOyOj4Lnm10aGtPZwXeOI7EBsSEcmyp+6tPuc8V43nf6FgQlF27MB98tMPXh
         AmKuCXE+xurbrRHaTzcUOWBHBdaQ2gcnWtI1PRwY5Vi1Lhu85SZKYt9ATlqRt3paaJvX
         CAH8l/EvgCcPfF48EKtcRdsvMxu2PuLbeu4ZOmIejHrDhd0L+xt8SAwfMR2qVBz9sQ4w
         oYWw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net

Hey Flyingjet,

Yep, I am 100% confident the email didn't get matched against your content filter; it was delivered right to your Exchange server :)
That's an Exchange server response, and we can see in the headers that it finished on the ESA.

With the message tracking indication, I am 100% confident you'll see that the email's envelope recipient either didn't match that condition, or it didn't match the policy the content filter was committed into :)

Please keep me posted :).

Cheers,
Matthew

Hello Matthew,

Finally found time to play with it, and this time I've created a separate mail policy (instead of applying it to the default) and also changed the condition from "equals" to "contains", and it worked (I think the problem was with "equals").

Thank you for all your help guys, especially Matthew!