07-10-2015 12:06 PM
Hey all,
Is there anywhere I can see the activity history of the domain map?
We have one in place for a bunch of legacy domains and I am trying to determine if any of the addresses listed are long dormant & can be safely removed. The mail_logs don't show this.
Thanks
Greg
07-12-2015 04:47 PM
Hello Greg,
This may not be the ideal way or my understanding of the issue may be incorrect.
But as mail_logs are more limited to the number of allowable log files on the system it may not retain all the information you're seeking for older log entries.
As such I would suggest perhaps using the message tracking to audit back at a later date if these domains are still actively receiving emails on it.
Else you may be able to use the GUI > Internal users > on the drop down at the very bottom change it to destination domain > search for these domains for the custom time-frame and see if any emails were routing to this domain through your ESA.
Regards,
Matthew
07-14-2015 11:31 AM
Perhaps I didn't explain this properly.
We have several legacy domains that we do a domainmap translation on the way in. For instance inbound email for user@example.com gets mapped to user@new.example.com. I am trying to clean up or eliminate the domain map table, so I need to see what legacy domains are still getting mail sent to them. This is not possible to see in message tracking.
Is there another log I should look into to see domainmap activity (i.e., track mail sent to user@example.com)?
07-14-2015 08:49 PM
Hello Greg,
The only way I can see that can assist with the audit is to review your current domain mapping, and search for the 'remapped' recipient domains to see if there are still emails to these domains.
If the remapped domains are not seeing any results, then it should be safe to remove the mapping.
CLI > listenerconfig > edit the listener with the mapping > domainmap > print to see how the domains are being mapped
Once found, audit the associated re-mapped domain accordingly.
07-16-2015 06:35 AM
Yeah, that's the problem because the remapped domain is our default domain, as in everything we pass to the Exchange servers.
07-16-2015 03:51 PM
Hey Greg,
Thank you for your update.
I'll see what I can do on my lab box to try and locate the original sender before remapping if possible.
Regards,
Matthew
07-16-2015 06:47 PM
Hello Greg,
While I was doing some testing I came to the same conclusion as a colleague (Robert) who shared this as well:
---
Unfortunately – there is no further way to see the incoming email being matched and re-mapped to a new domain. The process is silently re-written as injected.
The only way is with enabling SMTP Conversation Logs, and then saving those logs off-appliance, and grepping out the domains that are "expected".
Example:
I have domain mapping of "@big.com" going to "@small.com". My domain of "small.com" is smtp routed to /dev/null. This is just for my testing/repro purposes.
Email sent from my yahoo account to "joe@big.com" and referenced in the SMTP log I created:
Thu Aug 1 15:16:40 2013 Info: ICID 119 address 172.16.6.1 dns host unknown sbrs rfc1918
Thu Aug 1 15:16:40 2013 Info: ICID 119 >> 220 myesa_2.local ESMTP
Thu Aug 1 15:16:40 2013 Info: ICID 119 << EHLO [172.16.6.1]
Thu Aug 1 15:16:40 2013 Info: ICID 119 >> 250-myesa_2.local\r\n250-8BITMIME\r\n250 SIZE 10485760
Thu Aug 1 15:16:40 2013 Info: ICID 119 << EHLO [172.16.6.1]
Thu Aug 1 15:16:40 2013 Info: ICID 119 >> 250-myesa_2.local\r\n250-8BITMIME\r\n250 SIZE 10485760
Thu Aug 1 15:16:40 2013 Info: ICID 119 << MAIL FROM:<robsherw_cisco@yahoo.com>
Thu Aug 1 15:16:40 2013 Info: ICID 119 >> 250 sender <robsherw_cisco@yahoo.com> ok
Thu Aug 1 15:16:40 2013 Info: ICID 119 << RCPT TO:<joe@big.com>
Thu Aug 1 15:16:40 2013 Info: ICID 119 >> 250 recipient <joe@big.com> ok
Thu Aug 1 15:16:40 2013 Info: ICID 119 << DATA
Thu Aug 1 15:16:40 2013 Info: ICID 119 >> 354 go ahead
Thu Aug 1 15:16:40 2013 Info: ICID 119 >> 250 ok: Message 151 accepted
Thu Aug 1 15:17:41 2013 Info: ICID 119 << QUIT
Thu Aug 1 15:17:41 2013 Info: ICID 119 >> 221 myesa_2.local
Thu Aug 1 15:17:41 2013 Info: ICID 119 close
At the same time, in the mail logs – I see:
Thu Aug 1 15:16:40 2013 Info: Start MID 151 ICID 119
Thu Aug 1 15:16:40 2013 Info: MID 151 ICID 119 From: <robsherw_cisco@yahoo.com>
Thu Aug 1 15:16:40 2013 Info: MID 151 ICID 119 RID 0 To: <joe@small.com>
Thu Aug 1 15:16:40 2013 Info: MID 151 Message-ID '<7CAFCC52-B001-49FF-957C-40949D856BBD@yahoo.com>'
Thu Aug 1 15:16:40 2013 Info: MID 151 Subject '12:39pm'
Thu Aug 1 15:16:40 2013 Info: MID 151 ready 460 bytes from <robsherw_cisco@yahoo.com>
Thu Aug 1 15:16:40 2013 Info: MID 151 matched all recipients for per-recipient policy DEFAULT in the inbound table
This is a little more intensive than I would imagine you are looking for, but is the only way to show the domain mapping is actually in use. Due to the fact that the domain mapping is silent in its actions.
---
Regards,
Matthew
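As an added example (not part of the original posts, and not Cisco tooling): one way to do the off-appliance "grepping" described above is to count envelope `RCPT TO` hits per legacy domain in the SMTP conversation log and use the shared ICID to pull the rewritten recipient from the mail log. The function names and the `old.example` domain are hypothetical, the sample lines are abridged from the log excerpt above plus constructed entries, and the ICID correlation assumes both logs come from the same appliance and time window.

```python
import re
from collections import defaultdict

# Envelope recipient exactly as the client sent it (SMTP conversation log).
RCPT_RE = re.compile(
    r"^(?P<ts>.+?) Info: ICID (?P<icid>\d+) << RCPT TO:\s*<(?P<rcpt>[^>]+)>", re.I)
# Recipient after domain mapping was applied (mail log).
TO_RE = re.compile(r"Info: MID \d+ ICID (?P<icid>\d+) RID \d+ To: <(?P<rcpt>[^>]+)>")

def audit_domainmap(smtp_lines, mail_lines, legacy_domains):
    """Return {legacy_domain: {"hits", "last_seen", "remapped_to"}}."""
    legacy = {d.lower().lstrip("@") for d in legacy_domains}
    rewritten = defaultdict(set)          # ICID -> recipients seen in the mail log
    for line in mail_lines:
        m = TO_RE.search(line)
        if m:
            rewritten[m["icid"]].add(m["rcpt"].lower())
    report = {d: {"hits": 0, "last_seen": None, "remapped_to": set()} for d in legacy}
    for line in smtp_lines:
        m = RCPT_RE.match(line)
        if not m:
            continue
        local, _, domain = m["rcpt"].lower().rpartition("@")
        if domain not in legacy:
            continue
        entry = report[domain]
        entry["hits"] += 1
        entry["last_seen"] = m["ts"]      # input is chronological, so last match wins
        # Same local part on another domain in the same connection is the mapped form.
        entry["remapped_to"] |= {
            r for r in rewritten.get(m["icid"], ())
            if r.startswith(local + "@") and not r.endswith("@" + domain)}
    return report

def dormant(report):
    """Legacy domains with no envelope recipients in the sampled window."""
    return sorted(d for d, e in report.items() if e["hits"] == 0)

# Sample input: ICID 119 lines abridged from the thread; ICID 120 is constructed.
SMTP_LOG = [
    "Thu Aug 1 15:16:40 2013 Info: ICID 119 << RCPT TO:<joe@big.com>",
    "Thu Aug 1 15:16:40 2013 Info: ICID 119 >> 250 recipient <joe@big.com> ok",
    "Thu Aug 1 15:20:02 2013 Info: ICID 120 << RCPT TO:<ann@small.com>",
]
MAIL_LOG = [
    "Thu Aug 1 15:16:40 2013 Info: MID 151 ICID 119 RID 0 To: <joe@small.com>",
    "Thu Aug 1 15:20:02 2013 Info: MID 152 ICID 120 RID 0 To: <ann@small.com>",
]
REPORT = audit_domainmap(SMTP_LOG, MAIL_LOG, ["big.com", "old.example"])
```

A domain listed by `dormant()` is only dormant for the period the conversation logs cover, so the retention window of the saved logs bounds what the audit can prove.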
12-20-2018 07:47 AM
Hi
I know this is a really old thread but I was just trying to find this information today as well. I think I have found a way to discover this information.
I have dumped the 'domainmap' into a dictionary file then created the content filter below:
Filter Name: AuditDomainMap
09-06-2024 04:36 AM
This won't help in many cases because you look for the header To:/Cc: field while the rewriting is done on the envelope recipient address and both do not necessarily match. E.g. often in mailing lists or when the mail goes to a Bcc recipient.
Though this thread is 6+ years old, there still seems no possibility to get domainmapping logged - at least I couldn't find any.