Dear Cisco IronPort Customer,
Cisco has learned of an issue impacting delivery of encrypted email (PXE envelopes) to recipients whose email is filtered by Google Postini.
Whom does it affect?
This affects our encryption customers who send encrypted mail (PXE envelopes) to their customers who use Google. Encrypted emails (PXE envelopes) get blocked. The only way for Cisco’s customers to find out that business critical emails are impacted is via manual business to business contact.
What is Cisco doing?
Cisco continues to work with Google to address this issue.
What should customers do?
Google will only respond to its own customers. If you are experiencing issues with delivery of secure messages to Google customers, we ask that you have your recipients escalate the issue to Google.
Additionally, to help us track this situation, please contact Cisco IronPort Customer Support if you are impacted.
there is no way for the appliance to figure out if a destination uses filtering by Postini or not, so configuring an alert would require that you are aware which of your recipient domaains have that kind of filtering enabled. For these you'd add a condition in the filter that enables encryption and sends a note to the sender. More important though as the note states is to inform your business partners to get in contact with Google/Postini, or to whitelist your domain.
Not definitive of course but Postini's instructions on TLS connections is that the IP ranges 184.108.40.206/20 and 220.127.116.11/20 are theirs and their MX records for clients always fall in that range.
For awhile until a permanent solution is determined, any outgoing SMTP session to one of those IPs is a Postini corporate client. Gmail looks like 18.104.22.168/17 and 22.214.171.124/16. I'm guessing Gmail is likewise affected.
Not sure it's possible to code that in a C-series. Not familiar enough with IEA/PXE yet to know if it can detect it. We're just planning a move to IEA/PXE and sort of wondering if Cisco will do more than tell us to ask clients to whitelist us. Does Gmail have a customer service desk so I can ask to be whitelisted for all of Gmail, call someone for each email address? More likely we're out of luck.
IEA/PXE does have a webmail feature but I don't want to maintain thousands of mailboxes that may be single use.
I'm hoping Cisco commits to changing the Java to an HTML front end with the code back at the server.
Anxiously awaiting news from Cisco.
Thanks for the clarification. That's a bit of good news for sure.