06-18-2008 09:02 AM
Hello,
I try to explain my problem with my bad English ;) sorry for that.
Yesterday I configured my C150 as Smarthost for the Exchange 2003 Server.
Everything works fine, I can send and receive Mails but - Since I use the C150 as Smarthost, in the Monitor incoming Mails are logged as outgoing Mails.
On the "Outgoing Senders" List I can find a lot of Incoming Senders and so on.
The number of logged incoming mails is 0 since the Smarthost config, and 5.400 outgoing Mails.
That's impossible, and the statistics and manual filters of the Ironport are now not usable for me, because if I set an outgoing allowed senders filter for example, I can't receive Mails from other senders ;)
What could be wrong?
06-18-2008 01:49 PM
Is the Exchange server using the relay policy?
06-18-2008 02:44 PM
The Exchange SMTP Connector is Configured to send all Mails to the Smarthost (Ironport IP).
06-18-2008 03:54 PM
Something sounds fishy about your HAT configuration.
Only emails that trigger an "Accept" Policy should be considered Incoming, while emails that trigger a "Relay" Policy should be considered Outgoing.
From what you describe it seems that any email being sent through your appliance is being checked by the outgoing policies.
In your case I'd have a closer look at my logfile and look for entries like these in your connections:
Wed Jun 18 16:41:08 2008 Info: ICID 14344608 ACCEPT SG UNKNOWNLIST match sbrs[0.0:7.0] SBRS 2.4
[...]
Wed Jun 18 16:41:09 2008 Info: MID 6576555 matched all recipients for per-recipient policy [POLICY] in the outbound table
Should ALL messages that go through your appliance use the outbound table (2nd entry) you should go ahead and check which SenderGroup they triggered (1st entry) and have a closer look at the Mail Flow Policies mentioned there.
It sounds a bit like you have your external listeners configured to allow relaying for every host out there, if it is really true that you don't have any problems with incoming mail (yet).
-T
06-18-2008 04:01 PM
To verify the sendergroup that your Exchange server is matching, type this on the command line:
grep -i "IP_of_Exchange_Server" mail_logs
Look for entries that have the ICID word. This will let you know what sendergroup your mailserver is matching. If it says anything about RELAYLIST or RELAY, then your mailserver's IP/hostname is in the relaylist. To change this, go to "Mail Policies > HAT Overview".
06-18-2008 04:11 PM
Thanks! I think I found the error.
The MailFlow Policy "Accepted" is set to "Relay".
But, if I set "Relay" to "Accept", outgoing Mails are Rejected.
I set the IP of the Exchange Server to the Relay list, but it seems the Ironport could not get the IP Address or Hostname of the Mailserver.
06-18-2008 04:22 PM
To verify the sendergroup that your Exchange server is matching, type this on the command line:
grep -i "IP_of_Exchange_Server" mail_logs
Look for entries that have the ICID word. This will let you know what sendergroup your mailserver is matching. If it says anything about RELAYLIST or RELAY, then your mailserver's IP/hostname is in the relaylist. To change this, go to "Mail Policies > HAT Overview".
Wed Jun 18 17:01:43 2008 Info: New SMTP DCID 71638 interfaceaddress port 25
06-18-2008 05:00 PM
That log entry you posted is about delivery (DCID) - about emails leaving the box.
You want to look for ICIDs though - emails coming into the box.
Torsten
06-18-2008 06:25 PM
Here is a more precise way of searching for the entry:
grep -e "ICID.*1.2.3.4" mail_logs
Replace 1.2.3.4 with the IP of your mailserver.
06-19-2008 09:39 AM
Here is a more precise way of searching for the entry:
grep -e "ICID.*1.2.3.4" mail_logs
Replace 1.2.3.4 with the IP of your mailserver.
Thu Jun 19 09:59:10 2008 Info: New SMTP ICID 1499509 interface MailInterface () address 201.245.178.228 reverse dns host telebucaramanga.net.co verified no
06-19-2008 03:46 PM
If you can search for the "ICID 499509", it will let us know what sendergroup you're matching.
grep -i "ICID 499509" mail_logs
Here is a more precise way of searching for the entry:
grep -e "ICID.*1.2.3.4" mail_logs
Replace 1.2.3.4 with the IP of your mailserver.
Ok, the entries all look like this:
Thu Jun 19 09:59:10 2008 Info: New SMTP ICID 1499509 interface MailInterface () address 201.245.178.228 reverse dns host telebucaramanga.net.co verified no
Just the "verified" param is sometimes "yes".
06-19-2008 04:16 PM
If you can search for the "ICID 499509", it will let us know what sendergroup you're matching.
grep -i "ICID 499509" mail_logs
ironport> grep -i "ICID 1499509" mail_logs
Thu Jun 19 09:59:10 2008 Info: New SMTP ICID 1499509 interface MailInterface () address 201.245.178.228 reverse dns host telebucaramanga.net.co verified no
Thu Jun 19 09:59:10 2008 Info: ICID 1499509 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -10.0
Thu Jun 19 09:59:10 2008 Info: ICID 1499509 close
06-19-2008 04:29 PM
ironport> grep -i "ICID 1502535" mail_logs
Thu Jun 19 17:15:43 2008 Info: New SMTP ICID 1502535 interface MailInterface () address 195.129.12.230 reverse dns host dfallback0.dtm.ops.eu.uu.net verified yes
Thu Jun 19 17:15:43 2008 Info: ICID 1502535 RELAY SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS -0.3
Thu Jun 19 17:15:43 2008 Info: Start MID 232568 ICID 1502535
Thu Jun 19 17:15:43 2008 Info: MID 232568 ICID 1502535 From: <>
Thu Jun 19 17:15:43 2008 Info: MID 232568 ICID 1502535 RID 0 To:
Thu Jun 19 17:15:43 2008 Info: ICID 1502535 close
06-19-2008 04:39 PM
Solved it :D
I just had to add the subnetmask to the IP Address of exchange. Then I could set the Accept policy back to "Accept".
Now incoming testmails are registered as incoming and outgoing is outgoing.
Got this idea by checking the logfiles.
Thank you for your great help!
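The log check this thread works through, as an added example (not part of any post and not IronPort code): it pairs each "New SMTP ICID" line with the policy line for the same ICID and lists connections that were given RELAY from an address outside the networks you expect to relay. The sample log is constructed in the format quoted above, and the function names and the trusted-network list are assumptions.

```python
import ipaddress
import re

# Constructed sample in the mail_logs format quoted in the thread
# (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
Thu Jun 19 17:15:43 2008 Info: New SMTP ICID 1001 interface MailInterface () address 198.51.100.23 reverse dns host mx.example.net verified yes
Thu Jun 19 17:15:43 2008 Info: ICID 1001 RELAY SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS -0.3
Thu Jun 19 17:16:02 2008 Info: New SMTP ICID 1002 interface MailInterface () address 192.0.2.10 reverse dns host exchange.example.local verified no
Thu Jun 19 17:16:02 2008 Info: ICID 1002 RELAY SG RELAYLIST match 192.0.2.10 SBRS None
Thu Jun 19 17:16:30 2008 Info: New SMTP ICID 1003 interface MailInterface () address 203.0.113.77 reverse dns host unknown verified no
Thu Jun 19 17:16:30 2008 Info: ICID 1003 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -10.0
Thu Jun 19 17:16:31 2008 Info: New SMTP DCID 71638 interface 192.0.2.1 address 203.0.113.5 port 25
"""

# Inbound connections are ICID lines; DCID lines are deliveries and are ignored.
NEW_CONN = re.compile(r"New SMTP ICID (\d+) .*? address (\S+) ")
# HAT actions as they appear in the log lines posted in the thread.
POLICY = re.compile(r"ICID (\d+) (ACCEPT|RELAY|REJECT) SG (\S+)")


def classify_connections(log_text):
    """Return {icid: (source_ip, action, sender_group)} for inbound connections."""
    sources, result = {}, {}
    for line in log_text.splitlines():
        m = NEW_CONN.search(line)
        if m:
            sources[m.group(1)] = m.group(2)
            continue
        m = POLICY.search(line)
        if m and m.group(1) in sources:
            result[m.group(1)] = (sources[m.group(1)], m.group(2), m.group(3))
    return result


def unexpected_relays(log_text, trusted_networks):
    """List (icid, ip, sender_group) that got RELAY from outside trusted_networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    flagged = []
    for icid, (ip, action, group) in classify_connections(log_text).items():
        addr = ipaddress.ip_address(ip)
        if action == "RELAY" and not any(addr in n for n in nets):
            flagged.append((icid, ip, group))
    return flagged


if __name__ == "__main__":
    # Assumption: only the Exchange server (192.0.2.10/32) should ever relay.
    for hit in unexpected_relays(SAMPLE_LOG, ["192.0.2.10/32"]):
        print("RELAY granted to untrusted host:", hit)
```

Any hit means a sender group other than the relay list is bound to a mail flow policy with RELAY behaviour, which is the condition seen in the thread's "RELAY SG UNKNOWNLIST" line.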