02-04-2015 11:03 PM
Hi All,
I am a bit of a greenthumb when it comes to our Ironport appliances, but I have been assigned a task that I am stuck on.
Basically we use Google Apps for our mail, with Ironport being the gateway into our old legacy environment.
I need to get Ironport to redirect any email it receives for a specific recipient (a@example.com) to a specific host (n.example.com) on Port 25000 specifically.
The host is listening on that port for the incoming connection rather than port 25.
I have created an SMTP route on our Ironport appliance for n.example.com with its IP and also specified port 25000.
I have also added the domain example.com to the RAT on our appliance.
Basically the mail gets to the Ironport appliance, but then it's queued for delivery until it eventually expires. I am not sure what else I can try to get this working so any advice is appreciated.
Sorry for the trouble
Ash
02-05-2015 01:13 AM
Did you create a content filter ("Mail Policies -> Incoming Content Filters") with the appropriate condition and actions and is that filter active in your policy ("Mail Policies -> Incoming Mail Policies")?
Like the content filter condition being "Envelope Recipient is a@example.com" and the action being "Send to Alternate Destination Host n.example.com".
if (rcpt-to == "^a@example.com$") { alt-mailhost ("n.example.com"); }
Regards
Jens
02-05-2015 01:14 AM
Hi Jens
Thanks for the reply!
Yep, content filter was the first thing I tried, but the issue is that you can only specify the host but not the port to transfer it to. And thus it always just tries to connect on port 25, which the target server won't accept.
That is when I set up the SMTP route for the server's specific domain.
Ash
02-05-2015 01:25 AM
So as alt-mailhost you use the receiving domain name from the SMTP route pointing to the IP of n.example.com port 25000? That should work. At least it does here ;)
You can try to add another SMTP route like "redirect.a.example.com" with destination host n.example.com port 25000 and use this route as alt-mailhost in your content filter.
Regards
Jens
02-05-2015 03:30 AM
Hey Jens
Yep, that is the current setup. I set up the content filter and added it to the policy.
The policy takes all email addressed to abc@example.com and passes it to abc.different.com. abc.different.com is then defined as an smtp route to its IP on port 25000.
Message tracking shows the test message as queued for delivery :(
I can access the CLI for additional info if you can recommend anything to look for?
ash
02-05-2015 03:57 AM
Strange, we are using the exact same setup on different sites and it works perfectly.
Did you do a trace to check if the content filter really matches? ("System Administration -> Trace" or on the CLI "trace")
What do the logs say? On the CLI "findevent -t a@example.com mail_logs" should give you a list of message IDs matching the recipient. Then take one of the IDs and look at the log entries with "findevent -m ID mail_logs".
Regards
Jens
02-05-2015 04:33 AM
Here are the outputs from the findevent commands. As you can see it just says queued for delivery.
02-05-2015 04:39 AM
And the trace? It should tell you if the filter matches.
(You might want to anonymize the mail addresses ;)
02-05-2015 05:57 AM
Hi Jens
Ran the trace and it looks like the filter is not being applied. It is not mentioned anywhere in the trace results.
It accepts the email from Google (source) using my address as the envelope sender. Then it matches the target address in the RAT.
It doesn't say anything about it being picked up in an incoming policy.
Ash
02-05-2015 06:21 AM
Then make sure that the filter is used in the "Incoming" policy. You can check this in the "Content Filters" settings of the policy. The Content Filters overview should also tell you in which policies a filter is used. Should look something like this:
02-05-2015 05:58 PM
From your SMTP routes you set for this domain, can you show us what you've done here if that's alright?
EDIT: Just realised you're trying to re-route for a specific recipient and not the entire domain.
*scratches head* let me see what we can do.
Off the top of my head I was considering changing the recipient domain (re-write the recipient(?)) and use an SMTP route for this re-written recipient domain to use the SMTP route + required port. But this means the next hop needs to be able to allow it for this re-written recipient, as the alternate mail host rule would still make it fall on port 25 rather than 25000 from memory.
Thanks
02-05-2015 06:47 PM
Hi Jens
Yep I assigned the filter to incoming policy.
Matt,
SMTP route is defined as target.domain.com at IP (its internal IP) and Port 25000.
Basically the scenario is this:
I send an email to bob@firstdomain.com. A content filter is defined on the incoming policy to then grab any email sent to that address and change the recipient to bob@domain.com (ie: the domain defined in the SMTP route).
I don't add any other actions to the filter, as I thought from there it would act off its SMTP route.
Now what I see in the Ironport log is that it successfully picks up the content filter, creates a new message and adds the new recipient address, but then it just sits there as queued for delivery.
My email address is shown earlier in the thread, if you want I can send you the exact screens if you fancy dropping me a mail. Otherwise I can add the edited versions here?
Ash
02-05-2015 09:31 PM
Hey Ash,
On your system, run a 'hoststatus domain.com'. It should show the configured route for this host; if it's queued for delivery, it may display something here.
02-05-2015 09:46 PM
02-05-2015 09:49 PM
On a plus side, your filter + SMTP routes is working :)
OK, host is down so emails are stuck on queued for delivery.
What I would suggest you do now is...
CLI > deliveryconfig
Check what the delivery interface is set to.
If auto, then it would use the interface IP closest to your default gateway (setgateway).
If you only have 1 IP interface, then you can ignore the above.
Then I would like you to do
CLI > telnet <IP of the server> 25000
See the results.
If it's a connection refused or a timeout, it is likely there are no routes available from your ESA's delivery interface to the destination IP.
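
The telnet test in the reply above, as a scripted check. This is an added example and not part of the original thread. It separates "refused" from "timeout" and also confirms that whatever answers on port 25000 greets with an SMTP 220 banner. It assumes it is run from a host on the same network path as the ESA's delivery interface; the function name `probe_smtp` and the status labels are made up for this illustration.

```python
import socket
import sys


def probe_smtp(host, port=25000, timeout=5.0):
    """Try one TCP connect and read the SMTP greeting.

    Returns (status, detail) where status is one of:
    ok, refused, timeout, unreachable, no-banner, not-smtp.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # The host answered with a reset: it is reachable, but no
        # service is bound to this port (or a firewall rejects it).
        return ("refused", "host reachable, nothing listening on this port")
    except socket.timeout:
        # No answer at all: missing route or a firewall silently dropping.
        return ("timeout", "no answer: routing or a firewall dropping packets")
    except OSError as exc:
        # DNS failure, no route to host, network unreachable, ...
        return ("unreachable", str(exc))

    with sock:
        try:
            banner = sock.recv(512).decode("ascii", "replace").strip()
        except socket.timeout:
            return ("no-banner", "connected, but no SMTP greeting arrived")

    # An SMTP server must open the session with a 220 reply.
    if banner.startswith("220"):
        return ("ok", banner)
    return ("not-smtp", banner)


if __name__ == "__main__":
    # Usage: python probe.py <IP of the server> [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25000
    print(probe_smtp(target, target_port))
```

A result of "refused" or "timeout" here matches the two telnet outcomes named in the reply; "not-smtp" or "no-banner" means the port is open but the listener is not behaving like a mail server.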