06-01-2016 12:39 AM
Dear Team
Please address the following queries related to Ironport.
Query 1: How can we see the queue status in Ironport and manually clear it (if possible)? System capacity only shows queue size.
There are instances when Ironport shows many messages in the queue and the system admin wants to check them.
Query 2: for incoming default policy, for positive spams, we have the following 4 mutually exclusive options, of which only 1 can be selected.
Drop
Deliver
Spam Quarantine
Bounce
Is it possible by any means that both Drop & Spam Quarantine options can be selected? The feature exists on the existing email gateway.
Any inputs will be highly appreciated.
Thanks
Ahad
06-01-2016 01:22 AM
Hello Ahad,
For your query 1)
You can use "Status Detail" to see how many emails are in the Delivery or Workqueue.
To audit the delivery queue you can use showrecipients.
For workqueue values, you will need to check what emails are coming through the ESA to try to audit the workqueue (creative use of mail_logs).
This article will help with troubleshooting and also gives a solution to remove emails depending on the queue it's impacting: http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/200030-Troubleshoot-unwanted-outbound-emails-on.html
For query 2) You can only select one of the 4.
Otherwise, you can set it to "Spam Quarantine" and it will flag the email as a quarantine, and pass it through the rest of the workqueue before quarantining, so you can then run a Content filter to match some conditions to drop the entire email if you like. Otherwise, if it passes through all content filters, it will end up in the quarantine.
Regards,
Matthew
06-01-2016 02:34 AM
06-01-2016 04:04 PM
Hello Ahad,
Yes, it will attribute to capacity space used and also show mails in queue on the status detail command.
If you run deliver now and it's failing, you could tail mail_logs at the time you run that command to see what is causing the failures.
Chances are your ESA is unable to reach their MX records, or other soft bounce errors.
If you deem these emails as invalid and you do not wish to keep them, they will hard bounce eventually or you can use deleterecipients to forcefully remove them.
Regards,
Matthew
06-01-2016 01:23 AM
Hi, regarding your queries:
Query 1: Use the following two commands: workqueue (to check the e-mails that are pending in the workqueue) and delivernow (allows you to reschedule email in the queue for immediate delivery).
Query 2: This can be done. To do so, please follow these steps, setting the anti-spam engine on the mail policy and the incoming content filter.
"Set the action for spam e-mail as deliver and add the header from the advanced settings" check the screenshot
And create the following incoming filter and assign it to the policy in question "or you can do this for the default policy and then inherit the settings to all other policies this way the effect will be on all incoming mail policies"
"using the quarantine action with enabling the Duplicate message option" and using the exist option for the header condition.
I did a test and it is working as intended "mail_logs":
Regards
Raed
06-01-2016 01:44 AM
This will send the e-mails to Policy quarantine; I didn't notice that you wrote spam quarantine.
06-01-2016 01:57 AM
In case you want to send them to the spam quarantine, you could follow Matthew's suggestion by setting the action to quarantine and then release them and take action based on the CASE engine headers to drop the e-mail from content filters.
06-01-2016 02:35 AM
Dear Raed
Thanks for your kind response, will check accordingly.
Ahad