Hello Mathew

MANSOORQ123 · ‎06-01-2016

Dear Team

Please address the following queries related to Ironport.

Query 1: how we can see the queue status in Ironport and manually clear it (if possible). System capacity only shows queue size.

There are instances when ironport shows many message in queue and system admin wants to check them..

Query 2: for incoming default policy, for positive spams, we have the following 4 mutually exclusive options, of which only 1 can be selected.

Drop

Deliver

Spam Quarantine

Bounce

is it possible by any means that both Drop & Spam Quarantine options can be selected. the feature exists on the existing email gateway.

Any inputs will be highly appreciated.

Thanks

Ahad

Mathew Huynh · ‎06-01-2016

Hello Ahad,

For your query 1)

You can use "Status Detail" to see how many emails are in the Delivery or Workqueue

To audit the delivery queue you can use showrecipients

For workqueue values, you will need to check what emails are coming through the ESA to try to audit the workqueue (creative use of mail_logs).

This article will help allow troubleshooting and also solution to remove emails depending on the queue it's impacting: http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/200030-Troubleshoot-unwanted-outbound-emails-on.html

For query 2) You can only select one of the 4.

Else you can set to "Spam Quarantine" and it will flag the email as a quarantine, and pass it through the rest of the workqueue before quarantining, so you can then run a Content filter to match some conditions to drop the entire email if you like, otherwise if it passes through all content filters, it will end up in the quarantine.

Regards,

Matthew

MANSOORQ123 · ‎06-01-2016

Hello Mathew

when I enter workqueue, I see no message, but when I do showrecipients it shows some message. attached logs might help.

Further I run "delivernow' command to deliver the message but they still show up in queue.

what could attribute this behavior.

Mathew Huynh · ‎06-01-2016

Hello Ahad,

Yes it will attribute to capacity space used and also show mails in queue on the status detail command.

if you run deliver now and it's failing, you could tail mail_logs at the time you run that command to see what is causing the failures.

Chances are your ESA is unable to reach their MX records, or other soft bounce errors.

If you deem these emails as invalid and you do not wish to keep it, they will hard bounce eventually or you can use deleterecipients to forcefully remove it.

Regards,

Matthew

Raed Boshmaf · ‎06-01-2016

Hi, Regarding your queries;

Query1: use the following two commands workqueue (to check the e-mails that are pending in the workqueue) and delivernow (allows you to reschedule email in the queue for immediate delivery)

Query2: This can be done, to do so please follow these steps with setting the anti-spam engine on the mail policy and the incoming content filter.

"Set the action for spam e-mail as deliver and add the header from the advanced settings" check the screenshot

And create the following incoming filter and assign it to the policy in question "or you can do this for the default policy and then inherit the settings to all other policies this way the effect will be on all incoming mail policies"

"using the quarantine action with enabling the Duplicate message option" and using the exist option for the header condition .

I did a test and it is working as intended "mail_logs":

Regards

Raed

Raed Boshmaf · ‎06-01-2016

This will send the e-mails to Policy quarantine, i didn't notice that you wrote spam quarantine.

Raed Boshmaf · ‎06-01-2016

in case you want to send them to the spam quarantine you could follow Mathew's suggestion by setting the action to quarantine and then release them and take action based on the CASE engine headers to drop the e-mail from content filters

MANSOORQ123 · ‎06-01-2016

Dear Raed

Thanks for your kind response, will check accordingly.

Ahad

Ironport Queries