Message splintering

Tony Kilbarger
Level 1

I have a question involving splintering. We have two groups (clusters) of Ironport gateways. When an email comes to the first set, if it is to one of our internal domains, then it gets routed by an SMTP route to an MX name that is our internal email system. If it is not to one of those domains, then the "All Other Domains" SMTP route defines each host in our other cluster of Ironports. The issue is if an email has recipients in two separate domains (for example, gmail.com and yahoo.com), even though they both match the "All Other Domains" route, the message is getting splintered into one copy per domain. I guess my question is why it is behaving that way and splintering a message going to the same next hop. I could swear that in the past this was not occurring, but I cannot prove that. We are running a mix of 380 and 680's on 9.7.1.

Thanks for all input.


Libin Varghese
Cisco Employee

Hi Tony,

The IronPort device will give each recipient a different RID (Recipient ID) number but they will all be part of the same MID unless the message is splintered by the Incoming or Outgoing Mail Policies.

For example, a message is sent to user1@example.net, user2@test.test and user3@example.com. The mail log entries would be as follows:

Thu May 22 17:33:27 2016 Info: MID 2 ICID 2 From: <bob@example.com>
Thu May 22 17:33:27 2016 Info: MID 2 ICID 2 RID 0 To: <user1@example.net>
Thu May 22 17:33:28 2016 Info: MID 2 ICID 2 RID 1 To: <user2@test.test>
Thu May 22 17:33:28 2016 Info: MID 2 ICID 2 RID 2 To: <user3@example.com>
Thu May 22 17:33:28 2016 Info: MID 2 Message-ID '<4835AE8C.9050902@example.com>'
Thu May 22 17:33:28 2016 Info: MID 2 Subject 'test 2'
Thu May 22 17:33:28 2016 Info: MID 2 ready 499 bytes from <bob@example.com>
Thu May 22 17:33:28 2016 Info: MID 2 matched all recipients for per-recipient policy DEFAULT in the outbound table
Thu May 22 17:33:28 2016 Info: MID 2 queued for delivery
Thu May 22 17:33:28 2016 Info: New SMTP DCID 5 interface 10.10.1.10 address 10.1.1.11 port 25
Thu May 22 17:33:28 2016 Info: ICID 2 close
Thu May 22 17:33:28 2016 Info: New SMTP DCID 4 interface 10.10.1.10 address 206.190.53.191 port 25
Thu May 22 17:33:28 2016 Info: New SMTP DCID 6 interface 10.10.1.10 address 72.14.253.27 port 25
Thu May 22 17:33:28 2016 Info: Delivery start DCID 6 MID 2 to RID [2]
Thu May 22 17:33:28 2016 Info: Delivery start DCID 5 MID 2 to RID [0]
Thu May 22 17:33:28 2016 Info: Message done DCID 5 MID 2 to RID [0]
Thu May 22 17:33:28 2016 Info: MID 2 RID [0] Response 'ok: Message 78200469 accepted'
Thu May 22 17:33:29 2016 Info: Delivery start DCID 4 MID 2 to RID [1]
Thu May 22 17:33:30 2016 Info: Message done DCID 4 MID 2 to RID [1]
Thu May 22 17:33:30 2016 Info: MID 2 RID [1] Response 'ok dirdel'
Thu May 22 17:33:31 2016 Info: Message done DCID 6 MID 2 to RID [2]
Thu May 22 17:33:31 2016 Info: MID 2 RID [2] Response '2.0.0 OK 1211477677 t1si5605036poh.9'
Thu May 22 17:33:31 2016 Info: Message finished MID 2 done
Thu May 22 17:33:33 2016 Info: DCID 5 close
Thu May 22 17:33:35 2016 Info: DCID 4 close
Thu May 22 17:33:36 2016 Info: DCID 6 close

If the same SMTP route is matched, then each DCID would deliver it separately on a separate connection; these separate connections would be what you are seeing as splintered emails on the next hop.

However, if you have RID 0 and 1 for the same domain then a single DCID would have been used. This behavior has been in place for quite a few years.

Thanks
Libin Varghese

That does appear to be what we are seeing. I guess I had hoped that even though the domain was different, since the same SMTP route is matched it would only send the one copy. Here is a sample from our server with the addresses and some host names altered to protect the innocent:

Oct 27 16:42:24 Info: New SMTP DCID 15383960 interface 10.93.150.34 address 10.93.22.16 port 25
Oct 27 16:42:39 Info: New SMTP ICID 36475216 interface Data 1 (10.93.150.34) address 10.18.9.1 reverse dns host blah.blah.net verified yes
Oct 27 16:42:39 Info: ICID 36475216 ACCEPT SG REGISTERED_APPS match blah.blah.net SBRS not enabled
Oct 27 16:42:39 Info: Start MID 64342598 ICID 36475216
Oct 27 16:42:39 Info: MID 64342598 ICID 36475216 From: <user@ourdomain.com>
Oct 27 16:42:39 Info: MID 64342598 ICID 36475216 RID 0 To: <user@yahoo.com>
Oct 27 16:42:39 Info: MID 64342598 ICID 36475216 RID 1 To: <user@gmail.com>
Oct 27 16:42:39 Info: MID 64342598 Message-ID '<CY1PR07MB22979E6B76CD2229D3AE96E696AA0@CY1PR07MB2297.namprd07.prod.outlook.com>'
Oct 27 16:42:39 Info: MID 64342598 Subject 'Some Subject'
Oct 27 16:42:39 Info: MID 64342598 ready 1273156 bytes from <user@ourdomain.com>
Oct 27 16:42:39 Info: MID 64342598 matched all recipients for per-recipient policy DEFAULT in the inbound table
Oct 27 16:42:39 Info: MID 64342598 queued for delivery
Oct 27 16:42:39 Info: Delivery start DCID 15383960 MID 64342598 to RID [1]
Oct 27 16:42:39 Info: ICID 36475216 close
Oct 27 16:42:39 Info: New SMTP DCID 15383994 interface 10.93.150.34 address 10.93.22.17 port 25
Oct 27 16:42:39 Info: Delivery start DCID 15383994 MID 64342598 to RID [0]
Oct 27 16:42:39 Info: Message done DCID 15383960 MID 64342598 to RID [1]
Oct 27 16:42:39 Info: MID 64342598 RID [1] Response 'ok: Message 54631624 accepted'
Oct 27 16:42:39 Info: Message done DCID 15383994 MID 64342598 to RID [0]
Oct 27 16:42:39 Info: MID 64342598 RID [0] Response 'ok: Message 52940178 accepted'
Oct 27 16:42:39 Info: Message finished MID 64342598 done
Oct 27 16:42:45 Info: DCID 15383960 close
Oct 27 16:42:48 Info: DCID 15383994 close

As you can see, it delivered it using two separate connections, actually to two different hosts. The issue we have is another system we have monitoring email traffic is seeing this as two separate emails, even though it is really (from a logical perspective) one email to two recipients.

So it appears there is no way to change this behaviour? It seems it would behave more like, say, Domino or Exchange. If one of our users sends email to multiple people, Domino or Exchange sends it as our routing specifies to our Ironport cluster, but even if it is to multiple recipients, only one copy since the route is the same.

Hi Tony,

If the emails are destined for different domains and destinations, the appliance will have to open separate DCIDs even if the next hop may be the same; this is because the destinations will require different parameters which may need to be applied per domain.

Each DCID is generated after a connection has been made to accept emails for that particular domain; it is unique to each connection for delivery.

For instance, if an email had recipients for both Yahoo and Gmail:

If, for example, Gmail requires TLS and Yahoo is rate limited, it cannot be handled in the same connection even if it was to the same next hop. The parameters and actions put on the connections will be different by domain, so the appliance separates this into two unique DCIDs, as you see.

This cannot be changed on the appliance. Hope this explains it a bit better.

Thanks
Libin
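
Both log excerpts in the thread show one MID carried over several DCIDs, so a monitor that counts one message per delivery connection can be reconciled by grouping on MID. The following is an added example, not code from any poster or from Cisco: the function names are hypothetical, the sample input is condensed from the second excerpt above, and the multi-recipient bracket form `RID [0, 1]` is an assumption.

```python
import re
from collections import defaultdict

# Sample input: lines condensed from the second log excerpt in the thread.
SAMPLE_LOG = """\
Oct 27 16:42:24 Info: New SMTP DCID 15383960 interface 10.93.150.34 address 10.93.22.16 port 25
Oct 27 16:42:39 Info: MID 64342598 ICID 36475216 From: <user@ourdomain.com>
Oct 27 16:42:39 Info: MID 64342598 ICID 36475216 RID 0 To: <user@yahoo.com>
Oct 27 16:42:39 Info: MID 64342598 ICID 36475216 RID 1 To: <user@gmail.com>
Oct 27 16:42:39 Info: Delivery start DCID 15383960 MID 64342598 to RID [1]
Oct 27 16:42:39 Info: New SMTP DCID 15383994 interface 10.93.150.34 address 10.93.22.17 port 25
Oct 27 16:42:39 Info: Delivery start DCID 15383994 MID 64342598 to RID [0]
Oct 27 16:42:39 Info: Message done DCID 15383960 MID 64342598 to RID [1]
Oct 27 16:42:39 Info: Message done DCID 15383994 MID 64342598 to RID [0]
"""

RE_FROM = re.compile(r"MID (\d+) ICID \d+ From: <([^>]*)>")
RE_RCPT = re.compile(r"MID (\d+) ICID \d+ RID (\d+) To: <([^>]*)>")
RE_DCID = re.compile(r"New SMTP DCID (\d+) interface \S+ address (\S+) port \d+")
# Assumption: several recipients on one connection appear as "RID [0, 1]".
RE_DELIV = re.compile(
    r"(Delivery start|Message done) DCID (\d+) MID (\d+) to RID \[([\d, ]+)\]")

def correlate(log_text):
    """Group delivery connections (DCIDs) under the MID they carry."""
    hops = {}  # DCID -> next-hop address taken from the "New SMTP DCID" line
    msgs = defaultdict(lambda: {"from": None, "rcpts": {}, "deliveries": {}})
    for line in log_text.splitlines():
        if m := RE_DCID.search(line):
            hops[m[1]] = m[2]
        elif m := RE_RCPT.search(line):
            msgs[m[1]]["rcpts"][int(m[2])] = m[3]
        elif m := RE_FROM.search(line):
            msgs[m[1]]["from"] = m[2]
        elif m := RE_DELIV.search(line):
            event, dcid, mid, rids = m.groups()
            d = msgs[mid]["deliveries"].setdefault(
                dcid, {"hop": hops.get(dcid), "rids": set(), "done": False})
            d["rids"].update(int(r) for r in rids.split(","))
            d["done"] = d["done"] or event == "Message done"
    return dict(msgs)

def summarize(msgs):
    """One row per logical message: (MID, sender, recipients, connections)."""
    return [(mid, m["from"], len(m["rcpts"]), len(m["deliveries"]))
            for mid, m in sorted(msgs.items())]

if __name__ == "__main__":
    for row in summarize(correlate(SAMPLE_LOG)):
        print("MID %s from %s: %d recipients over %d connections" % row)
```

Where the monitor sits downstream and only sees the delivered copies, the Message-ID header logged per MID is the value the copies share.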