Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3396
Views
0
Helpful
3
Replies

Problems receiving e-mail from Yahoo

Go to solution
mitchrussell42
Level 1
Level 1

‎11-16-2010 09:26 AM

Independent contractor is e-mailing reports (about 120K) inbound from personal Yahoo account. Our C160 reports repeated "Receiving aborted by sender" errors. Version 7.01-010

Our timeouts are huge (10 minutes on reject, 30 minutes on accept). This is also early in the morning.

Our Internet pipe is 45Mbit/sec, and not near full. PIX 525 isn't under a strain either. Messages eventually come through, but only after many retries.

Any one have any clues about this?

Obfuscated config file attached for the really curious.

Labels:
Preview file
318 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Christopher Smith
Level 4
Level 4

‎11-17-2010 06:05 AM

Greetings,

The best place to start with this issue would be to enable the injection debug logs. This will allow you to view the entire smtp conversation between your appliance and the sending domain. You can enable the injection debug logs from the CLI.

With "Injection Debug Logs," you can trace the entire SMTP conversation between your ESA and the incoming connecting server.

Each line within an Injection Debug Logs outlines data sent and received during the SMTP conversation.

To enable the Injection Debug Logs in the GUI
1.  System Administration > Log Subscriptions
2.  Select "Add log subscription..."
3.  In the log type, select "Injection Debug Logs" and fill out the rest of the fields.

Note:

  • CIDR addresses such as 10.1.1.0/24 are allowed
  • IP address ranges such as 10.1.1.10-20 are allowed, as are IP subnets such as 10.2.3
  • Hostnames  and wildcards, hostnames such as crm.example.com are allowed (but not  example.com) and wildcards should be expressed as .example.com (without  an asterisk). When tracing incoming email the host name should match the  sender host, when tracing outgoing email the host name should match the  internal host name(s).

4.  The number of SMTP sessions should be between 1-25.

To enable the Injection Debug Logs in the CLI
1. Enter the command logconfig > new.
2. Select "Injection Debug Logs."
3. Enter a name for this log (i.e. debugging_example)
4.  Enter the hostname, IP address or block of IP addresses for which you  want to record injection debug information. (i.e. mail1.example.com)
5. You will be asked for the number of SMTP sessions you want to record for this domain.   A value between 1-25 is fine.
6. Enter the method to retrieve the logs. FTP Poll is fine.
7. Enter the filename. The default is fine.
8. Select the remaining defaults.

Below is an example of what an Injection Debug Logs looks like when the ESA accepts mail from a server.
The  "Injection Debug Log" and"Domain Debug Log" are similar to the  mail_logs. You can use the "grep" and "tail" commands on them.

Sent to '10.251.21.203': '220 ironportappliance ESMTP\r\n'
Rcvd from '10.251.21.203': 'EHLO outgoing.example.com\r\n'
Sent to '10.251.21.203': '250-nibbles.run\r\n250-8BITMIME\r\n250 SIZE 104857600\r\n'
Rcvd from '10.251.21.203': 'MAIL FROM:<jsmith@example.com>\r\n'
Sent to '10.251.21.203': '250 sender <jsmith@example.com> ok\r\n'
Rcvd from '10.251.21.203': 'RCPT TO:<test@example.org>\r\n'
Sent to '10.251.21.203': '250 recipient <test@example.org>ok\r\n'
Rcvd from '10.251.21.203': 'DATA\r\n'
Sent to '10.251.21.203': '354 go ahead\r\n'
Rcvd  from '10.251.21.203': 'To: "test@example.org"  <test@example.org>\r\nSubject: 12:14pm - test\r\nFrom: Hotel_Users  <jsmith@example.com>\r\nContent-Type: text/plain; format=flowed;  delsp=yes; charset=iso-8859-15\r\nMIME-Version:  1.0\r\nContent-Transfer-Encoding: 7bit\r\nDate: Tue, 09 Jan 2007  12:14:35 -0800\r\nMessage-ID:  <op.tlwk6lvgwomlp4@outgoing.example.com>\r\nUser-Agent: Opera  Mail/9.10 (Win32)\r\n\r\ntest\r\n'
Rcvd from '10.251.21.203': '\r\n.\r\n'
Sent to '10.251.21.203': '250 ok: Message 270 accepted\r\n'
Rcvd from '10.251.21.203': 'QUIT\r\n'
Sent to '10.251.21.203': '221 nibbles.run\r\n'

This should help in making a more accurate analysis of the inbound traffic.

Christopher C Smith
CSE

Cisco IronPort Customer Support 

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Christopher Smith
Level 4
Level 4

‎11-17-2010 06:05 AM

Greetings,

The best place to start with this issue would be to enable the injection debug logs. This will allow you to view the entire smtp conversation between your appliance and the sending domain. You can enable the injection debug logs from the CLI.

With "Injection Debug Logs," you can trace the entire SMTP conversation between your ESA and the incoming connecting server.

Each line within an Injection Debug Logs outlines data sent and received during the SMTP conversation.

To enable the Injection Debug Logs in the GUI
1.  System Administration > Log Subscriptions
2.  Select "Add log subscription..."
3.  In the log type, select "Injection Debug Logs" and fill out the rest of the fields.

Note:

  • CIDR addresses such as 10.1.1.0/24 are allowed
  • IP address ranges such as 10.1.1.10-20 are allowed, as are IP subnets such as 10.2.3
  • Hostnames  and wildcards, hostnames such as crm.example.com are allowed (but not  example.com) and wildcards should be expressed as .example.com (without  an asterisk). When tracing incoming email the host name should match the  sender host, when tracing outgoing email the host name should match the  internal host name(s).

4.  The number of SMTP sessions should be between 1-25.

To enable the Injection Debug Logs in the CLI
1. Enter the command logconfig > new.
2. Select "Injection Debug Logs."
3. Enter a name for this log (i.e. debugging_example)
4.  Enter the hostname, IP address or block of IP addresses for which you  want to record injection debug information. (i.e. mail1.example.com)
5. You will be asked for the number of SMTP sessions you want to record for this domain.   A value between 1-25 is fine.
6. Enter the method to retrieve the logs. FTP Poll is fine.
7. Enter the filename. The default is fine.
8. Select the remaining defaults.

Below is an example of what an Injection Debug Logs looks like when the ESA accepts mail from a server.
The  "Injection Debug Log" and"Domain Debug Log" are similar to the  mail_logs. You can use the "grep" and "tail" commands on them.

Sent to '10.251.21.203': '220 ironportappliance ESMTP\r\n'
Rcvd from '10.251.21.203': 'EHLO outgoing.example.com\r\n'
Sent to '10.251.21.203': '250-nibbles.run\r\n250-8BITMIME\r\n250 SIZE 104857600\r\n'
Rcvd from '10.251.21.203': 'MAIL FROM:<jsmith@example.com>\r\n'
Sent to '10.251.21.203': '250 sender <jsmith@example.com> ok\r\n'
Rcvd from '10.251.21.203': 'RCPT TO:<test@example.org>\r\n'
Sent to '10.251.21.203': '250 recipient <test@example.org>ok\r\n'
Rcvd from '10.251.21.203': 'DATA\r\n'
Sent to '10.251.21.203': '354 go ahead\r\n'
Rcvd  from '10.251.21.203': 'To: "test@example.org"  <test@example.org>\r\nSubject: 12:14pm - test\r\nFrom: Hotel_Users  <jsmith@example.com>\r\nContent-Type: text/plain; format=flowed;  delsp=yes; charset=iso-8859-15\r\nMIME-Version:  1.0\r\nContent-Transfer-Encoding: 7bit\r\nDate: Tue, 09 Jan 2007  12:14:35 -0800\r\nMessage-ID:  <op.tlwk6lvgwomlp4@outgoing.example.com>\r\nUser-Agent: Opera  Mail/9.10 (Win32)\r\n\r\ntest\r\n'
Rcvd from '10.251.21.203': '\r\n.\r\n'
Sent to '10.251.21.203': '250 ok: Message 270 accepted\r\n'
Rcvd from '10.251.21.203': 'QUIT\r\n'
Sent to '10.251.21.203': '221 nibbles.run\r\n'

This should help in making a more accurate analysis of the inbound traffic.

Christopher C Smith
CSE

Cisco IronPort Customer Support 

0 Helpful

Go to solution
Douglas Hardison
Cisco Employee
Cisco Employee

‎11-18-2010 12:09 PM

Hi,

     csmith is on track regarding the debug logs. Out of curiosity, you mention that you use a PIX firewall. Do you happen to have [E]SMTP Inspection enabled? It would be worth a check to see if it's enabled.

     The Cisco IronPort email gateways are inherently e-mail firewalls.  This  obsoletes the need for an upstream firewall, such as a Cisco PIX or  ASA, to inspect mail traffic to and from an ESA.  It is suggested to  disable the ESMTP Application Inspection features on the firewall for  any IronPort appliance host addresses.  By default, ESMTP protocol  inspection is enabled for all connections passing through the Cisco  firewalls.  This means that all commands issued between mail gateways  via TCP port 25, as well as individual message headers, are analyzed to  adhere strictly to RFC specifications (RFC's 821, 1123, 1870).  There  are defined default values for maximum number of recipients and message  sizes that may cause issues with delivery to and from your ESA in some  cases.

-whardison

0 Helpful

Go to solution
exMSW4319
Level 3
Level 3
In response to Douglas Hardison

‎11-26-2010 01:50 PM

I'd suggest that although it might be a good idea to drop the ESTMP inspection*, there's still some mileage in handing off manual entries that would otherwise go into the BLACKLIST to an upstream firewall. Is the C-class engine so efficient that it can handle an unlimited number of entries? If not, what are the maximum recommended number of manual entries in sender groups for the current models? The question assumes routine junk mail rather than an outright DoS attack. (I don't think we'll apply that label to Yahoo just yet.)

* RFC pickiness used to be an issue on znvyfjrrcre too; I must confess that I used to say fsck 'em.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents