11-16-2010 09:26 AM
Independent contractor is e-mailing reports (about 120K) inbound from personal Yahoo account. Our C160 reports repeated "Receiving aborted by sender" errors. Version 7.01-010
Our timeouts are huge (10 minutes on reject, 30 minutes on accept). This is also early in the morning.
Our Internet pipe is 45Mbit/sec, and not near full. PIX 525 isn't under a strain either. Messages eventually come through, but only after many retries.
Anyone have any clues about this?
Obfuscated config file attached for the really curious.
11-17-2010 06:05 AM
Greetings,
The best place to start with this issue would be to enable the injection debug logs. This will allow you to view the entire SMTP conversation between your appliance and the sending domain. You can enable the injection debug logs from the CLI.
With "Injection Debug Logs," you can trace the entire SMTP conversation between your ESA and the incoming connecting server.
Each line within the Injection Debug Logs outlines data sent and received during the SMTP conversation.
To enable the Injection Debug Logs in the GUI
1. System Administration > Log Subscriptions
2. Select "Add log subscription..."
3. In the log type, select "Injection Debug Logs" and fill out the rest of the fields.
Note: The number of SMTP sessions should be between 1-25.
To enable the Injection Debug Logs in the CLI
1. Enter the command logconfig > new.
2. Select "Injection Debug Logs."
3. Enter a name for this log (e.g. debugging_example).
4. Enter the hostname, IP address or block of IP addresses for which you want to record injection debug information (e.g. mail1.example.com).
5. You will be asked for the number of SMTP sessions you want to record for this domain. A value between 1-25 is fine.
6. Enter the method to retrieve the logs. FTP Poll is fine.
7. Enter the filename. The default is fine.
8. Select the remaining defaults.
The "Injection Debug Log" and "Domain Debug Log" are similar to the mail_logs. You can use the "grep" and "tail" commands on them.
Below is an example of what an Injection Debug Log looks like when the ESA accepts mail from a server.
Sent to '10.251.21.203': '220 ironportappliance ESMTP\r\n'
Rcvd from '10.251.21.203': 'EHLO outgoing.example.com\r\n'
Sent to '10.251.21.203': '250-nibbles.run\r\n250-8BITMIME\r\n250 SIZE 104857600\r\n'
Rcvd from '10.251.21.203': 'MAIL FROM:<jsmith@example.com>\r\n'
Sent to '10.251.21.203': '250 sender <jsmith@example.com> ok\r\n'
Rcvd from '10.251.21.203': 'RCPT TO:<test@example.org>\r\n'
Sent to '10.251.21.203': '250 recipient <test@example.org>ok\r\n'
Rcvd from '10.251.21.203': 'DATA\r\n'
Sent to '10.251.21.203': '354 go ahead\r\n'
Rcvd from '10.251.21.203': 'To: "test@example.org" <test@example.org>\r\nSubject: 12:14pm - test\r\nFrom: Hotel_Users <jsmith@example.com>\r\nContent-Type: text/plain; format=flowed; delsp=yes; charset=iso-8859-15\r\nMIME-Version: 1.0\r\nContent-Transfer-Encoding: 7bit\r\nDate: Tue, 09 Jan 2007 12:14:35 -0800\r\nMessage-ID: <op.tlwk6lvgwomlp4@outgoing.example.com>\r\nUser-Agent: Opera Mail/9.10 (Win32)\r\n\r\ntest\r\n'
Rcvd from '10.251.21.203': '\r\n.\r\n'
Sent to '10.251.21.203': '250 ok: Message 270 accepted\r\n'
Rcvd from '10.251.21.203': 'QUIT\r\n'
Sent to '10.251.21.203': '221 nibbles.run\r\n'
This should help in making a more accurate analysis of the inbound traffic.
Christopher C Smith
CSE
Cisco IronPort Customer Support
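An added example, not part of the original post or of Cisco's tooling: a small Python parser for the log format shown above that splits a retrieved Injection Debug Log into SMTP sessions and reports which ones stopped inside DATA, the pattern to look for when chasing "Receiving aborted by sender" errors. The function name `summarize_sessions` and the sample lines are constructed for illustration. It assumes each session opens with the appliance's 220 greeting (a 220 reply to STARTTLS would also match) and that a session with no final reply in the log ended there.

```python
import re

# Line format as shown in the post; a leading timestamp, if present, is ignored.
LINE_RE = re.compile(r"(Sent to|Rcvd from) '([^']*)': '(.*)'\s*$")

def summarize_sessions(lines):
    """Split an Injection Debug Log into SMTP sessions and classify each one."""
    sessions, current = [], {}
    for m in filter(None, map(LINE_RE.search, lines)):
        direction, peer, raw = m.groups()
        # The log prints CR/LF as the two-character escapes \r and \n.
        payload = raw.replace("\\r", "\r").replace("\\n", "\n")
        sent, s = direction == "Sent to", current.get(peer)
        if sent and payload.startswith("220"):
            # Assumption: every session opens with the appliance's 220 greeting.
            s = current[peer] = {"peer": peer, "stage": "envelope",
                                 "data_bytes": 0, "tail": "", "outcome": None}
            sessions.append(s)
        elif s is None:
            continue
        elif not sent and s["stage"] == "in_data":
            s["data_bytes"] += len(payload)
            s["tail"] = (s["tail"] + payload)[-5:]
            if s["tail"] == "\r\n.\r\n":  # end-of-data marker arrived
                s["stage"] = "data_done"
        elif sent and payload.startswith("354"):
            s["stage"], s["outcome"], s["tail"] = "in_data", None, "\r\n"
        elif sent and payload.startswith("250") and s["stage"] == "data_done":
            s["outcome"] = "accepted"
        elif sent and payload[:1] in ("4", "5") and s["outcome"] is None:
            s["outcome"] = "rejected " + payload[:3]
    for s in sessions:  # no final reply logged: the sender stopped mid-session
        s["outcome"] = s["outcome"] or (
            "aborted_in_data" if s["stage"] == "in_data" else "ended_before_data")
    return sessions

# Constructed sample in the post's format (192.0.2.10 is a documentation address).
ENVELOPE = r"""Sent to '192.0.2.10': '220 ironportappliance ESMTP\r\n'
Rcvd from '192.0.2.10': 'MAIL FROM:<jsmith@example.com>\r\n'
Sent to '192.0.2.10': '250 sender <jsmith@example.com> ok\r\n'
Rcvd from '192.0.2.10': 'RCPT TO:<test@example.org>\r\n'
Sent to '192.0.2.10': '250 recipient <test@example.org> ok\r\n'
Rcvd from '192.0.2.10': 'DATA\r\n'
Sent to '192.0.2.10': '354 go ahead\r\n'
"""
SAMPLE = (ENVELOPE + r"""Rcvd from '192.0.2.10': 'Subject: report\r\n\r\npartial body'
""" + ENVELOPE + r"""Rcvd from '192.0.2.10': 'Subject: report\r\n\r\nfull body\r\n.\r\n'
Sent to '192.0.2.10': '250 ok: Message 270 accepted\r\n'
""").splitlines()
```

Comparing `data_bytes` across the aborted retries of one message shows whether the transfer always stalls at about the same offset or at random points.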
11-18-2010 12:09 PM
Hi,
csmith is on track regarding the debug logs. Out of curiosity, you mention that you use a PIX firewall. Do you happen to have [E]SMTP Inspection enabled? It would be worth a check to see if it's enabled.
The Cisco IronPort email gateways are inherently e-mail firewalls. This obsoletes the need for an upstream firewall, such as a Cisco PIX or ASA, to inspect mail traffic to and from an ESA. It is suggested to disable the ESMTP Application Inspection features on the firewall for any IronPort appliance host addresses. By default, ESMTP protocol inspection is enabled for all connections passing through the Cisco firewalls. This means that all commands issued between mail gateways via TCP port 25, as well as individual message headers, are analyzed to adhere strictly to RFC specifications (RFCs 821, 1123, 1870). There are defined default values for maximum number of recipients and message sizes that may cause issues with delivery to and from your ESA in some cases.
-whardison
11-26-2010 01:50 PM
I'd suggest that although it might be a good idea to drop the ESMTP inspection*, there's still some mileage in handing off manual entries that would otherwise go into the BLACKLIST to an upstream firewall. Is the C-class engine so efficient that it can handle an unlimited number of entries? If not, what is the maximum recommended number of manual entries in sender groups for the current models? The question assumes routine junk mail rather than an outright DoS attack. (I don't think we'll apply that label to Yahoo just yet.)
* RFC pickiness used to be an issue on znvyfjrrcre too; I must confess that I used to say fsck 'em.