
Q - email workflow - pipeline for bounced messages.

hi all,

I'm trying to figure out the pipeline when the ESA gets a bounce for a non-existent user.

The thing is that:

- a client from my domain (user1@domain.com) wants to send an email to a user in a different domain (let's call him imaginary@dest.com)

- outgoing content filters are applied for this communication as the following table:

1 Add/Edit Header insert-header("Return-Receipt-To", "<user2@domain.com>")
2 Add/Edit Header edit-header-text("Return-Path", "user1@domain.com", "<user2@domain.com>")
3 Add/Edit Header insert-header("Disposition-Notification-To", "<user2@domain.com>")
4 Add/Edit Header edit-header-text("From", "TEST1 <user1@domain.com>", "TEST2 <user2@domain.com>")
5 Add/Edit Header insert-header("Envelope-FROM", "<user2@domain.com>")
6 Send Copy (Bcc:) bcc ("<user2@domain.com>", "$Subject")

which in general says: replace the mail-from for this outgoing mail.

user2@domain.com is receiving the copy, which is correct (rule 6), and all headers are replaced accordingly.

I want the bounce message to hit user2@domain.com, not the original user1@domain.com.

Is the ESA keeping some kind of cache saying that this bounce should hit the original message? Would message filters help in that case?

Are content filters applied before the ESA establishes SMTP connections to the destination server, or are they applied on the fly?

When connecting with telnet on port 25, RCPT verification is done before typing the rest of the message, so I started to wonder which comes first for an outgoing connection. It would be stupid to do it on the fly, especially when one TCP connection is being used for multiple mail deliveries, but I can't explain the following behavior.

25 Apr 2017 14:42:13 (GMT +02:00) SMTP delivery connection (DCID 34204) opened from Cisco IronPort interface 10.x.x.71 to IP address 10.x.y.175 on port 25.
25 Apr 2017 14:43:47 (GMT +02:00) Protocol SMTP interface private (IP 10.x.x.71) on incoming connection (ICID 311146) from sender IP 10.x.y.74. Reverse DNS host srv1.domain.com verified yes.
25 Apr 2017 14:43:47 (GMT +02:00) (ICID 311146) RELAY sender group RELAYLIST match 10.x.y.74 SBRS not enabled
25 Apr 2017 14:43:47 (GMT +02:00) Start message 11779 on incoming connection (ICID 311146).
25 Apr 2017 14:43:47 (GMT +02:00) Message 11779 enqueued on incoming connection (ICID 311146) from user1@domain.com.
25 Apr 2017 14:43:47 (GMT +02:00) Message 11779 on incoming connection (ICID 311146) added recipient (imaginary@DEST.com).
25 Apr 2017 14:43:47 (GMT +02:00) Message 11779 contains message ID header '<368D0E11E885214EBDEBEB274888537B683C@MAIL1.domain.com>'.
25 Apr 2017 14:43:47 (GMT +02:00) Message 11779 original subject on injection: SUBJECT-XXX numer 12/25
25 Apr 2017 14:43:47 (GMT +02:00) Message 11779 (1697 bytes) from user1@domain.com ready.
25 Apr 2017 14:43:47 (GMT +02:00) Message 11779 matched per-recipient policy RULE1 for outbound mail policies.
25 Apr 2017 14:43:47 (GMT +02:00) Start message 11780 on incoming connection (ICID 0).
25 Apr 2017 14:43:47 (GMT +02:00) A new message 11780 was generated based on message 11779 by bcc filter CONTENET-FILTER-RULE1.
25 Apr 2017 14:43:47 (GMT +02:00) Message 11780 enqueued on incoming connection (ICID 0) from MAILER-DAEMON@domena.com.
25 Apr 2017 14:43:47 (GMT +02:00) Message 11780 on incoming connection (ICID 0) added recipient (user2@domain.com).
25 Apr 2017 14:43:47 (GMT +02:00) Message 11780 is not signed. No domain key profile matches user2@domain.com.
25 Apr 2017 14:43:47 (GMT +02:00) Message 11780 not signed. No DKIM profile matched user2@domain.com.
25 Apr 2017 14:43:47 (GMT +02:00) Message 11780 (1699 bytes) from MAILER-DAEMON@domena.com ready.
25 Apr 2017 14:43:47 (GMT +02:00) Message 11780 queued for delivery.
25 Apr 2017 14:43:47 (GMT +02:00) Message 11779 queued for delivery.
25 Apr 2017 14:43:47 (GMT +02:00) (DCID 34204) Delivery started for message 11780 to user2@domain.com.
25 Apr 2017 14:43:47 (GMT +02:00) SMTP delivery connection (DCID 34205) opened from Cisco IronPort interface 10.x.z.71 to IP address 217.x.x.x on port 25.
25 Apr 2017 14:43:47 (GMT +02:00) (DCID 34205) Delivery started for message 11779 to imaginary@DEST.com.
25 Apr 2017 14:43:47 (GMT +02:00) (DCID 34205) Message 11779 to imaginary@DEST.com bounced by destination server. Reason: 5.1.0 - Unknown address error ('550', ['5.1.1 Account not found '])
25 Apr 2017 14:43:47 (GMT +02:00) Start message 11781 on incoming connection (ICID 0).
25 Apr 2017 14:43:47 (GMT +02:00) A new message 11781 was generated to handle bounce of message 11779.
25 Apr 2017 14:43:47 (GMT +02:00) Message 11781 enqueued on incoming connection (ICID 0) from .
25 Apr 2017 14:43:47 (GMT +02:00) Message 11781 on incoming connection (ICID 0) added recipient (user1@domain.com).
25 Apr 2017 14:43:47 (GMT +02:00) Message 11781 (3032 bytes) from ready.
25 Apr 2017 14:43:47 (GMT +02:00) Message 11781 queued for delivery.
25 Apr 2017 14:43:47 (GMT +02:00) SMTP delivery connection (DCID 34206) opened from Cisco IronPort interface 10.x.x.71 to IP address 10.x.y.74 on port 25.
25 Apr 2017 14:43:47 (GMT +02:00) (DCID 34206) Delivery started for message 11781 to user1@domain.com.
25 Apr 2017 14:43:48 (GMT +02:00) (DCID 34206) Delivery details: Message 11781 sent to user1@domain.com
25 Apr 2017 14:43:48 (GMT +02:00) Message 11781 to user1@domain.com received remote SMTP response '2.6.0 <133526$bg5@srv1.domain.com> [InternalId=4943507357704, Hostname=srv1.domain.com] Queued mail for delivery'.
25 Apr 2017 14:44:12 (GMT +02:00) (DCID 34204) Delivery details: Message 11780 sent to user2@domain.com
25 Apr 2017 14:44:12 (GMT +02:00) Message 11780 to user2@domain.com received remote SMTP response '2.6.0 <368D0E11E885214EBDEBEB274888537B683C@MAIL1.domain.com> [InternalId=2800318676999, Hostname=exchange.domain.com] Queued mail for delivery'.

If someone could explain it to me I would be very grateful

regards

Przemek


Libin Varghese
Cisco Employee

Hi Przemek,

I think the missing link would be understanding that mail-from (envelope sender) is not an email header, it is an SMTP command. Envelope sender (mail-from) cannot be modified using the content filters currently.

The ESA processes emails using the mail-from and rcpt-to values, and in order to rewrite the envelope sender you could use the masquerading feature on the ESA.

Configuring masquerading is explained in the user guide below
http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa9-7/ESA_9-7_User_Guide.pdf
Page 25-16 Configuring Masquerading

The content filters are applied during the workqueue processing, before the email enters the delivery queue and a TCP port 25 connection is established with the destination server.

A workaround would be to add an incoming content filter or domain mapping to redirect all emails for user1@domain.com to user2@domain.com using the action "Change recipient to". This would cause all emails coming in to the ESA for the recipient user1@domain to be redirected to user2@domain.com.

Thank You!
Libin Varghese
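
An added example, not part of the original thread and not Cisco code: this Python script walks a subset of the mail_logs lines quoted in the question and links the generated bounce message to the MID it belongs to. It shows that the bounce recipient is the envelope sender recorded at injection, whatever the content filters did to the headers. The regular expressions are assumptions based only on the line formats visible in this thread.

```python
import re

# Subset of the log lines quoted in the question (timestamps dropped).
SAMPLE_LOG = """\
Message 11779 enqueued on incoming connection (ICID 311146) from user1@domain.com.
Message 11779 on incoming connection (ICID 311146) added recipient (imaginary@DEST.com).
A new message 11780 was generated based on message 11779 by bcc filter CONTENET-FILTER-RULE1.
Message 11780 enqueued on incoming connection (ICID 0) from MAILER-DAEMON@domena.com.
Message 11780 on incoming connection (ICID 0) added recipient (user2@domain.com).
(DCID 34205) Message 11779 to imaginary@DEST.com bounced by destination server. Reason: 5.1.0 - Unknown address error ('550', ['5.1.1 Account not found '])
A new message 11781 was generated to handle bounce of message 11779.
Message 11781 enqueued on incoming connection (ICID 0) from .
Message 11781 on incoming connection (ICID 0) added recipient (user1@domain.com).
"""

# Assumed patterns, derived from the lines above only.
ENQUEUED = re.compile(r"Message (\d+) enqueued on incoming connection \(ICID \d+\) from (\S*?)\.$")
RECIPIENT = re.compile(r"Message (\d+) on incoming connection \(ICID \d+\) added recipient \((.+?)\)")
BOUNCE_GEN = re.compile(r"A new message (\d+) was generated to handle bounce of message (\d+)")


def parse(log_text):
    """Collect envelope sender and recipients per MID, plus bounce -> original links."""
    sender, rcpts, bounce_of = {}, {}, {}
    for line in log_text.splitlines():
        line = line.strip()
        if m := ENQUEUED.search(line):
            sender[m.group(1)] = m.group(2)  # empty string means no sender shown in the log
        elif m := RECIPIENT.search(line):
            rcpts.setdefault(m.group(1), []).append(m.group(2))
        elif m := BOUNCE_GEN.search(line):
            bounce_of[m.group(1)] = m.group(2)
    return sender, rcpts, bounce_of


def trace_bounces(log_text):
    """For each generated bounce, report where it went and which envelope it came from."""
    sender, rcpts, bounce_of = parse(log_text)
    return [{"original_mid": orig, "bounce_mid": bounce,
             "original_mail_from": sender.get(orig),
             "bounce_mail_from": sender.get(bounce),
             "bounce_rcpt": rcpts.get(bounce, [])}
            for bounce, orig in bounce_of.items()]


if __name__ == "__main__":
    for row in trace_bounces(SAMPLE_LOG):
        print(row)
```
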

Hi Libin,

Thanks for the reply and the explanation.

I will try the masquerading next week and let you know. Nevertheless, I have a question regarding your workaround solution.

Would a content filter in the incoming direction (with "Change recipient to") solve the thing for bounce messages which were originally sent in the outgoing direction?

The thing I want to achieve is this:

When any user sends an email with a specific subject, a copy is sent to admin@domain.com, and I wanted the bounces to hit that email as well, but they hit the original one. The key condition for this rule is that it should be triggered only on a specific subject. The rest I want to leave as it is.

regards

Przemek

For the email being sent outbound, the bounce back from the original recipient would be inbound to the ESA. So it should match the incoming filters.

However, the subject line used for bounce emails could vary so you would need to figure out a common subject or common header to limit the incoming filter to work only on bounces.

- Libin V
