Rule with alt-mailhost not working ...

marc.luescherFRE

Hi there,

I just created a very simple incoming mail rule in our internal IronPort cluster with the purpose to forward larger e-mail to two dedicated virtual appliances for processing without impacting the main mail delivery.

1st try based on a mail-from

Reroute_large_mails_mv6: if (mail-from == "jared.kilgour@fmc-na.com") { insert-header("X-IronPort-USIntGWFwdRule", "1"); alt-mailhost ("mv8int.corp.ad.fmcna.com"); } 

2nd try based on message size

Reroute_large_mails_mv6: if (body-size > 2048000) { insert-header("X-IronPort-USIntGWFwdRule", "1"); alt-mailhost ("mv8int.corp.ad.fmcna.com"); }

None of the rules seem to work, no matter whether I use it in the GUI or write it in the CLI. I had assumed mail rules would leave a trace in the mail_logs when in debug mode but this is not the case.

How can I debug this?

2 Replies

marc.luescherFRE

Further debugging: not clear why alt-host is not triggered on this message.

Sun Jan 10 15:44:01 2016 Info: MID 765754 Message-ID '<OF45D91C54.2C78A737-ONC1257F36.003C9125-C1257F36.0071DA4D@CORP.AD.FMCNA.COM>'
Sun Jan 10 15:44:01 2016 Info: MID 765754 Subject 'Re: Testmail for > 2 MB Filter'
Sun Jan 10 15:44:01 2016 Info: MID 765754 ready 3075520 bytes from <marc.luescher@fresenius-netcare.com>
Sun Jan 10 15:44:01 2016 Debug: SenderBase: Incrementing counter for ip: 10.14.32.192 idx: messages accepted
Sun Jan 10 15:44:01 2016 Debug: SenderBase: Incrementing counter for ip: 10.14.32.192 idx: aggregate message size
Sun Jan 10 15:44:01 2016 Info: MID 765754 matched all recipients for per-recipient policy DEFAULT in the inbound table
Sun Jan 10 15:44:01 2016 Info: graymail [RPC_CLIENT] Graymail scan skipped since message size exceeds configured threshold
Sun Jan 10 15:44:01 2016 Trace: ANTISPAM: pass_spamcheck
Sun Jan 10 15:44:01 2016 Trace: ANTISPAM: CASE scanning for the sake of sbnp data
Sun Jan 10 15:44:01 2016 Trace: ANTISPAM: MID 765754 will use ['CASE'] spam engines
Sun Jan 10 15:44:01 2016 Trace: CASE: No VOF or AS on this message.
Sun Jan 10 15:44:01 2016 Trace: CASE took 0.000
Sun Jan 10 15:44:01 2016 Trace: MID 765754: Skip AMP Engine check
Sun Jan 10 15:44:01 2016 Trace: Outbreak: Exception getting vtl from {}
Sun Jan 10 15:44:01 2016 Trace: Outbreak: no vtl score
Sun Jan 10 15:44:01 2016 Info: MID 765754 using engine: GRAYMAIL negative
Sun Jan 10 15:44:02 2016 Debug: DLP: Not configured?
Sun Jan 10 15:44:02 2016 Debug: DLP: Not configured?
Sun Jan 10 15:44:02 2016 Info: MID 765754 attachment 'CVD-EmailSecurityUsingCiscoESADesignGuide-AUG14.pdf'
Sun Jan 10 15:44:02 2016 Info: ICID 251945 close
Sun Jan 10 15:44:02 2016 Trace: Reporting Client: 2660 bytes saved to journal.
Sun Jan 10 15:44:02 2016 Debug: scanning: MID 765754 scanned 'CVD-EmailSecurityUsingCiscoESADesignGuide-AUG14.pdf' (d): bin 2236696B, text 52761C, id 51
Sun Jan 10 15:44:02 2016 Debug: DLP: Not configured?
Sun Jan 10 15:44:02 2016 Info: MID 765754 attachment 'smime.p7s'
Sun Jan 10 15:44:02 2016 Debug: scanning: MID 765754 scanned 'smime.p7s' (d): bin 8244B, text 6837C, id 2
Sun Jan 10 15:44:02 2016 Debug: DLP: Not configured?
Sun Jan 10 15:44:02 2016 Info: MID 765754 queued for delivery
Sun Jan 10 15:44:02 2016 Debug: DNS query: Q('m1.fmcna.com', 'MX')
Sun Jan 10 15:44:02 2016 Debug: DNS query: Q('spam1.fmcna.com', 'A')
Sun Jan 10 15:44:02 2016 Debug: DNS query: Q('m2.fmcna.com', 'MX')
Sun Jan 10 15:44:02 2016 Debug: DNS query: Q('m2.fmcna.com', 'A')
Sun Jan 10 15:44:02 2016 Info: New SMTP DCID 100015 interface 10.32.32.211 address 192.168.207.30 port 25
Sun Jan 10 15:44:02 2016 Info: DCID 100015 TLS success protocol TLSv1 cipher RC4-SHA
Sun Jan 10 15:44:02 2016 Info: Delivery start DCID 100015 MID 765754 to RID [0]
Sun Jan 10 15:44:02 2016 Info: Message done DCID 100015 MID 765754 to RID [0]
Sun Jan 10 15:44:02 2016 Info: MID 765754 RID [0] Response 'ok:  Message 223145808 accepted'
Sun Jan 10 15:44:02 2016 Info: Message finished MID 765754 done

So what are we trying to do:

Notes -> GW1                                     Virtual IP mv5     -> mail > 2 MB should be processed by alternate host mv7 (virtual IP) to not impact mv5

Notes -> GW2       round robin ->

Notes -> GW3                                     Virtual IP mv6     -> mail > 2 MB should be processed by alternate host mv8 (virtual IP) to not impact mv6

Hello,

Is your ESA able to resolve mv8int.corp.ad.fmcna.com to an available IP to route the emails to?

Essentially the delivery should be going to the mail-host mv8int.corp.ad.fmcna.com which is not 192.168.207.30

As such, please ensure that the actual host resolves correctly, else for the alt-mailhost you can insert the IP directly and you should see the DCID point to the right server.

Regards,

Matthew
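
The check suggested in the reply above, as an added example that is not part of the original thread: follow one MID in mail_logs to the DCID that delivered it and compare the destination address with the addresses expected for the alt-mailhost. The sample lines are copied from the log excerpt in this thread; `192.0.2.8` is a constructed placeholder for whatever `mv8int.corp.ad.fmcna.com` resolves to, the function names are hypothetical, and treating the `ready N bytes` value as the size the filter compares is an assumption.

```python
import re

# Constructed sample: lines copied from the mail_logs excerpt in this thread.
SAMPLE_LOG = """\
Sun Jan 10 15:44:01 2016 Info: MID 765754 ready 3075520 bytes from <marc.luescher@fresenius-netcare.com>
Sun Jan 10 15:44:02 2016 Info: MID 765754 queued for delivery
Sun Jan 10 15:44:02 2016 Info: New SMTP DCID 100015 interface 10.32.32.211 address 192.168.207.30 port 25
Sun Jan 10 15:44:02 2016 Info: Delivery start DCID 100015 MID 765754 to RID [0]
Sun Jan 10 15:44:02 2016 Info: Message finished MID 765754 done
"""

READY = re.compile(r"MID (\d+) ready (\d+) bytes")
NEW_DCID = re.compile(r"New SMTP DCID (\d+) interface (\S+) address (\S+) port (\d+)")
DELIVERY = re.compile(r"Delivery start DCID (\d+) MID (\d+)")


def trace_delivery(log_text, mid):
    """Return (size_in_bytes, [destination IPs]) for one MID."""
    size, dcid_addr, dests = None, {}, []
    for line in log_text.splitlines():
        if m := READY.search(line):
            if m.group(1) == str(mid):
                size = int(m.group(2))
        elif m := NEW_DCID.search(line):
            # Remember which remote address each delivery connection uses.
            dcid_addr[m.group(1)] = m.group(3)
        elif m := DELIVERY.search(line):
            if m.group(2) == str(mid) and m.group(1) in dcid_addr:
                dests.append(dcid_addr[m.group(1)])
    return size, dests


def reroute_verdict(log_text, mid, threshold, alt_host_ips):
    """Classify a MID: did a message over the threshold reach the alt host?"""
    size, dests = trace_delivery(log_text, mid)
    if size is None or not dests:
        return "incomplete"    # MID not fully present in this log slice
    if size <= threshold:
        return "not-expected"  # too small for the size rule to apply
    return "rerouted" if all(d in alt_host_ips for d in dests) else "missed"


if __name__ == "__main__":
    # 192.0.2.8 is a placeholder for the alt-mailhost's real address.
    print(reroute_verdict(SAMPLE_LOG, 765754, 2048000, {"192.0.2.8"}))
```

A `missed` verdict for a message over the threshold means the delivery connection went to the normally resolved destination, which is the symptom the reply points at.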