09-27-2023 07:34 AM
Hello,
Some of our messages are not delivered to the recipients. In the message tracking I see some errors, but I am searching for more information. Is there an option for verbose message tracking? I tried the mail logs, but I can't find information there either.
I think the messages aren't delivered because of a TLS problem. The message tracking says "TLS unavailable". But I can't see the TLS handshake and the ciphers that are used. Both sides are using TLSv1.2, but it is still not delivered. So I am curious for more detailed information.
Kind regards,
Arjan
09-29-2023 02:03 AM
You can test with tlsverify from the command line.
To record all exchanged SMTP messages in full detail, Log subscriptions > Add log subscription > Type: Domain Debug Logs can be used: https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117848-configure-esa-00.html
Just enter the domain of the recipient address and the number of messages which you want to record.
09-29-2023 03:24 AM
Hello @filiadata
Thanks for your reply. I enabled the log subscription. When I send a mail, I see some logging for the configured domain.
Fri Sep 29 11:27:14 2023 Info: 1490256 Rcvd: '220 Ready to start TLS - go on'
Fri Sep 29 11:27:24 2023 Info: 1490258 Rcvd: '220 spamrelay-****.****.nl ESMTP Postfix'
Fri Sep 29 11:27:24 2023 Info: 1490258 Sent: 'EHLO ****.iphmx.com'
Fri Sep 29 11:27:24 2023 Info: 1490258 Rcvd: '250-spamrelay-****.****.nl'
Fri Sep 29 11:27:24 2023 Info: 1490258 Rcvd: '250-STARTTLS'
Fri Sep 29 11:27:24 2023 Info: 1490258 Rcvd: '250-SIZE 104857600'
Fri Sep 29 11:27:24 2023 Info: 1490258 Rcvd: '250-VRFY'
Fri Sep 29 11:27:24 2023 Info: 1490258 Rcvd: '250-ENHANCEDSTATUSCODES'
Fri Sep 29 11:27:24 2023 Info: 1490258 Rcvd: '250-8BITMIME'
Fri Sep 29 11:27:24 2023 Info: 1490258 Rcvd: '250 DSN'
Fri Sep 29 11:27:24 2023 Info: 1490258 Sent: 'STARTTLS'
Fri Sep 29 11:27:24 2023 Info: 1490258 Rcvd: '220 Ready to start TLS - go on'
Then it stops... at the point where it should be interesting. I hoped to see some logging here about a failed TLS handshake. Apparently TLS is started, but does not succeed. But we can't see why.
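An added example, not part of any post in this thread: a Python sketch that groups Domain Debug Log lines like those quoted above by connection ID and flags sessions whose last entry is the server's 220 reply to STARTTLS. The sample lines are constructed (host names and session 1490300 are made up), and the line format is assumed from the excerpt in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the Domain Debug Log format quoted in the post above;
# host names and the completed session 1490300 are made up for illustration.
SAMPLE = """\
Fri Sep 29 11:27:14 2023 Info: 1490256 Rcvd: '220 Ready to start TLS - go on'
Fri Sep 29 11:27:24 2023 Info: 1490258 Rcvd: '220 mx.example.nl ESMTP Postfix'
Fri Sep 29 11:27:24 2023 Info: 1490258 Sent: 'EHLO out.example.com'
Fri Sep 29 11:27:24 2023 Info: 1490258 Rcvd: '250-STARTTLS'
Fri Sep 29 11:27:24 2023 Info: 1490258 Rcvd: '250 DSN'
Fri Sep 29 11:27:24 2023 Info: 1490258 Sent: 'STARTTLS'
Fri Sep 29 11:27:24 2023 Info: 1490258 Rcvd: '220 Ready to start TLS - go on'
Fri Sep 29 11:30:02 2023 Info: 1490300 Sent: 'STARTTLS'
Fri Sep 29 11:30:02 2023 Info: 1490300 Rcvd: '220 2.0.0 Ready to start TLS'
Fri Sep 29 11:30:03 2023 Info: 1490300 Sent: 'EHLO out.example.com'
"""

LINE = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}) Info: (\d+) (Sent|Rcvd): '(.*)'$")

def parse(text):
    """Group log lines by connection ID -> [(time, direction, smtp_line), ...]."""
    sessions = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            sessions[m.group(2)].append((ts, m.group(3), m.group(4)))
    return sessions

def stalled_after_starttls(sessions):
    """IDs whose last logged line is the server's 220 reply to STARTTLS."""
    # Nothing logged after that 220 means the SMTP dialogue never resumed inside
    # TLS, so the failure is in the handshake, which this log does not record.
    stalled = []
    for conn_id, events in sessions.items():
        _, direction, line = events[-1]
        last_sent = next((l for _, d, l in reversed(events) if d == "Sent"), None)
        if direction == "Rcvd" and line.startswith("220") and (
                last_sent == "STARTTLS" or (last_sent is None and "start tls" in line.lower())):
            stalled.append(conn_id)
    return sorted(stalled)

if __name__ == "__main__":
    s = parse(SAMPLE)
    for cid in stalled_after_starttls(s):
        print(cid, "stopped after STARTTLS at", s[cid][-1][0])
```

The timestamps of the flagged sessions give the window to look at in a packet capture or to reproduce with a manual TLS test against the same MX host.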
09-29-2023 03:52 AM
I wonder why anyone would name their server spamrelay.
Did you try the tlsverify command?
You can start a packet capture to the IP addresses of the MX servers of the domain of the recipient and then send another test message. The capture will show you the complete TLS handshake to the point where it stops, however you need some knowledge about TLS to be able to see possible problems. They could be anything from incompatible TLS extensions, non-overlapping ciphers to a lack of entropy on the server side.
You can also set up a TLS connection manually with OpenSSL: openssl s_client -connect <mxserver>:25 -starttls smtp
OpenSSL also provides options for debug output.
10-11-2023 12:06 AM
Hi @filiadata
Thanks for your reply. We do have a solution in the cloud. Is it possible to do a packet capture in this scenario?
Kind regards,
Arjan
09-29-2023 09:04 AM
10-01-2023 06:41 PM
Usually the ESA puts cipher info in Message Tracking as well as in mail_logs. It seems it couldn't get this info either.
Here I recommend using the packet capture feature to capture the relevant session, then opening the pcap file in Wireshark or with tcpdump and checking the TLS handshake.
10-11-2023 12:13 AM
Hi @saliyev
Is it possible to do a packet capture in a cloud installation?
Kind regards,
Arjan