02-21-2020 02:04 AM - edited 02-21-2020 02:18 AM
Hello, yesterday I noticed one thing:
IronPort passed the mail, but in the logs it looks like a rejected connection with the comment "Incoming connection (ICID 37639876) successfully accepted TLS protocol TLSv1.2 cipher ECDHE-RSA-AES128-GCM-SHA256."
Can anyone explain to me why it works like that? It passes the mail but logs a rejection.
02-21-2020 02:29 PM
Can you provide us with more info from the maillog so we can help you?
02-24-2020 10:35 PM
02-25-2020 06:16 AM
The normal content of message tracking looks like the below:
Incoming connection (ICID 114822195) has sender_group: UNKNOWNLIST, sender_ip: 208.74.204.5 and sbrs: 3.4
Protocol SMTP interface Management (IP 10.33.66.14) on incoming connection (ICID 114822195) from sender IP 208.74.204.5. Reverse DNS host smtp.lithium.com verified yes.
(ICID 114822195) ACCEPT sender group UNKNOWNLIST match sbrs[0.0:10.0] SBRS 3.4 sender IP 208.74.204.5 country United States
Incoming connection (ICID 114822195) successfully accepted TLS protocol TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384.
Message 361574539 Sender Domain: cisco.com
Start message 361574539 on incoming connection (ICID 114822195).
Message 361574539 enqueued on incoming connection (ICID 114822195) from ciscocommunity-donotreply@cisco.com.
Message 361574539 direction: incoming
Message 361574539 on incoming connection (ICID 114822195) added recipient (marc.luescher@fmc-na.com).
Message 361574539 SPF: helo identity postmaster@smtp.lithium.com None
Message 361574539 SPF: mailfrom identity ciscocommunity-donotreply@cisco.com SoftFail
Message 361574539 does not contain DKIM signature.
Message 361574539 SPF: pra identity ciscocommunity-donotreply@cisco.com None headers from
Message 361574539: DMARC Message from domain cisco.com, DMARC fail, (SPF aligned False, DKIM aligned False) DMARC policy is quarantine, applied policy is none
Message 361574539: DMARC verification failed. No action taken on the message.
Message 361574539 contains message ID header '<516377712.54047.1582614369438.JavaMail.lithium@sjc1papp20.sj.lithium.com>'.
Message 361574539 original subject on injection: Re: Wrong logging on IronPort C300V (Cisco Community Subscription Update: Email Security )
Message 361574539 Domains for which SDR is requested: reverse DNS host: smtp.lithium.com, helo: smtp.lithium.com, env-from: cisco.com, header_from: cisco.com, reply_to: Not Present
Message 361574539 Consolidated Sender Reputation: Weak, Threat Category: N/A. Youngest Domain Age: 25 years 4 months 12 days for domain: smtp.lithium.com
Message 361574539 (7723 bytes) from ciscocommunity-donotreply@cisco.com ready.
Message 361574539 has sender_group: UNKNOWNLIST, sender_ip: 208.74.204.5 and sbrs: 3.4
Looking at the sample you have provided, the Sender Domain Extraction (SDR) is not happening. To troubleshoot this issue we would need to look at the SMTP conversation log (or enable it, if it is not already enabled) to see what is happening at the transport level when the message is rejected.
This would give us a hint as to what is happening.
02-25-2020 06:18 AM
Details of the smtp_logs:
Mon Feb 24 16:23:43 2020 Info: ICID 38670987 address 208.74.204.5 dns host smtp.lithium.com sbrs 3.4
Mon Feb 24 16:23:43 2020 Info: ICID 38670987 >> 220 mv13.xxxxx.com ESMTP
Mon Feb 24 16:23:43 2020 Info: ICID 38670987 << EHLO smtp.lithium.com
Mon Feb 24 16:23:43 2020 Info: ICID 38670987 >> 250-mv13.xxxxx.com\r\n250-8BITMIME\r\n250-SIZE 36700160\r\n250 STARTTLS
Mon Feb 24 16:23:43 2020 Info: ICID 38670987 << STARTTLS
Mon Feb 24 16:23:43 2020 Info: ICID 38670987 >> 220 Go ahead with TLS
Mon Feb 24 16:23:43 2020 Info: ICID 38670987 << EHLO smtp.lithium.com
Mon Feb 24 16:23:43 2020 Info: ICID 38670987 >> 250-mv13.xxxxx.com\r\n250-8BITMIME\r\n250 SIZE 36700160
Mon Feb 24 16:23:44 2020 Info: ICID 38670987 << MAIL FROM:<community-donotreply@anaplan.com> SIZE=13086
Mon Feb 24 16:23:44 2020 Info: ICID 38670987 >> 250 sender <community-donotreply@anaplan.com> ok
Mon Feb 24 16:23:44 2020 Info: ICID 38670987 << RCPT TO:<kirill.barshevsky@fmc-na.com>
Mon Feb 24 16:23:44 2020 Info: ICID 38670987 >> 250 recipient <kirill.barshevsky@fmc-na.com> ok
Mon Feb 24 16:23:44 2020 Info: ICID 38670987 << DATA
Mon Feb 24 16:23:44 2020 Info: ICID 38670987 >> 354 go ahead
Mon Feb 24 16:23:44 2020 Info: ICID 38670987 >> 250 ok: Message 150885594 accepted
Mon Feb 24 16:23:44 2020 Info: ICID 38670987 << QUIT
Mon Feb 24 16:23:44 2020 Info: ICID 38670987 >> 221 mv13.xxxxx.com
Mon Feb 24 16:23:44 2020 Info: ICID 38670987 close
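A small parser for the two log views discussed in this thread, added here as an example; it is not part of any post above and not Cisco code. It groups smtp_logs lines by ICID and reduces each conversation to what the appliance actually answered (TLS agreed, "250 ok ... accepted" message IDs, any 5xx replies), and it pulls the "successfully accepted TLS" and DMARC tracking lines into structured fields so the TLS line can be seen as a STARTTLS outcome rather than a verdict. The ICID 38670987 conversation and the two tracking lines are taken from the thread; the ICID 99999999 conversation from 203.0.113.7 and its 550 reply text are constructed for contrast and are not real AsyncOS output.

```python
import re
from collections import defaultdict

# Sample input. ICID 38670987 is the smtp_logs excerpt from the post (receiving
# host redacted as in the thread). ICID 99999999 from 203.0.113.7 is CONSTRUCTED
# for this example to show a genuine rejection; its 550 text is illustrative,
# not copied from any AsyncOS release. Raw string keeps the logged "\r\n" literal.
SMTP_LOG = r"""
Mon Feb 24 16:23:43 2020 Info: ICID 38670987 address 208.74.204.5 dns host smtp.lithium.com sbrs 3.4
Mon Feb 24 16:23:43 2020 Info: ICID 38670987 >> 220 mv13.xxxxx.com ESMTP
Mon Feb 24 16:23:43 2020 Info: ICID 38670987 << EHLO smtp.lithium.com
Mon Feb 24 16:23:43 2020 Info: ICID 38670987 >> 250-mv13.xxxxx.com\r\n250-8BITMIME\r\n250-SIZE 36700160\r\n250 STARTTLS
Mon Feb 24 16:23:43 2020 Info: ICID 38670987 << STARTTLS
Mon Feb 24 16:23:43 2020 Info: ICID 38670987 >> 220 Go ahead with TLS
Mon Feb 24 16:23:43 2020 Info: ICID 38670987 << EHLO smtp.lithium.com
Mon Feb 24 16:23:43 2020 Info: ICID 38670987 >> 250-mv13.xxxxx.com\r\n250-8BITMIME\r\n250 SIZE 36700160
Mon Feb 24 16:23:44 2020 Info: ICID 38670987 << MAIL FROM:<community-donotreply@anaplan.com> SIZE=13086
Mon Feb 24 16:23:44 2020 Info: ICID 38670987 >> 250 sender <community-donotreply@anaplan.com> ok
Mon Feb 24 16:23:44 2020 Info: ICID 38670987 << RCPT TO:<kirill.barshevsky@fmc-na.com>
Mon Feb 24 16:23:44 2020 Info: ICID 38670987 >> 250 recipient <kirill.barshevsky@fmc-na.com> ok
Mon Feb 24 16:23:44 2020 Info: ICID 38670987 << DATA
Mon Feb 24 16:23:44 2020 Info: ICID 38670987 >> 354 go ahead
Mon Feb 24 16:23:44 2020 Info: ICID 38670987 >> 250 ok: Message 150885594 accepted
Mon Feb 24 16:23:44 2020 Info: ICID 38670987 << QUIT
Mon Feb 24 16:23:44 2020 Info: ICID 38670987 >> 221 mv13.xxxxx.com
Mon Feb 24 16:23:44 2020 Info: ICID 38670987 close
Mon Feb 24 16:30:00 2020 Info: ICID 99999999 address 203.0.113.7 dns host none sbrs -7.3
Mon Feb 24 16:30:00 2020 Info: ICID 99999999 << MAIL FROM:<bounce@example.net>
Mon Feb 24 16:30:00 2020 Info: ICID 99999999 >> 250 sender <bounce@example.net> ok
Mon Feb 24 16:30:00 2020 Info: ICID 99999999 << RCPT TO:<nobody@fmc-na.com>
Mon Feb 24 16:30:00 2020 Info: ICID 99999999 >> 550 #5.1.0 Address rejected (illustrative text)
Mon Feb 24 16:30:00 2020 Info: ICID 99999999 << QUIT
Mon Feb 24 16:30:00 2020 Info: ICID 99999999 close
"""

LINE_RE = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} Info: ICID (?P<icid>\d+) (?P<rest>.*)$")
CMD_RE = re.compile(r"^<< (?P<cmd>[A-Za-z]+)")           # client side, e.g. "<< RCPT TO:<...>"
REPLY_RE = re.compile(r"^>> (?P<code>\d{3})[ -](?P<text>.*)$")  # appliance side, "250-" multiline too
ACCEPT_RE = re.compile(r"^ok: Message (?P<mid>\d+) accepted$")

def parse_smtp_log(text):
    """Group smtp_logs lines by ICID, keeping everything after the ICID."""
    convs = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            convs[m["icid"]].append(m["rest"])
    return convs

def disposition(events):
    """Reduce one ICID's events to: TLS negotiated, message IDs answered with
    '250 ok ... accepted', and any 5xx replies with the command that drew them."""
    out = {"tls": False, "accepted": [], "rejections": []}
    last_cmd = None
    for ev in events:
        c = CMD_RE.match(ev)
        if c:
            last_cmd = c["cmd"].upper()
            continue
        r = REPLY_RE.match(ev)
        if not r:
            continue  # "address ..." and "close" bookkeeping lines
        code = int(r["code"])
        if last_cmd == "STARTTLS" and code == 220:
            out["tls"] = True  # appliance agreed to the handshake
        a = ACCEPT_RE.match(r["text"])
        if a:
            out["accepted"].append(int(a["mid"]))
        if 500 <= code < 600:
            out["rejections"].append((last_cmd, code, r["text"]))
    return out

# Message-tracking lines from the thread, trailing " |" separators as pasted.
TRACKING = [
    "Incoming connection (ICID 114822195) successfully accepted TLS protocol TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384. |",
    "Message 361574539: DMARC Message from domain cisco.com, DMARC fail, (SPF aligned False, DKIM aligned False) DMARC policy is quarantine, applied policy is none |",
]
TLS_RE = re.compile(r"Incoming connection \(ICID (?P<icid>\d+)\) successfully accepted TLS "
                    r"protocol (?P<proto>\S+) cipher (?P<cipher>[\w-]+)")
DMARC_RE = re.compile(r"Message (?P<mid>\d+): DMARC Message from domain (?P<domain>\S+), DMARC (?P<result>\w+), "
                      r"\(SPF aligned (?P<spf>\w+), DKIM aligned (?P<dkim>\w+)\) DMARC policy is (?P<policy>\w+), "
                      r"applied policy is (?P<applied>\w+)")

def summarize_tracking(lines):
    """The TLS line records the STARTTLS outcome for the ICID, not a message verdict;
    the DMARC line says whether the sender's published policy was actually applied."""
    out = {}
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            out["tls"] = {"icid": m["icid"], "protocol": m["proto"], "cipher": m["cipher"]}
        m = DMARC_RE.search(line)
        if m:
            d = m.groupdict()
            d["policy_overridden"] = d["result"] == "fail" and d["applied"] != d["policy"]
            out["dmarc"] = d
    return out

if __name__ == "__main__":
    for icid, events in parse_smtp_log(SMTP_LOG).items():
        print(icid, disposition(events))
    print(summarize_tracking(TRACKING))
```

Run against the posted conversation, ICID 38670987 comes back with tls True, one accepted message and no rejections, which is the transport-level proof that nothing was refused; only the constructed ICID 99999999 shows a 5xx, on RCPT. The DMARC summary flags that a quarantine policy was downgraded to none, which is the other line worth checking when a message "should" have been blocked but was delivered.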