Ironport rejecting emails


I am looking for an answer from somebody who has experience with IronPort. When an email is rejected by IronPort (due to low reputation or whatever), does it write it someplace in a log? If so, where?

I am on the sender's side. Unfortunately I don't have access to the SMTP logs of my server to see what errors IronPort throws back. Is there a way to capture those in some other way?

Is there a way to whitelist a sender domain in IronPort? If so, how? (A link to documentation would be enough.)

Thank you!

Answer by Martin (best answer):

IronPort utilizes 4 Host Access groups, which decide what policy will be applied to a sender based on their SBRS reputation.

WHITELIST:
    $TRUSTED (My trusted senders have no anti-spam scanning or rate limiting)

BLACKLIST:
sbrs[-10.0:-3.0]
    $BLOCKED (Spammers are rejected)

SUSPECTLIST:
sbrs[-3.0:-1.0]
    $THROTTLED (Suspicious senders are throttled)

UNKNOWNLIST:
sbrs[-1.0:10.0]
sbrs[none]
    $ACCEPTED (Reviewed but undecided, continue normal acceptance)

ALL:
    $ACCEPTED (Everyone else)

When the initial SMTP connection is established, a new log event will be written depending on the HAT match:

ICID 936657752 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 4.8
ICID 936594871 ACCEPT SG SUSPECTLIST match sbrs[-3.0:-1.0] SBRS -1.4
ICID 936620321 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -10.0

Looking at the log verbosely:

Thu Nov 27 11:32:36 2014 Info: New SMTP ICID 936620321 interface address x.x.x.x reverse dns host unknown verified no
Thu Nov 27 11:32:36 2014 Info: ICID 936620321 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -10.0
Thu Nov 27 11:32:36 2014 Info: ICID 936620321 close

ICID: Incoming Connection ID
MID: Message ID
DCID: Delivery ID

On a rejection only an ICID will be created, as the message will never enter the queue due to the SBRS rejection.

To view these logs you can either SSH or telnet into your appliance and tail/grep the mail log based on the log name. To verify your log name, you can view this under 'logconfig'; the log labelled IronPort Text Mail Logs will be what you are looking for. Alternatively, you can forward this to a syslog host; the option is available under logconfig.

Whitelisting can be completed in 3 ways:

  1. Whitelisting the IP in the HAT table as per above
  2. Whitelisting via a content filter and applying this to your relevant policy
  3. Creating a policy with a content filter set to skip processing and just deliver - domains you would like to include in this policy can just be added as either a sender or recipient

Documentation for Cisco IronPort is available at http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa7-6/ESA_7-6_Configuration_Guide.pdf (version dependent).
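On the receiving appliance's side, the text mail log lines shown in the answer can be grouped by ICID to see which connections the HAT rejected (these never get a MID) and which sender group a given SBRS score lands in. The following is an added example, not part of Martin's answer or Cisco's software; its sample log takes the answer's REJECT lines plus constructed lines for an accepted connection, and the "Start MID ... ICID ..." line shape and the inclusive range bounds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the IronPort text mail log shape shown in the answer: the
# first three lines are the answer's REJECT example; the rest are made up here for
# an ACCEPTed connection (the "Start MID ... ICID ..." line is an assumed shape).
SAMPLE_LOG = """\
Thu Nov 27 11:32:36 2014 Info: New SMTP ICID 936620321 interface address x.x.x.x reverse dns host unknown verified no
Thu Nov 27 11:32:36 2014 Info: ICID 936620321 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -10.0
Thu Nov 27 11:32:36 2014 Info: ICID 936620321 close
Thu Nov 27 11:33:02 2014 Info: New SMTP ICID 936657752 interface address x.x.x.x reverse dns host mail.example.com verified yes
Thu Nov 27 11:33:02 2014 Info: ICID 936657752 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 4.8
Thu Nov 27 11:33:03 2014 Info: Start MID 12345 ICID 936657752
Thu Nov 27 11:33:04 2014 Info: ICID 936657752 close
"""

NEW_RE = re.compile(r"New SMTP ICID (\d+) interface address (\S+) reverse dns host (\S+) verified (\S+)")
HAT_RE = re.compile(r"ICID (\d+) (\w+) SG (\S+) match (\S+) SBRS (\S+)")   # HAT verdict line
MID_RE = re.compile(r"Start MID (\d+) ICID (\d+)")                        # message entered queue

def summarize_connections(log_text):
    """Group events by ICID: one record per incoming SMTP connection."""
    conns = defaultdict(lambda: {"verdict": None, "sender_group": None, "sbrs": None, "mids": []})
    for line in log_text.splitlines():
        if m := NEW_RE.search(line):
            conns[m.group(1)].update(remote=m.group(2), rdns=m.group(3), verified=m.group(4) == "yes")
        elif m := HAT_RE.search(line):
            score = m.group(5)
            conns[m.group(1)].update(verdict=m.group(2), sender_group=m.group(3), hat_rule=m.group(4),
                                     sbrs=None if score.lower() == "none" else float(score))
        elif m := MID_RE.search(line):
            conns[m.group(2)]["mids"].append(m.group(1))
    return dict(conns)

def rejected_icids(conns):
    """ICIDs rejected at the HAT; as the answer notes, these never get a MID."""
    return sorted(icid for icid, c in conns.items() if c["verdict"] == "REJECT")

# SBRS ranges exactly as listed in the answer, in HAT order (first match wins). Assumed
# inclusive bounds; WHITELIST is omitted since it lists explicit senders, not an SBRS range.
HAT_ORDER = [("BLACKLIST", -10.0, -3.0), ("SUSPECTLIST", -3.0, -1.0), ("UNKNOWNLIST", -1.0, 10.0)]

def hat_group_for_sbrs(score):
    """Sender group an SBRS score would match; None stands for sbrs[none]."""
    if score is None:
        return "UNKNOWNLIST"
    for name, low, high in HAT_ORDER:
        if low <= score <= high:
            return name
    return "ALL"
```

Run `summarize_connections(SAMPLE_LOG)` against a tailed copy of the text mail log and check `rejected_icids` for the sending host's address to answer the question asked above from the appliance side.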