I am looking for an answer from somebody who has experience with IronPort. When an email is rejected by IronPort (due to low reputation or whatever), does it write it someplace in a log? If so, where?
I am on the sender's side. Unfortunately I don't have access to the SMTP logs of my server to see what errors IronPort throws back. Is there a way to capture those in some other way?
Is there a way to whitelist a sender domain in IronPort? If so, how (a link to documentation would be enough)?
Thank you!
IronPort utilizes 4 Host Access groups which decide what policy will be applied to a sender based on their reputation on SBRS.
$TRUSTED (My trusted senders have no anti-spam scanning or rate limiting)
$BLOCKED (Spammers are rejected)
$THROTTLED (Suspicious senders are throttled)
$ACCEPTED (Reviewed but undecided, continue normal acceptance)
$ACCEPTED (Everyone else)
When the initial SMTP connection is established there will be a new log event written depending on the HAT match:
ICID 936657752 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 4.8
ICID 936594871 ACCEPT SG SUSPECTLIST match sbrs[-3.0:-1.0] SBRS -1.4
ICID 936620321 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -10.0
Looking at the log verbosely:
Thu Nov 27 11:32:36 2014 Info: New SMTP ICID 936620321 interface address x.x.x.x reverse dns host unknown verified no
Thu Nov 27 11:32:36 2014 Info: ICID 936620321 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -10.0
Thu Nov 27 11:32:36 2014 Info: ICID 936620321 close
ICID: Incoming Connection ID
MID: Message ID
DCID: Delivery ID
On a rejection, only an ICID will be created, as the message will never enter the queue due to the SBRS rejection.
To view these logs you can either SSH or telnet into your appliance and tail/grep the mail log based on the log name. To verify your log name, you can view this under 'logconfig'; the log labelled IronPort Text Mail Logs will be what you are looking for. Alternatively, you can forward this to a syslog host; the option is available under logconfig.
Whitelisting can be completed 3 ways
Documentation for Cisco IronPort is available at http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa7-6/ESA_7-6_Configuration_Guide.pdf - version dependent
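
The following Python is an added example, not part of the original answer or of Cisco's tooling. It parses mail-log lines in the format quoted above, joins each HAT decision to its "New SMTP ICID" line by ICID, and lists the REJECT events; the sample log, its addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample in the mail-log format quoted in the answer above.
# Addresses are documentation-range placeholders, not values from the post.
SAMPLE_LOG = """\
Thu Nov 27 11:32:30 2014 Info: New SMTP ICID 936657752 interface address 192.0.2.25 reverse dns host mail.example.org verified yes
Thu Nov 27 11:32:30 2014 Info: ICID 936657752 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 4.8
Thu Nov 27 11:32:36 2014 Info: New SMTP ICID 936620321 interface address 198.51.100.7 reverse dns host unknown verified no
Thu Nov 27 11:32:36 2014 Info: ICID 936620321 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -10.0
Thu Nov 27 11:32:36 2014 Info: ICID 936620321 close
Thu Nov 27 11:32:40 2014 Info: ICID 936594871 ACCEPT SG SUSPECTLIST match sbrs[-3.0:-1.0] SBRS -1.4
"""

# Timestamp and level prefix, then the two line types of interest. The
# interface field is skipped lazily so it may be present or empty.
PREFIX = r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) \w+: "
NEW_CONN = re.compile(PREFIX + r"New SMTP ICID (?P<icid>\d+) interface\b.*?\baddress "
                      r"(?P<addr>\S+) reverse dns host (?P<rdns>\S+) verified \S+")
HAT_MATCH = re.compile(PREFIX + r"ICID (?P<icid>\d+) (?P<action>[A-Z]+) SG (?P<group>\S+) "
                       r"match (?P<rule>\S+) SBRS (?P<sbrs>\S+)")

def parse_hat_events(lines):
    """Join each HAT decision line to its 'New SMTP ICID' line by ICID."""
    peers, events = {}, []
    for line in lines:
        if m := NEW_CONN.match(line):
            peers[m["icid"]] = (m["addr"], m["rdns"])
        elif m := HAT_MATCH.match(line):
            try:
                score = float(m["sbrs"])
            except ValueError:  # non-numeric score field: keep the event anyway
                score = None
            # The connection line may be missing (e.g. it sits in a rotated file).
            addr, rdns = peers.pop(m["icid"], (None, None))
            events.append({"time": m["ts"], "icid": m["icid"], "action": m["action"],
                           "sender_group": m["group"], "rule": m["rule"],
                           "sbrs": score, "address": addr, "rdns": rdns})
    return events

def rejected(events):
    """Connections refused at the HAT stage; these never receive a MID."""
    return [e for e in events if e["action"] == "REJECT"]

if __name__ == "__main__":
    for e in rejected(parse_hat_events(SAMPLE_LOG.splitlines())):
        print(e["time"], e["address"], e["sender_group"], e["rule"], e["sbrs"])
```

Run it against a copy of the text mail log (or the syslog feed) by passing the file's lines to `parse_hat_events` instead of `SAMPLE_LOG`.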