Cisco Email Security Appliance X1070 Information Guide

How do I keep copies of messages matched by my message filter?
Document ID: 118118
Contributed by Scott Roeder and Stephan Bayer, Cisco TAC Engineers.
Jul 30, 2014
Question:
How do I keep copies of messages matched by my message filter?
Answer:
There are several ways to keep copies of messages matched by a message filter.
The Archive message filter action archives a copy of the message to a log file on the ESA in UNIX mbox
file format (which is a very simple text format). Once created, the log file can be controlled with
the filters->logconfig CLI command. Log files can be cut on regular boundaries, and regularly
pushed off to an archive fileserver. Here is an example of a message filter to log all inbound mail to recipient
alan@exchange.example.com:
Log-Alan-All-Mail:
if (recv-listener == "InboundMail")
and (rcpt-to == "alan@exchange\\.example\\.com") {
  archive("alan-all-mail");
}
In the archived message, an additional X-IronPort-RCPT-TO: header is added for each envelope recipient
(which might differ from the content To: header line). Note that this list of envelope recipients does not
necessarily include all recipients the sender designated. If a sender specifies a bcc address, for example, the
sending MTA might choose to send it as a separate message entirely. The archive log includes only the
envelope recipients from the SMTP transaction that created the message.
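The following added example (not part of the original Cisco document) reads an archive log in mbox format and lists, for each message, the envelope recipients recorded in X-IronPort-RCPT-TO: headers that do not appear in the To: or Cc: headers. The sample mbox content and the function names are constructed for illustration, and it assumes each X-IronPort-RCPT-TO: value is a single address, bare or in angle brackets.

```python
import mailbox
import os
import tempfile
from email.utils import getaddresses

# Constructed sample of an archive log in mbox format (not real ESA output).
SAMPLE_MBOX = """\
From sender@example.org Wed Jul 30 10:00:00 2014
X-IronPort-RCPT-TO: alan@exchange.example.com
To: alan@exchange.example.com
Subject: status report

Body one.

From sender@example.org Wed Jul 30 10:05:00 2014
X-IronPort-RCPT-TO: alan@exchange.example.com
X-IronPort-RCPT-TO: audit@exchange.example.com
To: Alan <alan@exchange.example.com>
Subject: contract draft

Body two.
"""

def addresses(msg, *header_names):
    """Lower-cased addresses found in all occurrences of the given headers."""
    values = [v for name in header_names for v in msg.get_all(name, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def envelope_only_recipients(mbox_path):
    """Per message: (subject, envelope recipients absent from To:/Cc:)."""
    box = mailbox.mbox(mbox_path, create=False)
    try:
        return [(msg.get("Subject", ""),
                 sorted(addresses(msg, "X-IronPort-RCPT-TO") - addresses(msg, "To", "Cc")))
                for msg in box]
    finally:
        box.close()

def run_on_sample():
    # Write the constructed sample to a temporary file and analyse it.
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as fh:
        fh.write(SAMPLE_MBOX)
    try:
        return envelope_only_recipients(fh.name)
    finally:
        os.unlink(fh.name)

if __name__ == "__main__":
    for subject, extra in run_on_sample():
        print(f"{subject!r}: envelope-only recipients = {extra}")
```

To use it on a real archive, pass the path of a log file retrieved from the appliance to `envelope_only_recipients()`.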
Note: The Archive message filter action replaces the Log action. Message filters which use the previous
names will automatically be updated when the system is upgraded.
Another way to keep copies of a message is to generate a copy with the bcc filter action. The bcc action makes
an exact copy of the message and sends it to the designated recipient, which could be a collection mailbox on
an archive server. The copy is an exact copy of the message content, but it does not include the envelope recipients
(which might differ from the content To: header line).