Cisco Cisco Email Security Appliance X1070 Troubleshooting Guide
How do I troubleshoot why a message was not
received by the ESA?
received by the ESA?
Document ID: 118014
Contributed by Jackie Fleming and Enrico Werner, Cisco TAC
Engineers.
Jul 18, 2014
Engineers.
Jul 18, 2014
Contents
Question:
How do I troubleshoot why a message was not received by the ESA?
To troubleshoot message reception, you need to know the IP addresses used for sending mail by the
organization sending mail. Usually, contacting the sender organization's mail administrator is the most
accurate way to get this info. In the absence of this option, you can use some other resources:
organization sending mail. Usually, contacting the sender organization's mail administrator is the most
accurate way to get this info. In the absence of this option, you can use some other resources:
SenderBase− If you enter a domain in the search box at http://www.senderbase.org, you will receive
a list of known sending IPs for that domain.
a list of known sending IPs for that domain.
•
Mail Logs − If you have successfully received mail from the domain in the past, you can look in mail
logs for one of those successful deliveries.
logs for one of those successful deliveries.
•
DNS − You can look up the MX records for the domain. Most smaller organizations use the same
inbound and outbound servers. For larger or more segmented organizations, this option will not likely
reveal the needed information.
inbound and outbound servers. For larger or more segmented organizations, this option will not likely
reveal the needed information.
•
Once you know the IP addresses, you will need to search the mail logs. The grep utility is a good tool for this
purpose. If you are running Windows, you can use Find in Word Pad or Notepad or download a grep utility
from the Internet. Unix and Mac OSX have grep built in and can be accessed from a shell. The grep
command line would look like this (where '10.2.3.4' is the IP address you are searching for):
purpose. If you are running Windows, you can use Find in Word Pad or Notepad or download a grep utility
from the Internet. Unix and Mac OSX have grep built in and can be accessed from a shell. The grep
command line would look like this (where '10.2.3.4' is the IP address you are searching for):
host> grep '10.2.3.4' file.log
If the sender's server is successfully connecting to your server, you will see a line similar to the
following when you search for their IP(s):
following when you search for their IP(s):
Wed Feb 2 23:43:11 2008 Info: New SMTP ICID 6 interface
Management (10.0.0.1) address 10.2.3.4 reverse dns host
test.ironport.com verified no
You can then search for all the lines involving the ICID (Incoming Connection ID). The lines you find will
tell you if they sent From information, if they sent To information, and the message IDs (MID) linked with the
connection. Searching on the MID(s) will show you if the message was accepted by the system, the scan
results, and whether delivery was attempted.
tell you if they sent From information, if they sent To information, and the message IDs (MID) linked with the
connection. Searching on the MID(s) will show you if the message was accepted by the system, the scan
results, and whether delivery was attempted.
Another tool available for troubleshooting this is the Injection Debug Logs. You will need the IP address of
the sending server(s) first. Once you have these, use the
the sending server(s) first. Once you have these, use the
logconfig
commands and select this log type.
Once the log is configured and committed, you can have the user send a test message and (assuming their
server connects to your ESA) the ESA will log the entire SMTP conversation. This will allow you to see the
server connects to your ESA) the ESA will log the entire SMTP conversation. This will allow you to see the