Sometimes your MEG appliance blocks an email. This blog post explains how to identify which configuration or policy setting is blocking it, using the Message Search and Email Reports features on your MEG appliance.

 

SMTP Conversation

Before digging into the MEG features, we need to understand how email transport works behind the scenes. When you send an email, your email software sends the message to your email server, which then forwards it to the destination email server (or the next-hop MTA, depending on your network design). On the Internet, email between organizations is typically transferred over SMTP (Simple Mail Transfer Protocol).

 

The list below shows a very simple SMTP conversation between an SMTP client and server. A message from the server to the client is marked :S, and a message from the client to the server is marked :C.

 

220 scmgateway.tomo.local EGVA/SMTP Ready.:S
HELO test:C
250 Requested mail action okay, completed.:S
MAIL FROM: <tomo@some.domain>:C
250 Requested mail action okay, completed.:S
RCPT TO: <tomo@tomo.local>:C
250 Requested mail action okay, completed.:S
DATA:C
354 Enter mail, end with "." on a line by itself.:S
From: <tomo@some.domain>:C
To: <tomo@tomo.local>:C
Subject: Test:C
Date: Mon, 10 Feb 2014 09:09:09 +0900:C
:C
Test:C
Message:C
.:C
250 Requested mail action okay, completed.:S
QUIT:C

 

Because MEG receives an email message, scans it, and delivers it to the next hop, MEG first acts as an SMTP server when handling an email message.

 

MAIL FROM, RCPT TO, and DATA Phases

The client transfers the email message after the DATA command. In other words, your MEG appliance can only see the message content after the client sends the DATA command. This is characteristic of SMTP, and it shapes what the Message Search and Email Reports features can show.

 

SMTP conversations that go past the DATA phase can be searched from both Message Search and Email Reports. However, some SMTP conversations are rejected and closed before reaching the DATA command. You cannot find traces of such short SMTP conversations using Message Search; Message Search only shows email messages that have passed the DATA phase.

 

The MEG appliance has several features that restrict rogue SMTP conversations at the MAIL FROM and RCPT TO phases. For example, the Permit Sender feature under Email > Email Configuration > Receiving Email > Permit and Deny Lists > Permitted and blocked senders takes effect at the MAIL FROM phase, whereas the Anti-relay feature under Email > Email Configuration > Receiving Email > Anti-Relay Settings takes effect at the RCPT TO phase. You can use Email Reports Detail View to troubleshoot the features that take effect at the MAIL FROM and RCPT TO phases.
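
The phase rule above can be checked against a captured conversation. The following is an added example, not code from the original post or from McAfee: it reads a transcript in the :C/:S notation used earlier, reports the phase at which the server refused it, and names the MEG feature where the trace should be. It assumes "passed the DATA phase" means the server answered DATA with 354; the function names and the rejected sample (including its 550 reply text) are constructed for illustration.

```python
import re

# Constructed transcripts in the post's notation (":C" client, ":S" server).
OK = "250 Requested mail action okay, completed.:S"
GREETING = ["220 scmgateway.tomo.local EGVA/SMTP Ready.:S", "HELO test:C", OK,
            "MAIL FROM: <tomo@some.domain>:C", OK]
ACCEPTED = "\n".join(GREETING + [
    "RCPT TO: <tomo@tomo.local>:C", OK,
    "DATA:C", '354 Enter mail, end with "." on a line by itself.:S',
    "Subject: Test:C", ":C", "Test:C", "Message:C", ".:C", OK, "QUIT:C"])
# The 550 reply text is made up for this sample, not real appliance output.
REJECTED = "\n".join(GREETING + [
    "RCPT TO: <someone@other.example>:C", "550 Constructed rejection.:S",
    "QUIT:C"])

def analyse(transcript):
    """Return (phase, rejecting_reply_code_or_None, reached_data)."""
    phase, in_body, reached_data = "CONNECT", False, False
    for raw in transcript.splitlines():
        m = re.fullmatch(r"(.*):([CS])", raw.strip())
        if not m:
            continue                      # not a marked transcript line
        text, side = m.groups()
        if side == "C" and in_body:
            in_body = text != "."         # a lone "." ends the message
        elif side == "C":
            cmd = re.match(r"MAIL FROM|RCPT TO|[A-Z]+", text.upper())
            phase = cmd.group(0) if cmd else phase
        elif text[:3].isdigit():
            code = int(text[:3])
            if code == 354:               # server accepted DATA: content follows
                in_body = reached_data = True
            elif code >= 400:             # 4xx/5xx: refused at the current phase
                return phase, code, reached_data
    return phase, None, reached_data

def where_to_look(transcript):
    """Map the outcome to the MEG feature the post says holds the trace."""
    _, _, reached_data = analyse(transcript)
    if reached_data:
        return "Message Search, then Email Reports Detail View"
    return "Email Reports Detail View"

if __name__ == "__main__":
    for name, t in (("accepted", ACCEPTED), ("rejected", REJECTED)):
        print(name, analyse(t), "->", where_to_look(t))
```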

 

For the complete list of processors associated with SMTP commands, refer to the "Life of an email message" section in the McAfee® Email Gateway Appliances Administrators Guide.

 

Message Search feature and Email Reports Detail View feature

You can search for an email message or SMTP conversation using a variety of search criteria, for example date and time, source IP address, and policy. Search for your email message in Message Search and/or Email Reports Detail View, then identify which setting blocked your email. I suggest checking Message Search first and Email Reports Detail View second, because in Message Search it is easy to find a message by its subject (recall that the email subject only appears after the DATA command).

 

NOTE: Message Search gives almost real-time results for processed email messages, whereas Email Reports reflects event information with a delay of a couple of minutes, due to event information caching and bulk updates in the appliance backend.

 

[Screenshot: Message Search (messagesearch.png)]


[Screenshot: Email Reports Detail View (emailreport.png)]


Conversation Logging

MEG 7.x has an SMTP Conversation Logging feature. It logs SMTP conversations, allowing you to see how an email has been processed. You can view logs for individual messages in Message Search.

On MEG 7.5 and onwards, Conversation Logging is enabled by default. Please note that on MEG 7.0, enabling Conversation Logging adversely affects performance.

 

To view the conversation log for an email message, select a row in the Message Search results, then click the View Conversation Log button. The log shows, in chronological order, which configuration produced a particular action result, which SMTP scanning policy group was applied, and the scanner results.

 

[Screenshot: selecting one row in Message Search (tooseeconvlog.png)]

 

[Screenshot: a conversation log (convlog.png)]

Here, in the conversation log screenshot, we can see the SMTP conversation including MAIL FROM, RCPT TO and DATA. MEG scanned the message using the Default SMTP policy group, the anti-virus scan detected nothing, and the spam score is 7.3, which is relatively high.