8 Replies Latest reply on Jul 11, 2012 6:40 AM by mcafee-com-user

    MEG 6.7.2 HF5 - Logging for 556

    mcafee-com-user

      Hello,

      We don't accept email with a from-address which is in our own domain.

      For example, someone tries to send email with the from-address

      test@ourdomain.com

      We reject with "556 connot accept message from this email address"

      Can we see this event in any log?

      We would like to do a search with

      "grep test@ourdomain.com"

      We have not been able to find this event even though we changed the logging level for SMTPI to the highest value "detailed".

      Any idea, or is there no chance to see this event in one of the logs?

      Best regards!

        • 1. Re: MEG 6.7.2 HF5 - Logging for 556

          This does not sound like any error message or number that the IronMail would generate.  The IronMail will give something along the lines of 'relay denied'.

           

          Is it possible that there is some other solution in front of the IronMail that could also block messages?

          • 2. Re: MEG 6.7.2 HF5 - Logging for 556
            mcafee-com-user

            Hello,

            The e-mails are blocked by MEG, and this is okay, coz we activated the following option in SMTPI:

            Reject Invalid MailFrom (Select this checkbox to enable Email Gateway to reject mail from an address that is part of the routing domain but is not in the Allow Relay list.)

            What we want is to see this behavior in the log file.

            Best regards!

            • 3. Re: MEG 6.7.2 HF5 - Logging for 556

              You should see something like:
              20111017:13:39:52|22994305346204|9260|MAIL FROM - Forged/Invalid From address. Domain listed in routing list, but IP address not in allow relay list. Rejecting command...||

               

              The date/time and connection ID will change, but the rest of the line (event ID and text) will be the same. 

              • 4. Re: MEG 6.7.2 HF5 - Logging for 556
                mcafee-com-user

                Hello,

                Thanks for your answer. We did see this record in the events already.

                Our question is as described at the beginning of this thread:

                We would like to do a search with

                "grep test@ourdomain.com"

                (this is the forged email address)

                and see when it has been used.

                The log only shows IP address, time and so on, but not the email address which is used as the FROM address in the envelope.

                Maybe this is not implemented in MEG at the moment.

                Best regards.

                • 5. Re: MEG 6.7.2 HF5 - Logging for 556

                  You will not find everything on the same line, but the address is there:

                   

                  20111017:13:39:42|22994305346204|9235|ChannelID:ThreadID:Source IP:Port:Destination IP:Port -|0:18:10.10.174.0:34197:10.10.130.202:25|
                  20111017:13:39:42|22994305346204|9233|Processing started.||
                  20111017:13:39:42|22994305346204|9236|Connection accepted.||
                  20111017:13:39:42|22994305346204|10772|<Channels VIP:Secure Flag> -|<id=<0>, name=<Default Virtual Host>,network_active=<1>:0>|
                  20111017:13:39:42|22994305346204|9281|Relay ----> -|<0>|
                  20111017:13:39:44|22994305346204|9240|Command line -|ehlo test|
                  20111017:13:39:52|22994305346204|9240|Command line -|mail from:aclements@mfesupport.com|
                  20111017:13:39:52|22994305346204|9259|Trimmed a special character from MAIL FROM.||
                  20111017:13:39:52|22994305346204|9260|MAIL FROM - Forged/Invalid From address. Domain listed in routing list, but IP address not in allow relay list. Rejecting command...||
                  20111017:13:39:58|22994305346204|9240|Command line -|quit|
                  20111017:13:39:58|22994305346204|9234|Processing completed.||
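
Added example, not part of the original reply and not McAfee tooling: because the envelope sender (event 9240) and the rejection (event 9260) sit on different lines, a plain grep for the address cannot find the rejection; the two have to be joined on the connection ID. The event IDs and sample lines come from this thread; the function names are hypothetical, and when the 9240 lines are not logged (as in reply 6) only the source IP can be reported.

```python
import re

# Event IDs as they appear in the log lines quoted in this thread.
EV_CONNECTION, EV_COMMAND, EV_FORGED_FROM = "9235", "9240", "9260"
MAIL_FROM = re.compile(r"mail from:\s*<?([^<>\s]*)>?", re.IGNORECASE)

# Sample lines taken from replies 5 and 6 (timestamp|connection ID|event ID|text|detail|).
SAMPLE_EVENTS = """\
20111017:13:39:42|22994305346204|9235|ChannelID:ThreadID:Source IP:Port:Destination IP:Port -|0:18:10.10.174.0:34197:10.10.130.202:25|
20111017:13:39:44|22994305346204|9240|Command line -|ehlo test|
20111017:13:39:52|22994305346204|9240|Command line -|mail from:aclements@mfesupport.com|
20111017:13:39:52|22994305346204|9260|MAIL FROM - Forged/Invalid From address. Domain listed in routing list, but IP address not in allow relay list. Rejecting command...||
20111019:07:02:35|22994812321491|9235|ChannelID:ThreadID:Source IP:Port:Destination IP:Port -|6:89:112.19.31.61:2436:112.51.15.91:25|
20111019:07:02:52|22994812321491|9260|MAIL FROM - Forged/Invalid From address. Domain listed in routing list, but IP address not in allow relay list. Rejecting command...||
"""

def forged_from_rejections(log_text):
    """Return one record per 9260 rejection, joined to its connection's data."""
    connections = {}  # connection ID -> what has been seen on it so far
    rejections = []
    for line in log_text.splitlines():
        parts = line.strip().split("|", 4)
        if len(parts) < 5:
            continue  # not an event line
        timestamp, conn_id, event_id, _text, detail = parts
        detail = detail.rstrip("|")
        seen = connections.setdefault(conn_id, {"source_ip": None, "mail_from": None})
        if event_id == EV_CONNECTION:
            # ChannelID:ThreadID:Source IP:Port:Destination IP:Port (IPv4 assumed)
            fields = detail.split(":")
            if len(fields) == 6:
                seen["source_ip"] = fields[2]
        elif event_id == EV_COMMAND:
            match = MAIL_FROM.match(detail)
            if match:
                seen["mail_from"] = match.group(1).lower()
        elif event_id == EV_FORGED_FROM:
            rejections.append({"time": timestamp, "connection": conn_id, **seen})
    return rejections

def rejections_for(address, rejections):
    """The 'grep test@ourdomain.com' question: when was this sender rejected?"""
    return [r for r in rejections if r["mail_from"] == address.lower()]

if __name__ == "__main__":
    for r in forged_from_rejections(SAMPLE_EVENTS):
        print(r["time"], r["source_ip"], r["mail_from"] or "(MAIL FROM not logged)")
```
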

                  • 6. Re: MEG 6.7.2 HF5 - Logging for 556
                    mcafee-com-user

                    Hello,

                    Thanks for the quick reply. Unfortunately our MEG does not log in this detailed way.

                    Our settings for the logging level are:

                     

                    SMTPI-Loglevel ==> Detailed

                    SMTPO-Loglevel ==> Detailed

                    Highest SMTPO Logging for Troubleshooting  ==> activated

                     

                    The log then shows only the following lines:

                     

                    show events | grep 22994812321491

                    20111019:07:02:35|22994812321491|9235|ChannelID:ThreadID:Source IP:Port:Destination IP:Port -|6:89:112.19.31.61:2436:112.51.15.91:25|
                    20111019:07:02:35|22994812321491|9233|Processing started.||
                    20111019:07:02:35|22994812321491|9236|Connection accepted.||
                    20111019:07:02:35|22994812321491|10772|<Channels VIP:Secure Flag> -|< id=<0>, name=<Default Virtual Host>, network_active=<1>:0>|
                    20111019:07:02:35|22994812321491|9281|Relay ----> -|<0>|
                    20111019:07:02:52|22994812321491|9259|Trimmed a special character from MAIL FROM.||
                    20111019:07:02:52|22994812321491|9260|MAIL FROM - Forged/Invalid From address. Domain listed in routing list, but IP address not in allow relay list. Rejecting command...||

                     

                    Which are the logging levels you choose on your MEG?

                     

                    Thanks for your help!

                     

                    Best regards.

                     

                    Message edited by mcafee-com-user on 19.10.11 07:29:13 CEST
                    • 7. Re: MEG 6.7.2 HF5 - Logging for 556
                      mcafee-com-user

                      Hello "ajclements",

                       

                      We did not get an answer. Can you please tell us which logging levels you are using on your MEG?

                      We tried the settings as written in the last posting

                      SMTPI-Loglevel ==> Detailed

                      SMTPO-Loglevel ==> Detailed

                      Highest SMTPO Logging for Troubleshooting  ==> activated

                      and do not see the address which is used as the FROM address in the envelope.

                       

                      It would be great if you could give us this information.

                       

                      Best regards.

                      • 8. Re: MEG 6.7.2 HF5 - Logging for 556
                        mcafee-com-user

                        Hello,

                         

                        I am still searching for the setting to see such lines in the log file:

                        20111017:13:39:44|22994305346204|9240|Command line -|ehlo test|

                        20111017:13:39:52|22994305346204|9240|Command line -|mail from:aclements@mfesupport.com|

                        Is there no one, especially from McAfee support, who can tell me which log level settings have to be set to see these lines?

                         

                         

                        I already tried

                        SMTPI-Loglevel ==> Detailed

                        SMTPO-Loglevel ==> Detailed

                        Highest SMTPO Logging for Troubleshooting  ==> activated

                        SuperQueue Configuration ==> LogLevel ==> Detailed

                         

                        Thanks in advance.

                         

                        Best regards.