Release messages on SMA

saitelhadj1
Level 1

Hello,

My problem is that the messages released from the spam quarantine on the SMA are not delivered to their destination.

When I view message tracking I have the message (the capture is attached to the discussion); also, telnet @ESA 25 gives me this message: telnet: unenabled connexion.

thank you



Mathew Huynh
Cisco Employee

Hello,


Typically the SMA will release the emails to the ESA based on the configuration seen on SMA.

GUI > Management Appliance > Centralized Services > Spam Quarantine

Make sure you have the servers setup here.


Ensure your SMA can connect to these servers on port 25.

If you're getting a connection timeout or refusal error, ensure network routes and firewalls allow SMA to connect to ESA properly.


Regards,

matthew

Hi, 

I got a question regarding this issue.

Let's say the messages released from the spam quarantine on the SMA are not delivered to their destination.

Will they bounce back to the SMA quarantine, or will the message be gone?

Thanks.

Hi Abdul,

The original email would no longer be available; the SMA would generate a new MID and attempt to deliver the bounce notification to the original sender.

Something similar to this:

sma0.esa-lab.co.local> grep "MID 302" mail_logs

Wed May 24 07:09:10 2017 Info: Start MID 302 ICID 0 (ISQ Released Message)
Wed May 24 07:09:10 2017 Info: ISQ: Reinjected MID 301 as MID 302
Wed May 24 07:09:10 2017 Info: MID 302 ICID 0 From: <test@cisco.com>
Wed May 24 07:09:10 2017 Info: MID 302 ICID 0 RID 0 To: <test@esa-lab.local>
Wed May 24 07:09:10 2017 Info: MID 302 Subject 'Test quarantine'
Wed May 24 07:09:10 2017 Info: MID 302 ready 1609 bytes from <test@cisco.com>
Wed May 24 07:09:10 2017 Info: ISQ: MID 302 targeted for release MGA for final delivery
Wed May 24 07:09:10 2017 Info: MID 302 queued for delivery
Thu May 25 07:27:12 2017 Info: Bounced: DCID 0 MID 302 to RID 0 - Bounced by destination server with response: 5.x.0 - Message bounced by administrator ('000', [])
Thu May 25 07:27:12 2017 Info: MID 304 was generated for bounce of MID 302
Thu May 25 07:27:12 2017 Info: Message finished MID 302 done

sma0.esa-lab.co.local> grep "MID 304" mail_logs

Thu May 25 07:27:12 2017 Info: Start MID 304 ICID 0
Thu May 25 07:27:12 2017 Info: MID 304 was generated for bounce of MID 302
Thu May 25 07:27:12 2017 Info: MID 304 ICID 0 From: <>
Thu May 25 07:27:12 2017 Info: MID 304 ICID 0 RID 0 To: <test@cisco.com>
Thu May 25 07:27:12 2017 Info: MID 304 ready 2739 bytes from <>
Thu May 25 07:27:12 2017 Info: MID 304 queued for delivery

If the SMA does not have connectivity to deliver emails to cisco.com directly, the bounce email will remain in the delivery queue, as in this case where my lab device cannot go out to the internet.

- Libin V

Hi Libin,

Thanks for the explanations.

May I know which port needs to be open for releasing PVO Quarantine email from the SMA?

Do I need to configure any listener on the ESA to receive the email from the SMA PVO Quarantine?

Hello,

The following ports are needed for SMA <--> ESA communication:

PVO:

1) ESA --> SMA (7025)

2) SMA --> ESA (7025)

Spam Quarantine:

1) ESA --> SMA (6025)

2) SMA --> ESA (25)

General Connectivity / Tracking / Reporting:

1) ESA --> SMA (22)

2) SMA --> ESA (22)

Thanks!

-Dennis M.
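The port list above can be turned into a repeatable check rather than a series of manual telnet attempts. The following script is an added example, not part of this thread or of Cisco's own tooling: it encodes the six SMA/ESA flows listed by Dennis as data, runs only the checks that originate on the host you are on, and reports which ones fail. The ESA and SMA addresses are parameters; the 10.0.0.x values in the demo are placeholders, and the `probe` argument is injectable so the matrix can be exercised offline.

```python
import socket


def required_checks(esa, sma):
    """Return (source, destination, port, purpose) tuples for the SMA <-> ESA
    flows listed in the thread: PVO on 7025 both ways, spam quarantine on
    6025 (ESA -> SMA) and 25 (SMA -> ESA), and 22 both ways for
    connectivity, tracking and reporting."""
    return [
        (esa, sma, 7025, "centralized PVO: ESA sends quarantined mail to SMA"),
        (sma, esa, 7025, "centralized PVO: SMA releases mail back to ESA"),
        (esa, sma, 6025, "spam quarantine: ESA sends spam to SMA"),
        (sma, esa, 25, "spam quarantine: SMA re-injects released mail to ESA"),
        (esa, sma, 22, "connectivity/tracking/reporting: ESA to SMA"),
        (sma, esa, 22, "connectivity/tracking/reporting: SMA to ESA"),
    ]


def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within `timeout` seconds.

    This is the non-interactive equivalent of the 'telnet <host> <port>' test
    recommended in the thread; the explicit timeout makes a silently
    firewalled port fail fast instead of hanging."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(local_role, esa, sma, probe=tcp_open):
    """Run the checks that originate on this host; local_role is 'ESA' or 'SMA'.

    `probe(host, port)` defaults to a real TCP connect but can be replaced
    with a stub for offline testing. Returns (destination, port, purpose,
    reachable) tuples."""
    me = {"ESA": esa, "SMA": sma}[local_role]
    return [
        (dst, port, purpose, probe(dst, port))
        for src, dst, port, purpose in required_checks(esa, sma)
        if src == me
    ]


def report(results):
    """Render one line per check. From the SMA, a FAIL on 7025 or 25 is the
    'Could not connect to PVO release port' / released-mail-not-delivered
    symptom discussed in this thread."""
    return [
        f"{'OK  ' if ok else 'FAIL'} {dst}:{port}  {purpose}"
        for dst, port, purpose, ok in results
    ]


if __name__ == "__main__":
    # Placeholder addresses (constructed); substitute your own appliances.
    for line in report(run_checks("SMA", "10.0.0.3", "10.0.0.4")):
        print(line)
```

Run it on the SMA with `local_role="SMA"` and on the ESA with `local_role="ESA"`; each host only exercises the flows it is supposed to originate, which mirrors the direction column of the port list.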

Hello Libin,

Hope you can help me on this.

Previously I had an issue where my customer said the email was gone/undelivered when they released it from the SMA.

Below are the logs I got from the SMA.

Wed May 24 08:40:31 2017 Info: Connection Error: DCID: 7 domain: 10.0.0.3 IP: 192.168.191.20 port: 7025 details: timeout interface: 10.0.0.4 reason: connection timed out
Wed May 24 08:40:31 2017 Info: Quarantine: Could not connect to PVO release port on ESA 192.168.191.20. This could be because the ESA is unreachable or PVO is not enabled on ESA.


Incoming mail : 192.168.191.20 (ESA) -> 192.168.192.20 (ESA) -> Mail Server

PVO Quarantine: 192.168.191.20 -> Mgmt ESA (10.0.0.3) -> 10.0.0.4 (SMA)

Kindly advise what actually happened to the email. How can I trace the email back? Thanks.

Hi,

It would be difficult to comment on the network situations for past dates when the connection timed out.

However, based on the logs it appears 10.0.0.4 could not connect to 192.168.191.20 over port 7025 to deliver emails from an ESA to SMA centralized PVO.

The emails released from centralized PVO should be re-injected to the ESA on port 25, from the second log it shows an error as well. SMA could not connect to 192.168.191.20 to deliver the released email.

You can use telnet from the devices to confirm connectivity:

ESA to SMA port 7025 for centralized PVO

ESA to SMA port 6025 for centralized spam quarantine

SMA to ESA port 22 (bi-directional) and 25 for centralized reporting, tracking and released emails.

As mentioned earlier the original email would no longer be available if after multiple retries the email could not be delivered.

A separate listener is not required on the ESA, and the SMA can deliver emails to an existing listener on the ESA.

Thank You!

Libin Varghese
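Both diagnoses in this thread come from reading mail_logs by hand: following a released message from its original MID to the re-injected MID and then to the bounce MID (the MID 301/302/304 grep output earlier), and spotting the Connection Error line that names the interface, destination IP and port that timed out. The script below is an added example, not part of this thread or of Cisco's AsyncOS, that automates both reads. The sample input is constructed from the log lines quoted in this thread; the function names `parse_mail_logs` and `release_outcome` are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the MID 302/304 lab lines and the PVO connection-error
# lines quoted in this thread, concatenated as they would appear in mail_logs.
SAMPLE_MAIL_LOGS = """\
Wed May 24 07:09:10 2017 Info: Start MID 302 ICID 0 (ISQ Released Message)
Wed May 24 07:09:10 2017 Info: ISQ: Reinjected MID 301 as MID 302
Wed May 24 07:09:10 2017 Info: MID 302 ICID 0 From: <test@cisco.com>
Wed May 24 07:09:10 2017 Info: MID 302 ICID 0 RID 0 To: <test@esa-lab.local>
Wed May 24 07:09:10 2017 Info: MID 302 Subject 'Test quarantine'
Wed May 24 07:09:10 2017 Info: MID 302 ready 1609 bytes from <test@cisco.com>
Wed May 24 07:09:10 2017 Info: ISQ: MID 302 targeted for release MGA for final delivery
Wed May 24 07:09:10 2017 Info: MID 302 queued for delivery
Wed May 24 08:40:31 2017 Info: Connection Error: DCID: 7 domain: 10.0.0.3 IP: 192.168.191.20 port: 7025 details: timeout interface: 10.0.0.4 reason: connection timed out
Wed May 24 08:40:31 2017 Info: Quarantine: Could not connect to PVO release port on ESA 192.168.191.20. This could be because the ESA is unreachable or PVO is not enabled on ESA.
Thu May 25 07:27:12 2017 Info: Bounced: DCID 0 MID 302 to RID 0 - Bounced by destination server with response: 5.x.0 - Message bounced by administrator ('000', [])
Thu May 25 07:27:12 2017 Info: MID 304 was generated for bounce of MID 302
Thu May 25 07:27:12 2017 Info: Message finished MID 302 done
Thu May 25 07:27:12 2017 Info: Start MID 304 ICID 0
Thu May 25 07:27:12 2017 Info: MID 304 ICID 0 From: <>
Thu May 25 07:27:12 2017 Info: MID 304 ICID 0 RID 0 To: <test@cisco.com>
Thu May 25 07:27:12 2017 Info: MID 304 ready 2739 bytes from <>
Thu May 25 07:27:12 2017 Info: MID 304 queued for delivery
"""

# One mail_logs line: "<day> <mon> <dd> <hh:mm:ss> <yyyy> <Level>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<level>\w+): (?P<msg>.*)$")
REINJECT_RE = re.compile(r"ISQ: Reinjected MID (\d+) as MID (\d+)")
BOUNCE_GEN_RE = re.compile(r"MID (\d+) was generated for bounce of MID (\d+)")
CONN_ERR_RE = re.compile(
    r"Connection Error: DCID: (\d+) domain: (\S+) IP: (\S+) port: (\d+) "
    r"details: (\S+) interface: (\S+) reason: (.*)")
MID_RE = re.compile(r"\bMID (\d+)")


def parse_mail_logs(text):
    """Index mail_logs lines by MID and record the release/bounce links and
    any connection errors, so a release can be followed without grepping."""
    events = defaultdict(list)  # MID -> [(timestamp, message), ...]
    reinjected_as = {}          # original MID -> MID of the re-injected copy
    bounce_of = {}              # failed MID -> MID of its bounce notification
    conn_errors = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        for mid in set(MID_RE.findall(msg)):
            events[mid].append((m["ts"], msg))
        r = REINJECT_RE.search(msg)
        if r:
            reinjected_as[r.group(1)] = r.group(2)
        b = BOUNCE_GEN_RE.search(msg)
        if b:
            bounce_of[b.group(2)] = b.group(1)
        c = CONN_ERR_RE.search(msg)
        if c:
            conn_errors.append({"time": m["ts"], "dcid": c.group(1), "domain": c.group(2),
                                "ip": c.group(3), "port": int(c.group(4)),
                                "interface": c.group(6), "reason": c.group(7)})
    return {"events": events, "reinjected_as": reinjected_as,
            "bounce_of": bounce_of, "conn_errors": conn_errors}


def _state(msgs):
    """Collapse one MID's log lines into a delivery state."""
    if any(m.startswith("Bounced:") for m in msgs):
        return "bounced"
    if any(m.startswith("Message finished") for m in msgs):
        return "finished"
    if any("queued for delivery" in m for m in msgs):
        return "queued"
    return "unknown"


def release_outcome(parsed, original_mid):
    """Follow a quarantine release: original MID -> re-injected MID -> bounce MID.
    A bounce that is itself still 'queued' means the notification has not
    left the SMA either, which is the situation Libin describes."""
    new_mid = parsed["reinjected_as"].get(original_mid)
    if new_mid is None:
        return {"original": original_mid, "status": "no release found"}
    msgs = [m for _, m in parsed["events"][new_mid]]
    out = {"original": original_mid, "reinjected_as": new_mid, "status": _state(msgs)}
    bounce_mid = parsed["bounce_of"].get(new_mid)
    if bounce_mid:
        out["bounce_mid"] = bounce_mid
        out["bounce_reason"] = next(
            (m.split("response: ", 1)[1] for m in msgs if "response: " in m), None)
        out["bounce_state"] = _state([m for _, m in parsed["events"][bounce_mid]])
    return out


if __name__ == "__main__":
    parsed = parse_mail_logs(SAMPLE_MAIL_LOGS)
    print(release_outcome(parsed, "301"))
    for err in parsed["conn_errors"]:
        print(f"{err['time']}: {err['interface']} -> {err['ip']}:{err['port']} {err['reason']}")
```

Against the sample, the release of MID 301 resolves to a bounced MID 302 with a queued bounce MID 304, and the single connection error shows the SMA management interface 10.0.0.4 trying to reach 192.168.191.20 on 7025, which is the detail that led to the SMTP-route and listener questions that follow.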

Hi Libin,

Why does 10.0.0.4 need to connect to 192.168.191.20? That is the ESA listener for incoming SMTP on the outside-facing interface.

The connectivity between the SMA and ESA uses the Mgmt interface: 10.0.0.3 on the ESA and 10.0.0.4 on the SMA. We do that because we want to separate them into a Management VLAN.

Do I need to add a listener and assign it to the mgmt port?

Based on the logs that you shared

Wed May 24 08:40:31 2017 Info: Connection Error: DCID: 7 domain: 10.0.0.3 IP: 192.168.191.20 port: 7025 details: timeout interface: 10.0.0.4 reason: connection timed out

The domain is listed as 10.0.0.3 and it is attempting to deliver to destination IP 192.168.191.20; I am not sure if you have an SMTP route configured on the SMA that is causing this.

- Libin V

I did not configure any SMTP route on the SMA.

In the actual environment without the SMA, we used port 1 and port 2 as listeners.

With the SMA, we want to use the management port. Right now, centralized reporting and message tracking are running well with no issue. Previously, the PVO migration was also running well.

Can you advise the basic configuration to make the PVO quarantine run well?

Normally, when a message is released from a centralized quarantine, the Security Management appliance returns it for processing to the Email Security appliance that originally sent it to the centralized quarantine.

So you could track the mail_logs for the email on the ESA to see which interface was used to deliver the email to the SMA.

Interface selection depends on the routing configuration of the appliance.

If the Email Security appliance that originated a message is not available, a different Email Security appliance can process and deliver released messages. You designate the appliance for this purpose.

On the Security Management appliance, choose Management Appliance > Centralized Services > Security Appliances.
Click the Specify Alternate Release Appliance button.

Interface selection depends on the routing configuration of the appliance

Based on your statement above, it seems like I'm having a routing issue.

Does it mean that I need to configure routing correctly on the SMA?

For troubleshooting assistance I would recommend opening a TAC case.

For configuration steps you can always refer to the end user guides below:

http://www.cisco.com/c/en/us/support/security/content-security-management-appliance/products-user-guide-list.html

- Libin