This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Email through appliance has not picked up CC recipients.

Bit of a strange one but a user(Christine) has recieved an email today which had some people CC'ed. I cannot see those people CC'ed(Paul) if i look at the email passing through the appliance but i can see their email addresses when i look at the email in Christines mailbox. Paul has not recieved the email and i cannot see it passing through exchange at all.

 

I have the email headers which I've pasted into an analyzer and even the analyzer seems to discard the CC'ed recipients.

Looking at the editted header below, every user has recieved the email up until Christine. Jim and Paul have not.

And as below the email appliance only see's two recipients.

Does anyone have any suggestions? Happy to provide more info if i've missed anything.

 

Thanks,

 

Stephen



This thread was automatically locked due to age.
Parents
  • Hi Steven,

     

    Without the actual email and such, best guess is the only answer that can be posted on the forums .. so if you want anything past this you should create a new message from Christine's inbox, drag/drop the original message as a .eml attachment and send it to not-spam@labs.sophos.com  .. then open a support case. 

     

    In short when you have a message to individual people, the appliance sees these recipients .. but there is only one message .. your downstream exchange server would message split a copy for each recipient.  The only time the appliance would do the split is.. if one of the recipients has the sender in their per-user allow/block list.   in those cases the appliance would split copies based on those user policies..  the other option (doesn't look like that's the case here) is if the message is going to a distribution group and you have configured the group (via ad sync query string) this would also show up under usergroups.

     

    in this case .. the (2) around the message listing seems to indicate that 2 splits were done.  again tho, one can not tell properly without the message and access to the postfix and milter logs.

     

    In the ui, you should also see a link that points to the additional information about the message.

     

    its also possible that outlook or exchange is blocking the message (ie they have a blacklist or rule specific to the user's outlook)

  • Hi Red,

     

    Thanks for the reply. It seems that email appliance is splitting it into 2 messages although it should be splitting it into 4. For some reason the email appliance is only seeing two of the recipents even though I can see in the header there are four. Probably best if i log this with Sophos like you say, but if you've got any other ideas i'd appreciate it :)

Reply
  • Hi Red,

     

    Thanks for the reply. It seems that email appliance is splitting it into 2 messages although it should be splitting it into 4. For some reason the email appliance is only seeing two of the recipents even though I can see in the header there are four. Probably best if i log this with Sophos like you say, but if you've got any other ideas i'd appreciate it :)

Children
  • Normally the appliance would not split any message, unless it has to for sake of policy.

    Think of it more like this..

     

    distribution list = accounting

    jimmy, sally, jane are in accounting

    your appliance query string pulls down the list, it should understand the 3 users and the list. so all 4 entries are "valid"  you should be able to see the 3 users and the group via the ad query tool, or simply by creating a new additional policy

     

    2 scenarios:

    #1 .. mail arrives from paint.com for the list accounting .. no policy on the device triggers, all users are valid and everything is fine.  only 1 message is received and only 1 message is sent downstream.. once exchange gets the message it would split 3 copies and deliver them to the users.

     

    #2

    if its addressed to the list..  assuming the appliance AD query string is correct .. It would understand there is a new message for a valid dist group called "accounting" .. it would then understand that list consists of "3" recipients.  the appliance would then apply policy for all 4 components..  anytime there is an action .. the message would be split. so if jimmy added paint.com to his black list.. the message would be split for the other 2 users and jimmy's copy would be trashed. or paint.com.  This applys to both ui based policy and per-user lists.

    if this all looks good, I would start looking down stream for things like. ..

    ie: exchange AS scanning, or additional exchange rules, or per user client lists in outlook, or out look rules in general.