
PureMessage Exchange DAG - double quarantine spam digest?

Hey,

 

We're using PMEX on a DAG environment. We have two servers with PMEX installed in a clustered composite.

Is there a way that we only receive one spam digest e-mail in which we can release messages from both servers?

 

Right now we get two spam digest e-mails, from Exchange01 and Exchange02. Messages which arrived by Exchange01 can't be released by the spam digest e-mail generated from Exchange02.

 

Thanks for your help.



  • I have the exact same issue: Puremessage 4 latest version on Exchange 2016, 2 brand new servers, separate remote SQL server. Clustering for Puremessage is working fine and I can see all servers in the console, but we receive 2 separate quarantine emails, one for each server. The quarantine files are replicated between the two servers; I can see all the quarantine files for both servers in the single DFS replicated directory, yet the web digest only shows emails relating to the server the web request is directed to. In the Puremessage console all the spam emails for all servers can be seen in one place.

     

    Anyone have a fix for this? I've had a request open with Sophos for over a month now and still no response other than having to email them some SDU logs. Shockingly bad service.

  • sounds like the db requirement is not met .. have a quick look here.. chapter 13:

    https://docs.sophos.com/msg/pme/4-0-4/help/en-us/pdf/pme_sg.pdf

     

    In short you may have a cluster, however it sounds like you have separate sql lites on each box.. so they are scanning 2 databases instead of a shared db that would normally be used with a pmex cluster.

    I'm guessing you installed to edge servers in front of your mail box server?

     

    once the cluster is using the same database then your digest should work fine.. otherwise each member will scrape its local database for mail between X and Y time. 

  • Hi, thanks for the feedback, however Puremessage has been installed correctly as per the guide. We use a separate SQL server and both Puremessage installations in the cluster point to the shared remote SQL instance, therefore sharing a database. Also in the Puremessage console both servers can be seen and the full combined quarantine of both servers is displayed. Only the end-user digest is not working correctly. We are not using edge servers; the traffic is proxied by a load balancer.

  • Ok, that sounds right,

    the load balancer comment though, I've seen issues where the LB will strip off the connecting MTA's IPs and replace them with its own.. Have you run an SDU and checked out the debug information?

    assuming your post is correct you're going to have to open a case with that SDU.. unfortunately the forums are not the place for that info.

     

    If it's stripping off the IPs or other header info .. that's going to cause all sorts of issues.. otherwise the way it's supposed to work is .. cluster into it, share the database and the cluster master will scrape the db for new records and send out the digest..

     

    also try releasing a message to yourself (google gtube eicar  paste that 60 bit line into an email and send it from an external email address) this will produce a 100% spam hit on it.. then release it and make sure you see all the Received by: headers 

  • Thanks again, yes I am sure it is all installed correctly and already have a case open and have submitted SDU logs for both servers, but it's been over a month now and nothing useful from Sophos hence why I came to the forums.

     

    The load balancer is working correctly and forwards the original IPs so no issues there. I've also tested bypassing the load balancer with mail direct to the Exchange servers and the issue persists.

     

    I've sent EICAR test emails before and ensured they are directed in turn to each Exchange server; they just show up in the digest email for the server in question. The quarantine files are replicating correctly over DFS; I can see them all in the Quarantine folder for both servers, but the digest web site just seems to show ones relating to itself and ignores the other files. I can only assume there is a configuration setting file somewhere that needs something altered but I've looked through them all and cannot see anything obvious.

    I guess I'll just have to wait for Sophos to respond whenever that may be.

  • again sounds right..

    This sounds like a case where pmex was removed/reinstalled or perhaps the server was upgraded from 2008 .. and for whatever reason the job that scrapes the DB for new items has the wrong path.

    Has this ever worked?  or did it magically just break?

     

    unfortunately my hands are kind of tied without that information so referring to your case will be the best thing.. You may wish to request the case be escalated to L2 

  • The full story is: 2 x Exchange 2013 servers on Server 2012 installed back in 2014, both with Puremessage, completely clean install (everything was brand new, new domain controllers, domain etc. etc. etc.). It never worked on these, had the same issue, but as all inbound email was handled by one server it was never an issue; we just disabled the firejob scheduled task on the other server and forgot about it.

    Fast forward to now and we have recently migrated to 2 new server 2016/exchange 2016 boxes and installed puremessage to those, then decommissioned the old 2013 boxes, and modified the puremessage master server to one of the new 2016 boxes. Both servers now handle the inbound mail so this now needs to be addressed.

    It's essentially brand new 2016 installs but using the old Puremessage database from the original 2013 installs, just with the master server setting modified to fix the error on console startup. Is there an entry in the database I can check/modify?

    The case 8334241 was escalated a week ago, but no response as yet.

     

    Thanks for your help.

  • Still no response from Support, can you step in at all, this is taking ages to resolve.

  • I made some notes in the case on your behalf Ben, I apologize for any delays.. currently the case is queued in the escalations queue.  I requested that someone get in touch with you asap.

     

    Regards.

  • Hey Ben,

    Did you ever get this fixed?  We seem to have the exact same issue with an Exchange 2016 DAG.

  • Afraid not. I had a support ticket open and was supposed to be running some debug on SQL but I never got around to doing it and my case was closed. It still doesn't work properly. If you find a solution with Sophos please update here.

  • Hey Ben,

    I opened a support ticket and the answer from the support agent is:


    "I've received a response from the Global Escalations team, it isn't doable unfortunately. Puremessage produces one email per server. It is not possible to merge these into one email."

     

    So I'm guessing it's not possible.

    Regards

  • Hi SysAdmin,

     

    Sorry I don't buy this, sounds like you were fobbed off. I got quite far up the escalation process and was told this should have worked.

    Why on earth would Puremessage collect all spam entries in one database, and also DFS replicate all the spam messages between all cluster members, if then the end user can only see and manage emails on one server?

    What happens in a cluster of 10 servers all receiving inbound mail? Is the user expected to receive 10 separate emails and manage them all? I don't think so.

     

    I may revisit this with Sophos one day, but the answer you received sounds like nonsense to me.

     

    Thanks.

  • In addition, all the entries of all servers can be viewed in the console as a single list and can all be managed, why wouldn't the end users be able to do the same? If that really is the case this software is not fit for purpose in my opinion.