PureMessage Exchange DAG - double quarantine spam digest?

I have the exact same issue, Puremessage 4 latest version on Exchange 2016, 2 brand new servers, separate remote SQL server. Clustering for puremessage working fine, can see all servers in the console, but receive 2 separate quarantine emails for each server. The quarantine files are replicated between the two servers I can see all the quarantine files for both servers in the single DFS replicated directory, yet the web digest only shows emails relating to the server the web request is directed to. In the puremessage console all the spam emails for all servers can be seen in one place.

Any one have a fix for this, I've had a request open with Sophos for over a month now and still no response other than having to email them some SDU logs. Shockingly bad service.

sounds like the db requirement is not met .. have a quick look here.. chapter 13:

https://docs.sophos.com/msg/pme/4-0-4/help/en-us/pdf/pme_sg.pdf

In short you may have a cluster, however it sounds like you have separate sql lites on each box.. so they are scanning 2 databases instead of a shared db that would normally be used with a pmex cluster.

I'm guessing you installed to edge servers in front of your mail box server?

once the cluster is using the same database then your digest should work fine.. otherwise each member will scrape its local database for mail between X and Y time. 

again sounds right..

This sounds line a case where pmex was removed/reinstalled or perhaps the server was upgraded from 2008 .. and for what ever reason the job that scrapes the DB for new items has the wrong path. 

Has this ever worked?  or did it magically just break?

unfortunately my hands are kind of tied without that information so referring to your case will be the best thing.. You may wish to request the case be escalated to L2 

The full story is, 2 x Exchange 2013 servers on Server 2012 installed back in 2014, both with Puremessage, completely clean install (everything was brand new, new domain controllers, domain etc etc etc)., it never worked on these, had the same issue, but as all inbound email was handled by one server it was never an issue we just disabled the firejob scheduled task on the other server and forgot about it.

Fast forward to now and we have recently migrated to 2 new server 2016/exchange 2016 boxes and installed puremessage to those, then decommissioned the old 2013 boxes, and modified the puremessage master server to one of the new 2016 boxes. Both servers now handle the inbound mail so this now needs to be addressed.

Its essentially brand new 2016 installs but using the old puremessage database from the original 2013 installs, just with the master server setting modified to fix the error on console startup. Is there an entry in the database I can check/modify?

The case 8334241 was escalated a week ago, but no response as yet.

Thanks for your help.

Still no response from Support, can you step in at all, this is taking ages to resolve.

I made some notes in the case on your behalf Ben, I apologize for any delays.. currently the case is queued in the escalations queue.  I requested that someone get in touch with you asap.

Regards.

Thats great thank you.

Hey Ben,

Did you ever get this fixed?  We seem to have the exact same issue with an Exchange 2016 DAG.

Afraid not. I had a support ticket open and was supposed to be running some debug on SQL but I never got around to doing it and my case was closed. It still doesn't work properly. If you find a solution with Sophos please update here.

Hey Ben,

I opened a support ticket and the answer from the support agent is:

"I've received a response from the Global Escalations team, it isn't doable unfortunately. Puremessage produces one email per server. It is not possible to merge these into one email."

So I'm guessing its not possible.

Regards

Hi SysAdmin,

Sorry I don't buy this, sounds like you were fobbed off. I got quite far up the escalation process and was told this should have worked.

Why on earth would puremessage collect all spam entries in one database, and also DFS replicate all the spam messages between all cluster members, if then the end user can only see and manage emails on one server.

What happens in a cluster of 10 servers all receiving inbound mail? Is the user expected to to receive 10 separate emails and manage them all. I don't think so.

I may revisit this with Sophos one day, but the answer you received sounds like nonsense to me.

Thanks.

In addition, all the entries of all servers can be viewed in the console as a single list and can all be managed, why wouldn't the end users be able to do the same? If that really is the case this software is not fit for purpose in my opinion.

In addition, all the entries of all servers can be viewed in the console as a single list and can all be managed, why wouldn't the end users be able to do the same? If that really is the case this software is not fit for purpose in my opinion.

Hi Ben Goodfellow1 

I have checked this with our global escalation team, unfortunately, the feature you are looking for is not available as each server will send a digest email as soon as there is a message in quarantine. Apologies for the inconvenience caused.

Hi Shweta,

Thank you for the reply. However I have to disagree. A digest email is sent once per day rather every time a message enters the quarantine. I also would expect the global escalation team to have given some explanation why we (administrators) can see the entire quarantine across all servers, but not for the end-users. This makes no sense at all. Why go to all the bother of developing software that can combine data (all held in a central database), and replicate all failed suspected spam messages across ALL servers, to then only present the ones held on one server to the end user. And on top of that send multiple emails to end users if more than one Exchange server exists.

If this really is the case, yours software is total rubbish and you need to redevelop it. It's been the same since 2013.

Also I would note that your Puremessage for Unix does this (i.e combines quarantine emails from multiple servers for end users to digest). It does exactly what the software for Windows (Exchange) should do. Perhaps you can get an answer from a developer rather than 1st line global.

Thanks.

Hi Ben Goodfellow1 

I certainly understand your concern, but this is something that is beyond the puremessage capability as of now.