This document describes a problem in which the centralized Policy, Virus and Outbreak Quarantines (PVO) cannot be enabled on the Cisco Email Security Appliance (ESA) because the Enable button is grayed out, and provides solutions.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Messages handled by certain filters, policies and scanning operations on the ESA can be placed into a quarantine, which holds them temporarily for further action. In some cases, even though PVO has been configured correctly on the Security Management Appliance (SMA) and the Migration Wizard has been used, PVO cannot be enabled on the ESA. The Enable button on the ESA usually stays grayed out because the ESA cannot connect to the SMA on TCP port 7025.
On the ESA, the Enable button is grayed out.
On the SMA, the service is shown as inactive with action required.
Several scenarios are described here.
On the SMA, run the status command in the CLI to make sure that the appliance is online. If the SMA is offline, PVO cannot be enabled on the ESA because the connection fails.
sma.example.com> status
Enter "status detail" for more information.
Status as of: Mon Jul 21 11:57:38 2014 GMT
Up since: Mon Jul 21 11:07:04 2014 GMT (50m 34s)
Last counter reset: Never
System status: Offline
Oldest Message: No Messages
If the SMA is offline, run the resume command to bring it back online; this starts the cpq_listener.
sma.example.com> resume
Receiving resumed for euq_listener, cpq_listener.
After you use the Migration Wizard on the SMA, be sure to commit the changes. If the changes are not committed, the Enable... button on the ESA stays grayed out.
If a default delivery interface has been configured on the ESA with the deliveryconfig command, and that default interface cannot reach the SMA because it sits in a different subnet or has no route to the SMA, PVO cannot be enabled on the ESA.
Here is an ESA whose default delivery interface is configured as the In interface:
mx.example.com> deliveryconfig
Default interface to deliver mail: In
Here is a connection test from the ESA's In interface to the SMA on port 7025:
mx.example.com> telnet
Please select which interface you want to telnet from.
1. Auto
2. In (192.168.1.1/24: mx.example.com)
3. Management (10.172.12.18/24: mgmt.example.com)
[1]> 2
Enter the remote hostname or IP address.
[]> 10.172.12.17
Enter the remote port.
[25]> 7025
Trying 10.172.12.17...
telnet: connect to address 10.172.12.17: Operation timed out
telnet: Unable to connect to remote host
To resolve this problem, set the default interface to Auto, so that the ESA automatically uses the interface that has a route to the SMA.
mx.example.com> deliveryconfig
Default interface to deliver mail: In
Choose the operation you want to perform:
- SETUP - Configure mail delivery.
[]> setup
Choose the default interface to deliver mail.
1. Auto
2. In (192.168.1.1/24: mx.example.com)
3. Management (10.172.12.18/24: mgmt.example.com)
[1]> 1
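The telnet test above only tells you "timed out" for one interface at a time. The following script, an added example rather than anything from the original document or from Cisco, reproduces that check from any host: it binds the connection to a chosen source address (the equivalent of picking In or Management at the ESA telnet prompt, or of leaving it to routing with Auto) and classifies the outcome into the cases this document distinguishes: connected, timed out (no route from that interface), refused (host up but nothing listening, for example because the SMA is offline and cpq_listener is not running), or a source address that does not exist on the host. The function and helper names are mine, and the loopback listener only stands in for the SMA's port 7025 so the example runs offline.

```python
import errno
import socket
import threading

SMA_PORT = 7025  # port the ESA must reach on the SMA (from the document)


def probe_sma(sma_ip, source_ip=None, port=SMA_PORT, timeout=3.0):
    """TCP-connect to the SMA quarantine port and classify the outcome.

    source_ip pins the connection to one interface address, which is what
    choosing "In" or "Management" at the ESA telnet prompt does; None lets the
    OS pick the route, the equivalent of the deliveryconfig "Auto" choice.
    Returns a dict so callers can branch on "status" rather than parse text.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        if source_ip:
            sock.bind((source_ip, 0))
        sock.connect((sma_ip, port))
        return {"ok": True, "status": "connected",
                "detail": "%s -> %s:%d" % (sock.getsockname()[0], sma_ip, port)}
    except socket.timeout:
        # The document's "Operation timed out": the SYN left on an interface that
        # has no route to the SMA, or the SMA's reply has no route back.
        return {"ok": False, "status": "timed_out",
                "detail": "no SYN/ACK from %s:%d within %.1fs" % (sma_ip, port, timeout)}
    except OSError as exc:
        status = {
            errno.ECONNREFUSED: "refused",         # host reachable, nothing listening on the port
            errno.ENETUNREACH: "no_route",
            errno.EHOSTUNREACH: "no_route",
            errno.EADDRNOTAVAIL: "bad_source_ip",  # source_ip is not configured on this host
        }.get(exc.errno, "error")
        return {"ok": False, "status": status, "detail": str(exc)}
    finally:
        sock.close()


def local_listener():
    """Throwaway listener on 127.0.0.1 that stands in for the SMA's port 7025
    in the offline demo; returns the port it listens on and accepts one client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one():
        try:
            conn, _ = srv.accept()
            conn.close()
        finally:
            srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port


def unused_port():
    """Return a loopback TCP port that nothing listens on (bind, read, release)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Offline walk-through of three outcomes; 203.0.113.9 is a documentation
    # address that is not configured on this host, so the bind fails.
    print(probe_sma("127.0.0.1", source_ip="127.0.0.1", port=local_listener()))
    print(probe_sma("127.0.0.1", port=unused_port()))
    print(probe_sma("127.0.0.1", source_ip="203.0.113.9", port=SMA_PORT))
```

Against a real SMA, call probe_sma once per ESA interface address (for example the In and Management addresses from the telnet prompt) with a short timeout; the interface that returns "connected" is the one deliveryconfig must be allowed to use, and a "refused" result points at the SMA side (status/resume) rather than at routing.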
By default, the connection to the centralized quarantine is Transport Layer Security (TLS) encrypted. If you look at the mail log file on the ESA and search for the Delivery Connection ID (DCID) of the connection to port 7025 on the SMA, you might see a TLS failure error like this:
Mon Apr 7 15:48:42 2014 Info: New SMTP DCID 3385734 interface 172.16.0.179 address 172.16.0.94 port 7025
Mon Apr 7 15:48:42 2014 Info: DCID 3385734 TLS failed: verify error: no certificate from server
Mon Apr 7 15:48:42 2014 Info: DCID 3385734 TLS was required but could not be successfully negotiated
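On a busy ESA the "New SMTP DCID" line and the "TLS failed" line for the same connection are rarely adjacent, so grepping for port 7025 alone misses the error text. The script below, an added example that is not part of the original document, correlates the two by DCID: it records every outbound connection to the quarantine port, attaches any later "TLS failed" or "TLS success" line for that DCID, and maps the "no certificate from server" text to the cause explained later in this document. The sample log is constructed: its first three lines mirror the document's excerpt, the rest are made up to show a normal port-25 delivery and a port-7025 connection that negotiated TLS successfully. Function names and the "TLS success" line format are my assumptions.

```python
import re

# Constructed mail_logs excerpt (not a real capture): lines 1-3 follow the
# document's example; the others are invented for contrast.
SAMPLE_MAIL_LOG = """\
Mon Apr 7 15:48:42 2014 Info: New SMTP DCID 3385734 interface 172.16.0.179 address 172.16.0.94 port 7025
Mon Apr 7 15:48:42 2014 Info: DCID 3385734 TLS failed: verify error: no certificate from server
Mon Apr 7 15:48:42 2014 Info: DCID 3385734 TLS was required but could not be successfully negotiated
Mon Apr 7 15:48:43 2014 Info: New SMTP DCID 3385735 interface 172.16.0.179 address 203.0.113.25 port 25
Mon Apr 7 15:48:43 2014 Info: DCID 3385735 TLS success protocol TLSv1 cipher AES256-SHA
Mon Apr 7 15:51:10 2014 Info: New SMTP DCID 3385740 interface 172.16.0.179 address 172.16.0.94 port 7025
Mon Apr 7 15:51:10 2014 Info: DCID 3385740 TLS success protocol TLSv1 cipher DHE-RSA-AES256-SHA
"""

NEW_DCID = re.compile(r"New SMTP DCID (\d+) interface (\S+) address (\S+) port (\d+)")
TLS_FAILED = re.compile(r"DCID (\d+) TLS failed: (.+)")
TLS_OK = re.compile(r"DCID (\d+) TLS success protocol (\S+) cipher (\S+)")


def summarize_quarantine_tls(log_text, port=7025):
    """Correlate each outbound connection to `port` with its later TLS lines.

    Returns {dcid: {"interface", "address", "tls": ok|failed|unknown, "detail"}}.
    Connections to other ports are ignored, so ordinary mail delivery on port 25
    does not pollute the view of the SMA quarantine connections.
    """
    conns = {}
    for line in log_text.splitlines():
        m = NEW_DCID.search(line)
        if m:
            dcid, iface, addr, dport = m.groups()
            if int(dport) == port:
                conns[dcid] = {"interface": iface, "address": addr,
                               "tls": "unknown", "detail": ""}
            continue
        m = TLS_FAILED.search(line)
        if m and m.group(1) in conns:
            conns[m.group(1)].update(tls="failed", detail=m.group(2).strip())
            continue
        m = TLS_OK.search(line)
        if m and m.group(1) in conns:
            conns[m.group(1)].update(tls="ok", detail="%s %s" % (m.group(2), m.group(3)))
    return conns


def failed_dcids(summary):
    """DCIDs of quarantine connections whose TLS handshake failed, in order."""
    return sorted(d for d, c in summary.items() if c["tls"] == "failed")


def likely_cause(detail):
    """Translate the error text into the remediation this document describes."""
    if "no certificate from server" in detail:
        return ("anonymous (aNULL) cipher negotiated, so the SMA sent no certificate; "
                "remove aNULL from the ESA outbound cipher list")
    return "TLS negotiation failed: " + detail


if __name__ == "__main__":
    summary = summarize_quarantine_tls(SAMPLE_MAIL_LOG)
    for dcid in failed_dcids(summary):
        c = summary[dcid]
        print("DCID %s %s -> %s:7025: %s" % (dcid, c["interface"], c["address"], likely_cause(c["detail"])))
```

Feed it the output of grep for "DCID" from the ESA mail_logs (or the whole file) and the failed DCIDs come out with the SMA address and interface, which also tells you whether the ESA is even leaving through the interface you expect.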
The tlsverify command on the ESA CLI shows the same failure.
mx.example.com> tlsverify
Enter the TLS domain to verify against:
[]> the.cpq.host
Enter the destination host to connect to. Append the port (example.com:26) if you are not
connecting on port 25:
[the.cpq.host]> 10.172.12.18:7025
Connecting to 10.172.12.18 on port 7025.
Connected to 10.172.12.18 from interface 10.172.12.17.
Checking TLS connection.
TLS connection established: protocol TLSv1, cipher ADH-CAMELLIA256-SHA.
Verifying peer certificate.
Certificate verification failed: no certificate from server.
TLS connection to 10.172.12.18 failed: verify error.
TLS was required but could not be successfully negotiated.
Failed to connect to [10.172.12.18].
TLS verification completed.
So the ADH-CAMELLIA256-SHA cipher negotiated with the SMA is why the SMA presents no peer certificate: all ADH (anonymous Diffie-Hellman) suites use anonymous authentication, in which the server never sends a certificate, so the certificate verification that the ESA requires has nothing to check and fails. The fix is to eliminate the anonymous ciphers, which OpenSSL groups under the keyword aNULL. To do so, change the outbound cipher list to HIGH:MEDIUM:ALL:-aNULL:-SSLv2 and commit the change.
mx.example.com> sslconfig
sslconfig settings:
GUI HTTPS method: sslv3tlsv1
GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL
Inbound SMTP method: sslv3tlsv1
Inbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL
Outbound SMTP method: sslv3tlsv1
Outbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL
Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit Inbound SMTP ssl settings.
- OUTBOUND - Edit Outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]> OUTBOUND
Enter the outbound SMTP ssl method you want to use.
1. SSL v2.
2. SSL v3
3. TLS v1
4. SSL v2 and v3
5. SSL v3 and TLS v1
6. SSL v2, v3 and TLS v1
[5]>
Enter the outbound SMTP ssl cipher you want to use.
[RC4-SHA:RC4-MD5:ALL]> HIGH:MEDIUM:ALL:-aNULL:-SSLv2
sslconfig settings:
GUI HTTPS method: sslv3tlsv1
GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL
Inbound SMTP method: sslv3tlsv1
Inbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL
Outbound SMTP method: sslv3tlsv1
Outbound SMTP ciphers: HIGH:MEDIUM:ALL:-aNULL:-SSLv2
Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit Inbound SMTP ssl settings.
- OUTBOUND - Edit Outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]>
mx.example.com> commit
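To see what the cipher-list change actually removes, the following script, an added example that is not part of the original document, expands both the original outbound list (RC4-SHA:RC4-MD5:ALL) and the corrected one (HIGH:MEDIUM:ALL:-aNULL:-SSLv2) with the local OpenSSL through Python's ssl module, flags the anonymous suites (the aNULL group, whose names start with ADH- or AECDH-), and lists the suites the fix drops. Function names are mine; the expansion comes from the OpenSSL on the machine where you run it, which need not match the ESA's own OpenSSL build exactly, so treat it as an illustration of the rule rather than the appliance's exact list.

```python
import ssl

ESA_DEFAULT = "RC4-SHA:RC4-MD5:ALL"           # outbound SMTP list shown by sslconfig in this document
ESA_FIXED = "HIGH:MEDIUM:ALL:-aNULL:-SSLv2"   # corrected list from this document


def expand_cipher_list(spec):
    """Expand an OpenSSL cipher string with the local OpenSSL, in preference order.

    Unknown keywords (such as SSLv2 on builds that dropped it) are ignored by
    OpenSSL; ssl.SSLError is raised only if nothing at all matches.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return ctx.get_ciphers()


def is_anonymous(cipher):
    """True for suites that authenticate nobody (OpenSSL's aNULL group: ADH-*, AECDH-*).

    With these the server never sends a certificate, so the ESA's required
    certificate verification has nothing to verify and fails.
    """
    return cipher.get("auth") == "auth-null" or cipher["name"].startswith(("ADH-", "AECDH-"))


def anonymous_suites(spec):
    """Names of the anonymous suites a cipher string would let the ESA offer."""
    return sorted(c["name"] for c in expand_cipher_list(spec) if is_anonymous(c))


def removed_by(old_spec, new_spec):
    """Suites offered under old_spec that are no longer offered under new_spec."""
    old = {c["name"] for c in expand_cipher_list(old_spec)}
    new = {c["name"] for c in expand_cipher_list(new_spec)}
    return sorted(old - new)


if __name__ == "__main__":
    print("anonymous suites in the default list:", anonymous_suites(ESA_DEFAULT))
    print("anonymous suites in the fixed list:  ", anonymous_suites(ESA_FIXED))
    print("suites removed by the fix:", removed_by(ESA_DEFAULT, ESA_FIXED))
```

One caveat on the syntax: in OpenSSL cipher strings "-aNULL" deletes the anonymous suites from the list but a later keyword could add them back, whereas "!aNULL" deletes them permanently; the document's string works because nothing after -aNULL re-adds them, so keep -aNULL at the end if you extend the list.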
PVO cannot be enabled and an error message of this type is displayed:
Unable to proceed with Centralized Policy, Virus and Outbreak Quarantines configuration as host1 and host2 in Cluster have content filters / DLP actions available at a level different from the cluster Level.
This error message can indicate that the DLP feature key is not applied on one of the hosts, so DLP is disabled there. The solution is to add the missing feature key and apply the same DLP settings as on the host that already has the feature key applied. The same feature-key inconsistency can have the same effect with Outbreak Filters, Sophos Anti-Virus and other feature keys.
If the cluster configuration contains machine-level or group-level settings for content filters, message filters, DLP or DMARC, the PVO Enable button is grayed out. To resolve this, move all message and content filters, as well as the DLP and DMARC settings, from the machine or group level to the cluster level. Alternatively, remove the machine that carries the machine-level configuration from the cluster entirely: enter the CLI command clusterconfig > removemachine, then join it back to the cluster so that it inherits the cluster configuration.
Revision | Publish Date | Comments
---|---|---
1.0 | 23-Jul-2014 | Initial Release