
Cisco IronPort C-series / ESA CLI Cheat Sheet - 20140512

Jens Roesen

Prompt, cluster and command modes, default user & password, contacts

When the appliance is part of a cluster, the prompt indicates the current mode:
(Machine esa1.example.com)> vs. (Cluster Example.com-Cluster)>
Some commands are restricted to cluster or machine mode, some may be run in any mode. If necessary, the ESA will prompt you for a change of mode.

If interactive commands require additional input from the user, the prompt will change to opening and closing square brackets enclosing a default value, if available.

Some commands like dig or aliasconfig support a batch mode allowing you to run a complete command with one single-line command input:
esa1.example.com> dig -t mx example.com

The default username is admin and its password is ironport. The default IP is 192.168.42.42 on Data1 on C1X0 appliances and Management Interface on all others. For access through serial console use 9600/8-N-1 with hardware flow control.

Send undetected spam to spam@access.ironport.com, false positives to ham@access.ironport.com, missed ads to ads@access.ironport.com and false positive ads to not_ads@access.ironport.com. Send each as RFC822 MIME encoded attachment. See Knowledge Base article 472.

Basic commands

help command          View online help for command.
who                   Show a list of currently logged in users.
whoami                Show name and groups for own user.
date                  View current date and time.
passwd                Change password for the current user.
last                  Show list of recently logged in users and session dates.
clear                 Abandon all pending configuration changes.
commit                Commit pending configuration changes.
clustermode           Switch between machine, cluster and group mode.
shutdown              Shut down and power off the appliance.
reboot                Reboot the appliance.
exit / quit           Exit CLI. Will warn you about uncommitted changes.

Infos and status

version               Show brief hardware and software information.
ipcheck               Show extended hardware and software information.
status detail         View detailed system status.
commitdetail          View details about the last commit in the active session.
showchanges           View pending config changes as nested tree structure.
antispamstatus        Show status and latest update for enabled anti-spam engines.
antivirusstatus       Show status and latest update for active antivirus engines.
repengstatus          Show version and latest updates for SBRS engines.
outbreakstatus        Show status of Virus Outbreak Filters.
sbstatus              Show SenderBase status.
encryptionstatus      Show PXE engine status and last engine update.
dlpstatus             Show status of RSA DLP engine.
workqueue status      Display current work queue status.
workqueue rate n      Display number of pending, incoming and outgoing mails in the queue and refresh every n seconds.
topin                 View top hosts by number of incoming connections.
rate n                Display in/out connections and recipient statistics. Updated every n seconds.
hostrate domain n     Similar to rate but limited to a single destination domain.
hoststatus domain     View statistics for domain including MX settings and latest 5xx delivery error.
tophosts              View the top 20 destination domains in the mail queue. Can be sorted in different ways to meet your requirements.
featurekey            View, activate and check for new feature keys.
dnsstatus             Show DNS statistics since counter reset / reboot / ever.
displayalerts n       Display the last n alerts sent by the appliance.
resetcounters         Reset all counters of a single machine.

Test network and configuration

ping or ping6         Test network by sending an IPv4/IPv6 ping to a remote host.
traceroute or traceroute6  View IPv4/IPv6 network path/routing to a remote host.
telnet                Telnet to a remote host. Defaults to port 25, not 23!
dig                   Run DNS queries. Supports batch mode.
nslookup              Run DNS queries.
packetcapture         Start a packet capture in AsyncOS versions 7.2 and later.
tcpdump               Start a packet capture in AsyncOS versions up to 7.1.
tcpservices           Display information about running TCP/IP services.
netstat               Display current network connections, network statistics, interface status, listen queue size or routing table.
mailconfig            Send a mail with the XML configuration attached.
trace                 Trace the mail flow through the system with a virtual test mail.
ldaptest              Run an LDAP query against a configured LDAP server.
ldapflush             Clear all cached LDAP query results.
dnslisttest           Manually test an IP against a DNS-based blacklist.
dnsflush              Flush DNS cache.
tlsverify             Test and verify a TLS connection to a remote MTA.

General configuration

systemsetup           Run the system setup wizard. This will remove any existing listener and associated HAT configuration.
userconfig            View and manage users and external authentication.
adminaccessconfig     Configure banner message and restrict access to the ESA based on IP ranges. Check these when building SSH cluster.
interfaceconfig       Add, delete and edit IP interface settings (IPv4 and IPv6).
etherconfig           Configure ethernet settings like speed and duplex mode, VLANs or NIC pairing.
sethostname           Set system hostname.
setgateway            Set default gateway.
routeconfig           Configure static network routes.
dnsconfig             Configure DNS servers and domain DNS settings.
dnshostprefs          Configure global or per domain DNS resolver preferences.
dnslistconfig         Configure global settings for DNS blacklist queries.
featurekeyconfig      Enable/disable auto-download and activation of feature keys.
ldapconfig            Create, delete and manage LDAP server profiles.
snmpconfig            Enable SNMP, set community string and password, define trap targets.
ntpconfig             Configure NTP Servers and source interface for NTP queries.
sshconfig             Configure sshd settings and view, add, delete or modify SSH keys used for SSH access.
sslconfig             Configure SSL for HTTPS access (SSL Versions, Ciphers).
settz                 Set up time zone.
tzupdate              Update time zone rules.
settime               Set system time and date as MM/DD/YYYY HH:MM:SS
alertconfig           Configure mail alert settings and mail alert recipients.
trackingconfig        Configure message tracking settings.
addressconfig         Set sender address to be used for mails generated by the system like bounces and notifications.
addresslistconfig     Configure and manage address lists.
fipsconfig            Enable FIPS mode to meet FIPS 140-2 requirements.

Configuring SMTP

smtproutes            Add, delete, edit and view SMTP routing.
listenerconfig        Configure and manage public, private or blackhole listeners.
deliveryconfig        Configure mail delivery settings.
destconfig            Configure destination control limits for a specified domain.
exceptionconfig       Configure and manage the domain exception table.
altsrchost            View, create and modify virtual gateway mappings for sender addresses or client IPs.
bounceconfig          Create and modify bounce profiles.
policyconfig          Configure and manage incoming and outgoing mail policies.
textconfig            Configure text blocks for use in disclaimers, anti-virus alerts, DLP, encryption notifications or bounces.
filters               Create, edit and view message filters.
sievechar             Configure the char used for sieve mail filtering. Only used in LDAP Accept and LDAP Routing.
dictionaryconfig      Create and manage content dictionaries.
sslconfig             Configure SSL for TLS connections (Versions, Ciphers).
certconfig            Manage certificates in PEM format and CA.
callaheadconfig       Configure, edit, view and test SMTP Call-Ahead feature.
smtpauthconfig        Configure and manage SMTP authentication profiles.
addresslistconfig     Configure and manage address lists.
aliasconfig           Configure and manage the alias table.
bvconfig              Configure bounce verification address tagging.
domainkeysconfig      Configure, manage and test tons of DKIM settings.
quarantineconfig      Configure and manage system quarantines.
incomingrelayconfig   Manage incoming mail relay settings.
localeconfig          Manage locale modification and enforcement settings.

Managing message queues and mails

workqueue status      Display current work queue status.
workqueue rate n      Display number of pending, incoming and outgoing mails in the queue and refresh every n seconds.
showrecipients        Show messages from the queue by recipient host name, sender address or all mails in the queue.
deleterecipients      Delete messages from the queue by recipient host name, sender address or all mails in the queue.
bouncerecipients      Bounce messages from the queue by recipient host name, sender address or all mails in the queue.
redirectrecipients    Redirect all mails to a relay host.
showmessage           Show a complete message by MID in ASCII.
archivemessage        Archive a message by its MID as mbox file to the /configuration directory.
removemessage         Remove a message from work, retry or destination queue.
oldmessage            Display headers and MID of the oldest message in the queue.
delivernow            Attempt to deliver pending messages either by domain or simply reschedule all mails.
unsubscribe           Manage unsubscribe lists for recipient addresses that will always be bounced or dropped.
stripheaders          Strip all headers by name in this table from all mails.
resetqueue            Reinitialize queue. DELETES ALL QUEUED MAIL

AsyncOS management

updateconfig          Configure update URLs and HTTP/HTTPS proxies to use. This will also affect Anti-Spam and Anti-Virus updates.
upgrade               List all available AsyncOS versions and perform an upgrade.
revert                Revert the appliance to a previously used AsyncOS version. Except for network settings, ALL configurations and logs will be lost.

Suspending and resuming receiving and/or delivering mails

workqueue pause       Pause working queue.
workqueue resume      Resume working queue.
suspendlistener       Suspend receiving mails on one, several or all listeners. Shut down won't be graceful.
resumelistener        Resume receiving mails on one, several or all listeners.
suspenddel            Suspend delivering mails. Shut down won't be graceful.
resumedel             Resume delivering mails.
suspend               Suspend receiving and delivering all mails. Shut down won't be graceful.
resume                Resume receiving and delivering all mails.

ESA configuration files

showconfig            View XML configuration file as paged output.
mailconfig            Send XML configuration file via mail.
saveconfig            Save XML configuration file in the /configuration directory.
loadconfig            Load XML configuration file from the /configuration directory or paste it directly into the CLI.
rollbackconfig        Roll back to one of the last 10 saved configurations.
resetconfig           Reset ALL configurations to factory default.

Working with logs

grep                  Search for a Regular Expression pattern inside a log file.
findevent             Find an event in the logs matching either a message id, a mail address (From/To) or a subject. Menu driven or batch mode.
tail                  Continuously display new entries from the end of a log file.
rollovernow           Roll over one specific log file or all log files.
logconfig             Configure and manage log files and delivery methods (FTP, SCP, Syslog). View public RSA/DSS key from users.

Managing engines

updateconfig          Configure update URLs and HTTP/HTTPS proxies to use. This will also affect AsyncOS updates.
updatenow / updatenow force  Manually update all components. Force updating with the option force. The force option also works with all other update commands below.
antispamconfig        Configure IronPort anti-spam and Intelligent Multi-Scan.
antispamupdate        Manually request immediate anti-spam rules update.
antivirusconfig       Configure and view anti-virus settings and scanners.
antivirusupdate       Manually request immediate anti-virus definitions update.
scanconfig            Configure scanner options like skipped file types, scanning depth (nesting), maximum scan size, scanner timeout.
outbreakconfig        Enable, disable and configure Outbreak Filters.
outbreakupdate        Request immediate update of CASE rules and engine.
outbreakflush         Clear CASE rules cache.
encryptionconfig      Configure IronPort PXE mail encryption.
encryptionupdate      Manually request immediate PXE engine update.
dlpupdate             Manually request immediate RSA DLP engine update.
dlprollback           Rollback RSA DLP engine and config to the previous version.
repengupdate          Manually request immediate SBRS engine update.
senderbaseconfig      Configure SenderBase SBNP statistics sharing status.

Cisco IronPort Support and advanced diagnostics

supportrequest        Open a support request with Cisco TAC.
techsupport           Enable or disable a (secured) tunnel for Cisco IronPort Support to access the appliance remotely.
diagnostic            Check RAID status, flush DNS/ARP/LDAP caches, test remote SMTP servers or check disk quota and usage.
enablediag            Log in with this user if "admin" account fails. Same password as "admin". Provides several emergency options.

Centralized Management Cluster

clusterconfig         Create SSH or CSS clusters, add or remove single ESAs to or from a cluster. Create and manage cluster groups. List machines in cluster and view cluster and connection status.
clustercheck          Check configuration databases for inconsistencies and resolve them if necessary.

Message Filter conditions (See “ESA Advanced Guide” for more info + examples)

subject                              Tests subject against a RegExp.
body-size                            Tests size of entire message in bytes.
mail-from                            Tests envelope sender against a RegExp.
mail-from-group                      Tests envelope sender against LDAP group.
sendergroup                          Tests against a HAT sendergroup name.
rcpt-to                              Tests envelope recipients against a RegExp.
rcpt-to-group                        Tests envelope recipients with LDAP group.
remote-ip                            Tests client IP for exact or IP range match.
recv-int / recv-listener             Matches mails received on the named interface/listener.
date                                 Tests current date against value in US date format: MM/DD/YYYY HH:MM:SS
header(<string>)                     Tests the given header against a RegExp.
random(<integer>)                    Compares a random integer to given value.
rcpt-count                           Checks recipient count against value.
addr-count()                         Compares recipient count from header (To: and/or Cc:) against value.
spf-status                           Checks the SPF status.
spf-passed                           Checks if SPF verification was successful.
image-verdict                        Scans attached images for category match.
workqueue-count                      Checks number of mails in the workqueue.
body-contains(<regexp>)              Checks mail and attachments for a RegExp.
only-body-contains(<regexp>)         Checks message body for a RegExp.
encrypted                            Tests if a message is S/MIME or PGP encrypted.
attachment-filename                  Tests a file name against a RegExp.
attachment-type                      Checks for MIME file type by signature.
attachment-filetype                  Matches a file type fingerprint (not MIME).
attachment-mimetype                  Checks for MIME file type in MIME header.
attachment-protected                 Looks for passworded/encrypted attachments.
attachment-unprotected               Looks for unprotected attachments.
attachment-contains()                Tests attachment for the given pattern.
attachment-binary-contains()         Tests raw binary attachment for pattern.
every-attachment-contains()          Tests every attachment of a message for a given pattern.
attachment-size                      Matches attachments by size in B, K or M.
dnslist(<server>)                    Looks at server for a match in a DNSBL.
reputation                           Compares sender's SB reputation to value.
no-reputation                        True when SB reputation is “none”.
dictionary-match(<dict>)             Look in body for RegExp match from named dictionary <dict>.
<position>-dictionary-match(<dict>)  Looks in <position> of a message for a RegExp match from the dictionary named <dict>. <position> can be: subject, mail-from, rcpt-to, attachment, body
header-dictionary-match(<dict>, <header>)  Looks in header <header> for RegExp match from dictionary named <dict>.
smtp-auth-id-matches(<header> [, <sieve-char>])  Checks sender in envelope and mail header (From: or Sender:) against the sender's SMTP authentication user ID.
true                                 True is true and therefore matches all mails.
valid                                Tests mail for complete MIME validity.
signed                               Tests if the message is S/MIME signed.
signed-certificate(<field> [<operator> <regexp>])  Checks S/MIME messages for <regexp> matching or not matching (<operator>) X.509 certificate issuer or signer (<field>).

Message Filter actions (See “ESA Advanced Guide” for more info + examples)

alt-src-host()                       Deliver mail from this named interface.
alt-rcpt-to()                        Change all recipients of a message.
alt-mailhost()                       Deliver mail via alternate mail host.
notify() / notify-copy()             Notify specified recipient about a message (and include a copy of the original message).
bcc()                                Send a copy of this message to a new recipient.
bcc-scan()                           Treat the copy like a new mail and scan again.
log-entry()                          Add a log message at INFO level to mail logs.
quarantine(<name>)                   Send this mail to the named quarantine.
archive(<filename>)                  Save copy of the message in mbox format file.
duplicate-quarantine(<name>)         Send copy of this mail to the named quarantine.
strip-header()                       Look for a header and remove it.
insert-header()                      Insert a header and its value into the mail.
add-footer(<footer>)                 Add the footer named <footer> to the mail.
bounce-profile()                     Apply a bounce profile to the mail.
encrypt-deferred()                   Encrypt message before final delivery.
tag-message(<name>)                  Add tag <name> for RSA DLP policy filtering.
skip-filters()                       Skip all remaining message filters.
skip-spamcheck()                     Skip all anti spam checks for this mail.
skip-viruscheck()                    Skip all anti virus checks for this mail.
skip-vofcheck()                      Skip all outbreak filters for this mail.
drop-attachments-by-name()           Drop all attachments with matching filename.
drop-attachments-by-type()           Drop all attachments with matching MIME type.
drop-attachments-by-filetype()       Drop all attachments with matching file type determined by type fingerprint.
drop-attachments-by-mimetype()       Drop all attachments with matching MIME type. Does not match on extension or scan archives.
drop-attachments-by-size()           Drop attachment by examining raw size.
drop-attachments-where-contains(<regexp>)  Drop attachments that match a Regular Expression. Also matches files in archives.
drop-attachments-where-dictionary-match(<dict>)  Drop attachments that match a term in the dictionary <dict>.
html-convert()                       Strip all HTML tags from a message.
edit-header-text()                   Substitute a matched RegExp within a header.
edit-body-text()                     Substitute a matched RegExp within a body.
add-footer()                         Add the named footer to the end of the mail.
deliver()                            Deliver the message. Final action.
drop()                               Drop the message. Final action.
bounce()                             Bounce the message. Final action.

Message Filter example

drop_huge_presentations:
if (mail-from-group == "Sales") AND (attachment-filename == "(?i)\\.(ppt|pptx)$") AND (attachment-size >= 10M) {
    drop-attachments-where-contains ("(?i)\\.(ppt|pptx)$", "Large presentation dropped.");
}

Licensed under CC BY–NC–SA. Latest version of the sheet is available at http://bit.ly/ESAcli.
IronPort®, AsyncOS®, IOS® and SenderBase® are all registered trademarks of Cisco Systems, Inc.
