Cisco Ironport Commands


Cisco IronPort ESA CLI Reference Card
release 20160226, by Jens Roesen

IronPort®, AsyncOS®, IOS® and SenderBase® are all registered trademarks of Cisco Systems, Inc. - Licensed under CC BY-NC-SA. Latest version of the card is available at http://bit.ly/ESAcli. USE COMMANDS AT YOUR OWN RISK. NO WARRANTIES GIVEN.

Default user & password, batch command mode and contacts

The default username is admin and its password is ironport. The default IP is 192.168.42.42 on Data1 on C1X0 appliances and Management Interface on all others.
For access through serial console use 9600/8-N-1 with hardware flow control.

Send undetected spam to [email protected], false positives to [email protected], missed ads to [email protected] and false positive ads to [email protected]. Send each as RFC822 MIME encoded attachment. See Knowledge Base article 472.

Basic commands

help command or h command    View online help for command.
who    Show a list of currently logged in users.
whoami    Show name and groups for current user.
date    View current date and time.
passwd    Change password for the current user.
last    Show list of recently logged in users and session dates.
clear or clearchanges    Abandon all pending configuration changes.
commit    Commit pending configuration changes.
clustermode    Switch between machine, cluster and group mode.
shutdown    Shut down and power-off the appliance.
reboot    Reboot the appliance.
exit or quit or q    Exit CLI. Will warn you about uncommitted changes.

Info and status

credits    Show the credits for this AsyncOS version.
version    Show brief hardware and software information.
ipcheck    Show extended hardware and software information.
status detail    View detailed system status.
healthcheck    Analyse collected data to determine the health of the appliance.
commitdetail    View details about the last commit in the active session.
showchanges    View pending config changes as nested tree structure.
antispamstatus    Show status and latest update for enabled anti-spam engines.
antivirusstatus    Show status and latest update for active antivirus engines.
websecuritydiagnostics    View Web Security Service/URL Filtering statistics and errors.
contentscannerstatus    View content scanner engine version and latest update.
repengstatus    Show version and latest updates for SBRS engines.
outbreakstatus    Show status and last update of Virus Outbreak Filters.
sbstatus    Show SenderBase status.
encryptionstatus    Show PXE engine status and last engine update.
dlpstatus    Show status of RSA DLP engine.
ecstatus    Show enrollment client version info.
showlicense    Display virtual appliance license information.
graymailstatus    Display Graymail version information.
workqueue status    Display current work queue status.
workqueue rate n    Display number of pending, incoming and outgoing mails in the queue and refresh every n seconds.
topin    View top hosts by number of incoming connections.
destqueue status dom    Display destination-queue statistics for the domain dom.
rate n    Display in/out connections and recipient statistics every n sec.
hostrate domain n    Similar to rate but limited to a single destination domain.
hoststatus domain    View domain statistics including MX settings and latest 5xx error.
tophosts    View the top 20 destination domains in the mail queue.
featurekey    View, activate and check for new feature keys.
dnsstatus    Show DNS statistics since counter reset / last reboot / ever.
displayalerts n    Display the last n alerts sent by the appliance.
supportrequeststatus    Show version and last update of the support request keywords.

Test network and configuration

ping or ping6    Test network by sending an IPv4/IPv6 ping to a remote host.
traceroute or traceroute6    View IPv4/IPv6 network path/routing to a remote host.
telnet    Telnet to a remote host. Defaults to port 25, not 23!
dig    Run DNS queries. Supports batch mode.
nslookup    Run DNS queries.
packetcapture    Start a packet capture in AsyncOS 7.2 and later.
tcpdump    Start a packet capture in AsyncOS versions up to 7.1.
tcpservices    Display information about running TCP/IP services.
netstat    Display current network connections, network statistics, interface status, listen queue size or routing table.
trace    Trace the mail flow through the system with a virtual test mail.
ldaptest    Run an LDAP query against a configured LDAP server.
ldapflush    Clear all cached LDAP query results.
dnslisttest    Manually test an IP against a DNS-based blacklist.
dnsflush    Flush DNS cache.
tlsverify    Test and verify a TLS connection to a remote MTA.

General configuration

systemsetup    Run the system setup wizard. This will remove any existing listener and associated HAT configuration.
loadlicense    Paste a virtual appliance XML license into CLI or load one from file.
userconfig    View and manage users and external authentication.
adminaccessconfig    Configure banner, restrict access on IP basis, configure XSS and CSRF protection and CLI/Web UI timeouts.
interfaceconfig    Add, delete and edit IP interface settings (IPv4 and IPv6).
etherconfig    Configure ethernet settings (speed/duplex mode, VLANs, NIC pairing).
diskquotaconfig    Configure disk space quotas for several services.
healthconfig    View and edit system health checks configuration.
sethostname    Set system hostname.
setgateway    Set default gateway.
routeconfig    Configure static network routes.
dnsconfig    Configure DNS servers and domain DNS settings.
dnshostprefs    Configure global or per domain DNS resolver preferences.
dnslistconfig    Configure global settings for DNS blacklist queries.
featurekeyconfig    Enable/disable auto-download and activation of feature keys.
ldapconfig    Create, delete and manage LDAP server profiles.
snmpconfig    Enable SNMP, set community string and password, define trap targets.
ntpconfig    Configure NTP Servers and source interface for NTP queries.
sshconfig    Configure sshd settings and view, add, delete or modify SSH user keys.
sslconfig    Configure SSL for SMTP and HTTPS GUI access (SSL Versions, Ciphers).
sslv3config    Enable/disable SSLv3 for EUQ, LDAP, Updater or Websecurity.
settz    Set up time zone.
tzupdate    Update time zone rules.
settime    Set system time and date as MM/DD/YYYY HH:MM:SS
setttymode    Set the TTY mode to interactive or non-interactive.
generalconfig    Configure browser settings (IE compatibility override mode).
reportingconfig    Configure reporting system.
alertconfig    Configure mail alert settings and mail alert recipients.
trackingconfig    Configure message tracking settings.
addressconfig    Set From: address to be used for mails generated by the system.
fipsconfig    Enable FIPS mode to meet FIPS 140-2 requirements.
resetcounters    Reset all counters of a single machine.
stripheaders    Strip all headers by name in this table from all mails.

Configuring SMTP

smtproutes    Add, delete, edit and view SMTP routing.
listenerconfig    Configure and manage public, private or blackhole listeners.
deliveryconfig    Configure mail delivery settings.
destconfig    Configure destination control limits for a specified domain.
exceptionconfig    Configure and manage the domain exception table.
altsrchost    View, create and modify virtual gateway mappings for sender addresses or client IPs.
bounceconfig    Create and modify bounce profiles.
policyconfig    Configure and manage incoming and outgoing mail policies.
textconfig    Configure text blocks for use in disclaimers, anti-virus alerts, DLP, encryption notifications or bounces.
filters    Create, edit and view message filters.
sievechar    Configure Sieve filtering char used in LDAP Accept and Routing.
dictionaryconfig    Create and manage content dictionaries.
sslconfig    Configure SSL for TLS connections (Versions, Ciphers).
certconfig    Manage certificates in PEM format and CRLs and CAs.
callaheadconfig    Configure, edit, view and test SMTP Call-Ahead feature.
smtpauthconfig    Configure and manage SMTP authentication profiles.
addresslistconfig    Configure and manage address lists.
aliasconfig    Configure and manage the alias table.
bvconfig    Configure bounce verification address tagging.
domainkeysconfig    Configure, manage and test tons of DKIM settings.
quarantineconfig    Configure and manage system and outbreak quarantines.
addresslistconfig    Configure and manage addresslists.
slblconfig    Import or export End-User Safelists/Blocklists.
incomingrelayconfig    Manage incoming mail relay settings.
dmarcconfig    Manage DMARC verification profiles and modify global settings.
smimeconfig    Configure S/MIME settings and manage keys.
localeconfig    Manage locale modification and enforcement settings.

ESA configuration files

showconfig    View XML configuration file as paged output.
mailconfig    Send XML configuration file via mail.
saveconfig    Save XML configuration file in the /configuration directory.
loadconfig    Load XML configuration file from the /configuration directory or paste it directly into the CLI.
rollbackconfig    Roll back to one of the last 10 saved configurations.
resetconfig    Reset ALL configurations to factory default.

Managing message queues and mails

showrecipients    Show messages from the queue by recipient host name, sender address or all mails in the queue.
deleterecipients    Delete messages from the queue by recipient host name, sender address or all mails in the queue.
bouncerecipients    Bounce messages from the queue by recipient host name, sender address or all mails in the queue.
redirectrecipients    Redirect all mails to a relay host.
showmessage    Show a complete message by MID in ASCII.
archivemessage    Archive a message by its MID as mbox file to the /configuration directory.
removemessage    Remove a message from work, retry or destination queue.
oldmessage    Display Headers and MID of the oldest message in the queue.
delivernow    Attempt to deliver pending messages either by domain or simply reschedule all mails.
unsubscribe    Manage unsubscribe lists for recipient addresses that will always be bounced or dropped.
resetqueue    Reinitialize queue. DELETES ALL QUEUED MAIL.
Cisco IronPort Support and advanced diagnostics

supportrequest    Open a support request with Cisco TAC.
supportrequestupdate    Request immediate update of support request keywords.
techsupport    Enable/disable a tunnel for Cisco Support to access the appliance.
diagnostic    Check RAID status, flush DNS/ARP/LDAP caches, test remote SMTP servers, check disk quota and usage or reset configuration.
tarpit    Configure countermeasures and resource conservation mode.
setcorewatch    Configure alert-on-core functionality.
wipedata    Wipe core files from disk and view status from last wipe operation.

Emergency login: use the user enablediag if normal login fails. It has the same password as "admin".

Working with logs

grep    Search for a Regular Expression pattern inside a log file.
findevent    Find an event in the logs matching either a message id, a mail address (From: / To:) or a subject. Menu driven or batch mode.
tail    Continuously display new entries from the end of a log file.
rollovernow    Do a rollover on one specific log or simply all log files.
logconfig    Configure and manage log files and delivery methods (FTP, SCP, Syslog). View public RSA/DSS key from users.

Managing security services

updateconfig    Configure update URLs and HTTP/HTTPS proxies to use. This will also affect AsyncOS updates.
updatenow or updatenow force    Manually update all components. Force updating with the option force. The force option also works with all other update commands.
antispamconfig    Configure IronPort anti-spam and Intelligent Multi-Scan.
antispamupdate    Manually request immediate anti-spam rules update.
antivirusconfig    Configure and view anti-virus settings and scanners.
antivirusupdate    Manually request immediate anti-virus definitions update.
contentscannerupdate    Request immediate content scanner engine update.
scanconfig    Configure scanner options like skipped file types, scanning depth (nesting), maximum scan size, scanner timeout.
verdictcacheconfig    Configure CASE and SPF verdict caching.
outbreakconfig    Enable, disable and configure Outbreak Filters.
outbreakupdate    Request immediate update of CASE rules and engine.
outbreakflush    Clear the current in-memory and disk-cached Outbreak Rules.
encryptionconfig    Configure IronPort PXE mail encryption.
encryptionupdate    Manually request immediate PXE engine update.
dlpupdate    Manually request immediate RSA DLP engine update.
dlprollback    Roll back RSA DLP engine and config to the previous version.
emconfig    Configure RSA Enterprise Manager integration.
emdiagnostic    RSA Enterprise Manager integration diagnostics.
ecconfig    Configure enrollment client used to obtain certificates for URL filtering.
ecupdate    Request immediate update of the enrollment client.
graymailconfig    Configure Graymail Detection and Safe Unsubscribe settings.
graymailupdate    Request manual update of graymail files.
repengupdate    Manually request immediate SBRS engine update.
senderbaseconfig    Configure SenderBase SBNP statistics sharing status.
ampconfig    Configure advanced malware scanning and clear file reputation cache.
websecurityconfig    Configure basic settings for URL filtering. For more advanced configuration use websecurityadvancedconfig.
webcacheflush    Flush the URL filtering cache.
urllistconfig    Manage URL whitelists for skipping category and reputation checks.
imageanalysisconfig    Configure the IronPort Image Analysis settings and thresholds.
aggregatorconfig    Set the address of the Cisco Aggregator Server.
slblconfig    Import or export End-User Safelists/Blocklists.
fulldatasharing    Configure SenderBase statistics-sharing with unhashed filename.

AsyncOS management

updateconfig    Configure update URLs and HTTP/HTTPS proxies to use. This will also affect Anti-Spam and Anti-Virus updates.
upgrade    List all available AsyncOS versions and perform an upgrade.
revert    Revert the appliance to a previously used AsyncOS version. Except network settings ALL configurations and logs will be lost.

Suspending and resuming receiving and/or delivering mails

workqueue pause    Pause working queue.
workqueue resume    Resume working queue.
suspendlistener    Stop accepting mails on one, several or all listeners.
resumelistener    Resume accepting mails on one, several or all listeners.
suspenddel    Suspend delivering mails.
resumedel    Resume delivering mails.
suspend    Suspend receiving and delivering all mails.
resume    Resume receiving and delivering all mails.

Centralized Management Cluster

clusterconfig    Create SSH or CSS clusters, add or remove single ESAs to or from a cluster. Create and manage cluster groups. List machines in cluster and view cluster and connection status.
clustercheck    Check configuration databases for inconsistencies and resolve them if necessary.
clusterdiag    Configure cluster diagnostic settings.
_clusterjoin    There is nothing to see here, move on.

Message Filter conditions (Excerpt. See “ESA User Guide” for more info + examples)

subject    Tests subject against a RegExp.
body-size    Tests size of entire message in bytes.
mail-from    Tests envelope sender against a RegExp.
mail-from-group    Tests envelope sender against LDAP group.
sendergroup    Tests against a HAT sendergroup name.
rcpt-to    Tests envelope recipients against a RegExp.
rcpt-to-group    Tests envelope recipients with LDAP group.
remote-ip    Tests client IP for exact or IP range match.
recv-int or recv-listener    Matches mails received on the named interface/listener.
date    Tests current date against value in US date format: MM/DD/YYYY HH:MM:SS
header(<string>)    Tests the given header against a RegExp.
random(<integer>)    Compares a random integer to given value.
rcpt-count    Checks recipient count against value.
addr-count()    Compares recipient count from header (To: and/or Cc:) against value.
spf-status    Checks the SPF status.
spf-passed    Checks if SPF verification was successful.
image-verdict    Scans attached images for category match.
workqueue-count    Checks number of mails in the workqueue.
body-contains(<regexp>)    Checks mail and attachments for a RegExp.
only-body-contains(<regexp>)    Checks message body for a RegExp.
encrypted    Tests if a message is S/MIME or PGP encrypted.
attachment-<trait>    Checks if an attachment matches a characteristic <trait>. <trait> can be filename, size, type (MIME signature), filetype (fingerprint) or mimetype (MIME header).
attachment-protected    Looks for passworded/encrypted attachments.
attachment-unprotected    Looks for unprotected attachments.
attachment-contains()    Tests attachment for the given pattern.
attachment-binary-contains()    Tests raw binary attachment for pattern.
every-attachment-contains()    Tests every attachment of a message for a given pattern.
attachment-size    Matches attachments by size in B, K or M.
dnslist(<server>)    Looks at server for a match in a DNSBL.
[url-]reputation    Compares sender's SB or a URL reputation to value.
[url-]no-reputation    True when SB rep. is “none” or a URL rep. is unavailable.
url-category    Checks all URLs in a message for the specified category.
dictionary-match(<dict>)    Look in body for RegExp match from dictionary <dict>.
<position>-dictionary-match(<dict>)    Looks in <position> of a message for a RegExp match from the dictionary named <dict>. <position> can be: subject, mail-from, rcpt-to, attachment, body.
header-dictionary-match(<dict>, <header>)    Looks in header <header> for RegExp match from dictionary named <dict>.
smtp-auth-id-matches(<header>[, <sieve-char>])    Checks sender in envelope and mail header (From: or Sender:) against the sender's SMTP auth user ID.
true    True is true and therefore matches all mails.
valid    Tests mail for complete MIME validity.
signed    Tests if the message is S/MIME signed.
signed-certificate(<field> [<operator> <regexp>])    Check if the issuer or signer <field> in the certificate of a S/MIME message matches/does not match (== or != as <operator>) a certain <regexp>.

Message Filter actions (Excerpt. See “ESA User Guide” for more info + examples)

alt-src-host()    Deliver mail from this named interface.
alt-rcpt-to()    Change all recipients of a message.
alt-mailhost()    Deliver mail via alternate mail host.
notify() or notify-copy()    Notify specified recipient about a message (and include a copy of the original message).
bcc() or bcc-scan()    Send a copy of this message to a new recipient. Treat the copy like a new mail and scan again.
log-entry()    Add a log message at INFO level to mail logs.
quarantine(<name>)    Send this mail to the named quarantine.
archive(<filename>)    Save copy of the message in mbox format file.
duplicate-quarantine(<name>)    Send copy of this mail to the named quarantine.
strip-header()    Look for a header and remove it.
insert-header()    Insert a header and its value into the mail.
add-footer(<footer>)    Add the footer named <footer> to the mail.
add-heading(<heading>)    Add text resource <heading> as a heading to a message.
bounce-profile()    Apply a bounce profile to the mail.
encrypt-deferred(<profile>)    Encrypt message before final delivery.
tag-message(<name>)    Add tag <name> for RSA DLP policy filtering.
skip-filters()    Skip all remaining message filters.
skip-<scanner>()    Skip all checks of <scanner> for this mail. <scanner> can be spamcheck, marketingcheck, socialcheck, bulkcheck, viruscheck, ampcheck, vofcheck.
drop-attachments-by-<trait>()    Drop attachments matching a characteristic <trait> which can be name, size, type, filetype or mimetype.
drop-attachments-where-contains(<regexp>)    Drop attachments that match a Regular Expression. Also matches files in archives and drops whole archive.
drop-attachments-where-dictionary-match(<dict>)    Drop attachments that match a term in the dictionary <dict>.
html-convert()    Strip all HTML tags from a message.
edit-header-text()    Substitute a matched RegExp within a header.
edit-body-text()    Substitute a matched RegExp within a body.
deliver()    Deliver the message. Final action.
drop()    Drop the message. Final action.
bounce()    Bounce the message. Final action.

Message Filter example

    drop_huge_presentations:
    if (mail-from-group == "Sales") AND
       (attachment-filename == "(?i)\\.(ppt|pptx)$") AND
       (attachment-size >= 10M) {
        # drop-attachments-by-name matches the attachment file name
        drop-attachments-by-name("(?i)\\.(ppt|pptx)$", "Large presentation dropped.");
    }
