How do I migrate from local spam quarantine on Cisco Email Security Appliance (ESA) to central spam quarantine on Security Management Appliance (SMA)?

Introduction

This document describes how to move quarantined messages from local spam quarantine on ESA to central spam quarantine on SMA.

How do I migrate from local spam quarantine on Cisco Email Security Appliance (ESA) to central spam quarantine on Security Management Appliance (SMA)?

Assumptions

The following solution assumes that the SMA appliance is configured, so that the ESA appliance(s) has been added and Centralized quarantine has been enabled.

Configuration Summary

1. Enable centralized quarantine on the ESA appliance(s):GUI > Security Services > Spam Quarantine >Check  Enable External Spam Quarantine
2. Disable the local quarantine(s):GUI > Monitor > Spam Quarantine> Uncheck Enable Spam Quarantine
3. Submit and Commit Changes.
4. Optionally migrate quarantine messages from local to central quarantine via the process below.

Procedure

On ESA appliance you would need to empty the queue. To empty the workqueue:

Suspend all Listeners using the CLI command suspendlistener and choose the option "1. All".

> suspendlistener

Choose the listener(s) you wish to suspend.
Separate multiple entries with commas.
1. All
2. Public
3. Test
[*]> 1

Wait some time until most deliverable messages in delivery queue are delivered. (You can see the number of "Active Recipients" in the output of the commands status and tophosts).

>status
...
Gauges:                                      Current
  Connections
    Current Inbound Conn.                          0
    Current Outbound Conn.                         0
  Queue
    Active Recipients                              1
    Messages In Work Queue                         0
    Kilobytes Used                                85
    Kilobytes Free                        71,303,083
    Messages In Quarantine
      Policy, Virus and Outbreak                  10
    Kilobytes In Quarantine
      Policy, Virus and Outbreak                  50

> tophosts

Sort results by:

1. Active Recipients
2. Connections Out
3. Delivered Recipients
4. Hard Bounced Recipients
5. Soft Bounced Events
[1]>1

Status as of:                   Mon Sep 29 13:09:53 2014 EDT
Hosts marked with '*' were down as of the last delivery attempt.

                                 Active  Conn.     Deliv.       Soft       Hard
#   Recipient Host               Recip.    Out     Recip.    Bounced    Bounced

1   earthlink.net                     1      0          2          0          0
2   the.cpq.host                      0      0          1          0          0
3   the.encryption.queue              0      0         14          0          0
4   the.euq.queue                     0      0          2          0          0
5   the.euq.release.queue             0      0          0          0          0
 

If after 1-2 hours there are still some messages in the delivery queue you would need to bounce these messages using command bouncerecipients choosing option "3. All" and wait till the queue gets empty.

> bouncerecipients

Please select how you would like to bounce messages:
1. By recipient host.
2. By Envelope From address.
3. All.
[1]> 3

Senders of bounced messages will receive notification that message could not be delivered)
 
Suspend the delivery of messages using command suspenddel.

> suspenddel

Enter the number of seconds to wait before abruptly closing connections.
[30]>

Make a backup of your configuration via the command saveconfig or mailconfig as it requires clearing your smtp routes and then adding them back later :

> saveconfig

Do you want to mask the password? Files with masked passwords cannot be loaded using
 loadconfig command. [Y]>

Via GUI Go to Network -> SMTP Routes and remove all smtp routes. (note down the old routes as you will need to add them again later). Or, via CLI use print to display then clear to remove.

> smtproutes


There are currently 4 routes configured.

Choose the operation you want to perform:
- NEW - Create a new route.
- EDIT - Edit destinations of an existing route.
- DELETE - Remove a route.
- PRINT - Display all routes.
- IMPORT - Import new routes from a file.
- EXPORT - Export all routes to a file.
- CLEAR - Remove all routes.
[]> print
..
[]> clear

Edit the "All Other Domains" smtp route and set it to the IP address of SMA appliance and port to 6025.

>smtproutes
[]> edit

Enter the hostname you want to edit.
[]> ALL


Choose the operation you want to perform:
- ADD - Add new destination hosts.
- REPLACE - Specify a new destination or set of destinations
[]> REPLACE

Enter the destination hosts, separated by commas, which you want mail for ALL to be
 delivered.
Enter USEDNS by itself to use normal DNS resolution for this route.
Enter /dev/null by itself if you wish to discard the mail.
Enclose in square brackets to force resolution via address (A)
records, ignoring any MX records.
[]> mysma.com:6025

Default route updated.

Verify:  Commit the changes and release 2-3 spam messages from your local quarantine as a test.

> commit

Please enter some comments describing your changes:
[]> changed default smtp route to point to SMA

If the released messages arrive correctly to the centralized spam quarantine, release the rest of the messages.

After all messages have been transferred to the SMA appliance, restore the old SMTP routes routes on the ESA appliance.

Disable local spam quarantine and enable the Centralized quarantine instead.

Resume normal operation on the ESA using command resume.

> resume
Mail delivery resumed.