Advice on configuring Mail Relay

ashley.rees
Level 1

Hi All

I am just looking for some advice on the best way to approach allowing internal applications \ servers and devices to use our Cisco C170 Ironport appliances for SMTP relay. I am learning as I go, so apologies if this is a rather greenhorn question.

At present, for any internal client (app\srv\dev) to send email via the Ironport appliances, we have to add the IP of the sender to a relay group (where we also document host \ device names to aid with cleanup down the track).

The issue we face is that we also have legacy SMTP servers in our environment where relay is not restricted via IP, but rather by the sending address domain. The plan is to remove these legacy servers, but we want to do it without having to reflag all clients using the legacy servers manually on the Ironport IP, as we don't have a clear list of who these senders are.

What we are looking for is advice as to whether the following can and more importantly should be done:

We will have 2 relay policies on our Ironport appliances.

* Unrestricted -> Internal client can send to any domain, as long as the FROM address is using our domain & IP is flagged (this is current state and we can keep it unless there are better ways)

* Restricted -> The second policy would allow the internal client to only send email to our domain. Membership of this group should be approved for any internal sender as long as they send the email using our domain in the sender address. 

All existing members of our Unrestricted group (which is already set up) won't be affected. Unrestricted sending we would leave as IP based authorization.

Finally, if for some reason a client that is covered by the Restricted group also happens to have its IP in the unrestricted group, the restricted conditions should take effect. 

Appreciate in advance any advice

Ash
