Best Practices regarding IronPort with ISP redundancy

Kevin Marcan
Level 4


I am currently working through an issue with outbound email, and was curious what solutions are out there.

Basically, we have IronPort behind an ASA relaying email.  The ASA has 2 ISPs used for redundancy purposes.

ISP1 -->

ISP2 -->

mx records --> pref 10

                  --> pref 20

IronPort Interface hostname -->

When the main ISP is up, everything is happy.

IronPort's interface is configured with the hostname, which in turn, is populated into the SMTP banner.   Reverse DNS checks of course pass.

The issue is if ISP1 fails, and email starts getting sent out ISP2 (

IronPort still populates the SMTP banner with, Resulting in reverse DNS checks failing.

My 2 questions are basically:

1) Is there a solution to deal with this? Have IronPort send out in the event of a failure?

2) If no, does this even matter?  Obviously it's undesirable, but according to the RFC, email servers should not actually be blocking email based on this fact.

Thanks in advance!

1 Reply

We do it by using one IP subnet for all of our public stuff and getting both ISPs to publish the BGP for it. That way the IP doesn't change depending on which ISP is carrying the traffic. We did this even when our subnet range was owned by one of the ISPs.
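
Added example, not part of the thread and not Cisco code: a small audit that takes the SMTP banner name and the public IP used on each egress path and reports which DNS consistency checks a receiving server could fail. The hostnames, addresses and the exact set of checks are assumptions (constructed placeholders from documentation ranges), since the thread's real values are elided.

```python
# Constructed DNS data (documentation ranges, example.com); the thread's
# real addresses and hostnames are elided, so these are placeholders.
PTR = {
    "192.0.2.10": "mail1.example.com",     # NAT address on ISP1
    "198.51.100.10": "mail2.example.com",  # NAT address on ISP2
    "203.0.113.25": "mail.example.com",    # one address announced via both ISPs
}
A = {
    "mail1.example.com": {"192.0.2.10"},
    "mail2.example.com": {"198.51.100.10"},
    "mail.example.com": {"203.0.113.25"},
}

def norm(name):
    # Compare DNS names case-insensitively and without a trailing dot.
    return name.strip().rstrip(".").lower()

def check_egress(ip, banner, ptr=PTR, a=A):
    """List the receiver-side DNS checks that mail leaving from `ip` would fail."""
    name = ptr.get(ip)
    if name is None:
        return ["no PTR record for sending IP"]
    problems = []
    if ip not in a.get(norm(name), set()):
        problems.append("PTR name does not resolve back to sending IP")
    if norm(name) != norm(banner):
        problems.append("banner name differs from PTR name")
    if ip not in a.get(norm(banner), set()):
        problems.append("banner name does not resolve to sending IP")
    return problems

def audit(banner, paths, ptr=PTR, a=A):
    """Map each egress path (ISP label -> public IP) to its failed checks."""
    return {isp: check_egress(ip, banner, ptr, a) for isp, ip in paths.items()}

if __name__ == "__main__":
    # Setup in the question: a different public IP per ISP, one fixed banner.
    print(audit("mail1.example.com", {"ISP1": "192.0.2.10", "ISP2": "198.51.100.10"}))
    # Setup in the reply: same public IP whichever ISP carries the traffic.
    print(audit("mail.example.com", {"ISP1": "203.0.113.25", "ISP2": "203.0.113.25"}))
```

To run it against live DNS instead of the constructed tables, pass `ptr` and `a` mappings built from your own resolver lookups.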