Cisco ESA SMTP Authentication with Exchange Server 2016

user2023
Level 1

Hello,

We're trying to set up SMTP authentication on Cisco ESA to authenticate with our internal Exchange 2016 servers, but emails do not make it through inbound with error message "Client was not authenticated to send anonymous mail during MAIL FROM". The complete error is listed below as well as our current Cisco ESA configuration. Has anyone set this up in their environment and can give me pointers on anything I might be missing or misconfigured?

I know the Exchange servers are set to not allow Anonymous users and the expectation is that the ESA will send the email authenticated since the configuration links it to LDAP. Are we mistaken to assume this?

Error message: Message <number> to <recipient> bounced by destination server. Reason: 5.1.0 - Unknown address error ('530', ['5.7.57 SMTP; Client was not authenticated to send anonymous mail during MAIL FROM'])

ESA version: AsyncOS 14.2.1-020
Exchange Server 2016

Network > SMTP Routes
Receiving Domain: domain.com
Destination Hosts: 0 10.10.10.1 587 (priority/destination/port)

System Administration > LDAP
SMTP Authentication Query
Name: LDAP.smtpauth
Query String: (sAMAccountName={u})
Authentication Method: Authenticate via LDAP BIND
Maximum number of simultaneous connections for this query: 1
*Tested good with account name/password*

Network > SMTP Authentication
Profile Name: AuthProfileName
LDAP Query: LDAP.smtpauth
Default Encryption Method: Plain
LDAP Verification: Disabled

Network > Listeners
Name: ListenerName
Type of Listener: Private
Interface: Management (only one used)
TCP Port: 587
SMTP Authentication Profile: AuthProfileName
Certificate: (ESA certificate signed by our CA, also tried our external signed certificate)
LDAP Queries: Group Query: LDAP.group

Mail Policies > Mail Flow Policies
Name: RelayPolicyName
Connection Behavior: Relay
Encryption and Authentication:
TLS: Required
Verify Client Certificate (unchecked, also tried checked)
SMTP Authentication: Required
If Both TLS and SMTP Authentication are enabled: Require TLS To Offer SMTP Authentication

Mail Policies > HAT Overview
Name: SenderGroupRelayName
Order: 1
Policy: RelayPolicyName
SBRS (Optional): Not in use
External Threat Feed (Optional): None
DNS Lists (Optional): None
Connecting Host DNS Verification: None Included

2 Replies

Octavian Szolga
Level 4

Hi,


The assumption is wrong. ESA to Exchange (inbound and outbound) is just plain old SMTP with no auth.

The fact that you're using LDAP to integrate ESA with AD Services does not mandate the need for SMTP auth.

You can still use LDAP for RBAC (ESA mgmt users) or for listener LDAP accept query (check if destination really exists before letting mail in) or LDAP group query or SPAM quarantine access.

The way I see it, and this is how everybody's using it, you should pay attention to:

1. exchange config - not sure about exchange terminology - smart transport, smart relay, whatever - bottom line is that the IP of the ESA should be added as an exception on Exchange - that is to allow unauthenticated SMTP traffic to your domain coming from the ESA IP. This is needed for inbound email (outside -> ESA -> exchange).

Also, exchange should have the ESA IP defined as relay - anything related to outside world - send to ESA.


2. Mail flow policy RELAYED should not have any SMTP auth. You don't want to authenticate Exchange when emails are sent outside your company. That's why you've added exchange's IP in that relay HAT. It's whitelist based. Why care to authenticate?

This is needed for outbound. You -> exchange (you to exchange authenticated) -> ESA (exchange to ESA not authenticated) -> outside world.


BR,

Octavian
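Octavian's two points expressed as Exchange 2016 configuration, as an added example that is not from either poster and not Cisco's or Microsoft's own guidance. It assumes the Exchange Management Shell; the server name and the ESA's IP address are placeholders (the ESA's address is not given in the thread).

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Both values are placeholders: replace with your own server name and ESA address.
$ExchangeServer = "EXCH01"        # placeholder Exchange 2016 server name
$EsaIp          = "192.0.2.10"    # placeholder: the ESA's IP (not on the page)

# 1. Inbound (outside -> ESA -> Exchange): a dedicated frontend receive connector
#    that accepts unauthenticated SMTP only from the ESA. RemoteIPRanges is the
#    "exception" described above; anonymous mail from any other source is still
#    governed by the default connectors. TLS is required on the session, so the
#    hop stays encrypted even though it does not use SMTP AUTH.
New-ReceiveConnector -Name "Inbound from ESA" `
    -Server $ExchangeServer `
    -TransportRole FrontendTransport `
    -Usage Custom `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges $EsaIp `
    -AuthMechanism Tls `
    -PermissionGroups AnonymousUsers `
    -RequireTLS $true

# Deliberately NOT granted: ms-Exch-SMTP-Accept-Any-Recipient. Inbound mail from
# the ESA is addressed to your own accepted domains, so relay rights to arbitrary
# recipients are unnecessary, and granting them would make this connector an open
# relay for anything that can reach it via the ESA.

# 2. Outbound (Exchange -> ESA -> outside): send all external mail to the ESA as a
#    smart host instead of resolving MX records directly, matching the relay
#    sender group on the ESA side (whitelist by Exchange IP, no SMTP AUTH).
New-SendConnector -Name "Outbound via ESA" `
    -Usage Internet `
    -AddressSpaces "SMTP:*;1" `
    -DNSRoutingEnabled $false `
    -SmartHosts $EsaIp `
    -SourceTransportServers $ExchangeServer `
    -RequireTLS $true

# Verify the effective settings of the new receive connector before testing mail flow.
Get-ReceiveConnector -Identity "$ExchangeServer\Inbound from ESA" |
    Format-List Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups, RequireTLS
```

After this, the ESA's SMTP route for the receiving domain should point at the Exchange server on port 25 (the port the new receive connector listens on) rather than at a submission port that expects authenticated clients.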

Thanks. We do have ESA <-> Exchange working fine without authentication on port 25. We would like to move to authentication between them. Why? Because if there is a more secure option, that's the option we'd rather use. The options are available to be configured on the ESA, which means it should be able to support it.