Solved: CISCO ESA SPF CONFIGURATION Behind SMTP RELAY

adbj · ‎02-10-2020

HELLO,
is there any possibility to get SPF working when cisco ESA is behind smtp relay?
i just added the smtp relay in incoming relay section, and i can see the real public IP of the sender, but SPF always fail, because it see the email was sent from the IP of the relay and not from the public ip of the smtp sender

ppreenja · ‎02-11-2020

Hi,

As we enable incoming relay below is the impact:

SPF, DKIM, DMARC - All of these will no longer work.
SPF will fail due to the source IP will not be able to be located to do the SPF lookup against for verification.
EHLO (HELO) will not be able to be parsed

SPF are working with a DNS Text record which containing the Allowed Sender IP addresses. With an Incoming Relay config, the Appliance are only getting messages from this incoming relay server and with this the Appliance are not able to check the incoming IP address to see if they are included within the SPF DNS record information.
setting up an Incoming Relay can only get the reputation score (SBRS) and not the SPF record. The SPF record is something which is stored on the DNS server and the DNS comes into picture at the connection level. Hence, it is not possible in any manner to get the SPF record of the connecting mail servers unless and until you make a change in your deployment and replacing the Iron Port with the mail relay as the edge device.

I hope the above helps!

Cheers,
Pratham

View solution in original post

marc.luescherFRE · ‎02-10-2020

I assume you added your incoming relay like this:

Name = hostname of relay

IP = internal IP of relay

Header = Received

Parse after = from

Hops = 1

make sure the dark blue selection is covering the Disable option to make sure it is enabled.

I hope that help

-Marc

adbj · ‎02-10-2020

thanks marc for your reply,
i want to mention that the configuration of incoming relay and the received header is already done,
also the sbrs feature work , and detect the public ip of the sender istead of the local IP adresses of the local incoming realy(the MX),

but the SPF feature is not working correctly, and the SPF result is performed on the local ip adresse of local incoming Relay insted of the public ip of the sender,

so is there any other config to implement?

ppreenja · ‎02-10-2020

Hello,

For resolving your issue, I believe you can configure incoming relay on your ESA.

A very quick way to learn about a feature: in the GUI, navigate to the Network -> Incoming Relays page. Then, click the online help link in the upper-right of the page. The online help will be opened directly section that relates to that feature; it is context sensitive. (This technique works for all pages in the GUI.)

"The Incoming Relays Feature: Overview

"Occasionally, administrators need to run the IronPort appliance behind the mail exchange (MX) or mail transfer agent (MTA) at the edge of the network instead of receiving mail directly from the Internet. Unfortunately, when using this configuration the IronPort appliance is not receiving the mail directly from the Internet and so it does not have access to the last connecting IP address from the external network. Instead mail received is listed as being received from the local MX/MTA. It is critical for successful operation of the IronPort appliance that the connecting IP address be known so that SenderBase Reputation Service (SBRS) can be used in IronPort Anti‑Spam scanning.

"The solution is to configure an incoming relay. When configuring an incoming relay, you specify the names and IP addresses of all of the internal MX/MTAs connecting to the IronPort appliance, as well as the header used to store the originating IP address. You have two options for specifying the header: a custom header or an existing received header."

Also, please refer below document link for more details on incoming relay:

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118465-technote-esa-00.pdf

Cheers,
Pratham

adbj · ‎02-10-2020

thanks PPREENJA for your reply,
i want to mention that the configuration of incoming relay and the received header is already done,
also the sbrs feature work , and detect the public ip of the sender istead of the local IP adresses of the local incoming realy(the MX),

but the SPF feature is not working correctly, and the SPF result is performed on the local ip adresse of local incoming Relay insted of the public ip of the sender,

so is there any other config to implement?

marc.luescherFRE · ‎02-10-2020

Can you sent me a message tracking export (pDF) via private message ?

ppreenja · ‎02-11-2020

Hi,

As we enable incoming relay below is the impact:

SPF, DKIM, DMARC - All of these will no longer work.
SPF will fail due to the source IP will not be able to be located to do the SPF lookup against for verification.
EHLO (HELO) will not be able to be parsed

SPF are working with a DNS Text record which containing the Allowed Sender IP addresses. With an Incoming Relay config, the Appliance are only getting messages from this incoming relay server and with this the Appliance are not able to check the incoming IP address to see if they are included within the SPF DNS record information.
setting up an Incoming Relay can only get the reputation score (SBRS) and not the SPF record. The SPF record is something which is stored on the DNS server and the DNS comes into picture at the connection level. Hence, it is not possible in any manner to get the SPF record of the connecting mail servers unless and until you make a change in your deployment and replacing the Iron Port with the mail relay as the edge device.

I hope the above helps!

Cheers,
Pratham

adbj · ‎02-11-2020

thank you ppreenja for your reply.

richard_or · ‎07-09-2020

richard_or · ‎07-09-2020

Hi pPreenja, is the failure for SPF DKIM and DMARC even if the from is parsed before the last hop to the ESA?

ppreenja · ‎07-09-2020

Hi Richard, yes it should result in failure.