4081 Views · 5 Helpful · 10 Replies

Cisco ESA SPF configuration behind SMTP relay

adbj
Level 1

Hello,
Is there any possibility to get SPF working when the Cisco ESA is behind an SMTP relay?
I just added the SMTP relay in the Incoming Relays section, and I can see the real public IP of the sender, but SPF always fails, because it sees the email as sent from the IP of the relay and not from the public IP of the SMTP sender.


Accepted Solution

ppreenja
Cisco Employee
Hi,

When we enable incoming relay, below is the impact:

SPF, DKIM, DMARC - all of these will no longer work.
SPF will fail because the source IP cannot be located to do the SPF lookup against for verification.
EHLO (HELO) will not be able to be parsed.

SPF works with a DNS TXT record containing the allowed sender IP addresses. With an incoming relay config, the appliance is only getting messages from this incoming relay server, and with this the appliance is not able to check the incoming IP address to see if it is included within the SPF DNS record information.
Setting up an incoming relay can only get the reputation score (SBRS) and not the SPF record. The SPF record is something which is stored on the DNS server, and DNS comes into the picture at the connection level. Hence, it is not possible in any manner to get the SPF record of the connecting mail servers unless and until you make a change in your deployment and replace the IronPort with the mail relay as the edge device.

I hope the above helps!

Cheers,
Pratham


10 Replies

marc.luescherFRE
Spotlight

I assume you added your incoming relay like this:

Name = hostname of relay
IP = internal IP of relay
Header = Received
Parse after = from
Hops = 1

Make sure the dark blue selection is covering the Disable option, to make sure it is enabled.

I hope that helps.

-Marc
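
As an added illustration of both the incoming-relay settings Marc lists (Header = Received, Parse after = from, Hops = 1) and the SPF failure Pratham explains, the Python below (not Cisco code; the Received header, relay IP and SPF record are constructed, and the SPF evaluator is a deliberately minimal ip4/all subset) pulls the originating IP out of the relay's Received header and evaluates the sender's SPF record against both the connecting IP and the header IP.

```python
import ipaddress
import re

# Constructed sample (not real traffic): Received header of a message as the ESA
# gets it from an internal relay. The relay wrote it and recorded the sender's real IP.
SAMPLE_RECEIVED = [
    "Received: from mail.sender.example ([203.0.113.25]) by relay.example.internal",
]
CONNECTING_IP = "10.1.1.5"  # constructed: the relay's IP, the only peer the ESA sees

# Constructed SPF record for the sender's domain; a real check does a DNS TXT lookup.
SPF_RECORDS = {"sender.example": "v=spf1 ip4:203.0.113.0/24 -all"}

_FROM_IP = re.compile(r"from\s+\S+[^\[]*\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def originating_ip(received_headers, hops=1):
    """Model of the incoming-relay setting Header=Received, Parse after='from',
    Hops=N: take the N-th Received header from the top and return the IP after
    'from'; None when the header is missing or does not parse."""
    if hops < 1 or hops > len(received_headers):
        return None
    match = _FROM_IP.search(received_headers[hops - 1])
    return match.group(1) if match else None

def spf_result(record, client_ip):
    """Minimal SPF evaluator: ip4 mechanisms plus a final 'all'. Real SPF also
    handles a, mx, include, exists and macros; they are omitted here."""
    verdict = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in verdict:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return verdict[qualifier]
        if term == "all":
            return verdict[qualifier]
    return "neutral"  # nothing matched and no 'all' mechanism

def compare_verdicts(received_headers, connecting_ip, domain):
    """Verdict for the IP the ESA really connects with (the relay) next to the
    verdict the relay-recorded originating IP would have produced."""
    record = SPF_RECORDS[domain]
    header_ip = originating_ip(received_headers)
    return {
        "connection_ip": spf_result(record, connecting_ip),
        "header_ip": spf_result(record, header_ip) if header_ip else "none",
    }
```

The relay's address is not in the sender's record, so the connection-level check fails even though the header IP would pass; this is the gap Pratham describes, and why moving the ESA to the edge is the only fix for SPF.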

Thanks Marc for your reply,
I want to mention that the configuration of the incoming relay and the Received header is already done,
also the SBRS feature works, and detects the public IP of the sender instead of the local IP addresses of the local incoming relay (the MX),

but the SPF feature is not working correctly, and the SPF result is performed on the local IP address of the local incoming relay instead of the public IP of the sender,

so is there any other config to implement?



ppreenja
Cisco Employee
Hello,

For resolving your issue, I believe you can configure incoming relay on your ESA.

A very quick way to learn about a feature: in the GUI, navigate to the Network -> Incoming Relays page. Then, click the online help link in the upper-right of the page. The online help will be opened directly at the section that relates to that feature; it is context sensitive. (This technique works for all pages in the GUI.)

"The Incoming Relays Feature: Overview

"Occasionally, administrators need to run the IronPort appliance behind the mail exchange (MX) or mail transfer agent (MTA) at the edge of the network instead of receiving mail directly from the Internet. Unfortunately, when using this configuration the IronPort appliance is not receiving the mail directly from the Internet and so it does not have access to the last connecting IP address from the external network. Instead mail received is listed as being received from the local MX/MTA. It is critical for successful operation of the IronPort appliance that the connecting IP address be known so that SenderBase Reputation Service (SBRS) can be used in IronPort Anti‑Spam scanning.

"The solution is to configure an incoming relay. When configuring an incoming relay, you specify the names and IP addresses of all of the internal MX/MTAs connecting to the IronPort appliance, as well as the header used to store the originating IP address. You have two options for specifying the header: a custom header or an existing received header."

Also, please refer to the document link below for more details on incoming relay:

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118465-technote-esa-00.pdf

Cheers,
Pratham

Thanks ppreenja for your reply,
I want to mention that the configuration of the incoming relay and the Received header is already done,
also the SBRS feature works, and detects the public IP of the sender instead of the local IP addresses of the local incoming relay (the MX),

but the SPF feature is not working correctly, and the SPF result is performed on the local IP address of the local incoming relay instead of the public IP of the sender,

so is there any other config to implement?



Can you send me a message tracking export (PDF) via private message?


Thank you, ppreenja, for your reply.

Hi ppreenja, is the failure for SPF, DKIM and DMARC even if the from is parsed before the last hop to the ESA?

Hi Richard, yes it should result in failure.