12-21-2016 12:41 AM
Hi all
I've currently configured sending email as: email server -> iron c170 -> modem -> internet
Outgoing email this way is OK.
But I have not configured
internet -> modem -> iron c170 -> email server
I opened the ports on the modem for the iron: 25, 110, 995, 587.
When authenticating over port 25 in Outlook, the error message is not authentic.
Please help me configure email management from outside sent to and when logging into Outlook can authenticate an email.
Thanks.
12-21-2016 04:48 AM
Hi,
As I understand, outgoing email to the internet is configured and working correctly, and you are facing difficulties configuring inbound email.
Could you confirm what kind of authentication you are trying to configure?
The ESA should accept traffic from any source over port 25, so you would need to allow emails from the internet to be routed to a listener configured on the ESA under Network -> Listeners.
If this is configured on the ESA, then you would need to review the mail_logs to determine what action is being taken on the connections by the ESA.
All mailboxes are configured and maintained on the Exchange server, which would be primarily used for Outlook authentication of end users.
Regards,
Libin Varghese
12-21-2016 07:38 AM
When I opened the gate directly out internet SMTP server is ok. Login Outlook ok.
But when I opened the iron port C170 is not error SMTP authentication.
I do not know where the wrong configuration is. I only know all internal emails are not over the iron. All outbound email sent to another company with a different domain, then over the iron.
All email is sent to the email server directly and not through the iron.
What have I got to do to configure a basic way for both inbound and outbound email over the iron?
12-21-2016 09:16 AM
You can refer to the end user guide at the link below, Chapter 4, to understand the mail flow through the appliance.
http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa9-7/ESA_9-7_User_Guide.pdf
In order to determine what the issue is, are there any mail_logs or message tracking available for review?
- Libin
12-21-2016 06:45 PM
Thank you.
I have read over Chapter 4 as you said.
I still do not understand fully. Sure, I do not specialize in Cisco much.
Can you guide with basic image captures to configure inbound and outbound email, or not?
I need such guidance.
Thank you very much.
12-22-2016 02:03 AM
I unfortunately do not see an image capture as the setup varies from organization to organization depending on their network.
For inbound email you would need to set up internal network routing to ensure traffic over port 25 reaches the ESA, and such traffic would be logged in the mail_logs of the appliance. The appliance uses listeners in order to service incoming SMTP connection requests.
Internal emails are normally not passed through the ESA and the Exchange handles them; however, you can configure internal emails to also be processed by the ESA.
First, make sure you either have a Private listener configured on the IronPort with a properly populated RELAYLIST with your internal groupware servers, or you have a Public listener with a likewise configured RELAYLIST.
Second, see the related Microsoft Technet article for creating Send Connectors:
http://technet.microsoft.com/en-us/library/aa998814.aspx
When asked what the intended use of the connector is, select "Custom." For the address space, enter "*" and check the "Include All Subdomains" checkbox. On the Network settings page, be sure to select "Route all mail through the following smart hosts" and enter in the IP address of the IronPort.
The basic mail flow would look like this:
For inbound email:
Internet -> Firewall/Modem -> ESA Listener -> HAT Sendergroup (Whitelist/Unknownlist) -> RAT Recipient validation -> Workqueue processing (inbound mail policy) -> SMTP Routes/DNS -> Internal Exchange -> Outlook
For outbound email:
Outlook -> Internal Exchange -> SMTP send connector -> ESA Listener -> HAT Sendergroup (Relaylist) -> Workqueue processing (outbound mail policy) -> SMTP Routes/DNS -> Internet
Did you have any specific configuration query for any of the above steps?
- Libin
12-22-2016 08:21 AM
Thank you for your answer.
I logged on to Outlook from the Internet under the following model:
Outlook (internet) -> Modem (open port 25 on the iron) -> iron C170 -> email server.
Outlook reports errors as shown below.
I sent some pictures of the configuration capture.
Any place you want to know the parts missing or does snooze. I will send more photos.
12-22-2016 08:33 AM
The error in Outlook shows the sender is being blocked due to error 554 Poor MTA reputation. This means the sender IP is being blocked due to a poor score on Cisco SenderBase. You can look at the current email reputation for an IP from the link below:
www.senderbase.org
In order to prevent the SenderBase score check on the ESA, you would need to add the sender IP address to the HAT Whitelist under Mail Policies -> HAT Overview from the WebUI.
If you are unsure of what the IP is, then you can run the command "tail mail_logs" before sending a test email to see the connection entries on the ESA.
In the mail logs, connections rejected by the Blacklist would appear as below:
Wed Feb 24 14:11:51 2016 Info: New SMTP ICID 24 interface Management (14.1.148.11) address 14.0.26.72 reverse dns host unknown verified no
Wed Feb 24 14:11:51 2016 Info: ICID 24 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -8.0
Wed Feb 24 14:11:51 2016 Info: ICID 24 close
- Libin
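An added example, not part of the reply above or of any Cisco tooling: a small Python parser that joins each ICID's "New SMTP" line with the sender-group decision logged for it, so the rejected source address and its SBRS can be read off before adding an entry to the HAT. The first three sample lines are the ones quoted in the reply; the other three, the function names and the list of action keywords are assumptions made for this example.

```python
import re

# The first three lines are the sample quoted in the reply above; the last
# three are constructed in the same layout with a documentation-range address.
SAMPLE_LOG = """\
Wed Feb 24 14:11:51 2016 Info: New SMTP ICID 24 interface Management (14.1.148.11) address 14.0.26.72 reverse dns host unknown verified no
Wed Feb 24 14:11:51 2016 Info: ICID 24 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -8.0
Wed Feb 24 14:11:51 2016 Info: ICID 24 close
Wed Feb 24 14:12:07 2016 Info: New SMTP ICID 25 interface Management (14.1.148.11) address 203.0.113.9 reverse dns host unknown verified no
Wed Feb 24 14:12:07 2016 Info: ICID 25 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 2.1
Wed Feb 24 14:12:09 2016 Info: ICID 25 close
"""

# "New SMTP ICID <n> interface <name> (<ip>) address <remote ip> ..."
NEW_CONN = re.compile(r"New SMTP ICID (\d+) interface (\S+) \([\d.]+\) address ([\d.]+)")
# "ICID <n> <action> SG <sender group> match <rule> SBRS <score>"
# The action keywords listed here are an assumption of this example.
DECISION = re.compile(r"ICID (\d+) (ACCEPT|REJECT|RELAY|TCPREFUSE) SG (\S+) match (\S+) SBRS (\S+)")


def parse_connections(log_text):
    """Join each ICID's remote address with the HAT decision logged for it."""
    conns = {}
    for line in log_text.splitlines():
        new = NEW_CONN.search(line)
        if new:
            icid, iface, addr = new.groups()
            conns[icid] = {"icid": int(icid), "interface": iface, "address": addr,
                           "action": None, "sender_group": None, "sbrs": None}
            continue
        dec = DECISION.search(line)
        if dec and dec.group(1) in conns:
            _, action, group, _, score = dec.groups()
            try:
                sbrs = float(score)
            except ValueError:  # score field is not a number
                sbrs = None
            conns[dec.group(1)].update(action=action, sender_group=group, sbrs=sbrs)
    return list(conns.values())


def rejected_senders(log_text):
    """Return (address, sender group, SBRS) for every rejected connection."""
    return [(c["address"], c["sender_group"], c["sbrs"])
            for c in parse_connections(log_text) if c["action"] == "REJECT"]


if __name__ == "__main__":
    for addr, group, sbrs in rejected_senders(SAMPLE_LOG):
        print(f"{addr} rejected by sender group {group} (SBRS {sbrs})")
```

Feed it the text of an exported mail_logs file in place of `SAMPLE_LOG` to list every rejected source address together with the sender group that matched.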
12-22-2016 06:39 PM
Hi Libin
but you do not know what his
his system description and pictures to you clearly.
- Now, I open ports on firewalls for email server ports 25, 587, 110, 995 and 443. The system operates normally. All email sent out when users are configured to run through the Iron C170 is running very well. But email sent from outside to the past do not iron.
- I would like to open the ports 25, 587, 110, 995 for the C170 and not opened Iron direct email server. But the only open port 25 alone were reported as on already.
I do not know how to configure it properly. Configuration place?
Help me.
Thanks
12-23-2016 05:38 AM
Hi,
Routing emails from the internet to the ESA would be configured on the firewall and not on the ESA.
Also, a listener configured on the ESA would listen on port 25 and would not require opening any ports on the ESA itself.
You currently would have a configuration on the firewall which routes emails to the internal email server; this would need to be changed to route emails to the ESA instead if you would like that to be included in the mail flow path.
- Libin
12-25-2016 06:42 PM
I have configured on the wall to open the gate for ESA half but failed.
ESA port but also opened my fault as the previous image capture.
I open the gate on the email server is ok.
I want to mention here is possibly due to the formation on ESA I have something wrong and want to thank the guidance.
I can capture any image on ESA configuration if required.
Thanks
12-26-2016 12:40 AM
Hi,
When traffic is being routed to the ESA through the firewall, you would need to either review the mail_logs at the time or set up a packet capture on the ESA using the command "packetcapture port 25".
You can stop the capture by using the command "packetcapture stop". The capture file can then be downloaded from the GUI under Help and Support -> Packet Capture.
For troubleshooting assistance I would recommend opening a TAC case with the information.
- Libin
12-26-2016 01:15 AM
I can send an email with the log as your own speak to you.
Can you give me your email? I do not like this information publicly.
12-26-2016 04:37 AM
Hi
Please open a TAC case and an engineer can communicate with you over email.
Libin
12-26-2016 06:42 AM
How to open a TAC case?