12-29-2017 03:28 AM - edited 03-08-2019 07:30 PM
I have configured ESA for the first time and it is not working. Here are the details for my network:
domain : x.y.com
exchange : mail.x.y.com
I configured ESA as the document said and put the data1 interface in the DMZ zone.
smtp routes x.y.com >>>>>>> 10.10.10.5 "exchange server"
DNS >>>>>>> 10.10.10.2
Listener >>>> points to the data1 interface with HAT and RAT policy
DATA 1 interface >>>> hostname : smtp.x.y.com
RelayList points to the Exchange IP address 10.10.10.5
RAT points to domain "x.y.com"
My questions:
1) Do I have to change the MX record configured at the ISP domain to point to the hostname of the ESA, or leave it as it is?
2) I have configured an A record for the ESA in DNS with the name "smtp.x.y.com" and created an MX record for it that also points to "smtp.x.y.com". Is that right, or is there something else I have to do?
3) I have configured a policy in the firewall to allow traffic in and out for SMTP, and also internally (in & out).
4) What am I supposed to change in the send connector of the Exchange server to point to my ESA?
I faced an issue yesterday where outgoing mails were rejected by RAT and I don't know why.
What else am I supposed to do in the ESA?
12-29-2017 05:07 AM - edited 12-29-2017 05:08 AM
1. Your mx record needs to point to a public IP which will direct emails to the ESA. This could be direct or through NAT.
2. MX, A and PTR records need to be published for the email flow ideally.
3. Traffic needs to be allowed over port 25 for email; other ports needed for updates etc. are listed in the end user guide.
4. The send connector on the Exchange needs to point to the IP interface for which the listener is created, i.e. Data 1.
The missing step would be under Mail Policies -> HAT Overview -> Relaylist -> Add the IP address of your internal Exchange.
Without this step all outgoing emails would be treated as inbound and get rejected by RAT.
Regards
Libin Varghese
12-31-2017 04:50 PM
I did as you said and incoming mail is working well, but outgoing mail didn't work and always gives me logs saying
"rejected by sender"; this is the output from message tracking, as per the attached.
Also note that the customer has two Exchange servers with load balancing between them. They gave me the load-balance IP address and I added it to the relay list, then added the two real IPs of each Exchange to the relay list, and still the same problem; but it didn't give me the "rejected" logs, it gives me other logs saying
"Potential Directory Harvest Attack" error message
12-31-2017 04:58 PM
The sender IP based on the logs is 200.200.200.247 which was injected to the listener on the Mail-DMZ interface 200.200.122.100 and matched the HAT Unknownlist.
This would suggest IP 200.200.200.247 has not been added to the HAT Relaylist on the mentioned listener.
To understand DHAP please go through the articles below; the DHAP limit is being triggered again because the IP is not added to the Relaylist yet.
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117847-technote-esa-00.html
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118936-technote-esa-00.html
Regards,
Libin Varghese
12-31-2017 08:13 PM
I added it ("200.200.200.247") together with the IP of the 2nd Exchange ("200.200.200.246"), and I also added the load-balance IP ("200.200.200.106") for both Exchange servers, and the problem still exists; see these logs:
New SMTP ICID 60 interface MAIL-DMZ (200.200.122.100) address 200.200.200.246 reverse dns host mop-mbx002.mop.local verified yes
Sun Dec 31 17:35:53 2017 Info: ICID 60 RELAY SG RELAYLIST match 200.200.200.246 SBRS None country Brazil
Sun Dec 31 17:35:53 2017 Warning: Dropping connection due to potential Directory Harvest Attack from host=('200.200.200.246', 'mop-mbx002.mop.local'), dhap_limit=25, sender_group=RELAYLIST, listener=IncomingMail, reverse_dns=200.200.200.246, ICID 60
Sun Dec 31 17:35:53 2017 Info: ICID 60 close
Sun Dec 31 17:36:56 2017 Info: SenderBase upload: 5 hosts totaling 11575 bytes
Sun Dec 31 17:37:03 2017 Info: New SMTP DCID 149 interface 200.200.122.100 address 98.136.102.55 port 25
Sun Dec 31 17:37:04 2017 Info: Delivery start DCID 149 MID 61 to RID [0]
Sun Dec 31 17:37:04 2017 Info: Delayed: DCID 149 MID 61 to RID 0 - 4.1.0 - Unknown address error ('450', ['4.2.2 User is receiving mail too quickly']) []
Sun Dec 31 17:37:04 2017 Info: MID 61 to RID [0] pending till Sun Dec 31 18:29:05 2017 [Default]
Sun Dec 31 17:37:10 2017 Info: DCID 149 close
Sun Dec 31 17:40:26 2017 Info: New SMTP ICID 61 interface MAIL-DMZ (200.200.122.100) address 200.200.200.245 reverse dns host mop-mbx001.mop.local verified yes
Sun Dec 31 17:40:26 2017 Info: ICID 61 RELAY SG RELAYLIST match 200.200.200.245 SBRS None country Brazil
Sun Dec 31 17:40:26 2017 Warning: Dropping connection due to potential Directory Harvest Attack from host=('200.200.200.245', 'mop-mbx001.mop.local'), dhap_limit=25, sender_group=RELAYLIST, listener=IncomingMail, reverse_dns=200.200.200.245, ICID 61
Sun Dec 31 17:40:26 2017 Info: ICID 61 close
Sun Dec 31 17:40:54 2017 Info: New SMTP ICID 62 interface MAIL-DMZ (200.200.122.100) address 200.200.200.246 reverse dns host mop-mbx002.mop.local verified yes
Sun Dec 31 17:40:54 2017 Info: ICID 62 RELAY SG RELAYLIST match 200.200.200.246 SBRS None country Brazil
Sun Dec 31 17:40:54 2017 Warning: Dropping connection due to potential Directory Harvest Attack from host=('200.200.200.246', 'mop-mbx002.mop.local'), dhap_limit=25, sender_group=RELAYLIST, listener=IncomingMail, reverse_dns=200.200.200.246, ICID 62
Sun Dec 31 17:40:54 2017 Info: ICID 62 close
Sun Dec 31 17:41:58 2017 Info: SenderBase upload: 2 hosts totaling 3475 bytes
01-01-2018 05:02 PM
Well now the sender IP matches the Relaylist which is much better if you are attempting to relay emails outbound from these servers through the ESA.
You can change the DHAP limit configured under Mail Policies -> Mail Flow Policies -> Relay.
If the DHAP_Limit was triggered for this IP it would likely need an hour for the counter to reset.
For the error '450', ['4.2.2 User is receiving mail too quickly'], it indicates that the destination server is rejecting the email, which would need to be corrected on the MTA 98.136.102.55.
Regards,
Libin Varghese
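The two failure modes diagnosed in this thread (a source that matched UNKNOWNLIST because it was never added to the Relaylist, and a source that matched RELAYLIST but still tripped the DHAP limit) can be told apart mechanically from the mail_logs lines, by correlating the `New SMTP ICID`, `SG ... match` and `Directory Harvest Attack` lines that share an ICID. The following is an added example and is not code from any poster or from Cisco; the sample log is constructed from the excerpt quoted above (ICIDs 60 and 61 are the thread's own lines, ICIDs 63 and 64 are made up to cover the other two cases), and the `ACCEPT SG UNKNOWNLIST match sbrs[none]` line format is an assumption about how that match is logged.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample, modelled on the ESA mail_logs excerpt quoted in this thread.
# ICID 60/61: taken from the thread (RELAYLIST match, then DHAP drop).
# ICID 63: constructed; source not in Relaylist, so it lands in UNKNOWNLIST and is dropped.
# ICID 64: constructed; the load-balance IP relaying normally (no drop).
SAMPLE_LOG = "\n".join([
    "Sun Dec 31 17:35:53 2017 Info: New SMTP ICID 60 interface MAIL-DMZ (200.200.122.100) address 200.200.200.246 reverse dns host mop-mbx002.mop.local verified yes",
    "Sun Dec 31 17:35:53 2017 Info: ICID 60 RELAY SG RELAYLIST match 200.200.200.246 SBRS None country Brazil",
    "Sun Dec 31 17:35:53 2017 Warning: Dropping connection due to potential Directory Harvest Attack from host=('200.200.200.246', 'mop-mbx002.mop.local'), dhap_limit=25, sender_group=RELAYLIST, listener=IncomingMail, reverse_dns=200.200.200.246, ICID 60",
    "Sun Dec 31 17:35:53 2017 Info: ICID 60 close",
    "Sun Dec 31 17:40:26 2017 Info: New SMTP ICID 61 interface MAIL-DMZ (200.200.122.100) address 200.200.200.245 reverse dns host mop-mbx001.mop.local verified yes",
    "Sun Dec 31 17:40:26 2017 Info: ICID 61 RELAY SG RELAYLIST match 200.200.200.245 SBRS None country Brazil",
    "Sun Dec 31 17:40:26 2017 Warning: Dropping connection due to potential Directory Harvest Attack from host=('200.200.200.245', 'mop-mbx001.mop.local'), dhap_limit=25, sender_group=RELAYLIST, listener=IncomingMail, reverse_dns=200.200.200.245, ICID 61",
    "Sun Dec 31 17:40:26 2017 Info: ICID 61 close",
    "Sun Dec 31 17:42:10 2017 Info: New SMTP ICID 63 interface MAIL-DMZ (200.200.122.100) address 200.200.200.247 reverse dns host mop-mbx003.mop.local verified yes",
    "Sun Dec 31 17:42:10 2017 Info: ICID 63 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None country Brazil",
    "Sun Dec 31 17:42:10 2017 Warning: Dropping connection due to potential Directory Harvest Attack from host=('200.200.200.247', 'mop-mbx003.mop.local'), dhap_limit=25, sender_group=UNKNOWNLIST, listener=IncomingMail, reverse_dns=200.200.200.247, ICID 63",
    "Sun Dec 31 17:42:10 2017 Info: ICID 63 close",
    "Sun Dec 31 17:45:00 2017 Info: New SMTP ICID 64 interface MAIL-DMZ (200.200.122.100) address 200.200.200.106 reverse dns host mop-lb.mop.local verified yes",
    "Sun Dec 31 17:45:00 2017 Info: ICID 64 RELAY SG RELAYLIST match 200.200.200.106 SBRS None country Brazil",
    "Sun Dec 31 17:45:02 2017 Info: ICID 64 close",
])

NEW_ICID_RE = re.compile(
    r"New SMTP ICID (?P<icid>\d+) interface (?P<iface>\S+) \((?P<iface_ip>[\d.]+)\) "
    r"address (?P<addr>[\d.]+)")
SG_RE = re.compile(r"ICID (?P<icid>\d+) (?P<policy>[A-Z]+) SG (?P<sg>\S+) match")
DHAP_RE = re.compile(
    r"Dropping connection due to potential Directory Harvest Attack from "
    r"host=\('(?P<addr>[\d.]+)', '(?P<rdns>[^']*)'\), dhap_limit=(?P<limit>\d+), "
    r"sender_group=(?P<sg>[^,]+), listener=(?P<listener>[^,]+), .*ICID (?P<icid>\d+)")


@dataclass
class Connection:
    """Everything the log tells us about one inbound SMTP connection (one ICID)."""
    icid: int
    address: str = ""
    interface: str = ""
    policy: str = ""          # mail flow policy applied: RELAY, ACCEPT, REJECT ...
    sender_group: str = ""    # HAT sender group the source IP matched
    dhap_dropped: bool = False
    dhap_limit: Optional[int] = None


def parse_mail_log(text: str) -> Dict[int, Connection]:
    """Correlate the per-ICID lines of a mail_logs excerpt into one record per ICID."""
    conns: Dict[int, Connection] = {}
    for line in text.splitlines():
        if m := NEW_ICID_RE.search(line):
            c = conns.setdefault(int(m["icid"]), Connection(int(m["icid"])))
            c.address, c.interface = m["addr"], m["iface"]
        elif m := SG_RE.search(line):
            c = conns.setdefault(int(m["icid"]), Connection(int(m["icid"])))
            c.policy, c.sender_group = m["policy"], m["sg"]
        elif m := DHAP_RE.search(line):
            c = conns.setdefault(int(m["icid"]), Connection(int(m["icid"])))
            c.dhap_dropped, c.dhap_limit = True, int(m["limit"])
            c.address = c.address or m["addr"]
            c.sender_group = c.sender_group or m["sg"]
    return conns


def diagnose(conn: Connection, relay_group: str = "RELAYLIST") -> str:
    """Map a dropped connection to the remediation discussed in the thread."""
    if not conn.dhap_dropped:
        return "ok"
    if conn.sender_group != relay_group:
        # Same situation as the first diagnosis above: the IP never reached the Relaylist.
        return (f"source {conn.address} matched {conn.sender_group}, not {relay_group}: "
                f"add it to HAT Relaylist")
    # Same situation as the second diagnosis: in the Relaylist, but the per-hour
    # invalid-recipient counter already exceeded the Relay policy's DHAP limit.
    return (f"source {conn.address} is in {relay_group} but hit dhap_limit={conn.dhap_limit}: "
            f"raise the limit under Mail Flow Policies -> Relay, or wait for the hourly counter to reset")


def dhap_report(text: str) -> Dict[str, str]:
    """One diagnosis per source IP that suffered a DHAP drop."""
    return {c.address: diagnose(c) for c in parse_mail_log(text).values() if c.dhap_dropped}


if __name__ == "__main__":
    for ip, verdict in dhap_report(SAMPLE_LOG).items():
        print(ip, "->", verdict)
```

Keying the report by source IP rather than by ICID is deliberate: a relay host that retries every few minutes, as the two mailbox servers above do, produces a new ICID and a new warning each time, but the fix is still one Relaylist entry or one DHAP-limit change per IP.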
01-06-2018 03:41 PM
01-06-2018 05:06 PM
Glad to hear you were able to figure it out.
Adding the sender IP to the HAT Relaylist was the only step required to allow that server to relay emails through the ESA.
Regards,
Libin Varghese