ESA C190 New Installation first time

I have configured the ESA for the first time and it is not working. Here are the details of my network:

domain :     x.y.com

exchange :  mail.x.y.com

I configured the ESA as the document said and put the data1 interface in the DMZ zone.

 

smtp routes    x.y.com    >>>>>>> 10.10.10.5 "exchange server"

DNS          >>>>>>> 10.10.10.2 

Listener     >>>> point to data1 interface with HAT and RAT policy

DATA 1 interface >>>>  hostname : smtp.x.y.com

RelayList  point to exchange ip address 10.10.10.5

RAT point to domain "x.y.com"

 

My questions:

1) Do I have to change the MX record configured in the ISP domain to point to the hostname of the ESA, or leave it as it is?

2) I have configured an A record for the ESA in DNS with the name "smtp.x.y.com" and also created an MX record for it pointing to "smtp.x.y.com". Is that right, or is there something else I have to do?

3) I have configured a policy in the firewall to allow SMTP traffic in and out, and also internally (in & out).

4) What am I supposed to change in the send connector of the Exchange server to point to my ESA?

I faced an issue yesterday where outgoing mails were rejected by the RAT and I don't know why.

What else am I supposed to do in the ESA?

 


Libin Varghese
Cisco Employee

1. Your MX record needs to point to a public IP which will direct emails to the ESA. This could be direct or through NAT.

2. MX, A and PTR records need to be published for the email flow, ideally.

3. Traffic needs to be allowed over port 25 for email; the other ports needed for updates etc. are provided in the end user guide.

4. The send connector on the Exchange needs to point to the IP interface for which the listener is created, i.e. Data 1.

The missing step would be under Mail Policies -> HAT Overview -> Relaylist -> Add the IP address of your internal Exchange.

Without this step all outgoing emails would be treated as inbound and get rejected by the RAT.

Regards

Libin Varghese

I did as you said and incoming mail is working well, but outgoing mail didn't work and always gives me logs

rejected by sender, and this is the output from message tracking as per attached.

Also note that the customer has two Exchange servers with load balancing between them and gave me the load-balance IP address. I added it to the relay list and then added the two real IPs of each Exchange to the relay list, and still the same problem, but it didn't give me logs with rejected; it gave me other logs that said

"Potential Directory Harvest Attack" error message

 

The sender IP based on the logs is 200.200.200.247, which was injected to the listener on the Mail-DMZ interface 200.200.122.100 and matched the HAT Unknownlist.

This would suggest IP 200.200.200.247 has not been added to the HAT Relaylist on the mentioned listener.

To understand DHAP please go through the articles below; the DHAP limit is being triggered again because the IP has not been added to the Relaylist yet.

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117847-technote-esa-00.html
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118936-technote-esa-00.html

Regards,
Libin Varghese

I added it ("200.200.200.247") with the other IP of the 2nd Exchange ("200.200.200.246") and also added the load-balance IP ("200.200.200.106") for both Exchange servers, and the problem still exists; see these logs:

 

New SMTP ICID 60 interface MAIL-DMZ (200.200.122.100) address 200.200.200.246 reverse dns host mop-mbx002.mop.local verified yes
Sun Dec 31 17:35:53 2017 Info: ICID 60 RELAY SG RELAYLIST match 200.200.200.246 SBRS None country Brazil
Sun Dec 31 17:35:53 2017 Warning: Dropping connection due to potential Directory Harvest Attack from host=('200.200.200.246', 'mop-mbx002.mop.local'), dhap_limit=25, sender_group=RELAYLIST, listener=IncomingMail, reverse_dns=200.200.200.246, ICID 60
Sun Dec 31 17:35:53 2017 Info: ICID 60 close
Sun Dec 31 17:36:56 2017 Info: SenderBase upload: 5 hosts totaling 11575 bytes
Sun Dec 31 17:37:03 2017 Info: New SMTP DCID 149 interface 200.200.122.100 address 98.136.102.55 port 25
Sun Dec 31 17:37:04 2017 Info: Delivery start DCID 149 MID 61 to RID [0]
Sun Dec 31 17:37:04 2017 Info: Delayed: DCID 149 MID 61 to RID 0 - 4.1.0 - Unknown address error ('450', ['4.2.2 User is receiving mail too quickly']) []
Sun Dec 31 17:37:04 2017 Info: MID 61 to RID [0] pending till Sun Dec 31 18:29:05 2017 [Default]
Sun Dec 31 17:37:10 2017 Info: DCID 149 close
Sun Dec 31 17:40:26 2017 Info: New SMTP ICID 61 interface MAIL-DMZ (200.200.122.100) address 200.200.200.245 reverse dns host mop-mbx001.mop.local verified yes
Sun Dec 31 17:40:26 2017 Info: ICID 61 RELAY SG RELAYLIST match 200.200.200.245 SBRS None country Brazil
Sun Dec 31 17:40:26 2017 Warning: Dropping connection due to potential Directory Harvest Attack from host=('200.200.200.245', 'mop-mbx001.mop.local'), dhap_limit=25, sender_group=RELAYLIST, listener=IncomingMail, reverse_dns=200.200.200.245, ICID 61
Sun Dec 31 17:40:26 2017 Info: ICID 61 close
Sun Dec 31 17:40:54 2017 Info: New SMTP ICID 62 interface MAIL-DMZ (200.200.122.100) address 200.200.200.246 reverse dns host mop-mbx002.mop.local verified yes
Sun Dec 31 17:40:54 2017 Info: ICID 62 RELAY SG RELAYLIST match 200.200.200.246 SBRS None country Brazil
Sun Dec 31 17:40:54 2017 Warning: Dropping connection due to potential Directory Harvest Attack from host=('200.200.200.246', 'mop-mbx002.mop.local'), dhap_limit=25, sender_group=RELAYLIST, listener=IncomingMail, reverse_dns=200.200.200.246, ICID 62
Sun Dec 31 17:40:54 2017 Info: ICID 62 close
Sun Dec 31 17:41:58 2017 Info: SenderBase upload: 2 hosts totaling 3475 bytes

Well, now the sender IP matches the Relaylist, which is much better if you are attempting to relay emails outbound from these servers through the ESA.

You can change the DHAP limit configured under Mail Policies -> Mail Flow Policies -> Relay.

If the DHAP_Limit was triggered for this IP, it would likely need an hour for the counter to reset.

For the error '450', ['4.2.2 User is receiving mail too quickly'], it indicates that the destination server is rejecting the email, which would need to be corrected on the MTA 98.136.102.55.

 

Regards,
Libin Varghese
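As an added example (not code from the thread or from Cisco), the following Python triage reads AsyncOS mail_logs lines in the format quoted above, ties each ICID to its source IP, and reports for each IP whether it matched RELAYLIST and whether DHAP dropped it, mapping that to the fix discussed in this reply. The sample log is constructed from the thread's lines; the 200.200.200.247 UNKNOWNLIST lines are invented to show the "not yet in the Relaylist" case.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the mail_logs lines quoted in the thread;
# the 200.200.200.247 entries are invented to show a host NOT in RELAYLIST.
SAMPLE_LOG = """\
Sun Dec 31 17:35:53 2017 Info: New SMTP ICID 60 interface MAIL-DMZ (200.200.122.100) address 200.200.200.246 reverse dns host mop-mbx002.mop.local verified yes
Sun Dec 31 17:35:53 2017 Info: ICID 60 RELAY SG RELAYLIST match 200.200.200.246 SBRS None country Brazil
Sun Dec 31 17:35:53 2017 Warning: Dropping connection due to potential Directory Harvest Attack from host=('200.200.200.246', 'mop-mbx002.mop.local'), dhap_limit=25, sender_group=RELAYLIST, listener=IncomingMail, reverse_dns=200.200.200.246, ICID 60
Sun Dec 31 17:38:10 2017 Info: New SMTP ICID 63 interface MAIL-DMZ (200.200.122.100) address 200.200.200.247 reverse dns host mop-cas001.mop.local verified yes
Sun Dec 31 17:38:10 2017 Info: ICID 63 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None country Brazil
Sun Dec 31 17:38:11 2017 Warning: Dropping connection due to potential Directory Harvest Attack from host=('200.200.200.247', 'mop-cas001.mop.local'), dhap_limit=25, sender_group=UNKNOWNLIST, listener=IncomingMail, reverse_dns=200.200.200.247, ICID 63
"""

# "New SMTP ICID <n> interface ... address <ip>" ties a connection id to its source IP.
NEW_RE = re.compile(r"New SMTP ICID (\d+) interface .*? address ([\d.]+)")
# "ICID <n> RELAY|ACCEPT SG <sender group> match ..." records the HAT decision.
SG_RE = re.compile(r"ICID (\d+) \w+ SG (\S+) match")
# The DHAP warning carries the IP, the limit, the sender group and the ICID.
DHAP_RE = re.compile(
    r"Directory Harvest Attack from host=\('([\d.]+)'.*?dhap_limit=(\d+)"
    r".*?sender_group=(\w+).*?ICID (\d+)")

def recommend(entry):
    """Map one source IP's HAT outcome to the fix discussed in the thread."""
    if entry["sender_group"] != "RELAYLIST":
        return ("add IP to HAT RELAYLIST: connection is treated as inbound, "
                "so RAT and DHAP apply")
    if entry["dhap_drops"]:
        return ("in RELAYLIST but over dhap_limit: raise the limit in the Relay "
                "mail flow policy or wait for the hourly counter reset")
    return "ok"

def triage(log_text):
    """Return {source_ip: {sender_group, dhap_drops, dhap_limit, action}}."""
    icid_ip = {}
    report = defaultdict(lambda: {"sender_group": None, "dhap_drops": 0, "dhap_limit": None})
    for line in log_text.splitlines():
        if m := NEW_RE.search(line):
            icid_ip[m.group(1)] = m.group(2)
        elif (m := SG_RE.search(line)) and m.group(1) in icid_ip:
            report[icid_ip[m.group(1)]]["sender_group"] = m.group(2)
        elif m := DHAP_RE.search(line):
            entry = report[m.group(1)]
            entry["dhap_drops"] += 1
            entry["dhap_limit"] = int(m.group(2))
            entry["sender_group"] = m.group(3)
    for entry in report.values():
        entry["action"] = recommend(entry)
    return dict(report)
```

Run `triage(open("mail_logs").read())` against a real export to see, per Exchange/CAS IP, whether the next step is a Relaylist entry or a DHAP limit change.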

It is not working with this solution at all. I have solved the problem; it is related to Exchange Server 2013, which differentiates the CAS server and the Mailbox server, and the customer has two Exchange servers with a load balancer, so I had to add 4 IP addresses in the RelayList for it to work.

Glad to hear you were able to figure it out.

 

Adding the sender IP to the HAT Relaylist was the only step required to allow that server to relay emails through the ESA.

 

Regards,

Libin Varghese