How to allow authenticated User to relay on a Cisco ESA C170 on same Port as incoming Mail

rene.kockisch
Level 1

I am trying to configure my ESA C170 and all works as expected. But now I want to add support for the relay function for authenticated external users. I added an SMTP Auth Profile against LDAP, and that works. The next step is to configure the HAT and the sender group. If I add the Mail Flow Policy to HAT Relay and add my own IP to the sender group then it works, but I need it for all of the internet. What I am looking for is a rule that allows only authenticated users from 0.0.0.0/0 to relay, and all others should match to accepted if the address is listed in the transport section. In the manual for AsyncOS I found the section "Configuring AsyncOS for SMTP Authentication":

SMTP Authentication and HAT Policy Settings

Because senders are grouped into the appropriate sender group before the SMTP Authentication negotiation begins, Host Access Table (HAT) settings are not affected. When a remote mail host connects, the appliance first determines which sender group applies and imposes the Mail Policy for that sender group. For example, if a remote MTA "suspicious.com" is in your SUSPECTLIST sender group, the THROTTLE policy will be applied, regardless of the results of "suspicious.com's" SMTPAUTH negotiation.

However, senders that do authenticate using SMTPAUTH are treated differently than "normal" senders. The connection behavior for successful SMTPAUTH sessions changes to "RELAY," effectively bypassing the Recipient Access Table (RAT) and LDAPACCEPT. This allows the sender to relay messages through the appliance. As stated, any Rate Limiting or throttling that applies will remain in effect.

I am searching for the configuration path of "senders that do authenticate using SMTPAUTH are treated differently", but there is nothing like that.

Here's my current HAT:

[Screenshot: current HAT]

If I add my own IP to the sender list of sender group RELAYLIST then I can see the AUTHMECH in the SMTP dialog.

[Screenshot: sender group]

How can I change the sender groups to show SMTP AUTH like this:

Connected to 192.168.100.3.
Escape character is '^]'.
220 ironport.domain.tld ESMTP
ehlo test
250-ironport.domain.tld
250-8BITMIME
250 SIZE 10485760
250-AUTH PLAIN LOGIN
250 AUTH=PLAIN LOGIN

for all external users to log in? If I change the sender list to 0.0.0.0/0 then everyone must authenticate against the IronPort, so I cannot accept messages for our own recipients.

4 Replies

martin.eppler
Level 1

Hello Rene,

did you set SMTP Authentication in the Mail Flow Policy to "Preferred" or "Required"? From the described scenario I'd assume it is set to "Required". If you set it to "Preferred", SMTP AUTH is offered to the sender and would allow relaying once the sender has successfully authenticated. However, if SMTP AUTH is not initiated by the sender or the authentication fails, the configured "Connection Behavior" from the Mail Flow Policy will be used.

In other words: with "Preferred" setting, SMTP AUTH is allowed but not enforced. So if the sender does not use SMTP AUTH, normal inbound mail delivery (without relay privileges) is possible.

Best regards,

Martin

Hello Martin,

thank you for this fast answer; this is the problem I have. If I add 0.0.0.0/0 to the sender list and set AUTH to Preferred then I have an open relay. That's the reason why I set it to Required, but then every relayed and incoming mail needs authentication. This is the SMTP dialog if I add 0.0.0.0/0 to the sender list and change the SMTP AUTH in the mail flow policy from Required to Preferred:

220 ironport.domain.tld ESMTP
ehlo rene
250-ironport.domain.tld
250-8BITMIME
250-SIZE 10485760
250-AUTH PLAIN LOGIN
250 AUTH=PLAIN LOGIN
mail from:user@domain.tld
250 sender <user@domain.tld> ok
rcpt to:user@gmail.com
250 recipient <user@gmail.com> ok

Without auth I can relay :-( What I am looking for is a way to create a sender group for authenticated users from 0.0.0.0/0, but I cannot find one.

Hello Rene,

could you please provide some details to the below questions, so that I can get a better understanding of your configuration?

1. to which Sender Group in the HAT did you add the 0.0.0.0/0 subnet?

2. what is the Mail Flow Policy of the above Sender Group?

3. which "Connection Behavior" is set in the above Mail Flow Policy? (Note: it should NOT be "Relay" but "Accept", because that would be an open relay configuration then)

From the above screenshots I'd assume that question number 3 would be answered with being set to "Relay". You may want to set up a new Sender Group for testing with a Mail Flow Policy "Connection Behavior" being set to "Accept", the SMTP AUTH to "Preferred" and containing the IP address in your Sender List of your previous test. It should allow relaying only when SMTP AUTH is successful, but would allow inbound mail when SMTP AUTH is not used at all.

Usually adding 0.0.0.0/0 is not required. It is sufficient to enable SMTP AUTH as "Preferred" in the "Default Policy Parameters" in Mail Flow Policy (so it is inherited to all other Sender Groups). You most likely do not want to match all IPs to a single Sender Group, especially when you use SBRS scoring for Sender Group decisions.

Best regards,

Martin

Hey Martin,

here are the answers to your questions:

1. To the RELAYLIST (order 1)

2. The Mail Flow Policy is SMTPAuthPolicy

3. Connection Behavior is Relay

I changed the connection behavior from Relay to Accept and it works. Now only authenticated users can relay mails; all others will be accepted if the RCPT is valid.
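The decision chain Martin describes (sender group match first, then the Mail Flow Policy's Connection Behavior and SMTP AUTH setting, with a successful SMTPAUTH switching the session to relay) is easy to get wrong, as the three configurations Rene tried show. The following Python model is an added example written for this page, not Cisco code and not a reproduction of AsyncOS internals; the class names, the sample HATs and the client IP 203.0.113.5 are constructed for the illustration. It evaluates the open-relay configuration (Relay + Preferred on 0.0.0.0/0), the "everyone must authenticate" configuration (Required) and the accepted fix (Accept + Preferred), and includes a small audit that flags any sender group combining Relay behaviour with a catch-all sender list.

```python
"""Model of an AsyncOS listener's HAT relay decision, as discussed in this thread.
Added illustration only; names and sample data are constructed, not from Cisco."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class MailFlowPolicy:
    name: str
    connection_behavior: str  # "Accept" or "Relay" (ESA also offers Reject/TCPRefuse/Continue)
    smtp_auth: str            # "Off", "Preferred" or "Required"


@dataclass
class SenderGroup:
    name: str
    senders: List[str]        # sender list entries as CIDR strings
    policy: MailFlowPolicy


@dataclass
class Outcome:
    sender_group: str
    may_relay: bool           # RCPT TO a non-local domain is accepted
    inbound_accepted: bool    # RCPT TO a RAT-listed local domain is accepted
    reason: str


# Constructed stand-in for the appliance's catch-all ALL group with an Accept policy.
ALL = SenderGroup("ALL", ["0.0.0.0/0"], MailFlowPolicy("ACCEPTED", "Accept", "Off"))


def match_sender_group(hat: List[SenderGroup], client_ip: str) -> Optional[SenderGroup]:
    """First sender group, in HAT order, whose sender list covers client_ip."""
    ip = ipaddress.ip_address(client_ip)
    for group in hat:
        if any(ip in ipaddress.ip_network(e, strict=False) for e in group.senders):
            return group
    return None


def connection_outcome(hat: List[SenderGroup], client_ip: str, authenticated: bool) -> Outcome:
    """Apply the thread's rules: group is chosen before AUTH; a successful AUTH
    turns the session into RELAY; otherwise the policy's settings decide."""
    group = match_sender_group(hat + [ALL], client_ip)
    p = group.policy
    if authenticated and p.smtp_auth == "Off":
        raise ValueError("AUTH cannot succeed when the policy does not offer SMTP AUTH")
    if authenticated:
        return Outcome(group.name, True, True,
                       "successful SMTPAUTH: behavior becomes RELAY, RAT is bypassed")
    if p.smtp_auth == "Required":
        return Outcome(group.name, False, False,
                       "SMTP AUTH Required: unauthenticated senders are refused, inbound mail included")
    if p.connection_behavior == "Relay":
        return Outcome(group.name, True, True,
                       "Connection Behavior Relay: any recipient accepted without authentication")
    return Outcome(group.name, False, True,
                   "Connection Behavior Accept: recipients are checked against the RAT")


def open_relay_groups(hat: List[SenderGroup]) -> List[str]:
    """Audit: sender groups whose policy relays for a catch-all (/0) sender list."""
    flagged = []
    for group in hat:
        catch_all = any(ipaddress.ip_network(e, strict=False).prefixlen == 0 for e in group.senders)
        if group.policy.connection_behavior == "Relay" and catch_all:
            flagged.append(group.name)
    return flagged


# The three configurations from the thread, on a catch-all RELAYLIST group.
OPEN_RELAY_HAT = [SenderGroup("RELAYLIST", ["0.0.0.0/0"], MailFlowPolicy("SMTPAuthPolicy", "Relay", "Preferred"))]
REQUIRED_HAT = [SenderGroup("RELAYLIST", ["0.0.0.0/0"], MailFlowPolicy("SMTPAuthPolicy", "Relay", "Required"))]
FIXED_HAT = [SenderGroup("RELAYLIST", ["0.0.0.0/0"], MailFlowPolicy("SMTPAuthPolicy", "Accept", "Preferred"))]


if __name__ == "__main__":
    for label, hat in (("Relay+Preferred", OPEN_RELAY_HAT), ("Relay+Required", REQUIRED_HAT),
                       ("Accept+Preferred", FIXED_HAT)):
        for authed in (False, True):
            o = connection_outcome(hat, "203.0.113.5", authed)
            print(f"{label:17} auth={authed!s:5} relay={o.may_relay!s:5} "
                  f"inbound={o.inbound_accepted!s:5} {o.reason}")
        print(f"{label:17} open-relay groups: {open_relay_groups(hat)}")
```

Running it shows the thread's three outcomes side by side: Relay + Preferred relays for unauthenticated senders (open relay), Relay + Required refuses unauthenticated inbound mail, and Accept + Preferred relays only after a successful AUTH while still accepting mail for RAT-listed domains. The audit function is the check worth keeping: it flags exactly the combination that produced the open relay.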