05-17-2016 11:02 PM
I'am trying to configure my ESA C170 and all works as expected. But now I want to add support for relay function for authed external user. I add a SMTP Auth Profile against LDAP that works. Next Step is to configure HAT and the sender group. If I add the Mail Flow Policy to HAT Relay and add my own IP to Sendergroup than it works but I need for all the internet. What I'am looking for is a rule that allows only authed User from 0.0.0.0/0 to relay and all other should match to accepted if the Address is listed in the transport section. In the manual for the ASYNC OS I found the section "Configuring AsyncOS for SMTP Authentication"
SMTP Authentication and HAT Policy Settings
Because senders are grouped into the appropriate sender group before
the SMTP Authentication negotiation begins, Host Access Table (HAT)
settings, are not affected. When a remote mail host connects, the
appliance first determines which sender group applies and imposes the
Mail Policy for that sender group. For example, if a remote MTA
“suspicious.com” is in your SUSPECTLIST sender group, the THROTTLE
policy will be applied, regardless of the results of
“suspicious.com’s” SMTPAUTH negotiation.
However, senders that do authenticate using SMTPAUTH are treated
differently than “normal” senders. The connection behavior for
successful SMTPAUTH sessions changes to “RELAY,” effectively bypassing
the Recipient Access Table (RAT) and LDAPACCEPT. This allows the
sender to relay messages through the appliance. As stated, any Rate
Limiting or throttling that applies will remain in effect.
I'am searching for the configuration path of "senders that do authenticate using SMTPAUTH are treated differently" but there is nothing like that.
Heres my current HAT
if I add my own IP to sender list of sendergroup RELAYLIST than I can see the AUTHMECH in SMTP Dialog.
How can I change the Sendergroups to show SMTP AUTH like this
Connected to 192.168.100.3.
Escape character is '^]'.
220 ironport.domain.tld ESMTP
ehlo test
250-ironport.domain.tld
250-8BITMIME
250 SIZE 10485760
250-AUTH PLAIN LOGIN
250 AUTH=PLAIN LOGIN
For all external Users to Login. If I change the senderlist to 0.0.0.0/0 than everyone must authenticate against the iron port so I cannot accept Messages for the own recipients.
Solved! Go to Solution.
05-18-2016 12:14 AM
Hello Rene,
could you please provide some details to the below questions, so that I can get a better understanding of your configuration?
1. to which Sender Group in the HAT did you add the 0.0.0.0/0 subnet?
2. what is the Mail Flow Policy of the above Sender Group?
3. which "Connection Behavior" is set in the above Mail Flow Policy? (Note: it should NOT be "Relay" but "Accept", because that would be an open relay configuration then)
From the above screen shots I'd assume that question number 3 would be answered with being set to "Relay". You may want to set up a new Sender Group for testing with a Mail Flow Policy "Connection Behavior" being set to "Accept", the STMP AUTH to "Preferred" and containing the IP address in your Sender List of your previous test. It should allow relaying only when SMTP AUTH is successful, but would allow inbound mail when SMTP AUTH is not used at all.
Usually adding 0.0.0.0/0 is not required. It is sufficient to enable SMTP AUTH as "Preferred" in the "Default Policy Parameters" in Mail Flow Policy (so it is inherited to all other Sender Groups). You most likely do not want to match all IPs to a single Sender Group, especially when you use SBRS scoring for Sender Group decisions.
Best regards,
Martin
05-17-2016 11:15 PM
Hello Rene,
did you set SMTP Authentication in the Mail Flow Policy to "Preferred" or "Required"? From the described scenario I'd assume it is set to "Required". If you set it to "Preferred", SMTP AUTH is offered to the sender and would allow relaying once the sender has successfully authenticated. However, if SMTP AUTH is not initiated by the sender or the authentication fails, the configured "Connection Behavior" from the Mail Flow Policy will be used.
In other words: with "Preferred" setting, SMTP AUTH is allowed but not enforced. So if the sender does not use SMTP AUTH, normal inbound mail delivery (without relay privileges) is possible.
Best regards,
Martin
05-17-2016 11:54 PM
Hello Martin,
thank you for this fast answer, this is the problem I have. If I add the 0.0.0.0/0 to the sender list and set AUTH to preferred than I have an open relay. Thats the reason why I set it to required but than every relayed and incoming mail need authentication. This is the SMTP Dialog if I add 0.0.0.0/0 to sender list and change the SMTP AUTH in the mail flow policy from required to preferred:
220 ironport.domain.tld ESMTP
ehlo rene
250-ironport.domain.tld
250-8BITMIME
250-SIZE 10485760
250-AUTH PLAIN LOGIN
250 AUTH=PLAIN LOGIN
mail from:user@domain.tld
250 sender <user@domain.tld> ok
rcpt to:user@gmail.com
250 recipient <user@gmail.com> ok
Without Auth I can relay :-( What I'am looking for is the way to create a sender group for authenticated User from 0.0.0.0/0 but there is no way I find.
05-18-2016 12:14 AM
Hello Rene,
could you please provide some details to the below questions, so that I can get a better understanding of your configuration?
1. to which Sender Group in the HAT did you add the 0.0.0.0/0 subnet?
2. what is the Mail Flow Policy of the above Sender Group?
3. which "Connection Behavior" is set in the above Mail Flow Policy? (Note: it should NOT be "Relay" but "Accept", because that would be an open relay configuration then)
From the above screen shots I'd assume that question number 3 would be answered with being set to "Relay". You may want to set up a new Sender Group for testing with a Mail Flow Policy "Connection Behavior" being set to "Accept", the STMP AUTH to "Preferred" and containing the IP address in your Sender List of your previous test. It should allow relaying only when SMTP AUTH is successful, but would allow inbound mail when SMTP AUTH is not used at all.
Usually adding 0.0.0.0/0 is not required. It is sufficient to enable SMTP AUTH as "Preferred" in the "Default Policy Parameters" in Mail Flow Policy (so it is inherited to all other Sender Groups). You most likely do not want to match all IPs to a single Sender Group, especially when you use SBRS scoring for Sender Group decisions.
Best regards,
Martin
05-18-2016 12:30 AM
Hey Martin,
here are the answers of your questions:
1. To the Relaylist (order 1)
2. The Mail Flow Policy is SMTPAuthPolicy
3. Connection Behavior is Relay
I change the connection behavior from relay to accept and it works. No only authenticated User can relay mails all other will be accepted if RCPT is valid.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide