Solved: How to bind different Mail Policies to 2 Listners

flathill · ‎08-16-2019

Hello.

I am using AsyncOS 12.5 on Cisco ESA C190.
Addressed from outside the organization (Outgoing), from outside the organization to the inside (Incoming)
I want to apply a separate "Mail Policy" to my mail.

(Mail Policies> Incoming Mail Policies)
IncomingPolicy) "Anti-Spam" enabled

(Mail Policies> Outgoing Mail Policies)
OutgoingPolicy) "Anti-Spam" disabled

For this reason, I am planning to prepare two Listners.
(Network> Listner)

Listner Name Interface Port
------------------------------
IncomintMail Service 25
OutgoingMail Service 2525

Ultimately, we have the following network configuration.

-Incoming
Other MTA-> External MTA-> ESA (IncomingMail: IncomingPolicy)-> Internal Mail Server-> Deliver

-Outgoing
Mail client (inside organization)-> Internal MTA-> ESA (OutgoingMail: OutgoingPolicy)-> Internal Mail Server-> Deliver

Here are two questions.
1) How should each Listner and Policy be associated with each other?

2) What is the difference between Private and Public in "Type of Listener" when adding Listner?

Best regards,

ppreenja · ‎08-18-2019

Hello flathill,

If the emails are "from within the organization" the I believe it will be hitting the "Relayed" mail flow policy in Relaylist rather than the "TRUSTED" mail flow policy of WHITELIST (usually).

Spam check is by default disabled for outgoing emails, for the same you can confirm by going to Mail Policies-->Outgoing Mail Policy, you will be able to see "disabled" under Anti-Spam option as per the attachment here.

BR,
Pratham

View solution in original post

Ken Stieers · ‎08-16-2019

Private listeners get tied to outgoing policies

Public listeners get tied to incoming policies.

So to answer your questions:

1) You don't have to tie them together, that's already done

2) The difference is which set of polices they feed.

ppreenja · ‎08-16-2019

Hi Flathill,

Please find below the answers to your queries:

1) How should each Listner and Policy be associated with each other?

- You can think of a listener as an "SMTP daemon" that runs on a specific port for each IP address specified. We have various sendergroups (GUI-->Mail Policies--> HAT Overview) tied to each listener.
However, (incoming/outgoing) mail policies are checked once they pass through the sendergroups tied to the listener.
If any sendergroup is using ("Relayed" mail flow policy) then any emails coming to the listener will take the route of the outgoing mail policy for the sendergroup (using any other mail flow policy apart from "Relayed") will be transversing via incoming mail policy.
Note: "Mail Flow Policy" is different from "Incoming/Outgoing" mail policies and are usually linked to the sendergroups.

2) What is the difference between Private and Public in "Type of Listener" when adding a Listener?

- Below information should be able to answer your query:

Public - Listens for and accepts email messages that come in from the Internet. Public listeners receive connections from many hosts and direct messages to a limited number of recipients.
Private - Listens for and accepts email messages that come from systems within the network, typically from internal groupware and email servers (POP/IMAP), intended for recipients outside the network in the Internet. Private listeners receive connections from a limited (known) number of hosts and direct messages to many recipients.
Please refer to the below article for more information:
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118236-configure-esa-00.html

I hope the aforementioned information is able to clear your queries or concerns.

BR,
Pratham

flathill · ‎08-18-2019

Hello, ppreenja

Thank you for your detailed answer.
The requirement this time was to disable "only" spam checking for "from within the organization" emails.
It seems to be possible by registering the address in the organization with “TRUSTED” with the HAT function, so try it first.
Thank you very much.

ppreenja · ‎08-18-2019

Hello flathill,

If the emails are "from within the organization" the I believe it will be hitting the "Relayed" mail flow policy in Relaylist rather than the "TRUSTED" mail flow policy of WHITELIST (usually).

Spam check is by default disabled for outgoing emails, for the same you can confirm by going to Mail Policies-->Outgoing Mail Policy, you will be able to see "disabled" under Anti-Spam option as per the attachment here.

BR,
Pratham

flathill · ‎08-19-2019

Hello, Pratham

When I added the sender address to WHITELIST, I was able to disable SPAM check.
I checked "Mail flow policy", but only the following policies existed, and "Relayed" did not exist. (Is it wrong to see it?)
ACCEPTED,
BLOCKED,
THROTTLED,
TRUSTED,
Default Policy Parameters

Anyway, I was able to realize the desired motion, which was very helpful.
Thank you very much.

ppreenja · ‎08-20-2019

Hello Flathill,

Since the WHITELIST policy must have been tied to the "TRUSTED" mail flow policy in which spam-check is disabled by default.
Nothing should be wrong, if you are not able to see "Relayed" mail flow policy then there must be a mail flow policy (Mail Policies-->Mail Flow Policy) which is having "Connection Behaviour" set to "Relay" which make sure that mails are treated as outgoing mails.
Also, under HAT overview there is option of "Sender Groups (Listener:A.B.C.D:25 )" where you see the listener making use of the below sendergroups.

Glad to know if everything is working fine as per your requirement.

BR,
Pratham

flathill · ‎09-05-2019

I'm late to reply.
As you answered, "Sender Group: WHITELIST" is tied to "Policy: TRUSTED"
And SPAM checks worked as invalid.

Our requirements were met by treating all emails as IncomingMail
So it was not necessary to use the "Relayed" mail flow policy.

Thank you very much.

ppreenja · ‎09-11-2019

Hello Flathill,

Thanks for the update! Happy that I was able to help :)

Cheers,
Pratham