06-02-2019 12:20 PM
When I need to implement a mail security appliance and I want to shift receiving email from Microsoft Exchange to IronPort, how does that happen exactly? Can anyone explain how one usually shifts email receiving from Exchange to IronPort? What does one change to do that?
06-02-2019 09:33 PM
Hi,
The configuration on the ESA to accept emails from the Exchange and relay them would just require the steps below.
Add the Exchange IP to the HAT Relaylist (or another sender group with relay action):
GUI -> HAT Overview -> Relaylist -> IP/DNS-resolvable hostname of the Exchange server.
(The relay action allows the sending server to send emails outbound to the internet.)
Also, in order for the ESA to deliver emails to the destination domains directly, the ESA would use the configured DNS servers.
User -> Exchange -> ESA -> Use DNS to deliver emails (if no SMTP route is configured)
In order for the Exchange to send emails to the ESA, there should be a send connection pointing traffic over port 25 from the Exchange to the ESA.
Microsoft has official documentation available online for the same, such as the below:
https://technet.microsoft.com/en-us/library/aa998814.aspx?f=255&MSPPError=-2147217396
Note: AMP is only available for inbound emails and not outbound emails.
To allow inbound emails to be delivered to the Exchange, you would need an entry for the internal domain under Mail Policies -> Recipient Access Table and an entry under Network -> SMTP Routes which points traffic for the domain to the internal Exchange server.
Hope this information helps.
Rgds,
Gagan
06-08-2019 10:25 PM
06-09-2019 06:42 AM
Hi,
I would need to know your architecture and the placement of the ESA in your environment to answer your query. You could go through the guide below for more information on your query.
Rgds,
Gagan
06-09-2019 11:07 AM
You want the A record that points to the ESA to match the interface name that the ESA is giving out, and the reverse look up...
So, working from the inside out...
06-09-2019 09:42 PM - edited 06-10-2019 12:55 AM
Thanks for the great reply, but can you please explain the points below further?
- "Setup an A record for that IP in your external DNS, that should match the host name configured on the listener"
The A record should match what listener? Do you mean the IronPort, or what exactly?
- Turn off rules that allow SMTP to the Exchange box. "Where do I do that?"
- Is the PTR necessary?
06-10-2019 05:58 AM
06-10-2019 01:45 AM
I assume your email from outside isn't going directly to the Exchange; you are directing it from a FW or an external-facing device. Simply change the IP on the device to send the emails to the ESA, to the IP that is the public listener if you have a two-legged configuration. Then also add an SMTP route on the ESA for where to deliver the inbound emails for the accepted domain, i.e. youdomain.com 10.1.1.2 (Exchange server IP).
On the receive connectors, generally no changes are required, unless the default has been modified.
Then you'll need to modify the smart host on the Exchange to send outbound emails to the ESA on the private listener's IP.
Remember to ensure your names match the SPF, MX and other records to avoid failing different security checks.
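The replies above ask for the MX, A, PTR and SPF records to agree with the hostname the ESA listener announces. The following is an added example, not part of the original thread or Cisco's tooling, that checks this consistency over a constructed record set. The names `example.com` and `esa.example.com` and the address `203.0.113.25` are placeholders, and it assumes the same public IP is used for outbound delivery.

```python
import ipaddress

# Constructed sample records (documentation names and addresses, not from the thread).
RECORDS = {
    "MX": {"example.com": ["esa.example.com."]},
    "A": {"esa.example.com": ["203.0.113.25"]},
    "PTR": {"203.0.113.25": ["esa.example.com."]},
    "TXT": {"example.com": ["v=spf1 ip4:203.0.113.25 -all"]},
}

def _norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def spf_permits(spf, ip):
    """True if an ip4: mechanism covers ip (include:, a and mx are not expanded here)."""
    addr = ipaddress.ip_address(ip)
    for term in spf.split()[1:]:
        term = term.lstrip("+")
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return True
    return False

def check_cutover(domain, listener_hostname, records):
    """Return a list of mismatches between the listener hostname and DNS."""
    host = _norm(listener_hostname)
    problems = []
    if host not in [_norm(h) for h in records["MX"].get(domain, [])]:
        problems.append(f"MX for {domain} does not point at {host}")
    ips = records["A"].get(host, [])
    if not ips:
        problems.append(f"no A record for {host}")
    spf = next((t for t in records["TXT"].get(domain, []) if t.startswith("v=spf1")), None)
    for ip in ips:
        # Forward-confirmed reverse DNS: the PTR must lead back to the listener name.
        if host not in [_norm(p) for p in records["PTR"].get(ip, [])]:
            problems.append(f"PTR for {ip} does not return {host}")
        if spf is None or not spf_permits(spf, ip):
            problems.append(f"SPF for {domain} does not authorise {ip}")
    return problems

if __name__ == "__main__":
    print(check_cutover("example.com", "esa.example.com", RECORDS) or "records consistent")
```

To run it against live DNS, fill the same dictionary from your resolver's answers before calling `check_cutover`.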
10-15-2019 05:51 PM