3808 Views · 15 Helpful · 8 Replies

how to shift email receiving from exchange to ironport?

baselzind (Level 6)

When I need to implement a mail security appliance and I want to shift receiving email from Microsoft Exchange to IronPort, how does that happen exactly? Can anyone explain how one usually shifts email receiving from Exchange to IronPort? What does one change to do that?


8 Replies

gkumarj (Cisco Employee)

Hi,

The configuration on the ESA to accept emails from Exchange and relay them would just require the steps below.

Add the Exchange IP to the HAT Relaylist (or another sender group with the relay action):

GUI -> HAT Overview -> Relaylist -> IP/DNS-resolvable hostname of the Exchange server.

(The relay action allows the sending server to send emails outbound to the internet.)

Also, in order for the ESA to deliver emails to the destination domains directly, the ESA would use the configured DNS servers.

User -> Exchange -> ESA -> Use DNS to deliver emails (if no SMTP route is configured)

In order for Exchange to send emails to the ESA, there should be a send connector pointing traffic over port 25 from Exchange to the ESA.

Microsoft has official documentation available online for this, such as the page below:

https://technet.microsoft.com/en-us/library/aa998814.aspx?f=255&MSPPError=-2147217396

Note: AMP is only available for inbound emails and not outbound emails.

To allow inbound emails to be delivered to Exchange, you would need an entry for the internal domain under Mail Policies -> Recipient Access Table and an entry under Network -> SMTP Routes that points traffic for the domain to the internal Exchange server.

Hope this information helps.

Rgds,

Gagan

Thanks, but my question is: what changes need to be made so that incoming emails from outside come to the ESA instead of Exchange? Do I just need to change the MX records, i.e. set them to esa.mydomain.com instead of exchange.mydomain.com?

Hi,

I would need to know your architecture and the placement of the ESA in your environment to answer your query. You could go through the guide below for more information on your query.

https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_010.pdf

Rgds,

Gagan

You want the A record that points to the ESA to match the interface name that the ESA is giving out, and the reverse lookup...

So, working from the inside out...

  • NAT the interface the ESA is accepting mail on to an outside IP on the firewall.
  • Allow inbound port 25 traffic to that IP.
  • Allow outbound port 25 traffic from that IP.
  • Set up an A record for that IP in your external DNS; it should match the hostname configured on the listener.
  • Set up a PTR record for that IP that points to the name in the A record.
  • Set the MX record so that it points at the A record.
  • Turn off the rules that allow SMTP to the Exchange box (otherwise bad actors WILL go around your ESA).

Thanks for the great reply, but can you please explain the points below further?

- "Set up an A record for that IP in your external DNS; it should match the hostname configured on the listener"

The A record should match what listener? Do you mean the IronPort, or what exactly?

- "Turn off the rules that allow SMTP to the Exchange box." Where do I do that?

- Is the PTR necessary?

On the ESA, under Network/Listener, one of those will be intended for incoming mail from the outside. One of the settings is hostname.

That name should match the A record in your external DNS, and should match the PTR record for the IP.

Do you HAVE to have a PTR record? No, but it's best practice. Some people still check it.

Right now mail is allowed through your firewall to talk to Exchange...
Turn those rules off. (After you get all the rest working...)

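As an added example (not code from this thread or from Cisco), here is a small Python check of the record chain that the cut-over checklist and the reply above describe: the MX names the listener hostname, that hostname's A record is the gateway's public IP, the PTR for that IP points back to the hostname, and SPF (mentioned later in the thread) authorizes the IP. The zone contents, the domain example.com and the 203.0.113.x addresses are constructed; a live run would substitute real DNS answers for the `zone` dict.

```python
from ipaddress import ip_address, ip_network

# Constructed records standing in for the live zone after cut-over: MX -> listener
# hostname, A -> gateway public IP, PTR back to the hostname, SPF listing the IP.
ZONE_AFTER = {
    ("example.com", "MX"): [(10, "esa.example.com")],
    ("esa.example.com", "A"): ["203.0.113.10"],
    ("10.113.0.203.in-addr.arpa", "PTR"): ["esa.example.com"],
    ("example.com", "TXT"): ["v=spf1 ip4:203.0.113.10 -all"],
}
# Constructed records as they might look before the change: everything still names Exchange.
ZONE_BEFORE = {
    ("example.com", "MX"): [(10, "exchange.example.com")],
    ("exchange.example.com", "A"): ["203.0.113.5"],
    ("example.com", "TXT"): ["v=spf1 ip4:203.0.113.5 -all"],
}

def spf_allows(spf, ip, zone):
    """True if an ip4:/a: term of the SPF record covers ip (subset of SPF syntax)."""
    addr = ip_address(ip)
    for term in spf.split()[1:]:
        if term.startswith("ip4:") and addr in ip_network(term[4:], strict=False):
            return True
        if term.startswith("a:") and ip in zone.get((term[2:], "A"), []):
            return True
    return False

def check_gateway_dns(domain, listener_host, gateway_ip, old_mx_hosts, zone):
    """Return findings (empty list == consistent) for the MX/A/PTR/SPF chain."""
    findings = []
    mx_hosts = [host for _, host in sorted(zone.get((domain, "MX"), []))]
    if listener_host not in mx_hosts:
        findings.append(f"MX for {domain} does not name the listener {listener_host}")
    for host in mx_hosts:
        if host in old_mx_hosts:
            findings.append(f"MX still names {host}; inbound mail bypasses the gateway")
    a_records = zone.get((listener_host, "A"), [])
    if gateway_ip not in a_records:
        findings.append(f"A for {listener_host} is {a_records or 'missing'}, expected {gateway_ip}")
    ptr = zone.get((ip_address(gateway_ip).reverse_pointer, "PTR"), [])
    if listener_host not in ptr:
        findings.append(f"PTR for {gateway_ip} is {ptr or 'missing'}, expected {listener_host}")
    spf = [t for t in zone.get((domain, "TXT"), []) if t.startswith("v=spf1")]
    if not spf:
        findings.append(f"no SPF record published for {domain}")
    elif not spf_allows(spf[0], gateway_ip, zone):
        findings.append(f"SPF for {domain} does not authorize {gateway_ip}")
    return findings
```

Running `check_gateway_dns("example.com", "esa.example.com", "203.0.113.10", ["exchange.example.com"], ZONE_BEFORE)` lists every record that still needs changing, while the same call against `ZONE_AFTER` returns no findings.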



mynetapp_ (Level 1)

I assume your email from outside isn't going directly to Exchange; you are directing it from a firewall or an external-facing device. Simply change the IP on that device to send the emails to the ESA, i.e. the IP of the public listener if you have a two-legged configuration. Then also add an SMTP route on the ESA specifying where to deliver the inbound emails for the accepted domain, e.g. yourdomain.com -> 10.1.1.2 (Exchange server IP).

On the receive connectors, generally no changes are required, unless the default has been modified.

Then you'll need to modify the smart host on Exchange to send outbound emails to the ESA on the private listener's IP.

Remember to ensure your names match the SPF, MX and other records to avoid failing different security checks.

 

For mail incoming to your system, mail is directed to connect to your Exchange server by public DNS records. There is an MX record that references a server name. That name is in DNS as an A record that equates that name to an IP address.

There are many ways to actually switch the traffic, depending upon how your firewall is set up.

