Showing results for 
Search instead for 
Did you mean: 

Integration with Email Scanner

Hi folks,

I'm trying to integrate IronPort with this other box that does scanning and stuff on emails that is not an MTA. It's supposed to receive emails from IronPort, scan and do what it's doing, then send it back to IronPort to send it out to the receiver. This box receives the IronPort connections on port 10025 and send them to port 10026 (I can change these ports but not to a well-known/reserved port).

Now with IronPort, I know I can receive emails on any port by setting up a listener. The listener I've created is a private listener, listening on 10026, and the HAT only has one sender group (RELAYLIST) that relays all mail from 172.16.x.x and The connection behaviour is RELAY as opposed to CONTINUE and ACCEPT...not sure which one I was supposed to use so I left it at the default.

Is this configuration ok so far? I don't really know much about configuring IronPort as most of my expertise is in configuring this other box. I tried going through the admin guide but it's so confusing...

Assuming that that config is fine (hopefully), how can I get the IronPort to send the connections to port 10025 on the scanning box? I configured an outgoing filter that sends to an alternate host but I suspect that the default port is 25. When I sniff the port on the scanning box, I don't see anything coming from IronPort at all (I once saw a single packet connecting on port 25...but it hasn't shown up again since that first time no matter how many test emails I send).

Ideas and help would be greatly appreciated!

Many thanks,


Cisco Employee

Hi Xavier,

By using RELAY as the connection behavior, your appliance will consider the traffic as an outbound traffic. Depending on your scenario, you can continue to use RELAYLIST (and mail flow policy RELAYED).

All messages which pass through this Cisco IronPort Email Security Appliance will need to be delivered to that server on post 10025, correct?

If yes, you will need to configure a SMTP route to the destination server. You can configure the port to be used by your Cisco IronPort device to reach that server.

Please refer to the following Technical Article in our Knowledge Base:

Can the IronPort appliance deliver SMTP traffic to a different port number other than 25?

External Article ID: 210

Direct Link:



Yes eventually all emails will need to be forwarded but right now it's in testing so I was hoping that I could use a filter to do testing. Right now I only want some emails to be forwarded. Is this possible?

Many thanks for the answer and the article! You saved me :-)


You are welcome, Xavier.

We are glad we could assist you.

Best regards,


You can create a seperate policy based on sender and/or receiver. For that policy you can make a filter to route the messages (be sure to set a variabel on your Email scanner otherwise there will be a loop).



The loop is exactly what happened! The route points to 10025 and I'm using the receiving domain as for testing (ever heard of mailinator? Great service!)

The scanner gets and scans the email and sends it back to IronPort on 10026...but because the email is still destined for, it sends it back through the scanner and so on until it eventually gives up.

What kind of variable so I set on the scanner? I'm assuming I should use an SMTP header. Then based on the header, IronPort should send it out? How do I configure that on IronPort?


As in, what filter action should I use to send it out?


The filter action will something like: Set header var to send to scanner AND send to scanner. Check in the filter if header var =is not send to scanner. If it is send to scanner already do not send it again to scanner.


Hmm, I get the logic but in terms of the actual action that I configure in the IronPort. These are the options:

I thought it would be "send to alternate destination" but I'm not sure which IP address I'd send it to. Next I thought it'd be "skip remaining content filters" but I just have a feeling that it'll loop again.


Create a filter:

Condition(s) : Header ("Scanned") is not Succesfull

Action(s): Set Header ("Scanned") = Succesfull AND

               Send to alternate Host xxxxxxxxxxxx



Internet >> IronPort >> Server >> IronPort >> Exchange

Is this the scenario you have?

If not, please let us know. It might be easier to assist you by knowing the mail flow.



Ok the desired mailflow is:

Inside (Notes) >> IronPort(:25) >> Scanner(:10025) >> IronPort(:10026) >> Internet (final recipient)

I think that's the mix up. The scanning from inside going outside. Kinda like a DLP thing. Sorry about that mixup!



This is a great thread and I think you have gotten some good responses here. This issue may be one that we can better assist you with by discussing this over the phone. I would recommend opening a support request so one of the engineers can go over this with you in a bit more detail. You can open an SR right here from the forums and all the data from the forum post will be included in the SR. Once we have resolved your issue we can post the solution(s) back to the forums for the benefit of the others involved.

I just wanted to provide that option to you being that this sounds like a somewhat complex issue involving several factors.

If you choose to open an SR from the forums just let me know if you need help and I can assist with that as well.

Christopher C Smith

Cisco IronPort Customer Support