IronPort C170 as outbound relay

mdafforn
Level 1

I have an Exchange server behind 2 clustered C170s.

Inbound mail flow from the Internet is flowing correctly; now I want to move my outbound relay from the old Barracuda to the C170s.

On the cluster config, I set up a mail flow policy (called relayed), whose connection behavior is relay, and most of the other settings are default.

I then set up a sender group called relaylist that has the IP address of the Exchange server in it.

If I go into Monitoring > Delivery Status, the remote hosts are listed as "Down".

I also tried setting up a relay under Network > Incoming Relays, but that didn't seem to work either.

If I go into Network > SMTP Routes, I have a route for my internal domains pointed to my Exchange server; the other route, "All other domains", is set to (Not Defined). I tried setting it to USEDNS, but it gives the error "The "usedns" option may not be used for the "All Other Domains" route."

Any help would be appreciated.

Mike


You need to create a listener... and put the Sender Group you created on the appropriate Listener.

I have my box set up with 2 logical interfaces, one "public", one "private" (inside the firewall...), and they are on separate physical interfaces, and the physical interfaces are wired to a DMZ for the public and internal net for the private.

I created a listener for both... in your case, you're probably just missing the listener for the Outbound...

Go to Network/Listeners, and create a listener, called "outboundmail", on the appropriate IP interface.

When you set it up, it has a "Host access table" (HAT); that's where you can configure the appropriate sender group.

If you go back to MailPolicies/HAT Overview, you'll see that you can pick which listener you're creating the Sender Group for...

The mail flow policy for the Relayed sender group on the Outbound listener defines how your Exchange boxes can talk to the IronPort.

Hope that helps...

Ken

I only have 1 IP interface, I NAT it through the firewall, so I cannot add a second listener on port 25.

I faced the same issue once,

there was a problem in NATing on ASA

Thanks for getting me most of the way there!

I forgot I had set a rule on this customer's firewall to only allow outbound SMTP from certain IP addresses; the IronPorts weren't in there yet.