Yep that is the plan i would suggest.

Check with network guys and see if there is availability to connect to the host and also check the destination host itself and see if it's listening on the port and allowing

Will do, and I will update the case when I hear back from them.

Thanks very much for the excellent support and advice, I really appreciate it.

Ash

Happy to help :)
Keep us updated if possible.

Hi Matt

Looks like there are indeed connectivity issues for the appliances other interface IP's at the firewall. 

Getting them resolved and then hopefully will work. will update again when I the rules are in place. 

Ash

Hope it does get resolved for you ash :)

All working now thanks Matt & Jens!

The 2 missing firewall rules did the trick. Thanks very much again!

Ash

That is awesome ! :D

Good stuff, happy to hear it's working for you Ash.

Have a good day.

- matty

Hi Matt

Was wondering if I could run another routing scenario past you? Is this the place to do that or should I start a new one?

Ash

Happy to answer here.

:D thanks

Ok so we are in the process of migrating a bunch of servers to a new DC.

I have been asked to route mail differently for this set group of servers while during the migration. 

Basically they only want the servers to be able to send to our domain only, or even a single specified address (whichever is simpler).

Once they are migrated they will revert that so they relay to anyone as normal.

Short of me creating a content filter for every server IP, I thought their must be a more efficient solution? Maybe another relay policy? Its above my (low) skill level.

Any ideas? 

Ash

Hey Ash

Sorry for the delay in response, a bit occupied with some things here on my end.

Um for this requirement this is my assumption from what i've read.

Your IronPort needs to allow only a certain set of IPs to allow to be relayed through it, and to only be able to send to an individual domain/sender as welel.

So this set of IPs is very restricted to sending emails through the IronPort only to 1 address/domain

Keep in mind, if you set them to "RELAY" action then they will ignore recipient validation (RAT table) and be treated as outbound email, if this is fine just simply make a new sendergroup and make it use the RELAY mail flow policy, else if you want it to be treated as inbound, use the ACCEPT policy

For this setup i recommend (for easiest setup) use of Sendergroup + 1 message filter.

Create a new sendergroup

Name it a meaningful name, for this example i'll call it "Allowed_IP"

order it '1' or the top or so

Add the set of IPs that will match this sendergroup (rather than others).

Submit this sendergroup.

Commit changes.

Then go to CLI and create a message filter.,

CLI > filters > new

Filter syntax, you can copy and paste or re-type.

Allowed_IP_Restrict:

if (sendergroup =="Allowed_IP") AND (rcpt-to !="@domain.com")

{

drop();

}

.

Then press enter twice and commit changes.

What this does is, the restricted IPs will match this Allow_IP sendergroup

This message filter will take action where if the IPs match this sendergroup but is not sending to this allowed domain, it will be dropped.

If it is the allowed domain, it'll ignore this filter.

Worked perfectly thanks Matt!

Saved me a horribly inefficient solution and taught me something very useful. Thanks very much for your help and time. 

Ash

:D 

Happy to help!
Glad to hear my solution worked to your requirements.

It's all good, here to help and also we're all here to learn as well -- i myself am learning off other users here.

Don't hesitate to start up new threads with any questions (hopefully some i can answer as well :))