cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2507
Views
0
Helpful
8
Replies

Ironport Relay Problem

Hello,
I want to configure my outgoing mail trought the applience.I want to use one interface ( data 1 ) of my C350.I recieve mail via xxx.xxx.xxx.xxx Ip address and I want to use the same ip address to relay mail.But When I try to create a private listaner for the outgoing mail, it say that already exist a listener (public) on 25 port. What is the solution of this kind of problems?

Can you explain me step by step how to configure outgoing mail?

Thanks a lot and best regards ;)

8 Replies 8

Hello, 
I want to configure my outgoing mail trought the applience.I want to use one interface ( data 1 ) of my C350.I recieve mail via xxx.xxx.xxx.xxx Ip address and I want to use the same ip address to relay mail.But When I try to create a private listaner for the outgoing mail, it say that already exist a listener (public) on 25 port. What is the solution of this kind of problems?

Can you explain me step by step how to configure outgoing mail?

Thanks a lot and best regards ;)


Hi thedarkangel,

If you would like to use the same ip address to relay email, you don't need to create a private listener. You just do the following:

1. Mail Polices -> HAT -> Mail Flow Policies -> Add policies
2. Name: RELAYED
Connection Behavior: relay
submit
3. Mail Policies -> HAT -> HAT Overview
Add sender group -> Name: Relaylist, Order:1, Policy: RELAYED -> Submit and add sender -> type the ip address of your mail server address.

When you finished the steps above, your mail server can send email through IronPort.

When you create your listener, you will need to use a different port, for instance 2525 or whatever, then configure your groupware to deliver outgoing mail to xxx.xxx.xxx.xxx:2525
otherwise you can create another interface on the same physical interface, then you can use port 25

Kr,

Raf

I guess we are looking at a simple networking limitation here (nothing IronPort could do anything about). On any single machine you can only bind the same port (= application) to each IP address once. Otherwise the higher layers wouldn't know which appliaction to direct the connections to.

What you want to do is:

1) understand the difference between a physical and a logical interface. You can run your whole setup using only one physical connection to the first physical interface (data1).

2) Configure two logical interfaces with different IP addresses (name them according to what they are supposed to do: I_INBOUND / I_OUTBOUND for example). Bind both of them to the same physical interface (data1).

3) Configure two listeners on port 25, one running on your I_INBOUND (public) interface, the other on I_OUTBOUND (private).

4) Finalize the rest of the configuration.

5) Done.

Hope that helps. 8)
Torsten

thanks a lot, but what is the purpose of the private listener then?

The main difference lies in their default settings. A good example are the default HAT settings for public and private listeners.

HAT settings for public listeners usually include several different sender groups (WHITELIST, BLACKLIST, SUSPECTLIST, UNKNOWNLIST, SBRSNONE...) that you can assign SBRS ratings to and other settings that are usually important for incoming connections from the internet.

Compared to that you usually only find the "RELAYLIST" SenderGroup on Private listeners that you can use to set up the systems being allowed to relay emails through your ironport.

From a technical point of view both scenarios work. You can set up the same options for private and for public listeners, even though some might not make too much sense on listeners of a certain type (like SBRS on private listeners).

I guess it's more a question of how complex and how flexible you want your setup to be. If you are only going to set it up once, have an easy setup and never change anything you can go with the one listener approach. On the other hand, if you want to stay as flexible as possible and never know what new needs might pop up next week go with the multi-listener configuration.

Personally I always go with the at-least-two-listeners configuration (usually more if the environment includes an encryption gateway). That way it's quite easy to adapt to new needs and add new functions to your configuration.

Torsten

What would be the impact on reporting if you go for the 1 listener approach?

Reporting is not impacted and we can still tell the difference between inbound and outbound mails and report accordingly. nothing to worry about.

Erich_ironport
Level 1
Level 1

Inbound vs. Outbound messages are not a function of the listener. They are determined based on the Behavior defined in the Mail Flow Policies.
See - Mail Policies menu -> Mail Flow Policies -> Behavior.

Reject is counted as Inbound
Accept is counted as Inbound
TCP Refuse is counted as Inbound
Continue (I'm not sure that is it counted, extremely odd use case)
Relay is counted as Outbound

Hope this clarifies things.

FYI - It is common for both inbound and outbound traffic to be configured on the same NIC, same IP, same Listener, different SenderGroup, and different Mail Flow Policies.

Erich