Limit IronPort relay access using username and password

mizwan.saib-c
Level 1

Hi Support Community,

My understanding is that the Cisco IronPort can act as a relay server, accepting external SMTP requests and then sending the email out through the Cisco IronPort gateway. Is there any configuration that can be done in the IronPort to secure this and accept only trusted public IP addresses with username and password credentials?

 

4 Replies

Libin Varghese
Cisco Employee

Hi,

The feature on the ESA for this is called SMTP Authentication.

Essentially, the outside user would connect to the ESA and pass the username/password credentials. It is highly recommended that you have TLS configured between the sender and the ESA so their credentials are not passed in the clear. Once the ESA has the credentials, it will either use LDAP to query and verify the credentials, or it will forward the credentials to a pre-configured mail server that receives authentication requests to verify.

The connection behavior for successful SMTPAUTH sessions changes to “RELAY,” effectively bypassing the Recipient Access Table (RAT) and LDAPACCEPT. This allows the sender to relay messages through the appliance.

Details about how SMTP authentication works are available in the end user guide.

www.cisco.com/c/dam/en/us/td/docs/security/esa/esa9-7/ESA_9-7_User_Guide.pdf
Page 26-33

Thank you!
Libin Varghese
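
The recommendation above, that TLS be in place before credentials are passed, can be checked against a client-side SMTP debug log. The following is an added example, not part of the original thread and not Cisco code; the host names, user name, password and both sessions are constructed sample data.

```python
import base64

def audit_smtp_auth(transcript):
    """Walk a client-side SMTP log of (side, line) pairs; side is "C" or "S"."""
    result = {"tls": False, "auth_offered_in_clear": False,
              "creds_in_clear": False, "authenticated": False}
    starttls_pending = False
    for side, line in transcript:
        if side == "C":
            verb = line.split(" ", 1)[0].upper()
            if verb == "STARTTLS":
                starttls_pending = True
            elif verb == "AUTH" and not result["tls"]:
                # Credentials (or the start of AUTH LOGIN) sent before TLS is up.
                result["creds_in_clear"] = True
            continue
        code, words = line[:3], line[4:].upper().split()
        if starttls_pending:
            # Only a 220 reply to STARTTLS means the channel is now encrypted.
            result["tls"] = (code == "220")
            starttls_pending = False
        elif code == "250" and words and words[0] == "AUTH" and not result["tls"]:
            # EHLO reply advertises AUTH on a plaintext channel.
            result["auth_offered_in_clear"] = True
        elif code == "235":
            result["authenticated"] = True
    return result

# Constructed credentials and sessions (hypothetical hosts under example.test).
CREDS = base64.b64encode(b"\0relayuser\0example-password").decode()

CLEARTEXT_SESSION = [
    ("S", "220 esa.example.test ESMTP"), ("C", "EHLO app.example.test"),
    ("S", "250-esa.example.test"), ("S", "250-AUTH PLAIN LOGIN"),
    ("S", "250 STARTTLS"), ("C", "AUTH PLAIN " + CREDS),
    ("S", "235 Authentication succeeded"),
    ("C", "MAIL FROM:<app@example.test>"), ("S", "250 sender ok"),
]

TLS_SESSION = [
    ("S", "220 esa.example.test ESMTP"), ("C", "EHLO app.example.test"),
    ("S", "250-esa.example.test"), ("S", "250 STARTTLS"),
    ("C", "STARTTLS"), ("S", "220 Go ahead with TLS"),
    ("C", "EHLO app.example.test"), ("S", "250-esa.example.test"),
    ("S", "250 AUTH PLAIN LOGIN"), ("C", "AUTH PLAIN " + CREDS),
    ("S", "235 Authentication succeeded"),
    ("C", "MAIL FROM:<app@example.test>"), ("S", "250 sender ok"),
]
```
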

Libin Varghese,

Thank you very much for the findings, explanation and guide.

Hi Libin Varghese,

Based on the guide provided for setting up AAA for SMTP, can we use a local database for the AAA rather than using the LDAP server?

 

As far as I know, SMTP authentication works using an LDAP server only at this point; a local user database cannot be used for the same.

- Libin V