12-26-2015 10:27 AM
Hi,
Actually I have 3 mail domains under the ESA. Let's say company1.com, company2.com and company3.com; all three of these domains have been added to send mail through the ESA C170. The ESA is using only the Data 1 interface, which has more than one IP configured, let's say company1 - 192.168.1.101, company2 - 192.168.1.102, company3 - 192.168.1.103. These IPs are used to connect to the respective mail servers, and these IPs are also port-forwarded via the firewall to receive mail from outside domains.
But the problem is: sometimes the ESA can send and receive mail, and sometimes it can only receive, not send, via the ESA. So I have run some tests and found that the ESA was working as an open relay, so I stopped that via the RAT. But the problem still persists.
So I have checked the HAT, which I believe is used for sending mail to the internet/other domains, but found nothing. Now I'm stuck with the issue. Can anyone help me here?
By the way, the mail server is Exchange, which is fully functional, and the firewall port forwarding is also OK.
Thanks in advance.
12-27-2015 05:03 PM
Hello Manirul,
For outbound emails to work for the 3 domains (company1.com, company2.com and company3.com), when you add them to your ESA for outbound mail, you need to ensure (as you're using one interface and one listener) that a RELAYLIST sender group with a RELAY action is applied to these 3 IPs to allow them to send outbound without going through RAT checking.
Outgoing email should not match the RAT table (RAT -> Recipient Access Table is purely for inbound recipient checking; 'ALL' should be 'reject' to ensure no open relay is set, and just add company1.com, company2.com and company3.com to ensure your ESA accepts inbound email for these domains).
To avoid the RAT affecting outbound mail and to configure an outgoing email setup on your ESA running one listener:
Please go to GUI > Mail Policies > Mail Flow Policies
Add a new Mail Flow Policy
Name it "RELAYED"
On the settings where it asks "Connection Behaviour" choose "Relay"
Submit this policy.
Now go to GUI > Mail Policies > HAT overview
Add a new sendergroup
Name it RELAYLIST
Order it as '1'
Choose the RELAYED mail flow policy you just created
Once done, submit this sender group and add senders.
Add the IPs of your 3 domains' mail servers which send outbound email into this.
Submit and commit changes.
Outgoing emails from your Exchange/mail server will match the RELAYLIST, where they will be treated as outgoing and not go through RAT checking.
Regards,
Matthew
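The decision logic the answer above describes (an ordered HAT where the RELAYLIST sender group with a RELAY mail flow policy is matched first, the RAT consulted only for connections that land on an ACCEPT policy, and the RAT 'ALL' entry set to reject), as a Python simulation added to this page. It is not Cisco AsyncOS code. The IPs and domain names are the thread's own examples; the BLACKLIST group, the 250/550 reply texts and the RAT_OPEN table are assumptions made here for illustration.

```python
"""Simulate a single-listener ESA deciding an RCPT TO command.

Illustrative code written for this page, not Cisco's implementation.
Sender-group names, IPs and domains come from the thread; the BLACKLIST
group, reply texts and RAT_OPEN are assumptions for the example.
"""
import ipaddress

# HAT (Host Access Table): ordered sender groups, first match wins.
# Each entry: (order, group name, sender IPs/CIDRs, mail-flow-policy behaviour).
HAT = [
    (1, "RELAYLIST", ["192.168.1.101", "192.168.1.102", "192.168.1.103"], "RELAY"),
    (2, "BLACKLIST", ["203.0.113.0/24"], "REJECT"),   # assumed example group
    (99, "ALL", ["0.0.0.0/0", "::/0"], "ACCEPT"),     # default group, inbound policy
]

# RAT (Recipient Access Table): inbound domains the listener accepts.
# 'ALL' -> REJECT is what stops the box from being an open relay.
RAT = {
    "company1.com": "ACCEPT",
    "company2.com": "ACCEPT",
    "company3.com": "ACCEPT",
    "ALL": "REJECT",
}

# The weak setting the original poster found: ALL accepted = open relay.
RAT_OPEN = {"ALL": "ACCEPT"}


def hat_lookup(sender_ip, hat=HAT):
    """Return (group name, behaviour) of the first HAT group matching sender_ip."""
    ip = ipaddress.ip_address(sender_ip)
    for _order, name, senders, behaviour in sorted(hat, key=lambda e: e[0]):
        for entry in senders:
            net = ipaddress.ip_network(entry, strict=False)
            if ip.version == net.version and ip in net:
                return name, behaviour
    raise LookupError("no HAT group matched; a default ALL group should exist")


def rat_lookup(rcpt_domain, rat=RAT):
    """Return ACCEPT/REJECT for a recipient domain, falling back to the ALL entry."""
    return rat.get(rcpt_domain.lower(), rat["ALL"])


def rcpt_decision(sender_ip, rcpt_addr, hat=HAT, rat=RAT):
    """Return (SMTP code, text) the listener would answer to RCPT TO:<rcpt_addr>.

    Simplification: a real ESA REJECT policy refuses the connection at the
    banner; here it is folded into the RCPT reply so every case is one call.
    """
    group, behaviour = hat_lookup(sender_ip, hat)
    if behaviour == "REJECT":
        return 550, f"5.7.1 connection refused by sender group {group}"
    if behaviour == "RELAY":
        # RELAY policy: recipient is not checked against the RAT, mail goes out.
        return 250, f"2.1.5 ok (relayed via sender group {group})"
    # ACCEPT policy: treated as inbound, recipient domain must be in the RAT.
    domain = rcpt_addr.rsplit("@", 1)[-1]
    if rat_lookup(domain, rat) == "ACCEPT":
        return 250, f"2.1.5 ok (inbound via sender group {group})"
    return 550, "5.7.1 relay access denied"


def is_open_relay(hat=HAT, rat=RAT, probe_ip="198.51.100.7"):
    """True if an arbitrary outside host (probe_ip is a constructed address)
    can get an external recipient accepted, i.e. the listener relays for it."""
    code, _ = rcpt_decision(probe_ip, "victim@external.example", hat, rat)
    return code == 250


if __name__ == "__main__":
    for src, rcpt in [("192.168.1.101", "bob@external.example"),
                      ("198.51.100.7", "bob@external.example"),
                      ("198.51.100.7", "alice@company2.com"),
                      ("203.0.113.5", "alice@company2.com")]:
        print(src, "->", rcpt, rcpt_decision(src, rcpt))
    print("open relay with corrected RAT:", is_open_relay())
    print("open relay with RAT ALL=ACCEPT:", is_open_relay(rat=RAT_OPEN))
```

The two `is_open_relay` calls at the bottom are the check worth running against a real box as well (from an outside address, `RCPT TO` an address in a domain you do not own and expect a 5xx); with the corrected RAT only the three internal IPs get a 250 for an external recipient, while with `RAT_OPEN` any source does.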
02-16-2018 03:21 AM
Great explanation Mathew.
I know this is an old thread, but I have a follow-up question.
I also have several domains with each listener, and I noticed that when the ESA relays a mail from an inside server to the Internet, it doesn't use the same interface as it came in on.
Example:
example.com has IP listener on 2.2.2.2
test.com has IP listener on 1.1.1.1
Protocol SMTP interface example.com (IP: 2.2.2.2) on incoming connection (ICID X) from sender IP 10.1.1.1. Reverse DNS host None Verified none
// snip
SMTP delivery connection (DCID Y) opened from Cisco IronPort interface 1.1.1.1 to IP address A.B.C.D on port 25.
This will break SPF if I don't add 1.1.1.1 to the SPF record for example.com.
Is there a way to make ESA send from the same interface as it received the mail on?
Thanks
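The SPF failure described in the follow-up post, reproduced with a small SPF evaluator added to this page (it is not the ESA's code nor any SPF library). It supports only the ip4, ip6 and all mechanisms, so it needs no DNS and runs offline; include, a, mx and redirect are reported as unsupported rather than guessed. The two SPF records are constructed for the example and are not published DNS data; the IPs are the ones from the post.

```python
"""Offline SPF check for the delivery-interface problem in the follow-up post.

Illustrative code written for this page. Only ip4/ip6/all are implemented;
mechanisms needing DNS (include, a, mx, redirect) return 'permerror' here.
"""
import ipaddress

# Constructed records for the example, not real DNS.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:2.2.2.2 -all",
    "test.com": "v=spf1 ip4:1.1.1.1 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_evaluate(record, client_ip):
    """Evaluate one SPF record for client_ip (RFC 7208 results as strings)."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        if "=" in term:                      # modifier (redirect=, exp=)
            if term.lower().startswith("redirect="):
                return "permerror"           # would need DNS; not supported here
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
            continue
        return "permerror"                   # include/a/mx/exists: not supported
    return "neutral"                         # record ended without an 'all'


def check_outbound(mail_from_domain, delivery_ip, records=SPF_RECORDS):
    """Result a receiver would compute for mail from mail_from_domain
    that the ESA delivered from interface delivery_ip."""
    record = records.get(mail_from_domain.lower())
    if record is None:
        return "none"
    return spf_evaluate(record, delivery_ip)


def add_delivery_ip(record, extra_ip):
    """The fix the poster mentions: list the extra delivery interface in the
    record, inserted before the final 'all' term."""
    terms = record.split()
    mech = "ip6:" if ipaddress.ip_address(extra_ip).version == 6 else "ip4:"
    terms.insert(len(terms) - 1, mech + extra_ip)
    return " ".join(terms)


if __name__ == "__main__":
    print("example.com via 2.2.2.2:", check_outbound("example.com", "2.2.2.2"))
    print("example.com via 1.1.1.1:", check_outbound("example.com", "1.1.1.1"))
    fixed = add_delivery_ip(SPF_RECORDS["example.com"], "1.1.1.1")
    print("fixed record:", fixed)
    print("example.com via 1.1.1.1 after fix:", spf_evaluate(fixed, "1.1.1.1"))
```

Running it shows the exact failure in the log excerpt: mail for example.com leaving on 1.1.1.1 gets `fail` against a record that only names 2.2.2.2, and either the record has to list every interface the ESA may deliver from, or delivery has to be pinned to the interface whose address the record already authorises.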