Solved: Hello Manirul,

Md. Manirul Islam · ‎12-26-2015

Hi,

Actually I have 3 mail domains under ESA. Let's say, company1.com, company2.com, company3.com; all these three domain has been added to send mails through ESA C170. ESA is using only data 1 interface to which have more one IP configured for let's say for company1-192.168.1.101, company2-192.168.1.102, company3-192.168.1.103, these IPs are used to connect to respective mail server and also these IPs are port-forwarded via firewall to receive mail from outside domain.

But the problem is: sometimes ESA can send/receive mail, sometime it can receive only not sent via ESA. So, I have gone through some tests and found that ESA is working as open relay, so I stopped that via RAT. But still problem persists.

So, I have checked HAT, which I believe, is used for sending mail to internet/other domain. But found nothing. Now, stuck with the issue. Can anyone help me here?

By the way, mail server is exhange, which is fully functional & Firewall port forwarding is also ok.

Thanks in advance.

Mathew Huynh · ‎12-27-2015

Hello Manirul,

For outbound emails to work for the 3 domains (company1.com, company2.com and company3.com). When you add them to your ESA for outbound mails to send, you need to ensure (as you're using one interface and one listener) that a RELAYLIST with RELAY action is applied to these 3 IP's to allow it to send outbound without going through RAT checking.

Outgoing email should not match the RAT table (RAT -> Receipients Access is for purely inbound traffic recipient checking and 'ALL' should be 'reject' to ensure no open RELAY is set, and just add company1.com, company2.com and company3.com to ensure your ESA accepts inbound email for these domains).

To avoid this RAT affecting outbound and configure an outgoing email setup on your ESA running one listener.

Please go to GUI > Mail Policies > Mail Flow Policies

Add a new Mail Flow Policy

Name it "RELAYED"

On the settings where it asks "Connection Behaviour" choose "Relay"

Submit this policy.

Now go to GUI > Mail Policies > HAT overview

Add a new sendergroup

Name it RELAYLIST

Order it as '1'

Choose the RELAYED mail flow policy you just created

One done, submit this sendergroup and add senders.

Add the IP of your 3 domain's mail server which is sending outbound email into this.

Submit and commit changes.

Outgoing emails from your exchange/mail server will match the RELAYLIST where it will be treated as outgoing and not go through RAT checking.

Regards,

Matthew

View solution in original post

Mathew Huynh · ‎12-27-2015

Hello Manirul,

For outbound emails to work for the 3 domains (company1.com, company2.com and company3.com). When you add them to your ESA for outbound mails to send, you need to ensure (as you're using one interface and one listener) that a RELAYLIST with RELAY action is applied to these 3 IP's to allow it to send outbound without going through RAT checking.

Outgoing email should not match the RAT table (RAT -> Receipients Access is for purely inbound traffic recipient checking and 'ALL' should be 'reject' to ensure no open RELAY is set, and just add company1.com, company2.com and company3.com to ensure your ESA accepts inbound email for these domains).

To avoid this RAT affecting outbound and configure an outgoing email setup on your ESA running one listener.

Please go to GUI > Mail Policies > Mail Flow Policies

Add a new Mail Flow Policy

Name it "RELAYED"

On the settings where it asks "Connection Behaviour" choose "Relay"

Submit this policy.

Now go to GUI > Mail Policies > HAT overview

Add a new sendergroup

Name it RELAYLIST

Order it as '1'

Choose the RELAYED mail flow policy you just created

One done, submit this sendergroup and add senders.

Add the IP of your 3 domain's mail server which is sending outbound email into this.

Submit and commit changes.

Outgoing emails from your exchange/mail server will match the RELAYLIST where it will be treated as outgoing and not go through RAT checking.

Regards,

Matthew

SteffenT · ‎02-16-2018

Great explanation Mathew.

I know this is an old thread, but I have a follow-up question.

I also have several domains with each listener, and I noticed that when the ESA relays a mail from a inside server to the Internet, it does'nt use the same interface as it came in on.

Example:

example.com has IP listener on 2.2.2.2

test.com has IP listener on 1.1.1.1

Protocol SNMP interface example.com (IP: 2.2.2.2) on incomming connection (ICID X) from sender IP 10.1.1.1. Reverse DNS host None Verfied none
// snip
SMTP delivery connection (DCID Y) opened from Cisco IronPort interface 1.1.1.1 to IP address A.B.C.D on port 25.

This will break SPF if I don't add 1.1.1.1 to the SPF record for example.com.

Is there a way to make ESA send from the same interface as it received the mail on?

Thanks

Mathew Huynh · ‎02-18-2018

Hello Steffen,

SPF shouldn't be breaking if the ICID (receiving connection) on the ESA is seen in that manner, as it's the delivery IP going to the next mail server (which is doing SPF verification) that is checked.

However, the ICID receiving connection is based on either MX records (from internet to your domain) or your exchange send connectors (for internal to internet); as for the delivery side of things (DCID) -> this can be statically configured on your device in CLI > deliveryconfig

This setting however, will apply to ALL emails leaving your ESA, to the internet or exchange.
If you want to use specific IP interface for specific domains. Your deliveryconfig must be kept on auto, and you can use message or content filters with "Alternate Source Interface" or on the CLI you can also use "altsrchost" and statically define without the use of filters.

I strongly recommend to test these in a controlled environment as to not impact your production flow.

Regards,
Matthew

Outbound mail is not passing through ESA C170