Public and Private listeners on the same interface DATA1

Remy Ouaini
Level 1

I am using the virtual Email Security AsyncOS 8.0 and I am trying to use one interface for IncomingEmails (public listener) and OutgoingEmails(private listener).

When I try to create the OutgoingEmails (private listener) on the same interface DATA1 using port 25, I get the error message "Port already used by Listener "IncomingMail"."

I would like to know if it is possible to be done and how can it be done.

Thank you

Accepted Solution

Valter Da Costa
Cisco Employee

Remy,

You can use a different port number, for instance, 2525.

If you need to use the same port, 25, then you will need to bind the private listener to a new IP interface. If you choose to use the same IP interface and choose 2525, the next thing to remember is to configure the internal server to connect to your Cisco ESA using the new port number. Also, you need to configure this server's IP address in the RELAYLIST sender group.

I hope this helps. If it does, please mark the question as answered.

Thanks.

-Valter

Thank you for your feedback, but there is something which is still not clear for me.

In the AsyncOS documentation, it is mentioned that :

"Only one of the three available interfaces on the Cisco IronPort appliance is required for most network environments."

( they show a picture of an ironport behind a firewall)

Which means that they are using the same interface for public and private listeners.

In the same chapter, they also mention that you have to allow port 25 for messages coming from the inside to the IronPort

and you also have to allow port 25 for messages coming from the internet to the Ironport.

After reading this chapter I thought that there is a way to use both listeners on the same interface using the same IP address and using the same port 25 to communicate, but from what you mentioned above, it seems that it would be impossible to do it.

N.B: they also mention that on the C150 and C160 appliances you would typically use one interface for both incoming and outgoing mail.

Thank you

Don't confuse physical and logical interfaces. The physical interfaces exist so that you can connect to different physical connections (etherconfig). With a physical appliance you can connect to multiple physical interfaces to do things like NIC Pairing or use a different physical management network. Data 1/ Data 2 is the nomenclature for the physical interfaces.

Since you are using the virtual ESA that doesn't really apply to you. You just need to create multiple logical interfaces using "interfaceconfig" or Network/IP Interfaces on the GUI. Each interface needs to have its own IP address.

Once you have done that you can create listeners. As long as you only assign one listener per logical interface you won't run into a port conflict.

Physical ethernet -> etherconfig

Logical interfaces -> interfaceconfig

SMTP listeners -> listenerconfig

Remy, this is something to add to Bob's response.

The device has physical interfaces (Data 1/Data 2 and Management). Some devices have only Data 1 and Data 2, like the C160.

You can create IP interfaces, which are logical interfaces. You can create more than 1 IP interface per physical interface. Something like:

esalab.cisco.com> interfaceconfig

Currently configured interfaces:

1. InternalNet (10.97.14.35/24 on Data 1: esalab.cisco.com)

2. Management (192.168.42.42/24 on Data 2: ironport.example.com)

3. SecondLogicInterface (10.97.14.36/24 on Data 1: esa.cisco.com)

As you can see, I have the IP interfaces named "InternalNet" and "SecondLogicInterface" bound to the Data 1 physical interface.

Then using one logical interface named "InternalNet", I have two listeners (one for inbound, the other for outbound):

esalab.cisco.com> listenerconfig

Currently configured listeners:

1. IncomingMail (on InternalNet, 10.97.14.35) SMTP TCP Port 25 Public

2. OutgoingMail (on InternalNet, 10.97.14.35) SMTP TCP Port 2525 Private

=============================================

But one thing is important to note.

You can use one listener only, to do both inbound and outbound traffic. And that listener will be bound to only one interface.

The important thing here is that the single listener (configured to use port 25) will need a Sender Group and a Mail Flow Policy to handle outbound traffic.

As you know, each Sender Group requires a Mail Flow Policy. When you create a private listener, the system automatically creates the sender group RELAYLIST and a mail flow policy named RELAYED. You will notice that the RELAYED mail flow policy has the connection behavior set to Relay.

So, if you want to use one interface, one listener for inbound and outbound, you just need to manually create the sender group and mail flow policy for relaying traffic through your appliance.

Note, make sure the sender group (named RELAYLIST or any other name you want) is the first sender group (from top to bottom) in the HAT (Host Access Table). This is because the system processes the HAT from top to bottom, first match wins. It is worth mentioning that each listener will have a HAT associated with it.

To recap:

Data 1 - IP interface - Listener - port 25 - HAT - Sender Group - Mail Flow Policy

So, if a host connects to your appliance, to the listener you have created for inbound and outbound, the system will look in the HAT for the IP address of that host. Once it finds it in the RELAYLIST sender group, it will apply the mail flow policy RELAYED (or any other name you choose), and then apply the connection behavior, to relay.

I hope this clarifies things a little better, but feel free to reach out to us if you have any further questions.

Regards,

-Valter
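The HAT processing Valter describes above (top-to-bottom, first match wins, with the relay group needing to sit first) as an added Python model; this is not ESA code or output from the thread. The sender group names RELAYLIST/RELAYED come from the thread; the catch-all "ALL" group with an "ACCEPTED" policy, the 10.97.14.0/24 range and the client IPs are constructed sample values.

```python
import ipaddress

# Constructed HAT for one listener that handles both inbound and outbound mail.
# Each entry: (sender_group, [network entries], (mail_flow_policy, connection_behavior)).
# RELAYLIST/RELAYED are the ESA defaults named in the thread; ALL/ACCEPTED is a
# constructed catch-all group for external senders (assumption, not the real HAT).
HAT = [
    ("RELAYLIST", ["10.97.14.0/24"], ("RELAYED", "relay")),
    ("ALL", ["0.0.0.0/0"], ("ACCEPTED", "accept")),
]

def match_sender_group(hat, client_ip):
    """Walk the HAT top to bottom and return (group, policy, behavior) for the
    first sender group containing client_ip, or None if nothing matches."""
    ip = ipaddress.ip_address(client_ip)
    for group, entries, (policy, behavior) in hat:
        for entry in entries:
            if ip in ipaddress.ip_network(entry, strict=False):
                return group, policy, behavior
    return None

def relay_group_is_first(hat, relay_group="RELAYLIST"):
    """The ordering rule from the thread: the relay sender group must be first."""
    names = [group for group, _, _ in hat]
    return bool(names) and names[0] == relay_group

def shadowed_relay_entries(hat, relay_group="RELAYLIST"):
    """Return relay-group entries that an earlier (higher) sender group already
    covers; such internal hosts would never reach the RELAYED policy."""
    shadowed = []
    earlier = []
    for group, entries, _ in hat:
        nets = [ipaddress.ip_network(e, strict=False) for e in entries]
        if group == relay_group:
            for entry, net in zip(entries, nets):
                if any(net.overlaps(prev) for prev in earlier):
                    shadowed.append(entry)
            break
        earlier.extend(nets)
    return shadowed

# Same groups in the wrong order: ALL above RELAYLIST captures the internal hosts.
MISORDERED_HAT = list(reversed(HAT))

if __name__ == "__main__":
    print(match_sender_group(HAT, "10.97.14.50"))            # internal host -> relay
    print(match_sender_group(MISORDERED_HAT, "10.97.14.50"))  # same host -> accept only
    print(shadowed_relay_entries(MISORDERED_HAT))            # ['10.97.14.0/24']
```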

Thank you Bob and Valter,

I was a bit confused because one document said that I should have 1 listener for incoming and 1 listener for outgoing emails, and another document stated that I can have 1 listener for both incoming and outgoing email.

After reading your posts and the rest of the cisco documentation, I think that things are pretty much clearer.

Thank you for your help

Best Regards

I've run large (30+) appliance clusters with just one listener but your HAT policies will be cleaner and easier to administer if you use two listeners. Just make sure you have one logical interface for each listener and you'll be fine.
