Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3529
Views
0
Helpful
3
Replies

RAT dropping outgoing messages

Go to solution
michelegarribba
Level 1
Level 1

‎03-31-2015 12:48 AM

Hi,

 

in my configuration, a couple of ESA at the edge with one listener and one phy interface i enabled the desired domain, example mydomain.it,

in the RAT and then all others blocked. What happened is that for some other domain, public domain like google and aol for example, i started recieving dropped messages because refused by the RAT for outgoing messages. I had to open the all other which i really don't like it. Is this a normal behaviour ? how can i fix it?

 

thanks a lot

smaikol

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mathew Huynh
Cisco Employee
Cisco Employee
In response to Robert Sherwin

‎03-31-2015 08:20 PM

Hello Michele,

 

To build on Robert's response.

I would suggest to look at your message tracking (located in GUI > Monitor > Message Tracking)

Check the emails which were rejected where recipient is @gmail/@aol etc.

 

Check the "ICID and sendergroup" information and action.

If you see:

(ICID XXXXXXX) ACCEPT sender group SENDERGROUPNAME match <IP of your outgoing exchange server IP> SBRS XXXX

 

Then it is likely your outbound emails are being treated as INCOMING emails where RAT checking is done.


If so my suggestive action is:

 

GUI > Mail Policies > Mail Flow Policies

Check for an available "RELAY" mail flow policy, if none visible, create it.

Create a new mail flow policy

Name it "RELAY"

Action for this mail flow policy should be chosen as "RELAY" and not accept

Leave the rest as it is and submit this mail flow policy.

 

Then go to GUI > Mail Policies > HAT Overview

Check if you have a RELAYLIST enabled, if you see no RELAYLIST

Add a new sendergroup

Name it RELAYLIST

Mail flow policy to use "RELAY"

Order it "1" on the list

Leave the rest blank, submit and add senders


Here add the Sending IP of your exchange server which is routing outbound emails here

Submit this sendergroup and sender. Your HAT overview should now be updated with the RELAYLIST using RELAY mail flow policy.

 

Then go to your RAT table.

Re-enable REJECT for all other domains (do not work as an open relay)

 

Then commit changes.

Re-try your outgoing email.

 

Now outgoing emails should match RELAYLIST and thus not using the RAT table.

All other email servers will (and should) match the other Inbound sendergroups as the IPs of external servers should not match the RELAYLIST as its not defined in there.

 

I hope this helps.

Please keep us updated.

 

Regards,

Matthew

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Robert Sherwin
Cisco Employee
Cisco Employee

‎03-31-2015 05:12 AM

Are those messages legitimate message?  Or - for Google, AOL -- are those suppose to be treated as outgoing messages?  What is message tracking showing for these examples?  You shouldn't be accepting mail for gmail.com, aol.com in your RAT.  If those are suppose to be outbound, then you'd have to have a Relay mail flow policy set to allow those as outbound messages.  I would imagine that as inbound (gmail.com, aol.com) to your domain - those should be dropped.

-Robert

Cheers,
Robert Sherwin
0 Helpful

Go to solution
Mathew Huynh
Cisco Employee
Cisco Employee
In response to Robert Sherwin

‎03-31-2015 08:20 PM

Hello Michele,

 

To build on Robert's response.

I would suggest to look at your message tracking (located in GUI > Monitor > Message Tracking)

Check the emails which were rejected where recipient is @gmail/@aol etc.

 

Check the "ICID and sendergroup" information and action.

If you see:

(ICID XXXXXXX) ACCEPT sender group SENDERGROUPNAME match <IP of your outgoing exchange server IP> SBRS XXXX

 

Then it is likely your outbound emails are being treated as INCOMING emails where RAT checking is done.


If so my suggestive action is:

 

GUI > Mail Policies > Mail Flow Policies

Check for an available "RELAY" mail flow policy, if none visible, create it.

Create a new mail flow policy

Name it "RELAY"

Action for this mail flow policy should be chosen as "RELAY" and not accept

Leave the rest as it is and submit this mail flow policy.

 

Then go to GUI > Mail Policies > HAT Overview

Check if you have a RELAYLIST enabled, if you see no RELAYLIST

Add a new sendergroup

Name it RELAYLIST

Mail flow policy to use "RELAY"

Order it "1" on the list

Leave the rest blank, submit and add senders


Here add the Sending IP of your exchange server which is routing outbound emails here

Submit this sendergroup and sender. Your HAT overview should now be updated with the RELAYLIST using RELAY mail flow policy.

 

Then go to your RAT table.

Re-enable REJECT for all other domains (do not work as an open relay)

 

Then commit changes.

Re-try your outgoing email.

 

Now outgoing emails should match RELAYLIST and thus not using the RAT table.

All other email servers will (and should) match the other Inbound sendergroups as the IPs of external servers should not match the RELAYLIST as its not defined in there.

 

I hope this helps.

Please keep us updated.

 

Regards,

Matthew

0 Helpful

Go to solution
Steve Berglund
Level 1
Level 1
In response to Mathew Huynh

‎10-01-2015 04:46 PM

Edit: Deleted

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents