03-29-2012 09:08 PM
Hi, I want to ask about the function of SMTP authentication in IronPort. Is it used to authenticate with the Exchange server or per client using LDAP? When I configure SMTP authentication, is it used for incoming or outgoing connections? Thanks.
Regards
Alkuin Melvin
04-04-2012 04:15 AM
Hello Alkuin,
SMTP authentication is usually used to allow users outside their network to relay email through the appliance. So authentication enables relaying on inbound connections, but only after the client has been authenticated by SMTP authentication. Like I said, this is the most common usage. Another possibility SMTP Auth is used for is when an (internal) mail server only accepts traffic from authenticated hosts, so to be able to forward messages to that host, the appliance needs to authenticate itself against that server before delivering that traffic.
For the authentication itself, you can either use LDAP, or forward the authentication request to another mailserver (SMTP Auth with forwarding).
Hope that helps,
Andreas
04-04-2012 08:34 PM
Hello Andreas,
Thank you so much for the answer. I have been told by one of the vendor's engineers that I should use SMTP Authentication on another listener with a different port. Is that true?
Regards
Alkuin Melvin
04-04-2012 09:52 PM
Dear Alkuin,
For SMTP authentication configuration, you can configure SMTP auth profile under 'Network'-'SMTP Authentication' (LDAP, forward and outgoing).
In my opinion, you can choose to enable SMTP AUTH in the mail flow polic(ies) of the existing listener (port 25) and/or a new listener using another port (say port 8025). The reason to use a port number other than port 25 is that some residential ISPs or hotel internet connections will block outgoing port 25 connections (for antispam reasons - blocking botnet/malware-infected hosts from sending spam and getting the ISP's IP addresses blacklisted).
For the existing listener, you can configure the SMTP AUTH "Preferred" setting in the default mail flow policy, and then users can authenticate and relay emails through IronPort from a public IP address (configure the email client's outgoing SMTP gateway with the IronPort public IP address and port 25). One point to note is that if the user is sending from a poor reputation IP, their SMTP connection may be blocked or throttled.
For a listener using a port number other than 25 (e.g. 8025), you can configure just one sender group with the default mail flow policy set to SMTP AUTH "Required". The email client needs to be configured with the IronPort listener's public IP address and the specific port number (say port 8025) as its outgoing SMTP gateway. In this way, only authenticated users can relay emails through this listener, and they can avoid the port 25 blocking issue or the sending host's reputation issue mentioned above.
Cheers,
Tommy
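An added example, not part of the posts above: one way to check from a client that a listener behaves as intended for the "Preferred" and "Required" settings discussed in this thread. The function names, probe addresses and the `FakeSession` replies are constructed for illustration; the 530 reply is the generic RFC 4954 "authentication required" code, assumed here rather than confirmed as the appliance's exact response.

```python
import smtplib

def classify_listener(session, mail_from="probe@example.com",
                      rcpt_to="probe@example.net"):
    """Classify an already-connected, unauthenticated SMTP session.

    rcpt_to must be a domain the gateway does NOT accept inbound mail for,
    so that acceptance can only mean relaying.
    """
    session.ehlo()
    if not session.has_extn("auth"):
        return "no-auth-offered"          # SMTP AUTH is not enabled here
    try:
        for step, arg in ((session.mail, mail_from), (session.rcpt, rcpt_to)):
            code, _ = step(arg)
            if code == 530:
                return "auth-required"    # nothing is accepted before AUTH
            if code not in (250, 251):
                return "relay-refused"    # AUTH offered, relay denied without it
        return "open-relay"               # relayed without credentials: misconfigured
    finally:
        session.rset()                    # abandon the probe transaction

def probe(host, port):
    """Run the check against a listener you administer (e.g. port 25 or 8025)."""
    with smtplib.SMTP(host, port, timeout=10) as session:
        return classify_listener(session)

class FakeSession:
    """Constructed stand-in for smtplib.SMTP with canned reply codes."""
    def __init__(self, extensions, mail_code, rcpt_code):
        self.extensions = extensions
        self.mail_code, self.rcpt_code = mail_code, rcpt_code
    def ehlo(self): return (250, b"ok")
    def has_extn(self, name): return name in self.extensions
    def mail(self, sender): return (self.mail_code, b"")
    def rcpt(self, recip): return (self.rcpt_code, b"")
    def rset(self): return (250, b"ok")

if __name__ == "__main__":
    # Constructed sessions: a 'Required' listener, a 'Preferred' listener,
    # and a listener that relays for anyone.
    for name, fake in [("required", FakeSession({"auth"}, 530, 530)),
                       ("preferred", FakeSession({"auth"}, 250, 550)),
                       ("misconfigured", FakeSession({"auth"}, 250, 250))]:
        print(name, "->", classify_listener(fake))
```
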
04-11-2012 11:30 PM
Hi Tze Tai Mak,
Thanks for the information. Really helpful for me to understand the authentication.
Thanks all.
Alkuin Melvin