Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2971
Views
5
Helpful
3
Replies

When to use "Incoming Relay" instead of relay list under HAT

MachoBear123
Level 1
Level 1

‎03-04-2020 07:14 PM

I read through various documents and it's not clear to me what is the difference between "Incoming Relay" under "Network" an when to use a Relay list under HAT.  To me, they served the same purpose.  I need help to distinguish when to use one and when to use the other.

Thank you.

Labels:
0 Helpful
3 Replies 3

charella
Cisco Employee
Cisco Employee

‎03-05-2020 05:00 AM

Hello MachoBear123,

The use of words is sometimes confusing with this technology.

What is the difference between "Incoming Relay" under "Network" and a Relay list (Action) under HAT.

RELAY > Typically is the Behavior within the Mail Flow Policy.
We associate that with the name of the Sender Group and sometimes Mail Flow Policy for better recognition.

Incoming Relay > Is utilized when an ESA does not directly touch the Edge of the network. It does not see the outside IP Address of the connecting domain.
If the ESA does not directly receive mail from the external source, it cannot retrieve SBRS which is the first line of defense.
The Incoming Relay may retrieve that information for use within the processing.

* The Incoming Relay allows the ESA to look within the email header and retrieve the IP one, two, three hops prior to connecting to the ESA, and utilize that within the mail processing.
* The Incoming Relay takes the SBRS score and utilizes with Spam scanning to assist in the verdict of a message.
* Since the SBRS does not directly work, the Incoming Relay value can be actioned within a Message Filter or Content Filter to drop messages with a failing score.


Thanks,
Chris



MachoBear123
Level 1
Level 1
In response to charella

‎03-05-2020 12:45 PM

Thank you for your reply. Just to make it clear, if my ESA is in the DMZ, I shouldn't need to use the "Incoming Relay"?
0 Helpful

Cristian Matei
VIP Alumni
VIP Alumni
In response to MachoBear123

‎03-15-2020 07:29 AM

Hi,

 

     The "Incoming Relay" is needed when there is another MX gateway in front of your ESA in the e-mail flow from the Internet. So if all e-mail sent to your domain are sent to the ESA directly, there is no need to configure "Incoming Relay". "Relay List" configured in HAT is required for a private listener, so the ESA knows which inside hosts are trusted/allowed to send e-mail to the ESA, and for which domains; this is usually your internal Exchange server.

 

Regards,

Cristian Matei.

0 Helpful
Customers Also Viewed These Support Documents