Using c-100 as smarthost

Unanswered Question
Jun 10th, 2007

Hey everyone, I have Exchange 2003 sending outbound mail to a Mail Marshal box ATM. I have just implemented 2 C-100's because the MM box just isn't cutting it anymore.

The C-100's are set up and working perfectly with incoming mail, but as soon as I change the smarthost setting on the Exchange box to point to the C100, I get the following for all outgoing mail:

"There was a SMTP communication problem with the recipient's email server. Please contact your system administrator.
smtp;550 #5.1.0 Address rejected

Anyone know why?
I assume a relay or DNS setting?

**EDIT** Looked at the logs, seems the outbound mail is being rejected because of the RAT policies - how do I set this right?

I think what is happening is that outbound mail is being redirected back to my Exchange box, and therefore being rejected?

TIA
Paul.

Denis_ironport Sun, 06/10/2007 - 18:11

Did you add your Exchange server to the IronPort's relaylist? "Mail Policies" -> "HAT Overview". Select your Outbound Listener from the dropdown and click the relaylist. The relaylist might be called differently in your setup. It's the "Sender Group" which uses the "Mail Flow Policy" with "Relay" behavior. If you don't have one, you need to create it.

Cheers

Denis

Pauly_ironport Mon, 06/11/2007 - 05:13

Thanks for the reply Denis.

I only have one Listener called "IncomingMail" running off the Management Port (using Port 25).

On this listener there is a Relaylist that has the IP of my Exchange box in the Sender box in the HAT Overview screen.

Do I need to create an OutgoingMail listener? Would it be Private or Public?
Does it need to use the same LDAP queries as my current listener?

TIA for your help.
Paul.

jbivens_ironport Mon, 06/11/2007 - 19:42

Pauly,

If the RAT is rejecting it then your Exchange server isn't being classified in the RELAYLIST. This could be due to the fact that the Exchange server is going through a device that is NATing the source IP address.

What you need to pay attention to is the information in the logs that contains the ICID (Incoming Connection ID). This will show you the IP address that the IronPort sees and also the Sender Group that the IP address is falling under. Below is an example output:

ip1.bivens.us> grep -e "MID 636797" -e "ICID 6349140" mail_logs

Mon Jun 11 14:37:49 2007 Info: New SMTP ICID 6349140 interface PublicNet (10.12.23.12) address 10.12.23.55 reverse dns host mybook.bivens.us verified yes
Mon Jun 11 14:37:49 2007 Info: ICID 6349140 RELAY SG RELAYLIST match 10.12.23.0/24 SBRS rfc1918
Mon Jun 11 14:37:49 2007 Info: ICID 6349140 TLS success protocol TLSv1 cipher DES-CBC3-SHA
Mon Jun 11 14:37:49 2007 Info: SMTP Auth: (ICID 6349140) succeeded for user: jbivens using AUTH mechanism: LOGIN with profile: OpenLDAP
Mon Jun 11 14:37:49 2007 Info: Start MID 636797 ICID 6349140
Mon Jun 11 14:37:49 2007 Info: MID 636797 ICID 6349140 From:
Mon Jun 11 14:37:49 2007 Info: MID 636797 ICID 6349140 RID 0 To:
Mon Jun 11 14:37:49 2007 Info: MID 636797 Message-ID ''
Mon Jun 11 14:37:49 2007 Info: MID 636797 Subject 'Test Message for IronPort Nation'
Mon Jun 11 14:37:49 2007 Info: MID 636797 ready 649 bytes from
Mon Jun 11 14:37:50 2007 Info: MID 636797 DomainKeys: signing with bivens-us - matches [email protected]
Mon Jun 11 14:37:50 2007 Info: MID 636797 matched all recipients for per-recipient policy DEFAULT in the outbound table
Mon Jun 11 14:37:50 2007 Info: MID 636797 interim AV verdict using Sophos CLEAN
Mon Jun 11 14:37:50 2007 Info: MID 636797 antivirus negative
Mon Jun 11 14:37:50 2007 Info: MID 636797 queued for delivery
Mon Jun 11 14:37:52 2007 Info: ICID 6349140 close
Mon Jun 11 14:37:53 2007 Info: Delivery start DCID 364856 MID 636797 to RID [0]
Mon Jun 11 14:37:54 2007 Info: Message done DCID 364856 MID 636797 to RID [0]
Mon Jun 11 14:37:54 2007 Info: MID 636797 RID [0] Response 'ok dirdel'
Mon Jun 11 14:37:54 2007 Info: Message finished MID 636797 done

If you look at the first two lines you'll see the connecting IP address and the second line has a statement for SG (abbreviation for Sender Group) followed by RELAYLIST. Check these two pieces of information and verify that the IP address isn't changing and also what Sender Group the IP address is falling under.

Sincerely,

Jay Bivens
IronPort Systems
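
The log check described in the reply above, as an added example that is not part of the original thread or IronPort's own tooling: it pairs each ICID's source address with the Sender Group it matched and reports why an expected relay host would not be treated as a relay. The sample lines are constructed, and the `ACCEPT SG UNKNOWNLIST` line assumes non-relay connections are logged in the same shape as the `RELAY SG RELAYLIST` line shown in the excerpt.

```python
import re

# Patterns follow the two ICID lines in the mail_logs excerpt above.
NEW_CONN = re.compile(r"New SMTP ICID (\d+) interface (\S+) \((\S+)\) address (\S+)")
CLASSIFIED = re.compile(r"ICID (\d+) (\w+) SG (\S+) match (\S+)")

# Constructed sample lines (not from a real appliance). The ACCEPT/UNKNOWNLIST
# line assumes non-relay connections are logged in the same shape.
SAMPLE_LOG = [
    "Mon Jun 11 14:37:49 2007 Info: New SMTP ICID 101 interface PublicNet (10.12.23.12) address 10.12.23.55 reverse dns host mail.example.test verified yes",
    "Mon Jun 11 14:37:49 2007 Info: ICID 101 RELAY SG RELAYLIST match 10.12.23.0/24 SBRS rfc1918",
    "Mon Jun 11 14:40:02 2007 Info: New SMTP ICID 102 interface PublicNet (10.12.23.12) address 192.0.2.10 reverse dns host unknown verified no",
    "Mon Jun 11 14:40:02 2007 Info: ICID 102 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None",
    "Mon Jun 11 14:40:03 2007 Info: ICID 102 close",
]

def classify_connections(lines):
    """Map each ICID to the source address the appliance saw and the sender group it matched."""
    conns = {}
    for line in lines:
        m = NEW_CONN.search(line)
        if m:
            conns[m.group(1)] = {"address": m.group(4), "policy": None, "sender_group": None}
            continue
        m = CLASSIFIED.search(line)
        if m and m.group(1) in conns:
            conns[m.group(1)].update(policy=m.group(2), sender_group=m.group(3))
    return conns

def relay_problems(conns, expected_ip, relay_group="RELAYLIST"):
    """List reasons why mail from expected_ip would not be treated as relayed mail."""
    findings = []
    from_expected = {i: c for i, c in conns.items() if c["address"] == expected_ip}
    for icid, c in from_expected.items():
        if c["sender_group"] != relay_group:
            findings.append(f"ICID {icid}: {expected_ip} matched {c['policy']} SG {c['sender_group']}, not {relay_group}")
    if not from_expected:
        # The host never appears under this address, e.g. because a device NATs it.
        seen = sorted({c["address"] for c in conns.values()})
        findings.append(f"no connection from {expected_ip}; addresses seen: {seen}")
    return findings

if __name__ == "__main__":
    conns = classify_connections(SAMPLE_LOG)
    for ip in ("10.12.23.55", "192.0.2.10", "10.12.23.60"):
        print(ip, relay_problems(conns, ip) or "classified in RELAYLIST")
```
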

Denis_ironport Tue, 06/12/2007 - 17:56

Do I need to create an OutgoingMail listener? Would it be Private or Public?


You don't need to create an extra listener for outbound mail. If your Exchange server's IP is already in your existing relaylist, then use Jay's advice for debugging the issue.

Cheers

Denis
