Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1708
Views
0
Helpful
5
Replies

Using c-100 as smarthost

Pauly_ironport
Level 1
Level 1

‎06-10-2007 05:13 AM

Hey everyone, I have Exchange 2003 sending outbound mail to a Mail Marshal box ATM. I have just implimented 2 C-100's because the MM box just isn't cutting it anymore.

The C-100's are setup and working perfectly with incoming mail, but as soon as I change the smarthost setting on the Exchange box to point to the C100, I get the following for all outgoing mail :

"There was a SMTP communication problem with the recipient's email server. Please contact your system administrator.
smtp;550 #5.1.0 Address rejected

Anyone know why?
I assume a relay or DNS setting?

**EDIT** Looked at the logs, seems the outbound mail is being rejected because of the RAT policies - how do I set this right?

I think what is happening is that outbound mail is being redirected back to my Exchange box, and therefore being rejected?

TIA
Paul.

Labels:
0 Helpful
5 Replies 5

Denis_ironport
Level 1
Level 1

‎06-10-2007 06:11 PM

Did you add your exchange server to the Ironports relaylist? "Mail Policies" -> "HAT Overview". Select your Outbound Listener from the dropdown and click the relaylist. The relaylist might be called differently in your setup. It's the "Sender Group" which uses the "Mail Flow Policy" with "Relay" behavoir. If you don't have one, you need to create it.

Cheers

Denis

0 Helpful

Pauly_ironport
Level 1
Level 1

‎06-11-2007 05:13 AM

Thanks for the reply Denis.

I only have one Listener called "IncomingMail" running off the Management Port (using Port 25).

On this listener there is a Relaylist that has the IP of my Exchange box in the Sender box in the HAT Overview screen.

Do I need to create an OutgoingMail listener? Would it be Private or Public?
Does it need to use the same LDAP queries as my current listener?

TIA for your help.
Paul.

0 Helpful

jbivens_ironport
Level 1
Level 1

‎06-11-2007 07:42 PM

Pauly,

If the RAT is rejecting it then your Exchange server isn't being classified in the RELAYLIST. This could be due to the fact that the Exchange server is going through a device that is NATing the source IP address.

What you need to pay attention is the information in the logs that contain the ICID (Incoming Connection ID). This will show you IP address that the IronPort see's and also the Sender Group that the IP address is falling under. Below is an example output:

ip1.bivens.us> grep -e "MID 636797" -e "ICID 6349140" mail_logs

Mon Jun 11 14:37:49 2007 Info: New SMTP ICID 6349140 interface PublicNet (10.12.23.12) address 10.12.23.55 reverse dns host mybook.bivens.us verified yes
Mon Jun 11 14:37:49 2007 Info: ICID 6349140 RELAY SG RELAYLIST match 10.12.23.0/24 SBRS rfc1918
Mon Jun 11 14:37:49 2007 Info: ICID 6349140 TLS success protocol TLSv1 cipher DES-CBC3-SHA
Mon Jun 11 14:37:49 2007 Info: SMTP Auth: (ICID 6349140) succeeded for user: jbivens using AUTH mechanism: LOGIN with profile: OpenLDAP
Mon Jun 11 14:37:49 2007 Info: Start MID 636797 ICID 6349140
Mon Jun 11 14:37:49 2007 Info: MID 636797 ICID 6349140 From:
Mon Jun 11 14:37:49 2007 Info: MID 636797 ICID 6349140 RID 0 To:
Mon Jun 11 14:37:49 2007 Info: MID 636797 Message-ID ''
Mon Jun 11 14:37:49 2007 Info: MID 636797 Subject 'Test Message for IronPort Nation'
Mon Jun 11 14:37:49 2007 Info: MID 636797 ready 649 bytes from
Mon Jun 11 14:37:50 2007 Info: MID 636797 DomainKeys: signing with bivens-us - matches jbivens@bivens.us
Mon Jun 11 14:37:50 2007 Info: MID 636797 matched all recipients for per-recipient policy DEFAULT in the outbound table
Mon Jun 11 14:37:50 2007 Info: MID 636797 interim AV verdict using Sophos CLEAN
Mon Jun 11 14:37:50 2007 Info: MID 636797 antivirus negative
Mon Jun 11 14:37:50 2007 Info: MID 636797 queued for delivery
Mon Jun 11 14:37:52 2007 Info: ICID 6349140 close
Mon Jun 11 14:37:53 2007 Info: Delivery start DCID 364856 MID 636797 to RID [0]
Mon Jun 11 14:37:54 2007 Info: Message done DCID 364856 MID 636797 to RID [0]
Mon Jun 11 14:37:54 2007 Info: MID 636797 RID [0] Response 'ok dirdel'
Mon Jun 11 14:37:54 2007 Info: Message finished MID 636797 done

If you look at the first two lines you'll see the connecting IP address and the second line has a statement for SG (abbreviation for Sender Group) followed by RELAYLIST. Check these two pieces of information and verify that the IP address isn't changing and also what Sender Group the IP address is falling under.

Sincerely,

Jay Bivens
IronPort Systems

0 Helpful

Denis_ironport
Level 1
Level 1

‎06-12-2007 05:56 PM 

Do I need to create an OutgoingMail listener? Would it be Private or Public?


You don't need to create an extra listener for outbound mail. If your exchange servers IP is already in your existing relaylist, then use Jay's advice for debugging the issue.

Cheers

Denis

0 Helpful

Pauly_ironport
Level 1
Level 1

‎06-12-2007 11:26 PM

Thanks guys, working on it now!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents