Email Relay

My company has a C100. Suppose that the incoming MX record IP for my company domain is A.B.C.D

My boss always has a trip to another country and would like to use A.B.C.D as the SMTP server address in Outlook client. By default, if I point to A.B.C.D as the SMTP server, I cannot send email to other domains except my company domain. How can I configure my C100 with SMTP authentication to do that?

7 Replies

jaigill
Cisco Employee

Setting up relaying functionality for external users who are outside of the company's network that use Outlook Express or Mozilla Thunderbird or similar mail clients.

NOTE: Before setting up LDAP SMTPAUTH, you need to configure an LDAP profile that connects to a Domain Controller, Active Directory, etc. This can be done in the "System Administration --> LDAP" section.


(1) After the LDAP Profile has been set up and is working, go to "System Administration -> LDAP -> server profile -> SMTP Authentication Query". Checkmark this item.

For the 'query string', use: (samaccountname={u}) for Active Directory. It may be different for Lotus, Novell.

For the 'Authentication Method', use: Authenticate via LDAP BIND

The other settings can be left as default.

Submit and Commit changes. Perform a few tests to confirm that authentication works. You should submit your Windows credentials (i.e. jsmith/*****). If it doesn't, verify if LDAP Accept works up top.


(2) Now, click on "Network -> SMTP Authentication -> Add Profile ...". Select LDAP as the 'Profile Type'. Submit and Commit changes.

(3) Click on "Network -> Listener -> either public or private listener" to enable the ldap profile for this listener.

For the 'SMTP Authentication Profile', select the ldap profile that you created in the previous step. Submit and Commit changes.

(4) Click on "Mail Policies > Mail Flow Policies". Make sure you select the correct "Listener" at the top. Select the Listener/IP address that external users will be connecting on.

Once the correct listener in the Mail Flow Policies is selected, click on "Default Policy Parameters".

In the "Default Policy Parameters", go down to the bottom to the "Security Features" section. For the "SMTP Authentication", set it to "Preferred".

Submit and Commit Changes.


(5) At this point, you should be able to authenticate yourself using the IronPort appliance as your 'Outgoing server' in Outlook Express or Mozilla Thunderbird and relay mail.

If you successfully authenticate, your HAT/mail flow policy will be set to 'Relay' and bypass LDAP ACCEPT and RAT check.


Example of what it should look like in the mail_logs when there is a successful relay with TLS enabled.

Wed Sep 12 07:59:39 2007 Info: New SMTP ICID 36 interface Management (172.19.0.146) address 10.251.21.126 reverse dns host unknown verified no
Wed Sep 12 07:59:39 2007 Info: ICID 36 ACCEPT SG SUSPECTLIST match sbrs[none] SBRS None
Wed Sep 12 07:59:41 2007 Info: ICID 36 TLS success protocol TLSv1 cipher DHE-RSA-AES256-SHA
Wed Sep 12 07:59:41 2007 Info: SMTP Auth: (ICID 36) succeeded for user: jsmith using AUTH mechanism: LOGIN with profile: ldap_smtp
.....
.....
......
Wed Sep 12 07:59:41 2007 Info: MID 86 matched all recipients for per-recipient policy DEFAULT in the outbound table



The outbound table entry indicates that it's going out to the Internet as opposed to inbound table, which is heading into your network.
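As an added example (not code from the original thread or from Cisco), a small Python audit over mail_logs lines in the shape of the excerpt above: it groups lines by ICID, ties each MID that hit the outbound table back to its connection, and flags any outbound relay that happened without SMTP AUTH or without TLS, as well as connections the HAT rejected on reputation. The ICID 36 lines come from the post; the "Start MID ... ICID ..." line, the ICID 37 REJECT line and the ICID 38 session are constructed sample input whose exact format is assumed.

```python
import re
from collections import defaultdict
# Constructed sample shaped like the thread's mail_logs excerpt; the Start MID, ICID 37 and ICID 38 lines are assumed.
SAMPLE_LOG = """\
Wed Sep 12 07:59:39 2007 Info: ICID 36 ACCEPT SG SUSPECTLIST match sbrs[none] SBRS None
Wed Sep 12 07:59:41 2007 Info: ICID 36 TLS success protocol TLSv1 cipher DHE-RSA-AES256-SHA
Wed Sep 12 07:59:41 2007 Info: SMTP Auth: (ICID 36) succeeded for user: jsmith using AUTH mechanism: LOGIN with profile: ldap_smtp
Wed Sep 12 07:59:41 2007 Info: Start MID 86 ICID 36
Wed Sep 12 07:59:41 2007 Info: MID 86 matched all recipients for per-recipient policy DEFAULT in the outbound table
Wed Sep 12 08:02:10 2007 Info: ICID 37 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -3.5
Wed Sep 12 08:05:03 2007 Info: SMTP Auth: (ICID 38) succeeded for user: bjones using AUTH mechanism: LOGIN with profile: ldap_smtp
Wed Sep 12 08:05:04 2007 Info: Start MID 87 ICID 38
Wed Sep 12 08:05:04 2007 Info: MID 87 matched all recipients for per-recipient policy DEFAULT in the outbound table
"""

PATTERNS = {  # named groups double as the session fields they fill in
    "hat": re.compile(r"ICID (?P<icid>\d+) (?P<verdict>ACCEPT|REJECT) SG (?P<sg>\S+) .*SBRS (?P<sbrs>\S+)"),
    "tls": re.compile(r"ICID (?P<icid>\d+) TLS success protocol (?P<tls>\S+)"),
    "auth": re.compile(r"SMTP Auth: \(ICID (?P<icid>\d+)\) succeeded for user: (?P<user>\S+)"),
    "start": re.compile(r"Start MID (?P<mid>\d+) ICID (?P<icid>\d+)"),
    "out": re.compile(r"MID (?P<mid>\d+) matched all recipients .*outbound table"),
}

def parse_sessions(log):
    """Group lines by ICID and attach each MID that reached the outbound table to its ICID."""
    sessions = defaultdict(lambda: dict(verdict=None, sg=None, sbrs=None, tls=None, user=None, mids=[]))
    mid_to_icid = {}
    for line in log.splitlines():
        for kind, pat in PATTERNS.items():
            if not (m := pat.search(line)):
                continue
            g = m.groupdict()
            if kind == "start":
                mid_to_icid[g["mid"]] = g["icid"]
            elif kind == "out" and g["mid"] in mid_to_icid:
                sessions[mid_to_icid[g["mid"]]]["mids"].append(g["mid"])
            elif kind != "out":
                sessions[g.pop("icid")].update(g)
    return dict(sessions)

def audit_relays(log):
    """Checks for a relay listener: outbound only after SMTP AUTH, AUTH only over TLS, and HAT reputation rejects."""
    findings = []
    for icid, s in parse_sessions(log).items():  # dict keeps first-seen (chronological) order
        if s["verdict"] == "REJECT":
            findings.append(f"ICID {icid} rejected by HAT: SG {s['sg']} SBRS {s['sbrs']}")
        for mid in s["mids"]:
            if s["user"] is None or s["tls"] is None:
                findings.append(f"MID {mid} went outbound on ICID {icid} with user={s['user']} tls={s['tls']}")
    return findings
```

A relay that went outbound with user=None means the listener handed out 'Relay' without authentication, which is the one finding that should never appear on a correctly configured submission listener.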

Thank you very much. I got it.
One more question, as you mentioned.

(4) Click on "Mail Policies > Mail Flow Policies". Make sure you select the correct "Listener" at the top. Select the Listener/IP address that external users will be connecting on.

I just got one listener(For Incoming and Outgoing) in my C100. Do I need to create one more listener for the external users?? If so, public or private listener??

For the SMTP authentication, What's the difference between "Preferred" and "Required"??

Hello
I set it as suggested, but when trying to send email to the company SMTP from the Internet, most users receive this error message:


554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.

Any suggestions?
Thanks

spangler79
Level 1

This ***probably*** relates to the order of the policy; you'll need to ensure that this policy is higher than anything that might interfere.

Thanks, but it's the highest one and it doesn't work.

superman.do
Level 1

I got the same problem. All the configuration follows the document, which is almost the same as jaigill's. The test IP is dynamic and the SBRS is -3.5.

I added a new HAT policy under RELAYLIST whose sender group's SBRS is -4 to 0. I can send mail from outside now. My question is how to skip the SBRS check before SMTPAUTH.

Doc_ironport
Level 1

I added a new HAT policy under RELAYLIST whose sender group's SBRS is -4 to 0. I can send mail from outside now. My question is how to skip the SBRS check before SMTPAUTH.


You can't - at least not on the one listener.

The easiest way around this is to use a different listener - either on a different IP address or preferably just on a different port (port 587 is the RFC standard port for this). Disable all reputation filtering on this listener, and then configure it only to accept messages once SMTPAUTH has occurred.

You should probably also enable/enforce TLS on this listener too - unless you want your passwords/email going across the net (mostly) unencrypted.
