private and public listener

May 31st, 2010

Hi, I would like to ask about using a two-leg setup on my IronPort 360, using Data1 - private listener - relay, and Data2 - public listener - accept incoming.


My mail server has a public IP which is the primary MX of my abc.com domain - mx1.abc.com.

I defined another public IP for my IronPort, mx2.abc.com.


I'm using a Unix messaging server.


My problem is, I can't get it to work forwarding SMTP traffic from the Unix mail server towards my IronPort.


Any suggestions would be welcome.

Anyone familiar with this setup?

Tze Tai Mak Tue, 06/01/2010 - 01:32

Hi, let me try to answer your question.


In order to protect your mail server from accepting spam or malicious emails directly from the Internet (spammers will send spam to your mail host as long as it is accepting emails (open on port 25), no matter whether you publish its public IP address in an MX record or not), you should either configure your firewall to redirect inbound port 25 traffic for mx1.abc.com to the IronPort's private IP address, or configure mx2.abc.com (IronPort) as your primary MX instead. Your mail host should only accept incoming SMTP connections from the IronPort.


Please note that you cannot configure IP addresses in the same network range on two different physical interfaces on the IronPort (i.e. 10.1.1.1/24 on interface 1 and 10.1.1.2/24 on interface 2). If you want to have separate IP addresses for accepting incoming and outgoing email traffic, you can configure two IP addresses on the same physical interface (we call this a virtual gateway).


You can choose to use one IP address for both incoming and outgoing traffic (the system setup wizard will guide you through it - just tick both the "Accept mail on this interface" and "Relay mail on this interface" checkboxes, page 3-62 of the ESA 7.0.1 Configuration Guide).


Please note that you should add your mail server's private IP address (instead of its hostname) to the "Relay Outgoing Mail" list or RELAYLIST on the corresponding listener, since your mail hostname is likely to resolve to a public IP address on the DNS server configured on the IronPort.


If both your mail host and the IronPort are on a private IP network segment behind the firewall, your outgoing emails will be sent from the mail host to the IronPort (as smarthost) and the IronPort will only see the connection from the private IP address of your mail host.


I hope it helps.


Tommy
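The following is an added example, not part of the thread and not IronPort code, that models the decision Tommy's two-listener layout makes for a given sender IP and recipient domain: the public listener accepts inbound mail for abc.com from anyone but relays for nobody, the private listener relays only for the mail host's private address, and the mail host itself accepts port 25 only from the IronPort. All addresses, the FAKE_DNS table and the Listener class are constructed for the demonstration; the real Host Access Table has more states than this.

```python
"""Model of the two-listener (two-leg) ESA setup described in the reply above.

Added example, not IronPort code. All addresses are constructed for the
demonstration. Only the accept/relay/reject decision from (source IP,
recipient domain) is modelled, not the real Host Access Table.
"""
import ipaddress

# Constructed addresses (assumptions, not from the thread).
MAIL_HOST_PRIVATE = "192.168.10.5"    # Unix mail host, inside the firewall
MAIL_HOST_PUBLIC = "203.0.113.10"     # what mx1.abc.com resolves to on the Internet
IRONPORT_PRIVATE = "192.168.10.20"    # IronPort's inside address (Data1)
INTERNET_SENDER = "198.51.100.77"     # an arbitrary outside MTA or spammer
LOCAL_DOMAINS = {"abc.com"}

# Stand-in for the DNS the IronPort would query: hostname -> public address.
FAKE_DNS = {"mx1.abc.com": MAIL_HOST_PUBLIC}


def resolve(hostname):
    """Resolve a hostname the way the IronPort's DNS server would."""
    return FAKE_DNS[hostname]


class Listener:
    """Decision a listener makes for a (source IP, recipient domain) pair.

    accept_for: domains this listener accepts inbound mail for (public listener).
    relay_from: networks allowed to relay to any domain (the RELAYLIST on
                the private listener).
    """

    def __init__(self, name, accept_for=(), relay_from=()):
        self.name = name
        self.accept_for = set(accept_for)
        self.relay_from = [ipaddress.ip_network(n, strict=False) for n in relay_from]

    def decide(self, source_ip, rcpt_domain):
        src = ipaddress.ip_address(source_ip)
        if any(src in net for net in self.relay_from):
            return "RELAY"      # trusted source may send to any domain
        if rcpt_domain in self.accept_for:
            return "ACCEPT"     # inbound mail for our own domain, from anyone
        return "REJECT"         # anything else would make us an open relay


def is_open_relay(listener, probe_ip=INTERNET_SENDER):
    """True if an outside host can push mail for a foreign domain through this listener."""
    return listener.decide(probe_ip, "example.net") == "RELAY"


def mail_host_accepts(source_ip, allowed=frozenset({IRONPORT_PRIVATE})):
    """The mail host's own port-25 policy: only the IronPort may connect."""
    return source_ip in allowed


# The setup the reply recommends.
public_listener = Listener("public (Data2)", accept_for=LOCAL_DOMAINS)
private_listener = Listener("private (Data1)", relay_from=[MAIL_HOST_PRIVATE])

# The pitfall the reply warns about: RELAYLIST populated by hostname, which
# resolves to the public address, so the mail host's private source IP never matches.
private_by_hostname = Listener("private, by hostname",
                               relay_from=[resolve("mx1.abc.com")])

# A relay entry on the public listener, which turns it into an open relay.
public_with_relay = Listener("public, misconfigured",
                             accept_for=LOCAL_DOMAINS, relay_from=["0.0.0.0/0"])


def summary():
    """Collect the decisions for the cases discussed in the thread."""
    return {
        "inbound to abc.com": public_listener.decide(INTERNET_SENDER, "abc.com"),
        "outsider relay attempt": public_listener.decide(INTERNET_SENDER, "example.net"),
        "mail host outbound": private_listener.decide(MAIL_HOST_PRIVATE, "example.net"),
        "relaylist by hostname": private_by_hostname.decide(MAIL_HOST_PRIVATE, "example.net"),
        "public listener open relay": is_open_relay(public_with_relay),
        "direct spam to mail host": mail_host_accepts(INTERNET_SENDER),
    }


if __name__ == "__main__":
    for case, result in summary().items():
        print(f"{case:28} {result}")
```

The "relaylist by hostname" case is the one to watch: the RELAYLIST entry is correct as far as DNS is concerned, but the connection arrives from the private address, so the mail host's outbound mail is rejected rather than relayed. Putting the private address in the list fixes it, as the reply says.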

angfeglandagan Tue, 06/01/2010 - 09:48

Hi Tommy,

Thanks for the information indeed.


I was able to make it work after rigorous testing, and these were my mistakes:

  - I happened to define a wrong relay on the public listener, which shouldn't be the case since this will just accept all incoming mail for that particular trusted domain. The relay should be on the private interface, since this will be used by the mail server for SMTP traffic.

  - I used different hostnames on my private and public listeners, which I corrected to mail.abc.com on both.


I modified the rules on the SRX firewall.

Then I configured the Linux box to relay to my private IP, then tested...



Thank you for the information.
