Solved: Re: Outbound relay

paul.mead · ‎06-30-2009

Hi, just installed the very promising Spam and Virus blocker to improve things for our Groupwise using client.

Wish to relay outbound mail via the unit as well as inbound mail; but the instructions seem to be a little incomplete - or perhaps I am being thick?

We have redirected our NAT port 25 relay to point to the new unit and inbound seems to be working well. Outbound works as usual at present as the Groupwise system stills relays in the old fashion via our ISP mail servers. Ideally I want the Cisco unit to do this.

It seems from the manual that one should set up a new private listener in addition to the already configured inbound public listener. First issue is that it would seem that the new outbound private listener needs to operate on a different port to port 25 in order to avoid a port conflict? If this is correct, then I would need to reconfigure the Groupwise SMTP relay to operate via this new private listener port (e.g. 2525?).

If someone can shed some light on this for me - that would be great! Let me know if you need any extra details.

Thanks Paul.

bethingt · ‎06-30-2009

The Blocker will not relay messages for hosts that are not configured in the relay list. The most common setup is to use an existing Listener by adding an appropriate Sender Group and Mail Flow Policy.

First create a new Mail Flow Policy from the Mail Flow Policies page of the Mail Policies tab. Click on the Add Policy Tab.

You can give it any name you want; the most common is RELAYED. The critical setting on this that the 'Connection Behavior' must be set to 'Relay'.

Once the Mail Flow Policy is created, go to the HAT Overview page of the Mail Policies tab and create a new Sender Group.

You can give it any name you like; the most common is RELAYLIST. From the Policy dropdown list, select your new Mail Flow Policy. Change the Order to 1; the first match wins and we want to make sure your trusted hosts always match on this Sender Group.

Then click on 'Submit and Add Senders'. On this page, add the IP addresses of the machines you trust to send outbound mail (Email Server).

Once you are satisfied with the outbound mail setup; Submit, Commit, and test to make sure it is working appropriately.

View solution in original post

jsteer · ‎06-30-2009

Paul

you wont need a private listener - i'd suggest you try & keep the config as simple as possible.

We had a thread on this last week that i detailed the config to do this at:

https://www.myciscocommunity.com/thread/3302?tstart=0

Of course post here if you get any problems or other questions :)

Good luck

Jason

bethingt · ‎06-30-2009

The Blocker will not relay messages for hosts that are not configured in the relay list. The most common setup is to use an existing Listener by adding an appropriate Sender Group and Mail Flow Policy.

First create a new Mail Flow Policy from the Mail Flow Policies page of the Mail Policies tab. Click on the Add Policy Tab.

You can give it any name you want; the most common is RELAYED. The critical setting on this that the 'Connection Behavior' must be set to 'Relay'.

Once the Mail Flow Policy is created, go to the HAT Overview page of the Mail Policies tab and create a new Sender Group.

You can give it any name you like; the most common is RELAYLIST. From the Policy dropdown list, select your new Mail Flow Policy. Change the Order to 1; the first match wins and we want to make sure your trusted hosts always match on this Sender Group.

Then click on 'Submit and Add Senders'. On this page, add the IP addresses of the machines you trust to send outbound mail (Email Server).

Once you are satisfied with the outbound mail setup; Submit, Commit, and test to make sure it is working appropriately.

paul.mead · ‎07-01-2009

Thanks bethingt - that was the more complete answer required - I initally missed the important order change option - which meant that my outbound emails were being blocked due to RAT - recipient testing - which correctly failed and therefore refused to relay the msg. So if this happens to you - make sure that you have selected order "1" as per bethingt instructions.

Feedback for Cisco manual writers - I have to say that the way the manual reads I am sure that it implies that you need to set up a private listener to achieve the outbound relay: I think this should rewritten and a more complete answer given with a fully worked example and screen shots.

General comments:

But I have to say after 12-24 hours of going live - this CSVB is looking very good - spam levels hitting inboxes have dropped off a cliff. Managed to get LDAP working really easily with Novell edirectory and Groupwise - so will be able to switch on LDAP authentication for access to quarantine if necessary - although quarantine access via the email digest is a really nice feature. Also be good to use ldap to help stop address book/directory attacks - although some of our Groupwise users have two forms if email address - I will need to check that the ldap query works for both,otherwise we could see CSVB blocking one form of the valid address.

Toodle pip.

paul.mead · ‎07-02-2009

Thanks for the responses - both helpful.