10-25-2007 05:27 AM
My company has a C100. Suppose that the incoming MX record IP for my company domain is A.B.C.D
My boss always has a trip to another country and would like to use A.B.C.D as the SMTP server address in Outlook client. By default, if I point to A.B.C.D as the SMTP server, I cannot send email to other domains except my company domain. How can I configure my C100 with SMTP authentication to do that?
10-25-2007 10:04 PM
Setting up relaying functionality for external users who are outside of the company's network that use Outlook Express or Mozilla Thunderbird or similar mail clients.
NOTE: Before setting up LDAP SMTPAUTH, you need to configure an LDAP profile that connects to a Domain Controller, Active Directory, etc. This can be done in the "System Administration --> LDAP" section.
(1) After the LDAP Profile has been set up and is working, go to "System Administration -> LDAP -> server profile -> SMTP Authentication Query". Checkmark this item.
For the 'query string', use: (samaccountname={u}) for Active Directory. It may be different for Lotus, Novell.
For the 'Authentication Method', use: Authenticate via LDAP BIND
The other settings can be left as default.
Submit and Commit changes. Perform a few tests to confirm that authentication works. You should submit your Windows credentials (i.e. jsmith/*****). If it doesn't, verify if LDAP Accept works up top.
(2) Now, click on "Network -> SMTP Authentication -> Add Profile ...". Select LDAP as the 'Profile Type'. Submit and Commit changes.
(3) Click on "Network -> Listener -> either public or private listener" to enable the ldap profile for this listener.
For the 'SMTP Authentication Profile', select the ldap profile that you created in the previous step. Submit and Commit changes.
(4) Click on "Mail Policies > Mail Flow Policies". Make sure you select the correct "Listener" at the top. Select the Listener/IP address that external users will be connecting on.
Once the correct listener in the Mail Flow Policies is selected, click on "Default Policy Parameters".
In the "Default Policy Parameters", go down to the bottom to the "Security Features" section. For the "SMTP Authentication", set it to "Preferred".
Submit and Commit Changes.
(5) At this point, you should be able to authenticate yourself using the Ironport appliance as your 'Outgoing server' in Outlook Express or Mozilla Thunderbird and relay mail.
If you successfully authenticate, your HAT/mail flow policy will be set to 'Relay' and bypass LDAP ACCEPT and RAT check.
Example of what it should look like in the mail_logs when there is a successful relay with TLS enabled.
Wed Sep 12 07:59:39 2007 Info: New SMTP ICID 36 interface Management (172.19.0.146) address 10.251.21.126 reverse dns host unknown verified no
Wed Sep 12 07:59:39 2007 Info: ICID 36 ACCEPT SG SUSPECTLIST match sbrs[none] SBRS None
Wed Sep 12 07:59:41 2007 Info: ICID 36 TLS success protocol TLSv1 cipher DHE-RSA-AES256-SHA
Wed Sep 12 07:59:41 2007 Info: SMTP Auth: (ICID 36) succeeded for user: jsmith using AUTH mechanism: LOGIN with profile: ldap_smtp
.....
.....
......
Wed Sep 12 07:59:41 2007 Info: MID 86 matched all recipients for per-recipient policy DEFAULT in the outbound table
The outbound table entry indicates that it's going out to the Internet as opposed to inbound table, which is heading into your network.
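Added example (not part of the original post and not IronPort code): a Python check over mail_logs lines in the format shown above. It correlates each successful SMTP Auth with its connection by ICID and flags LOGIN or PLAIN authentication on a connection that logged no TLS success, since those mechanisms send the password only base64-encoded. The ICID 37 lines and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# ICID 36 lines are copied from the post above; the ICID 37 lines are
# constructed for this example (same formats, but no TLS line).
SAMPLE_LOG = """\
Wed Sep 12 07:59:39 2007 Info: New SMTP ICID 36 interface Management (172.19.0.146) address 10.251.21.126 reverse dns host unknown verified no
Wed Sep 12 07:59:39 2007 Info: ICID 36 ACCEPT SG SUSPECTLIST match sbrs[none] SBRS None
Wed Sep 12 07:59:41 2007 Info: ICID 36 TLS success protocol TLSv1 cipher DHE-RSA-AES256-SHA
Wed Sep 12 07:59:41 2007 Info: SMTP Auth: (ICID 36) succeeded for user: jsmith using AUTH mechanism: LOGIN with profile: ldap_smtp
Wed Sep 12 08:03:10 2007 Info: New SMTP ICID 37 interface Management (172.19.0.146) address 192.0.2.44 reverse dns host unknown verified no
Wed Sep 12 08:03:10 2007 Info: ICID 37 ACCEPT SG SUSPECTLIST match sbrs[none] SBRS None
Wed Sep 12 08:03:12 2007 Info: SMTP Auth: (ICID 37) succeeded for user: jsmith using AUTH mechanism: LOGIN with profile: ldap_smtp
"""

NEW_CONN = re.compile(r"New SMTP ICID (\d+) interface \S+ \(\S+\) address (\S+)")
SENDER_GROUP = re.compile(r"ICID (\d+) (\w+) SG (\S+)")
TLS_OK = re.compile(r"ICID (\d+) TLS success protocol (\S+) cipher (\S+)")
AUTH_OK = re.compile(r"SMTP Auth: \(ICID (\d+)\) succeeded for user: (\S+) "
                     r"using AUTH mechanism: (\S+) with profile: (\S+)")

def audit_smtp_auth(log_text):
    """Return one record per successful SMTP AUTH, joined to its connection."""
    conns = defaultdict(dict)   # ICID -> state seen so far on that connection
    findings = []
    for line in log_text.splitlines():
        if m := NEW_CONN.search(line):
            conns[m[1]] = {"client": m[2]}          # fresh state per connection
        elif m := SENDER_GROUP.search(line):
            conns[m[1]]["sender_group"] = m[3]
        elif m := TLS_OK.search(line):
            conns[m[1]]["tls"] = f"{m[2]}/{m[3]}"
        elif m := AUTH_OK.search(line):
            c = conns[m[1]]
            tls = c.get("tls")                      # None if no TLS before AUTH
            findings.append({
                "icid": int(m[1]), "user": m[2], "mechanism": m[3],
                "profile": m[4], "client": c.get("client"),
                "sender_group": c.get("sender_group"), "tls": tls,
                "cleartext_credentials": tls is None and m[3] in ("LOGIN", "PLAIN"),
            })
    return findings

if __name__ == "__main__":
    for f in audit_smtp_auth(SAMPLE_LOG):
        print(f)
```
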
10-26-2007 03:25 AM
Thank you very much. I got it.
One more question, as you mentioned.
(4) Click on "Mail Policies > Mail Flow Policies". Make sure you select the correct "Listener" at the top. Select the Listener/IP address that external users will be connecting on.
I just got one listener(For Incoming and Outgoing) in my C100. Do I need to create one more listener for the external users?? If so, public or private listener??
For the SMTP authentication, What's the difference between "Preferred" and "Required"??
11-21-2007 11:37 AM
Hello
I set as suggested, but when trying to send email to the company smtp from internet, most users receive this error message
554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.
any suggestion?
thanks
11-21-2007 03:41 PM
This ***probably*** relates to the order of the policy, you'll need to ensure that this policy is higher than anything that might interfere.
11-22-2007 11:10 AM
thanks, but it's the highest one and it doesn't work
12-10-2007 01:55 PM
I got the same problem. All the configuration follows the document, which is almost the same as jgill. The test IP is dynamic and the SBRS is -3.5.
Add a new HAT policy under RELAYLIST which sender group's SBRS is -4 to 0. I can send mail from outside now. My question is how to skip the SBRS check before SMTPAUTH.
12-17-2007 04:31 AM
Add a new HAT policy under RELAYLIST which sender group's SBRS is -4 to 0. I can send mail from outside now. My question is how to skip the SBRS check before SMTPAUTH.