Cisco Support Community

Failed TLS Connection to alternate SMTP Destination

I have a typical Exchange 2003 environment, all outbound mail is directed to IronPort C100 for delivery. I have a need to encrypt some outbound email, and so I created a content filter that basically says if "secure:" is in the subject line, then send mail to alternate destination host. In testing this process, it seems as if all is well until IronPort tries to contact the destination host. The mail log capture indicates the following:

Info: New SMTP ICID 4561477 interface in/out ( address reverse dns host verified yes
Info: ICID 4561477 RELAY SG RELAYLIST match SBRS rfc1918
Info: Start MID 1006256 ICID 4561477
Info: MID 1006256 ICID 4561477 From: <pgerdes>
Info: MID 1006256 ICID 4561477 RID 0 To: <pgerdes66>
Info: MID 1006256 Message-ID '<DB146C512E331D428A863D74E0DD9E8408916772>'
Info: MID 1006256 Subject 'secure:'
Info: MID 1006256 ready 9518 bytes from <pgerdes>
Info: MID 1006256 matched all recipients for per-recipient policy DEFAULT in the outbound table
Info: ICID 4561477 close
Info: MID 1006256 interim AV verdict using Sophos CLEAN
Info: MID 1006256 antivirus negative
Info: MID 1006256 queued for delivery
Info: DCID 361778 TLS success protocol TLSv1 cipher RC4-SHA
Info: New SMTP DCID 361778 interface address port 25
Info: Delivery start DCID 361778 MID 1006256 to RID [0]
Info: Bounced: DCID 361778 MID 1006256 to RID 0 - 5.1.0 - Unknown address error ('554', ['5.7.1 <pgerdes66>: Relay access denied'])

One caveat is that the email encryption provider can only provide instructions for setting up a TLS Connection directly from Exchange 2003 to their SMTP Gateway using a SmartHost connection, which requires a username and password. Do I need to configure a username/password and somehow insert that into the TLS session from IronPort to the alternate SMTP Host?
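The log excerpt above already contains the diagnosis: the delivery connection (DCID 361778) reports "TLS success" and only afterwards receives a 554 with enhanced status 5.7.1 (a policy/authorization refusal), so the transport encryption worked and the remote gateway refused to relay. The following script is an added example, not part of the original post or of AsyncOS; it correlates the DCID/MID identifiers in mail_logs lines with their TLS outcome and bounce code so that a transport failure can be told apart from a relay-policy refusal. The second delivery (DCID 361779, MID 1006257) and its "TLS failed" line are constructed to exercise the other branch; the regular expressions are written against the log format visible in the post.

```python
import re
from collections import defaultdict

# Constructed sample. The first delivery is the excerpt from the post above
# (trimmed to the lines the triage needs); the second delivery (DCID 361779,
# MID 1006257) is constructed to show a genuine TLS transport failure.
SAMPLE_LOG = """\
Info: MID 1006256 queued for delivery
Info: DCID 361778 TLS success protocol TLSv1 cipher RC4-SHA
Info: New SMTP DCID 361778 interface address port 25
Info: Delivery start DCID 361778 MID 1006256 to RID [0]
Info: Bounced: DCID 361778 MID 1006256 to RID 0 - 5.1.0 - Unknown address error ('554', ['5.7.1 <pgerdes66>: Relay access denied'])
Info: MID 1006257 queued for delivery
Info: DCID 361779 TLS failed: handshake error (constructed line)
Info: Bounced: DCID 361779 MID 1006257 to RID 0 - 5.1.0 - Unknown address error ('554', ['5.7.0 Encryption required'])
"""

# DCID = delivery connection id, MID = message id, as used in the log lines.
TLS_RE = re.compile(r"DCID (\d+) TLS (success|failed)(?: protocol (\S+) cipher (\S+))?")
BOUNCE_RE = re.compile(
    r"Bounced: DCID (\d+) MID (\d+) .*?\('(\d{3})', \['(\d\.\d\.\d) ([^']*)'\]"
)


def triage(log_text):
    """Correlate each outbound delivery connection with its TLS outcome and any
    bounce, and classify what actually failed.

    Returns {(dcid, mid): {"tls", "protocol", "cipher", "code", "enhanced",
    "reason", "verdict"}}.
    """
    tls = {}                      # dcid -> (state, protocol, cipher)
    bounces = defaultdict(list)   # dcid -> [(mid, smtp_code, enhanced_code, text)]

    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            tls[m.group(1)] = (m.group(2), m.group(3), m.group(4))
            continue
        m = BOUNCE_RE.search(line)
        if m:
            bounces[m.group(1)].append((m.group(2), m.group(3), m.group(4), m.group(5)))

    findings = {}
    for dcid, items in bounces.items():
        state, proto, cipher = tls.get(dcid, ("none", None, None))
        for mid, code, ecode, text in items:
            if state == "failed":
                # Handshake never completed: certificate, protocol or cipher problem.
                verdict = "transport: TLS handshake failed"
            elif ecode.startswith("5.7."):
                # RFC 3463 class 5.7.x is a security/policy refusal. With TLS up,
                # the remote refused to relay; that is an authorization gap
                # (e.g. outgoing SMTP authentication not configured), not TLS.
                verdict = "policy: remote refused relay/authorization; TLS state was %s" % state
            else:
                verdict = "other permanent failure"
            findings[(dcid, mid)] = {
                "tls": state, "protocol": proto, "cipher": cipher,
                "code": code, "enhanced": ecode, "reason": text, "verdict": verdict,
            }
    return findings


if __name__ == "__main__":
    for key, f in sorted(triage(SAMPLE_LOG).items()):
        print("DCID %s MID %s: %s %s -> %s" % (key + (f["code"], f["enhanced"], f["verdict"])))
```

Run against the post's own lines, the script reports the first delivery as a policy refusal over a working TLS session, which is exactly the case an outgoing SMTP authentication profile on the SMTP route is meant to cover; a "TLS failed" line instead points at certificates, protocol versions or cipher configuration on one of the two sides.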

New Member

Re: Failed TLS Connection to alternate SMTP Destination

First let me say, I wish you would consider using the on-box IronPort/PostX email encryption available in the 5.5 release, in place of outsourcing this feature. I would be glad to demo this for you.

In any case, here is the solution to your problem: (details found in the “Outgoing SMTP Authentication” section of the Advanced User Guide – online help.)
Step 1) Create an Outgoing SMTP Authentication Profile (this is done under the Network -> SMTP Authentication menu).
Step 2) Add or Edit an SMTP Route for the IP address of the "alternate destination host" you are connecting to, and set the outgoing SMTP Authentication to use the profile created in step 1).

Optional Step 3) email me and I can come by your office and help.

Erich Stokes
IronPort Systems Engineer
South Central Region, US
(Based in Austin, TX)
