Failed TLS Connection to alternate SMTP Destination
I have a typical Exchange 2003 environment; all outbound mail is directed to IronPort C100 for delivery. I have a need to encrypt some outbound email, and so I created a content filter that basically says if "secure:" is in the subject line, then send mail to alternate destination host. In testing this process, it seems as if all is well until IronPort tries to contact the destination host. The mail log capture indicates the following:
Info: New SMTP ICID 4561477 interface in/out (10.0.0.20) address 10.1.1.70 reverse dns host moex.uhcu.net verified yes
Info: ICID 4561477 RELAY SG RELAYLIST match 10.1.1.70 SBRS rfc1918
Info: Start MID 1006256 ICID 4561477
Info: MID 1006256 ICID 4561477 From: <pgerdes>
Info: MID 1006256 ICID 4561477 RID 0 To: <pgerdes66>
Info: MID 1006256 Message-ID '<DB146C512E331D428A863D74E0DD9E8408916772>'
Info: MID 1006256 Subject 'secure:'
Info: MID 1006256 ready 9518 bytes from <pgerdes>
Info: MID 1006256 matched all recipients for per-recipient policy DEFAULT in the outbound table
Info: ICID 4561477 close
Info: MID 1006256 interim AV verdict using Sophos CLEAN
Info: MID 1006256 antivirus negative
Info: MID 1006256 queued for delivery
Info: DCID 361778 TLS success protocol TLSv1 cipher RC4-SHA smtp.perimeterusa.com
Info: New SMTP DCID 361778 interface 10.0.0.20 address 22.214.171.124 port 25
Info: Delivery start DCID 361778 MID 1006256 to RID
Info: Bounced: DCID 361778 MID 1006256 to RID 0 - 5.1.0 - Unknown address error ('554', ['5.7.1 <pgerdes66>: Relay access denied'])
One caveat is that the email encryption provider can only provide instructions for setting up a TLS Connection directly from Exchange 2003 to their SMTP Gateway using a SmartHost connection, which requires a username and password. Do I need to configure a username/password and somehow insert that into the TLS session from IronPort to the alternate SMTP Host?
Re: Failed TLS Connection to alternate SMTP Destination
First let me say, I wish you would consider using the on-box IronPort/PostX email encryption available in the 5.5 release, in place of outsourcing this feature. I would be glad to demo this for you.
In any case, here is the solution to your problem (details are found in the “Outgoing SMTP Authentication” section of the Advanced User Guide, online help):
Step 1) Create an Outgoing SMTP Authentication Profile (this is done under the Network -> SMTP Authentication menu).
Step 2) Add or edit an SMTP Route for the IP address of the "alternate destination host" you are connecting to, and set the outgoing SMTP Authentication to use the profile created in step 1.
Optional Step 3) email me and I can come by your office and help.
Erich Stokes IronPort Systems Engineer South Central Region, US firstname.lastname@example.org (Based in Austin, TX)
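An added example, not part of the original posts and not IronPort tooling: a short Python script that correlates delivery connections by DCID in mail-log lines like those quoted in the question and flags the pattern seen in this thread, where TLS negotiates successfully but the destination still answers 554 5.7.1 Relay access denied. The sample lines are constructed in the style of the quoted log (addresses are placeholders), and the name diagnose is hypothetical.

```python
import re

# Constructed sample in the style of the mail log quoted in the question.
SAMPLE_LOG = """\
Info: DCID 361778 TLS success protocol TLSv1 cipher RC4-SHA smtp.perimeterusa.com
Info: New SMTP DCID 361778 interface 10.0.0.20 address 192.0.2.25 port 25
Info: Delivery start DCID 361778 MID 1006256 to RID [0]
Info: Bounced: DCID 361778 MID 1006256 to RID 0 - 5.1.0 - Unknown address error ('554', ['5.7.1 <user@example.com>: Relay access denied'])
Info: DCID 361779 TLS success protocol TLSv1 cipher RC4-SHA mx.example.net
Info: Delivery start DCID 361779 MID 1006257 to RID [0]
Info: Message done DCID 361779 MID 1006257 to RID [0]
"""

TLS_RE = re.compile(r"DCID (\d+) TLS success protocol (\S+) cipher (\S+)(?: (\S+))?")
BOUNCE_RE = re.compile(r"Bounced: DCID (\d+) MID (\d+) .*?\('(\d{3})', \['(\d\.\d\.\d) ([^']*)'\]\)")

def diagnose(log_text):
    """Return one finding per bounced delivery, correlated with TLS state by DCID."""
    tls = {}        # DCID -> (protocol, cipher, host) for connections that negotiated TLS
    findings = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            tls[m.group(1)] = m.groups()[1:]
            continue
        m = BOUNCE_RE.search(line)
        if not m:
            continue
        dcid, mid, code, enhanced, text = m.groups()
        encrypted = dcid in tls
        relay_denied = code == "554" and enhanced == "5.7.1" and "relay" in text.lower()
        if relay_denied and encrypted:
            cause = "TLS negotiated but relay refused: check whether the SMTP route needs an outgoing SMTP AUTH profile"
        elif relay_denied:
            cause = "relay refused on a session with no logged TLS success"
        else:
            cause = "other bounce"
        findings.append({"dcid": dcid, "mid": mid, "tls": encrypted,
                         "reply": f"{code} {enhanced}", "cause": cause})
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

A successful TLS handshake only encrypts the session; the smart host still decides whether to relay based on who the sender is, which is why the bounce appears after "TLS success" in the log.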