Cisco Support Community

New Member

HAT access: permit access to anyone, restrict using SMTP auth


We have a question regarding who can send mail through the appliance. Is there a way to allow anyone to send mail through the appliance (not defining a specific network or IP in the Relay mail flow policy)? After this is done we would only allow users to send mail who successfully authenticate in our SMTP server by employing an SMTP auth profile.

Thank you for your thoughts!!

Best Regards,


New Member

Re: HAT access: permit access to anyone, restrict using SMTP aut

This is quite possible, but a really bad idea. Perhaps you can share some more details about your initial requirements, end goals, and existing setup.

To be honest though, you don't need too much extra configuration to 'open up' access from any IP address. Try first to configure SMTP authentication with the following directions and then see if it suits your needs:

Let us know how you make out.


New Member

Re: HAT access: permit access to anyone, restrict using SMTP aut

Thank you Andrew,

We have already configured SMTP auth with a forwarding profile and tested it OK. We first had a HAT policy, a Relay one that only allowed certain networks (our corporate networks) to send mail through the IronPort, and this policy worked fine until our scenarios changed. On the other hand, we provide email services to several customers that get their IP in a dynamic way, so it is very difficult to know which IP they will be getting any given day. Because of this scenario, when upgrading our email infrastructure to employ IronPort we thought of only allowing our users to send mail previously by checking their identity, thus allowing us to accept multiple ranges of dynamic IPs.

Another item regarding our design is that VIP users within our organization like to access their mail from home (through their MUAs configured not through a webmail-kind-of-service). This also gave us an inconvenience of allowing only our corporate network to be able to send mail through the appliance.

Again thank you for your comments,

Best regards