New Member

Ironport C160-Best practice config for my 2 listeners?

I am trialling an Ironport C160.

I want it to scan inbound and outbound mail. I have configured a public inbound listener for mail from the internet. It is configured to accept all my domains and forward them to my Exchange server. It does LDAP lookups for recipients to ensure they are valid. It uses the Data1 interface on the IP address of the Ironport and also has the hostname ironport.mydomain.com.

What is the recommended way to configure the private outbound listener? I just want it to do simple av scanning, then pass it on to my ASA.

Should I configure a new interface on Data2, and use port 25? If so, what would the hostname be?

Or use the same interface and use port 24 instead?

What are the pros and cons of each setup?

2 REPLIES
New Member

Re: Ironport C160-Best practice config for my 2 listeners?

I tried to set up both inbound and outbound traffic to be configured on the same NIC, same IP, same Listener, then use a different SenderGroup and a different Mail Flow Policy to allow mail from my Exchange server out.

But when I test it, it seems it is using the LDAP lookup on my outbound emails too.

This seems to indicate that I do need an additional listener if I want to use LDAP inbound.

Cisco Employee

Ironport C160-Best practice config for my 2 listeners?

Please note that you can add your Exchange server IP address into RELAYLIST or any sender group with the RELAYED mail flow policy, or a mail flow policy with 'Relay' connection behavior. Add the IronPort listener IP as smart host on the Exchange server. All emails from the Exchange server will then be treated as outgoing emails, and the envelope recipient address will not be checked against LDAP.

Most of my customers simply use one listener for both incoming and outgoing emails. You can choose to have multiple listeners for incoming (e.g. Different domains want to have their own MX IP addresses, sender groups for whitelist, greylist, blacklist domain/IP ranges) and outgoing emails (e.g. Not adding 'Received' header for outgoing listener for security reason).

Please note that there is a restriction that you cannot configure IP addresses on same network range on different physical interfaces on IronPort.

You can also configure multiple IP interfaces or interface groups on IronPort such that you can deliver emails for different domains, normal or urgent, management or marketing or other emails by different IP addresses or IP range.
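To make the single-listener behaviour described in this reply concrete, here is an added illustration (not Cisco code or configuration) of how a listener maps the connecting IP to a sender group, the sender group to a mail flow policy, and only applies the LDAP accept query under the Accept behaviour. The sender-group names, CIDRs, policy names and the LDAP directory are constructed for the example.

```python
"""Toy model of an ESA listener's RCPT TO decision: sender group -> mail flow
policy -> whether the recipient is validated against LDAP. Added example;
all values below are constructed, not taken from a real appliance."""
import ipaddress

# Constructed sender groups, evaluated top to bottom; first match wins.
# The RELAYLIST entry stands in for the Exchange server IP from the reply.
SENDER_GROUPS = [
    ("RELAYLIST", ["192.0.2.10/32"], "RELAYED"),     # assumed Exchange IP
    ("BLACKLIST", ["198.51.100.0/24"], "BLOCKED"),
    ("ALL", ["0.0.0.0/0"], "ACCEPTED"),
]

# Constructed mail flow policies mapped to their connection behaviour.
POLICIES = {"RELAYED": "Relay", "ACCEPTED": "Accept", "BLOCKED": "Reject"}

# Constructed stand-in for the LDAP accept query: valid local recipients.
LOCAL_DOMAINS = {"example.com"}
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}


def match_sender_group(remote_ip):
    """Return (sender_group_name, connection_behaviour) for a connecting IP."""
    ip = ipaddress.ip_address(remote_ip)
    for name, cidrs, policy in SENDER_GROUPS:
        if any(ip in ipaddress.ip_network(c) for c in cidrs):
            return name, POLICIES[policy]
    raise ValueError("no sender group matched %s" % remote_ip)


def rcpt_to_decision(remote_ip, recipient):
    """Return (sender_group, smtp_response) for one RCPT TO command."""
    group, behaviour = match_sender_group(remote_ip)
    if behaviour == "Reject":
        return group, "550 connection rejected by sender group"
    if behaviour == "Relay":
        # Relay behaviour: mail is outbound, any recipient is accepted and
        # the LDAP accept query is skipped (the point of the reply above).
        return group, "250 ok (relayed, no LDAP check)"
    # Accept behaviour: inbound mail, only local domains, recipient must
    # exist in LDAP, otherwise the appliance would become an open relay.
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain not in LOCAL_DOMAINS:
        return group, "550 relaying denied"
    if recipient.lower() not in VALID_RECIPIENTS:
        return group, "550 no such recipient (LDAP accept query)"
    return group, "250 ok"
```

Note that the RELAYLIST entry is deliberately a single /32: any host that matches a Relay policy can send to arbitrary recipients, so that group should contain only your own mail servers.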
