Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Email Security Quick-links: ESA Product Support | SMA Product Support | Email Submission and Tracking Portal | Cisco SecurityHub
Current General Deployment (GD) Releases:
ESA: 11.0.0-264 WSA: 10.5.1-296 SMA: 11.0.0-115 Email Plug-in (Reporting): 1.0.1-048 Email Plug-in (Encryption): 1.0.0-036

New Member

Ironport C160 installation and configuration effort : New User

I've  never worked with Ironport before, so I'm trying to estimate the amount  of effort required to install and configure a C160 appliance.  This  would be a small site deployment of approximately 150 users.

I have to test it our lab before start using it , so as if now we have a switch and all(Mail Server , Mail client and ESA) are connected to the same switch in same subnet .

Switch --------------ESA (192.168.42.42)

                  |

                  ------Mail Server (MDamen 192.168.42.43)

                  |

                  -------Mail Client 1 , this same client is used to access ESA WUI.

                  |

                  -------Mail Client 2

I run SSW in ESA and given ip for Mail Server as repaly .Now, i am sending mail from client one to client two and do not see anything on ESA monitoring . please let me know if this is wrong deployement .

I do have ASA in lab which i can use it for this if required.

Thanks,

9 REPLIES
Cisco Employee

Ironport C160 installation and configuration effort : New User

Hello Riyasat,

I'm assuming you have configured the appliance to take connections from the IP 192.168.42.43 to go through the RELAYLIST on your appliance's listener (sendergroup) for outbound mail flows ?

When you said you checked the monitoring, is this on the message tracking on the GUI ?

Is your SMTP routes configured to send emails internally ?

I'd say an effective way to troubleshoot ot see if the appliance is seeing this connection and how it's being treated is.

Log into appliance command line interface (PuTTy)


Use this command "tail mail_logs"
Go on your mial client and attempt to send a test email, which should route to the mail server which connects to your appliance

After which it should trace it into the mail logs where you can review what is happening after.

New Member

Re: Ironport C160 installation and configuration effort : New Us

yes , I have configured the appliance to take connections from the IP  192.168.42.43 to go through the RELAYLIST on your appliance's listener  (sendergroup) for outbound mail flows

not the message tracking , i click on monitor and overview to see incoming and outgoing mail  and do not see anything ,

yes SMTP route just says my test domain . so i suppose this is done.

one thing : -

if my topology, if i access mail client on pc 1 and send mail to mail client 2 , so my mail from the client is going to mail server then how come ESA comes in picture , i just got confused

Cisco Employee

Re: Ironport C160 installation and configuration effort : New Us

Hello Riyasat,

By default the ESA appliance would not come into the routing of mails from internal users, it would be sent from internal user -> internal MTA -> internal recipient user inbox.

If you wish to have the ESA come into the topology you have for your internal mail, you would need it to be explictly defined on the internal MTA to route the emails to the ESA appliance, then the ESA appliance will deliver it to the MTA (as defined in the SMTP routes)

Then you would also need to ensure the internal MTA is set up so that when it receives connections from the ESA it will be sent to the end user mail box from the MTA -- otherwise there will be a loop that may occur.

## this action is not a recommeded setup as it puts additional load on the appliance -- which is why the default action would be to let the internal MTA handle internal mail rather than routing to the appliance then back out.

New Member

Re: Ironport C160 installation and configuration effort : New Us

thanks for the reply

are MTA and ESA two different thing ? where can i find MTA in my topology and do these setting ?

Cisco Employee

Re: Ironport C160 installation and configuration effort : New Us

An MTA(Mail Transfer Agent) is any systems which transfers the mails.

Your MTA in this discussion is your Mail Server (MDamen 192.168.42.43).

The ESA is also an MTA, but in this instance, the internal MTA i am speaking of is the Mail server you have defined.

You will need to investigate on this mail server for the changes you wish to make.

However my expertise is not within other exchange/mail servers as my knowledge is in the Ironport ESA appliance.

New Member

Re: Ironport C160 installation and configuration effort : New Us

thank you so much for your help and quick responce,  i will surely check the mail server and will try to fix it or i am planing to setup a firewall and change the topoligy as following :_

outside user with mail client

    |

Firewall---------(DMZ)------------ESA and Mail server.

   |

Inside user with mail clients

on outside interfacre of the firewall i will apply access list for ESA with required ports and not the ip for Mail Server ? if yes , then i can i access the mail client on outside user as it works like http://192.168.42.43:3000

or what ACL i should apply on firewall and how traffic will go to ESA

any suggestion would be highly appriciated.

Cisco Employee

Re: Ironport C160 installation and configuration effort : New Us

Hello Riyasat,

For firewall enquiries on rules you wish to implement, i would suggest contacting your firewall engineer to assist you further with this.

Yes outside users will connect through to the ESA appliance which will handle the external traffic flow then the appliance will route it to your mail server for delivery to the end user.

New Member

Re: Ironport C160 installation and configuration effort : New Us

Below is the Error i am getting on tail mail_logs

any suggestion ?

Press Ctrl-C to stop.

Mon Jul 29 10:35:51 2013 Info: Double bounce: MID 1209805 to 0 - 5.1.2 - Bad destination host 'DNS Hard Error looking up mailedge.centamin.com (MX):  NXDomain'

Mon Jul 29 10:35:51 2013 Info: Message finished MID 1209805 done

Mon Jul 29 10:35:51 2013 Info: Bounced: DCID 0 MID 1209806 to RID 0 - Bounced by destination server with response: 5.1.2 - Bad destination host ('000', ['DNS Hard Error looking up mailedge.centamin.com (MX):  NXDomain'])

Mon Jul 29 10:35:51 2013 Info: Double bounce: MID 1209806 to 0 - 5.1.2 - Bad destination host 'DNS Hard Error looking up mailedge.centamin.com (MX):  NXDomain'

Mon Jul 29 10:35:51 2013 Info: Message finished MID 1209806 done

Mon Jul 29 10:35:51 2013 Info: Bounced: DCID 0 MID 1209807 to RID 0 - Bounced by destination server with response: 5.1.2 - Bad destination host ('000', ['DNS Hard Error looking up mailedge.centamin.com (MX):  NXDomain'])

Mon Jul 29 10:35:51 2013 Info: Double bounce: MID 1209807 to 0 - 5.1.2 - Bad destination host 'DNS Hard Error looking up mailedge.centamin.com (MX):  NXDomain'

Mon Jul 29 10:35:51 2013 Info: Message finished MID 1209807 done

Mon Jul 29 11:07:46 2013 Info: Queue: Checkpoint Started

Mon Jul 29 11:07:46 2013 Info: Queue: Checkpoint Finished

Cisco Employee

Re: Ironport C160 installation and configuration effort : New Us

looks like your appliance may not be configured for DNS.

Via CLI: dnsconfig

Test DNS using nslookup:

AsyncOS 8.0.0 for Cisco IronPort X1070 build 671

Welcome to the Cisco IronPort X1070 Messaging Gateway(tm) Appliance

tarheel.rtp> nslookup cisco.com

A=72.163.4.161 TTL=19h 2m

tarheel.rtp> dnsconfig

Currently using the local DNS cache servers:

1. Priority: 0  172.18.108.34

Alternate DNS servers:

1. cisco.com: 172.18.108.43

Choose the operation you want to perform:

- NEW - Add a new server.

- EDIT - Edit a server.

- DELETE - Remove a server.

- SETUP - Configure general settings.

[]>

1525
Views
0
Helpful
9
Replies