I've never worked with Ironport before, so I'm trying to estimate the amount of effort required to install and configure a C160 appliance. This would be a small site deployment of approximately 150 users.
I have to test it our lab before start using it , so as if now we have a switch and all(Mail Server , Mail client and ESA) are connected to the same switch in same subnet .
Switch --------------ESA (192.168.42.42)
------Mail Server (MDamen 192.168.42.43)
-------Mail Client 1 , this same client is used to access ESA WUI.
-------Mail Client 2
I run SSW in ESA and given ip for Mail Server as repaly .Now, i am sending mail from client one to client two and do not see anything on ESA monitoring . please let me know if this is wrong deployement .
I do have ASA in lab which i can use it for this if required.
I'm assuming you have configured the appliance to take connections from the IP 192.168.42.43 to go through the RELAYLIST on your appliance's listener (sendergroup) for outbound mail flows ?
When you said you checked the monitoring, is this on the message tracking on the GUI ?
Is your SMTP routes configured to send emails internally ?
I'd say an effective way to troubleshoot ot see if the appliance is seeing this connection and how it's being treated is.
Log into appliance command line interface (PuTTy)
Use this command "tail mail_logs"
Go on your mial client and attempt to send a test email, which should route to the mail server which connects to your appliance
After which it should trace it into the mail logs where you can review what is happening after.
yes , I have configured the appliance to take connections from the IP 192.168.42.43 to go through the RELAYLIST on your appliance's listener (sendergroup) for outbound mail flows
not the message tracking , i click on monitor and overview to see incoming and outgoing mail and do not see anything ,
yes SMTP route just says my test domain . so i suppose this is done.
one thing : -
if my topology, if i access mail client on pc 1 and send mail to mail client 2 , so my mail from the client is going to mail server then how come ESA comes in picture , i just got confused
By default the ESA appliance would not come into the routing of mails from internal users, it would be sent from internal user -> internal MTA -> internal recipient user inbox.
If you wish to have the ESA come into the topology you have for your internal mail, you would need it to be explictly defined on the internal MTA to route the emails to the ESA appliance, then the ESA appliance will deliver it to the MTA (as defined in the SMTP routes)
Then you would also need to ensure the internal MTA is set up so that when it receives connections from the ESA it will be sent to the end user mail box from the MTA -- otherwise there will be a loop that may occur.
## this action is not a recommeded setup as it puts additional load on the appliance -- which is why the default action would be to let the internal MTA handle internal mail rather than routing to the appliance then back out.
thanks for the reply
are MTA and ESA two different thing ? where can i find MTA in my topology and do these setting ?
An MTA(Mail Transfer Agent) is any systems which transfers the mails.
Your MTA in this discussion is your Mail Server (MDamen 192.168.42.43).
The ESA is also an MTA, but in this instance, the internal MTA i am speaking of is the Mail server you have defined.
You will need to investigate on this mail server for the changes you wish to make.
However my expertise is not within other exchange/mail servers as my knowledge is in the Ironport ESA appliance.
thank you so much for your help and quick responce, i will surely check the mail server and will try to fix it or i am planing to setup a firewall and change the topoligy as following :_
outside user with mail client
Firewall---------(DMZ)------------ESA and Mail server.
Inside user with mail clients
on outside interfacre of the firewall i will apply access list for ESA with required ports and not the ip for Mail Server ? if yes , then i can i access the mail client on outside user as it works like http://192.168.42.43:3000
or what ACL i should apply on firewall and how traffic will go to ESA
any suggestion would be highly appriciated.
For firewall enquiries on rules you wish to implement, i would suggest contacting your firewall engineer to assist you further with this.
Yes outside users will connect through to the ESA appliance which will handle the external traffic flow then the appliance will route it to your mail server for delivery to the end user.
Below is the Error i am getting on tail mail_logs
any suggestion ?
Press Ctrl-C to stop.
Mon Jul 29 10:35:51 2013 Info: Double bounce: MID 1209805 to 0 - 5.1.2 - Bad destination host 'DNS Hard Error looking up mailedge.centamin.com (MX): NXDomain'
Mon Jul 29 10:35:51 2013 Info: Message finished MID 1209805 done
Mon Jul 29 10:35:51 2013 Info: Bounced: DCID 0 MID 1209806 to RID 0 - Bounced by destination server with response: 5.1.2 - Bad destination host ('000', ['DNS Hard Error looking up mailedge.centamin.com (MX): NXDomain'])
Mon Jul 29 10:35:51 2013 Info: Double bounce: MID 1209806 to 0 - 5.1.2 - Bad destination host 'DNS Hard Error looking up mailedge.centamin.com (MX): NXDomain'
Mon Jul 29 10:35:51 2013 Info: Message finished MID 1209806 done
Mon Jul 29 10:35:51 2013 Info: Bounced: DCID 0 MID 1209807 to RID 0 - Bounced by destination server with response: 5.1.2 - Bad destination host ('000', ['DNS Hard Error looking up mailedge.centamin.com (MX): NXDomain'])
Mon Jul 29 10:35:51 2013 Info: Double bounce: MID 1209807 to 0 - 5.1.2 - Bad destination host 'DNS Hard Error looking up mailedge.centamin.com (MX): NXDomain'
Mon Jul 29 10:35:51 2013 Info: Message finished MID 1209807 done
Mon Jul 29 11:07:46 2013 Info: Queue: Checkpoint Started
Mon Jul 29 11:07:46 2013 Info: Queue: Checkpoint Finished
looks like your appliance may not be configured for DNS.
Via CLI: dnsconfig
Test DNS using nslookup:
AsyncOS 8.0.0 for Cisco IronPort X1070 build 671
Welcome to the Cisco IronPort X1070 Messaging Gateway(tm) Appliance
tarheel.rtp> nslookup cisco.com
A=22.214.171.124 TTL=19h 2m
Currently using the local DNS cache servers:
1. Priority: 0 172.18.108.34
Alternate DNS servers:
1. cisco.com: 172.18.108.43
Choose the operation you want to perform:
- NEW - Add a new server.
- EDIT - Edit a server.
- DELETE - Remove a server.
- SETUP - Configure general settings.