Ironport C170 Blocks Emails Being Sent From SMTP Relay

Julia Brown
Level 1

I have an issue with emails being sent out through our virtual SMTP Relay from a server on the DMZ. Any emails being sent to internal email accounts on our domain work fine. However, the ones sent to external accounts are being rejected by the RAT. Here is a shot of the rejection message we are getting:

29 Oct 2013 10:09:58 (GMT -05:00) Protocol SMTP interface Data 2 (IP xxx.xxx.xxx.xxx) on incoming connection (ICID xxxxxxx) from sender IP xxx.xxx.xxx.xxx. Reverse DNS host internal.domain.org verified yes.
29 Oct 2013 10:09:58 (GMT -05:00) (ICID xxxxxxx) ACCEPT sender group UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 0.4
29 Oct 2013 10:09:58 (GMT -05:00) Start message xxxxxx on incoming connection (ICID xxxxxxx).
29 Oct 2013 10:09:58 (GMT -05:00) Message xxxxxx enqueued on incoming connection (ICID xxxxxxx) from emailaddress@hotmail.com.
29 Oct 2013 10:09:58 (GMT -05:00) Message xxxxxx on incoming connection (ICID xxxxxxx) to emailaddress@hotmail.com was rejected by Recipient Access Table (RAT).
29 Oct 2013 10:09:58 (GMT -05:00) Message xxxxxx aborted: Receiving aborted by sender

                   

I am new to the Ironport world so I am having a hard time figuring out how to allow for my SMTP relay to send emails to external email accounts. Thanks for any advice in advance! 


Stephan Bayer
Cisco Employee

It looks like the message should be arriving via SENDERGROUP RELAYLIST instead of ACCEPT sender group UNKNOWNLIST.

Navigate to GUI --> Mail Policies --> HAT Overview

  1. Then click the RELAYLIST sendergroup
  2. Add the IP address of your sending MTA to this group, submit and commit changes.

Thanks for the quick response! I unfortunately didn't have a RELAYLIST in the sendergroup so I created one. Then configured it appropriately but still it didn't pass emails.

My setup is this: I have a server on the DMZ that hosts our website which uses a Virtual SMTP server email relay to relay emails sent from the website to internal email recipients or to external email accounts (like the one to hotmail.com domain). Well it sends them internally fine but I still get the above rejection message on ones that are to be sent outside the domain.

ravi saini
Level 1

You can add that particular domain in the RAT table.

Go to Mail Policies --> RAT --> Add Recipient (add that particular domain) and Action --> Allow.

If your LDAP is not configured then you can choose the bypass checkbox.

Are you saying add the domain of where my DMZ is sending the emails through or the domain I am trying to send to? If it's the domain that I am sending to, that will not fix my issue as I am trying to avoid an open relay but allow any emails being sent from my website, whether it's to send to our internal domain or out through to others' email domains.

Which by the way, I did add the domain for which the emails are being sent from and it seems to pass the HAT just fine but gets blocked by the RAT.

OK, do one thing.

Go to Mail Policies --> HAT Overview --> select your listener for outgoing mail...

You will find a sendergroup Relay with Mail Policy Relay.

You can add your domain into this sendergroup.

Because all others are blocked there.

There is no listener for outgoing email, just one listener has been configured which stipulates as an incoming email listener. Maybe that is my problem.

Stephan Bayer
Cisco Employee

Julia,

It doesn't sound like it is configured for the appliance to recognize outbound mail from inbound email.  I think at this point if you could open a support request that may be the best way to take care of this for you.

Stephan


http://www.cisco.com/support

US Toll Free Customer Support +1 800 553 2447 Option #1

Julia Brown
Level 1

Both of you guys' suggestions worked, Ravi and Stephan. I tried to add a RELAYLIST in the SENDERGROUP but chose the wrong setup for it, so I deleted it. Then I submitted a ticket to the TAC and they had me recreate the RELAYLIST in the SENDERGROUP of the HAT. I left out an SBRS rating, added the sending server IP address, and moved it to slot 1, then VOILA! It started working beautifully. Thanks fellas, if I had done a better job of configuring in the first place I wouldn't have been so frustrated. ;D
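
The symptom in this thread (a connection that the HAT ACCEPTs into a non-relay sender group and that the RAT then rejects) can be picked out of tracking output by grouping lines on ICID. The Python below is an added example, not part of the thread or of any Cisco tooling; the sample lines are constructed, and the RELAY line is assumed to follow the same layout as the ACCEPT line quoted in the question.

```python
import re
from collections import defaultdict

# Constructed sample in the tracking format quoted in the question. All ICIDs,
# MIDs, hosts and addresses are made up (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = """\
29 Oct 2013 10:09:58 (GMT -05:00) Protocol SMTP interface Data 2 (IP 192.0.2.1) on incoming connection (ICID 1001) from sender IP 192.0.2.25. Reverse DNS host web.example.org verified yes.
29 Oct 2013 10:09:58 (GMT -05:00) (ICID 1001) ACCEPT sender group UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 0.4
29 Oct 2013 10:09:58 (GMT -05:00) Message 501 on incoming connection (ICID 1001) to user@example.net was rejected by Recipient Access Table (RAT).
29 Oct 2013 10:12:03 (GMT -05:00) Protocol SMTP interface Data 2 (IP 192.0.2.1) on incoming connection (ICID 1002) from sender IP 192.0.2.25. Reverse DNS host web.example.org verified yes.
29 Oct 2013 10:12:03 (GMT -05:00) (ICID 1002) RELAY sender group RELAYLIST match 192.0.2.25 SBRS 0.4
29 Oct 2013 10:12:03 (GMT -05:00) Message 502 enqueued on incoming connection (ICID 1002) from web@example.org.
"""

CONN = re.compile(r"\(ICID (\d+)\) from sender IP (\d+(?:\.\d+){3})")
POLICY = re.compile(r"\(ICID (\d+)\) (ACCEPT|RELAY|REJECT|TCPREFUSE) sender group (\S+)")
RAT = re.compile(r"\(ICID (\d+)\) to (\S+) was rejected by Recipient Access Table")


def find_rat_rejects(log_text):
    """Return connections that the HAT ACCEPTed and the RAT then rejected.

    ACCEPT connections have their recipients checked against the RAT; RELAY
    connections do not. A trusted internal sender showing up here is matching
    the wrong sender group and is a candidate for the RELAYLIST.
    """
    conns = defaultdict(lambda: {"ip": None, "action": None, "group": None, "rejected": []})
    for line in log_text.splitlines():
        if m := CONN.search(line):          # connection opened: remember sender IP
            conns[m[1]]["ip"] = m[2]
        elif m := POLICY.search(line):      # HAT decision: action and sender group
            conns[m[1]].update(action=m[2], group=m[3])
        elif m := RAT.search(line):         # RAT refused this recipient
            conns[m[1]]["rejected"].append(m[2])
    return [
        {"icid": icid, **c}
        for icid, c in conns.items()
        if c["action"] == "ACCEPT" and c["rejected"]
    ]


if __name__ == "__main__":
    for f in find_rat_rejects(SAMPLE_LOG):
        print(f"ICID {f['icid']}: {f['ip']} matched {f['group']} ({f['action']}); "
              f"RAT rejected {', '.join(f['rejected'])}")
```

Only senders you control belong in the RELAYLIST; an external IP appearing in this output is the RAT doing its job of preventing an open relay.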
