Hi all. I'm a new Ironport user, having just started working for a company that had a Spam and Virus Blocker already up and running.
We've been put on some blacklists for acting as an open relay. Apparently my predecessor had already done much of the work involved in fixing this problem, but we're still on blacklists. I'm not sure when the last time we really were an open relay was; it could have been before the Ironport was ever installed. I want to clear our name, but before I start requesting removals, I want to be 100% sure that the problem is addressed.
I've run some online open relay tests, and most report that we are not an open relay, but when I tried http://www.rbl.jp/svcheck.php, 5 of their 19 tests came back as "accepted".
I searched the Ironport knowledge base and found that our settings already match the recommendation -- our RAT is set to reject "all other recipients".
Here are the recipients from the tests that came back as "accepted":
>>> RCPT TO: <email@example.com>
>>> RCPT TO: <"firstname.lastname@example.org"@server01.mycompany.com>
>>> RCPT TO: <email@example.com>
>>> RCPT TO: <"rlytest%h.rbl.jp"@mycompany.com>
>>> RCPT TO: <"firstname.lastname@example.org"@mycompany.com>
"server01" is the name of our Exchange server. Our firewall is set to forward port 25 to the Ironport.
Some of the tests suggested that even an "accepted" message was not a sure sign of being an open relay, and that the mail server might accept it and then silently discard it anyway. Is this something I need to fix, or is it already handled by the Ironport? How can I tell for sure? I've considered telnetting in from my home PC and reproducing the commands shown on that site using a real email address of my own, but I'm not really confident in this procedure, or in the procedure of "properly" malforming email addresses. Any advice?
Can anyone recommend further steps for me to take to be sure we are not operating an open relay?
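As an added illustration (not from the original thread or from Cisco), the script below splits each test recipient the way an RFC 5321 receiver does, on the last "@" outside double quotes. That shows why the RAT accepts them: the domain it sees is mycompany.com, and the "%", "!" or "@" that old MTAs treated as routing hints sits inside the quoted local part. Those are the recipients whose MIDs are worth following in the logs to confirm the downstream server drops them rather than re-routing. The LOCAL_DOMAINS set is an assumption standing in for the RAT's accepted domains.

```python
from dataclasses import dataclass

# Recipients from the rbl.jp tests quoted in the post (copied as constructed input).
RELAY_TEST_RCPTS = [
    "email@example.com",
    '"firstname.lastname@example.org"@server01.mycompany.com',
    '"rlytest%h.rbl.jp"@mycompany.com',
    '"firstname.lastname@example.org"@mycompany.com',
]

# Assumed: the domains the Recipient Access Table accepts ("all other recipients" rejected).
LOCAL_DOMAINS = {"mycompany.com", "server01.mycompany.com"}


@dataclass
class RcptCheck:
    address: str
    local_part: str
    domain: str
    quoted: bool
    routing_chars: str   # characters in the local part once used for source routing
    rat_accepts: bool    # True if the domain part matches an accepted RAT domain


def split_address(addr: str) -> tuple[str, str]:
    """Split at the last '@' that is not inside a quoted local part."""
    in_quote, last_at = False, -1
    for i, ch in enumerate(addr):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "@" and not in_quote:
            last_at = i
    if last_at < 0:
        raise ValueError(f"no domain part in {addr!r}")
    return addr[:last_at], addr[last_at + 1:]


def check_rcpt(addr: str) -> RcptCheck:
    local, domain = split_address(addr)
    quoted = len(local) >= 2 and local[0] == '"' and local[-1] == '"'
    inner = local[1:-1] if quoted else local
    routing = "".join(ch for ch in "@%!" if ch in inner)
    return RcptCheck(addr, local, domain, quoted, routing, domain.lower() in LOCAL_DOMAINS)


def suspicious_rcpts(addrs: list[str]) -> list[RcptCheck]:
    """Recipients the gateway accepts whose local part still carries routing characters."""
    return [c for c in (check_rcpt(a) for a in addrs) if c.rat_accepts and c.routing_chars]


if __name__ == "__main__":
    for c in suspicious_rcpts(RELAY_TEST_RCPTS):
        print(f"{c.address}: domain={c.domain} routing={c.routing_chars!r} -> verify downstream")
```

A hit here only means the gateway accepts the recipient; the open relay question is answered by the message's fate after acceptance, which the log trail for that MID shows.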
You can use the CLI (Command Line) command "findevent" to collect all log lines that belong to a certain message and use that information to see what has happened with the message. If you search your log (using the grep command on the CLI) for "rlytest" you should find the log lines that are recorded for your relay tests. If you use the MID value found in those lines as input for the "findevent" command, it becomes clear.
It seems as though my Ironport does not have the "findevent" command. When I tried it I got an "unknown command: findevent" message, and the "help" message does not list findevent. Are you sure that command exists in the Spam and Virus Blocker, and not just other Ironport models?
I notice that there are two upgrades available to download for my Ironport, so maybe it's just that my current version is too old. I'm not sure I'm daring enough to install the upgrades during business hours, so I'll probably do that on the weekend.
If you have a cluster, you will have almost 'no' downtime. First upgrade the first appliance, it will continue to deliver mail during the upgrade, you only have some downtime while the system is rebooting. Then upgrade the second.
If you do have a cluster, during the reboot your second appliance will take over the mail flow. If you don't have a cluster, I recommend doing the upgrades during non-business hours.