Cisco Support Community
New Member

private and public listener

Hi, I would like to ask about using a two-leg setup on my IronPort 360: data1 - private listener - relay, and data2 - public listener - accept incoming.

My mail server has a public IP which is the primary MX of my domain.

I defined another public IP for my IronPort.

I'm using a Unix messaging server.

My problem is, I can't get it to work forwarding SMTP traffic from the Unix mail server towards my IronPort.

Any suggestions would be OK.

Anyone familiar with this setup?

Cisco Employee

Re: private and public listener

Hi, let me try to answer your question.

In order to protect your mail server from accepting spam or malicious emails directly from the Internet (since spammers will send spam to your mail host as long as it is accepting emails (open on port 25), no matter whether you publish its public IP address in an MX record or not), you should either configure your firewall to redirect inbound port 25 traffic to the IronPort private IP address, or configure (IronPort) as your primary MX instead. Your mail host should only accept incoming SMTP connections from the IronPort.

Please note that you cannot configure IP addresses in the same network range on two different physical interfaces on the IronPort (i.e. on interface 1 and on interface 2). If you want to have separate IP addresses for accepting incoming and outgoing email traffic, you can configure two IP addresses on the same physical interface (we call this a virtual gateway).

You can choose to use one IP address for both incoming and outgoing traffic (the system setup wizard will guide you through it - just tick both the "Accept mail on this interface" and "Relay mail on this interface" checkboxes; see page 3-62 of the ESA 7.0.1 Configuration Guide).

Please note that you should add your mail server's private IP address (instead of its hostname) to the "Relay Outgoing Mail" list or RELAYLIST on the corresponding listener, since your mail hostname is likely to resolve to the public IP address via the DNS server configured on the IronPort.

If both your mail host and the IronPort are on a private IP network segment behind the firewall, your outgoing emails will be sent from the mail host to the IronPort (as smarthost) and the IronPort will only see the connection from the private IP address of your mail host.

I hope it helps.


New Member

Re: private and public listener

Hi Tommy,

Thanks for the information indeed.

I was able to make it work after rigorous testing, and these were my mistakes:

- I happened to define a wrong relay on the public listener, which shouldn't be the case since this will just accept all incoming mail to that particular trusted domain. Relay should be on the private interface since this will be used by the mail server for SMTP traffic.

- I used different hostnames on my private and public listener, which I corrected to on both.

Modified rules on the SRX firewall.

Then configured the Linux box to relay to my private IP, then tested...

Thank you for the information.
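As an added illustration (not from this thread or from Cisco's documentation) of the listener rules Tommy describes and the relay mistake the original poster corrected, here is a small Python model of a public and a private listener: the private listener relays only for clients on its RELAYLIST, the public listener accepts only mail addressed to its own domains and never relays, and a hostname entry that resolves to the public address fails to match the mail host's private source IP. The DNS table, addresses and domain names are constructed for the example.

```python
import ipaddress

# Constructed stand-in for the IronPort's DNS view: the mail host's name
# resolves to its public MX address, not the private address it connects from.
DNS = {"mail.example.com": "203.0.113.10"}


def _entry_matches(entry, client_ip):
    """Match one relay-list entry (IP, CIDR or hostname) against the client."""
    ip = ipaddress.ip_address(client_ip)
    if entry in DNS:  # hostname entry: compared after DNS resolution
        return ip == ipaddress.ip_address(DNS[entry])
    try:
        return ip in ipaddress.ip_network(entry, strict=False)
    except ValueError:  # unresolvable name or malformed entry never matches
        return False


def decide(listener, client_ip, rcpt_domain):
    """Return RELAY, ACCEPT or REJECT for one connection on a listener.

    listener is a dict (a hypothetical model, not an ESA config format) with
    'relaylist': clients allowed to relay to any destination, and
    'rat': domains the listener accepts inbound mail for.
    """
    if any(_entry_matches(e, client_ip) for e in listener["relaylist"]):
        return "RELAY"
    if rcpt_domain in listener["rat"]:
        return "ACCEPT"
    return "REJECT"


# Public listener: accepts for the local domain, has no relay entries.
PUBLIC = {"relaylist": [], "rat": ["example.com"]}
# Private listener: relays for the mail host's private subnet only.
PRIVATE = {"relaylist": ["10.0.0.0/24"], "rat": []}
# The pitfall from the thread: a hostname instead of the private address.
PRIVATE_BY_NAME = {"relaylist": ["mail.example.com"], "rat": []}

if __name__ == "__main__":
    print(decide(PUBLIC, "198.51.100.7", "example.com"))     # ACCEPT
    print(decide(PUBLIC, "198.51.100.7", "other.net"))       # REJECT (no relay)
    print(decide(PRIVATE, "10.0.0.25", "other.net"))         # RELAY
    print(decide(PRIVATE_BY_NAME, "10.0.0.25", "other.net")) # REJECT
```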
