I inherited an infrastructure a little bit ago that uses an IronPort C170 cluster for email security. I have been tasked with configuring TLS connections with our new medical benefits provider and have some issues doing so. We have 3 MX records, let's call them mail1, mail2 and mail3. Mail1 and mail2 are configured normally on our firewall to pass SMTP traffic on port 25 to the MailListener port on the IronPort which is 25. Mail3, however, is configured on the firewall to translate SMTP traffic on port 25 to port 3600 which is sent to the TLS Listener port 3600 on the IronPort. The IronPort MailInterfaces are configured as such (25,3600) Reverse configuration on the firewall takes any port 3600 traffic from the IronPort and translates it to port 25 traffic for the rest of the world.
I configured the IronPort with a new Sender Group named TLS_ACCEPT, added all the medical provider domain names/IPs to it and assigned it to the ACCEPTED Mail Flow Policy where TLS is set to Required. Likewise, for outgoing, I specified the same domain names/IPs within the Destination Controls to require TLS for sending purposes.
I replaced the guy who originally configured this so I am not too sure how it is setup on the other end for TLS connections already established. We do have a few in place that are active. I am assuming that the other end is configured to send email only to the mail3 MX record. This configuration, however, is not possible with our medical provider so I need an alternative. They have verified that they cannot contact us on mail1 or mail2 via TLS but can with mail3.
The obvious problem is if a sender from these new domains tries to send TLS_required emails to us over the mail1 and mail2 MX IPs, they will receive an NDR. If I configure the firewall to translate mail1 and mail2 incoming connections from port 25 to 3600, any email sent with TLS not prefered/required will get an NDR. This was actually tested and domains like Yahoo and Hotmail could not send to us.
Are there any options for me on the IronPort to allow these connections to be sent from all our MX IPs without having to translate the ports? If not, what would happen if I changed the TLS Listener port on the IronPort to 25 instead of 3600 and disabled all the NAT rules on the firewall for mail3? I am only to assume this translation was another security step added by the previous admin here but am not too sure what would happen if I eliminated it.
Any advice, help, questions, assistance or fun-poking would be greatly appreciated!! Thank you in advance!
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...