Cisco Support Community
New Member

smtp auth without hat access defined

Hello community!!!

We are configuring an appliance and came across a question that we would like to share to see if anyone can help us.

We first configured the appliance by setting up a RELAY policy which included the networks that were allowed to send mail through our IronPort. Before we applied that configuration, there was no way of sending mail; perhaps there are other, more efficient ways, but we fail to see another one.

After this path was OK, we then configured the IronPort to use SMTP auth in a forwarding fashion to verify that clients we know are the only ones allowed to send mail. To do this we authenticate against our internal SMTP server, which contains the mailboxes of our users.

This configuration tested OK, without issues at all.

Now that we have this architecture working, we would like to allow multiple IPs, not just the ones we defined, to use our IronPort to send mail. In our scenario, we provide email services to several clients that have dynamic IPs. So we cannot guarantee that, at a given time, they will be able to send mail through our IronPort if their IP falls out of the range we defined.

So, within HAT policies, is there a way to allow "anyone" or "any IP" to access the IronPort to send mail? The security will be enforced through our SMTP auth policy, which only allows authorized personnel to send mail.

Thank you in advance for your thoughts and comments!!!

Best regards!!!


Cisco Employee

Re: smtp auth without hat access defined

Yes, you can do this where the connecting external IP or sender is not known in advance.

You would probably need to use LDAP with either SMTP Auth enabled or External Authentication Queries enabled.

So as to not *bog* down your HAT Overview with SMTP auth attempts, I think it would be helpful to find a range where the incoming connection would be, then try to assign it to a SMTP Authentication Sender Group and corresponding Mail Flow Policy where the SMTP auth was turned on.

I can see that this type of scenario would come into play in situations where you have traveling salespeople and you're not always sure what IP they're coming from, but they still need to relay via the IronPort. It's best to collect as much information about these external relayers as possible and about the LDAP system, then contact Customer Support, presenting the information/facts that you have, and ask how best to configure the IronPort HAT/LDAP/Mail Flow Policy section to get that working.

Good luck,
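To make the HAT/Mail Flow Policy interaction discussed in this thread concrete, here is a small Python model of the decision the appliance makes when a client on an unknown IP issues RCPT TO. This is an added example and not Cisco/IronPort code, nor a statement of the appliance's exact semantics: it assumes sender groups are matched top-down on the connecting IP, that the first match selects a mail flow policy, and that the policy's connection behavior ("ACCEPT" or "RELAY") and its SMTP auth setting ("off", "preferred", "required", labels borrowed from the GUI) decide whether mail for an external domain is relayed. The group names AUTHRELAY and ACCEPTED_AUTH, the domain example.com and all IP addresses are constructed for the example. It contrasts the poster's fixed-range configuration, the "any IP, relay only after AUTH" configuration they are asking for, and the open-relay misconfiguration to avoid (pointing the ALL group at a plain RELAY policy).

```python
"""
Simplified model of Host Access Table (HAT) evaluation.  Added example only:
not Cisco/IronPort code, and the semantics below are the model's own
assumptions, not a description of the appliance's implementation.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"example.com"}  # constructed: domains this gateway accepts inbound


@dataclass
class MailFlowPolicy:
    name: str
    connection: str          # "ACCEPT" (inbound only) or "RELAY" (trusted network)
    smtp_auth: str = "off"   # "off", "preferred" or "required" (assumed labels)


@dataclass
class SenderGroup:
    name: str
    policy: MailFlowPolicy
    networks: list = field(default_factory=list)  # empty list means "ALL"

    def matches(self, ip):
        return not self.networks or any(ip in net for net in self.networks)


class HAT:
    """Ordered sender groups; the first group matching the client IP wins."""

    def __init__(self, groups):
        self.groups = groups

    def select(self, client_ip):
        ip = ip_address(client_ip)
        for group in self.groups:
            if group.matches(ip):
                return group
        raise LookupError("HAT must end with a group that matches ALL")

    def rcpt_allowed(self, client_ip, rcpt_domain, authenticated=False):
        """Return (verdict, reason) for RCPT TO:<user@rcpt_domain> on this connection."""
        group = self.select(client_ip)
        policy = group.policy
        if policy.smtp_auth == "required" and not authenticated:
            return "REJECT", f"{group.name}: SMTP AUTH required on this connection"
        if rcpt_domain in LOCAL_DOMAINS:
            return "ACCEPT", f"{group.name}: inbound mail for a local domain"
        # External recipient: relay only from a trusted RELAY policy, or after
        # a successful SMTP AUTH on a policy that offers authentication.
        if policy.connection == "RELAY":
            return "ACCEPT", f"{group.name}: trusted network, relay by policy {policy.name}"
        if policy.smtp_auth != "off" and authenticated:
            return "ACCEPT", f"{group.name}: relay after successful SMTP AUTH"
        return "REJECT", f"{group.name}: relaying denied (policy {policy.name})"


# Policies (names mirror the GUI defaults where they exist; ACCEPTED_AUTH is assumed)
RELAYED = MailFlowPolicy("RELAYED", "RELAY")
ACCEPTED = MailFlowPolicy("ACCEPTED", "ACCEPT")
ACCEPTED_AUTH = MailFlowPolicy("ACCEPTED_AUTH", "ACCEPT", smtp_auth="preferred")

OFFICE_NETS = [ip_network("203.0.113.0/24")]   # constructed (TEST-NET-3)
OFFICE_IP = "203.0.113.10"                     # a host inside the fixed relay range
DYNAMIC_IP = "198.51.100.77"                   # constructed (TEST-NET-2): customer on a dynamic IP

# 1) The poster's first configuration: relay only from fixed ranges.
hat_fixed = HAT([SenderGroup("RELAYLIST", RELAYED, OFFICE_NETS),
                 SenderGroup("ALL", ACCEPTED)])

# 2) What the thread asks for: any IP may connect; relay only after SMTP AUTH,
#    while unauthenticated Internet MTAs can still deliver inbound mail.
hat_auth = HAT([SenderGroup("RELAYLIST", RELAYED, OFFICE_NETS),
                SenderGroup("ALL", ACCEPTED_AUTH)])

# 3) The misconfiguration to avoid: pointing ALL at the RELAY policy.
hat_open = HAT([SenderGroup("RELAYLIST", RELAYED, OFFICE_NETS),
                SenderGroup("ALL", RELAYED)])


def is_open_relay(hat, probe_ip=DYNAMIC_IP):
    """True if an unauthenticated, unknown client can relay to an external domain."""
    return hat.rcpt_allowed(probe_ip, "external.example")[0] == "ACCEPT"


def scenario_results():
    """Verdicts for the cases discussed in the thread, keyed by scenario."""
    return {
        "fixed_dynamic_unauth": hat_fixed.rcpt_allowed(DYNAMIC_IP, "external.example")[0],
        "fixed_dynamic_auth": hat_fixed.rcpt_allowed(DYNAMIC_IP, "external.example", True)[0],
        "auth_dynamic_unauth": hat_auth.rcpt_allowed(DYNAMIC_IP, "external.example")[0],
        "auth_dynamic_auth": hat_auth.rcpt_allowed(DYNAMIC_IP, "external.example", True)[0],
        "auth_inbound_from_internet": hat_auth.rcpt_allowed(DYNAMIC_IP, "example.com")[0],
        "auth_office_unauth": hat_auth.rcpt_allowed(OFFICE_IP, "external.example")[0],
        "open_dynamic_unauth": hat_open.rcpt_allowed(DYNAMIC_IP, "external.example")[0],
    }


if __name__ == "__main__":
    for name, verdict in scenario_results().items():
        print(f"{name:28s} {verdict}")
    for label, hat in (("fixed", hat_fixed), ("auth", hat_auth), ("open", hat_open)):
        print(f"{label:6s} open relay: {is_open_relay(hat)}")
```

Two properties of the model are worth carrying over to a real deployment check. First, because the listener that takes the "any IP" connections is usually the same one that receives Internet mail, the catch-all group cannot *require* authentication without blocking every external MTA, so the auth-offering policy has to keep accepting unauthenticated inbound mail for local domains and deny only relaying. Second, whatever the final HAT looks like, probe it from an address outside the trusted ranges with an unauthenticated RCPT TO an external domain and confirm a 5xx, which is what `is_open_relay` models.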

