SMTP Authentication Function

kyono_marin

Hi, I want to ask about the function of SMTP authentication in IronPort. Is it used to authenticate with the Exchange server or per client using LDAP? When I configure SMTP authentication, is it used for incoming or outgoing connections? Thanks.

Regards

Alkuin Melvin

Andreas Mueller

Hello Alkuin,

SMTP authentication is usually used to allow users outside their network to relay email through the appliance. So authentication enables relaying on inbound connections, but only after the client has been authenticated by SMTP authentication. Like I said, this is the most common usage. Another possibility SMTP Auth is used for is when an (internal) mailserver only accepts traffic from authenticated hosts, so to be able to forward messages to that host, the appliance needs to authenticate itself against that server before delivering that traffic.

For the authentication itself, you can either use LDAP, or forward the authentication request to another mailserver (SMTP Auth with forwarding).

Hope that helps,

Andreas

Hello Andreas,

Thank you so much for the answer. I have been told by one of the vendor engineers that I should use SMTP Authentication on another listener with a different port. Is that true?

Regards

Alkuin Melvin

Dear Alkuin,

For SMTP authentication configuration, you can configure an SMTP auth profile under 'Network'-'SMTP Authentication' (LDAP, forward and outgoing).

In my opinion, you can choose to enable SMTP AUTH in the mail flow polic(ies) of an existing listener (port 25) and/or a new listener using another port (say port 8025). The reason to use a 'port number other than port 25' is that some residential ISPs or hotel internet connections will block outgoing port 25 connections (for antispam reasons: blocking botnet/malware-infected hosts from sending spam and getting the ISP's IP addresses blacklisted).

For an existing listener, you can configure the SMTP AUTH "Preferred" setting in the default mail flow policy, and then users can authenticate and relay emails through IronPort from a public IP address (configure the email client's outgoing SMTP gateway with the IronPort public IP address and port 25). One point to note is that if the user is sending from a poor-reputation IP, their SMTP connection may be blocked or throttled.

For a listener using a port number other than 25 (e.g. 8025), you can configure just one sender group with the default mail flow policy configured with SMTP AUTH "Required". The email client needs to be configured with the IronPort listener's public IP address and the specific port number (say port 8025) as its outgoing SMTP gateway. In this way, only authenticated users can relay emails through this listener, and they can avoid the port 25 blocking issue or the sending host's reputation issue mentioned above.

Cheers,

Tommy
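One way to verify the listener setups described above, added here as an example and not part of the thread or of any Cisco tooling: a check that a listener advertises AUTH and refuses to relay for a session that never authenticated. The function name `audit_listener`, the `ScriptedListener` stand-in, the probe addresses and the reply codes in the constructed sessions are assumptions for illustration, not output captured from an appliance.

```python
def audit_listener(session, mail_from, external_rcpt, tls_context=None):
    """Probe a connected smtplib.SMTP-style session without ever logging in."""
    session.ehlo()
    if session.has_extn("starttls"):
        # AUTH may only be advertised after the TLS upgrade, so upgrade first.
        # Pass ssl.create_default_context() to also verify the certificate.
        session.starttls(context=tls_context)
        session.ehlo()
    result = {"auth_offered": session.has_extn("auth"), "refused_at": None}
    code, _ = session.mail(mail_from)
    if code != 250:
        result["refused_at"] = "MAIL FROM"
    else:
        code, _ = session.rcpt(external_rcpt)
        if code not in (250, 251):
            result["refused_at"] = "RCPT TO"
    session.rset()
    result["reply_code"] = code
    result["unauth_relay_refused"] = result["refused_at"] is not None
    return result


class ScriptedListener:
    """Constructed stand-in for smtplib.SMTP so the check runs offline."""
    def __init__(self, extensions, mail_code, rcpt_code):
        self.extensions = extensions
        self.mail_code, self.rcpt_code = mail_code, rcpt_code
    def ehlo(self): return (250, b"ok")
    def has_extn(self, name): return name.lower() in self.extensions
    def starttls(self, context=None): return (220, b"ready")
    def mail(self, sender): return (self.mail_code, b"")
    def rcpt(self, recipient): return (self.rcpt_code, b"")
    def rset(self): return (250, b"ok")


# Constructed sessions (reply codes are illustrative, not appliance output).
REQUIRED_8025 = ScriptedListener({"auth"}, 530, 530)             # AUTH "Required"
PREFERRED_25 = ScriptedListener({"auth", "starttls"}, 250, 550)  # AUTH "Preferred"
NO_AUTH_RELAY = ScriptedListener(set(), 250, 250)                # misconfigured

if __name__ == "__main__":
    # Against your own listener: audit_listener(smtplib.SMTP(host, 8025), ...)
    for name, s in [("required", REQUIRED_8025), ("preferred", PREFERRED_25),
                    ("misconfigured", NO_AUTH_RELAY)]:
        print(name, audit_listener(s, "probe@outside.example",
                                   "probe@elsewhere.example"))
```

A result with `unauth_relay_refused` set to `False` means the listener accepted a recipient at an outside domain from an unauthenticated session, which is the condition the "Required" policy is meant to rule out.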

Hi Tze Tai Mak,

Thanks for the information. Really helpful for me to understand the authentication.

Thanks all.

Alkuin Melvin
