
What do I need for outgoing mail?

Alibek Ismailov
Level 1

Hello, I need some help with configuring outgoing mail. I know how to configure the IP interface and listeners, but after I do that:

Would it work automatically, so that all outgoing mail passes through IronPort, or do I need to somehow send mail to IronPort? Do I need to add a record in DNS for outgoing mail?

Accepted Solutions

Robert Sherwin
Cisco Employee

You would need to have DNS correctly configured to allow mail to move to your ESA appliance, and then out to the world, or to internal mail, as needed:

A) MX records point to Firewall

Either the MX records point to the external (internet) interface of your firewall and your firewall has a redirect rule for all SMTP traffic to your relay server(s) on the DMZ – which typically has a private IP range in this case. 

Then the action is simple: just change the SMTP redirect rule from the current relay servers to the IronPort.

B) MX records point directly to mail relays

If you have a public DMZ, the MX records are pointing directly to the hostname of your relay servers. In that case you need to change the MX records to point to the new hostnames (that you have registered in the public DNS of your ISP) of the IronPort.

Example Before:

MX    @domain.com            currentmail.domain.com        [10]
A    currentmail.domain.com        192.168.1.34

Example After IronPort

MX    @domain.com            IronPortincoming.domain.com        [10]
A    currentmail.domain.com        192.168.1.34
A    IronPortincoming.domain.com    192.168.1.35

When changing MX records, please take into account that DNS propagation on the internet can take as long as 48 hours. You can have the customer prepare this in advance by adding the A record and a backup MX:

MX    @domain.com            currentmail.domain.com        [10]
MX    @domain.com            IronPortincoming.domain.com        [10]
A    currentmail.domain.com        192.168.1.34
A    IronPortincoming.domain.com    192.168.1.35

 

I hope this helps!

-Robert

 

(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)
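
The record sets in the answer above can be checked mechanically before and after the change. The following is an added example, not part of the original answer and not Cisco tooling: it parses records written in the answer's own notation (not zone-file syntax), reports which stage of the cutover a record set is in, flags MX targets with no A record, and lists the hosts at the lowest preference value, which sending servers try first. The function names and the sample text are assumptions made for illustration.

```python
# Constructed sample: the "prepare in advance" record set from the answer,
# in the same notation (type, name, target, [preference]).
STAGED = """\
MX    @domain.com    currentmail.domain.com         [10]
MX    @domain.com    IronPortincoming.domain.com    [10]
A     currentmail.domain.com         192.168.1.34
A     IronPortincoming.domain.com    192.168.1.35
"""


def parse_records(text):
    """Return (mx, a): mx is a sorted list of (preference, host),
    a maps host -> list of addresses. Hostnames are lowercased
    because DNS names compare case-insensitively."""
    mx, a = [], {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "MX":
            pref = int(fields[3].strip("[]")) if len(fields) > 3 else 0
            mx.append((pref, fields[2].lower()))
        elif len(fields) == 3 and fields[0] == "A":
            a.setdefault(fields[1].lower(), []).append(fields[2])
    return sorted(mx), a


def cutover_state(text, old_host, new_host):
    """Classify a record set as before / staged / after the MX change."""
    mx, a = parse_records(text)
    targets = {host for _, host in mx}
    old, new = old_host.lower(), new_host.lower()
    if old in targets and new in targets:
        state = "staged"
    elif new in targets:
        state = "after"
    elif old in targets:
        state = "before"
    else:
        state = "unknown"
    return {
        "state": state,
        # MX targets that would not resolve: mail for them is deferred or bounced.
        "dangling": sorted(t for t in targets if t not in a),
        # Hosts sharing the lowest preference value are tried first by senders.
        "first_tried": [h for p, h in mx if p == mx[0][0]] if mx else [],
    }


if __name__ == "__main__":
    print(cutover_state(STAGED, "currentmail.domain.com", "IronPortincoming.domain.com"))
```

Run it against the record set you plan to publish at each step; an empty `dangling` list is the condition to confirm before removing the old MX.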
