Introduction
This document describes how to configure a Beta Cisco Email Security Appliance (ESA) in order to accept production ESA traffic via a message filter.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure Beta Appliance
Listener Configuration for Beta ESA
The initial Listener configuration is to be completed on the Beta ESA.
- From the GUI, navigate to Network > Listeners.
- Click Add Listener...
- Name and set up a Public Listener that runs on TCP port 25.
- Click Submit in order to save the changes to the Public Listener.
- Repeat the same steps and add a second listener.
- Name and set up a Private Listener that runs on TCP port 26. (This listener is used for outbound mail.) You may use port 25 if there is an additional interface available and configured for your environment. The CES Hosted Beta environment has reserved port 587 for outbound.
- Submit to save changes to the Listener.
- Commit to save all changes to the configuration.
Sender Group for Beta ESA
For relayed traffic or outbound messages, add in the appropriate IP address(es) for the Beta ESA in order to accept and relay messages from the Production ESA.
- From the GUI, navigate to Mail Policies > HAT Overview.
- Select the appropriately named Relay Sender Group. (This is usually named RELAY, or RELAYLIST.)
- Click Add Sender...
- For Sender, use the IP address of the Production ESA.
- Enter any administrative comments, as needed.
- Submit to save changes to the Relay Sender Group.
- Commit to save all changes to the configuration.
Simple Mail Transfer Protocol (SMTP) Routes for Beta ESA
SMTP Route changes that need to be made on the Beta ESA are as follows:
- From the GUI, navigate to Network > SMTP Routes.
- If there are current SMTP routes, you may need to select those and Delete before you proceed. (Ensure that you review the Beta Lab Setup Guide.)
- Click Add Route...
- Set the Receiving Domain as cisco.com and Destination as USEDNS.
- Click Submit.
- Repeat the same steps and add in a second SMTP route.
- Set Receiving Domain for ironport.com and Destination as USEDNS.
- Click Submit.
- Finally, select All Other Domains from Receiving Domain.
- Set the Destination as /dev/null. (This prevents routing mail from the Beta appliance for any domains not configured.)
- Click Submit.
- Commit to save all changes to the configuration.
At this time, the SMTP Routes on the Beta appliance are as shown in the image:
Note: Add the appropriate routes to deliver emails to test end-users for domains as needed.
Incoming Relay for Beta ESA
The Incoming Relay configuration allows the Beta ESA to look past the Production ESA (using the Received headers) and retrieve the SBRS score of the original sending host, rather than that of the Production ESA.
Most configurations work with one hop.
- From the GUI, navigate to Network > Incoming Relay.
- Click Enable; the control turns white in color.
- Click Add Relay.
- Name: choose a name.
- IP Address: the IP address of the Production ESA delivering to the Beta ESA. A partial hostname is acceptable if multiple hosts are delivering.
- Hop: 1
- Submit and Commit Changes.
Incoming Relay: Disabled State.
Incoming Relay: Enabled State, colored white.
Incoming Relay: Sample Template
Incoming Relay: Summary view after Submit.
Sample mail log entry:
Mon Apr 8 12:48:28 2019 Info: MID 2422822 IncomingRelay(PROD_hc2881-52): Header Received found, IP 54.240.35.22 being used, SBRS 3.5 country United States
Enable Log Headers to capture the Spam Verdict within the mail logs
- Web UI > System Administration > Log Subscriptions > Global Settings (bottom) > Headers > (add) X-IronPort-Anti-Spam-Result
Log Spam Headers to Mail Logs
END OF BETA SIDE CONFIGURATION.
Configure Production Appliance
Caution: You are about to make changes to a Production ESA. Ensure that you back up the current configuration.
- From the GUI, navigate to System Administration > Configuration File.
- From the Current Configuration section, select one of the options to back up the current configuration as a file:
- Download file to local computer to view or save.
- Email file to: <your_email_address@domain.com>
- Click Submit.
SMTP Routes for Production ESA
SMTP routes must be added in order to allow BCC for all inbound and outbound emails from the Production ESA to the Beta ESA. For this example, inbound.beta.com and outbound.beta.com are used.
- From the GUI, navigate to Network > SMTP Routes.
- Click Add Route...
- Set Receiving Domain as inbound.beta.com with Destination as the IP address of the Beta appliance Public Listener created earlier, with the port set to 25.
- Click Submit to save changes to this new SMTP route.
- Repeat the same steps, Add Route...
- Set the Receiving Domain as outbound.beta.com, Destination Hosts as the IP address of the Beta appliance private Listener created earlier, and the port to 26.
- Submit to save the changes to this new SMTP route.
- Commit to save all changes to the configuration.
At this time, the SMTP Routes on the Production ESA are as shown in the image:
Bounce Profile creation
A combination of a Bounce Profile and a Destination Controls Profile protects the production mail flow from complications associated with delays or failures to deliver messages to the Beta hosts. This configuration applies only to the Beta messages.
- From the GUI, navigate to Network > Bounce Profiles > Add Bounce Profile.
- Maximum Number of Retries: 15
- Maximum time in Queue: 130
- Initial time to wait per Message: 60
- Maximum time to wait per Message: 60
- Send Hard bounce Messages: NO
- Send Delay Warning Messages: NO
- Use Domain Key Signing for Bounce and Delay Messages: NO
- Submit to save the changes to this new Bounce Profile.
- Commit to save all changes to the configuration.
Bounce Profile Creation
Note: The numbered values above are configured very aggressively to prevent Delivery Queue Backups in the event of a delivery interruption to the Beta Hosts. The values may be modified to preference. The notification settings are intentionally set to NO to prevent any user notifications from being delivered from the BCC Filters.
Destination Controls Profile Creation
- From the GUI, navigate to Mail Policies > Destination Controls > Add Destination.
- Destination: inbound.beta.com
- Bounce Verification > Perform address tagging: NO (or Default, which is NO)
- Bounce Profile: BETA_BOUNCE
- The other values may be configured based on the administrator's preference.
- Submit to save the changes to this new Destination Control Profile.
- Repeat the steps above (from Destination through Submit) using the Destination: outbound.beta.com
- Submit to save the changes to this new Destination Control Profile.
- Commit to save all changes to the configuration.
Add Destination Control Profiles.
Summary View of New Destination Control Profiles.
Message Filter Construction for Production ESA
From the CLI on the Production ESA, construct a message filter that can BCC emails to the appropriate Listener on the Beta ESA.
- Run the filters command, then choose NEW.
- Copy and Paste this message filter example and make the changes wherever appropriate:
bcc-EFT: if sendergroup == "RELAY" {
    bcc ("$enveloperecipients", "$Subject", "$EnvelopeFrom", "outbound.beta.com");
    log-entry("<=====BCC COPY TO BETA ESA=====>");
} else {
    bcc ("$enveloperecipients", "$Subject", "$EnvelopeFrom", "inbound.beta.com");
    log-entry("<=====BCC COPY TO BETA ESA=====>");
}
.
- Return until you are back to the main CLI prompt.
- Commit to save all changes to the configuration.
Note: Limit the traffic copied in the message filter based on sendergroup, recv-listener, mail-from, or other available rules and syntax. Consult the ESA User Guide for complete Message Filter Rules and Filter Rules Summary.
Verify
Use this section in order to confirm that your configuration works properly.
At this time, the Beta appliance accepts email traffic from Production appliance. In order to verify from CLI on the Beta appliance, run tail mail_logs:
Wed Mar 23 17:28:43 2016 Info: New SMTP ICID 2 interface Management (172.18.250.222) address 172.18.250.224 reverse dns host dhcp-172-18-250-224.cisco.com verified yes
Wed Mar 23 17:28:43 2016 Info: ICID 2 RELAY SG RELAY match 172.18.250.1/24 SBRS not enabled
Wed Mar 23 17:28:43 2016 Info: Start MID 2 ICID 2
Wed Mar 23 17:28:43 2016 Info: MID 2 ICID 2 From: <test@test.com>
Wed Mar 23 17:28:43 2016 Info: MID 2 ICID 2 RID 0 To: <robsherw@ironport.com>
Wed Mar 23 17:28:43 2016 Info: MID 2 Message-ID '<a033ed$2@9.9.5-038.local>'
Wed Mar 23 17:28:43 2016 Info: MID 2 Subject 'TEST 2'
Wed Mar 23 17:28:43 2016 Info: MID 2 ready 320 bytes from <test@test.com>
Wed Mar 23 17:28:43 2016 Info: MID 2 matched all recipients for per-recipient policy DEFAULT in the outbound table
Wed Mar 23 17:28:43 2016 Info: MID 2 queued for delivery
Wed Mar 23 17:28:43 2016 Info: New SMTP DCID 3 interface 172.18.250.222 address 173.37.93.161 port 25
Wed Mar 23 17:28:43 2016 Info: Delivery start DCID 3 MID 2 to RID [0]
Wed Mar 23 17:28:44 2016 Info: Message done DCID 3 MID 2 to RID [0]
Wed Mar 23 17:28:44 2016 Info: MID 2 RID [0] Response '2.0.0 u2NHSipG018673 Message accepted for delivery'
Wed Mar 23 17:28:44 2016 Info: Message finished MID 2 done
Wed Mar 23 17:28:48 2016 Info: ICID 2 close
Wed Mar 23 17:28:49 2016 Info: DCID 3 close
The SMTP connection is established on 172.18.250.222 (Beta appliance). The address from which the traffic is sent is 172.18.250.224 (Production appliance).
The Sender Group that receives the connection is RELAY, which matches relayed traffic from the 172.18.250.1/24 network.
The rest is the processing of the TEST 2 message.
On the Production appliance, verify and run tail mail_logs. The MID processed on Production would show:
Wed Mar 23 14:50:10 2016 Info: MID 242 was generated based on MID 241 by bcc filter 'bcc-EFT'
This line shows the splintering of the email message: the original MID was received, and a new MID was generated by the bcc filter and delivered to the Beta appliance and the test end-user as intended.
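To automate the two checks above (the bcc splintering on the Production ESA and the Incoming Relay SBRS lookup on the Beta ESA), the following added example parses mail_logs lines; it is not part of the Cisco document, and the sample log text is constructed from the entry formats shown on this page (the relay name PROD_hc2881-52 and IP 54.240.35.22 come from the page, the other values are made up).

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the mail_logs formats shown above.
PROD_MAIL_LOGS = """\
Wed Mar 23 14:50:09 2016 Info: MID 241 ICID 7 From: <test@test.com>
Wed Mar 23 14:50:10 2016 Info: MID 242 was generated based on MID 241 by bcc filter 'bcc-EFT'
Wed Mar 23 14:50:11 2016 Info: MID 244 ICID 8 From: <other@test.com>
Wed Mar 23 14:50:12 2016 Info: MID 245 was generated based on MID 244 by bcc filter 'bcc-EFT'
Wed Mar 23 14:50:13 2016 Info: MID 246 was generated based on MID 244 by bcc filter 'other-filter'
"""

BETA_MAIL_LOGS = """\
Mon Apr 8 12:48:28 2019 Info: MID 2422822 IncomingRelay(PROD_hc2881-52): Header Received found, IP 54.240.35.22 being used, SBRS 3.5 country United States
Mon Apr 8 12:48:29 2019 Info: MID 2422823 IncomingRelay(PROD_hc2881-52): Header Received found, IP 203.0.113.9 being used, SBRS None country Unknown
Mon Apr 8 12:48:30 2019 Info: MID 2422824 IncomingRelay(OTHER_RELAY): Header Received found, IP 198.51.100.7 being used, SBRS -2.1 country Unknown
"""

BCC_RE = re.compile(r"MID (\d+) was generated based on MID (\d+) by bcc filter '([^']+)'")
RELAY_RE = re.compile(
    r"MID (\d+) IncomingRelay\(([^)]+)\): Header Received found, IP (\S+) being used, SBRS (\S+)"
)


def bcc_copies(log_text, filter_name="bcc-EFT"):
    """Map each original MID to the MIDs that the named bcc filter generated from it."""
    copies = defaultdict(list)
    for line in log_text.splitlines():
        m = BCC_RE.search(line)
        if m and m.group(3) == filter_name:
            copies[int(m.group(2))].append(int(m.group(1)))
    return dict(copies)


def relay_verdicts(log_text, expected_relay):
    """Return {MID: (original_ip, sbrs)} for messages where the expected Incoming Relay
    was recognised; sbrs is None when the log records 'SBRS None' (no score available)."""
    out = {}
    for line in log_text.splitlines():
        m = RELAY_RE.search(line)
        if m and m.group(2) == expected_relay:
            raw = m.group(4)
            out[int(m.group(1))] = (m.group(3), None if raw == "None" else float(raw))
    return out
```

Originals with no entry in bcc_copies() never reached the Beta ESA, and a Beta MID missing from relay_verdicts() was scored on the Production ESA's address rather than the true sender's.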
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
Additional Information
A content filter may be considered in order to help differentiate Production vs. Beta email traffic for test end-users.
- From the GUI on the Beta ESA, navigate to Mail Policies > Incoming Content Filters or Mail Policies > Outgoing Content Filters.
- Construct a basic content filter in order to perform an action of Add/Edit Header.
- Click Submit in order to save changes to the content filter constructed.
- From Mail Policies > Incoming Mail Policies or Mail Policies > Outgoing Mail Policies, enable and add the new content filter to the Policy name.
- Click Submit in order to save the content filter to that policy.
- Click Commit in order to save all changes to the configuration.
At this time, the content filter on the Beta ESA is as shown in the images:
Now, when an email message is received on the Beta ESA, you can see the header added by the content filter in the Subject line of the email once processed, as shown in the image:
Related Information