How to configure a Beta ESA to accept
production ESA traffic
Contents
Introduction
Configure Beta Appliance
Listener Configuration for Beta ESA
Sender Group for Beta ESA
SMTP Routes for Beta ESA
Configure Production Appliance
Backup configuration on Production ESA
SMTP Routes for Production ESA
Message Filter construction for Production ESA
Verify
Additional Information
Related Information
Introduction
This document describes how to configure a Beta Cisco Email Security Appliance (ESA) to accept
production ESA traffic for testing purposes via a message filter utilizing the bcc (Blind Carbon
Copy) option.
Configure Beta Appliance
Listener Configuration for Beta ESA
The initial Listener configuration will need to be completed on the Beta ESA.
Please complete the following:
1. From the GUI, navigate to Network > Listeners > Add Listener...
2. Name and setup a Public Listener using port 25.
3. Click Submit to save the changes to the Public Listener.
4. Repeat the same steps, and add in a second listener.
5. Name and setup a Private Listener (for Outbound mail) using port 26, or you may use port 25
if there is an additional interface available and configured for your environment.
6. Click Submit to save changes to the Listener.
7. Click Commit to save all changes to the configuration.
Sender Group for Beta ESA
For relayed traffic or outbound messages, you will need to add in the appropriate IP address(es) in
order for the Beta ESA to accept and relay messages from the Production ESA.
Please complete the following:
1. From the GUI, navigate to Mail Policies > HAT Overview.
2. Select the appropriately named Relay Sender Group. (This is usually named RELAY, or
RELAYLIST.)
3. Click Add Sender...
4. For Sender, use the IP address of the Production ESA.
5. Enter any administrative comments, as needed.
6. Click Submit.
7. Complete the configuration changes by clicking Commit Changes.
SMTP Routes for Beta ESA
SMTP Route changes that need to be made on the Beta ESA are as follows:
1. From the GUI, navigate to Network > SMTP Routes.
2. Delete any existing SMTP routes.
3. Click Add Route...
4. Set Receiving Domain for 'cisco.com' with Destination to 'USEDNS'.
5. Click Submit.
6. Repeat, and add in a second route.
7. Set Receiving Domain for 'ironport.com' with Destination to 'USEDNS'.
8. Click Submit.
9. Click on 'All Other Domains' and set to '/dev/null' in order to avoid routing mail from the Beta
appliance.
10. Click Submit.
11. Complete configuration changes by clicking Commit Changes.
At this time, SMTP Routes on the Beta appliance will be similar to:
Note: Please add the appropriate routes to deliver emails to test end-users for domains as
needed. *This would include Spam notification emails, as these will need to be delivered to
test end-users for testing Message Digest modification and other features described in the
Lab Setup Guide.
Configure Production Appliance
Backup configuration on Production ESA
Caution: Changes will be made to a Production ESA at this time. Please assure that you
backup the existing configuration before continuing.
1. From the GUI, navigate to System Administration > Configuration File.
2. From the Current Configuration section, choose either of the following options to make a
current backup of the configuration file for safe keeping: Download file to local computer to
view or saveEmail file to: <[email protected]>
3. Be sure to click the radio dial for Plain passwords in the Configuration Files.
4. Click Submit.
SMTP Routes for Production ESA
SMTP routes must be added in order to allow BCC for all inbound and outbound emails from the
Production ESA to the Beta ESA. For this example, inbound.beta.com and outbound.beta.com
are used.
1. From the GUI, navigate to Network > SMTP Routes.
2. Click Add Route...
3. Set Receiving Domain as "inbound.beta.com" with Destination as the IP address of the Beta
appliance Public Listener created earlier, with Port set to 25.
4. Click Submit to save changes to this new SMTP route.
5. Repeat the same steps, Add Route...
6. Set the Receiving Domain as "outbound.beta.com", Destination Hosts as the IP address of
the Beta appliance private Listener created earlier, and the Port to 26.
7. Click Submit to save the changes to this new SMTP route.
8. Complete configuration changes by clicking Commit Changes.
At this time, SMTP Routes on the Production ESA will be similar to:
Note: In the example above, the destination hosts have been marked through, as the
appliance used different SMTP routing for repro purposes.
Message Filter construction for Production ESA
From the CLI on the Production ESA, construct a message filter that will BCC emails to the
appropriate Listener on the Beta ESA.
1. Log-in to the CLI on the Production appliance.
2. Run the following: filters > NEW
3. Copy & Paste the following message filter example, making changes where appropriate: bccEFT: if sendergroup == "RELAY" {
bcc ("$enveloperecipients", "$Subject", "$EnvelopeFrom", "outbound.beta.com");
log-entry("<=====BCC COPY TO BETA ESA=====>");
} else {
bcc ("$enveloperecipients", "$Subject", "$EnvelopeFrom", "inbound.beta.com");
log-entry("<=====BCC COPY TO BETA ESA=====>");
}
.
4. Be sure to use "." at the end of the filter to end adding in a new message filter.
5. Hit Return until you are back to the main CLI prompt.
6. Run Commit to save all changes.
Note: You may wish to limit the traffic copied in the message filter based on sendergroup,
recv-listener, mail-from, or other available rules and syntax. Please consult the ESA User
Guide for complete Message Filter Rules and Filter Rules Summary.
Verify
At this time, the Beta appliance should be accepting email traffic from Production appliance.
Verify from CLI on the Beta appliance, and running tail mail_logs. Mail logs should show similar:
Wed Mar 23 17:28:43 2016 Info: New SMTP ICID 2 interface Management (172.18.250.222) address
172.18.250.224 reverse dns host dhcp-172-18-250-224.cisco.com verified yes
Wed Mar 23 17:28:43 2016 Info: ICID 2 RELAY SG RELAY match 172.18.250.1/24 SBRS not enabled
Wed Mar 23 17:28:43 2016 Info: Start MID 2 ICID 2
Wed Mar 23 17:28:43 2016 Info: MID 2 ICID 2 From: <[email protected]>
Wed Mar 23 17:28:43 2016 Info: MID 2 ICID 2 RID 0 To: <[email protected]>
Wed Mar 23 17:28:43 2016 Info: MID 2 Message-ID '<[email protected]>'
Wed Mar 23 17:28:43 2016 Info: MID 2 Subject 'TEST 2'
Wed Mar 23 17:28:43 2016 Info: MID 2 ready 320 bytes from <[email protected]>
Wed Mar 23 17:28:43 2016 Info: MID 2 matched all recipients for per-recipient policy DEFAULT in
the outbound table
Wed Mar 23 17:28:43 2016 Info: MID 2 queued for delivery
Wed Mar 23 17:28:43 2016 Info: New SMTP DCID 3 interface 172.18.250.222 address 173.37.93.161
port 25
Wed Mar 23 17:28:43 2016 Info: Delivery start DCID 3 MID 2 to RID [0]
Wed Mar 23 17:28:44 2016 Info: Message done DCID 3 MID 2 to RID [0]
Wed Mar 23 17:28:44 2016 Info: MID 2 RID [0] Response '2.0.0 u2NHSipG018673 Message accepted for
delivery'
Wed Mar 23 17:28:44 2016 Info: Message finished MID 2 done
Wed Mar 23 17:28:48 2016 Info: ICID 2 close
Wed Mar 23 17:28:49 2016 Info: DCID 3 close
In the above, we can see the SMTP communication establish on 172.18.250.222 (Beta appliance).
The address the traffic is sent from is 172.18.250.224 (Production appliance).
The Sender Group that receives the communication is "RELAY", allowing relayed traffic from the
172.18.250.1/24 network.
The rest is the MID communication and processing of the "TEST 2" message.
On the Production appliance, when running the same tail mail_logs and watching mail logs, the
MID processed on Production would show:
Wed Mar 23 14:50:10 2016 Info: MID 242 was generated based on MID 241 by bcc filter 'bcc-EFT'
This would be a clear cut splintering of the email message as received and BCC'd over to the Beta
appliance and test end-user as intended for receipt.
Additional Information
A content filter may be considered in order to help differentiate Production vs. Beta email traffic for
test end-users.
1. From the GUI on the Beta ESA, navigate to Mail Policies > Incoming Content
Filters or Mail Policies > Outgoing Content Filters.
2. Construct a basic content filter to perform an action of Add/Edit Header. No condition needs
to be set.
3. Click Submit to save changes to the content filter being constructed.
4. From Mail Policies > Incoming Mail Policies or Mail Policies > Outgoing Mail Policies,
enable and add the new content filter to the Policy name.
5. Click Submit to save the content filter to that policy.
6. Click Commit to save all changes to the configuration.
At this time, content filter should be Beta ESA will be similar to:
Now, when an email message is received on the Beta ESA you will see the following in the
Subject line of the email once processed:
Related Information
●
●
How to configure an ESA/SMA for staging updates
Technical Support & Documentation - Cisco Sys