
I'm trying to configure my ESA C170 and all works as expected. But now I want to add support for the relay function for authenticated external users. I added an SMTP Auth Profile against LDAP that works. The next step is to configure the HAT and the sender group. If I add the Mail Flow Policy to HAT Relay and add my own IP to the sender group then it works, but I need it for all the internet. What I'm looking for is a rule that allows only authenticated users from 0.0.0.0/0 to relay, and all others should match accepted if the address is listed in the transport section. In the manual for AsyncOS I found the section "Configuring AsyncOS for SMTP Authentication"

SMTP Authentication and HAT Policy Settings

Because senders are grouped into the appropriate sender group before the SMTP Authentication negotiation begins, Host Access Table (HAT) settings are not affected. When a remote mail host connects, the appliance first determines which sender group applies and imposes the Mail Policy for that sender group. For example, if a remote MTA “suspicious.com” is in your SUSPECTLIST sender group, the THROTTLE policy will be applied, regardless of the results of “suspicious.com’s” SMTPAUTH negotiation.

However, senders that do authenticate using SMTPAUTH are treated differently than “normal” senders. The connection behavior for successful SMTPAUTH sessions changes to “RELAY,” effectively bypassing the Recipient Access Table (RAT) and LDAPACCEPT. This allows the sender to relay messages through the appliance. As stated, any Rate Limiting or throttling that applies will remain in effect.

I'm searching for the configuration path of "senders that do authenticate using SMTPAUTH are treated differently", but there is nothing like that.

Here's my current HAT. If I add my own IP to the sender list of sender group RELAYLIST then I can see the AUTHMECH in the SMTP dialog (sender group RELAYLIST). How can I change the sender groups to show SMTP AUTH like this

Connected to 192.168.100.3.
Escape character is '^]'.
220 ironport.domain.tld ESMTP
ehlo test
250-ironport.domain.tld
250-8BITMIME
250 SIZE 10485760
250-AUTH PLAIN LOGIN
250 AUTH=PLAIN LOGIN

for all external users to log in? If I change the sender list to 0.0.0.0/0 then everyone must authenticate against the IronPort, so I cannot accept messages for our own recipients.

kockiren
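The quoted manual text describes two steps: the sender group is chosen from the connecting IP before any AUTH happens, and a successful AUTH then switches that session to RELAY. Below is a simplified model of that evaluation, added here as an example and not Cisco's code; it assumes a per-policy SMTP Authentication setting of off/preferred/required, uses a constructed HAT rather than the poster's, and adds a check for groups that would relay for outside addresses without requiring AUTH.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Policy:
    name: str
    behaviour: str          # "ACCEPT" (RAT applies) or "RELAY" (RAT bypassed)
    smtp_auth: str = "off"  # assumed per-policy setting: "off", "preferred" or "required"

@dataclass
class SenderGroup:
    name: str
    networks: list          # CIDR strings; the HAT is walked top-down, first match wins
    policy: Policy

def match_sender_group(hat, client_ip):
    """Pick the sender group from the connecting IP alone, before any AUTH is negotiated."""
    addr = ip_address(client_ip)
    for group in hat:
        if any(addr in ip_network(net) for net in group.networks):
            return group
    return None

def session_outcome(hat, client_ip, authenticated=False):
    """Return (sender group, effective connection behaviour, whether AUTH is advertised)."""
    group = match_sender_group(hat, client_ip)
    if group is None:
        return None, "REJECT", False
    pol = group.policy
    offers_auth = pol.smtp_auth != "off"
    if authenticated and offers_auth:
        return group.name, "RELAY", True   # manual: a successful SMTPAUTH session becomes RELAY
    if pol.smtp_auth == "required":
        return group.name, "REJECT", True  # unauthenticated mail is refused under "required"
    return group.name, pol.behaviour, offers_auth

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
def open_relay_groups(hat):
    """Groups that RELAY for addresses outside RFC 1918 space without requiring AUTH."""
    return [g.name for g in hat
            if g.policy.behaviour == "RELAY" and g.policy.smtp_auth != "required"
            and not all(any(ip_network(n).subnet_of(p) for p in RFC1918) for n in g.networks)]

# Constructed HAT (not the poster's): an internal relay group first, then a catch-all
# ACCEPTED group that offers AUTH, so unauthenticated mail still goes through the RAT.
HAT = [
    SenderGroup("RELAYLIST", ["192.168.100.0/24"], Policy("RELAYED", "RELAY")),
    SenderGroup("ALL", ["0.0.0.0/0"], Policy("ACCEPTED", "ACCEPT", "preferred")),
]
```

With this HAT an outside client that does not authenticate is ACCEPTed and still subject to the RAT, while the same client after a successful AUTH is switched to RELAY; a RELAY group on 0.0.0.0/0 that does not require AUTH is reported by open_relay_groups.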
