Cisco Email Security Appliance

ESA Outbound Traffic Relay Configuration Example

Document ID: 117798

Updated: Jun 11, 2014

Contributed by Jerry Orona, Andy Lau, and Robert Sherwin, Cisco TAC Engineers.



This document describes how to relay outbound traffic on the Email Security Appliance (ESA).


The ESA GUI provides a convenient interface with which to configure outbound relay hosts. You can configure relay hosts in the Host Access Table (HAT) if you click the Mail Policies tab and navigate to the HAT Overview menu item. In a standard configuration, hosts relay from your system over a private listener. You can also choose to relay over a public listener. In each case, select the appropriate listener from the Listener drop-down menu in order to display the Sender Groups for that listener.

Private Listener

  1. When a private listener is configured, click the RelayList hyperlink in order to edit this Sender Group.

  2. From the Edit Sender Group page, you can add senders to the RelayList Sender Group by IP address, IP Range, Host or Domain Name, SenderBase Reputation Score, or DNS list.

  3. Once you have added your host to the RelayList, that host is allowed to relay mail through your ESA.

Public Listener

When you relay through a public listener, no RelayList SenderGroup or Mail Flow Policy exists. Therefore, you must manually add them.

Complete these steps in order to manually add Sender Groups:

  1. Under Mail Flow Policies, click Add Policy.

  2. Assign a name to the policy and choose Relay from the Connection Behavior drop-down menu.

  3. Click Submit and Commit Changes.

  4. Go to HAT Overview and click Add Sender Group, after you choose the listener from the drop-down menu.

  5. After you enter a name for the Sender Group, choose the Mail Flow you recently added from the Policy drop-down menu.

  6. Click Submit and Add Senders in order to add your first relay host.


Review of the mail_logs for the IP address or host via grep or tail, or use findevent to search via message from, message ID, subject, or message to in order to assure the relay host is configured as expected.


There is currently no specific troubleshooting information available for this configuration.

Updated: Jun 11, 2014
Document ID: 117798