RE: Message Screener vs. GFI - First time setup...

  • From: "Paul Laudenslager" <paul@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 16 Mar 2005 19:55:17 -0500

Hi John,

Thank you for taking the time to respond.

Yes, I don't mind having remote clients change an IP.  Is there a reason why
you chose port 587..??  Is this a common practice?

I assume then that if something comes in on the standard SMTP port, there's
no way to differentiate between an SMTP server sending mail and a legitimate
user relaying mail.  Correct?

Thanks again! :)

Paul

P.S. I did some research and was not aware of the support for moving to 587.
Imagine that...  Thanks!

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, March 16, 2005 9:49 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Message Screener vs. GFI - First time setup...

http://www.ISAserver.org

One thing you can do is change the SMTP listening port of the production
servers to 587 and have all clients configure their e-mail client to that
port for SMTP.

You do not want to have the users send via the gateways, which is what the
message screener/GFI box is to your production servers.

Depending on which flavor of mail server you are using, you may be able to
configure it to only receive from either authenticated users or from listed
IP addresses. (Those of your gateway server)

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -----Original Message-----
> From: Paul Laudenslager [mailto:paul@xxxxxxxxxxxx]
> Sent: Wednesday, March 16, 2005 5:34 AM
> To: [ISAserver.org Discussion List]
> Cc: support-team@xxxxxxxxxxxx
> Subject: [isalist] Message Screener vs. GFI - First time setup...
> 
> http://www.ISAserver.org
> 
> Hi Everyone,
> 
> First, I'd like to thank you for your time in reading this email.  I
> could use some help in planning and rolling out some spam/virus
> filtering services for our network.
> 
> We have (2) production mail servers behind an ISA firewall.  They are 
> not Exchange boxes and users currently access their mail via POP3, 
> IMAP, SMTP, and Web.
> 
> I'm setting up a separate machine as either a Message Screener or GFI
> MailSecurity/MailEssentials server to help alleviate the load that our
> current mail servers are performing.  I'll call this machine "IMF"
> from here on out.
> 
> I'm under the impression that with either product (MS or GFI) I will
> be setting up the SMTP service on an IIS 5.0/6.0 box.  I'm familiar
> with the SMTP service so this is not a problem.  I'm also assuming
> that I will have to add EVERY SINGLE DOMAIN that we receive mail for
> (around 1,000) to the SMTP service to prevent relay through the IMF
> Server.  So far, so good...
> 
> I currently require SMTP authentication for my users to send outgoing
> mail.  Most users use the following setup within their POP clients...
>
>       Incoming Mail Server: mail.theirdomain.com
>       Outgoing Mail Server: mail.theirdomain.com
> 
> And the MX record points to the appropriate IP of their production 
> mail server.
> 
> If I roll out an IMF Server, then I'll have to update the 'A' record
> FROM their current production mail server TO the IP of the new IMF Server.
> However, my users would no longer be able to relay mail remotely
> (which is what they all do) as they don't have individual accounts on
> the IMF Server.  I believe this would cause authentication prompts to
> my customer base and my phone would start ringing like MAD. Am I
> correct here?
> 
> Finally, to my questions...
> 
> Q.  Can ISA determine the difference between a remote client sending
> an email to their SMTP Server AS COMPARED to a remote mail server
> delivering a new message to our network using SMTP?
> 
> If so, I could route SMTP client requests to their original mail server
> (to authenticate and send their mail) and other SMTP requests from
> remote mail servers to go to the IMF Server.  If not, I'm thinking
> that I'll have to add every single user account (thousands) to the IMF
> box.  BTW, our network is using standalone member servers (not an AD
> network).
> 
> Not all users have the ability to relay through their local ISP
> either, which rules out the possibility of closing down the relay
> feature for remote clients.
> 
> Q.  I was also considering the possibility of keeping the users' 'A'
> record (which is mail.theirdomain.com) to point to the production mail
> server and then just add a new 'A' record that points to the IMF
> server and use that as the MX record.
> 
> However, I've heard that spammers circumvent that by sending directly 
> to mail.somedomain.com without even looking at MX records or even skip 
> the first MX record and send directly to the 2nd (or later record).
> 
> Ok, I'm beginning to ramble.  If you hung with me this far, I really 
> do appreciate it.
> 
> Any comments or suggestions you might have would be greatly appreciated.
> Thanks in advance for your time and consideration.
> 
> Paul L.
> 
> 
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com Leading 
> Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org Windows 
> Security Resource Site: http://www.windowsecurity.com/ Network 
> Security Library: http://www.secinf.net/ Windows 2000/NT Fax 
> Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> johnlist@xxxxxxxxxxxxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
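
The split discussed in this thread (clients submit on port 587, and the production server receives only from authenticated users or from the gateway's IP addresses) can be written as an accept/reject rule. The sketch below is an added example, not part of the thread or of any mail server's configuration; the addresses, the sample sessions and the rule that the gateway hands off only hosted domains are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for illustration; none come from the thread.
SUBMISSION_PORT = 587
GATEWAY_NETS = [ipaddress.ip_network("192.0.2.10/32")]   # the filtering gateway
LOCAL_DOMAINS = {"theirdomain.com"}                       # domains hosted here

@dataclass
class Session:
    src_ip: str          # peer address of the SMTP connection
    port: int            # port the peer connected to
    authenticated: bool  # True once SMTP AUTH succeeded
    rcpt_domain: str     # domain part of RCPT TO

def from_gateway(src_ip: str) -> bool:
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in GATEWAY_NETS)

def decide(s: Session) -> tuple[bool, str]:
    """Accept or reject one recipient on the production server."""
    if s.port != SUBMISSION_PORT:
        return False, "not listening on this port"
    if s.authenticated:
        return True, "authenticated user, relay allowed"
    if from_gateway(s.src_ip):
        # Assumption: the gateway only hands off mail for hosted domains.
        if s.rcpt_domain.lower() in LOCAL_DOMAINS:
            return True, "filtered inbound mail from gateway"
        return False, "gateway may not relay to foreign domains"
    return False, "unauthenticated and not the gateway"

# Constructed sample sessions.
SAMPLES = {
    "remote user sending out": Session("198.51.100.7", 587, True, "example.org"),
    "gateway delivering inbound": Session("192.0.2.10", 587, False, "theirdomain.com"),
    "direct-to-host on port 25": Session("203.0.113.9", 25, False, "theirdomain.com"),
    "unauthenticated on 587": Session("203.0.113.9", 587, False, "theirdomain.com"),
}

def evaluate_samples() -> dict[str, bool]:
    return {name: decide(s)[0] for name, s in SAMPLES.items()}

if __name__ == "__main__":
    for name, s in SAMPLES.items():
        print(f"{name:28} -> {decide(s)}")
```

The last two sample sessions are the bypass raised in the original question: a sender that ignores the MX record and connects straight to the production host is refused on both ports, so unfiltered mail cannot skip the gateway.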

