RE: Message Screener vs. GFI - First time setup...

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 16 Mar 2005 06:13:45 -0800

You have an interesting problem...
A1 - No; ISA has no way to know if the host making an SMTP connection is
a client or server application.  That would require:
        1. knowing all the "helo" banners for every SMTP server and
client app out there
        2. being able to tell when someone is lying about being a client
or server app

A2 - Do Not mix up the public MX and A records for your mail server.
This will cause you no end of grief.  While most mail servers use the MX
lookup, many also use the A and PTR records to validate the sending
host.

Spammers don't "circumvent" MX records any more than they "circumvent"
your A records unless you've somehow made your DNS server publicly
changeable.

-----Original Message-----
From: Paul Laudenslager [mailto:paul@xxxxxxxxxxxx] 
Sent: Wednesday, March 16, 2005 5:34 AM
To: [ISAserver.org Discussion List]
Cc: support-team@xxxxxxxxxxxx
Subject: [isalist] Message Screener vs. GFI - First time setup...

Hi Everyone,

First, I'd like to thank you for your time in reading this email.  I
could use some help in planning and rolling out some spam/virus
filtering services for our network.

We have (2) production mail servers behind an ISA firewall.  They are
not Exchange boxes and users currently access their mail via POP3, IMAP,
SMTP, and Web.

I'm setting up a separate machine as either a Message Screener or GFI
MailSecurity/MailEssentials server to help alleviate the load that our
current mail servers are performing.  I'll call this machine "IMF" from
here on out.

I'm under the impression that with either product (MS or GFI) I will be
setting up the SMTP service on an IIS 5.0/6.0 box.  I'm familiar with
the SMTP service so this is not a problem.  I'm also assuming that I
will have to add EVERY SINGLE DOMAIN that we receive mail for (around
1,000) to the SMTP service to prevent relay through the IMF Server.  So
far, so good...

I currently require SMTP authentication for my users to send outgoing
mail.  Most users use the following setup within their POP clients...

        Incoming Mail Server: mail.thierdomain.com
        Outgoing Mail Server: mail.thierdomain.com

And the MX record points to the appropriate IP of their production mail
server.

If I roll out an IMF Server, then I'll have to update the 'A' record
FROM their current production mail server TO the IP of the new IMF
Server.  However, my users would no longer be able to relay mail
remotely (which is what they all do) as they don't have individual
accounts on the IMF Server.  I believe this would cause authentication
prompts to my customer base and my phone would start ringing like MAD.
Am I correct here?

Finally, to my questions...

Q.  Can ISA determine the difference between a remote client sending an
email to their SMTP Server AS COMPARED to a remote mail server
delivering a new message to our network using SMTP?

If so, I could route SMTP client requests to their original mail server
(to authenticate and send their mail) and other SMTP requests from
remote mail servers to go to the IMF Server.  If not, I'm thinking that
I'll have to add every single user account (thousands) to the IMF box.
BTW, our network is using stand alone member servers (not an AD
network).

Not all users have the ability to relay through their local ISP either,
which rules out the possibility of closing down the relay feature for
remote clients.

Q.  I was also considering the possibility of keeping the users' 'A'
record (which is mail.theirdomain.com) to point to the production mail
server and then just add a new 'A' record that points to the IMF server
and use that as the MX record.

However, I've heard that spammers circumvent that by sending directly to
mail.somedomain.com without even looking at MX records or even skip the
first MX record and send directly to the 2nd (or later record).

Ok, I'm beginning to ramble.  If you hung with me this far, I really do
appreciate it.

Any comments or suggestions you might have would be greatly appreciated.
Thanks in advance for your time and consideration.

Paul L.
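
Added example, not part of the original thread: a simplified form of the A and PTR validation mentioned in answer A2, run against the two record layouts discussed in the question. The names under example.test, the documentation addresses and both functions are constructed for illustration, and it assumes the production mail server is the host that sends outbound mail.

```python
# Constructed DNS data: placeholder names, RFC 5737 documentation addresses.
SPLIT = {  # the A record stays on the mail server; a new name carries the MX
    "A": {"mail.example.test": "192.0.2.10", "imf.example.test": "192.0.2.20"},
    "MX": {"example.test": ["imf.example.test"]},
    "PTR": {"192.0.2.10": "mail.example.test", "192.0.2.20": "imf.example.test"},
}
MOVED = {  # mail.example.test repointed at the filter; PTRs left as they were
    "A": {"mail.example.test": "192.0.2.20"},
    "MX": {"example.test": ["mail.example.test"]},
    "PTR": {"192.0.2.10": "mail.example.test"},
}

def validate_sender(zone, ip, helo_name):
    """Checks a receiving server can make on a connecting host (A and PTR)."""
    problems = []
    # The announced name must have an A record equal to the connecting IP.
    if zone["A"].get(helo_name.lower()) != ip:
        problems.append(f"A record for {helo_name} is not {ip}")
    # The IP must have a PTR, and that name must resolve back to the IP.
    ptr = zone["PTR"].get(ip)
    if ptr is None:
        problems.append(f"no PTR record for {ip}")
    elif zone["A"].get(ptr.lower()) != ip:
        problems.append(f"PTR {ptr} does not resolve back to {ip}")
    return problems

def audit(zone, domain, outbound):
    """outbound maps each sending host's IP to the name it announces."""
    findings = []
    for host in zone["MX"].get(domain, []):
        if host not in zone["A"]:
            findings.append(f"MX target {host} has no A record")
    for ip, name in outbound.items():
        findings += validate_sender(zone, ip, name)
    return findings

if __name__ == "__main__":
    senders = {"192.0.2.10": "mail.example.test"}  # production server sends out
    for label, zone in (("split", SPLIT), ("moved", MOVED)):
        print(label, audit(zone, "example.test", senders) or "consistent")
```

With the A record moved to the filter, the production server's outbound mail fails both checks, while the split layout passes.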
 


