OT: Need some system advice please

Ken Goods KGoods at AIAInsurance.com
Mon Feb 26 19:17:35 CET 2007


Set up: Sendmail/Mailscanner/SA/Clamav/Bitdefender as a gateway to our
internal Exchange Server serving several domains. Gateway server is
designated secondary mailserver (MX 20) in DNS and the exchange server
(which has both public and private IPs) is MX 10. All outbound mail is sent
directly from the Exchange Server. (We're a small shop and not really
concerned with scanning outbound mail.) Inbound mail is routed to the
MailScanner box by blocking port 25 to the Exchange Server from the big "I"
(inbound mail then gets resent to the secondary).
 
Goal: Have some of our Outlook users connect directly to our exchange server
through our VPN (already implemented and working well), and have others that
have no need for scheduling and calendar connect using POP to save resources
and support calls. 
 
Problem: Using a guide (from where I can't remember) I have blocked port 25
inbound to our Exchange Server and this does a couple things. It cuts down
the spam that is sent directly to the primary mail server as these are, for
the most part, not resent to the secondary if a connection to the primary
can't be made. It also keeps dictionary attacks from hitting our Exchange
server. (I use virtusertables in sendmail on the filter box to only accept
email to real users.)
But I need to allow the POP users to send outbound from the Primary
(Exchange Server) and they can't do this with port 25 blocked. I do have
port 110 open from the internet to the Exchange. I like the idea of being
able to open port 25 to the Exchange server if something goes wrong with the
MailScanner box and have no interruption in mail, even though it wouldn't be
scanned until the MailScanner box was up and running again. 
 
I like the way everything is set up now and it's working wonderfully so I'm
not happy about the thought of changing the DNS MX records and making the
MailScanner box the primary. For one thing, a lot of spam is sent directly
to the secondary servers in the hopes that they would have no filtering done
on them which would be the case here. This would increase spam getting
through greatly. 
 
Possible solutions: 
As far as I know there are only a couple reasonable ways to do this. I'm
sure there are many others that I haven't thought of and that's why I posted
this here. I know this isn't the best place to post this type of question
but the email admins on this list are the most knowledgeable and helpful I
have found anywhere on the net.
 
1. Have Exchange inbound SMTP listen on an alternate port and configure the
email clients to use this as their outgoing mail server port.
Pros: Allows me to continue blocking port 25 to the Exchange Server from the
internet. Fairly easy to implement.
Cons: If something went wrong with the MailScanner box I would have to
change the port back to 25 and open it to get regular mail and this would
break the POP users' accounts. It's possible (though not likely) that
spammers could discover the port that SMTP is listening on and direct their
spam to that port effectively rendering filtering useless. And there could
be other problems that changing the SMTP port could do on an Exchange Server
that I don't even know about. :)  
 
2. Set up the MailScanner box to relay outgoing email from POP users (and/or
possibly just set up mailboxes for all POP users and never have their mail
even delivered to the Exchange Box).
Pros: This would keep the POP user accounts completely off of the Exchange
box which would be a Good Thing (tm).
Cons: I'm not sure exactly how this would be accomplished. i.e. Can *some*
users of the same domain have their email stored locally on the MailScanner
box while the rest gets forwarded to the Exchange Server? Seems like this is
possible but could be an administration nightmare. LDAP is not available (NT
4.0 domain controllers... I know... don't ask) :)
 
If anyone has any ideas or offerings I'd be more than happy to hear them.
Anyone done something similar? Keep in mind I'm only fairly comfortable with
*nix boxes and have multiple systems to administer, AS400, Oracle server, a
couple MS SQL servers, Citrix server, IIS, proxy server, SNA server, DNS,
etc...etc... so whatever I come up with must be stable and semi-easy to
administer and maintain.
 
Thanks for any and all suggestions....  
 
Kind Regards,
Ken
 
Ken Goods
Network Administrator
CropUSA Insurance, Inc.
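The following is an added example from the list editor, not code from Ken's post or from the MailScanner project. It sketches option 2 in sendmail terms: one domain split so that a few POP users are delivered to local mailboxes on the gateway while everyone else is routed on to Exchange, recipients with no entry refused before they ever reach Exchange, and the POP users' outbound mail accepted only on the authenticated submission port (587) so port 25 into Exchange can stay closed. Everything concrete in it is assumed: the domain example.com, an Exchange server at 192.0.2.10 (an RFC 5737 test address), local accounts alice and bob served by a POP daemon on the gateway, an Exchange user carol, and a sendmail built with Cyrus SASL and STARTTLS. The script only writes the files to a directory of your choosing for review (a temp dir by default) and compiles the maps if makemap is present; it never touches /etc/mail.

```shell
#!/bin/sh
# Added example (not from the original post or MailScanner): sendmail gateway
# configuration that splits one domain between local POP mailboxes and
# Exchange, refuses recipients it has no entry for, and takes the POP users'
# outbound mail on the authenticated submission port so port 25 into
# Exchange can stay blocked.
# Assumed placeholders: domain example.com, Exchange at 192.0.2.10 (RFC 5737
# test address), local POP accounts alice/bob, Exchange user carol.
# Files go to "$1" (default: a fresh temp dir) for review; /etc/mail is
# never written.

DEST=${1:-$(mktemp -d)}

write_mc_fragment() {
  # Lines to merge into /etc/mail/sendmail.mc. The heredoc delimiter is
  # quoted so the m4 backquotes reach the file untouched.
  cat > "$1/sendmail.mc.fragment" <<'EOF'
dnl --- routing maps -------------------------------------------------------
dnl virtusertable rewrites addresses, mailertable routes a domain to a host,
dnl access decides who may relay: mailertable routes but never authorises.
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access.db')dnl
dnl Apply virtusertable to example.com without putting it in class w (local),
dnl so addresses with no virtusertable entry still go through mailertable.
VIRTUSER_DOMAIN(`example.com')dnl
dnl --- listeners ----------------------------------------------------------
dnl Port 25 serves MX traffic; port 587 requires AUTH (M=a) and drops ETRN (M=E).
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl --- SMTP AUTH (sendmail built with Cyrus SASL) --------------------------
dnl Senders who authenticate with a trusted mechanism may relay.
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl
dnl A: honour AUTH= only after successful auth; p: no PLAIN/LOGIN before
dnl STARTTLS is up; y: no anonymous login. Certificate paths are placeholders.
define(`confAUTH_OPTIONS', `A p y')dnl
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/ca.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/gateway.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/gateway.key')dnl
EOF
}

write_maps() {
  # virtusertable: only the POP users, mapped to local Unix accounts that a
  # POP daemon on the gateway serves. No catch-all: unknown users are stopped
  # by the relay check below, so Exchange users need no entry here.
  printf '%s\n' \
    'alice@example.com   alice' \
    'bob@example.com     bob' > "$1/virtusertable"

  # mailertable: everything else for the domain goes to Exchange. The
  # brackets force direct delivery to that host; without them sendmail would
  # follow the MX records, which point back at the gateway itself.
  printf '%s\n' 'example.com   smtp:[192.0.2.10]' > "$1/mailertable"

  # access: relay permission per recipient and no domain-wide RELAY entry.
  # A RCPT for any other address in the domain is answered "Relaying denied"
  # and never reaches Exchange, which is what blunts dictionary attacks.
  printf '%s\n' \
    'To:alice@example.com   RELAY' \
    'To:bob@example.com     RELAY' \
    'To:carol@example.com   RELAY' > "$1/access"
}

compile_maps() {
  # Build the .db files only where sendmail's makemap exists; the text maps
  # are written either way so they can be reviewed first.
  if ! command -v makemap >/dev/null 2>&1; then
    echo "makemap not found: maps written to $1 but not compiled" >&2
    return 0
  fi
  for m in virtusertable mailertable access; do
    makemap hash "$1/$m" < "$1/$m"
  done
}

# Helpers for checking the output: how many recipients may be relayed, and
# whether the submission listener really demands authentication.
relay_entry_count() { grep -c '^To:.*RELAY$' "$1/access"; }
msa_requires_auth() { grep -q 'Port=submission.*M=Ea' "$1/sendmail.mc.fragment"; }

write_mc_fragment "$DEST"
write_maps "$DEST"
compile_maps "$DEST"
echo "gateway configuration written to $DEST"
```

Two points about the design. First, this does the "real users only" filtering in the access map rather than with a domain-wide virtusertable error entry, so the two approaches should not be combined for the same domain: with VIRTUSER_DOMAIN, an address that has no virtusertable entry falls through to mailertable and on to Exchange, and it is the missing `To:` RELAY entry that rejects it. After rebuilding sendmail.cf, `sendmail -bt` with `check_rcpt dave@example.com` should answer with the relaying-denied error while `carol@example.com` returns RELAY, and `sendmail -bv alice@example.com carol@example.com` should show the local mailer for alice and the smtp mailer for carol. Second, because the POP clients submit to the same sendmail that MailScanner queues and scans, their outbound mail is scanned as a side effect, and the `p` flag means their passwords are only ever sent inside STARTTLS; until the certificate files exist, authentication on 587 will simply be refused rather than falling back to cleartext.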
