OT: Need some system advice please

Peter Nitschke email at ace.net.au
Mon Feb 26 21:26:30 CET 2007


Just a quick off the cuff reply.

Delist the exchange server as an MX, so only have the MailScanner box
accept email from the outside world.

Use sendmail mailertable to route the processed mail to the Exchange box.

Use smf-sav to verify users on the exchange box - eliminates dictionary etc
attacks.

Store no mail on the MS box, users can either pop or use Outlook from the
Exchange box.

Have external users also use the MS box for smtp even though they are
popping from Exchange.

Have done a few recently, works really well.

Peter


*********** REPLY SEPARATOR  ***********

On 26/02/2007 at 10:17 AM Ken Goods wrote:

>Set up: Sendmail/Mailscanner/SA/Clamav/Bitdefender as a gateway to our
>internal Exchange Server serving several domains. Gateway server is
>designated secondary mailserver (MX 20) in DNS and the exchange server
>(which has both public and private IP's) is MX 10. All outbound mail is
>sent
>directly from the Exchange Server. (We're a small shop and not really
>concerned with scanning outbound mail. Inbound mail is routed to the
>MailScanner box by blocking port 25 to the Exchange Server from the big
"I"
>(inbound mail then gets resent to the secondary).
> 
>Goal: Have some of our Outlook users connect directly to our exchange
>server
>through our VPN (already implemented and working well), and have others
>that
>have no need for scheduling and calendar connect using POP to save
>resources
>and support calls. 
> 
>Problem: Using a guide (from where I can't remember) I have blocked port
25
>inbound to our Exchange Server and this does a couple things. It cuts down
>the spam that is sent directly to the primary mail server as these are,
for
>the most part, not resent to the secondary if a connection to the primary
>can't be made. It also keeps dictionary attacks from hitting our Exchange
>server. (I use virtusertables in sendmail on the filter box to only accept
>email to real users)
>But I need to allow the POP users to send outbound from the Primary
>(Exchange Server) and they can't do this with port 25 blocked. I do have
>port 110 open from the internet to the Exchange I like the idea of being
>able to open port 25 to the Exchange server if something goes wrong with
>the
>MailScanner box and have no interruption in mail, even though it wouldn't
>be
>scanned until the MailScanner box was up and running again. 
> 
>I like the way everything is set up now and it's working wonderfully so
I'm
>not happy about the thought of changing the DNS MX records and making the
>MailScanner box the primary. For one thing, a lot of spam is sent directly
>to the secondary servers in the hopes that they would have no filtering
>done
>on them which would be the case here. This would increase spam getting
>through greatly. 
> 
>Possible solutions: 
>As far as I know there are only a couple reasonable ways to do this. I'm
>sure there are many others that I haven't thought of and that's why I
>posted
>this here. I know this isn't the best place to post this type of question
>but the email admins on this list are the most knowledgeable and helpful I
>have found anywhere on the net.
> 
>1. Have Exchange inbound SMPT listen on an alternate port and configure
the
>email clients to use this as their outgoing mail server port.
>Pros: Allows me to continue blocking port 25 to the Exchange Server from
>the
>internet. Fairly easy to implement.
>Cons: If something when wrong with the MailScanner box I would have to
>change the port back to 25 and open it to get regular mail and this would
>break the POP users accounts. It's possible (though not likely) that
>spammers could discover the port that SMTP is listening on and direct
their
>spam to that port effectively rendering filtering useless. And there could
>be other problems that changing the SMTP port could do on an Exchange
>Server
>that I don't even know about. :)  
> 
>2. Set up the MailScanner box to relay outgoing email from POP users
>(and/or
>possibly just set up mailboxes for all POP users and never have their mail
>even delivered to the Exchange Box.
>Pros: This would keep the POP user accounts completely off of the Exchange
>box which would be a Good Thing (tm).
>Cons: I'm not sure exactly how this would be accomplished. i.e. Can *some*
>users of the same domain have their email stored locally on the
MailScanner
>box while the rest gets forwarded to the Exchange Server? Seems like this
>is
>possible but could be an administration nightmare. LDAP is not available
>(NT
>4.0 domain controllers... I know... don't ask) :)
> 
>If anyone has any ideas or offerings I'd be more than happy to hear them.
>Anyone done something similar? Keep in mind I'm only fairly comfortable
>with
>*nix boxes and have multiple systems to administer, AS400, Oracle server,
a
>couple MS SQL servers, Citrix server, IIS, proxy server, SNA server, DNS,
>etc...etc... so whatever I come up with must be stable and semi-easy to
>administer and maintain.
> 
>Thanks for any and all suggestions....  
> 
>Kind Regards,
>Ken
> 
>Ken Goods
>Network Administrator
>CropUSA Insurance, Inc.
>
>
>-- 
>MailScanner mailing list
>mailscanner at lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>Before posting, read http://wiki.mailscanner.info/posting
>
>Support MailScanner development - buy the book off the website!





More information about the MailScanner mailing list