OT: Need some system advice please

Res res at ausics.net
Mon Feb 26 22:25:12 CET 2007


And perhaps next time he will not ask such questions on this list,
there are thousands of micro$lop newsgroups/lists/forums out there, and 
there is always the sendmail newsgroup/mailing list


On Tue, 27 Feb 2007, Peter Nitschke wrote:

> Just a quick off the cuff reply.
>
> Delist the exchange server as an MX, so only have the MailScanner box
> accept email from the outside world.
>
> Use sendmail mailertable to route the processed mail to the Exchange box.
>
> Use smf-sav to verify users on the exchange box - eliminates dictionary etc
> attacks.
>
> Store no mail on the MS box, users can either pop or use Outlook from the
> Exchange box.
>
> Have external users also use the MS box for smtp even though they are
> popping from Exchange.
>
> Have done a few recently, works really well.
>
> Peter
>
>
> *********** REPLY SEPARATOR  ***********
>
> On 26/02/2007 at 10:17 AM Ken Goods wrote:
>
>> Set up: Sendmail/Mailscanner/SA/Clamav/Bitdefender as a gateway to our
>> internal Exchange Server serving several domains. Gateway server is
>> designated secondary mailserver (MX 20) in DNS and the exchange server
>> (which has both public and private IPs) is MX 10. All outbound mail is
>> sent directly from the Exchange Server. (We're a small shop and not really
>> concerned with scanning outbound mail.) Inbound mail is routed to the
>> MailScanner box by blocking port 25 to the Exchange Server from the big
>> "I" (inbound mail then gets resent to the secondary).
>>
>> Goal: Have some of our Outlook users connect directly to our exchange
>> server through our VPN (already implemented and working well), and have
>> others that have no need for scheduling and calendar connect using POP to
>> save resources and support calls.
>>
>> Problem: Using a guide (from where I can't remember) I have blocked port
>> 25 inbound to our Exchange Server and this does a couple things. It cuts
>> down the spam that is sent directly to the primary mail server as these
>> are, for the most part, not resent to the secondary if a connection to the
>> primary can't be made. It also keeps dictionary attacks from hitting our
>> Exchange server. (I use virtusertables in sendmail on the filter box to
>> only accept email to real users.)
>> But I need to allow the POP users to send outbound from the Primary
>> (Exchange Server) and they can't do this with port 25 blocked. I do have
>> port 110 open from the internet to the Exchange. I like the idea of being
>> able to open port 25 to the Exchange server if something goes wrong with
>> the MailScanner box and have no interruption in mail, even though it
>> wouldn't be scanned until the MailScanner box was up and running again.
>>
>> I like the way everything is set up now and it's working wonderfully so
>> I'm not happy about the thought of changing the DNS MX records and making
>> the MailScanner box the primary. For one thing, a lot of spam is sent
>> directly to the secondary servers in the hopes that they would have no
>> filtering done on them, which would be the case here. This would increase
>> spam getting through greatly.
>>
>> Possible solutions:
>> As far as I know there are only a couple reasonable ways to do this. I'm
>> sure there are many others that I haven't thought of and that's why I
>> posted this here. I know this isn't the best place to post this type of
>> question but the email admins on this list are the most knowledgeable and
>> helpful I have found anywhere on the net.
>>
>> 1. Have Exchange inbound SMTP listen on an alternate port and configure
>> the email clients to use this as their outgoing mail server port.
>> Pros: Allows me to continue blocking port 25 to the Exchange Server from
>> the internet. Fairly easy to implement.
>> Cons: If something went wrong with the MailScanner box I would have to
>> change the port back to 25 and open it to get regular mail and this would
>> break the POP users' accounts. It's possible (though not likely) that
>> spammers could discover the port that SMTP is listening on and direct
>> their spam to that port, effectively rendering filtering useless. And
>> there could be other problems that changing the SMTP port could do on an
>> Exchange Server that I don't even know about. :)
>>
>> 2. Set up the MailScanner box to relay outgoing email from POP users
>> (and/or possibly just set up mailboxes for all POP users and never have
>> their mail even delivered to the Exchange Box).
>> Pros: This would keep the POP user accounts completely off of the Exchange
>> box which would be a Good Thing (tm).
>> Cons: I'm not sure exactly how this would be accomplished. i.e. Can *some*
>> users of the same domain have their email stored locally on the
>> MailScanner box while the rest gets forwarded to the Exchange Server?
>> Seems like this is possible but could be an administration nightmare. LDAP
>> is not available (NT 4.0 domain controllers... I know... don't ask) :)
>>
>> If anyone has any ideas or offerings I'd be more than happy to hear them.
>> Anyone done something similar? Keep in mind I'm only fairly comfortable
>> with *nix boxes and have multiple systems to administer, AS400, Oracle
>> server, a couple MS SQL servers, Citrix server, IIS, proxy server, SNA
>> server, DNS, etc...etc... so whatever I come up with must be stable and
>> semi-easy to administer and maintain.
>>
>> Thanks for any and all suggestions....
>>
>> Kind Regards,
>> Ken
>>
>> Ken Goods
>> Network Administrator
>> CropUSA Insurance, Inc.
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>

-- 
Cheers
Res

"We can be Heroes, just for one day" - Davey (Jones) Bowie
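Added example, not from anyone in this thread: the sendmail map files that implement the split delivery Ken asks about in his option 2 and that Peter's reply (mailertable routing to the Exchange box, only real users accepted) sketches. Some users of one domain get a local POP mailbox on the MailScanner box, the rest are relayed to Exchange over the internal address, and any other recipient in the domain is rejected at RCPT TO, which is what keeps dictionary attacks off the Exchange server. The domain example.com, the user names and the address 192.0.2.10 are constructed placeholders; the lookup helpers are a convenience for checking what a recipient would get before running makemap, not part of sendmail. It assumes sendmail.mc already carries FEATURE(`virtusertable'), FEATURE(`mailertable') and VIRTUSER_DOMAIN(`example.com').

```shell
#!/bin/sh
# Added example (not from the thread): split delivery for one domain on the
# MailScanner gateway. example.com, the users and 192.0.2.10 are constructed.
# Assumes sendmail.mc has FEATURE(`virtusertable'), FEATURE(`mailertable')
# and VIRTUSER_DOMAIN(`example.com').
set -e

MAPDIR="${MAPDIR:-$(mktemp -d)}"      # /etc/mail on a real gateway

# virtusertable: an exact user@domain key wins over the @domain catch-all.
# A bare local part delivers to a mailbox on this box (POP users); a full
# address is rewritten and then routed by mailertable; error: rejects the
# recipient during the SMTP dialogue, so unknown users never reach Exchange.
cat > "$MAPDIR/virtusertable" <<'EOF'
alice@example.com   alice
bob@example.com     bob@exchange.example.com
@example.com        error:nouser No such user here
EOF

# mailertable: the brackets suppress the MX lookup, so mail for the rewritten
# domain goes straight to the internal Exchange address instead of back out
# to the public MX records (which would loop through the gateway again).
cat > "$MAPDIR/mailertable" <<'EOF'
exchange.example.com   esmtp:[192.0.2.10]
EOF

# Print the right-hand side of one key in a map file, or nothing.
map_lookup() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$MAPDIR/$1"
}

# Resolve a recipient the way virtusertable does: exact key, then @domain.
resolve_virtuser() {
    hit=$(map_lookup virtusertable "$1")
    [ -n "$hit" ] || hit=$(map_lookup virtusertable "@${1#*@}")
    printf '%s\n' "$hit"
}

# Describe the delivery decision for one envelope recipient.
route_for() {
    target=$(resolve_virtuser "$1")
    case "$target" in
        error:*) printf 'reject: %s\n' "${target#error:}" ;;
        *@*)     relay=$(map_lookup mailertable "${target#*@}")
                 printf 'relay %s via %s\n' "$target" "${relay:-MX lookup}" ;;
        '')      printf 'not a virtual domain here: %s\n' "$1" ;;
        *)       printf 'local mailbox: %s\n' "$target" ;;
    esac
}

# Build the hash databases sendmail actually reads, where makemap exists.
build_maps() {
    if command -v makemap >/dev/null 2>&1; then
        makemap hash "$MAPDIR/virtusertable" < "$MAPDIR/virtusertable"
        makemap hash "$MAPDIR/mailertable"   < "$MAPDIR/mailertable"
    fi
}

route_for alice@example.com     # local mailbox: alice
route_for bob@example.com       # relay bob@exchange.example.com via esmtp:[192.0.2.10]
route_for mallory@example.com   # reject: nouser No such user here
build_maps
```

The outbound half of Peter's suggestion (POP users submit through the MailScanner box rather than Exchange) does not need any of the maps above; it only needs the gateway to relay for those clients after SMTP AUTH (TRUST_AUTH_MECH in sendmail.mc) rather than for any source address, so that the box does not become an open relay once port 25 to Exchange is closed.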
