Weird question

Ken Goods KGoods at AIAInsurance.com
Mon Jul 2 21:40:12 IST 2007


Chuck Rock wrote:
> Excellent, I will test.
> 
> Basically for the other guy, I had a mail server running MS and
> clamAV and SpamAssassin. All free stuff, works nice mostly.
> 
> I purchased a Barracuda to "add" domains to with an extra fee for the
> expensive commercial spam filter.
> 
> The final destination server is still the same. I just changed MX so
> only the Barracuda was listed.
> 
> What I've found through experience though, servers will continue to
> send mail to the old MX record even though it doesn't exist. I still
> have servers receiving messages for domains we haven't hosted for
> years. 
> 
> To keep the spammers from bypassing the new Barracuda filter inserted
> in the mail flow, I must make the final destination server ignore
> messages from all other IPs for incoming mail destined for specific
> domains and only allow them from the new spam filter device IP.
> 
> If any of you have a filter like this, and you haven't limited the
> old MX server from receiving mail from just any IP for the domain,
> spam is probably getting past your new filter.
> 
> Thanks,
> Chuck

Hi Chuck,
I had a similar problem come up recently. We were using a MS/SA/Clam box in
front of our Exchange box. I had closed port 25 to the Exchange box from the
big "I" so only mail coming from the filter box would make it to the
Exchange server although both had MX DNS records with the Exchange box being
the primary. We had people outside connecting to the Exchange box with
Outlook (in corporate mode) through OpenVPN. 

Then it seems that the powers that be wanted people to be able to connect
directly to the Exchange box using standard email clients (POP/SMTP) and
obviously that couldn't be done with port 25 blocked. What I did was
this.... I made the filter box the primary, removed the DNS entries for the
Exchange box and opened port 25 to the Exchange box. I still get a few spams
a day (very few) that are connecting via IP address but other than that it
works a charm.

If you don't need anyone connecting to your final destination server from
the outside, simply block port 25 incoming to it. If both servers are within
your DMZ this should work perfectly and you won't have to mess with rules or
other configurations. Outgoing mail will still flow from the final
destination server since you're not blocking 25 outgoing. I ran my
mail server like that for almost 2 years without problems.

Just another option, as always YMMV...

Kind regards,
Ken


Ken Goods
Network Administrator
CropUSA Insurance, Inc.
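As an added example (not code from Chuck's or Ken's messages), the Python below checks a final-destination server's SMTP connection log for deliveries that did not come from the filter host, which is exactly the bypass Chuck describes, and renders the firewall rules for Ken's "block port 25 incoming except from the filter" advice. The hostnames, addresses and log lines are constructed for the example.

```python
import ipaddress
import re

# Constructed Postfix-style "connect from" log lines for the final-destination
# server; every hostname and address here is made up for this example.
SAMPLE_LOG = """\
Jul  2 21:40:12 mx-final postfix/smtpd[1234]: connect from filter.example.net[192.0.2.10]
Jul  2 21:41:03 mx-final postfix/smtpd[1235]: connect from unknown[198.51.100.77]
Jul  2 21:42:55 mx-final postfix/smtpd[1236]: connect from filter.example.net[192.0.2.10]
Jul  2 21:43:30 mx-final postfix/smtpd[1237]: connect from mail.example.org[203.0.113.5]
Jul  2 21:44:01 mx-final postfix/smtpd[1238]: connect from localhost[127.0.0.1]
"""

# Sources allowed to deliver inbound mail directly: the spam-filter appliance
# and loopback (assumed values; substitute the real filter address).
ALLOWED_SOURCES = [ipaddress.ip_network("192.0.2.10/32"),
                   ipaddress.ip_network("127.0.0.0/8")]

CONNECT_RE = re.compile(r"connect from (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]")


def is_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def find_bypass_connections(log_text):
    """Return (timestamp, host, ip) for each SMTP connection that did not come
    from an allowed source, i.e. mail arriving around the filter."""
    hits = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m and not is_allowed(m.group("ip")):
            hits.append((line[:15], m.group("host"), m.group("ip")))
    return hits


def nft_rules(filter_ips, chain="input"):
    """Render nftables rules for 'only the filter may reach port 25'.
    Assumes a table 'inet filter' with the given chain already exists."""
    rules = []
    for ip in filter_ips:
        rules.append(f"add rule inet filter {chain} ip saddr {ip} tcp dport 25 accept")
    rules.append(f"add rule inet filter {chain} tcp dport 25 drop")
    return rules


if __name__ == "__main__":
    for ts, host, ip in find_bypass_connections(SAMPLE_LOG):
        print(f"{ts}  bypass from {host} [{ip}]")
    print("\n".join(nft_rules(["192.0.2.10"])))
```

Run it against the real maillog after the MX change; any hit that is not the filter's address is a sender still delivering to the old MX or to the bare IP.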

