Educause Security Discussion mailing list archives
Re: smtp redirection
From: Graham Toal <gtoal () UTPA EDU>
Date: Tue, 10 May 2005 14:51:34 -0500
John wrote:
Greetings All, We are redirecting smtp traffic inbound to some campus mail servers via MX records in our DNS to an anti-spam appliance (Bluecat Meridius) and find some email circumvents the appliance apparently by using DNS IP lookup for host resolution and not using MX records to send mail to mail servers on our campus. The vendor recommends blocking inbound port 25 to the campus mail servers from the internet. I favor this approach. However the mail folks are concerned that some legitimate email may be dropped this way. For those of you who redirect email to an anti-spam device; how are you doing this redirection and how are you dealing with the spammers who circumvent the MX record approach? Before changing MX records I set a route map on a router to redirect smtp traffic to the Meridius but the IP destination headers did not have the Meridius address so the appliance dropped the traffic. We run a public class B and do not do NAT.
This is perfectly valid. No-one should be mailing direct to the A record address when an MX record exists. I have only ever seen spammers do this, at least in the last few years. Historically (and by that I mean 5 - 10 years ago) some broken mailers would send directly to the A record. And of course if there is no MX then that is sort of acceptable.

We also run a class B with no NAT. We tried the same trick of using our firewall (Lightspeed) to redirect all incoming port 25 to our spam appliances, but there's a Lightspeed bug that caused it to never terminate the connection properly and we ended up with multiple re-sends of all emails! Maybe doing the redirect at the Cisco would have been a better plan but we never tried that. Instead we simply changed our MX records as you have done.

Caveats: if you change your internal mailers, you have to change the hard-wired IPs in the spam appliances; and also you obviously have to make sure that your spam appliances are allowed through the firewall block. Not so obviously, you need to have your spam appliances do the third-party relay blocking that previously your real MTAs did. It also helps a lot if the MX hosts are *only* used for incoming mail from off campus, and not as local SMTP hosts for your on-campus clients.

Graham

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
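The two messages above describe the same design: publish MX records that point at the anti-spam appliances, then block tcp/25 from the Internet to the real MTAs so that mail delivered straight to an A record (the circumvention John observed) is dropped, while the appliances themselves stay allowed through. The following is an added example written for this archive page, not code from either poster, Bluecat or EDUCAUSE. It models that policy so the "will legitimate mail be dropped?" question can be answered from connection logs before the block goes live. Every address, host name and the zone fragment are constructed stand-ins from the RFC 5737 documentation ranges; the iptables output assumes the block is enforced on a Linux router in the FORWARD path, which neither poster specifies.

```python
"""Model of the MX-redirect plus port-25 block discussed in the thread.

Added example, not code from the original posts. All addresses, host names
and zone data below are constructed stand-ins (RFC 5737 documentation space).
"""

import ipaddress

# Hypothetical campus block (the posters run a class B; a /24 stands in here),
# the appliances that the MX records now point at, and the internal MTAs that
# still have A records and that spammers deliver to directly.
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")
APPLIANCES = frozenset(ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.11"))
MTAS = frozenset(ipaddress.ip_address(a) for a in ("192.0.2.25", "192.0.2.26"))

# Constructed zone fragment: MX targets are the appliances; the MTAs keep
# A records so on-campus clients and the appliances can still reach them.
ZONE = {
    "MX": {"example.edu": ["mx1.example.edu", "mx2.example.edu"]},
    "A": {
        "mx1.example.edu": "192.0.2.10",
        "mx2.example.edu": "192.0.2.11",
        "mail1.example.edu": "192.0.2.25",
        "mail2.example.edu": "192.0.2.26",
    },
}


def mx_addresses(zone, domain):
    """Addresses a well-behaved sender connects to: the MX targets, resolved
    through their A records."""
    return {ipaddress.ip_address(zone["A"][h]) for h in zone["MX"].get(domain, [])}


def bypasses_mx(zone, domain, dst):
    """True when delivering to `dst` for `domain` ignores the published MX
    records, i.e. the target is an A record that is not an MX host. A domain
    with no MX at all is exempt: there the A record is the implicit MX
    (RFC 5321 section 5.1), which is the case Graham calls acceptable."""
    if not zone["MX"].get(domain):
        return False
    return ipaddress.ip_address(dst) not in mx_addresses(zone, domain)


def smtp_allowed(src, dst):
    """Border-firewall decision for a tcp/25 connection. Only connections
    to the real MTAs are constrained; the appliances (our MX hosts) must
    stay reachable from everywhere, and they alone may relay inward."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst not in MTAS:
        return True          # the MX hosts themselves accept Internet mail
    return src in APPLIANCES  # everything else aimed at an A record is dropped


def dry_run(connections):
    """Given (src, dst) pairs for observed tcp/25 connections, return the
    ones the block would drop, so the mail team can review them for
    legitimate senders before the rules are enabled."""
    return [(s, d) for s, d in connections if not smtp_allowed(s, d)]


def iptables_rules():
    """Render the same policy as iptables commands in evaluation order:
    explicit accepts from each appliance first, then the catch-all drop.
    The appliance addresses are hard-wired here just as they are inside the
    appliances' own delivery configuration, so both change together."""
    rules = []
    for mta in sorted(MTAS):
        for app in sorted(APPLIANCES):
            rules.append(f"iptables -A FORWARD -p tcp -s {app} -d {mta} --dport 25 -j ACCEPT")
        rules.append(f"iptables -A FORWARD -p tcp -d {mta} --dport 25 -j DROP")
    return rules


if __name__ == "__main__":
    # Constructed connection log: one Internet sender to the MX host (fine),
    # one Internet sender straight to an MTA's A record (dropped), and the
    # appliance relaying inward (fine).
    observed = [
        ("198.51.100.7", "192.0.2.10"),
        ("198.51.100.7", "192.0.2.25"),
        ("192.0.2.10", "192.0.2.25"),
    ]
    for pair in dry_run(observed):
        print("would drop:", pair, "bypasses MX:", bypasses_mx(ZONE, "example.edu", pair[1]))
    print("\n".join(iptables_rules()))
```

Run the dry run against a few days of real tcp/25 connection records before enabling the drop; any source that shows up there and is not a known appliance is exactly the traffic the mail team was worried about, and the `bypasses_mx` flag distinguishes a sender that ignored your MX records from one delivering to a domain you never gave an MX.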
Current thread:
- smtp redirection John (May 10)
- <Possible follow-ups>
- Re: smtp redirection Aaron Childs (May 10)
- Re: smtp redirection Flagg, Martin D. (May 10)
- Re: smtp redirection Graham Toal (May 10)
- Re: smtp redirection Graham Toal (May 10)
- Re: smtp redirection Geoff (May 10)
- Re: smtp redirection Valdis Kletnieks (May 10)
- Re: smtp redirection Valdis Kletnieks (May 10)
- Re: smtp redirection Bruce Hudson (May 10)
- Re: smtp redirection Tom Bossie (May 10)
- Re: smtp redirection Flagg, Martin D. (May 10)
- Re: smtp redirection Graham Toal (May 10)
- Re: smtp redirection Paul Russell (May 10)
- Re: smtp redirection Valdis Kletnieks (May 10)
(Thread continues...)