Educause Security Discussion mailing list archives

Re: smtp redirection


From: Graham Toal <gtoal () UTPA EDU>
Date: Tue, 10 May 2005 14:51:34 -0500

John wrote:

Greetings All,

We are redirecting smtp traffic inbound to some campus mail servers
via MX records in our DNS to an anti-spam appliance (Bluecat Meridius)
and find some email circumvents the appliance apparently by using DNS
IP lookup for host resolution and not using MX records to send mail to
mail servers on our campus. The vendor recommends blocking inbound
port 25 to the campus mail servers from the internet. I favor this
approach. However the mail folks are concerned that some legitimate
email may be dropped this way.

For those of you who redirect email to an anti-spam device; how are
you doing this redirection and how are you dealing with the spammers
who circumvent the MX record approach?

Before changing MX records I set a route map on a router to redirect
smtp traffic to the Meridius but the IP destination headers did not
have the Meridius address so the appliance dropped the traffic. We run
a public class B and do not do NAT.

This is perfectly valid.  No-one should be mailing direct to the
A record address when an MX record exists.  I have only ever
seen spammers do this, at least in the last few years.  Historically
(and by that I mean 5 - 10 years ago) some broken mailers would
send directly to the A record.  And of course if there is no MX
then that is sort of acceptable.

We also run a class B with no NAT.  We tried the same trick of
using our firewall (Lightspeed) to redirect all incoming port 25 to
our spam appliances, but there's a lightspeed bug that caused it to
never terminate the connection properly and we ended up with
multiple re-sends of all emails!  Maybe doing the redirect at the
Cisco would have been a better plan but we never tried that.
Instead we simply changed our MX records as you have done.

Caveats: if you change your internal mailers, you have to change
the hard-wired IPs in the spam appliances; and also you obviously
have to make sure that your spam appliances are allowed through
the firewall block.  Not so obviously, you need to have your spam
appliances do the third-party relay blocking that previously your
real MTAs did.

It also helps a lot if the MX hosts are *only* used for incoming
mail from off campus, and not as local SMTP hosts for your
on-campus clients.

Graham
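The two controls discussed in this thread (spotting off-campus senders that deliver straight to a mail server's A record instead of the MX hosts, and the port-25 block that lets only the anti-spam appliances reach the real MTAs) can be checked mechanically. The following is an added example written for this archive page, not code from either poster or from the Meridius or Lightspeed products. It uses constructed DNS data (example.edu, hosts named mail1/antispam1 and so on, and the 192.0.2.0/24 documentation range standing in for a public class B), constructed connection-log lines in a made-up format, and emits its port-25 rules in a generic permit/deny notation rather than any particular firewall's syntax.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed DNS data for a hypothetical campus; example.edu and the
# 192.0.2.0/24 documentation range stand in for a real domain and public /16.
DNS_A = {
    "mail1.example.edu": "192.0.2.10",      # real MTAs sitting behind the appliances
    "mail2.example.edu": "192.0.2.11",
    "antispam1.example.edu": "192.0.2.25",  # anti-spam appliances (the MX targets)
    "antispam2.example.edu": "192.0.2.26",
}
DNS_MX = {"example.edu": [(10, "antispam1.example.edu"),
                          (20, "antispam2.example.edu")]}
INTERNAL_MTAS = {"mail1.example.edu", "mail2.example.edu"}
CAMPUS_NET = ip_network("192.0.2.0/24")


def mx_addresses(domain):
    """IPs a correctly behaving sender reaches via MX, lowest preference first."""
    return [ip_address(DNS_A[host]) for _, host in sorted(DNS_MX.get(domain, []))]


def classify_smtp_connection(src_ip, dst_ip, domain):
    """Label one TCP/25 connection as 'internal', 'mx', 'bypass' or 'other'."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    if src in CAMPUS_NET:
        return "internal"      # on-campus clients are not subject to the MX rule
    if dst in mx_addresses(domain):
        return "mx"            # arrived through the appliances as intended
    if dst in {ip_address(DNS_A[h]) for h in INTERNAL_MTAS}:
        return "bypass"        # off-campus sender hit the A record directly
    return "other"


# Constructed log format: "<timestamp> TCP <src>:<port> -> <dst>:25 ..."
LOG_RE = re.compile(r"(\S+) TCP (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):25\b")


def find_mx_bypasses(log_lines, domain):
    """Return (timestamp, src, dst) for each off-campus connection that skipped the MX hosts."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue           # not a port-25 connection record
        ts, src, dst = m.groups()
        if classify_smtp_connection(src, dst, domain) == "bypass":
            hits.append((ts, src, dst))
    return hits


def port25_policy(domain):
    """Ordered inbound TCP/25 rules: anyone may reach the MX hosts, only the MX
    hosts may reach the real MTAs, and all other port-25 traffic into campus is
    denied. Generic (action, src, dst) tuples, not a vendor's ACL syntax."""
    rules = [("permit", "any", str(mx)) for mx in mx_addresses(domain)]
    for mta in sorted(INTERNAL_MTAS):
        for mx in mx_addresses(domain):
            rules.append(("permit", str(mx), DNS_A[mta]))
    rules.append(("deny", "any", str(CAMPUS_NET)))
    return rules


# Constructed connection log; only the third line is a direct-to-A-record delivery.
SAMPLE_LOG = [
    "2005-05-10T14:51:34 TCP 203.0.113.5:4431 -> 192.0.2.25:25 SYN",
    "2005-05-10T14:52:01 TCP 192.0.2.50:51000 -> 192.0.2.10:25 SYN",
    "2005-05-10T14:52:17 TCP 198.51.100.77:2222 -> 192.0.2.10:25 SYN",
    "2005-05-10T14:53:00 TCP 198.51.100.77:2223 -> 192.0.2.10:80 SYN",
]

if __name__ == "__main__":
    for ts, src, dst in find_mx_bypasses(SAMPLE_LOG, "example.edu"):
        print(f"{ts} MX bypass: {src} -> {dst}")
    for action, src, dst in port25_policy("example.edu"):
        print(f"{action:6} tcp {src} -> {dst} port 25")
```

Running the block over the sample log flags only the 198.51.100.77 connection, since the first line went to an MX host and the second came from an on-campus client. The policy it prints is the ordering Graham's caveats imply: the appliance addresses are hard-wired into the permit rules, so a renumbered internal MTA or appliance must be reflected here, and the final deny is what stops the A-record deliveries; the third-party relay check has to move onto the appliances themselves, which this example does not model.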


**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.