Educause Security Discussion mailing list archives
Re: smtp redirection
From: Bruce Hudson <Bruce.Hudson () DAL CA>
Date: Tue, 10 May 2005 17:03:55 -0300
We are redirecting smtp traffic inbound to some campus mail servers via MX records in our DNS to an anti-spam appliance (Bluecat Meridius) and find some email circumvents the appliance, apparently by using DNS IP lookup for host resolution and not using MX records to send mail to mail servers on our campus. The vendor recommends blocking inbound port 25 to the campus mail servers from the internet. I favor this approach. However, the mail folks are concerned that some legitimate email may be dropped this way. For those of you who redirect email to an anti-spam device, how are you doing this redirection and how are you dealing with the spammers who circumvent the MX record approach?
I would say that for a central anti-spam system to work, an access list that forces mail through it is absolutely required. Voluntary MX records will fail because spammers just do not play by the rules.

We used to add A records for our mail domains for years to take care of the odd broken mailer that did not understand MX records. We stopped 6-7 years ago and I have not heard of any major problems. By definition, any mail that ignores an MX for delivery is not legitimate. You can only support broken software so far.

For client mail that needs access to the internal servers we offer a submission service that requires authentication on port 587 and a VPN that will bring the client systems into the internal network.

--
Bruce A. Hudson | Bruce.Hudson () Dal CA
UCIS, Networks and Systems |
Dalhousie University |
Halifax, Nova Scotia, Canada | (902) 494-3405
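
An added example, not part of the original post or thread: before enforcing the access list discussed above, flow or firewall records can be checked for internet hosts that deliver straight to the campus mail servers on port 25 instead of following the MX record to the appliance. The addresses, the record format and the function names are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed addresses (RFC 5737 documentation ranges); all are assumptions.
APPLIANCE = ipaddress.ip_address("192.0.2.10")   # host the MX records point to
MAIL_SERVERS = {ipaddress.ip_address(a) for a in ("192.0.2.25", "192.0.2.26")}
CAMPUS = ipaddress.ip_network("192.0.2.0/24")

SAMPLE_FLOWS = """\
198.51.100.7 192.0.2.10 25
203.0.113.44 192.0.2.25 25
203.0.113.44 192.0.2.25 25
192.0.2.10 192.0.2.25 25
198.51.100.9 192.0.2.26 587
203.0.113.80 192.0.2.26 25
192.0.2.77 192.0.2.25 25
not a flow record
"""

def classify(src, dst, dport):
    """Label one flow relative to the 'force mail through the appliance' policy."""
    if dst == APPLIANCE and dport == 25:
        return "via-mx"        # sender followed the MX record
    if dst not in MAIL_SERVERS or dport not in (25, 587):
        return "other"
    if dport == 587:
        return "submission"    # authenticated client submission stays reachable
    if src == APPLIANCE:
        return "relay"         # appliance handing filtered mail to the real server
    if src in CAMPUS:
        return "internal"      # on-campus or VPN client, inside the access list
    return "bypass"            # internet host that ignored the MX record

def bypass_sources(text):
    """Count bypass flows per source; each line is 'src dst dport' (constructed format)."""
    hits = Counter()
    for line in text.splitlines():
        parts = line.split()
        try:
            src, dst = (ipaddress.ip_address(p) for p in parts[:2])
            dport = int(parts[2])
        except (ValueError, IndexError):
            continue           # skip malformed or truncated records
        if classify(src, dst, dport) == "bypass":
            hits[str(src)] += 1
    return hits

if __name__ == "__main__":
    print(dict(bypass_sources(SAMPLE_FLOWS)))
```

The sources it reports are the ones an inbound port 25 block would cut off, which gives the mail administrators a concrete list to review for senders they consider legitimate.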