Educause Security Discussion mailing list archives

Re: smtp redirection


From: John <jgarner () SFASU EDU>
Date: Tue, 10 May 2005 16:18:56 -0500

I am very pleased to hear of the success when redirecting ALL email through
the mailhub. I like the idea. My question now is how best to do this. My
preferred way is to simply disallow incoming smtp to any other host by a
router acl or a firewall rule. Is this the method you use? Is there another
way to accomplish routing ALL incoming smtp to the mailhub/anti-spam
appliance?

John

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Borrie
Sent: Tuesday, May 10, 2005 3:59 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] smtp redirection


We have strictly managed our smtp traffic for nearly 5 years. All
incoming AND outgoing smtp traffic must pass through our mailhubs.
This is achieved by using MX records that point to the mailhubs which
then pass the mail onto the correct host.

Our DNS service is the same on each side of our firewall so this
means that internal email also potentially passes through the
mailhubs. That hasn't caused any problems and in fact has helped
clean up virus outbreaks on campus.

With our config we have been able to manage spam, viruses, open
relays, malicious attachments and avoid our systems being used as
spamming botnets.

The hardest part was to get buy in from some sys admins. Initially we
made all mail servers register and permitted those systems to
continue to receive and send smtp directly. When these admins saw
the advantages of the mailhubs they joined in. After 6 months or so
we made it compulsory to use the mailhubs and haven't looked back.

Having only a small number of systems that can receive smtp traffic
has helped keep our mail systems pretty clean. On one occasion
during an email virus outbreak I simply stopped accepting incoming
email for an hour or so on the mailhubs while we waited on new virus
signatures. This let us clean up without worrying about more viruses
getting in the way.

Mark.

On 10 May 2005 at 14:32, John wrote:


Greetings All,

We are redirecting smtp traffic inbound to some campus mail servers via MX
records in our DNS to an anti-spam appliance (Bluecat Meridius) and find some
email circumvents the appliance apparently by using DNS IP lookup for host
resolution and not using MX records to send mail to mail servers on our
campus. The vendor recommends blocking inbound port 25 to the campus mail
servers from the internet. I favor this approach. However, the mail folks are
concerned that some legitimate email may be dropped this way.

For those of you who redirect email to an anti-spam device: how are you
doing this redirection and how are you dealing with the spammers who
circumvent the MX record approach?

Before changing MX records I set a route map on a router to redirect smtp
traffic to the Meridius but the IP destination headers did not have the
Meridius address so the appliance dropped the traffic. We run a public class
B and do not do NAT.

I very much appreciate your solutions, ideas, critiques and war stories.

Cheers,

John Garner
jgarner () sfasu edu
Stephen F. Austin State U

********** Participation and subscription information for this EDUCAUSE
Discussion Group
discussion list can be found at http://www.educause.edu/groups/.

--
Mark Borrie
IT Security Officer,
Information Technology Services, University of Otago,
Dunedin, N.Z.
Ph +64 3 479-8395, Fax +64 3 479-5080, Mobile +64 27 609-6409

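A small audit helper, added here as an example and not part of the thread or of any product mentioned in it, that checks both halves of the approach discussed above: that every MX record in a zone points at a mailhub, and that the border firewall (or router ACL) admits inbound tcp/25 only to those mailhubs, so a sender that resolves a host's A record instead of the MX still cannot reach anything but the hub. The zone data, mailhub addresses, firewall rules and hostnames are all constructed (RFC 5737 documentation addresses under a hypothetical example.edu); the deliberately over-broad /24 rule is shown beside the corrected rule set, and generate_acl() emits a Cisco IOS-style ACL fragment of the kind John asks about.

```python
"""Audit helper: is inbound SMTP confined to the mailhubs?

Added example, not code from the list thread. It models the DNS zone and the
border firewall as small in-memory structures, all constructed here; a real
deployment would load them from zone files and router/firewall configs.
"""
import ipaddress

# Constructed sample zone (RFC 5737 documentation addresses, hypothetical names).
ZONE_A = {
    "mailhub1.example.edu": "192.0.2.10",
    "mailhub2.example.edu": "192.0.2.11",
    "mail.cs.example.edu": "192.0.2.50",   # departmental server not behind the hubs
    "oldmail.example.edu": "192.0.2.60",   # forgotten host still listening on 25
}
ZONE_MX = {
    "example.edu": [(10, "mailhub1.example.edu"), (20, "mailhub2.example.edu")],
    "cs.example.edu": [(10, "mail.cs.example.edu")],   # MX bypasses the hubs
}
MAILHUBS = {"192.0.2.10", "192.0.2.11"}

# Constructed border rules: (action, proto, destination CIDR, destination port).
# The /24 allow is the weak setting: it lets a sender that looks up a host's
# A record deliver straight to it, which is exactly how the appliance is bypassed.
FIREWALL_WEAK = [
    ("allow", "tcp", "192.0.2.10/32", 25),
    ("allow", "tcp", "192.0.2.11/32", 25),
    ("allow", "tcp", "192.0.2.0/24", 25),
    ("deny", "tcp", "0.0.0.0/0", 25),
]
# Corrected rules: only the hubs may receive inbound tcp/25.
FIREWALL_FIXED = [r for r in FIREWALL_WEAK if r[2] != "192.0.2.0/24"]


def mx_violations(zone_mx, zone_a, mailhubs):
    """Domains whose MX targets resolve to something other than a mailhub."""
    bad = []
    for domain, records in zone_mx.items():
        for _pref, target in sorted(records):
            ip = zone_a.get(target)
            if ip not in mailhubs:
                bad.append((domain, target, ip))
    return bad


def first_match(rules, proto, dst_ip, dport):
    """First-match evaluation, as router ACLs and most firewalls do it."""
    addr = ipaddress.ip_address(dst_ip)
    for action, rproto, cidr, rport in rules:
        if rproto == proto and rport == dport and addr in ipaddress.ip_network(cidr):
            return action
    return "deny"   # implicit deny at the end of the list


def smtp_exposed_hosts(rules, zone_a, mailhubs):
    """Non-mailhub hosts that the rules still let the Internet reach on tcp/25."""
    return sorted(
        (name, ip) for name, ip in zone_a.items()
        if ip not in mailhubs and first_match(rules, "tcp", ip, 25) == "allow")


def generate_acl(mailhubs, acl_name="SMTP-IN"):
    """Cisco IOS-style extended ACL permitting tcp/25 only to the mailhubs.

    The trailing 'permit ip any any' stands in for whatever other inbound policy
    the site already has; only the SMTP lines are the point here.
    """
    lines = [f"ip access-list extended {acl_name}"]
    for ip in sorted(mailhubs, key=ipaddress.ip_address):
        lines.append(f" permit tcp any host {ip} eq 25")
    lines.append(" deny tcp any any eq 25")
    lines.append(" permit ip any any")
    return "\n".join(lines)


if __name__ == "__main__":
    print("MX records not pointing at a mailhub:", mx_violations(ZONE_MX, ZONE_A, MAILHUBS))
    print("Reachable on tcp/25 with weak rules:", smtp_exposed_hosts(FIREWALL_WEAK, ZONE_A, MAILHUBS))
    print("Reachable on tcp/25 with fixed rules:", smtp_exposed_hosts(FIREWALL_FIXED, ZONE_A, MAILHUBS))
    print(generate_acl(MAILHUBS))
```

Run as a script it lists the MX records that skip the hubs and the hosts the Internet can still reach on port 25 under each rule set. That second list is the one to reconcile with the mail team's worry about dropped mail: every host on it either becomes a registered mailhub, gets its MX repointed and its port closed, or is knowingly left open, and the ACL printed at the end is what enforces the decision once the list is empty.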