Educause Security Discussion mailing list archives

Re: smtp redirection

From: David Shettler <dshettle () HOLYCROSS EDU>
Date: Tue, 10 May 2005 19:08:55 -0400

Our gateway MTA's are the only port 25 holes in the firewall, the main
mail servers are not open to the internet.  We're using MX records to
redirect to our load balanced postfix MTA's with
spamassassin/uvscan/clamav, which have transports setup to the
user-accessible mail servers.

We took a little time before blocking port 25 after implementing the
MTA's, but not more than a month.  If mail is arriving without using MX
records, something isn't right as far as we're concerned.

David C. Shettler - GCFA
Senior Technical Services Engineer
College of the Holy Cross
508-793-3073

jgarner () SFASU EDU 05/10/05 3:32 PM >>>

Greetings All,



We are redirecting smtp traffic inbound to some campus mail servers via
MX
records in our DNS to an anti-spam appliance (Bluecat Meridius) and find
some email circumvents the appliance apparently by using DNS IP lookup
for
host resolution and not using MX records to send mail to mail servers on
our
campus. The vendor recommends blocking inbound port 25 to the campus
mail
servers from the internet. I favor this approach. However the mail folks
are
concerned that some legitimate email may be dropped this way.



For those of you who redirect email to an anti-spam device; how are you
doing this redirection and how are you dealing with the spammers who
circumvent the MX record approach?



Before changing MX records I set a route map on a router to redirect
smtp
traffic to the Meridius but the IP destination headers did not have the
Meridius address so the appliance dropped the traffic. We run a public
class
B and do not do NAT.



I very much appreciate your solutions, ideas, critiques and war stories.



Cheers,



John Garner

jgarner () sfasu edu

Stephen F. Austin State U


**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.

Current thread:

Re: smtp redirection, (continued)
- Re: smtp redirection Tom Bossie (May 10)
- Re: smtp redirection Flagg, Martin D. (May 10)
- Re: smtp redirection Graham Toal (May 10)
- Re: smtp redirection Paul Russell (May 10)
- Re: smtp redirection Valdis Kletnieks (May 10)
- Re: smtp redirection Mark Borrie (May 10)
- Re: smtp redirection Valdis Kletnieks (May 10)
- Re: smtp redirection John (May 10)
- Re: smtp redirection Les LaCroix (May 10)
- Re: smtp redirection Mark Borrie (May 10)
- Re: smtp redirection David Shettler (May 10)
- Re: smtp redirection Chris Edwards (May 11)
- Re: smtp redirection Michael_Maloney (May 11)