Security Basics mailing list archives
RE: Question about "guaranteed delivery"
From: "Jose Enrique Diaz Jolly" <enrique.diaz () cbbanorte com mx>
Date: Wed, 8 Sep 2004 10:48:41 -0500
Well, I have a network similar to yours and my mail schema is more or less as follows.

Incoming mail

I have two dedicated sendmail boxes acting as MX; they receive all the incoming mail, whether it is addressed to our global domain or to a specific server. These two boxes (Linux) live in the DMZ; they have separate names for MX functions. Any other machine in this network zone has MX records pointing to these MX servers. Once these boxes receive any incoming e-mail they query our Active Directory domain controllers via LDAP to verify whether the mail is addressed to a valid account. If it is not, then it is dropped or returned without having gone further into the network. If the destination address is valid, then the mail is queued to a spam-blocking box (Trend) which delivers mail to Exchange.

Outgoing mail

Once a user sends a mail it goes to Exchange, which uses a smarthost, which is really two boxes capable of routing mail to the internet.

Maybe this approach will help you to clear things up.

--
'Few things are harder to put up with than the annoyance of a good example' -- Mark Twain, "Pudd'nhead Wilson's Calendar"

=======================================================================
José Enrique Díaz Jolly        Phone: +52 (55) 5169-9300 x1222
Casa de Bolsa Banorte          Fax: +52 (55) 5169-9470
Grupo Financiero Banorte       Network: 8555-1222
Periférico Sur 4355            Network fax: 8555-1470
Jardines en la Montaña
México, D. F., 14210           e-mail: enrique.diaz () cbbanorte com mx
=======================================================================
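The inbound step described in the reply above (an edge MX that checks every recipient against the directory before letting the message any further into the network) is shown here as an added example; it is not code from the original post, nor from sendmail, Trend or Exchange. Everything in it is assumed: the in-memory DIRECTORY stands in for the Active Directory objects the MX would search, the attribute names (`mail`, `proxyAddresses` with `smtp:` prefixes) follow the usual AD layout, and the domain list is invented. The example makes the decision at RCPT TO time, so an unknown user is refused with a 5xx in-session rather than accepted and bounced later, and it escapes the recipient string before it is placed in the LDAP filter so that a crafted address cannot alter the query.

```python
"""Edge-MX recipient validation against a directory: added example, not the
post's own configuration. The directory below is a constructed stand-in for
the Active Directory lookup; recipient_filter() builds the filter you would
hand to a real LDAP client (e.g. ldap3) against the domain controllers.
"""
import re

# Constructed stand-in for the AD objects the MX would search. Assumed
# attributes: primary address in `mail`, all addresses in `proxyAddresses`
# as "SMTP:"/"smtp:" values (the AD convention).
DIRECTORY = [
    {"mail": "jdoe@example.com",
     "proxyAddresses": ["SMTP:jdoe@example.com", "smtp:john.doe@example.com"]},
    {"mail": "ops@example.com", "proxyAddresses": ["SMTP:ops@example.com"]},
]

# Domains this MX accepts mail for (assumed). Anything else is a relay
# attempt and is refused before the directory is consulted at all.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}

# Conservative syntax check on the RCPT TO argument (local part up to 64
# chars, domain up to 253) applied before any lookup.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@([A-Za-z0-9.-]{1,253})$")


def ldap_escape(value):
    """RFC 4515 escaping: a RCPT TO string is attacker-controlled, so the
    characters * ( ) \\ and NUL must not reach the filter unencoded."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def recipient_filter(address):
    """LDAP filter matching the address as either primary or proxy SMTP
    address; this is what a production MX would send to the DC."""
    a = ldap_escape(address)
    return "(|(mail=%s)(proxyAddresses=smtp:%s))" % (a, a)


def directory_lookup(address):
    """Stand-in for conn.search(base_dn, recipient_filter(address), ...).
    Compares case-insensitively, as the AD attributes are indexed."""
    wanted = address.lower()
    for entry in DIRECTORY:
        if entry["mail"].lower() == wanted:
            return True
        for proxy in entry["proxyAddresses"]:
            if proxy.lower() == "smtp:" + wanted:
                return True
    return False


def rcpt_to_reply(address):
    """Return the (code, text) SMTP reply for one RCPT TO argument.

    Deciding here, before DATA, means an unknown recipient is rejected in
    the sender's session; accepting first and bouncing afterwards would
    turn the MX into a backscatter source for forged envelope senders.
    """
    m = _ADDR_RE.match(address)
    if not m:
        return 553, "5.1.3 Bad recipient address syntax"
    domain = m.group(1).lower()
    if domain not in LOCAL_DOMAINS:
        return 554, "5.7.1 Relay access denied"
    if not directory_lookup(address):
        return 550, "5.1.1 User unknown"
    return 250, "2.1.5 Recipient OK"


if __name__ == "__main__":
    for rcpt in ("jdoe@example.com", "John.Doe@Example.com",
                 "nobody@example.com", "jdoe@evil.test", "a*)(cn=*"):
        print("RCPT TO:<%s> -> %s %s" % ((rcpt,) + rcpt_to_reply(rcpt)))
    print(recipient_filter("a*)(cn=*"))
```

The order of the checks is deliberate: syntax first, then "is this even our domain" (which needs no directory round trip and stops relay probing cheaply), and only then the LDAP query. The escaping matters even though the syntax check already excludes filter metacharacters; the two are independent controls, and the filter builder stays safe if someone later loosens the regex to admit quoted local parts.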
-----Original Message-----
From: meaculpa [mailto:meaculpa () punkass com]
Sent: Tuesday, September 07, 2004 10:43 AM
To: security-basics () securityfocus com
Subject: Question about "guaranteed delivery"

Hi all,

This will probably be a long story, but please, if you know of a product that could do this, please let me (and the list) know.

Currently we have a three-layered network, separated by firewalls (FW-DMZ-FW-BE-FW-Internal). All networks are also divided into VLANs. In the DMZ we have multiple SMTP servers to send/receive mail from the Internet/other agencies/private networks. ALL messages go to the BE network for decryption and content scanning. When the content is considered safe, the message will be forwarded to other systems in the BE or Internal network and then processed by either scripts, e-mail clients or production processes. For outbound mail we use several Exchange servers that forward the SMTP messages to the content scanning devices.

As you can imagine, the chances of failures are big; they happen, and e-mails and/or data get lost.

I was thinking: it must be possible to place a box in the DMZ that receives ALL inbound SMTP messages, does content scanning/decryption, sends the message to the same kind of box in the BE, checks if the message came through and then delivers the message to the endpoint. Checks such as decryption/content scanning can be offloaded to other boxes if needed. I know there are proxy servers out there (Blue Coat amongst others) that can do this with HTTP, and the content scanning gets offloaded to other boxes via some sort of plugin solution.

What we need, in short, is some sort of black box/software solution/method to receive e-mail and be able to guarantee the delivery to our own boxes on the DMZ, BE and Internal networks. For outbound messages we need to be able to guarantee that the outbound message got sent away. Whether it reaches its endpoint is of no real concern since that could be solved with S/MIME (I think).
Of course we need to be able to know which messages did not get delivered, why if possible, and some sort of method to reprocess the message or do some sort of manual delivery.

Thank you for any and all answers.

Mea

---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse so that it never happens again. http://www.infosecinstitute.com/courses/computer_forensics_training.html
---------------------------------------------------------------------------
Current thread:
- Question about "guaranteed delivery" meaculpa (Sep 07)
- <Possible follow-ups>
- RE: Question about "guaranteed delivery" Jose Enrique Diaz Jolly (Sep 08)
- RE: Question about "guaranteed delivery" Michael Bellears (Sep 09)