Security Basics mailing list archives

RE: Question about "guaranteed delivery"


From: "Jose Enrique Diaz Jolly" <enrique.diaz () cbbanorte com mx>
Date: Wed, 8 Sep 2004 10:48:41 -0500

Well, I have a network similar to yours and my mail schema is more or less as follows.

Incoming mail
I have two dedicated sendmail boxes acting as MX; they receive all the incoming mail, whether it is addressed to our 
global domain or to a specific server. These two boxes (Linux) live in the DMZ; they have separate names for MX 
functions. Any other machine in this network zone has MX records pointing to these MX servers. Once these boxes 
receive any incoming e-mail they query our Active Directory domain controllers via LDAP to verify if the mail is 
addressed to a valid account. If it is not, then it is dropped or returned without having gone further in the network. 
If the destination address is valid, then the mail is queued to a spam blocking box (Trend) which delivers mail to 
Exchange.

Outgoing mail
Once a user sends a mail it goes to Exchange, which uses a smarthost, which is really two boxes capable of routing mail to 
the internet.

Maybe this approach may help you to clear out 

-- 

 'Few things are harder to put up with than the annoyance of a good example'
                -- Mark Twain, "Pudd'nhead Wilson's Calendar"

=======================================================================
José Enrique Díaz Jolly         Teléfono: +52 (55) 5169-9300 x1222
Casa de Bolsa Banorte                Fax: +52 (55) 5169-9470
Grupo Financiero Banorte             Red: 8555-1222
Periférico Sur 4355              Fax Red: 8555-1470
Jardines en la Montaña             
México, D. F., 14210              e-mail: enrique.diaz () cbbanorte com mx
=======================================================================
  

-----Original Message-----
From: meaculpa [mailto:meaculpa () punkass com] 
Sent: Tuesday, September 07, 2004 10:43 AM
To: security-basics () securityfocus com
Subject: Question about "guaranteed delivery"

Hi all,

probably will be a long story, but pls, if you know of a 
product that could do this, pls let me (and the list) know.

Currently we have a three-layered network, separated by 
firewalls (FW-DMZ-FW-BE-FW-Internal). All networks are also 
divided in VLANs. In the DMZ we have multiple SMTP servers 
(to send/receive mail from the Internet/Other agencies/Private 
networks). ALL messages go to the BE network for decryption 
and content scanning. When content is considered safe, the 
message will be forwarded to other systems in the BE of 
Internal network and then processed by either scripts, e-mail 
clients or production processes.
For outbound mail we use several Exchange servers that 
forward the SMTP messages to the content scanning devices. As 
you can imagine chances of failures are big, they happen and 
e-mails and/or data gets lost.

I was thinking. It must be possible to place a box in the DMZ 
that receives ALL SMTP messages inbound, does content 
scanning/decryption, sends the message to the same kind of 
box in the BE, checks if the message came through and then 
delivers the message to the endpoint. The checks as 
decryption/content scanning can be offloaded to other boxes 
if needed. I know there are proxy servers out there (Blue Coat 
amongst others) that can do this with HTTP and the content 
scanning gets offloaded to other boxes via some sort of 
plugin solution.

What we need in short is some sort of black box/software 
solution/method to receive e-mail and be able to guarantee 
the delivery to our own boxes on the DMZ, BE and Internal 
networks. For outbound messages we need to be able to 
guarantee that the outbound message got sent away. Whether it 
reaches its endpoint is of no real concern since that could 
be solved with S/MIME (I think). Of course we need to be able 
to know what messages did not get delivered, why if possible 
and some sort of method to reprocess the message or do some 
sort of manual delivery.

Thank you for any and all answers.

Mea
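
Added example, not part of either message: a small Python model of the two ideas in this thread, namely refusing unknown recipients at the edge MX (the directory check in the reply) and releasing a hop's spool copy only once the next hop acknowledges, so that undelivered mail can be listed and reprocessed (the requirement in the question). The hop names, addresses and the in-memory directory are constructed for illustration; a real gateway would query LDAP and speak SMTP.

```python
from dataclasses import dataclass, field

# Constructed sample data: directory contents and hop names are assumptions.
VALID_RECIPIENTS = {"alice@example.org", "bob@example.org"}
HOPS = ["dmz-mx", "be-scanner", "internal-mailstore"]

@dataclass
class Message:
    msg_id: str
    rcpt: str
    hop: int = 0                  # index of the hop currently holding the spool copy
    state: str = "queued"         # queued | delivered | rejected | deferred
    history: list = field(default_factory=list)

def relay(msg, hop_up):
    """Advance msg hop by hop; hop_up(name) -> bool models the next hop's 250 ack."""
    if msg.state in ("delivered", "rejected"):
        return msg.state
    if msg.hop == 0 and msg.rcpt.lower() not in VALID_RECIPIENTS:
        msg.state = "rejected"    # refused at the edge, like a 550 at RCPT time
        msg.history.append("dmz-mx: 550 unknown recipient")
        return msg.state
    while msg.hop < len(HOPS) - 1:
        nxt = HOPS[msg.hop + 1]
        if not hop_up(nxt):       # no ack: current hop keeps its copy, nothing is lost
            msg.state = "deferred"
            msg.history.append(f"{HOPS[msg.hop]}: no ack from {nxt}, kept in spool")
            return msg.state
        msg.history.append(f"{HOPS[msg.hop]}: {nxt} acked, spool copy released")
        msg.hop += 1
    msg.state = "delivered"
    return msg.state

def undelivered(ledger):          # what an operator must reprocess, and why
    return {m.msg_id: m.history[-1] for m in ledger if m.state == "deferred"}

def demo():
    ledger = [Message("m1", "alice@example.org"),
              Message("m2", "nobody@example.org"), Message("m3", "bob@example.org")]
    down = {"internal-mailstore"}                 # simulated outage of the last hop
    for m in ledger:
        relay(m, lambda hop: hop not in down)
    first_pass = {m.msg_id: m.state for m in ledger}
    pending = undelivered(ledger)
    down.clear()                                  # outage fixed; reprocess deferred mail
    for m in ledger:
        relay(m, lambda hop: True)
    return first_pass, pending, {m.msg_id: m.state for m in ledger}

if __name__ == "__main__": print(demo())
```

Because a deferred message resumes from the hop that still holds it, reprocessing does not repeat the earlier hops or the recipient check.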

