Re: Cisco PIX Version 6.3(3) SMTP Problem

[Gregory Hicks <ghicks () cadence com>]

> From: "Paul D. Robertson" <paul () compuwar net>
> To: "David M. Nicksic" <dnicksic () mossbaygroup com>
> Cc: firewall-wizards () honor icsalabs com
> Subject: Re: [fw-wiz] Cisco PIX Version 6.3(3) SMTP Problem
> Date: Wed, 6 Jul 2005 08:51:15 -0400 (EDT)
>
> On Tue, 5 Jul 2005, David M. Nicksic wrote:
>
> > I am using a PIX 520 v 6.3.3 and having a spam problem. A spam service
> > Postini is employed. I want to deny all SMTP traffic unless it comes 
from
> > one of the Postini servers. Can the PIX be configured to accomplish 
this?
> >
> [...snip...]
>
> Note that Postini rejects mail if your server isn't reachable by it-

Paul/David:

The above statement is not 100% true.

Postini spools mail if the server is not reachable - up to a limit.
THEN it starts refusing connections - which is not the same as
"rejecting" because the mail is still spooled on the sender's machine.
It is possible to configure Postini to page, notify, whatever you
during the period of time the server is unreachable.

When the server(s) come back online, Postini can automatically deliver
the "spooled" mail at a rate less than "normal" or wait for admin
intervention before starting mail delivery again.  (Personally, I opted
for "notification" and "automatic unspooling"...)

I would think it advisable to have multiple mail servers configured
that do the receiving though just as you would have multiple DNS
servers...  And for the same reason: availability...

> it's not all that resilient if you're under attack or having server
> issues[1].  Personally, I'd rather run Mailscanner on a Postfix instance
> than
> outsource something as critical as e-mail.

For a home or SMALL business, I'd rather run my own mail scanner as
well.  For a medium to large business, I'd almost rather outsource the
spam suppression.

Regards,
Gregory Hicks

[Disclaimer - just a Postini customer...]

> Paul
> [1] Theoretically most things will retry, but you may want to test
> critical pager/cell/alert stuff to make sure it won't just give up if
> you're under conditions where contacting you becomes important.
----------------------------------------------------------------------------
-
> Paul D. Robertson      "My statements in this message are personal 
opinions
> paul () compuwar net       which may have no basis whatsoever in fact."
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

---------------------------------------------------------------------
Gregory Hicks                           | Principal Systems Engineer
Cadence Design Systems                  | Direct:   408.576.3609
555 River Oaks Pkwy M/S 6B1             | Fax:      408.894.3479
San Jose, CA 95134                      | Internet: ghicks () cadence com

I am perfectly capable of learning from my mistakes.  I will surely
learn a great deal today.

"A democracy is a sheep and two wolves deciding on what to have for
lunch.  Freedom is a well armed sheep contesting the results of the
decision." - Benjamin Franklin

"The best we can hope for concerning the people at large is that they
be properly armed." --Alexander Hamilton

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards