Educause Security Discussion mailing list archives
Re: smtp redirection
From: Mark Borrie <mark.borrie () OTAGO AC NZ>
Date: Wed, 11 May 2005 08:59:05 +1200
We have strictly managed our smtp traffic for nearly 5 years. All incoming AND outgoing smtp traffic must pass through our mailhubs. This is achieved by using MX records that point to the mailhubs which then pass the mail onto the correct host. Our DNS service is the same on each side of our firewall so this means that internal email also potentially passes through the mailhubs. That hasn't caused any problems and in fact has helped clean up virus outbreaks on campus.

With our config we have been able to manage spam, viruses, open relays, malicious attachments and avoid our systems being used as spamming botnets.

The hardest part was to get buy-in from some sys admins. Initially we made all mail servers register and permitted those systems to continue to receive and send smtp directly. When these admins saw the advantages of the mailhubs they joined in. After 6 months or so we made it compulsory to use the mailhubs and haven't looked back.

Having only a small number of systems that can receive smtp traffic has helped keep our mail systems pretty clean. On one occasion during an email virus outbreak I simply stopped accepting incoming email for an hour or so on the mailhubs while we waited on new virus signatures. This let us clean up without worrying about more viruses getting in the way.

Mark.

On 10 May 2005 at 14:32, John wrote:
Greetings All,

We are redirecting smtp traffic inbound to some campus mail servers via MX records in our DNS to an anti-spam appliance (Bluecat Meridius) and find some email circumvents the appliance apparently by using DNS IP lookup for host resolution and not using MX records to send mail to mail servers on our campus.

The vendor recommends blocking inbound port 25 to the campus mail servers from the internet. I favor this approach. However the mail folks are concerned that some legitimate email may be dropped this way.

For those of you who redirect email to an anti-spam device, how are you doing this redirection and how are you dealing with the spammers who circumvent the MX record approach?

Before changing MX records I set a route map on a router to redirect smtp traffic to the Meridius but the IP destination headers did not have the Meridius address so the appliance dropped the traffic. We run a public class B and do not do NAT.

I very much appreciate your solutions, ideas, critiques and war stories.

Cheers,
John Garner
jgarner () sfasu edu
Stephen F. Austin State U

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
--
Mark Borrie
IT Security Officer, Information Technology Services,
University of Otago, Dunedin, N.Z.
Ph +64 3 479-8395, Fax +64 3 479-5080, Mobile +64 27 609-6409
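The bypass John describes (senders resolving a host's address directly instead of following the MX records) and the policy Mark describes (only the mailhubs send or receive smtp across the border) can both be checked from border flow records. The following is an added example, not part of either post; the address ranges, the mailhub addresses and the three-field record format are constructed assumptions.

```python
import ipaddress

# Constructed values: documentation address ranges stand in for the campus
# network and for the mailhubs that the MX records point to.
CAMPUS = ipaddress.ip_network("198.51.100.0/24")
MAILHUBS = {ipaddress.ip_address("198.51.100.10"),
            ipaddress.ip_address("198.51.100.11")}

# Constructed border flow records: "src dst dst_port"
SAMPLE_FLOWS = """\
203.0.113.5 198.51.100.10 25
203.0.113.9 198.51.100.77 25
198.51.100.77 203.0.113.40 25
198.51.100.11 203.0.113.40 25
198.51.100.23 198.51.100.10 25
203.0.113.9 198.51.100.77 443
192.0.2.200 198.51.100.130 25
""".splitlines()


def audit_smtp_flows(flows, campus=CAMPUS, mailhubs=MAILHUBS):
    """Return (kind, src, dst) for each SMTP flow that bypasses the mailhubs."""
    findings = []
    for line in flows:
        parts = line.split()
        if len(parts) != 3 or parts[2] != "25":
            continue  # malformed record or not SMTP
        try:
            src, dst = (ipaddress.ip_address(p) for p in parts[:2])
        except ValueError:
            continue  # unparseable address
        src_in, dst_in = src in campus, dst in campus
        if not src_in and dst_in and dst not in mailhubs:
            # Sender used the host's address record instead of the MX record.
            findings.append(("inbound-bypass", str(src), str(dst)))
        elif src_in and not dst_in and src not in mailhubs:
            # Campus host sending mail straight to the internet.
            findings.append(("outbound-direct", str(src), str(dst)))
    return findings


if __name__ == "__main__":
    for kind, src, dst in audit_smtp_flows(SAMPLE_FLOWS):
        print(f"{kind:16} {src} -> {dst}")
```

Running this over a few days of records before blocking port 25 shows which campus hosts still receive or send mail directly, which is the list the mail administrators would need in order to judge what a block would drop.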