Solved

Mail not routing to SCM 3100

Posted on 2008-10-01
Last Modified: 2013-12-09
Anyone know anything about using the McAfee SCM3100, or more specifically, how to get mail to actually go to it?  

I've got two backend exchange servers and a front end exchange server (all Exchange 2003).  I've got an SCM3100 set up in explicit proxy mode.  In external DNS, the SCM3100 is priority 10 (the MX record, I mean), the FE exchange server is priority 20, the BE exchange server priorities are 30 and 40 respectively.

The SCM is filtering email, but not much is getting to it.  It's online and some email is going right to it, but thousands of other spam mails are getting right through without being filtered, and they fit content / spam rules that should be blocked.  I think these emails are, for whatever reason, going straight to the FE exchange server, bypassing the SCM appliance even though it's the highest priority MX record.  I must be doing something wrong in DNS; when I remove the MX record for the backend exchange servers, they can't send email, so I have to leave them up there.

Any ideas on what I'm doing wrong?  
Question by:Texas_Billy
9 Comments

Accepted Solution

by: deroyer (earned 63 total points)
ID: 22614721
It sounds like you have a misconfiguration somewhere...  I will try and go through it step by step with you here...

Q1. Anyone know anything about using the McAfee SCM3100, or more specifically, how to get mail to actually go to it?  I've got two backend exchange servers and a front end exchange server (all Exchange 2003).  I've got an SCM3100 set up in explicit proxy mode.  In external DNS, the SCM3100 is priority 10 (the MX record, I mean), the FE exchange server is priority 20, the BE exchange server priorities are 30 and 40 respectively.

A1. I am not familiar with SCM per se, but I am very familiar with mail routing through several different spam appliances, etc.  First of all, on your external DNS and firewall...  What does your internal MX record point to?  It sounds like they are pointing to both Exchange and the SCM right now.  The priorities play a major role right now, as even if the MX record pointing to Exchange is higher than the one pointing to the SCM, the load is always higher on a spam filter because the scan has a load, and thus the higher priority is likely getting used as the load increases.

Q2. The SCM is filtering email, but not much is getting to it.  It's online and some email is going right to it, but thousands of other spam mails are getting right through without being filtered, and they fit content / spam rules that should be blocked.  I think these emails are, for whatever reason, going straight to the FE exchange server, bypassing the SCM appliance even though it's the highest priority MX record.  I must be doing something wrong in DNS; when I remove the MX record for the backend exchange servers, they can't send email, so I have to leave them up there.

A2.  The same rule of thumb applies here as to why the MX might not be working...  As far as MX records go, they are ONLY used for incoming mail routing.  In other words, when someone sends a message to your domain, the MX record points to the mail server and has no effect on whether you can send outbound email, so removing them is not what is making your outbound email fail.

So here is what I would check...
Network routing:
1. Double check if the NAT is set up correctly in the firewall so that the public IP address points to the correct private IP address...  Also, is port 25 open inbound/outbound to the SCM server...

Next:
1. Point the external DNS MX record to the SCM appliance... (keep in mind any changes could take some time to replicate)
2. Make sure SMTP is allowing connections from your firewall on port 25...
3. In SCM it will need a smart host or route to know where to deliver the email.  (Not sure where that is done on this product)
4. Make sure that the Exchange virtual SMTP server can accept messages from the SCM server.

For outbound you have several options...
1. You can route all mail out through DNS directly, or smarthost it outbound back through the SCM if it allows the option.
2. Directly through DNS is a fine option if you are not a domain that bulk mails its customers and you have your external DNS configured with a reverse lookup record.

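The checks in the accepted answer (which MX hosts are advertised, and whether each of them answers on port 25 from the outside) can be scripted so the result is a list rather than a guess. The following is an added example, not code from this thread or from McAfee. It assumes hypothetical host names, takes the MX list in the form `dig +short MX example.com` prints it, and accepts an injectable probe function so the logic can be exercised without network access; run it from a host outside the firewall to get a real answer.

```python
"""Find MX hosts that accept SMTP directly, bypassing the filtering gateway.

Added example, not from the original thread. Host names are assumptions.
Run it from a host outside the firewall; tcp_open does a plain TCP connect.
"""
import socket
from typing import Callable, Iterable

Prober = Callable[[str, int], bool]


def tcp_open(host: str, port: int = 25, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_dig_mx(text: str) -> list[tuple[int, str]]:
    """Parse lines like '10 scm.example.com.' (output of dig +short MX)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        records.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return records


def audit_mx(records: Iterable[tuple[int, str]], gateway: str,
             probe: Prober = tcp_open, port: int = 25) -> dict:
    """Report MX hosts other than the gateway that accept inbound SMTP.

    Sending MTAs try the lowest preference value first, but any advertised
    MX that answers on port 25 is a valid delivery path, so every host is
    probed, not just the primary.
    """
    records = sorted(records)
    gateway = gateway.lower()
    report = {
        "primary_is_gateway": bool(records) and records[0][1] == gateway,
        "gateway_reachable": probe(gateway, port),
        "other_mx": [],
        "bypass_hosts": [],
    }
    for _pref, host in records:
        if host == gateway:
            continue
        report["other_mx"].append(host)
        if probe(host, port):
            report["bypass_hosts"].append(host)
    return report


# Constructed sample of `dig +short MX example.com` matching the layout
# described in the question (appliance at 10, FE at 20, BEs at 30 and 40).
SAMPLE_MX = """\
10 scm.example.com.
20 fe.example.com.
30 be1.example.com.
40 be2.example.com.
"""

if __name__ == "__main__":
    import sys
    report = audit_mx(parse_dig_mx(SAMPLE_MX), "scm.example.com")
    print(report)
    # A non-empty bypass list means the appliance can be skipped entirely.
    sys.exit(1 if report["bypass_hosts"] else 0)
```

Anything that shows up in `bypass_hosts` is a delivery path that never touches the appliance, which is exactly the situation the later comments describe; the fix is at the firewall (only the appliance reachable on 25 from outside), not only in DNS.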

Expert Comment

by:AimToPlease
ID: 22622268
I'm not sure if this is what you want to hear but the way you have set up your appliance is wrong.

You are supposed to route ALL e-mail through the appliance and prevent any other way of e-mail coming in. In your MX records, you have actually provided a way to avoid spam scanning by providing redundancy.

If your appliance goes down, the e-mail will flow directly to either your front-end or backend server. It should flow to another appliance or mail relay that will store and forward your e-mail.

So you must either configure a relay server as a failover or you must configure a second appliance as failover. Either way, you must not have your exchange servers directly connected to the internet or you might as well drop the whole appliance idea.

Firewall your exchange servers and force e-mail through your appliance. :)

Hope this helps.

Author Comment

by:Texas_Billy
ID: 22624569
The exchange servers are firewalled, and I'm trying to route all of the email to the appliance.  The way it's set up, all email should be going to it, but it's not, and that's what I'm trying to figure out.  

I could set up another appliance with an MX priority of 20, but what good would it do if everything is already going directly to the backend server in the first place?  

I tried setting it up as a transparent bridge and making it a hard-wire barrier inside the ASA, but it bogs down, freezes and causes a bottleneck; no good.  

The whole idea of using explicit proxy is to provide redundancy so that should this appliance die on me, email delivery doesn't die, we just get spam until the appliance is fixed.  

Expert Comment

by:AimToPlease
ID: 22626074
I understand what you are trying to do and it seems to make sense, but let me put it this way:

If the first MX record is scanning for spam and the other MX records will allow direct delivery to the mail server, it doesn't make sense for the spammer to deliver spam to the first (appliance) address since it will be blocked. To overcome this, the spammer will probably use random MX records to deliver e-mail. You should be able to see this in the mail headers of delivered e-mail and spam. If you were writing a spam bot, would you always use the first MX record (the one with the highest priority)? You wouldn't (or shouldn't, hehe), exactly because of this kind of setup. You might want to remove the secondary and other MX records entirely for testing. May I ask for what domain you are setting this up?

Off the record: You say you are experiencing issues with bridge mode. What type of appliance are you using? Is it a 3000 or 3100 series? Beware of memory issues with older appliances and newer software (e.g. any 3000 series or 3100 (PowerEdge 750, 850 and 860) series with SIG software higher than v4.21 patch 5). You will experience a lot of issues related to lack of memory since these appliances come with only 512MB. Check this in the appliance status page (version 4.x); pages per second must not be greater than 0 or the CPU will max out. In version 5, you'll find it under Troubleshoot, Tools, System Load. In fact, I would recommend you use version 4.5 with the latest patch (11) instead of MWS 5. If you do use MWS 5, I would urge you to install patch 1 to overcome a lot of serious issues regarding Postgres and CPU load. :-)

I would need a network diagram and the appliance config to be more exact but I think this is going to pose a security problem ;)
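AimToPlease points at the mail headers as the place to see which MX host each message actually came in through. The following is an added example, not code from this thread or from McAfee: it walks the Received chain of a message (oldest hop first) and reports whether the first host inside the organisation to accept the message from an outside sender was the filtering gateway or one of the Exchange servers. The host names and the two sample messages are constructed assumptions.

```python
"""Classify inbound mail by the host where it entered the organisation.

Added example, not code from the thread. Host names and the two sample
messages below are constructed assumptions for illustration.
"""
import email
import re
from collections import Counter
from typing import Iterable, Optional

# Hosts under our control (assumed names matching the question's layout).
GATEWAY = "scm.example.com"
OUR_HOSTS = {GATEWAY, "fe.example.com", "be1.example.com", "be2.example.com"}

# "from <host> ... by <host>" inside one Received header; re.S covers folded lines.
_RECEIVED_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.I | re.S)


def received_hops(raw: str) -> list[tuple[str, str]]:
    """Return (from_host, by_host) pairs in chronological order.

    MTAs prepend Received headers, so the last one in the message is the
    first hop the message took; the list is reversed to get oldest first.
    """
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = _RECEIVED_RE.search(str(value))
        if m:
            hops.append((m.group(1).rstrip(";.").lower(),
                         m.group(2).rstrip(";.").lower()))
    return list(reversed(hops))


def entry_host(raw: str, our_hosts: Iterable[str] = OUR_HOSTS) -> Optional[str]:
    """The first of our hosts that accepted the message from an outside host."""
    ours = {h.lower() for h in our_hosts}
    for from_host, by_host in received_hops(raw):
        if by_host in ours and from_host not in ours:
            return by_host
    return None


def classify(raw: str, gateway: str = GATEWAY,
             our_hosts: Iterable[str] = OUR_HOSTS) -> str:
    """'filtered' if the gateway was the entry point, 'bypassed' if another
    of our hosts took it straight from the internet, else 'unknown'."""
    host = entry_host(raw, our_hosts)
    if host is None:
        return "unknown"
    return "filtered" if host == gateway.lower() else "bypassed"


def summarize(messages: Iterable[str]) -> Counter:
    """Count entry points over a batch of raw messages (e.g. a spam folder)."""
    return Counter(classify(m) for m in messages)


# Constructed sample: delivered straight to the front-end server (bypass).
BYPASSED = """\
Received: from fe.example.com (192.0.2.20) by be1.example.com (192.0.2.31)
 with Microsoft SMTP Server; Wed, 1 Oct 2008 10:02:11 -0500
Received: from mail.spam-sender.invalid (203.0.113.7) by fe.example.com
 (192.0.2.20) with ESMTP; Wed, 1 Oct 2008 10:02:10 -0500
From: someone@spam-sender.invalid
Subject: cheap watches

body
"""

# Constructed sample: accepted by the appliance first (filtered path).
FILTERED = """\
Received: from scm.example.com (192.0.2.10) by fe.example.com (192.0.2.20)
 with ESMTP; Wed, 1 Oct 2008 10:05:00 -0500
Received: from mx.partner.invalid (198.51.100.4) by scm.example.com
 (192.0.2.10); Wed, 1 Oct 2008 10:04:59 -0500
From: alice@partner.invalid
Subject: invoice

body
"""

if __name__ == "__main__":
    print(summarize([BYPASSED, FILTERED]))
```

Run `summarize` over the messages that got through unfiltered; if most of them report `bypassed`, the appliance is being skipped at the network level and no MX priority will change that, which is the point made in the next comments about closing port 25 on the Exchange servers.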

Author Comment

by:Texas_Billy
ID: 22627132
That's interesting, I'll try removing the other MX records and see how it goes.  The problem I've had with that in the past is that without each server having its own MX record, outside servers have bounced email saying they can't perform a reverse query to my server, so we can't deliver to their domains.  Seems silly to me because PTR records are set up properly for my servers in external DNS; when I've had this issue, adding MX records back fixed the problem.  It sounds crazy to me too, but it's happened at least a dozen times now.


Author Comment

by:Texas_Billy
ID: 22627265
So maybe what I should do is tell my exchange servers to send outbound email through the FE server, have a PTR record for the FE server, kill the MX records for all outside exchange servers, leaving only the SCM appliance priority 10 MX record, and that should help, no?

Thanks for your help, by the way - I appreciate it very much.

Author Comment

by: Texas_Billy
ID: 22627287
Bear in mind, in regard to final comments on your original post, we are a domain that bulk emails its customers.  Not spam, mind you; we only email customers that specifically asked us for email notifications and there's no tiny font anywhere tricking anyone into it, we don't spam ever.

We do, however, bulk email out to upwards of 40,000 customers a few times per quarter.  

Assisted Solution

by: AimToPlease (earned 62 total points)
ID: 22627556
I'm still wondering about some things, namely: what appliance software and hardware versions are you using?

As far as the MX records are concerned, removing them does not necessarily fix the problem of spam getting around the appliance, since your mail servers are still reachable from the internet. You may find that nothing has changed for some inbound e-mails. They will come in using the old route despite your DNS change. Again, check the firewall so that it corresponds to your DNS settings and the appliance is the only way to get e-mail through.

You have various options to take care of your outbound e-mail. My personal favourite would be to have it sent through the appliance by configuring the appliance as a smart host from Exchange. Make sure you name your appliance properly (e.g. mailserver.maildomain.com) so that reverse lookups check out from public DNS and use the right IP. From what I understand, you have several IPs.

Using the appliance as a relay for outbound e-mail will centralize your outbound e-mail and keep things simple. You might run into "false positives" nonetheless if you have anti-spam scanning on outbound e-mail enabled. Depending on the appliance software version, you either have to disable spam scanning for outbound mail in the From Inside policy (SIG 4.x) or make a policy preset to take care of this (MWS 5).

Always happy to help out. :)