Texas_Billy

Mail not routing to SCM 3100

Anyone know anything about using the McAfee SCM3100, or more specifically, how to get mail to actually go to it?  

I've got two backend exchange servers and a front end exchange server (all Exchange 2003).  I've got an SCM3100 set up in explicit proxy mode.  In external DNS, the SCM3100 is priority 10 (the MX record, I mean), the FE exchange server is priority 20, the BE exchange server priorities are 30 and 40 respectively.

The SCM is filtering email, but not much is getting to it.  It's online and some email is going right to it, but thousands of other spam mails are getting right through without being filtered, and they fit content / spam rules that should be blocked.  I think these emails are, for whatever reason, going straight to the FE exchange server, bypassing the SCM appliance even though it's the highest priority MX record.  I must be doing something wrong in DNS; when I remove the MX record for the backend exchange servers, they can't send email, so I have to leave them up there.  

Any ideas on what I'm doing wrong?  
ASKER CERTIFIED SOLUTION
deroyer

AimToPlease

I'm not sure if this is what you want to hear but the way you have set up your appliance is wrong.

You are supposed to route ALL e-mail through the appliance and prevent any other way of e-mail coming in. In your MX records, you have actually provided a way to avoid spam scanning by providing redundancy.

If your appliance goes down, the e-mail will flow directly to either your front-end or backend server. It should flow to another appliance or mail relay that will store and forward your e-mail.

So you must either configure a relay server as a failover or you must configure a second appliance as failover. Either way, you must not have your exchange servers directly connected to the internet or you might as well drop the whole appliance idea.

Firewall your exchange servers and force e-mail through your appliance. :)

Hope this helps.
Texas_Billy

ASKER

The exchange servers are firewalled, and I'm trying to route all of the email to the appliance.  The way it's set up, all email should be going to it, but it's not, and that's what I'm trying to figure out.  

I could set up another appliance with an MX priority of 20, but what good would it do if everything is already going directly to the backend server in the first place?  

I tried setting it up as a transparent bridge and making it a hard-wire barrier inside the ASA, but it bogs down, freezes and causes a bottleneck; no good.  

The whole idea of using explicit proxy is to provide redundancy so that should this appliance die on me, email delivery doesn't die, we just get spam until the appliance is fixed.  

I understand what you are trying to do and it seems to make sense, but let me put it this way:

If the first MX record is scanning for spam and the other MX records will allow direct delivery to the mail server, it doesn't make sense for the spammer to deliver spam to the first (appliance) address since it will be blocked. To overcome this, the spammer will probably use random MX records to deliver e-mail. You should be able to see this in the mail headers of delivered e-mail and spam. If you were writing a spam bot, would you always use the first MX record (the one with the highest priority)? You wouldn't (or shouldn't, hehe), exactly because of this kind of setup. You might want to remove the secondary and other MX records entirely for testing. May I ask for what domain you are setting this up?

Off the record: You say you are experiencing issues with bridge mode. What type of appliance are you using? Is it a 3000 or 3100 series? Beware of memory issues with older appliances and newer software (e.g. any 3000 series or 3100 (Poweredge 750, 850 and 860) series with SIG software higher than v4.21 patch 5). You will experience a lot of issues related to lack of memory since these appliances come with only 512MB. Check this in the appliance status page (version 4.x); pages per second must not be greater than 0 or the CPU will max out. In version 5, you'll find it under Troubleshoot, Tools, System Load. In fact, I would recommend you use version 4.5 with the latest patch (11) instead of MWS 5. If you do use MWS 5, I would urge you to install patch 1 to overcome a lot of serious issues regarding PostGres and CPU load. :-)

I would need a network diagram and the appliance config to be more exact but I think this is going to pose a security problem ;)

That's interesting, I'll try removing the other MX records and see how it goes.  The problem I've had with that in the past is that without each server having its own MX record, outside servers have bounced email saying they can't perform a reverse query to my server, so we can't deliver to their domains.  Seems silly to me because PTR records are set up properly for my servers in external DNS; when I've had this issue, adding MX records back fixed the problem.  It sounds crazy to me too, but it's happened at least a dozen times now.    

So maybe what I should do is tell my exchange servers to send outbound email through the FE server, have a PTR record for the FE server, kill the MX records for all outside exchange servers, leaving only the SCM appliance priority 10 MX record, and that should help, no?  

Thanks for your help, by the way - I appreciate it very much.

Bear in mind, in regard to final comments on your original post, we are a domain that bulk emails its customers.  Not spam, mind you; we only email customers that specifically asked us for email notifications and there's no tiny font anywhere tricking anyone into it, we don't spam ever.  

We do, however, bulk email out to upwards of 40,000 customers a few times per quarter.  
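
The header check suggested earlier in the thread can be automated. The following is an added example, not part of the original posts: it walks a delivered message's Received headers from the top to find the hop where the mail entered the network, and flags messages that did not enter through the filtering appliance. The host names, the 10.0.0.0/24 range and the sample messages are constructed, and it assumes every one of your servers, the appliance included, stamps a Received header with the peer IP in brackets.

```python
import email
import ipaddress
import re

# Constructed values for illustration: substitute your own names and ranges.
FILTER_HOST = "scm.example.com"                  # the priority-10 MX
OUR_HOSTS = {"scm.example.com", "fe.example.com", "be1.example.com"}
OUR_NET = ipaddress.ip_network("10.0.0.0/24")

HOP_RE = re.compile(r"from\s+(.*?)\s+by\s+([^\s;]+)", re.I | re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def entry_hop(raw_message):
    """Return (peer_ip, our_host) for the hop where mail entered our network.

    Received headers are prepended, so walk from the top (stamped by our own
    servers) and stop at the first hop whose peer is outside OUR_NET. Anything
    below that line was written by the sender and is ignored.
    """
    msg = email.message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        hop = HOP_RE.search(header)
        ip = IP_RE.search(hop.group(1)) if hop else None
        if not hop or not ip:
            return None                      # unparseable: do not guess
        receiver = hop.group(2).lower()
        if receiver not in OUR_HOSTS:
            return None                      # left the trusted chain
        peer = ipaddress.ip_address(ip.group(1))
        if peer not in OUR_NET:
            return str(peer), receiver
    return None

def bypassed_filter(raw_message):
    hop = entry_hop(raw_message)
    return hop is not None and hop[1] != FILTER_HOST

def _msg(*hops):
    # Build a constructed message from (peer, peer_ip, receiver) tuples, newest first.
    lines = ["Received: from %s ([%s]) by %s; Mon, 1 Jan 2007 10:00:00 -0600" % h
             for h in hops]
    return "\n".join(lines + ["Subject: test", "", "body"])

VIA_FILTER = _msg(("fe.example.com", "10.0.0.20", "be1.example.com"),
                  ("scm.example.com", "10.0.0.10", "fe.example.com"),
                  ("mail.sender.test", "203.0.113.5", "scm.example.com"))
DIRECT = _msg(("fe.example.com", "10.0.0.20", "be1.example.com"),
              ("bulk.sender.test", "198.51.100.7", "fe.example.com"),
              ("relay.sender.test", "192.0.2.9", "scm.example.com"))  # forged hop
```

Counting `bypassed_filter` results over a mailbox of delivered spam shows how much of it arrived through the lower-priority MX hosts instead of the appliance.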