Solved

SMTP call-ahead for recipient validation

Posted on 2014-02-12
2
2,448 Views
Last Modified: 2014-02-21
We have two Cisco IronPort C360 appliances doing antispam and antivirus filtering before mail makes its way into Exchange. These have not been in a DMZ, and we're now making the effort to move these into a DMZ.

We use our corporate AD servers for LDAP recipient validation (so that invalid recipients are dropped). We were planning to move an LDAP server into the DMZ with the appliances, with email addresses pushed to it from production, for recipient validation. *BUT* I came across SMTP call-ahead, which seems like it would suit our needs better since we wouldn't need a dedicated LDAP server and our architecture would be more secure...

IronPort would open an SMTP session to Exchange to verify the recipient. Exchange hub servers don't do this out of the box, antispam agents need to be installed. This fellow has a good guide: This fellow has a good guide: http://www.jjclements.co.uk/2010/09/23/exchange-2010-recipient-filtering-on-a-hub-transport-server/

I'm wondering if what we're doing is a terrible idea. Does anyone have any experience with SMTP call-ahead? I would appreciate any thoughts, validation, or feedback.
0
Comment
Question by:msghydron
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39854028
I enable recipient filtering on all servers that I deploy and it is something I think should be on all email servers.
The problem you will have is that Exchange has tarpit enabled by default, which can cause email delivery days. It will depend on whether the appliances are able to cache the results or not (I haven't used them myself, so don't know). If they are able to cache results then it shouldn't be a problem, as they will only have the tarpit delay the first time they connect. However if they are doing it "live" each time, then you may well have to reconfigure Exchange to remove the tarpit.

Simon.
0
 

Author Closing Comment

by:msghydron
ID: 39878382
We are proceeding with SMTP call-ahead on the IronPort C360 appliances, switching from LDAP recipient validation. We've removed the 5-second tarpit delay. I think this is a better configuration, when the C360's are in a DMZ.
0

Featured Post

Increase Agility with Enabled Toolchains

Connect your existing build, deployment, management, monitoring, and collaboration platforms. From Puppet to Chef, HipChat to Slack, ServiceNow to JIRA, Splunk to New Relic and beyond, hand off data between systems to engage the right people.

Connect with xMatters.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes clients can lose connectivity with the Lotus Notes Domino Server, but there's not always an obvious answer as to why it happens.   Read this article to follow one of the first experiences I had with Lotus Notes on a client's machine, my…
Make the most of your online learning experience.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question