
Exchange 2010 / Google SPAM Protection Bypass

Last Modified: 2016-01-19
Hello.

I support a small business (fewer than 20 users) who use the Google Apps for Business Gmail mail protection (formerly known as Postini) for their email hygiene with an on-premise Exchange 2010 server.  It has been working very well up until the last few days.  Many users are getting a large amount of SPAM that seems to be bypassing the Gmail route altogether.

I have the server set up to route all outbound and inbound mail through Google.  I contacted their tech support and they found nothing wrong with the configuration both in the MX record and the filter settings.

I'm thinking that the receive connectors may have to be changed to support Google only.  My thinking is that is the right way to go, but I found several other receive connectors:

Client
Default
Google Apps
Reinjection

I remember setting up Google Apps and Reinjection so that the email would come in from Google.  But I'm not sure why I need Client or Default.  When I read the email headers from those SPAM messages they appear NOT to go through Google.

My main question is - If I set up Google correctly in the MX records with the IP address:

Priority      Points to
1      ASPMX.L.GOOGLE.COM.
5      ALT1.ASPMX.L.GOOGLE.COM.
5      ALT2.ASPMX.L.GOOGLE.COM.
10      ALT3.ASPMX.L.GOOGLE.COM.
50      xx.xxx.xxx.xxx

How are messages bypassing Google and going direct to xx.xxx.xxx.xxx?  (x's being used here to protect their identity)

Should I remove the other two receive connectors?  Will that cause internal mail not to work?

Thanks!

Ken Conradie, Network Manager (Certified Expert), commented:
I think your best bet would be to remove the final MX record altogether. Your server shouldn't be able to receive emails directly from the internet in this configuration. You want ALL mail to go via Google servers to your server. This will ensure that the email flow is scrubbed for SPAM and viruses. Going directly to your server circumvents all of these checks, which you DO NOT want.

You should also configure your firewall to only allow the IP ranges of Google to come in via port 25 to the email server. That will prevent any other email coming in that already knows about the open port 25 on your firewall. Spammers tend to find these "direct to mail server" IPs and will continue to take advantage of it, even once you have changed the MX records.

If you prefer, you COULD leave the MX record in place and just reconfigure your firewall so that you are rejecting these connections. Then, in the event of Google servers being down and a dire need for direct-to-server emails, you could just change the firewall rules. This is not the preferred solution, but you could do that if you really want to leave that MX record in place.

Hope that helps. Let me know if you need more help with this.
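The two checks the answer above implies, as an added example that is not code from the original thread or from Google or Microsoft: read the Received chain of a suspect message top-down to find the hop at which the on-prem server accepted it from outside, and report whether that source address is one of the filtering service's relays; and audit the zone's MX set for targets that let senders skip the filter. Everything named here is assumed: the Exchange host is called mail.example.com, 203.0.113.10 stands in for the site's public address, the two messages and the MX list are constructed, and ALLOWED_RELAY_NETS is a constructed snapshot that in production should be rebuilt from the ip4:/ip6: entries reachable from the _spf.google.com TXT record.

```python
"""Spot inbound mail that bypassed the Google (Postini) filtering layer.

Added example for this thread, not code from the original post, Google or
Microsoft. All names and addresses are hypothetical: the on-prem Exchange 2010
host is mail.example.com, 203.0.113.10 stands in for the site's public IP,
and ALLOWED_RELAY_NETS is a constructed snapshot. Rebuild that list from the
ip4:/ip6: entries reachable from the _spf.google.com TXT record in production.
"""
import email
import ipaddress
import re

ONPREM_HOST = "mail.example.com"  # hypothetical name of the Exchange server

# Constructed snapshot; refresh from DNS (_spf.google.com -> _netblocks*.google.com).
ALLOWED_RELAY_NETS = [ipaddress.ip_network(n) for n in (
    "64.233.160.0/19", "74.125.0.0/16", "173.194.0.0/16",
    "209.85.128.0/17", "216.239.32.0/19")]

# Hops from these ranges are the server talking to itself or to internal
# clients (hub -> mailbox, MAPI submission), not the entry point from outside.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# "from <helo> (<comment>) by <host>" as stamped by Exchange and most MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<paren>[^)]*)\)\s+by\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def _in(nets, ip):
    return any(ip in n for n in nets)


def entry_hop(raw_message):
    """Return (helo, source_ip) for the hop at which ONPREM_HOST first accepted
    the message from a non-internal address, or (None, None) if there is none.

    Received headers are read top-down: the top ones were written by our own
    server and are trustworthy; everything below the first external hop was
    supplied by the sender and may be forged, so it is never consulted.
    """
    msg = email.message_from_string(raw_message)
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(hdr.split()))  # unfold the header
        if not m or m.group("by").rstrip(".").lower() != ONPREM_HOST:
            continue
        ip_match = IPV4_RE.search(m.group("paren"))
        if not ip_match:
            continue
        ip = ipaddress.ip_address(ip_match.group())
        if _in(INTERNAL_NETS, ip):
            continue  # hub/mailbox or MAPI hop; keep looking further down
        return m.group("helo"), str(ip)
    return None, None


def check_message(raw_message):
    """Classify one message: did it reach us through Google, or directly?"""
    helo, ip = entry_hop(raw_message)
    if ip is None:
        return {"helo": None, "source_ip": None, "via_filter": None}
    return {"helo": helo, "source_ip": ip,
            "via_filter": _in(ALLOWED_RELAY_NETS, ipaddress.ip_address(ip))}


def audit_mx(mx_records):
    """Flag MX entries that let senders skip the filter: any target that is a
    bare IP address or a host outside google.com."""
    findings = []
    for preference, target in mx_records:
        name = target.rstrip(".").lower()
        try:
            ipaddress.ip_address(name)
            findings.append((preference, target, "bare IP address as MX target"))
            continue
        except ValueError:
            pass
        if not name.endswith(".google.com"):
            findings.append((preference, target, "MX target not a Google host"))
    return findings


# --- constructed sample data (not captured from any real system) -------------
MX_RECORDS = [(1, "ASPMX.L.GOOGLE.COM."), (5, "ALT1.ASPMX.L.GOOGLE.COM."),
              (5, "ALT2.ASPMX.L.GOOGLE.COM."), (10, "ALT3.ASPMX.L.GOOGLE.COM."),
              (50, "203.0.113.10")]  # the stray "xx.xxx.xxx.xxx" entry

FILTERED_MSG = """\
Received: from mail.example.com ([10.0.0.5]) by mail.example.com ([10.0.0.5])
 with mapi id 14.03.0123.003; Tue, 19 Jan 2016 09:12:01 -0500
Received: from mail-oi0-f41.google.com (209.85.218.41) by mail.example.com
 (10.0.0.5) with Microsoft SMTP Server id 14.3.123.3; Tue, 19 Jan 2016 09:12:00 -0500
Received: by mail-oi0-f41.google.com with SMTP id k5so1234567oib
 for <user@example.com>; Tue, 19 Jan 2016 06:11:59 -0800 (PST)
From: partner@example.org
To: user@example.com
Subject: quarterly figures

(constructed body)
"""

# Direct-to-server delivery; the bottom header is a forgery the sender added
# to look as if it came via Google, and the top-down walk never reaches it.
DIRECT_MSG = """\
Received: from mail.example.com ([10.0.0.5]) by mail.example.com ([10.0.0.5])
 with mapi id 14.03.0123.003; Tue, 19 Jan 2016 09:30:12 -0500
Received: from unknown (198.51.100.77) by mail.example.com (10.0.0.5)
 with Microsoft SMTP Server id 14.3.123.3; Tue, 19 Jan 2016 09:30:11 -0500
Received: from aspmx.l.google.com (198.51.100.77) by mail.example.com (10.0.0.5)
From: promo@example.net
To: user@example.com
Subject: cheap watches

(constructed body)
"""

if __name__ == "__main__":
    for label, raw in (("filtered", FILTERED_MSG), ("direct", DIRECT_MSG)):
        print(label, check_message(raw))
    for finding in audit_mx(MX_RECORDS):
        print("MX finding:", finding)
```

Run it against the headers of one of the spam messages (paste the raw source into a string) and the source_ip it reports is the address that the firewall rule and the receive connector's remote IP range should be rejecting; a via_filter of False with a helo that is not a Google host is exactly the direct delivery the answer above describes.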

Author commented:
Thanks for your response.

I like the idea of removing the IP address from the MX record, since Google has that IP address in their configuration for the SMTP relay service.  However, won't removing that address put our server on a blacklist?

From the Exchange side, Is there a way that I can refuse all inbound mail except from the Google servers using the receive connectors in Exchange?
Network Manager (Certified Expert) commented:

Author commented:
Thanks!

Author commented:
Oops.  We're going to have to go to "Plan B".  That IP address is also part of a FQDN for their OWA and CAS communications for web and mobile clients.

They all go to "smtp.company.com/" for OWA and ActiveSync.  Their web site is hosted by AT&T on a different IP address. Below is an extract of the DNS file.  The Y's represent the AT&T web host address, the X's represent the external IP of the router on prem. On prem there is a single Exchange 2010 server (not a DC) running as a web server, mailbox server, Hub Transport and Client Access.

DNS Record

www IN A YY.YY.YYY.YYY
ftp IN A YY.YY.YYY.YYY
smtp IN A XX.XXX.XXX.XXX
pop IN A XX.XXX.XXX.XXX
IN MX 1 ASPMX.L.GOOGLE.COM.
IN MX 5 ALT1.ASPMX.L.GOOGLE.COM.
IN MX 5 ALT2.ASPMX.L.GOOGLE.COM.
IN MX 10 ALT3.ASPMX.L.GOOGLE.COM.
IN MX XX.XXX.XXX.XXX

If I delete the MX line with the XX, and leave the smtp line alone, will that stop unwanted mail servers from sending us mail, while still allowing the employees to resolve that address externally?  I'm thinking "yes".

Thanks!
