Ted Williamson (United States of America) asked:

Exchange 2010 / Google SPAM Protection Bypass

Hello.

I support a small business (fewer than 20 users) that uses the Google Apps for Business Gmail mail protection, formerly known as Postini, for their email hygiene with an on-premises Exchange 2010 server. It has been working very well up until the last few days. Many users are getting a large amount of SPAM that seems to be bypassing the Gmail route altogether.

I have the server set up to route all outbound and inbound mail through Google.  I contacted their tech support and they found nothing wrong with the configuration both in the MX record and the filter settings.

I'm thinking that the receive connectors may have to be changed to support Google only.  My thinking is that is the right way to go, but I found several other receive connectors:

Client
Default
Google Apps
Reinjection

I remember setting up Google Apps and Reinjection so that the email would come in from Google.  But I'm not sure why I need Client or Default.  When I read the email headers from those SPAM messages they appear NOT to go through Google.

My main question is - If I set up Google correctly in the MX records with the IP address:

Priority      Points to
1      ASPMX.L.GOOGLE.COM.
5      ALT1.ASPMX.L.GOOGLE.COM.
5      ALT2.ASPMX.L.GOOGLE.COM.
10      ALT3.ASPMX.L.GOOGLE.COM.
50      xx.xxx.xxx.xxx

How are messages bypassing Google and going direct to xx.xxx.xxx.xxx?  (x's being used here to protect their identity)

Should I remove the other two receive connectors?  Will that cause internal mail not to work?

Thanks!
Tags: Google Workspace, Exchange, AntiSpam
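The asker's reading of the headers can be made systematic. The following is an added example, not code from the question or from Google or Microsoft: it parses the Received headers of a message and reports whether the session that delivered it to the on-premises Exchange 2010 server came from one of Google's relay ranges. Exchange 2010 writes "Received: from <HELO name> (<client IP>) by <our server> ..." for each inbound session, so the client IP in that hop is the field to trust; the HELO name and every earlier Received line are supplied by the sender and can be forged. The server name exch01.company.local, both sample messages and the $GoogleRanges list are constructed for this example; the range list is a placeholder using documentation addresses and must be replaced with the inbound netblocks Google publishes for Google Workspace (its SPF include records under _spf.google.com). The code avoids PowerShell 3.0 features so it also runs on the Server 2008 R2 host an Exchange 2010 server typically lives on.

```powershell
# Added example: classify inbound messages by the IP of the session that handed them
# to our Exchange server. Nothing here is from the original thread.

$OurServer    = 'exch01.company.local'   # assumed name of the on-premises Exchange server
$GoogleRanges = @('203.0.113.0/24')      # PLACEHOLDER: replace with Google's published inbound ranges

# Constructed sample headers: one message relayed through Google, one delivered directly.
$ViaGoogle = @'
Received: from relay.mx.example (203.0.113.10) by exch01.company.local
 (10.0.0.5) with Microsoft SMTP Server id 14.3.123.4; Mon, 22 Aug 2022 09:15:02 -0400
Received: by relay.mx.example with SMTP id abc123; Mon, 22 Aug 2022 06:15:01 -0700
From: partner@example.org
Subject: Q3 invoice
'@

$Direct = @'
Received: from mail.example.org (198.51.100.77) by exch01.company.local
 (10.0.0.5) with Microsoft SMTP Server id 14.3.123.4; Mon, 22 Aug 2022 09:20:44 -0400
From: promo@example.net
Subject: You have won
'@

function Test-IPv4InCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $ipBytes  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    if ($ipBytes.Length -ne 4 -or $netBytes.Length -ne 4) { return $false }   # IPv4 only
    [Array]::Reverse($ipBytes); [Array]::Reverse($netBytes)                   # network order -> host order
    $ipInt  = [BitConverter]::ToUInt32($ipBytes, 0)
    $netInt = [BitConverter]::ToUInt32($netBytes, 0)
    # Prefix mask built without shift operators so the function also runs on PowerShell 2.0
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

function Get-DeliveringClientIp {
    param([string]$RawHeaders, [string]$Server)
    # Unfold RFC 5322 continuation lines, then keep only the hop our own server recorded.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $hop = $unfolded -split "`r?`n" |
        Where-Object { $_ -match "^Received: from \S+ \((\d{1,3}(\.\d{1,3}){3})\) by $([regex]::Escape($Server))\b" } |
        Select-Object -First 1
    if ($hop -and $hop -match '\((\d{1,3}(\.\d{1,3}){3})\)') { return $Matches[1] }
    return $null
}

function Test-DeliveredViaGoogle {
    param([string]$RawHeaders)
    $ip = Get-DeliveringClientIp -RawHeaders $RawHeaders -Server $OurServer
    if (-not $ip) {
        return New-Object PSObject -Property @{ ClientIp = $null; ViaGoogle = $false; Note = 'no hop recorded by our server' }
    }
    $inGoogle = $false
    foreach ($range in $GoogleRanges) { if (Test-IPv4InCidr -Ip $ip -Cidr $range) { $inGoogle = $true } }
    $note = if ($inGoogle) { 'relayed by Google' } else { 'delivered direct: bypassed Google filtering' }
    New-Object PSObject -Property @{ ClientIp = $ip; ViaGoogle = $inGoogle; Note = $note }
}

Test-DeliveredViaGoogle $ViaGoogle | Format-List ClientIp, ViaGoogle, Note
Test-DeliveredViaGoogle $Direct    | Format-List ClientIp, ViaGoogle, Note
```

With the constructed ranges the first message is reported as relayed by Google (client 203.0.113.10) and the second as delivered direct (client 198.51.100.77). Run against real messages, a single "delivered direct" result confirms that something other than Google can reach port 25 on the server, which is the condition the rest of the thread sets out to close.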


8/22/2022 - Mon
Ken Conradie

I think your best bet would be to remove the final MX record altogether. Your server shouldn't be able to receive emails directly from the internet in this configuration. You want ALL mail to go via Google servers to your server. This will ensure that the email flow is scrubbed for SPAM and viruses. Going directly to your server circumvents all of these checks, which you DO NOT want.

You should also configure your firewall to only allow the IP ranges of Google to come in via port 25 to the email server. That will prevent any other email coming in that already knows about the open port 25 on your firewall. Spammers tend to find these "direct to mail server" IPs and will continue to take advantage of it, even once you have changed the MX records.

If you prefer, you COULD leave the MX record in place and just reconfigure your firewall so that you are rejecting these connections. Then, in the event of Google servers being down and a dire need for direct-to-server emails, you could just change the firewall rules. This is not the preferred solution, but you could do that if you really want to leave that MX record in place.

Hope that helps. Let me know if you need more help with this.
ASKER
Ted Williamson

Thanks for your response.

I like the idea of removing the IP address from the MX record, since Google has that IP address in their configuration for the SMTP relay service. However, won't removing that address put our server on a blacklist?

From the Exchange side, is there a way that I can refuse all inbound mail except from the Google servers using the receive connectors in Exchange?
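Ken's advice above (let only Google reach port 25) and the asker's follow-up question (can the receive connectors do this?) point at the same configuration. The following is an added example written for this thread, not the accepted answer hidden below and not Microsoft's documentation; it runs in the Exchange 2010 Management Shell on the Hub Transport server. It assumes the server is named EXCH01, that the Internet-facing connector is the one the asker called "Google Apps", that the internal subnet is 10.0.0.0/24, and that the Default connector is named as shown by Get-ReceiveConnector. $GoogleInboundRanges is a placeholder using documentation addresses; replace it with the inbound netblocks Google publishes for Google Workspace (its SPF include records under _spf.google.com).

```powershell
# Added example for the Exchange 2010 Management Shell; not code from the thread.

$ServerName          = 'EXCH01'                                  # assumed Hub Transport server name
$GoogleInboundRanges = @('203.0.113.0/24', '198.51.100.0/24')    # PLACEHOLDER ranges
$InternalSubnet      = '10.0.0.0/24'                             # assumed internal network

# 1. Audit: which port-25 connectors accept anonymous SMTP, and from which addresses?
#    Exchange picks the connector whose RemoteIPRanges most specifically matches the client.
#    A connector that lists the whole Internet (0.0.0.0-255.255.255.255) and grants the
#    AnonymousUsers permission group is the path spam takes around Google.
function Get-Port25Connectors {
    param([string]$Server)
    Get-ReceiveConnector -Server $Server | Where-Object {
        ($_.Bindings | Where-Object { $_.Port -eq 25 }) -ne $null
    } | ForEach-Object {
        $ranges = @($_.RemoteIPRanges | ForEach-Object { $_.ToString() })
        New-Object PSObject -Property @{
            Name         = $_.Name
            AcceptsAnon  = (([string]$_.PermissionGroups) -match 'AnonymousUsers')
            OpenToWorld  = ($ranges -contains '0.0.0.0-255.255.255.255')
            RemoteRanges = ($ranges -join ', ')
        }
    }
}
Get-Port25Connectors -Server $ServerName |
    Format-Table Name, AcceptsAnon, OpenToWorld, RemoteRanges -AutoSize

# 2. Restrict: only Google's relays may open a session on the Internet-facing connector.
#    Any other source address is refused at SMTP connect time, before any message data.
Set-ReceiveConnector -Identity "$ServerName\Google Apps" -RemoteIPRanges $GoogleInboundRanges

# 3. Internal traffic: do not delete Client (port 587, authenticated users) or Default
#    (Exchange servers and internal relays); narrow Default to the internal network so it
#    cannot be matched by an external client. Use the full name Get-ReceiveConnector shows.
Set-ReceiveConnector -Identity "$ServerName\Default $ServerName" -RemoteIPRanges $InternalSubnet

# 4. Verify the end state: no port-25 connector should be both AcceptsAnon and OpenToWorld.
Get-Port25Connectors -Server $ServerName |
    Format-Table Name, AcceptsAnon, OpenToWorld, RemoteRanges -AutoSize
```

Two caveats before running step 3: any internal device that relays through the server (scanners, application servers) must fall inside the ranges left on the Default connector, and the change takes effect for new sessions only, so an existing connection is not dropped. The connector restriction is defense in depth; the perimeter firewall rule Ken describes should still be in place so that unwanted connections never reach the Exchange service at all.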
ASKER CERTIFIED SOLUTION
Ken Conradie

ASKER
Ted Williamson

Thanks!
ASKER
Ted Williamson

Oops.  We're going to have to go to "Plan B".  That IP address is also part of an FQDN for their OWA and CAS communications for web and mobile clients.

They all go to "smtp.company.com/" for OWA and ActiveSync.  Their web site is hosted by AT&T on a different IP address. Below is an extract of the DNS file.  The Y's represent the AT&T web host address, the X's represent the external IP of the router on prem. On prem there is a single Exchange 2010 server (not a DC) running as a web server, mailbox server, Hub Transport and Client Access.

DNS Record

www IN A YY.YY.YYY.YYY
ftp IN A YY.YY.YYY.YYY
smtp IN A XX.XXX.XXX.XXX
pop IN A XX.XXX.XXX.XXX
IN MX 1 ASPMX.L.GOOGLE.COM.
IN MX 5 ALT1.ASPMX.L.GOOGLE.COM.
IN MX 5 ALT2.ASPMX.L.GOOGLE.COM.
IN MX 10 ALT3.ASPMX.L.GOOGLE.COM.
IN MX XX.XXX.XXX.XXX

If I delete the MX line with the XX, and leave the smtp line alone, will that stop unwanted mail servers from sending us mail, while still allowing the employees to resolve that address externally?  I'm thinking "yes".
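The DNS end state the asker describes can be verified rather than assumed. The following is an added example, not part of the thread; it runs from any Windows 8 / Server 2012 or later machine, since Resolve-DnsName ships with the DNS Client module there (the Exchange 2010 host itself, on Server 2008 R2, does not have it). The domain company.com and the on-premises address 192.0.2.10 are placeholders for the values the asker masked. One caveat the extract above raises: an MX target is a hostname, never an IP literal, so a line such as "IN MX XX.XXX.XXX.XXX" is not a valid record and is not reliably honoured by sending MTAs; the check below resolves every MX target to its addresses and flags any that lands on the on-premises IP.

```powershell
# Added example: confirm that no MX record advertises the on-premises server, that the
# client-facing A record still resolves, and whether port 25 is still reachable from here.

$Domain   = 'company.com'    # placeholder for the masked domain
$OnPremIp = '192.0.2.10'     # placeholder for XX.XXX.XXX.XXX

function Get-MxTargets {
    param([string]$Domain, [string]$OnPremIp)
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop | Where-Object { $_.Type -eq 'MX' }
    foreach ($r in ($mx | Sort-Object Preference)) {
        # A target that is not a resolvable hostname (e.g. an IP literal) simply yields no addresses.
        $a = Resolve-DnsName -Name $r.NameExchange -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' }
        $addrs = @($a | ForEach-Object { $_.IPAddress })
        New-Object PSObject -Property @{
            Preference   = $r.Preference
            Target       = $r.NameExchange
            Addresses    = ($addrs -join ', ')
            PointsOnPrem = ($addrs -contains $OnPremIp)
        }
    }
}

$mxReport = Get-MxTargets -Domain $Domain -OnPremIp $OnPremIp
$mxReport | Format-Table Preference, Target, Addresses, PointsOnPrem -AutoSize
if ($mxReport | Where-Object { $_.PointsOnPrem }) {
    Write-Warning "An MX record still points at the on-premises server; direct delivery is still advertised."
}

# The A record for the client-facing name must survive: OWA and ActiveSync users rely on it,
# and deleting the MX line does not touch it.
$smtpA = Resolve-DnsName -Name "smtp.$Domain" -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
"smtp.$Domain resolves to: " + (@($smtpA | ForEach-Object { $_.IPAddress }) -join ', ')

# Removing the MX record only stops well-behaved senders from choosing the server. Anyone who
# already learned the address can still connect to port 25 unless the firewall or the receive
# connector refuses it, so probe your own address from outside the network to confirm.
function Test-Port25Open {
    param([string]$Ip, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Ip, 25, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }   # timed out: filtered
        $client.EndConnect($async)
        return $true                                                             # TCP handshake completed
    } catch {
        return $false                                                            # refused or unreachable
    } finally {
        $client.Close()
    }
}
"Port 25 reachable on $OnPremIp from here: " + (Test-Port25Open -Ip $OnPremIp)
```

The answer to the asker's question is therefore checkable: after the MX line is removed, the report should show only Google targets with PointsOnPrem False, smtp.company.com should still resolve to the on-premises address, and, once the firewall or connector restriction is in place, the port-25 probe from outside should return False while Google's relays continue to deliver.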

Thanks!