Ted Williamson
asked on
Exchange 2010 / Google SPAM Protection Bypass
Hello.
I support a small business (less than 20 users) who use the Google Apps for Business GMAIL mail protection, formerly known as Postini, for their email hygiene with an on-premise Exchange 2010 server. It has been working very well up until the last few days. Many users are getting a large amount of SPAM that seems to be bypassing the GMAIL route altogether.
I have the server set up to route all outbound and inbound mail through Google. I contacted their tech support and they found nothing wrong with the configuration both in the MX record and the filter settings.
I'm thinking that the receive connectors may have to be changed to support Google only. My thinking is that this is the right way to go, but I found several other receive connectors:
Client
Default
Google Apps
Reinjection
I remember setting up Google Apps and Reinjection so that the email would come in from Google. But I'm not sure why I need Client or Default. When I read the email headers from those SPAM messages they appear NOT to go through Google.
My main question is: if I set up Google correctly in the MX records with the IP address:
Priority  Points to
1         ASPMX.L.GOOGLE.COM.
5         ALT1.ASPMX.L.GOOGLE.COM.
5         ALT2.ASPMX.L.GOOGLE.COM.
10        ALT3.ASPMX.L.GOOGLE.COM.
50        xx.xxx.xxx.xxx
How are messages bypassing Google and going direct to xx.xxx.xxx.xxx? (x's being used here to protect their identity)
Should I remove the other two receive connectors? Will that cause internal mail not to work?
Thanks!
ASKER
Thanks for your response.
I like the idea of removing the IP address from the MX record, since Google has that IP address in their configuration for the SMTP relay service. However, won't removing that address put our server on a blacklist?
From the Exchange side, is there a way that I can refuse all inbound mail except from the Google servers using the receive connectors in Exchange?
ASKER
Thanks!
ASKER
Oops. We're going to have to go to "Plan B". That IP address is also part of a FQDN for their OWA and CAS communications for web and mobile clients.
They all go to "smtp.company.com/" for OWA and ActiveSync. Their web site is hosted by AT&T on a different IP address. Below is an extract of the DNS file. The Y's represent the AT&T web host address, the X's represent the external IP of the router on-prem. On-prem there is a single Exchange 2010 server (not a DC) running as a web server, mailbox server, Hub Transport and Client Access.
DNS Record
www   IN A   YY.YY.YYY.YYY
ftp   IN A   YY.YY.YYY.YYY
smtp  IN A   XX.XXX.XXX.XXX
pop   IN A   XX.XXX.XXX.XXX
      IN MX  1   ASPMX.L.GOOGLE.COM.
      IN MX  5   ALT1.ASPMX.L.GOOGLE.COM.
      IN MX  5   ALT2.ASPMX.L.GOOGLE.COM.
      IN MX  10  ALT3.ASPMX.L.GOOGLE.COM.
      IN MX      XX.XXX.XXX.XXX
If I delete the MX line with the XX, and leave the smtp line alone, will that stop unwanted mail servers from sending us mail, while still allowing the employees to resolve that address externally? I'm thinking "yes".
Thanks!
You should also configure your firewall to only allow the IP ranges of Google to come in via port 25 to the email server. That will prevent any other email coming in that already knows about the open port 25 on your firewall. Spammers tend to find these "direct to mail server" IPs and will continue to take advantage of it, even once you have changed the MX records.
If you prefer, you COULD leave the MX record in place and just reconfigure your firewall so that you are rejecting these connections. Then, in the event of Google servers being down and a dire need for direct-to-server emails, you could just change the firewall rules. This is not the preferred solution, but you could do that if you really want to leave that MX record in place.
Hope that helps. Let me know if you need more help with this.
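The Exchange-side lock-down the asker asks about (refusing inbound mail except from Google's servers via the receive connectors) and the Google-only inbound rule the last reply recommends, as an added Exchange Management Shell example that is not from this thread or from Microsoft or Google. The server name, connector names, LAN range and the two TEST-NET ranges standing in for Google's netblocks are assumptions; the real ranges come from the SPF records Google publishes (_netblocks.google.com and its siblings).

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on the
# single on-prem Exchange 2010 server. All names and ranges below are assumptions.
$Server    = "EXCH01"                  # assumption: the on-prem Hub Transport server
$GoogleCon = "$Server\Google Apps"     # assumption: the connector built for inbound Google mail
$LanRange  = "192.168.1.0/24"          # assumption: the internal LAN subnet

# Constructed placeholders (TEST-NET ranges). Replace with the netblocks listed in
# Google's SPF records: _netblocks.google.com, _netblocks2.google.com, _netblocks3.google.com.
$GoogleRanges = @("203.0.113.0/24", "198.51.100.0/24")

# 1. Inventory: which connectors on this server accept anonymous SMTP, and from where?
#    A connector with AnonymousUsers and RemoteIPRanges 0.0.0.0-255.255.255.255 is the
#    "direct to mail server" path that spammers use to skip the MX records entirely.
Get-ReceiveConnector -Server $Server |
    Where-Object { $_.PermissionGroups -match "AnonymousUsers" } |
    Format-Table Name, Bindings, RemoteIPRanges, PermissionGroups -AutoSize

# 2. Restrict the Google connector so only Google's relay ranges match it.
Set-ReceiveConnector -Identity $GoogleCon -RemoteIPRanges $GoogleRanges

# 3. Keep "Default" for LAN and Exchange-to-Exchange traffic only. Internal mail still
#    flows because the server itself is inside $LanRange; Internet hosts no longer match.
Set-ReceiveConnector -Identity "$Server\Default $Server" -RemoteIPRanges $LanRange

# 4. Verify: warn about any anonymous connector still open to the whole Internet.
Get-ReceiveConnector -Server $Server |
    Where-Object { ($_.PermissionGroups -match "AnonymousUsers") -and
                   ($_.RemoteIPRanges -match "0\.0\.0\.0-255\.255\.255\.255") } |
    ForEach-Object { Write-Warning "Still open to the Internet: $($_.Name)" }
```

Two connectors may share the 0.0.0.0:25 binding only while their RemoteIPRanges do not overlap, so keep the LAN range and the Google ranges disjoint; the port-25 firewall rule from the last reply remains the stronger control, and this connector change complements it rather than replacing it.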