Question: how do you handle mail coming in via relays

Unanswered Question
Jul 16th, 2007

I discovered a problem I'd like your opinions on.

Assume my external DNS entries look like

mydomain.com MX 10 mail.mydomain.com
mydomain.com MX 20 mail.myprovider.com

The first entry points to an Ironport, well protected. But the spammers know that, so they deliberately pick the second - the provider's sendmail. That accepts everything and tries to get it off to mail.mydomain.com. Of course, there will be a lot of unknown recipients, so the directory harvest protection kicks in and blocks. As a result, the queues fill up there with thousands of mails.

Now you could say: just drop all mail coming in that way. But of course I cannot. There might be the odd legitimate mail in there.

What now?

Option a) Accept all mail coming in from that host even if the recipient is invalid and drop it silently. Don't know how to do that. Apparently the listener cannot discriminate between connecting hosts.

Option b) get rid of that secondary MX. Won't help anyway, as it is always cluttered with junk.

Option c) host your own secondary MX. Ok if you have redundant connections as well. But not if you need a buffer for mails in case your connection is down.

Option d) pick a provider that offers Spam-protection. Well, what would I need the Ironport for then?

Share your thoughts. Give me a hint. Tell me the page in the manual I overlooked.

Cheers
Henrik

ironport99 Mon, 07/16/2007 - 16:58

Create a sender group under the Host Access Table to cover the IP range of your provider's mail servers and then apply a mailflow policy with the DHAP set to an unlimited number of invalid recipients (in effect turns off DHAP for your provider's servers). The HAT is processed in the email pipeline before the LDAP acceptance. Once you have set that up - I would configure incoming relays to recognise your provider's mail servers so that the "real" host sender SBRS information can be used to determine spam messages more accurately.
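
The idea behind the "incoming relays" step in the reply above, as an added example that is not part of the thread and not IronPort's own logic: when the SMTP peer is a known provider relay, the address worth scoring is the first hop outside the relay range in the Received chain. The relay range, sample message and function names are assumptions, and the headers are assumed to use the sendmail-style "from helo (rdns [ip])" layout.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: the provider's secondary-MX hosts sit in this range
# (RFC 5737 documentation addresses, constructed for the example).
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.0/28")]
BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

# Constructed message as it arrives from the provider's relay. The second
# Received line was supplied by the sender and must not be believed.
SAMPLE = """\
Received: from [198.51.100.1] (unknown [203.0.113.77])
    by mail.myprovider.com with ESMTP id abc123; Mon, 16 Jul 2007 10:00:00 +0200
Received: from mail.bank.example (mail.bank.example [198.51.100.1])
    by bot.example.net with SMTP; Mon, 16 Jul 2007 09:59:00 +0200
From: a@example.net
To: nobody@mydomain.com
Subject: constructed sample

body
"""

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_RELAYS)

def original_sender_ip(raw_message, connecting_ip):
    """IP to score for reputation, or None if it cannot be determined."""
    peer = ipaddress.ip_address(connecting_ip)
    if not is_trusted(peer):
        return str(peer)              # direct delivery: the SMTP peer is the sender
    for header in message_from_string(raw_message).get_all("Received", []):
        # Only the "from ..." clause names the previous hop.
        from_part = re.split(r"\s+by\s+", header, maxsplit=1)[0]
        # The HELO name is sender-controlled; the relay's own record of the
        # peer address is the last bracketed value in the clause.
        found = BRACKETED_IP.findall(from_part)
        if not found:
            return None               # unparseable hop: do not guess further down
        try:
            hop = ipaddress.ip_address(found[-1])
        except ValueError:
            return None
        if not is_trusted(hop):
            return str(hop)           # first hop outside our relays; stop here
    return None
```

Anything below the first untrusted hop was written by hosts outside your control, which is why the walk stops there instead of trusting the oldest Received line.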

hazetblue_ironport Tue, 07/17/2007 - 09:07

Do I get a chance to use the LDAP-query results nonetheless? Via a message-filter, maybe? Apparently not. But that is what I'd need. Let all messages from these provider hosts in, check the recipients and drop all to non-existing recipients silently.

Thanks
Henrik

ironport99 Tue, 07/17/2007 - 10:38

Henrik,

You will still be doing LDAP acceptance from your provider, just not stopping DHA. To achieve what you want the only way I can think is to move the LDAP acceptance to the work queue for your listener - or set up a separate listener that only your provider relays to that has LDAP acceptance in the work queue rather than the SMTP conversation.

hazetblue_ironport Tue, 07/17/2007 - 10:54

I feared that. Thanks nonetheless. I cannot set up a different listener, though. And I'd rather reject mail in the SMTP-dialogue. Would be nice if we had the result of the LDAP-query for a filter. Well, I'll try to find something else then.

Henrik

tminchin_ironport Wed, 07/18/2007 - 06:22

I'd just get rid of the secondary MX.

If your link goes down - there's not much difference between your provider collecting the mail and the originating mail server queuing it for you.

Getting rid of the secondary MX will also improve the performance of the ironport as you can use Senderbase more effectively.

Donald Nash Wed, 07/18/2007 - 22:19

Tminchin is right, just get rid of the secondary MX. It really doesn't do you any good. We did so years ago and have been much happier for it.

hazetblue_ironport Thu, 07/19/2007 - 10:54

That is what I was recommending in the first place. Thanks for supporting me there.

Cheers
Henrik
