MX Record Priority

Unanswered Question
May 24th, 2008

Hi, is it really necessary to create another MX record for the IronPort? The secondary MX record would be the mail server...

Any recommendations or best practices that you can offer?

thank you.

kira

steven_geerts Sat, 05/24/2008 - 14:40

Hello Kira,

If you are thinking of adding a second MX record that points to your main mail server, I would strongly advise you not to implement it like this.
Most spammers will not respect the priority you set in MX records. That means they will try to deliver their garbage to all hosts that are published. As a result, a lot of spam is delivered directly to your mail server, completely bypassing the nice anti-spam functions of your IronPort.

If you are worried about your continuity, you had better hire some bSMTP space somewhere on the internet. If you look around, this does not have to be too expensive. The bSMTP server will queue all your mail when your IronPort is not reachable for some reason and deliver it when your machine returns.
Please remember to add the bSMTP host(s) as an "Incoming relay" (on the network tab). This makes sure your SenderBase policies will be effective. The manual provides good info on how to do this and what's important to think about.

Good Luck!

Steven

bfayne_ironport Tue, 05/27/2008 - 03:39

Many people use a second MX record in conjunction with two IronPorts as a low-cost way of load-balancing two appliances. If you set a second MX with an equal cost that points to your second appliance, mail will tend to keep flowing even if one appliance fails.

You should not need a secondary MX that points to your backend mail server. All you need to do is define an SMTP Route pointing to your backend mail server for any domain that you receive mail for.

This will also allow you to use the IronPort to deliver outbound mail, so it can look up the correct MX for the destination.

Donald Nash Mon, 06/02/2008 - 22:57

If you currently have MX records pointing to your back-end mail server, then the spammers will remember that it exists and continue to attack it directly. You'll need to configure it to refuse inbound mail that isn't from your IronPort appliances.

karlyoun Tue, 06/03/2008 - 03:40
User Badges: Cisco Employee

I strongly agree with both of these comments. You want your IronPort at the perimeter, and allow no mail into your network that doesn't go through the IronPort.

An alternative to changing DNS is just to use your firewall to forward port 25 on your current MX to the IronPort. This way your internal server is no longer available to spammers and you don't have to wait for DNS to propagate.

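An added audit script, not posted by anyone in this thread, that checks a domain's published MX records against the advice given above (only the perimeter appliances should be published, two appliances should share one priority, and the back-end mail server should never appear). The hostnames and the dig-style output are constructed placeholders.

```python
import re

# Constructed sample in the shape `dig +short MX example.com` prints:
# "<priority> <exchange>." per line. Hostnames are placeholders, not real servers.
SAMPLE_DIG_OUTPUT = """\
10 ironport1.example.com.
10 ironport2.example.com.
20 mail.internal.example.com.
"""

# Assumed inventory: the appliances at the perimeter and the back-end server behind them.
PERIMETER_HOSTS = {"ironport1.example.com", "ironport2.example.com"}
BACKEND_HOSTS = {"mail.internal.example.com"}

MX_LINE = re.compile(r"^\s*(\d+)\s+(\S+?)\.?\s*$")


def parse_mx(text):
    """Return a list of (priority, hostname) tuples; the trailing dot is stripped."""
    records = []
    for line in text.splitlines():
        m = MX_LINE.match(line)
        if m:
            records.append((int(m.group(1)), m.group(2).lower()))
    return records


def audit_mx(records, perimeter, backend):
    """Return a list of findings for MX layouts the thread warns against."""
    findings = []
    published = {host for _, host in records}
    # A published back-end host is reachable by senders that ignore MX priority.
    for host in sorted(published & backend):
        findings.append(f"backend {host} is published as MX: mail can bypass the perimeter")
    # Anything that is neither a known appliance nor the known back-end needs explaining.
    for host in sorted(published - perimeter - backend):
        findings.append(f"unknown MX host {host}")
    # Two appliances only share the load if they are published at the same priority.
    prios = sorted({p for p, host in records if host in perimeter})
    if len(prios) > 1:
        findings.append(f"perimeter appliances have unequal priorities: {prios}")
    # With no appliance published, nothing filters inbound mail at all.
    if not published & perimeter:
        findings.append("no perimeter appliance is published as MX")
    return findings


if __name__ == "__main__":
    for finding in audit_mx(parse_mx(SAMPLE_DIG_OUTPUT), PERIMETER_HOSTS, BACKEND_HOSTS):
        print(finding)
```

On the constructed sample the script reports only the exposed back-end host, which is exactly the secondary MX the original question asked about.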
