Setting up new IronPort with Exchange 2007

Unanswered Question
Aug 7th, 2008

Hi,

I am currently setting up a new IronPort to scan all incoming mail from the internet and then forward it to an Exchange 2007 server for delivery. The question I have is related to spammers doing a dictionary attack against valid users in our domain.

Our current anti-spam server is based on MailScanner, and all users and valid addresses are controlled by the mail aliases. The aliases just forward a valid recipient to the Exchange server. Any attacks get shut down on this server.

On the IronPort, we would like to get away from maintaining users within the aliases file. This will remove another step in creating or deleting user accounts. What would be the preferred method for setting this up?

So far I have played with adding an SMTP route for the domain. My concern with that is: will the IronPort forward all messages regardless of whether the user is valid or not? I know that it does not know about the users. Should authentication take place on the IronPort with Active Directory, or is it better to let Exchange deal with the user dictionary attacks?

Thanks in advance.

kluu_ironport Thu, 08/07/2008 - 22:14

Great question! It's recommended that you use LDAP if you have a Domain Controller/Active Directory server available. The benefit is that the IronPort appliance won't need to do unnecessary anti-spam scanning for invalid recipients, and it will free up resources on your Exchange server.

Here's a good KB article to start with:

How do I configure my IronPort C-Series appliance to validate email addresses using Microsoft Active Directory (LDAP)?
http://tinyurl.com/hjsn4


Let me know if you have any questions.

jloehler_ironport Fri, 08/08/2008 - 08:46

If you have an Exchange 2007 server, you also have at least one domain controller (DC). Use LDAP and validate addresses against Active Directory.

fhardwick_ironport Fri, 08/08/2008 - 15:30

A couple of things I learned while implementing this:

1. If you have multiple domains, use TCP port 3268 instead of the standard LDAP port 389. This will direct the LDAP query to the Global Catalog service that has info from ALL domains in your forest.

2. We set up dedicated Global Catalog servers on isolated subnets so that these servers would only have to service requests from IronPort appliances, and not users/clients/Outlook.

This took a HUGE load off of our Exchange servers from not having to generate and handle NDRs.

dworth_ironport Fri, 08/08/2008 - 16:03

Our AD is running on the same box as our Exchange 2007. Will auth to LDAP reduce the load as opposed to letting mail go to the Exchange server, i.e. letting user authentication happen through the Exchange server?

I am guessing the LDAP transaction will be lighter.

Thanks

kluu_ironport Fri, 08/08/2008 - 16:20

Verifying if a recipient is valid or not earlier on in the scanning process will help with the overall mail flow on the IronPort system since it will not have to run through the Antispam and Antivirus processes for those invalid recipients.

Also, I think offloading the duty of verifying if the recipient is valid onto the IronPort appliance instead of having it done by the AD server is better. If you had a separate domain controller, that would be better too.

I think most folks are satisfied with configuring the IronPort appliance to take on that extra task and find it frees up resources on the Exchange server. You may want to run a test: don't enable LDAP on the IronPort appliance and somehow track how many invalid recipients are received and dropped by the Exchange server.
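To make kluu's point (reject invalid recipients before anti-spam/anti-virus scanning) and fhardwick's point (query the Global Catalog on 3268 in a multi-domain forest) concrete, here is an added Python simulation; it is my own code, not IronPort/AsyncOS code. It models a constructed two-domain forest, builds an AD-style accept filter with the recipient escaped per RFC 4515 (the appliance's actual default query is an assumption here, not taken from the thread), and triages a constructed batch of RCPT TO values to show which would be refused at the gateway and which a single-domain DC on port 389 would wrongly reject.

```python
# Constructed forest: each domain's DC only knows its own users, while the
# Global Catalog on port 3268 holds a partial replica of every domain.
FOREST = {
    "corp.example": [
        {"mail": "alice@example.com",
         "proxyAddresses": ["SMTP:alice@example.com", "smtp:a.smith@example.com"]},
    ],
    "sub.corp.example": [
        {"mail": "bob@example.com", "proxyAddresses": ["SMTP:bob@example.com"]},
    ],
}

# Constructed sample of RCPT TO values as seen during a dictionary-style probe.
PROBE = ["alice@example.com", "aaron@example.com", "admin@example.com",
         "bob@example.com", "a.smith@example.com", "abby@example.com"]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the recipient comes from an untrusted SMTP client,
    so it must not be able to alter the structure of the LDAP filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def accept_query(rcpt: str) -> str:
    """Filter in the AD style (mail or proxyAddresses); the appliance's
    exact default query is an assumption here, not taken from the thread."""
    a = escape_filter_value(rcpt)
    return f"(|(mail={a})(proxyAddresses=smtp:{a}))"


def directory_view(port: int) -> list:
    """389 = a single domain's DC; 3268 = Global Catalog spanning the forest."""
    if port == 3268:
        return [e for entries in FOREST.values() for e in entries]
    return FOREST["corp.example"]


def recipient_exists(rcpt: str, port: int = 3268) -> bool:
    """Evaluate the accept query; AD matches these attributes case-insensitively."""
    r = rcpt.lower()
    return any(e["mail"].lower() == r or
               any(p.lower() == f"smtp:{r}" for p in e["proxyAddresses"])
               for e in directory_view(port))


def triage_rcpts(rcpts: list, port: int = 3268) -> tuple:
    """Split a batch into (accepted, rejected): rejected addresses are refused
    at RCPT time, so they never reach AS/AV scanning or cause an NDR."""
    accepted = [r for r in rcpts if recipient_exists(r, port)]
    rejected = [r for r in rcpts if r not in accepted]
    return accepted, rejected
```

Running `triage_rcpts(PROBE, 389)` shows bob@example.com rejected because his entry lives in the other domain; the same batch against 3268 accepts him.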
