Co-Relay Issues

Unanswered Question
Dec 12th, 2008

While we have our IronPort mail box and are loving it, we've got an existing MX record (set higher for use as a backup) which sometimes receives mail, either due to the internet link the IP box is on being saturated or rejected due to SBRS, etc. It's set to send to the IP, but we're a little unsure how to set it up.

While we've got it set under Incoming Relays so that the IP can scan the headers to do some spam filtering, etc., where do we put it in the HAT? At the moment it's in a mail flow policy set as RELAY, with spam checking disabled.

Should antispam be enabled? Should the server even be entered in the HAT?

kluu_ironport Fri, 12/12/2008 - 17:43

Since the emails being passed from your second "relay server" to the IronPort appliance may still contain spam, you should probably set it to an ACCEPTED mail flow policy. You may want to create a specific one just for the relay server's IP/hostname so that you can have more control. And yes, you'll still want to run antispam/antivirus on mail that comes from the relay server.

Also, since you do have it in the "incoming relay" setting, you'll have the SBRS score of the true connecting host. I would recommend implementing a message filter to analyze the SBRS score and potentially drop low SBRS connections. Here is a summary of how to do this. Post back or contact Customer Support if you need help implementing this:


Since there is a portion of your mail that comes in behind the incoming
relay (i.e. Bigfish servers), the SBRS score of the "true mta" is not seen
since we only see the relay server.

So, to address this, we'll need to do two things. Number 1, enable
incoming relay and try and capture the sbrs score of the "true mta".
Number 2, once we obtain the SBRS score of the "true mta", apply a
blacklist sbrs score message filter that will drop the mail if the SBRS
score is below your threshold. (i.e. Blacklist drop between -10 and -3,
for example.)


1. How to identify what the Incoming Relay entry looks like in the
mail logs

Verifying IncomingRelay in the mail logs
http://tinyurl.com/38o9x5


2. How do I add a new message filter to my IronPort Appliance?

http://tinyurl.com/mg8kp

In your case, you will want to use a message filter like the following.

Enforce_blacklist_after_IncomingRelay:
if (reputation < -3)
{
    drop();
}


-Kevin
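
The two steps described in the post above, sketched as a simplified Python model. This is an added example, not part of the original thread and not IronPort's implementation. The relay address, the reputation table, the sample messages and the treatment of unscored hosts are all constructed assumptions.

```python
import re
from email import message_from_string

RELAY_IP = "192.0.2.10"   # assumed address of the backup MX (incoming relay)
THRESHOLD = -3.0          # same cut-off as the filter in the post
# Constructed reputation table standing in for an SBRS lookup.
SCORES = {"203.0.113.77": -6.2, "198.51.100.20": 4.1}
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sample(*received):
    """Build a constructed message; Received headers are given newest first."""
    head = ["Received: " + r for r in received]
    return "\n".join(head + ["From: a@sender.example", "Subject: test", "", "body"])


def true_mta_ip(raw_message, hop=1):
    """IP recorded in the hop-th Received header (1 = newest), or None."""
    headers = message_from_string(raw_message).get_all("Received") or []
    if len(headers) < hop:
        return None
    match = BRACKETED_IP.search(headers[hop - 1])
    return match.group(1) if match else None


def verdict(connecting_ip, raw_message):
    """Score the true MTA for relayed mail, the connecting peer otherwise."""
    # Headers are trusted only when our own relay handed the message over;
    # anything below the relay's header was written by the sender.
    ip = true_mta_ip(raw_message) if connecting_ip == RELAY_IP else connecting_ip
    score = SCORES.get(ip)  # None models a host with no score (assumption)
    if score is not None and score < THRESHOLD:
        return ("drop", ip, score)
    return ("deliver", ip, score)


RELAYED_SPAM = sample(
    "from mail.bad.example ([203.0.113.77]) by backup-mx.example.net",
    "from friendly.example ([198.51.100.20]) by mail.bad.example",  # forged
)
RELAYED_OK = sample("from mail.good.example ([198.51.100.20]) by backup-mx.example.net")

if __name__ == "__main__":
    print(verdict(RELAY_IP, RELAYED_SPAM))      # relayed, true MTA scored
    print(verdict(RELAY_IP, RELAYED_OK))
    print(verdict("203.0.113.77", RELAYED_OK))  # direct peer, headers ignored
```

The forged second header in `RELAYED_SPAM` has no effect because only the header written by the trusted relay is read, and a host that connects directly is scored on its own address whatever its headers claim.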

Donald Nash Mon, 12/15/2008 - 22:07

Kluu answered your question directly, but I've got a different angle entirely for you to consider.

I've found higher-weight MX records more trouble than they're worth, since spammers deliberately send to them with the expectation that the spam defenses there will be sub-par. We don't use them any more. But we also have multiple connections to the Internet via different providers, and a high availability mail server architecture, so we're much less likely to need them. But even still, the best place for your mail is either on the sender's server or your own. If the sending server has transient difficulties reaching you, then it'll just try again later.

If important mail is being blocked due to SBRS issues, then you can address that by adjusting your HAT. We have a sender group that doesn't do SBRS enforcement, and selectively put friendly hosts in that SG when they have SBRS problems.
