C160 as internal smtp relay

Andrew Collado
Level 1

Has anyone used the second NIC on a C160 as a relay for internal SMTP senders? Instead of pointing machines that need to use SMTP to our MS Exchange environment, we have been asked to consider using IronPort as our internal relay. We would like to use the rate limiting features to control some of our alerting services that have on occasion let loose 150,000 messages into our environment. Are there any gotchas or configuration issues I should be wary of?

Thanks,

Andy

Andreas Mueller
Level 4

Hello Andy,

I don't see any general problems with this setup of using the second NIC for relaying messages from the internal network to the Internet; it's actually quite common, I'd say. The only thing you may want to consider is whether you only want to allow specific hosts to connect and relay, or whole network segments. The latter comes with a big drawback: when a PC or server gets infected with malware it has direct access to send tons of spam outside the network, which will not only clog your IronPort and cause delays in mail delivery, but your SenderBase reputation will also be affected. So instead we recommend still limiting any relaying sender group to a few hosts, like the alerting servers you have been talking about, and letting the rest of the network still use your Exchange server. Also, as you already mentioned, it is a good idea to use throttling on your alerting servers to prevent the IronPort from getting flooded with alerts. A possible setup would be something like this:

- enable the second network interface

- enable a private listener on it

- put the Exchange server on the RELAYLIST of this private listener

- add a new mail flow policy (GUI: Mail Policies -> Mail Flow Policies -> Add Policy) to the private listener. Make sure the correct listener is selected, as there is a different set for each listener. In that new mail flow policy, set the connection behavior to "Relay", and adjust the settings to your requirements.

- add a new sender group to the HAT of that private listener (again, make sure the correct listener is selected first). Use the new relay mail flow policy you have just created, and add all the alerting servers to this sender group.

- Submit and commit

You may also add virus scanning and filters to the outbound mail policies of this appliance.

Hope that helps,

regards, Andreas
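To make the design point concrete (relay only for a short list of hosts, a per-host recipient cap on the alerting servers, everything else rejected), here is an added Python model of how a private listener's Host Access Table is evaluated. It is a constructed illustration, not the appliance's code and not part of Andreas' post: sender groups are checked top-down and the first match decides the mail flow policy, and the hourly cap plays the role of the policy's "Max. Recipients Per Hour" rate limit. All IP addresses, policy names and limits are assumed.

```python
import ipaddress
from collections import defaultdict

# Constructed model of an ESA private listener HAT. Names, addresses and
# limits below are assumptions chosen to illustrate the recommended setup.

class MailFlowPolicy:
    """Connection behaviour plus an optional per-host recipient rate limit."""
    def __init__(self, name, behavior, max_recipients_per_hour=None):
        self.name = name
        self.behavior = behavior  # "Relay", "Accept" or "Reject"
        self.max_recipients_per_hour = max_recipients_per_hour


class SenderGroup:
    """One HAT entry: hosts/networks bound to a single mail flow policy."""
    def __init__(self, name, members, policy):
        self.name = name
        self.networks = [ipaddress.ip_network(m, strict=False) for m in members]
        self.policy = policy

    def matches(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


class PrivateListener:
    """Evaluates sender groups in order and throttles per connecting host."""
    def __init__(self, sender_groups, default_policy):
        self.sender_groups = sender_groups
        self.default_policy = default_policy          # applied to the catch-all ALL group
        self.recipients_seen = defaultdict(list)      # ip -> [(timestamp, recipient_count)]

    def lookup(self, ip):
        for group in self.sender_groups:
            if group.matches(ip):
                return group.name, group.policy
        return "ALL", self.default_policy

    def accept_message(self, ip, recipient_count, now):
        """Return the listener's decision for a message with recipient_count recipients."""
        group, policy = self.lookup(ip)
        if policy.behavior != "Relay":
            # Internal host not on any relay list: relaying attempt is refused
            return {"group": group, "policy": policy.name, "result": "rejected"}
        # Keep only the last hour of accepted recipients for this host
        window = [(t, n) for t, n in self.recipients_seen[ip] if now - t < 3600]
        used = sum(n for _, n in window)
        limit = policy.max_recipients_per_hour
        if limit is not None and used + recipient_count > limit:
            self.recipients_seen[ip] = window
            # Real appliance answers with a 4xx temporary failure here
            return {"group": group, "policy": policy.name, "result": "throttled", "used": used}
        window.append((now, recipient_count))
        self.recipients_seen[ip] = window
        return {"group": group, "policy": policy.name, "result": "relayed", "used": used + recipient_count}


def build_listener():
    """Constructed HAT mirroring the suggested setup (all values assumed)."""
    relay_exchange = MailFlowPolicy("RELAYED", "Relay")                                   # no cap
    relay_alerting = MailFlowPolicy("RELAY_ALERTING", "Relay", max_recipients_per_hour=500)
    block = MailFlowPolicy("BLOCKED", "Reject")
    groups = [
        SenderGroup("RELAYLIST", ["10.0.0.10"], relay_exchange),          # assumed Exchange server
        SenderGroup("ALERTING_SERVERS", ["10.0.5.0/28"], relay_alerting),  # assumed monitoring hosts
    ]
    return PrivateListener(groups, default_policy=block)


def demo():
    """Walk a few constructed connections through the listener."""
    listener = build_listener()
    return [
        listener.accept_message("10.0.0.10", 2000, now=0)["result"],   # Exchange: relayed, uncapped
        listener.accept_message("10.0.5.3", 400, now=10)["result"],    # alerting host: relayed
        listener.accept_message("10.0.5.3", 400, now=20)["result"],    # would exceed 500/h: throttled
        listener.accept_message("10.0.5.3", 400, now=3700)["result"],  # hour window expired: relayed
        listener.accept_message("10.0.77.5", 1, now=30)["result"],     # any other LAN host: rejected
    ]


if __name__ == "__main__":
    print(demo())
```

The ordering matters: if a broad network segment were placed in a relay sender group above the alerting group, the per-host cap would never be reached for the alerting servers, and every workstation in that segment would relay unrestricted, which is exactly the malware-outbreak scenario described above.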

3 Replies

Awesome. I have my interface set up and we'll start testing this soon.

Thanks!

Andy

Andreas, we're deploying a pair of C370s with the M160. We get about 10 million messages a day. (Maybe 100K legit, the rest SPAM.)

How common is it for organizations with this amount of email volume to dual home their Ironports? For example, stick one leg (Data1) out onto the Untrusted network then the other port (Data2) in the Trusted LAN?

I'm trying to weigh security versus performance. I prefer to use only one interface and put it into a DMZ controlled by a firewall. However, I'm worried that one interface may not be enough for this load. Dual homing the Ironport will effectively bypass our firewall (just for SMTP of course), but if the Ironport is ever compromised, we would obviously have issues. Thoughts?
