While we have our Ironport mail box and are loving it, we've got an existing MX record (set higher for use as a backup) which sometimes receives mail, either due to the internet link the IP box is on being saturated or rejected due to SBRS, etc. It's set to send to the IP, but we're a little unsure how to set it up.
While we've got it set under Incoming Relays so that the IP can scan the headers to do some spam filtering, etc., where do we put it in the HAT? At the moment it's in a mail flow policy set as RELAY, with spam checking disabled.
Should antispam be enabled? Should the server even be entered in the HAT?
Since the emails being passed from your second "relay server" to the IronPort appliance may still contain spam, you should probably set it to an ACCEPTED mail flow policy. You may want to create a specific one just for the relay server's IP/hostname so that you can have more control. And yes, you'll still want to run antispam/antivirus on mail that comes from the relay server.
Also, since you do have it in the "incoming relay" setting, you'll have the SBRS score of the true connecting host. I would recommend implementing a message filter to analyze the SBRS score and potentially drop low SBRS connections. Here is a summary of how to do this. Post back or contact Customer Support if you need help implementing this:
Since there is a portion of your mail that comes in behind the incoming relay (i.e. Bigfish servers), the SBRS score of the "true MTA" is not seen since we only see the relay server.
So, to address this, we'll need to do two things. Number 1, enable incoming relay and try and capture the SBRS score of the "true MTA". Number 2, once we obtain the SBRS score of the "true MTA", apply a blacklist SBRS score message filter that will drop the mail if the SBRS score is below your threshold. (i.e. Blacklist drop between -10 and -3, for example.)
1. How to identify what the Incoming Relay entry looks like in the mail logs
Kluu answered your question directly, but I've got a different angle entirely for you to consider.
I've found higher-weight MX records more trouble than they're worth, since spammers deliberately send to them with the expectation that the spam defenses there will be sub-par. We don't use them any more. But we also have multiple connections to the Internet via different providers, and a high availability mail server architecture, so we're much less likely to need them. But even still, the best place for your mail is either on the sender's server or your own. If the sending server has transient difficulties reaching you, then it'll just try again later.
If important mail is being blocked due to SBRS issues, then you can address that by adjusting your HAT. We have a sender group that doesn't do SBRS enforcement, and selectively put friendly hosts in that SG when they have SBRS problems.