Greets. I have a question on MX Records. I'm 95% certain of the answer, I just want a sanity check.
Our email domain matches the hostname of our mail server, e.g., firstname.lastname@example.org is handled by our server mail.domain.com.
We have a C350 (ironport.domain.com) sitting in front of mail.domain.com, and the MX Records for mail.domain.com look like this:
0 ironport.domain.com
10 mail.domain.com
A lot of spam is being delivered to the lowest priority MX Record, bypassing ironport.domain.com.
Can I remove the "10 mail.domain.com" MX Record? I know a lot of MTAs will look for an A Record to deliver mail to if there are no MX Records for a domain.
But in this case, there are MX Records. If I remove the 10 priority, and for some reason the C350 is offline, will all mail to email@example.com bounce, or will MTAs try delivering to the A Record after the 0 priority MX Record?
If I understand what you are saying, both the Ironport and non-Ironport MTAs are listed in the MX record, 0 cost being the Ironport and 10 cost being the non-Ironport. Based on this, inbound connection attempts try the Ironport first and if they cannot connect then try the 10 cost "non-Ironport". Sounds like the spammers figured out they can't deliver to the Ironport because of Senderbase and are targeting the non-Ironport MTA.
Short answer is "Yes", you can remove the non-Ironport from the MX record. But I am not sure if I understand what you are trying to accomplish. If it is a 2-tier architecture (Ironport facing the internet "in front of mail.domain.com", e.g. using Ironport as your perimeter protection), I would remove mail.domain.com from the MX record and lock the non-Ironport down so it only delivers to/from the Ironport and to your internal domain. You can always enable multiple listeners on the C350 if you'd like. Are you looking to use the non-Ironport only if the Ironport is down hard, for whatever reason? I am not sure any MTA will try an A record if an MX record exists. Usually that is when NO MX exists.
Spammers will try every MX record they see. They'll also remember old MX records after you've removed them, and they'll use port probing to discover SMTP listeners for dictionary attacks. They're relentless. What we do with our mail server is refuse all SMTP connections that don't come from our IronPorts, so there is no "back door" for the spammers to exploit.
As for being totally dependent on your C350, don't sweat it. We've been totally dependent on our IronPorts for a few years now. They're at least as reliable as the mail server they're protecting. And in your case, if your C350 does go down, your inbound mail won't bounce. It'll be held in the mail queues of the servers which are trying to send you mail. You'll only start losing mail if you're down for longer than their queue retention times (usually at least 24 hours).
You could increase your reliability by having two C350s, both taking traffic. That way, if one goes down then the other will handle the whole load. That takes more money, of course.
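As an added illustration of the two points made in the replies above (the A-record fallback only applying when a domain has no MX records, and the lower-priority MX host acting as a filter bypass), here is a small Python model of how an RFC 5321 client walks MX records; it is not code from anyone in this thread. The dig-style answer is constructed to mirror this setup, and the gateway list passed to the audit is an assumption.

```python
import re
from collections import defaultdict

# Matches dig-style MX answer lines: name TTL IN MX preference host
MX_LINE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+MX\s+(?P<pref>\d+)\s+(?P<host>\S+)$")

def parse_mx_answer(text):
    """Parse dig-style MX answer lines into (preference, host) tuples."""
    records = []
    for line in text.splitlines():
        m = MX_LINE.match(line.strip())
        if m:
            records.append((int(m.group("pref")), m.group("host").rstrip(".").lower()))
    return records

def delivery_order(mx_records, a_record_host=None):
    """Hosts a compliant client tries, in order (RFC 5321 section 5.1).
    The A/AAAA fallback (implicit MX) applies only when the domain has no MX
    records at all; once MX records exist the client walks them by ascending
    preference and never falls back to the bare A record."""
    if not mx_records:
        return [a_record_host] if a_record_host else []
    by_pref = defaultdict(list)
    for pref, host in mx_records:
        by_pref[pref].append(host)
    order = []
    for pref in sorted(by_pref):
        # Equal-preference hosts are sorted for determinism; real MTAs randomize them.
        order.extend(sorted(by_pref[pref]))
    return order

def backdoor_mx_hosts(mx_records, gateways):
    """MX hosts other than the filtering gateway(s): mail sent there skips filtering."""
    gw = {g.lower() for g in gateways}
    return [host for _, host in mx_records if host not in gw]

def simulate(mx_records, reachable, a_record_host=None):
    """Host a sender connects to, given which hosts are up. None means every
    candidate was down: the sender queues and retries instead of bouncing."""
    for host in delivery_order(mx_records, a_record_host):
        if host in reachable:
            return host
    return None

# Constructed sample answer mirroring the thread's setup (not real DNS data)
SAMPLE_ANSWER = """\
domain.com.  3600  IN  MX  0   ironport.domain.com.
domain.com.  3600  IN  MX  10  mail.domain.com.
"""
```

Running `backdoor_mx_hosts(parse_mx_answer(SAMPLE_ANSWER), ["ironport.domain.com"])` lists mail.domain.com as the bypass, and `simulate([(0, "ironport.domain.com")], set(), a_record_host="mail.domain.com")` returns None, i.e. with only the gateway MX left and the gateway down, senders queue rather than trying the A record.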
I would never name one of my MX records as IronPort because it's a way of telling spammers "you won't go through here, please try the other MX record". If you want to have 2 MX records, name one mail.domain.com and the second one mail1.domain.com. Still, as mentioned before, spammers might send spam to any MX record they see.