Cisco Support Community

Question: how do you handle mail coming in via relays

I discovered a problem I'd like your opinions on.

Assume my external DNS entries look like

mydomain.com MX 10 mail.mydomain.com
mydomain.com MX 20 mail.myprovider.com

The first entry points to an Ironport, well protected. But the spammers know that, so they deliberately pick the second - the provider's sendmail. That accepts everything and tries to get it off to mail.mydomain.com. Of course, there will be a lot of unknown recipients, so the directory harvest protection kicks in and blocks. As a result, the queues fill up there with thousands of mails.

Now you could say: just drop all mail coming in that way. But of course I cannot. There might be the odd legitimate mail in there.

What now?

Option a) Accept all mail coming in from that host even if the recipient is invalid and drop it silently. Don't know how to do that. Apparently the listener cannot discriminate between connecting hosts.

Option b) get rid of that secondary MX. Won't help anyway, as it is always cluttered with junk.

Option c) host your own secondary MX. Ok if you have redundant connections as well. But not if you need a buffer for mails in case your connection is down.

Option d) pick a provider that offers Spam-protection. Well, what would I need the Ironport for then?

Share your thoughts. Give me a hint. Tell me the page in the manual I overlooked.

Cheers
Henrik

7 REPLIES
New Member

Re: Question: how do you handle mail coming in via relays

Create a sender group under the Host Access Table to cover the IP range of your provider's mail servers and then apply a mailflow policy with the DHAP set to an unlimited number of invalid recipients (in effect turns off DHAP for your provider's servers). The HAT is processed in the email pipeline before the LDAP acceptance. Once you have set that up - I would configure incoming relays to recognise your provider's mail servers so that the "real" host sender SBRS information can be used to determine spam messages more accurately.
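
The reply above recommends configuring incoming relays so that the reputation of the "real" sending host is used rather than that of the provider's server. As an added illustration (not part of the thread and not AsyncOS code or configuration), this Python example shows the underlying idea: walk the Received headers newest first and take the first hop that is not a trusted relay. The relay range `203.0.113.0/28`, the function name and the sample message are assumptions constructed for the example.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: address range of the provider's relays (documentation range).
TRUSTED_RELAYS = [ipaddress.ip_network("203.0.113.0/28")]

# Bracketed address literal recorded by the receiving MTA, e.g. [198.51.100.77]
_ADDR = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def real_sender_ip(raw_message, relays=TRUSTED_RELAYS):
    """Return the first hop that is not a trusted relay, or None if unknown.

    Received headers are read newest first. A header is believed only while
    every hop above it is a trusted relay; everything below the first
    untrusted hop was supplied by the sender and is ignored.
    """
    msg = message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        match = _ADDR.search(header)
        if not match:
            return None  # hop cannot be verified, stop trusting the chain
        try:
            hop = ipaddress.ip_address(match.group(1))
        except ValueError:
            return None
        if not any(hop in net for net in relays):
            return str(hop)
    return None  # no Received headers, or every hop was a trusted relay


# Constructed sample: mail that reached the gateway through the secondary MX.
# The last Received header stands for one the sender could have forged.
SAMPLE = """\
Received: from mail.myprovider.com (mail.myprovider.com [203.0.113.10])
\tby mail.mydomain.com with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from sender.example (unknown [198.51.100.77])
\tby mail.myprovider.com with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000
Received: from internal (localhost [192.0.2.1])
\tby sender.example; Mon, 1 Jan 2024 10:00:00 +0000
From: a@sender.example
To: user@mydomain.com
Subject: constructed sample

body
"""

if __name__ == "__main__":
    print(real_sender_ip(SAMPLE))
```

The address returned is the one to score for reputation; the provider's own address says nothing about who originated the message.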

Re: Question: how do you handle mail coming in via relays

Do I get a chance to use the LDAP-query results nonetheless? Via a message-filter, maybe? Apparently not. But that is what I'd need. Let all messages from these provider hosts in, check the recipients and drop all to non-existing recipients silently.

Thanks
Henrik

New Member

Re: Question: how do you handle mail coming in via relays

Henrik,

You will still be doing LDAP acceptance from your provider, just not stopping DHA. To achieve what you want the only way I can think of is to move the LDAP acceptance to the work queue for your listener - or set up a separate listener that only your provider relays to that has LDAP acceptance in the work queue rather than the SMTP conversation.

Re: Question: how do you handle mail coming in via relays

I feared that. Thanks nonetheless. I cannot set up a different listener, though. And I'd rather reject mail in the SMTP-dialogue. Would be nice if we had the result of the LDAP-query for a filter. Well, I'll try to find something else then.

Henrik

New Member

Re: Question: how do you handle mail coming in via relays

I'd just get rid of the secondary MX.

If your link goes down - there's not much difference between your provider collecting the mail and the originating mail server queuing it for you.

Getting rid of the secondary MX will also improve the performance of the ironport as you can use Senderbase more effectively.

New Member

Re: Question: how do you handle mail coming in via relays

Tminchin is right, just get rid of the secondary MX. It really doesn't do you any good. We did so years ago and have been much happier for it.

Re: Question: how do you handle mail coming in via relays

That is what I was recommending in the first place. Thanks for supporting me there.

Cheers
Henrik
