Roger Rustad said: > Why not just set in your firewall to only allow traffic and connections > from whatever relay you've set? > > I'm worried about all of these Exchange users, though. How do I make > sure that they can connect anywhere (cafe, cable modem, etc) and still > make sure that spammers don't send crap to exchange.domain.com?
This is a valid response for non-public mailers. If you have an MX record published then of course it needs to be open to all. However, if you wish to have a hands-off failover system you really need to have adequate MX records and any MX record needs to be backed up with a fully capable mail server that meets your business needs, functionally. Performance wise, it can be a slow system as SMTP is blissfully gentle with slow systems, but it does need to handle the crap the world is tossing your way. Your architecture needs to be built around acceptable system failures. In most cases the primary systems are sufficiently redundant that they can be your only MX records. From a business perspective, though, it means all your email eggs are in one basket and if that basket fails owing to a bankruptcy or other non-technical failure you are left explaining it to the boss. That's where your own systems come into play - if you outsource this critical service you need a hands-off recover for any failure of your primary. Failing that you need to keep your DNS TTL times quite short so you can redirect your MX records to your systems and have the world respond in a timely fashion. What you are facing is a classic trust scenario - if you don't support MX records with your own servers you are at the mercy of your mail service provider 100% + time to redirect MX records + TTL. On the other hand, if you publish MX records for your own systems you need to provide all anti-spam/anti-virus services your business requires because not everyone is honorable about selecting mail servers in the order you define - especially spammers. Kind of reminds me of a Dirty Harry movie - so punk; did I shoot five or six? Go ahead.... :) This is why it is hugely important to know exactly what you need and what your ESP can provide. In the best case the ESP is adequately redundant, solvent, and competent, so you can omit your own systems's MX records. Being a krusty old geek I'd not, but I also don't have to. That's the best position to be in. What does this buy you? Quite a bit, actually. Right now, for some businesses, up to 80% of all email is unwanted. Either spam or viruses, etc. An ESP can filter all this for you, well, a hell of a lot of it, at least, using expensive processes you don't have to replicate, nor train to learn. They distribute the costs across their customer base. Good return on economies of scale and all that. You get only the healty 20% of mail so your tech requirements are quite a bit less, and you don't spend a lot of time building inane regular expressions for SpamAssassin, et al, to get rid of the debris. Costs are quite a bit less for you - effectively fighting spam is not cheap if you are carrying the entire cost burden. And we haven't even talked about keep your domain off blacklists - that is a whole nuther off-topic. When you shop around, ask. You have a right to know. dp _______________________________________________ http://lurker.clamav.net/list/clamav-users.html
