Thanks Jason.
I would love to get rid of OL Express but it is a Legacy thing. I have promoted this beast because of my fears of viruses in the past. Now I have been so convincing that nobody will allow me to change their stance on internal mail and external mail.


--------------------------------------------------
From: "Jason Gurtz" <jasongu...@npumail.com>
Sent: Tuesday, October 27, 2009 3:14 PM
To: "MS-Exchange Admin Issues" <exchangelist@lyris.sunbelt-software.com>
Subject: RE: Weird problem

If you already have an email server (Exchange) and all the other necessary
items why not simplify and just (get rid of Outlook Express):

    Public IP                   Private IP
--------------------      ========================
Internet<-->ASA<-->Ironport<-->Exchange<-->Outlook
                     ^            ^
                     |            |
Mail Gateway --------+            |
(DNS MX record)                   |
                                  |
Mail Relay -----------------------+

Am I missing something?

The ASA will do PAT of port 25 to/from the Ironport (so public MX record
actually points to ASA public IP). Best practice would be to have the ASA
block port 25 to and from anything other than the Ironport (clients should
not ever send directly to the Internet); Exchange box will use Ironport as
the "smarthost."  Configure the Ironport to do LDAP lookups against a domain
controller to avoid delivery to non-existent users.  If you really want to
retain OL Express, enable POP/IMAP and point your OL Express at the
Exchange box.  At any rate, the Ironport is an SMTP relay only; you cannot
enable a client access protocol such as POP or IMAP on it.

Your Co. is paying a lot of money for the Ironport; utilize the support
resources to help you get the configuration done right.  There are many
small details involved, but thankfully most only have to be dealt with
once, when it's first set up.

~JasonG

-----Original Message-----
From: David W. McSpadden [mailto:dav...@imcu.com]
Sent: Tuesday, October 27, 2009 14:37
To: MS-Exchange Admin Issues
Cc: David McSpadden
Subject: Re: Weird problem

Would I set my internal dns to have pop.imcu.com and smtp.imcu.com point
to the smtp relay of the ironport?
That way when the outlook express accounts resolved their addresses they
would be forced to come through the ironport?
I can set up the ASA to funnel all port 25 and port 110 traffic to go
through the ironport?

Current:

/ Internet E-Mail\---------/ASA FireWall\-----------/Outlook Express\

Proposed:

/ Internet E-Mail\---------/ASA FireWall\-----------/Ironport\-----------/Outlook Express\


--------------------------------------------------
From: "Carl Houseman" <c.house...@gmail.com>
Sent: Tuesday, October 27, 2009 2:26 PM
To: "MS-Exchange Admin Issues" <exchangelist@lyris.sunbelt-software.com>
Subject: RE: Weird problem

> Usually, anti-spam devices that sit on the network edge talk SMTP, not
> POP, for inbound mail delivery.
>
> Check your Ironport spec sheet to be sure, or look in the configuration
> menus for setting up POP mail retrieval, and if you don't find that
> capability, you can't get there from here.
>
> Carl
>
> -----Original Message-----
> From: David W. McSpadden [mailto:dav...@imcu.com]
> Sent: Tuesday, October 27, 2009 1:54 PM
> To: MS-Exchange Admin Issues
> Subject: Weird problem
>
> I have Exchange 2003.
> We use it for internal email only.  We connect to it using Outlook 2003.
>
> I have a mail provider, mailanyone.net.
> We use it for external email only.  We connect to it using Outlook
> Express, pop.imcu.com and smtp.imcu.com.
>
> I have an ironport that sits on the edge of my network.
> Currently if I set up an smtp address in Outlook 2003 I can get my email
> sent out the ironport device from exchange.
> I can not get any mail into exchange through the ironport.
>
>
> I have a requirement to keep the two clients but send all the smtp and
> receive all the pop mail through the ironport.
> If that means relaying off of the exchange that is fine or not even using
> it is also fine.
>
> Does anyone know of a way to do this?
>
>
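
Jason Gurtz's advice in the thread above (the ASA should allow port 25 only to and from the Ironport) can be checked against firewall connection logs. The script below is an added example, not part of any message in the thread; the 10.0.0.0/8 range, every address, and the five-field log layout are constructed assumptions.

```python
import ipaddress

# Assumptions (not from the thread): hypothetical addresses and private range.
GATEWAY = ipaddress.ip_address("10.1.1.25")    # stands in for the Ironport
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
SMTP_PORT = 25

# Constructed sample log, one flow per line: action src sport dst dport
SAMPLE_LOG = """\
permit 10.1.1.10 49152 10.1.1.25 25
permit 10.1.1.25 40001 203.0.113.9 25
permit 203.0.113.50 33000 10.1.1.25 25
permit 10.1.1.77 50123 198.51.100.4 25
permit 203.0.113.50 33001 10.1.1.10 25
deny 10.1.1.78 50200 198.51.100.4 25
permit 10.1.1.77 50124 198.51.100.4 443
not a log line
"""

def classify(line):
    """Return a verdict for an SMTP flow, or None if the line is not one."""
    parts = line.split()
    if len(parts) != 5:
        return None
    action, src, _sport, dst, dport = parts
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        port = int(dport)
    except ValueError:
        return None                      # malformed address or port
    if port != SMTP_PORT:
        return None
    src_in, dst_in = src_ip in INTERNAL, dst_ip in INTERNAL
    if src_in == dst_in:
        return "internal"                # flow did not cross the perimeter
    inside_host = src_ip if src_in else dst_ip
    if inside_host == GATEWAY:
        return "via-gateway"             # the only SMTP path that should exist
    # Some other inside host talked SMTP with the Internet.
    return "bypass-permitted" if action == "permit" else "bypass-blocked"

def audit(log_text):
    """List (verdict, line) for every SMTP flow that went around the gateway."""
    findings = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict in ("bypass-permitted", "bypass-blocked"):
            findings.append((verdict, line))
    return findings

if __name__ == "__main__":
    for verdict, line in audit(SAMPLE_LOG):
        print(f"{verdict:17} {line}")
```

A "bypass-permitted" finding means a firewall rule is too wide; "bypass-blocked" means the rule held but an inside host is still trying to send mail directly.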