At 09:36 AM 12/27/99 -0500, Ng, Kenneth (US) wrote:
>The question I have in all this, why is it that Exchange does not retry
>sending the email with the other MX entries? I understand that Exchange
>sees a connection completed, and then a connection broken. At that point
>why doesn't Exchange try one of the higher MX entries? I have a Sun running
>sendmail behind a Raptor firewall and it sends email out to the internet
>just fine.
The Firewall-1 SMTP proxy (oops.. security server) is similar to the FWTK
smap/smapd pair. There's a daemon that receives the incoming mail which
dumps the message into a spooling directory (just like smap). A separate
despooling process processes the entries in the spool directory for
delivery (like smapd).
The problem with the SMTP security server is that it accepts the mail using
whatever the internal server sees as the first MX host. It records the
destination IP address of that mail host, which the delivery daemon
eventually uses to deliver the mail. The delivery agent doesn't use the
envelope to figure out where to deliver the message; it just tries the
address that the internal server originally tried.
smapd doesn't have this problem because it tosses delivery responsibility
to sendmail. The Firewall-1 security server is a simpler implementation
(it's self-contained with no reliance on an external delivery agent) and
thus arguably 'more secure' (whatever that means :-)
As far as the internal mail server is concerned, the delivery was
successful (they attempted to connect to the first MX for the domain; the
connection was successful and the message accepted.) The server has no idea
that the message hasn't really been delivered yet.
If you don't use the security server for outbound mail, there's no issue
for most folks - there's typically a single internal system that accepts
and routes incoming mail.
-Rick
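The delivery difference Rick describes, a despooler that reuses the recorded destination IP versus one that re-resolves the envelope domain and walks the MX list, modelled as an added example that is not part of the original thread; the domain, MX hosts and addresses are constructed for the demo, and `try_smtp` stands in for a real connection attempt.

```python
# Added example (not from the original thread): a small model of the
# delivery behaviour Rick describes. A "pinned" despooler delivers only to
# the IP the internal server originally connected to; an MX-aware despooler
# re-resolves the envelope domain and walks the MX list by preference.
# All hosts, addresses and MX records below are constructed for the demo.
from dataclasses import dataclass

# Constructed MX table: (preference, host, ip) for the recipient domain.
MX_TABLE = {
    "example.net": [
        (10, "mx1.example.net", "192.0.2.10"),
        (20, "mx2.example.net", "192.0.2.20"),
        (30, "mx3.example.net", "192.0.2.30"),
    ]
}

@dataclass
class SpoolEntry:
    """What the security server records when it accepts a message."""
    envelope_rcpt: str      # RCPT TO address from the SMTP envelope
    recorded_dst_ip: str    # IP the internal server was connecting to

def try_smtp(ip, reachable):
    """Stand-in for an SMTP connection: succeed only if the host is up."""
    return ip in reachable

def deliver_pinned(entry, reachable):
    """FW-1 style: reuse the recorded destination, no MX fallback."""
    if try_smtp(entry.recorded_dst_ip, reachable):
        return entry.recorded_dst_ip
    return None   # stays in the spool; the internal server thinks it was sent

def deliver_by_mx(entry, reachable):
    """smapd/sendmail style: resolve the envelope domain and try each MX."""
    domain = entry.envelope_rcpt.rsplit("@", 1)[1]
    for _pref, _host, ip in sorted(MX_TABLE.get(domain, [])):
        if try_smtp(ip, reachable):
            return ip
    return None

if __name__ == "__main__":
    msg = SpoolEntry("user@example.net", "192.0.2.10")
    up = {"192.0.2.20", "192.0.2.30"}           # primary MX is down
    print("pinned :", deliver_pinned(msg, up))  # None
    print("mx walk:", deliver_by_mx(msg, up))   # 192.0.2.20
```

With the primary MX unreachable, the pinned despooler never delivers while the MX-walking one lands on the next preference, which is the silent-queueing behaviour the thread is about.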