SA Gateway - MS Exchange -- what if MSE down?

2005-05-27 Thread Tony pace
we are looking to implement SA in our environment this best describes 
what we want to do.

[SPAM/HAM] --> [ SA GATEWAY] -> [MS EXCHANGE]
- system wide filtering - all user mailboxes
- postfix transport - MX SEC RECORD
- MX PRI record 

the question that was posed --- if  the MS Exchange is not accessible (network 
issue, down for maintenance) -- what happens to the email?


My best understanding is the email will be rejected as mail-server not 
available, as SA is a filter not an MTA and that Postfix is a check/forwarding 
agent (not store & forward).


Would I be correct in assuming, in the event that if MS Exchange was down, in 
order to store mail -- I would need to have a backup MTA with all the users 
mailboxes replicated?

Thanks,
Tony




RE: SA Gateway - MS Exchange -- what if MSE down?

2005-05-27 Thread Chris Santerre
Like Evan has stated, it just queues locally. Same for Sendmail installs. If
we are talking VERY high traffic, with 1000s of users, then you better have
more than one server. Or a big HD for the queue ;) 

--Chris 

-Original Message-
From: E. Falk [mailto:[EMAIL PROTECTED]
Sent: Friday, May 27, 2005 12:16 PM
To: spamassassin-users@incubator.apache.org
Subject: Re: SA Gateway - MS Exchange -- what if MSE down?


Hi Tony,

I have this same setup, and due to the nature of Exchange it seems to go 
down a lot more often than the postfix box. What happens is that Postfix 
queues the e-mail locally and delivers it when the Exchange box comes 
back up.

Works perfectly, no extra setup required. The mail just sits in 
Postfix's queue (note, it's useful to use Postfix's before-queue 
filtering in these cases so that all the Spamassassin work is done 
before it gets into the queue to avoid reprocessing the same messages 
later on if you requeue them).

Evan


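The relay-and-queue behaviour Evan describes is a matter of Postfix configuration rather than anything SpamAssassin does. The fragment below is an added example, not configuration from the thread or from the wiki linked later in it; the domain `example.com`, the host `exchange.internal.example.com` and the filter port 10024 are assumptions. It shows the three pieces that matter for the "Exchange is down" case: a transport map that delivers to Exchange by name (no MX needed), a queue lifetime sized to the outage you are willing to absorb, and before-queue filtering on the public smtpd only, so that mail that has already been spooled is not rescanned and the re-injection port cannot loop.

```text
# /etc/postfix/main.cf  (added example; domain and host names are assumptions)
# The gateway accepts mail for the Exchange domain and hands it on by
# transport map. If Exchange refuses the connection, the message lands in the
# deferred queue and is retried until maximal_queue_lifetime expires.
mydestination =
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport
# Recipient validation on the gateway (an ldap: table can replace the hash:
# file); without it, unknown-user mail sits in the queue and bounces later.
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Size these to the longest Exchange outage you will absorb; older mail is
# bounced back to the sender. The default is 5d.
maximal_queue_lifetime = 5d
bounce_queue_lifetime = 5d

# /etc/postfix/transport
# Brackets suppress the MX lookup, so Exchange needs no MX record at all and
# the gateway still reaches it by host name.
example.com    smtp:[exchange.internal.example.com]

# /etc/postfix/master.cf  (public smtpd only)
# Before-queue filtering: the SMTP session is proxied to the filter before
# Postfix accepts the message, so spam can be rejected in-session and a
# spooled message is never rescanned when Exchange comes back.
smtp      inet  n       -       n       -       20      smtpd
    -o smtpd_proxy_filter=127.0.0.1:10024
    -o smtpd_client_connection_count_limit=10
# Re-injection port used by the filter: no proxy filter here, or mail loops.
127.0.0.1:10025 inet n  -       n       -       -       smtpd
    -o smtpd_proxy_filter=
    -o smtpd_client_restrictions=permit_mynetworks,reject
```

Before-queue filtering holds the remote sender's SMTP session open while the filter works, so the process limit on the public smtpd (20 above) is also the cap on concurrent scans; size it, and the filter's own concurrency, together. Whichever filtering mode is used, the queue lifetime and the disk behind `/var/spool/postfix` are what decide how long an Exchange outage can last before mail starts bouncing.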


RE: SA Gateway - MS Exchange -- what if MSE down?

2005-05-27 Thread Kristopher Austin
Tony,

Your main question has already been answered, but I noticed something in
your proposed setup that concerns me.

You state in your diagram that you plan to have the MSE box as the
secondary MX record.  This would not be a good idea.  From experience,
we have seen that spammers try the secondary MX first in hopes of
finding a server that is not protected by a spam scanner.  This
obviously would not be what you want to happen.

Kris





Re: SA Gateway - MS Exchange -- what if MSE down?

2005-05-27 Thread E. Falk
Additionally, I was going to point you to a great How-To on setting up 
just such a system, but it looks like the wiki was taken over by spammers!


Here's a link to a clean version of the wiki...

http://flakshack.com/anti-spam/wiki/index.php?page=FairlySecureAntiSpamWikiversion=43

Explains the whole Postfix-Spamassassin-Exchange thing, using 
Amavisd-new to call Spamassassin (and anti-virus if you want it to).


And Chris is absolutely right... you want to carefully consider volume 
of traffic and amount of time you expect your Exchange server to be down 
before relying on just the Postfix queue. For a couple thousand messages 
a day I've never had a problem (even once when Exchange went down for 
nearly an entire weekend).


Evan





RE: SA Gateway - MS Exchange -- what if MSE down?

2005-05-27 Thread Matthew.van.Eerde
Kristopher Austin wrote:
> You state in your diagram that you plan to have the MSE box as the
> secondary MX record.  This would not be a good idea.  From experience,
> we have seen that spammers try the secondary MX first in hopes of
> finding a server that is not protected by a spam scanner.  This
> obviously would not be what you want to happen.

Bingo.  I have a similar setup in place (s/postfix/sendmail/) and I don't have 
my Exchange box listed as an MX at all.  I also have port 25 to the Exchange 
box firewalled off at the router to avoid portscanning.

I do allow remote users to send via the Exchange server, using SMTP AUTH, but 
I'd recommend using port 587 or port 2525 for this.

-- 
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg, 


Re: SA Gateway - MS Exchange -- what if MSE down?

2005-05-27 Thread David Brodbeck

Tony pace wrote:

> Thanks for all the input.
>
> The diagram was simplistic - the real MSE is a couple layers away.


One thing that no one has mentioned is that it's vitally important that 
the edge gateway (the postfix system) have a way of knowing what users 
are valid.  Otherwise you will end up with a lot of invalid user 
bounces caused by dictionary spammers, which will either linger in your 
queue or create backscatter spam.


At work, where I have Exim - Exchange 5.5, I have Exim do an LDAP 
lookup to determine whether a user is valid.  There are other ways to do 
it, though.

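David's point is that the edge gateway must refuse unknown recipients during the SMTP dialogue, so that a dictionary run against it produces 5xx rejections that the sending MTA owns, rather than queued mail that later bounces as backscatter. Postfix's own `relay_recipient_maps` (which can be backed by an `ldap:` table) is the simplest way to do that; when the lookup needs logic of its own, a Postfix SMTP access policy delegate is the hook. The following is an added example written for this thread, not code from the list or the linked wiki: a small policy server that speaks the Postfix policy delegation protocol and rejects recipients not found in a directory. The directory is a constructed in-memory set standing in for the LDAP lookup, and the domain, the addresses and port 10040 are assumptions.

```python
"""Postfix SMTP access policy delegate that rejects unknown recipients at RCPT TO.

Added example. The directory below is a constructed, in-memory stand-in for
the LDAP lookup described in the thread; a real deployment would query the
Exchange/AD directory and cache the answers.
"""
import socketserver

# Constructed sample directory (assumption: these are the only valid mailboxes).
VALID_RECIPIENTS = {
    "tony@example.com",
    "postmaster@example.com",
}
# Domains this gateway relays for (assumption).
RELAY_DOMAINS = {"example.com"}


def parse_policy_request(data: str) -> dict:
    """Parse one Postfix policy request: attr=value lines ended by a blank line."""
    attrs = {}
    for line in data.splitlines():
        if line == "":
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs


def decide(attrs: dict, directory=VALID_RECIPIENTS, domains=RELAY_DOMAINS) -> str:
    """Return the Postfix action for one RCPT TO.

    Only the recipient-exists decision is made here. Anything we do not
    understand, and every known recipient, gets DUNNO so the rest of the
    smtpd_recipient_restrictions chain still runs (never OK, which would
    short-circuit it).
    """
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("protocol_state", "").upper() != "RCPT":
        return "DUNNO"
    rcpt = attrs.get("recipient", "").strip().lower()
    _local, _at, domain = rcpt.rpartition("@")
    if domain not in domains:
        return "DUNNO"          # not one of our domains; other restrictions decide
    if rcpt in directory:
        return "DUNNO"          # known mailbox
    # Reject inside the SMTP session: the remote MTA carries the bounce,
    # nothing is queued, and the gateway generates no backscatter.
    return "550 5.1.1 Recipient address rejected: User unknown"


def handle_policy(data: str) -> str:
    """Full round trip: request text in, Postfix response text out."""
    return "action=%s\n\n" % decide(parse_policy_request(data))


class PolicyHandler(socketserver.StreamRequestHandler):
    """One Postfix connection; Postfix may send several requests on it."""

    def handle(self):
        while True:
            lines = []
            while True:
                raw = self.rfile.readline()
                if not raw:                      # EOF: Postfix closed the connection
                    return
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":                   # blank line ends one request
                    break
                lines.append(line)
            self.wfile.write(handle_policy("\n".join(lines) + "\n\n").encode("utf-8"))
            self.wfile.flush()


if __name__ == "__main__":
    # Assumption: Postfix points at this port with
    #   check_policy_service inet:127.0.0.1:10040
    # in smtpd_recipient_restrictions, after reject_unauth_destination.
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

Place the `check_policy_service` entry after `reject_unauth_destination`, so the gateway never consults the directory for domains it does not relay for, and keep the response for known recipients at DUNNO rather than OK, so later restrictions (RBLs, the before-queue filter) still apply. If the directory is unreachable, returning `DEFER_IF_PERMIT 4.3.0 Directory unavailable` from `decide` is the safe failure mode: the sender retries instead of the gateway accepting mail it cannot vouch for.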

Re: SA Gateway - MS Exchange -- what if MSE down?

2005-05-27 Thread David Brodbeck

Frank Coons wrote:

> Does Exim allow LDAP queries across a DMZ or do both machines need to
> be either inside or outside the DMZ for it to work? 

I've never tried it, but it's just a TCP connection.  As far as I know 
it should work, as long as the firewall is not blocking the connection.

> I use the same method, but my Perl script will not send LDAP queries
> back and forth across a DMZ even if I have opened up every port.

Are you sure the LDAP server doesn't have some kind of restriction set 
on what IP addresses are allowed to connect?


Re: SA Gateway - MS Exchange -- what if MSE down?

2005-05-27 Thread Jim Maul

David Brodbeck wrote:

> Frank Coons wrote:
>
> > Does Exim allow LDAP queries across a DMZ or do both machines need to
> > be either inside or outside the DMZ for it to work? 

Exim (and anything else) shouldn't care if one machine is in the DMZ. 
They don't both need to be in the DMZ to work.  However, DMZ is a one way 
setup.  Machines in the DMZ can not access anything behind or in front 
of the firewall, but machines behind the firewall should be able to 
contact the machine in the DMZ.  It really depends on the setup of the 
firewall device.

> I've never tried it, but it's just a TCP connection.  As far as I know 
> it should work, as long as the firewall is not blocking the connection.
>
> > I use the same method, but my Perl script will not send LDAP queries
> > back and forth across a DMZ even if I have opened up every port.

Back and forth may not work for reasons explained above.  However if the 
internal (behind the firewall) machine opens a connection to the DMZ 
machine, data should be able to flow back and forth over that 
connection.  However the DMZ machine will not be able to open a 
connection to anything else.

> Are you sure the LDAP server doesn't have some kind of restriction set 
> on what IP addresses are allowed to connect?

-Jim


Re: SA Gateway - MS Exchange -- what if MSE down?

2005-05-27 Thread Steven Dickenson

[EMAIL PROTECTED] wrote:

> Bingo.  I have a similar setup in place (s/postfix/sendmail/) and I
> don't have my Exchange box listed as an MX at all.  I also have port
> 25 to the Exchange box firewalled off at the router to avoid
> portscanning.


Not a good idea, IMHO.  What happens if your SA gateway goes down for 
the count, and you're not around to fix it?  In our case, I've 
documented how to change the firewall rules to allow direct connections 
to our internal Exchange server should the SA box go down.  That way if 
I'm out of town for a week, my desktop tech makes the change and email 
continues to flow.  Listing your Exchange box as a higher-cost MX 
doesn't really hurt anything, especially since you've firewalled your 
Exchange server (as any good admin should do).


Additionally, if you ever need to send directly from your Exchange 
server, not having an MX associated with that machine *can* cause your 
mail to look spammy to certain hard-line sites.


- S


RE: SA Gateway - MS Exchange -- what if MSE down?

2005-05-27 Thread Matthew.van.Eerde
Steven Dickenson wrote:
> [EMAIL PROTECTED] wrote:
> > Bingo.  I have a similar setup in place (s/postfix/sendmail/) and I
> > don't have my Exchange box listed as an MX at all.  I also have port
> > 25 to the Exchange box firewalled off at the router to avoid
> > portscanning.
> 
> Not a good idea, IMHO.  What happens if your SA gateway goes down for
> the count, and you're not around to fix it?

Hmmm... well, I have two of them, and they're linked in parallel.  If one of 
them dies, I'm still OK.  A bad automatic software update could take both of 
them down, it's true... but that's a risk I am willing to take.

> Additionally, if you ever need to send directly from your Exchange
> server, not having an MX associated with that machine *can* cause your
> mail to look spammy to certain hard-line sites.

Actually, Exchange server DOES send mail, 24/7.  It's covered by my SPF record.

Any recipient server that considers my mail spammy because I don't list an 
outgoing mail server as an MX is misconfigured.  But I haven't had a problem... 
as far as I know.

-- 
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg,