Re: SMTP lockdown, MessageLabs



Create a destination set with the MessageLabs IPs. On your mail server publishing rule, *listen to requests only from* this destination set (instead of External).

--
Shijaz Abdulla
MVP, MCSE:Security, CCNA

Articles: www.shijaz.com/isaserver
Forums: www.tech-links.org

"If the only tool you have is a hammer, every problem begins to look like a nail."

"JosephV" <JosephV@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:3985DFE1-2A61-458F-9ECA-2F92CBCB3D7D@xxxxxxxxxxxxxxxx
Sorry I wasn't clear. MessageLabs is a third-party vendor on the Internet
that handles spam and antivirus filtering then passes the email to us. The
problem is some spammers avoid sending email through them and send email
directly to our ISA Server using its external IP address. The ISA Server
receives email from MessageLabs and from everywhere else. I would like to
configure our ISA Server to accept SMTP email only from the MessageLabs IPs
and reject other email requests and also maintain RPC over HTTP for Outlook
too.

"Phillip Windell" wrote:

So the MessageLabs thing is a "box"?

If yes,...you have two options

Option #1
The MessageLabs box needs to be multihomed and it needs to be positioned
side-by-side with the ISA so that the two operate independently of each
other.

Then the MessageLabs box will be configured to directly use the internet and
*not* be an ISA client of any type.

The Exchange machine needs to be configured (in Exchange itself) to use the
MessageLabs software as a "SMTP smart host" and all outbound mail will have
to be sent to the "smart host". Then the "smart host" (MessageLabs) will
have to be properly configured to process the messages and send them out to
their destinations. If this is not done properly, the Exchange box will
send directly to the Internet and the path will end up being the ISA server
and hence your source IP# for outbound mail won't match the DNS MX record
which is the MessageLabs box.

Option #2
The MessageLabs box will have only one nic and will sit behind the ISA. The
ISA will have its smtp mail publishing rule set to the MessageLabs box,
*not* the Exchange box. Your DNS MX records need to point to the *primary*
external IP# on the ISA Server. The Exchange Server can then, while
operating as an ISA SecureNAT Client, send mail direct to the Internet
without involving the MessageLabs box for the outbound mail. But if you
want outbound mail filtered as well, then the MessageLabs box will have to
be set up as a "smart host" like I mentioned in #1 and the Exchange will have
to be reconfigured to use it, also as in #1.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of
my employer or anyone else associated with me.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------



"JosephV" <JosephV@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EEB7F32A-5A5E-4C91-AC4B-D34BF7705CD4@xxxxxxxxxxxxxxxx
> Systems: ISA Server 2004 & Exchange 2003. All email is supposed to pass
> through MessageLabs before getting to our ISA Server and to the Exchange
> Server. However, according to some headers from spam messages some spam
> email goes directly to our ISA Server. What do I have to configure
> specifically so that mail is ONLY received and sent only from MessageLabs?
> They already provided me with the IP ranges so I just need to know how to
> set ISA Server for this.
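
The header check described in the thread (spam arriving directly at the perimeter instead of through the filtering provider), as an added example that is not part of any post above. The provider ranges are RFC 5737 placeholders, and the internal range, host names and sample messages are constructed; it assumes the Exchange server records the original client IP in its own Received header.

```python
import email
import ipaddress
import re

# Placeholder ranges (RFC 5737 documentation blocks), NOT real provider IPs.
PROVIDER_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]
# Assumed internal relay range; hops stamped from here are skipped.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def _in_any(ip, nets):
    return any(ip in net for net in nets)

def edge_peer(raw_message):
    """Return the IP that connected to our perimeter, or None.

    Received headers are read top-down (newest first). Only the first
    non-internal hop is used: it was stamped by our own server, while
    anything below it is sender-supplied and can be forged.
    """
    msg = email.message_from_string(raw_message)
    for hop in msg.get_all("Received", []):
        # Unfold the header and keep only the "from ..." clause.
        from_part = " ".join(hop.split()).split(" by ", 1)[0]
        match = BRACKETED_IP.search(from_part)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:  # e.g. [999.1.1.1]
            continue
        if not _in_any(ip, INTERNAL_NETS):
            return ip
    return None

def classify(raw_message):
    peer = edge_peer(raw_message)
    if peer is None:
        return "unknown"
    return "via-provider" if _in_any(peer, PROVIDER_NETS) else "direct"

# Constructed sample messages. DIRECT carries a forged lower hop naming the provider.
FILTERED = ("Received: from mail1.filter.example ([192.0.2.25])\n\tby exch.corp.example;"
            " Mon, 1 Jan 2007 10:00:00 +0000\nReceived: from sender.example"
            " ([203.0.113.9]) by mail1.filter.example\nSubject: ok\n\nbody\n")
DIRECT = ("Received: from unknown ([203.0.113.77]) by exch.corp.example;"
          " Mon, 1 Jan 2007 10:05:00 +0000\nReceived: from mail1.filter.example"
          " ([192.0.2.25]) by relay.invalid\nSubject: spam\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("FILTERED", FILTERED), ("DIRECT", DIRECT)):
        print(name, edge_peer(raw), classify(raw))
```

Messages classified as "direct" after the publishing rule is restricted indicate the rule is not matching or another listener is still reachable.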



