Re: SMTP lockdown, MessageLabs
- From: JosephV <JosephV@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 3 Jan 2007 11:18:01 -0800
I'm guessing the steps are:
1) Create Destination Set
Firewall Policy > Toolbox > Network Objects > New > Network Set
2) Create A New Network & Create A New Network Set
Configuration > Networks
3) Create (or edit) Mail Server Publishing Rule
Firewall Policy > New > Mail Server Publishing Rule
Client Access: RPC, IMAP, POP3, SMTP > Standard & Secure ports > Internal
(mail) server IP address > Listen for requests from these networks (select
from new network created in steps 1 to 2 above)
"Shijaz Abdulla [MVP]" wrote:
Create a destination set with the MessageLabs IPs. On your mail server
publishing rule, *listen to requests only from* this destination set
(instead of External).
--
Shijaz Abdulla
MVP, MCSE:Security, CCNA
Articles: www.shijaz.com/isaserver
Forums: www.tech-links.org
"If the only tool you have is a hammer, every problem begins to look like a
nail."
"JosephV" <JosephV@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3985DFE1-2A61-458F-9ECA-2F92CBCB3D7D@xxxxxxxxxxxxxxxx
Sorry I wasn't clear. MessageLabs is a third-party vendor on the Internet
that handles spam and antivirus filtering then passes the email to us. The
problem is some spammers avoid sending email through them and send email
directly to our ISA Server using its external IP address. The ISA Server
receives email from MessageLabs and from everywhere else. I would like to
configure our ISA Server to accept SMTP email only from the MessageLabs IPs
and reject other email requests and also maintain RPC over HTTP for Outlook
too.
"Phillip Windell" wrote:
So the MessageLabs thing is a "box"?
If yes,...you have two options
Option #1
The MessageLabs box needs to be multihomed and it needs to be positioned
side-by-side with the ISA so that the two operate independently of each
other.
Then the MessageLabs box will be configured to directly use the internet and
*not* be an ISA client of any type.
The Exchange machine needs to be configured (in Exchange itself) to use the
MessageLabs software as a "SMTP smart host" and all outbound mail will have
to be sent to the "smart host". Then the "smart host" (MessageLabs) will
have to be properly configured to process the messages and send them out to
their destinations. If this is not done properly, the Exchange box will
send directly to the Internet and the path will end up being the ISA server
and hence your source IP# for outbound mail won't match the DNS MX record
which is the MessageLabs box.
Option #2
The MessageLabs box will have only one NIC and will sit behind the ISA. The
ISA will have its SMTP mail publishing rule set to the MessageLabs box,
*not* the Exchange box. Your DNS MX records need to point to the *primary*
external IP# on the ISA Server. The Exchange Server can then, while
operating as an ISA SecureNAT Client, send mail direct to the Internet
without involving the MessageLabs box for the outbound mail. But if you
want outbound mail filtered as well, then the MessageLabs box will have to
be set up as a "smart host" like I mentioned in #1 and the Exchange will have
to be reconfigured to use it, also as in #1.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
The views expressed are my own (as annoying as they are), and not those of
my employer or anyone else associated with me.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp
Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------
"JosephV" <JosephV@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EEB7F32A-5A5E-4C91-AC4B-D34BF7705CD4@xxxxxxxxxxxxxxxx
Systems: ISA Server 2004 & Exchange 2003. All email is supposed to pass
through MessageLabs before getting to our ISA Server and to the Exchange
Server. However, according to some headers from spam messages some spam
goes directly to our ISA Server. What do I have to configure specifically so
that mail is ONLY received and sent only from MessageLabs? They already
provided me with the IP ranges so I just need to know how to set ISA Server
for this.
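
Added example (not part of the original thread, and not code from any poster): a Python check for the symptom described above, mail whose headers show it reached the mail server without passing through the filtering service. It assumes the receiving server records the connecting peer's IP in brackets in its own Received header; the host name `mail.example.com`, the range `192.0.2.0/24` and both sample messages are constructed placeholders.

```python
import email
import ipaddress
import re

# Constructed placeholder (RFC 5737 documentation range); substitute the
# ranges supplied by the filtering provider.
FILTER_RANGES = [ipaddress.ip_network("192.0.2.0/24")]
OUR_HOST = "mail.example.com"  # hypothetical name our server writes after "by"

_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_BY = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)

def edge_peer_ip(raw, our_host=OUR_HOST):
    """IP that connected to our server, read from our own Received header.
    Hops below that header are written by the sender side and can be forged."""
    for hop in email.message_from_string(raw).get_all("Received", []):
        by = _BY.search(hop)
        if by and by.group(1).rstrip(";").lower() == our_host.lower():
            ip = _IP.search(hop[:by.start()])
            try:
                return ipaddress.ip_address(ip.group(1)) if ip else None
            except ValueError:  # bracketed text was not a valid IPv4 address
                return None
    return None

def bypassed_filter(raw, allowed=FILTER_RANGES):
    """True when the message did not arrive from one of the allowed ranges."""
    peer = edge_peer_ip(raw)
    return peer is None or not any(peer in net for net in allowed)

# Constructed sample messages, not taken from the thread.
VIA_FILTER = """\
Received: from relay.filter.example ([192.0.2.25])
 by mail.example.com with ESMTP; Wed, 3 Jan 2007 10:00:00 -0800
Received: from sender.example ([198.51.100.7])
 by relay.filter.example; Wed, 3 Jan 2007 09:59:58 -0800
Subject: routed through the filtering service
"""
DIRECT = """\
Received: from unknown ([203.0.113.50])
 by mail.example.com with SMTP; Wed, 3 Jan 2007 10:05:00 -0800
Received: from relay.filter.example ([192.0.2.25])
 by fake.example; Wed, 3 Jan 2007 10:04:00 -0800
Subject: delivered straight to the external IP
"""

if __name__ == "__main__":
    for name, raw in (("VIA_FILTER", VIA_FILTER), ("DIRECT", DIRECT)):
        print(name, edge_peer_ip(raw), "bypassed" if bypassed_filter(raw) else "ok")
```

Run against messages collected before and after the publishing rule is restricted, the count of bypassed messages should drop to zero once only the provider's ranges are accepted.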