I agree with Steve. Proper configuration requires that any server sending e-mail for your domain be listed in DNS, and have reverse PTR records as well. And, including this information for SPF use as well makes sense.
We run hosted filtering solutions that deliver the processed mail to corporate e-mail servers. The corporate servers are listed in DNS, with a lower priority (higher number). The only systems in the world allowed to reach port 25 on their server(s) from the outside is/are our filtering servers (blocked by firewall access list). That prevents any ability to 'go-around' the filter servers, but also ensures that the corporate servers are in DNS and available to the world in the event that the filter servers get kicked off line. The only thing that needs to be done to remedy the problem is to open the paths in the firewall...

--- Stephen Carter <[EMAIL PROTECTED]> wrote:

> >>>Daniel Bentley <[EMAIL PROTECTED]> 10/07/05 6:47 pm >>>
> >We're currently dealing with one of these at my work, a Barracuda 300
> >box. I'll have to say, it seems to be doing an okay filtering job for
> >spam it receives.
> >
> >-However-, I'm not sure how other boxes do things, but there's a flaw in
> >how this one's applied. Namely, you give the box an IP, and change the
> >MX record for your domain/s to point to the spam box. That's all fine
> >and dandy, -IF- the sending servers are honoring and sending according
> >to that MX record in DNS. If they're sending to an FQDN or straight IP,
> >it'll go straight to the email server anyways. So it's not exactly a
> >complete solution, so long as your email server still has an IP and a
> >connection to the 'net... We can play the IP and DNS shuffle, but so
> >long as we have records in DNS for SPF identification, the spammers will
> >be able to find out what machines in our domain are e-mail servers and
> >we'll be right at Step 1 again, with mail circumventing the Barracuda
> >box completely.
> >
> >YMMV (Your Model May Vary) of course, just some hands-on I've gotten
> >with one of these Barracuda boxes so far... I still think a more
> >optimal setup would be one that's truly 'in-line' for the mail server,
> >comparable to a traditional firewall. When looking at getting this box,
> >my manager kept reassuring me that it was in-line. Riiiiight... At
> >least it -does- help lighten the load on the mail server.
> >
>
> Daniel, it can easily be logically in-line. Disabling access to port 25 on
> your mail server to everything apart from the spam box and other trusted
> hosts/networks will stop strangers bypassing your spam box.
>
> Maybe it's something else, but from what you wrote, I can't see how it's
> any more complicated than that.
>
> SteveC
>
> _______________________________________________
> AMaViS-user mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/amavis-user
> AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
> AMaViS-HowTos:http://www.amavis.org/howto/
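
The port 25 restriction described in this thread, modelled as an added example that is not part of the original messages: a first-match access list is audited to confirm that only the filter servers can reach the corporate mail server. The addresses (documentation ranges), the rule format and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation address ranges, not from the thread).
FILTER_HOSTS = ["192.0.2.10", "192.0.2.11"]        # hosted filtering servers
OUTSIDE_PROBES = ["198.51.100.7", "203.0.113.99"]  # arbitrary Internet senders

# First-match access lists for traffic to the corporate mail server.
# Each rule: (action, source network, destination port).
WEAK_ACL = [
    ("permit", "0.0.0.0/0", 25),       # anyone who knows the IP can deliver
]
STRICT_ACL = [
    ("permit", "192.0.2.10/32", 25),   # filter server 1
    ("permit", "192.0.2.11/32", 25),   # filter server 2
    ("deny",   "0.0.0.0/0", 25),       # everyone else, even if they know the IP
]

def permits(acl, src, port=25):
    """Return True if the first matching rule permits src -> port (default deny)."""
    addr = ipaddress.ip_address(src)
    for action, network, rule_port in acl:
        if rule_port == port and addr in ipaddress.ip_network(network):
            return action == "permit"
    return False

def audit(acl, filter_hosts, probes):
    """List findings: filter hosts that are blocked, outsiders that get through."""
    findings = []
    for host in filter_hosts:
        if not permits(acl, host):
            findings.append(f"BLOCKED filter host {host}: filtered mail cannot be delivered")
    for src in probes:
        if src not in filter_hosts and permits(acl, src):
            findings.append(f"BYPASS {src} reaches port 25 directly, skipping the filter")
    return findings

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("strict", STRICT_ACL)):
        print(name, audit(acl, FILTER_HOSTS, OUTSIDE_PROBES) or "ok")
```

The strict list keeps the mail server published in DNS while the firewall, not the MX record, decides who may deliver to it.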
