Discussion about article on Configuring the ISA Firewall as an Inbound Filtering SMTP

Discussion about article on Configuring the ISA Firewal... - 21.Dec.2004 6:55:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article on Configuring the ISA Firewall as an Inbound Filtering SMTP Relay http://isaserver.org/articles/2004inboundsmtprelay.html.

Thanks!
Tom

[ December 21, 2004, 07:06 PM: Message edited by: tshinder ]
Post #: 1
RE: Discussion about article on Configuring the ISA Fir... - 22.Dec.2004 12:22:00 AM   
John McGivern

 

Posts: 9
Joined: 21.Dec.2004
Status: offline
Hi Tom,

Thanks for all your great articles on ISA. I'm a big newbie to ISA so I'm getting a lot out of them.

In the article you mention that the MX record should be the primary public IP address of ISA. Can I not just take the IP address in my MX record and put it on the external card as I will with all the other public IP addresses that need to route through my ISA firewall? That way, I don't have to wait for DNS propagation for my MX record. By "primary" I take it you mean the first IP address given to the card, which will appear in the properties page of the NIC's properties. If I'm wrong about the meaning of primary, please let me know. If that is the primary IP address, then why does it have to be that primary IP address?

Thanks again!

John McGivern

(in reply to tshinder)
Post #: 2
RE: Discussion about article on Configuring the ISA Fir... - 22.Dec.2004 2:33:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi John,

Good point. The reason that I mention the primary IP address is that outbound mail always goes out the primary IP address on the external interface. That is to say, the source IP address on outbound connections through the ISA firewall will always be from the primary IP address, regardless of the number of addresses bound to the external interface.

However, it is true that for just the Server Publishing Rule, you can use any of the addresses to listen for the incoming connection.

HTH,
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion about article on Configuring the ISA Fir... - 22.Dec.2004 3:08:00 PM   
Coninck

 

Posts: 7
Joined: 28.May2001
From: Amsterdam, Netherlands
Status: offline
Hi Tom,

First of all, many thanks for the many great solutions you have provided us through the last couple of months in our upgrade to ISA 2004. I don't know what I would have done without your help. And I agree ISA 2004 rocks (and we aren't even using its full potential)!
I've applied what you wrote in the article and everything works fine. But like everybody these days we receive lots of spam mails addressed to randomnames@ourdomain.com. Because these users don't exist, the SMTP relay wants to send an NDR. Because the SMTP relay is not configured for outbound traffic, the queues get filled very fast. Maybe you don't want to send an NDR to spammers, but what to do with external clients that misspell email names? As they do not receive an NDR, they assume the mail has arrived. So I guess to solve this rapidly growing queue of NDRs I will have to configure the ISA firewall for outbound SMTP relay, or is there another solution? Many thanks in advance.
DrT

(in reply to tshinder)
Post #: 4
RE: Discussion about article on Configuring the ISA Fir... - 22.Dec.2004 3:54:00 PM   
John McGivern

 

Posts: 9
Joined: 21.Dec.2004
Status: offline
Hi Tom,

Thanks for the clarification on the primary IP address. However, on my soon-to-be-old firewall, I had the option of creating a bi-directional mapping for my mail servers so that the outbound traffic always looked like it came from its actual MX record. This helps a lot when you have a bunch of different mail servers behind your firewall (as we do) because it allows you to troubleshoot much more easily from outside the firewall by distinguishing mail servers by IP. Is there a way to make the traffic from the mail server look like it is coming from its MX record IP? In other words, can we do a bi-directional mapping with my mail servers?

thx

John

(in reply to tshinder)
Post #: 5
RE: Discussion about article on Configuring the ISA Fir... - 27.Dec.2004 6:15:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Coninck:
Hi Tom,

First of all, many thanks for the many great solutions you have provided us through the last couple of months in our upgrade to ISA 2004. I don't know what I would have done without your help. And I agree ISA 2004 rocks (and we aren't even using its full potential)!
I've applied what you wrote in the article and everything works fine. But like everybody these days we receive lots of spam mails addressed to randomnames@ourdomain.com. Because these users don't exist, the SMTP relay wants to send an NDR. Because the SMTP relay is not configured for outbound traffic, the queues get filled very fast. Maybe you don't want to send an NDR to spammers, but what to do with external clients that misspell email names? As they do not receive an NDR, they assume the mail has arrived. So I guess to solve this rapidly growing queue of NDRs I will have to configure the ISA firewall for outbound SMTP relay, or is there another solution? Many thanks in advance.
DrT

Hi Dre,

That is a very good question. Unfortunately, I can't think of a way that the ISA firewall's SMTP Message Screener could solve this problem. There might be a way to do this on the Exchange Server (or alternate mail server if you're not using Exchange), but I'd have to refer this to Exchange or other mail server experts to solve the problem. We could filter out the NDRs using the outbound SMTP filtering relay, but we'd have to be able to identify the unique components of the NDR to filter out those NDRs we don't want to allow outbound.

Check out my most recent article on how to configure the ISA firewall for outbound filtering SMTP relay.

HTH,
Tom

(in reply to tshinder)
Post #: 6
RE: Discussion about article on Configuring the ISA Fir... - 27.Dec.2004 6:17:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by John McGivern:
Hi Tom,

Thanks for the clarification on the primary IP address. However, on my soon-to-be-old firewall, I had the option of creating a bi-directional mapping for my mail servers so that the outbound traffic always looked like it came from its actual MX record. This helps a lot when you have a bunch of different mail servers behind your firewall (as we do) because it allows you to troubleshoot much more easily from outside the firewall by distinguishing mail servers by IP. Is there a way to make the traffic from the mail server look like it is coming from its MX record IP? In other words, can we do a bi-directional mapping with my mail servers?

thx

John

Hi John,

I know [Frown] This is a very popular request that I've heard over the last several years, where you could map host addresses on the Internal network to addresses on the external interface of the ISA firewall. You can even do this with the RRAS NAT service, but you can't do it with the ISA firewall's NAT.

If you had a public address DMZ and a route relationship between the DMZ and External, we could make that work.

HTH,
Tom

(in reply to tshinder)
Post #: 7
RE: Discussion about article on Configuring the ISA Fir... - 5.Jan.2005 4:49:00 AM   
Guest
Thomas,

If I configure an Inbound SMTP on a virtual SMTP server and I also configure an Outbound SMTP server on physically the same server using another virtual server bound to another TCP port (for example 24 or 26), does the message screener have any effect on the Outbound server?

I ask this because then I can have separate delivery options for inbound (more aggressive to the Exchange) and outbound to the Internet with more tries and delays.

Also, for those admins who don't want to give potential hackers any presents, I found a way to have a common greeting message in the IIS SMTP service. This is important because the default IIS SMTP values allow any potential hacker to see the version of your SMTP server using telnet. They could thereby conclude the OS, and use direct effective attacks on any known (unpatched) security issue.

cscript adsutil.vbs set smtpsvc/1/connectresponse "ESMTP"

You can find adsutil.vbs in the inetpub directory in the root of your system drive.

(in reply to tshinder)
  Post #: 8
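A check a defender would run after applying the adsutil.vbs change above, as an added example that is not part of the original post: it reads a relay's 220 greeting and reports whether it still names the product or a version. The hostname, port and sample banners are constructed, not taken from a real server.

```python
import re
import smtplib

# Constructed 220 greetings. "default" is modelled on the stock IIS SMTP
# service banner the post warns about; "hardened" is what the relay answers
# once connectresponse has been set to "ESMTP". Neither is a captured banner.
SAMPLE_BANNERS = {
    "default": ("220 relay.example.test Microsoft ESMTP MAIL Service, "
                "Version: 6.0.3790.1830 ready at  Thu, 6 Jan 2005 10:15:00 -0600"),
    "hardened": "220 relay.example.test ESMTP",
}

# Product names and "Version: x.y.z" strings give away the software and its
# patch level. "ESMTP" by itself is protocol vocabulary, so it is not flagged.
_PRODUCT_RE = re.compile(r"\b(?:Microsoft|Exchange|Sendmail|Postfix|Exim|qmail)\b", re.I)
_VERSION_RE = re.compile(r"\bVersion:?\s*\d+(?:\.\d+)+", re.I)


def banner_disclosures(banner: str) -> list:
    """Return the product and version fragments found in a 220 greeting (empty if none)."""
    found = []
    for pattern in (_PRODUCT_RE, _VERSION_RE):
        match = pattern.search(banner)
        if match:
            found.append(match.group(0))
    return found


def banner_is_minimal(banner: str) -> bool:
    """True when the greeting is a 220 reply that discloses neither product nor version."""
    return banner.startswith("220") and not banner_disclosures(banner)


def fetch_banner(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Read the live greeting from your own relay; host/port are placeholders to fill in."""
    with smtplib.SMTP(timeout=timeout) as smtp:
        code, msg = smtp.connect(host, port)
        return f"{code} {msg.decode(errors='replace')}"


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        verdict = "minimal" if banner_is_minimal(banner) else f"discloses {banner_disclosures(banner)}"
        print(f"{name}: {verdict}")
```

Run `banner_is_minimal(fetch_banner("your.relay.host"))` against the relay's external listener after the adsutil.vbs change to confirm the greeting no longer carries the Microsoft name or a build number.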
RE: Discussion about article on Configuring the ISA Fir... - 1.Feb.2005 7:41:00 PM   
jfigursky

 

Posts: 4
Joined: 7.Jan.2005
Status: offline
We are trying to configure our ISA server for SMTP relay and are receiving the following message: "ISA Server detected a single NIC configuration. Server publishing rules are not supported in a single NIC config". Any ideas? Thanks in advance.

(in reply to tshinder)
Post #: 9
RE: Discussion about article on Configuring the ISA Fir... - 11.Mar.2005 6:33:00 PM   
Guest
Tom,

Your article worked great, but I have one question in regards to open relays. I have tested my mail system for open relay, and spam messages are getting accepted, but then being placed in the DROP folder. I am worried that this may generate a lot of use, as it appears to the spammer that my SMTP gateway is accepting the relay. I am also worried about the storage space growing.

Is there a way to prevent this from happening? I am not sending the mail, but I am accepting the request.

Thanks.

(in reply to tshinder)
  Post #: 10
RE: Discussion about article on Configuring the ISA Fir... - 13.Mar.2005 3:26:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi C,

For inbound connections, only mail configured for your remote domains is accepted, including the spam. You can configure the SMTP Message Screener to delete the messages instead of storing them; then the drive won't fill up with spam files.

HTH,
Tom

(in reply to tshinder)
Post #: 11
RE: Discussion about article on Configuring the ISA Fir... - 16.Mar.2005 3:23:00 PM   
ptlinva

 

Posts: 21
Joined: 16.Mar.2005
From: Rhoadesville, VA
Status: offline
My configuration for setting up an Inbound SMTP Filtering server is a bit different. We run a small hosting company and ALL of our customers are remote (no local clients at all).

We have (2) production mail servers behind an ISA firewall. They are not Exchange boxes and users currently access their mail via POP3, IMAP, SMTP, and Web.

I'm setting up a separate machine as either a Message Screener or GFI MailSecurity/MailEssentials server to help alleviate the load that our current mail servers are carrying. I'll call this machine "IMF" from here on out.

I'm under the impression that with either product (MS or GFI) I will be setting up the SMTP service on an IIS 5.0/6.0 box. I'm familiar with the SMTP service so this is not a problem. I'm also assuming that I will have to add EVERY SINGLE DOMAIN that we receive mail for (around 1,000) to the SMTP service to prevent relay through the IMF Server. So far, so good...

I currently require SMTP authentication for my users (remote) to send outgoing mail.
Most users use the following setup within their POP clients...

Incoming Mail Server: mail.theirdomain.com
Outgoing Mail Server: mail.theirdomain.com

And the MX record points to the appropriate IP of their production mail server.

If I roll out an IMF Server, then I'll have to update the 'A' record FROM their current production mail server TO the IP of the new IMF Server.

However, my users would no longer be able to relay mail remotely (which is what they all do) as they don't have individual accounts on the IMF Server.

I believe this would cause authentication prompts to my customer base (from the IMF server) and my phone would start ringing like MAD. Am I correct here?

Finally, to my questions...

Q. Can ISA determine the difference between a remote client sending an email to their SMTP Server AS COMPARED to a remote mail server delivering a new message to our network using SMTP?

If yes, I could route SMTP client requests to their original mail server (to authenticate and send their mail) and other SMTP requests from remote mail servers to the IMF Server. If not, I'm thinking that I'll have to add every single user account (thousands) to the IMF box. BTW, our network is using stand-alone member servers (not an AD network).

Not all users have the ability to relay through their local ISP either, which rules out the possibility of closing down the relay feature for remote clients.

Q. I was also considering the possibility of keeping the users' 'A' record (which is mail.theirdomain.com) pointing to the production mail server and then just adding a new 'A' record that points to the IMF server and using that as the MX record.

However, I've heard that spammers circumvent that by sending directly to mail.somedomain.com without even looking at MX records or even skip the first MX record and send directly to the 2nd (or later record).

Ok, I'm beginning to ramble. If you hung with me this far, I really do appreciate it.

Any comments or suggestions you might have would be greatly appreciated.
Thanks in advance for your time and consideration.

Paul L.

(in reply to tshinder)
Post #: 12