SMTP, DMZ, Rev. lookup dilemma.



  • Hi All.

    I have a big problem on my SSG 520.

    The problem is that I can't use both a VIP to forward SMTP to my SMTP spam scanner in my DMZ as well as using MIP or DIP for source-NATting to avoid a mismatch when remote SMTP servers do a reverse DNS lookup as a simple check for spam senders.

    The spam scanner (Barracuda) only supports incoming or outgoing scanning at any one time. Not both. Therefore I would like to make a VIP directing SMTP traffic to the IP of the Barracuda in the DMZ and a DIP to use for SMTP from our Exchange in the trust zone out to the untrust zone.

    There must be other people having the same problem as me, since spam scanners are almost impossible to live without.

    Any thoughts?

    Best Regards
    Martin



  • @Atom:

    Jon3: I had a feeling that this wasn’t an “RFC compliant solution” to filter out mail based on whether the MX and src IP match or not. But if I don’t make changes my users won’t be able to send mail to those “hand crafted silly SMTP servers” and this is unacceptable to them, and thereby me. So I have to come up with some solution for this. I have a few now I can use, but none of them seems possible or practical.

    [snip]

    I wouldn’t worry about those mail servers, as they won’t be able to get mail from other people whose MTA and MX services are segregated like, oh, say, Gmail, Hotmail, and Yahoo and nearly every large mail implementation around. One of the easiest ways to offload overloaded mail systems is to break out those two functions.

    😉



  • Just want to update you on this:

    We have a customer who’s using the Barracuda model 300 and I logged on to it to see if it sends mail in both directions. Though it isn’t enabled by default, you can use the relay feature, which makes it possible to send mail from clients to the internet through the Barracuda simultaneously with it scanning incoming mails. I also got a response from the Barracuda sales department saying this is possible.

    So this solved my problem.

    Thanks for your time and best regards
    Martin



    Glad to hear the Barracuda “most likely” can handle mail in both directions 🙂 If this is the case: problem solved.

    😄
    /oldO



    Oldo: As far as I can see in the administrator's guide there’s inbound or outbound/relay operation. But I’ll look into whether there’s a separate relay function I can use simultaneously with the inbound mode.

    This is what I would prefer, but if the Barracuda doesn’t support it, there’s nothing I can do. The nat-dst/nat-src is messing up the NAT loopback ability of the Juniper, which means users from our SMTP server can’t send mail to the small other SMTP server we are hosting for a separate company.

    Jon3: I had a feeling that this wasn’t an “RFC compliant solution” to filter out mail based on whether the MX and src IP match or not. But if I don’t make changes my users won’t be able to send mail to those “hand crafted silly SMTP servers” and this is unacceptable to them, and thereby me. So I have to come up with some solution for this. I have a few now I can use, but none of them seems possible or practical.

    I would prefer if the Barracuda actually had some simple relay built in that doesn’t necessarily scan outgoing mails but at least relays them and scans incoming mail.

    Thank you all for your time. This is a great forum.
    Best Regards

    edit
    I found some more info on the Barracuda being able to relay SMTP outbound while keeping inbound operation. Not much info on this, but I have sent a mail to Barracuda and am searching the forums for info. Just want to say thanks to you guys for putting me on the right track.
    /edit



    Mail does not need to come and go from the same IP. The MX record is only a reference to where mail should be delivered for a given domain; it doesn’t specify where mail for that domain is sourced from. SPF is an attempt to implement a form of MX records for mail senders.

    See RFC 821/2821. If there is a poorly configured mail system that is trying to count on sending mail servers having MX records (usually some hand-crafted silliness to try to block spam) then simply add an MX record with a far too high weight for the second address.
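    The distinction Jon3 draws, modelled as an added example (not code from the thread or from any vendor): a naive "the connecting IP must be one of the domain's MX hosts" check beside a minimal SPF evaluation, run over a constructed DNS table for a fictional domain whose inbound MX and outbound MTA are separate hosts, plus the high-preference extra MX workaround. The zone data and IPs are constructed; no network lookups are made.

```python
from copy import deepcopy
from ipaddress import ip_address, ip_network

# Constructed zone data (not real records) for a domain whose inbound MX and
# outbound MTA are separate hosts, the setup Jon3 describes as common.
DNS = {
    "example.net": {
        "MX": [(10, "mx.example.net")],
        "TXT": ["v=spf1 ip4:203.0.113.20 mx -all"],
    },
    "mx.example.net": {"A": ["203.0.113.10"]},   # receives mail (MX host)
    "out.example.net": {"A": ["203.0.113.20"]},  # sends mail (outbound MTA)
}

def mx_addresses(domain, dns=DNS):
    """Every A record behind every MX host of the domain."""
    addrs = set()
    for _pref, host in dns.get(domain, {}).get("MX", []):
        addrs.update(dns.get(host, {}).get("A", []))
    return addrs

def naive_mx_check(domain, sender_ip, dns=DNS):
    """The hand-rolled check from the thread: accept only if the connecting
    IP is one of the domain's MX hosts. RFC 2821 does not require this."""
    return sender_ip in mx_addresses(domain, dns)

def spf_check(domain, sender_ip, dns=DNS):
    """Tiny SPF evaluator: ip4:, mx and all, with +/-/~/? qualifiers.
    Returns pass, fail, softfail, neutral or none (no record published)."""
    verdict = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    ip = ip_address(sender_ip)
    for txt in dns.get(domain, {}).get("TXT", []):
        if not txt.startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            qual = term[0] if term[0] in "+-~?" else "+"
            mech = term.lstrip("+-~?")
            if (mech == "all"
                    or mech.startswith("ip4:") and ip in ip_network(mech[4:], strict=False)
                    or mech == "mx" and sender_ip in mx_addresses(domain, dns)):
                return verdict[qual]
        return "neutral"  # record ran out of mechanisms without an 'all'
    return "none"

def with_extra_mx(dns=DNS, domain="example.net", host="out.example.net", pref=100):
    """Jon3's workaround: publish the outbound MTA as an MX with a very high
    preference value, so it is tried last but satisfies the naive check."""
    patched = deepcopy(dns)
    patched[domain]["MX"].append((pref, host))
    return patched
```

    The outbound MTA (203.0.113.20) fails the naive check but passes SPF; after the workaround it passes the naive check too, while the original table is left untouched.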



    First off, I’ve worked with a few anti-spam/anti-virus gateways, but never ran across one that could only route mail in one direction (at a time)… Are you sure the Barracuda only supports mail flows in one direction?? I took a glance at the Barracuda Quick-start guide:

    (Step 10) Important Items
    • Do not try to route outgoing email through the Barracuda Spam Firewall
    unless you have configured Relay operation or are using the Barracuda
    Spam Firewall in Outbound Mode.

    From what I understand you can route mail through it as long as you configure it to relay? (Really sounds to me like it should work.) In other words you should be able to route all incoming and outgoing mail through your gateway (and that’s the way I’d do it in most cases).

    Now, if you don’t want to for some reason, then go for a nat-dst/nat-src.



    Because the whole point of this is that SMTP traffic has to come from and go to the same public IP. If I create separate MIPs these will have to be on 2 different IPs.

    The reason I want it to be the same IP is that some outside SMTP server checks to see if the MX record IP is the same as the one I send mail from…

    I can’t believe Juniper SSGs can’t do this…

    The only fix I can see now is to change my MX record to use the one IP of my public interface and just use VIP to forward SMTP to the right SMTP scanner on the inside.

    I have also tried making a MIP for my SMTP server and then forcing SMTP traffic to my SMTP scanner by making a route on my MX record pub. IP to my SMTP scanner and then making a policy with dst NAT on SMTP traffic to the same SMTP scanner. This will do the job BUT… Sadly I have another SMTP server which we host for a customer, and when that tries to send mail to our SMTP server it fails since the dst NAT messes up the NAT loopback feature of the SSG. Arrgh, this is annoying.

    I would love to love the SSG as much as I did before I ran into this problem, but I just can’t.

    Btw. My reseller isn’t helping me out here, can anyone tell me if I can start a case directly at Juniper regarding this issue?



  • Why not just use a different MIP for both?



  • #1
    Thanks for your reply.

    MIP won’t work since the email is supposed to be NATted from untrust to DMZ to, let’s say, 1.1.1.1, but when I’m sending mail out it’s coming from my Exchange in the trust zone, for example IP 2.2.2.2.



    The simple answer would be to use a MIP instead of a VIP. Then it will source from the same NAT you’re doing the inbound on.

