Best Practices regarding IronPort with ISP redundancy

Kevin Marcan
Level 4

Hello!

I am currently working through an issue with outbound email, and was curious what solutions are out there.

Basically, we have IronPort behind an ASA relaying email. The ASA has 2 ISPs used for redundancy purposes.

ISP1 --> mail.example.com
ISP2 --> mail2.example.com

MX records --> pref 10 mail.example.com
           --> pref 20 mail2.example.com

IronPort interface hostname --> mail.example.com

When the main ISP is up, everything is happy.

IronPort's interface is configured with the hostname mail.example.com, which, in turn, is populated into the SMTP banner. Reverse DNS checks of course pass.

The issue is if ISP1 fails and email starts getting sent out ISP2 (mail2.example.com): IronPort still populates the SMTP banner with mail.example.com, resulting in reverse DNS checks failing.

My 2 questions are basically:

1) Is there a solution to deal with this? Have IronPort send out mail2.example.com in the event of a failure?

2) If no, does this even matter? Obviously it's undesirable, but according to the RFC, email servers should not actually be blocking email based on this fact.

Thanks in advance!
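The failure the question describes is worth separating into two checks that receiving MTAs commonly apply: forward-confirmed reverse DNS on the connecting IP (PTR of the IP resolves to a name whose A record points back at the IP), and consistency between that PTR name and the hostname the relay announces in its banner/HELO. The added example below (not code from the original post or from Cisco) models both checks against a constructed in-memory DNS table, so it runs offline; the IP addresses are hypothetical documentation-range values and the zone data is invented to mirror the post's setup. It shows that on the ISP2 path the IP itself still passes FCrDNS, and what breaks is only the banner-to-PTR match, which is the mismatch a strict receiver would log or penalise.

```python
"""Model the SMTP relay's egress path after an ISP failover and check
whether the announced banner hostname still agrees with reverse DNS.

Uses a constructed, in-memory DNS table (no network access) so the
scenario from the post can be reproduced offline."""

from dataclasses import dataclass, field
import ipaddress

# Constructed zone data. Addresses are from RFC 5737 documentation ranges
# and are assumptions for the example, not values from the post.
DNS = {
    "A": {
        "mail.example.com": ["198.51.100.25"],   # ISP1 path
        "mail2.example.com": ["203.0.113.25"],   # ISP2 path
    },
    "PTR": {
        "198.51.100.25": ["mail.example.com"],
        "203.0.113.25": ["mail2.example.com"],
    },
}


def lookup(rtype: str, name: str) -> list:
    """Return the records of the given type for a name/IP, or [] if none."""
    return DNS[rtype].get(name, [])


@dataclass
class EgressCheck:
    egress_ip: str
    banner_host: str
    ptr_names: list = field(default_factory=list)
    confirmed_names: list = field(default_factory=list)
    fcrdns_ok: bool = False       # some PTR name resolves back to egress_ip
    banner_matches: bool = False  # banner hostname is one of those names


def forward_confirmed_names(egress_ip: str) -> list:
    """PTR names of egress_ip whose A records point back at egress_ip."""
    ipaddress.ip_address(egress_ip)  # reject malformed input early
    return [n for n in lookup("PTR", egress_ip)
            if egress_ip in lookup("A", n)]


def check_egress(egress_ip: str, banner_host: str) -> EgressCheck:
    """Evaluate FCrDNS for egress_ip and whether banner_host is consistent
    with it, the way a receiving MTA would see the connection."""
    confirmed = forward_confirmed_names(egress_ip)
    banner = banner_host.lower().rstrip(".")
    return EgressCheck(
        egress_ip=egress_ip,
        banner_host=banner,
        ptr_names=lookup("PTR", egress_ip),
        confirmed_names=confirmed,
        fcrdns_ok=bool(confirmed),
        banner_matches=banner in {n.lower() for n in confirmed},
    )


def expected_banner(egress_ip: str):
    """Hostname the relay should announce on this egress path: the first
    forward-confirmed PTR name, or None if the path has no usable rDNS."""
    names = forward_confirmed_names(egress_ip)
    return names[0] if names else None


def failover_report(banner_host: str, egress_ips: list) -> dict:
    """Run the check for every candidate egress path with a fixed banner and
    return {egress_ip: (fcrdns_ok, banner_matches, expected_banner)}."""
    report = {}
    for ip in egress_ips:
        r = check_egress(ip, banner_host)
        report[ip] = (r.fcrdns_ok, r.banner_matches, expected_banner(ip))
    return report


if __name__ == "__main__":
    # Fixed banner mail.example.com, as in the post; both ISP paths tested.
    for ip, (ok, match, want) in failover_report(
            "mail.example.com", ["198.51.100.25", "203.0.113.25"]).items():
        print(f"{ip}: fcrdns={ok} banner_matches={match} should_announce={want}")
```

Running the block with the ISP1 address reports both checks passing; with the ISP2 address FCrDNS still passes but the banner check fails and `expected_banner` returns `mail2.example.com`, which is the value the relay would need to announce on that path.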

1 Reply

We do it by using one IP subnet for all of our public stuff and getting both ISPs to publish the BGP for it. That way the IP doesn't change depending on which ISP is carrying the traffic. We did this even when our subnet range was owned by one of the ISPs.