05-24-2008 12:04 PM
Hi, does it really need to create another MX record for IronPort? The secondary MX record would be the mail server...
Any recommendations or best practices that you can offer?
Thank you.
kira
05-24-2008 02:40 PM
Hello Kira,
If you think of adding a second MX record that points to your main mail server, I would strongly advise you not to implement it like this.
Most spammers will not respect the priority you set in MX records. That means they will try to deliver their garbage to all hosts that are published. As a result, a lot of spam is delivered directly to your mail server, completely bypassing the nice anti SPAM functions of your Ironport.
If you are worried about your continuity, you had better hire some bSMTP space somewhere on the internet. If you look around, this does not have to be too expensive. The bSMTP server will queue all your mail when your Ironport is not reachable for some reason and deliver it when your machine returns.
Please remember to add the bSMTP host(s) as an "Incoming relay" (on the network tab). This makes sure your Senderbase policies will be efficient. The manual provides good info on how to do this and what's important to think about.
Good Luck!
Steven
05-27-2008 03:39 AM
Many people use a second MX record in conjunction with two Ironports as a low-cost way of load-balancing two appliances. If you set a second MX with an equal cost that points to your second appliance, mail will tend to keep flowing even if one appliance fails.
You should not need a secondary MX that points to your backend mail server. All you need to do is define an SMTP Route pointing to your backend mail server for any domain that you receive mail for.
This will allow you to also use the Ironport to deliver outbound mail so it can look up the correct MX for the destination.
06-02-2008 10:57 PM
If you currently have MX records pointing to your back-end mail server, then the spammers will remember that it exists and continue to attack it directly. You'll need to configure it to refuse inbound mail that isn't from your IronPort appliances.
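The replies above come down to one check: every published MX target should be a filtering gateway, never the back-end mail server. The following is an added example, not part of the original thread or any Cisco tooling; the hostnames, the sample DNS answer and the gateway list are constructed placeholders.

```python
# Constructed sample in `dig +noall +answer MX` format; all names are placeholders.
SAMPLE_ANSWER = """\
example.com.  3600  IN  MX  10 ironport1.example.com.
example.com.  3600  IN  MX  10 ironport2.example.com.
example.com.  3600  IN  MX  20 mail.example.com.
"""

# Assumption: the only hosts that should ever appear as MX targets.
GATEWAYS = {"ironport1.example.com", "ironport2.example.com"}


def normalize(host):
    """Lower-case and drop the trailing root dot so names compare equal."""
    return host.rstrip(".").lower()


def parse_mx(answer):
    """Return [(preference, host)] from dig-style answer lines, skipping the rest."""
    records = []
    for line in answer.splitlines():
        fields = line.split(";", 1)[0].split()  # drop zone-file style comments
        if "MX" not in fields:
            continue
        i = fields.index("MX")
        if len(fields) < i + 3 or not fields[i + 1].isdigit():
            continue
        records.append((int(fields[i + 1]), normalize(fields[i + 2])))
    return sorted(records)


def audit(records, gateways):
    """Split MX targets into gateways and hosts that bypass filtering."""
    allowed = {normalize(g) for g in gateways}
    bypass = [(p, h) for p, h in records if h not in allowed]
    by_pref = {}
    for pref, host in records:
        if host in allowed:
            by_pref.setdefault(pref, []).append(host)
    # Gateways sharing one preference value receive mail in parallel.
    balanced = {p: hs for p, hs in by_pref.items() if len(hs) > 1}
    return {"bypass": bypass, "balanced": balanced}


if __name__ == "__main__":
    result = audit(parse_mx(SAMPLE_ANSWER), GATEWAYS)
    for pref, host in result["bypass"]:
        print(f"MX {pref} {host}: published but not a filtering gateway")
    for pref, hosts in result["balanced"].items():
        print(f"preference {pref}: equal-cost gateways {', '.join(hosts)}")
```

Removing a flagged record from DNS does not stop senders that already know the host, so the back-end server still has to refuse SMTP from anything other than the gateways.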
06-03-2008 03:40 AM
I strongly agree with both of these comments. You want your IronPort at the perimeter, and allow no mail into your network that doesn't go through the IronPort.
An alternative to changing DNS is just to use your firewall to forward port 25 on your current MX to the IronPort. This way your internal server is no longer available for spammers and you don't have to wait for DNS to propagate.