Messaging Gateway


New to Brightmail - cannot get out bound email to be delivered

  • 1.  New to Brightmail - cannot get out bound email to be delivered

    Posted Aug 22, 2010 09:21 PM
    Hi,

    We are trialling BMG to replace Trend Micro's IMSVA.

    Our email system is currently set up as follows:

    MX servers (which are our own development of sendmail)
           then onto
    IMSVA (Now testing BrightMail)
          Then onto
    Exchange

    Our MX servers do all the checking for IP spam, valid email address etc.  We basically want to catch viruses and other spam at the Brightmail gateway.

    I'm using my PC to send test emails

    So in my testing, any email to our domain is sent through to exchange fine

    However, when I switch the from/to addresses and the to address is an external email, Brightmail reports that the user is unknown.

    In the IMSVA configuration you set up a domain name and IP address for delivery, and as a catch-all for all other domains (i.e. external) you added '*', which we pointed to our MX servers as this handled delivery outbound.

    Does that all make sense?

    So the question is - where do I configure Brightmail to deliver emails to an external domain (i.e. gmail.com) to our MX server?


  • 2.  RE: New to Brightmail - cannot get out bound email to be delivered

    Posted Aug 23, 2010 12:09 PM

    Inbound:  Under protocols, domains, configure all your local (internal) domains and provide a delivery DNS name.
    Outbound:  Outbound mail should be talking to the OUTBOUND interface of the SBG. On each scanner config (admin/config/<scanner>/SMTP, Outbound Non-Local Mail Delivery), check Use MX (if you're at the edge), or specify the next outbound hop.


    I think long term you'll move the SBG in front of your Sendmail servers.  I do 6.8 M message per 97% get dropped during the initial IP connection by the IP reputation filters.


  • 3.  RE: New to Brightmail - cannot get out bound email to be delivered

    Broadcom Employee
    Posted Aug 23, 2010 04:13 PM

    Instead of having us hidden behind other servers, which incapacitates a lot of our features, you should consider the Symantec Brightmail Message Filter product, which integrates with sendmail: http://www.symantec.com/business/brightmail-message-filter


  • 4.  RE: New to Brightmail - cannot get out bound email to be delivered

    Posted Aug 23, 2010 07:15 PM
    Cricket 17,

    I have that all set up - however every time I send an email it says that the recipient (to my yahoo.com email address) user known.

    If I add a domain yahoo.com and point it to our next hop (which is at the edge) it gets delivered!

    Any other thoughts?


  • 5.  RE: New to Brightmail - cannot get out bound email to be delivered

    Broadcom Employee
    Posted Aug 23, 2010 07:17 PM

    You have it pointing to the Inbound IP still, the Outbound IP will not check LDAP and report User Unknown.


  • 6.  RE: New to Brightmail - cannot get out bound email to be delivered

    Posted Aug 23, 2010 07:27 PM
    I think the plan will be to trial the spam capabilities that get through our sendmail servers (that already do IP filtering, sender verification etc.) and if that goes well then move it to the edge... but for the moment... just want to see how it handles emails that get past all the usual checks.

    IMSVA 7.0 was hopeless at it - marking NDR as spam, legitimate emails as spam, and then passing other stuff as normal emails that were not spam.  Their previous version 5.7 was fantastic; we only switched to 7.0 due to end of life for 5.7.


  • 7.  RE: New to Brightmail - cannot get out bound email to be delivered

    Posted Aug 23, 2010 07:45 PM
    TSE -

    Just to be clear .. I go to Admin -> Config -> Click on the only scanner -> SMTP -> Outbound non-local mail delivery, and I've selected relay non-local mail to 10.20.2.11 (which is our MX server).

    Even if I change this to use MX lookup for non-local mail it fails, reporting unknown user.

    ?  Or are you referring to another location?

    Thanks for your help

    P.S. 10.20.2.11 (and 10.20.2.17), which have a DNS entry of esmtp.xxxx.com (internal domain), receive incoming and deal with outgoing mail, so maybe the configuration of these IP addresses elsewhere is confusing SBG?


  • 8.  RE: New to Brightmail - cannot get out bound email to be delivered

    Posted Aug 24, 2010 10:18 AM

    On the scanner config page,

    On the ethernet tab:  do you have two IP addresses configured?  (a VIP IP on the 1st i/f is ok)
    On the smtp tab,
       Have you selected "Inbound and outbound mail filtering" - Sorry, you do based on your response
       Have you specified an IP address for both the inbound mail IP address and the outbound mail address?
       Are you sending to the outbound mail IP address?





  • 9.  RE: New to Brightmail - cannot get out bound email to be delivered

    Posted Aug 24, 2010 06:33 PM
    Hi Cricket17


    I have configured only 1 IP address and that IP address has been selected for inbound and outbound.  I've also selected inbound and outbound mail filtering.

    I cannot separate the two functions to two different IP addresses as we have internal systems that email both internal and external parties, hence how would that application know which IP address to connect to when the to field has a mixture of both?

    Thanks. If there was a way to attach my configuration I would... I'm obviously doing something wrong.. but what?


  • 10.  RE: New to Brightmail - cannot get out bound email to be delivered

    Broadcom Employee
    Posted Aug 24, 2010 06:44 PM

    If you are using the same port and IP address for inbound and outbound, you need to just make sure the IP addresses of the senders are in the list of Outbound Mail Acceptance IPs. You can only have 3 though, so if you have a lot of clients that need to send outbound mail, they should be sending to your mail server instead of trying to relay through us directly.

    From page 93 of the Administration Guide:

    You can configure a Scanner to accept outbound connections from up to three
    mail servers. By allowing connections from only certain IP addresses and domains,
    you exclude all other hosts from sending messages at connection time.
    Note: If you use the same IP address and port for inbound and outbound email,
    the Scanner uses outbound mail acceptance settings to determine if a message is
    inbound or outbound. The Scanner first checks outbound mail acceptance settings.
    If the mail is not accepted, the Scanner then checks inbound mail acceptance
    settings.

    In the case above, the IP address you were connecting from was not in the Outbound Mail Acceptance list.


  • 11.  RE: New to Brightmail - cannot get out bound email to be delivered

    Posted Aug 24, 2010 07:23 PM
    TSE-JDavis,

    Thanks for the response.

    I did have my workstation IP address in both the inbound and outbound list, and it still didn't work.  I changed the outbound port number and now it seems to work?

    i.e. inbound 10.20.1.75:25, outbound 10.20.1.75:1975

    Sending both internal mail and external mail to the outbound port number delivers both .. however sending to port 25 only delivers inbound email.


    However, you've just raised something that will be a show stopper for Brightmail.
    You can only have 3 IP addresses configured to be able to send outbound email?  Is this a hard limit or a suggested limit?

    We have a number of appliances (such as EMC centera's, celerra's etc.) that email 'home' (EMC) daily with health reports. They all go via Trend Micro's IMSVA (which we hoped Brightmail would replace).  In total we have

    4 exchange servers - (which is 99% of the volume)
    20 other appliances that send between 1-100 emails per day

    We don't want them to connect directly to our MX servers because that means opening up more internal IP addresses to the DMZ where our MX servers (obviously) are, and we don't want Exchange having to route them as we know they are more or less outbound emails.

    Advice is appreciated.
    Justin


  • 12.  RE: New to Brightmail - cannot get out bound email to be delivered

    Broadcom Employee
    Posted Aug 24, 2010 07:44 PM

    I actually got some feedback that the documentation is in error and there is no limit.

    Can you maybe post a screen shot of the whole SMTP tab?


  • 13.  RE: New to Brightmail - cannot get out bound email to be delivered

    Posted Aug 25, 2010 09:47 AM

    Minke, you found the issue.  An IP:Port combination is inbound or outbound.   JDavis is incorrect on the outbound connection list.  Not only is it not limited, you can even use CIDR addressing format.

    That your internal systems send to both outbound and inbound addresses isn't a problem for SBG.  I suggest you add a virtual address to your scanner and configure it for outbound on port 25.    Make that IP the address you use as Next Hop on internal servers.  SBG will deliver to your internal hosts based on the domains listed in Reputation, Domains, that have "Local" checked.  Any domains not listed will be delivered to the default outbound route (probably your MX servers).


    So:

    Internet --> MX servers --> SBG inbound i/f --> Delivery based on "local" domains.
    Internal Senders --> SBG outbound IP/interface --> Deliver to default next hop (MX servers outbound i/f)
                                                   --> Deliver to inside hosts based on domains listed in Protocols with Local domain checked.

    Also,  you will only need a single IP address opened between the MX servers and SBG.  See under Admin/<scanner>/SMTP/Advance/Delivery Tab.  You can specify which interface is used to deliver  non-local mail.  Set that to your inbound interface and the mail will go out to your MX hosts using the same IP as the MX hosts are using to hand mail inbound.
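
A simplified model of the mail flow this thread converges on, added here as an illustration; it is not part of any post and is not Symantec code or configuration. The listener addresses and next hop come from the thread, while the acceptance list, the local domain, the Exchange host name and the client IPs are constructed assumptions.

```python
import ipaddress

# Listener roles as in post 11: one IP, two ports, each either inbound or outbound.
LISTENERS = {("10.20.1.75", 25): "inbound", ("10.20.1.75", 1975): "outbound"}
OUTBOUND_ACCEPT = ["10.20.1.0/24", "10.20.3.40"]  # constructed; CIDR allowed per post 13
LOCAL_DOMAINS = {"example.com": "exchange.example.com"}  # constructed domain and host
DEFAULT_NEXT_HOP = "10.20.2.11"  # MX server named in post 7


def client_allowed(client_ip, acl):
    """True if client_ip matches any single address or CIDR block in acl."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in acl)


def route(client_ip, listener, recipients):
    """Return {recipient: decision} for one SMTP connection to the scanner."""
    role = LISTENERS.get(listener)
    if role is None:
        return {r: "refused: no listener" for r in recipients}
    if role == "outbound" and not client_allowed(client_ip, OUTBOUND_ACCEPT):
        return {r: "refused: client not in outbound acceptance list"
                for r in recipients}
    decisions = {}
    for rcpt in recipients:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in LOCAL_DOMAINS:
            # Domains marked Local are delivered inward on either listener.
            decisions[rcpt] = "deliver to " + LOCAL_DOMAINS[domain]
        elif role == "outbound":
            decisions[rcpt] = "relay to " + DEFAULT_NEXT_HOP
        else:
            # Symptom from the thread: the inbound side validates recipients,
            # so an external address is reported as an unknown user.
            decisions[rcpt] = "rejected: user unknown"
    return decisions


if __name__ == "__main__":
    mixed = ["user@example.com", "someone@yahoo.com"]  # constructed recipients
    for port in (25, 1975):
        print(port, route("10.20.1.50", ("10.20.1.75", port), mixed))
```

Running it shows the behaviour reported in post 11: a message with mixed recipients is fully handled only on the outbound listener, and a client outside the acceptance list cannot relay at all.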