Messaging Gateway

Currently, I have a static ip map of our mail public ip to the internal Exchange server on my Cisco firewall so that all SMTP packets will hit my Exchange server. All mail are filter by SMSMSE 5.0 install on the Exchange server. This works well for us. Due to the end of life of the SMSMSE 5.0 we decided to try Brightmail. I install Brightmail virtual version and configure the Controller and Scanner one vm. Installation went well, it up and running, it filtering mail well but I have an issue with external mail is no longer using the public ip that we designated for mail. All external mail now being sends using our general internet browsing ip instead.

Our public mail ip is 69.X.X.198. Now with Brightmail in place, our outside mail is indicating that is it originated from our browsing ip of 69.X.X.197 instead.

 <o p=""></o>

To make Bright mail work, I adjusted the static ip map on the Cisco firewall to map the mail public ip (69.X.X.198) to point to the Brightmail gateway with ip of 192.X.X.8.

 <o p=""></o>

My question Are:
I place the Brightmail Gateway right after the internet gateway/firewall, it this the right placement?
Where would I place it so that I would not have to change my static ip mapping?
Are outgoing mail sent by the Brigtmail Gateway or it just filter mail and then relay them back to a mail server to be sent?

Why didn't you just install Mail Security for Exchange 6.0?

Symanec Mail Security for Exchange 5.0 has not reached it's end of life yet. The EOL date will be on December 1, 2012.

The EOL Notification that was sent was for Symantec Mail Security for SMTP 5.0 that will be migrated to Brightmail Gateway 8.0.

Therefore, if you are using Symanec Mail Security for Exchange 5.0, you may just ignore the notification. I also agree with TSE-JDavis to upgrade to 6.0 (a.ka. Information Foundation) instead.

I agree, I think he mis-read the EOL for Mail Security for SMTP, which we have been seeing a lot of. I got a similar call just yesterday.

Ok, I must have mis-read. My apology. Anyhow, let put it this way. I would like to try Bightmail Gateway and needed a some help with testing this product. Thanks

Ok, in that case you would need to tell Exchange to send mail to the Brightmail gateway by creating a connector. Once that is done, and the Gateway has outbound mail scannign enabled, it will be able to scan outgoing mail for viruses and the mail will be coming from the inbound IP address. So you need to configure your firewall accordingly so it has the outgoing IP address you want it to.

You have it set up correctly from what you have described, but as far as the firewall questions, I don't know since I'm not familiar with firewalls and how to configure them.

The Brightmail installation manual did not mention any about creating a connector in the mail server.  Any info that you can point me to to create the connector in Exchange to send mail to Brightmail.

Ok let assume that once the connector has been created, the scanner will be receiving the outgoing mail from Exchange, Brighmail scans the outgoing mail, and send it out directly or is the scanned outgoing mail will be relayed back to exchange to be send out?

Thanks in advance for your comment.

The Brightmail Appliance will accept mail from any server, so those types of settings are something we direct you to your mail server's support about.

Here is some information from Microsoft about creating an SMTP connector: http://support.microsoft.com/kb/265293

Once the mail is received by the appliance we send it out from there to the outside world from our inbound IP address.

To properly configure the IP address that will be used Symantec Brightmail Gateway (SBG) to deliver mail, please see the following topics:

a) "Scanner port options for inbound and outbound email" in Symantec Brightmail Gateway 8.0 Installation guide available here:
ftp://ftp.entsupport.symantec.com/pub/support/documentation/sbg_installation_guide.pdf

b) "Message delivery phase processing details" in Symantec Brightmail Gateway 8.0 Administartion Guide available here:
ftp://ftp.entsupport.symantec.com/pub/support/documentation/sbg_administration_guide.pdf

Regards,

Adnan

Thanks for all the help thus far. Still trying!

When creating a new SMTP connector in Exchange and set the SBG as the smart host, should I use the incoming ip or the outgoing ip on the scanner?

Per one of JDavis replies, the outgoing mail will send thru the incoming ip correct? So the outgoing ip is for internal mail relay between the scanner and the mail server?

If my incoming ip is 192.X.X.8, my outoging ip is 192.X.X.9. The outbound mail will send to the outside world via 192.X.X.8?


 

Thanks for all the help thus far. Still trying!

When creating a new SMTP connector in Exchange and set the SBG as the smart host, should I use the incoming ip or the outgoing ip on the scanner?

Per one of JDavis replies, the outgoing mail will send thru the incoming ip correct? So the outgoing ip is for internal mail relay between the scanner and the mail server?

If my incoming ip is 192.X.X.8, my outoging ip is 192.X.X.9. The outbound mail will send to the outside world via 192.X.X.8?


 

The outbound IP address is the only place the appliance will accept mail to be delivered to a non-local domain, so that is where you would have Exchange send mail bound for the outside world. This is to avoid the incoming IP address from being an open relay, becuase only certain IP addresses will be allowed to connect to the outbound IP, but all IPs can connect to the inbound.

All email will come from the inbound IP by default, but this can be changed in the Advanced Settings screen when looking at the SMTP settings for the scanner.

Please take a look at the topic titled "Changing Scanner outbound mail acceptance settings" on page 109 in Symantec Brightmail Gateway 8.0 Administration Guide.

Regards,

Adnan

AdamH, are you suggesting that I change my  Outbound Mail Acceptance settings? I have done that.

Anyhow below is a copy of my reply to an old post titled "How to route  outgoing mail throught the applicance using Exhcnage 2003?"

Any additional suggestions? Thanks
_______________________________

My situation is that I'm delopying SBG 8.0 right after my internet router. So far, I'm getting outside mail in and properly relay to my mail server, but I cannot get outgoing mail to go out to the world.

Here is my setup:
I setting up a virtual version of the SBG 8.0 with two NIC on the scanner/control center. 192.X.X8 is the incoming ip & 192.X.X.9 is outgoing ip.

My current Outbound Mail Settings on the scanner:
  Outbound mail IP address is 192.X.X.9, Port 25
  Outbound Mail Acceptance ip address is set to my Exchange mail server 192.X.X.30
  Outbound Non-Local Mail Delivery is set to Use MX Lookup for Non-local Delivery

I have modified the exitiing SMTP connector in the Routing Groups node. Only change I made was set the "Forward all mail through this connector to the following smart hosts" and enter [192.X.X.9]. Save the change, restart MS Exchange Routing Engine and SMTP services.

The result is undelivered mail with error " 554 IP mail loop detected"

In the SMTP Advanced Settings, I set the non-local messages SMTP Delivery Bindings to use my inbound ip.

Thank you all for your help

Hi Douglas,

Good to know that now you got the appliance working.

I think I had pointed out in my earlier comment to look at "Message delivery phase processing details" section in the Admin Guide which talks about setting SMTP Delivery Bindings; here is the except:

QUOTE:
Delivery bindings allow you to specify the IP address from which mail is sent. In
systems where Symantec Brightmail Gateway is not deployed at the gateway, a
firewall may prevent inbound and outbound Scanners from communicating. In
such cases, you change your SMTPDeliveryBindings setting for Localmessages
to your outbound mail IP address. Or, you can change your setting for Non-local
messages to your inbound mail IP address. You can also let Symantec Brightmail
Gateway automatically decide which IP address to use.
UNQUOTE:

Regards,

Adnan

Hi Douglas,

Can you please close this thread by marking as "Solution" the suggestion that helped you resolve the issue?

Thanks

Adnan

Hi Douglas,

I would appreciate your attention to closing this thread.

Thanks

Adnan