NorthernNetGuy
Advisor

MTA first tier or not

We currently have our MTA as first tier, and in sk114034 it is stated that this is not recommended.

We see the problems indicated, like invalid recipients not being detected.

Instead of just following the non-recommended solution, I wanted to know how others have their MTA and mail servers configured and set up topology-wise.

We use the Check Point gateway as the first tier, a secondary spam server as the second tier, and then our mail server.

Do you have an additional spam filtering server in front of the firewall? How do you handle this?

7 Replies
Chris_Atkinson
Employee

We see both; it can depend on whether this is a perimeter gateway or a dedicated TE appliance performing the MTA role.
(That said, cloud-hosted anti-spam services are commonplace; naturally these are outside... )

Historically, the recommended topology helped to mitigate the risk of RBL / backscatter challenges and to manage potential sizing constraints.

To your point, avoiding system resources being consumed by unnecessary scanning / emulation due to processing of mail with spoofed sender addresses or a lack of recipient verification is the way to go.

CCSM R77/R80/ELITE
NorthernNetGuy
Advisor

We're running our Check Point device with all blades enabled. Our second anti-spam is hosted internally.

I'm just wondering if I should put our second anti-spam outside of the firewall, in which case I'd want to assign it its own public IP and ensure it is hardened. I'm not sure if, alternatively, I could pass the mail directly to the internal anti-spam on the DMZ, for it to then pass back to the firewall to process with the MTA, to hand off to Exchange.

I'm mostly cautious of enabling VRFY on our internal exchange server for the MTA to query for recipient verification.

Benedikt_Weissl
Advisor

Are there any plans to implement recipient verification soon?
Chris_Atkinson
Employee

A quick search returns sk142433, but I will enquire further and revert here.
CCSM R77/R80/ELITE
Benedikt_Weissl
Advisor

That was quick, thank you! It would be great if one could use the data provided by Identity Awareness (i.e. AD attributes) to verify incoming mails, and maybe even apply different mail security settings depending on the recipient's AD group.
NorthernNetGuy
Advisor

That is one of the most poorly written SKs I've seen. I've submitted some feedback on it.

I'm not sure why the gateway can't just do LDAP lookups or use its relationship with Active Directory to do address verification; it seems almost every other product can do it.

We're going to look into a third-party spam appliance to put at our perimeter, as suggested by Check Point best practices. Hopefully Check Point can become self-sufficient in this area eventually.

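The directory-backed recipient verification that the two previous posts ask for (AD attributes via Identity Awareness, or a plain LDAP lookup, instead of VRFY against Exchange), sketched as an added example. This is not Check Point code; the directory, domains and group-to-profile mapping are constructed stand-ins for what an LDAP/AD query would return.

```python
"""Directory-backed recipient verification at RCPT TO time.

Added example (not Check Point code). DIRECTORY is a constructed in-memory
stand-in for an LDAP/AD query of mail, proxyAddresses and group membership.
Answering RCPT TO from such data lets a first-tier MTA reject unknown
recipients with a 5xx at once, avoiding accept-then-bounce backscatter and
the cost of scanning undeliverable mail, without enabling VRFY on Exchange.
"""

ACCEPTED_DOMAINS = {"example.com"}

# Constructed directory: primary address -> record. "aliases" stands in for the
# smtp: entries of an AD proxyAddresses attribute.
DIRECTORY = {
    "alice@example.com": {"groups": {"finance"}, "aliases": {"alice.smith@example.com"}},
    "bob@example.com": {"groups": set(), "aliases": set()},
    "sales@example.com": {"groups": {"sales"}, "aliases": set()},
}
# Scanning profile per AD group ("different mail security settings by group").
GROUP_PROFILES = {"finance": "strict", "sales": "lenient"}


def normalize(address: str) -> str:
    """Strip angle brackets and whitespace, lower-case (AD matching is case-insensitive)."""
    return address.strip().strip("<>").strip().lower()


def lookup_recipient(address: str):
    """Return (primary_address, record) or None; an alias resolves to its primary."""
    addr = normalize(address)
    if addr in DIRECTORY:
        return addr, DIRECTORY[addr]
    for primary, record in DIRECTORY.items():
        if addr in record["aliases"]:
            return primary, record
    return None


def rcpt_decision(address: str) -> tuple:
    """SMTP reply for one RCPT TO argument: (code, text, scanning_profile)."""
    addr = normalize(address)
    if addr.count("@") != 1 or addr.split("@")[1] not in ACCEPTED_DOMAINS:
        return 554, "5.7.1 Relay access denied", "none"
    found = lookup_recipient(addr)
    if found is None:  # reject now instead of accepting and bouncing later
        return 550, "5.1.1 Recipient address rejected: user unknown", "none"
    primary, record = found
    profile = next((GROUP_PROFILES[g] for g in sorted(record["groups"])
                    if g in GROUP_PROFILES), "default")
    return 250, f"2.1.5 Recipient OK <{primary}>", profile
```

In a real deployment the dictionary lookup would be replaced by a cached LDAP query, and the returned profile would select which scanning policy (emulation, attachment rules) the MTA applies to that recipient.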
Institut_fuer_R
Participant

I also wish Check Point would improve on that subject. Is there any news?
