Firewall-1

Re: [FW-1] exchange 2003 best practices

Subject: Re: [FW-1] exchange 2003 best practices
From: "Davis, Nathaniel" <ndav AT SUBARU DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 26 May 2004 08:28:51 -0400
Matt,

It is the responsibility of both of you.  The Exchange team needs to set up
their servers so that they only relay from your domain to your domain and
sub-domains.  The Exchange team also needs to set up access lists for sites
that you receive mail from that do not use DNS.  Some legitimate sites do not
answer reverse lookups from mail servers (A records), although there are
valid MX records. Preventing relays is the Exchange team's responsibility.

Now, on to the "meat and potatoes": I would suggest that you only allow your
ISP's relay servers to talk to your Exchange server.  Talk to your ISP and
get the IP addresses of the servers that will send mail to your domain.  In
CP, restrict SMTP traffic to your Exchange servers to the servers from your
ISP.  That should help you out.  Hopefully, I interpreted your email
correctly.

Nathan


-----Original Message-----
From: Matt Arntsen [mailto:Matt.Arntsen AT FRANKLINCOVEY DOT COM]
Sent: Tuesday, May 25, 2004 2:43 PM
To: FW-1-MAILINGLIST AT amadeus.us.checkpoint DOT com
Subject: [FW-1] exchange 2003 best practices

In an attempt to limit email relaying, I was wondering how others have set
up their email routing with an Exchange 2003 email server in conjunction
with their NG-AI R55 firewall. What is the best way to set it up? I
currently have a static NAT rule to send all email inbound. Our email
engineers want to prevent relays and are convinced it is the firewall's
responsibility. They also want to limit authorized IP addresses which can
connect to the email server. The problem I see with this is that you cannot
block the Internet from sending you an email.
Perhaps I am wrong but I keep telling them it is the function of the email
server to only allow emails destined to our domain and refuse all others
rather than forcing the firewall to do this. Perhaps I am wrong and so I am
hoping I can get some feedback. Thanks!

Matt


=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
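
The split of duties discussed in this thread, modelled as an added example (not part of either message and not Check Point or Exchange configuration): the firewall layer sees only the source address, while the recipient-domain check that actually stops relaying can only happen on the mail server. The domain `example.com`, the ISP relay range and all function names are constructed assumptions.

```python
import ipaddress

# Constructed placeholders: a documentation address range and domain.
ISP_RELAYS = [ipaddress.ip_network("192.0.2.0/28")]  # hypothetical ISP relay hosts
LOCAL_DOMAIN = "example.com"                         # hypothetical mail domain


def firewall_permits(src_ip):
    """Firewall layer: inbound SMTP is allowed only from the ISP's relays."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in ISP_RELAYS)


def is_local_recipient(rcpt_to):
    """Mail-server layer: recipient is in LOCAL_DOMAIN or a sub-domain of it."""
    if "@" not in rcpt_to:
        return False
    domain = rcpt_to.rsplit("@", 1)[1].lower().rstrip(".")
    # Compare on a label boundary so "notexample.com" is not treated as local.
    return domain == LOCAL_DOMAIN or domain.endswith("." + LOCAL_DOMAIN)


def decide(src_ip, rcpt_to):
    """Apply both layers in the order a connection would meet them."""
    if not firewall_permits(src_ip):
        return "dropped by firewall"
    if not is_local_recipient(rcpt_to):
        return "rejected by server: relaying denied"
    return "accepted"


# Constructed sample connections: (source IP, RCPT TO address).
SAMPLES = [
    ("192.0.2.5", "user@example.com"),
    ("192.0.2.5", "user@mail.example.com"),
    ("192.0.2.5", "user@notexample.com"),
    ("192.0.2.5", "user@example.com.other.test"),
    ("198.51.100.7", "user@example.com"),
]

if __name__ == "__main__":
    for src, rcpt in SAMPLES:
        print(f"{src:15} {rcpt:30} {decide(src, rcpt)}")
```

The third and fourth samples pass the firewall because they come from a permitted relay, so only the server-side recipient check refuses them.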
