Email Spam Software (IMSS) DMZ or LAN?

Discussion in 'Networking, Telephony & Internet' started by FrankGrimes, May 9, 2005.

  1. FrankGrimes

    FrankGrimes Member

    Joined:
    Jun 27, 2001
    Messages:
    818
    Location:
    Sydney
    Hi

    I'm in the process of setting up anti-spam software for the company I work for. The software is Trend Micro IMSS.

    I currently have a server set up in the DMZ for other things which is under-utilised. Should anti-spam software be installed in the DMZ or the LAN?

    We have about 20 branch offices, many with Exchange servers. The DMZ is located in a central data centre at our ISP, so if we can block spam out at this point we can save a lot of WAN traffic.

    What is the best configuration? DMZ or LAN? And what are the issues with either?

    Cheers

    Grimey
     
  2. infiltraitor

    infiltraitor Member

    Joined:
    Sep 7, 2002
    Messages:
    3,801
    Location:
    Melbourne
    It's up to you really. I don't see much of a difference either way, but like you said, you have a server that is under-utilised, so I'd whack it on there.
     
  3. silver6

    silver6 Member

    Joined:
    Nov 1, 2002
    Messages:
    966
    Location:
    Sydney
    We have a mail gateway in the DMZ. It does spam filtering and antivirus.
     
  4. stalin

    stalin (Taking a Break)

    Joined:
    Jun 26, 2001
    Messages:
    4,581
    Location:
    On the move
    I would stick it in the DMZ. Scrub your stuff of viruses etc. BEFORE they make it into the internal LAN. We have our spam and virus cluster in a DMZ (a second internal LAN, to be more correct) before it's forwarded to the backend MTAs.
     
  5. FrankGrimes (OP)

    What would be the correct config?

    Allow port 25 from the internet to the spam server, then allow port 25 from the DMZ server to each internal mail server? Or should I change the port Exchange is using?

    My boss is absolutely paranoid about security, so I'm having problems making a go of it!

    Can you have 3 MX records, or is there some form of limitation? (We currently have two.) So the config would be:

    filter.company.com
    mail.company.com (current external address)
    ispforwardandstore.myisp.com
     
  6. silver6

    This is how ours is set up:

    Allow SMTP incoming only from public.
    Allow FTP outgoing to public for AV/spam updates.
    Allow SMTP outgoing to private mail server.
    Allow RDP incoming from private.
    Allow DNS outgoing to public.
    Block everything else.

    You can change the SMTP ports if you are very paranoid.

    You can have as many MX records as you want.
     
  7. stalin

    You really only need 1 MX, but can have unlimited.
    If you have multiple MXs it's normally so that if your server dies (inaccessible, whatever) another server can accept email on your behalf. Then when your box is back up you get all that email. Although other mail servers hold email destined for you for up to 4 days, so it's not too much of a concern.
    Also multiple MXs are handy for load balancing.

    Have the MX point to your DMZ mail server (or your external firewall if you multihome and NAT/PAT in).
    Allow port 25 external to DMZ scanner.
    Allow port 25 DMZ scanner to internal mail server.

    Then the reverse for external email (assuming you want to scan outgoing email).

    You don't need additional MX records for your internal server, just one for external. If your external/DMZ server dies you just change your routing and firewall rules and you will still have email (just not scanned); the world would hardly even notice.
     
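The mail flow described in the last three posts (port 25 from the internet to the DMZ scanner, port 25 from the scanner to each internal Exchange server, and the reverse for outbound) leaves one decision to the gateway software itself: which connections it will relay for, and to which internal server. The following is an added example, not code from this thread or from Trend Micro IMSS. It models that relay policy in Python with constructed networks (10.0.0.0/8 for the branch LANs, 192.0.2.0/24 for the DMZ) and hypothetical host and domain names, and it adds the check a gateway facing the internet must make: mail arriving from the public side is accepted only for domains the company owns, so the DMZ box can never be used as an open relay.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example networks: the thread gives no real addresses.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # branch LANs reached over the WAN
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")         # DMZ at the ISP data centre (TEST-NET-1)

# Recipient domain -> Exchange server that owns it.  Hypothetical names; with
# ~20 branches this table is what "DMZ server to each internal mail server"
# means to the gateway in practice.
INTERNAL_ROUTES = {
    "company.com":     "exch-hq.internal",
    "syd.company.com": "exch-syd.internal",
    "mel.company.com": "exch-mel.internal",
}


@dataclass(frozen=True)
class Decision:
    accept: bool
    next_hop: Optional[str]   # host the gateway relays to when accepted
    reason: str


def classify_source(ip: str) -> str:
    """Which zone the connecting client sits in: internal, dmz or public."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    if addr in DMZ_NET:
        return "dmz"
    return "public"


def recipient_domain(rcpt: str) -> str:
    if "@" not in rcpt:
        raise ValueError(f"malformed recipient: {rcpt!r}")
    return rcpt.rsplit("@", 1)[1].lower().rstrip(".")


def route_for(rcpt: str) -> Optional[str]:
    """Most specific owned domain wins, so finance.mel.company.com -> Melbourne."""
    labels = recipient_domain(rcpt).split(".")
    for i in range(len(labels)):
        hop = INTERNAL_ROUTES.get(".".join(labels[i:]))
        if hop is not None:
            return hop
    return None


def relay_decision(src_ip: str, rcpt: str) -> Decision:
    """
    Inbound (public -> gateway): accept only mail for domains we own and hand it
    to the Exchange server for that domain.  Outbound (internal -> gateway):
    accept, scan, then deliver to the internet via the recipient's MX.
    Anything else is refused, so the DMZ box never acts as an open relay.
    """
    zone = classify_source(src_ip)
    hop = route_for(rcpt)
    if zone == "public":
        if hop is None:
            return Decision(False, None, "relay denied: recipient domain is not ours")
        return Decision(True, hop, "inbound: owned domain, relay to branch Exchange")
    if zone == "internal":
        if hop is not None:
            return Decision(True, hop, "internal to internal via the gateway")
        return Decision(True, "mx:" + recipient_domain(rcpt), "outbound: scan, then deliver by MX")
    return Decision(False, None, "relay denied: unexpected source zone " + zone)


if __name__ == "__main__":
    for src, rcpt in [("203.0.113.5", "bob@syd.company.com"),
                      ("203.0.113.5", "victim@example.net"),
                      ("10.20.3.4", "partner@example.net"),
                      ("192.0.2.77", "anyone@example.net")]:
        d = relay_decision(src, rcpt)
        print(f"{src:>13} -> {rcpt:<25} accept={d.accept!s:<5} next_hop={d.next_hop}  ({d.reason})")
```

Real gateways express the same thing as a local-domain list plus a transport or routing map; the point of the model is that the firewall rule "allow 25 from DMZ to internal" is not sufficient on its own. The SMTP service on the DMZ host must also refuse to relay for foreign domains from the public side, otherwise the hardening of the network placement is undone by the application.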
  8. FrankGrimes (OP)

    Thanks for the input guys.
     
  9. bsbozzy

    bsbozzy Member

    Joined:
    Nov 11, 2003
    Messages:
    3,925
    Location:
    Sydney
    We have NetIQ MailMarshal on all of our DMZs: SMTP receiver/sender, spam filter, virus scanner.

    We also run Trend ScanMail on Exchange as well.
     
  10. FrankGrimes (OP)

    Trend IMSS does spam and virus, so we should knock out most spam/viruses before it gets onto our LAN. But we'll still run ScanMail on all Exchange servers.
     
  11. sn0wb0ardar

    sn0wb0ardar Member

    Joined:
    Oct 11, 2002
    Messages:
    57
    Location:
    Sydney
    I'm in the process of doing the same thing. I'm going to be implementing IMSS on a server in our company's DMZ and then routing all external inbound and outbound mail through this box. Also running ScanMail for Domino on all the other boxes.
     
