06-02-2009, 01:52 AM
Junior Member
Join Date: Mar 2007
Posts: 25
Upstream host best practices
We recently started using an upstream host to scan our E-mail for spam/viruses and then deliver them to our mail server. We're currently using Exchange 2003 with an Astaro 220 acting as the SMTP proxy/gateway. I have the mail service's IP addresses defined in the Upstream hosts section on the Astaro and am only allowing traffic from the upstream host. I'm not sure this is the best way to set things up, however...
1. Since our mail provider is now scanning everything, I'd like to lessen the load on our firewall and not have it provide spam/av scanning. If I still want the Astaro to function as a mail proxy, is it best to just exclude the upstream host's IP addresses from all scanning?
2. Would it be better to just disable the SMTP processing on the Astaro and have E-mail flow directly to/from the Exchange server? An advantage of the Astaro SMTP is the TLS setup. TLS on Exchange seems a bit more cumbersome to configure, especially if you need to allow both TLS and non-TLS traffic.
Thoughts/suggestions/advice appreciated. Thanks.

06-02-2009, 04:47 AM
Moderator
Join Date: Jul 2001
Location: southern California
Posts: 5,140
If you really don't need AV & Spam scanning, I'd turn them off completely instead of adding an exception, as they'll still be using memory.
You can disable SMTP on the firewall, and create packetfilter rules, and if needed DNAT, for the SMTP traffic.
It's up to you.
Barry
__________________
http://DealBert.net
Home & business end-user since v1.x - ASL 6.3x, HP DL145 Dual Opteron, 1GB RAM, 6 gigE NICs, 50-IP Platinum License
- ASL 7.3x, Dell PE1550 Dual PIII 1GHz, 1GB RAM, 2 NICs, 50-IP Platinum License
- ASL 7.5x, 17-watt fanless mini-ITX system: MSI IM-945GSE-A Atom n270, 2GB RAM, Morex T3310 case. 2 Intel GigE, 3 VLANs. 80G 5200rpm 2.5" HD
Netgear GS108T gigE VLAN switch & Linksys WRT54G WAP
Total network infrastructure: 27 watts. 100-IP Home User. FiOS 10mb/2mb

06-02-2009, 05:55 AM
Administrator
Join Date: May 2008
Location: Wilmington, MA
Posts: 50
I'd also recommend doing just what Barry said. If you don't need mail filtering, then shut the proxy off completely, and create a DNAT rule to forward traffic to your mail server.
In your scenario, be sure to set the source in the DNAT rule to be your upstream SMTP scanner, and not "Any".
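An added example, not part of the original posts: one way to confirm that the source restriction recommended above is holding is to scan firewall log lines for SMTP connections that were accepted from anywhere other than the upstream scanner. The log layout, addresses and names below are constructed for illustration and are not Astaro's actual log format.

```python
import ipaddress
import re

# Assumption: the range published by the upstream scanning service
# (a documentation range stands in for it here).
UPSTREAM_NETS = [ipaddress.ip_network("192.0.2.0/28")]
MAIL_SERVER = "10.0.0.25"  # hypothetical internal Exchange address

# Constructed packet filter log lines in a simplified key=value layout.
SAMPLE_LOG = """\
2009:06:02-04:50:11 fw action=accept srcip=192.0.2.5 dstip=10.0.0.25 proto=tcp dstport=25
2009:06:02-04:51:40 fw action=accept srcip=203.0.113.77 dstip=10.0.0.25 proto=tcp dstport=25
2009:06:02-04:52:02 fw action=drop srcip=198.51.100.9 dstip=10.0.0.25 proto=tcp dstport=25
2009:06:02-04:53:15 fw action=accept srcip=192.0.2.14 dstip=10.0.0.25 proto=tcp dstport=25
2009:06:02-04:54:30 fw action=accept srcip=203.0.113.77 dstip=10.0.0.25 proto=tcp dstport=443
2009:06:02-04:55:00 fw action=accept srcip=192.0.2.200 dstip=10.0.0.25 proto=tcp dstport=25
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def is_upstream(ip):
    """True if ip falls inside one of the upstream scanner's networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in UPSTREAM_NETS)


def bypass_connections(log_text):
    """Return (timestamp, srcip) for accepted SMTP flows to the mail
    server that did not originate from the upstream scanner."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        src = fields.get("srcip")
        if src is None or fields.get("dstip") != MAIL_SERVER:
            continue
        if fields.get("dstport") != "25":
            continue  # only SMTP is of interest
        if fields.get("action") != "accept":
            continue  # dropped traffic is the rule working as intended
        if not is_upstream(src):
            hits.append((line.split()[0], src))
    return hits


if __name__ == "__main__":
    for ts, src in bypass_connections(SAMPLE_LOG):
        print(f"{ts} SMTP accepted from non-upstream source {src}")
```

Any hit means mail can reach the server without passing the upstream filter, which is what a rule with source "Any" would allow; note the last sample line, which is near the scanner's range but outside it.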

06-02-2009, 06:44 AM
Junior Member
Join Date: Mar 2007
Posts: 25
Hmmm... Any way to turn off av/spam scanning and still use the proxy? I like that TLS is already configured and working on the Astaro. Plus I like having the Astaro between the Internet and my Exchange server.

06-02-2009, 01:25 PM
Administrator
Join Date: May 2008
Location: Wilmington, MA
Posts: 50
You can disable all spam filtering options, and antivirus on the Astaro, but leave the proxy active. This will work. The problem with this is that the proxy will listen for connections from anywhere, not just from your upstream filter. So, if you would prefer to leave the proxy active, I would recommend leaving all filtering active, but create an exception for your upstream filter, exempting it from all checks.
This might also provide a valid backup plan, should your upstream filter ever fail. You could set a second MX with a lower priority which points to your Astaro. Then, mail will continue to arrive and be filtered even if your upstream proxy fails.

06-02-2009, 04:19 PM
Moderator
Join Date: Mar 2007
Location: Oklahoma City
Posts: 5,388
Great suggestion, Alan, about the backup.
Cobra, the other thing you might want to understand is that the basic SMTP Proxy does not require an Email Security subscription. The subscription is necessary only for Anti-Virus, Anti-Spam and Encryption.
Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!

06-02-2009, 06:41 PM
Junior Member
Join Date: Mar 2007
Posts: 25
Quote:
Originally Posted by AlanT
You can disable all spam filtering options, and antivirus on the Astaro, but leave the proxy active. This will work. The problem with this is that the proxy will listen for connections from anywhere, not just from your upstream filter.

I thought there was an option to only allow access to the Upstream members and other authorized relay hosts.

Quote:
This might also provide a valid backup plan, should your upstream filter ever fail. You could set a second MX with a lower priority which points to your Astaro. Then, mail will continue to arrive and be filtered even if your upstream proxy fails.

I considered this, but it is an awfully expensive backup MX (maintaining the mail security subscription).
Thanks.

06-02-2009, 06:55 PM
Junior Member
Join Date: Mar 2007
Posts: 25
Quote:
Originally Posted by BAlfson
Great suggestion, Alan, about the backup.
Cobra, the other thing you might want to understand is that the basic SMTP Proxy does not require an Email Security subscription. The subscription is necessary only for Anti-Virus, Anti-Spam and Encryption.
Cheers - Bob

Thanks... so is it possible to use the SMTP proxy and actually disable AV and spam scanning (as opposed to excluding hosts from scanning)?

06-02-2009, 07:26 PM
Moderator
Join Date: Mar 2007
Location: Oklahoma City
Posts: 5,388
What I said was stronger than that: you can use the SMTP proxy even if you CAN'T enable AV and spam scanning. The SMTP and HTTP Proxies are a part of the basic Astaro license.
Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!

All times are GMT.