
Got a question about configuring a ES150 appliance

I am replacing my old firewall with a UTM that is already managing email. To avoid any downtime I got an ES150 mail appliance to manage my email before reconfiguring the UTM to replace the firewall.

My UTM's host name is vpn.mycompany.com (I plan to keep that and replace my old firewall) and my Exchange 2010 server host name that is publicly DNS resolvable is mail.mycompany.com.

I know the hostname is important since I have the SPX portal working on the UTM. Since vpn.mycompany.com and mail.mycompany.com are already taken I was thinking about using spx.mycompany.com for the ES150 mail appliance.

What host name did you guys assign your email appliance?
  • Not sure if your intent is to just use the appliance as an SPX device, or if you want to use the appliance for all of your mail.

    In the event you wish to only use it for SPX:

    download the SPX encryption Outlook plug-in (or make your own tool to change the sensitivity of the email to confidential)

    create an Exchange send connector to look for that header and, if found, relay the email to the appliance

    create rules on the UTM to allow the SEA out on port 25, and omit it from any web filtering policy

    set up the appliance as spx.mydomain.com

    configure the SPX portal to use port 10443

    create a firewall rule to point inbound connections to spx.mydomain.com:10433 to the appliance

    There should be no need to change anything else (other than to add the spx appliance to your TXT record, DKIM and an A record).

    This will essentially take any outbound mail that's set for encryption and deliver it to the appliance.

    If the user exists with a password, the appliance will deliver the message.

    If the user does not exist or the password is expired, it will send out a link to the portal.

    The user can then log into the appliance and set a password; when that's done the appliance will email it out.

    If you're wanting to move all mail flow to the SEA:

    configure your Exchange send / receive connectors to use the appliance

    configure the appliance any way you like

    add its hostname to your TXT, DKIM and MX/A records as necessary

    when you're all ready to flip the switch, simply enable the connectors in Exchange and change the firewall to port forward 25 to the appliance and allow it out/unfiltered.

    Granted, your scenario is probably much more complex than this; it's a simple example for you.

    Cheers

    ps: due to the nature of email and the RFCs, generally any change to email will NOT result in lost emails (if there is no answer from a sending or receiving server the message would be deferred for at minimum 1 day), so if you were down for say 4 hrs, any mail would be re-queued and resent when the server responds.

  • Currently have all mail going through a Sophos UTM firewall and got the ES150 close to deployment but ran into an issue with licensing. Somehow the new license was only good for 30 days and I am waiting for licensing to straighten that out.

    "add its hostname to your txt, dkim and mx/a records as necessary"

    I am trying to work on creating an SPF and DKIM record in the meantime.

    I made this my SPF record but there is no indication of any smart host appliance in it and I am not sure if it's best practice.

    v=spf1 ip4:12.5.52.36 a:mail.grahamrmc.com -all

    Not sure how to configure the DKIM yet.

  • As long as you dig txt mydomain and it resolves to the correct IP (it will be your UTM public IP as the appliance won't have a public IP).

    The only thing you will need to consider is the -all hard fail: if you route mail any other way and the rDNS resolves to another IP, the recipient will look at that as a failure and probably reject/drop the mail. As long as the hard fail is by design, that's fine.

    DKIM is fairly straightforward too; the only thing is you will need to generate your keys as per the site. Once you have your keys, the only thing you need to do appliance side is add them under the certificates menu.

    Once that's done just add a new outbound threat protection rule and make sure it's the last rule.

    As I am a VERY untrusting soul in regards to computing, please do NOT use online tools to generate your keys; refer directly to DKIM.org and generate your own certs with openssl as per the RFC here: http://www.dkim.org/specs/rfc5585.html

    Here is a decent sample walk through: https://kb.spamexperts.com/29943-outgoing-filtering-service/227853-generate-dkim-certificate

    cheers
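    The "generate your own keys locally with openssl" step above, worked through as an added example (not code from the thread, the appliance vendor, or the linked walk-through). It shells out to the openssl CLI, strips the PEM armour to build the p= tag, and splits the TXT value into 255-byte strings because a 2048-bit key does not fit in a single DNS character-string. The selector "spx2016" and domain "mydomain.example" are placeholders, not values from the thread.

    ```python
    import base64
    import subprocess
    from typing import List, Tuple

    # Hypothetical selector/domain for illustration; use your own in practice.
    SELECTOR = "spx2016"
    DOMAIN = "mydomain.example"


    def generate_dkim_keypair(bits: int = 2048) -> Tuple[bytes, bytes]:
        """Create an RSA key pair locally with the openssl CLI and return
        (private_key_pem, public_key_pem). The private key never leaves this
        host; it is what you load into the appliance's certificates menu."""
        private_pem = subprocess.run(
            ["openssl", "genrsa", str(bits)],
            check=True, capture_output=True,
        ).stdout
        public_pem = subprocess.run(
            ["openssl", "rsa", "-pubout"],
            input=private_pem, check=True, capture_output=True,
        ).stdout
        return private_pem, public_pem


    def pem_to_dkim_p(public_key_pem: bytes) -> str:
        """The p= tag is the base64 DER SubjectPublicKeyInfo, i.e. the PEM body
        with its BEGIN/END armour and line breaks removed (RFC 6376 s3.6.1)."""
        body = "".join(
            line.strip()
            for line in public_key_pem.decode("ascii").splitlines()
            if line.strip() and not line.startswith("-----")
        )
        base64.b64decode(body, validate=True)  # raises if the PEM was mangled
        return body


    def dkim_record(selector: str, domain: str, public_key_pem: bytes) -> Tuple[str, str]:
        """Return (owner name, TXT value) to publish in DNS."""
        name = f"{selector}._domainkey.{domain}"
        value = f"v=DKIM1; k=rsa; p={pem_to_dkim_p(public_key_pem)}"
        return name, value


    def split_txt_strings(value: str, limit: int = 255) -> List[str]:
        """A single TXT character-string is capped at 255 bytes (RFC 1035); a
        2048-bit key exceeds that, so the value is published as several quoted
        strings that resolvers concatenate."""
        return [value[i:i + limit] for i in range(0, len(value), limit)]


    def zone_line(name: str, value: str) -> str:
        """Render the record in zone-file syntax, one quoted string per chunk."""
        quoted = " ".join(f'"{chunk}"' for chunk in split_txt_strings(value))
        return f"{name}. IN TXT {quoted}"


    if __name__ == "__main__":
        priv, pub = generate_dkim_keypair()
        print(priv.decode())  # keep this private; it goes into the appliance only
        print(zone_line(*dkim_record(SELECTOR, DOMAIN, pub)))
    ```

    After publishing, `dig txt spx2016._domainkey.mydomain.example` should return the concatenated value starting with `v=DKIM1; k=rsa; p=MII`, and the appliance's outbound rule signs with the matching private key.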

  • My AT&T internet went down due to a fiber cut at 9am this morning; I am still using a backup connection. I deleted the SPF records because mail isn't coming from my public IP now.

    spf=neutral (google.com: 96.46.222.140 is neither permitted nor denied by best guess record for domain of brogle@grahamrmc.com)
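    An added example (not code from anyone in this thread) that ties together the poster's SPF record, the "-all hard fail" warning in the earlier reply, and the neutral result above: a minimal SPF evaluator over a constructed, in-memory stand-in for DNS. The grahamrmc.com record and both IP addresses are the ones quoted in the thread; softfail.example, v6only.example and norecord.example are invented to show the other outcomes. It goes a little beyond the thread by handling ip6, include and the softfail/neutral qualifiers.

    ```python
    import ipaddress
    from typing import Dict, List, Optional

    # Constructed stand-in for DNS so the example runs offline. A real evaluator
    # would query TXT and A records instead of reading these tables.
    TXT_RECORDS: Dict[str, Optional[str]] = {
        "grahamrmc.com": "v=spf1 ip4:12.5.52.36 a:mail.grahamrmc.com -all",
        "softfail.example": "v=spf1 ip4:12.5.52.36 ~all",
        "v6only.example": "v=spf1 ip6:2001:db8::/32 -all",
        "norecord.example": None,
    }
    A_RECORDS: Dict[str, List[str]] = {"mail.grahamrmc.com": ["12.5.52.36"]}

    QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


    def _mechanism_matches(mech: str, ip, domain: str) -> bool:
        """Evaluate one mechanism against the connecting IP (RFC 7208 section 5)."""
        name, _, arg = mech.partition(":")
        if name == "all":
            return True
        if name in ("ip4", "ip6"):
            # A network of the other address family never contains this IP.
            return ip in ipaddress.ip_network(arg, strict=False)
        if name == "a":
            host = arg or domain
            return any(ip == ipaddress.ip_address(x) for x in A_RECORDS.get(host, []))
        if name == "include":
            return check_spf(str(ip), arg) == "pass"
        raise ValueError(f"mechanism {name!r} not modelled (mx, ptr, exists)")


    def check_spf(sender_ip: str, domain: str) -> str:
        """Return pass / fail / softfail / neutral / none for a connecting IP."""
        ip = ipaddress.ip_address(sender_ip)
        record = TXT_RECORDS.get(domain)
        if record is None or not record.lower().startswith("v=spf1"):
            return "none"                   # no policy published at all
        for term in record.split()[1:]:
            if "=" in term.split(":", 1)[0]:
                continue                    # modifiers (redirect=, exp=) not modelled
            qualifier = term[0] if term[0] in QUALIFIERS else "+"
            if _mechanism_matches(term.lstrip("+-~?"), ip, domain):
                return QUALIFIERS[qualifier]
        return "neutral"                    # nothing matched (RFC 7208 section 4.7)


    def receiver_action(result: str) -> str:
        """What a typical receiving MTA does with each result; 'fail' is the
        hard-fail case the earlier reply warns about."""
        return {
            "pass": "accept",
            "fail": "reject or discard",
            "softfail": "accept, but weight the spam score",
            "neutral": "treat as if no policy were published",
            "none": "treat as if no policy were published",
        }[result]


    if __name__ == "__main__":
        for ip in ("12.5.52.36", "96.46.222.140"):
            r = check_spf(ip, "grahamrmc.com")
            print(f"{ip:>15} -> {r:8} ({receiver_action(r)})")
    ```

    With the published record, mail from 12.5.52.36 passes and mail from the backup connection's 96.46.222.140 hard-fails and would be rejected, which is exactly why deleting the record was the safer move during the outage. With no record the evaluator returns "none"; the "spf=neutral ... best guess record" line above is Google substituting its own guessed policy in that case, not a result of the domain's own record.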