
Email appliance as second spam filter

Hi there,


We are trying to implement the Virtual Email Appliance as the second level of email scanning in our infrastructure.

As such we have another vendor's spam filters sitting outside our network as the initial filtering point, and then we have a pair of Sophos spam filters in an active/active load-balanced pair sitting inside our network.

 

We have set our other vendor's spam filters up in the Sophos as trusted relays.

As these are set as trusted relays, does that mean the Sophos will not scan any mail from those devices for viruses etc.? We are not fussed about the spam side, as we want the original devices to handle the spam side. We just want these to do another level of scanning on the email for anything malicious.

 

How do I go about configuring this?

Many thanks

 

Pete



  • Hi Peter,

    You can definitely do that, but there are some issues. Some of the features of the appliance may need to be configured and/or will not function.

    Because your upstream devices are delivering mail downstream and the actual MTA is not connecting to the appliance, you will lose the delay queue feature and will have to adjust the filtering options (by default the blocker will drop known bad hosts).

     

    under configuration / policy / filtering options

    check off "enable policy-level blocking of mail from known bad senders"

    Enable proactive ip connection control for suspicious hosts

    action is usually set to discard, but because you are disabling the blocker service you are automatically accepting the message, so whether you discard or quarantine doesn't matter.

     

    Unfortunately you will not be able to use the delay queue; this feature requires the MTA to connect to the appliance for tracking. In your case the appliance will see mail as having been accepted from 10.10.2.1, or whatever the upstream device is.

     

    The purpose of a trusted relay does not omit AV and policy checking. It simply tells the appliance to ignore that hop in the message headers for things like RBL checking and RDNS.

     

    For example:

    If your upstream device is NOT a trusted relay:

    Mail from jimmy.bob@gmail.com comes into your upstream device, and the appliance receives it from 10.10.2.1, so as far as the appliance is concerned the FUR (first untrusted relay) is internal. Services like the blocker would never trigger, as internal addresses are never blacklisted.

    By setting the upstream device as a trusted relay, the same email would now ignore 10.10.2.1 and start RDNS and RBL checking at 74.125.25.25 (or whatever the first hop before 10.10.2.1 is).

     

    Notes:

    Honestly, multiple layers of spam checking are never recommended. It's often a real PITA and can cause all sorts of problems. For example, your chance of FP/FN increases as company A rates the email at X% and company B at Y%. Then you have multiple quarantines etc. For that reason I would recommend experimenting with what works best up front, and the secondary appliance would use a tag-subject-and-deliver policy.

    Having dual AV scanning is always a benefit.

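To make the trusted-relay behaviour described in the answer concrete, here is an added Python example (not the appliance's code and not from the poster) that walks constructed Received headers and reports which hop the appliance would treat as the first untrusted relay, and whether reputation checks (RBL/RDNS) would apply to it. The relay IPs 10.10.2.1 and 74.125.25.25 are the ones quoted in the thread; the hostnames and header text are made up.

```python
import re
from ipaddress import ip_address

# Hops the appliance should skip when locating the first untrusted relay (FUR).
# 10.10.2.1 is the upstream vendor's filter from the thread.
TRUSTED_RELAYS = {"10.10.2.1"}

# Constructed Received headers, newest hop first (the order they appear in a
# message). The appliance sees the message arrive from the upstream filter.
SAMPLE_RECEIVED = [
    "from upstream.example.test (upstream.example.test [10.10.2.1]) by sophos.example.test",
    "from mail-gw.gmail.test (mail-gw.gmail.test [74.125.25.25]) by upstream.example.test",
    "from [192.168.1.50] by mail-gw.gmail.test",
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hop_ip(received):
    """Return the connecting IPv4 address recorded in one Received header, or None."""
    m = IP_RE.search(received)
    return m.group(1) if m else None


def first_untrusted_relay(received_headers, trusted_relays):
    """Walk the headers newest-first and return the first hop IP that is not a
    trusted relay. Hops after the FUR are not inspected, matching the thread's
    description that checking starts at the FUR."""
    for hdr in received_headers:
        ip = hop_ip(hdr)
        if ip is None or ip in trusted_relays:
            continue
        return ip
    return None


def reputation_checks_apply(fur_ip):
    """Per the answer, internal (private) addresses are never blacklisted, so
    RBL/RDNS checks only apply when the FUR is a public address."""
    return fur_ip is not None and not ip_address(fur_ip).is_private


def evaluate(received_headers, trusted_relays):
    """Summarise where the appliance would start reputation checking."""
    fur = first_untrusted_relay(received_headers, trusted_relays)
    return {"fur": fur, "rbl_rdns_checked": reputation_checks_apply(fur)}


if __name__ == "__main__":
    print("upstream NOT trusted:", evaluate(SAMPLE_RECEIVED, set()))
    print("upstream trusted:    ", evaluate(SAMPLE_RECEIVED, TRUSTED_RELAYS))
```

Running it shows the two cases from the answer: with no trusted relay the FUR is 10.10.2.1 and the blocker would never fire; with 10.10.2.1 trusted the FUR becomes 74.125.25.25 and checks apply there.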
