Exchange Server 2007 with cloud spam filter

TAPtech

Hi Guys,

Just want to make sure I'm doing this right as I have about, uh, 2 clients with Exchange Server 2007 :D

I have set them up with a cloud spam filtering service. I've set up their DNS and such. I've also whitelisted the IPs of the spam filtering service in the Exchange 2007 Receive Connector whitelist.

Now how do I ignore email that comes from anyone other than the spam filter? Do I just deny all IPs? Or is it better to only allow traffic on port 25 through the firewall from the filtering service..? I think that would be my preferred method.
 
Do it on the firewall. Simply don't allow any connection other than the IPs used by your filter. That is what a firewall is for.
 
I concur. Thank you for the input! Can't wait for the first week of spam blockage reports :D

These guys also did not have the Exchange spam filter enabled!!!! Relying on Outlook 2010 spam filtering with their 10-year-old domain. Oof, it's horribly spammy.
 
Oof, don't even get me started... this client is a very tough sell on anything subscription based (I've vented about them a few times on Technibble already) so it's been a long road. Now that SBS isn't a thing anymore, and with Server 2016 looming, I'm going to push a new server and O365 kick on them soon. They're on a slow and aging Dell T300 SBS2008 box... not well spec'd to begin with either... talkin' bout some Core2Duo baby, hey-o!
 
Yeah, I'd do it on the firewall.
I usually create a rule to block all traffic on port 25 except for the whitelisted IPs of your spam filter. This then blocks all the spam that comes direct to the mail server trying to bypass your spam filter.
I also do this for Office 365 clients by creating a rule in the connectors to only receive mail from the spam filter. Office 365 has a built-in one but I like having the 3rd party antispam filter.
 
I do it both on Exchange, and on the hardware firewall's NAT.
Exchange receive connector...you set it to receive only from the range of IPs of your filtering service.
On the hardware firewall...port forward 25...but only from the range of IPs of the filtering service.

Assuming it's a good spam/virus filtering service, I turn off Exchange's integrated spam filter...no need for 2x black holes to chase when someone says they can't receive from someone.
 
Thank you all for the input so far. I've added the rules in the SonicWall as well as the Exchange receive connector. I'm using SpamExperts, which I've set for another client with good results.
 
The reason I add the ACLs in hardware on the firewall, instead of just having port 25 wide open, is...I don't like exposing Microsoft services to the whole world. Even if you put ACLs on the Exchange Server's receive connectors...it's still just Microsoft software controlling that...and you can bet whatever you want that each and every day, it's exposed to constant grinding and exploit attacks. IMO...better to add another layer of security...and have hardware at the edge appliance greatly limit incoming port 25 to just the IPs necessary for the offsite filtering host. Instead of wide open to the whole world.
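
A way to verify the lockdown discussed in this thread, as an added example that is not from any of the posters: the script reads an SMTP receive protocol log and counts inbound sessions whose source IP is outside the filtering service's ranges. It assumes protocol logging is enabled on the receive connector and that the log uses the comma-separated layout with a `#Fields:` header; the IP ranges, host names and log lines are constructed samples.

```python
import csv
import ipaddress
from collections import Counter

# Constructed placeholder ranges (documentation address space); replace with
# the ranges your filtering service publishes.
FILTER_RANGES = ["192.0.2.0/28", "198.51.100.16/29"]

# Constructed sample lines in the assumed SMTP receive protocol log layout.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2016-09-01T10:00:00.000Z,MAIL\\Default MAIL,08D3A1,0,10.0.0.5:25,192.0.2.4:41822,+,,
2016-09-01T10:00:00.100Z,MAIL\\Default MAIL,08D3A1,1,10.0.0.5:25,192.0.2.4:41822,<,EHLO filter.example,
2016-09-01T10:02:11.000Z,MAIL\\Default MAIL,08D3A2,0,10.0.0.5:25,203.0.113.77:50211,+,,
2016-09-01T10:05:40.000Z,MAIL\\Default MAIL,08D3A3,0,10.0.0.5:25,198.51.100.18:33010,+,,
2016-09-01T10:09:02.000Z,MAIL\\Default MAIL,08D3A4,0,10.0.0.5:25,203.0.113.77:50340,+,,
"""

def bypass_sessions(log_text, allowed_cidrs):
    """Return {source_ip: session_count} for sessions outside allowed_cidrs."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    fields, hits = None, Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, next(csv.reader([line]))))
        if row.get("event") != "+":  # "+" marks a new connection; one per session
            continue
        # remote-endpoint is "ip:port"; strip the port and any IPv6 brackets.
        host = row["remote-endpoint"].rsplit(":", 1)[0].strip("[]")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # endpoint that does not parse as an IP address
        if not any(ip in net for net in allowed):
            hits[str(ip)] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, count in sorted(bypass_sessions(SAMPLE_LOG, FILTER_RANGES).items()):
        print(f"{ip}: {count} session(s) reached the server without the filter")
```

Once the firewall rule and the receive connector restriction are both in place, a log from after the change should produce an empty result; any remaining source IP means one of the two layers still accepts direct connections.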
 