
Hi serverfault universe,

I work for a medium-sized (roughly 200 user) company. We are attempting to integrate our new Cisco Spam Video Blocker (IronPort) device into our network so that it acts as an incoming filter and then passes mail off to our Lotus Domino mail server, and also vice versa.

The way our network is set up currently has an MX record pointing to our Domino SMTP incoming server, which is currently set up to be an inbound gateway and filter (using Symantec Domino mail software). We want to replace the inbound gateway with the IronPort. Our company has also invested in a pool of external IP addresses, which I believe have currently been assigned to our web and email servers. What would the proper course of action be to successfully integrate the device? MX record change? Replace the Domino gateway completely with the IronPort? We attempted to set the IronPort device to the external IP that our MX record is pointing to, without much success. Any help on proper setup would be greatly appreciated.

1 Answer


Set up the IronPort on a new, public IP.
Configure your firewall to allow port 25 and DNS inbound/outbound from the public IP.
Set up a test domain name, TestFakeCompanyName.com, and create an A record for mail.TestFakeCompanyName.com with the public IP.
Configure the IronPort to accept and filter for TestFakeCompanyName.com. Set up a test mail server for TestFakeCompanyName.com behind the IronPort,
OR
Configure TestFakeCompanyName.com at a mail provider. (The IronPort doesn't really care where the mail server is located; you just need to give it the IP.)
Now you can test both mail flow and the filtering rules all you want. When you are confident it's all set, add the real domain name into the IronPort and copy/configure it.
8 days before you go live, change the TTL on the A record the MX points to, to 4 hours.
8-24 hours before you go live, change the TTL to 2 minutes.
To go live, change the IP on the A record to the new public IP. Once you have confirmed the flow is correct, change the TTL back to 3-7 days.
What happens to the existing SMTP gateway depends on whether it's doing anything besides SMTP/filtering, hardware age, licensing cost, etc. It could be replaced completely or just moved behind the IronPort, which would require changing its IP to an internal one.

Ed Fries
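The answer's cutover steps (lower the TTL on the A record the MX points to, then repoint that A record at the new gateway IP) are easy to get wrong if you never confirm what the public DNS actually says. The following added example is not part of the answer or of any Cisco tooling: it is a small stdlib-only Python checker that parses `dig +noall +answer`-style output for a domain's MX and A records and reports, for each MX target, the current IP, the current TTL, whether the TTL has been lowered to the pre-cutover value, and whether the record already points at the new gateway. The dig output, the domain `example.test` and the addresses in `192.0.2.0/24` are constructed placeholders; in practice you would feed it the real output of `dig MX yourdomain` and `dig A mail.yourdomain` against a public resolver.

```python
"""Pre-cutover DNS check for moving inbound SMTP to a new gateway IP.

Added example (not from the original answer). Parses dig-style answer lines
and checks each MX target's A record against the planned cutover.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of `dig +noall +answer` output.
# example.test and 192.0.2.x are documentation placeholders, not real hosts.
SAMPLE_DIG_OUTPUT = """
;; ANSWER SECTION:
example.test.           14400   IN      MX      20 mail2.example.test.
example.test.           14400   IN      MX      10 mail.example.test.
mail.example.test.      300     IN      A       192.0.2.10
mail2.example.test.     120     IN      A       192.0.2.20
"""

# Matches "<name> <ttl> IN <MX|A> <rdata>" with tabs or spaces between fields.
DIG_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(MX|A)\s+(.+?)\s*$")


@dataclass
class Record:
    name: str   # owner name, lower-cased, without trailing dot
    ttl: int
    rtype: str  # "MX" or "A"
    data: str   # raw rdata, e.g. "10 mail.example.test." or "192.0.2.10"


def parse_dig_answers(text: str) -> list:
    """Turn dig answer lines into Record objects; comments and blanks are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = DIG_LINE.match(line)
        if not m:
            continue  # unrelated record types (NS, TXT, ...) are ignored here
        name, ttl, rtype, data = m.groups()
        records.append(Record(name.rstrip(".").lower(), int(ttl), rtype, data))
    return records


def mx_targets(records: list, domain: str) -> list:
    """MX target hostnames for `domain`, lowest preference (most preferred) first."""
    mxs = []
    for r in records:
        if r.rtype == "MX" and r.name == domain.lower():
            pref, host = r.data.split()
            mxs.append((int(pref), host.rstrip(".").lower()))
    return [host for _, host in sorted(mxs)]


def cutover_status(records: list, domain: str, new_gateway_ip: str, max_ttl: int) -> dict:
    """Per MX target: its A record IP/TTL, whether the TTL is at or below
    `max_ttl` (the pre-cutover value), and whether it already points at the
    new gateway. A target with no A record is reported as not ready."""
    report = {}
    for host in mx_targets(records, domain):
        a_recs = [r for r in records if r.rtype == "A" and r.name == host]
        if not a_recs:
            report[host] = {"ip": None, "ttl": None,
                            "ttl_lowered": False, "points_to_new_gateway": False}
            continue
        a = a_recs[0]
        report[host] = {
            "ip": a.data,
            "ttl": a.ttl,
            "ttl_lowered": a.ttl <= max_ttl,
            "points_to_new_gateway": a.data == new_gateway_ip,
        }
    return report


if __name__ == "__main__":
    recs = parse_dig_answers(SAMPLE_DIG_OUTPUT)
    # 120 seconds is the "2 minutes" the answer recommends just before go-live.
    for host, st in cutover_status(recs, "example.test", "192.0.2.20", 120).items():
        print(f"{host}: ip={st['ip']} ttl={st['ttl']} "
              f"ttl_lowered={st['ttl_lowered']} on_new_gateway={st['points_to_new_gateway']}")
```

Run it once after lowering the TTL (expect `ttl_lowered=True` and `on_new_gateway=False` for the primary MX target) and again right after the go-live A record change (expect both `True`), checking against a public resolver rather than your internal DNS so you see what the rest of the Internet sees.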