
bypassing your spam filtering. To prevent spammers from circumventing the new
spam-filtering servers, you should do one of the following:
■ The MX record should point at your Symantec Mail Security. Do not point the
  MX record at downstream MTAs.
■ Remove the previous MTA's MX record from DNS.
  Block off the MTA from the Internet using a firewall.
■ Modify the firewall's network address translation (NAT) tables to route external
  IP addresses to internal non-routable IP addresses. You can then map from
  the old server to Symantec Mail Security.
■ When naming Symantec Mail Security, ensure that the name you choose does
  not imply its function. For example, antispam.yourdomain.com,
  symantec.yourdomain.com, or antivirus.yourdomain.com are not good choices.
■ If you want to send mail to a downstream MTA, you can use a load balancer.
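The MX and naming recommendations above can be checked against what DNS actually publishes. The following is an added example, not part of the Symantec guide: it audits saved `dig +short MX` or full-answer output offline. The hostnames, the gateway list and the sample answer are constructed assumptions.

```python
# Added example: offline audit of a domain's published MX records.
# Hostnames and SAMPLE_ANSWER are constructed; replace them with your own data.
REVEALING_WORDS = ("antispam", "symantec", "antivirus")  # names the guide warns against

def parse_mx(text):
    """Parse `dig +short MX` lines ("10 host.") or full answers
    ("zone. 3600 IN MX 10 host.") into sorted (preference, host) pairs."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if "MX" in tokens:
            tokens = tokens[tokens.index("MX") + 1:]
        if len(tokens) != 2 or not tokens[0].isdigit():
            raise ValueError(f"unrecognised MX line: {raw!r}")
        records.append((int(tokens[0]), tokens[1].rstrip(".").lower()))
    return sorted(records)

def audit_mx(records, domain, gateways):
    """Return a list of findings; an empty list means the MX set is clean."""
    allowed = {g.rstrip(".").lower() for g in gateways}
    suffix = "." + domain.rstrip(".").lower()
    findings = []
    if not records:
        # RFC 5321: with no MX, senders deliver to the domain's address record.
        findings.append("no MX records: mail falls back to the domain's A/AAAA host")
    for pref, host in records:
        if host not in allowed:
            findings.append(f"{host} (pref {pref}) is published but is not a filtering gateway")
        # Only inspect the host part, so the organisation's own domain is ignored.
        name = host[:-len(suffix)] if host.endswith(suffix) else host
        for word in REVEALING_WORDS:
            if word in name:
                findings.append(f"{host} reveals its function ('{word}')")
    return findings

SAMPLE_ANSWER = """\
10 mail-gw1.example.com.
20 antispam.example.com.
example.com. 3600 IN MX 30 exchange01.example.com.
"""

if __name__ == "__main__":
    gateways = ["mail-gw1.example.com", "antispam.example.com"]
    for finding in audit_mx(parse_mx(SAMPLE_ANSWER), "example.com", gateways):
        print("FINDING:", finding)
```

A clean MX set does not show that the old MTA is unreachable; the firewall rule from the list above still has to be verified separately.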
Deployment models
You can deploy Symantec Mail Security in the following ways:
■ Basic gateway deployment
■ Multi-tier gateway deployment
■ Post-gateway deployment
Basic gateway deployment
This is the simplest deployment model. Symantec Mail Security resides at the
outermost gateway layer inside the enterprise firewall. It provides Secure Email
Services by relaying inbound mail to other relay layers or to the user-facing mail
server layer. Symantec Mail Security routes outbound mail through local relay
for delivery to local domain addresses or through the firewall to the Internet.
Inbound and outbound mail are both processed on one Ethernet NIC through a
single IP address. Inbound and outbound traffic can be logically separated by
assigning one to the physical IP and the other to a virtual IP address or by assigning
inbound and outbound traffic to separate ports (such as 25 and 26).
On all configured server computers, port 443 must be configured to permit
outbound connections to Symantec to download content updates.
Figure 1-1 shows Symantec Mail Security deployed at the gateway, behind a
firewall.