design using EFA in production

General eFa discussion
jamerson
Posts: 164
Joined: 19 Aug 2017 18:57
Location: kaaskop

design using EFA in production

Post by jamerson »

Dear all,
we are happy with the EFA, lately we have configured it in our production.
Everything works fine, thank you for the hard work.
I need your advice about the scenario I've designed.
We have
Internet >>>>> firewall >>>>> EFA >>>>>> Exchange
EFA is filter.domain.com and is our MX record with IP 55.66.7.8
Exchange uses mail.domain.com so the users access it using OWA HTTPS and its IP is 55.66.7.10

Our SPF record v=spf1 mx a ip4:55.66.7.10 ~all has been validated on the following website https://vamsoft.com/support/tools/spf-syntax-validator

We can send and receive emails fine.

On the EFA option 8 Mail settings 1 outbound mail relay we have on the host the EFA internal IP 10.10.20.30

Is this the correct way of sending using the EFA even though our SPF record has the mail.domain.com IP on it? Or do we need to configure it differently?

Please advise or share your experience with me.
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: design using EFA in production

Post by pdwalker »

Exchange:
You configure your Exchange server to use EFA as the "smarthost" for mail delivery "hub transport, send connector, domain, route mail through the following smart hosts"

EFA:
You configure your "outbound mail relay" (8,1) as the network address of your mail clients, or just the ip of your exchange server

You configure your "outbound smarthost" (8,2) "Smart-host: disabled" since you want EFA to deliver the mail directly

You configure your "Transport settings" (8,4) as "domain.com" "<internal ip address of your exchange server>"


That should do it.
jamerson
Posts: 164
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: design using EFA in production

Post by jamerson »

Thank you for your answer,
after configuring this which IP ( external IP) would be used to send the emails out ? the External IP of the EFA or the Exchange ?
the reason i am asking is to configure the spf records to use the right IP.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: design using EFA in production

Post by pdwalker »

Efa.

But I’d suggest configuring both ips for your spf record.
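To see why the suggestion above matters, here is an added example (not code from the thread or from the eFa project) that evaluates an SPF record offline against the constructed DNS data of the thread's example domain. It shows that the existing record covers EFA's IP only through the mx mechanism, and that listing both IPs explicitly keeps outbound mail passing even if the MX host changes. All DNS data below is made up for the example.

```python
import ipaddress

# Constructed DNS data (assumption): the zone as described in the thread,
# with filter.domain.com (EFA) as MX and mail.domain.com (Exchange) as A.
DNS = {
    "A": {
        "domain.com": ["55.66.7.10"],
        "mail.domain.com": ["55.66.7.10"],
        "filter.domain.com": ["55.66.7.8"],
    },
    "MX": {"domain.com": ["filter.domain.com"]},
    "TXT": {"domain.com": "v=spf1 mx a ip4:55.66.7.10 ~all"},
}

# The record pdwalker suggests: both outbound IPs listed explicitly.
EXPLICIT_RECORD = "v=spf1 ip4:55.66.7.8 ip4:55.66.7.10 ~all"

VERDICT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain, client_ip, dns=DNS, record=None):
    """Evaluate the SPF record of `domain` for a sending `client_ip`.

    Toy evaluator for the mechanisms used in the thread (a, mx, ip4, all)
    with the +, -, ~ and ? qualifiers; other mechanisms are skipped.
    """
    record = record or dns["TXT"].get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in VERDICT:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in dns["A"].get(arg or domain, [])
        elif mech == "mx":
            hosts = dns["MX"].get(arg or domain, [])
            matched = any(str(ip) in dns["A"].get(h, []) for h in hosts)
        else:
            continue  # unsupported mechanism in this toy evaluator
        if matched:
            return VERDICT[qual]
    return "neutral"  # no mechanism matched and no "all" term present
```

With the original record, EFA's 55.66.7.8 passes only because it is the MX; drop the mx term (or move the MX elsewhere) and it softfails, whereas EXPLICIT_RECORD passes either way.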
jamerson
Posts: 164
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: design using EFA in production

Post by jamerson »

Thank you for your answer,
let's assume the Exchange IP is 10.10.20.30 and EFA is 10.10.20.31
Exchange DNS name is mail.domain.com and EFA is spam.domain.com
Exchange:
Configure Exchange to send using a smarthost which is spam.domain.com (EFA DNS name)

EFA
In the EFA "outbound mail relay" (8,1) configure mail.domain.com or the IP of the Exchange 10.10.20.30
You configure your "outbound smarthost" (8,2) "Smart-host: disabled" since you want EFA to deliver the mail directly, I am not sure I understand, if I check option 8 and 2 the smarthost is disabled on the EFA, does this mean I am set to go and just have to change the Exchange to send using a smarthost (EFA as its smarthost?)

You configure your "Transport settings" (8,4) as "domain.com" "<internal ip address of your exchange server>" this has already been configured, all internal accepted domains are there.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: design using EFA in production

Post by pdwalker »

smarthost means - "will deliver the mail for you".

in your environment, EFA is your "smarthost" so it doesn't need a smarthost - therefore disable this.

If you set your EFA smarthost setting to your exchange server, you're telling your exchange server to deliver the outgoing mail. If you've configured your exchange server to use EFA to deliver the mail, then you've just created a mail loop and your mail will get bounced around until it expires.

So, if "smarthost" is disabled on your EFA box, then you should be good to go.

Now test it:

- Try sending a message from the EFA box to an external address

Code:

[itsupport@efa ~]$ mail pdwalker@example.com
Subject: test2
test
EOT (I pressed CTRL-D here to finish the message)
[itsupport@efa ~]$
- try sending a message from the exchange server to an external address

Both messages should get delivered assuming a valid destination address.
jamerson
Posts: 164
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: design using EFA in production

Post by jamerson »

Thank you for your answer Paul,
I've followed your instructions and the emails are working fine.

Option 8.1 configured the IP of the Exchange there
Option 8.2 Smarthost is disabled
Option 8.4 I have all the domain names there as our company is hosting 3 domain names on one Exchange


I've noticed DNS Recursion on the EFA is disabled, so I enabled it but the emails are still traveling. Is this something I have to leave disabled?

Code:

--------------------------------------------------------------
---        Welcome to the EFA Configuration program        ---
---                https://www.efa-project.org              ---
--------------------------------------------------------------

Current IP settings for eth0 are:
1) IP                   :  10.10.20.30
2) Netmask              :  255.255.255.0
3) Gateway              :  10.10.20.1
4) DNS Recursion        :  ENABLED
5) Primary DNS          :
6) Secondary DNS        :
7) Hostname             :  spamfilter
8) Domain Name          :  domain.com

e) Return to main menu
Also I would like to know the size limit EFA allows through the email, or is this something on the smarthost of the Exchange?

Thank you for your support.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: design using EFA in production

Post by pdwalker »

DNS recursion enabled allows EFA to do Real time Black List (RBL) lookups using DNS. This means your efa instance can detect more spam.

One restriction for RBLs is the number of queries you make per day. If you make too many requests, they don't give you a useful answer as they effectively block you, and this is especially true if you use a well-trafficked DNS server, like google for instance.

So, best leave it on, and let EFA do RBL lookups.

The size limits depend on every server in the chain. If you want to increase the limits in your system you need to:
- make several changes inside your exchange configuration and that depends on your exchange version
- edit the efa /etc/postfix/main.cf message_size_limit parameter

Of course, the receiving systems may have smaller size limits than you allow, which means your system can send out messages that'll get bounced by the receiving system.

Does that clear things up?
jamerson
Posts: 164
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: design using EFA in production

Post by jamerson »

Thank you so much for your explanation, well explained.
I have an issue now, on the Exchange I configured the Exchange to send using the smarthost using the LAN IP of the EFA, however today I got a call that the emails can't be sent and hang in the queue of the Exchange with the error

Code:

[{LED=450 4.7.1 Client host rejected: cannot find your reverse hostname,
the PTR record of the EFA is correct,
am I supposed to use the external IP of the EFA on the smarthost of the Exchange?
For now I have removed the EFA as smarthost so we can send emails until we get this fixed.

Thank you
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: design using EFA in production

Post by shawniverson »

Simple fix is to add an entry to /etc/hosts for the exchange, then postfix can resolve name and ip.

Other fix is to set up unbound for conditional forwarding, such as described in this post.

viewtopic.php?t=2567

Since this is a common problem, and we encourage use of full recursion, we need to modify EFA-Configure to modify /etc/hosts during configuration of the Outbound Relay.
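The following is an added example (not code from the thread or from eFa) that mirrors the reverse-hostname check behind the "450 4.7.1 Client host rejected: cannot find your reverse hostname" error quoted above, using the "files dns" lookup order: the connecting client's address is looked up in /etc/hosts first, then via a PTR record. The hosts file contents and the PTR table are constructed for the example; the private Exchange address 10.10.20.30 has no public PTR, which is exactly the case the /etc/hosts entry fixes.

```python
# Constructed /etc/hosts contents (assumption: made up for this example).
HOSTS_WITHOUT_FIX = "127.0.0.1   localhost\n"
HOSTS_WITH_FIX = """127.0.0.1   localhost
# entry for the internal Exchange server that relays through EFA
10.10.20.30 mail.domain.com mail
"""

# Constructed PTR data: only the public EFA address has a reverse record.
PTR = {"55.66.7.8": "filter.domain.com"}

REJECT = "450 4.7.1 Client host rejected: cannot find your reverse hostname"


def parse_hosts(text):
    """Map each address in /etc/hosts-style text to its first (canonical) name."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # strip comments, tokenize
        if len(fields) >= 2:
            names.setdefault(fields[0], fields[1])
    return names


def reverse_lookup(ip, hosts_text, ptr=PTR):
    """Resolve an address to a name the way 'hosts: files dns' does:
    consult the hosts file first, fall back to the PTR record."""
    return parse_hosts(hosts_text).get(ip) or ptr.get(ip)


def relay_client_check(ip, hosts_text, ptr=PTR):
    """Model a reverse-hostname restriction on the relay: a client whose
    address has no reverse name gets a temporary 450 rejection."""
    name = reverse_lookup(ip, hosts_text, ptr)
    if name is None:
        return REJECT
    return f"250 client {ip} resolves to {name}"


if __name__ == "__main__":
    # Before and after adding the /etc/hosts entry for the Exchange server.
    print(relay_client_check("10.10.20.30", HOSTS_WITHOUT_FIX))
    print(relay_client_check("10.10.20.30", HOSTS_WITH_FIX))
```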
jamerson
Posts: 164
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: design using EFA in production

Post by jamerson »

Thank you so much guys for your support,
spammy helped me well on the EFA-project channel,
big thank you guys for your support, really appreciate it