Workarounds for a Non-Recommended Mail Relay Configuration
A non-recommended configuration is to have the DLP Gateway scan emails as they are sent from an internal mail relay that is in My Organization to the target mail server on the Internet. In this configuration, the DLP Gateway communicates with the target mail servers on behalf of the mail relay. If the target mail server does not respond, some mail relays (such as McAfee IronMail, Postfix 2.0 or earlier, and qmail) do not try the next DNS MX record, and so do not try to resend the email to another SMTP mail server in the same domain.
- The internal mail server (1) and the internal relay (2) are in My Organization

| Item | Description          |
|------|----------------------|
| 1    | Internal mail server |
| 2    | Internal mail relay  |
| 3    | DLP Gateway          |

- The internal mail server (1) is in My Organization, and there is no other internal mail relay

If the mail relay fails to send an email because the target mail server does not respond, the mail relay resends the email to another SMTP server in the same domain. The relay sends the mail to the next DNS MX record.
Most mail relays try the next MX record if they cannot reach the target, or if the target server returns a 4xx SMTP error. However, other mail relays (such as McAfee IronMail, Postfix 2.0 or earlier, and qmail) do not connect to the next MX if the target server returns a 4xx error. They do not send the email.
In these environments, the DLP Gateway communicates with mail servers on the Internet on behalf of the mail relay. If the target mail server does not respond, the DLP Gateway sends a 4xx response to the mail relay on behalf of the mail server. Therefore, if your mail relay does not try the next MX when the target server returns a 4xx error, no email goes out.
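
The following model is an added illustration, not Check Point code. It walks the MX list the way a relay does and shows why an unresponsive primary MX is harmless when the relay connects directly, but blocks delivery when the DLP Gateway is in the path and the relay does not try the next MX on a 4xx error. The hostnames, function names and the `next_mx_on_4xx` flag are constructed for the example.

```python
# Added illustration (not Check Point code): models the MX fallback behaviour
# described above. Hostnames and function names are constructed for the example.
NO_RESPONSE, TEMPFAIL, DELIVERED = "no response", "4xx", "250"

# Constructed sample: primary MX is down, backup MX accepts mail.
MX_RECORDS = [("mx1.example.com", NO_RESPONSE), ("mx2.example.com", DELIVERED)]

def direct(state):
    """Relay talks to the target server itself and sees its real state."""
    return state

def via_dlp_gateway(state):
    """Gateway sits in the path and answers 4xx for a server that is silent."""
    return TEMPFAIL if state == NO_RESPONSE else state

def relay_send(mx_records, path, next_mx_on_4xx):
    """Walk MX records in preference order.

    Returns (host that accepted the mail or None, list of (host, result seen)).
    """
    attempts = []
    for host, state in mx_records:
        seen = path(state)
        attempts.append((host, seen))
        if seen == DELIVERED:
            return host, attempts
        if seen == TEMPFAIL and not next_mx_on_4xx:
            return None, attempts  # relay stops here; backup MX is never tried
    return None, attempts

def compare(mx_records=MX_RECORDS):
    """Delivery result for each combination of path and relay policy."""
    results = {}
    for path in (direct, via_dlp_gateway):
        for next_mx_on_4xx in (True, False):
            host, _ = relay_send(mx_records, path, next_mx_on_4xx)
            results[(path.__name__, next_mx_on_4xx)] = host
    return results

if __name__ == "__main__":
    for (path, policy), host in compare().items():
        print(f"{path:16} next_mx_on_4xx={policy!s:5} -> {host or 'not sent'}")
```

Only the combination of the gateway path and a relay that stops on 4xx leaves the mail unsent, which is the case the workarounds address.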

- Configure your internal mail relay to re-send when it receives a 4xx error from the target mail server.
- If you cannot configure your mail relay in this way, configure the DLP Gateway between two internal mail servers. For example, put the DLP Gateway in the DMZ with the relay server (see Configuring a Dedicated DLP Gateway and Relay on DMZ).
- If you cannot apply these workarounds, see sk58960.