A sliver of the marketing department at $client feels very strongly about wheeling email that originates from a trusted $cloudvendor (that rhymes with SmalesHorse) through the MEGs rather than it being sent from the vendor's cloud directly. For the sake of argument, assume there are compelling business reasons to do so to make the most of $cloudvendor's services and metrics. Unfortunately, I don't entirely trust that $marketDepartment's customer database on that cloud vendor is 100% double opt in, and the frequency of their mailings even for double opt in folks is always dancing the line of what folks will eventually get irritated enough with to report as spam.
Accordingly, I'd like our upstream firewall to be able to NAT this outbound email to a separate IP address such that--should spam complaints start coming from this group's mailings--they don't go against our main mail IPs that handle more business-critical mail.
To achieve this goal, I'd like MEG to be able to send certain outbound email out a virtual NIC that has a different IP than the primary interface... so that the upstream firewall can cheerfully NAT it to a separate IP address outbound.
Thoughts... (other than telling the requester to go fly a kite?)?
Due to the way the Linux network stack works I don't think what you want is possible.
What I'd do, if I was asked to do this, is to set up a second virtual appliance dedicated for this group of users and to then relay the mail domain over to that server to then forward for your cloud provider.
Tris is correct. Your best bet is to set up a VM appliance for just these folks to send out that way.
It's a great idea I hadn't considered. Then again I'd like another box and policy to manage like I'd like root canal work. :-) If it's not possible in policy, though, we know what we're up against and can push back accordingly. We'll see how it pans out. :-) Thanks for the feedback!
The virtual hosting feature on MEG would allow you to specify a separate outbound address pool and allow you to use policy-based routing to manage this scenario in a single appliance.
Hope this helps.