We were thinking about doing something similar as well. As you stated, you would want to ensure that all mail was dropped, or quarantined. When we finalize our process, I'll let you know.
Now there are 3 of us!
I'm starting to migrate all the configuration from our live Ironmail to a test MEG 7.5 and I also want to redirect/copy some of the original traffic that passes through the Ironmail to the test MEG 7.5.
So far I could not find such options on the Ironmail.
Is there an option to send a copy of certain e-mails to the MEG?
If you are supporting multiple internal domains, you could reroute per domain from IM6 to the MEG (but there is only one copy).
You could also selectively copy email to another address (Content analysis) and use the previous option (now you have 2 copies but not the original).
Or, but I don't know if it's possible, use address rewrite (Address Masquerade) to another domain and add this address as a secondary SMTP address to the recipients. Evidently, email has to flow first to IM6, then to MEG.
Thank you for the information.
For the moment I am testing with the "copy message" option in "Envelope Analysis" (I believe you meant this instead of "Content analysis").
I built a rule where I "copy message" for recipient "Type Group", which contains all the email addresses, and send this to a subdomain email address. The subdomain address is set in the IM6 at "Mail Routing" to my MEG7.
This works, but there are two points:
1. the copied email has no sender address (MAIL FROM:<>)
2. the copied email contains all the spam checks from the IM6 in it
So these mails are not as original when they get to the MEG7 as they are when they arrive at the IM6.
I will see how I can prepare or optimize all the filters in MEG7 with these emails.
3 other things that maybe McAfee can comment on:
- You can log all received e-mail using FTP and SCP in IM6 (Reporting/message archive). I wonder if an SMTP option exists in MEG7?
- You can send a copy of all email to McAfee for their internal analysis of real mail (Intrusion Defender/Mail Firewall/Configure Mail services/Global config). I wonder how this is sent and if it could be rerouted?
- What about a small agent that could do the mail duplication?
Maybe McAfee can explain how they run this in a test environment?
I am not sure if the logged emails in IM6 are not somehow treated and so they can't be imported in the MEG7.5 if we really want to test properly.
I really do not think there is a way to run these in parallel. Since SMTP is based on the handshake between two mail servers, you can't just copy that traffic to another port. Some options would be to create another MX record for the 7.5 and run some low level traffic through that MX record. You could also run them in series; put the 7.5 first with just a few rules enabled, then start to migrate rules over from the 6.7.2.
As you mention, there is no true way to do this in parallel. The copy action, or mail routing options would work OK, but of course the sending IP address will be changed.
Another option is to use the MEG 7 in a transparent mode. Set up the rules so that nothing will be blocked, and just have it log everything and evaluate what it may have done that way. To do a drop-in replacement of the IronMail you would then need to change the operating mode back to explicit proxy and make sure the mail routing rules are corrected. Of course, if MEG 7 took an action in this mode it would be in addition to whatever the IronMail would have done.