You must change the DNS mail exchange (MX) records when you implement Symantec Messaging Gateway in front of a separate MTA that receives inbound messages. The records must point incoming messages to the Symantec Messaging Gateway Scanner or Scanners.
Spammers can look up the previous MTA's MX record if you list Symantec Messaging Gateway as a higher-weighted MX record in addition to the existing MX record. If spammers have the previous MTA's MX record, they can send spam directly to the old server and bypass spam filtering.
To prevent spammers from circumventing the new spam-filtering servers, do one of the following tasks:
Point the MX record at your Symantec Messaging Gateway Scanner or Scanners. Do not point the MX record at downstream MTAs. Remove the previous MTA's MX record from DNS.
Block off the previous MTA from the Internet through a firewall.
Modify the firewall's network address translation (NAT) tables to route external IP addresses to internal non-routable IP addresses. You can then map from the old server to Symantec Messaging Gateway.
When you name Symantec Messaging Gateway, ensure that the name you choose does not imply its function. For example, antispam.yourdomain.com, symantec.yourdomain.com, or antivirus.yourdomain.com are not good choices.
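The following check is an added example, not part of the Symantec documentation. It audits the output of `dig +short MX <domain>` against the DNS and naming guidance above: every MX target must be a Scanner, and no MX hostname should imply its function. The hostnames, the `audit_mx` and `parse_mx` helpers, and the sample records are assumptions constructed for illustration.

```python
import re

# Name fragments the guidance above gives as poor choices (they imply function).
REVEALING_LABELS = ("antispam", "symantec", "antivirus")

def parse_mx(dig_output):
    """Parse `dig +short MX <domain>` lines into sorted (preference, host) tuples."""
    records = []
    for line in dig_output.splitlines():
        m = re.fullmatch(r"\s*(\d+)\s+(\S+?)\.?\s*", line)
        if m:
            records.append((int(m.group(1)), m.group(2).lower()))
    return sorted(records)

def audit_mx(dig_output, scanner_hosts):
    """Return a list of findings; an empty list means the MX set follows the guidance."""
    scanners = {h.lower().rstrip(".") for h in scanner_hosts}
    records = parse_mx(dig_output)
    findings = []
    if not records:
        findings.append("no MX records parsed")
    for pref, host in records:
        # Any MX target that is not a Scanner lets senders skip filtering.
        if host not in scanners:
            findings.append(f"MX {pref} {host}: not a Scanner, mail sent here bypasses filtering")
        # Only the host label is checked, matching the examples in the text.
        first_label = host.split(".")[0]
        for word in REVEALING_LABELS:
            if word in first_label:
                findings.append(f"MX {pref} {host}: name implies function ('{word}')")
    return findings

# Constructed sample data (example.com hostnames are placeholders).
SCANNERS = {"gw1.example.com", "gw2.example.com"}
# Misconfiguration described above: Scanner added alongside the previous MTA's MX.
MX_BEFORE = "10 gw1.example.com.\n20 mail-old.example.com.\n"
# Corrected state: only Scanners are published.
MX_AFTER = "10 gw1.example.com.\n10 gw2.example.com.\n"
# Scanner-only MX set, but the hostname advertises what the host does.
MX_BAD_NAME = "10 antispam.example.com.\n"

if __name__ == "__main__":
    for label, data, hosts in (("before", MX_BEFORE, SCANNERS),
                               ("after", MX_AFTER, SCANNERS),
                               ("bad name", MX_BAD_NAME, {"antispam.example.com"})):
        print(label, audit_mx(data, hosts) or "OK")
```

This covers only the DNS and naming items; the firewall and NAT options have to be verified on the firewall itself.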
If you want to send mail to a downstream MTA, you can specify a downstream load balancer.