Configuration Guide
Google Message Security Google Message Discovery
Although their code does not appear in gd 1.8.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.
Google Compliance Policies Notice: Google assumes no responsibility in connection with the Compliance Policies lexicon-filtering feature, including any failure to recognize credit card or social security numbers that do not follow an applicable pattern as established in Postini's systems or any failure to encrypt a credit card or social security number.
Contents
What This Guide Contains 9
Related Documentation 9
How to Send Comments About This Guide 10
Chapter 1: Introduction to Outbound Configuration 11
    About Outbound Configuration 11
    How to Use This Guide 12
    Prerequisites 13
    Identify Your System 13
    IP Ranges 13
    Set Up Reinjection 14
    Register Your IP in the Administration Console 15
    Increase Server Timeouts 16
    Option 1: Set Up Private Outbound DNS 16
    Option 2: Set Up Smarthost 19
    Test Outbound Mail 19
    Microsoft Exchange Servers 19
    Optional: Configure SPF Records for Outbound Services 20
    Alternate Option: Routing Outbound Mail on Your Firewall 21
Chapter 2: Microsoft Exchange 2003 (Private DNS Method) 23
    About Microsoft Exchange 2003 (Private DNS Method) 23
    Set Up Reinjection 24
    Register Your IP in the Administration Console 25
    Set Up Private Outbound DNS 25
    Test Outbound Mail 28
    Troubleshooting 29
Chapter 3: Microsoft Exchange 2007/2010 (Private DNS Method) 31
    About Microsoft Exchange 2007/2010 (Private DNS Method) 31
    Set Up Reinjection 32
    Register Your IP in the Administration Console 40
    Set Up Private Outbound DNS 40
    Test Outbound Mail 43
    Troubleshooting 44
Chapter 4: Microsoft Exchange 2000/2003 Single Server (Smarthost method) 47
    About Microsoft Exchange 2000/2003 Single-Server 47
    Set Up Reinjection 48
    Register Your IP in the Administration Console 49
    Increase Server Timeouts 49
    Set Up Smarthost 50
    Test Outbound Mail 52
    Troubleshooting 53
Chapter 5: Microsoft Exchange 2000/2003 Multi-Server (Smarthost method) 55
    About Microsoft Exchange 2000/2003 Multi-Server 55
    Choose Smarthost Method 56
    Set Up Reinjection 57
    Register Your IP in the Administration Console 58
    Increase Server Timeouts 58
    Set Up Smarthost 59
    Test Outbound Mail 62
    Troubleshooting 62
Chapter 6: Microsoft Exchange 2007 without an Edge Server (Smarthost method) 65
    About Microsoft Exchange 2007 without an Edge Server 65
    Set Up Reinjection 66
    Register Your IP in the Administration Console 75
    Set Up Smarthost 75
    Test Outbound Mail 81
    Troubleshooting 82
Chapter 7: Microsoft Exchange 2007 with an Edge Server (Smarthost method) 83
    About Microsoft Exchange 2007 with an Edge Server 83
    Set Up Reinjection 84
    Register Your IP in the Administration Console 93
    Set Up Smarthost 93
    Test Outbound Mail 96
    Troubleshooting 97
Chapter 8: Microsoft Exchange 5.5 99
    About Microsoft Exchange 5.5 99
    Set Up Reinjection 100
    Register Your IP in the Administration Console 100
    Set Up Smarthost 100
    Test Outbound Mail 101
Chapter 9: Microsoft Small Business Server 2003 103
    About Microsoft Small Business Server 2003 103
    Set Up Reinjection 104
    Register Your IP in the Administration Console 104
    Set Up Smarthost 104
    Test Outbound Mail 105
Chapter 10: IBM Lotus Domino (Private DNS Method) 107
    About IBM Lotus Domino (Private DNS Method) 107
    Choose a Private DNS Routing Method 108
    Set Up Reinjection 108
    Register Your IP in the Administration Console 109
    Set Up Private DNS (notes.ini file) 109
    Set Up Private DNS (OS Settings) 110
    Test Outbound Mail 111
    Troubleshooting 112
Chapter 11: IBM Lotus Domino (Smarthost Method) 115
    About IBM Lotus Domino (Smarthost Method) 115
    Set Up Reinjection 116
    Register Your IP in the Administration Console 116
    Set Up Smarthost 117
    Test Outbound Mail 117
Chapter 12: Novell Groupwise 119
    About Novell Groupwise 119
    Set Up Reinjection 120
    Register Your IP in the Administration Console 120
    Increase Server Timeouts 120
    Set Up Smarthost 121
    Test Outbound Mail 121
    Troubleshooting 122
Chapter 13: Sendmail 125
    About Sendmail 125
    Set Up Reinjection 126
    Register Your IP in the Administration Console 126
    Increase Server Timeouts 127
    Set Up Smarthost 127
    Test Outbound Mail 127
Chapter 14: Apple Macintosh OS X 129
    About Apple Macintosh OS X 129
    Set Up Reinjection 130
    Register Your IP in the Administration Console 130
    Set Up Smarthost 130
    Test Outbound Mail 131
Chapter 15: Qmail 133
    About Qmail 133
    Set Up Reinjection 134
    Register Your IP in the Administration Console 134
    Increase Server Timeouts 135
    Set Up Smarthost 135
Chapter 16: Postfix 137
    About Postfix 137
    Set Up Reinjection 138
    Register Your IP in the Administration Console 138
    Set Up Smarthost 138
    Test Outbound Mail 139
This guide is intended for mail server administrators who are already familiar with mail server configuration and security. This guide is a supplement to the Message Security Administration Guide. For details about using the features and components of the email security service, see the Message Security Administration Guide. These documents are available on the Postini Support Portal. For details, see How to Send Comments About This Guide on page 10.
Related Documentation
For additional information about Outbound Services and the email security service, refer to the following related documents. For details on how to send comments, see How to Send Comments About This Guide on page 10.
Document                                  Description
Message Security Administration Guide     See the Outbound chapter for information about Outbound Services features, concepts, and administration.
In your email message, please specify the section to which your comment applies. If you want to receive a response to your comments, ensure that you include your name and contact information.
Chapter 1: Introduction to Outbound Configuration
Each of these steps is detailed in an individual section. This chapter also includes information on how to find your system number, and the details of IP addresses to use. This is general information that applies to all mail servers. For information on your specific mail server software, see the appropriate chapter in this book.
This guide contains instructions for the following servers:
    Microsoft Exchange 2003 (Private DNS Method) on page 23
    Microsoft Exchange 2007/2010 (Private DNS Method) on page 31
    Microsoft Exchange 5.5 on page 99
    Microsoft Small Business Server 2003 on page 103
    IBM Lotus Domino (Private DNS Method) on page 107
    IBM Lotus Domino (Smarthost Method) on page 115
    Novell Groupwise on page 119
    Sendmail on page 125
    Apple Macintosh OS X on page 129
    Qmail on page 133
    Postfix on page 137
This guide also contains the following alternate instructions for using a smarthost with Microsoft Exchange:
    Microsoft Exchange 2000/2003 Single Server (Smarthost method) on page 47
    Microsoft Exchange 2000/2003 Multi-Server (Smarthost method) on page 55
    Microsoft Exchange 2007 without an Edge Server (Smarthost method) on page 65
    Microsoft Exchange 2007 with an Edge Server (Smarthost method) on page 83
Because different versions and configurations of Microsoft Exchange require different setup, there are several chapters on Microsoft mail servers. For information about the differences between them, see Microsoft Exchange Servers on page 19.
Prerequisites
Outbound Services is an optional feature. For more information about your service package and options, contact your account manager or vendor. Before you configure Outbound Services, you need a server that can:
    Allow a safe private relay from an external address
    Route outbound mail using a smarthost (a server that accepts outbound mail and passes it on to the recipient) or an external DNS server (a server that provides routing information; available for supported mail servers)
    Send mail from a consistent IP address
Instructions are included in this guide for most common mail servers. If you are using another server not listed in this guide, consult your server documentation to find out how to allow a private relay and set up a smarthost (or external DNS server). Also, for information about Outbound Services, see the Outbound chapter of the Message Security Administration Guide.
Identify Your System
URL displayed for an account on System 200 when logged in to the Message Center:
https://mc-s200.postini.com/app/msgctr/junk_quarantine
IP Ranges
You will need to enter an IP range to allow a private relay. The proper IP range depends on your system number in the email security service. To find your system number, see Identify Your System on page 13. The following are the IP ranges for the email security service systems.
IP Range                            CIDR Range
64.18.0.0 mask 255.255.240.0        64.18.0.0/20
74.125.148.0 mask 255.255.252.0     74.125.148.0/22
74.125.244.0 mask 255.255.252.0     74.125.244.0/22
207.126.144.0 mask 255.255.240.0    207.126.144.0/20
Set Up Reinjection
Reinjection is the process of queueing a message back to the customer's server when it cannot be delivered due to conflicting SMTP errors after DATA. The reinjection host is often the same server as the outbound server, but this is not required. Reinjection is necessary to avoid unexpected mail loss for messages sent to multiple recipients. Fewer than 0.1% of all messages are reinjected.
Before you can route mail through Outbound Services, the Administration Console checks that your reinjection host is configured to allow the email security service IP addresses to relay for external recipients. You may have already set up your mail server and firewall to accept messages from the email security service, but reinjection requires further access. Your reinjection server must accept mail from the email security service and send it out again. This is called a private relay.
Configure your mail server and firewall to accept email only from the email security service. Your reinjection host needs to accept all email from the email security service's outbound servers. From your server's perspective, the email security service's delivery servers should be considered trusted servers. Allow relaying only from the email security service's IP range and other trusted relay servers. If you have multiple mail servers, specify which server (or servers) will act as the reinjection host, and be sure that server can route mail back to the email security service.
Be careful when you set up a private relay. If you allow all IP addresses to pass mail through your server, your mail server will become an open relay. This leaves your mail server vulnerable to hijacking from malicious senders. Setting up a private relay is safer than an open relay, since malicious outsiders cannot use a private relay in the same way.
Setting up reinjection is different for every mail server type. For step-by-step instructions for setting up reinjection, see the appropriate chapter in this guide for your mail server.
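The relay rule described above, worked through as an added example that is not part of this guide. The four service ranges are the ones listed under IP Ranges; the trusted internal relay 10.20.30.0/24, the local domain example.com and the sample connections are constructed for the example. The same decision is what the Relay dialogs in the Exchange chapters and the relay settings of the other mail servers express in their own configuration.

```python
import ipaddress

# Email security service ranges from the IP Ranges section of this guide.
SERVICE_RANGES = [ipaddress.ip_network(n) for n in (
    "64.18.0.0/20", "74.125.148.0/22", "74.125.244.0/22", "207.126.144.0/20",
)]

# Constructed for this example: your own trusted relay network and the
# domains your server hosts.
TRUSTED_RELAYS = [ipaddress.ip_network("10.20.30.0/24")]
LOCAL_DOMAINS = {"example.com"}


def may_relay(client_ip, rcpt, trusted=TRUSTED_RELAYS, local_domains=LOCAL_DOMAINS):
    """Decide one RCPT TO from client_ip: 'accept' or 'reject'.

    Mail for a local domain is ordinary inbound delivery and is always accepted.
    Mail for any other domain is relaying; it is accepted only from the service
    ranges (reinjection) or from your own trusted relays. Accepting it from
    anyone else is exactly what makes the host an open relay.
    """
    addr = ipaddress.ip_address(client_ip)
    domain = rcpt.rpartition("@")[2].lower()
    if domain in local_domains:
        return "accept"
    if any(addr in net for net in SERVICE_RANGES + list(trusted)):
        return "accept"
    return "reject"


def audit_relay_allow_list(allowed):
    """Check a relay allow-list (CIDR strings) against the service ranges.

    Reports any service range the list does not fully cover (reinjection from
    that range would be refused) and whether the list contains 0.0.0.0/0, the
    'allow everyone' entry that turns the server into an open relay.
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in allowed]
    missing = [str(s) for s in SERVICE_RANGES if not any(s.subnet_of(n) for n in nets)]
    open_relay = any(n.prefixlen == 0 for n in nets)
    return {"missing_service_ranges": missing, "open_relay": open_relay}


def relay_ranges_as_masks():
    """Render the service ranges as 'network mask' pairs, the form used by the
    IP Ranges table and by the Exchange Relay dialog."""
    return [f"{net.network_address} mask {net.netmask}" for net in SERVICE_RANGES]
```

Run `audit_relay_allow_list` over the entries you typed into your mail server's relay dialog: an empty `missing_service_ranges` list and `open_relay` false is the state the Administration Console's reinjection test and the external open-relay tests referenced later in this guide both expect.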
Register Your IP
1. Log in to the Administration Console. Select your email config and go to the Outbound Servers tab.
2. Click Add Record and enter the following data.
Accepted IP Ranges
Enter a starting and ending IP for your outbound mail server. Use external IP addresses. You must register the external IP address range of your mail servers that are sending messages to the email security service. To avoid third-party abuse, Outbound Services will reject all outbound mail from IP addresses other than those listed. If you have only one IP address, enter that IP address in both fields. Each range you enter must be unique. You cannot add the same IP range to multiple email configs.
Note: The address range must be within a single class C address space. The IP range must be sequential. If you have non-sequential IPs or a range that spans multiple class C addresses, add them as separate IP ranges. Add the first range, then come back and add each later range once you are done.
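The splitting rule in the Note, as an added example that is not part of this guide: a start/end pair that crosses a class C boundary is broken into the per-/24 sequential ranges the Administration Console will accept, and an unordered list of outbound server addresses is collapsed into the smallest set of such ranges. The addresses used are constructed from the 198.51.100.0/24 documentation range.

```python
import ipaddress


def split_accepted_range(start_ip, end_ip):
    """Split start..end into sequential ranges that each stay inside one /24.

    Returns (start, end) string pairs in the order you would enter them as
    separate Accepted IP Ranges records.
    """
    start, end = ipaddress.IPv4Address(start_ip), ipaddress.IPv4Address(end_ip)
    if end < start:
        raise ValueError("end address precedes start address")
    ranges = []
    cursor = start
    while True:
        class_c_end = ipaddress.IPv4Address(int(cursor) | 0xFF)   # x.y.z.255
        stop = min(class_c_end, end)
        ranges.append((str(cursor), str(stop)))
        if stop == end:
            return ranges
        cursor = stop + 1            # first address of the next class C


def accepted_ranges_for(addresses):
    """Collapse an unordered set of outbound server addresses into the minimal
    number of sequential, single-/24 ranges.

    Non-sequential addresses, and addresses in different class Cs, land in
    separate records, as the Note requires.
    """
    ordered = sorted({ipaddress.IPv4Address(a) for a in addresses})
    ranges = []
    for addr in ordered:
        if ranges:
            first, last = ranges[-1]
            same_class_c = int(first) >> 8 == int(addr) >> 8
            if int(last) + 1 == int(addr) and same_class_c:
                ranges[-1] = (first, addr)
                continue
        ranges.append((addr, addr))
    return [(str(a), str(b)) for a, b in ranges]
```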
Reinjection Host
Enter the IP address of your reinjection host. This is the machine you set up to allow a private relay. This should be the IP address of a mail server that will accept mail from the email security service and send that mail back out again. You can enter multiple reinjection hosts, and specify a load balance between them. You can also specify failover servers for reinjection. Normally, this is not necessary and these fields can be left blank. You can also enter a hostname for the reinjection server instead of an IP address. However, you should not do so if the reinjection server has an MX record that routes mail back to the email security service. Use the IP range instead.
3. Click the Save button. When you click Save, the Administration Console will test your reinjection host to confirm the private relay is set up properly. If your mail server has not been set up to allow Outbound Services to act as a private relay, see Set Up Reinjection on page 14 for information about how to set up a private relay.
4. If you have more than one outbound server IP range, add additional records. Go back to step 2 and register each IP range separately using the same instructions.
After you have successfully added your IP address, you can set up a smarthost (or external DNS) safely.
Supported Servers
Private Outbound DNS Service works with all common mail servers. Configuration steps are provided for Microsoft Exchange 2003 and 2007/2010, and IBM Lotus Domino. Other mail servers will be documented in the future. For other mail servers, please refer to your mail server product documentation on DNS configuration.
where [your system number] is your system number. For instance, if you are using System 6, your smarthost address is
outbounds6.obsmtp.com
To find your system number, see Identify Your System on page 13. Setting up a smarthost is different for every server. For step-by-step instructions for setting up a smarthost, see the appropriate chapter in this guide for your mail server.
Microsoft Exchange Servers
For Microsoft Exchange 2000, or Microsoft Exchange 2003 without Private Outbound DNS, different instructions apply depending on whether your network includes a single mail server, or multiple linked mail servers. If you are using a single server, see Microsoft Exchange 2000/2003 Single Server (Smarthost method) on page 47. If you are using multiple linked servers, see Microsoft Exchange 2000/2003 Multi-Server (Smarthost method) on page 55.
If you are using Microsoft Exchange 2007 and do not want to use Private Outbound DNS, different instructions apply depending on whether your network includes an Edge Server. If you are using an Edge Server, see Microsoft Exchange 2007 with an Edge Server (Smarthost method) on page 83. Otherwise, see Microsoft Exchange 2007 without an Edge Server (Smarthost method) on page 65.
If you are using Small Business Server 2000, you can use the instructions in Microsoft Exchange 2000/2003 Single Server (Smarthost method) on page 47. Small Business Server 2003 requires more specific configuration; see Microsoft Small Business Server 2003 on page 103.
where [your domain] is the domain you use for outgoing mail. Note the trailing period in your domain. Then add the following TXT Record to spf.[your domain]:
spf.[your domain]. IN TXT "v=spf1 ip4:207.126.144.0/20 ip4:64.18.0.0/20 ip4:74.125.148.0/22 ip4:[your IP allocations] ~all"
where [your domain] is the domain you use for outgoing mail, and [your IP allocations] are the IP addresses of your own mail servers, in CIDR format. For a list of IP addresses, see IP Ranges in the Administration Guide. For example, if your domain is electric-automotive.com, add the following two TXT records:
electric-automotive.com. IN TXT "v=spf1 include:spf.electric-automotive.com -all"
spf.electric-automotive.com. IN TXT "v=spf1 ip4:207.126.144.0/20 ip4:64.18.0.0/20 ip4:74.125.148.0/22 ip4:[your IP allocations] ~all"
If you need help with more complex SPF records, consult the SPF wizard on the Open SPF website to find out how to add your servers to the SPF entries described above:
http://www.openspf.org/wizard.html
Publishing an SPF record following the format described by the SPF wizard should not affect inbound mail flow.
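The two-record scheme above evaluated in code, as an added example that is not part of this guide: a minimal SPF checker that understands the three mechanisms the records use (ip4, include, all), reads TXT data from an in-memory table instead of DNS so it runs offline, and answers the question a mail administrator actually has before publishing, namely which sending addresses will pass, softfail or fail. The domain is the guide's own example; the guide's [your IP allocations] placeholder is filled with the documentation range 198.51.100.0/24 for the sake of the example.

```python
import ipaddress

# Constructed TXT records mirroring the two-record layout in this section.
# "ip4:198.51.100.0/24" stands in for the guide's "[your IP allocations]".
TXT_RECORDS = {
    "electric-automotive.com": "v=spf1 include:spf.electric-automotive.com -all",
    "spf.electric-automotive.com": (
        "v=spf1 ip4:207.126.144.0/20 ip4:64.18.0.0/20 ip4:74.125.148.0/22 "
        "ip4:198.51.100.0/24 ~all"
    ),
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, records=TXT_RECORDS, depth=0):
    """Evaluate the SPF record for `domain` against a sending `ip`.

    Only the mechanisms the guide's records use are implemented: ip4, include
    and all. TXT data comes from `records` rather than DNS, so the check runs
    offline; feed it live TXT data to audit a real zone. Result strings follow
    RFC 7208: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                      # RFC 7208 limit on nested lookups
        return "permerror"
    record = records.get(domain.rstrip(".").lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism == "ip4":
            if addr.version == 4 and addr in ipaddress.ip_network(argument, strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            inner = check_spf(ip, argument, records, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"      # a broken include breaks the outer record
            # fail, softfail or neutral from the include is simply "no match"
        else:
            return "permerror"          # mechanism this checker does not implement
    return "neutral"                    # record ended without an 'all' term


def spf_results_for(ips, domain="electric-automotive.com", records=TXT_RECORDS):
    """Map each candidate sending address to its SPF result for `domain`."""
    return {ip: check_spf(ip, domain, records) for ip in ips}
```

Two points the results make visible: the inner record's ~all only governs lookups made directly against spf.[your domain]; through the include in the top record, a non-matching address falls to that record's -all and fails outright. And 74.125.244.0/22, which the IP Ranges section lists as a service range, is not among the ip4 terms shown above, so mail leaving from that range would fail this record; include every range the IP Ranges section lists, and one ip4 term per allocation of your own.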
Chapter 2: Microsoft Exchange 2003 (Private DNS Method)
Microsoft Exchange Server 2003 is designed as a high-end, scalable system. Microsoft Exchange 2003 servers can be set up to work together in a large email network. It is possible to route all outbound mail through the Email Security Server without affecting the flow of internal mail between servers.
Smarthost solutions for Microsoft Exchange can cause mail queueing delays. Private Outbound DNS Service is designed to ease setup and prevent queueing delays. These steps show how to set Microsoft Exchange 2003 to use Private Outbound DNS to route mail to the email security service. Private Outbound DNS is recommended over smarthost for Exchange 2003. To use a traditional smarthost method, see Microsoft Exchange 2000/2003 Single Server (Smarthost method) on page 47 for single-server environments, or Microsoft Exchange 2000/2003 Multi-Server (Smarthost method) on page 55 for multi-server environments.
These instructions provide steps to route mail to Outbound Services and are designed to work with a majority of Microsoft Exchange 2003 deployments.
An important concept in Exchange 2000/2003 multi-server environments is the bridgehead server. A bridgehead server is a mail server that connects to the Internet. Other servers route outgoing mail to the bridgehead server, which forwards mail to the Internet. Most of the configuration in this chapter applies only to the bridgehead server.
Legal Disclaimer
This guide describes how Postini products work with Microsoft Exchange and the configurations that Postini recommends. These instructions are designed to work with the most common Microsoft Exchange scenarios. Any changes to Microsoft Exchange configuration should be made at the discretion of your Microsoft Exchange administrator.
Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products. In the event of a Microsoft Exchange issue, you should consult your Microsoft Exchange administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options. Links to Microsoft Exchange Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.
Set Up Reinjection
Before you can register your IP addresses in the Administrative Console or set up a Private DNS Service, you must allow reinjection. For an overview of reinjection concepts, see Set Up Reinjection on page 14. To allow reinjection, configure the IP ranges for Outbound Services to be a trusted relay.
Set up a trusted relay
1. Select the Start Menu -> Programs -> Microsoft Exchange -> System Manager.
2. Expand the top level -> Servers -> <Your Mail Server> -> Protocols -> SMTP.
3. Right-click Default SMTP Virtual Server and select Properties.
4. Click the Access tab.
5. Click Relay.
6. Add IP ranges and other trusted relay servers and click OK to get back to the Access tab. For a list of IP ranges, see IP Ranges on page 13.
7. Click the Connection button.
8. If the Connection list is set to Only the list below, then add the same IP ranges.
9. Click OK to get back to the Access tab and click OK to close the Default SMTP Virtual Server Properties.
10. If the reinjection servers are not outbound servers, then configure all servers along the mail flow between the reinjection server and the outbound server to allow the reinjection server to relay mail traffic through them.
11. Stop and restart the SMTP services.
Set Up Private Outbound DNS
2. Expand the top level -> Servers -> <Your Mail Server> -> Protocols -> SMTP.
3. Right-click Default SMTP Virtual Server and select Properties.
6. If you have a smarthost set to point to Outbound Services for mail filtering, clear the smarthost. Private Outbound DNS will replace your smarthost for routing.
7. Click Configure.
8. Click Add and enter the appropriate IP address for your system. Click OK.
The appropriate IP address depends on your system. To find which system you use, see Identify Your System on page 13.
System    IP Address to use for Private Outbound DNS
5         64.18.4.12
6         64.18.5.12
7         64.18.6.12
8         64.18.7.12
9         74.125.148.12
10        74.125.244.12
20        64.18.9.14
          207.126.147.11
          207.126.154.11
9. Click OK again. You should see your IP address listed as an External DNS.
10. Click OK twice to return to the System Manager.
11. In System Manager, restart your mail server.
Test Outbound Mail
1. Go to the Queues tab in Internet Mail Service Properties. Items with a retry state could indicate outbound mail delays.
2. Send a message from a mail client inside your network to an outside address. You should see a line in the email header which indicates that the message was received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.
3. Test inbound mail to confirm normal functionality. Send a message from an outside email address to an address on your service.
4. In the Administration Console, select your email config organization and click the Outbound Servers tab. After a minute of successful mail flow, traffic should display on the graph.
5. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking from spammers and will most likely cause an interruption in service. Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings. If you see an uncertain response (such as maybe or warning), check that your private relay settings are correct. See Set Up Reinjection on page 24 for the correct private relay settings.
Troubleshooting
Because Microsoft Exchange is a third-party product, this document cannot include complete troubleshooting steps. For further troubleshooting information, see the Microsoft site for External DNS instructions:
http://technet.microsoft.com/en-us/library/bb124221(EXCHG.65).aspx
http://support.microsoft.com/kb/284204
You can also find more information in the Microsoft Exchange Server 2003 Transport and Routing Guide:
http://www.microsoft.com/downloads/details.aspx?familyid=C092B7A7-9034-4401-949C-B29D47131622&displaylang=en
How can I be sure my firewall allows a connection to Private Outbound DNS?
Your sending mail server needs to be able to reach the message security service using DNS on UDP port 53. If you are not sure your network settings allow your mail server to connect to an external DNS host on UDP port 53, run the following test on your mail server:
1. In a DOS command prompt, type nslookup.
2. Note your current default server.
3. In the nslookup prompt, type set q=mx and hit return.
4. In the nslookup prompt, type gmail.com and hit return to get the gmail.com IP address.
5. In the nslookup prompt, type server [IP address] and hit return. For instance, if you are on system 8, type server 64.18.7.12 and hit return. If you are using a different system number, use the appropriate IP address for that system.
6. In the nslookup prompt, type gmail.com again. You should see a different IP address now. If you see an error message, your network settings are blocking your DNS connection.
7. In the nslookup prompt, type server [old default server] to restore your default server. Substitute your previous default server name for [old default server].
8. Press Control-C to exit nslookup.
Chapter 3: Microsoft Exchange 2007/2010 (Private DNS Method)
Smarthost solutions for Microsoft Exchange can cause mail queueing delays. Private Outbound DNS Service is designed to ease setup and prevent queueing delays. These steps show how to set Microsoft Exchange 2007 to use Private Outbound DNS to route mail to the email security service. Private Outbound DNS is recommended over smarthost for Exchange 2007. To use a traditional smarthost method, see Microsoft Exchange 2007 with an Edge Server (Smarthost method) on page 83 for networks that include an Edge server, and Microsoft Exchange 2007 without an Edge Server (Smarthost method) on page 65 for networks that do not include an Edge server.
These instructions provide steps to route mail to Outbound Services and are designed to work with a majority of Microsoft Exchange 2007 deployments.
Microsoft Exchange 2007 includes a concept that did not exist in previous versions of Microsoft Exchange: different servers are assigned distinct, concrete roles. Two important roles are the Hub server and the Edge server. The Hub server is the center of message routing. The Edge server provides a connection with the outside Internet. Not all networks use an Edge server. You will make most changes on the Hub server.
Microsoft Exchange 2010 uses the same steps for setting up Private DNS. If you are using Microsoft Exchange 2010, follow these steps to set up outbound mail with Private DNS.
Legal Disclaimer
This guide describes how Postini products work with Microsoft Exchange and the configurations that Postini recommends. These instructions are designed to work with the most common Microsoft Exchange scenarios. Any changes to Microsoft Exchange configuration should be made at the discretion of your Microsoft Exchange administrator.
Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products. In the event of a Microsoft Exchange issue, you should consult your Microsoft Exchange administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options. Links to Microsoft Exchange Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.
Set Up Reinjection
Before you can register your IP addresses in the Administrative Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see Set Up Reinjection on page 14.
For most configurations of Exchange 2007 and 2010, a sender must provide authentication to relay mail from outside sources. However, SMTP authentication is not possible for reinjection. Instead, create a private relay to allow reinjection. The simplest way to create a relay in Exchange 2007 or 2010 is to create a receive connector, limit the connector to an appropriate set of IP addresses, and allow anonymous connections.
There are two ways to set up a private relay for Exchange 2007 and 2010: allowing anonymous access, or an externally secured connector.
    Allow Anonymous Access: Easier to configure, and more reliable. Reinjected messages are considered anonymous. However, this method is not compatible with ResolveP2, and messages will be filtered with Microsoft Exchange 2007/2010 anti-spam filtering.
    Externally Secured Connector: This method requires additional effort, but is compatible with ResolveP2, and reinjected messages bypass anti-spam filtering.
Allow Anonymous Access is the better choice in most cases. If you are using ResolveP2, or if reinjected messages are caught by anti-spam filters, use an Externally Secured Connector instead. Whichever method you use, first create the receive connector.
5. Name the connector Reinjection and choose Next.
6. You will see the Local Network Settings page. If you haven't made any customizations to the IP settings of the Hub Server, keep the defaults. Otherwise, use the settings appropriate for your customization.
7. Click Next to go to the Remote Network settings page. Click the default range that is input by the system and click Edit.
8. You will see the Edit Remote Servers box. Enter the appropriate IP range. For a list of IP ranges, see IP Ranges on page 13.
1. Double-click your new connector and choose the Permission Groups tab.
2. Check the Anonymous Users checkbox.
3. Choose OK.
4. Open the Exchange Management Shell from Start -> Programs -> Microsoft Exchange Server 2007 (or 2010) -> Exchange Management Shell.
5. Type the following command on one line:
Get-ReceiveConnector "Reinjection" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
5. Select Use these DNS servers and enter the appropriate IP address for your system. Press Enter to add the address. The appropriate IP address depends on your system. To find what system to use, see Identify Your System on page 13.
System    IP Address to use for Private Outbound DNS
5         64.18.4.12
6         64.18.5.12
7         64.18.6.12
8         64.18.7.12
9         74.125.148.12
10        74.125.244.12
20        64.18.9.14
6. Click Apply, then click OK to close the dialog box.
7. In the Exchange Management Console, go to Organization Configuration -> Hub Transport.
8. Click the Send Connectors tab.
9. Select the Send Connector you use to route mail to the Internet.
10. Right-click this Send Connector and select Properties.
11. Go to the Network tab.
12. Choose Use domain name system (DNS) MX records to route mail automatically. Do not route mail through a smart host.
13. Check Use the External DNS Lookup settings on the transport server.
14. Click OK to exit the dialog.
15. In the Exchange Management Console, restart your server.
Test Outbound Mail
1. Go to the Queues tab in Internet Mail Service Properties. Items with a retry state could indicate outbound mail delays.
2. Send a message from a mail client inside your network to an outside address. You should see a line in the email header which indicates that the message was received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.
3. Test inbound mail to confirm normal functionality. Send a message from an outside email address to an address on your service.
4. In the Administration Console, select your email config organization and click the Outbound Servers tab. After a minute of successful mail flow, traffic should display on the graph.
5. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking from spammers and will most likely cause an interruption in service. Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings. If you see an uncertain response (such as maybe or warning), check that your private relay settings are correct. See Set Up Reinjection on page 32 for the correct private relay settings.
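One way to carry out step 2 (here and in the identical test in the Exchange 2003 chapter) without reading headers by eye, as an added example that is not part of this guide. It walks the Received: headers of a test message and reports whether some hop was stamped by an obsmtp.com host (your server handed the message to Outbound Services) and whether a later hop was received from an obsmtp.com host whose connecting address really lies in the service ranges. The hostname in a "from" clause is asserted by the connecting client, so only the bracketed IP recorded by the receiving server is used to back up that claim. The two sample messages are constructed, not captured: exprod5ob104.obsmtp.com follows the exprodNobM.obsmtp.com pattern the step describes, 64.18.0.17 lies in the ranges from IP Ranges, and mail.example.com, mx.destination.example, 198.51.100.25 and 203.0.113.9 are placeholders.

```python
import email
import ipaddress
import re
from email import policy

# Email security service ranges from the IP Ranges section of this guide.
SERVICE_RANGES = [ipaddress.ip_network(n) for n in (
    "64.18.0.0/20", "74.125.148.0/22", "74.125.244.0/22", "207.126.144.0/20",
)]

# Outbound Services hosts appear in headers as exprodNobM.obsmtp.com.
OBSMTP_HOST = re.compile(r"^exprod\d+ob\d+\.obsmtp\.com$", re.IGNORECASE)
# "from <host> (<comment>) by <host>" as most MTAs write it; the comment holds
# the connecting IP the receiving server observed, in square brackets.
HOP = re.compile(r"from\s+(?P<from>\S+)\s*(?:\((?P<comment>[^)]*)\))?\s*by\s+(?P<by>\S+)",
                 re.IGNORECASE)
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample 1: a message that went out through the service.
VIA_SERVICE = (
    "Received: from exprod5ob104.obsmtp.com (exprod5ob104.obsmtp.com [64.18.0.17])\n"
    "\tby mx.destination.example with ESMTP id k3q9; Mon, 01 Mar 2010 10:00:02 -0800\n"
    "Received: from mail.example.com ([198.51.100.25])\n"
    "\tby exprod5ob104.obsmtp.com with SMTP; Mon, 01 Mar 2010 10:00:01 PST\n"
    "From: alice@example.com\nTo: bob@destination.example\nSubject: outbound test\n\nhello\n"
)
# Constructed sample 2: the obsmtp.com name is claimed, but the connecting
# address is outside the service ranges, so the claim is not backed up.
CLAIMED_ONLY = (
    "Received: from exprod5ob104.obsmtp.com (unknown [203.0.113.9])\n"
    "\tby mx.destination.example with ESMTP; Mon, 01 Mar 2010 10:00:02 -0800\n"
    "From: alice@example.com\nTo: bob@destination.example\nSubject: test\n\nhello\n"
)


def in_service_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SERVICE_RANGES)


def verify_service_handoff(raw_message):
    """Parse Received: headers and report how the message reached the service."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    # Unfold each header onto one line so the regexes see "from ... by ..." whole.
    hops = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]
    report = {"received_by_service": False, "delivered_from_service": False, "hops": []}
    for hop in hops:
        m = HOP.search(hop)
        if not m:
            report["hops"].append({"raw": hop, "parsed": False})
            continue
        client_ips = BRACKETED_IP.findall(m.group("comment") or "")
        by_service = bool(OBSMTP_HOST.match(m.group("by").rstrip(";,")))
        from_service = (bool(OBSMTP_HOST.match(m.group("from")))
                        and any(in_service_range(ip) for ip in client_ips))
        report["hops"].append({"from": m.group("from"), "by": m.group("by"),
                               "client_ips": client_ips,
                               "from_service": from_service, "by_service": by_service})
        report["received_by_service"] |= by_service
        report["delivered_from_service"] |= from_service
    return report
```

Feed the function the raw source of the test message as received at the outside address; both flags true is the outcome step 2 describes, and a message with neither flag set still went out directly, which for Exchange usually means a leftover smarthost or Send Connector setting.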
Troubleshooting
Because Microsoft Exchange is a third party product, this document cannot include complete troubleshooting steps. For further troubleshooting information, see the Microsoft article Configuring DNS Settings for Exchange 2007 Servers on the Microsoft website: http://technet.microsoft.com/en-us/library/bb124896(EXCHG.80).aspx
How can I be sure my firewall allows a connection to Private Outbound DNS?
Your sending mail server needs to be able to reach the message security service using DNS on UDP port 53. If you are not sure your network settings allow your mail server to connect to an external DNS host on UDP port 53, run the following test on your mail server:
1. In a DOS command prompt, type nslookup.
2. Note your current default server.
3. In the nslookup prompt, type set q=mx and hit return.
4. In the nslookup prompt, type gmail.com and hit return to get the gmail.com IP address.
5. In the nslookup prompt, type server [IP address] and hit return. For instance, if you are on system 8, type server 64.18.7.12 and hit return. If you are using a different system number, use the appropriate IP address for that system.
6. In the nslookup prompt, type gmail.com again. You should see a different IP address now. If you see an error message, your network settings are blocking your DNS connection.
7. In the nslookup prompt, type server [old default server] to restore your default server. Substitute your previous default server name for [old default server].
8. Press Control-C to exit nslookup.
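The nslookup test above (and the identical one in the Exchange 2003 chapter) done programmatically, as an added example that is not part of this guide. The script builds an MX query for gmail.com by hand, sends it over UDP port 53 straight to the Private Outbound DNS address for System 8 from the table in this chapter (which is what nslookup's server command does interactively), and parses the reply itself, so nothing depends on the resolver configured on the host. A timeout means the path to UDP 53 is blocked. The constructed_response helper assembles a hand-made reply (not captured traffic) so the parser can be exercised offline.

```python
import random
import socket
import struct

# Private Outbound DNS address for System 8, from the table in this guide.
PRIVATE_DNS_SYSTEM_8 = "64.18.7.12"
QTYPE_MX, QCLASS_IN = 15, 1


def build_mx_query(name, txid):
    """One-question DNS query (RD=1) for the MX records of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_MX, QCLASS_IN)


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(msg, expected_txid):
    """Return the RCODE and the (preference, exchange) pairs in the answer."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    for _ in range(qdcount):                            # skip the question
        _, offset = _read_name(msg, offset)
        offset += 4
    mx = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_MX:
            preference = struct.unpack("!H", msg[offset:offset + 2])[0]
            exchange, _ = _read_name(msg, offset + 2)
            mx.append((preference, exchange))
        offset += rdlen
    return {"rcode": flags & 0x000F, "mx": sorted(mx)}


def constructed_response(txid):
    """Hand-built reply (not captured traffic): one MX answer using compression."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = build_mx_query("gmail.com", txid)[12:]
    rdata = struct.pack("!H", 10) + b"\x02mx\xc0\x0c"   # "10 mx.gmail.com"
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_MX, QCLASS_IN, 300, len(rdata)) + rdata
    return header + question + answer


def check_private_dns(server_ip, name="gmail.com", timeout=5.0):
    """Query `server_ip` directly on UDP 53; a timeout means the path is blocked."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_mx_query(name, txid), (server_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return {"reachable": False, "mx": []}
    return {"reachable": True, **parse_response(data, txid)}


if __name__ == "__main__":
    print(check_private_dns(PRIVATE_DNS_SYSTEM_8))
```

As the guide notes for the nslookup version, the answer from the Private Outbound DNS address is expected to differ from what your usual resolver returns; the point of the check is that an answer arrives at all.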
I am still seeing mail queueing
Your mail is still being routed through a smarthost. Try the following steps:
1. If you set up a smarthost to route mail to Outbound Servers, disable the smarthost.
2. Restart your mail server.
Chapter 4
This chapter describes how to set up Outbound Services for an environment with a single Microsoft Exchange Server 2000/2003 using a smarthost. The recommended method for setting up Outbound Servers with Microsoft Exchange 2003 is Private Outbound DNS. For more information, see Microsoft Exchange 2003 (Private DNS Method) on page 23. If your environment has multiple mail servers, recommended configurations are slightly different. See Microsoft Exchange 2000/2003 Multi-Server (Smarthost method) on page 55 for information on multi-server environments.
Legal Disclaimer
This guide describes how Postini products work with Microsoft Exchange and the configurations that Postini recommends. These instructions are designed to work with the most common Microsoft Exchange scenarios. Any changes to Microsoft Exchange configuration should be made at the discretion of your Microsoft Exchange administrator.
Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products. In the event of a Microsoft Exchange issue, you should consult your Microsoft Exchange administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options. Links to Microsoft Exchange Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.
Set Up Reinjection
Before you can register your IP addresses in the Administrative Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see Set Up Reinjection on page 14.
Configure Outbound Services IP ranges to be a trusted relay
1. Select the Start Menu -> Programs -> Microsoft Exchange -> System Manager.
2. Expand the top level -> Servers -> <Your Mail Server> -> Protocols -> SMTP.
3. Right-click Default SMTP Virtual Server and select Properties.
4. Click the Access tab.
5. Click Relay.
6. Click the Relay button.
7. Add IP ranges and other trusted relay servers and click OK to get back to the Access tab. For a list of IP ranges, see IP Ranges on page 13.
8. Click the Connection button.
9. If the Connection list is set to Only the list below, then add the same IP ranges.
10. Click OK to get back to the Access tab, and click OK to close the Default SMTP Virtual Server Properties.
11. If the reinjection servers are not outbound servers, then all servers along the mail flow between the reinjection server and the outbound server must be configured to allow the injection server to relay mail traffic through them.
12. Stop and restart the SMTP services.
Increase Server Timeouts
1. Select the Start Menu -> Programs -> Microsoft Exchange -> System Manager.
2. Expand the top level -> Servers -> <Your Mail Server> -> Protocols -> SMTP. Right-click the Virtual Server used for outbound routing.
3. Click the Delivery tab.
4. At the bottom of the Properties window, click Outbound Connections.
5. Set the Time-out (minutes) value to 15 or more.
6. Click OK to close Outbound Connections.
7. Click OK to close Virtual Server Properties.
Set Up Smarthost
There are two ways to set up a smarthost in a Microsoft Exchange 2000/2003 environment. Setting up an SMTP connector alone can cause delays, since any failed outbound message will cause an interruption of mail flow. To prevent interruption of mail flow, you can route outbound mail with a Virtual Server, or you can configure a connector and reduce the retry interval.
Configure a Virtual Server, and point SMTP connectors to that server. This requires additional setup effort, but minimizes delays. This is the recommended method. Use this method if you do not have any connectors.
Configure a Connector, and reduce the retry interval on your server. When an outbound message fails, the connector will continue to retry every minute. However, this method can cause delays.
Configure a Virtual Server
1. Right-click Default SMTP Virtual Server and select Properties. Click the Delivery tab.
2. Click the Advanced button in the lower right-hand corner of the dialog.
3. On the General tab, type in the appropriate hostname listed below in the field labeled Forward all mail through this connector to the following smart hosts. Forward outbound mail to
   outbounds[your system number].obsmtp.com
   where [your system number] is your system number. To find what system to use, see Identify Your System on page 13.
4. Click OK to close the Advanced dialog and OK to save the changes and close SMTP Virtual Server Properties.
Limit Address Space
If you are using this method, and you have SMTP Connectors, check all Connectors associated with the Virtual Server. Limit the Address Space to only local domains, whose traffic should not be routed to Outbound Services. For each connector:
1. Right-click the connector and click Properties.
2. Click the Address Space tab.
3. Remove the asterisk (*) entry and replace it with your own domain and any other domains that should be routed locally.
Configure a Connector
For each SMTP virtual server connector in the environment which is designated as a bridgehead:
1. Right-click the SMTP Virtual Server and select Properties.
2. Click the Delivery tab.
3. Under Outbound, change the default values to the following:
   First retry interval (minutes): 1
   Second retry interval (minutes): 1
   Third retry interval (minutes): 3
   Subsequent retry interval (minutes): 5
1. Click Connectors and then right-click the SMTP Connector (or the Internet Mail SMTP Connector) and select Properties.
2. On the General tab, type in the appropriate hostname listed below in the field labeled Smart host. Forward outbound mail to
   outbounds[your system number].obsmtp.com
   where [your system number] is your system number. To find what system to use, see Identify Your System on page 13.
3. Click OK to save the changes and close the SMTP Connector properties.
Test Outbound Mail
1. Go to the Queues tab in Internet Mail Service Properties. Items with a retry state could indicate outbound mail delays.
2. Send a message from a mail client inside your network to an outside address. You should see a line in the email header which indicates that the message was received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.
3. Test inbound mail to confirm normal functionality. Send a message from an outside email address to an address on your service.
4. In the Administration Console, select your email config organization and click the Outbound Servers tab. After a minute of successful mail flow, traffic should display on the graph.
5. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking by spammers and will most likely cause an interruption in service. Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings. If you see an uncertain response (such as "maybe" or "warning"), check that your private relay settings are correct. See Set Up Reinjection on page 48 for the correct private relay settings.
Troubleshooting
Because Microsoft Exchange is a third-party product, this document cannot include complete troubleshooting steps. For further troubleshooting information, see the Microsoft website: http://support.microsoft.com/kb/284204
In MS Exchange 2000 and 2003, the smarthost is configured in the Default Virtual Server; however, mail traffic is still being sent via the Internet.
A connector may be directing traffic to the Internet directly. On an MS Exchange 2000 server, connectors such as the Internet Mail Service Connector override Virtual Server settings. Modify the connector so it will not affect outbound traffic.
1. Select the Start Menu -> Programs -> Microsoft Exchange -> System Manager.
2. Expand the top level -> Connectors.
3. Right-click Default SMTP Connector and select Properties.
4. Click the Address Space tab.
5. If the SMTP address space is * or otherwise includes outgoing mail traffic, then click the Modify button and limit the connector to just traffic which should not be sent to Outbound Services.
6. Click OK as necessary to save changes and then restart the MS Exchange 2000 service.
Why does Microsoft Exchange 2000/2003 defer all outbound mail when configured to use TLS?
This can happen when Outbound Services is not configured to accept outbound mail connections using TLS. You can resolve this by configuring Outbound Services to accept outbound mail connections using TLS. If the Exchange server is attempting to use TLS but the TLS option for outbound mail is turned off in the Administration Console, Exchange will defer all mail until it can successfully send the mail using TLS. For instructions on configuring Outbound Services to use TLS for outbound mail, see the following page in the Message Security Administration Guide: http://www.postini.com/webdocs/admin_ee_cu/ob_tls_config.html
Chapter 5
Microsoft Exchange Server 2000/2003 is designed as a high-end, scalable system. Microsoft Exchange 2000/2003 servers can be set up to work together in a large email network. It is possible to route all outbound mail through the Email Security Server without affecting the flow of internal mail between servers.
This chapter describes how to set up Outbound Services for a multi-server Microsoft Exchange Server 2000/2003 environment using a smarthost. The recommended method for setting up Outbound Servers with Microsoft Exchange 2003 is Private Outbound DNS. For more information, see Microsoft Exchange 2003 (Private DNS Method) on page 23.
An important concept in Exchange 2000/2003 multi-server environments is the bridgehead server. A bridgehead server is a mail server that connects to the Internet. Other servers route outgoing mail to the bridgehead server, which forwards mail to the Internet. Most of the configuration in this chapter applies only to the bridgehead server.
More complex environments with non-standard routing group/bridgehead configurations may require the use of a separate outbound gateway server:
   The routing group bridgeheads must relay all outbound mail to the gateway server.
   The gateway server must forward all mail to the email security service as a smarthost.
The gateway server can be any platform: another MS Exchange server, an MS IIS server, or any other standard MTA software such as Sendmail, Postfix, etc.
However, SMTP connectors require some special consideration during outbound configuration, because they are primarily designed to route internal traffic. SMTP Connectors automatically detect and attempt to route around failures. If any receiving server rejects or defers a message, the connector will temporarily cease to function. This can lead to a long mail queue and delayed delivery.
Set Up Reinjection
Before you can register your IP addresses in the Administrative Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see Set Up Reinjection on page 14. To allow reinjection, configure the IP ranges for Outbound Services to be a trusted relay.
Set up a trusted relay
1. Select the Start Menu -> Programs -> Microsoft Exchange -> System Manager.
2. Expand the top level -> Servers -> <Your Mail Server> -> Protocols -> SMTP.
3. Right-click Default SMTP Virtual Server and select Properties.
4. Click the Access tab.
5. Click Relay.
6. Add IP ranges and other trusted relay servers and click OK to get back to the Access tab. For a list of IP ranges, see IP Ranges on page 13.
7. Click the Connection button.
8. If the Connection list is set to Only the list below, then add the same IP ranges.
9. Click OK to get back to the Access tab and click OK to close the Default SMTP Virtual Server Properties.
10. If the reinjection servers are not outbound servers, then configure all servers along the mail flow between reinjection and the outbound server to allow the injection server to relay mail traffic through them.
11. Stop and restart the SMTP services.
Increase Server Timeouts
1. Select the Start Menu -> Programs -> Microsoft Exchange -> System Manager.
2. Expand the top level -> Servers -> <Your Mail Server> -> Protocols -> SMTP. Right-click the Virtual Server used for outbound routing.
3. Click the Delivery tab.
4. At the bottom of the Properties window, click Outbound Connections.
5. Set the Time-out (minutes) value to 15 or more.
6. Click OK to close Outbound Connections.
7. Click OK to close Virtual Server Properties.
Set Up Smarthost
There are two ways to set up a smarthost in a Microsoft Exchange 2000/2003 multi-server environment. For a comparison of the two, see Choose Smarthost Method on page 56.
Configure a Virtual Server
1. Click Start -> Programs -> Microsoft Exchange -> System Manager.
2. Expand the top level -> Servers -> <Your Mail Server> -> Protocols -> SMTP.
3. Right-click SMTP and select Add a New Virtual Server.
4. Accept all default configurations on the SMTP Virtual Server screens.
Note: You will see an error message that the Virtual Server is configured to use the same IP address and port as the existing server. Dismiss the error message.
1. Right-click the new virtual server and select Properties.
2. On the General tab, click Advanced.
3. Highlight the IP Address and click Edit.
4. Change the TCP Port to 26 (or any other unused port). All internal servers that need to communicate with this existing server will also need to be reconfigured to use this alternate port number. As an alternative, if the machine is multihomed (i.e. has more than one network interface), you can configure the new virtual server to use a different IP address rather than a different port. This is simpler and avoids potential communication issues between this machine and the other machines in the routing group. Consult your Exchange documentation for details on how to do this.
5. Configure the new virtual server to allow other internal mail servers to relay traffic through it.
Configure the smarthost for the SMTP virtual server to route traffic to the email security service
1. In the lower right corner of the window, click Advanced.
2. Type in the appropriate smarthost hostname listed below in the field labeled Smart host. The appropriate smarthost is
   outbounds[your system number].obsmtp.com
   where [your system number] is your system number. To find what system to use, see Identify Your System on page 13.
3. Click OK to close the Advanced dialog and OK to save the changes and close the SMTP Virtual Server Properties.
Configure your firewall
If necessary, configure the firewall or router to allow outbound traffic on port 26 (or whichever port was used) to ensure that traffic between the internal servers will not be blocked. (If an alternate IP address was used, this step is skipped.)
Configure other mail servers
On other machines which need to send outbound mail by way of this new virtual server, make the following configurations:
1. Right-click the Virtual Server and select Properties.
2. On the Delivery tab, click the Outbound Connections button.
3. Change the TCP port to 26 (or whatever port was chosen for the Inbound/Outbound server settings above) and click OK.
4. In the lower right corner of the Delivery tab, click Advanced.
5. Type in the appropriate smarthost hostname listed below in the field labeled Smart host. The appropriate smarthost is
   outbounds[your system number].obsmtp.com
   where [your system number] is your system number. To find what system to use, see Identify Your System on page 13.
Note: If an alternate IP address was used, configuration changes to the other machines may be necessary if they are using the bridgehead as a smart host. If not, changes may not be necessary.
Configure a Connector
On each SMTP Virtual Server in the environment which is designated as a bridgehead:
1. Right-click the SMTP Virtual Server and select Properties.
2. Click the Delivery tab.
3. Under Outbound, change the default values to the following:
   First retry interval (minutes): 1
   Second retry interval (minutes): 1
   Third retry interval (minutes): 3
   Subsequent retry interval (minutes): 5
Configure the smarthost to route traffic to Outbound Services
1. Click Connectors and then right-click the SMTP Connector (or the Internet Mail SMTP Connector) and select Properties.
2. On the General tab, type in the appropriate hostname in the field labeled Forward all mail through this connector to the following smart hosts. Forward outbound mail to
   outbounds[your system number].obsmtp.com
   where [your system number] is your system number. To find what system to use, see Identify Your System on page 13.
3. Click OK to save the changes and close the SMTP Connector properties.
Test Outbound Mail
1. Go to the Queues tab in Internet Mail Service Properties. Items with a retry state could indicate outbound mail delays.
2. Send a message from a mail client inside your network to an outside address. You should see a line in the email header which indicates that the message was received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.
3. Test inbound mail to confirm normal functionality. Send a message from an outside email address to an address on your service.
4. In the Administration Console, select your email config organization and click the Outbound Servers tab. After a minute of successful mail flow, traffic should display on the graph.
5. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking by spammers and will most likely cause an interruption in service. Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings. If you see an uncertain response (such as "maybe" or "warning"), check that your private relay settings are correct. See Set Up Reinjection on page 57 for the correct private relay settings.
Troubleshooting
Because Microsoft Exchange is a third-party product, this document cannot include complete troubleshooting steps. For further troubleshooting information, see the Microsoft website: http://support.microsoft.com/kb/284204
In MS Exchange 2000 and 2003, the smarthost is configured in the Default Virtual Server; however, mail traffic is still being sent via the Internet.
A connector may be directing traffic to the Internet directly. On an MS Exchange 2000 server, connectors such as the Internet Mail Service Connector override Virtual Server settings. Modify the connector so it will not affect outbound traffic.
1. Select the Start Menu -> Programs -> Microsoft Exchange -> System Manager.
2. Expand the top level -> Connectors.
3. Right-click Default SMTP Connector and select Properties.
4. Click the Address Space tab.
5. If the SMTP address space is * or otherwise includes outgoing mail traffic, then click the Modify button and limit the connector to just traffic which should not be sent to Outbound Services.
6. Click OK as necessary to save changes and then restart the MS Exchange 2000 service.
Why does the queue sometimes freeze up?
Most often, mail flow problems with Outbound Services are caused by an outbound connector encountering a deferral error. You can also find more information about how to use Queue Viewer to troubleshoot mail flow issues in Exchange Server 2003 on the Microsoft support site: http://support.microsoft.com/kb/default.aspx?scid=kb;en-us;823489
Why does Microsoft Exchange 2000/2003 defer all outbound mail when configured to use TLS?
This can happen when Outbound Services is not configured to accept outbound mail connections using TLS. You can resolve this by configuring Outbound Services to accept outbound mail connections using TLS. If the Exchange server is attempting to use TLS but the TLS option for outbound mail is turned off in the Administration Console, Exchange will defer all mail until it can successfully send the mail using TLS. For instructions on configuring Outbound Services to use TLS for outbound mail, see the following page in the Message Security Administration Guide: http://www.postini.com/webdocs/admin_ee_cu/ob_tls_config.html
Chapter 6
This chapter gives details of how to set up Outbound Services for Exchange 2007 if you do not have an Edge Server. In this case, set up Outbound Services on a Hub Transport server. If you do have an Edge Server, see the instructions in the chapter Microsoft Exchange 2007 with an Edge Server (Smarthost method) on page 83. There is no need to increase the timeouts for Microsoft Exchange 2007 mail servers. The default timeout settings are appropriate. For Microsoft Exchange 2010, use the Private Outbound DNS method. For more information, see Microsoft Exchange 2007/2010 (Private DNS Method) on page 31.
Set Up Reinjection
Before you can register your IP addresses in the Administrative Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see Set Up Reinjection on page 14.
For most configurations of Exchange 2007, a sender must provide authentication to relay mail from outside sources. However, SMTP authentication is not possible for reinjection. Instead, create a private relay to allow reinjection. The simplest way to create a relay in Exchange 2007 is to create a receive connector, limit the connector to an appropriate set of IP addresses, and allow anonymous connections.
There are two ways to set up a private relay for Exchange 2007: allowing anonymous access, or an externally secured connector.
   Allow Anonymous Access: Easier to configure, and more reliable. Reinjected messages are considered anonymous. However, this method is not compatible with ResolveP2, and messages will be filtered by Microsoft Exchange 2007 anti-spam filtering.
   Externally Secured Connector: This method requires additional effort, but is compatible with ResolveP2, and reinjected messages bypass anti-spam filtering.
Allow Anonymous Access is the better choice in most cases. If you are using ResolveP2, or if reinjected messages are caught by anti-spam filters, use an Externally Secured Connector instead. Whichever method you use, first create the receive connector.
4. In the Properties pane, right-click in the Receive Connectors tab and choose New Receive Connector. The following screen will appear:
5. Name the connector Reinjection and choose Next.
6. You will see the Local Network Settings page. If you haven't made any customization to the IP settings of the Hub Server, keep the defaults. Otherwise, use the settings appropriate for your customization.
7. Click Next to go to the Remote Network settings page. Click the default range that is input by the system and click Edit.
8. You will see the Edit Remote Servers box. Enter the appropriate IP range. For a list of IP ranges, see IP Ranges on page 13.
4. Open the Exchange Management Shell from Start -> Programs -> Microsoft Exchange Server 2007 -> Exchange Management Shell.
5. Type the following command:
   Get-ReceiveConnector "Reinjection" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
Set Up Smarthost
After you have set up reinjection and registered the IP of your outbound mail server in the Administration Console, create and configure a Send Connector on your Hub Transport server.
1. Choose Organization Configuration -> Hub Transport.
2. Select Send Connectors.
3. Right-click in the Actions pane and choose New Send Connector.
4. Name the connector Outbound.
5. Under Select the intended use for this Send Connector, select Internet.
6. Click Add and enter the address space * so that all mail will be routed through the new connector.
8. Under Network settings, select Route mail through the following smart hosts.
9. Click Add.
10. Enter the appropriate smart host. The appropriate smart host setting is
   outbounds[your system number].obsmtp.com
   where [your system number] is your system number. To find what system to use, see Identify Your System on page 13.
12. Click Add and list each outbound hub server that will act as a bridgehead.
13. Click New, then click Finish to complete the send connector configuration.
4. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking by spammers and will most likely cause an interruption in service. Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings. If you see an uncertain response (such as "maybe" or "warning"), check that your private relay settings are correct. See Set Up Reinjection on page 66 for the correct private relay settings.
Troubleshooting
Installing Exchange 2007 onto an existing Exchange 2003 environment
If you've installed Exchange 2007 into an existing environment with 2003, you may already have a Send Connector (SMTP Connector). If so, modify and verify your settings there. If the connector is on your 2003 server, you can only view the settings from the Exchange 2007 Management Console. Make all changes from the Exchange 2003 System Manager (look for SMTP Connectors). For example, if you only have a connector on the 2003 machine, then all outbound mail will go through the 2003 server. If you have one on the 2003 and one on the 2007 server, then mail will go through the closest connector. If you delete the one on 2003 and have one on the 2007 server, then all outgoing mail will pass through the 2007 server.
Anti-spam configuration
If you have previously installed the anti-spam agents onto your Hub Transport servers, disable any rules you have created and make those configurations in the email security service. To identify if those agents have been installed, go to Exchange Management Console -> Organization Configuration -> Hub Transport and check if the AntiSpam tab is enabled.
Chapter 7
Microsoft Exchange 2007 includes a concept that has not existed in previous versions of Microsoft Exchange: different servers are assigned distinct, concrete roles. An Edge Server is one such role. The Edge Server connects all other Exchange Servers to the Internet, and provides filtering and security. This chapter gives details of how to set up Outbound Services for Exchange 2007 if you have an Edge Server. In this case, set up Outbound Services on your Edge Server. If you do not have an Edge Server, see the instructions in the chapter Microsoft Exchange 2007 without an Edge Server (Smarthost method) on page 65. There is no need to increase the timeouts for Microsoft Exchange 2007 mail servers. The default timeout settings are appropriate. For Microsoft Exchange 2010, use the Private Outbound DNS method. For more information, see Microsoft Exchange 2007/2010 (Private DNS Method) on page 31.
Set Up Reinjection
Before you can register your IP addresses in the Administrative Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see Set Up Reinjection on page 14.
For most configurations of Exchange 2007, a sender must provide authentication to relay mail from outside sources. However, SMTP authentication is not possible for reinjection. Instead, create a private relay to allow reinjection. The simplest way to create a relay in Exchange 2007 is to create a receive connector, limit the connector to an appropriate set of IP addresses, and allow anonymous connections.
There are two ways to set up a private relay for Exchange 2007: allowing anonymous access, or an externally secured connector.
   Allow Anonymous Access: Easier to configure, and more reliable. Reinjected messages are considered anonymous. However, this method is not compatible with ResolveP2, and messages will be filtered by Microsoft Exchange 2007 anti-spam filtering.
   Externally Secured Connector: This method requires additional effort, but is compatible with ResolveP2, and reinjected messages bypass anti-spam filtering.
Allow Anonymous Access is the better choice in most cases. If you are using ResolveP2, or if reinjected messages are caught by anti-spam filters, use an Externally Secured Connector instead. Whichever method you use, first create the receive connector.
4. In the Properties Pane right click in the Receive Connectors tab and choose New Receive Connector. The following screen will appear:
5. Name the connector Reinjection and choose Next 6. You will see the Local Network Settings page. If you havent made any customization to the IP settings of the Hub Server, keep the defaults. Otherwise, use the settings appropriate for your customization.
85
7. Click Next to go to the Remote Network settings page. Click the default range that is input by the system and click Edit.
86
8. You will see the Edit Remote Servers box. Enter the appropriate IP range. For a list of IP ranges, see IP Ranges on page 13.
4. Open the Exchange Management Shell from Start -> Programs -> Microsoft Exchange Server 2007 -> Exchange Management Shell.
5. Type the following command:
Get-ReceiveConnector "Reinjection" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTPAccept-Any-Recipient"
Set Up Smarthost
In order to send email from an Edge Transport server, a send connector must be configured. Edge Transport servers subscribed to an Exchange organization are pre-configured with the necessary elements to send and receive mail from the Internet. Configuring Postini outbound services will change the default setup of these connectors. Because send connectors are organization-wide configurations and part of the synchronization process, they are edited on the Hub Transport server. Send connectors are created and edited in the Exchange Management Console by doing the following from any Hub Transport server:
1. Choose Organization Configuration -> Hub Transport.
2. Click Send Connectors.
3. Double-click the connector named EdgeSync [your site] to Internet, where [your site] is the name of your site.
4. On the Address Space tab verify that the * domain has been added.
5. On the Network tab, uncheck Use domain and Enable domain.
6. In the same tab, check Route mail through the following smart hosts.
7. Choose the Add button and enter the name of the smart host. The appropriate smarthost is
outbounds[your system number].obsmtp.com
where [your system number] is your system number. To find what system to use, see Identify Your System on page 13.
8. On the Source Server tab, verify that the appropriate edge subscription(s) are defined.
9. From the Exchange Management Shell, run the following command:
start-edgesynchronization
10. Verify on the Edge server(s) that the new Send Connector settings have been received and look identical to those on the hub server.
11. Also be sure to check your receive connectors on the Edge server and verify the following:
a. The Network tab has the IP range of all hub servers included.
b. The Authentication tab has the Exchange Server Authentication option checked.
c. The Permission Groups tab has the Exchange Servers option checked.
Troubleshooting
Installing Exchange 2007 onto an existing Exchange 2003 environment
If you've installed Exchange 2007 into an existing environment with Exchange 2003, you may already have a Send Connector (SMTP Connector). If so, modify and verify your settings there. If the connector is on your 2003 server, you can only view its settings from the Exchange 2007 Management Console; make all changes from the Exchange 2003 System Manager (look for SMTP Connectors). For example, if you only have a connector on the 2003 machine, then all outbound mail will go through the 2003 server. If you have one on the 2003 and one on the 2007 server, then mail will go through the closest connector. If you delete the one on 2003 and have one on the 2007 server, then all outgoing mail will pass through the 2007 server.
Chapter 8
Legal Disclaimer
This guide describes how Postini products work with Microsoft Exchange and the configurations that Postini recommends. These instructions are designed to work with the most common Microsoft Exchange scenarios. Any changes to Microsoft Exchange configuration should be made at the discretion of your Microsoft Exchange administrator.
Note: Postini Customer Care does not provide technical support for configuring
mail servers or third-party products. In the event of a Microsoft Exchange issue, you should consult your Microsoft Exchange administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options. Links to Microsoft Exchange Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.
Set Up Reinjection
Before you can register your IP addresses in the Administrative Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see Set Up Reinjection on page 14.
Configure Outbound Services IP ranges to be a trusted relay
1. Select the Start Menu -> Programs -> Microsoft Exchange -> Microsoft Exchange Administrator.
2. Select Your Mail Server -> Configuration -> Connections -> Internet Mail Service.
3. Right-click and select Properties and then click the Routing tab.
4. Click Routing Restrictions.
5. Check the checkbox for Hosts and clients with these IP addresses.
6. Add IP ranges and other trusted relay servers and click OK to return to the Routing tab. For a list of IP ranges, see IP Ranges on page 13.
7. Stop and restart the Exchange service.
8. If the reinjection servers are not outbound servers, then configure all servers along the mailflow between reinjection and the outbound server to allow the injection server to relay mail traffic through them.
Set Up Smarthost
In Microsoft Exchange 5.5, a smarthost is set up by changing the Properties for your mail server.
Route mail to Outbound Services
1. Select the Start Menu -> Programs -> Microsoft Exchange -> Microsoft Exchange Administrator.
2. Select Your Mail Server -> Configuration -> Connections -> Internet Mail Service.
3. Right-click and select Properties and then click the Connections tab.
4. Enter the appropriate domain name in the field labeled Forward all messages to host. The hostname to use is:
outbounds[your system number].obsmtp.com
where [your system number] is your system number. To find what system to use, see Identify Your System on page 13.
5. Under the Retry Interval (hrs.) setting, type in the following:
.1,.2,.3,.4
6. Click OK.
7. Stop and restart the MS Exchange 5.5 service for the changes to take effect.
1. Go to the Queues tab in Internet Mail Service Properties. Items with a retry state could indicate outbound mail delays.
2. Send a message from a mail client inside your network to an outside address. You should see a line in the email header which indicates that the message was received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.
3. Test inbound mail to confirm normal functionality. Send a message from an outside email address to an address on your service.
4. In the Administration Console, select your email config organization and click the Outbound Servers tab. After a minute of successful mail flow, traffic should display on the graph.
5. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking from spammers and will most likely cause an interruption in service. Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings. If you see an uncertain response (such as maybe or warning) then check that your private relay settings are correct. See Set Up Reinjection on page 100 for the correct private relay settings.
Chapter 9
Legal Disclaimer
This guide describes how Postini products work with Microsoft Small Business Server and the configurations that Postini recommends. These instructions are designed to work with the most common Microsoft Small Business Server scenarios. Any changes to Microsoft Small Business Server configuration should be made at the discretion of your Microsoft Small Business Server administrator.
Note: Postini Customer Care does not provide technical support for configuring
mail servers or third-party products. In the event of a Microsoft Small Business Server issue, you should consult your Microsoft Small Business Server administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options. Links to Microsoft Small Business Server Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.
Set Up Reinjection
Before you can register your IP addresses in the Administrative Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see Set Up Reinjection on page 14.
Configure Outbound Services IP ranges to be a trusted relay
1. Select the Start Menu -> Programs -> Microsoft Exchange -> System Manager.
2. Expand the top level -> Servers -> Your Mail Server -> Protocols -> SMTP.
3. Right-click Default SMTP Virtual Server and select Properties.
4. Click the Access tab, then click Relay.
5. Add IP ranges and other trusted relay servers and click OK to get back to the Access tab. For a list of IP ranges, see IP Ranges on page 13.
6. Click the Connection button. If the Connection list is set to Only the list below, add the same IP ranges.
7. Click OK to return to the Access tab and click OK to close the Default SMTP Virtual Server Properties.
8. If the reinjection servers are not outbound servers, then all servers along the mailflow between the reinjection server and the outbound server must be configured to allow the injection server to relay mail traffic through them.
9. Stop and restart the SMTP services.
Set Up Smarthost
In Microsoft Small Business Server 2003, outbound mail routing is handled by the IIS Virtual Server. Unlike a Microsoft Exchange connector, the IIS Virtual Server will not begin queueing mail after a deferral. The standard Microsoft installation of Small Business Server 2003 creates a connector in order to set local policies. Modify the connector to ensure that outbound mail is routed to the email security system while local mail is not interrupted.
1. In Exchange System Manager (ESM), go to Connectors -> Small Business SMTP Connector, on the General tab.
2. Select Use DNS to route to each address space on this connector and click Apply.
3. In the Address Space tab, select the default address space of *, then click Modify.
4. In the Address Space tab, change the address space to your domain name and click OK.
5. In Servers -> Your Server Name -> Protocols -> SMTP -> Default SMTP Virtual Server, right-click Default SMTP Virtual Server and select Properties to go to the Properties page.
6. In the Delivery tab, click Advanced.
7. Under Smart Host, enter the following:
outbounds[your system number].obsmtp.com
where [your system number] is your system number. To find what system to use, see Identify Your System on page 13.
8. Click OK twice.
9. Restart the server by right-clicking the SMTP Virtual Server, selecting Stop, and then right-clicking the SMTP Virtual Server again and selecting Start.
1. Go to the Queues tab in Internet Mail Service Properties. Items with a retry state could indicate outbound mail delays.
2. Send a message from a mail client inside your network to an outside address. You should see a line in the email header which indicates that the message was received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.
3. Test inbound mail to confirm normal functionality. Send a message from an outside email address to an address on your service.
4. In the Administration Console, select your email config organization and click the Outbound Servers tab. After a minute of successful mail flow, traffic should display on the graph.
5. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking from spammers and will most likely cause an interruption in service. Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings. If you see an uncertain response (such as maybe or warning) then check that your private relay settings are correct. See Set Up Reinjection on page 104 for the correct private relay settings.
Chapter 10
Legal Disclaimer
This guide describes how Postini products work with IBM Lotus Domino and the configurations that Postini recommends. These instructions are designed to work with the most common IBM Lotus Domino scenarios. Any changes to IBM Lotus Domino configuration should be made at the discretion of your IBM Lotus Domino administrator.
Note: Postini Customer Care does not provide technical support for configuring
mail servers or third-party products. In the event of an IBM Lotus Domino issue, you should consult your IBM Lotus Domino administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options. Links to IBM Lotus Domino Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.
When considering these two methods, consider the following factors.
Change DNS Settings in Domino: The IBM Lotus Domino server uses the DNS server listed in notes.ini to send mail. The Domino server contacts the Private DNS Server and routes mail to Outbound Services. Because this method affects only IBM Lotus Domino and requires no changes to the underlying operating system, it is the recommended way to use Private Outbound DNS.
Change DNS Settings in OS: This change is independent of the IBM Lotus Domino server. The changes affect the whole machine, and the server cannot be used for other Internet applications. All applications on the server will contact the Private DNS Server and route connections to Outbound Services. Use this method if your IBM Lotus Domino server setup can't support DNSServer changes in notes.ini.
Set Up Reinjection
Before you can register your IP addresses in the Administrative Console or set up private DNS, you must allow reinjection. For an overview of reinjection concepts, see Set Up Reinjection on page 14.
Configure Outbound Services IP ranges to be a trusted relay
1. Open Domino Administrator and click Administration.
2. Select the Configuration tab.
3. Click the triangle next to Messaging, and then select Configurations.
4. Double-click the name of your Domino Server.
5. At the top of the window, click Edit Server Configuration. Select the following: the Router/SMTP tab in the first row, the Restrictions and Controls tab in the second row, and the SMTP Inbound Controls tab in the third row.
6. Under Allow messages only from the following internet hosts to be sent to external internet domains, enter the IP range for Outbound Services. For a list of IP ranges, see IP Ranges on page 13.
7. Under Exclude these Connecting Hosts From Anti-Relay Checks, enter the same IP range.
8. Click Save & Close to exit.
9. Stop and restart the Domino SMTP task for the changes to take effect.
7. In the Value text box, enter the appropriate IP address. Because DNS lookups occur before domain names are resolved, you must use an IP address for Private Outbound DNS. Private outbound DNS cannot use domain names. The appropriate IP address depends on your system. To find what system to use, see Identify Your System on page 13.

System    IP Address to use for Private Outbound DNS
5         64.18.4.12
6         64.18.5.12
7         64.18.6.12
8         64.18.7.12
9         74.125.148.12
10        74.125.244.12
20        64.18.9.14
200       207.126.147.11
201       207.126.154.11
8. Click OK to close the Set/Modify Parameters dialog box.
9. Click Save & Close.
10. Go to the Server Console.
11. In the Server Console, enter the command tell router update config.
12. Restart the Router and SMTP Task.
13. Restart the router task on the Domino console.
14. Restart the SMTP task on the Domino console.
1. Go to Control Panel -> Network Connections and select your local network.
2. Click Properties, then select Internet Protocol (TCP/IP).
3. Click Properties.
4. Select Use the following DNS server addresses and enter the appropriate IP address for your system. Because DNS lookups occur before domain names are resolved, you must use an IP address for Private Outbound DNS. Private outbound DNS cannot use domain names. The appropriate IP address depends on your system. To find what system to use, see Identify Your System on page 13.

System    IP Address to use for Private Outbound DNS
5         64.18.4.12
6         64.18.5.12
7         64.18.6.12
8         64.18.7.12
9         74.125.148.12
10        74.125.244.12
20        64.18.9.14
200       207.126.147.11
201       207.126.154.11
5. Restart the Domino router task via the console.
6. Restart the Domino SMTP task via the console.
4. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking from spammers and will most likely cause an interruption in service. Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings. If you see an uncertain response (such as maybe or warning) then check that your private relay settings are correct. See Set Up Reinjection on page 108 for the correct private relay settings.
Troubleshooting
If you encounter delays or problems with using IBM Lotus Domino with Private Outbound DNS, consider changing your Lotus Notes settings. These settings are listed in notes.ini. See your IBM Lotus Domino documentation for information on how to change these settings. Some changes to consider:
Set the Maximum concurrent transfer threads equal to Maximum transfer threads. Increasing the maximum concurrent transfer threads can increase bandwidth and prevent threads from locking up.
Set SMTPErrorLimit to 1.
Set SMTPTimeoutMultiplier to at least 11.
Remove or comment out SMTPMTA_DATA_TIMEOUT and SERVER_SESSION_TIMEOUT.
Disable pipelining. Pipelining can cause threads to become dedicated to a single recipient address when used with Private Outbound DNS, which can cause mail delays.
This increases the amount of information logged, which will help find any other problems. Once the problem is resolved, change this to its original setting.
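The notes.ini recommendations above can be checked by a script before and after a change. The Python below is an added example, not part of this guide or of IBM's or Postini's tooling: it parses a notes.ini file and reports any of the four settings named on this page (SMTPErrorLimit, SMTPTimeoutMultiplier, SMTPMTA_DATA_TIMEOUT, SERVER_SESSION_TIMEOUT) that differ from the recommendation. The sample file contents are constructed, and treating a line that begins with ";" or "#" as commented out is this example's own assumption.

```python
# Audit a notes.ini file for the Private Outbound DNS settings recommended above.
# Added example; not part of the Postini guide or of IBM Lotus Domino.

# Settings named in the troubleshooting section, with the recommended value.
REQUIRED = {
    "SMTPErrorLimit": (lambda v: v == 1, "1"),
    "SMTPTimeoutMultiplier": (lambda v: v >= 11, "at least 11"),
}
# Settings the section says to remove or comment out.
MUST_BE_ABSENT = ("SMTPMTA_DATA_TIMEOUT", "SERVER_SESSION_TIMEOUT")


def parse_notes_ini(text):
    """Return {UPPERCASE_KEY: value} for every key=value line.

    Assumption of this example: a line starting with ';' or '#' is treated as
    commented out, and the [Notes] section header is skipped.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings


def audit_notes_ini(text):
    """Return a list of findings; an empty list means every recommendation is met."""
    settings = parse_notes_ini(text)
    findings = []
    for key, (is_ok, recommended) in REQUIRED.items():
        raw = settings.get(key.upper())
        if raw is None:
            findings.append(f"{key} is not set (recommended: {recommended})")
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append(f"{key}={raw!r} is not an integer (recommended: {recommended})")
            continue
        if not is_ok(value):
            findings.append(f"{key}={value} (recommended: {recommended})")
    for key in MUST_BE_ABSENT:
        if key in settings:
            findings.append(f"{key} is set; remove it or comment it out")
    return findings


# Constructed sample: one value too high, one timeout still active, one commented out.
SAMPLE_NOTES_INI = """\
[Notes]
Directory=C:\\Lotus\\Domino\\data
SMTPErrorLimit=5
SMTPTimeoutMultiplier=11
SMTPMTA_DATA_TIMEOUT=120
;SERVER_SESSION_TIMEOUT=30
"""

if __name__ == "__main__":
    for finding in audit_notes_ini(SAMPLE_NOTES_INI) or ["no findings"]:
        print(finding)
```

Run it against a copy of the server's notes.ini; the thread-count and pipelining recommendations are not checked here because the page does not name their notes.ini keys.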
How can I be sure my firewall allows a connection to Private Outbound DNS?
Your sending mail server needs to be able to reach the message security service using DNS on UDP port 53. If you are not sure your network settings allow your mail server to connect to an external DNS host on UDP port 53, run the following test on your mail server:
1. In a DOS command prompt, type nslookup.
2. Note your current default server.
3. In the nslookup prompt, type set q=mx and hit return.
4. In the nslookup prompt, type gmail.com and hit return to get the gmail.com IP address.
5. In the nslookup prompt, type server [IP address] and hit return. For instance, if you are on system 8, type server 64.18.7.12 and hit return. If you are using a different system number, use the appropriate IP address for that system.
6. In the nslookup prompt, type gmail.com again. You should see a different IP address now. If you see an error message, your network settings are blocking your DNS connection.
7. In the nslookup prompt, type server [old default server] to restore your default server. Substitute your previous default server name for [old default server].
8. Press Control-C to exit nslookup.
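The nslookup procedure above can also be run from a script, which helps when the check has to be repeated from several mail servers. The Python below is an added example, not part of this guide: it builds a DNS MX query for gmail.com by hand, sends it over UDP to port 53 of a given server, and validates the reply header (transaction id and QR bit). 64.18.7.12 is the system 8 address from the table on this page; substitute your own system's address. The query builder and reply parser are pure functions, so the packet format can be checked without a network.

```python
# Check that a Private Outbound DNS server answers on UDP port 53.
# Added example; not part of the Postini guide.
import random
import socket
import struct

DNS_PORT = 53
QTYPE_MX = 15


def build_query(name, qtype, txid):
    """Encode a single-question DNS query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_response(data, expected_txid):
    """Validate the 12-byte reply header and return (rcode, answer_count).
    Raises ValueError when the datagram is not a response to our query."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    return flags & 0x000F, an


def query_server(server_ip, name, qtype=QTYPE_MX, timeout=3.0):
    """Send one query over UDP to server_ip:53. Returns (rcode, answer_count),
    or None when no valid reply arrives within the timeout, which is what a
    firewall that blocks outbound UDP 53 looks like from the mail server."""
    txid = random.randrange(0, 65536)
    packet = build_query(name, qtype, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (server_ip, DNS_PORT))
            data, _ = sock.recvfrom(512)
            return parse_response(data, txid)
        except (OSError, ValueError):
            return None


if __name__ == "__main__":
    # 64.18.7.12 is the system 8 address from the table on this page;
    # replace it with the address for your own system number.
    private_dns = "64.18.7.12"
    result = query_server(private_dns, "gmail.com")
    if result is None:
        print(f"no reply from {private_dns}: check that outbound UDP 53 is allowed")
    else:
        rcode, answers = result
        print(f"{private_dns} answered: rcode={rcode} answers={answers}")
```

A reply with rcode 0 and at least one answer corresponds to step 6 succeeding in nslookup; a timeout corresponds to the error message described there.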
Chapter 11
Legal Disclaimer
This guide describes how Postini products work with IBM Lotus Domino and the configurations that Postini recommends. These instructions are designed to work with the most common IBM Lotus Domino scenarios. Any changes to IBM Lotus Domino configuration should be made at the discretion of your IBM Lotus Domino administrator.
Note: Postini Customer Care does not provide technical support for configuring
mail servers or third-party products. In the event of an IBM Lotus Domino issue, you should consult your IBM Lotus Domino administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options.
Links to IBM Lotus Domino Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.
Set Up Reinjection
Before you can register your IP addresses in the Administrative Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see Set Up Reinjection on page 14.
Configure Outbound Services IP ranges to be a trusted relay
1. Open Domino Administrator and click Administration.
2. Select the Configuration tab.
3. Click the triangle next to Messaging, and then select Configurations.
4. Double-click the name of your Domino Server.
5. At the top of the window, click Edit Server Configuration. Select the following: the Router/SMTP tab in the first row, the Restrictions and Controls tab in the second row, and the SMTP Inbound Controls tab in the third row.
6. Under Allow messages only from the following internet hosts to be sent to external internet domains, enter the IP range for Outbound Services. For a list of IP ranges, see IP Ranges on page 13.
7. Under Exclude these Connecting Hosts From Anti-Relay Checks, enter the same IP range.
8. Click Save & Close to exit.
9. Stop and restart the Domino SMTP task for the changes to take effect.
Set Up Smarthost
After you have set up reinjection and registered the IP of your outbound mail server in the Administration Console, set the relayhost parameter to route mail to the email security system. This will set Outbound Services as the smarthost. Domino stops processing queued messages when delivery of a message fails or the relay host is perceived to be down or unreachable. Setting the Retry Interval to a lower value allows the queue to start moving again more quickly.
Set up a smarthost and adjust the Retry Interval
1. Open Domino Administrator.
2. Click Administration and select the Configuration tab.
3. Click Configurations. Double-click the name of your Domino Server.
4. At the top of the window, click Edit Server Configuration.
5. Select the Router/SMTP tab in the first row. This will select the Basics tab of the second row of tabs.
6. Under Relay host for messages leaving the local internet domain:, add the following:
outbounds[your system number].obsmtp.com
where [your system number] is your system number. To find what system to use, see Identify Your System on page 13.
7. Select the Restrictions and Controls tab from the second row.
8. Select the Transfer Controls tab from the third row.
9. Set the configuration Initial Transfer Retry Interval to 1 minute or higher.
10. Click Save & Close to exit.
4. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking from spammers and will most likely cause an interruption in service. Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings. If you see an uncertain response (such as maybe or warning) then check that your private relay settings are correct. See Set Up Reinjection on page 116 for the correct private relay settings.
Novell Groupwise
Chapter 12
Legal Disclaimer
This guide describes how Postini products work with Novell Groupwise and the configurations that Postini recommends. These instructions are designed to work with the most common Groupwise scenarios. Any changes to Novell Groupwise configuration should be made at the discretion of your Novell Groupwise administrator.
Note: Postini Customer Care does not provide technical support for configuring
mail servers or third-party products. In the event of a Novell Groupwise issue, you should consult your Novell Groupwise administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options. Links to Novell Groupwise Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.
Set Up Reinjection
Before you can register your IP addresses in the Administrative Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see Set Up Reinjection on page 14.
Configure Outbound Services IP ranges to be a trusted relay
1. Open the Groupwise ConsoleOne interface.
2. Right-click the Internet Agent object and click Properties.
3. Click the Access Control tab.
4. Click SMTP Relay Settings.
5. Make sure that the Prevent message relaying radio button in the SMTP Relay Defaults section is selected.
6. Under Exceptions, click Create.
7. In the From: field, enter the IP range for your system. For a list of IP ranges, see IP Ranges on page 13. Leave the To: field blank to indicate that any recipient is allowed.
8. Click OK twice to close the Properties dialog.
Set Up Smarthost
1. Open the Groupwise ConsoleOne interface.
2. Right-click the Internet Agent object and click Properties.
3. If the SMTP/MIME Settings page is not the default page, click the SMTP/MIME tab and click Settings.
4. Set the number of SMTP Send Threads to the maximum number of simultaneous connections the Groupwise server will safely support.
5. Enter the appropriate smarthost in the field entitled Relay Host for Outbound Messages. The appropriate smarthost is
outbounds[your system number].obsmtp.com
where [your system number] is your system number. To find what system to use, see Identify Your System on page 13.
6. Click Apply, then click OK to exit.
Troubleshooting
Messages forwarded automatically by a Novell Groupwise rule to an external mail account are not filtered as expected by Outbound Services applications.
This problem occurs because Groupwise changes the SMTP envelope when forwarding a message by a rule. The MAIL FROM address in the envelope is null (MAIL FROM:<>). Because Outbound Services uses the envelope address to decide which organization's settings to use, the default is to use the settings specified in the email config organization. To ensure that all outbound messages are filtered, be sure that the Outbound Content Manager, Outbound Attachment Manager, Outbound Virus Blocking and Compliance Footer settings are the same for the email config organization as for the user-level orgs.
Outbound messages are bounced by Outbound Attachment Manager with the error Message too large - psmtp. However, the user does not receive a nondelivery report (NDR).
The non-delivery report (NDR) was quarantined to the administrator's quarantine because it triggered an Outbound Attachment Manager or Outbound Content Manager filter. In some cases, Groupwise attempts to deliver non-delivery reports (NDRs) by looking up the MX records and routing the NDR to the Internet rather than delivering it locally as expected. If the NDR includes the original attachment and therefore triggers an Outbound filter, the NDR will be quarantined rather than delivered back to the Groupwise server.
When Outbound Services processes a message from a sender who does not have a user account, it uses the Outbound Services settings from the email config organization. If Outbound Attachment Manager and Outbound Content Manager are enabled at the email config organization, then any messages sent by nonusers that violate an Outbound Attachment Manager or Outbound Content Manager filter will be disposed of accordingly. Creating a user account for the email address acting as the sender of the NDR, and placing it in an org with Outbound Attachment Manager and Outbound Content Manager disabled, ensures that the email security service will never block any messages sent by that user.
You can resolve this issue by setting Groupwise to deliver the NDR locally, or you can change your filters in the Administration Console. If you reconfigure your Groupwise server to deliver the NDR locally, Outbound Services will not be involved in the delivery of the message and it should therefore be successfully delivered. Alternately, set up an account for the Groupwise Mailer-Daemon address in the Administration Console and disable outbound filtering for that account:
1. In Add/Delete/Move Users, add an account for MailerDaemon@yourdomain.com, where yourdomain.com is your domain.
2. Create a new organization at the same level as the existing organization containing your users.
3. For the new organization, on the Organization Management page, turn off Outbound Attachment Manager and Outbound Content Manager.
4. Move the Mailer-Daemon account to the new organization.
Sendmail
Chapter 13
About Sendmail
Sendmail is a mail transfer agent (MTA) used for delivering mail across networks. It is a well known project of the open source, free software and UNIX communities. Sendmail is distributed both as free software and proprietary software, and is a standard MTA under many variants of the UNIX operating system. These instructions were written for version 8.13 of Sendmail. Other versions may have different settings. This chapter includes steps to route mail to Outbound Services and is designed to work with most major Sendmail deployments. You can also set up Private Outbound DNS to route mail to Outbound Services. Private Outbound DNS is often simpler and more reliable than a smarthost installation. Private Outbound DNS is described in Option 1: Set Up Private Outbound DNS on page 16. For more information, see your mail server product documentation for information on changing your DNS settings.
Legal Disclaimer
This guide describes how Postini products work with Sendmail and the configurations that Postini recommends. These instructions are designed to work with the most common Sendmail scenarios. Any changes to Sendmail configuration should be made at the discretion of your Sendmail administrator.
Note: Postini Customer Care does not provide technical support for configuring
mail servers or third-party products. In the event of a Sendmail issue, you should consult your Sendmail administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options. Links to Sendmail Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.
Set Up Reinjection
Before you can register your IP addresses in the Administrative Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see Set Up Reinjection on page 14.
To set up reinjection, add Outbound Services as a trusted relay in your sendmail.mc file. Instead of adding RELAY_DOMAIN commands to your sendmail.mc file, you can set up a relay domain file. Use this method if you need to list relay domains in a separate file. If the reinjection servers are not outbound servers, repeat these steps for all servers along the mail flow between reinjection and the outbound server to allow the injection server to relay mail traffic through them.
Configure Outbound Services IP ranges to be a trusted relay
to the file
/etc/mail/relay-domains
Set Up Smarthost
Set the smarthost in your sendmail.mc file.
WARNING: Do not change this value until you have set up the appropriate RELAY_DOMAIN setting and registered your IP in the Administration Console. If your IP is not registered in the Administration Console, Outbound Services will not deliver your mail.
where [your system number] is your system number. To find what system to use, see Identify Your System on page 13.
2. Stop and restart the sendmail server process.
1. Send a message from a mail client inside your network to an outside address. You should see a line in the email header which indicates that the message was received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.
2. Test inbound mail to confirm normal functionality. Send a message from an outside email address to an address on your service.
3. In the Administration Console, select your email config organization and click the Outbound Servers tab. After a minute of successful mail flow, traffic should display on the graph.
4. Confirm that your mail server is not an open relay. An open relay makes your mail server vulnerable to hijacking by spammers and will most likely cause an interruption in service. Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings. If you see an uncertain response (such as "maybe" or "warning"), check that your private relay settings are correct. See Set Up Reinjection on page 126 for the correct private relay settings.
Apple Macintosh OS X
Chapter 14
Legal Disclaimer
This guide describes how Postini products work with Apple Mac OS X Server and the configurations that Postini recommends. These instructions are designed to work with the most common Apple Mac OS X Server scenarios. Any changes to Apple Mac OS X Server configuration should be made at the discretion of your Apple Mac OS X Server administrator.
Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products. In the event of an Apple Mac OS X Server issue, you should consult your Apple Mac OS X Server administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options. Links to Apple Mac OS X Server Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.
Set Up Reinjection
Before you can register your IP addresses in the Administration Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see Set Up Reinjection on page 14.
Configure Outbound Services IP ranges to be a trusted relay for Mac OS X v.10.4:
1. In Server Admin, select Mail.
2. Click Settings.
3. Click Relay and enter the IP range for your system as an allowed relay address. For a list of IP ranges, see IP Ranges on page 13.
Configure Outbound Services IP ranges to be a trusted relay for Mac OS X v.10.3:
1. In Server Admin, select Mail.
2. Click Settings.
3. Click Filters and enter the IP range for your system as an allowed relay address. For a list of IP ranges, see IP Ranges on page 13.
4. Click Save to close the Server Admin.
Set Up Smarthost
1. In Server Admin, select Mail and click Settings.
where [your system number] is your system number. To find what system to use, see Identify Your System on page 13.
3. Click Save to close the Server Admin.
4. Restart the mail service.
Qmail
Chapter 15
About Qmail
Qmail is a mail transfer agent that runs on UNIX. Qmail has not been updated by its author for several years, and users have instead come to rely on third-party patches to support new functionality. Qmail is a nearly completely modular system in which each major function is separated from the others. It is easy to replace any part of the Qmail system with a different module as long as the new module retains the same interface as the original. These instructions provide steps to route mail to Outbound Services and are designed to work with a majority of Qmail deployments. You can also set up Private Outbound DNS to route mail to Outbound Services. Private Outbound DNS is often simpler and more reliable than a smarthost installation. Private Outbound DNS is described in Option 1: Set Up Private Outbound DNS on page 16. For information on changing your DNS settings, see your mail server product documentation.
Legal Disclaimer
This guide describes how Postini products work with Qmail and the configurations that Postini recommends. These instructions are designed to work with the most common Qmail scenarios. Any changes to Qmail configuration should be made at the discretion of your Qmail administrator.
Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products. In the event of a Qmail issue, you should consult your Qmail administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options. Links to Qmail Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.
Set Up Reinjection
Before you can register your IP addresses in the Administration Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see Set Up Reinjection on page 14.
Configure Outbound Services IP ranges to be a trusted relay using qmail + tcpserver
where IP Range is the appropriate IP range. For a list of IP ranges, see IP Ranges on page 13.
2. Run tcprules to reload allowed hosts:
> cd /etc
> tcprules tcp.smtp.cdb tcp.smtp.temp < tcp.smtp
3. Verify that the tcp.smtp.cdb file is invoked in the mail server's startup script.
4. Restart tcpserver so that the new rules will take effect:
> /usr/local/bin/tcpserver -x/etc/tcp.smtp.cdb -R -H -c25 -u502 -g501 mailhost.domain.com smtp /var/qmail/bin/qmail-smtpd 2>&1
[UID '502' & GID '501' may be different depending on server configuration.]
Configure Outbound Services IP ranges to be a trusted relay using qmail + inetd + tcpd
If qmail runs under inetd with tcpd rather than tcpserver, use the following steps instead:
1. Edit /etc/hosts.allow to include the Postini IP ranges and trusted servers. For a list of IP ranges, see IP Ranges on page 13.
2. Disallow everything else.
Set Up Smarthost
1. Edit (or create) the file /var/qmail/control/smtproutes and append the following line (the leading colon gives the entry an empty domain part, which makes it the default route for every domain without a more specific entry):
:outbounds[your system number].obsmtp.com
where [your system number] is your system number. To find what system to use, see Identify Your System on page 13.
3. If you have certain internal domains whose traffic should not be routed to Postini, add specific routing to the appropriate mail server to the /var/qmail/control/smtproutes file using the following syntax:
<InternalDomain>:<ServerForInternalDomain>
Postfix
Chapter 16
About Postfix
Postfix is an open-source mail transfer agent, used primarily on UNIX-based servers. It is the default mail server for several operating systems. Setting up Postfix for Outbound Services requires minimal changes. Add the IP ranges for the email security service as private relays. Then, register your mail server in the Administration Console. Last, direct outbound mail to route to Outbound Services. There is no need to increase the timeouts for Postfix servers; the default timeout settings are appropriate. You can also set up Private Outbound DNS to route mail to Outbound Services. Private Outbound DNS is often simpler and more reliable than a smarthost installation. Private Outbound DNS is described in Option 1: Set Up Private Outbound DNS on page 16. For information on changing your DNS settings, see your mail server product documentation.
Legal Disclaimer
This guide describes how Postini products work with Postfix and the configurations that Postini recommends. These instructions are designed to work with the most common Postfix scenarios. Any changes to Postfix configuration should be made at the discretion of your Postfix administrator.
Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products. In the event of a Postfix issue, you should consult your Postfix administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options. Links to Postfix Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.
Set Up Reinjection
Before you can register your IP addresses in the Administration Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see Set Up Reinjection on page 14.
Note: Do not change mynetworks and relayhost at the same time; these steps
1. Add IP ranges for your system to the mynetworks parameter of your configuration file (example path /etc/postfix/main.cf). For a list of IP ranges, see IP Ranges on page 13.
Note: Configuring the mynetworks parameter overrides the mynetworks_style parameter. If the mynetworks parameter was not previously used, you may need to add your own subnets as well.
2. Restart Postfix by running the following command:
# sudo postfix reload
3. If the reinjection server is not the same as your outbound mail server, perform these steps on all servers along the mailflow path between the reinjection server and your outbound mail server.
Set Up Smarthost
After you have set up reinjection and registered the IP of your outbound mail server in the Administration Console, set the relayhost parameter to route mail to the email security system. This will set Outbound Services as the smarthost.
Set up a smarthost
1. Add the following line to your configuration file (example path /etc/postfix/main.cf):
relayhost = outbounds[your system number].obsmtp.com
where [your system number] is your system number. To find what system to use, see Identify Your System on page 13.
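As an added example (not part of this guide or of Postfix), the following Python check reads a Postfix main.cf and reports the mistakes the reinjection and smarthost steps above guard against: reinjection ranges missing from mynetworks, a catch-all mynetworks entry that would make the server an open relay, and a relayhost that does not point at an Outbound Services host. The IP ranges and the sample main.cf are constructed placeholders, not the real Outbound Services ranges listed on page 13.

```python
import ipaddress
import re

# Placeholders for the Outbound Services ranges on page 13 of the guide (not real).
REQUIRED_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]

SAMPLE_MAIN_CF = """\
# constructed sample of a correctly configured /etc/postfix/main.cf
myhostname = mail.example.com
mynetworks = 127.0.0.0/8, 10.0.0.0/8,
    203.0.113.0/24, 198.51.100.0/24
relayhost = outbounds3.obsmtp.com
"""

def parse_main_cf(text):
    """Parse main.cf into a dict; whitespace-led lines continue the prior value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key is not None:
            params[key] += " " + raw.strip()
        elif "=" in raw:
            key, _, value = raw.partition("=")
            key = key.strip()
            params[key] = value.strip()
    return params

def audit_relay_config(params, required=REQUIRED_RANGES):
    """Report reinjection ranges missing from mynetworks, entries that would
    make the server an open relay, and a relayhost outside Outbound Services.
    Only IP/CIDR entries are checked; table lookups and '!' exclusions are
    reported as unchecked so an operator can review them by hand."""
    findings, trusted = [], set()
    for entry in filter(None, re.split(r"[,\s]+", params.get("mynetworks", ""))):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"mynetworks entry not checked: {entry}")
            continue
        if net.prefixlen == 0:
            findings.append(f"mynetworks {entry} trusts every sender: open relay")
        trusted.add(net)
    for rng in required:
        if ipaddress.ip_network(rng) not in trusted:
            findings.append(f"reinjection range {rng} missing from mynetworks")
    relayhost = params.get("relayhost", "")
    if not re.fullmatch(r"\[?outbounds\d+\.obsmtp\.com\]?(:\d+)?", relayhost):
        findings.append(f"relayhost is not an Outbound Services host: {relayhost!r}")
    return findings
```

Run it against your own main.cf before and after each step; an empty findings list means both the reinjection ranges and the smarthost are in place.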