Outbound Services Configuration Guide Google Message Security Google Message Discovery Postini Email Security, Enterprise Edition

Upload: david-kading

Post on 21-Nov-2014


Outbound Services Configuration Guide

• Google Message Security

• Google Message Discovery

• Postini Email Security, Enterprise Edition


Google, Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043
www.google.com

Part number: OBCG_617_13

May 3, 2010

© Copyright 2009 Google, Inc. All rights reserved.

Google, the Google logo, Google Message Filtering, Google Message Security, Google Message Discovery, Postini, the Postini logo, Postini Perimeter Manager, Postini Threat Identification Network (PTIN), Postini Industry Heuristics, and PREEMPT are trademarks, registered trademarks, or service marks of Google, Inc. All other trademarks are the property of their respective owners.

Use of any Google solution is governed by the license agreement included in your original contract. Any intellectual property rights relating to the Google services are and shall remain the exclusive property of Google, Inc. and/or its subsidiaries (“Google”). You may not attempt to decipher, decompile, or develop source code for any Google product or service offering, or knowingly allow others to do so.

Google documentation may not be sold, resold, licensed or sublicensed and may not be transferred without the prior written consent of Google. Your right to copy this manual is limited by copyright law. Making copies, adaptations, or compilation works without prior written authorization of Google is prohibited by law and constitutes a punishable violation of the law. No part of this manual may be reproduced in whole or in part without the express written consent of Google. Copyright © by Google, Inc.

Postini, Inc. provides this publication “as is” without warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability or fitness for a particular purpose. Postini, Inc. may revise this publication from time to time without notice. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

GD Graphics Copyright Notice:

Google uses GD graphics.

Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health.

Portions copyright 1996, 1997, 1998, 1999, 2000 by Boutell.Com, Inc.

Portions relating to GD2 format copyright 1999, 2000 Philip Warner.

Portions relating to PNG copyright 1999, 2000 Greg Roelofs.

Portions relating to libttf copyright 1999, 2000 John Ellson ([email protected]).

Portions relating to JPEG copyright 2000, Doug Becker and copyright (C) 1994-1998, Thomas G. Lane.

This software is based in part on the work of the Independent JPEG Group.

Portions relating to WBMP copyright 2000 Maurice Szmurlo and Johan Van den Brande.

Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation.

This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. “Derived works” includes all programs that utilize the library. Credit must be given in user-accessible documentation.

This software is provided “AS IS.” The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation.

Although their code does not appear in gd 1.8.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.

Google Compliance Policies Notice:

Google assumes no responsibility in connection with the Compliance Policies lexicon-filtering feature, including any failure to recognize credit card or social security numbers that do not follow an applicable pattern as established in Postini’s systems or any failure to encrypt a credit card or social security number.


Contents

What This Guide Contains 9
Related Documentation 9
How to Send Comments About This Guide 10

Chapter 1: Introduction to Outbound Configuration 11
  About Outbound Configuration 11
  How to Use This Guide 12
  Prerequisites 13
  Identify Your System 13
  IP Ranges 13
  Set Up Reinjection 14
  Register Your IP in the Administration Console 15
  Increase Server Timeouts 16
  Option 1: Set Up Private Outbound DNS 16
  Option 2: Set Up Smarthost 19
  Test Outbound Mail 19
  Microsoft Exchange Servers 19
  Optional: Configure SPF Records for Outbound Services 20
  Alternate Option: Routing Outbound Mail on Your Firewall 21

Chapter 2: Microsoft Exchange 2003 (Private DNS Method) 23
  About Microsoft Exchange 2003 (Private DNS Method) 23
  Set Up Reinjection 24
  Register Your IP in the Administration Console 25
  Set Up Private Outbound DNS 25
  Test Outbound Mail 28
  Troubleshooting 29

Chapter 3: Microsoft Exchange 2007/2010 (Private DNS Method) 31
  About Microsoft Exchange 2007/2010 (Private DNS Method) 31
  Set Up Reinjection 32
  Register Your IP in the Administration Console 40
  Set Up Private Outbound DNS 40
  Test Outbound Mail 43
  Troubleshooting 44

Chapter 4: Microsoft Exchange 2000/2003 Single Server (Smarthost method) 47
  About Microsoft Exchange 2000/2003 Single-Server 47
  Set Up Reinjection 48
  Register Your IP in the Administration Console 49
  Increase Server Timeouts 49
  Set Up Smarthost 50
  Test Outbound Mail 52
  Troubleshooting 53

Chapter 5: Microsoft Exchange 2000/2003 Multi-Server (Smarthost method) 55
  About Microsoft Exchange 2000/2003 Multi-Server 55
  Choose Smarthost Method 56
  Set Up Reinjection 57
  Register Your IP in the Administration Console 58
  Increase Server Timeouts 58
  Set Up Smarthost 59
  Test Outbound Mail 62
  Troubleshooting 62

Chapter 6: Microsoft Exchange 2007 without an Edge Server (Smarthost method) 65
  About Microsoft Exchange 2007 without an Edge Server 65
  Set Up Reinjection 66
  Register Your IP in the Administration Console 75
  Set Up Smarthost 75
  Test Outbound Mail 81
  Troubleshooting 82

Chapter 7: Microsoft Exchange 2007 with an Edge Server (Smarthost method) 83
  About Microsoft Exchange 2007 with an Edge Server 83
  Set Up Reinjection 84
  Register Your IP in the Administration Console 93
  Set Up Smarthost 93
  Test Outbound Mail 96
  Troubleshooting 97

Chapter 8: Microsoft Exchange 5.5 99
  About Microsoft Exchange 5.5 99
  Set Up Reinjection 100
  Register Your IP in the Administration Console 100
  Set Up Smarthost 100
  Test Outbound Mail 101

Chapter 9: Microsoft Small Business Server 2003 103
  About Microsoft Small Business Server 2003 103
  Set Up Reinjection 104
  Register Your IP in the Administration Console 104
  Set Up Smarthost 104
  Test Outbound Mail 105

Chapter 10: IBM Lotus Domino (Private DNS Method) 107
  About IBM Lotus Domino (Private DNS Method) 107
  Choose a Private DNS Routing Method 108
  Set Up Reinjection 108
  Register Your IP in the Administration Console 109
  Set Up Private DNS (notes.ini file) 109
  Set Up Private DNS (OS Settings) 110
  Test Outbound Mail 111
  Troubleshooting 112

Chapter 11: IBM Lotus Domino (Smarthost Method) 115
  About IBM Lotus Domino (Smarthost Method) 115
  Set Up Reinjection 116
  Register Your IP in the Administration Console 116
  Set Up Smarthost 117
  Test Outbound Mail 117

Chapter 12: Novell Groupwise 119
  About Novell Groupwise 119
  Set Up Reinjection 120
  Register Your IP in the Administration Console 120
  Increase Server Timeouts 120
  Set Up Smarthost 121
  Test Outbound Mail 121
  Troubleshooting 122

Chapter 13: Sendmail 125
  About Sendmail 125
  Set Up Reinjection 126
  Register Your IP in the Administration Console 126
  Increase Server Timeouts 127
  Set Up Smarthost 127
  Test Outbound Mail 127

Chapter 14: Apple Macintosh OS X 129
  About Apple Macintosh OS X 129
  Set Up Reinjection 130
  Register Your IP in the Administration Console 130
  Set Up Smarthost 130
  Test Outbound Mail 131

Chapter 15: Qmail 133
  About Qmail 133
  Set Up Reinjection 134
  Register Your IP in the Administration Console 134
  Increase Server Timeouts 135
  Set Up Smarthost 135
  Test Outbound Mail 135

Chapter 16: Postfix 137
  About Postfix 137
  Set Up Reinjection 138
  Register Your IP in the Administration Console 138
  Set Up Smarthost 138
  Test Outbound Mail 139

About This Guide

What This Guide Contains

The Outbound Services Configuration Guide provides information about:

• General principles for setting up your mail server to route mail through Outbound Services.

• Specific step-by-step instructions to enable reinjection and smarthosts (or Private DNS) for the most common and popular mail servers.

• Troubleshooting steps for the most common and popular mail servers.

This guide is intended for mail server administrators who are already familiar with mail server configuration and security.

This guide is a supplement to the Message Security Administration Guide. For details about using the features and components of the email security service, see the Message Security Administration Guide. These documents are available on the Postini Support Portal. For details, see “How to Send Comments About This Guide” on page 10.

Related Documentation

For additional information about Outbound Services and the email security service, refer to the following related documents. For details on how to send comments, see “How to Send Comments About This Guide” on page 10.

Document                                 Description
Message Security Administration Guide    See the Outbound chapter for information about Outbound Services features, concepts, and administration.

How to Send Comments About This Guide

Postini values your feedback. If you have comments about this guide, please send an email message to:

[email protected]

In your email message, please specify the section to which your comment applies. If you want to receive a response to your comments, ensure that you include your name and contact information.


Chapter 1: Introduction to Outbound Configuration

About Outbound Configuration

This chapter introduces the setup process for Outbound Services common to all types of mail servers. Setup information unique to specific mail servers can be found in separate chapters. For successful installation, start with this general chapter, and follow with the chapter describing your mail server.

When Outbound Services are enabled and configured, mail from users is routed to the email security service for filtering before it reaches external contacts. You can use outbound mail processing to protect your customers and partners from virus-infected messages, enforce your corporate email policies and compliance standards, and collect information about your outgoing mail traffic.

Use of Outbound Services is bound by Postini’s Outbound Services Acceptable Use Policy. For more information, see the Message Security Administration Guide.

Before you set up Outbound Services, you will need a server that can meet the prerequisites for outbound service. For information about prerequisites, see “Prerequisites” on page 13.

There are five steps to set up Outbound Services:

• Set Up Reinjection

• Register Your IP in the Administration Console

• Increase Server Timeouts

• Set Up Smarthost (or Set Up Private Outbound DNS)

• Test Outbound Mail

Each of these steps is detailed in an individual section.

This chapter also includes information on how to find your system number, and the details of IP addresses to use. This is general information that applies to all mail servers. For information on your specific mail server software, see the appropriate chapter in this book.


How to Use This Guide

This guide is intended to provide information about how to set up your environment to use Outbound Services. Since configuration is different for different mail servers, each chapter after the introduction gives instructions for a separate mail server. Most administrators will only need to use two chapters:

• This chapter.

• The chapter specifically devoted to your mail server.

This guide contains instructions for the following servers:

• “Microsoft Exchange 2003 (Private DNS Method)” on page 23.

• “Microsoft Exchange 2007/2010 (Private DNS Method)” on page 31.

• “Microsoft Exchange 5.5” on page 99.

• “Microsoft Small Business Server 2003” on page 103.

• “IBM Lotus Domino (Private DNS Method)” on page 107.

• “IBM Lotus Domino (Smarthost Method)” on page 115.

• “Novell Groupwise” on page 119.

• “Sendmail” on page 125.

• “Apple Macintosh OS X” on page 129.

• “Qmail” on page 133.

• “Postfix” on page 137.

This guide also contains the following alternate instructions for using a smarthost with Microsoft Exchange:

• “Microsoft Exchange 2000/2003 Single Server (Smarthost method)” on page 47.

• “Microsoft Exchange 2000/2003 Multi-Server (Smarthost method)” on page 55.

• “Microsoft Exchange 2007 without an Edge Server (Smarthost method)” on page 65.

• “Microsoft Exchange 2007 with an Edge Server (Smarthost method)” on page 83.

Because different versions and configurations of Microsoft Exchange require different setup, there are several chapters on Microsoft mail servers. For information about the differences between them, see “Microsoft Exchange Servers” on page 19.


Prerequisites

Outbound Services is an optional feature. For more information about your service package and options, contact your account manager or vendor.

Before you configure Outbound Services, you need a server that can:

• Allow a safe private relay from an external address

• Route outbound mail using a smarthost (a server that accepts outbound mail and passes it on to the recipient) or an external DNS (a server that provides routing information, for supported servers).

• Send mail from a consistent IP address

Instructions are included in this guide for most common mail servers. If you are using another server not listed in this guide, consult your server documentation to find out how to allow a private relay and set up a smarthost (or external DNS server).

Also, for information about Outbound Services, see the Outbound chapter of the Message Security Administration Guide.

Identify Your System

Before you allow reinjection or set up a smarthost (or external DNS server), you will need to know which system number you are using. The email security service includes multiple independent systems.

To determine the system for your account: Your system number is shown in the URL when you log in to the Administration Console or Message Center. The system number is prefaced by ac-s or mc-s. For example:

URL displayed for an account on System 8 when logged in to the Administration Console:

https://ac-s8.postini.com/exec/adminstart?

URL displayed for an account on System 200 when logged in to the Message Center:

https://mc-s200.postini.com/app/msgctr/junk_quarantine

IP Ranges

You will need to enter an IP range to allow a private relay. The proper IP range depends on your system number in the email security service. To find your system number, see “Identify Your System” on page 13.

The following are the IP ranges for the email security service systems.

System           IP Range                           CIDR Range          IP/Subnet Mask Pair
5, 6, 7, 8, 20   64.18.0.0 - 64.18.15.255           64.18.0.0/20        64.18.0.0 mask 255.255.240.0
9                74.125.148.0 - 74.125.151.255      74.125.148.0/22     74.125.148.0 mask 255.255.252.0
20, 200, 201     207.126.144.0 - 207.126.159.255    207.126.144.0/20    207.126.144.0 mask 255.255.240.0

Note: Both sets of IP ranges are applicable for system 20 customers.

Set Up Reinjection

Reinjection is the process of queueing a message back to the customer’s server when it cannot be delivered due to conflicting SMTP errors after DATA. The reinjection host is often the same server as the outbound server, but this is not required.

Reinjection is necessary to avoid unexpected mail loss for messages sent to multiple recipients. Fewer than 0.1% of all messages are reinjected. Before you can route mail through Outbound Services, the Administration Console checks that your reinjection host is configured to allow the email security service IP addresses to relay for external recipients.

You may have already set up your mail server and firewall to accept messages from the email security service, but reinjection requires further access. Your reinjection server must accept mail from the email security service and send it out again. This is called a private relay.

Configure your mail server and firewall to accept email only from the email security service. Your reinjection host needs to accept all email from the email security service’s outbound servers. From your server’s perspective, the email security service’s delivery servers should be considered a trusted server. Allow relaying only from the email security service’s IP range and other trusted relay servers.

If you have multiple mail servers, specify which server (or servers) will act as the reinjection host, and be sure that server can route mail back to the email security service.

Be careful when you set up a private relay. If you allow all IP addresses to pass mail through your server, your mail server will become an open relay. This leaves your mail server vulnerable to hijacking from malicious senders. Setting up a private relay is safer than an open relay, since malicious outsiders cannot use a private relay in the same way.

Setting up reinjection is different for every mail server type. For step-by-step instructions for setting up reinjection, see the appropriate chapter in this guide for your mail server.
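The private-relay restriction above can be checked against a mail server's relay allow list. The following is an added example, not part of the original guide: it assumes the allow list has been exported as CIDR or IP/netmask strings, and the function names and sample entries are constructed for illustration (IPv4 only).

```python
import ipaddress

# Service IP ranges by system number, copied from the guide's IP Ranges table.
SERVICE_RANGES = {
    "64.18.0.0/20": (5, 6, 7, 8, 20),
    "74.125.148.0/22": (9,),
    "207.126.144.0/20": (20, 200, 201),
}


def service_networks(system):
    """Return the service networks that relay mail for a system number."""
    nets = [ipaddress.ip_network(cidr)
            for cidr, systems in SERVICE_RANGES.items() if system in systems]
    if not nets:
        raise ValueError(f"no IP range listed for system {system}")
    return nets


def table_forms(net):
    """Render a network in the table's three notations."""
    return (f"{net.network_address} - {net.broadcast_address}",
            str(net),
            f"{net.network_address} mask {net.netmask}")


def audit_relay_acl(system, acl_entries, other_trusted=()):
    """Classify each relay allow-list entry and list uncovered service ranges.

    Returns (findings, missing): findings maps each entry to a verdict,
    missing lists service ranges that no 'service' entry covers.
    """
    service = service_networks(system)
    trusted = [ipaddress.ip_network(t) for t in other_trusted]
    findings, confined = {}, []
    for entry in acl_entries:
        net = ipaddress.ip_network(entry)   # accepts a.b.c.d/nn or a.b.c.d/mask
        if net.prefixlen == 0:
            verdict = "open-relay"          # every address may relay
        elif any(net.subnet_of(s) for s in service):
            verdict = "service"
            confined.append(net)
        elif any(net.subnet_of(t) for t in trusted):
            verdict = "trusted"
        elif any(s.subnet_of(net) for s in service):
            verdict = "too-broad"           # service range plus other hosts
        else:
            verdict = "unexpected"
        findings[entry] = verdict
    # Merge adjacent entries so two halves of a range count as covering it.
    merged = list(ipaddress.collapse_addresses(confined))
    missing = [str(s) for s in service
               if not any(s.subnet_of(m) for m in merged)]
    return findings, missing


def may_relay(system, client_ip, other_trusted=()):
    """True if client_ip is inside the service range or a trusted relay."""
    addr = ipaddress.ip_address(client_ip)
    allowed = service_networks(system)
    allowed += [ipaddress.ip_network(t) for t in other_trusted]
    return any(addr in net for net in allowed)


if __name__ == "__main__":
    # Constructed allow list for an account on System 9.
    acl = ["74.125.148.0/255.255.252.0", "0.0.0.0/0", "74.125.0.0/16",
           "198.51.100.0/24", "192.0.2.25/32"]
    findings, missing = audit_relay_acl(9, acl, other_trusted=["192.0.2.25/32"])
    for entry, verdict in findings.items():
        print(f"{entry:30} {verdict}")
    print("uncovered service ranges:", missing or "none")
```

Entries reported as open-relay or too-broad are the ones that let hosts outside the service range relay through the reinjection host.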

Register Your IP in the Administration Console

Register your IP after you have set up a reinjection server, but before you set up a smarthost (or external DNS) on your mail server.

This step is the same for all mail servers.

WARNING: You will not be able to register your IP address before setting up reinjection. If you attempt to do so, you will see an error in the Administration Console and your IP will not be registered.

Register Your IP

1. Log in to the Administration Console. Select your email config and go to the Outbound Servers tab.

2. Click Add Record and enter the following data.

Accepted IP Ranges

Enter a starting and ending IP for your outbound mail server. Use external IP addresses.

You must register the external IP address range of your mail servers that are sending messages to the email security service. To avoid third-party abuse, Outbound Services will reject all outbound mail from IP addresses other than those listed.

If you have only one IP address, enter that IP address in both fields.

Each range you enter must be unique. You cannot add the same IP range to multiple email configs.

Note: The address range must be within a single class C address space. The IP range must be sequential. If you have non-sequential IPs or a range that spans multiple class C addresses, add them as separate IP ranges. Add the first range, then come back and add each later range once you are done.

Reinjection Host

Enter the IP address of your reinjection host. This is the machine you set up to allow a private relay.

This should be the IP address of a mail server that will accept mail from the email security service and send that mail back out again.

You can enter multiple reinjection hosts, and specify a load balance between them. You can also specify failover servers for reinjection. Normally, this is not necessary and these fields can be left blank.

You can also enter a hostname for the reinjection server instead of an IP address. However, you should not do so if the reinjection server has an MX record that routes mail back to the email security service. Use the IP range instead.


3. Click the Save button.

When you click Save, the Administration Console will test your reinjection host to confirm the private relay is set up properly. If your mail server has not been set up to allow Outbound Services to act as a private relay, see “Set Up Reinjection” on page 14 for information about how to set up a private relay.

4. If you have more than one outbound server IP range, add additional records. Go back to step 2 and register each IP range separately using the same instructions.

After you have successfully added your IP address, you can set up a smarthost (or external DNS) safely.
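The Accepted IP Ranges rules above (sequential addresses, each range inside a single class C) can be applied mechanically to a list of sending addresses. This is an added example, not part of the original guide: the function names are hypothetical, the addresses are constructed documentation addresses, and "class C" is treated as a /24 block.

```python
import ipaddress

# RFC 1918 private networks; the guide asks for external addresses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def expand_range(start, end):
    """List every address from start to end inclusive."""
    first = int(ipaddress.IPv4Address(start))
    last = int(ipaddress.IPv4Address(end))
    if last < first:
        raise ValueError("end address is before start address")
    return [str(ipaddress.IPv4Address(n)) for n in range(first, last + 1)]


def validate_record(start, end):
    """Return None if a start/end pair meets the guide's rules, else the reason."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if last < first:
        return "end address is before start address"
    if int(first) >> 8 != int(last) >> 8:
        return "range spans more than one class C (/24) block"
    if any(first in net or last in net for net in RFC1918):
        return "RFC 1918 address, not an external address"
    return None


def registration_records(addresses):
    """Group sending IPs into (start, end) records, one per console entry.

    A record is a run of consecutive addresses that stays inside one /24.
    A lone address becomes a record with the same start and end, matching
    the guide's instruction to enter a single IP in both fields.
    """
    ips = sorted({ipaddress.IPv4Address(a) for a in addresses})
    records = []
    for ip in ips:
        if records:
            start, end = records[-1]
            consecutive = int(ip) == int(end) + 1
            same_block = int(ip) >> 8 == int(end) >> 8
            if consecutive and same_block:
                records[-1] = (start, ip)
                continue
        records.append((ip, ip))
    return [(str(s), str(e)) for s, e in records]


if __name__ == "__main__":
    # Constructed input: one block that crosses a /24 boundary plus two
    # non-sequential hosts.
    senders = expand_range("203.0.113.250", "203.0.114.3")
    senders += ["198.51.100.7", "198.51.100.9"]
    for start, end in registration_records(senders):
        print(f"{start:16} {end:16} {validate_record(start, end) or 'ok'}")
```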

Increase Server Timeouts

Extend the timeout on your outbound server for delivering email. In most cases, a 15-minute timeout is ideal. This provides Outbound with some flexibility to handle slow receiving mail servers.

Timeout settings vary by mail server type. For some servers, it is not necessary to change timeout. For step-by-step instructions for configuring timeouts, see the appropriate chapter in this guide for your mail server.

Option 1: Set Up Private Outbound DNS

Private Outbound DNS Service provides a simple, reliable way to route outbound mail to the message security service. It is the easiest way to route outbound mail. Using a smarthost can cause queued messages and mail delays for many mail servers, especially Microsoft Exchange mail servers.

Private Outbound DNS is generally recommended over using smarthost.

Private Outbound DNS works with all common mail servers. The documentation provides instructions verified for Lotus Domino 6 and 8.5. For other versions of Lotus Domino, please refer to the product documentation on DNS configuration.

Private Outbound DNS Service is designed to ease setup and prevent queueing delays, and is recommended for any administrator using a supported mail server.

Supported Servers

Private Outbound DNS Service works with all common mail servers. Configuration steps are provided for Microsoft Exchange 2003 and 2007/2010, and IBM Lotus Domino. Other mail servers will be documented in the future. For other mail servers, please refer to your mail server product documentation on DNS configuration.


How DNS Works for Outbound Mail

All mail servers use DNS to route outbound mail through the internet. DNS (Domain Name Service) is a way to translate domain names into IP addresses, which are used to contact other machines on the Internet. When a message is sent to another domain, the sending mail server contacts a DNS host to find out the IP address for the receiving server. The sending mail server submits the domain name to the DNS host, and the DNS host returns the IP address of the recipient’s mail server.

This diagram shows how DNS works for outbound mail.

How Private Outbound DNS Works for Outbound Mail

With Private Outbound DNS, you set your mail server to look at specially configured DNS servers on the message security service. Most DNS servers will provide the IP address for each domain name separately. The Private Outbound DNS Service, however, does not return the actual IP address of the recipient. Instead, when your mail server submits any domain name to the Private Outbound DNS Service, the DNS Service returns the IP address for the message security service.

Once you set up Private Outbound DNS, all outgoing mail will be routed through the message security service. Because your mail server is routing directly to the internet and not using a smarthost, mail will not be queued. The message security service then filters outbound mail and routes it to the Internet.

This diagram shows how Private Outbound DNS works for outbound mail.


Addresses for Private Outbound DNS

Because DNS lookups occur before domain names are resolved, you must use an IP address for Private Outbound DNS. Private outbound DNS cannot use domain names.

The appropriate IP address depends on your system. To find what system to use, see “Identify Your System” on page 13.

System    IP Address to use for Private Outbound DNS
5         64.18.4.12
6         64.18.5.12
7         64.18.6.12
8         64.18.7.12
9         74.125.148.12
20        64.18.9.14
200       207.126.147.11
201       207.126.154.11


Option 2: Set Up Smarthost

If you are using a mail server that does not currently support Private DNS, or if you do not wish to use Private DNS, set up a smarthost on your server instead.

Once you’ve set up a reinjection host and added the IP range to the Administration Console, redirect your mail to the email security service by setting up a smarthost. Smarthost is a common term for a server that accepts outbound mail and passes it on to the recipient.

Before you make changes, note your original settings, so that you can restore your settings if any problems occur during setup.

The appropriate smarthost is

outbounds[your system number].obsmtp.com

where [your system number] is your system number. For instance, if you are using System 6, your smarthost address is

outbounds6.obsmtp.com

To find your system number, see “Identify Your System” on page 13.

Setting up a smarthost is different for every server. For step-by-step instructions for setting up a smarthost, see the appropriate chapter in this guide for your mail server.

Test Outbound Mail

Once you have set up your smarthost (or private outbound DNS), test that your configuration is correct and mail is flowing normally.

Testing outbound mail is different for every mail server type. For information on testing outbound mail, see the documentation for your mail server.

Microsoft Exchange Servers

Setting up reinjection and smarthosts on different versions of Microsoft Exchange Server can be especially complex. Different server types require different settings:

For Microsoft Exchange 5.5, see “Microsoft Exchange 5.5” on page 99.

For Microsoft Exchange 2003, the recommended method is Private Outbound DNS. See “Microsoft Exchange 2003 (Private DNS Method)” on page 23.

For Microsoft Exchange 2007, the recommended method is Private Outbound DNS. See “Microsoft Exchange 2007/2010 (Private DNS Method)” on page 31.

For Microsoft Exchange 2010, the recommended method is Private Outbound DNS. See “Microsoft Exchange 2007/2010 (Private DNS Method)” on page 31.


For Microsoft Exchange 2000, or Microsoft Exchange 2003 without Private Outbound DNS, different instructions apply depending on whether your network includes a single mail server, or multiple linked mail servers. If you are using a single server, see “Microsoft Exchange 2000/2003 Single Server (Smarthost method)” on page 47. If you are using multiple linked servers, see “Microsoft Exchange 2000/2003 Multi-Server (Smarthost method)” on page 55.

If you are using Microsoft Exchange 2007 and do not want to use Private Outbound DNS, different instructions apply depending on whether your network includes an Edge Server. If you are using an Edge Server, see “Microsoft Exchange 2007 with an Edge Server (Smarthost method)” on page 83. Otherwise, see “Microsoft Exchange 2007 without an Edge Server (Smarthost method)” on page 65.

If you are using Small Business Server 2000, you can use the instructions in “Microsoft Exchange 2000/2003 Single Server (Smarthost method)” on page 47. Small Business Server 2003 requires more specific configuration; see “Microsoft Small Business Server 2003” on page 103.

Optional: Configure SPF Records for Outbound Services

If you use SPF records, set up SPF records for Outbound Services as well. Setting up SPF DNS entries will minimize non-deliveries through outbound.

Add the following record to your DNS service:

[your domain]. IN TXT "v=spf1 include:spf.[your domain] -all"

where [your domain] is the domain you use for outgoing mail. Note the trailing period in your domain.

Then add the following TXT Record to spf.[your domain]:

spf.[your domain]. IN TXT "v=spf1 ip4:207.126.144.0/20 ip4:64.18.0.0/20 ip4:74.125.148.0/22 ip4:[your IP allocations] ~all"

where [your domain] is the domain you use for outgoing mail, and [your IP allocations] are the IP addresses of your own mail servers, in CIDR format. For a list of IP addresses, see IP Ranges in the Administration Guide.

For example, if your domain is electric-automotive.com, add the following two TXT records:

electric-automotive.com. IN TXT "v=spf1 include:spf.electric-automotive.com -all"

spf.electric-automotive.com. IN TXT "v=spf1 ip4:207.126.144.0/20 ip4:64.18.0.0/20 ip4:74.125.148.0/22 ip4:[your IP allocations] ~all"

If you need help with more complex SPF records, consult the SPF wizard on the Open SPF website to find out how to add your servers to the SPF entries described above:

http://www.openspf.org/wizard.html


Publishing an SPF record following the format described by the SPF wizard should not affect inbound mail flow.
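To see how a receiving server would evaluate the two TXT records described above, the following added example (not part of the original guide) builds them and runs a reduced SPF check over an in-memory zone. It implements only the ip4, include and all mechanisms with the result rules of RFC 7208; the function names and the 192.0.2.0/28 allocation are constructed for illustration.

```python
import ipaddress

# Service ranges that the guide places in the spf.[your domain] record.
SERVICE_CIDRS = ["207.126.144.0/20", "64.18.0.0/20", "74.125.148.0/22"]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def build_spf_zone(domain, own_allocations):
    """Return the guide's two TXT records as a {name: text} mapping."""
    cidrs = SERVICE_CIDRS + list(own_allocations)
    mechanisms = " ".join(f"ip4:{c}" for c in cidrs)
    return {
        domain: f"v=spf1 include:spf.{domain} -all",
        f"spf.{domain}": f"v=spf1 {mechanisms} ~all",
    }


def check_host(ip, name, zone, depth=0):
    """Evaluate the SPF record for name against a sender IP.

    zone stands in for DNS TXT lookups. Mechanisms outside this example's
    subset (a, mx, exists, ptr, macros) are reported as permerror.
    """
    if depth > 10:                       # RFC 7208 caps DNS-querying terms
        return "permerror"
    record = zone.get(name)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            inner = check_host(ip, term[8:], zone, depth + 1)
            if inner == "pass":          # only a pass makes include match
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"       # include target has no usable record
        else:
            return "permerror"
    return "neutral"                     # no mechanism matched


if __name__ == "__main__":
    domain = "electric-automotive.com"
    zone = build_spf_zone(domain, ["192.0.2.0/28"])   # constructed allocation
    for name, text in zone.items():
        print(f'{name}. IN TXT "{text}"')
    for sender in ("64.18.7.12", "192.0.2.5", "198.51.100.9"):
        print(sender, check_host(sender, domain, zone))
```

A sender outside every ip4 range gets softfail from the inner record, which does not satisfy the include, so the outer -all decides and the result for the domain is fail. A record missing the space before -all turns the include target into a name with no SPF record, which evaluates to permerror.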

Alternate Option: Routing Outbound Mail on Your Firewall

Most of this guide contains instructions for how to set up your mail server to route mail to Outbound services. Another option for routing involves setting up Postini outbound using Network address translation (NAT) and stealth-proxying port 25. This requires intimate knowledge of your firewall configuration, and is different for each firewall. If you are familiar with firewall implementation, this can be a simple, flexible way to configure Outbound Services, without the complexity and possible performance problems of a smarthost.

To do this, set your firewall to NAT outbound (i.e. non-local) TCP port 25 traffic to be from your defined external gateway IP address, and to the Postini Outbound load-balancer that is appropriate for your Postini system.

Also, use NAT to configure reinjection of mails back to your mail server. You can do this by relabelling TCP port 25 packets from the Postini IP range so they appear to come from inside your LAN. This is called Port forwarding and is a common configuration option for many IP firewalls.


Chapter 2: Microsoft Exchange 2003 (Private DNS Method)

About Microsoft Exchange 2003 (Private DNS Method)

Microsoft® Exchange Server 2003 is designed as a high-end, scalable system. Microsoft Exchange 2003 servers can be set up to work together in a large email network. It is possible to route all outbound mail through the Email Security Server without affecting the flow of internal mail between servers.

Smarthost solutions for Microsoft Exchange can cause mail queueing delays. Private Outbound DNS Service is designed to ease setup and prevent queueing delays. These steps show how to set Microsoft Exchange 2003 to use Private Outbound DNS to route mail to the email security service.

Private Outbound DNS is recommended over smarthost for Exchange 2003. To use a traditional smarthost method, see “Microsoft Exchange 2000/2003 Single Server (Smarthost method)” on page 47 for single-server environments, or “Microsoft Exchange 2000/2003 Multi-Server (Smarthost method)” on page 55 for multi-server environments.

These instructions provide steps to route mail to Outbound Services and are designed to work with a majority of Microsoft Exchange 2003 deployments.

An important concept in Exchange 2000/2003 multi-server environments is the bridgehead server. A bridgehead server is a mail server that connects to the Internet. Other servers will route outgoing mail to the bridgehead server, which forwards mail to the Internet. Most of the configuration in this chapter applies only to the bridgehead server.

Legal Disclaimer

This guide describes how Postini products work with Microsoft Exchange and the configurations that Postini recommends. These instructions are designed to work with the most common Microsoft Exchange scenarios. Any changes to Microsoft Exchange configuration should be made at the discretion of your Microsoft Exchange administrator.

Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products. In the event of a Microsoft Exchange issue, you should consult your Microsoft Exchange administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options.

Links to Microsoft Exchange Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.

Set Up Reinjection

Before you can register your IP addresses in the Administrative Console or set up a Private DNS Service, you must allow reinjection. For an overview of reinjection concepts, see “Set Up Reinjection” on page 14.

To allow reinjection, configure the IP ranges for Outbound Services to be a trusted relay.

Set up a trusted relay

1. Select the Start Menu -> Programs -> Microsoft Exchange -> System Manager.

2. Expand the top level -> Servers -> <Your Mail Server> -> Protocols -> SMTP.

3. Right-click Default SMTP Virtual Server and select Properties.

4. Click the Access tab.

5. Click Relay.

6. Add IP ranges and other trusted relay servers and click OK to get back to the Access tab. For a list of IP ranges, see “IP Ranges” on page 13.

7. Click the Connection button.

8. If the Connection list is set to “Only the list below”, then add the same IP ranges.

9. Click OK to get back to the Access tab and click OK to close the Default SMTP Virtual Server Properties.

10. If the reinjection servers are not outbound servers, then configure all servers along the mail flow between reinjection and the outbound server to allow the injection server to relay mail traffic through them.

11. Stop and restart the SMTP services.

Register Your IP in the Administration Console

After you have set up reinjection, register the IP address of your outbound mail server in the Administration Console. Do not change your external DNS until your IP address is registered in Outbound Servers. This can take about 15 minutes.

For instructions on how to register your IP in the Administration Console, see “Register Your IP in the Administration Console” on page 15.

Set Up Private Outbound DNS

Route mail to Outbound Services by setting up an external DNS server. For an overview of Private Outbound DNS concepts, see “Option 1: Set Up Private Outbound DNS” on page 16.

1. Select the Start Menu -> Programs -> Microsoft Exchange -> System Manager.

2. Expand the top level -> Servers -> <Your Mail Server> -> Protocols -> SMTP.

3. Right-click Default SMTP Virtual Server & select Properties.

4. Click the Delivery Tab.

5. Click Advanced to go to the Advanced Delivery dialog box.

6. If you have a Smarthost set to point to Outbound Services for mail filtering, clear the Smarthost. The Private Outbound DNS will replace your Smarthost for routing.

7. Click Configure.

8. Click Add and enter the appropriate IP address for your system. Click OK.

The appropriate IP address depends on your system. To find what system to use, see “Identify Your System” on page 13.

9. Click OK again. You should see your IP address listed as an External DNS.

10. Click OK twice to return to the System Manager.

11. In System Manager, restart your mail server.

Test Outbound Mail

Once you have set up Private Outbound DNS, test that your configuration is correct and mail is flowing normally.

Test the configuration.

1. Go to the Queues tab in Internet Mail Service Properties. Items with a retry state could indicate outbound mail delays.

2. Send a message from a mail client inside your network to an outside address. In the header of the received email, you should see a line indicating that the message was received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.

3. Test inbound mail to confirm normal functionality. Send a message from an outside email address to an address on your service.

System   IP Address to use for Private Outbound DNS
5        64.18.4.12
6        64.18.5.12
7        64.18.6.12
8        64.18.7.12
9        74.125.148.12
20       64.18.9.14
200      207.126.147.11
201      207.126.154.11

4. In the Administration Console, select your email config organization and click the Outbound Servers tab. After a minute of successful mail flow, traffic should display on the graph.

5. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking from spammers and will most likely cause an interruption in service.

Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings. If you see an uncertain response (such as “maybe” or “warning”) then check that your private relay settings are correct.

See “Set Up Reinjection” on page 24 for the correct private relay settings.

Troubleshooting

Because Microsoft Exchange is a third-party product, this document cannot include complete troubleshooting steps. For further troubleshooting information, see the Microsoft site for External DNS instructions:

http://technet.microsoft.com/en-us/library/bb124221(EXCHG.65).aspx

You can also find more information in the Microsoft Exchange Server 2003 Transport and Routing Guide:

http://www.microsoft.com/downloads/details.aspx?familyid=C092B7A7-9034-4401-949C-B29D47131622&displaylang=en

How can I be sure my firewall allows a connection to Private Outbound DNS?

Your sending mail server needs to be able to reach the message security service using DNS on UDP port 53.

If you are not sure your network settings allow your mail server to connect to an external DNS host on UDP port 53, run the following test on your mail server:

1. In a DOS command prompt, type nslookup.

2. Note your current default server.

3. In the nslookup prompt, type set q=mx and hit return.

4. In the nslookup prompt, type gmail.com and hit return to get the gmail.com IP address.

5. In the nslookup prompt, type server [IP address] and hit return. For instance, if you are on system 8, type server 64.18.7.12 and hit return. If you are using a different system number, use the appropriate IP address for that system.

6. In the nslookup prompt, type gmail.com again. You should see a different IP address now. If you see an error message, your network settings are blocking your DNS connection.

7. In the nslookup prompt, type server [old default server] to restore your default server. Substitute your previous default server name for [old default server].

8. Press Control-C to exit nslookup.

Microsoft Exchange 2007/2010 (Private DNS Method) Chapter 3

About Microsoft Exchange 2007/2010 (Private DNS Method)

Microsoft® Exchange Server 2007 is designed as a high-end, scalable system, with servers set up to work together in a large email network.

Smarthost solutions for Microsoft Exchange can cause mail queueing delays. Private Outbound DNS Service is designed to ease setup and prevent queueing delays. These steps show how to set Microsoft Exchange 2007 to use Private Outbound DNS to route mail to the email security service.

Private Outbound DNS is recommended over smarthost for Exchange 2007. To use a traditional smarthost method, see “Microsoft Exchange 2007 with an Edge Server (Smarthost method)” on page 83 for networks that include an Edge server, and “Microsoft Exchange 2007 without an Edge Server (Smarthost method)” on page 65 for networks that do not include an Edge server.

These instructions provide steps to route mail to Outbound Services and are designed to work with a majority of Microsoft Exchange 2007 deployments.

Microsoft Exchange 2007 includes a concept that has not existed in previous versions of Microsoft Exchange: different servers are assigned distinct, concrete roles. Two important roles are the Hub server and the Edge server. The Hub server is the center of message routing. The Edge server provides a connection with the outside Internet. Not all networks use an Edge server.

You will make most changes on the Hub server.

Microsoft Exchange 2010 uses the same steps for setting up Private DNS. If you are using Microsoft Exchange 2010, follow these steps to set up outbound with Private DNS.

Legal Disclaimer

This guide describes how Postini products work with Microsoft Exchange and the configurations that Postini recommends. These instructions are designed to work with the most common Microsoft Exchange scenarios. Any changes to Microsoft Exchange configuration should be made at the discretion of your Microsoft Exchange administrator.

Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products. In the event of a Microsoft Exchange issue, you should consult your Microsoft Exchange administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options.

Links to Microsoft Exchange Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.

Set Up Reinjection

Before you can register your IP addresses in the Administrative Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see “Set Up Reinjection” on page 14.

For most configurations of Exchange 2007 and 2010, a sender must provide authentication to relay mail from outside sources. However, SMTP authentication is not possible for reinjection. Instead, create a private relay to allow reinjection.

The simplest way to create a relay in Exchange 2007 or 2010 is to create a receive connector, limit the connector to an appropriate set of IP addresses, and allow anonymous connections.

There are two ways to set up a private relay for Exchange 2007 and 2010, either allowing anonymous access or using an externally secured connector:

• Allow Anonymous Access: Easier to configure, and more reliable. Reinjected messages are considered anonymous. However, this method is not compatible with ResolveP2, and messages will be filtered with Microsoft Exchange 2007/2010 anti-spam filtering.

• Externally Secured Connector: This method requires additional effort, but is compatible with ResolveP2, and reinjected messages bypass anti-spam filtering.

Allow Anonymous Access is the better choice in most cases. If you are using ResolveP2, or if reinjected messages are caught by anti-spam filters, use an Externally Secured Connector instead.

Whichever method you use, first create the receive connector.

Create the Receive Connector

Set up a new Receive Connector on the Hub Server to allow relaying. This step is the same for either method of reinjection setup.

1. Expand Server Configuration from the Exchange Management Console

2. Choose Hub Transport from the server roles list.

3. In the Details Pane choose the appropriate hub transport server

4. In the Properties Pane right click in the Receive Connectors tab and choose New Receive Connector. The following screen will appear:

5. Name the connector “Reinjection” and choose Next.

6. You will see the Local Network Settings page. If you haven’t made any customization to the IP settings of the Hub Server, keep the defaults. Otherwise, use the settings appropriate for your customization.

7. Click Next to go to the Remote Network settings page. Click the default range that is input by the system and click Edit.

8. You will see the Edit Remote Servers box. Enter the appropriate IP range. For a list of IP ranges, see “IP Ranges” on page 13.

9. Click OK, then click Next to continue.

10. Click New, then click Finish on the Completion page.

Method One: Apply Anonymous user access to the connector

The first method to allow reinjection is to set the receive connector to allow Anonymous Users. This is recommended for most configurations.

The first step in this process is to add the Anonymous Permissions Group to the connector.

1. Double click your new connector and choose the Permission Groups tab.

2. Check the Anonymous Users checkbox.

3. Choose OK.

4. Open the Exchange Management Shell from Start -> Programs -> Microsoft Exchange Server 2007 (or 2010) -> Exchange Management Shell.

5. Type the following command:

Get-ReceiveConnector "Reinjection" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

6. You will see a results screen:

Method Two: Externally Secured Connector

If you do not allow Anonymous Access, you can instead create a connector as an externally secured connector. This option allows you to bypass Exchange’s anti-spam filters.

1. Open the newly created connector and click the Permission Groups tab.

2. Check Exchange Servers and click Apply.

3. Click the Authentication tab.

4. Check “Externally secured.”

Using the externally secured setting applies the following permissions:

MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Authoritative-Domain}
MS Exchange\Externally Secured Servers {ms-Exch-Bypass-Anti-Spam}
MS Exchange\Externally Secured Servers {ms-Exch-Bypass-Message-Size-Limit}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Exch50}
MS Exchange\Externally Secured Servers {ms-Exch-Accept-Headers-Routing}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Submit}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Any-Recipient}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Any-Sender}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Authentication-Flag}
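
With either method, the Reinjection connector accepts mail for any recipient without SMTP authentication, so its remote IP range is the only thing keeping the relay private. The following check is an added example, not part of the original guide: it compares the ranges entered on a connector with an approved list and reports every entry that reaches beyond it. The function names and all addresses are constructed for illustration; replace APPROVED with the ranges from “IP Ranges” on page 13.

```python
import ipaddress


def parse_range(text):
    """Parse 'a.b.c.d', 'a.b.c.d/len' or 'a.b.c.d-e.f.g.h' into (first, last) ints."""
    text = text.strip()
    if "-" in text:
        first, last = (int(ipaddress.IPv4Address(p.strip()))
                       for p in text.split("-", 1))
        if first > last:
            raise ValueError("range start is above range end: %r" % text)
        return first, last
    # strict=False accepts a bare host address (treated as /32).
    net = ipaddress.IPv4Network(text, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def merge(ranges):
    """Collapse overlapping or adjacent (first, last) ranges."""
    merged = []
    for first, last in sorted(ranges):
        if merged and first <= merged[-1][1] + 1:
            merged[-1][1] = max(merged[-1][1], last)
        else:
            merged.append([first, last])
    return merged


def audit_relay_scope(connector_ranges, approved_ranges):
    """Return (entry, address_count) for every connector entry that is not
    fully inside the approved ranges. An empty list means the relay only
    accepts connections from approved addresses."""
    approved = merge(parse_range(r) for r in approved_ranges)
    findings = []
    for entry in connector_ranges:
        first, last = parse_range(entry)
        if not any(lo <= first and last <= hi for lo, hi in approved):
            findings.append((entry, last - first + 1))
    return findings


# Constructed sample data: documentation address blocks, not real service ranges.
APPROVED = ["192.0.2.0/25", "192.0.2.128-192.0.2.255", "198.51.100.0/24"]
# Constructed connector entries, as they might be copied from the
# connector's Remote Network settings.
CONNECTOR = ["192.0.2.0/24", "198.51.100.10",
             "0.0.0.0-255.255.255.255", "203.0.113.5"]

if __name__ == "__main__":
    for entry, count in audit_relay_scope(CONNECTOR, APPROVED):
        print("outside approved ranges: %s (%d addresses)" % (entry, count))
```

An entry covering the whole address space, such as the default range the wizard fills in, combined with anonymous relay permission is an open relay.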

Register Your IP in the Administration Console

After you have set up reinjection, register the IP address of your outbound mail server in the Administration Console. Do not change your external DNS until your IP address is registered in Outbound Servers. This can take about 15 minutes.

For instructions on how to register your IP in the Administration Console, see “Register Your IP in the Administration Console” on page 15.

Set Up Private Outbound DNS

Route mail to Outbound Services by setting up an external DNS server. For an overview of Private Outbound DNS concepts, see “Option 1: Set Up Private Outbound DNS” on page 16.

1. Open the Exchange Management Console.

2. Expand the top level -> Server Configuration

3. Right-click your Hub server and select Properties.

4. Click the External DNS Lookups Tab.

5. Select “use these DNS servers:” and enter the appropriate IP address for your system. Press enter to add the address.

The appropriate IP address depends on your system. To find what system to use, see “Identify Your System” on page 13.

System   IP Address to use for Private Outbound DNS
5        64.18.4.12
6        64.18.5.12
7        64.18.6.12
8        64.18.7.12
9        74.125.148.12
20       64.18.9.14
200      207.126.147.11
201      207.126.154.11

6. Click Apply, then click OK to close the dialog box.

7. In the Exchange Management Console, go to Organization Configuration -> Hub Transport.

8. Click the Send Connectors tab.

9. Select the Send Connector you use to route mail to the Internet.

10. Right-click this Send Connector and select Properties.

11. Go to the Network Tab.

12. Choose “Use domain name system (DNS) MX records to route mail automatically.” Do not route mail through a smart host.

13. Check “Use the External DNS Lookup settings on the transport server.”

14. Click OK to exit the dialog.

15. In the Exchange Management Console, restart your server.

Test Outbound Mail

Once you have set up Private Outbound DNS, test that your configuration is correct and mail is flowing normally.

Test the configuration.

1. Go to the Queues tab in Internet Mail Service Properties. Items with a retry state could indicate outbound mail delays.

2. Send a message from a mail client inside your network to an outside address. In the header of the received email, you should see a line indicating that the message was received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.

3. Test inbound mail to confirm normal functionality. Send a message from an outside email address to an address on your service.

4. In the Administration Console, select your email config organization and click the Outbound Servers tab. After a minute of successful mail flow, traffic should display on the graph.

5. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking from spammers and will most likely cause an interruption in service.

Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings. If you see an uncertain response (such as “maybe” or “warning”) then check that your private relay settings are correct.

See “Set Up Reinjection” on page 32 for the correct private relay settings.

Troubleshooting

Because Microsoft Exchange is a third-party product, this document cannot include complete troubleshooting steps. For further troubleshooting information, see the Microsoft article “Configuring DNS Settings for Exchange 2007 Servers” on the Microsoft website:

http://technet.microsoft.com/en-us/library/bb124896(EXCHG.80).aspx

How can I be sure my firewall allows a connection to Private Outbound DNS?

Your sending mail server needs to be able to reach the message security service using DNS on UDP port 53.

If you are not sure your network settings allow your mail server to connect to an external DNS host on UDP port 53, run the following test on your mail server:

1. In a DOS command prompt, type nslookup.

2. Note your current default server.

3. In the nslookup prompt, type set q=mx and hit return.

4. In the nslookup prompt, type gmail.com and hit return to get the gmail.com IP address.

5. In the nslookup prompt, type server [IP address] and hit return. For instance, if you are on system 8, type server 64.18.7.12 and hit return. If you are using a different system number, use the appropriate IP address for that system.

6. In the nslookup prompt, type gmail.com again. You should see a different IP address now. If you see an error message, your network settings are blocking your DNS connection.

7. In the nslookup prompt, type server [old default server] to restore your default server. Substitute your previous default server name for [old default server].

8. Press Control-C to exit nslookup.
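
The nslookup test above, which this guide gives for both Exchange 2003 and Exchange 2007/2010, can also be scripted. The following is an added example, not part of the original guide: it sends one MX query to a chosen DNS server over UDP port 53 and reports whether a usable answer came back. The function names and the sample packet are constructed for illustration. Run it on the mail server itself so that the query takes the same path through your firewall.

```python
import socket
import struct
import sys

TXID = 0x1234  # fixed transaction id; sufficient for a one-shot diagnostic


def build_mx_query(domain, txid=TXID):
    """Build a DNS query for the MX records of `domain` (recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 15, 1)  # QTYPE=MX, QCLASS=IN


def read_name(packet, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, resume, jumps = [], None, 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:          # compression pointer
            if resume is None:
                resume = offset + 2
            offset = ((length & 0x3F) << 8) | packet[offset + 1]
            jumps += 1
            if jumps > 20:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (resume if resume is not None else offset)


def parse_mx_response(packet, txid=TXID):
    """Return a sorted list of (preference, mail exchanger) from a DNS reply."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned rcode %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qdcount):               # skip the echoed question
        _, offset = read_name(packet, offset)
        offset += 4
    records = []
    for _ in range(ancount):
        _, offset = read_name(packet, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == 15:
            pref = struct.unpack("!H", packet[offset:offset + 2])[0]
            host, _ = read_name(packet, offset + 2)
            records.append((pref, host.lower()))
        offset += rdlen
    return sorted(records)


def probe(server, domain, timeout=5.0):
    """Query `server` on UDP 53. Returns ('OK', records), ('BLOCKED', reason)
    when no reply arrives, or ('ERROR', reason) when the reply is unusable."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_mx_query(domain), (server, 53))
            reply, _ = sock.recvfrom(4096)
    except OSError as exc:                 # includes timeouts
        return "BLOCKED", str(exc) or "no reply"
    try:
        return "OK", parse_mx_response(reply)
    except (ValueError, IndexError, struct.error) as exc:
        return "ERROR", str(exc)


# Constructed reply: one MX record, preference 10, mx.example.com.
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x07example\x03com\x00\x00\x0f\x00\x01"
                   b"\xc0\x0c\x00\x0f\x00\x01\x00\x00\x01\x2c\x00\x07"
                   b"\x00\x0a\x02mx\xc0\x0c")

if __name__ == "__main__":
    # Usage: script.py <DNS server IP> <domain>, e.g. the Private Outbound DNS
    # address for your system and gmail.com, as in the nslookup steps.
    print(probe(sys.argv[1], sys.argv[2]))
```

Run it once against your current default DNS server and once against the Private Outbound DNS address: a BLOCKED result for the second only points at the firewall, and two OK results with different answers match what the nslookup steps expect.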

I am still seeing mail queueing

Your mail is still being routed through a smarthost. Try the following steps:

1. If you set up a smarthost to route mail to Outbound Servers, disable the smarthost.

2. Restart your mail server.

Microsoft Exchange 2000/2003 Single Server (Smarthost method) Chapter 4

About Microsoft Exchange 2000/2003 Single-Server

This chapter describes how to set up Outbound Services for an environment with a single Microsoft® Exchange Server 2000/2003 using a smarthost.

The recommended method for setting up Outbound Servers with Microsoft Exchange 2003 is Private Outbound DNS. For more information, see “Microsoft Exchange 2003 (Private DNS Method)” on page 23.

If your environment has multiple mail servers, recommended configurations are slightly different. See “Microsoft Exchange 2000/2003 Multi-Server (Smarthost method)” on page 55 for information on multi-server environments.

Legal Disclaimer

This guide describes how Postini products work with Microsoft Exchange and the configurations that Postini recommends. These instructions are designed to work with the most common Microsoft Exchange scenarios. Any changes to Microsoft Exchange configuration should be made at the discretion of your Microsoft Exchange administrator.

Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products. In the event of a Microsoft Exchange issue, you should consult your Microsoft Exchange administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options.

Links to Microsoft Exchange Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.

Set Up Reinjection

Before you can register your IP addresses in the Administrative Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see “Set Up Reinjection” on page 14.

Configure Outbound Services IP ranges to be a trusted relay

1. Select the Start Menu -> Programs -> Microsoft Exchange -> System Manager

2. Expand the top level -> Servers -> Your Mail Server -> Protocols -> SMTP

3. Right-click Default SMTP Virtual Server and select Properties.

4. Click the Access tab.

5. Click Relay.

6. Click the Relay button.

7. Add IP ranges and other trusted relay servers and click OK to get back to the Access tab. For a list of IP ranges, see “IP Ranges” on page 13.

8. Click the Connection button.

9. If the Connection list is set to “Only the list below”, then add the same IP ranges.

10. Click OK to get back to the Access tab, and click OK to close the Default SMTP Virtual Server Properties.

11. If the reinjection servers are not outbound servers, then all servers along the mailflow between the reinjection server and the outbound server must be configured to allow the injection server to relay mail traffic through them.

12. Stop and restart the SMTP services.

Register Your IP in the Administration Console

After you have set up reinjection, enter the IP address of your outbound mail server in the Administration Console. Do not change your smarthost until your IP address is registered in Outbound Servers.

For instructions on how to register your IP in the Administration Console, see “Register Your IP in the Administration Console” on page 15.

Increase Server Timeouts

To improve reliability of delivery, be sure to increase the timeouts of your outbound mail server. This provides Outbound Services with some flexibility to handle slow receiving mail servers.

Increase server timeouts

1. Select the Start Menu -> Programs -> Microsoft Exchange -> System Manager.

2. Expand the top level -> Servers -> <Your Mail Server> -> Protocols -> SMTP. Right-click the Virtual Server used for outbound routing.

3. Click the Delivery tab.

4. At the bottom of the Properties window, click Outbound Connections.

5. Set the “Time-out (minutes)” value to 15 or more.

6. Click OK to close Outbound Connections.

7. Click OK to close Virtual Server Properties.

Set Up Smarthost

There are two ways to set up a smarthost in a Microsoft Exchange 2000/2003 environment. Setting up an SMTP connector alone can cause delays, since any failed outbound message will cause an interruption of mail flow.

To prevent interruption of mail flow, you can route outbound mail with a Virtual Server, or you can configure a connector and reduce the retry interval.

• Configure a Virtual Server, and point SMTP connectors to that server. This requires additional setup effort, but minimizes delays. This is the recommended method. Use this method if you do not have any connectors.

• Configure a Connector, and reduce the retry interval on your server. When an outbound message fails, the connector will continue to retry every minute. However, this method can cause delays.

Option One: Configure a Virtual Server

To filter outbound internet mail, configure your server to use an SMTP virtual server to deliver outbound mail to the email security service by smarthost.

Microsoft Exchange connectors will override the virtual server for an organization. If you are also using connectors, take an extra step to be sure that traffic is routed appropriately.

Configure the smarthost to route traffic to Outbound Services

1. Right-click “Default SMTP Virtual Server” and select Properties. Click the Delivery tab.

2. Click the Advanced button in the lower right-hand corner of the dialog.

3. On the General tab, type in the appropriate hostname listed below in the field labeled “Forward all mail through this connector to the following smart hosts”.

Forward outbound mail to

outbounds[your system number].obsmtp.com

where [your system number] is your system number. To find what system to use, see “Identify Your System” on page 13.

4. Click OK to close the Advanced dialog and OK to save the changes and close SMTP Virtual Server Properties.

Limit Address Space

If you are using this method, and you have SMTP Connectors, check all Connectors associated with the Virtual Server. Limit the Address Space to only local domains, whose traffic should not be routed to Outbound Services.

For each connector:

1. Right click the connector and click Properties

2. Click the Address Space tab

3. Remove the asterisk (*) entry and replace it with your own domain and any other domains that should be routed locally

Option Two: Configure a Connector

With this option, a connector sends mail directly to the email security service. To avoid delays, the retry interval is decreased so if a failure occurs, your mail server recovers quickly.

Change Retry Interval

Do the following for each SMTP virtual server connector in the environment that is designated as a bridgehead:

1. Right-click the SMTP Virtual Server and select Properties.

2. Click the Delivery tab.

3. Under Outbound, change the default values to the following:

First retry interval (minutes): 1

Second retry interval (minutes): 1

Third retry interval (minutes): 3

Subsequent retry interval (minutes): 5

Configure the smarthost to route traffic to Outbound Services

1. Click Connectors and then right-click the SMTP Connector (or the Internet Mail SMTP Connector) and select Properties.

2. On the General tab, type in the appropriate hostname listed below in the field labeled “Smart host”.

Forward outbound mail to

outbounds[your system number].obsmtp.com

where [your system number] is your system number. To find what system to use, see “Identify Your System” on page 13.

3. Click OK to save the changes and close the SMTP Connector properties.

Test Outbound Mail

Once you have set up your smarthost, test that your configuration is correct and mail is flowing normally.

Test the configuration

1. Go to the Queues tab in Internet Mail Service Properties. Items with a retry state could indicate outbound mail delays.

2. Send a message from a mail client inside your network to an outside address. In the header of the received email, you should see a line indicating that the message was received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.

3. Test inbound mail to confirm normal functionality. Send a message from an outside email address to an address on your service.

4. In the Administration Console, select your email config organization and click the Outbound Servers tab. After a minute of successful mail flow, traffic should display on the graph.

5. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking from spammers and will most likely cause an interruption in service.

Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings. If you see an uncertain response (such as “maybe” or “warning”) then check that your private relay settings are correct.

See “Set Up Reinjection” on page 48 for the correct private relay settings.
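
Step 2 of “Test the configuration”, which appears in each Exchange chapter of this guide, asks you to look for an exprodNobM.obsmtp.com line in the header of the test message. The following is an added example, not part of the original guide, that performs that check on the raw source of a received message. The hostname pattern comes from the guide; the function names, the sample messages and the concrete hostname exprod7ob112.obsmtp.com are constructed for illustration.

```python
import re
from email import message_from_string

# Hostname pattern from the guide: exprodNobM.obsmtp.com, N and M numeric.
HOST = r"(exprod\d+ob\d+\.obsmtp\.com)"
RECEIVED_BY = re.compile(r"\bby\s+" + HOST, re.IGNORECASE)     # service accepted it
HANDED_ON_FROM = re.compile(r"^from\s+" + HOST, re.IGNORECASE)  # service delivered it


def received_hops(raw_message):
    """Received header values, oldest hop first, folding whitespace collapsed."""
    msg = message_from_string(raw_message)
    hops = [" ".join(value.split()) for value in msg.get_all("Received", [])]
    return hops[::-1]  # headers are prepended, so the last one is the oldest


def check_outbound_route(raw_message):
    """Return (status, received_by, delivered_by).

    status is 'OK' when the service both received and delivered the message,
    'PARTIAL' when only one side is visible, and 'BYPASS' when no hop names
    the service, i.e. the message left your network by another route."""
    received_by, delivered_by = [], []
    for hop in received_hops(raw_message):
        match = RECEIVED_BY.search(hop)
        if match:
            received_by.append(match.group(1).lower())
        match = HANDED_ON_FROM.search(hop)
        if match:
            delivered_by.append(match.group(1).lower())
    if received_by and delivered_by:
        status = "OK"
    elif received_by or delivered_by:
        status = "PARTIAL"
    else:
        status = "BYPASS"
    return status, received_by, delivered_by


# Constructed sample: message that passed through the outbound service.
FILTERED = """\
Received: from exprod7ob112.obsmtp.com (exprod7ob112.obsmtp.com [198.51.100.25])
\tby mx.recipient.example with ESMTP id abc123; Mon, 3 May 2010 10:00:05 -0700
Received: from mail.sender.example ([192.0.2.10])
\tby exprod7ob112.obsmtp.com with SMTP; Mon, 3 May 2010 10:00:03 -0700
From: user@sender.example
To: friend@recipient.example
Subject: outbound routing test

test
"""

# Constructed sample: message delivered straight to the recipient's server.
DIRECT = """\
Received: from mail.sender.example ([192.0.2.10])
\tby mx.recipient.example with ESMTP id def456; Mon, 3 May 2010 10:05:00 -0700
From: user@sender.example
To: friend@recipient.example
Subject: outbound routing test

test
"""

if __name__ == "__main__":
    for label, raw in (("filtered", FILTERED), ("direct", DIRECT)):
        print(label, check_outbound_route(raw))
```

A BYPASS result on a real test message means outbound mail is not being routed through Outbound Services.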

Troubleshooting

Because Microsoft Exchange is a third-party product, this document cannot include complete troubleshooting steps. For further troubleshooting information, see the Microsoft website:

http://support.microsoft.com/kb/284204

In MS Exchange 2000 and 2003, the smarthost is configured in the Default Virtual Server; however, mail traffic is still being sent via the Internet.

A connector may be directing traffic to the Internet directly. On an MS Exchange 2000 server, connectors such as the Internet Mail Service Connector override Virtual Server settings.

Modify the connector so it will not affect outbound traffic.

1. Select the Start Menu -> Programs -> Microsoft Exchange -> System Manager.

2. Expand the top level -> Connectors.

3. Right-click Default SMTP Connector & select Properties.

4. Click the Address Space tab.

5. If the SMTP address space is “*” or otherwise includes outgoing mail traffic, then click the “Modify” button and limit the connector to just traffic which should not be sent to Outbound Services.

6. Click OK as necessary to save changes and then restart the MS Exchange 2000 service.

Why does Microsoft Exchange 2000/2003 defer all outbound mail when configured to use TLS?

This can happen when Outbound Services is not configured to accept outbound mail connections using TLS. You can resolve this by configuring Outbound Services to accept outbound mail connections using TLS.

If the Exchange server is attempting to use TLS but the TLS option for outbound mail is turned off in the Administration Console, Exchange will defer all mail until it can successfully send the mail using TLS.

For instructions on configuring Outbound Services to use TLS for outbound mail, see the following page in the Message Security Administration Guide:

http://www.postini.com/webdocs/admin_ee_cu/ob_tls_config.html

Page 54: Outbound Config En

Page 55: Outbound Config En

Chapter 5: Microsoft Exchange 2000/2003 Multi-Server (Smarthost method)

About Microsoft Exchange 2000/2003 Multi-Server

Microsoft® Exchange Server 2000/2003 is designed as a high-end, scalable system. Microsoft Exchange 2000/2003 servers can be set up to work together in a large email network. It is possible to route all outbound mail through the Email Security Server without affecting the flow of internal mail between servers.

This chapter describes how to set up Outbound Services for a multi-server Microsoft® Exchange Server 2000/2003 environment using a smarthost.

The recommended method for setting up Outbound Servers with Microsoft Exchange 2003 is Private Outbound DNS. For more information, see “Microsoft Exchange 2003 (Private DNS Method)” on page 23.

An important concept in Exchange 2000/2003 multi-server environments is the bridgehead server. A bridgehead server is a mail server that connects to the Internet. Other servers will route outgoing mail to the bridgehead server, which forwards mail to the Internet. Most of the configuration in this chapter applies only to the bridgehead server.

More complex environments with non-standard routing group/bridgehead configurations may require the use of a separate outbound gateway server:

• The routing group bridgeheads must relay all outbound mail to the gateway server.

• The gateway server must forward all mail to the email security service as a smarthost.

The gateway server can be any platform: another MS Exchange server, an MS IIS server, or any other standard MTA software such as Sendmail, Postfix, etc.

Page 56: Outbound Config En

Legal Disclaimer

This guide describes how Postini products work with Microsoft Exchange and the configurations that Postini recommends. These instructions are designed to work with the most common Microsoft Exchange scenarios. Any changes to Microsoft Exchange configuration should be made at the discretion of your Microsoft Exchange administrator.

Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products. In the event of a Microsoft Exchange issue, you should consult your Microsoft Exchange administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options.

Links to Microsoft Exchange Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.

Choose Smarthost Method

Setting up a smarthost on an SMTP connector alone can cause delays, since any failed outbound message will cause an interruption of mail flow.

To prevent interruption of mail flow, you can either reduce the retry interval or use a new Virtual Server.

Which Method to Use

Before you set up a smarthost with Microsoft Exchange 2000/2003 in a multi-server environment, decide which method to use.

• Configuring a Virtual Server, and pointing any outgoing SMTP connectors to that server, is recommended for most large environments. It causes the fewest delays. If you have a large environment, or you do not have connectors enabled, use this method.

• Configuring a connector and reducing the retry interval on the bridgehead server reduces delays, but does not eliminate them completely. However, it may be easier to configure. If you have a small environment, or if you are unable to set up a virtual server, use this method.

Details About Virtual Servers and Connectors

Most configuration settings in Microsoft Exchange 2000/2003 servers are made for Virtual Servers. A Virtual Server acts as a separate machine, though it may reside on the same hardware as other Virtual Servers.

In a multi-server Exchange environment, SMTP connectors route mail traffic in a controlled manner.

Page 57: Outbound Config En

However, SMTP connectors require some special consideration during outbound configuration, because they are primarily designed to route internal traffic. SMTP Connectors automatically detect and attempt to route around failures. If any receiving server rejects or defers a message, the connector will temporarily cease to function. This can lead to a long mail queue and delayed delivery.

Set Up Reinjection

Before you can register your IP addresses in the Administration Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see “Set Up Reinjection” on page 14.

To allow reinjection, configure the IP ranges for Outbound Services to be a trusted relay.

Set up a trusted relay

1. Select the Start Menu -> Programs -> Microsoft Exchange -> System Manager

2. Expand the top level -> Servers -> <Your Mail Server> -> Protocols -> SMTP

3. Right-click Default SMTP Virtual Server & select Properties.

4. Click the Access tab.

5. Click Relay.

6. Add IP ranges and other trusted relay servers and click OK to get back to the Access tab. For a list of IP ranges, see “IP Ranges” on page 13.

7. Click the Connection button.

Page 58: Outbound Config En

8. If the Connection list is set to “Only the list below”, then add the same IP ranges.

9. Click OK to get back to the Access tab and click OK to close the Default SMTP Virtual Server Properties.

10. If the reinjection servers are not outbound servers, then configure all servers along the mail flow between reinjection and the outbound server to allow the injection server to relay mail traffic through them.

11. Stop and restart the SMTP services.

Register Your IP in the Administration Console

After you have set up reinjection, register the IP address of your outbound mail server in the Administration Console. Do not change your smarthost until your IP address is registered in Outbound Servers.

For instructions on how to register your IP in the Administration Console, see “Register Your IP in the Administration Console” on page 15.

Increase Server Timeouts

To improve reliability of delivery, be sure to increase the timeouts of your outbound mail server. This provides Outbound Services with some flexibility to handle slow receiving mail servers.

Page 59: Outbound Config En

Increase server timeouts

1. Select the Start Menu -> Programs -> Microsoft Exchange -> System Manager.

2. Expand the top level -> Servers -> <Your Mail Server> -> Protocols -> SMTP. Right-click the Virtual Server used for outbound routing.

3. Click the Delivery tab.

4. At the bottom of the Properties window, click Outbound Connections.

5. Set the “Time-out (minutes)” value to 15 or more.

6. Click OK to close Outbound Connections.

7. Click OK to close Virtual Server Properties.

Set Up Smarthost

There are multiple ways to set up a smarthost in a Microsoft Exchange 2000/2003 multi-server environment. For a comparison of the two, see “Choose Smarthost Method” on page 56.

Option One: Configure a Virtual Server

To filter outbound internet mail while still allowing internal mail to flow properly between the servers and routing groups, configure each bridgehead server to use an SMTP virtual server to deliver outbound mail to the email security service by smarthost.

The steps below describe how to add the email security service as the smarthost for external outbound mail without interrupting internal mail flow.

In most cases, you will need to add a new SMTP virtual server, even if one is already in use. Bind this new virtual server to a different IP address or port number to avoid interfering with the existing one.

Create a new SMTP virtual server

1. Click Start -> Programs -> Microsoft Exchange -> System Manager

2. Expand the top level -> Servers -> <Your Mail Server> -> Protocols -> SMTP

3. Right-click SMTP and select Add a New Virtual Server.

4. Accept all default configurations on the SMTP Virtual Server screens.

Note: You will see an error message that the Virtual Server is configured to use the same IP address and port as the existing server. Dismiss the error message.

Page 60: Outbound Config En

Configure the new virtual server to listen on a unique port number

1. Right-click the new virtual server and select Properties.

2. On the General tab, click Advanced.

3. Highlight the IP Address and click Edit.

4. Change the TCP Port to 26 (or any other unused port).

All internal servers that need to communicate with this existing server will also need to be reconfigured to use this alternate port number.

As an alternative, if the machine is multihomed (i.e. has more than one network interface), you can configure the new virtual server to use a different IP address rather than a different port. This is simpler and avoids potential communication issues between this machine and the other machines in the routing group. Consult your Exchange documentation for details on how to do this.

5. Configure the new virtual server to allow other internal mail servers to relay traffic through it.

Configure the smarthost for the SMTP virtual server to route traffic to the email security service

1. In the lower right corner of the window, click Advanced.

2. Type in the appropriate smarthost hostname listed below in the field labeled “Smart host”.

The appropriate smarthost is

outbounds[your system number].obsmtp.com

where [your system number] is your system number. To find what system to use, see “Identify Your System” on page 13.

3. Click OK to close the Advanced dialog and OK to save the changes and close the SMTP Virtual Server Properties.

Configure your firewall

If necessary, configure the firewall or router to allow outbound traffic on port 26 (or whichever port was used) to ensure that traffic between the internal servers will not be blocked. (If an alternate IP address was used, this step is skipped.)

Configure other mail servers

On other machines which need to send outbound mail by way of this new virtual server, make the following configurations:

1. Right-click the Virtual Server and select Properties.

2. On the Delivery tab, click the Outbound Connections button.

3. Change the TCP port to 26 (or whatever port was chosen for the Inbound/Outbound server settings above) and click OK.

Page 61: Outbound Config En

4. In the lower right corner of the Delivery tab, click Advanced.

5. Type in the appropriate smarthost hostname listed below in the field labeled “Smart host”.

The appropriate smarthost is

outbounds[your system number].obsmtp.com

where [your system number] is your system number. To find what system to use, see “Identify Your System” on page 13.

Note: If an alternate IP address was used, configuration changes to the other machines may be necessary if they are using the bridgehead as a smart host. If not, changes may not be necessary.

Option Two: Configure a Connector

With this option, a connector sends mail directly to the email security service. To avoid delays, the retry interval is decreased so if a failure occurs your mail server will recover quickly.

This will not completely eliminate delays, but will reduce the duration of delays.

Change the Retry Interval

On each SMTP Virtual Server in the environment which is designated as a bridgehead:

1. Right-click the SMTP Virtual Server and select Properties.

2. Click the Delivery tab.

3. Under Outbound, change the default values to the following:

First retry interval (minutes): 1

Second retry interval (minutes): 1

Third retry interval (minutes): 3

Subsequent retry interval (minutes): 5

Configure the smarthost to route traffic to Outbound Services

1. Click Connectors and then right-click the SMTP Connector (or the Internet Mail SMTP Connector) and select Properties.

2. On the General tab, type in the appropriate hostname in the field labeled “Forward all mail through this connector to the following smart hosts”.

Forward outbound mail to

outbounds[your system number].obsmtp.com

where [your system number] is your system number. To find what system to use, see “Identify Your System” on page 13.

Page 62: Outbound Config En

3. Click OK to save the changes and close the SMTP Connector properties.

Option Three: Setting Up Multiple SMTP Connectors

Another alternative, rather than configuring the smart host in the SMTP Virtual Server, is to use two or more SMTP Connectors and configure them to share the mail flow load in a load-balanced fashion. This is an advanced configuration and should be carefully considered and thoroughly researched before being attempted.

Test Outbound Mail

Once you have set up your smarthost, test that your configuration is correct and mail is flowing normally.

Test the configuration.

1. Go to the Queues tab in Internet Mail Service Properties. Items with a retry state could indicate outbound mail delays.

2. Send a message from a mail client inside your network to an outside address. In the headers of the received message, you should see a line indicating that the message was received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.

3. Test inbound mail to confirm normal functionality. Send a message from an outside email address to an address on your service.

4. In the Administration Console, select your email config organization and click the Outbound Servers tab. After a minute of successful mail flow, traffic should display on the graph.

5. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking from spammers and will most likely cause an interruption in service.

Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings. If you see an uncertain response (such as “maybe” or “warning”) then check that your private relay settings are correct.

See “Set Up Reinjection” on page 57 for the correct private relay settings.

Troubleshooting

Because Microsoft Exchange is a third-party product, this document cannot include complete troubleshooting steps. For further troubleshooting information, see the Microsoft website:

http://support.microsoft.com/kb/284204

Page 63: Outbound Config En

In MS Exchange 2000 and 2003, the smarthost is configured in the Default Virtual Server, but mail traffic is still being sent via the Internet.

A connector may be directing traffic to the Internet directly. On an MS Exchange 2000 server, connectors such as the Internet Mail Service Connector override Virtual Server settings.

Modify the connector so it will not affect outbound traffic.

1. Select the Start Menu -> Programs -> Microsoft Exchange -> System Manager.

2. Expand the top level -> Connectors.

3. Right-click Default SMTP Connector & select Properties.

4. Click the Address Space tab.

5. If the SMTP address space is “*” or otherwise includes outgoing mail traffic, then click the “Modify” button and limit the connector to just traffic which should not be sent to Outbound Services.

6. Click OK as necessary to save changes and then restart the MS Exchange 2000 service.

Why does the queue sometimes freeze up?

Most often, mail flow problems with Outbound Services are caused by an outbound connector encountering a deferral error.

You can also find more information about how to use Queue Viewer to troubleshoot mail flow issues in Exchange Server 2003 on the Microsoft support site:

http://support.microsoft.com/kb/default.aspx?scid=kb;en-us;823489

Why does Microsoft Exchange 2000/2003 defer all outbound mail when configured to use TLS?

This can happen when Outbound Services is not configured to accept outbound mail connections using TLS. You can resolve this by configuring Outbound Services to accept outbound mail connections using TLS.

If the Exchange server is attempting to use TLS but the TLS option for outbound mail is turned off in the Administration Console, Exchange will defer all mail until it can successfully send the mail using TLS.

For instructions on configuring Outbound Services to use TLS for outbound mail, see the following page in the Message Security Administration Guide:

http://www.postini.com/webdocs/admin_ee_cu/ob_tls_config.html

Page 64: Outbound Config En

Page 65: Outbound Config En

Chapter 6: Microsoft Exchange 2007 without an Edge Server (Smarthost method)

About Microsoft Exchange 2007 without an Edge Server

Microsoft® Exchange Server 2007 is designed as a high-end, scalable system, with servers set up to work together in a large email network.

The recommended method for setting up Outbound Servers with Microsoft Exchange 2007 is Private Outbound DNS. For more information, see “Microsoft Exchange 2007/2010 (Private DNS Method)” on page 31.

Microsoft Exchange 2007 includes a concept that has not existed in previous versions of Microsoft Exchange: different servers are assigned distinct, concrete roles. An Edge Server is one such role. The Edge Server connects all other Exchange Servers to the Internet, and provides filtering and security.

This chapter gives details of how to set up Outbound Services for Exchange 2007 if you do not have an Edge Server. In this case, set up Outbound Services on a Hub Transport server. If you do have an Edge Server, see the instructions in the chapter “Microsoft Exchange 2007 with an Edge Server (Smarthost method)” on page 83.

There is no need to increase the timeouts for Microsoft Exchange 2007 mail servers. The default timeout settings are appropriate.

For Microsoft Exchange 2010, use the Private Outbound DNS method. For more information, see “Microsoft Exchange 2007/2010 (Private DNS Method)” on page 31.

Legal Disclaimer

This guide describes how Postini products work with Microsoft Exchange and the configurations that Postini recommends. These instructions are designed to work with the most common Microsoft Exchange scenarios. Any changes to Microsoft Exchange configuration should be made at the discretion of your Microsoft Exchange administrator.

Page 66: Outbound Config En

Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products. In the event of a Microsoft Exchange issue, you should consult your Microsoft Exchange administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options.

Links to Microsoft Exchange Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.

Set Up Reinjection

Before you can register your IP addresses in the Administration Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see “Set Up Reinjection” on page 14.

For most configurations of Exchange 2007, a sender must provide authentication to relay mail from outside sources. However, SMTP authentication is not possible for reinjection. Instead, create a private relay to allow reinjection.

The simplest way to create a relay in Exchange 2007 is to create a receive connector, limit the connector to an appropriate set of IP addresses, and allow anonymous connections.

There are two ways to set up a private relay for Exchange 2007: allow anonymous access, or use an externally secured connector.

• Allow Anonymous Access: Easier to configure, and more reliable. Reinjected messages are considered anonymous. However, this method is not compatible with ResolveP2, and messages will be filtered with Microsoft Exchange 2007 anti-spam filtering.

• Externally Secured Connector: This method requires additional effort, but is compatible with ResolveP2, and reinjected messages bypass anti-spam filtering.

Allow Anonymous Access is the better choice in most cases. If you are using ResolveP2, or if reinjected messages are caught by anti-spam filters, use an Externally Secured Connector instead.

Whichever method you use, first create the receive connector.

Create the Receive Connector

Set up a new Receive Connector on the Hub Server to allow relaying. This step is the same for either method of reinjection setup.

1. Expand Server Configuration from the Exchange Management Console

2. Choose Hub Transport from the server roles list.

3. In the Details Pane choose the appropriate hub transport server

Page 67: Outbound Config En

4. In the Properties Pane right click in the Receive Connectors tab and choose New Receive Connector. The following screen will appear:

5. Name the connector “Reinjection” and choose Next

6. You will see the Local Network Settings page. If you haven’t made any customization to the IP settings of the Hub Server, keep the defaults. Otherwise, use the settings appropriate for your customization.

Page 68: Outbound Config En

7. Click Next to go to the Remote Network settings page. Click the default range that is input by the system and click Edit.

Page 69: Outbound Config En

8. You will see the Edit Remote Servers box. Enter the appropriate IP range. For a list of IP ranges, see “IP Ranges” on page 13.

9. Click OK, then click Next to continue.

Page 70: Outbound Config En

10. Click New, then click Finish on the Completion page.

Method One: Apply Anonymous user access to the connector

The first method to allow reinjection is to set the receive connector to allow Anonymous Users. This is recommended for most configurations.

The first step in this process is to add the Anonymous Permissions Group to the connector.

1. Double click your new connector and choose the Permission Groups tab.

2. Check the Anonymous Users checkbox.

3. Choose OK.

Page 71: Outbound Config En

4. Open the Exchange Management Shell from Start -> Programs -> Microsoft Exchange Server 2007 -> Exchange Management Shell

5. Type the following command:

Get-ReceiveConnector "Reinjection" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

6. You will see a results screen:

Page 72: Outbound Config En

Method Two: Externally Secured Connector

If you do not allow Anonymous Access, you can instead create a connector as an externally secured connector. This option allows you to bypass Exchange’s anti-spam filters.

1. Open the newly created connector and click the Permission Groups tab.

2. Check Exchange Servers and click Apply.

Page 73: Outbound Config En

3. Click the Authentication tab.

4. Check “Externally secured.”

Page 74: Outbound Config En

Using the externally secured setting applies the following permissions:

MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Authoritative-Domain}
MS Exchange\Externally Secured Servers {ms-Exch-Bypass-Anti-Spam}
MS Exchange\Externally Secured Servers {ms-Exch-Bypass-Message-Size-Limit}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Exch50}
MS Exchange\Externally Secured Servers {ms-Exch-Accept-Headers-Routing}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Submit}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Any-Recipient}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Authentication-Flag}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Any-Sender}
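Both reinjection methods above leave a receive connector that accepts mail for any recipient without SMTP authentication, so the connector's remote IP ranges are what keep it from acting as an open relay. The following added example (not part of the original guide) audits a connector's ranges against the trusted ranges. The range values are constructed placeholders standing in for the list under “IP Ranges” on page 13, and the three input forms (single address, CIDR, start-end) are an assumption about how the ranges were exported.

```python
import ipaddress

# Constructed placeholder ranges (documentation address space). Replace with
# the ranges listed under "IP Ranges" in this guide before real use.
TRUSTED_RANGES = ["192.0.2.0/24", "198.51.100.0-198.51.100.127"]


def parse_range(text):
    """Parse 'a.b.c.d', 'a.b.c.d/nn' or 'a.b.c.d-e.f.g.h' into (first, last) ints."""
    text = text.strip()
    if "-" in text:
        start, end = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        if int(start) > int(end):
            raise ValueError("range start is above range end: " + text)
        return int(start), int(end)
    net = ipaddress.IPv4Network(text, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def merge(ranges):
    """Merge overlapping or adjacent (first, last) ranges into a sorted list."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def uncovered(candidate, trusted):
    """Return the parts of candidate (lo, hi) that no trusted range covers."""
    lo, hi = candidate
    gaps = []
    for t_lo, t_hi in trusted:
        if t_hi < lo:
            continue
        if t_lo > hi:
            break
        if t_lo > lo:
            gaps.append((lo, t_lo - 1))
        lo = t_hi + 1
        if lo > hi:
            break
    if lo <= hi:
        gaps.append((lo, hi))
    return gaps


def fmt(span):
    return f"{ipaddress.IPv4Address(span[0])}-{ipaddress.IPv4Address(span[1])}"


def audit_connector(remote_ip_ranges, trusted_ranges=TRUSTED_RANGES):
    """List connector entries that admit addresses outside the trusted ranges."""
    trusted = merge(parse_range(r) for r in trusted_ranges)
    findings = []
    for entry in remote_ip_ranges:
        gaps = uncovered(parse_range(entry), trusted)
        if gaps:
            findings.append({
                "entry": entry,
                "exposed_addresses": sum(hi - lo + 1 for lo, hi in gaps),
                "first_gap": fmt(gaps[0]),
            })
    return findings


if __name__ == "__main__":
    # Constructed connector settings: one range covering every address,
    # one correctly restricted list, one prefix that is a bit too wide.
    for ranges in (["0.0.0.0-255.255.255.255"],
                   ["192.0.2.0/24", "198.51.100.0-198.51.100.63"],
                   ["192.0.2.0/23"]):
        print(ranges, "->", audit_connector(ranges) or "OK")
```

An empty result means every address the connector accepts falls inside a trusted range; any finding is an address block that could relay through the connector unauthenticated.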

Page 75: Outbound Config En

Register Your IP in the Administration Console

After you have set up reinjection, register the IP address of your outbound mail server in the Administration Console. Do not change your smarthost until your IP address is registered in Outbound Servers.

For instructions on how to register your IP in the Administration Console, see “Register Your IP in the Administration Console” on page 15.

Set Up Smarthost

After you have set up reinjection and registered the IP of your outbound mail server in the Administration Console, create and configure a Send Connector on your Hub Connector Server.

1. Choose Organization Configuration -> Hub Transport.

2. Select Send Connectors.

3. Right click in the actions pane and choose New Send Connector.

4. Name the connector “Outbound”.

5. Under “Select the intended use for this Send Connector,” select Internet.

Page 76: Outbound Config En

6. Click Add and enter the address space “*” so that all mail will be routed through the new connector.

7. Check “Include all subdomains.”

8. Under Network settings, select “Route mail through the following smart hosts.”

Page 77: Outbound Config En

9. Click Add.

10. Enter the appropriate smart host.

The appropriate smart host setting is

outbounds[your system number].obsmtp.com

where [your system number] is your system number. To find what system to use, see “Identify Your System” on page 13.

Page 78: Outbound Config En

11. Under “Configure smart host authentication settings” select None.

12. Click Add and list each outbound hub server that will act as a bridgehead.

Page 79: Outbound Config En

Page 80: Outbound Config En

13. Click New, then click Finish to complete the send connector configuration.

Page 81: Outbound Config En

Test Outbound Mail

Check the mail queues of the mail server.

1. In the Internet Mail Service Properties select the Queues tab. Look for items with a retry state which could indicate outbound mail delays.

2. Send a message from a mail client inside your network to an outside address. In the headers of the received message, you should see a line indicating that the message was received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.

3. Test inbound mail to confirm normal functionality. Send a message from an outside email address to an address on your service.

Page 82: Outbound Config En

4. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking from spammers and will most likely cause an interruption in service.

Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings. If you see an uncertain response (such as “maybe” or “warning”) then check that your private relay settings are correct.

See “Set Up Reinjection” on page 66 for the correct private relay settings.
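The header check in step 2 of the Test Outbound Mail procedures can be scripted. The following added example (not part of the original guide) reads the Received headers of a test message and reports whether any hop matches the exprodNobM.obsmtp.com pattern; the two sample messages, their host names and addresses are constructed for illustration.

```python
import re
from email import message_from_string

# Host name pattern the guide gives for Outbound Services hops:
# exprodNobM.obsmtp.com, where N and M are numbers.
OUTBOUND_HOST = re.compile(r"exprod\d+ob\d+\.obsmtp\.com", re.IGNORECASE)
# "from <host>" and "by <host>" clauses of a Received trace header.
CLAUSE = re.compile(r"\b(from|by)\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def received_hops(raw_message):
    """Return (from_host, by_host) for each Received header, newest first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        clauses = {}
        for keyword, host in CLAUSE.findall(flat):
            clauses.setdefault(keyword.lower(), host.lower().rstrip("."))
        hops.append((clauses.get("from"), clauses.get("by")))
    return hops


def check_test_message(raw_message):
    """Summarize whether a test message passed through Outbound Services.

    Received lines are written by each relaying host, so this is a check for
    a test message you sent yourself, not proof of origin for arbitrary mail.
    """
    hops = list(reversed(received_hops(raw_message)))  # oldest hop first
    outbound_hosts = []
    for from_host, by_host in hops:
        for host in (from_host, by_host):
            if host and OUTBOUND_HOST.fullmatch(host) and host not in outbound_hosts:
                outbound_hosts.append(host)
    return {
        "filtered": bool(outbound_hosts),
        "outbound_hosts": outbound_hosts,
        "path": [by_host for _, by_host in hops],
    }


# Constructed sample: the smarthost is in effect.
VIA_SMARTHOST = (
    "Received: from exprod5ob101.obsmtp.com (exprod5ob101.obsmtp.com [192.0.2.10])\n"
    "\tby mx.recipient.example with ESMTP id abc123; Mon, 3 May 2010 10:00:05 -0700\n"
    "Received: from mail.sender.example ([198.51.100.7])\n"
    "\tby exprod5ob101.obsmtp.com ([192.0.2.10]) with SMTP; Mon, 3 May 2010 10:00:03 -0700\n"
    "From: user@sender.example\n"
    "To: tester@recipient.example\n"
    "Subject: outbound test\n"
    "\n"
    "test\n"
)

# Constructed sample: mail left the sender's server directly for the Internet,
# as when a connector overrides the smarthost setting.
SENT_DIRECT = (
    "Received: from mail.sender.example ([198.51.100.7])\n"
    "\tby mx.recipient.example with ESMTP id def456; Mon, 3 May 2010 10:05:00 -0700\n"
    "From: user@sender.example\n"
    "To: tester@recipient.example\n"
    "Subject: outbound test\n"
    "\n"
    "test\n"
)

if __name__ == "__main__":
    for name, raw in (("via smarthost", VIA_SMARTHOST), ("sent direct", SENT_DIRECT)):
        print(name, check_test_message(raw))
```

A result with "filtered" set to False on a test message points to the smarthost or connector settings covered under Troubleshooting.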

Troubleshooting

Installing Exchange 2007 onto an existing Exchange 2003 environment

If you've installed Exchange 2007 into an existing environment with 2003, you may already have a Send Connector (SMTP Connector). If so, modify and verify your settings there. If the connector is on your 2003 server, you can only view the settings from the Exchange 2007 Management Console. Make all changes from the Exchange 2003 System Manager (look for “SMTP Connectors”). For example, if you only have a connector on the 2003 machine, then all outbound mail will go through the 2003 server. If you have one on the 2003 and one on the 2007 server, then mail will go through the closest connector. If you delete the one on 2003 and have one on the 2007 server, then all outgoing mail will pass through the 2007 server.

Anti-spam configuration

If you have previously installed the anti-spam agents onto your Hub Transport servers, disable any rules you have created and make those configurations in the email security service.

To identify if those agents have been installed, go to Exchange Management Console -> Organization Configuration -> Hub Transport and check if the Anti-Spam tab is enabled.

Page 83: Outbound Config En

Chapter 7: Microsoft Exchange 2007 with an Edge Server (Smarthost method)

About Microsoft Exchange 2007 with an Edge Server

Microsoft® Exchange Server 2007 is designed as a high-end, scalable system, with servers set up to work together in a large email network.

The recommended method for setting up Outbound Servers with Microsoft Exchange 2007 is Private Outbound DNS. For more information, see “Microsoft Exchange 2007/2010 (Private DNS Method)” on page 31.

Microsoft Exchange 2007 includes a concept that has not existed in previous versions of Microsoft Exchange: different servers are assigned distinct, concrete roles. An Edge Server is one such role. The Edge Server connects all other Exchange Servers to the Internet, and provides filtering and security.

This chapter gives details of how to set up Outbound Services for Exchange 2007 if you have an Edge Server. In this case, set up Outbound Services on your Edge Server. If you do not have an Edge Server, see the instructions in the chapter “Microsoft Exchange 2007 without an Edge Server (Smarthost method)” on page 65.

There is no need to increase the timeouts for Microsoft Exchange 2007 mail servers. The default timeout settings are appropriate.

For Microsoft Exchange 2010, use the Private Outbound DNS method. For more information, see “Microsoft Exchange 2007/2010 (Private DNS Method)” on page 31.

Legal Disclaimer

This guide describes how Postini products work with Microsoft Exchange and the configurations that Postini recommends. These instructions are designed to work with the most common Microsoft Exchange scenarios. Any changes to Microsoft Exchange configuration should be made at the discretion of your Microsoft Exchange administrator.

Page 84: Outbound Config En

Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products. In the event of a Microsoft Exchange issue, you should consult your Microsoft Exchange administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options.

Links to Microsoft Exchange Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.

Set Up Reinjection

Before you can register your IP addresses in the Administrative Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see “Set Up Reinjection” on page 14.

For most configurations of Exchange 2007, a sender must provide authentication to relay mail from outside sources. However, SMTP authentication is not possible for reinjection. Instead, create a private relay to allow reinjection.

The simplest way to create a relay in Exchange 2007 is to create a receive connector, limit the connector to an appropriate set of IP addresses, and allow anonymous connections.

There are two ways to set up a private relay for Exchange 2007: allowing anonymous access, or using an externally secured connector.

• Allow Anonymous Access: Easier to configure, and more reliable. Reinjected messages are considered anonymous. However, this method is not compatible with ResolveP2, and messages will be filtered with Microsoft Exchange 2007 anti-spam filtering.

• Externally Secured Connector: This method requires additional effort, but is compatible with ResolveP2, and reinjected messages bypass anti-spam filtering.

Allow Anonymous Access is the better choice in most cases. If you are using ResolveP2, or if reinjected messages are caught by anti-spam filters, use an Externally Secured Connector instead.

Whichever method you use, first create the receive connector.

Create the Receive Connector

Set up a new Receive Connector on the Hub Server to allow relaying. This step is the same for either method of reinjection setup.

1. Expand Server Configuration from the Exchange Management Console.

2. Choose Hub Transport from the server roles list.

3. In the Details Pane, choose the appropriate hub transport server.

4. In the Properties Pane right click in the Receive Connectors tab and choose New Receive Connector. The following screen will appear:

5. Name the connector “Reinjection” and choose Next.

6. You will see the Local Network Settings page. If you haven’t made any customization to the IP settings of the Hub Server, keep the defaults. Otherwise, use the settings appropriate for your customization.

7. Click Next to go to the Remote Network settings page. Click the default range that is input by the system and click Edit.

8. You will see the Edit Remote Servers box. Enter the appropriate IP range. For a list of IP ranges, see “IP Ranges” on page 13.

9. Click OK, then click Next to continue.

10. Click New, then click Finish on the Completion page.

Method One: Apply Anonymous user access to the connector

The first method to allow reinjection is to set the receive connector to allow Anonymous Users. This is recommended for most configurations.

The first step in this process is to add the Anonymous Permissions Group to the connector.

1. Double click your new connector and choose the Permission Groups tab.

2. Check the Anonymous Users checkbox.

3. Choose OK.

4. Open the Exchange Management Shell from Start -> Programs -> Microsoft Exchange Server 2007 -> Exchange Management Shell.

5. Type the following command:

Get-ReceiveConnector "Reinjection" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

6. You will see a results screen:

Method Two: Externally Secured Connector

If you do not allow Anonymous Access, you can instead create a connector as an externally secured connector. This option allows you to bypass Exchange’s anti-spam filters.

1. Open the newly created connector and click the Permission Groups tab.

2. Check Exchange Servers and click Apply.

3. Click the Authentication tab.

4. Check “Externally secured.”

Using the externally secured setting applies the following permissions:

MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Authoritative-Domain}
MS Exchange\Externally Secured Servers {ms-Exch-Bypass-Anti-Spam}
MS Exchange\Externally Secured Servers {ms-Exch-Bypass-Message-Size-Limit}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Exch50}
MS Exchange\Externally Secured Servers {ms-Exch-Accept-Headers-Routing}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Submit}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Any-Recipient}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Authentication-Flag}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Any-Sender}

Register Your IP in the Administration Console

After you have set up reinjection, register the IP address of your outbound mail server in the Administration Console. Do not change your smarthost until your IP address is registered in Outbound Servers.

For instructions on how to register your IP in the Administration Console, see “Register Your IP in the Administration Console” on page 15.

Set Up Smarthost

To send email from an Edge Transport server, you must configure a send connector. Edge Transport servers subscribed to an Exchange organization are pre-configured with the necessary elements to send and receive mail from the Internet. Configuring Postini outbound services will change the default setup of these connectors.

Because send connectors are organization-wide configurations and part of the synchronization process, you edit them on the hub transport server.

Send connectors are created and edited in the Exchange Management Console by doing the following from any hub transport server:

1. Choose Organization Configuration -> Hub Transport.

2. Click Send Connectors.

3. Double-click the connector named “EdgeSync – [your site] to Internet”, where [your site] is the name of your site.

4. On the Address Space tab verify that the “*” domain has been added.

5. On the Network tab, uncheck “Use domain…” and “Enable domain….”

6. In the same tab, check “Route mail through the following smart hosts.”

7. Choose the Add button and enter the name of the smart host. The appropriate smarthost is

outbounds[your system number].obsmtp.com

where [your system number] is your system number. To find what system to use, see “Identify Your System” on page 13.

8. On the Source Server tab, verify that the appropriate edge subscription(s) are defined.

9. From the Exchange Management Shell, run the following command:

start-edgesynchronization

10. Verify on the Edge server(s) that the new Send Connector settings have been received and look identical to those on the hub server.

11. Also be sure to check your receive connectors on the Edge server and verify the following:

a. The Network tab has the IP range of all hub servers included.

b. The Authentication tab has the Exchange Server Authentication option checked.

c. The Permission Groups tab has the Exchange Servers option checked.

Test Outbound Mail

Check the mail queues of the mail server.

1. In the Internet Mail Service Properties select the Queues tab. Look for items with a retry state which could indicate outbound mail delays.

2. Send a message from a mail client inside your network to an outside address. In the email header, you should see a line indicating that the message was received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.

3. Test inbound mail to confirm normal functionality. Send a message from an outside email address to an address on your service.

4. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking from spammers and will most likely cause an interruption in service.

Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings. If you see an uncertain response (such as “maybe” or “warning”) then check that your private relay settings are correct.

See “Set Up Reinjection” on page 84 for the correct private relay settings.

Troubleshooting

Installing Exchange 2007 onto an existing Exchange 2003 environment

If you've installed Exchange 2007 into an existing environment with 2003, you may already have a Send Connector (SMTP Connector). If so, modify and verify your settings there. If the connector is on your 2003 server, you can only view the settings from the Exchange 2007 Management Console. Make all changes from the Exchange 2003 System Manager (look for “SMTP Connectors”). For example, if you only have a connector on the 2003 machine, then all outbound mail will go through the 2003 server. If you have one on the 2003 and one on the 2007 server, then mail will go through the closest connector. If you delete the one on 2003 and have one on the 2007 server, then all outgoing mail will pass through the 2007 server.

Microsoft Exchange 5.5 Chapter 8

About Microsoft Exchange 5.5

Microsoft® Exchange Server 5.5 is an email server designed for use in the Microsoft Windows environment. It is a legacy product and is no longer supported by Microsoft. However, because of difficulties in upgrading, some environments continue to use Exchange Server 5.5 on a Windows NT 4.0 platform.

You can also set up Private Outbound DNS to route mail to Outbound Services. Private Outbound DNS is often simpler and more reliable than a smarthost installation. Private Outbound DNS is described in “Option 1: Set Up Private Outbound DNS” on page 16. For information on changing your DNS settings, see your mail server product documentation.

These instructions provide steps to route mail to Outbound Services and are designed to work with a majority of Microsoft Exchange 5.5 deployments.

There is no interface to make timeout configuration changes for MS Exchange 5.5. The default timeout values are sufficient.

Legal Disclaimer

This guide describes how Postini products work with Microsoft Exchange and the configurations that Postini recommends. These instructions are designed to work with the most common Microsoft Exchange scenarios. Any changes to Microsoft Exchange configuration should be made at the discretion of your Microsoft Exchange administrator.

Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products. In the event of a Microsoft Exchange issue, you should consult your Microsoft Exchange administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options.

Links to Microsoft Exchange Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.

Set Up Reinjection

Before you can register your IP addresses in the Administrative Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see “Set Up Reinjection” on page 14.

Configure Outbound Services IP ranges to be a trusted relay

1. Select the Start Menu -> Programs -> Microsoft Exchange -> Microsoft Exchange Administrator

2. Select Your Mail Server -> Configuration -> Connections -> Internet Mail Service.

3. Right-click and select Properties and then click the Routing tab.

4. Click “Routing Restrictions”.

5. Select the checkbox for “Hosts and clients with these IP addresses”.

6. Add IP ranges and other trusted relay servers and click OK to return to the Routing tab. For a list of IP ranges, see “IP Ranges” on page 13.

7. Stop and restart the Exchange service.

8. If the reinjection servers are not outbound servers, then configure all servers along the mailflow between reinjection and the outbound server to allow the injection server to relay mail traffic through them.

Register Your IP in the Administration Console

After you have set up reinjection, register the IP address of your outbound mail server in the Administration Console. Do not change your smarthost until your IP address is registered in Outbound Servers.

For instructions on how to register your IP in the Administration Console, see “Register Your IP in the Administration Console” on page 15.

Set Up Smarthost

In Microsoft Exchange 5.5, a smarthost is set up by changing the Properties for your mail server.

Route mail to Outbound Services

1. Select the Start Menu -> Programs -> Microsoft Exchange -> Microsoft Exchange Administrator

2. Select Your Mail Server -> Configuration -> Connections -> Internet Mail Service

3. Right-click and select Properties and then click the Connections tab.

4. Enter the appropriate domain name in the field labeled “Forward all messages to host”.

The hostname to use is:

outbounds[your system number].obsmtp.com

where [your system number] is your system number. To find what system to use, see “Identify Your System” on page 13.

5. Under the “Retry Interval (hrs.)” setting, type in the following:

.1,.2,.3,.4

6. Click OK.

7. Stop and Restart the MS Exchange 5.5 service for the changes to take effect.

Test Outbound Mail

Once you have set up your smarthost, test that your configuration is correct and mail is flowing normally.

Test the configuration.

1. Go to the Queues tab in Internet Mail Service Properties. Items with a retry state could indicate outbound mail delays.

2. Send a message from a mail client inside your network to an outside address. In the email header, you should see a line indicating that the message was received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.

3. Test inbound mail to confirm normal functionality. Send a message from an outside email address to an address on your service.

4. In the Administration Console, select your email config organization and click the Outbound Servers tab. After a minute of successful mail flow, traffic should display on the graph.

5. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking from spammers and will most likely cause an interruption in service.

Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings. If you see an uncertain response (such as “maybe” or “warning”) then check that your private relay settings are correct.

See “Set Up Reinjection” on page 100 for the correct private relay settings.

Microsoft Small Business Server 2003 Chapter 9

About Microsoft Small Business Server 2003

Microsoft® Small Business Server 2003 is a server suite designed to handle the server needs of businesses with up to 75 users. It includes both Microsoft Exchange Server and Microsoft IIS Server.

You can also set up Private Outbound DNS to route mail to Outbound Services. Private Outbound DNS is often simpler and more reliable than a smarthost installation. Private Outbound DNS is described in “Option 1: Set Up Private Outbound DNS” on page 16. For information on changing your DNS settings, see your mail server product documentation.

These instructions apply to Small Business Server 2003. If you are using Small Business Server 2000, use the instructions for “Microsoft Exchange 2000/2003 Single Server (Smarthost method)” on page 47.

Legal Disclaimer

This guide describes how Postini products work with Microsoft Small Business Server and the configurations that Postini recommends. These instructions are designed to work with the most common Microsoft Small Business Server scenarios. Any changes to Microsoft Small Business Server configuration should be made at the discretion of your Microsoft Small Business Server administrator.

Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products. In the event of a Microsoft Small Business Server issue, you should consult your Microsoft Small Business Server administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options.

Links to Microsoft Small Business Server Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.

Set Up Reinjection

Before you can register your IP addresses in the Administrative Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see “Set Up Reinjection” on page 14.

Configure Outbound Services IP ranges to be a trusted relay

1. Select the Start Menu -> Programs -> Microsoft Exchange -> System Manager

2. Expand the top level -> Servers -> Your Mail Server -> Protocols -> SMTP

3. Right-click Default SMTP Virtual Server and select Properties.

4. Click the Access tab, then click Relay.

5. Add IP ranges and other trusted relay servers and click OK to get back to the Access tab. For a list of IP ranges, see “IP Ranges” on page 13.

6. Click the Connection button. If the Connection list is set to “Only the list below”, add the same IP ranges.

7. Click OK to return to the Access tab and click OK to close the Default SMTP Virtual Server Properties.

8. If the reinjection servers are not outbound servers, then all servers along the mailflow between the reinjection server and the outbound server must be configured to allow the injection server to relay mail traffic through them.

9. Stop and restart the SMTP services.

Register Your IP in the Administration Console

After you have set up reinjection, register the IP address of your outbound mail server in the Administration Console. Do not change your smarthost until your IP address is registered in Outbound Servers.

For instructions on how to register your IP in the Administration Console, see “Register Your IP in the Administration Console” on page 15.

Set Up Smarthost

In Microsoft Small Business Server 2003, outbound mail routing is handled by the IIS Virtual Server. Unlike a Microsoft Exchange connector, the IIS Virtual Server will not begin queueing mail after a deferral.

The standard Microsoft installation of Small Business Server 2003 creates a connector in order to set local policies. Modify the connector to ensure that outbound mail is routed to the email security system while local mail is not interrupted.

To route outbound mail through Outbound Services:

1. In Exchange Service Manager (ESM), go to Connectors-> Small Business SMTP Connector on the General tab.

2. Select “Use DNS to route to each address space on this connector” and click Apply.

3. In the Address Space tab, select the default address space of “x”, then click Modify.

4. In the Address Space tab, change the address space to your domain name and click OK.

5. In Servers->Your Server Name->Protocols->SMTP->Default SMTP Virtual Server, right click Default SMTP Virtual Server and select Properties to go to the Properties Page.

6. In the Delivery tab, click Advanced.

7. Under Smart Host, enter the following:

outbounds[your system number].obsmtp.com

where [your system number] is your system number. To find what system to use, see “Identify Your System” on page 13.

8. Click OK twice.

9. Restart the server by right-clicking the SMTP Virtual Server, selecting Stop, and then right-clicking the SMTP Virtual Server again and selecting Start.

Test Outbound Mail

Once you have set up your smarthost, test that your configuration is correct and mail is flowing normally.

Test the configuration

1. Go to the Queues tab in Internet Mail Service Properties. Items with a retry state could indicate outbound mail delays.

2. Send a message from a mail client inside your network to an outside address. In the email header, you should see a line indicating that the message was received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.

3. Test inbound mail to confirm normal functionality. Send a message from an outside email address to an address on your service.

4. In the Administration Console, select your email config organization and click the Outbound Servers tab. After a minute of successful mail flow, traffic should display on the graph.

5. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking from spammers and will most likely cause an interruption in service.

Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings. If you see an uncertain response (such as “maybe” or “warning”) then check that your private relay settings are correct.

See “Set Up Reinjection” on page 104 for the correct private relay settings.

IBM Lotus Domino (Private DNS Method) Chapter 10

About IBM Lotus Domino (Private DNS Method)

IBM® Lotus® Domino® Server is a server product that provides enterprise-grade email, collaboration capabilities, and a custom application platform. Because of the high level of customization possible, IBM Lotus Domino environments vary greatly.

These instructions provide steps to route mail to Outbound Services using the Private Outbound DNS method and are designed to work with a majority of deployments. These instructions were written for Lotus Domino with a Microsoft Windows server.

Private Outbound DNS is generally recommended over using smarthost. See “Option 1: Set Up Private Outbound DNS” on page 16 for detailed information on how this method works and the advantages of Private Outbound DNS.

Private Outbound DNS works with all common mail servers. The documentation provides instructions verified for Lotus Domino 6 and 8.5. For other versions of Lotus Domino, please refer to the product documentation on DNS configuration.

Configuration notes:

• Changing the timeout configuration for Lotus Domino is not required. You can use the default timeout settings.

• If you are using Notes with a Linux server, change DNS settings on your server manually. Exact steps to make this change vary by Linux implementation; consult your Linux documentation for more information.

Legal Disclaimer

This guide describes how Postini products work with IBM Lotus Domino and the configurations that Postini recommends. These instructions are designed to work with the most common IBM Lotus Domino scenarios. Any changes to IBM Lotus Domino configuration should be made at the discretion of your IBM Lotus Domino administrator.

Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products. In the event of an IBM Lotus Domino issue, you should consult your IBM Lotus Domino administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options.

Links to IBM Lotus Domino Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.

Choose a Private DNS Routing Method

There are two methods to change outbound DNS settings for IBM Lotus Domino.

• Change DNS settings in Domino

• Change DNS settings in OS

When considering these two methods, consider the following factors.

Change DNS Settings in Domino. IBM Lotus Domino server will use the DNS server listed in notes.ini to send mail. The Domino server will contact the Private DNS Server and route mail to Outbound Services. Since this method affects only IBM Lotus Domino, and requires no changes to the underlying operating system, this is the recommended method to use Private Outbound DNS.

Change DNS settings in OS. This change is independent of the IBM Lotus Domino server. The changes affect the whole machine, and the server cannot be used for other Internet applications. All applications on the server will contact the Private DNS Server and route connections to Outbound Services. Use this method if your IBM Lotus Domino server setup can’t support DNSServer changes in notes.ini.

Set Up Reinjection

Before you can register your IP addresses in the Administrative Console or set up private DNS, you must allow reinjection. For an overview of reinjection concepts, see “Set Up Reinjection” on page 14.

Configure Outbound Services IP ranges to be a trusted relay

1. Open Domino Administrator and click Administration.

2. Select the Configuration tab.

3. Click the triangle next to Messaging, and then select Configurations.

4. Double-click the name of your Domino Server.

5. At the top of the window, click Edit Server Configuration. Select the following:

• Router/SMTP tab in the first row

• Restrictions and Controls tab in the second row

• SMTP Inbound Controls tab in the third row.

6. Under “Allow messages only from the following internet hosts to be sent to external internet domains” enter the IP range for Outbound Services. For a list of IP ranges, see “IP Ranges” on page 13.

7. Under “Exclude these Connecting Hosts From Anti-Relay Checks” enter the same IP range.

8. Click “Save & Close” to exit.

9. Stop and restart the Domino SMTP task for the changes to take effect.

Register Your IP in the Administration Console

After you have set up reinjection, register the IP address of your outbound mail server in the Administration Console. Do not set up private DNS until your IP address is registered in Outbound Servers.

For instructions on how to register your IP in the Administration Console, see “Register Your IP in the Administration Console” on page 15.

Set Up Private DNS (notes.ini file)

If you use this option, you will change your notes.ini settings on your server to use a new DNS server.

You can make these changes in the Domino Admin panel by changing your configuration document.

Alternately, open the notes.ini file in Lotus/Domino/notes.ini and add the line DNSSERVER=[ipaddress] where [ipaddress] is the appropriate IP address for your system.

To change the notes.ini file in the Domino Admin panel:

1. In the Domino Admin panel, go to the Configuration tab.

2. In the left-side menu, go to Server -> Configuration.

3. Select your configuration document and click Edit Configuration.

4. Click the NOTES.INI Settings tab.

5. Click Set/Modify Parameters. The Set/Modify Parameters dialog box will open.

6. In the Item text box, enter DNSServer.

7. In the Value text box, enter the appropriate IP address.

Because DNS lookups occur before domain names are resolved, you must use an IP address for Private Outbound DNS. Private outbound DNS cannot use domain names.

The appropriate IP address depends on your system. To find what system to use, see “Identify Your System” on page 13.

8. Click OK to close the Set/Modify Parameters dialog box.

9. Click Save & Close.

10. Go to the Server Console.

11. In the Server Console, enter the command “tell router update config”.

12. Restart the Router and SMTP Task.

13. Restart the router task on the Domino console.

14. Restart the SMTP task on the Domino console.

Set Up Private DNS (OS Settings)

If you use this option, change the OS DNS server IP on your Domino server.

To change outbound DNS on your Domino server:

1. Go to Control Panel->Network Connections and select your local network.

2. Click Properties, then select Internet Protocol (TCP/IP).

3. Click Properties.

System    IP Address to use for Private Outbound DNS
5         64.18.4.12
6         64.18.5.12
7         64.18.6.12
8         64.18.7.12
9         74.125.148.12
20        64.18.9.14
200       207.126.147.11
201       207.126.154.11

4. Select “Use the following DNS server addresses” and enter the appropriate IP address for your system.

Because DNS lookups occur before domain names are resolved, you must use an IP address for Private Outbound DNS. Private outbound DNS cannot use domain names.

The appropriate IP address depends on your system. To find what system to use, see “Identify Your System” on page 13.

5. Restart the Domino router task via the console.

6. Restart the Domino SMTP task via the console.

Test Outbound Mail

Check the mail queues of the mail server.

1. Check the mail queues of the mail server to look for items with a retry state which could indicate outbound mail delays.

2. Send a message from a mail client inside your network to an outside address. In the email header, you should see a line indicating that the message was received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.

3. Test inbound mail to confirm normal functionality. Send a message from an outside email address to an address on your service.

4. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking from spammers and will most likely cause an interruption in service.

Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings. If you see an uncertain response (such as “maybe” or “warning”) then check that your private relay settings are correct.

See “Set Up Reinjection” on page 108 for the correct private relay settings.
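The header check in step 2 of Test Outbound Mail, in this chapter and the preceding ones, can be scripted against a saved copy of the delivered test message. The following is an added example, not part of the original guide; the function names are hypothetical, and every host and address in the sample messages other than the exprodNobM.obsmtp.com pattern is a constructed placeholder. It assumes the receiving server records the service hostname in the "from" clause of its Received line.

```python
"""Check a delivered message's Received headers for the outbound service hop."""
import re
from email import message_from_string

# The guide names the relay as exprodNobM.obsmtp.com, where N and M are numbers.
SERVICE_HOST = re.compile(r"exprod\d+ob\d+\.obsmtp\.com", re.IGNORECASE)
FROM_RE = re.compile(r"(?:^|\s)from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"(?:^|\s)by\s+(\S+)", re.IGNORECASE)


def _host(match):
    """Return the host token of a from/by clause, lowercased, or None."""
    if not match:
        return None
    return match.group(1).strip("[]();,").rstrip(".").lower()


def received_hops(raw_message):
    """Parse Received headers into {'from', 'by'} dicts, newest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received") or []:
        flat = " ".join(value.split())  # undo header folding
        hops.append({"from": _host(FROM_RE.search(flat)),
                     "by": _host(BY_RE.search(flat))})
    return hops


def check_outbound_path(raw_message):
    """Report whether the service both received and handed on the message."""
    report = {"service_host": None, "received": False, "delivered": False}
    # Walk oldest to newest so the "received by" hop is seen before the hand-off.
    for hop in reversed(received_hops(raw_message)):
        if not report["received"]:
            # fullmatch: a hostname that merely contains the service name
            # (for example as a prefix of another domain) does not count.
            if hop["by"] and SERVICE_HOST.fullmatch(hop["by"]):
                report.update(service_host=hop["by"], received=True)
        elif hop["from"] == report["service_host"]:
            report["delivered"] = True
    return report


# Constructed sample: mail that went through the service (placeholder hosts/IPs).
SAMPLE_VIA_SERVICE = (
    "Received: from exprod5ob101.obsmtp.com (exprod5ob101.obsmtp.com [192.0.2.10])\n"
    "\tby mx.example.net with ESMTP id 4ABC; Mon, 03 May 2010 10:00:05 -0700\n"
    "Received: from mail.example.com ([198.51.100.7])\n"
    "\tby exprod5ob101.obsmtp.com ([192.0.2.10]) with SMTP;\n"
    "\tMon, 03 May 2010 10:00:03 -0700\n"
    "Received: from [10.0.0.23] by mail.example.com with ESMTP;\n"
    "\tMon, 03 May 2010 10:00:01 -0700\n"
    "From: user@example.com\n"
    "To: tester@example.net\n"
    "Subject: outbound test\n"
    "\n"
    "test body\n"
)

# Constructed sample: mail that left the mail server directly, bypassing the service.
SAMPLE_DIRECT = (
    "Received: from mail.example.com ([198.51.100.7])\n"
    "\tby mx.example.net with ESMTP id 4ABD; Mon, 03 May 2010 10:05:02 -0700\n"
    "Received: from [10.0.0.23] by mail.example.com with ESMTP;\n"
    "\tMon, 03 May 2010 10:05:01 -0700\n"
    "From: user@example.com\n"
    "To: tester@example.net\n"
    "Subject: outbound test\n"
    "\n"
    "test body\n"
)

if __name__ == "__main__":
    for name, raw in (("via service", SAMPLE_VIA_SERVICE), ("direct", SAMPLE_DIRECT)):
        print(name, check_outbound_path(raw))
```

Only Received lines added by servers you control or trust are reliable evidence; lines below the first trusted hop are supplied by the sending side.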

Troubleshooting

If you encounter delays or problems with using IBM Lotus Domino with Private Outbound DNS, consider changing your Lotus Notes settings. These settings are listed in notes.ini. See your IBM Lotus Domino documentation for information on how to change these settings.

Some changes to consider:

• Set the “Maximum concurrent transfer threads” equal to “Maximum transfer threads”. Increasing the maximum concurrent transfer threads can increase bandwidth and prevent threads from locking up.

• SMTPErrorLimit set to 1.

• SMTPTimeoutMultiplier set to at least 11.

• SMTPMTA_DATA_TIMEOUT and SERVER_SESSION_TIMEOUT should be removed or commented out.

• Disable pipelining. Pipelining can cause threads to become dedicated to a single recipient address when used with Private Outbound DNS. This can cause mail delays.

Also, increase logging for troubleshooting:

• SMTPClientDebug=1

This increases the amount of information logged, which will help find any other problems. Once the problem is resolved, change this to its original setting.

How can I be sure my firewall allows a connection to Private Outbound DNS?

Your sending mail server needs to be able to reach the message security service using DNS on UDP port 53.

If you are not sure your network settings allow your mail server to connect to an external DNS host on UDP port 53, run the following test on your mail server:

1. In a DOS command prompt, type nslookup.

2. Note your current default server.

3. In the nslookup prompt, type set q=mx and hit return.

4. In the nslookup prompt, type gmail.com and hit return to get the gmail.com IP address.

5. In the nslookup prompt, type server [IP address] and hit return. For instance, if you are on system 8, type server 64.18.7.12 and hit return. If you are using a different system number, use the appropriate IP address for that system.

6. In the nslookup prompt, type gmail.com again. You should see a different IP address now. If you see an error message, your network settings are blocking your DNS connection.

7. In the nslookup prompt, type server [old default server] to restore your default server. Substitute your previous default server name for [old default server].

8. Press Control-C to exit nslookup.
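The same reachability check can be scripted. The following is an added example, not part of the original guide: it sends one MX query over UDP port 53 directly to the DNS server you name and treats a timeout as a blocked path. The function names and the sample reply bytes are constructed for illustration.

```python
import secrets
import socket
import struct
import sys

MX = 15  # DNS record type for mail exchangers


def build_query(name, txid, qtype=MX):
    """Build a one-question DNS query with the recursion-desired bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # class IN


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, resume, jumps = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if resume is None:
                resume = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumps += 1
            if jumps > 16:
                raise ValueError("compression loop in DNS reply")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if resume is None else resume)


def parse_mx_reply(msg, txid):
    """Return (rcode, [(preference, exchanger), ...]) from a DNS reply."""
    try:
        rid, flags, qdcount, ancount = struct.unpack(">HHHH", msg[:8])
        if rid != txid or not flags & 0x8000:
            raise ValueError("not a reply to our query")
        off = 12
        for _ in range(qdcount):  # skip the echoed question
            _name, off = read_name(msg, off)
            off += 4
        records = []
        for _ in range(ancount):
            _name, off = read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
            off += 10
            if rtype == MX:
                pref = struct.unpack(">H", msg[off:off + 2])[0]
                host, _end = read_name(msg, off + 2)
                records.append((pref, host))
            off += rdlen
    except (IndexError, struct.error):
        raise ValueError("truncated DNS reply") from None
    return flags & 0x000F, sorted(records)


def check_udp53(server_ip, name="gmail.com", timeout=5.0):
    """Ask server_ip for the MX of name over UDP 53, as steps 5 and 6 do."""
    txid = secrets.randbelow(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((server_ip, 53))  # only replies from this peer are read
            sock.send(build_query(name, txid))
            reply = sock.recv(4096)
        except OSError:  # timeout or ICMP unreachable: the path is blocked
            return "blocked", []
    rcode, records = parse_mx_reply(reply, txid)
    return ("ok" if rcode == 0 else "rcode=%d" % rcode), records


# Constructed reply (not captured traffic): example.com MX 10 mx.example.com
SAMPLE_TXID = 0x1234
SAMPLE_REPLY = (
    struct.pack(">HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)
    + build_query("example.com", SAMPLE_TXID)[12:]
    + b"\xc0\x0c" + struct.pack(">HHIH", MX, 1, 300, 7)
    + struct.pack(">H", 10) + b"\x02mx\xc0\x0c"
)

if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(check_udp53(sys.argv[1]))
    else:
        print(parse_mx_reply(SAMPLE_REPLY, SAMPLE_TXID))
```

Run it on the mail server with the address for your system as the only argument (for system 8, 64.18.7.12); with no argument it only decodes the constructed reply.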

IBM Lotus Domino (Smarthost Method) Chapter 11

About IBM Lotus Domino (Smarthost Method)

This chapter describes how to set up Outbound Services for an environment with IBM Lotus Domino directory servers using a smarthost.

The recommended method for setting up Outbound Servers is Private Outbound DNS. For more information, see “IBM Lotus Domino (Private DNS Method)” on page 107.

For other versions of IBM Lotus Domino (such as 5.5 and 7) these are the recommended steps.

IBM® Lotus® Domino® Server is a server product that provides enterprise-grade email, collaboration capabilities, and a custom application platform. Because of the high level of customization possible, IBM Lotus Domino environments vary greatly.

These instructions provide steps to route mail to Outbound Services and are designed to work with a majority of deployments. These instructions were written for Lotus Domino R5/R6.

Changing the timeout configuration for Lotus Domino R5/R6 is not required. You can use the default timeout settings.

Legal Disclaimer

This guide describes how Postini products work with IBM Lotus Domino and the configurations that Postini recommends. These instructions are designed to work with the most common IBM Lotus Domino scenarios. Any changes to IBM Lotus Domino configuration should be made at the discretion of your IBM Lotus Domino administrator.

Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products. In the event of an IBM Lotus Domino issue, you should consult your IBM Lotus Domino administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options.

Links to IBM Lotus Domino Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.

Set Up Reinjection

Before you can register your IP addresses in the Administrative Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see “Set Up Reinjection” on page 14.

Configure Outbound Services IP ranges to be a trusted relay

1. Open Domino Administrator and click Administration.

2. Select the Configuration tab.

3. Click the triangle next to Messaging, and then select Configurations.

4. Double-click the name of your Domino Server.

5. At the top of the window, click Edit Server Configuration. Select the following:

• Router/SMTP tab in the first row

• Restrictions and Controls tab in the second row

• SMTP Inbound Controls tab in the third row.

6. Under “Allow messages only from the following internet hosts to be sent to external internet domains” enter the IP range for Outbound Services. For a list of IP ranges, see “IP Ranges” on page 13.

7. Under “Exclude these Connecting Hosts From Anti-Relay Checks” enter the same IP range.

8. Click “Save & Close” to exit.

9. Stop and restart the Domino SMTP task for the changes to take effect.

Register Your IP in the Administration Console

After you have set up reinjection, register the IP address of your outbound mail server in the Administration Console. Do not change your smarthost until your IP address is registered in Outbound Servers.

For instructions on how to register your IP in the Administration Console, see “Register Your IP in the Administration Console” on page 15.

Set Up Smarthost

After you have set up reinjection and registered the IP of your outbound mail server in the Administration Console, set the relayhost parameter to route mail to the email security system. This will set Outbound Services as the smarthost.

Domino stops processing queued messages when delivery of a message fails or the relay host is perceived to be down or unreachable. Setting the Retry Interval to a lower value allows the queue to start moving again more quickly.

Set up a smarthost and adjust the Retry Interval

1. Open Domino Administrator.

2. Click Administration and select the Configuration tab.

3. Click Configurations. Double-click the name of your Domino Server.

4. At the top of the window, click Edit Server Configuration.

5. Select the Router/SMTP tab in the first row. This will select the “Basics” tab of the second row of tabs.

6. Under “Relay host for messages leaving the local internet domain:”, add the following:

outbounds[your system number].obsmtp.com

where [your system number] is your system number. To find what system to use, see “Identify Your System” on page 13.

7. Select the Restrictions and Controls tab from the second row.

8. Select the Transfer Controls tab from the third row.

9. Set the configuration “Initial Transfer Retry Interval” to 1 minute or higher.

10. Click “Save & Close” to exit.

Test Outbound Mail

Check the mail queues of the mail server.

1. Check the mail queues of the mail server to look for items with a retry state, which could indicate outbound mail delays.

2. Send a message from a mail client inside your network to an outside address. You should see a line in the email header indicating that the message was received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.

3. Test inbound mail to confirm normal functionality. Send a message from an outside email address to an address on your service.

4. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking from spammers and will most likely cause an interruption in service.

Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings. If you see an uncertain response (such as “maybe” or “warning”) then check that your private relay settings are correct.

See “Set Up Reinjection” on page 116 for the correct private relay settings.

Novell Groupwise Chapter 12

About Novell Groupwise

Novell GroupWise® is a cross-platform collaborative software product from Novell, Inc. that offers email, calendaring, instant messaging and document management.

These instructions provide steps to route mail to Outbound Services and are designed to work with a majority of Novell Groupwise deployments.

You can also set up Private Outbound DNS to route mail to Outbound Services. Private Outbound DNS is often simpler and more reliable than a smarthost installation. Private Outbound DNS is described in “Option 1: Set Up Private Outbound DNS” on page 16. For more information, see your mail server product documentation for information on changing your DNS settings.

Legal Disclaimer

This guide describes how Postini products work with Novell Groupwise and the configurations that Postini recommends. These instructions are designed to work with the most common Groupwise scenarios. Any changes to Novell Groupwise configuration should be made at the discretion of your Novell Groupwise administrator.

Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products. In the event of a Novell Groupwise issue, you should consult your Novell Groupwise administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options.

Links to Novell Groupwise Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.

Set Up Reinjection

Before you can register your IP addresses in the Administrative Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see “Set Up Reinjection” on page 14.

Configure Outbound Services IP ranges to be a trusted relay

1. Open the Groupwise ConsoleOne interface.

2. Right-click the Internet Agent object and click Properties.

3. Click the Access Control tab.

4. Click SMTP Relay Settings.

5. Make sure that the “Prevent message relaying” radio button in the SMTP Relay Defaults section is selected.

6. Under Exceptions, click Create.

7. In the “From:” field, enter the IP range for your system. For a list of IP ranges, see “IP Ranges” on page 13. Leave the “To:” field blank to indicate that any recipient is allowed.

8. Click OK twice to close the Properties dialog.

Register Your IP in the Administration Console

After you have set up reinjection, register the IP address of your outbound mail server in the Administration Console. Do not change your smarthost until your IP address is registered in Outbound Servers.

For instructions on how to register your IP in the Administration Console, see “Register Your IP in the Administration Console” on page 15.

Increase Server Timeouts

1. Open the Groupwise ConsoleOne interface.

2. Right-click the Internet Agent object and click Properties.

3. Select the SMTP/MIME Settings tab and click Timeouts.

4. Set the following values:

Commands: 5 minutes
Data: 3 minutes
Connection Establishment: 2 minutes
Initial Greeting: 5 minutes
TCP Read: 5 minutes
Connection Termination: 15 minutes

5. Click Apply, then click OK.

Set Up Smarthost

1. Open the Groupwise ConsoleOne interface.

2. Right-click the Internet Agent object and click Properties.

3. If the SMTP/MIME Settings page is not the default page, click the “SMTP/MIME” tab and click Settings.

4. Set the number of SMTP Send Threads to the maximum number of simultaneous connections the Groupwise server will safely support.

5. Enter the appropriate smarthost in the field entitled “Relay Host for Outbound Messages”.

The appropriate smarthost is

outbounds[your system number].obsmtp.com

where [your system number] is your system number. To find what system to use, see “Identify Your System” on page 13.

6. Click Apply, then click OK to exit.

Test Outbound Mail

Check the mail queues of the mail server.

1. Check the mail queues of the mail server to look for items with a retry state, which could indicate outbound mail delays.

2. Send a message from a mail client inside your network to an outside address. You should see a line in the email header indicating that the message was received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.

3. Test inbound mail to confirm normal functionality. Send a message from an outside email address to an address on your service.

4. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking from spammers and will most likely cause an interruption in service.

Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings. If you see an uncertain response (such as “maybe” or “warning”) then check that your private relay settings are correct.

See “Set Up Reinjection” on page 120 for the correct private relay settings.

Troubleshooting

Messages forwarded automatically by a Novell Groupwise rule to an external mail account are not filtered as expected by Outbound Services applications.

This problem occurs because Groupwise changes the SMTP envelope when forwarding a message by a rule. The MAIL FROM address in the envelope is null (MAIL FROM:<>). Because Outbound Services uses the envelope address to decide which organization's settings to use, the default is to use the settings specified in the email config organization.

To ensure that all outbound messages are filtered, be sure that the Outbound Content Manager, Outbound Attachment Manager, Outbound Virus Blocking and Compliance Footer settings are the same for the email config organization as for the user-level orgs.

Outbound messages are bounced by Outbound Attachment Manager with the error “Message too large - psmtp”. However, the user does not receive a non-delivery report (NDR).

The non-delivery report (NDR) was quarantined to the administrator's quarantine because it triggered an Outbound Attachment Manager or Outbound Content Manager filter.

In some cases, Groupwise attempts to deliver non-delivery reports (NDRs) by looking up the MX records and routing the NDR to the Internet rather than delivering it locally as expected. If the NDR includes the original attachment and therefore triggers an Outbound filter, the NDR will be quarantined rather than delivered back to the Groupwise server.

When Outbound Services processes a message from a sender who does not have a user account, it uses the Outbound Services settings from the email config organization. If Outbound Attachment Manager and Outbound Content Manager are enabled at the email config organization, then any messages sent by non-users that violate an Outbound Attachment Manager or Outbound Content Manager filter will be disposed of accordingly. Creating a user account for the email address that sends the NDR, and placing it in an org with Outbound Attachment Manager and Outbound Content Manager disabled, ensures that the email security service will never block any messages sent by that user.

You can resolve this issue by setting Groupwise to deliver the NDR locally, or you can change your filters in the Administration Console.

If you reconfigure your Groupwise server to deliver the NDR locally, Outbound Services will not be involved in the delivery of the message and it should therefore be successfully delivered.

Alternatively, set up an account for the Groupwise Mailer-Daemon address in the Administration Console and disable outbound filtering for that account:

1. In Add/Delete/Move Users, add an account for Mailer-Daemon@yourdomain.com, where yourdomain.com is your domain.

2. Create a new organization at the same level as the existing organization containing your users.

3. For the new organization, on the Organization Management page, turn off Outbound Attachment Manager and Outbound Content Manager.

4. Move the Mailer-Daemon account to the new organization.

Sendmail Chapter 13

About Sendmail

Sendmail is a mail transfer agent (MTA) used for delivering mail across networks. It is a well known project of the open source, free software and UNIX communities. Sendmail is distributed both as free software and proprietary software, and is a standard MTA under many variants of the UNIX operating system.

These instructions were written for version 8.13 of Sendmail. Other versions may have different settings. This chapter includes steps to route mail to Outbound Services and is designed to work with most major Sendmail deployments.

You can also set up Private Outbound DNS to route mail to Outbound Services. Private Outbound DNS is often simpler and more reliable than a smarthost installation. Private Outbound DNS is described in “Option 1: Set Up Private Outbound DNS” on page 16. For more information, see your mail server product documentation for information on changing your DNS settings.

Legal Disclaimer

This guide describes how Postini products work with Sendmail and the configurations that Postini recommends. These instructions are designed to work with the most common Sendmail scenarios. Any changes to Sendmail configuration should be made at the discretion of your Sendmail administrator.

Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products. In the event of a Sendmail issue, you should consult your Sendmail administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options.

Links to Sendmail Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.

Set Up Reinjection

Before you can register your IP addresses in the Administrative Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see “Set Up Reinjection” on page 14.

To set up reinjection, add Outbound Services as a trusted relay in your sendmail.mc file.

Instead of adding RELAY_DOMAIN commands to your sendmail.mc file, you can set up a relay domain file. Use this method if you have a need to list relay domains in a separate file.

If the reinjection servers are not outbound servers, repeat these steps for all servers along the mail flow between reinjection and the outbound server to allow the injection server to relay mail traffic through them.

Configure Outbound Services IP ranges to be a trusted relay

1. Add the following to the file /etc/mail/sendmail.mc:

RELAY_DOMAIN(`obsmtp.com')dnl
RELAY_DOMAIN(`postini.com')dnl

2. Restart the sendmail server process.

Alternate Method: Configure a trusted relay using a separate file

1. Add the following to the /etc/mail/sendmail.mc file:

RELAY_DOMAIN_FILE(`/etc/mail/relay-domains')dnl

2. Add the following domains to the file /etc/mail/relay-domains, one per line:

obsmtp.com
postini.com

3. Restart the sendmail server process.

Register Your IP in the Administration Console

After you have set up reinjection, register the IP address of your outbound mail server in the Administration Console. Do not change your smarthost until your IP address is registered in Outbound Servers.

For instructions on how to register your IP in the Administration Console, see “Register Your IP in the Administration Console” on page 15.

Increase Server Timeouts

Changing server timeouts should not be necessary. In Sendmail, server timeout is set in the value Timeout.datafinal. By default it is set to 1 hour. If Timeout.datafinal has been changed to a lower value, raise the value to 1 hour.

Set Up Smarthost

Set the smarthost in your sendmail.mc file.

WARNING: Do not change this value until you have set up the appropriate RELAY_DOMAIN setting and registered your IP in the Administration Console. If your IP is not registered in the Administration Console, Outbound Services will not deliver your mail.

Configure a smarthost to route traffic to Outbound Services

1. Add the following line to the /etc/mail/sendmail.mc file:

define(`SMART_HOST', `outbounds[your system number].obsmtp.com')dnl

where [your system number] is your system number. To find what system to use, see “Identify Your System” on page 13.

2. Stop and restart the sendmail server process.

Test Outbound Mail

Once you have set up your smarthost, test that your configuration is correct and mail is flowing normally.

Test the configuration.

1. Send a message from a mail client inside your network to an outside address. You should see a line in the email header indicating that the message was received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.

2. Test inbound mail to confirm normal functionality. Send a message from an outside email address to an address on your service.

3. In the Administration Console, select your email config organization and click the Outbound Servers tab. After a minute of successful mail flow, traffic should display on the graph.

4. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking from spammers and will most likely cause an interruption in service.

Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings. If you see an uncertain response (such as “maybe” or “warning”) then check that your private relay settings are correct.

See “Set Up Reinjection” on page 126 for the correct private relay settings.

Apple Macintosh OS X Chapter 14

About Apple Macintosh OS X

Apple® Mac OS® X Server is the server edition of Macintosh OS X, a graphical operating system from Apple Inc. included with Macintosh computers. Mac OS X is built on a UNIX-like operating system. Mac OS X Server includes a Postfix mail server with a custom user interface.

These instructions provide steps to route mail to Outbound Services and are designed to work with the mail transfer agent component of most Mac OS X Server deployments. Instructions are included for version 10.3 and 10.4 of Mac OS X Server.

It is not necessary to change the timeout settings for Apple Macintosh OS X Server.

You can also set up Private Outbound DNS to route mail to Outbound Services. Private Outbound DNS is often simpler and more reliable than a smarthost installation. Private Outbound DNS is described in “Option 1: Set Up Private Outbound DNS” on page 16. For more information, see your mail server product documentation for information on changing your DNS settings.

Legal Disclaimer

This guide describes how Postini products work with Apple Mac OS X Server and the configurations that Postini recommends. These instructions are designed to work with the most common Apple Mac OS X Server scenarios. Any changes to Apple Mac OS X Server configuration should be made at the discretion of your Apple Mac OS X Server administrator.

Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products. In the event of an Apple Mac OS X Server issue, you should consult your Apple Mac OS X Server administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options.

Links to Apple Mac OS X Server Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.

Set Up Reinjection

Before you can register your IP addresses in the Administrative Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see “Set Up Reinjection” on page 14.

Configure Outbound Services IP ranges to be a trusted relay for Mac OS X v.10.4:

1. In Server Admin, select Mail.

2. Click Settings.

3. Click Relay and enter the IP range for your system as an allowed relay address. For a list of IP ranges, see “IP Ranges” on page 13.

Configure Outbound Services IP ranges to be a trusted relay for Mac OS X v.10.3:

1. In Server Admin, select Mail.

2. Click Settings.

3. Click Filters and enter the IP range for your system as an allowed relay address. For a list of IP ranges, see “IP Ranges” on page 13.

4. Click Save to close the Server Admin.

Register Your IP in the Administration Console

After you have set up reinjection, register the IP address of your outbound mail server in the Administration Console. Do not change your smarthost until your IP address is registered in Outbound Servers.

For instructions on how to register your IP in the Administration Console, see “Register Your IP in the Administration Console” on page 15.

Set Up Smarthost

1. In Server Admin, select Mail and click Settings.

2. Under “Relay all mail through this host” enter:

outbounds[your system number].obsmtp.com

where [your system number] is your system number. To find what system to use, see “Identify Your System” on page 13.

3. Click Save to close the Server Admin.

4. Restart the mail service.

Test Outbound Mail

Check the mail queues of the mail server.

1. Check the mail queues of the mail server to look for items with a retry state, which could indicate outbound mail delays.

2. Send a message from a mail client inside your network to an outside address. You should see a line in the email header indicating that the message was received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.

3. Test inbound mail to confirm normal functionality. Send a message from an outside email address to an address on your service.

4. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking from spammers and will most likely cause an interruption in service.

Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings. If you see an uncertain response (such as “maybe” or “warning”) then check that your private relay settings are correct.

See “Set Up Reinjection” on page 130 for the correct private relay settings.

Qmail Chapter 15

About Qmail

Qmail is a mail transfer agent that runs on UNIX. Qmail has not been updated by the author for several years and users have instead come to rely on third party patches to support new functionality.

Qmail is an almost completely modular system in which each major function is separated from the other major functions. It is easy to replace any part of the Qmail system with a different module as long as the new module retains the same interface as the original.

These instructions provide steps to route mail to Outbound Services and are designed to work with a majority of Qmail deployments.

You can also set up Private Outbound DNS to route mail to Outbound Services. Private Outbound DNS is often simpler and more reliable than a smarthost installation. Private Outbound DNS is described in “Option 1: Set Up Private Outbound DNS” on page 16. For more information, see your mail server product documentation for information on changing your DNS settings.

Legal Disclaimer

This guide describes how Postini products work with Qmail and the configurations that Postini recommends. These instructions are designed to work with the most common Qmail scenarios. Any changes to Qmail configuration should be made at the discretion of your Qmail administrator.

Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products. In the event of a Qmail issue, you should consult your Qmail administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options.

Links to Qmail Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.

Set Up Reinjection

Before you can register your IP addresses in the Administrative Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see “Set Up Reinjection” on page 14.

Configure Outbound Services IP ranges to be a trusted relay using qmail + tcpserver

1. Edit /etc/tcp.smtp to allow each of Outbound Services IP ranges to relay:

IP Range:allow,RELAYCLIENT=""
:allow

where IP Range is the appropriate IP Range. For a list of IP ranges, see “IP Ranges” on page 13.

2. Run tcprules to reload allowed hosts:

> cd /etc
> tcprules tcp.smtp.cdb tcp.smtp.temp < tcp.smtp

3. Verify that the tcp.smtp.cdb file is invoked in the mail server's startup script.

4. Restart tcpserver so that the new rules will take effect:

> /usr/local/bin/tcpserver -x/etc/tcp.smtp.cdb -R -H -c25 -u502 -g501 mailhost.domain.com smtp /var/qmail/bin/qmail-smtpd 2>&1

[UID '502' & GID '501' may be different depending on server configuration.]
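Before compiling /etc/tcp.smtp with tcprules, it is worth confirming which clients the rules actually let relay. The following is an added example, not part of the original guide: a simplified model of tcprules address matching (IPv4 addresses, dotted prefixes, trailing ranges and the empty default rule only) that reports which clients receive RELAYCLIENT and flags a default rule that would make the server an open relay. The addresses are constructed documentation ranges standing in for the Outbound Services IP ranges.

```python
import re

ENV_RE = re.compile(r'(\w+)="([^"]*)"')  # simplification: double-quoted values only

# Constructed rule files; 192.0.2. stands in for an Outbound Services range.
GOOD_RULES = '''
# trusted relays first, then a default that accepts mail without relay rights
127.0.0.1:allow,RELAYCLIENT=""
192.0.2.:allow,RELAYCLIENT=""
:allow
'''
BAD_RULES = '''
192.0.2.:allow,RELAYCLIENT=""
:allow,RELAYCLIENT=""
'''


def expand(address):
    """Expand a trailing range: 198.51.100.10-12 or 10.2-3. become plain rules."""
    if address.startswith("=") or "@" in address:
        return [address]  # hostname and user rules are stored but never matched here
    dot = "." if address.endswith(".") else ""
    parts = address.rstrip(".").split(".")
    if "-" not in parts[-1]:
        return [address]
    low, high = (int(n) for n in parts[-1].split("-"))
    head = ".".join(parts[:-1])
    return [(head + "." if head else "") + str(n) + dot
            for n in range(low, high + 1)]


def parse_rules(text):
    """Return {address: (action, env)} from tcprules source text."""
    rules = {}
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError("line %d: missing ':' separator" % number)
        address, instruction = line.split(":", 1)
        action, _, env_text = instruction.partition(",")
        if action not in ("allow", "deny"):
            raise ValueError("line %d: unknown instruction %r" % (number, action))
        for addr in expand(address):
            rules[addr] = (action, dict(ENV_RE.findall(env_text)))
    return rules


def match(rules, client_ip):
    """Most specific address wins: full IP, shorter prefixes, then the default."""
    octets = client_ip.split(".")
    keys = [client_ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in keys:
        if key in rules:
            return rules[key]
    return ("allow", {})  # no rule matched: accepted with no variables set


def may_relay(text, client_ip):
    """True when the matching rule allows the client and sets RELAYCLIENT."""
    action, env = match(parse_rules(text), client_ip)
    return action == "allow" and "RELAYCLIENT" in env


def audit(text):
    """Return findings for rules that grant relay rights too broadly."""
    findings = []
    for addr, (action, env) in parse_rules(text).items():
        if action != "allow" or "RELAYCLIENT" not in env:
            continue
        if addr == "":
            findings.append("default rule sets RELAYCLIENT: any client can relay")
        elif addr.endswith(".") and addr.count(".") == 1:
            findings.append("%s grants relay to an entire /8" % addr)
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(label, may_relay(text, "203.0.113.9"), audit(text))
```

In the corrected layout the final `:allow` line still accepts inbound mail from any host; only the listed addresses get RELAYCLIENT, which is what keeps the server from relaying for everyone else.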

Configure Outbound Services IP ranges to be a trusted relay using qmail + inetd + tcpd

If the qmail line in the inetd.conf file is similar to this:

smtp stream tcp nowait qmaild /usr/sbin/tcpd /var/qmail/bin/tcp-env /var/qmail/bin/qmail-smtpd

then use the following steps instead:

1. Edit /etc/hosts.allow to include the Postini IP ranges and trusted servers. For a list of IP ranges, see “IP Ranges” on page 13.

2. Disallow everything else.

Register Your IP in the Administration Console

After you have set up reinjection, register the IP address of your outbound mail server in the Administration Console. Do not change your smarthost until your IP address is registered in Outbound Servers.

For instructions on how to register your IP in the Administration Console, see “Register Your IP in the Administration Console” on page 15.

Increase Server Timeouts

The default timeout is 1200 seconds, which is long enough. If this value has been previously changed, then edit the file /var/qmail/timeoutsmtpd and increase it to at least 900 seconds.

Set Up Smarthost

1. Edit (or create) the file /var/qmail/control/smtproutes and append the following line:

:outbounds[your system number].obsmtp.com

where [your system number] is your system number. To find what system to use, see “Identify Your System” on page 13. The leading colon leaves the domain field empty, which makes this the route for all domains not listed on another line.

2. If you have certain internal domains whose traffic should not be routed to Postini, add a specific route to the appropriate mail server for each of them in the /var/qmail/control/smtproutes file, using the following syntax:

<InternalDomain>:<ServerForInternalDomain>

3. Stop and restart the qmail server.

Test Outbound Mail

1. Check the mail queues of the mail server and look for items with a retry state, which could indicate outbound mail delays.

2. Send a message from a mail client inside your network to an outside address. The message header should contain a line showing that the message was received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.

3. Test inbound mail to confirm normal functionality. Send a message from an outside email address to an address on your service.

4. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking by spammers and will most likely cause an interruption in service.

Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings. If you see an uncertain response (such as “maybe” or “warning”), check that your private relay settings are correct.

See “Set Up Reinjection” on page 134 for the correct private relay settings.


Page 136: Outbound Config En


Page 137: Outbound Config En

Postfix Chapter 16

About Postfix

Postfix is an open-source mail transfer agent, used primarily on UNIX-based servers. It is the default mail server for several operating systems.

Setting up Postfix for Outbound Services requires minimal changes. First, add the IP ranges for the email security service as private relays. Then, register your mail server in the Administration Console. Finally, route outbound mail to Outbound Services.

There is no need to increase the timeouts for Postfix servers. The default timeout settings are appropriate.

You can also set up Private Outbound DNS to route mail to Outbound Services. Private Outbound DNS is often simpler and more reliable than a smarthost installation. Private Outbound DNS is described in “Option 1: Set Up Private Outbound DNS” on page 16. For information on changing your DNS settings, see your mail server product documentation.

Legal Disclaimer

This guide describes how Postini products work with Postfix and the configurations that Postini recommends. These instructions are designed to work with the most common Postfix scenarios. Any changes to Postfix configuration should be made at the discretion of your Postfix administrator.

Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products. In the event of a Postfix issue, you should consult your Postfix administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options.

Links to Postfix Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.


Page 138: Outbound Config En

Set Up Reinjection

Before you can register your IP addresses in the Administration Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see “Set Up Reinjection” on page 14.

Note: Do not change mynetworks and relayhost at the same time; these steps must be completed in order.

Configure Outbound Services IP ranges to be a trusted relay

1. Add IP ranges for your system to the mynetworks parameter of your configuration file (example path /etc/postfix/main.cf). For a list of IP ranges, see “IP Ranges” on page 13.

Note: Configuring the mynetworks parameter overrides the mynetworks_style parameter. If the mynetworks parameter was not previously used, you may need to add your own subnets as well.

2. Restart Postfix by running the following command:

# sudo postfix reload

3. If the reinjection server is not the same as your outbound mail server, perform these steps on all servers along the mailflow path between the reinjection server and your outbound mail server.
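The check below is an added example, not part of the original guide: it audits a main.cf excerpt for the points made in step 1 and its note (service ranges present, your own subnets still trusted once mynetworks overrides mynetworks_style, no entry that trusts every client). The function names, the sample file and the RFC 5737 documentation ranges used in place of the real IP ranges from page 13 are assumptions.

```python
import ipaddress
import re

# Constructed main.cf excerpt. 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737
# documentation ranges standing in for the service's published IP ranges.
SAMPLE_MAIN_CF = """\
# relay settings
mynetworks_style = subnet
mynetworks = 127.0.0.0/8, 192.0.2.0/24
    10.1.0.0/16
"""

def parse_main_cf(text):
    """Return {parameter: value}; a line starting with whitespace continues the previous one."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:
            params[current] += " " + raw.strip()
        else:
            name, _, value = raw.partition("=")
            current = name.strip()
            params[current] = value.strip()
    return params

def audit_mynetworks(text, required, own_subnets):
    """List problems with the trusted-relay setup: missing ranges, over-broad trust."""
    params = parse_main_cf(text)
    if "mynetworks" not in params:
        return ["mynetworks is not set; mynetworks_style decides which clients are trusted"]
    findings, nets = [], []
    if "mynetworks_style" in params:
        findings.append("mynetworks_style is ignored because mynetworks is set")
    for entry in filter(None, re.split(r"[,\s]+", params["mynetworks"])):
        try:  # Postfix writes IPv6 as [addr]/len; files and tables are not expanded here
            nets.append(ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False))
        except ValueError:
            findings.append(f"cannot evaluate entry {entry!r}; review it by hand")
    for label, wanted in (("service range", required), ("own subnet", own_subnets)):
        for cidr in wanted:
            net = ipaddress.ip_network(cidr)
            if not any(net.version == n.version and net.subnet_of(n) for n in nets):
                findings.append(f"{label} {cidr} is not covered by mynetworks")
    findings += [f"{n} trusts every client (open relay risk)" for n in nets if n.prefixlen == 0]
    return findings
```

Run it against the main.cf of every server on the mailflow path, passing the real service ranges and your internal subnets; an empty list means none of these problems were found.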

Register Your IP in the Administration Console

After you have set up reinjection, register the IP address of your outbound mail server in the Administration Console. Do not change your smarthost until your IP address is registered in Outbound Servers.

For instructions on how to register your IP in the Administration Console, see “Register Your IP in the Administration Console” on page 15.

Set Up Smarthost

After you have set up reinjection and registered the IP of your outbound mail server in the Administration Console, set the relayhost parameter to route mail to the email security system. This will set Outbound Services as the smarthost.

Set up a smarthost

1. Add the following line to your configuration file (example path /etc/postfix/main.cf):

relayhost = outbounds[your system number].obsmtp.com

where [your system number] is your system number. To find what system to use, see “Identify Your System” on page 13.


Page 139: Outbound Config En

2. Restart Postfix by running the following command:

# sudo postfix reload

Test Outbound Mail

Check the mail queues of the mail server.

1. In the Internet Mail Service Properties, select the Queues tab. Look for items with a retry state, which could indicate outbound mail delays.

2. Send a message from a mail client inside your network to an outside address. The message header should contain a line showing that the message was received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.

3. Test inbound mail to confirm normal functionality. Send a message from an outside email address to an address on your service.

4. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking by spammers and will most likely cause an interruption in service.

Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings. If you see an uncertain response (such as “maybe” or “warning”), check that your private relay settings are correct.

See “Set Up Reinjection” on page 138 for the correct private relay settings.
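The header check in step 2 of the qmail and Postfix test procedures can be scripted. The following is an added example, not part of the original guide: it walks the Received headers of a saved test message and reports the hops where an exprodNobM.obsmtp.com host received or delivered it. The function names and the sample message (placeholder hostnames and addresses) are assumptions.

```python
import re
from email import message_from_string

# Hostname pattern from the test step: exprodNobM.obsmtp.com, N and M numeric.
OBSMTP_HOP = re.compile(r"\bexprod\d+ob\d+\.obsmtp\.com\b", re.IGNORECASE)

# Constructed message; hostnames and addresses are placeholders.
SAMPLE = """\
Received: from exprod5ob101.obsmtp.com (exprod5ob101.obsmtp.com [203.0.113.9])
\tby mx.example.net with ESMTP; Mon, 03 May 2010 10:00:05 -0700
Received: from mail.example.com ([192.0.2.25])
\tby exprod5ob101.obsmtp.com with SMTP; Mon, 03 May 2010 10:00:03 -0700
Received: from client.example.com ([10.1.2.3])
\tby mail.example.com with ESMTP; Mon, 03 May 2010 10:00:01 -0700
From: user@example.com
To: someone@example.net
Subject: outbound test

body
"""

def received_hops(raw_message):
    """Return (from_host, by_host) for each Received header, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        frm = re.search(r"\bfrom\s+(\S+)", flat)
        by = re.search(r"\bby\s+(\S+)", flat)
        hops.append((frm.group(1) if frm else None, by.group(1) if by else None))
    return hops

def outbound_service_hops(raw_message):
    """Hops where the service received the message ('by') or delivered it onward ('from')."""
    result = []
    for index, (frm, by) in enumerate(received_hops(raw_message)):
        if by and OBSMTP_HOP.search(by):
            result.append((index, "received", by))
        if frm and OBSMTP_HOP.search(frm):
            result.append((index, "delivered", frm))
    return result
```

An empty result for a message sent to an outside address means the mail did not pass through the smarthost, so recheck the smtproutes or relayhost setting.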


Page 140: Outbound Config En
