Outbound Services Configuration Guide • Google Message Security • Google Message Discovery
Google, Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043 www.google.com Part number: OBCG_632_17 December 20, 2011 © Copyright 2010 Google, Inc. All rights reserved. Google, the Google logo, Google Message Filtering, Google Message Security, Google Message Discovery, Postini, the Postini logo, Postini Perimeter Manager, Postini Threat Identification Network (PTIN), Postini Industry Heuristics, and PREEMPT are trademarks, registered trademarks, or service marks of Google, Inc.
Contents What This Guide Contains 9 Related Documentation 9 How to Send Comments About This Guide 10 Chapter 1: Introduction to Outbound Configuration 11 About Outbound Configuration 11 How to Use This Guide 12 Prerequisites 13 Identify Your System 13 IP Ranges 13 Set Up Reinjection 14 Register Your IP in the Administration Console 15 Increase Server Timeouts 16 Option 1: Set Up Private Outbound DNS 16 Option 2: Set Up Smarthost 19 Test Outbound Mail 19 Microsoft Exchange Servers 19 Optional: Configure S
Chapter 4: Microsoft Exchange 2000/2003 Single Server (Smarthost method) 47 About Microsoft Exchange 2000/2003 Single-Server 47 Set Up Reinjection 48 Register Your IP in the Administration Console 49 Increase Server Timeouts 49 Set Up Smarthost 50 Test Outbound Mail 52 Troubleshooting 53 Chapter 5: Microsoft Exchange 2000/2003 Multi-Server (Smarthost method) 55 About Microsoft Exchange 2000/2003 Multi-Server 55 Choose Smarthost Method 56 Set Up Reinjection 57 Register Your IP in the Administration Console 5
Set Up Smarthost 104 Test Outbound Mail 105 Chapter 10: IBM Lotus Domino (Private DNS Method) About IBM Lotus Domino (Private DNS Method) 107 Choose a Private DNS Routing Method 108 Set Up Reinjection 108 Register Your IP in the Administration Console 109 Set Up Private DNS (notes.
Test Outbound Mail 135 Chapter 16: Postfix 137 About Postfix 137 Set Up Reinjection 138 Register Your IP in the Administration Console 138 Set Up Smarthost 138 Test Outbound Mail 139
About This Guide
What This Guide Contains
The Outbound Services Configuration Guide provides information about:
• General principles for setting up your mail server to route mail through Outbound Services.
• Specific step-by-step instructions to enable reinjection and smarthosts (or Private DNS) for the most common and popular mail servers.
• Troubleshooting steps for the most common and popular mail servers.
How to Send Comments About This Guide Postini values your feedback. If you have comments about this guide, please send an email message to: postini-doc_comments@google.com In your email message, please specify the section to which your comment applies. If you want to receive a response to your comments, ensure that you include your name and contact information.
Introduction to Outbound Configuration Chapter 1 About Outbound Configuration This chapter introduces the setup process for Outbound Services common to all types of mail servers. Setup information unique to specific mail servers can be found in separate chapters. For successful installation, start with this general chapter, and follow with the chapter describing your mail server.
How to Use This Guide
This guide is intended to provide information about how to set up your environment to use Outbound Services. Since configuration is different for different mail servers, each chapter after the introduction gives instructions for a separate mail server. Most administrators will only need to use two chapters:
• This chapter.
• The chapter specifically devoted to your mail server.
Prerequisites
Outbound Services is an optional feature. For more information about your service package and options, contact your account manager or vendor. Before you configure Outbound Services, you need a server that can:
• Allow a safe private relay from an external address.
• Route outbound mail using a smarthost (a server that accepts outbound mail and passes it on to the recipient) or an external DNS (a server that provides routing information, for supported servers).
Note: Both sets of IP ranges are applicable for system 20 customers.
System         | IP Range                        | CIDR Range       | IP/Subnet Mask Pair
5, 6, 7, 8, 20 | 64.18.0.0 - 64.18.15.255        | 64.18.0.0/20     | 64.18.0.0 mask 255.255.240.0
9              | 74.125.148.0 - 74.125.151.255   | 74.125.148.0/22  | 74.125.148.0 mask 255.255.252.0
10             | 74.125.244.0 - 74.125.247.255   | 74.125.244.0/22  | 74.125.244.0 mask 255.255.252.0
20, 200, 201   | 207.126.144.0 - 207.126.159.255 | 207.126.144.0/20 | 207.126.144.0 mask 255.255.240.
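The relay permission set up for reinjection should cover the ranges in this table for your system and nothing wider. The following is an added example, not part of the original guide: it checks a list of relay entries (CIDR, IP/mask pair, first-last range or single address) against the CIDR ranges above. The function names and the sample entries in the test are constructed for illustration.

```python
import ipaddress

# CIDR ranges from the IP Ranges table in this guide, keyed by system number.
# System 20 uses both sets of ranges, as the note above the table states.
OUTBOUND_RANGES = {
    "5": ["64.18.0.0/20"],
    "6": ["64.18.0.0/20"],
    "7": ["64.18.0.0/20"],
    "8": ["64.18.0.0/20"],
    "9": ["74.125.148.0/22"],
    "10": ["74.125.244.0/22"],
    "20": ["64.18.0.0/20", "207.126.144.0/20"],
    "200": ["207.126.144.0/20"],
    "201": ["207.126.144.0/20"],
}


def parse_entry(text):
    """Turn one relay entry, as an administrator might type it, into networks.

    Accepted forms: "a.b.c.d/nn", "a.b.c.d mask m.m.m.m", "first-last",
    or a single address. Raises ValueError or TypeError on malformed input.
    """
    text = text.strip()
    if "-" in text:
        first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    parts = text.replace(" mask ", " ").split()
    if len(parts) == 2:
        return [ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=True)]
    return [ipaddress.ip_network(text, strict=True)]


def audit_relay_entries(system, entries):
    """Classify relay entries against the documented ranges for one system.

    ok        - entry lies entirely inside a documented range
    too_broad - entry overlaps a documented range but also relays for others
    foreign   - entry has nothing in common with the documented ranges
    invalid   - entry could not be parsed
    missing   - documented ranges that the entries do not fully cover
    """
    allowed = [ipaddress.ip_network(c) for c in OUTBOUND_RANGES[system]]
    findings = {"ok": [], "too_broad": [], "foreign": [], "invalid": [], "missing": []}
    covered = []
    for entry in entries:
        try:
            nets = parse_entry(entry)
        except (ValueError, TypeError):
            findings["invalid"].append(entry)
            continue
        if any(n.version != 4 for n in nets):
            findings["foreign"].append(entry)  # the table lists IPv4 ranges only
            continue
        inside = all(any(n.subnet_of(a) for a in allowed) for n in nets)
        overlap = any(n.overlaps(a) for n in nets for a in allowed)
        if inside:
            findings["ok"].append(entry)
            covered.extend(nets)
        elif overlap:
            findings["too_broad"].append(entry)
            covered.extend(nets)
        else:
            findings["foreign"].append(entry)
    # Merge adjacent entries so that two halves of a range count as the whole.
    merged = list(ipaddress.collapse_addresses(covered))
    for a in allowed:
        if not any(a.subnet_of(m) for m in merged):
            findings["missing"].append(str(a))
    return findings
```

Entries reported as too_broad or foreign let hosts outside the service relay through the server; entries under missing mean part of the service's range will be refused at reinjection.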
Register Your IP in the Administration Console
Register your IP after you have set up a reinjection server, but before you set up a smarthost (or external DNS) on your mail server. This step is the same for all mail servers.
WARNING: You will not be able to register your IP address before setting up reinjection. If you attempt to do so, you will see an error in the Administration Console and your IP will not be registered.
Register Your IP
1. Log in to the Administration Console.
3. Click the Save button. When you click Save, the Administration Console will test your reinjection host to confirm the private relay is set up properly. If your mail server has not been set up to allow Outbound Services to act as a private relay, see “Set Up Reinjection” on page 14 for information about how to set up a private relay. 4. If you have more than one outbound server IP range, add additional records. Go back to step 2 and register each IP range separately using the same instructions.
How DNS Works for Outbound Mail All mail servers use DNS to route outbound mail through the internet. DNS (Domain Name Service) is a way to translate domain names into IP addresses, which are used to contact other machines on the Internet. When a message is sent to another domain, the sending mail server contacts a DNS host to find out the IP address for the receiving server.
Addresses for Private Outbound DNS
Because DNS lookups occur before domain names are resolved, you must use an IP address for Private Outbound DNS. Private outbound DNS cannot use domain names. The appropriate IP address depends on your system. To find what system to use, see “Identify Your System” on page 13.
System | IP Address to use for Private Outbound DNS
5      | 64.18.4.12
6      | 64.18.5.12
7      | 64.18.6.12
8      | 64.18.7.12
9      | 74.125.148.12
10     | 74.125.244.12
20     | 64.18.9.14
200    | 207.126.147.11
201    | 207.
Option 2: Set Up Smarthost If you are using a mail server that does not currently support Private DNS, or if you do not wish to use Private DNS, set up a smarthost on your server instead. Once you’ve set up a reinjection host and added the IP range to the Administration Console, redirect your mail to the email security service by setting up a smarthost. Smarthost is a common term for a server that accepts outbound mail and passes it on to the recipient.
For Microsoft Exchange 2000, or Microsoft Exchange 2003 without Private Outbound DNS, different instructions apply depending on whether your network includes a single mail server, or multiple linked mail servers. If you are using a single server, see “Microsoft Exchange 2000/2003 Single Server (Smarthost method)” on page 47. If you are using multiple linked servers, see “Microsoft Exchange 2000/2003 Multi-Server (Smarthost method)” on page 55.
Publishing an SPF record following the format described by the SPF wizard should not affect inbound mail flow. Alternate Option: Routing Outbound Mail on Your Firewall Most of this guide contains instructions for how to set up your mail server to route mail to Outbound services. Another option for routing involves setting up Postini outbound using Network address translation (NAT) and stealth-proxying port 25.
Microsoft Exchange 2003 (Private DNS Method) Chapter 2 About Microsoft Exchange 2003 (Private DNS Method) Microsoft® Exchange Server 2003 is designed as a high-end, scalable system. Microsoft Exchange 2003 servers can be set up to work together in a large email network. It is possible to route all outbound mail through the Email Security Server without affecting the flow of internal mail between servers. Smarthost solutions for Microsoft Exchange can cause mail queueing delays.
Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products. In the event of a Microsoft Exchange issue, you should consult your Microsoft Exchange administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options. Links to Microsoft Exchange Web sites are provided for your convenience. The links and their content may change without notice.
7. Click the Connection button.
8. If the Connection list is set to “Only the list below”, then add the same IP ranges.
9. Click OK to get back to the Access tab and click OK to close the Default SMTP Virtual Server Properties.
10. If the reinjection servers are not outbound servers, then configure all servers along the mail flow between reinjection and the outbound server to allow the injection server to relay mail traffic through them.
11. Stop and restart the SMTP services.
2. Expand the top level -> Servers -> -> Protocols -> SMTP. 3. Right-click Default SMTP Virtual Server & select Properties. 4. Click the Delivery Tab. 5. Click Advanced to go to the Advanced Delivery dialog box.
6. If you have a Smarthost set to point to Outbound Services for mail filtering, clear the Smarthost. The Private Outbound DNS will replace your Smarthost for routing. 7. Click Configure. 8. Click Add and enter the appropriate IP address for your system. Click OK. The appropriate IP address depends on your system. To find what system to use, see “Identify Your System” on page 13.
System | IP Address to use for Private Outbound DNS
5      | 64.18.4.12
6      | 64.18.5.12
7      | 64.18.6.12
8      | 64.18.7.12
9      | 74.125.148.12
10     | 74.125.244.12
20     | 64.18.9.14
200    | 207.126.147.11
201    | 207.126.154.11
9. Click OK again. You should see your IP address listed as an External DNS.
10. Click OK twice to return to the System Manager.
11. In System Manager, restart your mail server.
3. Test inbound mail to confirm normal functionality. Send a message from an outside email address to an address on your service. 4. In the Administration Console, select your email config organization and click the Outbound Servers tab. After a minute of successful mail flow, traffic should display on the graph. 5. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking from spammers and will most likely cause an interruption in service.
6. In the nslookup prompt, type gmail.com again. You should see a different IP address now. If you see an error message, your network settings are blocking your DNS connection. 7. In the nslookup prompt, type server [old default server] to restore your default server. Substitute your previous default server name for [old default server]. 8. Press Control-C to exit nslookup.
Microsoft Exchange 2007/2010 (Private DNS Method) Chapter 3 About Microsoft Exchange 2007/2010 (Private DNS Method) Microsoft® Exchange Server 2007 is designed as a high-end, scalable system, with servers set up to work together in a large email network. Smarthost solutions for Microsoft Exchange can cause mail queueing delays. Private Outbound DNS Service is designed to ease setup and prevent queueing delays.
Legal Disclaimer This guide describes how Postini products work with Microsoft Exchange and the configurations that Postini recommends. These instructions are designed to work with the most common Microsoft Exchange scenarios. Any changes to Microsoft Exchange configuration should be made at the discretion of your Microsoft Exchange administrator. Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products.
Create the Receive Connector Set up a new Receive Connector on the Hub Server to allow relaying. This step is the same for either method of reinjection setup. 1. Expand Server Configuration from the Exchange Management Console 2. Choose Hub Transport from the server roles list. 3. In the Details Pane choose the appropriate hub transport server 4. In the Properties Pane right click in the Receive Connectors tab and choose New Receive Connector. The following screen will appear: 5.
7. Click Next to go to the Remote Network settings page. Click the default range that is input by the system and click Edit. 8. You will see the Edit Remote Servers box. Enter the appropriate IP range. For a list of IP ranges, see “IP Ranges” on page 13.
9. Click OK, then click Next to continue. 10. Click New, then click Finish on the Completion page. Method One: Apply Anonymous user access to the connector The first method to allow reinjection is to set the receive connector to allow Anonymous Users. This is recommended for most configurations. The first step in this process is to add the Anonymous Permissions Group to the connector.
1. Double click your new connector and choose the Permission Groups tab.
2. Check the Anonymous Users checkbox.
3. Choose OK.
4. Open the Exchange Management Shell from Start -> Programs -> Microsoft Exchange Server 2007 (or 2010) -> Exchange Management Shell.
5. Type the following command:
Get-ReceiveConnector "Reinjection" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
6.
Method Two: Externally Secured Connector If you do not allow Anonymous Access, you can instead create a connector as an externally secured connector. This option allows you to bypass Exchange’s antispam filters. 1. Open the newly created connector and click the Permissions Groups tab. 2. Check Exchange Servers and click Apply.
3. Click the Authentication tab. 4. Check “Externally secured.
Using the externally secured setting applies the following permissions: MS Exchange\Externally Authoritative-Domain} MS Exchange\Externally Spam} MS Exchange\Externally Size-Limit} MS Exchange\Externally Exch50} MS Exchange\Externally Routing} MS Exchange\Externally MS Exchange\Externally Any-Recipient} MS Exchange\Externally Authentication-Flag} MS Exchange\Externally Any-Sender} Secured Servers {ms-Exch-SMTP-AcceptSecured Servers {ms-Exch-Bypass-AntiSecured Servers {ms-Exch-Bypass-MessageSecured Servers
Register Your IP in the Administration Console After you have set up reinjection, register the IP address of your outbound mail server in the Administration Console. Do not change your external DNS until your IP address is registered in Outbound Servers. This can take about 15 minutes. For instructions on how to register your IP in the Administration Console, see “Register Your IP in the Administration Console” on page 15.
5. Select “use these DNS servers:” and enter the appropriate IP address for your system. Press enter to add the address. The appropriate IP address depends on your system. To find what system to use, see “Identify Your System” on page 13.
System | IP Address to use for Private Outbound DNS
5      | 64.18.4.12
6      | 64.18.5.12
7      | 64.18.6.12
8      | 64.18.7.12
9      | 74.125.148.12
10     | 74.125.244.12
20     | 64.18.9.
200    | 207.126.147.11
201    | 207.126.154.11
6. Click Apply, then click OK to close the dialog box.
7. In the Exchange Management Console, go to Organization Configuration -> Hub Transport.
8. Click the Send Connectors tab.
9. Select the Send Connector you use to route mail to the Internet.
10. Right-click this Send Connector and select Properties.
11. Go to the Network Tab.
12. Choose “Use domain name system (DNS) MX records to route mail automatically.” Do not route mail through a smart host. 13. Check “Use the External DNS Lookup settings on the transport server.” 14. Click OK to exit the dialog. 15. In the Exchange Management Console, restart your server. Test Outbound Mail Once you have set up Private Outbound DNS, test that your configuration is correct and mail is flowing normally. Test the configuration. 1. Go to the Queues tab in Internet Mail Service Properties.
2. Send a message from a mail client inside your network to an outside address. You should see a line in the email header indicating that the message was received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.
3. Test inbound mail to confirm normal functionality. Send a message from an outside email address to an address on your service.
4. In the Administration Console, select your email config organization and click the Outbound Servers tab.
6. In the nslookup prompt, type gmail.com again. You should see a different IP address now. If you see an error message, your network settings are blocking your DNS connection. 7. In the nslookup prompt, type server [old default server] to restore your default server. Substitute your previous default server name for [old default server]. 8. Press Control-C to exit nslookup. I am still seeing mail queueing Your mail is still being routed through a smarthost. Try the following steps: 1.
Microsoft Exchange 2000/2003 Single Server (Smarthost method) Chapter 4 About Microsoft Exchange 2000/2003 Single-Server This chapter describes how to set up Outbound Services for an environment with a single Microsoft® Exchange Server 2000/2003 using a smarthost. The recommended method for setting up Outbound Servers with Microsoft Exchange 2003 is Private Outbound DNS. For more information, see “Microsoft Exchange 2003 (Private DNS Method)” on page 23.
Set Up Reinjection Before you can register your IP addresses in the Administrative Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see “Set Up Reinjection” on page 14. Configure Outbound Services IP ranges to be a trusted relay 1. Select the Start Menu -> Programs -> Microsoft Exchange -> System Manager 2. Expand the top level -> Servers -> Your Mail Server -> Protocols -> SMTP 3. Right-click Default SMTP Virtual Server and select Properties. 4.
10. Click OK to get back to the Access tab, and click OK to close the Default SMTP Virtual Server Properties. 11. If the reinjection servers are not outbound servers, then all servers along the mailflow between the reinjection server and the outbound server must be configured to allow the injection server to relay mail traffic through them. 12. Stop and restart the SMTP services.
2. Expand the top level -> Servers -> = Your Mail Server = -> Protocols -> SMTP Right-click the Virtual Server used for outbound routing. 3. Click the Delivery tab. 4. At the bottom of the Properties window, click Outbound Connections. 5. Set the “Time-out (minutes)” value to 15 or more. 6. Click OK to close Outbound Connections. 7. Click OK to close Virtual Server Properties. Set Up Smarthost There are two ways to set up a smarthost in a Microsoft Exchange 2000/2003 environment.
3. On the General tab, type in the appropriate hostname listed below in the field labeled “Forward all mail through this connector to the following smart hosts”. Forward outbound mail to outbounds[your system number].obsmtp.com where [your system number] is your system number. To find what system to use, see “Identify Your System” on page 13. 4. Click OK to close the Advanced dialog and OK to save the changes and close SMTP Virtual Server Properties.
Configure the smarthost to route traffic to Outbound Services 1. Click Connectors and then right-click the SMTP Connector (or the Internet Mail SMTP Connector) and select Properties. 2. On the General tab, type in the appropriate hostname listed below in the field labeled “Smart host”. Forward outbound mail to outbounds[your system number].obsmtp.com where [your system number] is your system number. To find what system to use, see “Identify Your System” on page 13. 3.
Troubleshooting Because Microsoft Exchange is a third-party product, this document cannot include complete troubleshooting steps. For further troubleshooting information, see the Microsoft website: http://support.microsoft.com/kb/284204 In MS Exchange 2000 and 2003, the smarthost is configured in the Default Virtual Server, however mail traffic is still being sent via the Internet. A connector may be directing traffic to the Internet directly.
Microsoft Exchange 2000/2003 Multi-Server (Smarthost method)
Chapter 5
About Microsoft Exchange 2000/2003 Multi-Server
Microsoft® Exchange Server 2000/2003 is designed as a high-end, scalable system. Microsoft Exchange 2000/2003 servers can be set up to work together in a large email network. It is possible to route all outbound mail through the Email Security Server without affecting the flow of internal mail between servers.
Legal Disclaimer This guide describes how Postini products work with Microsoft Exchange and the configurations that Postini recommends. These instructions are designed to work with the most common Microsoft Exchange scenarios. Any changes to Microsoft Exchange configuration should be made at the discretion of your Microsoft Exchange administrator. Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products.
However, SMTP connectors require some special consideration during outbound configuration, because they are primarily designed to route internal traffic. SMTP Connectors automatically detect and attempt to route around failures. If any receiving server rejects or defers a message, the connector will temporarily cease to function. This can lead to a long mail queue and delayed delivery.
8. If the Connection list is set to “Only the list below”, then add the same IP ranges.
9. Click OK to get back to the Access tab and click OK to close the Default SMTP Virtual Server Properties.
10. If the reinjection servers are not outbound servers, then configure all servers along the mail flow between reinjection and the outbound server to allow the injection server to relay mail traffic through them.
11. Stop and restart the SMTP services.
Increase server timeouts 1. Select the Start Menu -> Programs -> Microsoft Exchange -> System Manager. 2. Expand the top level -> Servers -> = Your Mail Server = -> Protocols -> SMTP Right-click the Virtual Server used for outbound routing. 3. Click the Delivery tab. 4. At the bottom of the Properties window, click Outbound Connections. 5. Set the “Time-out (minutes)” value to 15 or more. 6. Click OK to close Outbound Connections. 7. Click OK to close Virtual Server Properties.
Configure the new virtual server to listen on a unique port number 1. Right-click the new virtual server and select Properties. 2. On the General tab, click Advanced. 3. Highlight the IP Address and click Edit. 4. Change the TCP Port to 26 (or any other unused port). All internal servers that need to communicate with this existing server will also need to be reconfigured to use this alternate port number. As an alternative, if the machine is multihomed (i.e.
4. In the lower right corner of the Delivery tab, click Advanced. 5. Type in the appropriate smarthost hostname listed below in the field labeled “Smart host”. The appropriate smarthost is outbounds[your system number].obsmtp.com where [your system number] is your system number. To find what system to use, see “Identify Your System” on page 13. Note: If an alternate IP address was used, configuration changes to the other machines may be necessary if they are using the bridgehead as a smart host.
3. Click OK to save the changes and close the SMTP Connector properties.
Option Three: Setting Up Multiple SMTP Connectors
Another alternative, rather than configuring the smart host in the SMTP Virtual Server, is to use two or more SMTP Connectors and configure them to share the mail flow load in a load-balanced fashion. This is an advanced configuration and should be carefully considered and thoroughly researched before being attempted.
In MS Exchange 2000 and 2003, the smarthost is configured in the Default Virtual Server, however mail traffic is still being sent via the Internet. A connector may be directing traffic to the Internet directly. On an MS Exchange 2000 server, connectors such as the Internet Mail Service Connector override Virtual Server settings. Modify the connector so it will not affect outbound traffic. 1. Select the Start Menu -> Programs -> Microsoft Exchange -> System Manager. 2. Expand the top level -> Connectors. 3.
Microsoft Exchange 2007 without an Edge Server (Smarthost method) Chapter 6 About Microsoft Exchange 2007 without an Edge Server Microsoft® Exchange Server 2007 is designed as a high-end, scalable system, with servers set up to work together in a large email network. The recommended method for setting up Outbound Servers with Microsoft Exchange 2007 is Private Outbound DNS. For more information, see “Microsoft Exchange 2007/2010 (Private DNS Method)” on page 31.
Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products. In the event of a Microsoft Exchange issue, you should consult your Microsoft Exchange administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options. Links to Microsoft Exchange Web sites are provided for your convenience. The links and their content may change without notice.
4. In the Properties Pane right click in the Receive Connectors tab and choose New Receive Connector. The following screen will appear: 5. Name the connector “Reinjection” and choose Next 6. You will see the Local Network Settings page. If you haven’t made any customization to the IP settings of the Hub Server, keep the defaults. Otherwise, use the settings appropriate for your customization.
7. Click Next to go to the Remote Network settings page. Click the default range that is input by the system and click Edit.
8. You will see the Edit Remote Servers box. Enter the appropriate IP range. For a list of IP ranges, see “IP Ranges” on page 13. 9. Click OK, then click Next to continue.
10. Click New, then click Finish on the Completion page. Method One: Apply Anonymous user access to the connector The first method to allow reinjection is to set the receive connector to allow Anonymous Users. This is recommended for most configurations. The first step in this process is to add the Anonymous Permissions Group to the connector. 1. Double click your new connector and choose the Permission Groups tab. 2. Check the Anonymous Users checkbox. 3. Choose OK.
4. Open the Exchange Management Shell from Start -> Programs -> Microsoft Exchange Server 2007 -> Exchange Management Shell.
5. Type the following command:
Get-ReceiveConnector "Reinjection" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
6.
Method Two: Externally Secured Connector If you do not allow Anonymous Access, you can instead create a connector as an externally secured connector. This option allows you to bypass Exchange’s antispam filters. 1. Open the newly created connector and click the Permissions Groups tab. 2. Check Exchange Servers and click Apply.
3. Click the Authentication tab. 4. Check “Externally secured.
Using the externally secured setting applies the following permissions: MS Exchange\Externally Authoritative-Domain} MS Exchange\Externally Spam} MS Exchange\Externally Size-Limit} MS Exchange\Externally Exch50} MS Exchange\Externally Routing} MS Exchange\Externally MS Exchange\Externally Any-Recipient} MS Exchange\Externally Authentication-Flag} MS Exchange\Externally Any-Sender} 74 Outbound Services Configuration Guide Secured Servers {ms-Exch-SMTP-AcceptSecured Servers {ms-Exch-Bypass-AntiSecured Serv
Register Your IP in the Administration Console After you have set up reinjection, register the IP address of your outbound mail server in the Administration Console. Do not change your smarthost until your IP address is registered in Outbound Servers. For instructions on how to register your IP in the Administration Console, see “Register Your IP in the Administration Console” on page 15.
6. Click Add and enter the address space “*” so that all mail will be routed through the new connector. 7. Check “Include all subdomains.” 8. Under Network settings, select “Route mail through the following smart hosts.
9. Click Add. 10. Enter the appropriate smart host. The appropriate smart host setting is outbounds[your system number].obsmtp.com where [your system number] is your system number. To find what system to use, see “Identify Your System” on page 13.
11. Under “Configure smart host authentication settings” select None. 12. Click Add and list each outbound hub server that will act as a bridgehead.
13. Click New, then click Finish to complete the send connector configuration.
Test Outbound Mail
Check the mail queues of the mail server.
1. In the Internet Mail Service Properties select the Queues tab. Look for items with a retry state, which could indicate outbound mail delays.
2. Send a message from a mail client inside your network to an outside address. You should see a line in the email header indicating that the message was received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.
3. Test inbound mail to confirm normal functionality.
4. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking from spammers and will most likely cause an interruption in service. Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings.
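The header check in step 2 of Test Outbound Mail can be scripted. The following is an added example, not part of the original guide: it parses the Received headers of a saved test message and reports whether a host matching exprodNobM.obsmtp.com accepted the message and handed it on. The sample messages and every hostname in them are constructed.

```python
import re
from email import message_from_string

# Hostname pattern from this guide: exprodNobM.obsmtp.com, N and M numeric.
OUTBOUND_HOST = re.compile(r"exprod\d+ob\d+\.obsmtp\.com", re.IGNORECASE)
FROM_RE = re.compile(r"^from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
BY_RE = re.compile(r"(?:^|\s)by\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def _is_outbound_host(name):
    # fullmatch rejects lookalikes such as exprod5ob101.obsmtp.com.mail.example
    return bool(OUTBOUND_HOST.fullmatch(name.rstrip(".")))


def check_outbound_route(raw_message):
    """Inspect the Received chain of a delivered test message.

    accepted_by  - outbound hosts named in a "by" clause (they took the message)
    relayed_from - outbound hosts named in a "from" clause of a later hop
    routed       - True when at least one outbound host accepted the message
    """
    msg = message_from_string(raw_message)
    accepted_by, relayed_from = [], []
    for header in msg.get_all("Received", []):
        flat = " ".join(header.split())  # unfold continuation lines
        from_match = FROM_RE.search(flat)
        by_match = BY_RE.search(flat)
        if from_match and _is_outbound_host(from_match.group(1)):
            relayed_from.append(from_match.group(1).lower())
        if by_match and _is_outbound_host(by_match.group(1)):
            accepted_by.append(by_match.group(1).lower())
    return {
        "routed": bool(accepted_by),
        "accepted_by": accepted_by,
        "relayed_from": relayed_from,
    }


# Constructed sample: mail server -> outbound service -> recipient MX.
SAMPLE_ROUTED = """\
Received: from exprod5ob101.obsmtp.com
 by mx.recipient.example with ESMTP; Tue, 20 Dec 2011 10:00:05 -0800
Received: from mail.sender.example ([192.0.2.25])
 by exprod5ob101.obsmtp.com with SMTP; Tue, 20 Dec 2011 10:00:03 -0800
Received: from desktop.sender.example ([192.0.2.50])
 by mail.sender.example with ESMTP; Tue, 20 Dec 2011 10:00:01 -0800
From: tester@sender.example
To: someone@recipient.example
Subject: outbound test

test body
"""

# Constructed sample: mail server delivered straight to the recipient MX.
SAMPLE_DIRECT = """\
Received: from mail.sender.example ([192.0.2.25])
 by mx.recipient.example with ESMTP; Tue, 20 Dec 2011 10:05:03 -0800
From: tester@sender.example
To: someone@recipient.example
Subject: outbound test

test body
"""

# Constructed sample: a lookalike hostname that must not count as the service.
SAMPLE_LOOKALIKE = """\
Received: from mail.sender.example ([192.0.2.25])
 by exprod5ob101.obsmtp.com.mail.example with SMTP; Tue, 20 Dec 2011 10:06:03 -0800
From: tester@sender.example
To: someone@recipient.example
Subject: outbound test

test body
"""

if __name__ == "__main__":
    for name, sample in [("routed", SAMPLE_ROUTED), ("direct", SAMPLE_DIRECT)]:
        print(name, check_outbound_route(sample))
```

A result with routed False on a message sent after the smarthost change means the mail left by another path, for example through a connector that overrides the smarthost setting.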
Microsoft Exchange 2007 with an Edge Server (Smarthost method) Chapter 7 About Microsoft Exchange 2007 with an Edge Server Microsoft® Exchange Server 2007 is designed as a high-end, scalable system, with servers set up to work together in a large email network. The recommended method for setting up Outbound Servers with Microsoft Exchange 2007 is Private Outbound DNS. For more information, see “Microsoft Exchange 2007/2010 (Private DNS Method)” on page 31.
Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products. In the event of a Microsoft Exchange issue, you should consult your Microsoft Exchange administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options. Links to Microsoft Exchange Web sites are provided for your convenience. The links and their content may change without notice.
4. In the Properties Pane right click in the Receive Connectors tab and choose New Receive Connector. The following screen will appear: 5. Name the connector “Reinjection” and choose Next 6. You will see the Local Network Settings page. If you haven’t made any customization to the IP settings of the Hub Server, keep the defaults. Otherwise, use the settings appropriate for your customization.
7. Click Next to go to the Remote Network settings page. Click the default range that is input by the system and click Edit.
8. You will see the Edit Remote Servers box. Enter the appropriate IP range. For a list of IP ranges, see “IP Ranges” on page 13. 9. Click OK, then click Next to continue.
10. Click New, then click Finish on the Completion page. Method One: Apply Anonymous user access to the connector The first method to allow reinjection is to set the receive connector to allow Anonymous Users. This is recommended for most configurations. The first step in this process is to add the Anonymous Permissions Group to the connector. 1. Double click your new connector and choose the Permission Groups tab. 2. Check the Anonymous Users checkbox. 3. Choose OK.
4. Open the Exchange Management Shell from Start -> Programs -> Microsoft Exchange Server 2007 -> Exchange Management Shell.
5. Type the following command:
   Get-ReceiveConnector "Reinjection" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
6.
Method Two: Externally Secured Connector

If you do not allow Anonymous Access, you can instead create a connector as an externally secured connector. This option allows you to bypass Exchange’s antispam filters.
1. Open the newly created connector and click the Permission Groups tab.
2. Check Exchange Servers and click Apply.
3. Click the Authentication tab. 4. Check “Externally secured.
Using the externally secured setting applies the following permissions: MS Exchange\Externally Authoritative-Domain} MS Exchange\Externally Spam} MS Exchange\Externally Size-Limit} MS Exchange\Externally Exch50} MS Exchange\Externally Routing} MS Exchange\Externally MS Exchange\Externally Any-Recipient} MS Exchange\Externally Authentication-Flag} MS Exchange\Externally Any-Sender} Secured Servers {ms-Exch-SMTP-AcceptSecured Servers {ms-Exch-Bypass-AntiSecured Serv
Register Your IP in the Administration Console

After you have set up reinjection, register the IP address of your outbound mail server in the Administration Console. Do not change your smarthost until your IP address is registered in Outbound Servers. For instructions on how to register your IP in the Administration Console, see “Register Your IP in the Administration Console” on page 15.

Set Up Smarthost

To send email from an edge transport server, you must configure a send connector.
5. On the Network tab, uncheck “Use domain…” and “Enable domain….”
6. In the same tab, check “Route mail through the following smart hosts.”
7. Choose the Add button and enter the name of the smart host. The appropriate smarthost is outbounds[your system number].obsmtp.com where [your system number] is your system number. To find what system to use, see “Identify Your System” on page 13.
8. On the Source Server tab, verify that the appropriate edge subscription(s) are defined. 9.
10. Verify on the Edge server(s) that the new Send Connector settings have been received and look identical to those on the hub server.
11. Also be sure to check your receive connectors on the Edge server and verify the following:
    a. The Network tab has the IP range of all hub servers included
    b. The Authentication tab has the Exchange Server Authentication option checked
    c. The Permission Groups tab has the Exchange Servers option checked

Test Outbound Mail

Check the mail queues of the mail server.
1.

Troubleshooting

Installing Exchange 2007 onto an existing Exchange 2003 environment

If you've installed Exchange 2007 into an existing environment with 2003, you may already have a Send Connector (SMTP Connector). If so, modify and verify your settings there. If the connector is on your 2003 server, you can only view the settings from the Exchange 2007 Management Console. Make all changes from the Exchange 2003 System Manager (look for “SMTP Connectors”).
Microsoft Exchange 5.5
Chapter 8

About Microsoft Exchange 5.5

Microsoft® Exchange Server 5.5 is an email server designed for use in the Microsoft Windows environment. It is a legacy product and is no longer supported by Microsoft. However, because of difficulties in upgrading, some environments continue to use Exchange Server 5.5 on a Windows NT 4.0 platform. You can also set up Private Outbound DNS to route mail to Outbound Services.

Set Up Reinjection

Before you can register your IP addresses in the Administration Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see “Set Up Reinjection” on page 14.

Configure Outbound Services IP ranges to be a trusted relay
1. Select the Start Menu -> Programs -> Microsoft Exchange -> Microsoft Exchange Administrator
2. Select Your Mail Server -> Configuration -> Connections -> Internet Mail Service.
3.
3. Right-click and select Properties and then click the Connections tab.
4. Enter the appropriate domain name in the field labeled “Forward all messages to host”. The hostname to use is: outbounds[your system number].obsmtp.com where [your system number] is your system number. To find what system to use, see “Identify Your System” on page 13.
5. Under the “Retry Interval (hrs.)” setting, type in the following: .1,.2,.3,.4
6. Click OK.
7. Stop and Restart the MS Exchange 5.
Microsoft Small Business Server 2003
Chapter 9

About Microsoft Small Business Server 2003

Microsoft® Small Business Server 2003 is a server suite designed to handle the server needs of businesses with up to 75 users. It includes both Microsoft Exchange Server and Microsoft IIS Server. You can also set up Private Outbound DNS to route mail to Outbound Services. Private Outbound DNS is often simpler and more reliable than a smarthost installation.

Set Up Reinjection

Before you can register your IP addresses in the Administration Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see “Set Up Reinjection” on page 14.

Configure Outbound Services IP ranges to be a trusted relay
1. Select the Start Menu -> Programs -> Microsoft Exchange -> System Manager
2. Expand the top level -> Servers -> Your Mail Server -> Protocols -> SMTP
3. Right-click Default SMTP Virtual Server and select Properties.
4.

To route outbound mail through Outbound Services:
1. In Exchange System Manager (ESM), go to Connectors -> Small Business SMTP Connector on the General tab.
2. Select “Use DNS to route to each address space on this connector” and click Apply.
3. In the Address Space tab, select the default address space of “x”, then click Modify.
4. In the Address Space tab, change the address space to your domain name and click OK.
5.
5. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking from spammers and will most likely cause an interruption in service. Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings.
IBM Lotus Domino (Private DNS Method)
Chapter 10

About IBM Lotus Domino (Private DNS Method)

IBM® Lotus® Domino® Server is a server product that provides enterprise-grade email, collaboration capabilities, and a custom application platform. Because of the high level of customization possible, IBM Lotus Domino environments vary greatly. These instructions provide steps to route mail to Outbound Services using the Private Outbound DNS method and are designed to work with a majority of deployments.
Note: Postini Customer Care does not provide technical support for configuring mail servers or third-party products. In the event of an IBM Lotus Domino issue, you should consult your IBM Lotus Domino administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional Services for consulting services and options. Links to IBM Lotus Domino Web sites are provided for your convenience. The links and their content may change without notice.
5. At the top of the window, click Edit Server Configuration. Select the following:
   • Router/SMTP tab in the first row
   • Restrictions and Controls tab in the second row
   • SMTP Inbound Controls tab in the third row.
6. Under “Allow messages only from the following internet hosts to be sent to external internet domains” enter the IP range for Outbound Services. For a list of IP ranges, see “IP Ranges” on page 13.
7. Under “Exclude these Connecting Hosts From Anti-Relay Checks” enter the same IP range.
7. In the Value text box, enter the appropriate IP address. Because DNS lookups occur before domain names are resolved, you must use an IP address for Private Outbound DNS. Private outbound DNS cannot use domain names. The appropriate IP address depends on your system. To find what system to use, see “Identify Your System” on page 13.

System    IP Address to use for Private Outbound DNS
5         64.18.4.12
6         64.18.5.12
7         64.18.6.12
8         64.18.7.12
9         74.125.148.12
10        74.125.244.12
20        64.18.9.14
200       207.

4. Select “Use the following DNS server addresses” and enter the appropriate IP address for your system. Because DNS lookups occur before domain names are resolved, you must use an IP address for Private Outbound DNS. Private outbound DNS cannot use domain names. The appropriate IP address depends on your system. To find what system to use, see “Identify Your System” on page 13.

System    IP Address to use for Private Outbound DNS
5         64.18.4.12
6         64.18.5.12
7         64.18.6.12
8         64.18.7.12
9         74.125.148.

4. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking from spammers and will most likely cause an interruption in service. Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings.
4. In the nslookup prompt, type gmail.com and hit return to get the gmail.com IP address.
5. In the nslookup prompt, type server [IP address] and hit return. For instance, if you are on system 8, type server 64.18.7.12 and hit return. If you are using a different system number, use the appropriate IP address for that system.
6. In the nslookup prompt, type gmail.com again. You should see a different IP address now. If you see an error message, your network settings are blocking your DNS connection.
7.
IBM Lotus Domino (Smarthost Method)
Chapter 11

About IBM Lotus Domino (Smarthost Method)

This chapter describes how to set up Outbound Services for an environment with IBM Lotus Domino directory servers using a smarthost. The recommended method for setting up Outbound Servers is Private Outbound DNS. For more information, see “IBM Lotus Domino (Private DNS Method)” on page 107. For other versions of IBM Lotus Domino (such as 5.5 and 7) these are the recommended steps.

Links to IBM Lotus Domino Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.

Set Up Reinjection

Before you can register your IP addresses in the Administration Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see “Set Up Reinjection” on page 14.

Configure Outbound Services IP ranges to be a trusted relay
1.

Set Up Smarthost

After you have set up reinjection and registered the IP of your outbound mail server in the Administration Console, set the relayhost parameter to route mail to the email security system. This will set Outbound Services as the smarthost. Domino stops processing queued messages when delivery of a message fails or the relay host is perceived to be down or unreachable. Setting the Retry Interval to a lower value allows the queue to start moving again more quickly.
4. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking from spammers and will most likely cause an interruption in service. Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings.
Novell Groupwise
Chapter 12

About Novell Groupwise

Novell GroupWise® is a cross-platform collaborative software product from Novell, Inc. that offers email, calendaring, instant messaging and document management. These instructions provide steps to route mail to Outbound Services and are designed to work with a majority of Novell Groupwise deployments. You can also set up Private Outbound DNS to route mail to Outbound Services.

Set Up Reinjection

Before you can register your IP addresses in the Administration Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see “Set Up Reinjection” on page 14.

Configure Outbound Services IP ranges to be a trusted relay
1. Open the Groupwise ConsoleOne interface.
2. Right-click the Internet Agent object and click Properties.
3. Click the Access Control tab.
4. Click SMTP Relay Settings.
5.
5. Click Apply, then click OK.

Set Up Smarthost
1. Open the Groupwise ConsoleOne interface.
2. Right-click the Internet Agent object and click Properties.
3. If the SMTP/MIME Settings page is not the default page, click the “SMTP/MIME” tab and click Settings.
4. Set the number of SMTP Send Threads to the maximum number of simultaneous connections the Groupwise server will safely support.
5. Enter the appropriate smarthost in the field entitled “Relay Host for Outbound Messages”.

Troubleshooting

Messages forwarded automatically by a Novell Groupwise rule to an external mail account are not filtered as expected by Outbound Services applications. This problem occurs because Groupwise changes the SMTP envelope when forwarding a message by a rule. The MAIL FROM address in the envelope is null (MAIL FROM:<>). Because Outbound Services uses the envelope address to decide which organization's settings to use, the default is to use the settings specified in the email config organization.
3. For the new organization, on the Organization Management page, turn off Outbound Attachment Manager and Outbound Content Manager. 4. Move the Mailer-Daemon account to the new organization.
Sendmail
Chapter 13

About Sendmail

Sendmail is a mail transfer agent (MTA) used for delivering mail across networks. It is a well known project of the open source, free software and UNIX communities. Sendmail is distributed both as free software and proprietary software, and is a standard MTA under many variants of the UNIX operating system. These instructions were written for version 8.13 of Sendmail. Other versions may have different settings.

Set Up Reinjection

Before you can register your IP addresses in the Administration Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see “Set Up Reinjection” on page 14. To set up reinjection, add Outbound Services as a trusted relay in your sendmail.mc file. Instead of adding RELAY_DOMAIN commands to your sendmail.mc file, you can set up a relay domain file. Use this method if you need to list relay domains in a separate file.

Increase Server Timeouts

Changing server timeouts should not be necessary. In Sendmail, server timeout is set in the value Timeout.datafinal. By default it is set to 1 hour. If Timeout.datafinal has been changed to a lower value, raise the value to 1 hour.

Set Up Smarthost

Set the smarthost in your sendmail.mc file. Do not change this value until you have set up the appropriate RELAY_DOMAIN setting and registered your IP in the Administration Console.
4. Confirm that your mail server is not an open relay. An open relay will make your mail server vulnerable to hijacking from spammers and will most likely cause an interruption in service. Use an external open relay test, such as http://www.mxtoolbox.com/diagnostic.aspx or http://www.spamhelp.org/shopenrelay/. If the result shows that you have an open relay, correct your private relay settings.
Apple Macintosh OS X
Chapter 14

About Apple Macintosh OS X

Apple® Mac OS® X Server is the server edition of Macintosh OS X, a graphical operating system from Apple Inc. included with Macintosh computers. Mac OS X is built on a UNIX-like operating system. Mac OS X Server includes a Postfix mail server with a custom user interface. These instructions provide steps to route mail to Outbound Services and are designed to work with the mail transfer agent component of most Mac OS X Server deployments.

Links to Apple Mac OS X Server Web sites are provided for your convenience. The links and their content may change without notice. Please consult the product's Web site for the latest configuration and support information.

Set Up Reinjection

Before you can register your IP addresses in the Administration Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see “Set Up Reinjection” on page 14.
2. Under “Relay all mail through this host” enter: outbounds[your system number].obsmtp.com where [your system number] is your system number. To find what system to use, see “Identify Your System” on page 13.
3. Click Save to close the Server Admin.
4. Restart the mail service.

Test Outbound Mail

Check the mail queues of the mail server.
1. Check the mail queues of the mail server to look for items with a retry state which could indicate outbound mail delays.
2.
Qmail
Chapter 15

About Qmail

Qmail is a mail transfer agent that runs on UNIX. Qmail has not been updated by the author for several years and users have instead come to rely on third party patches to support new functionality. Qmail is an almost completely modular system in which each major function is separated from the other major functions. It is easy to replace any part of the Qmail system with a different module as long as the new module retains the same interface as the original.
Set Up Reinjection

Before you can register your IP addresses in the Administration Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see “Set Up Reinjection” on page 14.

Configure Outbound Services IP ranges to be a trusted relay using qmail + tcpserver
1. Edit /etc/tcp.smtp to allow each of Outbound Services IP ranges to relay:
   IP Range:allow,RELAYCLIENT=""
   :allow
   where IP Range is the appropriate IP Range.
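The rules file edited in this step decides who may relay, so it is worth checking before it is compiled. The following is an added example, not part of the original guide: a shell function that flags any rule granting RELAYCLIENT to an address prefix outside an approved list, including a catch-all rule, which would make the server an open relay. The function name, the sample file and the 192.0.2. prefix are constructed placeholders; use the ranges from “IP Ranges” on page 13.

```shell
#!/bin/sh
# Audit a tcpserver rules file (the /etc/tcp.smtp format).
# Prints every rule that sets RELAYCLIENT for an address prefix that is
# not on the approved list; returns 1 if any such rule exists.
#   $1 = path to the rules file
#   $2 = space-separated approved prefixes, written as they appear in the file
audit_tcp_smtp() {
    awk -v approved="$2" '
        BEGIN { n = split(approved, ok, " "); bad = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        {
            colon = index($0, ":")
            if (colon == 0) next                 # not a rule line
            addr  = substr($0, 1, colon - 1)     # empty addr = default rule
            instr = substr($0, colon + 1)
            # only "allow" rules that also set RELAYCLIENT grant relaying
            if (instr !~ /^allow/ || instr !~ /RELAYCLIENT=/) next
            found = 0
            for (i = 1; i <= n; i++) if (addr == ok[i]) found = 1
            if (!found) {
                printf "line %d: relay granted to \"%s\"\n", NR, addr
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample input (placeholder prefixes, not real service ranges).
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# local submissions
127.:allow,RELAYCLIENT=""
# Outbound Services range (placeholder)
192.0.2.:allow,RELAYCLIENT=""
# catch-all that also relays: this is an open relay
:allow,RELAYCLIENT=""
EOF
audit_tcp_smtp "$tmp" "127. 192.0.2." \
    || echo "fix the rules listed above before compiling them"
rm -f "$tmp"
```

A plain `:allow` default line passes the check because it accepts connections without setting RELAYCLIENT.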
Increase Server Timeouts

The default timeout is 1200 seconds, which is long enough. If this value has been previously changed, then edit the file /var/qmail/timeoutsmtpd and increase it to at least 900 seconds.

Set Up Smarthost
1. Edit (or create) the file /var/qmail/control/smtproutes and append the following line:
   outbounds[your system number].obsmtp.com
2. where [your system number] is your system number. To find what system to use, see “Identify Your System” on page 13.
3.
Postfix
Chapter 16

About Postfix

Postfix is an open-source mail transfer agent, used primarily on UNIX-based servers. It is the default mail server for several operating systems. Setting up Postfix for Outbound Services requires minimal changes. Add the IP ranges for the email security service as private relays. Then, register your mail server in the Administration Console. Last, direct outbound mail to route to Outbound Services. There is no need to increase the timeouts for Postfix servers.

Set Up Reinjection

Before you can register your IP addresses in the Administration Console or set up a smarthost, you must allow reinjection. For an overview of reinjection concepts, see “Set Up Reinjection” on page 14.

Note: Do not change mynetworks and relayhost at the same time; these steps must be completed in order.

Configure Outbound Services IP ranges to be a trusted relay
1. Add IP ranges for your system to the mynetworks parameter of your configuration file (example path /etc/postfix/main.cf).
2. Restart Postfix by running the following command:
   # sudo postfix reload

Test Outbound Mail

Check the mail queues of the mail server.
1. In the Internet Mail Service Properties select the Queues tab. Look for items with a retry state which could indicate outbound mail delays.
2. Send a message from a mail client inside your network to an outside address. You should see a line in the email header which indicates being received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.
3.
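The header check in step 2 can be scripted. This added example (not from the original guide) reads a saved message on standard input, unfolds its Received headers, and prints every exprodNobM.obsmtp.com host it finds, ignoring the message body. The function names and the sample message are constructed for illustration.

```shell
#!/bin/sh
# Print each exprodNobM.obsmtp.com host named in the Received: headers of
# a message read from stdin; return 1 if none is found.
obsmtp_hops() {
    awk '
        # Examine one complete (unfolded) header held in hdr.
        function emit(   s) {
            s = tolower(hdr)
            if (s ~ /^received:/) {
                while (match(s, /exprod[0-9]+ob[0-9]+\.obsmtp\.com/)) {
                    print substr(s, RSTART, RLENGTH)
                    found = 1
                    s = substr(s, RSTART + RLENGTH)
                }
            }
            hdr = ""
        }
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^$/ { exit }                           # blank line ends the headers
        /^[ \t]/ { hdr = hdr " " $0; next }     # folded continuation line
        { emit(); hdr = $0 }                    # a new header starts here
        END { emit(); exit !found }
    '
}

# Constructed sample message (hosts and addresses are placeholders).
sample_message() {
    cat <<'EOF'
Received: from mail.example.com ([198.51.100.7])
    by exprod8ob112.obsmtp.com
    ([192.0.2.10]) with SMTP; Tue, 20 Dec 2011 09:59:58 -0800
From: sender@example.com
Subject: outbound test

This body mentions exprod1ob1.obsmtp.com but is not a header.
EOF
}

sample_message | obsmtp_hops
```

A message that returns status 1 did not pass through Outbound Services, which points back to the smarthost or private DNS setting on the sending server.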