Configuration Guide
May 3, 2010
Google, the Google logo, Google Message Filtering, Google Message Security, Google Message Discovery, Postini, the
Postini logo, Postini Perimeter Manager, Postini Threat Identification Network (PTIN), Postini Industry Heuristics, and
PREEMPT are trademarks, registered trademarks, or service marks of Google, Inc. All other trademarks are the property of
their respective owners.
Use of any Google solution is governed by the license agreement included in your original contract. Any intellectual property
rights relating to the Google services are and shall remain the exclusive property of Google, Inc. and/or its subsidiaries
(“Google”). You may not attempt to decipher, decompile, or develop source code for any Google product or service offering,
or knowingly allow others to do so.
Google documentation may not be sold, resold, licensed or sublicensed and may not be transferred without the prior written
consent of Google. Your right to copy this manual is limited by copyright law. Making copies, adaptations, or compilation works,
without prior written authorization of Google, is prohibited by law and constitutes a punishable violation of the law. No part of
this manual may be reproduced in whole or in part without the express written consent of Google. Copyright © by Google, Inc.
Postini, Inc. provides this publication “as is” without warranty of any kind, either express or implied, including but not limited to the
implied warranties of merchantability or fitness for a particular purpose. Postini, Inc. may revise this publication from time to
time without notice. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions;
therefore, this statement may not apply to you.
Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000 by Cold Spring Harbor Laboratory. Funded under Grant P41-
RR02188 by the National Institutes of Health.
Portions relating to JPEG copyright 2000, Doug Becker and copyright (C) 1994-1998, Thomas G. Lane.
This software is based in part on the work of the Independent JPEG Group.
Portions relating to WBMP copyright 2000 Maurice Szmurlo and Johan Van den Brande.
Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application,
provided that this notice is present in user-accessible supporting documentation.
This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd,
not to interfere with your productive use of gd. If you have questions, ask. “Derived works” includes all programs that utilize the
library. Credit must be given in user-accessible documentation.
This software is provided “AS IS.” The copyright holders disclaim all warranties, either express or implied, including but not
limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying
Although their code does not appear in gd 1.8.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue
Software Corporation for their prior contributions.
Google assumes no responsibility in connection with the Compliance Policies lexicon-filtering feature, including any failure to
recognize credit card or social security numbers that do not follow an applicable pattern as established in Postini’s systems or
any failure to encrypt a credit card or social security number.
Contents
Chapter 4: Microsoft Exchange 2000/2003 Single Server (Smarthost method) 47
About Microsoft Exchange 2000/2003 Single-Server 47
Set Up Reinjection 48
Register Your IP in the Administration Console 49
Increase Server Timeouts 49
Set Up Smarthost 50
Test Outbound Mail 52
Troubleshooting 53
Test Outbound Mail 135
• General principles for setting up your mail server to route mail through
Outbound Services.
• Troubleshooting steps for the most common and popular mail servers.
This guide is intended for mail server administrators who are already familiar with
mail server configuration and security.
Related Documentation
For additional information about Outbound Services and the email security
service, refer to the following related documents. For details on how to send
comments, see “How to Send Comments About This Guide” on page 10.
Document Description
How to Send Comments About This Guide
Postini values your feedback. If you have comments about this guide, please send
an email message to:
postini-doc_comments@google.com
In your email message, please specify the section to which your comment applies.
If you want to receive a response to your comments, ensure that you include your
name and contact information.
When Outbound Services are enabled and configured, mail from users is routed
to the email security service for filtering before it reaches external contacts. You
can use outbound mail processing to protect your customers and partners from
virus-infected messages, enforce your corporate email policies and compliance
standards, and collect information about your outgoing mail traffic.
Before you set up Outbound Services, you will need a server that can meet the
prerequisites for outbound service. For information about prerequisites, see
“Prerequisites” on page 13.
• Set Up Reinjection
This chapter also includes information on how to find your system number, and
the details of IP addresses to use. This is general information that applies to all
mail servers. For information on your specific mail server software, see the
appropriate chapter in this book.
• This chapter.
This guide also contains the following alternate instructions for using a smarthost
with Microsoft Exchange:
Before you configure Outbound Services, you need a server that can:
• Route outbound mail using a smarthost (a server that accepts outbound mail
and passes it on to the recipient) or an external DNS (a server that provides
routing information, for supported servers).
Instructions are included in this guide for most common mail servers. If you are
using another server not listed in this guide, consult your server documentation to
find out how to allow a private relay and set up a smarthost (or external DNS
server).
Also, for information about Outbound Services, see the Outbound chapter of the
Message Security Administration Guide.
To determine the system for your account: your system number is shown in the URL
when you log in to the Administration Console or Message Center. The system
number is prefaced by ac-s or mc-s. For example:
https://ac-s8.postini.com/exec/adminstart?
URL displayed for an account on System 200 when logged in to the Message
Center:
https://mc-s200.postini.com/app/msgctr/junk_quarantine
IP Ranges
You will need to enter an IP range to allow a private relay. The proper IP range
depends on your system number in the email security service. To find your system
number, see “Identify Your System” on page 13.
The following are the IP ranges for the email security service systems.
Set Up Reinjection
Reinjection is the process of queueing a message back to the customer’s server
when it cannot be delivered due to conflicting SMTP errors after DATA. The
reinjection host is often the same server as the outbound server, but this is not
required.
You may have already set up your mail server and firewall to accept messages
from the email security service, but reinjection requires further access. Your
reinjection server must accept mail from the email security service and send it out
again. This is called a private relay.
Configure your mail server and firewall to accept email only from the email
security service. Your reinjection host needs to accept all email from the email
security service’s outbound servers. From your server’s perspective, the email
security service’s delivery servers should be considered a trusted server. Allow
relaying only from the email security service’s IP range and other trusted relay
servers.
If you have multiple mail servers, specify which server (or servers) will act as the
reinjection host, and be sure that server can route mail back to the email security
service.
Be careful when you set up a private relay. If you allow all IP addresses to pass
mail through your server, your mail server will become an open relay. This leaves
your mail server vulnerable to hijacking from malicious senders. Setting up a
private relay is safer than an open relay, since malicious outsiders cannot use a
private relay in the same way.
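The following is an added example, not part of the original guide: a Python audit of a relay allow-list that separates private-relay entries from entries that would turn the server into an open relay. The trusted ranges and the sample allow-list are constructed placeholders, and the function names are hypothetical; substitute the IP range for your system.

```python
import ipaddress

# Constructed placeholders, not values from the guide: take the real range for
# your system from the guide's "IP Ranges" list. 192.0.2.0/24 is an RFC 5737
# documentation network; 10.20.0.5 stands in for another trusted relay server.
TRUSTED_RANGES = ["192.0.2.0/24", "10.20.0.5/32"]

# Constructed relay allow-list, as it might be read off a mail server.
SAMPLE_RELAY_LIST = [
    "192.0.2.0/255.255.255.0",   # subnet + mask notation
    "192.0.2.16-192.0.2.31",     # starting and ending IP
    "10.20.0.5",                 # single trusted relay
    "192.0.0.0/16",              # far wider than the service range
    "198.51.100.7",              # host nobody listed as trusted
    "0.0.0.0/0",                 # every address
    "0.0.0.0-255.255.255.255",   # every address, written as a range
]


def parse_entry(entry):
    """Return the networks covered by one allow-list entry.

    Accepts a single address, CIDR or address/netmask notation, or a
    "first-last" range. Raises ValueError or TypeError on anything else.
    """
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip())
                       for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry, strict=False)]


def audit_relay_list(entries, trusted_ranges):
    """Classify each entry as "ok", "review" or "open-relay".

    Returns a list of (entry, verdict, reason) tuples in input order.
    """
    trusted = [ipaddress.ip_network(r, strict=False) for r in trusted_ranges]
    findings = []
    for entry in entries:
        try:
            nets = parse_entry(entry)
        except (ValueError, TypeError) as exc:
            # Hostnames and malformed ranges cannot be checked by address.
            findings.append((entry, "review", "not an IP range: %s" % exc))
            continue
        if any(n.prefixlen == 0 for n in nets):
            findings.append((entry, "open-relay",
                             "allows every address to relay"))
        elif all(any(n.version == t.version and n.subnet_of(t)
                     for t in trusted) for n in nets):
            findings.append((entry, "ok", "inside a trusted range"))
        elif any(n.version == t.version and n.overlaps(t)
                 for n in nets for t in trusted):
            findings.append((entry, "review",
                             "wider than the trusted range it overlaps"))
        else:
            findings.append((entry, "review", "outside every trusted range"))
    return findings


if __name__ == "__main__":
    for entry, verdict, reason in audit_relay_list(SAMPLE_RELAY_LIST,
                                                   TRUSTED_RANGES):
        print("%-26s %-10s %s" % (entry, verdict, reason))
```
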
Setting up reinjection is different for every mail server type. For step-by-step
instructions for setting up reinjection, see the appropriate chapter in this guide for
your mail server.
WARNING: You will not be able to register your IP address before setting up
reinjection. If you attempt to do so, you will see an error in the Administration
Console and your IP will not be registered.
Register Your IP
1. Log in to the Administration Console. Select your email config and go to the
Outbound Servers tab.
Accepted IP Ranges
Enter a starting and ending IP for your outbound mail server. Use
external IP addresses.
Each range you enter must be unique. You cannot add the same
IP range to multiple email configs.
You can also enter a hostname for the reinjection server instead
of an IP address. However, you should not do so if the reinjection
server has an MX record that routes mail back to the email
security service. Use the IP range instead.
When you click Save, the Administration Console will test your reinjection
host to confirm the private relay is set up properly. If your mail server has not
been set up to allow Outbound Services to act as a private relay, see “Set Up
Reinjection” on page 14 for information about how to set up a private relay.
4. If you have more than one outbound server IP range, add additional records.
Go back to step 2 and register each IP range separately using the same
instructions.
After you have successfully added your IP address, you can set up a smarthost
(or external DNS) safely.
Timeout settings vary by mail server type. For some servers, it is not necessary to
change timeout. For step-by-step instructions for configuring timeouts, see the
appropriate chapter in this guide for your mail server.
Private Outbound DNS works with all common mail servers. The documentation
provides instructions verified for Lotus Domino 6 and 8.5. For other versions of
Lotus Domino, please refer to the product documentation on DNS configuration.
Private Outbound DNS Service is designed to ease setup and prevent queueing
delays, and is recommended for any administrator using a supported mail server.
Supported Servers
Private Outbound DNS Service works with all common mail servers. Configuration
steps are provided for Microsoft Exchange 2003 and 2007/2010, and IBM Lotus
Domino. Other mail servers will be documented in the future. For other mail
servers, please refer to your mail server product documentation on DNS
configuration.
Once you set up Private Outbound DNS, all outgoing mail will be routed through
the message security service. Because your mail server is routing directly to the
internet and not using a smarthost, mail will not be queued. The message security
service then filters outbound mail and routes it to the Internet.
This diagram shows how Private Outbound DNS works for outbound mail.
The appropriate IP address depends on your system. To find what system to use,
see “Identify Your System” on page 13.
System  IP address
5       64.18.4.12
6       64.18.5.12
7       64.18.6.12
8       64.18.7.12
9       74.125.148.12
20      64.18.9.14
200     207.126.147.11
201     207.126.154.11
Once you’ve set up a reinjection host and added the IP range to the
Administration Console, redirect your mail to the email security service by setting
up a smarthost. Smarthost is a common term for a server that accepts outbound
mail and passes it on to the recipient.
Before you make changes, note your original settings, so that you can restore
your settings if any problems occur during setup.
where [your system number] is your system number. For instance, if you are
using System 6, your smarthost address is
outbounds6.obsmtp.com
To find your system number, see “Identify Your System” on page 13.
Testing outbound mail is different for every mail server type. For information on
testing outbound mail, see the documentation for your mail server.
For Microsoft Exchange 5.5, see “Microsoft Exchange 5.5” on page 99.
If you are using Microsoft Exchange 2007 and do not want to use Private
Outbound DNS, different instructions apply depending on whether your network
includes an Edge Server. If you are using an Edge Server, see “Microsoft
Exchange 2007 with an Edge Server (Smarthost method)” on page 83. Otherwise,
see “Microsoft Exchange 2007 without an Edge Server (Smarthost method)” on
page 65.
If you are using Small Business Server 2000, you can use the instructions in
“Microsoft Exchange 2000/2003 Single Server (Smarthost method)” on page 47.
Small Business Server 2003 requires more specific configuration; see “Microsoft
Small Business Server 2003” on page 103.
where [your domain] is the domain you use for outgoing mail. Note the trailing
period in your domain.
where [your domain] is the domain you use for outgoing mail, and [your IP
allocations] are the IP addresses of your own mail servers, in CIDR format. For a
list of IP addresses, see IP Ranges in the Administration Guide.
If you need help with more complex SPF records, consult the SPF wizard on the
Open SPF website to find out how to add your servers to the SPF entries
described above:
http://www.openspf.org/wizard.html
To do this, set your firewall to NAT outbound (i.e. non-local) TCP port 25 traffic to
be from your defined external gateway IP address, and to the Postini Outbound
load-balancer that is appropriate for your Postini system.
Also, use NAT to configure reinjection of mail back to your mail server. You can
do this by relabelling TCP port 25 packets from the Postini IP range so they
appear to come from inside your LAN. This is called port forwarding and is a
common configuration option for many IP firewalls.
Smarthost solutions for Microsoft Exchange can cause mail queueing delays.
Private Outbound DNS Service is designed to ease setup and prevent queueing
delays. These steps show how to set Microsoft Exchange 2003 to use Private
Outbound DNS to route mail to the email security service.
These instructions provide steps to route mail to Outbound Services and are
designed to work with a majority of Microsoft Exchange 2003 deployments.
Legal Disclaimer
This guide describes how Postini products work with Microsoft Exchange and the
configurations that Postini recommends. These instructions are designed to work
with the most common Microsoft Exchange scenarios. Any changes to Microsoft
Exchange configuration should be made at the discretion of your Microsoft
Exchange administrator.
Links to Microsoft Exchange Web sites are provided for your convenience. The
links and their content may change without notice. Please consult the product's
Web site for the latest configuration and support information.
Set Up Reinjection
Before you can register your IP addresses in the Administrative Console or set up
a Private DNS Service, you must allow reinjection. For an overview of reinjection
concepts, see “Set Up Reinjection” on page 14.
1. Select the Start Menu -> Programs -> Microsoft Exchange -> System
Manager
2. Expand the top level -> Servers -> <Your Mail Server>-> Protocols -> SMTP
5. Click Relay.
6. Add IP ranges and other trusted relay servers and click OK to get back to the
Access tab. For a list of IP ranges, see “IP Ranges” on page 13.
8. If the Connection list is set to “Only the list below”, then add the same IP
ranges.
9. Click OK to get back to the Access tab and click OK to close the Default SMTP
Virtual Server Properties.
10. If the reinjection servers are not outbound servers, then configure all servers
along the mail flow between reinjection and the outbound server to allow the
injection server to relay mail traffic through them.
1. Select the Start Menu -> Programs -> Microsoft Exchange -> System
Manager.
7. Click Configure.
8. Click Add and enter the appropriate IP address for your system. Click OK.
System  IP address
5       64.18.4.12
6       64.18.5.12
7       64.18.6.12
8       64.18.7.12
9       74.125.148.12
20      64.18.9.14
200     207.126.147.11
201     207.126.154.11
9. Click OK again. You should see your IP address listed as an External DNS.
1. Go to the Queues tab in Internet Mail Service Properties. Items with a retry
state could indicate outbound mail delays.
2. Send a message from a mail client inside your network to an outside address.
The message header should include a line showing that the message was received
and delivered by exprodNobM.obsmtp.com, where N and M are numbers.
5. Confirm that your mail server is not an open relay. An open relay will make
your mail server vulnerable to hijacking from spammers and will most likely
cause an interruption in service.
See “Set Up Reinjection” on page 24 for the correct private relay settings.
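The header check in step 2 can be automated. The following is an added example, not part of the original guide: it parses the Received headers of a saved test message and reports hops whose hostname matches exprodNobM.obsmtp.com exactly, so a lookalike name with extra labels appended is not counted. Both sample messages, their hosts and addresses are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Hostname form the guide gives for the service's outbound hops:
# exprodNobM.obsmtp.com, where N and M are numbers. Used with fullmatch so
# that names such as exprod6ob102.obsmtp.com.example.org do not qualify.
OUTBOUND_HOP = re.compile(r"exprod\d+ob\d+\.obsmtp\.com", re.IGNORECASE)

# Constructed sample: test message that was routed through the service.
SAMPLE_ROUTED = """\
Received: from exprod6ob102.obsmtp.com (exprod6ob102.obsmtp.com [192.0.2.25])
        by mx.example.net with ESMTP id abc123;
        Mon, 3 May 2010 10:15:02 -0700
Received: from mail.example.com ([203.0.113.10])
        by exprod6ob102.obsmtp.com ([192.0.2.25]) with SMTP;
        Mon, 3 May 2010 10:15:01 -0700
Received: from client1.example.com ([10.0.0.23])
        by mail.example.com with ESMTP; Mon, 3 May 2010 10:15:00 -0700
From: sender@example.com
To: recipient@example.net
Subject: outbound test

test body
"""

# Constructed sample: message delivered through a lookalike host instead.
SAMPLE_DIRECT = """\
Received: from mail.example.com ([203.0.113.10])
        by exprod6ob102.obsmtp.com.example.org with ESMTP;
        Mon, 3 May 2010 10:20:01 -0700
Received: from client1.example.com ([10.0.0.23])
        by mail.example.com with ESMTP; Mon, 3 May 2010 10:20:00 -0700
From: sender@example.com
To: recipient@example.net
Subject: outbound test

test body
"""


def service_hops(raw_message):
    """Return (role, hostname) pairs for Received headers naming the service.

    role is "from" when the service handed the message on, and "by" when the
    service accepted it. Pairs are listed in header order (newest hop first).
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        sender = re.match(r"from\s+(\S+)", text, re.IGNORECASE)
        receiver = re.search(r"\bby\s+(\S+)", text, re.IGNORECASE)
        for role, match in (("from", sender), ("by", receiver)):
            if not match:
                continue
            host = match.group(1).rstrip(";").lower()
            if OUTBOUND_HOP.fullmatch(host):
                hops.append((role, host))
    return hops


def routed_through_service(raw_message):
    """True if at least one hop shows the service accepting the message."""
    return any(role == "by" for role, _ in service_hops(raw_message))


if __name__ == "__main__":
    for name, raw in (("routed", SAMPLE_ROUTED), ("direct", SAMPLE_DIRECT)):
        print(name, routed_through_service(raw), service_hops(raw))
```
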
Troubleshooting
Because Microsoft Exchange is a third party product, this document cannot
include complete troubleshooting steps. For further troubleshooting information,
see the Microsoft site for External DNS instructions:
http://technet.microsoft.com/en-us/library/bb124221(EXCHG.65).aspx
http://support.microsoft.com/kb/284204
You can also find more information in the Microsoft Exchange Server 2003
Transport and Routing Guide:
http://www.microsoft.com/downloads/details.aspx?familyid=C092B7A7-9034-4401-949C-B29D47131622&displaylang=en
Your sending mail server needs to be able to reach the message security service
using DNS on UDP port 53.
If you are not sure your network settings allow your mail server to connect to an
external DNS host on UDP port 53, run the following test on your mail server:
4. In the nslookup prompt, type gmail.com and hit return to get the gmail.com IP
address.
5. In the nslookup prompt, type server [IP address] and hit return. For
instance, if you are on system 8, type server 64.18.7.12 and hit return. If
you are using a different system number, use the appropriate IP address for
that system.
7. In the nslookup prompt, type server [old default server] to restore your
default server. Substitute your previous default server name for [old default
server].
Smarthost solutions for Microsoft Exchange can cause mail queueing delays.
Private Outbound DNS Service is designed to ease setup and prevent queueing
delays. These steps show how to set Microsoft Exchange 2007 to use Private
Outbound DNS to route mail to the email security service.
These instructions provide steps to route mail to Outbound Services and are
designed to work with a majority of Microsoft Exchange 2007 deployments.
Microsoft Exchange 2007 includes a concept that has not existed in previous
versions of Microsoft Exchange: different servers are assigned distinct, concrete
roles. Two important roles are the Hub server and the Edge server. The Hub
server is the center of message routing. The Edge server provides a connection
with the outside internet. Not all networks use an Edge server.
Microsoft Exchange 2010 uses the same steps for setting up Private DNS. If you
are using Microsoft Exchange 2010, follow these steps to set up outbound with
Private DNS.
Note: Postini Customer Care does not provide technical support for configuring
mail servers or third-party products. In the event of a Microsoft Exchange issue,
you should consult your Microsoft Exchange administrator. POSTINI ACCEPTS
NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact
Postini Professional Services for consulting services and options.
Set Up Reinjection
Before you can register your IP addresses in the Administrative Console or set up
a smarthost, you must allow reinjection. For an overview of reinjection concepts,
see “Set Up Reinjection” on page 14.
For most configurations of Exchange 2007 and 2010, a sender must provide
authentication to relay mail from outside sources. However, SMTP authentication
is not possible for reinjection. Instead, create a private relay to allow reinjection.
There are two ways to set up a private relay for Exchange 2007 and 2010:
allowing anonymous access, or using an externally secured connector.
Allow Anonymous Access is the better choice in most cases. If you are using
ResolveP2, or if reinjected messages are caught by anti-spam filters, use an
Externally Secured Connector instead.
4. In the Properties Pane right click in the Receive Connectors tab and choose
New Receive Connector. The following screen will appear:
6. You will see the Local Network Settings page. If you haven’t made any
customization to the IP settings of the Hub Server, keep the defaults.
Otherwise, use the settings appropriate for your customization.
8. You will see the Edit Remote Servers box. Enter the appropriate IP range. For
a list of IP ranges, see “IP Ranges” on page 13.
The first step in this process is to add the Anonymous Permissions Group to the
connector.
3. Choose OK.
4. Open the Exchange Management Shell from Start -> Programs -> Microsoft
Exchange Server 2007 (or 2010) -> Exchange Management Shell.
1. Open the newly created connector and click the Permissions Groups tab.
System  IP address
5       64.18.4.12
6       64.18.5.12
7       64.18.6.12
8       64.18.7.12
9       74.125.148.12
20      64.18.9.14
200     207.126.147.11
201     207.126.154.11
9. Select the Send Connector you use to route mail to the Internet.
13. Check “Use the External DNS Lookup settings on the transport server.”
1. Go to the Queues tab in Internet Mail Service Properties. Items with a retry
state could indicate outbound mail delays.
4. In the Administration Console, select your email config organization and click
the Outbound Servers tab. After a minute of successful mail flow, traffic
should display on the graph.
5. Confirm that your mail server is not an open relay. An open relay will make
your mail server vulnerable to hijacking from spammers and will most likely
cause an interruption in service.
See “Set Up Reinjection” on page 32 for the correct private relay settings.
Troubleshooting
Because Microsoft Exchange is a third party product, this document cannot
include complete troubleshooting steps. For further troubleshooting information,
see the Microsoft article “Configuring DNS Settings for Exchange 2007 Servers”
on the Microsoft website:
http://technet.microsoft.com/en-us/library/bb124896(EXCHG.80).aspx
Your sending mail server needs to be able to reach the message security service
using DNS on UDP port 53.
If you are not sure your network settings allow your mail server to connect to an
external DNS host on UDP port 53, run the following test on your mail server:
4. In the nslookup prompt, type gmail.com and hit return to get the gmail.com IP
address.
5. In the nslookup prompt, type server [IP address] and hit return. For
instance, if you are on system 8, type server 64.18.7.12 and hit return. If
you are using a different system number, use the appropriate IP address for
that system.
7. In the nslookup prompt, type server [old default server] to restore your
default server. Substitute your previous default server name for [old default
server].
Your mail is still being routed through a smarthost. Try the following steps:
1. Select the Start Menu -> Programs -> Microsoft Exchange -> System
Manager
2. Expand the top level -> Servers -> Your Mail Server -> Protocols -> SMTP
5. Click Relay.
7. Add IP ranges and other trusted relay servers and click OK to get back to the
Access tab. For a list of IP ranges, see “IP Ranges” on page 13.
9. If the Connection list is set to “Only the list below”, then add the same IP
ranges.
11. If the reinjection servers are not outbound servers, then all servers along the
mailflow between the reinjection server and the outbound server must be
configured to allow the injection server to relay mail traffic through them.
1. Select the Start Menu -> Programs -> Microsoft Exchange -> System
Manager.
Set Up Smarthost
There are two ways to set up a smarthost in a Microsoft Exchange 2000/2003
environment. Setting up an SMTP connector alone can cause delays, since any
failed outbound message will cause an interruption of mail flow.
To prevent interruption of mail flow, you can route outbound mail with a Virtual
Server, or you can configure a connector and reduce the retry interval.
• Configure a Virtual Server, and point SMTP connectors to that server. This
requires additional setup effort, but minimizes delays. This is the
recommended method. Use this method if you do not have any connectors.
• Configure a Connector, and reduce the retry interval on your server. When
an outbound message fails, the connector will continue to retry every minute.
However, this method can cause delays.
Microsoft Exchange connectors will override the virtual server for an organization.
If you are also using connectors, take an extra step to be sure that traffic is routed
appropriately.
1. Right-click “Default SMTP Virtual Server” and select Properties. Click the
Delivery tab.
2. Click the Advanced button in the lower right-hand corner of the dialog.
where [your system number] is your system number. To find what system to
use, see “Identify Your System” on page 13.
4. Click OK to close the Advanced dialog and OK to save the changes and close
SMTP Virtual Server Properties.
If you are using this method, and you have SMTP Connectors, check all
Connectors associated with the Virtual Server. Limit the Address Space to only
local domains, whose traffic should not be routed to Outbound Services.
3. Remove the asterisk (*) entry and replace it with your own domain and any
other domains that should be routed locally
For each SMTP virtual server connector in the environment which is designated
as a bridgehead:
1. Click Connectors and then right-click the SMTP Connector (or the Internet
Mail SMTP Connector) and select Properties.
2. On the General tab, type in the appropriate hostname listed below in the field
labeled “Smart host”.
where [your system number] is your system number. To find what system to
use, see “Identify Your System” on page 13.
3. Click OK to save the changes and close the SMTP Connector properties.
1. Go to the Queues tab in Internet Mail Service Properties. Items with a retry
state could indicate outbound mail delays.
2. Send a message from a mail client inside your network to an outside address.
The message header should include a line showing that the message was received
and delivered by exprodNobM.obsmtp.com, where N and M are numbers.
4. In the Administration Console, select your email config organization and click
the Outbound Servers tab. After a minute of successful mail flow, traffic
should display on the graph.
5. Confirm that your mail server is not an open relay. An open relay will make
your mail server vulnerable to hijacking from spammers and will most likely
cause an interruption in service.
See “Set Up Reinjection” on page 48 for the correct private relay settings.
http://support.microsoft.com/kb/284204
1. Select the Start Menu -> Programs -> Microsoft Exchange -> System
Manager.
5. If the SMTP address space is “*” or otherwise includes outgoing mail traffic,
then click the “Modify” button and limit the connector to just traffic which
should not be sent to Outbound Services.
Why does Microsoft Exchange 2000/2003 defer all outbound mail when
configured to use TLS?
This can happen when Outbound Services is not configured to accept outbound
mail connections using TLS. You can resolve this by configuring Outbound
Services to accept outbound mail connections using TLS.
If the Exchange server is attempting to use TLS but the TLS option for outbound
mail is turned off in the Administration Console, Exchange will defer all mail until it
can successfully send the mail using TLS.
For instructions on configuring Outbound Services to use TLS for outbound mail,
see the following page in the Message Security Administration Guide:
http://www.postini.com/webdocs/admin_ee_cu/ob_tls_config.html
This chapter describes how to set up Outbound Services for a multi-server
Microsoft® Exchange Server 2000/2003 environment using a
smarthost.
• The routing group bridgeheads must relay all outbound mail to the gateway
server.
• The gateway server must forward all mail to the email security service as a
smarthost.
The gateway server can be any platform: another MS Exchange server, an MS IIS
server, or any other standard MTA software such as Sendmail, Postfix, etc.
To prevent interruption of mail flow, you can either reduce the retry interval or use
a new Virtual Server.
Set Up Reinjection
Before you can register your IP addresses in the Administrative Console or set up
a smarthost, you must allow reinjection. For an overview of reinjection concepts,
see “Set Up Reinjection” on page 14.
1. Select the Start Menu -> Programs -> Microsoft Exchange -> System
Manager
2. Expand the top level -> Servers -> <Your Mail Server>-> Protocols -> SMTP
5. Click Relay.
6. Add IP ranges and other trusted relay servers and click OK to get back to the
Access tab. For a list of IP ranges, see “IP Ranges” on page 13.
9. Click OK to get back to the Access tab and click OK to close the Default SMTP
Virtual Server Properties.
10. If the reinjection servers are not outbound servers, then configure all servers
along the mail flow between reinjection and the outbound server to allow the
injection server to relay mail traffic through them.
1. Select the Start Menu -> Programs -> Microsoft Exchange -> System
Manager.
2. Expand the top level -> Servers -> <Your Mail Server> -> Protocols -> SMTP
Right-click the Virtual Server used for outbound routing.
Set Up Smarthost
There are multiple ways to set up a smarthost in a Microsoft Exchange 2000/2003
multi-server environment. For a comparison of the two, see “Choose Smarthost
Method” on page 56.
The steps below describe how to add the email security service as the smarthost
for external outbound mail without interrupting internal mail flow.
In most cases, you will need to add a new SMTP virtual server, even if one is
already in use. Bind this new virtual server to a different IP address or port
number to avoid interfering with the existing one.
1. Click Start -> Programs -> Microsoft Exchange -> System Manager
2. Expand the top level -> Servers -> <Your Mail Server> -> Protocols -> SMTP
Note: You will see an error message that the Virtual Server is configured to
use the same IP address and port as the existing server. Dismiss the error
message.
All internal servers that need to communicate with this existing server will also
need to be reconfigured to use this alternate port number.
5. Configure the new virtual server to allow other internal mail servers to relay
traffic through it.
Configure the smarthost for the SMTP virtual server to route traffic to the email
security service
2. Type in the appropriate smarthost hostname listed below in the field labeled
“Smart host”.
where [your system number] is your system number. To find what system to
use, see “Identify Your System” on page 13.
3. Click OK to close the Advanced dialog and OK to save the changes and close
the SMTP Virtual Server Properties.
If necessary, configure the firewall or router to allow outbound traffic on port 26 (or
whichever port was used) to ensure that traffic between the internal servers will
not be blocked. (If an alternate IP address was used, this step is skipped.)
On other machines which need to send outbound mail by way of this new virtual
server, make the following configurations:
3. Change the TCP port to 26 (or whatever port was chosen for the Inbound/
Outbound server settings above) and click OK.
5. Type in the appropriate smarthost hostname listed below in the field labeled
“Smart host”.
where [your system number] is your system number. To find what system to
use, see “Identify Your System” on page 13.
This will not completely eliminate delays, but will reduce the duration of delays.
1. Click Connectors and then right-click the SMTP Connector (or the Internet
Mail SMTP Connector) and select Properties.
2. On the General tab, type in the appropriate hostname in the field labeled
“Forward all mail through this connector to the following smart hosts”.
where [your system number] is your system number. To find what system to
use, see “Identify Your System” on page 13.
1. Go to the Queues tab in Internet Mail Service Properties. Items with a retry
state could indicate outbound mail delays.
2. Send a message from a mail client inside your network to an outside address.
You should see a line in the email header indicating that the message was
received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.
4. In the Administration Console, select your email config organization and click
the Outbound Servers tab. After a minute of successful mail flow, traffic
should display on the graph.
5. Confirm that your mail server is not an open relay. An open relay will make
your mail server vulnerable to hijacking from spammers and will most likely
cause an interruption in service.
See “Set Up Reinjection” on page 57 for the correct private relay settings.
Troubleshooting
Because Microsoft Exchange is a third party product, this document cannot
include complete troubleshooting steps. For further troubleshooting information,
see the Microsoft website:
http://support.microsoft.com/kb/284204
1. Select the Start Menu -> Programs -> Microsoft Exchange -> System
Manager.
5. If the SMTP address space is “*” or otherwise includes outgoing mail traffic,
then click the “Modify” button and limit the connector to just traffic which
should not be sent to Outbound Services.
Most often, mail flow problems with Outbound Services are caused by an
outbound connector encountering a deferral error.
You can also find more information about how to use Queue Viewer to
troubleshoot mail flow issues in Exchange Server 2003 on the Microsoft support
site:
http://support.microsoft.com/kb/default.aspx?scid=kb;en-us;823489
Why does Microsoft Exchange 2000/2003 defer all outbound mail when
configured to use TLS?
This can happen when Outbound Services is not configured to accept outbound
mail connections using TLS. You can resolve this by configuring Outbound
Services to accept outbound mail connections using TLS.
If the Exchange server is attempting to use TLS but the TLS option for outbound
mail is turned off in the Administration Console, Exchange will defer all mail until it
can successfully send the mail using TLS.
For instructions on configuring Outbound Services to use TLS for outbound mail,
see the following page in the Message Security Administration Guide:
http://www.postini.com/webdocs/admin_ee_cu/ob_tls_config.html
Microsoft Exchange 2007 includes a concept that has not existed in previous
versions of Microsoft Exchange: different servers are assigned distinct, concrete
roles. An Edge Server is one such role. The Edge Server connects all other
Exchange Servers to the Internet, and provides filtering and security.
This chapter gives details of how to set up Outbound Services for Exchange 2007
if you do not have an Edge Server. In this case, set up Outbound Services on a
Hub Transport server. If you do have an Edge Server, see the instructions in
the chapter “Microsoft Exchange 2007 with an Edge Server (Smarthost method)”
on page 83.
There is no need to increase the timeouts for Microsoft Exchange 2007 mail
servers. The default timeout settings are appropriate.
For Microsoft Exchange 2010, use the Private Outbound DNS method. For more
information, see “Microsoft Exchange 2007/2010 (Private DNS Method)” on
page 31.
Legal Disclaimer
This guide describes how Postini products work with Microsoft Exchange and the
configurations that Postini recommends. These instructions are designed to work
with the most common Microsoft Exchange scenarios. Any changes to Microsoft
Exchange configuration should be made at the discretion of your Microsoft
Exchange administrator.
Links to Microsoft Exchange Web sites are provided for your convenience. The
links and their content may change without notice. Please consult the product's
Web site for the latest configuration and support information.
Set Up Reinjection
Before you can register your IP addresses in the Administrative Console or set up
a smarthost, you must allow reinjection. For an overview of reinjection concepts,
see “Set Up Reinjection” on page 14.
There are two ways to set up a private relay for Exchange 2007: allowing
anonymous access, or using an externally secured connector.
Allow Anonymous Access is the better choice in most cases. If you are using
ResolveP2, or if reinjected messages are caught by anti-spam filters, use an
Externally Secured Connector instead.
6. You will see the Local Network Settings page. If you haven’t made any
customization to the IP settings of the Hub Server, keep the defaults.
Otherwise, use the settings appropriate for your customization.
The first step in this process is to add the Anonymous Permissions Group to the
connector.
1. Double click your new connector and choose the Permission Groups tab.
3. Choose OK.
1. Open the newly created connector and click the Permission Groups tab.
Set Up Smarthost
After you have set up reinjection and registered the IP of your outbound mail
server in the Administration Console, create and configure a Send Connector on
your Hub Connector Server.
3. Right click in the actions pane and choose New Send Connector.
5. Under “Select the intended use for this Send Connector,” select Internet.
8. Under Network settings, select “Route mail through the following smart
hosts.”
where [your system number] is your system number. To find what system to
use, see “Identify Your System” on page 13.
12. Click Add and list each outbound hub server that will act as a bridgehead.
1. In the Internet Mail Service Properties select the Queues tab. Look for items
with a retry state which could indicate outbound mail delays.
2. Send a message from a mail client inside your network to an outside address.
You should see a line in the email header indicating that the message was
received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.
See “Set Up Reinjection” on page 66 for the correct private relay settings.
Troubleshooting
If you've installed Exchange 2007 into an existing environment with 2003, you
may already have a Send Connector (SMTP Connector). If so, modify and verify
your settings there. If the connector is on your 2003 server, you can only view the
settings from the Exchange 2007 Management Console. Make all changes
from the Exchange 2003 System Manager (look for “SMTP Connectors”).
For example, if you only have a connector on the 2003 machine, then all outbound
mail will go through the 2003 server. If you have one on the 2003 and one on the
2007 server, then mail will go through the closest connector. If you delete the one
on 2003 and have one on the 2007 server, then all outgoing mail will pass through
the 2007 server.
Anti-spam configuration
If you have previously installed the anti-spam agents onto your Hub Transport
servers, disable any rules you have created and make those configurations in the
email security service.
Microsoft Exchange 2007 includes a concept that has not existed in previous
versions of Microsoft Exchange: different servers are assigned distinct, concrete
roles. An Edge Server is one such role. The Edge Server connects all other
Exchange Servers to the Internet, and provides filtering and security.
This chapter gives details of how to set up Outbound Services for Exchange 2007
if you have an Edge Server. In this case, set up Outbound Services on your Edge
Server. If you do not have an Edge Server, see the instructions in the chapter
“Microsoft Exchange 2007 without an Edge Server (Smarthost method)” on
page 65.
There is no need to increase the timeouts for Microsoft Exchange 2007 mail
servers. The default timeout settings are appropriate.
For Microsoft Exchange 2010, use the Private Outbound DNS method. For more
information, see “Microsoft Exchange 2007/2010 (Private DNS Method)” on
page 31.
Set Up Reinjection
Before you can register your IP addresses in the Administrative Console or set up
a smarthost, you must allow reinjection. For an overview of reinjection concepts,
see “Set Up Reinjection” on page 14.
There are two ways to set up a private relay for Exchange 2007: allowing
anonymous access, or using an externally secured connector.
Allow Anonymous Access is the better choice in most cases. If you are using
ResolveP2, or if reinjected messages are caught by anti-spam filters, use an
Externally Secured Connector instead.
6. You will see the Local Network Settings page. If you haven’t made any
customization to the IP settings of the Hub Server, keep the defaults.
Otherwise, use the settings appropriate for your customization.
The first step in this process is to add the Anonymous Permissions Group to the
connector.
1. Double click your new connector and choose the Permission Groups tab.
3. Choose OK.
1. Open the newly created connector and click the Permission Groups tab.
Set Up Smarthost
To send email from an Edge Transport server, you must configure a send
connector. Edge Transport servers subscribed to an Exchange organization
are pre-configured with the necessary elements to send and receive mail from the
Internet. Configuring Postini outbound services will change the default setup of
these connectors.
Because send connectors are organization-wide configurations and part of the
synchronization process, editing them takes place on the hub transport server.
Send connectors are created and edited in the Exchange Management Console
by doing the following from any hub transport server:
4. On the Address Space tab verify that the “*” domain has been added.
6. In the same tab, check “Route mail through the following smart hosts.”
7. Choose the Add button and enter the name of the smart host. The appropriate
smarthost is
outbounds[your system number].obsmtp.com
where [your system number] is your system number. To find what system to
use, see “Identify Your System” on page 13.
11. Also be sure to check your receive connectors on the Edge server and verify
the following:
a. The Network tab has the IP range of all hub servers included
b. The Authentication tab has the Exchange Server Authentication option
checked
c. The Permission Groups tab has the Exchange Servers option checked
1. In the Internet Mail Service Properties select the Queues tab. Look for items
with a retry state which could indicate outbound mail delays.
2. Send a message from a mail client inside your network to an outside address.
You should see a line in the email header indicating that the message was
received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.
4. Confirm that your mail server is not an open relay. An open relay will make
your mail server vulnerable to hijacking from spammers and will most likely
cause an interruption in service.
See “Set Up Reinjection” on page 84 for the correct private relay settings.
If you've installed Exchange 2007 into an existing environment with 2003, you
may already have a Send Connector (SMTP Connector). If so, modify and verify
your settings there. If the connector is on your 2003 server, you can only view the
settings from the Exchange 2007 Management Console. Make all changes
from the Exchange 2003 System Manager (look for “SMTP Connectors”).
For example, if you only have a connector on the 2003 machine, then all outbound
mail will go through the 2003 server. If you have one on the 2003 and one on the
2007 server, then mail will go through the closest connector. If you delete the one
on 2003 and have one on the 2007 server, then all outgoing mail will pass through
the 2007 server.
You can also set up Private Outbound DNS to route mail to Outbound Services.
Private Outbound DNS is often simpler and more reliable than a smarthost
installation. Private Outbound DNS is described in “Option 1: Set Up Private
Outbound DNS” on page 16. For more information, see your mail server product
documentation for information on changing your DNS settings.
These instructions provide steps to route mail to Outbound Services and are
designed to work with a majority of Microsoft Exchange 5.5 deployments.
Note: Postini Customer Care does not provide technical support for configuring
mail servers or third-party products. In the event of a Microsoft Exchange issue,
you should consult your Microsoft Exchange administrator. POSTINI ACCEPTS
NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact
Postini Professional Services for consulting services and options.
1. Select the Start Menu -> Programs -> Microsoft Exchange -> Microsoft
Exchange Administrator
2. Select Your Mail Server -> Configuration -> Connections -> Internet Mail
Service.
3. Right-click and select Properties and then click the Routing tab.
6. Add IP ranges and other trusted relay servers and click OK to return to the
Routing tab. For a list of IP ranges, see “IP Ranges” on page 13.
8. If the reinjection servers are not outbound servers, then configure all servers
along the mailflow between reinjection and the outbound server to allow the
injection server to relay mail traffic through them.
Set Up Smarthost
In Microsoft Exchange 5.5, a smarthost is set up by changing the Properties for
your mail server.
1. Select the Start Menu -> Programs -> Microsoft Exchange -> Microsoft
Exchange Administrator
2. Select Your Mail Server -> Configuration -> Connections -> Internet Mail
Service
4. Enter the appropriate domain name in the field labeled “Forward all messages
to host”.
where [your system number] is your system number. To find what system to
use, see “Identify Your System” on page 13.
6. Click OK.
7. Stop and Restart the MS Exchange 5.5 service for the changes to take effect.
1. Go to the Queues tab in Internet Mail Service Properties. Items with a retry
state could indicate outbound mail delays.
2. Send a message from a mail client inside your network to an outside address.
You should see a line in the email header indicating that the message was
received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.
4. In the Administration Console, select your email config organization and click
the Outbound Servers tab. After a minute of successful mail flow, traffic
should display on the graph.
5. Confirm that your mail server is not an open relay. An open relay will make
your mail server vulnerable to hijacking from spammers and will most likely
cause an interruption in service.
See “Set Up Reinjection” on page 100 for the correct private relay settings.
You can also set up Private Outbound DNS to route mail to Outbound Services.
Private Outbound DNS is often simpler and more reliable than a smarthost
installation. Private Outbound DNS is described in “Option 1: Set Up Private
Outbound DNS” on page 16. For more information, see your mail server product
documentation for information on changing your DNS settings.
These instructions apply to Small Business Server 2003. If you are using Small
Business Server 2000, use the instructions for “Microsoft Exchange 2000/2003
Single Server (Smarthost method)” on page 47.
Legal Disclaimer
This guide describes how Postini products work with Microsoft Small Business
Server and the configurations that Postini recommends. These instructions are
designed to work with the most common Microsoft Small Business Server
scenarios. Any changes to Microsoft Small Business Server configuration should
be made at the discretion of your Microsoft Small Business Server administrator.
Note: Postini Customer Care does not provide technical support for configuring
mail servers or third-party products. In the event of a Microsoft Small Business
Server issue, you should consult your Microsoft Small Business Server
administrator. POSTINI ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY
PRODUCTS. You may also contact Postini Professional Services for consulting
services and options.
Links to Microsoft Small Business Server Web sites are provided for your
convenience. The links and their content may change without notice. Please
consult the product's Web site for the latest configuration and support information.
1. Select the Start Menu -> Programs -> Microsoft Exchange -> System
Manager
2. Expand the top level -> Servers -> Your Mail Server -> Protocols -> SMTP
5. Add IP ranges and other trusted relay servers and click OK to get back to the
Access tab. For a list of IP ranges, see “IP Ranges” on page 13.
6. Click the Connection button. If the Connection list is set to “Only the list
below”, add the same IP ranges.
7. Click OK to return to the Access tab and click OK to close the Default SMTP
Virtual Server Properties.
8. If the reinjection servers are not outbound servers, then all servers along the
mailflow between the reinjection server and the outbound server must be
configured to allow the injection server to relay mail traffic through them.
Set Up Smarthost
In Microsoft Small Business Server 2003, outbound mail routing is handled by the
IIS Virtual Server. Unlike a Microsoft Exchange connector, the IIS Virtual Server
will not begin queueing mail after a deferral.
The standard Microsoft installation of Small Business Server 2003 creates a
connector in order to set local policies. Modify the connector to ensure that
outbound mail is routed to the email security system while local mail is not
interrupted.
2. Select “Use DNS to route to each address space on this connector” and click
Apply.
3. In the Address Space tab, select the default address space of “x”, then click
Modify.
4. In the Address Space tab, change the address space to your domain name
and click OK.
where [your system number] is your system number. To find what system to
use, see “Identify Your System” on page 13.
8. Click OK twice.
9. Restart the server by right-clicking the SMTP Virtual Server, selecting Stop,
and then right-clicking the SMTP Virtual Server again and selecting Start.
1. Go to the Queues tab in Internet Mail Service Properties. Items with a retry
state could indicate outbound mail delays.
2. Send a message from a mail client inside your network to an outside address.
You should see a line in the email header indicating that the message was
received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.
4. In the Administration Console, select your email config organization and click
the Outbound Servers tab. After a minute of successful mail flow, traffic
should display on the graph.
See “Set Up Reinjection” on page 104 for the correct private relay settings.
These instructions provide steps to route mail to Outbound Services using the
Private Outbound DNS method and are designed to work with a majority of
deployments. These instructions were written for Lotus Domino with a Microsoft
Windows server.
Private Outbound DNS works with all common mail servers. The documentation
provides instructions verified for Lotus Domino 6 and 8.5. For other versions of
Lotus Domino, please refer to the product documentation on DNS configuration.
Configuration notes:
• Changing the timeout configuration for Lotus Domino is not required. You can
use the default timeout settings.
• If you are using Notes with a Linux server, change DNS settings on your
server manually. Exact steps to make this change vary by Linux
implementation; consult your Linux documentation for more information.
Legal Disclaimer
This guide describes how Postini products work with IBM Lotus Domino and the
configurations that Postini recommends. These instructions are designed to work
with the most common IBM Lotus Domino scenarios. Any changes to IBM Lotus
Domino configuration should be made at the discretion of your IBM Lotus Domino
administrator.
Links to IBM Lotus Domino Web sites are provided for your convenience. The
links and their content may change without notice. Please consult the product's
Web site for the latest configuration and support information.
Change DNS Settings in Domino. IBM Lotus Domino server will use the DNS
server listed in notes.ini to send mail. The Domino server will contact the Private
DNS Server and route mail to Outbound Services. Since this method affects only
IBM Lotus Domino, and requires no changes to the underlying operating system,
this is the recommended method to use Private Outbound DNS.
Change DNS settings in OS. This change is independent of the IBM Lotus
Domino server. The changes affect the whole machine, and the server cannot be
used for other Internet applications. All applications on the server will contact the
Private DNS Server and route connections to Outbound Services. Use this
method if your IBM Lotus Domino server setup can’t support DNSServer changes
in notes.ini.
Set Up Reinjection
Before you can register your IP addresses in the Administrative Console or set up
private DNS, you must allow reinjection. For an overview of reinjection concepts,
see “Set Up Reinjection” on page 14.
6. Under “Allow messages only from the following internet hosts to be sent to
external internet domains” enter the IP range for Outbound Services. For a list
of IP ranges, see “IP Ranges” on page 13.
7. Under “Exclude these Connecting Hosts From Anti-Relay Checks” enter the
same IP range.
9. Stop and restart the Domino SMTP task for the changes to take effect.
You can make these changes in the Domino Admin panel by changing your
configuration document.
Alternately, open the notes.ini file in Lotus/Domino/notes.ini and add the line
DNSSERVER=[ipaddress] where [ipaddress] is the appropriate IP address for
your system.
Because DNS lookups occur before domain names are resolved, you must
use an IP address for Private Outbound DNS. Private outbound DNS cannot
use domain names.
System number    IP address
5                64.18.4.12
6                64.18.5.12
7                64.18.6.12
8                64.18.7.12
9                74.125.148.12
20               64.18.9.14
200              207.126.147.11
201              207.126.154.11
11. In the Server Console, enter the command “tell router update config”.
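The DNSSERVER requirement above (an IP address, never a host name, and the address for your own system) can be checked before the router is reloaded. The following is an added example, not part of the original guide or of any Postini or IBM tool: the function names and the sample notes.ini are constructed for illustration, and it assumes DNSSERVER holds a single address as shown on this page.

```python
import ipaddress

# System number -> Private Outbound DNS address, copied from the table in this guide.
PRIVATE_DNS_BY_SYSTEM = {
    5: "64.18.4.12", 6: "64.18.5.12", 7: "64.18.6.12", 8: "64.18.7.12",
    9: "74.125.148.12", 20: "64.18.9.14", 200: "207.126.147.11",
    201: "207.126.154.11",
}

# Constructed sample file contents, for illustration only.
SAMPLE_NOTES_INI = """\
[Notes]
ServerTasks=Router,SMTP
DNSSERVER=64.18.7.12
SMTPClientDebug=1
"""


def parse_notes_ini(text):
    """Return the KEY=value lines of notes.ini as a dict with upper-cased keys."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings


def check_dnsserver(text, system_number):
    """Return (status, detail) for the DNSSERVER line, given your system number."""
    expected = PRIVATE_DNS_BY_SYSTEM.get(system_number)
    if expected is None:
        return ("unknown_system",
                "system %r is not in the guide's table" % (system_number,))
    value = parse_notes_ini(text).get("DNSSERVER")
    if value is None:
        return ("missing", "no DNSSERVER line found")
    try:
        address = ipaddress.IPv4Address(value)
    except ValueError:
        # Private Outbound DNS cannot use domain names (see the note above).
        return ("not_an_ip", "%r is not an IPv4 address" % value)
    if str(address) != expected:
        owners = [n for n, ip in PRIVATE_DNS_BY_SYSTEM.items() if ip == str(address)]
        where = "system %d" % owners[0] if owners else "no system in the table"
        return ("wrong_system",
                "%s belongs to %s, expected %s" % (address, where, expected))
    return ("ok", "DNSSERVER=%s matches system %d" % (address, system_number))


def debug_logging_enabled(text):
    """True if SMTPClientDebug=1 is still set (meant to be temporary)."""
    return parse_notes_ini(text).get("SMTPCLIENTDEBUG") == "1"
```
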
3. Click Properties.
Because DNS lookups occur before domain names are resolved, you must
use an IP address for Private Outbound DNS. Private outbound DNS cannot
use domain names.
System number    IP address
5                64.18.4.12
6                64.18.5.12
7                64.18.6.12
8                64.18.7.12
9                74.125.148.12
20               64.18.9.14
200              207.126.147.11
201              207.126.154.11
1. Check the mail queues of the mail server to look for items with a retry state
which could indicate outbound mail delays.
2. Send a message from a mail client inside your network to an outside address.
You should see a line in the email header indicating that the message was
received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.
See “Set Up Reinjection” on page 108 for the correct private relay settings.
Troubleshooting
If you encounter delays or problems with using IBM Lotus Domino with Private
Outbound DNS, consider changing your Lotus Notes settings. These settings are
listed in notes.ini. See your IBM Lotus Domino documentation for information on
how to change these settings.
• SMTPErrorLimit set to 1.
• SMTPClientDebug=1
This increases the amount of information logged, which will help find any other
problems. Once the problem is resolved, change this to its original setting.
Your sending mail server needs to be able to reach the message security service
using DNS on UDP port 53.
If you are not sure your network settings allow your mail server to connect to an
external DNS host on UDP port 53, run the following test on your mail server:
5. In the nslookup prompt, type server [IP address] and hit return. For
instance, if you are on system 8, type server 64.18.7.12 and hit return. If
you are using a different system number, use the appropriate IP address for
that system.
6. In the nslookup prompt, type gmail.com again. You should see a different IP
address now. If you see an error message, your network settings are blocking
your DNS connection.
7. In the nslookup prompt, type server [old default server] to restore your
default server. Substitute your previous default server name for [old default
server].
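The nslookup test above can also be scripted, so that a blocked UDP port 53 shows up as a timeout rather than an interactive error. The following is an added example, not part of the original guide: it sends one A-record query straight to the private DNS server address you pass in, and the function names and the constructed sample response are illustrative assumptions.

```python
import secrets
import socket
import struct


def build_query(name, query_id):
    """Build a DNS query for the A record of `name` (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", query_id, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(packet, offset):
    """Return the offset just past a name, which may end in a compression pointer."""
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return offset + 2
        if length == 0:
            return offset + 1
        offset += 1 + length


def parse_a_records(packet, query_id):
    """Return the IPv4 addresses in a response; raise ValueError if it is unusable."""
    try:
        rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
        if rid != query_id or not flags & 0x8000:
            raise ValueError("not a response to this query")
        if flags & 0x000F:
            raise ValueError("server returned RCODE %d" % (flags & 0x000F))
        offset = 12
        for _ in range(qdcount):
            offset = _skip_name(packet, offset) + 4  # skip QTYPE and QCLASS
        addresses = []
        for _ in range(ancount):
            offset = _skip_name(packet, offset)
            rtype, rclass, _ttl, rdlen = struct.unpack(
                "!HHIH", packet[offset:offset + 10])
            offset += 10
            if rtype == 1 and rclass == 1 and rdlen == 4:
                addresses.append(socket.inet_ntoa(packet[offset:offset + 4]))
            offset += rdlen
        return addresses
    except (IndexError, struct.error):
        raise ValueError("truncated or malformed DNS response")


def probe_private_dns(server_ip, name="gmail.com", timeout=5.0):
    """Return ("ok", addresses), ("blocked", reason) or ("error", reason)."""
    query_id = secrets.randbelow(0x10000)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.connect((server_ip, 53))  # only accept replies from this server
            sock.send(build_query(name, query_id))
            packet = sock.recv(512)
        return ("ok", parse_a_records(packet, query_id))
    except socket.timeout:
        return ("blocked", "no reply on UDP port 53 within %.0f s" % timeout)
    except (OSError, ValueError) as exc:
        return ("error", str(exc))


# Constructed response to the query build_query("gmail.com", 0x1A2B): one A
# record pointing at a documentation address, with the name compressed.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0)
    + b"\x05gmail\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
    + socket.inet_aton("192.0.2.25")
)
```

Call `probe_private_dns("64.18.7.12")` from the mail server if you are on system 8, or use the address for your own system; a `"blocked"` status corresponds to the error described in step 6.
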
For other versions of IBM Lotus Domino (such as 5.5 and 7) these are the
recommended steps.
These instructions provide steps to route mail to Outbound Services and are
designed to work with a majority of deployments. These instructions were written
for Lotus Domino R5/R6.
Changing the timeout configuration for Lotus Domino R5/R6 is not required. You
can use the default timeout settings.
Note: Postini Customer Care does not provide technical support for configuring
mail servers or third-party products. In the event of an IBM Lotus Domino issue,
you should consult your IBM Lotus Domino administrator. POSTINI ACCEPTS
NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact
Postini Professional Services for consulting services and options.
Set Up Reinjection
Before you can register your IP addresses in the Administrative Console or set up
a smarthost, you must allow reinjection. For an overview of reinjection concepts,
see “Set Up Reinjection” on page 14.
5. At the top of the window, click Edit Server Configuration. Select the following:
6. Under “Allow messages only from the following internet hosts to be sent to
external internet domains” enter the IP range for Outbound Services. For a list
of IP ranges, see “IP Ranges” on page 13.
7. Under “Exclude these Connecting Hosts From Anti-Relay Checks” enter the
same IP range.
9. Stop and restart the Domino SMTP task for the changes to take effect.
5. Select the Router/SMTP tab in the first row. This will select the “Basics” tab of
the second row of tabs.
6. Under “Relay host for messages leaving the local internet domain:”, add the
following:
outbounds[your system number].obsmtp.com
where [your system number] is your system number. To find what system to
use, see “Identify Your System” on page 13.
7. Select the Restrictions and Controls tab from the second row.
1. Check the mail queues of the mail server to look for items with a retry state
which could indicate outbound mail delays.
2. Send a message from a mail client inside your network to an outside address.
You should see a line in the email header indicating that the message was
received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.
See “Set Up Reinjection” on page 116 for the correct private relay settings.
These instructions provide steps to route mail to Outbound Services and are
designed to work with a majority of Novell Groupwise deployments.
You can also set up Private Outbound DNS to route mail to Outbound Services.
Private Outbound DNS is often simpler and more reliable than a smarthost
installation. Private Outbound DNS is described in “Option 1: Set Up Private
Outbound DNS” on page 16. For more information, see your mail server product
documentation for information on changing your DNS settings.
Legal Disclaimer
This guide describes how Postini products work with Novell Groupwise and the
configurations that Postini recommends. These instructions are designed to work
with the most common Groupwise scenarios. Any changes to Novell Groupwise
configuration should be made at the discretion of your Novell Groupwise
administrator.
Note: Postini Customer Care does not provide technical support for configuring
mail servers or third-party products. In the event of a Novell Groupwise issue, you
should consult your Novell Groupwise administrator. POSTINI ACCEPTS NO
RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may also contact
Postini Professional Services for consulting services and options.
Links to Novell Groupwise Web sites are provided for your convenience. The links
and their content may change without notice. Please consult the product's Web
site for the latest configuration and support information.
5. Make sure that the “Prevent message relaying” radio button in the SMTP
Relay Defaults section is selected.
7. In the “From:” field, enter the IP range for your system. For a list of IP ranges,
see “IP Ranges” on page 13. Leave the “To:” field blank to indicate that any
recipient is allowed.
Set Up Smarthost
1. Open the Groupwise ConsoleOne interface.
3. If the SMTP/MIME Settings page is not the default page, click the “SMTP/
MIME” tab and click Settings.
5. Enter the appropriate smarthost in the field entitled “Relay Host for Outbound
Messages”.
where [your system number] is your system number. To find what system to
use, see “Identify Your System” on page 13.
1. Check the mail queues of the mail server for items with a retry state,
which could indicate outbound mail delays.
2. Send a message from a mail client inside your network to an outside address.
You should see a line in the email header indicating that the message was
received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.
4. Confirm that your mail server is not an open relay. An open relay will make
your mail server vulnerable to hijacking by spammers and will most likely
cause an interruption in service.
See “Set Up Reinjection” on page 120 for the correct private relay settings.
This problem occurs because Groupwise changes the SMTP envelope when
forwarding a message by a rule. The MAIL FROM address in the envelope is null
(MAIL FROM:<>). Because Outbound Services uses the envelope address to
decide which organization's settings to use, the default is to use the settings
specified in the email config organization.
To ensure that all outbound messages are filtered, be sure that the Outbound
Content Manager, Outbound Attachment Manager, Outbound Virus Blocking and
Compliance Footer settings are the same for the email config organization as for
the user-level orgs.
When Outbound Services processes a message from a sender who does not
have a user account, it uses the Outbound Services settings from the email config
organization. If Outbound Attachment Manager and Outbound Content Manager
are enabled at the email config organization, then any messages sent by
non-users that violate an Outbound Attachment Manager or Outbound Content
Manager filter will be disposed of accordingly. Creating a user account for the
email address acting as the sender of the NDR, and placing it in an org with
Outbound Attachment Manager and Outbound Content Manager disabled,
ensures that the email security service will never block any messages sent by
that user.
You can resolve this issue by setting Groupwise to deliver the NDR locally, or you
can change your filters in the Administration Console.
If you reconfigure your Groupwise server to deliver the NDR locally, Outbound
Services will not be involved in the delivery of the message and it should therefore
be successfully delivered.
About Sendmail
Sendmail is a mail transfer agent (MTA) used for delivering mail across networks.
It is a well-known project of the open source, free software and UNIX
communities. Sendmail is distributed both as free software and as proprietary
software, and is a standard MTA under many variants of the UNIX operating
system.
These instructions were written for version 8.13 of Sendmail. Other versions may
have different settings. This chapter includes steps to route mail to Outbound
Services and is designed to work with most major Sendmail deployments.
You can also set up Private Outbound DNS to route mail to Outbound Services.
Private Outbound DNS is often simpler and more reliable than a smarthost
installation. Private Outbound DNS is described in “Option 1: Set Up Private
Outbound DNS” on page 16. For information on changing your DNS settings, see
your mail server product documentation.
Legal Disclaimer
This guide describes how Postini products work with Sendmail and the
configurations that Postini recommends. These instructions are designed to work
with the most common Sendmail scenarios. Any changes to Sendmail
configuration should be made at the discretion of your Sendmail administrator.
Note: Postini Customer Care does not provide technical support for configuring
mail servers or third-party products. In the event of a Sendmail issue, you should
consult your Sendmail administrator. POSTINI ACCEPTS NO RESPONSIBILITY
FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional
Services for consulting services and options.
Links to Sendmail Web sites are provided for your convenience. The links and
their content may change without notice. Please consult the product's Web site for
the latest configuration and support information.
Set Up Reinjection
Before you can register your IP addresses in the Administration Console or set up
a smarthost, you must allow reinjection. For an overview of reinjection concepts,
see “Set Up Reinjection” on page 14.
If the reinjection servers are not outbound servers, repeat these steps for all
servers along the mail flow between reinjection and the outbound server to allow
the injection server to relay mail traffic through them.
to the file
/etc/mail/relay-domains
Set Up Smarthost
Set the smarthost in your sendmail.mc file.
WARNING: Do not change this value until you have set up the appropriate
RELAY_DOMAIN setting and registered your IP in the Administration Console. If
your IP is not registered in the Administration Console, Outbound Services will not
deliver your mail.
where [your system number] is your system number. To find what system to
use, see “Identify Your System” on page 13.
1. Send a message from a mail client inside your network to an outside address.
You should see a line in the email header indicating that the message was
received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.
3. In the Administration Console, select your email config organization and click
the Outbound Servers tab. After a minute of successful mail flow, traffic
should display on the graph.
4. Confirm that your mail server is not an open relay. An open relay will make
your mail server vulnerable to hijacking by spammers and will most likely
cause an interruption in service.
See “Set Up Reinjection” on page 126 for the correct private relay settings.
These instructions provide steps to route mail to Outbound Services and are
designed to work with the mail transfer agent component of most Mac OS X
Server deployments. Instructions are included for version 10.3 and 10.4 of Mac
OS X Server.
You can also set up Private Outbound DNS to route mail to Outbound Services.
Private Outbound DNS is often simpler and more reliable than a smarthost
installation. Private Outbound DNS is described in “Option 1: Set Up Private
Outbound DNS” on page 16. For information on changing your DNS settings, see
your mail server product documentation.
Legal Disclaimer
This guide describes how Postini products work with Apple Mac OS X Server and
the configurations that Postini recommends. These instructions are designed to
work with the most common Apple Mac OS X Server scenarios. Any changes to
Apple Mac OS X Server configuration should be made at the discretion of your
Apple Mac OS X Server administrator.
Note: Postini Customer Care does not provide technical support for configuring
mail servers or third-party products. In the event of an Apple Mac OS X Server
issue, you should consult your Apple Mac OS X Server administrator. POSTINI
ACCEPTS NO RESPONSIBILITY FOR THIRD-PARTY PRODUCTS. You may
also contact Postini Professional Services for consulting services and options.
Set Up Reinjection
Before you can register your IP addresses in the Administration Console or set up
a smarthost, you must allow reinjection. For an overview of reinjection concepts,
see “Set Up Reinjection” on page 14.
2. Click Settings.
3. Click Relay and enter the IP range for your system as an allowed relay
address. For a list of IP ranges, see “IP Ranges” on page 13.
2. Click Settings.
3. Click Filters and enter the IP range for your system as an allowed relay
address. For a list of IP ranges, see “IP Ranges” on page 13.
Set Up Smarthost
1. In Server Admin, select Mail and click Settings.
where [your system number] is your system number. To find what system to
use, see “Identify Your System” on page 13.
1. Check the mail queues of the mail server for items with a retry state,
which could indicate outbound mail delays.
2. Send a message from a mail client inside your network to an outside address.
You should see a line in the email header indicating that the message was
received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.
4. Confirm that your mail server is not an open relay. An open relay will make
your mail server vulnerable to hijacking by spammers and will most likely
cause an interruption in service.
See “Set Up Reinjection” on page 130 for the correct private relay settings.
About Qmail
Qmail is a mail transfer agent that runs on UNIX. Qmail has not been updated by
the author for several years, and users have instead come to rely on third-party
patches to support new functionality.
These instructions provide steps to route mail to Outbound Services and are
designed to work with a majority of Qmail deployments. You can also set up
Private Outbound DNS to route mail to Outbound Services. Private Outbound
DNS is often simpler and more reliable than a smarthost installation. Private
Outbound DNS is described in “Option 1: Set Up Private Outbound DNS” on
page 16. For information on changing your DNS settings, see your mail server
product documentation.
Legal Disclaimer
This guide describes how Postini products work with Qmail and the configurations
that Postini recommends. These instructions are designed to work with the most
common Qmail scenarios. Any changes to Qmail configuration should be made at
the discretion of your Qmail administrator.
Note: Postini Customer Care does not provide technical support for configuring
mail servers or third-party products. In the event of a Qmail issue, you should
consult your Qmail administrator. POSTINI ACCEPTS NO RESPONSIBILITY
FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional
Services for consulting services and options.
Links to Qmail Web sites are provided for your convenience. The links and their
content may change without notice. Please consult the product's Web site for the
latest configuration and support information.
Set Up Reinjection
Before you can register your IP addresses in the Administration Console or set up
a smarthost, you must allow reinjection. For an overview of reinjection concepts,
see “Set Up Reinjection” on page 14.
where IP Range is the appropriate IP Range. For a list of IP ranges, see “IP
Ranges” on page 13.
3. Verify that the tcp.smtp.cdb file is invoked in the mail server's startup script.
Set Up Smarthost
1. Edit (or create) the file /var/qmail/control/smtproutes and append the
following line:
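:outbounds[your system number].obsmtp.com
where [your system number] is your system number. The leading colon leaves the
domain field empty, which makes this line the default route for all outbound
mail. To find what system to use, see “Identify Your System” on page 13.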
3. If traffic for certain internal domains should not be routed to Postini,
add a route to the appropriate mail server for each of those domains in the
/var/qmail/control/smtproutes file, using the following syntax:
<InternalDomain>:<ServerForInternalDomain>
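The following added example (not part of the original guide) resolves recipient domains against an smtproutes file in the order qmail-remote uses, and lists the entries whose mail bypasses the smarthost and is therefore never filtered. The internal host names are hypothetical, and `outboundsN.obsmtp.com` is a placeholder in which N stands for your system number.

```python
SMARTHOST = "outboundsN.obsmtp.com"  # placeholder: N stands for your system number

# Constructed smtproutes content; the internal hosts are hypothetical.
SAMPLE = """\
# internal domains delivered directly, everything else via the smarthost
intranet.example.com:mail1.internal.example.com
.lab.example.com:labmx.internal.example.com:2525
:outboundsN.obsmtp.com
"""

def parse_smtproutes(text):
    """Map each domain pattern to (relay, port); '' is the default route."""
    routes = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        domain, _, target = line.partition(":")
        relay, _, port = target.partition(":")
        routes[domain.lower()] = (relay, int(port) if port else 25)
    return routes

def route_for(routes, domain):
    """Look up a recipient domain the way qmail-remote does: the exact name,
    then each '.suffix' pattern from longest to shortest, then the default."""
    host = domain.lower()
    for i in range(len(host) + 1):
        if i == 0 or i == len(host) or host[i] == ".":
            if host[i:] in routes:
                return routes[host[i:]]
    return None  # no matching route: qmail looks up the MX record itself

def bypasses(routes, smarthost):
    """Patterns whose mail never reaches the smarthost (and so is not filtered)."""
    return [pat for pat, (relay, _) in routes.items() if relay != smarthost]

ROUTES = parse_smtproutes(SAMPLE)

if __name__ == "__main__":
    for name in ("partner.example.org", "intranet.example.com",
                 "host.lab.example.com", "lab.example.com"):
        print(name, "->", route_for(ROUTES, name))
    print("bypass the smarthost:", bypasses(ROUTES, SMARTHOST))
```

Note that the `.lab.example.com` pattern covers hosts under that domain but not `lab.example.com` itself, which falls through to the default route.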
2. Send a message from a mail client inside your network to an outside address.
You should see a line in the email header indicating that the message was
received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.
4. Confirm that your mail server is not an open relay. An open relay will make
your mail server vulnerable to hijacking by spammers and will most likely
cause an interruption in service.
See “Set Up Reinjection” on page 134 for the correct private relay settings.
Postfix Chapter 16
About Postfix
Postfix is an open-source mail transfer agent, used primarily on UNIX-based
servers. It is the default mail server for several operating systems.
Setting up Postfix for Outbound Services requires minimal changes. First, add the
IP ranges for the email security service as private relays. Then, register your
mail server in the Administration Console. Finally, route outbound mail to
Outbound Services.
There is no need to increase the timeouts for Postfix servers. The default timeout
settings are appropriate.
You can also set up Private Outbound DNS to route mail to Outbound Services.
Private Outbound DNS is often simpler and more reliable than a smarthost
installation. Private Outbound DNS is described in “Option 1: Set Up Private
Outbound DNS” on page 16. For information on changing your DNS settings, see
your mail server product documentation.
Legal Disclaimer
This guide describes how Postini products work with Postfix and the
configurations that Postini recommends. These instructions are designed to work
with the most common Postfix scenarios. Any changes to Postfix configuration
should be made at the discretion of your Postfix administrator.
Note: Postini Customer Care does not provide technical support for configuring
mail servers or third-party products. In the event of a Postfix issue, you should
consult your Postfix administrator. POSTINI ACCEPTS NO RESPONSIBILITY
FOR THIRD-PARTY PRODUCTS. You may also contact Postini Professional
Services for consulting services and options.
Links to Postfix Web sites are provided for your convenience. The links and their
content may change without notice. Please consult the product's Web site for the
latest configuration and support information.
Set Up Reinjection
Before you can register your IP addresses in the Administration Console or set up
a smarthost, you must allow reinjection. For an overview of reinjection concepts,
see “Set Up Reinjection” on page 14.
Note: Do not change mynetworks and relayhost at the same time; these steps
must be completed in order.
3. If the reinjection server is not the same as your outbound mail server, perform
these steps on all servers along the mail flow path between the reinjection
server and your outbound mail server.
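Because every network listed in mynetworks is allowed to relay, it is worth auditing that parameter after adding the service's ranges. The following added example (not part of the original guide) parses main.cf text and reports entries that fall outside an approved list. The ranges are constructed: 192.0.2.0/24 stands in for the ranges under “IP Ranges” and 10.20.0.0/16 is a hypothetical internal LAN.

```python
import ipaddress

# Constructed values: 192.0.2.0/24 stands in for the service ranges listed under
# "IP Ranges"; 10.20.0.0/16 is a hypothetical internal LAN.
APPROVED = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "::1/128", "10.20.0.0/16", "192.0.2.0/24")]

SAMPLE_MAIN_CF = """\
# constructed main.cf fragment
mynetworks = 127.0.0.0/8, [::1]/128, 10.20.0.0/16,
    192.0.2.0/24 0.0.0.0/0
    203.0.113.7
"""

def read_main_cf(text):
    """Parse main.cf text into {parameter: value}, joining continuation lines."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:      # leading whitespace continues a value
            params[name] += " " + raw.strip()
        elif "=" in raw:
            name, _, value = raw.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params

def audit_mynetworks(params, approved):
    """Return (entry, reason) pairs for entries that widen who may relay."""
    if "mynetworks" not in params:
        return [("mynetworks", "unset: mynetworks_style decides who may relay")]
    findings = []
    for entry in params["mynetworks"].replace(",", " ").split():
        try:  # Postfix writes IPv6 networks as [addr]/len
            net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""),
                                       strict=False)
        except ValueError:
            findings.append((entry, "not a literal network: review by hand"))
            continue
        if net.prefixlen == 0:
            findings.append((entry, "matches every address: open relay"))
        elif not any(net.version == a.version and net.subnet_of(a)
                     for a in approved):
            findings.append((entry, "not in the approved relay list"))
    return findings

FINDINGS = audit_mynetworks(read_main_cf(SAMPLE_MAIN_CF), APPROVED)
```

Entries that refer to a lookup table or file rather than a literal network are reported for manual review instead of being evaluated.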
Set Up Smarthost
After you have set up reinjection and registered the IP of your outbound mail
server in the Administration Console, set the relayhost parameter to route mail to
the email security system. This will set Outbound Services as the smarthost.
Set up a smarthost
1. Add the following line to your configuration file (example path
/etc/postfix/main.cf):
where [your system number] is your system number. To find what system to
use, see “Identify Your System” on page 13.
1. In the Internet Mail Service Properties, select the Queues tab. Look for items
with a retry state, which could indicate outbound mail delays.
2. Send a message from a mail client inside your network to an outside address.
You should see a line in the email header indicating that the message was
received and delivered by exprodNobM.obsmtp.com, where N and M are numbers.
4. Confirm that your mail server is not an open relay. An open relay will make
your mail server vulnerable to hijacking by spammers and will most likely
cause an interruption in service.
See “Set Up Reinjection” on page 138 for the correct private relay settings.
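The header check in the test steps of this and the preceding chapters can be scripted. The following added example (not part of the original guide) reads the Received headers of a delivered test message and reports whether an exprodNobM.obsmtp.com host both received the message and handed it on. The messages, host numbers and addresses are constructed.

```python
import re
from email import message_from_string

HOP = r"exprod\d+ob\d+\.obsmtp\.com"
FROM_RE = re.compile(r"^from\s+(" + HOP + r")\b", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(" + HOP + r")\b", re.IGNORECASE)

# Constructed test messages as seen at the outside recipient.
FILTERED = """\
Received: from exprod5ob101.obsmtp.com ([192.0.2.10])
\tby mx.recipient.example with ESMTP; Mon, 3 May 2010 10:00:05 -0700
Received: from mail.sender.example ([198.51.100.25])
\tby exprod5ob101.obsmtp.com with SMTP; Mon, 3 May 2010 10:00:02 -0700
From: alice@sender.example
Subject: outbound test

body
"""
DIRECT = """\
Received: from mail.sender.example ([198.51.100.25])
\tby mx.recipient.example with ESMTP; Mon, 3 May 2010 10:00:05 -0700
From: alice@sender.example
Subject: via exprod5ob101.obsmtp.com?

body
"""

def filtering_hops(raw_message):
    """Collect obsmtp.com hosts from Received headers, split by role."""
    msg = message_from_string(raw_message)
    hops = {"received_by": [], "delivered_from": []}
    for value in msg.get_all("Received", []):
        line = " ".join(value.split())          # unfold the header
        by, frm = BY_RE.search(line), FROM_RE.search(line)
        if by:
            hops["received_by"].append(by.group(1).lower())
        if frm:
            hops["delivered_from"].append(frm.group(1).lower())
    return hops

def passed_outbound_filtering(raw_message):
    """True when the service both accepted the message and handed it on."""
    hops = filtering_hops(raw_message)
    return bool(hops["received_by"]) and bool(hops["delivered_from"])
```

Only Received lines added by servers you trust are reliable evidence, since a sender can insert any Received line it likes below them.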