Security Checklist and Best Practices
Follow these recommendations to get the best performance and the most effective filtering from the message security service. Use this checklist as a guide while you review or adjust your settings:
Lock down the firewall for each of your email servers
To prevent spam and viruses from circumventing the message security service, it’s important to lock down the firewall for each of your email servers. This means limiting SMTP (port 25) traffic at the firewall to allow connections only from Postini IP addresses.
Some virus and spam senders specifically target mail servers using low-priority DNS MX records or by looking up a server directly using a common naming convention such as mail.yourdomain.com. To prevent malicious senders from bypassing the message security service, we highly recommend that you add all of your domains to the service, then configure each of your email servers to accept mail only from Postini.
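The following Python script is an added example, not part of the Postini documentation. It shows what the firewall lock-down looks like in practice: one function emits the iptables rules that accept port 25 only from the message security service and drop everything else, and a second function audits a connection log for port-25 connections that arrived from outside that range, which would indicate a gap in the firewall or a sender trying to bypass the service. The IP ranges and the log format are placeholders constructed for the example; the real service IP range comes from the service documentation.

```python
import ipaddress

# Placeholder networks standing in for the message security service's IP range.
# These are documentation-only ranges (TEST-NET-2/3), not real service addresses.
ALLOWED_SMTP_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample connection log: "timestamp source_ip destination_port".
SAMPLE_CONNECTION_LOG = """\
2024-01-01T10:00:01 203.0.113.7 25
2024-01-01T10:00:05 192.0.2.44 25
2024-01-01T10:00:09 198.51.100.12 25
2024-01-01T10:00:11 192.0.2.44 443
2024-01-01T10:00:15 192.0.2.99 25
"""


def generate_iptables_rules(allowed=ALLOWED_SMTP_SOURCES):
    """Return iptables commands that accept inbound SMTP only from the allowed
    ranges and drop all other port-25 connections (order matters: accepts first)."""
    rules = [
        f"iptables -A INPUT -p tcp --dport 25 -s {net} -j ACCEPT" for net in allowed
    ]
    rules.append("iptables -A INPUT -p tcp --dport 25 -j DROP")
    return rules


def is_allowed_source(src, allowed=ALLOWED_SMTP_SOURCES):
    """True if src (a string IP address) falls inside one of the allowed networks."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in allowed)


def parse_connection_log(text):
    """Yield (timestamp, source_ip, destination_port) tuples from the sample format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port = line.split()
        yield ts, src, int(port)


def find_bypass_connections(log_text, allowed=ALLOWED_SMTP_SOURCES):
    """Return (timestamp, source_ip) for every port-25 connection that did not
    come from the allowed ranges. A locked-down firewall should make this empty."""
    return [
        (ts, src)
        for ts, src, port in parse_connection_log(log_text)
        if port == 25 and not is_allowed_source(src, allowed)
    ]


if __name__ == "__main__":
    print("\n".join(generate_iptables_rules()))
    for ts, src in find_bypass_connections(SAMPLE_CONNECTION_LOG):
        print(f"SMTP connection from outside the service range: {src} at {ts}")
```

Run the audit against your firewall's accepted-connection log after the rules are in place; any hit means port 25 is still reachable from somewhere other than the message security service.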
Make sure you have added all of your users, aliases, and mailing lists to Postini
Make sure all of your users, user aliases, and mailing lists (distribution lists) are added to the message security service. Users that aren’t added to the service won’t receive spam and virus protection. You can quickly add users with the Add/Delete/Move Users page in the Administration Console, or you can upload a list of users using batch commands or through automated methods such as Directory Sync.
If your user list is stored on an LDAP directory server, you can use the Directory Sync utility to synchronize users from your LDAP server into Postini. Directory Sync Server Edition is a utility that you install on a machine inside your network that queries your LDAP server and adds, deletes, or moves users in Postini to match your LDAP server. Using Directory Sync requires knowledge of your LDAP directory server system, the ability to create LDAP queries, and a server inside your network that can access both your LDAP system and the Postini IP range.
Directory Sync Hosted Edition is a feature that runs from Postini and pulls information from your LDAP server. However, because it requires you to open your firewall to give Postini HTTP query access and to install components on your LDAP server, Directory Sync Hosted Edition is not recommended in most cases. Use Directory Sync Server Edition instead.
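The following Python script is an added example, not code from Postini or the Directory Sync utility. It illustrates the add/delete/move reconciliation that Directory Sync performs: the LDAP directory is treated as authoritative, the service's current user list is compared against it, and the script produces the three change sets. It also adds a safeguard that Directory Sync's own behaviour is not documented here: a sync plan that would delete a large fraction of existing users (for example because an LDAP query returned nothing) is refused rather than applied. The user records and organization names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    email: str
    org: str   # the Postini organization the user belongs to


# Constructed sample: the authoritative view from the LDAP directory ...
LDAP_USERS = [
    User("alice@jumboinc.com", "Sales"),
    User("bob@jumboinc.com", "Engineering"),
    User("dave@jumboinc.com", "Sales"),
]

# ... and what the message security service currently holds.
SERVICE_USERS = [
    User("alice@jumboinc.com", "Sales"),
    User("bob@jumboinc.com", "Sales"),
    User("carol@jumboinc.com", "Engineering"),
]


def plan_sync(ldap_users, service_users):
    """Return (adds, deletes, moves) needed to make the service match LDAP.

    adds:    addresses present in LDAP but not yet in the service
    deletes: addresses in the service that LDAP no longer knows
    moves:   (address, current_org, target_org) where the org differs
    Addresses are compared case-insensitively, as email addresses are."""
    ldap = {u.email.lower(): u for u in ldap_users}
    svc = {u.email.lower(): u for u in service_users}
    adds = sorted(e for e in ldap if e not in svc)
    deletes = sorted(e for e in svc if e not in ldap)
    moves = sorted(
        (e, svc[e].org, ldap[e].org)
        for e in ldap
        if e in svc and ldap[e].org != svc[e].org
    )
    return adds, deletes, moves


def safe_to_apply(deletes, current_count, max_delete_fraction=0.5):
    """Refuse a plan that removes more than max_delete_fraction of existing users.

    An empty or partial LDAP result would otherwise be mirrored as a mass
    deletion, and deleted users immediately lose spam and virus filtering."""
    if current_count == 0:
        return True
    return len(deletes) / current_count <= max_delete_fraction


if __name__ == "__main__":
    adds, deletes, moves = plan_sync(LDAP_USERS, SERVICE_USERS)
    print("add:   ", adds)
    print("delete:", deletes)
    print("move:  ", moves)
    print("safe:  ", safe_to_apply(deletes, len(SERVICE_USERS)))
```

The threshold is a judgement call; the point is that a sync tool should fail closed when the directory side looks wrong, because every user it deletes stops being filtered.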
Make sure Non-Account Bouncing is ON
Once your users are added to the message security service, we recommend that you turn on Non-Account Bouncing to block messages sent to invalid email addresses (email addresses that are not yet registered with the message security service). Non-Account Bouncing helps protect your organization from Directory Harvest Attacks. The sender receives the SMTP error message 550 No such user - psmtp.
Non-Account Bouncing is set at the organization level in the Administration Console. Before you enable Non-Account Bouncing, it’s important to add every address, alias, and mailing list. Users that are not yet added won’t receive outside mail.
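The following Python script is an added example, not code from Postini. It shows the pattern Non-Account Bouncing is meant to defeat from the defender's side: a Directory Harvest Attack shows up in SMTP logs as one client address producing a burst of 550 No such user rejections against many different recipients, with few or no accepted recipients in between. The script parses a constructed log (the line format is hypothetical, not the service's own) and flags clients whose rejections within a sliding time window exceed a count and a reject ratio; a legitimate sender with one mistyped address never crosses the thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SMTP log. The format is hypothetical; adapt LINE_RE to
# whatever your own mail server or the service's logs actually emit.
SAMPLE_SMTP_LOG = """\
2024-01-01T10:00:00 client=192.0.2.44 rcpt=aaron@jumboinc.com status=550 No such user - psmtp
2024-01-01T10:00:01 client=192.0.2.44 rcpt=abby@jumboinc.com status=550 No such user - psmtp
2024-01-01T10:00:02 client=192.0.2.44 rcpt=adam@jumboinc.com status=550 No such user - psmtp
2024-01-01T10:00:03 client=192.0.2.44 rcpt=alice@jumboinc.com status=250 OK
2024-01-01T10:00:04 client=192.0.2.44 rcpt=alan@jumboinc.com status=550 No such user - psmtp
2024-01-01T10:00:05 client=192.0.2.44 rcpt=alex@jumboinc.com status=550 No such user - psmtp
2024-01-01T10:01:30 client=198.51.100.9 rcpt=bob@jumboinc.com status=250 OK
2024-01-01T10:02:00 client=198.51.100.9 rcpt=bobb@jumboinc.com status=550 No such user - psmtp
2024-01-01T11:30:00 client=192.0.2.44 rcpt=zed@jumboinc.com status=550 No such user - psmtp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) rcpt=(?P<rcpt>\S+) status=(?P<code>\d{3})"
)


def parse_smtp_log(text):
    """Yield (timestamp, client_ip, recipient, smtp_code) for each parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (
                datetime.fromisoformat(m["ts"]),
                m["client"],
                m["rcpt"],
                m["code"],
            )


def detect_harvest(text, window=timedelta(minutes=5), min_rejects=5, min_reject_ratio=0.8):
    """Return {client_ip: peak_rejects} for clients that, within any single
    window, produced at least min_rejects 550 responses making up at least
    min_reject_ratio of their recipient attempts."""
    per_client = defaultdict(list)
    for ts, client, _rcpt, code in parse_smtp_log(text):
        per_client[client].append((ts, code))

    suspects = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            rejects = sum(1 for _, code in in_window if code == "550")
            if rejects >= min_rejects and rejects / len(in_window) >= min_reject_ratio:
                suspects[client] = max(suspects.get(client, 0), rejects)
    return suspects


if __name__ == "__main__":
    for client, rejects in detect_harvest(SAMPLE_SMTP_LOG).items():
        print(f"possible directory harvest from {client}: {rejects} rejects in one window")
```

With Non-Account Bouncing on, these rejects are what the attacker sees, so the harvest yields nothing but they still show up in the log; feeding that log into a check like this gives you an early warning that a client is probing your address space.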
Make sure you have configured all of your domains to ensure they are filtered by Postini
Your service is initially set up for users in a single domain. That domain resides in your initial user org. If you have additional domains that you want to filter, you must add these domains to the message security service while making sure that each domain is pointing to Postini. Also, if you have multiple interchangeable domains (for example, jumboinc.com, jumboinc.corp.com, jumboinc.net), be sure you have set up domain aliasing.
Check your Spool Manager settings
For disaster preparedness and recovery, we recommend that you configure Spool Manager for alerts and notifications. For example, configure Spool Manager alerts for your wireless device to receive a notification if your email server becomes unavailable.
You can adjust your Spool Manager settings in the Administration Console in just five minutes. Select your email config organization, click the Inbound Servers tab, and click Spool Mgr and Alerts to adjust your settings.
Create an emergency plan for mail flow issues
You must have a plan in place in the event that you experience a mail flow issue:
- Be sure that you have set up a support contact with your email service provider for emergency service.
- Sign up for an RSS Feed with the Apps Status Dashboard to receive news and updates about service issues.
- Set up an internal process for the unlikely event of a service outage (for example, changing MX records and firewall settings).
- Be aware of the troubleshooting procedures for mail flow and filtering. See the “Test Tools & Mail Flow Troubleshooting” chapter in the Message Security Administration Guide.