ExchangeDefender Deployment Guide

Deploying ExchangeDefender

This is the most up-to-date guide on how to get ExchangeDefender configured for your business. It is important to understand that ExchangeDefender can be as simple or as complex as you want to make it; it is certainly flexible enough to fit your overall security configuration. Only the first two steps are required (changing the MX record and creating users / policies), but we do encourage you to implement as many of the recommendations as possible, because they come from years of experience and from learning from the mistakes businesses have made in "opening" their email systems. So let's get started!



Change Your DNS (MX) Record & Outbound Smarthost


In order for ExchangeDefender to process your messages and implement policies and business continuity systems, it needs to be placed between you and the Internet. The easiest way to do this is to change your mail exchanger (MX) DNS record to ExchangeDefender and set ExchangeDefender as the outbound smarthost. This way all your incoming mail goes through ExchangeDefender in order to reach you, and all your outbound mail goes through ExchangeDefender in order to reach the Internet. In effect, we engulf your entire mail infrastructure and play gatekeeper.

Note: Changing your MX record does not mean that you transfer or delegate the DNS control to us. Your mail server stays where it is, no names are ever changed, your clients do not have to be reconfigured and there are no new names to remember.

Change Your MX Record


The first step to deploying ExchangeDefender is to change the MX record on your name servers. Contact your name server administrator or your Internet Service Provider to get this change made. A really simple way to find out where your MX record needs to be changed is to use the WHOIS query at www.dnsstuff.com.

Once you have found out where your DNS zone is and who has the permissions to change it, request that they remove all current MX records and only place the following MX record in your zone:
inbound30.exchangedefender.com


Note: Never use a secondary MX record or "failback" MX record in conjunction with ExchangeDefender. ExchangeDefender should be the only MX record listed under your domain. Also, never remove any host (A) records from your zone or point the MX record to an IP address.

Change Your Outbound Smarthost


Your smarthost configuration is far easier because it is located on your Microsoft Exchange server (if you use a mail server other than Microsoft Exchange, please consult the product manual; this feature is standard in all modern SMTP servers).

Instead of routing mail directly over the Internet (using DNS lookups) set your smarthost to:

outbound.exchangedefender.com


On Microsoft Exchange 2003 this setting is located in the Exchange System Manager, under Connectors. On Microsoft Windows 2003 Small Business Server this setting is located on the General tab of the SmallBusiness SMTP connector. Just click on Forward all mail through this connector to the following smart hosts and type in outbound.exchangedefender.com.

Small Business SMTP Connector setup for ExchangeDefender

Note: ExchangeDefender routing is IP permission based, so telnet to outbound.exchangedefender.com on port 25 before you finalize your configuration; there may be internal firewalls or routing policies put in place by your ISP.
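The telnet test in the note above can be scripted so it is repeatable from the Exchange server. The following is an added example, not ExchangeDefender's own tooling: it opens a TCP connection to the smarthost on port 25, reads the SMTP greeting, sends QUIT, and reports whether the path is open. The host name and port come from the guide; the 10 second timeout is an assumption.

```python
"""Pre-flight reachability check for the ExchangeDefender outbound smarthost.

Added example (not ExchangeDefender's own tooling): connects to port 25,
reads the SMTP greeting and sends QUIT so the test leaves no half-open
session behind. A failure here means something between this server and
the smarthost (local firewall, ISP policy) is blocking port 25.
"""
import socket

SMARTHOST = "outbound.exchangedefender.com"  # from the guide
SMTP_PORT = 25
TIMEOUT_SECONDS = 10.0  # assumption: generous enough for a slow WAN link


def parse_smtp_reply(line):
    """Return the three-digit SMTP reply code from a server line, or None.

    A healthy greeting starts with '220'. A '554' or '421' means the server
    answered but refuses service (for example, the connecting IP is not on
    the permission list yet), which is a different problem from a blocked port.
    """
    code = line[:3]
    if len(code) == 3 and code.isdigit() and (len(line) == 3 or line[3] in " -"):
        return int(code)
    return None


def check_smarthost(host=SMARTHOST, port=SMTP_PORT, timeout=TIMEOUT_SECONDS):
    """Connect, read the greeting and QUIT.

    Returns (reachable, reply_code, text): reachable is False when the TCP
    connection itself failed, in which case text carries the OS error.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            greeting = sock.recv(1024).decode("ascii", "replace").strip()
            sock.sendall(b"QUIT\r\n")
    except OSError as exc:
        # Timeout, refused or unreachable: port 25 is being blocked somewhere
        # between this host and the smarthost.
        return False, None, str(exc)
    return True, parse_smtp_reply(greeting), greeting


if __name__ == "__main__":
    reachable, code, text = check_smarthost()
    status = "OK" if reachable and code == 220 else "PROBLEM"
    print(f"{status}: {text}")
```

Run it from the Exchange server itself, not from a workstation, because the IP permission list applies to the address the smarthost sees; a "PROBLEM" with a 5xx code points at the permission list, while a socket error points at a firewall or ISP block.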

ExchangeDefender Users & Policies


The second step in getting ExchangeDefender to protect your organization is to tell it who it is protecting and which policies to apply. This is a very simple process, but don't worry even if you make a mistake: most changes are applied in real time, or within 30 minutes at worst.

Create SMTP User Dump


ExchangeDefender can enforce protection for your business on a per-user basis and save you a lot of time during setup. This is why we require an SMTP user dump at signup, so that your accounts can be automatically provisioned by us and the user database mirrored for other purposes (enforcement, LiveArchive, business continuity, etc.). Here is how you create the SMTP dump.

First, download the ExchangeDefender SMTP dump script and save it on your Exchange server. Locate the directory in which you saved the script and execute it with cscript:

cscript ExportAddresses.vbs


After a few moments (you will see the Microsoft (R) Windows Script Host... output) the SMTP dump will be created in the root of the drive from which you executed it. This file will contain all the mail-enabled objects in your Active Directory, including only their display names and email addresses. You can open this file with your text editor.

Note: An SMTP address listing is a requirement for ExchangeDefender setup. If you do not use Microsoft Exchange in your organization, please provide a list with at least each user's name and their associated email addresses, one per line. It still beats typing in users one at a time.

Configure ExchangeDefender Policies


ExchangeDefender has many policies that can be applied to control inbound and outbound mail flow; the following are just the basic account defaults, which can be changed at any time.

Domain Name
Domain Name is the primary domain name of the organization.

Additional Domains
Most organizations tend to have several domain names, some for business use and some simply for vanity and legal protection. Type in all the domains the organization uses for email; if you need to provide more than 8, please open a support request.

Inbound IP Address
Inbound IP address is the public IP address of your mail server. Please note that this must be an IP address; it cannot be a dynamic DNS hostname, as those are not supported by ExchangeDefender. If you have multiple external IP addresses for a multihomed setup with redundant Internet connections from multiple providers, you can set ExchangeDefender to deliver mail to another MX record. To do so, click on Advanced Settings and type in the MX record of the mail server we should pass mail to after we have scanned it. Again, there is no support for dynamic DNS; please do not enter dynamic DNS addresses in this area.

Outbound IP Address
Outbound IP address is the public IP address of your mail server. ExchangeDefender uses IP permission lists to relay outbound mail and will give you an open relay at the IP address you specify. If you have multiple Internet connections and want to provide an additional IP address for us to relay mail from, click on Advanced Settings and type in the extra IP address.

SPAM Action and SureSPAM Action
ExchangeDefender categorizes possible SPAM into two buckets based on the likelihood that the message is SPAM. Messages we are 80% certain contain SPAM are put into the SPAM category. For messages with 99% certainty, we have a SureSPAM category. Both categories have three possible actions that can be applied to them: tag & deliver, quarantine and delete. If you choose Tag & Deliver we will only rewrite the subject to say [SPAM] before the regular subject text, but will still deliver the message to your mail server immediately. If you select Delete the message will be deleted, permanently (recommended setting for SureSPAM after you have used the product for a while). Finally, our most popular action is Quarantine, which keeps the SPAM away from your mail server but does not delete it. If you choose to quarantine messages, your users will receive a daily report and/or intraday report indicating which messages have been flagged as SPAM, with an option to deliver them, whitelist the senders or, most frequently, just ignore them.

Report Options
Report Options allow you to choose whether you want daily and/or intraday reports sent to your users showing a list of messages that contain SPAM. You can also choose to disable these reports completely for the users that don't want to be bothered. Report Schedule is used to set the time at which the report will be generated (keep in mind that this is the time at which we start report generation; it could be delivered upwards of two hours later). The times are relative to the user's home time zone. Finally, the Report Contents option allows you to stop sending empty reports to your users if certain email addresses do not collect any SPAM during the reporting period you set above. This is a very convenient feature but not a very recommended one, because users tend to complain and request support when they don't see all their email addresses in the list. The Time Zone setting, as the name implies, is the default time zone for your organization.

SMTP Dump
The SMTP Dump process was outlined above; it allows us to provision all your users and enforce your policies. Just cut and paste the SMTP dump into this section. Activations is a convenience we offer: we send all of your users welcome emails on your behalf, informing them of their new ExchangeDefender account and how to use it. It is highly recommended to let us activate all users on your behalf, with a random password.

LiveArchive Business Continuity
The LiveArchive setting allows us to provision all of your users' accounts on our LiveArchive standby network. We recommend you enable this setting by default because, even though it can usually be enabled later, nobody remembers it until something breaks. You can access LiveArchive at https://archive.exchangedefender.com with your ExchangeDefender email address and password (it can take over an hour for ExchangeDefender LiveArchive to start spooling mail once activated).

Text and HTML Signatures
Signatures, or disclaimers, are organization-wide settings that are applied to the bottom of every outgoing message.

Configure IP Restrictions


IP restrictions play an important part in ExchangeDefender deployment because they force spammers and hackers to deal with ExchangeDefender instead of your own mail server. Mail servers are programmed to perform an MX lookup and send the message to the designated mail server; spammers, hackers, trojans and worms, on the other hand, scan IP ranges and attempt to deliver mail to any open SMTP port on the network. Enforcing IP restrictions tells your mail server to accept messages only from ExchangeDefender.

Your mail server should only accept SMTP connections from the following IP subnets:

65.99.192.0 / 255.255.255.0
65.99.255.0 / 255.255.255.0
64.182.164.0 / 255.255.255.0
64.182.133.0 / 255.255.255.0
70.84.106.0 / 255.255.255.0
72.29.99.0 / 255.255.255.0
216.123.109.0 / 255.255.255.0
64.182.140.0 / 255.255.255.0
64.182.139.0 / 255.255.255.0

Please note that these are class C address blocks (/24 subnet mask) and every address in each range can be used to send ExchangeDefender mail. Please do not enter single IP addresses in your access lists; you must accept connections from every IP address in the ranges listed above.
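Before locking the access list down on the SMTP virtual server or firewall, it is worth auditing recent connection sources against the ranges above to see what would be cut off. The script below is an added example, not part of the guide or of any ExchangeDefender tool: it turns the "network / mask" pairs listed above into /24 networks, then classifies the source address of each connection as allowed (inside an ExchangeDefender range or an explicit internal exception such as a fax relay) or rejected. The sample log lines and the internal fax address are constructed for illustration; the log format is an assumption.

```python
"""Audit inbound SMTP connection sources against the ExchangeDefender ranges.

Added example, not the guide's or ExchangeDefender's own code. The subnets
are the nine listed in the guide; the sample log lines and the internal
device address below are constructed, and the log format is an assumption.
"""
import ipaddress
import re

# "network / mask" pairs exactly as the guide lists them
EXCHANGEDEFENDER_RANGES = [
    "65.99.192.0 / 255.255.255.0",
    "65.99.255.0 / 255.255.255.0",
    "64.182.164.0 / 255.255.255.0",
    "64.182.133.0 / 255.255.255.0",
    "70.84.106.0 / 255.255.255.0",
    "72.29.99.0 / 255.255.255.0",
    "216.123.109.0 / 255.255.255.0",
    "64.182.140.0 / 255.255.255.0",
    "64.182.139.0 / 255.255.255.0",
]


def parse_ranges(entries):
    """Turn 'network / mask' strings into ipaddress networks (all /24 here).

    strict=True raises if a listed network has host bits set, which would
    indicate a typo in the access list rather than a real block.
    """
    nets = []
    for entry in entries:
        network, mask = (part.strip() for part in entry.split("/"))
        nets.append(ipaddress.ip_network(f"{network}/{mask}", strict=True))
    return nets


ALLOWED = parse_ranges(EXCHANGEDEFENDER_RANGES)


def is_allowed(source_ip, extra_hosts=()):
    """True if source_ip is inside an ExchangeDefender /24 or is one of the
    internal devices (fax/copier relays) that must keep talking SMTP."""
    addr = ipaddress.ip_address(source_ip)
    if str(addr) in set(extra_hosts):
        return True
    return any(addr in net for net in ALLOWED)


# Constructed sample lines: "<timestamp> SMTP connect from <ip>"
SAMPLE_LOG = """\
2024-01-10T09:12:01 SMTP connect from 65.99.192.44
2024-01-10T09:12:07 SMTP connect from 198.51.100.23
2024-01-10T09:12:09 SMTP connect from 192.168.1.50
2024-01-10T09:12:15 SMTP connect from 64.182.139.250
"""

INTERNAL_DEVICES = {"192.168.1.50"}  # constructed: an internal fax relay


def audit_log(text, extra_hosts=INTERNAL_DEVICES):
    """Return (ip, allowed) for each connection line, in log order."""
    pattern = re.compile(r"connect from (\d+\.\d+\.\d+\.\d+)")
    results = []
    for line in text.splitlines():
        match = pattern.search(line)
        if match:
            ip = match.group(1)
            results.append((ip, is_allowed(ip, extra_hosts)))
    return results


if __name__ == "__main__":
    for ip, ok in audit_log(SAMPLE_LOG):
        verdict = "allowed" if ok else "REJECT (bypasses ExchangeDefender)"
        print(f"{ip:16} {verdict}")
```

Any source that shows up as a reject is either a sender that has not yet picked up the new MX record (wait for propagation, as the note below the screenshots says) or a device that belongs in the internal exception list; nothing else should be talking SMTP to the server directly.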

We recommend you place IP restrictions on your firewall; however, because there are so many different firewalls in use, we will show you how to make these restrictions directly on Microsoft Exchange 2003. First, open your Microsoft Exchange System Manager and navigate down to the Default SMTP Virtual Server:

IP Restrictions

Click on the Access tab and then click on the Connection button under the Connection control section.

IP Restrictions

On the Connection screen select Only the list below to restrict your connections to ExchangeDefender network only. Click on Add to add individual ranges to your access list.

IP Restrictions

Type in address ranges one at a time. Select Group of computers and type in the IP block along with the subnet mask (255.255.255.0).

IP Restrictions

When you are done entering all IP address ranges your screen will look like the one shown below.

Note: If you have any internal mail servers that need to communicate with your SMTP server on port 25, make sure you add their IP addresses here. This is common for local fax/copier machines that use the Exchange server to relay messages. Individual computers should not be on this list because they use MAPI to connect to Exchange via Outlook, not SMTP.

IP Restrictions

Note: IP restrictions should be configured only several days after ExchangeDefender has been provisioned, to allow DNS changes (MX record propagation) to take place. Configuring the IP restrictions immediately will result in delayed, and perhaps eventually returned, messages. Please allow the DNS changes to propagate (at least 24-72 hours) before enforcing these restrictions.

Internal Routing Best Practices


Internal routing best practices depend on your internal topology and mail configuration. For most organizations, where the mail server sits on the same subnet as all the computers on the network, a firewall needs to be considered.

At the very least you should program IP restrictions on inbound mail so that your mail server can be contacted only by ExchangeDefender. This forces remote parties to go through ExchangeDefender and be screened/filtered for inappropriate content.

Likewise, you should only allow outbound SMTP connections from your Exchange server to our outbound.exchangedefender.com network. Doing so limits the scope of damage a single computer on your network can cause if it becomes compromised and part of a botnet. This restriction keeps it from attaching to remote SMTP servers and getting your IP address on a blacklist.

Finally, you should consider internal firewall rules on SMTP communications. If you are primarily a Microsoft-software organization, keep in mind that your computers do not use SMTP to communicate with your Exchange server; they rely on the MAPI protocol. So it stands to reason that SMTP conversations on your intranet should only be allowed from SMTP-enabled devices that send alerts (or faxes, documents, scans) via SMTP. Putting these restrictions in place is quick and painless and limits the scope of damage these systems could eventually do.

Private SMTP Connectors


There may be partner organizations or external branch offices (external in the logical sense, i.e. outside your Active Directory domain or forest) to which you need to route SMTP mail without passing the messages through ExchangeDefender. This may be for trust purposes, to reduce latency, or just to establish a separate path for internal mail. Whatever the reason, this is fully supported by ExchangeDefender.

Below is the Connector properties screen; just add the domain name and set this connector to use DNS instead of a smarthost. Also remember to allow the other server's IP address in your connection list so these connections can be established if both servers are protected by ExchangeDefender.

Private SMTP Connector

Support For Multihomed Connections (Multiple inbound IPs)


ExchangeDefender supports multihomed SMTP servers. Whether through BGP4 routing for larger organizations or through multiple cable & DSL connections for smaller organizations, ExchangeDefender can deliver messages to multiple address ranges.

One important thing to remember is that, for the purpose of failover, load balancing or active-active connections, ExchangeDefender expects to hand off mail to an MX record, not an A record. Since your default zone MX record points to ExchangeDefender (inbound30.exchangedefender.com), you need to create an alternate MX record for the two connections.

First, create a host (A) record for each connection. Then create a child MX record (for example, office.testdomain.org) and set the primary mail exchanger (MX 10) to the first connection and the secondary (MX 20) to the second connection. Then tell ExchangeDefender to deliver messages to office.testdomain.org and you're done.

This method is important for a number of reasons. First, it establishes the order in which IP addresses will be tried. Second, it establishes an MX record that can be cached by our nodes, so delivery can continue even if your DNS service goes down.
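The two DNS rules in this guide, a single MX at the zone apex pointing at inbound30.exchangedefender.com by name (from "Change Your MX Record") and a child MX with ordered preferences for a multihomed hand-off (this section), can both be checked against a zone before cutover. The script below is an added example, not the guide's or ExchangeDefender's own code: it models a zone as a list of records, sorts the child MX entries the way a sending MTA tries them, and flags the mistakes the guide warns about (extra or fallback MX records, an MX pointing at an IP address, an exchanger with no A record). The zone fragment is constructed to match the guide's scenario; the A-record addresses are documentation placeholders, not real connections.

```python
"""Check the DNS records the guide asks for before cutting over.

Added example, not the guide's or ExchangeDefender's own code. The zone
fragment is constructed: testdomain.org with a single MX to ExchangeDefender
and a child office.testdomain.org with MX 10 / MX 20 for two connections.
The A-record IPs are documentation placeholders, not real addresses.
"""

EXPECTED_MX = "inbound30.exchangedefender.com"  # from the guide

# Constructed zone fragment: (owner, type, preference_or_None, value)
ZONE = [
    ("testdomain.org", "MX", 10, EXPECTED_MX),
    ("isp1.testdomain.org", "A", None, "192.0.2.10"),
    ("isp2.testdomain.org", "A", None, "198.51.100.10"),
    ("office.testdomain.org", "MX", 10, "isp1.testdomain.org"),
    ("office.testdomain.org", "MX", 20, "isp2.testdomain.org"),
]


def mx_records(zone, name):
    """MX (preference, exchanger) pairs for `name`, lowest preference first."""
    mx = [(pref, value) for owner, rtype, pref, value in zone
          if rtype == "MX" and owner == name]
    return sorted(mx, key=lambda rec: rec[0])


def looks_like_ip(value):
    """Crude IPv4 literal test, enough to catch an MX that was given an IP."""
    parts = value.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def check_apex_mx(zone, domain):
    """The guide's rule: exactly one MX, pointing at ExchangeDefender by name."""
    problems = []
    mx = mx_records(zone, domain)
    if len(mx) != 1:
        problems.append(f"{domain} has {len(mx)} MX records; expected exactly one")
    for pref, host in mx:
        if looks_like_ip(host):
            problems.append(f"MX {pref} points at IP {host}; must be a host name")
        elif host != EXPECTED_MX:
            problems.append(f"MX {pref} {host} is not {EXPECTED_MX}")
    return problems


def delivery_order(zone, name):
    """(preference, exchanger, ip) in the order a sender will try them.

    An exchanger without an A record gets ip=None so the gap is visible.
    """
    a_records = {owner: value for owner, rtype, _, value in zone if rtype == "A"}
    return [(pref, host, a_records.get(host)) for pref, host in mx_records(zone, name)]


def check_child_mx(zone, name):
    """Multihomed rules: two or more exchangers, distinct preferences, and
    each exchanger backed by an A record (the hand-off target is an MX, not an A)."""
    order = delivery_order(zone, name)
    problems = []
    if len(order) < 2:
        problems.append(f"{name} has fewer than two MX records; no failover path")
    prefs = [pref for pref, _, _ in order]
    if len(set(prefs)) != len(prefs):
        problems.append(f"{name} has duplicate MX preferences; try order is undefined")
    for pref, host, ip in order:
        if ip is None:
            problems.append(f"MX {pref} {host} has no A record")
    return problems


if __name__ == "__main__":
    print("apex:", check_apex_mx(ZONE, "testdomain.org") or "OK")
    for pref, host, ip in delivery_order(ZONE, "office.testdomain.org"):
        print(f"  try MX {pref:<3} {host:<24} -> {ip}")
    print("child:", check_child_mx(ZONE, "office.testdomain.org") or "OK")
```

To use it against a real zone, replace the ZONE list with the records exported from your name server and the child name with the one you gave ExchangeDefender under Advanced Settings; an empty problem list for both checks means the hand-off order is what you intended.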