Sunday, November 05, 2006

Preventing Open Relay with Postini

To help in the war against spam I would recommend using Postini.com as a
front line defense for your mail server.

First lock down your firewall's inbound SMTP port (25) to only accept
mail from Postini's servers.
Their IP information is:
CIDR: 64.18.0.0/20
NetRange: 64.18.0.0 - 64.18.15.255, subnet mask 255.255.240.0

Second to prevent internal clients that happened to click on the latest
mailer virus from using your server to relay to the internet. Open
Exchange System Manager > Servers > SERVERNAME >Protocols > SMTP >
Properties of Default SMTP Virtual Server > Access Tab > Connections.
Check "Only the list below". Add 64.18.0.0 (255.255.255.240.0),
127.0.0.1, THE SERVER'S IP, and any other permitted devices to relay.

Third if you sign up for Postini's outbound scanning service. I am in
the process of doing this but the basic steps are: Configure Exchange to
forward all mail to Postini's servers. Configure your firewall's
outbound SMTP port (25) to only go to Postini's network (listed above)
from your Exchange server's IP address.

What has been done is all inbound and outbound communication thru your
firewall will only be between Postini and your Exchange server. Also
internally only trusted devices can relay.

No comments: