Symantec Messaging Gateway (SMG) - Best Practices: New Deployments.
Article: TECH122730 | Created: 2010-01-26 | Updated: 2012-08-15 | Article URL: http://www.symantec.com/docs/TECH122730
You are planning to deploy a new architecture with Symantec Messaging Gateway (SMG) appliances and want to know the best practices.
Before deploying new mail gateways, some steps are required to make the new environment a trusted source of mail.
Today, due to the high volume of spam, ISPs and companies have become very strict about accepting mail from new sources.
This document outlines some steps that are necessary to make sure you meet the standards required by some ISPs and by companies in general.
If you are going to deploy multiple SMG hosts, Symantec suggests that all of them be placed within the same geographical location.
If SMG hosts must be deployed in different remote locations and communication issues occur between hosts (outdated statistics, timeouts, host status not available in the GUI), it is suggested to have one Control Center in each location.
Make sure you have DNS records for the Symantec Messaging Gateway scanners. Most ISPs and companies rely on this information being accurate, so make sure the hostnames in your DNS match the MTA hostname on the Symantec Messaging Gateway scanners.
Keep in mind that the hostname and the MTA hostname of a Symantec Messaging Gateway appliance can differ. The MTA hostname is the one used to validate the MX record, and it can be easily changed.
You must have at least two MX records, and a proper A and PTR record for each host that will handle email.
For more information about where to configure the MTA hostname (per SMG scanner host) please check this article:
Some outbound messages are not delivered to certain domains due to mismatched host name
To find out your domain's MX record you can run nslookup:
> nslookup -type=mx example.com
example.com MX preference = 10, mail exchanger = mx.example.com
DNS records for each host
Each hostname must have a proper A and PTR record in your DNS. To make sure you have proper entries, you can use nslookup.
The following commands must return matching results for each host that you query:
> nslookup mx.example.com (this command asks whether there is an A record for the hostname mx.example.com)
> nslookup 10.10.10.2 (this command asks whether there is a PTR record for the IP address 10.10.10.2)
NOTE: This means that the host mx.example.com resolves to the IP 10.10.10.2 and the opposite is also true: the IP 10.10.10.2 resolves back to mx.example.com.
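The following Python is an added example (not part of the original Symantec article) that automates the checks above: at least two MX hosts, an A record for each, a PTR record that resolves back to the same name, and an MTA hostname that matches an MX host. The MX host list is passed in by hand (for example, copied from the nslookup -type=mx output); the names mx2.example.com, smg2.example.com and host3.example.com and the sample records are constructed for illustration.

```python
import socket

def live_a(host):
    """Forward lookup (A records) through the system resolver."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []

def live_ptr(ip):
    """Reverse lookup (PTR record) through the system resolver."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except OSError:
        return []

def norm(name):
    return name.rstrip(".").lower()

def audit(mx_hosts, mta_hostnames, resolve_a=live_a, resolve_ptr=live_ptr):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    mx = {norm(h) for h in mx_hosts}
    if len(mx) < 2:
        findings.append("fewer than two MX records")
    for host in sorted(mx):
        ips = resolve_a(host)
        if not ips:
            findings.append(f"{host}: no A record")
        for ip in ips:
            ptrs = {norm(p) for p in resolve_ptr(ip)}
            if not ptrs:
                findings.append(f"{host}: {ip} has no PTR record")
            elif host not in ptrs:
                findings.append(f"{host}: {ip} resolves back to {sorted(ptrs)}")
    for mta in sorted({norm(m) for m in mta_hostnames} - mx):
        findings.append(f"{mta}: MTA hostname does not match any MX host")
    return findings

# Constructed sample data (not real DNS): mx2 has a mismatched PTR record.
A = {"mx.example.com": ["10.10.10.2"], "mx2.example.com": ["10.10.10.3"]}
PTR = {"10.10.10.2": ["mx.example.com."], "10.10.10.3": ["host3.example.com."]}

def sample_audit():
    return audit(["mx.example.com", "mx2.example.com"], ["mx.example.com", "smg2.example.com"],
                 lambda h: A.get(h, []), lambda ip: PTR.get(ip, []))

if __name__ == "__main__":
    print("\n".join(sample_audit()))
```

Calling audit() without the last two arguments runs the same checks against live DNS through the system resolver.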
Sender Policy Framework (SPF) helps protect against email forgery, and it is highly recommended to have DNS records for it.
For more information and details about how to set these records up, please check the following links:
Sender Policy Framework (SPF) Introduction
SPF - Record Syntax
SPF - Setup Wizard
Sender ID records
Sender ID Overview Page
Sender ID Framework SPF Record Wizard
NOTE: This technology is DNS-based and it will help maintain your sender reputation. Symantec Messaging Gateway also supports this technology, under Spam -> Settings -> Sender Authentication tab, where the same check is performed against other external domains.
Enable outbound spam scanning on Symantec Messaging Gateway
By default, Symantec Messaging Gateway does not enable antispam scanning for outbound traffic. However, there are some cases where this might help mitigate previously unknown threats coming from your internal network out to the Internet.
To enable outbound spam scanning, please follow these steps:
- Log in to the Control Center
- Navigate to Administration -> Users -> Groups
- On the right-hand side click on "Default"
- Navigate to the Spam tab
- Check the box "Enable outbound email spam scanning for this group"
- Using the dropdown lists available, select the appropriate policies for Spam and Suspected Spam
NOTE: These policies can be customized under the "Spam" tab of the product later if needed.
- Click Save
This setting can be enabled per group, so if you want, it is possible to enable it only for a set of addresses/users. For an example, please check this article to see how you would whitelist users if needed:
How to whitelist outbound traffic when you have email spam scanning enabled for outbound messages
Other Symantec Messaging Gateway (SMG) Best practice articles
Symantec Brightmail Gateway/Symantec Messaging Gateway and Cisco PIX firewalls
Symantec Messaging Gateway (SMG) - Best Practices: Spam Control
Symantec - IP Reputation Investigation
Here you can find tools and guidelines that will help you solve issues around deployments.
Postmaster & SMTP Error Code Resources
Yahoo Mail SMTP Error Codes
AOL SMTP Error Messages
Windows Live & Hotmail Mail Troubleshooting (includes SMTP Error Codes)
Delivery status notifications in Exchange Server and in Small Business Server
DNS and Open Relay testing tools
Mail relay testing
Blacklist removal and bulk senders guidelines
Gmail - Bulk Senders Guidelines
AOL - Sender Best Practices and Whitelist guides
Yahoo - Mail Bulk Sender Form
NOTE: All the links provided here are just for reference. They might be changed or removed without warning, and Symantec will not be responsible for that.