Symantec Messaging Gateway (SMG) - Best Practices: New Deployments.

Article:TECH122730  |  Created: 2010-01-26  |  Updated: 2012-08-15  |  Article URL http://www.symantec.com/docs/TECH122730
Article Type
Technical Solution


Issue



You are planning to deploy a new architecture with Symantec Messaging Gateway (SMG) appliances and want to know the best practices.

Before deploying new mail gateways, some steps are required in order to make the new environment a trusted source of mail.

Today, due to the high volume of spam, ISPs and companies have become very strict about accepting mail from new sources.


This document outlines the steps that are necessary to make sure you meet the standards required by some ISPs and by companies in general.


Solution



Physical Location

If you are going to deploy multiple SMG hosts, Symantec suggests that all of them be placed within the same geographical location.

If SMG hosts must be deployed in different remote locations and communication issues occur between hosts (outdated statistics, timeouts, host status not available in the GUI), it is suggested to have one Control Center at each location.


DNS Records

Make sure you have DNS records for the Symantec Messaging Gateway scanners. Most ISPs and companies rely on accurate DNS information, so make sure the hostnames in your DNS match the MTA hostname on the Symantec Messaging Gateway scanners.
Keep in mind that the hostname and the MTA hostname of a Symantec Messaging Gateway appliance can be different. The MTA hostname is the one used to validate the MX record, and it can be easily changed.

You must have at least two MX records, and a proper A and PTR record for each host that will handle email.

For more information about where to configure the MTA hostname (per SMG scanner host) please check this article:

Some outbound messages are not delivered to certain domains due to mismatched host name
http://www.symantec.com/docs/TECH94715

To find out your domain's MX record you can run nslookup:
> nslookup -type=mx example.com
Server: dnsserver.example.com
Address: 192.168.1.1

example.com MX preference = 10, mail exchanger = mx.example.com

DNS records for each host
Each hostname must have a proper A and PTR record in your DNS. To make sure you have the proper entries, you can use nslookup.

The following commands must return the same results for each host that you query:

> nslookup mx.example.com (this command will ask if we have an A record against the hostname mx.example.com)
Server: dnsserver.example.com
Address: 192.168.1.1

Name: mx.example.com
Address: 10.10.10.2

> nslookup 10.10.10.2 (this command will ask if we have a PTR record against the IP address 10.10.10.2)
Server: dnsserver.example.com
Address: 192.168.1.1

Name: mx.example.com
Address: 10.10.10.2

NOTE: This means that host mx.example.com resolves to IP 10.10.10.2 and the opposite is also true: the IP 10.10.10.2 resolves back to mx.example.com.
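
The same A/PTR agreement check, applied to every MX host at once, as an added example (not part of the original article or of any Symantec tooling). The function names and the sample zone data are constructed for illustration; live_a and live_ptr use the system resolver, and the hostnames you pass in should be the MTA hostnames published in your MX records.

```python
import socket

def live_a(host):
    """Forward lookup (A records) through the system resolver."""
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except OSError:
        return set()

def live_ptr(ip):
    """Reverse lookup (PTR record) through the system resolver."""
    try:
        return {socket.gethostbyaddr(ip)[0]}
    except OSError:
        return set()

def norm(name):
    # DNS names are case-insensitive and may carry a trailing dot.
    return name.rstrip(".").lower()

def audit(mx_hosts, resolve_a=live_a, resolve_ptr=live_ptr):
    """Return a list of findings; an empty list means the records agree."""
    findings = []
    if len(mx_hosts) < 2:
        findings.append("fewer than two MX records")
    for host in mx_hosts:
        ips = resolve_a(host)
        if not ips:
            findings.append(f"{host}: no A record")
        for ip in sorted(ips):
            names = {norm(n) for n in resolve_ptr(ip)}
            if not names:
                findings.append(f"{host}: {ip} has no PTR record")
            elif norm(host) not in names:
                findings.append(f"{host}: {ip} PTR is {', '.join(sorted(names))}")
    return findings

# Constructed sample zone data (hypothetical, not from a real deployment).
A = {"mx.example.com": {"10.10.10.2"}, "mx2.example.com": {"10.10.10.3"},
     "mx3.example.com": {"10.10.10.4"}}
PTR = {"10.10.10.2": {"mx.example.com."},
       "10.10.10.3": {"smg02.internal.example.com"}}

def sample_audit(mx_hosts):
    """Run the audit against the constructed records instead of live DNS."""
    return audit(mx_hosts, lambda h: A.get(h, set()), lambda ip: PTR.get(ip, set()))

if __name__ == "__main__":
    hosts = ["mx.example.com", "mx2.example.com", "mx3.example.com"]
    for line in sample_audit(hosts) or ["all records agree"]:
        print(line)
```

Calling audit() with only a list of hostnames runs the same checks against live DNS through the system resolver.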

SPF records

Sender Policy Framework (SPF) helps protect against email forgery, and it is highly recommended that you publish DNS records for it.
For more information and details about how to set these records up, please check the following links:

Sender Policy Framework (SPF) Introduction
http://www.openspf.org/Introduction

SPF - Record Syntax
http://www.openspf.org/SPF_Record_Syntax

SPF - Setup Wizard
http://old.openspf.org/wizard.html

Sender ID records

Sender ID Overview Page
http://www.microsoft.com/mscorp/safety/technologies/senderid/default.mspx/

Sender ID Framework SPF Record Wizard
http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

NOTE: This technology is DNS-based and it will help maintain your sender reputation. Symantec Messaging Gateway also supports it: the setting is found under Spam -> Settings -> Sender Authentication tab, where the same check is performed against other external domains.

Enable outbound spam scanning on Symantec Messaging Gateway

By default, Symantec Messaging Gateway does not enable antispam scanning for outbound traffic. However, there are some cases where enabling it might help mitigate previously unknown threats going from your internal network out to the Internet.

To enable outbound spam scanning, please follow these steps:

  1. Login to the Control Center
  2. Navigate to Administration -> Users -> Groups
  3. On the right-hand side click on "Default"
  4. Navigate to the Spam TAB
  5. Check the box "Enable outbound email spam scanning for this group"
  6. Using the dropdown lists available, select the appropriate policies for Spam and Suspected Spam
    NOTE: These policies can be customized under the "Spam" tab of the product later if needed.
  7. Click Save
     

This setting can be enabled per group, so it is possible to enable it only for a set of addresses/users. For an example, please check this article to see how to whitelist users if needed:
How to whitelist outbound traffic when you have email spam scanning enabled for outbound messages
http://www.symantec.com/docs/TECH96506

Other Symantec Messaging Gateway (SMG) Best practice articles

Symantec Brightmail Gateway/Symantec Messaging Gateway and Cisco PIX firewalls

http://www.symantec.com/docs/TECH92486

Symantec Messaging Gateway (SMG) - Best Practices: Spam Control
http://www.symantec.com/docs/TECH90043

Symantec - IP Reputation Investigation
http://ipremoval.sms.symantec.com/lookup


Technical References

Here you can find tools and guidelines that will help you solve issues around deployments.

Postmaster & SMTP Error Code Resources

Yahoo Mail SMTP Error Codes
http://help.yahoo.com/l/us/yahoo/mail/postmaster/errors/;_ylt=AgjG.HjzHefhFptnWLagInBvMiV4

AOL SMTP Error Messages
http://postmaster.aol.com/Postmaster.Errors.html

Windows Live & Hotmail Mail Troubleshooting (includes SMTP Error Codes)
http://mail.live.com/mail/troubleshooting.aspx

Delivery status notifications in Exchange Server and in Small Business Server
http://support.microsoft.com/kb/284204

DNS and Open Relay testing tools

intoDNS
http://www.intodns.com

MXToolbox
http://www.mxtoolbox.com/

Mail relay testing
http://www.abuse.net/relay.html

Blacklist removal and bulk senders guidelines

Gmail - Bulk Senders Guidelines
http://mail.google.com/support/bin/answer.py?hl=en&answer=81126

AOL - Sender Best Practices and Whitelist guides
http://postmaster.aol.com/guidelines/bulksenderbp.html
http://postmaster.aol.com/tools/whitelist_guides.html

Yahoo - Mail Bulk Sender Form
http://help.yahoo.com/l/us/yahoo/mail/postmaster/bulkv2.html


NOTE: All the links provided here are for reference only. They might be changed or removed without warning, and Symantec is not responsible for that.





 

 



Legacy ID



2010012610451754

