MXToolbox - IT Managed Services

Lock Down Procedures

Note: Any changes to mail server configuration should be made at the discretion of your mail administrator. We do not support mail server configuration.

Why do we highly recommend you lock your server down?

Your server may be open for anyone in the world to establish an SMTP (Port 25) connection for inbound/outbound mail delivery. Locking down your server to only accept port 25 connections from our IP range ensures all inbound/outbound mail must be filtered through us before reaching your server. In effect, you can gain significant security advantages by taking your server off of the “public” Internet. As a more practical matter, spammers very often attempt to bypass your MX records and send spam and viruses directly to your server. This will inevitably allow some spam to “leak through” to your end users.

Note: If your company uses a fax, copier, web form, etc. that sends to your server from an external IP, you may also want to add that IP to the list of trusted ranges. As always, adding any additional IP ranges to the trusted list does open a hole in your security, so this should only be done as a last resort.

There are two equally effective ways of accomplishing the objective:

  1. You can configure your mail server to not accept incoming port 25 connections from any network except ours.
  2. You can configure your firewall to not accept incoming port 25 connections from any network except Postini.

This document only provides instructions for the former option, on a Microsoft Exchange 2003 server. Otherwise, you should consult your mail server or firewall documentation.

Our IP range is as follows:

208.123.79.0/24

and

64.18.0.0/20

Alternately you can phrase it as:

Subnet IP: 208.123.79.0 with mask: 255.255.255.0

and

Subnet IP: 64.18.0.0 with mask: 255.255.240.0

Procedure Overview for Exchange 2003

  1. Select the Start Menu -> Programs -> Microsoft Exchange -> System Manager
  2. Expand the top level -> Servers -> Your Mail Server -> Protocols -> SMTP
  3. Right-click on Default SMTP Virtual Server & select Properties.
  4. Click on the Access tab
  5. Click on the Connection button.
  6. Click on the Add button and add the Postini IP ranges for your system.
  7. Check the "Only the list below" checkbox.
  8. Click Add, select group of computers, and enter the following:

     Subnet IP: 208.123.79.0 with mask: 255.255.255.0

     and

     Subnet IP: 64.18.0.0 with mask: 255.255.240.0

  9. Click OK to get back to the Access tab and click on OK to close the dialog.

Note: If you have mobile / remote users who use your server as an Outbound SMTP server, this configuration will not work. You should consider other ways your remote users can send through your server, such as Outlook Web Access, VPN software or RPC over HTTP. Otherwise you should change your mobile users’ client configurations to send email through their ISP or other SMTP gateway service.

Note: Once this configuration has been completed, please email support@mxtoolbox.com so we can test the configuration.
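As an added example (not MxToolbox's own tooling): once "Only the list below" is in effect, the SMTP virtual server's log should show client addresses only from the two ranges above, and this Python script reports any that fall outside them. It assumes W3C Extended logging is enabled with the c-ip field; the function names are hypothetical and the log lines are constructed samples.

```python
import ipaddress

# Trusted ranges exactly as listed on this page (subnet IP / mask).
TRUSTED = [
    ipaddress.ip_network("208.123.79.0/255.255.255.0"),
    ipaddress.ip_network("64.18.0.0/255.255.240.0"),  # 64.18.0.0 - 64.18.15.255
]

def is_trusted(ip, extra=()):
    """True if ip is inside a trusted range or an extra allowed network."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on bad input
    nets = TRUSTED + [ipaddress.ip_network(e) for e in extra]
    return any(addr in net for net in nets)

def untrusted_clients(log_lines, extra=()):
    """Return {client_ip: line_count} for log entries from outside the ranges.

    Column order is taken from the log's own #Fields header.
    """
    fields, hits = [], {}
    for line in log_lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or "c-ip" not in fields:
            continue
        ip = dict(zip(fields, line.split())).get("c-ip")
        try:
            if not is_trusted(ip, extra):
                hits[ip] = hits.get(ip, 0) + 1
        except ValueError:  # missing or malformed address column
            hits["<unparseable>"] = hits.get("<unparseable>", 0) + 1
    return hits

# Constructed sample log; 203.0.113.77 is a documentation address.
SAMPLE = """#Fields: date time c-ip cs-method cs-uri-query sc-status
2009-03-02 10:15:01 64.18.15.254 EHLO - 250
2009-03-02 10:15:09 64.18.16.1 EHLO - 250
2009-03-02 10:16:44 208.123.79.12 MAIL - 250
2009-03-02 10:17:20 203.0.113.77 EHLO - 250
2009-03-02 10:17:21 203.0.113.77 MAIL - 250
""".splitlines()

if __name__ == "__main__":
    for ip, n in sorted(untrusted_clients(SAMPLE).items()):
        print(f"{ip}: {n} log line(s) from outside the trusted ranges")
```

The `extra` argument covers the case from the earlier note where a fax, copier or web form has been deliberately added to the trusted list.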

Note: After lock down has been tested you are ready to move on to adding your IP to the Outbound Relay (Smarthost) List:

Outbound Relay (Smarthost) for Exchange 2003

Outbound Relay (Smarthost) for Exchange 2007

Please let us know if you need anything else by emailing us at support@mxtoolbox.com, calling us at 866-MxToolBox or you can open a Service Ticket on the web by visiting: http://mxtoolbox.com/support.aspx.
