Chapter 24 Configuring Outbound Servers : Setting Up Outbound Filtering
Setting Up Outbound Filtering
Steps for setting up outbound filtering are different for each mail server. For instructions specific to your mail server, see the Outbound Services Configuration Guide.
There are four steps to activate outbound mail filtering:
1.
Configure reinjection on at least one of your mail servers.
Configure your mail server and firewall to accept email only from the message security service. This is called a private relay. Your reinjection host needs to accept all email from the message security service’s outbound servers. From your server’s perspective, the message security service’s delivery servers should be considered a trusted server. Allow relaying only from the message security service’s IP range and other trusted relay servers.
Important: See About Reinjection for details on reinjection.
If you have multiple mail servers, specify which server (or servers) will act as the reinjection host, and be sure that server can route mail back to the message security service.
Following are IP ranges:
To determine the system for your account: Your system number is shown the URL when you log in to the Administration Console or Message Center. The system number is prefaced by “ac-s” or “mc-s”, for example:
URL displayed for an account on System 8 when logged in to the Administration Console: 
https://ac-s8.postini.com/exec/adminstart?
URL displayed for an account on System 200 when logged in to the Message Center: 
https://mc-s200.postini.com/app/msgctr/junk_quarantine\
Important: For system 20 customers, both sets of IP ranges are applicable.
System
IP Range
CIDR Range
IP/Subnet Mask Pair
5, 6, 7, 8, 20
64.18.0.0 - 64.18.15.255
64.18.0.0/20
64.18.0.0
mask 255.255.240.0
9
74.125.148.0 - 74.125.151.255
74.125.148.0/22
74.125.148.0
mask 255.255.252.0
10
74.125.244.0 - 74.125.247.255
74.125.244.0/22
74.125.244.0
mask 255.255.252.0
11, 20, 200, 201
207.126.144.0 - 207.126.159.255
207.126.144.0/20
207.126.144.0
mask 255.255.240.0
Contact your vendor for support and tips on setting up reinjection for your specific type of server.
Ensure that you are not an Open Relay (a machine that will accept email from anyone) by testing to see if an external IP can send an email through your reinjection host. You should see an error similar to “relaying denied.”
2.
Configure your sending server’s SMTP timeout to 15 minutes (recommended).
Extend the timeout on your outbound server for delivering email. We recommend a 15-minute timeout. This provides Outbound with some flexibility to handle slow receiving mail servers.
For step-by-step instructions for configuring timeouts, contact your vendor for support and tips on configuring your specific type of server.
3.
Add sending service IP addresses to the Outbound Servers tab.
Log in to the Administration Console. Select your email config and go to the Outbound Servers tab.
Click Add Record and enter the following data.
 
Accepted IP Ranges
Enter a starting and ending IP for your email services address range. Be sure to use external IP addresses.
When you send outbound email to the message security service for filtering, we need to know the external IP address range of your servers that are sending us email so that we can accept those messages. Outbound Services will reject all outbound mail unless the IP address is listed.
The address range must be within a single class C address space. The IP range must be sequential. If you have non-sequential IPs, just add multiple records.
If you have only one IP address, enter that IP address in both fields.
When you save your IP range, Outbound Services will test to be sure that your IP addresses are unique.
Reinjection Host
Enter the IP address of your reinjection host.
This should be the IP address of a mail server that will accept mail from the message security service and relay that mail back out again.
You can enter multiple reinjection hosts, and specify a load balance between them. You can also specify failover servers for reinjection. Normally, this is not necessary and these fields can be left blank.
You can also enter a hostname for the reinjection server instead of an IP address. However, you should not do so if the reinjection server has an MX record that routes mail back to the message security service. Use the IP range instead.
Note: Enabling a reinjection host usually requires special configuration. For instructions specific to your mail server, see the Outbound Services Configuration Guide.
If your mail server has not been set up to allow Outbound Services to act as a private relay, you’ll need to configure your mail server before you can proceed.
Click the Save button.
Outbound services will test your reinjection host. If your mail server has not been set up to allow Outbound Services to act as a private relay, you’ll need to configure your mail server before you can proceed.
If you have more than one outbound server IP range, add additional records.
4.
Configure a smarthost (or private DNS) on your sending servers.
Once you’ve set up a reinjection host and added the IP range to the Administration Console, redirect your mail to the message security service by setting up a smarthost. Smarthost is a common term for a server that accepts outbound mail and passes it on to the recipient.
Before you make changes, be sure to note your old settings in case problems occur. If there are problems with setup, mail flow can be delayed or interrupted.
The hostnames used in smarthost configuration depend on your system in the email protection service. Your system number is shown the URL when you log in to the Administration Console or Message Center. The system number is prefaced by “ac-s” or “mc-s”, for example:
URL displayed for an account on System 8 when logged in to the Administration Console:
https://ac-s8.postini.com/exec/adminstart?
URL displayed for an account on System 200 when logged in to the Message Center:
https://mc-s200.postini.com/app/msgctr/junk_quarantine
Hostnames for smarthosts:
System
Hostname
5
outbounds5.obsmtp.com
(previously named: outbound1.obsmtp.com)
6
outbounds6.obsmtp.com
(previously named: outbound3.obsmtp.com)
7
outbounds7.obsmtp.com
(previously named outbound5.obsmtp.com)
8
outbounds8.obsmtp.com
9
outbounds9.obsmtp.com
10
outbounds10.obsmtp.com
11
outbounds11.obsmtp.com
20
outbounds20.obsmtp.com
200
outbounds200.obsmtp.com
201
outbounds201.obsmtp.com
Setting up a smarthost is different for every server. Contact your vendor for support on steps for setting up a smarthost on your particular mail server.
If you are using a mail server that supports private DNS settings, you can set up Private DNS Service instead of setting a smarthost. For information about private DNS service as an alternative to a smarthost, see the Outbound Services Configuration Guide.
5.
If applicable for your mail server (for example, if you are using Microsoft Exchange), you can configure Outbound services to quarantine or blackhole undeliverable bounce messages. See Handling Undeliverable Bounce Messages for step to set up.
6.
Configure outbound services, such as outbound virus filtering or a compliance footer. See Outbound Services for more information.
Deleting an Outbound Servers Entry
If you change IP address ranges, or begin using a new mail server for outbound mail, you may need to remove an entry from Outbound Servers.
To remove an IP range:
1.
Log in to the Administration Console.
2.
Click the Outbound Servers tab and select the proper email config from the Choose Org pull-down menu.
3.
Click the IP range you wish to delete.
4.
Clear the IP range for the outbound server, but leave the reinjection server settings untouched.
5.
Click Save to remove the IP range.
*
Related Topics
*
Outbound Concepts
*
Handling Undeliverable Bounce Messages
*
Outbound Services
*
Compliance Footer
*
Transport Layer Security for Outbound Mail
*
Setting Up Outbound TLS
*
Reinjection Test
*
Troubleshooting: Outbound