MAILGUARD AND MICROSOFT EXCHANGE 2013

MailGuard Secure Email Filtering

MailGuard: support@mailguard.com.au
Phone: 1300 30 65 10
www.mailguard.com.au

TABLE OF CONTENTS

Introduction
Document and Naming Conventions
Getting started
Outbound email protection
Inbound email protection
Contact MailGuard

INTRODUCTION

Viruses are becoming more prevalent and sophisticated every day, often causing productivity and financial loss, and at times leading to catastrophic events within corporate networks. To effectively mitigate the risks associated with infection, businesses rely on stringent, proven security solutions. Microsoft Exchange, when used in conjunction with MailGuard, can offer full protection from email-borne viruses even before they've been officially recognised and anti-virus software is capable of detecting them.

This document is a step-by-step guide to configuring Microsoft Exchange Server 2013 for MailGuard email filtering. The sections in this document outline the procedures for setting up your Exchange server to send and receive email via the MailGuard service, ensuring virus emails can neither reach nor originate from your organisation.

DOCUMENT AND NAMING CONVENTIONS

Document Conventions

In order to achieve full understanding of the instructions given in this guide, note that the following standards will be followed:

- The names of sections and pages are referred to in Bold Italic letters. For example, the recipients page or the Address space page section.
- The names of interactive components (i.e. buttons, menus, text boxes, etc.), in-page sections (i.e. information separated into sections), and column headers are referred to in Bold letters. For example, the General menu or the Next button.
- The values of fields (i.e. data entered by the user in a window's given fields) are referred to in Italic letters. For example, Yes or No as options in a dropdown box.
- Actions that link to other sections in the document are referred to in Underlined letters. For example, the Outbound email protection section.
- Flags are used where additional notes are included in this document, for example, when decisions may need to be made which are outside of the scope of this document.
- Alerts are used to highlight important information such as warnings.

Naming Conventions

Left-pane: Referred to by Microsoft as the Feature pane, the left-pane is the left hand side of a page in the Exchange Admin Centre, separated from the rest of the page by a border. The left-pane typically contains a list of selectable Exchange grouped features, each one changing the content of the remainder of the Admin Centre when selected.

Centre-pane: This is the centre of a page in the Exchange Admin Centre, separated from the rest of the page by borders. Included in the centre-pane are page elements referred to by Microsoft as follows:

- Tabs: a list of features grouped under the feature area selected in the left-pane
- Toolbar: a selection of tools (e.g. new, edit, delete) available for the selected tab, for management of objects under a selected feature
- List View: a list of the defined objects under a selected feature

Right-pane: Referred to by Microsoft as the Details pane, the right-pane is the right hand side of a page in the Exchange Admin Centre, separated from the rest of the page by a border. The right-pane typically contains details about a defined object in the list view in the centre-pane, as well as tools available for the selected tab.

GETTING STARTED

In Exchange 2013, the graphical management interface has changed. Whereas this interface has traditionally been in the form of the Exchange Management Console MMC snap-in, it is now the Exchange Admin Centre (a web interface, similar visually and in functionality to the Hotmail / Office365 interfaces).

The Exchange Admin Centre is typically accessible at https://servername/ecp - where servername is the DNS alias that resolves to your Exchange Edge Transport Server's local IP address.

In order to complete the changes outlined in this document, you will need to have this interface open and will need to be logged in with an administrator account that has sufficient permissions to manage the mail flow settings of the server.

OUTBOUND EMAIL PROTECTION

To begin, open the Exchange Admin Centre and log in. Select mail flow from the left-pane.

Create a new Send Connector

1. Select send connectors in the centre-pane, and click the + button to add a new Send Connector.
2. Enter a meaningful Name for the Send Connector, for example MailGuard Outbound. Ensure the Send Connector Type is set to Custom. Click next.
3. On the next page in the Network settings section, select the Route mail through smart hosts option. Press the + button.
4. In the add smart host window, enter the MailGuard smart host provided to you in your welcome pack, e.g. filter.custmr-1.mailguard.com.au. Click save.
5. Leave the Use the External DNS Lookup settings on servers with transport roles checkbox unchecked. Click next.
6. On the next window under the Smart host authentication section, select the Basic authentication option, and for the User name and Password settings, enter the SMTP Username and SMTP Password credentials for your MailGuard smart host, included in your welcome pack. Click next.

If you no longer have a record of your smart host or the SMTP authentication credentials, please log in to the MailGuard Console and navigate to the Domains page, then click the > button to the right of your domain and select Configuration - your smart host will be listed in the Outbound Configuration section along with your SMTP authentication credentials.

7. On the next window, click the + button in the Address space section to configure the Address space for the Send Connector. The add domain window will appear.
8. Leave the Type as SMTP and enter * as the Full Qualified Domain Name (FQDN).
9. Leave the Cost as 1. This will ensure that the new Send Connector will route all outbound mail to MailGuard, with the exception of mail to domains that match the Full Qualified Domain Name (FQDN) value of other Send Connectors configured on your Exchange server. Click the save button when finished, then next to complete the Address space configuration.

Under most typical configurations, the Scoped Send connector checkbox will remain unchecked. Consult your Administrator if you are unsure whether this Connector should be made available to all Hub and/or Edge Transport servers in your Exchange Organization. Click Next to continue.

10. On the next window in the Source server section, click the + button to configure the Source server(s) for the Send Connector. Be sure to include all the Exchange Servers in your organisation that will be using this Send Connector and that have Edge subscriptions or perform one of the Transport Roles. If you are unsure of the correct options to select, please consult your Administrator.
11. Click finish to complete the creation of your Send Connector.

OPTIONAL. Now that you have created the Send Connector required to route your outbound mail via MailGuard, a few additional configuration changes can be made to ensure an optimal setup.

12. In the list of send connectors in the centre-pane, select your new Send Connector and click on the pencil button to open the Send Connector properties.
13. It is recommended that you enter a brief description in the Comment section under General, which describes the purpose of the Send Connector, for example: This send connector is used to route all outbound mail via MailGuard for filtering.

It is recommended that the Protocol logging level be left at None for now; Microsoft recommends using logging in a minimal fashion, as it can lead to rapid storage space utilisation. Should you encounter any issues with routing your outbound email via MailGuard, we recommend that you revisit this setting so that your Exchange server can record SMTP protocol logs for you to review and provide to MailGuard's Service Desk for troubleshooting if required.

14. Set the Maximum send message size (MB) to 50 (50MB), as this is the maximum message size that MailGuard will accept. You may need to set the Maximum send message size to a lower value if you have experienced issues with SMTP data transfer in the past. Consult your administrator if you are unsure.
15. From the left-pane, select the scoping option. Scroll to the bottom of the window and enter a Fully-Qualified Domain Name (FQDN) for your server to send to MailGuard along with the SMTP HELO/EHLO command. The FQDN should be publicly resolvable and should in most cases be your domain name (e.g. customer.com.au). Click save to apply these configuration changes.

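Steps 1 to 15 above can also be applied from the Exchange Management Shell. The following is an added example, not part of MailGuard's guide: the source server name EX01 is a hypothetical placeholder, and the smart host and HELO FQDN are the example values from steps 4 and 15. It ends by listing the other enabled Send Connectors, because mail matching their address spaces is not routed to MailGuard (step 9).

```powershell
# Added example: Exchange Management Shell equivalent of EAC steps 1-15.
# Assumption: EX01 is a hypothetical source server name; replace it with your own.
$name      = 'MailGuard Outbound'
# Example value from step 4; use the smart host from your welcome pack.
$smartHost = 'filter.custmr-1.mailguard.com.au'
$cred      = Get-Credential -Message 'MailGuard SMTP Username and SMTP Password'

# BasicAuth corresponds to the "Basic authentication" option in step 6.
# BasicAuthRequireTLS would send the credentials only after STARTTLS; this
# guide does not state whether the smart host offers STARTTLS (assumption).
New-SendConnector -Name $name -Custom `
    -SmartHosts $smartHost `
    -DNSRoutingEnabled $false `
    -UseExternalDNSServersEnabled $false `
    -SmartHostAuthMechanism BasicAuth `
    -AuthenticationCredential $cred `
    -AddressSpaces 'SMTP:*;1' `
    -IsScopedConnector $false `
    -SourceTransportServers 'EX01' `
    -MaxMessageSize 50MB `
    -Fqdn 'customer.com.au' `
    -ProtocolLoggingLevel None `
    -Comment 'This send connector is used to route all outbound mail via MailGuard for filtering.'

# Confirm what was stored.
Get-SendConnector $name |
    Format-List Name, SmartHosts, SmartHostAuthMechanism, AddressSpaces, MaxMessageSize, Fqdn

# Any other enabled Send Connector carries mail that does not pass through MailGuard.
Get-SendConnector |
    Where-Object { $_.Enabled -and $_.Name -ne $name } |
    Select-Object Name, AddressSpaces, SmartHosts, DNSRoutingEnabled
```

Review every connector the last command returns: a more specific address space on another connector takes precedence over the * address space and sends that mail out unfiltered.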
INBOUND EMAIL PROTECTION

Updating your Receive Connector configurations

By default, Exchange 2013 comes with Receive Connectors relevant to the Role(s) your Exchange Server performs (e.g. Client Access and/or Mailbox). For a brief explanation of Receive Connectors in Exchange 2013, please refer to the following: http://technet.microsoft.com/en-au/library/aa996395%28v=exchg.150%29.aspx

To ensure that you are fully protecting your Exchange server from threats originating from inbound SMTP traffic, you will need a full understanding of the configuration of your Receive Connector(s): you do not want to have locked down one Receive Connector with access control only to find that another Receive Connector's configuration allows bypass of the access control. Please consult with your Administrator if you are unsure about the scope(s) of your current Receive Connector(s).

This guide presumes that you are configuring MailGuard settings on an Exchange Server at your network perimeter (i.e. Client Access Role), and that you therefore have the following default Receive Connectors:

- Client Frontend
- Default Frontend
- Outbound Proxy Frontend

Given this, the guide suggests changes are made to the Default Frontend Receive Connector. Regarding the remaining default Receive Connectors:

- The Outbound Proxy Frontend Receive Connector should be locked down to only accept connections from internal IP addresses, given it is intended to only accept connections from internal sources. Of course, consult with your administrator if you are unsure of the correct scoping requirements.
- The Client Frontend Receive Connector is designed for email clients to use for submitting mail to your Exchange Server. As email clients can be located anywhere, you cannot lock down this Receive Connector with our recommended access control configuration. Instead, we recommend that you ensure that only the Exchange users option is selected under permission groups in the security section of this Receive Connector's properties. This will ensure that only users who provide correct Exchange account credentials will be allowed to deliver mail to your server via the Mail Submission Agent service. This configuration should go hand in hand with a rigid password policy to ensure passwords cannot be easily guessed and therefore used by unauthorised third parties with the intent of using your server as an SMTP proxy.

Changing the configuration of the Default Frontend Receive Connector

The Default Frontend Receive Connector is designed to receive all incoming SMTP connections from third parties. To ensure that the only third party connecting to your Exchange server is MailGuard, you will need to configure an Access Control List based on the public IP addresses of our perimeter.
MailGuard maintains a dedicated subset of servers in our network for relaying inbound mail to customers, to ensure Access Control Lists require minimal maintenance. The current list of IP addresses assigned to these servers is available from our website, at the following address: http://www.mailguard.com.au/landing/acl/

Please retrieve an up-to-date list of the IP addresses from this location before proceeding with the next steps.

1. In the list of receive connectors in the centre-pane, select the Default Frontend Receive Connector and click on the pencil button to open the Receive Connector properties.
2. In the security section, under permission groups, ensure that the Anonymous users option is checked.
3. In the scoping section, under Remote network settings, remove the current settings and enter the IP addresses retrieved from http://www.mailguard.com.au/landing/acl.

OPTIONAL. Set the Maximum receive message size (MB) under the general section to 50 (50MB). You may need to set the Maximum send message size to a lower value if you have experienced issues with SMTP data transfer in the past. Consult your administrator if you are unsure.

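A scripted form of steps 1 to 3, followed by the cross-connector check that the warning at the start of this section calls for. This is an added example, not part of MailGuard's guide: EX01 is a hypothetical server name, and the IP ranges are constructed placeholders to be replaced with the list from http://www.mailguard.com.au/landing/acl/.

```powershell
# Added example: apply the MailGuard ACL, then look for connectors that bypass it.
# Assumptions: EX01 is a hypothetical server name. The ranges below are constructed
# placeholders (RFC 5737 documentation addresses), not MailGuard's real addresses.
$server          = 'EX01'
$mailGuardRanges = '192.0.2.0/24', '198.51.100.10-198.51.100.20'

# Default connector names carry the server name, e.g. "Default Frontend EX01".
$identity = "$server\Default Frontend $server"

# Step 3 plus the optional size limit: replace the remote network settings
# with the MailGuard ranges only.
Set-ReceiveConnector $identity -RemoteIPRanges $mailGuardRanges -MaxMessageSize 50MB

# Step 2 check: PermissionGroups should still include AnonymousUsers.
Get-ReceiveConnector $identity |
    Format-List Name, Bindings, RemoteIPRanges, PermissionGroups, MaxMessageSize

# Bypass check: enabled connectors on this server that accept anonymous SMTP
# from every address (the default IPv4 and IPv6 "any" ranges).
$openRange = '^(0\.0\.0\.0-255\.255\.255\.255|::-ffff:)'
Get-ReceiveConnector -Server $server |
    Where-Object {
        $_.Enabled -and
        "$($_.PermissionGroups)" -match 'AnonymousUsers' -and
        (@($_.RemoteIPRanges | ForEach-Object { "$_" }) -match $openRange)
    } |
    Select-Object Name, Bindings, RemoteIPRanges, PermissionGroups
```

An empty result from the last command means no enabled connector on the server accepts anonymous SMTP from every address. Any connector it does list is a path around the MailGuard ACL and needs either its remote ranges or its Anonymous users permission tightened.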
Global Message Size Limits

This configuration step is also optional, but is recommended if you have already made message size limit changes whilst following this guide. You can change the global message size limits for your Exchange server to match the changes you have made to the Maximum send message size and Maximum receive message size based on the steps in the Outbound email protection and Inbound email protection sections of this document.

To do this, with mail flow still selected in the left-pane, select the button in the centre-pane. Change the default size limits to the same limits set for the send and receive connectors. This will ensure your global message size limits are in line with the limits of your connectors.

CONTACT MAILGUARD

For any queries, comments or suggestions regarding this guide, please feel free to contact the MailGuard Service Desk on 1300 30 65 10 or via email at: support@mailguard.com.au

MailGuard Pty Ltd
68-72 York Street, South Melbourne
Victoria, 3205 Australia
Support: 1300 30 65 10
Phone: +61 3 9694 4444 from overseas
Fax: +61 3 9011 6110

Visit www.mailguard.com.au to request a free trial of MailGuard solutions.