Lockdown your firewall or server to accept incoming messages only from the ProofPoint Service -
We encourage, to lockdown your firewall and/or server to accept incoming messages only from the ProofPoint Service. A common tactic spammer’s use is to spam directly to your WAN IP. This is not a conventional method of sending email as it should be sent to the lowest priority MX record. By locking down your environment you are ensuring that all email is filtered through ProofPoint and that no spam destined to your network can circumvent the filtering service. Below are the instructions for locking down.
1. The best place to lock down your environment would be via your firewall. This will prevent intranet bandwidth from being used unnecessarily. (see below for ranges)
2. If you can not lock down via the firewall, Exchange environments also provide lock down functionality. Below are the instructions for locking down Exchange. At this time this is not an officially supported method by either Excel Micro or Microsoft. We recommend locking down the firewall, if possible. See below for some of these methods.
1. Open your Exchange System Manager (Start->All Programs->Microsoft Exchange->System Manager).
2. Expand Servers. (You may have to expand First Administrative Group first).
3. Expand Protocols.
4. Expand SMTP.
5. Right-click the Default SMTP Virtual Server, select Properties.
6. Click the 'Access tab'.
7. Click on 'Connection'.
8. Check the radio button which states “Only the list below”.
9. Click Add
10. Select 'Group of Computers'
11. Enter in the Subnet Address: 220.127.116.11,
12. Enter the Subnet Mask 255.255.255.0
13. Enter in the Subnet Address: 18.104.22.168
14. Enter the Subnet Mask 255.255.255.0 (repeat steps to add other 10 subnet masks)
15. Click OK on all properties windows to save the changes.
1. Open the Exchange Management Console.
2. Expand Server Configuration, and then select Hub Transport .
3. Select the receive connector you are using for port 25 traffic. Right-click it and select Properties.
4. Select the Network tab.
5. At the bottom where it says "Receive mail from Remote Servers" that have these IP addresses select Add and then select IP.
6. Enter 22.214.171.124/24, repeat to add the other 10 CIDRs
7. By default the connector will have 0.0.0.0-255.255.255.255 as an allowed IP range; this basically opens the server up to anyone so this will need to be removed.
8. These changes should be applied instantly with no need to restart any services. If you see the changes not taking effect then you may need to restart Exchange services to force then test with telnet
• In the Exchange admin center, in the left menu, click mail flow.
• Next to Select server, specify the exchange server to configure (if there is more than one), then in the top menu, click receive connectors.
• On the receive connectors page, click the plus sign + to add a new connector. The new receive connector dialog box appears.
• Provide the following information, then click next:
o Name: Name for the receive connector
o Server: Specify your Exchange server (if there is more than one)
o Role: Hub Transport
o Type: Internet
• Under Network adapter bindings, click the plus sign + to specify the IP addresses and port that Exchange server is to allow, then click finish. (For non-SSL connections, the default is port 25.)
• After the receive connector is created, double-click it in the list.
• The receive connector's properties appear. Click security.
• Ensure the Transport Layer Security (TLS) and Anonymous users check boxes are selected, then click save.
Proofpoint Essentials must be able to deliver email to the organization mail environment. It will be necessary for exceptions to be added to the firewall for these IP addresses.
- Port 25 for SMTP Traffic
- Port 389 for LDAP (If using Active Directory to load users)
The 11 ProofPoint Ranges can be expressed in one of three ways, based on your server needs:
• 126.96.36.199/24 OR IP:188.8.131.52 and Subnet: 255.255.255.0 OR Start IP: 184.108.40.206 / End IP: 220.127.116.11
• 18.104.22.168/24 OR IP:22.214.171.124 and Subnet: 255.255.255.0 OR Start IP: 126.96.36.199 / End IP: 188.8.131.52
• 184.108.40.206/24 OR IP:220.127.116.11 and Subnet: 255.255.255.0 OR Start IP: 18.104.22.168 / End IP: 22.214.171.124
• 126.96.36.199/24 OR IP:188.8.131.52 and Subnet: 255.255.255.0 OR Start IP: 184.108.40.206 / End IP: 220.127.116.11
• 18.104.22.168/24 OR IP:22.214.171.124 and Subnet: 255.255.255.0 OR Start IP: 126.96.36.199 / End IP: 188.8.131.52
• 184.108.40.206/24 OR IP:220.127.116.11 and Subnet: 255.255.255.0 OR Start IP: 18.104.22.168 / End IP: 22.214.171.124
• 126.96.36.199/24 OR IP:188.8.131.52 and Subnet: 255.255.255.0 OR Start IP: 184.108.40.206 / End IP: 220.127.116.11
• 18.104.22.168/24 OR IP:22.214.171.124 and Subnet: 255.255.255.0 OR Start IP: 126.96.36.199 / End IP: 188.8.131.52
• 184.108.40.206/24 OR IP:220.127.116.11 and Subnet: 255.255.255.0 OR Start IP: 18.104.22.168 / End IP: 22.214.171.124
• 126.96.36.199/24 OR IP:188.8.131.52 and Subnet: 255.255.255.0 OR Start IP: 184.108.40.206 / End IP: 220.127.116.11
• 18.104.22.168/19 OR IP:22.214.171.124 and Subnet: 255.255.224.0 OR StartIP: 126.96.36.199 / End IP: 188.8.131.52
• 184.108.40.206 (Archive customers only)
• 220.127.116.11 (Archive customers only)
Once this is complete, to start filtering your email through ProofPoint, please make the following DNS changes at your earliest convenience. ProofPoint is setup to accept all mail for example.com and relay the mail to the IP listed in Delivery Manager.
The MX Changes are as follows:
If you or your client are also going to be sending your outbound email through ProofPoint, you'll need the following Smart host information:
If you are using the outbound filtering service and have a need for an SPF record on your domain, please use the record below as a starting point.
While all environments are different and you may require additional tokens, this record will authorize ProofPoint to send on behalf of your domain.
• "v=spf1 a:dispatch-us.ppe-hosted.com -all"