[Setup Step 3]: Firewall lockdown options for Email & LDAP Discovery
Posted by on 01 July 2014 10:47 AM

Use the statements in bold text below as a guide to choose the scenario most applicable to you. They are listed in order of preference:

If you have control over your mail server and its firewall, make sure that it can receive incoming SMTP (TCP port 25) connections from Proofpoint IP addresses, which are:

 

 

Please review our actively maintained list: IP Address List

 

If these addresses cannot deliver then no mail can arrive.

NOTE: If other IP addresses are accepted, it is possible to bypass Proofpoint completely. Spammers are known to save MX records for a long time and still attempt to deliver directly to any server that is willing.

You can test whether your firewall is open by launching a command prompt (in Windows: Start->Run->"cmd") and typing "telnet a.b.c.d 25", where you replace "a.b.c.d" with either the IP address or the DNS hostname of the server you wish to test. Make sure that you do this test from a different network to the one in which the server is located. If you connect successfully, the firewall is open and the server is vulnerable to direct spamming.

 

If you are using Microsoft Exchange and do not have a firewall that can be configured to the above preference, you can configure the Microsoft Exchange access connection range to only accept email from your internal domain (e.g. companyname.local) and *.proofpointessentials.com like so:

  1. From within the Exchange systems manager: select > Administrative Groups > First Administrative Groups > Servers > Select default or bridgehead server > Protocols > Default SMTP virtual Server > right click and select properties > Access > Connection...
  2. Select "Only in the List Below" and add the following:
    - companyname.local (e.g.)
    - *.proofpointessentials.com

 

If you have no control over your mail server's firewall (e.g. you use a hosting service, and/or POP, etc.), there is still a way. All email that passes through Proofpoint Essentials gets marked with the header labeled "X-MDID". So, if the firewall cannot be locked down, a filter rule should be created in your server to automatically *junk* into the recipient's spam folder every email that does NOT possess such a header field.

If you have no control over your mail server's firewall AND have no way to make global rules on the mail server, rules can still be created on users' email clients. The example here is for Microsoft Outlook, but something similar can be used for any email client. Create two rules. The first one, placed second-to-last in the list of rules, should be created from a blank template; it must catch all messages with "X-MDID" in the header, and its action should be to stop processing more rules. The second new rule, placed very last, should catch EVERYTHING and move it to the Junk folder. If this account needs any more rules, they should be listed before the two rules specified here. Be aware that, if any of those custom rules use the action to "stop processing more rules", it might circumvent this setup.
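The header rule from the two scenarios above (the server-side filter and the Outlook rule pair) comes down to one decision per message. The following is an added Python example, not Proofpoint's code, that makes that decision by parsing the header section rather than searching the message text. The names classify and ALLOWED_RELAYS, the optional connecting-address check, the placeholder range and the sample messages are assumptions made for illustration.

```python
import ipaddress
from email import message_from_bytes
from typing import Optional

# Assumption: placeholder range from RFC 5737 documentation space. Replace it
# with the ranges published in the maintained IP address list.
ALLOWED_RELAYS = [ipaddress.ip_network("192.0.2.0/26")]

def classify(raw: bytes, peer_ip: Optional[str] = None) -> str:
    """Return 'inbox' or 'junk' for one raw message (hypothetical helper)."""
    msg = message_from_bytes(raw)
    # Only the header section is consulted and names match case-insensitively,
    # so "X-MDID" inside a Subject or the body does not satisfy the rule.
    if msg.get("X-MDID") is None:
        return "junk"
    # Optional second check when the filter can see the connecting address.
    if peer_ip is not None:
        addr = ipaddress.ip_address(peer_ip)
        if not any(addr in net for net in ALLOWED_RELAYS):
            return "junk"
    return "inbox"

# Constructed sample messages (not real traffic).
FILTERED = (b"X-MDID: 1404211620-example\r\nFrom: a@example.com\r\n"
            b"Subject: invoice\r\n\r\nhello\r\n")
LOWERCASE = (b"x-mdid: 1404211621-example\r\nFrom: a@example.com\r\n"
             b"Subject: notes\r\n\r\nhello\r\n")
DIRECT = (b"From: b@example.net\r\nSubject: re: X-MDID: 1\r\n\r\n"
          b"X-MDID: only-in-body\r\n")

if __name__ == "__main__":
    for name, raw in [("FILTERED", FILTERED), ("LOWERCASE", LOWERCASE),
                      ("DIRECT", DIRECT)]:
        print(name, classify(raw))
    print("off-list relay", classify(FILTERED, peer_ip="198.51.100.7"))
```

A client-side rule that matches the text "X-MDID" anywhere in the raw headers would treat the DIRECT sample's Subject line as a match; matching on the header field name avoids that.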

If none of the above scenarios are applicable, be aware that we cannot support spam-related queries where the email did not pass through us. Legitimate email will still pass through us, as those will use the public MX records for a domain as they should.

 


 

LDAP synchronisation requirements

For Proofpoint Essentials Email filtering LDAP synchronisation to work correctly, make sure that you can receive incoming LDAP (TCP port 389) connections from our IP addresses, which are:

Please review our actively maintained list: IP Address List


UPDATED: For Proofpoint Essentials WEBaware LDAP synchronisation to work correctly, make sure that you can receive incoming LDAP (TCP port 389) connections from our IP addresses, which are:

Fremont, United States: 72.52.96.0/26 and 216.218.133.192/26

Atlanta, United States: 216.52.207.64/26

New York, United States: 209.51.184.0/26

Chicago, United States: 208.100.40.32/27

Frankfurt, Germany: 95.172.68.144/28

Amsterdam, Netherlands: 95.172.88.0/27

Singapore: 203.116.198.64/26

