On Fri, 18 Jan 2013 17:59:33 -0500, Lawrence K. Chen, P.Eng.
<[email protected]> wrote:
So, does this mean users on our system that have their account
configured to forward to another service....as in most current and all
former students (Alumni get forwarding for life). That FOPE would not
accept mail originating from outside our mail system to these accounts?
The way these systems are designed to run, they're intended to be used as
the final delivery step of the systems configured to use them. At $oldJob
we were using this service (a few name-changes ago) to handle email coming
from the central Exchange system (faculty/staff) to the Internet.
We configured an Endpoint Connector in the Exchange system to deliver mail
destined for the students. and alumni. domains to their specific systems.
As it happens, it was Microsoft Live for both. They allowed us to provide
whitelisted IP addresses for sending into the system. It was through this
white-list setup that we were able to guarantee (as much as email delivery
can be guaranteed these days) that mail coming from fac/staff actually
delivered to students.
The reverse path went through the FOPE path, but as it was Microsoft to
Microsoft extremely few messages ended up in the Exchange spam-bins. We
set up some rules in the FOPE system to whitelist certain domains, which
is dangerous but was the only way to make sure that mail from students
delivered to fac/staff (and, er, make sure the Chronicle of Education
emails arrived). The rules set a specific header, and we used rules in the
Exchange system to adjust the internal Exchange spam values so that email
with those headers just delivered.
So, mail delivery paths:
- Fac/Staff -> Students: Exchange end-point connector direct to MS-Live
via whitelisted IPs.
- Students -> Fac/Staff: Direct to FOPE, with rules to set headers, and
Exch rules to deliver headered mail to mailboxes
- Fac/Staff -> Internet: Straight through FOPE
- Students -> Internet: Normal delivery through MS-Live
It sounds like you're still running your own mail-server for students,
though. We had /long/ standing policy that anyone who forwards mail out of
University controlled accounts acknowledges that delivery is NOT
guaranteed. We had a regular flow of forward-to-gmail users wondering how
mail from us ended up in the google spam bins, and getting told that's the
price of not using the University mail-systems.
So, in skimming the docs....I found:
Outbound access through the FOPE service network is IP and
domain-restricted. All outbound email messages that pass
through the FOPE pool of outbound email servers are scanned
for viruses, matches to policy filter rules, and spam
characteristics before they are sent.
* Important:
Outbound email from domains listed in the FOPE Administration
Center will be delivered as normal by one outbound pool of IP
addresses. Email classified as possible junk will still be
delivered, but through a separate pool of IPs, known as the
higher risk delivery pool. This process ensures that junk email
generated by compromised computers or improperly configured
domains does not affect the flow of legitimate email.
So, does this mean users on our system that have their account
configured to forward to another service....as in most current and all
former students (Alumni get forwarding for life). That FOPE would not
accept mail originating from outside our mail system to these accounts?
This would be a problem...since the reason it's so important to get
Microsoft to stop blocking emails from us, is so that we can send email
to (current) students that forward all their email to Microsoft. (As
well as allow faculty to send personal emails to friends and colleagues
with hotmail accounts without requiring them to get their own personal
email account from say....hotmail.)
----- Original Message -----
Even though we outsourced our email (Zimbra), landing on Microsoft's
blocklist has been a chronic problem. But, apparently through our
Microsoft Campus agreement we can get access to their "Forefront
Online Protection for Exchange" (FOPE) service. Which they said
will guarantee to keep us off of their blocklists.
From what I understand it's just a spam/virus filtering service...so
we need to get our hosting provider to send all our email to them,
and then deliver the emails we get back.
Though apparently this is hard for them to do....and they think their
own IronPort cluster would probably be just as effective. Except
that after a couple of years of talking about it, they still haven't
done it.
I'm wondering what people know about FOPE, and how well it works,
doesn't work, etc. And, how to do it for a Zimbra environment.
FWIW, our on campus smtp has always been doing filtering through
clamav (which has the SANESECURITY filters, which on occasion does
stop a compromised host sending phishing emails) and about a year
and a half ago I threw in spamassassin on the outgoing (though that
has turned into quite a bit of work in dealing with false
positives, without increasing the flow of false negatives....people
on campus can't seem to write non-spammy looking emails) Which is
why their doing outbound spamfiltering has always been so
controversial.
========================
MS FOPE link:
http://www.microsoft.com/exchange/en-us/forefront-online-protection-for-exchange.aspx
FOPE User Guide:
http://technet.microsoft.com/en-us/library/ff715254.aspx
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems
Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
Snail: Computing and Telecommunications Services (CTS)
Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: [email protected]
Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System
Administrators
http://lopsa.org/
--
Law of Probable Dispersal:
Whatever it is that hits the fan will not be evenly distributed.