Knowledgebase
[Setup Step 3]: Firewall lockdown options for Email & LDAP Discovery

Use the statements in bold text below as a guide to choose the scenario most applicable to you..  They are listed in order or preference:

If you have control over your mail server and it's firewall, make sure that it can receive incoming SMTP (TCP port 25) connections from Proofpoint IP addresses, which are:

 

 

Please review our actively maintained list: IP Address List

 

If these addresses cannot deliver then no mail can arrive.

NOTEIf other IP addresses are accepted, it is possible to bypass Proofpoint completely and spammers are known to save MX records for a long time and still attempt to deliver directly to any server that is willing. You can test whether your firewall is open by launching a command prompt (in Windows: Start->Run->"cmd") and typing "telnet a.b.c.d 25" where you replace "a.b.c.d" with either the IP address or the DNS hostname of the server you wish to test.  Make sure that you do this test from a different network to the one in which the server is located. If you connect successfully the firewall is open and the server is vulnerable to direct spamming.

Also, some firewalls do not allow multiple ranges to exist in the same place. Please consult with your vendor to ensure how to add ranges with different rolls in.

If you are running a blacklist on your firewall, please ensure that you have our IPs white listed, otherwise this may result in connection problems.

 

If you are using Microsoft Exchange and do not have a firewall that can be configured to the above preference, you can configure the Microsoft Exchange access connection range to only accept email from your internal domain ( e.g companyname.local) and *.ppe-hosted.com like so:

  1. From within the Exchange systems manager: select > Administrative Groups > First Administrative Groups > Servers > Select default or bridgehead server > Protocols > Default SMTP virtual Server > right click and select properties > Access > Connection...
  2. Select "Only in the List Below" and add the following:
    - companyname.local (e.g.)
    - *.ppe-hosted.com

 

If you have no control over your mail server's firewall (eg. you use a hosting service, and/or POP, etc.), there is still a way. All email that passes through Proofpoint Essentials gets marked with the header labeled "X-MDID". So, if the firewall cannot be locked down, a filter rule should be created in your server to automatically *junk* into the recipient's spam folder every email that does NOT possess such a header field.

If you have no control over your mail server's firewall AND have no way to make global rules on the mail server, rules can still be created on users's email clients. The example here is for Microsoft Outlook, but something similar can be used for any email client. Create two rules: The first one, placed second-to-last in the list of rules, should be created from a blank template, and it must catch all messages with "X-MDID" in the header and the action should be to stop processing more rules. The second new rule, placed very last, should be to catch EVERYTHING, and Move them to the Junk folder. If this account need any more rules, they should be listed before the two rules specified here.. Be aware that, if any of those custom rules use the action to "stop processing more rules", it might circumvent this setup.

If none of the above scenarios are applicable, be aware that we cannot support spam-related queries where the email did not pass through us. Legitimate email will still pass through us, as those will use the public MX records for a domain as they should.

 


 

LDAP synchronisation requirements

For Proofpoint Essentials Email filtering LDAP synchronisation to work correctly, make sure that you can receive incoming LDAP (TCP port 389) connections from our IP addresses, which are:

Please review our actively maintained list: IP Address List

Additional Information:  These steps are also located in the Getting Started Guide

[Setup Step 1] - Instructions for activating Proofpoint Essentials for a domain's inbound email

[Setup Step 2] -  Instructions for changing MX records

[Setup Step 3] - Current Step - Firewall lockdown options for Email & LDAP Discovery

[Setup Step 4] - (Optional): Instructions on activating Proofpoint Essentials for an organization's outbound email

(7 vote(s))
This article was helpful
This article was not helpful