[Setup Step 3]: Firewall lockdown options for Email & LDAP Discovery
Posted by Travis J, Last modified by David Szoke on 12 January 2018 09:19 PM
Use the statements in bold text below as a guide to choose the scenario most applicable to you. They are listed in order of preference:
If you have control over your mail server and its firewall, make sure that it can receive incoming SMTP (TCP port 25) connections from Proofpoint IP addresses, which are:
Please review our actively maintained list: IP Address List
If these addresses cannot connect to your mail server, no mail can arrive.
NOTE: If other IP addresses are accepted, it is possible to bypass Proofpoint completely; spammers are known to save MX records for a long time and still attempt to deliver directly to any server that will accept the connection. You can test whether your firewall is open by launching a command prompt (in Windows: Start->Run->"cmd") and typing "telnet a.b.c.d 25", replacing "a.b.c.d" with either the IP address or the DNS hostname of the server you wish to test. Make sure that you run this test from a different network to the one in which the server is located. If you connect successfully, the firewall is open and the server is vulnerable to direct spamming.
Also, some firewalls do not allow multiple ranges to exist in the same place. Please consult your vendor to confirm how to add the ranges in that case.
If you are running a blacklist on your firewall, please ensure that our IPs are whitelisted; otherwise you may experience connection problems.
If you are using Microsoft Exchange and do not have a firewall that can be configured as described above, you can configure the Microsoft Exchange access connection range to only accept email from your internal domain (e.g. companyname.local) and *.ppe-hosted.com like so:
If you have no control over your mail server's firewall (e.g. you use a hosting service, and/or POP, etc.), there is still a way. All email that passes through Proofpoint Essentials gets marked with the header labeled "X-MDID". So, if the firewall cannot be locked down, a filter rule should be created on your server to automatically *junk* into the recipient's spam folder every email that does NOT possess such a header field.
If you have no control over your mail server's firewall AND have no way to make global rules on the mail server, rules can still be created in users' email clients. The example here is for Microsoft Outlook, but something similar can be used for any email client. Create two rules. The first one, placed second-to-last in the list of rules, should be created from a blank template; it must catch all messages with "X-MDID" in the header, and its action should be to stop processing more rules. The second new rule, placed very last, should catch EVERYTHING and move the messages to the Junk folder. If this account needs any more rules, they should be listed before the two rules specified here. Be aware that, if any of those custom rules use the action to "stop processing more rules", it might circumvent this setup.
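The rule ordering described above, modelled as an added example (it is not part of the original article and is not Outlook's actual rule engine). The rule tuples, folder names, the audit helper and the sample messages, including the X-MDID value, are constructed for illustration.

```python
from email import message_from_string

# Constructed sample messages: one relayed through the filter, one delivered directly.
FILTERED = "From: a@example.com\nSubject: invoice\nX-MDID: constructed-value\n\nbody\n"
DIRECT = "From: b@example.net\nSubject: newsletter offer\n\nbody\n"

def has_mdid(msg):
    # Header lookup in email.message is case-insensitive; None means the header is absent.
    return msg["X-MDID"] is not None

def is_newsletter(msg):
    return "newsletter" in (msg["Subject"] or "").lower()

# A rule is (name, predicate, target folder or None, stop processing more rules).
MDID_RULE = ("has X-MDID", has_mdid, None, True)                 # second-to-last
CATCH_ALL = ("catch everything", lambda m: True, "Junk", False)  # very last

# Hypothetical custom rules a user might already have, listed before the two above.
NEWSLETTER_SAFE = ("newsletters", is_newsletter, "Newsletters", False)
NEWSLETTER_STOP = ("newsletters (stop)", is_newsletter, "Newsletters", True)

def deliver(raw, custom_rules=()):
    """Apply custom rules first, then the article's two rules; return the final folder."""
    msg = message_from_string(raw)
    folder = "Inbox"
    for _name, matches, target, stop in [*custom_rules, MDID_RULE, CATCH_ALL]:
        if not matches(msg):
            continue
        if target:
            folder = target
        if stop:
            break  # later rules, including the catch-all, never run
    return folder

def audit(custom_rules):
    """Names of custom rules that stop processing and can shield mail from the catch-all."""
    return [name for name, _match, _target, stop in custom_rules if stop]

if __name__ == "__main__":
    print(deliver(FILTERED))                   # filtered mail stays in the Inbox
    print(deliver(DIRECT))                     # direct delivery goes to Junk
    print(deliver(DIRECT, [NEWSLETTER_STOP]))  # stop action circumvents the setup
    print(audit([NEWSLETTER_SAFE, NEWSLETTER_STOP]))
```
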
If none of the above scenarios are applicable, be aware that we cannot support spam-related queries where the email did not pass through us. Legitimate email will still pass through us, as it will use the public MX records for a domain as it should.
Additional Information: These steps are also located in the Getting Started Guide
[Setup Step 3] - Current Step - Firewall lockdown options for Email & LDAP Discovery
[Setup Step 4] - Instructions for changing MX records
[Setup Step 5] - (Optional): Instructions on activating Proofpoint Essentials for an organization's outbound email
[Setup Step 6] - Configuring additional features