Email Appliance and PureMessage – Best Practice

We have Exchange 2010 – 2 servers. Both servers have Sophos PureMessage installed.

PureMessage Configuration

1) Anti-Virus turned on

2) Anti-Spam turned on

3) Content Filtering turned on

We also have Sophos Email appliance – ES1000

Email Appliance Configuration

1) Anti-Virus – on

2) Anti-Spam – on

3) Content Filtering – on

4) Data Policy – on

In our Allow/White list we have over 1000 email addresses/domains as exceptions, and in the Block list we have over 700 email addresses/domains.

A few weeks ago we had a health check with a Sophos technician, and they suggested deleting all Allow and Block lists from the email appliance and turning off spam and content filtering in PureMessage.

We took the advice and implemented it as instructed.

We are not using the Microsoft spam filtering which is available in Exchange 2010.

The challenge we have (I know most of you have this too) is IT best practice vs. high-demand management staff. Many of our management staff don't want to see their legitimate email quarantined or in the junk mail folder, where they have to either approve the message or contact IT to release the email, so they request that we whitelist those emails, or even ask us to put the entire domain in the White list so anyone from a certain domain can send them email.

I am wondering what others are doing, and what are the best practices for configuring PureMessage and the Email Appliance?

  • Hello,

    Incorporating both the email appliance and PureMessage for Exchange can present some planning intricacies in a way to ensure that:

    1. end users have a clear place to look at a quarantine
    2. certain users can be exempt from any quarantine action

    It usually comes down to organization requirements as to how to configure policies.

    For the first point, some customers opt to quarantine messages at the appliance end, whereby the policy on the appliance is more strict when it comes to discarding or quarantining email. This leaves PureMessage for Exchange to have a lighter policy without any quarantine actions, but still allowing the Exchange information store scan to work for later virus definitions. Part of the reason for this could be tied to the end-user experience, as the digests that can be sent out contain more information pertaining to what's quarantined and the end-user web portal allows for individuals to manage their own personalized allow/block lists. Other reasons include perimeter protection and minimal redundancy.

    Some other customers elect to use the quarantine within PureMessage, so the policy on the appliance handles IP reputation filtering and blocks viruses and other material that don't need to be quarantined; PureMessage can then quarantine email based on its policy. This may come into play if there are internal messages that need to be quarantined and the email administrator would prefer to look in the PureMessage console for all messages, then decide to control allow/blocks at a global level.

    There are a few customers that elect to run two quarantines if their security practices rely on redundant or secondary scans, based on late breaking definitions or possible upstream reliability or maintenance.

    Otherwise, there are some customers that choose not to do any quarantine action and then look at subject or header tagging, which would append custom text to either give a visual indication to the end user about possible warnings, or allow for another downstream email solution to detect those tags and then handle them accordingly. This may come into play for organizations that need to retain email at an individual level, if other email retention options such as journalling aren't available.

    For the second point, if there are recipients within your organization that would rather not deal with quarantines or block lists, you can exempt those users or groups from certain scans. Within the appliance, you can configure policies to continue processing messages based on either AD information (if synchronized) or locally managed lists. Within PureMessage, each policy rule has the ability to add exceptions based on recipient using the double chevron icon beside each rule definition. Message tagging could be used so at least the recipient is aware of a potential concern, but a decision like that comes down to what level of email filtering is considered appropriate.

    Hope that helps.
