Message Security Troubleshooting Guide • Google Message Security • Google Message Discovery
Google, Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043
www.google.com
Part number: TSG_R613_01
05 February 2007
© Copyright 2008 Postini, Inc. All rights reserved.
© Copyright 2008 Google, Inc. All rights reserved.
This software is provided “AS IS.” The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 1.8.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.
Google Compliance Policies Notice: Google assumes no responsibility in connection with the Compliance Policies lexicon-filtering feature, including any failure to recognize credit card or social security numbers that do not follow an applicable pattern as established in Postini’s systems or any failure to encrypt a credit card or social security number.
Contents
Chapter 1: Frequently Asked Questions
    Activation
    Administration Console
    Approved/Blocked Senders Lists
    Attachment Manager
    Batch Commandline Interface
    Connection Manager
    Content Manager
    Delivery Manager
    Domain
    Message Center
    Message Recovery
    MX Records and IP Addresses
    Notifications and Alerts
    Organizations
    Outbound Servers
    Reports
    Spam
    Spool Manager
    Users, Aliases, Mailing Lists, and Administrators
    Virus
Chapter 2: Mail Flow Troubleshooti
Chapter 1: Frequently Asked Questions

Activation

After registering, how do I get my password?

After successfully completing your registration, you will receive the setup email within 1 to 2 business days. Use the information in this email to begin the process of configuring your service. Using the setup wizard, submit details about your account, including your domain name, administrator login address, and password.
Administration Console

If I forget my Administration Console login and password, what should I do?

If you have forgotten your login, try your email address. If you have forgotten your password, enter an incorrect password in the login page. The next page has a Forgot Your Password link. Select this link and a temporary password will be mailed to you. To prevent easily-cracked passwords, the email security service has very strict guidelines for administrative passwords.
If you forgot your password, we suggest that you enter your correct email address and the password to your email account. If log in fails, click on the "Forgot your password?" link for specific instructions to retrieve your password. If you reached this page from a bookmark, a new bookmark will also need to be created after logging in. Thank you. This occurs when using Privately-Managed Password (PMP) authentication for all users, or only on Administrators when using POP authentication.
Where is the “Add Email Config” link in my organization list?

The ‘Add Email Config’ links are only next to Account organizations. In a typical organization hierarchy, email configs are sub-organizations of your Account organization.

Approved/Blocked Senders Lists

Who should I add to my Approved and Blocked Senders lists?

Since adding an approved sender effectively allows traffic through filters, you should be cautious when deciding which addresses and domains to add to your Approved Senders list.
Some tips are:
• Remember it is not necessary to add your complete contact list to these lists. If you find messages from a particular good sender are getting quarantined, put that sender on your Approved Senders list. The same is true for blocking unwanted senders.
• The list’s size includes address white spaces and commas. A comma has 2 characters: a space and a comma. Add these additional characters to get an accurate count of the list size.
To resolve this issue, please contact Support. If you are a directly supported Postini Customer, please log in to the Postini Support Portal. Otherwise, contact your vendor, who can assist you. Provide customer support with the Org ID, System #, User ID, and the list the user is having an issue with (for example, approved, blocked, etc.).

Why does my Approved Senders list allow extra addresses?

The approval mailing list looks for a substring in the list of recipients. For example, adding al@jumboinc.
3. Look at the organization’s Approved or Blocked Senders list:
   a. Select ‘View Org-Level Sender Lists’
   b. Check all lists to see if the Approved or Blocked Senders list is listed

Note: When using a Quarantine Redirect for either Spam or Virus messages, the address or domain needs to be added to the user Approved or Blocked Senders list, and NOT the sender list for the quarantine redirect address. For more information, see Quarantine Redirect and Approved/Blocked Senders.
How do I limit the file sizes of inbound attachments?

Edit the Message Size filter. For more information, see Message Size Filter section of Create/Edit Attachment Manager Filters.

Why are large attachments being bounced, even when Attachment Manager is turned off?

The Message Size filter is always in effect, even if Attachment Manager is off. For more information, see Message Size Filter section of Create/Edit Attachment Manager Filters.
Can I block all incoming attachments but still allow the message through?

No. The message and the attachment are treated as a single unit by the email security service.

What happens if a message has several attachments, but only one triggers an attachment filter?

If only one attachment triggers a filter, Attachment Manager performs the disposition of that filter on the entire message, including all of the other attachments.
For more information, see the Attachment Filter Dispositions section of the Create/Edit Attachment Manager Filters.

Batch Commandline Interface

How do I set up the Message Center for all of my users?

To edit the Message Center at the organization-level, edit the Default User:
• Locate the organization’s Default User template and Message Center access. And, if needed, enable the Message Center access. For more information, see Editing Your Message Center Access and Settings.
How do I edit Quarantine Summary notifications for all of my users?

To edit organization-level Quarantine Summary notifications:
• Enable the Quarantine Summary links. For more information, see Editing Quarantine Summary Notifications.
    modifyorg Sales, quarantine_links=on, quarsum_links=on
• Edit the general Quarantine Summary notification settings.
    modifyorg Sales, qsum_actionable="basic delivery", qsum_enable=on, lang_locale=en_us.utf8
• Edit the Quarantine Summary redirect notification settings.
How do I find and display all of my organizations, domains, and users?

To list and display all of your organizations, domains, and users:
• List all of your organizations starting at a top-level org and display each organization’s settings. For more information, see Listing the Organization Hierarchy.
    listorgs ALL, targetOrg=Sales, childorgs=1
  This example has 3 organizations:
    orgname Sales ...
    orgname WestCoast ...
    orgname EUSales ...
For more information, see Adding Users and Domains to Sender Lists.
    modifyorg Sales, approved_senders="+jim@hugeisp.com, msmith@jumboinc.com"
    modifyorg Sales, blocked_senders="+msmith@jumboinc.com"

How do I edit my message limit policies for all of my users?

To edit the maximum size of attachments, the maximum number of messages per day, and the message total each user has received:
• Edit your organization’s message limit fields. For more information, see Editing Your Message Limit Policies.
How do I edit my Message Archiving settings for all of my users?

To display an organization’s archive settings, modify these settings, and disable the Message Center links:
• Confirm your organization’s archive setting is enabled and display the archive settings. For more information, see Editing Message Archiving Settings.
How do I modify all users in a domain?

To make changes to all users you will need to adjust the individual user records, as well as the default user (the template for new user creation). This is performed most efficiently by creating a batch file using the modifyuser command:
1. Go to Orgs and Users > Users and select your Account org from the Choose Org pull-down list.
2. Type in the “%” character and then the domain name and select Search.
3.
Connection Manager

What is Manual Pass Through and how do I use it?

Connection Manager detects servers that send a large amount of invalid mail -- spam, viruses, mail bombs or directory harvest attacks -- and blocks all mail from those senders. This prevents a load on your server and shuts down malicious senders. On rare occasions, Connection Manager can accidentally detect such an attack when the sender is legitimate.
How do I catch messages that contain specific language characters?

Set up a Content Manager rule that:
• Looks for the language character set in the ‘font’ tag in the message header
• Quarantines the message based on this criterion

Note: If you need to quarantine all messages in this language, this rule will quarantine all messages with this character set. If your mail flow in this language includes good messages, this Content Manager rule is not as helpful.
For additional information, see the “How do I read the Delivery Manager graphs?” FAQ.

How do I read the Delivery Manager graphs?

The Delivery Manager View page gives you a summary of connection and event activity for an email server config over the past 60 minutes and 60 seconds. The data displayed on this page is updated every few seconds but the page does not automatically refresh itself. Refresh the browser window to refresh the data.
What should I do after moving my domain to a new mail server?

For a new mail server or ISP, change the Delivery Manager’s email server address. For more information, see Setting Up Delivery Manager.

Note: If the domain remains associated to the same user organization, the only change is the updating of the email config organization. If the domain is moved under a different email config, see Move a Domain.
Can I limit connections to my mail server so that my mail server does not go down due to too much incoming mail?

Yes, you can use Delivery Manager to impose connection limits. For detailed information on how to edit the Conn. Limit field, see the Conn. Limit field section in the “Setting up Delivery Manager” chapter.

How do I remove persistent connections without rebooting?

You can use Delivery Manager to impose connection limits. For more information about configuring the Conn.
How do I delete a domain?

Before deleting a domain, make sure all users, user aliases, and domain aliases have been deleted. For more information, see Delete a Domain.

What do I do when I get this error “Unable to add domain.”?

For the errors “Unable to add domain 'domain.com'.” or “user@domain.com clashes with an existing address or alias”, the domain is hosted by another email security service customer.
Message Center

What should I do if I forgot my password?

If you forget your password, you can enter an incorrect password at the login page. A “Forgot Your Password” link appears that you can select to have a new temporary password mailed to you. For more information about Message Center passwords, see Set Message Center Passwords.
3. Set Message Center Access to Enable and select Save

Note: If using POP Authentication, this error can also be caused by incorrect configuration of the Authentication Data string. For examples of Authentication Data configuration and testing information, see POP Authentication Configuration Examples.

How do I change a password?

An administrator can reset a user’s Message Center password. For detailed information, see Reset a User’s Password.
Why can I not delete more than 100,000 messages in the Message Center?

If more than 100,000 messages are quarantined in Message Center for a user, the Delete All button on the Junk, Trash, and Delivered tabs is removed automatically. This helps prevent performance issues in the new Message Center.
How do I access my message archive?

To access your archive, you'll need your user name and password for your email security service. When activating your service, you provided this user name (the email address you use to log in to your email account) and set your password.
1. Go to https://login.postini.com
2. Log in to your email security service.
3. Select System Administration.
4. Select the Orgs and Users > Orgs.
5. Select a user organization in your organization hierarchy.
6.
Why can I not find a specific message in the archive?

If you can't find a specific message in the archive, the reason might be one of the following:
• The date range on the search panel is incorrect.
• There's a typographical error in the search text you entered.
• The search text you entered includes only parts of words instead of complete words.
• The message hasn't been archived yet; it may take 30-60 minutes for a message to appear in the archive.
MX Records and IP Addresses

What are the IP addresses for the email security service?

The following are the IP ranges for the email security service. Note: for system 20 customers, both sets of IP ranges are applicable.

System           IP Range                          CIDR Range         IP/Subnet Mask Pair
5, 6, 7, 8, 20   64.18.0.0 - 64.18.15.255          64.18.0.0/20       64.18.0.0 mask 255.255.240.0
20, 200, 201     207.126.144.0 - 207.126.159.255   207.126.144.0/20   207.126.144.0 mask 255.255.240.
And for detailed examples of the more common domain hosts, see Changing MX Records for a Domain.

Why is the priority of MX records important, anyway?

Inserting the new MX records at a higher priority than your existing records directs mail flow to email security servers where it can get filtered, instead of sending it directly to your mail server where no filtering occurs. An MX record consists of three parts: the domain name, a priority, and an email host.
Will I lose mail when I change my MX records?

No. While your MX record information is being propagated, your Inbox continues to get mail delivery. Once the MX record update is completed, your Inbox temporarily has a mix of messages sent before the update and messages filtered by the email security service. For more MX record information, see the Activation Step-by-Step Guide’s “How MX Records Work” chapter. In addition, see the “How long does it take to change my MX records?” FAQ.
For more MX record information, see the Activation Step-by-Step Guide’s How MX Records Work FAQ. For additional information about TTL, see the “What is a TTL setting?” FAQ.

What should I do if the MX record test fails after just changing my MX records?

If your MX Record Test failed, the test’s error message gives you troubleshooting information. For more information about the error message, see Error Messages and Next Steps in the “MX Record Test” chapter.
In addition, see the “Why do my customer notifications get bounced?” FAQ.

Why do my customer notifications get bounced?

Your template does not include the Date, To, From, and Subject headers listed in the default templates. The template headers are used when generating your notifications. Since the headers are common to all email messages, their absence causes your mail server to reject your notifications. For more information, see Default Notifications with Tokens.
How does a user get access to the Message Center after receiving a quarantine summary?

The Quarantine Summary links to the Message Center for each individual message. For more information, see Accessing Messages from the Quarantine Summary section in About Quarantine Summary.

Why am I not getting my quarantine summaries?

There could be several reasons. Some examples are:
1. Your mail account has not received new spam so there is nothing to quarantine.
2. Your Quarantine Summaries are being redirected.
How do I change the quarantine summary’s sender email address and name?

The Quarantine Summary Sender is your organization’s ‘Support Contact’, which can be edited in the organization’s General Settings page. For more information, see Organization General Settings. For information about the corresponding batch commandline steps, see the “How do I edit Quarantine Summary notifications for all of my users?” FAQ.
3. In the Organization Management page, scroll to the Organization Settings section and select the Notifications icon.
4. Select the name of the affected notification.
5. Look for a line break at the top of the notification template or between two of the header lines near the top of the template.
6. Remove the line break and select the Save Text button.

For more information, see About Customizing User Notifications.
How do I delete an organization?

Deletion of a large, complex organization can be done after these steps are completed:
1. Confirm you have full administrative authorization privileges for this organization and any related organizations.
2. Clear any quarantine summary redirect addresses.
3. For email config organizations, clear the spool allocations.
4. Clear any references to users and domains residing outside of the organization.
What happens if reinjection fails?

If reinjection fails, the message is deferred to all recipients. This means that any recipient who did receive the message during the original transmission receives duplicates of that message. Some mail servers may compensate for these duplicates. In addition, see the “What is reinjection?” FAQ.

What is a smarthost?

A smarthost is a common term for a server that accepts outbound mail and passes it on to the recipient.
For more information, see Set Up Reinjection in the Outbound Services Configuration Guide.
• When removing an Outbound Email Server by deleting all entries under Accepted IP Range and Reinjection Host.

To fix, follow these steps:
1. In the Administration Console, choose the appropriate email config organization and select the Outbound Servers tab.
2. Select the Outbound IP range to be removed by selecting the IP range under the gray Status bar.
3. Delete the entries under Accepted IP Range.
4.
For more information, see Outbound Reports.

Why does my report data seem out of date?

Your report data is based on data from the previous day. The report shown is the latest report available. Generally reports for the previous day are available around noon (or earlier) Pacific Time the next day. The exact time of availability fluctuates with quantity of traffic processed.
What is the difference between Messages and Account Messages in my reports?

The Messages number includes all messages passing through the system that are accepted by your mail server. The Account Messages (Acct Msgs) number only counts messages sent to registered accounts and aliases. Any discrepancies are accounts for which the receiving mail server returns a 550 user unknown error, or accounts which an administrator has specifically chosen not to add to the email security service.
For more information, see About Content Manager.

Why are these spam messages not being filtered?

If too much spam is getting through:
1. First confirm that the message was not filtered. Search the message headers for the X-pstn-levels header. If this header is present, the message was filtered for spam and the header shows the filter scores. For more information about this filter, see X-pstn_levels Header.
2.
Why am I suddenly getting all of this spam?

If your filtering was working fine and then suddenly you get a lot of spam through the filter with messages containing GOOD RECIP in the message’s X-pstn header, check your approved sender lists.
• If the user has added his/her own e-mail address or domain to his/her approved mailing list configuration, all messages sent to that user or the user's domain will be allowed through regardless of how spam-like the message is.
The message might have characteristics that make it look like spam, such as disclaimers, URLs, dollar signs, multiple exclamation points, and little or no body content apart from a link, image, or file attachment. The more such characteristics it has, the more likely it will be caught, depending on your filter levels. Special Offer filter -- In particular, aggressive category filters can falsely tag valid messages as spam. Try lowering category settings, beginning with the Special Offer filter.
Why do messages from a blocked domain keep getting through?

There could be several reasons:
1. System misconfiguration -- The domain is on the org-level Blocked Senders list and, at the user level, there is an Approved Sender with the domain.
2. Port 25 -- Messages are flowing directly to your mail server via port 25. Set up your email server or firewall to only accept email from the email security service’s IP ranges. For information, see Setting Up Secure Mail Delivery.
3.
How do I change my spooling allocation?

If you are the account administrator, you can allocate your total spool storage across all or some of your email config organizations. When you add or delete an email config, or purchase additional spool storage, you must adjust the spool allocation. For detailed information, see Allocating Spool.

How do I unspool my mail?

Unspooling can be controlled either automatically or manually.
Why has my mail not automatically unspooled? My mail server connection is now working and I still have spooled mail.

• Either your Unspooling Control is configured to manual. The unspooling process must be manually initiated (even after your mail servers are reestablished). For more information, see the Unspooling Control section of Configuring the Spool Manager.
• Alternately, your Unspooling Control is configured to automatic, and your server has not been available for three successive minutes.
How do I stop mail from external mailing lists being falsely filtered as spam?

Edit the user’s Approved Recipients list (under Sender Lists), or the user can do this at the Message Center. See Approved and Blocked Sender Lists.

How do I add an administrator?

Before creating an administrator:
• If the user does not already exist, create a user. An administrator must be a registered user before becoming an administrator.
• Determine the type of administrator you want to create.
How do I switch my user’s authentication methods?

Changing authentication methods cannot be done by an administrator. To change authentication methods, please contact Support. If you are a directly supported Postini Customer, please log in to the Postini Support Portal. Otherwise, contact your vendor, who can assist you.

How do I authenticate specific users using different methods?

Each organization can only use one authentication method.
1. Create a new organization for each authentication method.
To edit the existing Daily Message Limit:
1. Go to Orgs and Users > Users.
2. Type the user address into the Find User field and select Search. (You may need to use the Choose Org pull-down menu to select the org containing the user.)
3. Select the user’s address.
4. Select Message Limits in the Inbound Services section of the page.
5. If the limit is not listed, it is imposed on the organization which contains the user, so select “View Org-Level Message Limits.”
6. Configure the limit.
You will see a list of alias addresses, sorted by organization. This information is compiled monthly, so recent changes will not be included in this report.

Virus

Why was this virus apparently delivered despite virus blocking?

1. Confirm your inbound virus blocking is configured correctly. It is especially important to confirm the organization’s Non-Account Virus Blocking feature and the Default User’s Virus Blocking field are enabled. For more information, see Configure Inbound Virus Blocking.
2.
Chapter 2: Mail Flow Troubleshooting

Mail Flow

Why am I not getting any mail at all?

Follow these steps to find out why you can’t receive mail from any outside sender.

Stages of Mail Flow

Before you begin troubleshooting mail flow, be sure you understand how messages normally flow from a sender to your server through the message security service. Then you can find out at what stage the failure is occurring. This graph shows the normal steps of mail flow:
1.
First Steps of Troubleshooting

These steps describe how to begin troubleshooting a mail flow problem.
1. Send a test message from an outside address (such as your personal Gmail account) to confirm that outside mail isn’t flowing. If the problem is only happening for a single sender, see “Why am I not getting mail from one sender?”.
2. View the Delivery Manager Graphs.
   a. Log in to the Administration Console.
   b. Select your email config organization.
The graph may instead look like this:

Here are the most common causes for no activity in the Delivery Manager graphs, and the steps to resolve them:
• Routing Problems: There may be other routing problems. To find out more about what’s happening, run the SMTP Message Test: “Test mail flow through the data center.” For instructions, see SMTP Message Test.
• Incorrect MX records: If your MX records are set improperly for this domain, mail will never reach the message security service.
The graph will look like this:

Here are the most common causes for blocked messages in the Delivery Manager graphs, and the steps to resolve them:
• Delivery Errors: Your server may be returning errors when the message security service tries to deliver mail. Run SMTP Message Test “Test an email from the data center directly to your mail host”. See SMTP Message Test. If you see problems, contact your mail server vendor or administrator to resolve these problems.
The graph will look like this:

This usually indicates that messages were blocked and spooling is storing messages so that no mail data will be lost. Here are the most common causes for spooled messages in the Delivery Manager graphs, and the steps to resolve them:
• Delivery Errors: Your server may be returning errors when the message security service tries to deliver mail. Run SMTP Message Test “Test an email from the data center directly to your mail host”. See SMTP Message Test.
The graph will look like this:

Here are the most common causes for problems with mail flow when you see accepted messages in the Delivery Manager graphs, and the steps to resolve them:
• Internal Routing: Your mail gateway (or mail server) may be accepting messages initially, then losing messages during internal routing. Send a test to see what happens when mail is sent directly to your mail server.
Why am I not getting mail from one sender?

Follow these steps to find out why you can’t receive mail from a single sender.

Common Causes

If a single sender is unable to send you mail, here are some common causes:
• Sender mail server: The problem may be happening on the sender’s side, either due to mail server issues, network issues, or DNS issues.
• Connection Manager blocking: Sometimes the message identifies a sender as the source of an email attack and blocks mail.
The IP address will be listed in a line that begins with the word “Received:”. There will probably be several lines that start with “Received:” so use the one that is “from source” or from the sending server’s domain. For instance, if you’re looking at a message sent by someone at jumboinc.com, you might see the following header:

    Received: from source ([172.220.209.220]) by exprod8mx216.postini.com ([64.18.7.10]) with SMTP; Mon, 28 Jan 2008 10:48:00 PST

The IP address for jumboinc.com would then be 172.
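The header check described above, as an added example that is not part of the original guide: it reads the “Received:” lines, uses the guide's two service IP ranges to find the sending server's IP, and reports whether the last hop into your server came from the service or from a peer that connected directly. The host mail.example.net, the 192.0.2.x and 198.51.100.x addresses, and the assumption that your own server writes its hop in the same layout are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# IP ranges for the email security service, as listed in this guide's
# "MX Records and IP Addresses" FAQ.
SERVICE_RANGES = [
    ipaddress.ip_network("64.18.0.0/20"),
    ipaddress.ip_network("207.126.144.0/20"),
]

# Hop layout shown in the guide's sample header (IPv4 only):
#   from <name> ([<ip>]) by <host> ([<ip>]) with SMTP; <date>
HOP_RE = re.compile(
    r"from\s+(?P<from_name>\S+)\s+\(\[(?P<from_ip>[0-9.]+)\]\)\s+"
    r"by\s+(?P<by_host>\S+)\s+\(\[(?P<by_ip>[0-9.]+)\]\)"
)


def in_service_ranges(ip_text):
    """True if ip_text is a valid address inside one of SERVICE_RANGES."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in SERVICE_RANGES)


def parse_hops(raw_message):
    """Return the Received hops, newest first, as dicts of the named groups."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        # Headers may be folded across lines; collapse the whitespace first.
        match = HOP_RE.search(" ".join(value.split()))
        if match:
            hops.append(match.groupdict())
    return hops


def analyze(raw_message):
    """Find the original sender IP and whether delivery came via the service."""
    hops = parse_hops(raw_message)
    result = {"sender_ip": None, "service_host": None,
              "connecting_ip": None, "delivered_by_service": False}
    if hops:
        # Assumption: the newest hop was written by your own mail server, so
        # its "from" address is the peer that connected to you on port 25.
        result["connecting_ip"] = hops[0]["from_ip"]
        result["delivered_by_service"] = in_service_ranges(hops[0]["from_ip"])
    for hop in hops:
        # The hop accepted by a service host names the real sending server.
        if in_service_ranges(hop["by_ip"]):
            result["sender_ip"] = hop["from_ip"]
            result["service_host"] = hop["by_host"]
            break
    return result


# Constructed sample: the guide's header plus a constructed final hop.
FILTERED = (
    "Received: from exprod8mx216.postini.com ([64.18.7.10])\n"
    "\tby mail.example.net ([192.0.2.25]) with SMTP;\n"
    "\tMon, 28 Jan 2008 10:48:02 PST\n"
    "Received: from source ([172.220.209.220])\n"
    "\tby exprod8mx216.postini.com ([64.18.7.10]) with SMTP;\n"
    "\tMon, 28 Jan 2008 10:48:00 PST\n"
    "From: msmith@jumboinc.com\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Constructed sample: a peer outside the service ranges connected directly.
DIRECT = (
    "Received: from mailout.example.org ([198.51.100.7])\n"
    "\tby mail.example.net ([192.0.2.25]) with SMTP;\n"
    "\tMon, 28 Jan 2008 11:02:10 PST\n"
    "From: someone@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for name, sample in (("filtered", FILTERED), ("direct", DIRECT)):
        print(name, analyze(sample))
```

A message whose result has delivered_by_service set to False reached the server without passing through the service's ranges, which is the port 25 case listed under “Why do messages from a blocked domain keep getting through?”.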
Message security service error messages

If the message did come from the email security service, consult the following table.

Error Message          Possible Causes        Action to Take
550 552 553 554 571    Connection Manager     Set Up A Pass Through. See Pass Throughs: Preventing Attack Blocking.
550 no such user       Non-Account Bouncing   Add the recipient’s email address in the Administration Console. See Add / Delete / Move Users.