Email Security Server Best Practices Guide

Written By Marissa Fegan (Super Administrator)

Updated at August 22nd, 2024

1 Introduction

The guide that follows is a collection of the best installation and configuration practices compiled by VIPRE Security for use with the VIPRE Email Security—Server Edition software. This guide is in no way meant to be all-inclusive of every installation environment but is meant to serve as a general overview of our best suggestions for deployment, configuration, and use of VIPRE within the scope of our customers' unique and diverse IT environments.

1.1 What does this guide cover?

The purpose of this document is to aid you in the use and installation of VIPRE, and help you understand the best practices recommended by VIPRE's Support and Development groups. Throughout this guide, you will find generalized best practices to improve the security of your enterprise, the level of impact our software places on your system, and the way to get the maximum output from your purchase.

This guide is divided into five sections:

Environmental Setup

Installation

Configuration

Antispam/Antivirus Setup

General Usage

It will begin by recommending changes you can make to your environment to aid in the installation of VIPRE. Then, we’ll dive into the installation and setup of the software, and conclude with some strongly recommended operating practices. By the end of this document, you should be very familiar with VIPRE and feel comfortable using it in your infrastructure.

We assume that you're familiar with administrative concepts, such as port forwarding, Exchange administration, Windows administration, and application-level firewall configuration.

 

2 Environmental Setup

The method in which you install and utilize VIPRE is highly dependent on two factors:

The version of Exchange in use

The number of servers in the environment

Thus, in this area of our guide, we’re going to discuss how to tailor your VIPRE installation based around your messaging platform and the number of computers associated with it.

2.1 Exchange roles

Within Exchange, there are five roles, two of which VIPRE installs upon. These roles are the:

Edge Transport – (VIPRE)

Hub Transport – (VIPRE)

Mailbox Server

Client Access Server

Unified Messaging Server

For the sake of completeness, we’ll briefly explain the roles VIPRE installs upon and how this will affect your messaging infrastructure.

Edge Transport: This is a separate box that sits on the edge of the network (between the internet and any other servers in the network) and does pre-filtering. VIPRE performs connection filtering on this role.

Hub Transport: This role handles the flow of messages and routes them to the right mailbox. Connection filtering will be performed on this role only if an Edge server is not in use. Antispam, Antivirus, Attachment filtering, and Disclaimers work on this role.

This is important to know because Exchange does not necessarily contain “clusters,” but it certainly supports multiple servers to distribute load. What this means for you as an administrator is that the installation of VIPRE will depend on whether you have a single-server or multiple-server installation.

Single Server Instructions

With a single-server installation, all Exchange roles are consolidated into one area, making the installation of Exchange much easier. In this case, you can install VIPRE normally, without any special considerations.

Multiple Server Installation

The installation of VIPRE with multiple servers is a fairly straightforward process, but it does require you to understand the Exchange roles and to know which portions of VIPRE you should install upon your servers, depending on which role they’re functioning as within your environment. The instructions for each depend upon whether the server is running the Edge or Hub roles.

Edge Transport instructions

On the edge transport, VIPRE performs connection filtering and anti-spoofing. When you install VIPRE on your edge transport, you need to make sure these are enabled.

Hub Transport instructions

On the hub transport, VIPRE performs attachment filtering, anti-spam, antivirus, and disclaimers. Connection filtering is also performed if there is no edge role. To make sure these are all set up correctly, verify that each of them is enabled.

3 Installation

This area of the best practices guide will familiarize you with the best practices involved with installing VIPRE. Keep in mind, this is not a substitute for the full version of the VIPRE Email Security - Server Edition User Guide.

VIPRE must be installed on an Exchange server. A member server or workstation will only allow the quarantine and report viewers to install.

 

You may begin the installation by following the User’s Guide and ensuring you follow the general guidelines we discuss below.

3.1 Databases and backup scripts

VIPRE installs an Access Database, and it is strongly recommended that you implement an SQL Server 2005 or above database. Similarly, you should also follow the backup scripts and 3rd party installation recommendations (if applicable). Failure to do this can result in unexpected behavior and possible server crashes.

Additionally, we need to do a few special checks:

 

Test Outlook Web Services

In order to install VIPRE in an Exchange environment and have these roles work properly with VIPRE, you should complete the following steps:

a) On the Exchange Hub Transport server, run the following command from the Exchange Management Shell:

Test-OutlookWebServices | FL

Create a Service Account

You will need to create a new user account for the VIPRE Plug-in Manager service to use. It must only be a member of the Domain Users built-in group and nothing else! It does not need a mailbox or any additional rights. All rights will be assigned by the install utility. However, be sure to set the password to never expire.

Test Impersonation

On Exchange, we need to make sure that the PIMsvc account can impersonate. To do this, you can follow these instructions:

1. In the address bar, type in the path to your server’s Outlook Web Access site. It will normally look like this:

localhost/owa/user@domain.com

2. This will bring you to the OWA login page. Here you will log in with the PIM Service account credentials you created, which should look like this:

UserName: domain\PIMSVCACCOUNT

Password:*******

3. Once in, if you can access and modify another user’s account with the same credentials, then impersonation will work, and your server will function properly. If you cannot, then you should contact VIPRE Security Support:

Open a case online - https://helpdesk.vipre.com/hc/en-us/requests/new

4 VIPRE Configuration

This area of the best practices guide will familiarize you with the VIPRE Security configuration recommendations for VIPRE.

4.1 Domain Settings

VIPRE integrates directly with the Active Directory domain to retrieve information from your Exchange server. Accordingly, in the “Domains” tab, you can place your Active Directory domain information.

Note that this should not be your email domain. VIPRE will retrieve your recipient email domains from Exchange.

4.2 Setup Antispoofing

VIPRE anti-spoofing prevents spoofed messages from being marked as internal and then bypassing the Antispam plug-in. The fact that an “X-Ninja-Antispam:” header is present tells us that either the message was external and was flagged as spoofed. A reason a spoofed message would make it to the inbox is because this email address is either in the user's allowed senders or contact list. One way to prevent this would be to remove that email address from the offending list. The second way is to enable anti-spoofing. This section concentrates on this method.

Enable Antispoofing:

1. Open the VIPRE Management Console.

2. Navigate to Settings>Domains>Antispoofing.

3. Check Enable Antispoofing.

4. Add the IP address of all mail sending devices to this list.

Enable Antispoofing on the Antispam Policy:

1. Expand Policies & Recipients.

2. Expand Antispam.

3. Select Default Antispam Policy.

4. Choose the Policy Settings tab.

5. Ensure that the Spoofing area on the bottom of the policy settings is set to Quarantine them.

4.3 Register Agents

When you’ve first installed VIPRE, you will want to make sure that the transport agents have been registered. Agent Registration will appear in the VIPRE console like what you see below.

4.4 Ensure product is registering

You should make sure that your product is properly registering. You should follow these steps to ensure your license is registered and properly functioning.

1. Open the VIPRE Console.

2. Select the Settings area.

3. Click Updates & Licensing.

4. Enter your registration key into the box and click Register.

5. Depending on which products you’ve licensed, you should see various modules display. If you have a full license, you will see:

Antispam

Antivirus

Attachment Filtering

Disclaimers

6. If these do not show up, retype your key and press Register again. This will request a new authentication from VIPRE.

4.5 Setup Email Notifications

In the event that your system experiences errors or critical stop points, you need to be notified and prepared to react. Accordingly, the experienced administrator should set up email notifications to alert them of any critical alerts or errors. To do so, you can follow these steps:

1. Navigate to Settings

2. Select the Notifications & Logging dropdown

3. Under Email Notifications, select Add

4. In the dialog box, enter your administrator's email address.

5. Click the Apply button.

6. Check the Enable email notifications checkbox

7. Click the Apply button again.

 

4.6 Network Configuration

Because VIPRE takes advantage of many networking capabilities, including the ability to retrieve multiple updates from various servers throughout the internet, we have drafted a set of recommended best network configuration practices that should allow VIPRE to operate unhampered in your environment.

SOAP requirements

In order for your system to properly retrieve updates, you must configure any hardware or software protocols to allow the SOAP protocol to be transmitted across the internet. If this is not done, updates will not complete properly.

Port 80 Exclusions

To retrieve updates from our update servers, you will need to ensure that port 80 is open for outbound connections to:

licensing.sunbeltsoftware.com (Port:80)

updates.sunbeltsoftware.com/spursspurs.aspx (Port: 80)

ec.sunbeltsoftware.com (Port: 80)

Unless properly accounted for, proxy servers can be the bane of your updates' existence with VIPRE. To ensure that you’re properly retrieving updates, make certain that you enter your proxy server information on the Proxy tab of the Updates and Licensing submenu within Settings. The exact configuration will depend on the type of proxy you’re operating.

5 Antispam

Antispam consists of connection filtering technology, as well as the Antispam Engine with custom rules, Real-time Blocked Lists, and DNS/reverse DNS authentication (SPF). Below are our recommended settings for these features.

5.1 RBL settings

RBL stands for Real-time blocked lists; we recommend ensuring that both of our RBL lists are applied. Pressing the RBL Settings button will enable the two default engines:

zen.spamhaus.org

bl.spamcop.net

These should both be checked and operating. Additionally, you will need to make sure the Enable RBL Check box is selected. If it’s not (like in the figure below) it will not work!

If you have to enable the Enable RBL Check checkbox, make sure you hit the Apply button when you are finished.

5.2 SPF Settings

SPF stands for Sender Policy Framework; it is a DNS and Reverse DNS framework designed to authenticate mail senders and prevent spoofing and spam practices. VIPRE uses SPF to enhance its security and aid users in preventing unwanted email.

If “Enable Sender Policy Framework” is checked, there will be an “X-Ninja-Spf” header added to every received message. This header will contain the result of the SPF check.

Possible results are: Pass, None, SoftFail, Fail, TempError, PermError, Neutral. (Fail is the same thing as HardFail)

SPF should be turned on with the Enable Sender Policy Framework checkbox. You then need to select either Block soft fail (allow) or Block hard fail (hard rejection).

5.3 Enable Default policy

To allow administrators the ability to configure VIPRE before deployment, VIPRE comes with the Default Antispam Policy set to disabled. To guard against spam, you should enable this policy by right-clicking on the policy and selecting Enable, like you see in the screenshot below.

5.4 Scores and email header explanation

To help you further refine your rules and monitor mail flow within your organization, we’d like to show you how VIPRE x-headers operate. Thus, here is the anatomy of the header from the Antispam plug-in:

1. The name of the plug-in

2. The Antispam policy the recipients were on (The number is the policy ID)

3. The action that was taken (This can be "Allowed," "Quarantined," or "Deleted")

4. The reason that action was taken. The possible entries here can be any of those listed in the dialog at Policies & Recipients -> Antispam -> [Policy] -> Rules -> Set Order...

5. The score given to a message:

a. Score from Antispam custom rules that modify points

b. Score from Antispam policy custom rules that modify points

c. Score from the Antispam Engine

d. The total of a, b, and c. This is what gets checked against the thresholds

If Part 4 of the header says anything other than "Final Score," the score will almost always be 0. This is because in this case it matched a rule that had an action other than modify score. In this case, we already know what to do with the message, so the engine is never run against it and no modify weight rules are run against it.

An example of one of the "almosts" would be if a message is going to several recipients on the same policy and one recipient has the sender in their personal Allowed Senders folder and none of the other recipients do.

That one recipient may see something like:

X-Ninja-Antispam: Policy 4 - Allowed - Allowed Senders (Personal) - 0,-50,25 (-25)
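
The header anatomy above, together with the X-Ninja-Spf result from section 5.2, can be checked mechanically when reviewing delivered mail. The following Python is an added example, not VIPRE code: it assumes every X-Ninja-Antispam value follows the single sample shown above and that the X-Ninja-Spf value begins with the result name, and the sample message and its addresses are constructed.

```python
import re
from email import message_from_string

# Layout inferred from the single sample header on this page (assumption).
ANTISPAM = re.compile(
    r"^Policy (?P<policy>\d+) - (?P<action>Allowed|Quarantined|Deleted) - "
    r"(?P<reason>.+) - (?P<a>-?\d+),(?P<b>-?\d+),(?P<c>-?\d+) "
    r"\((?P<total>-? ?\d+)\)$"
)
SPF_RESULTS = ("Pass", "None", "SoftFail", "Fail", "TempError", "PermError", "Neutral")

# Constructed sample message; the addresses are placeholders.
SAMPLE = (
    "From: ceo@example.com\n"
    "To: clerk@example.com\n"
    "X-Ninja-Spf: SoftFail\n"
    "X-Ninja-Antispam: Policy 4 - Allowed - Allowed Senders (Personal) - 0,-50,25 (-25)\n"
    "\nbody\n"
)


def parse_antispam(value):
    """Split an X-Ninja-Antispam value into policy, action, reason and scores."""
    m = ANTISPAM.match(" ".join(value.split()))  # also unfolds wrapped headers
    if not m:
        raise ValueError("unrecognised X-Ninja-Antispam value: %r" % value)
    scores = tuple(int(m.group(k)) for k in ("a", "b", "c"))
    total = int(m.group("total").replace(" ", ""))
    return {"policy_id": int(m.group("policy")), "action": m.group("action"),
            "reason": m.group("reason"), "scores": scores, "total": total,
            "total_consistent": sum(scores) == total}


def spf_result(value):
    """Assumption: the X-Ninja-Spf value starts with one of the result names."""
    words = value.split()
    first = words[0].rstrip(";:,").lower() if words else ""
    return next((r for r in SPF_RESULTS if r.lower() == first), None)


def review(raw_message):
    """List reasons a message's VIPRE verdict deserves a second look."""
    msg = message_from_string(raw_message)
    header = msg["X-Ninja-Antispam"]
    if header is None:
        return ["no X-Ninja-Antispam header"]
    verdict = parse_antispam(header)
    spf = spf_result(msg.get("X-Ninja-Spf", ""))
    findings = []
    if not verdict["total_consistent"]:
        findings.append("score total does not equal a+b+c")
    if verdict["action"] == "Allowed" and spf in ("Fail", "SoftFail"):
        findings.append("allowed despite SPF %s via %s" % (spf, verdict["reason"]))
    return findings
```

Running `review(SAMPLE)` reports the case section 4.2 describes: a message that failed the sender check but was delivered because the address sits in a personal Allowed Senders list.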

 

5.5 Attachment Filtering

We highly recommend the use of VIPRE “SMART rules,” that can block all email attachments other than those specifically defined by you. For example, if you wanted to block all attachments other than PDF files, you could define two rules: one that allows PDF and one that quarantines all attachments. This will allow the rule that's defined first (allow pdf) to be applied, and then for the other rule to disallow all other attachments.

You could, of course, repeat this procedure and allow common file types, such as .jpg, .gif, etc. In the wizard to add a filter, VIPRE includes many common file types, and allows you to define your own safe types.

Also, to ensure that your email attachments are properly being delivered to your recipients, you should make sure that you are filtering in the proper direction. Briefly summarized, filtering directions work like this:

Inbound Internal: Messages from internal user to internal recipient

Inbound External: Messages sent to an internal recipient from an external source

Outbound Internal: An outgoing message from an internal user to an internal recipient

Outbound External: An outgoing message from an internal user to an external recipient (any email sent outside of the internal network)

6 General Usage

This area of the best practices guide will show you some general usage best practices and how to make the most out of your purchase.

6.1 Disclaimers

When adding disclaimers to your VIPRE console, you should ensure that you first copy the text of the HTML template and paste it into the Plain Text template editor area as well. If you do not do this, the template will not display properly in both HTML and plain text format.

6.2 Conserving Licenses

Because VIPRE is a licensed per-mailbox product, there will probably be occasions when you will want to conserve the number of licenses you have in use. By default, VIPRE will consider a mailbox as active so long as that mailbox has a policy applied to it. However, as routine business operations (such as turnover and restructuring) occur, mailbox licenses will still be occupied as long as there is a policy applied to that mailbox, whether or not it’s sending or receiving mail.

To correct this and conserve your licenses, you can navigate to the recipient's area and perform a global search for the mailbox you’d like to exclude. Once you've found the mailbox, you can open it up and select “no policy” for the Antispam, Attachment Filtering, and Disclaimers policies. This will deactivate the mailbox from use, and also stop VIPRE from applying any sort of filtering. For the sake of clarity, we’ve included a screenshot.

AV protection is policy-based; you can, therefore, remove users from individual AV policies.

6.3 Disable “Junk Email Folder”

To provide a centralized method for SPAM management, you should disable the junk email folder from Outlook for your users. Otherwise, you may experience conflicts between the Junk Email Folder and the VIPRE Spam folder that cause SPAM to be caught in both areas. You can disable the Junk Email Folder through the Exchange Management Console.

6.4 Allowed Senders folder Usage

As a best practice, the Allowed Senders folder in VIPRE should only be used for very rare false positive emails. Outlook contacts do not need to be added to this folder, as they are added by default.

6.5 Blocked Senders folder usage

The Blocked Senders folder is best used as a folder for emails that are not from a SPAM provider but that you still wish to treat as SPAM. For example, if you have a former employee who is constantly sending you irritating emails, you could add this employee to the “Blocked Senders” folder. This will count all the employee’s email as SPAM.

When configuring custom SPAM handling rules and exceptions, you should do your best to avoid getting emails deleted upon being flagged. If this is done, the email will be removed as soon as it is sent. This means that in the case of a rare false positive, the email will be unrecoverable.

Contacting VIPRE Support or Sales