Best practices for deploying Symantec Messaging Gateway (SMG) appliances.

Physical location

Symantec recommends multiple SMG hosts are placed in the same physical location.

If Messaging Gateway hosts must be deployed in different remote locations and communication issues occur between hosts (i.e. outdated statistics, timeouts, host status not available on the GUI, etc), Symantec recommends that you have one Messaging Gateway Control Center at each location.

DNS records for each host

Each hostname must have a proper A and PTR record in your DNS. To ensure you have proper entries, use nslookup.

The following commands must return the same results for each host that you query.

Command:

nslookup mx.example.com

Note: This command asks if you have an A record against the hostname mx.example.com.

Example results:

Server: dnsserver.example.com
Address: 192.0.2.1
Name: mx.example.com
Address: 192.0.2.2

Command:

nslookup 192.0.2.2

Note: This command asks if you have a PTR record against the IP address 192.0.2.2

Example results:

Server: dnsserver.example.com
Address: 192.0.2.1
Name: mx.example.com
Address: 192.0.2.2

Note: This means that host mx.example.com resolves to IP address 192.0.2.2. The opposite is also true: IP address 192.0.2.2 resolves back to mx.example.com

SPF records

Sender Policy Framework helps protect against email forgery, and Symantec highly recommended you have DNS records for it.

To set up these records, see:

• SPF

Sender ID records

Sender ID is DNS-based, and helps maintain your sender reputation. See Sender ID on Microsoft.com.

Note: Symantec also supports this technology with Messaging Gateway, accessible by clicking Spam > Settings, and then clicking the Sender Authentication tab. Here we perform the same check against other external domains.

Enable outbound spam scanning on Messaging Gateway

By default, Messaging Gateway will not enable antispam scanning for outbound traffic. However, there are cases where this may help mitigate threats coming from your internal environment to the Internet that were previously unknown.

To enable outbound spam scanning

1. Log in to the SMG Control Center.
2. Click Administration > Users > Policy Groups.
3. In the right pane, click Default.
4. Click the Spam tab.
5. Check Enable outbound email spam scanning for this group.
6. In the drop-down menu, select the appropriate policies for Spam and Suspected Spam.
   
   Note: You can customize these policies later under the Spam tab.
    
7. Click Save.

Additional best practices

• Messaging Gateway and Cisco PIX firewalls
• Spam control best practices
• Symantec IP Reputation Investigation

Postmaster and SMTP error code resources

• AOL SMTP Error Messages
• Windows Live & Hotmail Mail Troubleshooting (includes SMTP Error Codes)

DNS and Open Relay testing tools

• intoDNS
• MXToolbox

Blacklist removal and bulk senders guidelines

• Gmail - Bulk Senders Guidelines