The main administration features

The primary tasks for a domain administrator, regarding Postini services, are: to enable or to disable the Google Apps services, to define categories of users, and to grant them different rights for different applications.

The Postini console should not be confused with the Google Apps administration console (which we shall cover in Chapter 7, Managing a Google Apps Domain).

Figure: The administration console for the Postini services

Once the Postini services have been activated, each user is granted default rights. These can be changed later by the administrator, either globally or individually. This last possibility is not recommended, however.

Managing user accounts

Creating users and organizations

In the Postini administration console, users in a Google Apps domain are arranged into hierarchies of organizations:

Figure: The hierarchy of organizations in the Postini console

By the time the system is activated, this hierarchy contains only two organizations. At the top level, there is the "Account Administrators org", which groups the administrator defined when the system was activated and a template user account called Default User. This template defines the default user authorizations for any newly created user in the domain. Directly below the "Account Administrators org" we have the "Users org", which contains all user accounts that were originally defined in the Google Apps console (see Chapter 7, Managing a Google Apps Domain).

Creating sub-organizations in this hierarchy is the preferred way to grant specific rights to some categories of users. By default, each sub-organization inherits the rights from the organization which is immediately above in the hierarchy. These default rights can be modified or refined.

Default authorizations

Administrators who are in charge of security should be aware of the default rights granted to users regarding their access to the Message Center. The following table summarizes the most important ones. By default, each user is granted the following authorizations:

Security or search feature                                     Access
Enabling/disabling the anti-spam filter                        Granted
Modifying the global threshold of the anti-spam filter         Granted
Modifying the threshold of the explicit content filter         Denied
Disabling the antivirus filter                                 Denied
Changing the locale                                            Granted
Searching the personal archive                                 Granted
Recovering messages from the personal archive                  Granted
Reading the reasons why a message was routed to quarantine     Granted
Having a message analyzed                                      Denied
Reading the attachments of a message in the quarantine         Granted

Default access rights granted to users
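The way rights flow down the hierarchy described above (the Default User template at the top, each sub-organization inheriting from the one immediately above it, and per-user changes on top of that) can be made concrete with a small model. The following is an added example written for this page, not Postini's own code: the rights dictionary is constructed from the default-rights table, and the sub-organizations "Finance", "Helpdesk" and "Finance analysts" are hypothetical. It also includes a check a security administrator would want when reviewing the hierarchy: which rights a sub-organization grants although its parent denies them.

```python
# Added example: resolving effective Message Center rights through an
# organization hierarchy. Illustrative code, not Postini's own; DEFAULT_USER
# is constructed from the default-rights table on this page and the
# sub-organizations below are hypothetical.

DEFAULT_USER = {
    "toggle_spam_filter": True,
    "adjust_global_spam_threshold": True,
    "adjust_explicit_content_threshold": False,
    "disable_antivirus": False,
    "change_locale": True,
    "search_personal_archive": True,
    "recover_from_personal_archive": True,
    "read_quarantine_reason": True,
    "request_message_analysis": False,
    "read_quarantined_attachments": True,
}


class Organization:
    """A node in the organization hierarchy; rights flow top-down."""

    def __init__(self, name, parent=None, overrides=None):
        self.name = name
        self.parent = parent
        self.overrides = dict(overrides or {})

    def effective_rights(self):
        # Start from the parent's effective rights (or from the Default User
        # template at the top) and apply this organization's own overrides.
        if self.parent is None:
            rights = dict(DEFAULT_USER)
        else:
            rights = self.parent.effective_rights()
        rights.update(self.overrides)
        return rights

    def widened_rights(self):
        """Rights this organization grants although its parent denies them.

        These are the places where a sub-organization escapes the policy
        inherited from above, so they deserve a second look during review.
        """
        parent_rights = self.parent.effective_rights() if self.parent else DEFAULT_USER
        return sorted(
            right for right, granted in self.overrides.items()
            if granted and not parent_rights.get(right, False)
        )


def effective_rights_for_user(org, user_overrides=None):
    """Per-user overrides sit on top of the organization's effective rights."""
    rights = org.effective_rights()
    rights.update(user_overrides or {})
    return rights


# Constructed hierarchy: the two organizations created at activation plus
# hypothetical sub-organizations under the Users org.
ACCOUNT_ADMINS = Organization("Account Administrators org")
USERS = Organization("Users org", parent=ACCOUNT_ADMINS)
FINANCE = Organization("Finance", parent=USERS,
                       overrides={"adjust_global_spam_threshold": False})
HELPDESK = Organization("Helpdesk", parent=USERS,
                        overrides={"request_message_analysis": True})
FINANCE_ANALYSTS = Organization("Finance analysts", parent=FINANCE)

if __name__ == "__main__":
    for org in (USERS, FINANCE, FINANCE_ANALYSTS, HELPDESK):
        print(org.name, "widens:", org.widened_rights() or "nothing")
    user = effective_rights_for_user(FINANCE_ANALYSTS, {"change_locale": False})
    print("Finance analyst may change locale:", user["change_locale"])
```

Running the script lists, for each organization, the rights it widens relative to its parent ("Helpdesk" is the only one that does) and shows that a per-user override is applied last.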

Defining user authorizations

One of the primary tasks for an administrator is to grant authorizations to the users of the domain being administered.

Figure: Defining the set of authorizations for a specific user

Managing filters for Gmail

Considering the complexity of the Postini console, we will not attempt a thorough coverage of each feature here; that would far exceed the scope of this book. We will only present the most important ones and refer the reader to the online documentation for more detailed information.

Recall that the various settings apply either to specific users or to organizations. Options are not quite the same in both cases, as the following two figures show:

Figure: The settings for the Postini services for a user organization

Figure: The settings for the Postini services for a specific user

The Antivirus filters

When a message infected by a virus is received, the default behavior of Postini is the following:

  • Return the message to the sender, whether it is inbound or outbound
  • Delete all infected messages whose recipient does not correspond to any user defined within the Google Apps domain

Individual user accounts

The administrator can enable or disable the antivirus for each account.

User organizations

The administrator can choose to route messages to the quarantine rather than sending them back to the sender.

The administrator can also decide to send messages whose recipient is unknown to a specific account.

The early detection mechanism may route some messages that were only suspected to be infected to the provisional quarantine (for a period of 8 hours); they will be analyzed further once the malware database has been updated. The administrator can enable or disable this service.

The anti-spam filters

We indicate below which settings can be adjusted for the spam filter, both for individual users and for user organizations. Recall that messages whose recipients are on a white list (defined either by the user or the administrator) automatically bypass any filtering.

Individual user accounts

The administrator can enable or disable the spam filter, adjust its global threshold, and the threshold for different categories:

Figure: Adjusting the anti-spam filter.

User organizations

At the level of an organization, the user can define the following parameters:

  • Enabling "return to sender" and deleting blatant spam
  • What to do with messages that lack an SMTP envelope: return to sender, route to quarantine, or delete
  • What to do with usual spam: route to quarantine, route to the quarantine of a specific user, or tag the message for separate processing on the mail server

Content filters

This category of filter analyzes the content of messages and attachments in order to identify illicit or confidential content. Specific words or patterns of characters can be declared as illicit and blocked. These filters are defined at the level of an organization. The most common uses include:

  • Blocking illicit content
  • Routing messages to quarantine when outbound messages with proprietary and confidential content are detected
  • Routing messages to quarantine when outbound messages with private information or credit card numbers are detected
  • Monitoring inbound and outbound messages but letting the recipients receive their mail

When messages are routed to the quarantine, a user will find them in his personal quarantine. The column labeled "reason for blocking" will display "Content" in this case. It is also possible to route illicit messages to the administrator's quarantine rather than to that of the user.

Regular expressions are a powerful tool for defining patterns of characters such as URLs, social security numbers, or account numbers. They are a standard notation used in many scripting tools, Perl for instance.

Without going into too much detail, here are a few examples of useful regular expressions (the backslashes are significant: "\W" means a non-word character and "\." a literal dot):

  • To filter URLs containing "badmail" (up to 25 URL characters between "badmail" and ".com"), use the following regular expression:
    badmail[\w.+%-]{0,25}\.com
  • To filter a word such as "Viagra", including many different spellings, use the following regexp:
    v[i!1][a@]gr[a@]
  • To filter a list of words such as word1, word2, or the phrase "word3 word4", use the following regexp:
    (\W|^)(word1|word2|word3 word4)(\W|$)

The Postini system supports the POSIX Extended Regular Expression (ERE).

The order in which the filters are applied affects the result of filtering. This order can be changed at any time.

Figure: An ordered list of content filters. The first two are the predefined filters; the last one was defined by the administrator.

A content filter is defined by at most three rules; each of them specifies the scope of the search and the type of rule that is being enforced. The filter is configured to match either when all of its rules apply or when at least one of them does.

Figure: A filter is defined by at most three rules.

Each filter from a list can be separately enabled or disabled. The action to take when a message is caught can also be defined for each filter. Predefined filters cannot be deleted but can be disabled.
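To show how the pieces of this section fit together (the three regular expressions given above, filters made of up to three rules combined with "all" or "at least one", an ordered filter list in which order changes the outcome, per-filter enable/disable, and a per-filter action), here is an added example written for this page. It is not Postini's own code and Postini's console does not expose it; it uses Python's re module, which for these patterns behaves like the POSIX ERE syntax the page mentions. The filter names, the action names ("bounce", "quarantine", "admin_quarantine", "deliver") and the "confidential project mail" filter are constructed for the example.

```python
# Added example: an ordered list of content filters, each made of one to
# three regex rules, evaluated the way this section describes. Illustrative
# code written for this page, not Postini's own. Action names and the
# sample messages are constructed.
import re
from dataclasses import dataclass, replace

FLAGS = re.IGNORECASE


@dataclass
class ContentFilter:
    name: str
    rules: list            # compiled regular expressions, at most three
    action: str            # what to do with a message this filter catches
    match_all: bool = False  # True: every rule must match; False: any rule
    enabled: bool = True

    def matches(self, text):
        hits = [rule.search(text) is not None for rule in self.rules]
        return all(hits) if self.match_all else any(hits)


def apply_filters(text, filters):
    """Walk the ordered list; the first enabled filter that matches decides.

    Returns (filter name, action), or (None, "deliver") when nothing matched.
    """
    for flt in filters:
        if flt.enabled and flt.matches(text):
            return flt.name, flt.action
    return None, "deliver"


# The three patterns from the page (backslashes restored), plus a two-rule
# filter that only fires when BOTH words are present.
FILTERS = [
    ContentFilter("badmail URL",
                  [re.compile(r"badmail[\w.+%-]{0,25}\.com", FLAGS)], "bounce"),
    ContentFilter("drug spam",
                  [re.compile(r"v[i!1][a@]gr[a@]", FLAGS)], "quarantine"),
    ContentFilter("word list",
                  [re.compile(r"(\W|^)(word1|word2|word3 word4)(\W|$)", FLAGS)],
                  "admin_quarantine"),
    ContentFilter("confidential project mail",
                  [re.compile(r"\bconfidential\b", FLAGS),
                   re.compile(r"\bproject\b", FLAGS)],
                  "admin_quarantine", match_all=True),
]

# Constructed sample message bodies.
SAMPLE_MESSAGES = [
    "Visit http://badmail-offers.com/deal now",
    "Cheap V!@GR@ here",
    "Please send word1 today",
    "keyword1 is harmless",            # word boundary: no match on "word1"
    "Confidential: project roadmap",   # both rules match
    "confidential notes",              # only one rule: no match
    "badmail.com sells viagra",        # two filters match; order decides
]

if __name__ == "__main__":
    for body in SAMPLE_MESSAGES:
        print(f"{body!r:45} -> {apply_filters(body, FILTERS)}")
    # Same message, filters in the opposite order: a different filter wins.
    print(apply_filters(SAMPLE_MESSAGES[-1], list(reversed(FILTERS))))
    # Disabling the first filter without deleting it has the same effect.
    print(apply_filters(SAMPLE_MESSAGES[-1],
                        [replace(FILTERS[0], enabled=False)] + FILTERS[1:]))
```

The last two calls illustrate the two points made about the filter list: reordering it changes which action a message receives, and a predefined filter that cannot be deleted can still be taken out of play by disabling it.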

Attachment filters

Like content filters, attachment filters are defined at the level of an organization. The most common uses for this kind of filter include:

  • Block inbound or outbound messages whose attachments are too large
  • Block messages that contain at least one executable file in their attachments
  • Block messages that contain at least one file whose type is prohibited by the enterprise's security policy

In summary, attachments are filtered both by file type and by size.

The settings that can be adjusted are:

  • The email address of the user whose mailbox will be used in case of quarantine routing
  • The error message to display when mail is returned to the sender
  • The maximum size of an attachment (<20 Gb)

For each kind of file (executable, archive, Office document, image, sound, multimedia, and so on) the administrator can define one of the following kinds of actions:

  • Approve the message
  • Return the message to the sender with an error message
  • Route the message to the user's quarantine
  • Route the message to the quarantine specified by the administrator without sending it to the original recipient
  • Route the message to the quarantine specified by the administrator while at the same time routing it without any warning to the original recipient

It is also possible to identify attachments through binary analysis rather than by the file extensions and to enable the analysis inside compressed archives.
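The difference between identifying an attachment by its extension and by its binary content, and the effect of looking inside compressed archives, is easiest to see on a concrete file. The following is an added example written for this page, not Postini's own code: it classifies attachments by their leading bytes (real file-format signatures) with a fallback to the extension, applies a constructed per-kind policy and size limit, and recurses into ZIP archives. The policy table, the action names and the sample attachments are constructed for the example.

```python
# Added example: attachment filtering by file kind and size, with optional
# binary identification and inspection inside ZIP archives. Illustrative
# code written for this page, not Postini's own; the policy, action names
# and samples are constructed.
import io
import zipfile

# Leading-byte signatures (real magic numbers) used for binary identification.
SIGNATURES = [
    (b"MZ", "executable"),         # DOS/Windows PE executable
    (b"\x7fELF", "executable"),    # ELF executable
    (b"PK\x03\x04", "archive"),    # ZIP container
    (b"%PDF", "document"),
    (b"\x89PNG", "image"),
]
EXTENSIONS = {".exe": "executable", ".dll": "executable", ".zip": "archive",
              ".pdf": "document", ".png": "image", ".txt": "text"}

# Hypothetical policy: the action to take per kind of file.
POLICY = {
    "executable": "bounce",
    "document": "approve",
    "image": "approve",
    "text": "approve",
    "archive": "quarantine",   # applies only when archives are not opened
    "unknown": "quarantine",
}


def kind_by_extension(name):
    dot = name.rfind(".")
    return EXTENSIONS.get(name[dot:].lower(), "unknown") if dot >= 0 else "unknown"


def kind_by_content(data):
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def evaluate(name, data, binary_analysis=True, inspect_archives=True,
             max_size=10 * 1024 * 1024, _depth=0):
    """Decide the action for one attachment; size is checked first."""
    if len(data) > max_size:
        return "bounce"
    if binary_analysis:
        # Content wins over the extension; fall back to the extension only
        # when no signature is recognised.
        kind = kind_by_content(data)
        if kind == "unknown":
            kind = kind_by_extension(name)
    else:
        kind = kind_by_extension(name)
    if kind == "archive" and inspect_archives and _depth < 3:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.infolist():
                    verdict = evaluate(member.filename, archive.read(member),
                                       binary_analysis, inspect_archives,
                                       max_size, _depth + 1)
                    if verdict != "approve":
                        return verdict   # the worst member decides
            return "approve"
        except zipfile.BadZipFile:
            return "quarantine"
    return POLICY[kind]


def build_sample_zip():
    """Constructed sample: a ZIP holding an executable disguised as a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice.pdf", b"MZ\x90\x00" + bytes(60))
        archive.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    disguised = b"MZ\x90\x00" + bytes(60)
    print("by extension:", evaluate("invoice.pdf", disguised, binary_analysis=False))
    print("by content:  ", evaluate("invoice.pdf", disguised))
    print("zip, opened: ", evaluate("docs.zip", build_sample_zip()))
    print("zip, closed: ", evaluate("docs.zip", build_sample_zip(), inspect_archives=False))
```

The disguised file is approved when only the extension is consulted and bounced once the leading bytes are examined; the same file inside a ZIP is caught only when archive inspection is on.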

Defining notifications

The quarantine summary is a message sent automatically by Postini. It contains the list of the messages that were recently routed to the quarantine. The frequency of these messages can be defined by the administrator but cannot exceed one per day.

Figure: An example of a quarantine message that informs users when one of their messages is routed to quarantine or when one was deleted

Besides the quarantine summary, there are other notification messages that the administrator can enable:

  • The welcome message informs new users when they connect for the first time that their messages are protected by Postini. The message also contains a link to the Message Center.
  • The virus alert informs the user that a message was infected and was put in quarantine.
  • The early detection alert informs the user that a message was suspected to be infected by malware and was routed to the temporary quarantine.
  • The first-spam message alerts users who have never accessed their Message Center that spam is being stored in their quarantine.

Managing archives

Recall that the message archive securely stores a copy of each message that goes through the Google Apps systems except for spam. The administrator has full access to this archive and can also delegate those rights to other users. Finally, the administrator can choose to grant individual users the authorization to access their personal archives.

The primary tasks of an administrator, regarding the management of archives, are the following:

  • To make sure that all messages are actually archived, even those that were sent to unknown recipients, the administrator should disable in Postini the option that returns mail to the sender in case of an unknown user (Non-Account Bouncing).
  • Furthermore, the administrator must check that sub-domains were properly added to the Google Apps domain aliases and that MX records were modified accordingly so that mail flows through Postini.
  • To avoid spam cluttering the archive, the option to automatically route towards a specific address in the case of an unknown recipient should be disabled.

Archiving can be enabled for a specific set of users.

The maximal retention time for a message is 10 years, provided you have subscribed to the Message Discovery service for that period of time. Should the retention period be modified, it will only apply to the newly archived messages. The previous retention period remains valid for the messages that are already in the archive.

Optimizing the security settings

Adjusting the anti-spam filter

As we have already seen, it is possible to adjust both an overall threshold and a threshold per category. Both kinds of settings have five levels. By default, the overall threshold is set to level "2" while the others are disabled. If the majority of users in a domain regularly receive spam from just one category, then, and only then, should the specific filter be activated. You should be aware, though, that specific filtering increases the chances that a valid message will be wrongly routed to the quarantine.

Another possibility for the administrator is to delegate the responsibility of filtering to users themselves. Users should however be warned in this case that they should check the quarantine regularly to make sure no desirable messages were wrongly deleted by an overzealous filter.

Clever usage of a few white lists and black lists that are updated on a regular basis often provides for the most efficient filtering.

Recovering a message from the quarantine

Both the Google Apps and the Message Security services from Postini have their own filters and their own quarantines. Therefore, when a user decides to recover a message that was routed to the quarantine, it may happen that this message is then considered as spam by Gmail's filter! The obvious solution is to explicitly declare this message as non-spam directly in Gmail.
