Why and how to migrate corporate email security to the cloud. Part 2
In the first part of this article, we discussed the main problems and needs of enterprises in securing email, as well as the general advantages and disadvantages of SaaS solutions for protecting corporate mail. In effect, we tried to answer the question “why.”
The second part of the article is devoted to the purely technical question of “how”: here we walk through the basic steps of pre-configuring a SaaS email security solution, using Panda Email Protection as the example. Once the preliminary configuration is done, you can safely switch the domain's MX records and enjoy “clean” mail.
Panda Email Protection is provided as a service, and therefore each mailbox protected by the solution requires a separate license from the pool of licenses available to the user.
The administrator can view the number of available and used licenses in Management → Dashboard → Status of subscriptions.
Consider the following points when calculating the total number of licenses required for your organization:
If the platform protects an existing domain (for example, “pandatest.ru”) with users already created under this domain, and you have another domain that is an alias of an existing domain (for example, “pandatest.com”), then the domain alias may be configured as a primary domain. All users represented in the primary domain will be simultaneously configured on the domain alias. These users do not require additional licenses.
Each license protects up to 5 email address aliases associated with a primary mailbox; the aliases are covered by the primary mailbox's single license.
In order for the system to recognize the aliases of a mail address under a single license, these aliases must be correctly configured in the system. Mail address aliases can be configured manually or through automatic registration via LDAP, provided that the Enable alias detection option is enabled. Note that alias detection is not available with automatic registration via SMTP. Therefore, LDAP integration is recommended if your organization has a large number of mail address aliases.
If your organization has mail address aliases protected by this solution, but they are not correctly configured as aliases in Email Protection, the platform will consume one license for each such alias. In that case, check the mailbox configuration in Email Protection.
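The licensing rules above are easy to get wrong when sizing a migration, so here is a small planning script, added as an example (it is not Panda's tooling). It applies exactly the rules the page states: one license per primary mailbox, up to 5 correctly registered aliases covered by that license, one extra license for every alias that is not registered as an alias, and, under SMTP auto-registration, one license for every address because all of them become primary mailboxes. One thing the page does not state is what happens beyond the fifth alias; the script counts those conservatively as one license each and marks that as an assumption. The inventory is constructed sample data for the article's pandatest.ru domain.

```python
"""License planning for a hosted mail filter, following the rules stated on the page.

Added example (not Panda's own tooling). Rules taken from the page:
  * one license per protected primary mailbox;
  * that license also covers up to 5 aliases correctly registered as aliases;
  * an alias that is not registered as an alias consumes a license of its own;
  * with SMTP auto-registration every address, alias or not, becomes a primary mailbox.
ASSUMPTION (not stated on the page; conservative for budgeting): aliases beyond
the fifth are counted like unregistered aliases, one license each.
"""
from dataclasses import dataclass, field

ALIASES_PER_LICENSE = 5


@dataclass
class Mailbox:
    address: str
    aliases: list = field(default_factory=list)               # registered as aliases in the console
    unregistered_aliases: list = field(default_factory=list)  # exist on the mail server, not registered as aliases


def licenses_for(mb: Mailbox, registration: str = "manual") -> int:
    """Licenses consumed by one primary mailbox and its aliases."""
    if registration == "smtp":
        # SMTP auto-registration cannot tell aliases apart: every address becomes a primary.
        return 1 + len(mb.aliases) + len(mb.unregistered_aliases)
    covered = min(len(mb.aliases), ALIASES_PER_LICENSE)
    overflow = len(mb.aliases) - covered  # ASSUMPTION: one license each
    return 1 + overflow + len(mb.unregistered_aliases)


def plan(mailboxes, registration="manual", available=0):
    """Total licenses needed, shortfall against the pool, and what to fix before migrating."""
    required = sum(licenses_for(mb, registration) for mb in mailboxes)
    warnings = []
    if registration == "smtp":
        n_alias = sum(len(mb.aliases) + len(mb.unregistered_aliases) for mb in mailboxes)
        if n_alias:
            warnings.append(f"SMTP auto-registration will register {n_alias} alias(es) as primary "
                            "mailboxes; prefer LDAP registration with alias detection")
    else:
        for mb in mailboxes:
            if mb.unregistered_aliases:
                warnings.append(f"{mb.address}: {len(mb.unregistered_aliases)} alias(es) not registered "
                                "as aliases, one license each; register them as aliases")
            if len(mb.aliases) > ALIASES_PER_LICENSE:
                warnings.append(f"{mb.address}: {len(mb.aliases)} aliases exceed the "
                                f"{ALIASES_PER_LICENSE} covered by one license")
    return {"required": required, "available": available,
            "shortfall": max(0, required - available), "warnings": warnings}


# Constructed sample inventory for the pandatest.ru domain used in the article (not real data).
SAMPLE = [
    Mailbox("alice@pandatest.ru", aliases=["a.smith@pandatest.ru", "sales@pandatest.ru", "info@pandatest.ru"]),
    Mailbox("bob@pandatest.ru", aliases=[f"bob{i}@pandatest.ru" for i in range(7)]),
    Mailbox("carol@pandatest.ru", aliases=["carol.j@pandatest.ru"],
            unregistered_aliases=["support@pandatest.ru", "help@pandatest.ru"]),
]

if __name__ == "__main__":
    for mode in ("manual", "smtp"):
        print(mode, plan(SAMPLE, mode, available=10))
```

Running it on the sample shows the point the page makes: the same three mailboxes cost 7 licenses with aliases properly registered but 16 under SMTP auto-registration, and the warnings list exactly the mailboxes whose alias setup should be fixed before the MX switch.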
Initial Email Protection Account Setup
Before securing domains and corporate email users, you must complete some initial setup steps. All configuration steps are performed from the management console, which is available at mep.pandasecurity.com/admin. Log in with your unique registration data.
If the initial configuration is not fully completed before you change the MX records in your DNS to point at Email Protection, incoming and outgoing messages will be rejected with a permanent error code, and those messages will never reach the addressee.
The configuration steps described when configuring outgoing mail filtering should be performed only if you want Email Protection to filter outgoing mail.
So, the basic steps for initial setup:
• Configure the domain(s) that the platform must protect
• Configure the email addresses that the platform must protect
• Customize the platform if you want to change the user interface design and the notifications sent to the mail addresses protected by the solution
• Change your MX records to redirect your mail to the Panda platform
Next, we will describe each of these steps in detail.
The first step is to configure the domain or domains that Email Protection should protect. To do this, go to Management → Domains. For each protected mail domain, create a new domain by clicking Create Domain.
The following information is required for each new domain:
Check the Register domain as an alias option if the domain is an alias of an existing domain that is already configured in the platform. In the Name field, enter the name of the protected domain (for example, “pandatest.ru”). Specify the contact mail address for notifications about this domain (for example, notifications about the progress of user synchronization or about the domain reaching the maximum available number of licenses).
You can limit the maximum number of licenses that can be used by users of this domain.
In addition, you can select the default language that will be used for the domain. All notifications for end users, as well as management consoles for users of this domain will be available in the specified language.
Then configure the host name or IP address to which Panda Email Protection will deliver incoming messages after filtering them. This should be the current address of your email server. If you have not yet redirected your MX records in DNS to Email Protection, use the Get SMTP button to populate the MX Host fields automatically. Verify that this field points to the current location of the mail server hosting the mailboxes you want to protect.
The platform allows you to configure several servers to which filtered messages will be delivered, each with a different priority. Verify that the Priority field contains a non-zero value, and note that the MX host with the highest priority must have the lowest numeric value.
After all the necessary MX hosts are configured correctly, click on SMTP Check to verify that the platform can communicate with the specified MX hosts.
If you have connection problems, check that the Panda Email Protection data centers can establish an SMTP connection with your mail servers. Below are the ranges of IP addresses of data centers:
Here you can either complete the configuration of the protected domain or define a Domain Administrator. Using the provided registration data, the domain administrator will be able to log in to the management console to change the domain's configuration parameters:
After all the fields are configured, save the domain parameters and proceed to the next step: setting up mail addresses.
Panda Email Protection requires that you configure each mailbox that the platform should protect. If you do not do this, either manually or through automatic registration, Panda Email Protection will reject all incoming and/or outgoing email, depending on which of your organization's mail flows (incoming and/or outgoing) the solution processes.
There are two ways to configure protected mailboxes:
• Manually: The administrator registers each mailbox (or mail address alias) individually. An administrator can also import a list of users (in .TXT or .CSV format).
• Automatically: The administrator configures the protected domains with one of the available automatic registration procedures: SMTP or LDAP.
These methods are not mutually exclusive: the administrator can configure some of the mailboxes manually and the rest automatically. Both procedures can be used in parallel.
Manual user setup
Mailing addresses that must be protected by the solution can be added manually through the management console. Go to Management → Users. This screen allows the administrator to create users with a primary mail address or an alias for the mail address associated with a primary mailbox that already exists in the system.
To create a user with a primary mail address, click Create User:
To create a new user in the system, the following minimum information is required:
• Domain: Select the domain that will contain the primary mailbox of the protected user.
• Language: The default language. It will be used for the management console and notifications for the user. By default, the system selects the language that was chosen when creating the protected domain.
• First Name, Last Name: This information is used for administrative purposes when compiling a list of users with their first and last names.
• User login: The email address associated with the user in the protected domain. Enter only the mailbox name, without the domain to which it belongs.
• Password: The system requires each user to have a password to access the user management console.
In the example above, we registered the following mailbox, which should be protected by the platform: "firstname.lastname@example.org". After you have entered all the data of the protected user, save the settings.
To configure an alias for the mail address associated with the primary mailbox, go to Management → Users and click Create user alias.
To create a user alias, the following information is required:
• Domain in which the alias will be created: The domain on which the alias of the mailing address is located. It must not match the domain that hosts the primary email address.
• Primary domain: The domain containing the primary email address with which you want to associate the created mail address alias.
• Alias: The alias name of the mailing address to be protected by the solution, without the "@" and domain.
• Primary account: Select the name of an existing primary email account.
After entering all the alias data, save the settings.
Import mailboxes from a list
Email Protection allows an administrator to manually import a list of users from a file. To do this, go to Management → Users → Import.
Before importing the list, prepare a file containing the names of the mailboxes (and aliases) that should be protected by Email Protection. The imported file must be in the form of a .CSV or .TXT file in the following format:
• Name, email address, password
• Name, email address
• Name, email address, password, comma-separated list of alias mail addresses.
A password and a comma-separated list of aliases are optional. If there is no password, then Email Protection will generate a random password during user import. Please pay attention to the following tips when creating complex passwords for users:
• Use uppercase and lowercase letters from “a” to “z” and the digits 0 to 9.
• Valid special characters: _ . -
• Length: 8 to 64 characters.
The email address included in the imported file must be in either of the following two formats:
• including the domain to which the mailbox belongs:
Michael Perk, email@example.com, aras249gt
Anthony Perkins, firstname.lastname@example.org, 32kios5d
Anthony Perkins, email@example.com, firstname.lastname@example.org, email@example.com
• not including the domain to which the mailbox belongs:
Michael Perk, mperk, aras249gt
Anthony Perkins, aperkins, 32kios5d
Anthony Perkins, aperkins, aperkins.alias1, aperkins.alias2
It is very important to import the file correctly depending on whether the imported list of mailboxes contains a domain or not. If the domain is present in the file, you must leave the "Domain:" field empty in the import menu. Otherwise, the import will fail.
Based on the previous paragraphs, select the file to import and click Import. The import process is not immediate; it may take several minutes depending on the number of users imported. Email Protection will notify the account administrator of the results of the import process by email.
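Since a failed import is only reported by email minutes later, it pays to validate the file locally first. The script below is an added example (not part of Panda Email Protection) that checks a .CSV/.TXT list against the rules just described: the three row formats, the password policy (8 to 64 characters; letters, digits, "_", "." and "-"), the requirement that all aliases use the same address form as the mailbox, and the rule that the Domain field in the import dialog must be empty exactly when the addresses already carry a domain. Because "@" is not a valid password character, a third field containing "@" is read as an alias rather than a password; a domain-less third field is read as the password, as the stated format says. The sample rows are the page's own examples.

```python
"""Validate a user-import file before uploading it through Management -> Users -> Import.

Added example, not part of Panda Email Protection. It follows the three row formats
stated on the page (name, address[, password[, alias, ...]]), the password policy
(8-64 characters; letters, digits, '_', '.', '-') and the rule that the Domain field in
the import dialog must be empty when addresses already carry a domain.
"""
import re
import secrets
import string

PASSWORD_RE = re.compile(r"^[A-Za-z0-9_.\-]{8,64}$")
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "_.-"


def generate_password(length: int = 16) -> str:
    """Policy-conforming random password for admins who prefer to set passwords
    themselves (otherwise the platform generates one during import)."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def parse_row(line: str) -> dict:
    fields = [f.strip() for f in line.split(",")]
    if len(fields) < 2 or not fields[0] or not fields[1]:
        raise ValueError("a row needs at least a name and an address")
    name, address, rest = fields[0], fields[1], fields[2:]
    password = None
    # '@' cannot occur in a password, so a third field containing it is an alias.
    if rest and "@" not in rest[0]:
        password = rest.pop(0)
    return {"name": name, "address": address, "password": password, "aliases": rest}


def parse_import(text: str, domain_field: str = ""):
    """Return (entries, errors). `domain_field` is what you would type into the
    import dialog's Domain field; pass '' when leaving it empty."""
    entries, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            row = parse_row(line)
        except ValueError as exc:
            errors.append(f"line {n}: {exc}")
            continue
        if row["password"] is not None and not PASSWORD_RE.match(row["password"]):
            errors.append(f"line {n}: password violates policy (8-64 chars; letters, digits, _ . -)")
        has_domain = "@" in row["address"]
        if any(("@" in a) != has_domain for a in row["aliases"]):
            errors.append(f"line {n}: aliases must use the same address form as the mailbox")
        entries.append(row)
    with_domain = [e for e in entries if "@" in e["address"]]
    if with_domain and len(with_domain) != len(entries):
        errors.append("file mixes addresses with and without a domain")
    elif with_domain and domain_field:
        errors.append("addresses already include a domain: leave the Domain field empty")
    elif entries and not with_domain and not domain_field:
        errors.append("addresses lack a domain: fill in the Domain field")
    return entries, errors


# The page's own sample rows, in both supported address forms.
SAMPLE_WITH_DOMAIN = """\
Michael Perk, email@example.com, aras249gt
Anthony Perkins, firstname.lastname@example.org, 32kios5d
Anthony Perkins, email@example.com, firstname.lastname@example.org, email@example.com
"""
SAMPLE_WITHOUT_DOMAIN = """\
Michael Perk, mperk, aras249gt
Anthony Perkins, aperkins, 32kios5d
Anthony Perkins, aperkins, aperkins.alias1, aperkins.alias2
"""

if __name__ == "__main__":
    for text, domain in ((SAMPLE_WITH_DOMAIN, ""), (SAMPLE_WITHOUT_DOMAIN, "pandatest.ru")):
        entries, errors = parse_import(text, domain)
        print(len(entries), "rows;", errors or "no errors")
```

Note the one ambiguity the stated format leaves: in a domain-less row such as the page's last example, the third field is indistinguishable from a password, so the validator treats it as one. If you intend a row to carry two aliases and no password, put an explicit password in the third field.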
Automatic user registration through SMTP
Email Protection can be configured to automatically register users using the SMTP protocol. This automatic mechanism allows you to automatically initialize users who are not yet represented in the system at the time of processing the first message addressed to the protected mailbox.
Automatic user registration through SMTP is configured by domain. Go to Management → Subscription Type and select SMTP, as shown in the picture:
Then save the settings. After saving the settings, the system will ask the administrator to specify the mail address of an existing user in the domain that needs to be protected.
This is to check if the email server is valid for automatic user registration through SMTP. If the check fails, then your mail server is not suitable for automatic user registration.
As a rule, this is due to the fact that the mail server is not able to reject mail addresses from non-existent users in the organization. In Microsoft Exchange, this feature is known as “Recipient Validation” and must be enabled for automatic registration to work.
If this check fails, Email Protection will not allow you to configure automatic user registration through SMTP.
After setting up automatic registration through SMTP, the system will automatically initialize a new user when the first message is received for him in Email Protection.
One important point to consider when enabling automatic registration through SMTP: every mail address in your organization, whether it is a primary mailbox or an alias, will be added to Email Protection as a primary mailbox. This matters when calculating the required number of licenses. If your organization makes heavy use of mailbox aliases, we advise enabling automatic registration through LDAP together with alias detection.
Automatic user registration through LDAP (Active Directory)
Another automatic registration mechanism provided by the platform is the use of LDAP queries to the directory service in your organization. This is the recommended registration mechanism for medium and large organizations.
The main difference between automatic registration through SMTP and LDAP is that LDAP initialization allows you to detect mailbox aliases and automatically associate them with primary mailboxes.
Automatic LDAP registration can be enabled globally or for each domain. We recommend that you configure it globally if all the domains protected by the solution are regulated by the same domain controller or the LDAP directory service. Configure automatic registration through LDAP for each domain if your organization has an independent directory server for each domain.
Minimum requirements for setting up automatic registration through LDAP:
• Panda Security cloud servers must be able to connect to your directory service (Active Directory / Lotus / LDAP) using a public IP address or using a fully-qualified domain name available on the Internet.
• Panda Security cloud servers will request your directory service using LDAP or LDAPS.
• Panda Security cloud servers can make anonymous requests, although we recommend that you create a dedicated user to perform LDAP requests.
• The ranges of IP addresses from which we will send requests to your directory service:
When integrating automatic registration through LDAP with Active Directory, you need to create a user that belongs to the "Domain Users" group and note its credentials. Follow these steps on your organization's primary domain controller to create this user:
1. Create a user who belongs to the Domain Users group.
2. The password assigned to the user may contain only letters, numbers, and the symbols "_" and "-". Please do not use other characters.
3. Indicate that the password cannot be changed by the user and that it never expires.
After you have created the user, you should get the path to the unique name (Distinguished Name) of the user. To do this, open a command prompt window in your domain controller and run the following command:
dsquery.exe user -name [USER]
Example: If the user you created for LDAP queries is named “panda”, the command to run and its output will be:
dsquery.exe user -name panda
"CN=panda,CN=Computers,DC=dctest,DC=local"
The query user to configure in the management console is the value returned by the previous command:
'CN=panda,CN=Computers,DC=dctest,DC=local'
After you have obtained the user's Distinguished Name, configure automatic registration through LDAP under Management -> Subscription Type -> LDAP [Configure].
The following section describes the most common settings used to configure automatic registration through LDAP using Microsoft Active Directory:
• Directory type: Active Directory. If you use a different directory service, specify it here.
• Host: The IP address or FQDN used to connect to your domain controller. Note that this IP/FQDN must be reachable from the Panda cloud servers.
• Port: 389 (default).
• Anonymous connection: [Unchecked] Microsoft Active Directory does not allow anonymous connections. This option should remain unchecked.
• Username: A valid DN must be entered here. Enter the DN returned by the dsquery.exe command run on the domain controller: CN=panda,CN=Computers,DC=dctest,DC=local
• Password: Specify the password assigned to the user that was created for LDAP queries.
After all the data has been entered correctly, click the Check button. The system will check if the Panda Security cloud servers can connect to the specified host and port, and whether the specified login information is correct. If an error occurs, please check again whether the connection from the Panda Security cloud servers to your infrastructure is allowed, and if the user registration information is correct.
• Primary unique name (base DN): The starting point in the LDAP tree from which Email Protection will look for users in your organization.
It is recommended to set the starting point as close as possible to the root of the organization tree so that the solution can find all users regardless of the organizational unit in which they are located. The primary unique name can be derived from the DN of the user created for LDAP queries: with Active Directory it usually matches the part of the user's DN that starts with DC. In our example it is: DC=dctest,DC=local
• Level: Select this option if all users in your organization are located directly at the point where the search is performed.
• Subtree: Select this option to search for users at this level and at all levels below it in the LDAP structure. It is recommended when the Primary unique name has been configured close to the root of the tree.
In our example, the Subtree option must be used so that users at levels below the selected path can be found.
User Name Search
These values will be filled in automatically when you select the type of directory service used in your organization (Active Directory / Open LDAP / Lotus Domino). If you have configured Active Directory, you usually need to select the Attribute option, which contains the email address.
Then click the Check button to verify that the directory service settings are correct. The administrator will be asked to enter a valid primary email address from your organization (not an alias!), and the system will check whether it can find it using the current settings.
If the specified email address was not found during the check, please check the configuration specified in this section with the administrator of your domain. The layout used in your organization may differ from the examples used here.
Search for aliases
This feature makes automatic user registration through LDAP much more attractive than using SMTP. We strongly recommend that you enable this option if you have configured registration through LDAP.
• Attribute that contains an alias: proxyAddresses. Most Active Directory + Exchange installations use this attribute (proxyAddresses) to store the aliases of a user's email address.
• LDAP filter: (objectclass=*). You can specify other filter options here to retrieve only the required information.
• Is the field ambiguous? No
• Alias delimiter: Enter ':'
• Is the alias in the same object as the mailing address? Yes
These values are common with the standard Active Directory schema. After you have configured this section, you must check the settings using the "Check" button. Enter a valid email alias in your organization. The system should return the appropriate primary email address for the alias. The following figure shows how to configure this section, as well as the result of the verification:
If the verification did not return the primary email address associated with the specified alias, check the values specified in this section again with your domain administrator, since your corporate layout may differ from the standard schema that ships with Microsoft products.
User data recovery
In this section, you can specify which attributes in your directory schema contain full user names, so that users are easier to identify when they are registered automatically. A typical configuration for Microsoft Active Directory is as follows:
• Attribute that contains the user's last name: displayName
• Stores the first and last name together: Selected.
After specifying all the necessary information, save the settings.
Pay attention to the following points when specifying the necessary information to configure the registration mode through LDAP.
You must perform the following checks:
• Verify that the connection to your domain controller is correct.
• Check that Email Protection is able to find users on your directory server (section Search for username).
• If the Enable alias detection option is enabled, check that Email Protection is able to return the primary email address by the alias of the email address.
If an error occurs during any of the previous checks, then save the configuration and return to the appropriate section later to reconfigure the options after checking the values with your Domain Administrator.
This example corresponds to the Active Directory directory service. The specific configuration may vary greatly depending on the schema used in your organization, or if the default Microsoft Active Directory schema has been changed.
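To make the LDAP settings above concrete (base DN derived from the query user's DN, Level versus Subtree search scope, alias detection over proxyAddresses with ':' as the delimiter, and displayName as the name attribute), here is an offline model of what the registration logic does. It is an added example, not Panda's code: the directory is a constructed in-memory list of entries standing in for the results a real LDAP subtree search would return, and the primary address is taken from the mail attribute, which is the usual choice for the "attribute that contains the email address" setting. The Exchange convention of storing aliases as smtp:alias@domain values in proxyAddresses is real; the entries themselves are invented.

```python
"""Offline model of LDAP-based user registration with alias detection.

Added example, not Panda's code. It mirrors the Active Directory + Exchange settings the
page lists: primary address taken from the 'mail' attribute, aliases from proxyAddresses
split on ':' (Exchange stores them as 'smtp:alias@domain'), alias and primary on the same
object, displayName carrying the full name, and the search base derived from the DC part
of the query user's DN. DIRECTORY is a constructed in-memory stand-in for search results.
"""


def normalize_dn(dn: str) -> str:
    # Naive RDN handling (no escaped commas), sufficient for the stock AD layout shown here.
    return ",".join(p.strip() for p in dn.split(",")).lower()


def base_dn_from_user_dn(user_dn: str) -> str:
    """Page rule of thumb: the search base is the part of the query user's DN starting with DC=."""
    return ",".join(p.strip() for p in user_dn.split(",") if p.strip().upper().startswith("DC="))


def in_scope(dn: str, base_dn: str, scope: str) -> bool:
    """'level' = only direct children of the base; 'subtree' = the base and everything beneath it."""
    dn_n, base_n = normalize_dn(dn), normalize_dn(base_dn)
    if scope == "subtree":
        return dn_n == base_n or dn_n.endswith("," + base_n)
    if scope == "level":
        parent = dn_n.split(",", 1)[1] if "," in dn_n else ""
        return parent == base_n
    raise ValueError(f"unknown scope {scope!r}")


def addresses_of(entry: dict, alias_attr: str = "proxyAddresses", delimiter: str = ":"):
    """Return (primary, [aliases]) for one directory object."""
    primary = (entry.get("mail") or "").lower() or None
    aliases = []
    for value in entry.get(alias_attr, []):
        kind, _, addr = value.partition(delimiter)
        addr = addr.lower()
        # Only smtp-type proxy addresses are mail aliases; X400 and others are skipped.
        if kind.lower() == "smtp" and addr and addr != primary:
            aliases.append(addr)
    return primary, aliases


def resolve_users(directory, base_dn: str, scope: str = "subtree") -> dict:
    """What auto-registration would create: {primary: {'name': ..., 'aliases': [...]}}."""
    users = {}
    for entry in directory:
        if not in_scope(entry["dn"], base_dn, scope):
            continue
        primary, aliases = addresses_of(entry)
        if primary:
            users[primary] = {"name": entry.get("displayName"), "aliases": aliases}
    return users


def lookup_alias(users: dict, alias: str):
    """The console's alias 'Check': primary address for an alias, or None if not found."""
    alias = alias.lower()
    for primary, info in users.items():
        if alias in info["aliases"]:
            return primary
    return None


QUERY_USER_DN = "CN=panda,CN=Computers,DC=dctest,DC=local"  # DN returned by dsquery on the page

# Constructed directory content (not real data); the query user has no mailbox.
DIRECTORY = [
    {"dn": "CN=Anthony Perkins,OU=Sales,OU=Staff,DC=dctest,DC=local",
     "displayName": "Anthony Perkins", "mail": "aperkins@pandatest.ru",
     "proxyAddresses": ["SMTP:aperkins@pandatest.ru", "smtp:anthony.perkins@pandatest.ru",
                        "smtp:aperkins@pandatest.com", "X400:c=RU;a= ;p=pandatest;o=Exchange;s=Perkins"]},
    {"dn": "CN=Michael Perk,OU=Staff,DC=dctest,DC=local",
     "displayName": "Michael Perk", "mail": "mperk@pandatest.ru",
     "proxyAddresses": ["SMTP:mperk@pandatest.ru", "smtp:sales@pandatest.ru"]},
    {"dn": QUERY_USER_DN, "displayName": "panda", "proxyAddresses": []},
]

if __name__ == "__main__":
    base = base_dn_from_user_dn(QUERY_USER_DN)
    print("base DN:", base)
    print("level search under OU=Staff:", list(resolve_users(DIRECTORY, "OU=Staff,DC=dctest,DC=local", "level")))
    print("subtree search under base:", resolve_users(DIRECTORY, base))
    print("alias check:", lookup_alias(resolve_users(DIRECTORY, base), "Anthony.Perkins@pandatest.ru"))
```

The Level versus Subtree difference is visible in the output: a Level search rooted at OU=Staff finds only Michael, because Anthony sits one OU deeper, while a Subtree search from the base DN finds both and maps anthony.perkins@pandatest.ru back to aperkins@pandatest.ru, which is what the alias Check in the console should also return.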
After completing the configuration of the domain and users, the platform is ready to protect users belonging to the configured domains. The next step is to personalize the platform itself using the Personalization menu . We recommend that you configure the following basic parameters:
Welcome message
If you selected any of the available automatic registration modes (SMTP or LDAP), you can configure the platform to send invitation letters to automatically registered users. This message will contain registration data that will allow the user to access their user console. If you want your users to know that there is a control panel where they can manage their email filtering options and access spam messages stored in the system quarantine, enable the corresponding option (it is disabled by default) .
The administrator can upload their logo, which will appear in all system notifications sent to users protected by this solution, as well as in the user management console. To do this, go to Personalization -> Logos.
Please note that all personalization settings can be performed globally or for each domain individually. The level at which personalization options will be applied can be selected using the “Show Settings” option at the top of the page.
Setting up MX records for your DNS server
After all the previous steps have been completed, the platform will be ready to protect incoming letters intended for your organization. To integrate Email Protection into the email delivery system in your organization, change the MX records of the protected domains so that they point to the following service hosts:
The MX records listed here may differ depending on your configuration. Check the current MX records of the service under Manuals -> Settings Information. Consult this section before making any changes to DNS.
We advise you to specify the same priority (for example, “10”) for both MX records to achieve load balancing within the Email Protection platform.
Please note that Panda Security does not have access to your MX records. This task must be completed by you, as DNS records are available only to you.
After making the appropriate changes, Email Protection will begin to process incoming mail intended for your organization, blocking spam messages and delivering only "clean" emails to your mail servers.
Additional security settings (firewall)
Once the MX records of the domains protected by this solution have been changed, you can restrict delivery of incoming messages to your mail servers by accepting inbound SMTP connections only from the IP address ranges belonging to the Panda Security cloud servers. Below are the ranges of IP addresses from which incoming mail is delivered to your organization:
Configure Outbound Filtering in Email Protection
Email Protection can also be configured to filter outgoing mail sent from your organization to the Internet. This step is optional. Outbound filtering is independent of incoming filtering. However, for outgoing mail filtering to work correctly, you must correctly configure incoming filtering (domains and users must be correctly configured in Email Protection).
To configure outgoing mail filtering through Email Protection, you need to define a “Smart Host” on your company's mail server so that all outgoing messages are delivered to the Panda Security cloud. Email Protection will filter your outgoing messages by sending only "clean" mail to the recipient's mail server.
When setting up “Smart Host”, use the following hostname of the service:
The steps to configure the service host used for outgoing mail may vary depending on your configuration. The Smart Host to use is specified in the management console (Manuals -> Settings Information). Check this section before making any changes to your mail service.
The SMTP session with your Smart Host must be configured as an Authenticated SMTP session. Use the same credentials (user and password) that were provided to you to access the management console: mep.pandasecurity.com/admin .
Configure SPF records in your DNS
Regardless of whether you configured outgoing mail filtering or only configured incoming filtering in Email Protection, we recommend that you change the SPF records of your domains to include the IP address ranges of our data centers. Do this if your outgoing traffic is filtered through the Panda Email Protection solution. In this way, you can prevent situations when the recipient's mail servers will refuse to deliver messages arriving from the Panda Security cloud servers. To do this, add the following IP address ranges to your SPF records:
Example domain-specific SPF record:
"v=spf1 ip4:126.96.36.199/25 ip4:188.8.131.52/24 ip4:184.108.40.206/24 ip4:[OTHER CUSTOMER IP ADDRESSES] ~all"
We recommend that you add the IP addresses of the Panda Security cloud servers to your current SPF records in your DNS.
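The two places where the cloud servers' IP ranges matter are the firewall rule from the "Additional security settings" section (accept inbound SMTP only from those ranges) and the SPF record above (authorize those ranges to send for your domain). The script below is an added example, not Panda's code, that does both: an allow check for an SMTP peer address, a merge that inserts the ip4 mechanisms into an existing SPF record ahead of the trailing "all" without duplicating what is already there, and a minimal SPF evaluator to confirm the result. The three ranges are the ones in the page's sample record and are placeholders; the real data-centre ranges must be copied from the console (Manuals -> Settings Information). The evaluator handles only ip4/ip6 and "all"; include, a and mx mechanisms need DNS and are out of scope here.

```python
"""Use the mail filter's source IP ranges for an inbound SMTP allow check and for SPF.

Added example, not Panda's code. FILTER_RANGES holds the ranges from the page's sample SPF
record as placeholders for the real data-centre ranges listed in the console. The SPF
evaluator understands ip4/ip6 mechanisms and the trailing 'all' only.
"""
import ipaddress
import re

FILTER_RANGES = ["126.96.36.199/25", "188.8.131.52/24", "184.108.40.206/24"]  # placeholders

ALL_RE = re.compile(r"^[-~+?]?all$", re.IGNORECASE)


def _networks(ranges):
    # strict=False accepts a host address with a prefix (as in the page's example)
    # and yields the network that contains it.
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def smtp_peer_allowed(peer_ip: str, ranges=FILTER_RANGES) -> bool:
    """Firewall rule in code: accept inbound SMTP to the mail server only from the filter's ranges."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in _networks(ranges))


def merge_spf(existing: str, ranges=FILTER_RANGES) -> str:
    """Add ip4: mechanisms for `ranges` to an SPF record, ahead of the final 'all', without duplicates."""
    terms = existing.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    body, tail = terms[1:], []
    if body and ALL_RE.match(body[-1]):
        tail = [body.pop()]          # keep the 'all' mechanism last
    present = {t.lower() for t in body}
    for r in ranges:
        mech = f"ip4:{r}"
        if mech.lower() not in present:
            body.append(mech)
            present.add(mech.lower())
    return " ".join(["v=spf1", *body, *tail])


def spf_result(record: str, sender_ip: str) -> str:
    """Qualifier of the first matching mechanism: '+' pass, '-' fail, '~' softfail, '?' neutral."""
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return qualifier
        kind, _, value = term.partition(":")
        if kind.lower() in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return qualifier
    return "?"  # nothing matched and no 'all' mechanism: neutral


if __name__ == "__main__":
    before = "v=spf1 ip4:203.0.113.0/24 ~all"   # constructed existing record with the customer's own range
    after = merge_spf(before)
    print(after)
    print("filter IP allowed by firewall:", smtp_peer_allowed("188.8.131.77"))
    print("filter IP passes SPF:", spf_result(after, "188.8.131.77"))
```

Two details worth noticing when you adapt this: the page's first range is written as a host address with a /25 prefix, so the network that actually contains it is 126.96.36.128/25 and addresses below .128 are not covered; and the merge is idempotent, so rerunning it after the console publishes an updated range list only appends what is new.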
So, after completing all the above steps, you can pre-configure your account and redirect mail through the Panda Security servers. Moreover, the default Email Protection options let you start filtering mail immediately. After that comes the most interesting part: holding the unique “execute or pardon” rights, you can configure all the necessary filtering options to reach the optimal level of corporate email security.
Email Protection to help you!
PS If you want to get free access to the service for a month, fill out the form on the website or send this information to the address.