Using Google/Gmail Apps as a Lightweight Postini Replacement

I work for a large company that uses Postini for Enterprise spam filtering and it does a fantastic job. It’s actually famous for being one of the very few spam filter capable of blocking UCEs from the “Cajun Spam King” (No, Scelson doesn’t sound very Cajun to me…). And in researching for this article, I even found out that Postini will provide spam and anti-virus filtering for Gmail.

To use Postini, you pay them a good amount of money, change your company’s MX record to point to their servers and then they filter your email, removing nearly all the spam. From there, the Postini servers forward the scrubbed emails to your own mail gateway, presumably a sendmail or Exchange machine. They may also keep archives of it if you pay them extra. The whole process looks something like the visual seen below:

Last week, I realized that Google Apps can actually do something similar, free of charge. The service, formerly called Google Apps For Your Domain, offers an unlimited amount of email accounts for your domain, each with 2GB of space each, mobile access (including Blackberry access) all for free with the Standard account. The Premier Edition ($50/year per mailbox) offers 10GB of disk space, API stuff, guaranteed uptime, phone support, and e-mail migration tools coming soon.

So I saw that Google was offering e-mail hosting, but didn’t really know how it could apply to me. I like having control over my mail – I’ve been hosting my own for about a decade and it never really crossed my mind to point my MX records to anywhere but my own machines. Exchange’s NS-IMF (Not-so-Intelligent Mail Filtering) spam filtering is really weak and inaccurate, however, and overwhelming false positives were becoming a pain. After thinking it out, I realized that I could outsource my spam filtering to Google/Gmail Apps by taking an approach similar to the way that Postini sets up their own customers.

I signed up netnerds.net for an Application account on Google Apps and started the process. I deleted my MX record and in its place, added the 7 or so MX records that Google gave me. Now my records look something like this:

netnerds.net MX preference = 5, mail exchanger = alt2.aspmx.l.google.com
netnerds.net MX preference = 10, mail exchanger = aspmx2.googlemail.com
netnerds.net MX preference = 10, mail exchanger = aspmx3.googlemail.com
netnerds.net MX preference = 10, mail exchanger = aspmx4.googlemail.com
netnerds.net MX preference = 10, mail exchanger = aspmx5.googlemail.com
netnerds.net MX preference = 1, mail exchanger = aspmx.l.google.com
netnerds.net MX preference = 5, mail exchanger = alt1.aspmx.l.google.com

Then I logged in to Google Apps e-Mail (which I’ve addressed as “Gmail For Your Domain” in the illustration below) and created the two whole user accounts/mailboxes that are valid on netnerds.net. Next, I went and added a new A record for a supersecret subdomain and (one by one), told Gmail to forward all the email to [email protected] I then setup Exchange’s recipient policy to accept e-mails for supersecrethost.netnerds.net and then ensured each of the two user accounts and their aliases were set as valid recipients. I also disabled IMF at the host level (SMTP -> Default SMTP -> Properties -> General -> Advanced -> Edit -> Uncheck Apply Intellingent Mail Filter) and instructed my other user to disable it at the Outlook level (Actions -> Junk E-mail -> Junk E-mail Options -> Poke around). So here’s sorta what it looks like:

Using Google’s Admin interface, I also added a subdomain http://gmail.netnerds.net that automatically directs to the Gmail Apps e-mail login page. Now we can use one of three interfaces to check our mail: Outlook Web Access, Exchange/Outlook, or Google. I decided to use Office 2007 as my primary e-mail client but I login to gmail.netnerds.net every couple days to check my spam box for false positives.

    

Because of the manual creation of the email accounts and the subsequent forwarding, this doesn’t scale without a huge time investment. Using the Google API’s that come with the Premier Edition, however, it would probably be easy to setup something similar on a mass scale. I also considered wildcards forwarding at Google’s end (which is supported) then filtering again at my end using Exchange Sinks but my setup is too small to justiy the kind of time I’d spend doing that.

Two final notes: first, by selecting the forwarding option “Forward then Delete” and thus preventing Google Apps from being a Store and Forward, the 2GB storage limit wouldn’t pose any sort of restriction for those needing super large mailboxes. The drawback, of course, is if you choose that option, you can no longer use the Gmail interface to check your mail. Second, Google Apps does provide support for additional domains — I’m currently using it for RealCajunRecipes.com.

Chrissy is a Cloud and Datacenter Management & Data Platform MVP who has worked in IT for over 20 years. She is the creator of the popular SQL PowerShell module dbatools, holds a master's degree in Systems Engineering and is coauthor of Learn dbatools in a Month of Lunches. Chrissy is certified in SQL Server, Linux, SharePoint and network security. You can follow her on Twitter at @cl.

Posted in Exchange, Security