Using Google/Gmail Apps as a Lightweight Postini Replacement

I work for a large company that uses Postini for Enterprise spam filtering and it does a fantastic job. It’s actually famous for being one of the very few spam filters capable of blocking UCEs from the “Cajun Spam King” (No, Scelson doesn’t sound very Cajun to me…). And while researching this article, I even found out that Postini will provide spam and anti-virus filtering for Gmail.

To use Postini, you pay them a good amount of money, change your company’s MX record to point to their servers and then they filter your email, removing nearly all the spam. From there, the Postini servers forward the scrubbed emails to your own mail gateway, presumably a sendmail or Exchange machine. They may also keep archives of it if you pay them extra. The whole process looks something like the visual seen below:

Last week, I realized that Google Apps can actually do something similar, free of charge. The service, formerly called Google Apps For Your Domain, offers an unlimited number of email accounts for your domain, each with 2GB of space and mobile access (including Blackberry access), all for free with the Standard account. The Premier Edition ($50/year per mailbox) offers 10GB of disk space, API stuff, guaranteed uptime, phone support, and e-mail migration tools coming soon.

So I saw that Google was offering e-mail hosting, but didn’t really know how it could apply to me. I like having control over my mail – I’ve been hosting my own for about a decade and it never really crossed my mind to point my MX records to anywhere but my own machines. Exchange’s NS-IMF (Not-so-Intelligent Mail Filtering) spam filtering is really weak and inaccurate, however, and overwhelming false positives were becoming a pain. After thinking it out, I realized that I could outsource my spam filtering to Google/Gmail Apps by taking an approach similar to the way that Postini sets up their own customers.

I signed up netnerds.net for an Application account on Google Apps and started the process. I deleted my MX record and in its place, added the 7 or so MX records that Google gave me. Now my records look something like this:

netnerds.net MX preference = 5, mail exchanger = alt2.aspmx.l.google.com
netnerds.net MX preference = 10, mail exchanger = aspmx2.googlemail.com
netnerds.net MX preference = 10, mail exchanger = aspmx3.googlemail.com
netnerds.net MX preference = 10, mail exchanger = aspmx4.googlemail.com
netnerds.net MX preference = 10, mail exchanger = aspmx5.googlemail.com
netnerds.net MX preference = 1, mail exchanger = aspmx.l.google.com
netnerds.net MX preference = 5, mail exchanger = alt1.aspmx.l.google.com

Then I logged in to Google Apps e-Mail (which I’ve addressed as “Gmail For Your Domain” in the illustration below) and created the two whole user accounts/mailboxes that are valid on netnerds.net. Next, I went and added a new A record for a supersecret subdomain and (one by one) told Gmail to forward all the email to [email protected]. I then set up Exchange’s recipient policy to accept e-mails for supersecrethost.netnerds.net and ensured each of the two user accounts and their aliases were set as valid recipients. I also disabled IMF at the host level (SMTP -> Default SMTP -> Properties -> General -> Advanced -> Edit -> Uncheck Apply Intelligent Mail Filter) and instructed my other user to disable it at the Outlook level (Actions -> Junk E-mail -> Junk E-mail Options -> Poke around). So here’s sorta what it looks like:

Using Google’s Admin interface, I also added a subdomain http://gmail.netnerds.net that automatically directs to the Gmail Apps e-mail login page. Now we can use one of three interfaces to check our mail: Outlook Web Access, Exchange/Outlook, or Google. I decided to use Office 2007 as my primary e-mail client but I login to gmail.netnerds.net every couple days to check my spam box for false positives.
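A quick way to check the DNS side of this setup, as an added example that is not part of the original post: it parses the nslookup-style MX lines listed earlier, orders them the way sending servers try them, and flags any exchanger that would let mail skip the filter. The provider suffix list is an assumption; the backend hostname is the one the post uses.

```python
import re

# MX lines exactly as listed in the post (nslookup-style output).
MX_OUTPUT = """\
netnerds.net MX preference = 5, mail exchanger = alt2.aspmx.l.google.com
netnerds.net MX preference = 10, mail exchanger = aspmx2.googlemail.com
netnerds.net MX preference = 10, mail exchanger = aspmx3.googlemail.com
netnerds.net MX preference = 10, mail exchanger = aspmx4.googlemail.com
netnerds.net MX preference = 10, mail exchanger = aspmx5.googlemail.com
netnerds.net MX preference = 1, mail exchanger = aspmx.l.google.com
netnerds.net MX preference = 5, mail exchanger = alt1.aspmx.l.google.com
"""
# Assumption: these suffixes identify the filtering provider's exchangers.
FILTER_SUFFIXES = (".google.com", ".googlemail.com")
# Forwarding target named in the post; it must never appear as an MX.
BACKEND_HOST = "supersecrethost.netnerds.net"

MX_LINE = re.compile(
    r"^\S+\s+MX preference = (?P<pref>\d+), mail exchanger = (?P<host>\S+)$"
)

def parse_mx(text):
    """Return [(preference, host)], lowest preference (tried first) first."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MX_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised MX line: {line!r}")
        records.append((int(m["pref"]), m["host"].rstrip(".").lower()))
    return sorted(records)

def audit_mx(records, suffixes=FILTER_SUFFIXES, backend=BACKEND_HOST):
    """List MX entries that would route mail around the filter."""
    findings = []
    if not records:
        findings.append("no MX records: senders fall back to the domain's A record")
    for pref, host in records:
        if host == backend:
            findings.append(f"backend {host} is published as MX (preference {pref})")
        elif not host.endswith(suffixes):
            findings.append(f"{host} (preference {pref}) is outside the filter provider")
    return findings

if __name__ == "__main__":
    for pref, host in parse_mx(MX_OUTPUT):
        print(f"{pref:>3}  {host}")
    print(audit_mx(parse_mx(MX_OUTPUT)) or "all MX records point at the filter")
```

The audit covers DNS only; the Exchange host still needs its inbound SMTP restricted to the filtering service's relays, since an unpublished hostname is not an access control.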

    

Because of the manual creation of the email accounts and the subsequent forwarding, this doesn’t scale without a huge time investment. Using the Google APIs that come with the Premier Edition, however, it would probably be easy to set up something similar on a mass scale. I also considered wildcard forwarding at Google’s end (which is supported) then filtering again at my end using Exchange Sinks, but my setup is too small to justify the kind of time I’d spend doing that.

Two final notes: first, by selecting the forwarding option “Forward then Delete” and thus preventing Google Apps from being a Store and Forward, the 2GB storage limit wouldn’t pose any sort of restriction for those needing super large mailboxes. The drawback, of course, is if you choose that option, you can no longer use the Gmail interface to check your mail. Second, Google Apps does provide support for additional domains — I’m currently using it for RealCajunRecipes.com.

Chrissy is a PowerShell MVP who has worked in IT for nearly 20 years, and currently serves as a Sr. Database Engineer in Belgium. Always an avid scripter, she attended the Monad session at Microsoft’s Professional Developers Conference in Los Angeles back in 2005 and has worked and played with PowerShell ever since. Chrissy is currently pursuing an MS in Systems Engineering at Regis University and helps maintain RealCajunRecipes.com in her spare time. She holds a number of certifications, including those relating to SQL Server, SuSE Linux, SharePoint and network security. She recently became co-lead of the SQL PASS PowerShell Virtual Chapter. You can follow her on Twitter at @cl.

Posted in Exchange, Security
11 comments on “Using Google/Gmail Apps as a Lightweight Postini Replacement”
  1. carlo says:

    How do you find the spam filtering to work using Gmail for your domain? I’m really unhappy with how much junk Spamcop’s hosted email service lets through, and have been looking for a Postini provider for my single email account. I had thought of using Google Apps for my domain, but I currently have all my email copied to a regular Gmail account, and its spam filter really doesn’t work well at all.

  2. Blendah Tom says:

    Re: Carlo

    I have been using Google apps for Domains for the past couple of months and I love the Spam filter.. I have only had one false positive and I get between 50-100 emails a day..

  3. Chrissy says:

    (whoops! I forgot to respond to this)

    I’ve been using Gmail & Google Apps and have had only a few false positives. It’s been the most effective spam filter I’ve worked with. That and Akismet which could possibly be ported for email apps (I just use it for the web).

  4. carlo says:

    Cool, thanks!

  5. Legolas says:

    Strange that you like the gmail spamfilter. I just use(d) gmail as a pop3 mailbox, but I’ve stopped using it almost completely because every time I enter my gmail address at a new website/forum/.., whatever mail they send ends up in the spam folder in gmail. Not only that, but unless I go to the gmail website, I’d never even know…. (And I don’t want to go to the website, which is why I use outlook to pop the mail in the first place.)

  6. Chrissy says:

    I’ve had a lot of luck with it, honestly. Keep in mind, though.. at one point, I had a whitelist-only spam filter because I was so overwhelmed. Gmail has worked really really well so far.. my one other user was skeptical because he ran into similar problems that you did but he said he’s happier overall with Gmail’s filtering for App Domains than what we’ve had in the past.

    Maybe things have improved since you used them? Or maybe I have a high tolerance for crappy spam filters ;)

  7. Andrew says:

    Hi

    I have configured gmail so that I can read my domain emails from gmail, but as my server host name is, eg:
    host.mysite.com then email sent from the server will have a reply as [email protected] not [email protected]

    Any clues as how to set mx records so I can easily view any email sent to the [email protected] email address via gmail?

  8. Robert says:

    Google announced today that they are buying Postini for $625 million. Perhaps they’ll be offering up Postini for free to Google Apps users?!?! :-)

    Thanks for the guide.

  9. Chrissy says:

    Hey Andrew,
    Sorry for the late response. You can change your Reply-From in both Google and Exchange.

    In Google go to Settings -> Accounts -> Send Mail As…

    In Exchange, make the e-mail address the primary e-mail (it will be bolded) in the Active Directory tab.

  10. Don says:

    Great idea. I was just thinking of how to do this for my small organization, as the spam filtering from Google seems to be outstanding, and couldn’t quite come up with the concept. Thanks for working out the details.

  11. Scot Hacker says:

    See the link at the bottom of:

    http://www.google.com/a/help/intl/en/security/compare.html

    Google acquired Postini, and now offers an MX-only spam filtering solution for $3/year/user (see small link toward bottom of page). Easy to implement, hands-free… sounds effective. Anyone have experience with this tool?
