
A Guide to Postini Message Security Transition to Google Apps

Posted on October 15th, 2013 by Websitepulse in Tech

Transition of Postini accounts to Google Apps

If you are a Postini client, you are probably aware of the ongoing transition of all Postini accounts to Google Apps, which was announced on August 15, 2012. Since then, I have received several emails, spent a lot of time on the Postini transition website and read a lot of articles on how the transition is expected to proceed. There is a lot of information on the web and the Postini transition website has several video tutorials that you might find useful. What I didn't find was a simple checklist on how to proceed with the migration of the account settings from Postini. So far I have completed the transition for two domains and am getting ready to migrate our main domain, so here is what you'll need to do.

N.B! I should mention that we are using only the Postini Message Security service, so if you need more information regarding the transition from Message Discovery to Google Apps Vault, the information in this post might not be relevant.

  1. The transition process starts after you receive a message at your administrator's email address with the subject “Postini Transition to Google Apps: Your action is required to begin your transition.” At the same time, a message saying “Your Postini service is ready for transition to Google Apps. Your access to Postini will be going away soon! To get started, click Begin >>,” will appear in your Postini System Administration console. Do not click ‘Begin’ yet. There are a few things I recommend you do first.
  1. Export your user settings from Postini – on the ‘List Users’ page click the ‘Download Users/Settings’ link and save the output somewhere – you will need it later to update your approved/blocked sender lists in Google Apps. Additionally, download a copy of your ‘Settings Summary’ - from my experience, the user aliases are quite often not transitioned so you will probably need to add them manually.

[Screenshot: Adding user aliases manually]

  1. Check if you have either postmaster@domain.com or abuse@domain.com users or aliases. This is important since Google Apps handles those addresses differently. During the transition, any user or alias named ‘postmaster’ or ‘abuse’ will not be copied to your Google Apps account.  You will have to create those users manually after the account is copied to Google Apps. Another option - and the one that I chose - was to rename the users and the aliases to ‘xpostmaster’ and ‘xabuse’, add them to my mail server configuration and activate a catchall user so no mail to postmaster and abuse was lost during the migration.
  1. If you are using SPF verification or some other IP-based delivery control, you should allow the following IP ranges on your mail server:

    64.18.0.0/20
    64.233.160.0/19
    66.102.0.0/20
    66.249.80.0/20
    72.14.192.0/18
    74.125.0.0/16
    173.194.0.0/16
    207.126.144.0/20
    209.85.128.0/17
    216.239.32.0/19

      If your mail server is using tcprules-based configuration, the rules that allow the Google Apps IP ranges should look something like this:

    64.18.0-15.:allow, BADMIMETYPE="", SPFBEHAVIOR="0", BADLOADERTYPE="M", CHKUSER_RCPTLIMIT="15", CHKUSER_WRONGRCPTLIMIT="3"
    64.233.160-191.:allow, BADMIMETYPE="", SPFBEHAVIOR="0", BADLOADERTYPE="M", CHKUSER_RCPTLIMIT="15", CHKUSER_WRONGRCPTLIMIT="3"
    66.102.0-15.:allow, BADMIMETYPE="", SPFBEHAVIOR="0", BADLOADERTYPE="M", CHKUSER_RCPTLIMIT="15", CHKUSER_WRONGRCPTLIMIT="3"
    66.249.80-95.:allow, BADMIMETYPE="", SPFBEHAVIOR="0", BADLOADERTYPE="M", CHKUSER_RCPTLIMIT="15", CHKUSER_WRONGRCPTLIMIT="3"
    72.14.192-255.:allow, BADMIMETYPE="", SPFBEHAVIOR="0", BADLOADERTYPE="M", CHKUSER_RCPTLIMIT="15", CHKUSER_WRONGRCPTLIMIT="3"
    74.125.0-255.:allow, BADMIMETYPE="", SPFBEHAVIOR="0", BADLOADERTYPE="M", CHKUSER_RCPTLIMIT="15", CHKUSER_WRONGRCPTLIMIT="3"
    173.194.0-255.:allow, BADMIMETYPE="", SPFBEHAVIOR="0", BADLOADERTYPE="M", CHKUSER_RCPTLIMIT="15", CHKUSER_WRONGRCPTLIMIT="3"
    207.126.144-159.:allow, BADMIMETYPE="", SPFBEHAVIOR="0", BADLOADERTYPE="M", CHKUSER_RCPTLIMIT="15", CHKUSER_WRONGRCPTLIMIT="3"
    209.85.128-255.:allow, BADMIMETYPE="", SPFBEHAVIOR="0", BADLOADERTYPE="M", CHKUSER_RCPTLIMIT="15", CHKUSER_WRONGRCPTLIMIT="3"
    216.239.32-63.:allow, BADMIMETYPE="", SPFBEHAVIOR="0", BADLOADERTYPE="M", CHKUSER_RCPTLIMIT="15", CHKUSER_WRONGRCPTLIMIT="3"

  1. Postini and your domain has an SPF record, you should add the following rule to allow messages to be delivered via the Google Apps servers: include:_spf.google.com.
  1. Now that you are ready, let’s begin the actual transition. Click the link ‘Begin’ from the message in your System Administration console. You will see a page like the one below:

[Screenshot: Google Postini transition]

If you have domain aliases, you will first have to choose which one is the primary domain. Otherwise just click the big blue button ‘Begin Transition Now.’ According to Google, it should take a few minutes, but really - don't count on that. I had a domain which stayed eight days in transition although it had only two users – one of the users was postmaster with a few aliases, and at the end it was not imported.
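For the step above that lists the Google Apps IP ranges and their tcprules equivalents, the following added example (not code from the original post) derives each tcprules address pattern from its CIDR block and refuses any pattern that admits an address outside the block. The function names are hypothetical; the ranges and the variable list are the ones given in the post.

```python
import ipaddress

# IP ranges listed in the post. ENV is the post's variable list, written
# without spaces because tcprules reads a variable name from the comma to '='.
GOOGLE_RANGES = [
    "64.18.0.0/20", "64.233.160.0/19", "66.102.0.0/20", "66.249.80.0/20",
    "72.14.192.0/18", "74.125.0.0/16", "173.194.0.0/16", "207.126.144.0/20",
    "209.85.128.0/17", "216.239.32.0/19",
]
ENV = ('BADMIMETYPE="",SPFBEHAVIOR="0",BADLOADERTYPE="M",'
       'CHKUSER_RCPTLIMIT="15",CHKUSER_WRONGRCPTLIMIT="3"')

def cidr_to_tcprules(cidr):
    """Return the tcprules address pattern that covers one IPv4 CIDR block."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects blocks with host bits set
    if net.version != 4 or net.prefixlen < 8:
        raise ValueError("expected an IPv4 block of /8 or longer")
    first = str(net.network_address).split(".")
    last = str(net.broadcast_address).split(".")
    idx = min(net.prefixlen // 8, 3)  # octet that carries the range
    lo, hi = first[idx], last[idx]
    octet = lo if lo == hi else f"{lo}-{hi}"
    # A trailing dot makes the pattern a prefix over the remaining octets.
    return ".".join(first[:idx] + [octet]) + ("." if idx < 3 else "")

def pattern_matches(pattern, ip):
    """Apply tcprules prefix/range matching for one pattern to an address."""
    for want, have in zip(pattern.rstrip(".").split("."), ip.split(".")):
        lo, _, hi = want.partition("-")
        if not int(lo) <= int(have) <= int(hi or lo):
            return False
    return True

def covers_exactly(cidr):
    """True if the pattern admits both ends of the block and neither neighbour."""
    net = ipaddress.ip_network(cidr)
    pat = cidr_to_tcprules(cidr)
    inside = (net.network_address, net.broadcast_address)
    outside = (net.network_address - 1, net.broadcast_address + 1)
    return (all(pattern_matches(pat, str(a)) for a in inside)
            and not any(pattern_matches(pat, str(a)) for a in outside))

def build_rules(ranges=GOOGLE_RANGES):
    """Render one tcprules line per range, refusing any pattern that over-matches."""
    for cidr in ranges:
        if not covers_exactly(cidr):
            raise ValueError(f"pattern for {cidr} does not match the block")
    return [f"{cidr_to_tcprules(cidr)}:allow,{ENV}" for cidr in ranges]

if __name__ == "__main__":
    print("\n".join(build_rules()))
```

Because these rules set SPFBEHAVIOR="0" for every matching address, an allow pattern wider than the published block also exempts the extra addresses from SPF checking, which is why the boundary check runs before any line is emitted.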

  1. When Google finishes with their magic, you will receive the following two emails: “Postini transition to Google Apps: Your service transition is beginning” and “Postini transition to Google Apps: Your mail is now routing through Google.” I actually received the second one first, but usually they arrive simultaneously.
  1. Log in to your Google Apps Admin and use the Postini admin user credentials. The 'Admin checklist: Getting started with your Google settings' covers most of the topics. Here is what I believe is important:
    • Check the Users settings – add names and create the aliases which were not transitioned.
    • Add your blocked/approved sender lists
    • Create abuse and postmaster groups and add the respective users to those groups.  You will not be able to create a user or an alias called ‘abuse’ or ‘postmaster.’ The process is described at 'How are reports of abuse, spam, and technical problems handled?'.
  1. Change the MX records of your domain to:

    1800 IN MX 1 ASPMX.L.GOOGLE.com.
    1800 IN MX 5 ALT1.ASPMX.L.GOOGLE.com.
    1800 IN MX 5 ALT2.ASPMX.L.GOOGLE.com.
    1800 IN MX 10 ASPMX2.GOOGLEMAIL.com.
    1800 IN MX 10 ASPMX3.GOOGLEMAIL.com.

    You should remove all .psmtp.com MX records. For more information, see 'Change your MX records to Google Apps'.

    Google will take some time before confirming that the MX records are set correctly. So, in order to test if the new MX records were propagated successfully around the world, you can use the WebSitePulse Test Tools. A successful test result should look like this:

    Domain tested: domain.com
    Test performed from: New York, NY
    Test performed at: 2013-09-27 16:46:06 (GMT +00:00)
    Known MX records:
       ALT2.ASPMX.L.GOOGLE.com (74.125.136.26)
       ASPMX2.GOOGLEMAIL.com (173.194.78.26)
       ASPMX3.GOOGLEMAIL.com (173.194.65.26)
       ASPMX.L.GOOGLE.com (173.194.76.26)
       ALT1.ASPMX.L.GOOGLE.com (173.194.67.26)

  1. Ensure that the mails are delivered correctly by sending test messages from an external domain or using an email round-trip monitoring service like this – 'How the email round-trip monitoring works.'
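The MX and SPF steps above can also be checked against a copy of the zone before relying on propagation tests. This added example (not part of the original post) audits zone-file style records for leftover .psmtp.com targets, missing or mis-prioritised Google MX hosts, and an SPF record without the Google include; the function name and the sample zone are constructed for illustration.

```python
# MX targets and priorities from the post's step on changing MX records.
EXPECTED_MX = {
    "aspmx.l.google.com": 1,
    "alt1.aspmx.l.google.com": 5,
    "alt2.aspmx.l.google.com": 5,
    "aspmx2.googlemail.com": 10,
    "aspmx3.googlemail.com": 10,
}
SPF_INCLUDE = "include:_spf.google.com"

def audit_zone(zone_text):
    """Return findings for the MX and SPF records in zone-file style text."""
    mx, spf, findings = {}, None, []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        fields = line.split()
        if "TXT" in fields:
            txt = line.split("TXT", 1)[1].strip().strip('"')
            if txt.lower().startswith("v=spf1"):
                spf = txt
        elif "MX" in fields:
            i = fields.index("MX")
            mx[fields[i + 2].rstrip(".").lower()] = int(fields[i + 1])
    for host in sorted(mx):
        if host.endswith(".psmtp.com"):
            findings.append(f"leftover Postini MX: {host}")
    for host, prio in EXPECTED_MX.items():
        if host not in mx:
            findings.append(f"missing Google MX: {host}")
        elif mx[host] != prio:
            findings.append(f"priority {mx[host]} on {host}, expected {prio}")
    # The post asks for the include only when the domain publishes SPF.
    if spf is not None and SPF_INCLUDE not in spf.lower().split():
        findings.append(f"SPF record lacks {SPF_INCLUDE}")
    return findings

# Constructed sample: a zone caught halfway through the change.
HALF_MIGRATED = """\
@ 1800 IN MX 100 placeholder.psmtp.com.   ; constructed Postini-style target
@ 1800 IN MX 1 ASPMX.L.GOOGLE.com.
@ 1800 IN MX 5 ALT1.ASPMX.L.GOOGLE.com.
@ 1800 IN MX 10 ALT2.ASPMX.L.GOOGLE.com.
@ 1800 IN TXT "v=spf1 ip4:192.0.2.10 ~all"
"""

if __name__ == "__main__":
    for finding in audit_zone(HALF_MIGRATED):
        print(finding)
```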

Conclusion

The transition from Postini Message Security to Google Apps is straightforward, and you should be able to complete it without downtime or loss of emails. There are a few differences in the mail-flow and the administration, and there are some issues you should be aware of. Here is my list of grievances:

  • The account will be transitioned to the old Google Apps interface, and at some point it will move to the new one without any deliberate action on my side.
  • Email aliases are not transitioned and need to be created manually.
  • Some users are not transitioned while a separate user was created for the billing account which, in my case, was created automatically by Google and was never used.
  • Approved/Blocked sender lists are not transitioned and need to be created manually.
  • Messages released from the Google Apps quarantine are not delivered to the alias address. They are sent to the primary user email instead.
  • If you use the Gmail inbox to mark a quarantined message as 'not spam', it will stay in the Gmail inbox, and it cannot be routed to your mail server. If you want to keep your mail flow like Postini – do not use the Gmail inboxes. Use the ‘Quarantine Summary’ emails instead.
  • Messages are being held in the Gmail inbox, and are never routed to the on-premises mail server – this is not confirmed by Google, but I noticed that it actually happened in several cases. A possible reason is that I was logged in to the Gmail inbox for that user at the time.
