“Despite highly publicized data leaks, companies struggle to gauge what their risk exposure is.

Only a formal assessment of messaging networks can determine the risks an organization faces.”

— Brian Burke,
    Research Manager
    IDC Security Products

The Internal Policy Layer:
Why is it so important in a modern messaging infrastructure?

The Internal Policy Layer is arguably the most critical element in a modern email infrastructure. To understand its importance, it is helpful to examine the overall messaging infrastructure and its layers.

Modern Messaging Infrastructure Overview

An efficiently architected email messaging infrastructure typically consists of three “messaging layers”:

  1. External Protection layer in the DMZ for inbound message management, threat protection and simple routing.
  2. Internal Policy layer for intelligent policy and routing decisions.
  3. Groupware layer for Exchange, Domino and other message stores.

External Protection Layer

Primary Function

  • Stop unwanted mail
  • Accept valid/wanted mail

Secondary Function

  • Simple routing and delivery

The External Protection layer (also referred to as the email boundary, mail gateway, perimeter, border, edge, filtering layer, security layer, etc.) sits in the DMZ, protected by firewalls, and, depending on the complexity of the enterprise's requirements, may include the following functions:

  • Directory-driven protection for recipient validation. Often a directory replica is kept in a special “Data DMZ” or is kept in the Internal Policy layer
  • Connection controls for traffic management/throttling and protecting against denial-of-service and dictionary harvesting attacks
  • Reputation services to stop known spammers based on reputation
  • Inbound content scanning for Anti-virus and Spam
  • Simple inbound routing and outbound message delivery based upon email envelope information

The functions of this layer are often handled by filtering appliances or outsourced to SaaS providers.

Internal Policy Layer

Due to mergers, acquisitions, and other business-specific requirements, many organizations end up with multiple domains, groupware solutions and directories. This poses many challenges for IT messaging teams. These types of environments typically require an internal messaging layer to handle complex routing and content policy decisions.

Primary Function

  • Make decisions and take actions on mail policy, routing and delivery

Secondary Function

  • Outbound Anti-virus scanning

The Internal Policy layer (also referred to as the mail hub, internal routing, mail relay, content inspection, routing layer, etc.) sits behind the DMZ, protected by firewalls, and provides these important functions:

  • Makes intelligent policy-based message routing decisions by leveraging directory attributes (from multiple sources such as MS Active Directory and IBM Lotus Domino) for inbound/outbound, intra-company/division and mixed groupware systems. Routing decisions are based upon message content and email envelope information
  • Provides deep message and attachment inspection and outbound content policy decisions for data leakage protection (DLP), encryption and more. Also protects sensitive internal messages from being delivered to inappropriate users
  • Provides policy and system reporting, notifications and alerts

Do your routing requirements go beyond what standard offerings for SMTP email can handle?

The Internal Policy Layer is perhaps one of the most important layers in a modern architecture. This layer handles all of the critical outbound policy enforcement and routing decisions between the firm and the Internet or between business units within the firm. For security and confidentiality reasons, Sendmail has found that virtually all of its customers keep this layer within the control of their internal data center operations, even if they outsource the External Protection layer.

LDAP (Lightweight Directory Access Protocol) integration is an important component of the Internal Policy Layer because directories are the source of much of the sender- and recipient-specific information used to make policy and email routing decisions. To take advantage of directories for intelligent policy enforcement and mail routing, businesses must be able to cleanse, normalize and synchronize the different directories that have emerged throughout the organization. In addition, the built-in fault tolerance and security features of LDAP directories ensure that the information used to make email policy and routing decisions is always available, and only to the applications and users who require access to it. A well-designed messaging infrastructure based on LDAP enables large enterprises with complex policies and routing requirements to easily integrate policy enforcement into the real-time message stream.


Modern Messaging Infrastructure Example

Sentrion Message Processors

In order to achieve this level of modernization, high-performance Message Processors are required. Typical Gateway products designed to operate in the External Protection layer do not have the required architecture to handle these types of complex messaging environments. This is especially true of the Internal Policy layer.

Sendmail Sentrion Message Processors are used in the External Protection layer; however, they are especially well-suited to managing the Internal Policy layer. The flexibility and power of Sentrion's Message Processing and Policy Engine enable businesses to create a limitless number of sophisticated and nested message conditions and actions (such as reject, clean, quarantine, notify, deliver, encrypt, redirect, record compliance event, etc.) for enforcing complex policies and message routing requirements. In addition, Sentrion's Message Processing Engine has a built-in LDAP directory and/or can be synchronized with multiple directories for both External Protection and Internal Policy and Routing purposes.




Copyright © 1998-2010 Sendmail, Inc. All Rights Reserved.