IT Security Standard: Administration of Decentralized Email Systems

Brief Description:

Administration standards for Cal Poly campus decentralized email systems.   


Information Technology Services (ITS) currently provides centralized email services to all Cal Poly departments.  Those services include:

  1. Email Gateway service.  The ITS email gateway receives all email destined for email servers on campus.  The email gateway checks all email for viruses and spam and, if appropriate, delivers the email.
  2. Mailbox service.  ITS provides email mailboxes for students, faculty, staff, departments, and some campus organizations and affiliated users on the ITS Zimbra Collaboration server. 
  3. Email Distribution List services.

Centralized email services provided by ITS must be used unless a compelling business reason exists.   This standard describes the requirements for implementation and use of a decentralized email service.

This standard is intended to promote consistent implementation and use of secure processes for decentralized campus email services in order to increase the security of the campus network and protect campus information assets.


This standard applies to any email services administered outside of Cal Poly’s centralized email service that accepts and/or sends email via SMTP.  The target audience is staff with administrative rights to establish and administer email services. This includes email services managed or contracted by the campus.



A department or organization on campus that deploys its own mailbox or mailing list service must meet the following requirements:

  1. Notify the campus Information Security Officer and Vice Provost/Chief Information Officer describing the compelling business need and confirming standard compliance.
  2. Message delivery destined for all email services on campus must route through the ITS Email Gateway service for email originating off-campus. 
  3. A designated systems administrator must maintain the server that hosts the email service. 
  4. The email services administrator must monitor communications directed to administrator mailboxes (e.g. abuse@, postmaster@)and report suspected violations to
  5. Email service logs must be kept for 60 days and be made available to authorized Cal Poly security personnel upon request.


  1. Email services should run on either a dedicated server or only in conjunction with applications requiring the email service to support the defined business processes.
  2. Mailbox and Mailing List services should forward all outgoing mail to the ITS Email Gateway for delivery.
  3. The email service administrator should provide ITS with a 24 hour contact phone number for the email service.


Directory Harvest Attack - A brute force method using SMTP protocols to discover valid email address for a domain.

Email Service - Any service that accepts and/or sends email via SMTP


Managers - Expected to ensure email service administrators are trained and knowledgeable in best practices for email administration.

Non-Compliance and Exceptions:

If a distributed email service is unable to comply with this stanard, a request for exception must accompany the required notification documenting the compelling business reason for operating a distributed email service.

As part of the exception request, the administrator must document how the email service provides secure service and conforms to email best practices including the following: 

  1. How the email service is configured to prevent use by third parties as email relay platforms.
  2. How the email service prevents directory harvest attacks.
  3. How the email service stops email that has not been filtered for spam and viruses.
  4. How the email service detects and blocks emails containing viruses.
  5. How the email service protects student information covered by FERPA and other sensitive information.


Effective Date: 09/30/2010
Review Frequency: Annual
Responsible Officer: Vice Provost/Chief Information Officer

Revision History

Date Action Pages
09/30/2010 Release of New Document All
10/04/2010 Updates based on internal reviews All


Related Content

Best Practices

10 Best Pactices

Our 10 Best Pactices

Contact Us

Contact Information Security at 756-7000


Did you know?

Stay Safe Online Tips