Jo Rhett (jorhett) wrote,
Jo Rhett

  • Mood:

Postini bugs make them useless for Policy Enforcement

Postini, a wholly owned subsidiary of Google, is a global leader in
on-demand communications security, policy, and productions solutions.

Heh. So after trying to use the postini service for a few weeks now I'm going to have to call them out for being None Of The Above.

#1: There is a FATAL flaw in Postini's Quarantine. When outbound messages are quarantined by the Content Manager, only one recipient per domain gets a copy of the message.

For example, if the recipients of my e-mail are,,,, when the message is approved, only and receive the message. All other recipients are silently discarded.

Mail which is not held by the quarantine is unaffected.

In short, the outbound Content Manager is only useful as a way to discard e-mail at random. You can't use it for policy enforcement that you might actually want to approve and deliver.

Postini has confirmed that this is a bug, and that they've been aware of this bug for some time now. They have no timeline for a fix. In fact, they have no resources assigned to fix this. Yet they continue to advertise this functionality on their website and within the Google docs.

#2: Postini has no useful logs. A security/policy compliance device is only useful if you can later prove that something did or did not happen. Was an attachment received? Was it blocked? Did the quarantine manager allow it through, or not? Postini provides two logs -- 1 day and 1 week.

Legal discovery in a court of law demonstrating that you did or did not do this or that? Impossible.

#3: Postini response time is unacceptable for a security service. To be good at security you have to respond to inquiries about security issues in a timely manner. I've opened 6 tickets in the last 24 hours, 1 highest priority, and haven't gotten a single response. So far my resolve time from Postini ranges from 16 hours (for an answer to a documentation flaw) to 3 weeks and yet unsolved (for major service problems).

Oddly, their sales team is even worse. When we purchased the service we were given a receipt that said we purchased Message Archiving. For unknown reasons this was not enabled, so none of the mail was being archived. Apparently sales has to turn it on, and this issue has been escalated with them for 17 days with no response. Not a single phone call in return.

#4: Dated documentation which doesn't have the functions listed.

#5: Filter functionality which silently fails if configured in a way they don't support. It's a valid regex, but it's not a regex they support. (silent fail is not a good feature in a security compliance device)

#6: "Apply these settings and filter definitions to sub-orgs?" checkbox that after investigation proves to be "uncheck and re-check this checkbox to copy all properties from this one org down to the children, overwriting their settings." Yeah, that's not inheritance - which is what the documentation says. This means that there are
likely hundreds of postini customers unaware that their rules don't apply to child.

And yes, every time you uncheck this and recheck this you'll have to go rewrite all the custom rules you added to the sub-org.

#7: Rules that randomly reorder themselves. Yes, sometimes the rules just happen to re-order themselves. Nobody knows why. And yes, the rules are processed in order. No, Postini doesn't apparently see this as a big enough problem to create a bug report.

Conclusion: Postini might be useful for anti-spam, or attachment filtering, or something else we're not trying to do with them. But do not consider them a security company, or for use in policy compliance.
Tags: tech

  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded