Procedures (policy?) to implement email virus scanning

We want to scan email:
(1) incoming (from external site to within Uni)
(2) outgoing (from within Uni to external site)
(3) inter-department
(4) intra-department

Once scanning on mail.usyd is running, managers of departmental mail
servers are requested to set their primary MX records to mail.usyd, with
secondaries pointing to themselves. The incentive for this is twofold: get
the mail scanned, and get it for free (of network traffic charges).

Objections to this setup might be:
(a) slower email. It takes time to scan, but only minutes.
(b) lost email. Assure that the scanner is not permitted to lose email.
(c) crash of mail.usyd. Ensure there is a secondary MX record.
(d) wish to handle it within department. Scanner should not lose
    information: record envelope addresses and sending host in header.

Compliance may be monitored on the perimeter router, and could be enforced
by banning incoming port 25 connections. (Such a ban may need to be lifted
if mail.usyd is out of action for an extended period of time.)

This setup almost achieves objectives (1) and (3). Departmental mail
servers could only be attacked by purposely mis-configured mailers (that
send messages directly without reference to MX): servers should be set to
accept messages from mail.usyd only. (A ban on incoming port 25 would
protect from an outside attack.)

To scan outgoing email, departmental mail servers are requested to send
messages via mail.usyd. The incentive is to be "good neighbours".
Compliance may be monitored at the perimeter router, and could be enforced
by banning outgoing port 25 connections.

Should departments wish, they could set their mail servers to send even
intra-department mail to mail.usyd to be scanned.

Bans on port 25 traffic should normally be placed only with the agreement
of each department; should be enforced only if the department becomes a
known source of "email nasties".

There is no need to implement scanning on departmental mail servers.