Proofpoint Administration Guide


Proofpoint Administration Guide
Proofpoint Protection Server
Proofpoint Messaging Security Gateway
Proofpoint Messaging Security Gateway Virtual Edition
Release 7.0
Proofpoint, Inc., 892 Ross Drive, Sunnyvale CA

Website:
Toll-free telephone: POINT
Technical support: https://support.proofpoint.com

Administration Guide for the Proofpoint Protection Server and Proofpoint Messaging Security Gateway
February 2012, Revision A

3 Proofpoint Protection Server Copyright and Trademark Notices The Proofpoint Protection Server is proprietary software licensed to you for your internal use by Proofpoint Inc. This software is Copyright Proofpoint Inc. The copying, modification or distribution of the Proofpoint Protection Server is subject to the terms of the Proofpoint Software License, and any attempt to use this software except under the terms of that license is expressly prohibited by U.S. copyright law, the equivalent laws of other countries, and by international treaty. Proofpoint and Proofpoint Protection Server are trademarks of Proofpoint Inc. McAfee is a registered trademark of McAfee, Inc. and/or its affiliates in the US and/or other countries. Virus Scanning capabilities may be provided by McAfee, Inc. Copyright 2012 McAfee, Inc. All Rights Reserved. F-Secure Anti-Virus Copyright , F-Secure Corp. VMware, the VMware boxes logo, GSX Server, ESX Server, Virtual SMP, VMotion and VMware ACE are trademarks (the Marks ) of VMware, Inc. MariaDB licensing information is available in the directory ${PROOFPOINT_ROOT}/opt/mariadb. Apache 2.2 licensing information is available at Perl (Practical Extraction and Report Language) is copyrighted by Larry Wall. It is free software and it is redistributed by Proofpoint under the terms of the Artistic License that comes with the Perl Kit, Version 5.0. Source is available at Regular expression support is provided by the PCRE library package, which is open source software, written by Philip Hazel, and copyright by the University of Cambridge, England. Source is available at ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/. Some database support in this solution is provided by MySQL. Copyright 1997, 2011, 2012Oracle and/or its affiliates. All rights reserved. 
Copyright , 1998, 2004 Thomas Williams, Colin Kelley Permission to use, copy, and distribute this software and its documentation for any purpose with or without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Permission to modify the software is granted, but not the right to distribute the complete modified source code. Modifications are to be distributed as patches to the released version. Permission to distribute binaries produced by compiling modified sources is granted, provided you 1. distribute the corresponding source modifications from the released version in the form of a patch file along with the binaries, 2. add special version identification to distinguish your version in addition to the base release version number, 3. provide your name and address as the primary contact for the support of your modified version, and 4. retain our contact information in regard to use of the base software. Permission to distribute the released version of the source code along with corresponding source modifications in the form of a patch file is granted with same provisions 2 through 4 for binary distributions. This software is provided "as is" without express or implied warranty to the extent permitted by applicable law. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. 
Neither the name of the developer nor the names of contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE DEVELOPER ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE DEVELOPER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

4 Portions of this software are Copyright The FreeType Project (www.freetype.org). All rights reserved. Additional graphical support is provided by libgd: Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson Portions relating to gdft.c copyright 2001, 2002 John Ellson Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README- JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. Derived works includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided AS IS. The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. 
Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/) zlib.h interface of the zlib general purpose compression library version 1.2.2, October 3rd, 2004 Copyright Jean-loup Gailly and Mark Adler This software is provided as-is, without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. Jean-loup Gailly Mark Adler Unifont copyright Paul Hardy of Unifoundry.com released under the terms of the GNU General Public License (GNU GPL) version 2.0. Tomcat, Log4j, Apache CXF Apache Copyright Apache Software Foundation Java JRE, JDK, JavaMail, Sun JavaServerFaces Copyright 1997, 2011, 2012, Oracle and/or its affiliates. All rights reserved. JBoss RichFaces Copyright Red Hat. Red Hat is a registered trademark of Red Hat, Inc. Copyright 2012 Sendmail, Inc. All Rights Reserved. Proofpoint gratefully acknowledges contributions of the open source community to the Proofpoint Protection Server. 
References to open source software used with the Proofpoint Protection Server is collected into a single repository which can be found in the installed Proofpoint Protection Server package in src/opensource/opensource. That repository, consisting of the contributions from open source projects but not including the proprietary Proofpoint Protection Server software referred to above is a collective work that is Copyright Proofpoint Inc. You will find in this repository copies of the source code, or references of where to find, every open source program not referenced in this copyright notice, that was used in the Proofpoint Protection Server. Copyright 2005, Google Inc. All rights reserved.

5 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of Google Inc. nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright , Daniel Stenberg, All rights reserved. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.You may obtain a copy of the License at Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. Copyright Proofpoint, Inc. All rights reserved. PROOFPOINT is a trademark of Proofpoint, Inc. All other product names and brands are the property of their respective owners.


Contents

Chapter 1 - Welcome... 1
Introduction to the Proofpoint Protection Server... 1
Product Overview... 1
Licensing Overview... 1
Proofpoint Messaging Security Gateway... 1
Clusters and Services... 2
Master, Agents, Clusters, and Instances... 2
Navigating the Management Interface... 2
Links on Every Page... 3
Display and Hide Icons... 4
Expand and Collapse Navigation Pane Icons... 4
Minimize and Maximize Panes on a Page... 4
Paging through Entries... 4
Expanding and Collapsing the Menus... 4
Refresh Page Icon... 4
Editing or Viewing Table Elements... 5
Selecting Items in a Table on a Page... 5
Persistent Views... 5
Managing Your Proofpoint Portal... 5
About Workspaces... 6
About Widgets... 6
Editing, Updating and Deleting Widgets... 6

Chapter 2 - Evaluation... 7
Start Filtering Filter Sample Filter Your Filter from a POP Account... 8
Disabling Forwarding from a POP Account... 8

Chapter 3 - Appliance
Network Interface Settings
Providing or Changing Network Interface Settings for the Appliance
Configuring Appliance Network Interfaces
Configuring Static Routing for the Network Interfaces
IPv6 Network Routes
Changing Hostnames for Masters and Agents
Network Precedence Settings
Host Firewall Selections
Inbound Mail Configurations
Importing a List of Mail Routes
Adding Domain Groups for Inbound Mail Routes
Searching for Inbound Mail Routes
About Outbound Mail
Filtering All Outbound Mail
Allow Relay
Importing Entries
Outbound Mail Routes
Importing Entries
Adding Domain Groups for Outbound Mail Routes
About SMTP Settings
General SMTP Settings
Advanced SMTP Settings
Filter Settings
Queue Settings
Relay Settings
Mailer Settings
Default and Unique LDAP Profiles
Selecting a Default LDAP Profile
Configuring Unique LDAP Configurations
LDAP Routing Access
Importing and Exporting Entries
Importing and Exporting sendmail Data
Aliases
Virtual Domains
Rewrite Domains
Rewrite Header
Masquerade Domains
About TLS
Configuring TLS Settings
Adding and Managing TLS Domains
Adding TLS Domains
Searching for TLS Domains
Deleting TLS Domains
Editing TLS Domains
Importing and Exporting TLS Domain Entries
TLS Fallback to Proofpoint Encryption
Setting the Date and Time
SNMP Configurations

Chapter 4 - Proofpoint Protection Servers
Creating and Managing Workspaces
Create or Clone a Workspace
Rename a Workspace and Change Permissions
Selecting a Default Workspace
Working with Pages and Widgets
Creating and Managing Pages
Adding, Deleting, and Moving Widgets on a Page
Organizing Widgets with Columns
Server Status
Message Traffic
Spam Classification Table
Virus Ranking Table
Rule Statistics Table
Quarantine Summary
SMTP Server Summary
SMTP Queue Summary
Queue List Data
Displaying Queue Data
Selecting and Applying Actions to Queues
SMTP Messages
SMTP Messages Data
Searching for Messages in a Queue
Managing Individual Messages
Selecting and Applying Actions to Messages
Individual and Displayed Messages
All Messages in the List
Viewing and Managing Individual Messages
About Expanded or Original Envelope Addresses
Configuring SMTP Profiles and Parameters
Creating SMTP Profiles
Testing the SMTP Connection
Sending Mail to the SMTP Host
Checking the Buffer Queue
Editing an SMTP Profile
Configuring LDAP Profiles and Parameters
LDAP Failover and Load Balancing
Creating LDAP Profiles
Testing the Connection to the LDAP Server
Editing an LDAP Profile
Deleting an LDAP Profile
Configuring DNS Parameters
Filter DNS Timeout
Adding DNS IP Addresses
Configuring the DNS Order
Deleting a DNS System
Configuring Proxy Server Parameters
Proxy Server Connection to the Internet
About Certificates
Managing Certificates
Requesting Certificates
Importing Certificates
Downloading Certificates
Deleting a Certificate
Service Certificates
Publisher Certificates
Importing Publisher Certificates
Downloading Publisher Certificates
Deleting Publisher Certificates
About Custom MIME Types
Overview of Conditions and Sub Conditions
Manually Adding Custom MIME Types
Comparing Files to Add Custom MIME Types
Managing Custom MIME Types
Testing a Mime Type File
Searching Entries
Displaying Number of Entries
Deleting Custom MIME Types
Importing MIME Types
System MIME Types
Searching for System MIME Types
Displaying Number of MIME Type Entries
DNS Block List
Setting Safe Routes for DNS Block Lists
Adding DNSBL Domains
Adding a Domain for Proofpoint Dynamic Reputation
Enabling and Disabling DNSBL Domains
About System Settings
Using Evaluation Audit Mode
Sending Host IP
Splitting All Recipient Groups
Splitting Envelope by Recipient Policy Route
Using the Recipient Domain
Mapper Scope
Enabling the Domain Mapper
Using the Recipient Address
Enabling Traffic Statistics Reporting
Enabling Honeypoint
Inspect Compressed Archives and PE Encrypted Messages
Detect Document Type
Detect Document Type and uuencoded Messages
Extract Text Content
Enabling Sub-addressing
Enabling ICAP
Example: Inspect Compressed Archive and Extract Text Content
Admin Server Settings
Setting the Session Timeout for the Management Interface
Login Settings
Navigation Menu Settings
Evaluation Settings
Communication Channel Settings
External Admin Access Settings
Viewing Server Status Information
Process Details
Database Utilities
Adding and Deleting Agents
About the Import Agent Sendmail Configuration Parameter
About Cloning an Agent
About Server Profiles and Services
Quarantine Node
Smart Search Node
Log Node
Mail Filter and Secure Reader Service
Adding an Agent
Deleting an Agent
Starting and Stopping Processes
Changing Server Configuration Parameters
About Alerts
General Alert Settings
Creating and Managing Alert Profiles
Creating Rules for Alerts
About Alert Suppression
Adding a Rule or Rules to a Profile
Testing a Rule
Previewing a Rule
About Policy Routes
Policy Routes and Filtering Modules
Policy Routes and Rules
Policy Routes and Groups
Default Policy Routes
Creating and Modifying Policy Routes
Creating a Policy Route
Changing the Logical Operator
Deleting a Condition
Changing a Condition
Custom Modules
Adding a Module
Enabling or Disabling a Module
Changing the Module Filtering Order
Deleting a Custom Module
About Licenses and the Dynamic Update Service
System Upgrade Checklist
Contacting Proofpoint Technical Support
Alternative Mail Routing
Estimating the Time to Upgrade
Freeing up Disk Space and Reducing Data to Migrate
Automatic Database Check
Check Firewall Rules
Managing the System Upgrade Process
System Upgrade Checklist
Errors and Failed Upgrades
Displaying and Saving Log Data
Handling Databases and Log files
Updating Modules and Upgrading System Software
Checking and Deploying the Latest Module Updates
Checking and Installing the Latest Software Upgrade
Activating Updates and Managing Licenses
Activating the Dynamic Update Service
Automatically Updating Modules and Software Patches
Direct Agent Updates
Viewing Update History
Removing Previously Installed System Upgrades
Removing Previously Installed Patches
Viewing Configuration History
Creating a Configuration Version
Restoring to a Previous Configuration
About Backup and Restore
Backing Up the Proofpoint Protection Server
Backing Up Data Immediately
Creating a Backup Schedule
Downloading Backup Configurations to Your Local System
Restoring the Proofpoint Protection Server
Importing a Backup Configuration
Restoring a Backup Configuration
Downloading the System Data File
Testing Network Connectivity
Testing the Connection
Testing LDAP to sendmail Connectivity
Reviewing the System Status

Chapter 5 - Accounts and Passwords
About Administration Privileges
Viewing the Administrator List
Adding and Deleting Administrators
Folder Access Control
Changing Administrator Parameters
Changing Account and Password Information
Administrator Password Policy

Chapter 6 - Logs and Reports
Log Concepts
Reporting Concepts
System Reports
Firewall Module Reports
Virus Protection Module Reports
Zero-Hour Module Reports
Spam Detection Module Reports
Regulatory Compliance Module Reports
Digital Assets Module Reports
Proofpoint Encryption Reports
Saved Reports
Log Configuration Settings
Viewing and Searching the Logs
Viewing Logs
Searching Logs
Configuring Reports
High Volume Reports
Viewing Reports
Custom Reports
Summary Dashboard Report
Printing and ing Reports
Saved Reports
Publishing Reports
Viewing the Report Publishing History
Scheduling Reports for Automatic Distribution
Exporting Raw Log Data
Taking Action on a Report
Alert Settings
Alert Viewer
Searching For Alerts
Viewing Alert Details
Downloading Alert Viewer Data

Chapter 7 - Quarantine
About the Quarantine
About Message Reporting
Quarantine General Settings
Enabling and Disabling Message Reporting
Handling Quarantine and User Repository Errors
Queue Consolidation
Creating Message Templates
Setting Layout Defaults
Introduction to Quarantine Folders
Folders and Message Expiration
Folder Disposition Parameters
Advanced Expiration Modes
Keeping Messages Indefinitely
Encrypting Folder Content
System Folders
Creating a Folder
Managing Folders
Changing Folder Settings
Viewing Messages in a Folder
Deleting a Folder
Viewing and Managing Messages
Message Indicators
Simple Searches
Searching for Messages by Age in a Specific Folder
Advanced Searches
Displaying Only Messages Released by Users
Controlling the Number of Fields to Display
Controlling the Number of Messages to Display
Creating and Managing Search Queries
Temporarily Disabling Fast Query
Sorting Messages
Viewing Message Details in Folders
Navigation Bar
Selecting Messages for Actions
Selecting Individual Messages
Selecting Messages on a Display Page
Selecting All of the Messages from a Query
Message List Actions
Folder Menu
Options Menu
Folder Actions
Moving Messages between Folders
Viewing and Restoring Deleted Messages
Emptying the Deleted Folder
Releasing Messages
Redirecting Messages
Resubmitting Messages for Filtering
Generating a Digest from the Quarantine
Automatically Adding Senders to the Global Blocked List
Automatically Adding Senders to the Global Safe List
Adding Recipients to the Global Safe List
Administrators Reporting False Negatives and Positives
Updating the Virus Status
Changing the Status and Adding Comments to Messages

Chapter 8 - Groups and Users
About Groups and Users
Envelope Splitting
Enabling Automatic Domain Groups, User Repository, and POP Forwarder
POP Forwarder
Configuring the Layout for the Users List and Groups List
About Attributes
Inbound Attributes
Outbound Attributes
Services Attributes
Authentication Attributes
POP3 Forwarder Attributes
Global Attributes
Password Policies for Groups and Users
Password Policies Settings
General Settings
Expiration Settings
Syntax Settings
Login Failure Settings
Password Reset
About the User Repository
Importing Users into the Repository
Creating an Import or Authentication Profile
About Fallback Authentication
General Parameters
Settings on the General Tab
Advanced Parameters
Advanced LDAP Options
Universal Authentication
Immediately Updating the User Repository
Option to Customize the LDAP Query Filter for Authentication
Advanced Import Options
Limiting the Number of User Profiles to Delete Upon Import
Command Options
Notes for the insertmode, replacemode, and updatemode Options
Import Attributes and Values
CSV File Format
Scheduling an Import Profile
Deleting and Modifying Import Profiles
Automatically Adding a User to the User Repository
About Groups
Group List Indicators
Adding Groups and Assigning Attributes
Adding a User Group
Adding a Domain Group
Managing and Deleting Groups
Viewing Members of a Group
Deleting Groups
Making Changes to a Group
Generating Lists and Digests for Groups Immediately
Setting Policy Precedence for Attributes
About Users
User List Indicators
Adding Users and Mailing Lists and Assigning Attributes
Managing and Deleting Users
Deleting Users or Mailing Lists
Making Changes to a Single User or Mailing List
Adding and Removing Users from Groups
Generating Lists and Digests for Users Immediately
Importing and Exporting Users Immediately
Exporting Users Immediately
Searching for Users

Chapter 9 - End User Services
About End User Services
About the End User Digest
Benefits of Allowing End Users to Manage Digests
Types of End User Digests
Digest Configurations
Overview of Safe Senders and Blocked Senders Lists
Managing Branding Templates
Adding a Branding Template
General Settings
Digest
Web Application
Secure Reader
Encryption
Logo
Title
Enabling and Setting Up the End User Digest
Generating a Summary Digest Immediately
Creating Digest Headers and Footers
Creating Text for Safe or Blocked Messages
Configuring the Error Template
Configuring Labels and Help
Command Label Options
Web-based Command Processor
based Command Processor
Setting Up a Local Mailbox
Setting Up a POP3 Server
Web Application
Scheduling Digest Generation
Enabling SMTP Verify
General Filter Configurations
Creating the List of Digest Users
Users Who Receive a Digest
Users Who Are Not in the Repository
Apply Inclusions to the List
Apply Exclusions to the List
Controlling Digest Content with Folders
Controlling Digest Content with Modules
Editing Modules and Selecting User Commands
Selecting Command Options
Available Commands for Modules
Selecting Audit Options
Changing the Default Heading and Description Displayed for the Modules
Authenticating End Users
Custom Login
Authentication by Token
Access Token
Users Reporting False Negatives and Positives
Enabling and Providing Commands to End Users
About Resources
Smart Send

Chapter 10 - Firewall Module
About the Firewall Module
About Proofpoint Dynamic Reputation and netmlx
Firewall Settings
Selecting Policy Routes
About Recipient Verification
Data Connector
Verification Profile
Verification Rules
Per-Message or Per-Recipient Dispositions
General Recipient Verification Settings
Enabling Recipient Verification
Selecting Policy Routes
Invalid Recipients Global Setting
Verification Failure Setting
Verification Data Connector
Adding Custom Connector Modules
Verification Profile
Profile Precedence by Domains
Verification Rules
Verification Rule Conditions
Creating Recipient Verification Rules
About SPF
Enabling SPF
Selecting Policy Routes
Creating SPF Policies
Creating, Editing, and Enabling SPF Rules
Selecting Policy Routes
Enabling and Disabling SPF Rules
Creating or Editing SPF Rules
About Dictionaries
Managing Dictionaries
Enabling and Disabling a Dictionary
Adding and Deleting Words in a Dictionary
Example: Adding a Regular Expression Match
Editing Words, Weights, or Conditions
Importing Words into a Dictionary
Exporting a Dictionary
Traffic Shaping with SMTP Rate Control
SMTP Rate Control Configurations
Example: Rule for DHA
DHA Settings and Recipient Verification
Enabling the Rule for a DHA
Creating SMTP Rate Control Rules
Adding a Rate Control Rule
Adding and Deleting a List of Non-throttled Hosts
Importing and Exporting Non-throttled Hosts
Managing Host or IP Connections
Displaying Statistics
Filtering for Specific Data
Refreshing the Data
Connections Table Information
Connection Management Tasks
Firewall Rules and Filtering Order
Default Firewall Rules
Filtering Order
Creating Firewall Rules
Creating and Populating an Access List
Importing and Entries into an Access List
Exporting Entries from an Access List
Deleting and Modifying Entries on an Access List
Enabling or Disabling a Rule
Deleting or Editing a Rule
About Bounce Management
Enabling Bounce Management
Enabling Automatic Key Rotation
Generating Keys
Sharing Keys between Clusters
Creating Bounce Management Policies and Rules
Creating and Changing Validation Rules
Creating a Bounce Management Policy
Adding or Editing Validation Rules
About DKIM
Overview
Enabling DKIM and Editing the DKIM Error Rule
Editing the DKIM Error Rule
DKIM Key Management
Applying Policy Routes
Viewing and Publishing the Public Key
Testing the DNS Lookup
Searching for Domain Entries
Importing and Exporting DKIM Key Information
Rotating Keys

Chapter 11 - Virus Protection Module
About the Virus Protection Module
Virus Signatures and Identity Files
Message Conditions
Virus Protection Settings
Enabling or Disabling the Virus Protection Module
Selecting Policy Routes
Ignoring Corrupt Files
Ignoring Encrypted Files
Virus Protection Error - Reject Temporarily
Module Summary and Update History Tables
Creating Virus Protection Policies and Rules
Creating a Virus Policy
Ordering the Default Policy
Editing Predefined Policy Rules
Message Is Not Infected
Message Is Infected
Edit the Existing Rule for Message Contains a Virus
Create a Rule for a Specific Virus
Message with Errors
No Further Analysis
Protected Message - Continue to Process
Message Contains Riskware or Spyware

Chapter 12 - Zero-Hour Anti-Virus Module
About the Zero-Hour Anti-Virus Module
Zero-Hour Settings
Enabling the Zero-Hour Module
Selecting Policy Routes
Configuring the Zero-Hour Proxy Server
Creating and Managing Zero-Hour Policies
Creating a Zero-Hour Policy
Ordering the Default Zero-Hour Policy
Deleting a Policy
Creating and Managing Zero-Hour Rules
Cloning a Zero-Hour Rule
Selecting Policy Routes
Adding a Zero-Hour Rule

Chapter 13 - Spam Detection Module
About the Spam Detection Module
Spam Detection Settings
Disabling the Spam Detection Module
Treating Bulk as Spam
Selecting Policy Routes
Module Summary
Update History
About Global Lists
Managing Safe and Blocked List Entries
Adding and Deleting Entries
Changing Entries
Searching for Entries
Matching Entries
Match Any Entries
Viewing Entries by Type
Importing Entries
Exporting a Global List
Introduction to Policies and Rules
Spam Policies
Additional Rules
Default Spam Policy and Rules
Default Policy Rules
Adding Rules to the Default Policy
Creating Spam Policies and Rules
Create a Policy
Adding Rules to a Policy
Editing a Spam Rule
Deleting a Spam Rule
Custom Spam Classifications
Enabling a Spam Detection Rule
Adding Custom Rules
Editing a Spam Rule
Deleting a Spam Rule

Chapter 14 - Smart Search
About Smart Search
Client-Server Architecture
Smart Search Settings
Finding Messages with Smart Search
Search Criteria
Final Action Examples
Multiple Values in a Search Field
Recent Searches
Viewing Details for a Message
Viewing MTA Data from the Logs
Exporting Search Results Data

Chapter 15 - Rules and Delivery Dispositions
About Delivery Dispositions
Delivery Methods and Priority
About Conditions and Operators
Deliver Now
Continue
Reject
Retry
Discard
Re-route
Secure Encrypt Options
Quarantine Option
Delivery Options
Placing a Copy in the Quarantine
Placing a Copy in the Incident Queue (DLP)
Including Messages in the Audit Folder
Changing the Subject
Changing Message Headers
Annotating the Message Body
Adding Recipients to the Message
Deleting an Attachment
Redirecting a Message
Replying to the Original Sender
Sending a New Message to the Original Recipient
Stopping Other Rules from Triggering In the Same Module
Smart Send
Influence Spam MLX Score
Policy Routes
Restricting Messages and Connections for a Policy Route
Disabling Messages and Connections for a Policy Route
Restricting and Disabling Messages and Connections for a Policy Route
Conditions in Rules
Examples
Severity Levels
Using Variables in Rules
Creating and Managing Composite Rules
Basic and Advanced Views
Changing a Logical Operator for a Condition
Deleting Conditions
Changing Conditions
Nesting Conditions
Cloning Rules
Controlling Rule and Policy Order
Conditions
Common Conditions
Rate Control
Proofpoint Dynamic Reputation
Firewall Module, Spam Detection Module, Regulatory Compliance Module, and Policy Routes
Spam Detection Module - Global Safe Lists and Blocked Lists
Zero-Hour Anti-Virus Module
Firewall Module, Spam Detection Module, and SMTP Rate Control
Matching Document Type
Using Regular Expressions
Metacharacters
Operators

Chapter 16 - Data Loss Prevention (DLP)
DLP Dashboard
Customizing the DLP Dashboard
Incident Status
Incident Templates
Incidents Display Layout
Introduction to DLP Folders
DLP Folders and Incident Expiration
DLP Folder Disposition Parameters
Advanced Expiration Modes
Keeping Incidents Indefinitely
Encrypting DLP Folder Content
DLP System Folders
Creating a DLP Folder
Managing DLP Folders
Changing Folder Settings
Viewing Incidents in a DLP Folder
Deleting a DLP Folder
Viewing and Managing Incidents
Incident Indicators
Searching for Incidents and Controlling Display Options
Simple Searches
Searching for Incidents by Age in a Specific Folder
Advanced Searches
Displaying Only Incidents Released by Users
Controlling the Number of Incident Fields to Display
Controlling the Number of Incidents to Display
Creating and Saving Incident Search Queries
Creating an Incident Search Query
Temporarily Disabling Fast Query on the Incidents Page
Viewing Incident Details
Viewing Incident Details in the Asset Folder
Viewing Incident Details in the Regulation Folder
Selecting a View for the Details Pane
Selecting Incidents
Selecting Individual Incidents
Selecting Incidents on a Display Page
Selecting All of the Incidents from a Query
Deleting Incidents and Restoring Deleted Incidents
Emptying the Deleted Folder
Viewing and Restoring Deleted Incidents
Restoring Incidents
Moving Incidents between Folders
Folder Options
Releasing, Redirecting, and Resubmitting Incidents
Releasing Incidents
Redirecting Incidents
Resubmitting Incidents for Filtering
Incident Options
Updating the Virus Status
Downloading Incidents to a CSV or XML File
Adding a Comment or Status to an Incident

Chapter 17 - Smart Send
About Smart Send
Using Smart Send

Chapter 18 - Encryption
About Encryption
Licensing Proofpoint Encryption
About Proofpoint Encryption
Authentication
Fallback Authentication and Proofpoint Encryption
Mail Filter/Secure Reader Node
About the Secure Reader Proxy
Size Limits for Secure Messages
Secure Delivery Method
Reports for Proofpoint Encryption
Alerts for Proofpoint Encryption
Using Proofpoint Encryption - Initial Setup Tasks
General Encryption Settings
Fully Qualified Domain Name for Secure Reader
Primary Encryption Domain
Branding Template
Response Profile
External Password Policy

26 Proofpoint Administration Guide xxvi Network Configuration Options Secure Reader Settings Domain Restrictions Secure Reader Allowed Domains Secure Reader Save Message Authentication Cache Premium Outlook Plug-in Settings Diagnostics for Proofpoint Encryption Creating Domain Profiles About Trusted Partner Encryption General Trusted Partner Encryption Settings Managing Trusted Partner Encryption Partners Managing Response Profiles Adding a Response Profile General Parameters Reply Parameters Forward Parameters Overriding Response Profiles with Rules Finding and Managing Encryption Keys Search Criteria for Keys Viewing Details for a Message Encryption Key Disabling Message Access Deleting a Key Changing the Key Expiration Configuring the Secure Reader Proxy Proofpoint Encryption on Software Installations Chapter 19 - ICAP (Internet Content Adaptation Protocol) About ICAP Creating DLP Rules for HTTP Content Delivery Options Chapter 20 - Regulatory Compliance Module About the Regulatory Compliance Module Ensures Compliance with HIPAA, GLBA and Other Regulations Detects All Types of Privacy Data Inside and HTTP Content Pre-defined and Custom Dictionaries NPI Identifiers Flexible Privacy Rules and Policy Definitions Encryption Support Reporting About Regulatory Compliance Rules Applications for Regulatory Compliance Rules

27 Contents Privacy Rules and Compressed Archives Regulatory Compliance Settings Disabling the Regulatory Compliance Module Selecting Policy Routes Business Partners Smart Identifiers Smart Identifier Details Smart Identifiers and Delimiters Importing a Custom Smart Identifier Adding and Managing Compliance Dictionaries Adding a Dictionary Deleting a Dictionary Checking for Dictionary Updates Adding Words to a Custom Compliance Dictionary Deleting Words Adding a Regular Expression Match Compliance Dictionary Deleting Words from a Compliance Dictionary Editing Words, Weights, or Conditions in a Compliance Dictionary Importing Words into a Compliance Dictionary Exporting Words from a Compliance Dictionary Creating Regulatory Compliance Privacy Rules Creating a Rule Business Partner Condition Protocol Condition Dictionary Score Condition Smart Identifier Score Smart Identifier Match Term Smart Identifier Match Data Proximity Match Condition Chapter 21 - Digital Assets Module About the Digital Assets Module Important Constraints Populating the Document Repository Digital Assets Terminology General Settings Disabling the Digital Assets Module Selecting Policy Routes Document Processor Settings WebDav Data Connector Settings and Profiles xxvii

28 Proofpoint Administration Guide General WebDav Data Connector Settings Creating Document Source Profiles Document Filter Settings Documentum Enterprise Data Connector Settings and Profiles Documentum Enterprise Data Connector Requirements Documentum Enterprise Data Connector Settings Creating Document Source Profiles Document Filter Settings Digital Assets Settings Setting Enforcement Levels and Content Parameters Creating and Managing Categories Adding a Negative Case Category Deleting a Category Managing Documents in the Repository Uploading Documents to the Repository Searching for Documents Viewing Documents Moving Documents between Categories Deleting a Document Guidelines for Creating Digital Assets Rules Creating Digital Assets Rules Creating a Rule Deleting and Modifying Digital Assets Rules Deleting a Digital Assets Rule Changing a Digital Assets Rule Disabling a Digital Assets Rule Chapter 22 - Frequently Asked Questions How do I force a mailing list owner when the owner does not exist on my LDAP server? How do I import from LDAP or Active Directory? Initial Setup Common Error Messages Advanced Options Command Options LDAP Server Comparison How do I prevent bounces which contain spam (backscatter)? How do I set up Recipient Verification with LDAP? IBM Domino/Notes Active Directory How do I submit a false-negative for analysis from an client? How do I use uid instead of an address for an LDAP import? How do I configure TLS fallback to Proofpoint Encryption? xxviii

29 Contents How do I support multiple domains for Proofpoint Encryption? Glossary Index xxix

30

Chapter 1 - Welcome

Introduction to the Proofpoint Protection Server

Welcome to the Proofpoint Protection Server. The Proofpoint Protection Server is a powerful software application that integrates virus protection, spam detection, message encryption, regulatory compliance, and digital asset protection technologies into an extensible message management platform. The Proofpoint Protection Server is designed to fit easily into your corporate environment, taking advantage of the existing corporate messaging infrastructure. It provides efficient performance, accurate message analysis, and a web-based interface (the management interface) for reporting, configuration, and management tasks.

Product Overview

The Proofpoint Protection Server is comprised of these components:

Filtering modules - the Firewall, Virus Protection, Spam Detection, and Regulatory Compliance Modules filter SMTP messages for envelope criteria, connection criteria, virus infections, spam, and message content. The Digital Assets Module protects your organization from accidental or deliberate disclosure of confidential information or trade secrets.

The Data Loss Prevention (DLP) dashboard provides a centralized and consolidated overview of DLP activity across your organization, with custom views of DLP reports and an incident manager console. Administrators and security practitioners can view real-time DLP statistics and trends as well as manage current incidents. Data can be viewed in high-level reports or as detailed incidents so that administrators can quickly focus on the critical areas of interest. The DLP dashboard consolidates data from the Regulatory Compliance Module and the Digital Assets Module. You will not see the DLP Dashboard in the management interface if you have not licensed the Regulatory Compliance and Digital Assets modules.

If you have an ICAP-enabled (Internet Content Adaptation Protocol) web proxy server on your network, you can also filter and block HTTP content for data loss prevention by enabling rules for HTTP content in the Regulatory Compliance and Digital Assets modules.

Proofpoint Encryption - provides a fully integrated message encryption and decryption solution.

Administrators have granular control over the filtering policies and dispositions of messages that are infected, designated as spam, or contain inappropriate or confidential content. Messages designated as suspicious can be stored in a Quarantine folder or an Incident Queue for further analysis and disposition.

Message Processing Hub - this multi-protocol hub accepts all incoming messages and commands, passes messages to the Analysis Modules, exposes the functions of the Management Services, and handles final message dispositions.

Management Services - centralized management services include administration, message tracing, reporting, and monitoring.

Licensing Overview

Administrators purchase licenses for the modules they want to use in their Proofpoint deployments. Once you activate the product, the management interface displays only the parameters and navigation links for the modules you are licensed to use. The basic license includes the Firewall Module and all of the system administration, Reporting, Logging, Digest, and Quarantine functions.

Proofpoint Messaging Security Gateway

A common problem facing most administrators and end users today is the growing proliferation of spam and virus email. The flood of such unwanted email sent by spammers and hackers has large cost implications for corporate organizations. The unwanted traffic results in lowered productivity and consumes valuable IT resources. This impact is particularly severe for businesses that maintain in-house mail servers and have limited administrative resources. The Proofpoint Messaging Security Gateway (appliance) is an affordable and compact solution ideal for mid-sized organizations looking for a turn-key solution to address spam, virus, and other message-borne threat protection capabilities. Without the hassle of configuring hardware and operating systems, the Proofpoint Messaging Security Gateway is pre-installed with the Proofpoint Protection Server software, can be up and running quickly, and is easily maintained by a single administrator.

Clusters and Services

You can deploy several Proofpoint Protection Servers or appliances in a cluster and assign them to different services. For example, one system can serve as the master administration console (the Config Master) and the other systems as filtering services.

Related Topics: See Master, Agents, Clusters, and Instances for definitions of these Proofpoint Protection Server terms.

Master, Agents, Clusters, and Instances

You can deploy several Proofpoint Protection Servers to provide various services. For example, you can install the Proofpoint Protection Server software on three systems, deploy one system as the master Management Services console (the Config Master), and deploy the other two systems as the filtering services (agents). The system running the administrative interface is designated as master during installation, and the two systems running the filtering services are designated as agents during installation. The master server pushes configuration changes to the agent servers.

The server root is the directory location for the Proofpoint Protection Server software. This location is arbitrary, and varies from installation to installation.
For documentation purposes, this directory is referred to as ${PROOFPOINT_ROOT}.

A cluster is a collection of instances managed as one logical unit. An instance is an instantiation (working process) of the Proofpoint Protection Server software. Proofpoint supports one instance per server root, and one server root per host configuration. Internally, the Proofpoint Protection Server identifies a fully qualified instance name by hostname, administration port number (one per server root), and instance name. Administrators can give an instance a display name - an alphanumeric string that identifies the instance by a name that makes sense. If there is no display name for the instance, the fully qualified instance name appears in the web-based management interface by default.

Related Topics: For information about adding agents to a cluster, see Adding and Deleting Agents.

Navigating the Management Interface

The left side of the management interface provides the navigation pane. Each top-level link expands (to reveal) and contracts (to hide) the links to the Proofpoint Protection Server components. You will only see the modules for which you have purchased licenses.

[Figure: Collapsed Navigation Pane. Click a top-level navigation link to expand it.]

Links on Every Page

The following links appear by default on each page of the management interface.

Logged in as - displays the name of the administrator currently logged in to the management interface.

Logout - logs the administrator out of the Proofpoint Protection Server management interface.

Switch to Advanced Mode - displays all of the navigation links in the management interface. Toggles between the Advanced and Basic modes.

Switch to Basic Mode - hides the more advanced configuration links. Toggles between the Advanced and Basic modes.

Add Shortcut - adds a shortcut to the bottom of the navigation pane for the page that is currently displayed. Shortcuts are displayed with a shortcut icon. You can have up to five shortcuts at a time. Older shortcuts are moved off the list as you add new ones. Tooltips provide more detailed information about each shortcut.

Refresh Config - if more than one administrator is making changes to the configuration, this link ensures that all changes are applied before anyone logs out of the management interface. If only one administrator is making configuration changes, this link ensures the changes are applied immediately.

Enter Search - searches the Call Tracking System forums for the word you enter into the field.

Help - provides context-sensitive help for the current page.

Display and Hide Icons

The Display and Hide icons display or hide the navigation pane.

Expand and Collapse Navigation Pane Icons

The Expand and Collapse icons expand and collapse the links under each top-level entry in the navigation pane.

Minimize and Maximize Panes on a Page

The Minimize and Maximize icons hide and display panes on a page.

Paging through Entries

Use the Previous, Next, First and Last icons to page through entries on a page or in a pane.

Expanding and Collapsing the Menus

Click the up-arrow or down-arrow to display or hide the menus for each entry in the navigation pane. See Admin Server Settings.

Refresh Page Icon

The Refresh Page icon updates the page or table with the latest data.

Editing or Viewing Table Elements

To make changes to an element in a table or on a page, click the name of the element. For example, to view or make changes to an administrator, a server, a rule, or a Policy Route, click its name. To view message details for a message in a Quarantine folder, click the message.

Selecting Items in a Table on a Page

If you want to select all of the items in a table displayed on a page, select the all check box. There are two all check boxes: one is labeled All, and the other one is not labeled. One check box selects all items displayed in a table or list. The other selects all of the items returned from a query, whether or not they are displayed in a table or list.

Persistent Views

When an administrator logs off from the management interface, then logs back in, his or her view from the previous session will display. For example, if an administrator was working on the System > Settings > SMTP page when the administrator logged off, this is the page that displays when the administrator logs back in to the management interface. Persistent views are stored per browser and per user.

If you are working in Basic Mode, switch to Advanced Mode, and go to a link that is exposed only in Advanced Mode, that link will still appear after you switch back to Basic Mode. That is, navigation links that you view in Advanced Mode are promoted to Basic Mode. You can enable or disable persistent views and change the persistence expiration period on the System > Settings > Admin Server page.

Managing Your Proofpoint Portal

The Proofpoint Portal allows administrators to organize their views for status, reporting, and management of a cluster of Proofpoint Protection Servers or appliances. Administrators can customize and save unique views of information and functionality by creating a portal to the Proofpoint cluster. A portal is comprised of one or more customized workspaces.
Each workspace is comprised of one or more pages of information. Each page contains widgets - a widget is a UI element (management interface element) that serves as a container for functionality. For details on how to create, delete, and manage workspaces, see Creating and Managing Workspaces and Working with Pages and Widgets.

Examples:

You are the security officer for your organization. You are only interested in the data collected by the Regulatory Compliance Module. You create a workspace on the DLP Summary > Dashboard page named Security and choose the widgets for that workspace that report on messages that are sent to the Incident Queue because they triggered rules in the Regulatory Compliance Module.

Your responsibility as a network administrator is to monitor and manage connections to your organization, and throttle IP addresses or domains that are sending spam to your organization or attacking your network. You create a workspace on the System > Summary page named Connections and select the widgets for that workspace that are relevant to your monitoring responsibilities.

The portal you create only contains the information that is important to you. You can access your portal from System > Summary or DLP Summary > Dashboard in the navigation pane.

Creating a portal is a three-step process:

1. Create a workspace and give it a name.
2. Add pages to the workspace.
3. Add widgets to each page.

There is no limit to the number of workspaces you can add to your portal.

About Workspaces

A default workspace named Default view is already included with the Proofpoint Protection Server software. The default workspace contains preconfigured pages that you can modify or delete. You can also add new pages to the default workspace. The following pages are included with the Default view for System > Summary:

Server Status - displays summary status information for the entire cluster and for each Proofpoint Protection Server or appliance in the cluster individually. For details about the data displayed on the Server Status page, see Server Status in "System Summary."

Message Traffic - for each analysis module, the table displays the number of messages processed by the rules for the module. The data in the tables is aggregated for all of the Proofpoint Protection Servers in the cluster. For the Quarantine, the table displays the number of messages sent to the Quarantine because they triggered rules in the filtering modules. The data is aggregated for all of the systems in a cluster and summed for different time periods. For details about the data displayed on the Message Traffic page, see Message Traffic in "System Summary."

Reports - several preconfigured reports appear on this page. You can add more report widgets, delete report widgets, or re-arrange the reports.

News - several preconfigured news articles and RSS (Really Simple Syndication) feeds appear on this page. You can add more news widgets, delete news widgets, and re-arrange the news articles on this page.

The default DLP Dashboard view (DLP Summary > Dashboard) contains reports for Top Regulation Senders, Regulation Rule Trends, the Compliance Incident Manager, and trends for Proofpoint Encryption.

About Widgets

Widgets are the management interface (UI) elements that serve as containers for functionality.
The Proofpoint Protection Server software includes a menu of widgets. When you select a widget in the menu, a description or graphic describes the functionality for that widget.

Editing, Updating and Deleting Widgets

Each widget on a page has a title bar. If you place the mouse pointer over the title bar, the following icons appear:

Pad and pencil - displays an edit screen with the following choices (choices vary between widgets):
Cache. Enables or disables the internet cache. If enabled, the graph for the data is cached for one hour. If disabled, the graph is redrawn on the next Refresh.
Period. Select a time period for which you want collected data to be graphed.
Refresh. Select a time period for the data in the widget to be automatically refreshed.
Image Size. Select large or small icons for the widget.
Chart. Displays a list of available reports.

Update icon - refreshes the data for the widget immediately.

Delete icon - removes the widget from the page.

Chapter 2 - Evaluation

Start Filtering

This page is your starting point for filtering email to see how the Proofpoint Messaging Security Gateway (appliance) catches and quarantines spam and messages containing a virus. You have these choices for getting email into the appliance:

You can inject sample email provided by Proofpoint into the appliance. This is the fastest way to see messages in the Quarantine, and after an hour or so, you can view graphs and reports describing data collected from the Quarantine. To use this method, click the Filter sample email collection icon.

You can inject a corpus of messages that you collected into the appliance. To use this method, you must first create a zip archive that contains a collection of messages in RFC 822 format. Click the Upload and filter your email icon if you want to use this choice.

You can set up forwarding directly from your personal POP account to the appliance for filtering. All messages directed to your POP account (for example, ... or ...) are forwarded to the appliance, filtered, and then delivered to the address that you specify for forwarded email. Click the Filter email from any POP account icon to use this method.

Filter Sample Email

Use this page to inject sample email provided by Proofpoint into the appliance. Enter your email address into the Recipient Address field, and click the Start icon. Your email address will be added to the User Repository and you will receive a sample User Digest. The Digest lists the messages addressed to you that have been quarantined because they are spam or contain a virus. When the message injection process finishes, click the View the Quarantine icon to go directly to the Quarantine to see your quarantined messages.

Note: You need to wait at least one hour before you can create reports. Be sure to check your email account for a Digest sent to you by the appliance. The Digest contains a list of messages that are addressed to you and are stored in the Quarantine.
(The Digest is sent to the email account that you entered into the Recipient Address field.)

Filter Your Email

Use this page to inject your own corpus of email messages into the appliance. Create a zip archive that contains a collection of messages in RFC 822 format.

Before you create the zip archive, you should clean up the headers in the corpus. For example, if the messages are addressed to no legitimate recipients, or to multiple recipients, that information is stored in the Quarantine along with the message. If you release a message from the Quarantine, or send Digests to all recipients who have messages in the Quarantine, you can potentially generate countless bounces.

1. Enter a new email address for the recipient for the filtered email in your corpus. This is an optional but recommended step. For example, if you enter your email address into the Recipient address (optional) field, the messages injected into the Quarantine from your corpus will be addressed to you, and will show up in your Digest.
2. Enter the directory path and filename for your zip archive into the Filename field, or use the Browse button to locate it.
3. Click the Start icon to begin injecting the messages.

When the message injection process finishes, click the View the Quarantine icon to go directly to the Quarantine to see your quarantined messages.

Note: You need to wait at least one hour before you can create reports.
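The header clean-up recommended above, as an added example that is not part of the Proofpoint guide: every recipient header (To, Cc, Bcc, Delivered-To, Resent-To, Resent-Cc) is removed from each RFC 822 message and replaced by a single To header naming the evaluation mailbox, so that releases and Digests cannot bounce to recipients that never existed. The two messages and the addresses are constructed sample data, and the archive layout (one .eml file per message at the top level of the zip) is an assumption.

```python
"""Clean recipient headers in an RFC 822 corpus and pack it into a zip archive.

Added example (not from the Proofpoint guide). Rewrites To/Cc/Bcc and related
headers so that every message is addressed only to one evaluation mailbox,
which prevents Digests and releases from bouncing to stale recipients.
"""
import io
import zipfile
from email import policy
from email.parser import BytesParser

# Constructed sample corpus: two messages with stale or multiple recipients.
SAMPLE_CORPUS = {
    "msg001.eml": (
        b"From: newsletter@example.net\r\n"
        b"To: nobody@old-domain.invalid, other@example.org\r\n"
        b"Cc: archive@example.org\r\n"
        b"Subject: Limited offer\r\n"
        b"\r\n"
        b"Body one\r\n"
    ),
    "msg002.eml": (
        b"From: alerts@example.net\r\n"
        b"To: undisclosed-recipients:;\r\n"
        b"Bcc: hidden@example.org\r\n"
        b"Subject: Account notice\r\n"
        b"\r\n"
        b"Body two\r\n"
    ),
}

# Every header that names a delivery target and could trigger a bounce.
RECIPIENT_HEADERS = ("To", "Cc", "Bcc", "Delivered-To", "Resent-To", "Resent-Cc")


def rewrite_recipients(raw: bytes, recipient: str) -> bytes:
    """Return the message with all recipient headers replaced by one To header."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for name in RECIPIENT_HEADERS:
        del msg[name]          # deletes every occurrence of that header
    msg["To"] = recipient
    return msg.as_bytes()


def build_corpus_zip(corpus: dict, recipient: str) -> bytes:
    """Rewrite each message and return the finished zip archive as bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, raw in corpus.items():
            zf.writestr(name, rewrite_recipients(raw, recipient))
    return buf.getvalue()


def recipients_in_zip(data: bytes) -> dict:
    """Verification helper: map each archived file to its recipient headers."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            msg = BytesParser(policy=policy.default).parsebytes(zf.read(name))
            out[name] = {
                h: [str(v) for v in msg.get_all(h)]
                for h in RECIPIENT_HEADERS if msg.get_all(h)
            }
    return out


if __name__ == "__main__":
    # evaluator@example.com is a placeholder for the address you enter in
    # the Recipient address (optional) field.
    archive = build_corpus_zip(SAMPLE_CORPUS, "evaluator@example.com")
    with open("corpus.zip", "wb") as fh:
        fh.write(archive)
    print(recipients_in_zip(archive))
```

Run it in the directory where you collected the messages (replacing SAMPLE_CORPUS with the files read from disk) and upload the resulting corpus.zip through the Filename field; the check at the end confirms that no message still carries a Cc, Bcc or second To address.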

Be sure to check your email account for a Digest, sent to you by the appliance. The Digest contains a list of messages that are addressed to you. The Digest is sent to the email account that you entered into the Recipient address (optional) field.

Filter Email from a POP Account

Use this page to set up forwarding directly from your personal POP account to the appliance for filtering. All messages directed to your personal POP account (for example, ... or ...) are forwarded to the appliance first, filtered, and then delivered to the address that you specify for forwarded email.

Note: Some ISPs charge a fee for forwarding.

You need the following information:
The name of the mail server for your POP account.
The user name and password for your POP account. Some POP accounts require the port number.
Some POP servers require SSH for communication.
A new email address to which forwarded messages will be sent.

To set up forwarding from a POP account:
1. Fill in the fields according to the information you gathered above about your POP account and ISP.
2. Click Verify POP Settings to check if the appliance can connect to your POP account.
3. Enter a new email address into the Forward address field. This address should not be the same as your POP account address.
4. Click the Start icon to configure the POP forwarder.

You can create more than one forwarding profile. For example, if you have several different POP accounts, you can create a forwarding profile for each one. Check the Quarantine for messages that were forwarded and filtered by the appliance by clicking Quarantine > Messages in the navigation pane.

Note: You need to wait at least one hour before you can create reports. Be sure to check your email account for a Digest, sent to you by the appliance. The Digest contains a list of messages that are addressed to you. (The Digest is sent to the email account that you entered into the Forward address field.)
Disabling Forwarding from a POP Account

If you have more than one forwarding profile, you can disable all of them at once. Follow these steps:
1. Log in to the appliance.
2. Click the Users link under Groups and Users in the navigation pane.
3. In the User List, click the entry for your email address to see the Attributes pop-up window. Or select the check box for your account in the User List and click Attributes.
4. Click the Attributes tab in the Attributes pop-up window.
5. Select No for the Enable Forwarder attribute.
6. Click Save Changes.

Follow these steps to disable forwarding from a specific POP account:
1. Log in to the appliance.
2. Click the Users link under Groups and Users in the navigation pane.
3. In the User List, click the entry for your email address, or select the check box for your account and click Attributes.
4. Click the POP3 Forwarder tab in the Attributes pop-up window.
5. Select the name of the profile you want to disable.
6. Click the Off radio button for the Enable parameter.
7. Click Save Changes.

If several users in your organization have forwarding profiles, you can disable all of the profiles at once by changing a Global attribute. Follow these steps:
1. Log in to the appliance, and be sure you are in the Advanced mode so you see all of the links in the navigation pane.
2. Click Global under Groups and Users in the navigation pane.
3. On the Groups and Users > Global page, select No for the Enable Forwarder attribute.
4. Click Save Changes.


Chapter 3 - Appliance

Network Interface Settings

After you log in, the data you entered during the initial setup appears on the Appliance > Network > Interface page. If necessary, you can change the appliance network interface settings.

Providing or Changing Network Interface Settings for the Appliance

To enter network interface data for the appliance:

1. If you have a cluster, select the server for which you want to enter or change network data from the Server drop-down list. Click Save Changes after making configurations for each server that you select from the drop-down list.
2. Enter or modify the following parameters for your network:

Hostname - the name you entered during the initial setup appears. For example, proofpointappliance.

Important: To change the hostname of a master Proofpoint Protection Server or an agent in a cluster, see Changing Hostnames for Masters and Agents in this topic.

Domain Name - the name you entered during the initial setup appears. If necessary, enter a different domain name. Enter a Fully Qualified Domain Name (FQDN). For example, example.com. (Do not enter an IP address or hostname.)

DNS Settings - Primary Name Server, Secondary Name Server, Tertiary Name Server. By default the IPv4 address for the public Primary Name Server appears, or the address or addresses you entered during the initial setup. The secondary and tertiary name servers are optional. Change or add addresses as necessary. (Use IPv4 addresses; do not use domain names or IPv6 addresses.)

Depending upon how your network is set up, the DNS servers may not recognize the IP addresses or hostnames of the Proofpoint Protection Servers on your network. In this case, you will want to add the IP address and hostname or hostnames of each Proofpoint Protection Server to the Hostname Override text box. The data that you enter in the Hostname Override text box populates the /etc/hosts file on the appliance.
Enter the IP address first, and then a blank space followed by the hostname or hostnames for each Proofpoint Protection Server. Entering a fully-qualified domain name (FQDN) is preferable, but the system will accept IP addresses and hostnames. For example: pps1 proofpointmaster pps2 proofpoint2 proofpointagent proofpoint3.proofpoint.com

You must enter an IP address and at least one hostname for each Proofpoint Protection Server.

Configuring Appliance Network Interfaces

The appliance supports a minimum of two network interfaces, network 1 and network 2, depending upon how the appliance hardware is configured. The IPv4 network address and netmask you entered during the initial setup appear on the Appliance > Network > Interface page. Each Ethernet port installed on an appliance displays as a separate network interface on the Appliance > Network > Interface page. Configure each one separately. Network 1 is always in use; it cannot be disabled. Network 2 is optional. If you do not enter an IPv4 network address and netmask for Network 2, or for any additional network interfaces, they will be disabled.
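Because the Hostname Override text box is copied straight into /etc/hosts, a malformed line silently breaks name resolution between the master and its agents. The following validator is an added example, not part of the Proofpoint guide or the appliance, that applies the rules stated above to the text before it is saved: each non-empty line must begin with an IPv4 address, carry at least one RFC 1123 hostname, and should include an FQDN; it also flags a hostname that is mapped to two different addresses. The addresses and names in the samples are constructed placeholders.

```python
"""Validate Hostname Override entries before they are written to /etc/hosts.

Added example, not part of the Proofpoint guide. Each line must start with an
IPv4 address followed by at least one hostname; an FQDN is preferred.
Problems are returned as (line_number, level, message) tuples, where level is
"error" for a line the appliance should not be given and "warning" for a line
that is accepted but not recommended.
"""
import ipaddress
import re

# RFC 1123 label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """Accept a bare hostname or an FQDN (optional trailing dot), 253 chars max."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def validate_override(text: str) -> list:
    """Check Hostname Override text; an empty list means every line is acceptable."""
    problems = []
    seen_hosts = {}          # lowercase hostname -> address it was first mapped to
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # /etc/hosts allows trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            problems.append((lineno, "error", f"first field {fields[0]!r} is not an IP address"))
            continue
        if addr.version != 4:
            problems.append((lineno, "error", "use an IPv4 address, not IPv6"))
        if len(fields) < 2:
            problems.append((lineno, "error", "at least one hostname is required after the address"))
            continue
        if not any("." in h for h in fields[1:]):
            problems.append((lineno, "warning", "no fully qualified domain name given"))
        for host in fields[1:]:
            key = host.lower()
            if not is_valid_hostname(host):
                problems.append((lineno, "error", f"{host!r} is not a valid hostname"))
            elif key in seen_hosts and seen_hosts[key] != addr:
                problems.append((lineno, "error", f"{host!r} already maps to {seen_hosts[key]}"))
            else:
                seen_hosts.setdefault(key, addr)
    return problems


# Constructed samples; the addresses are documentation ranges, not real servers.
SAMPLE_GOOD = """\
192.0.2.10 pps1 proofpointmaster.example.com
192.0.2.11 pps2 proofpointagent.example.com   # second filtering agent
"""

SAMPLE_BAD = """\
192.0.2.10 pps1 proofpointmaster.example.com
proofpointagent.example.com 192.0.2.11
192.0.2.12
2001:db8::5 pps3.example.com
192.0.2.13 pps1 bad_host
"""

if __name__ == "__main__":
    for label, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, validate_override(text) or "OK")
```

The second sample exercises the failure modes an administrator is most likely to type: fields in the wrong order, an address with no hostname, an IPv6 address where IPv4 is required, a hostname reused for a second server, and an underscore in a name.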

If you choose to bind Network 2 to Network 1, Network 2 will adopt the IPv4 address and netmask of Network 1. Binding provides active-standby: should Network 1 fail, Network 2 will take over operations. Both network interfaces need to be connected to the same subnet if you select binding for Network 2.

You also need to decide whether or not to use auto-negotiation for each network interface. If you do not use auto-negotiation, enter your own parameters for speed and duplex. If you select binding for Network 2, it will not adopt the auto-negotiation selections made for Network 1; auto-negotiation selections are independent.

To configure each network interface for the appliance:
1. Enter the IPv4 address you want to assign to the network interface in the IPv4 Address field. (Use an IPv4 address; do not use a domain name.)
2. Enter the accompanying netmask you want to assign to the network interface in the Netmask field. (Use an IP address; do not use a domain name.)
3. For each Network Interface that appears on the Appliance > Network > Interface page, you have the option to select Manual Configuration for the Ethernet Interface parameter. If you select Manual Configuration, enter your own parameters for Speed and Duplex. However, Proofpoint strongly recommends that you leave Auto-Negotiation selected, unless you have specific network requirements.
4. To add IPv6 addresses to the network interface, enter each one into the IPv6 Address field and use the arrow buttons to populate the list. The Prefix value is a decimal number that indicates the number of contiguous, higher-order bits of the address that make up the network portion of the address.
5. Click Save Changes.

The Link Status for each Network Interface will display Detected or Not Detected to indicate whether or not the network interfaces are connected correctly.
Verify that the Ethernet cables are properly connected to the ports on the appliance and to the network switch or hub.

The gateway address you entered during the initial setup appears in the Default Gateway field. Enter a new address if necessary. (Use an IP address; do not use a domain name.)

Configuring Static Routing for the Network Interfaces

To ensure connectivity for the appliance, configure the static network routes for each network interface on the appliance.

To configure routing for the appliance network interfaces: enter the IPv4 address, netmask, and gateway, select the network interface for each route, add the route to the Routing List, and then save your changes. Click the right-arrow (>>) button to add all the data for a specific network interface to the Routing List at the same time.

Important: Be sure to enter the correct information when configuring static routes for the appliance. Also ensure that you do not enter routing information for a network interface that uses binding. Entering incorrect information can result in a lost connection.

IPv6 Network Routes

For every IPv6 address you add to the network interface, the network portion of the address displays in the IPv6 Routes box. The appliance listens to IPv6 router advertisements and displays them here. The "default via" address is the IPv6 gateway address discovered through an IPv6 router advertisement.

Changing Hostnames for Masters and Agents

Before changing the hostname for a master in a cluster, you must first delete all of the agents. See Adding and Deleting Agents in "Proofpoint Protection Servers" for more information.

Chapter 3 - Appliance

To change the hostname of a master in a cluster:

1. Delete all of the agents on the System > Servers page.
2. Change the hostname of the master on the Appliance > Network page. (Do not use an IP address or domain name.)
3. Re-add the agents to the cluster on the System > Servers page.

You cannot change the hostnames for agents in a cluster using the Appliance > Network page. To change the hostname for an agent:

1. Use the management interface to delete the agent from the cluster on the System > Servers page.
2. Log in to the agent as admin with SSH, or start the console from a terminal connected to the agent.
3. Start the Setup Assistant Guide to set up and re-configure the agent with a different hostname. Important: The hostname must resolve to the correct IP address for the agent.
4. Use the management interface to re-add the agent to the cluster on the System > Servers page.

Network Precedence Settings

The Appliance > Network > Precedence page is the management interface to the /etc/gai.conf (getaddrinfo) configuration file. When the appliance makes outbound network connections to other hosts that have multiple IP addresses, use the Precedence page to manage the order in which those IP addresses are tried.

Host Firewall Selections

Use the Appliance > Host Firewall page to set up the firewall for an appliance by determining host access to the following ports:

- Admin Server (TCP Port 10000) - The Admin Server port allows access to the management interface (administrator interface) in a web browser. If you select Allow Specific Addresses, only connections from the IP addresses you specify will be allowed to log in to the appliance.
- Remote Access SSH (TCP Port 22) - The IP addresses that are allowed remote SSH access for support are listed in System Rules. These addresses are used by Technical Support to access your systems for purposes of troubleshooting problems. It is recommended that you leave these IP addresses enabled. However, if you must disable the support IP addresses due to security policies or firewall rules, clear the Enable support access check box.
- SSH Disclaimer - If you want to display a disclaimer to anyone who logs in to the appliance using SSH, enter the text here. The disclaimer appears when a user provides a login name, before a password is entered. Here is an example of a typical disclaimer:

  "Property of <your_organization>. Do Not Attempt To Access Without Permission. This system belongs to <your_organization> and is for the exclusive use of <your_organization's> employees. If you are not a <your_organization> employee, do not attempt to log in."

- SMTP (TCP Port 25) - The SMTP service receives email from clients and other MTAs. Note that restricting the SMTP service will impact the ability of the appliance to filter email. Note: If you select Deny All Addresses, sendmail (bundled with the appliance) will lose its connection and the appliance will be unable to filter email.
- SNMP (TCP/UDP Port 161) - Should you want to restrict the SNMP connection, for example to the SNMP central manager, select Allow Specific Addresses and enter the IP address of the central manager in the User Rules text box. Use the Appliance > SNMP page to enable and configure SNMP for the appliance. See SNMP Configurations for more information.
- API Service (TCP Port 10010) - This port is the communication interface between the master and agents in a cluster. When you add an agent, Allow Specific Addresses becomes selected and the text boxes are populated with the hostname and IP address of the agent.
- Enduser Web (TCP Port 10020) - Access to the HTTP processor port allows users to view and manage their messages in the Quarantine using a web browser. Typically, Allow All Addresses should be selected.

- ICAP (TCP Port 1344) - This is the port used to accept connections from a proxy server. Typically you would select Allow Specific Addresses and enter the IP addresses for the proxy servers on your network.
- Database (TCP/UDP Port 3306) - This is the port used to communicate with the Proofpoint database that stores the Quarantine, User Repository, and log data tables. When you add an agent, Allow Specific Addresses becomes selected and the text boxes are populated with the hostname and IP addresses of the agent.
- Smart Search Queries (TCP Port 10946) - This port is required for searches, search results, and Smart Search settings.
- Smart Search Log Transfer (TCP Port 10947) - This port is required to transfer sendmail logs and filterd logs from a Log node (if applicable), or from the Config Master, to Smart Search for indexing.

For each port, decide whether to Allow All Addresses, Deny All Addresses, or Allow Specific Addresses. If you added agent systems to a cluster, system rules and user rules appear for each network interface when you select Allow Specific Addresses. You can change user rules, but you cannot change system rules.

The selections available on the Appliance > Host Firewall page vary depending upon whether you select an agent or master system to configure. If you select an agent, some selections are not available, to prevent you from disconnecting the agent from the master Proofpoint Protection Server.

To configure the firewall for the appliance:

1. Click the Host Firewall link under Appliance in the navigation pane.
2. If you have a cluster, select the name of the server for which you want to configure access information from the Server drop-down list. (Click Save Changes after making configurations for each server that you select from the drop-down list.)
3. Make selections from the following parameters for each port:
   - Allow All Addresses - select if you want all hosts to have access to the port.
   - Deny All Addresses - select if you want to deny all hosts access to the port.
   - Allow Specific Addresses - select if you want to limit access to the port to a specific range of IP addresses.
     - System Rules text box. The IP addresses in System Rules ensure that Proofpoint Protection Server services can access each other correctly. The system rules are automatically configured and are always on. You cannot delete or modify them. The system rules for the Admin Server guarantee that agents can communicate with the master Proofpoint Protection Server. The system rules for Remote Access SSH ensure that Proofpoint will be able to provide support to your appliance.
     - User Rules text box. The range of IP addresses that appears in the User Rules is an addition to the system rules. They are a range of IP addresses for the internal network. For example, you may want to narrow the range of IP addresses in the user rules to make your firewall more secure. Refer to the CIDR standards for information about specifying a range of IP addresses.
4. After making access selections for each port, click Save Changes.

Inbound Mail Configurations

Use the System > Inbound Mail page to configure the inbound mail routes to which you want to apply filtering. If you are managing hundreds of inbound mail routes, you can use the search facility to display the route or routes you are interested in viewing or changing. You need to determine which host, IP address, or domain will accept mail for filtering, and if necessary, decide which mail servers will be responsible for delivering the filtered mail.

Important: You must click Save Changes to save the inbound mail routes you add to the System > Inbound Mail page. When you save the changes, any duplicate entries that already exist on the Outbound Mail Routes list are removed from the Outbound Mail Routes list - you are not allowed to save the same routes to both the Inbound Mail Routes list and the Outbound Mail Routes list. The entries on the Inbound Mail Routes list always take precedence. New entries are appended to the list.
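The Host Firewall decisions described under Host Firewall Selections above, as an added example that is not Proofpoint's code: the port numbers and the three policies (Allow All Addresses, Deny All Addresses, Allow Specific Addresses) are the ones the guide lists, the system-rules-always-on behaviour is as the guide states, and the addresses in SAMPLE_RULES are constructed from the RFC 5737 documentation ranges. The `review()` checks restate the guide's own cautions (Deny All on SMTP stops filtering; an agent must be able to reach the API Service and Database ports); the Admin Server check is a hardening suggestion added here.

```python
"""Model of the Appliance > Host Firewall policy described in the guide.

Added example, not Proofpoint code. Port numbers and policies follow the
guide; SAMPLE_RULES addresses are constructed (RFC 5737 documentation ranges).
"""
import ipaddress
from dataclasses import dataclass

ALLOW_ALL = "Allow All Addresses"
DENY_ALL = "Deny All Addresses"
ALLOW_SPECIFIC = "Allow Specific Addresses"


@dataclass(frozen=True)
class PortRule:
    name: str
    port: int
    policy: str
    system_rules: tuple = ()  # populated by the appliance; always on, not editable
    user_rules: tuple = ()    # CIDR ranges an administrator may change


def _in_any(addr, cidrs):
    """True when addr falls inside any of the CIDR ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def is_permitted(rule, src_addr):
    """Decide whether a source address may reach the rule's port.

    Allow Specific Addresses admits anything matched by the system rules
    (which cannot be removed) or by the user rules; Deny All admits nothing.
    """
    if rule.policy == ALLOW_ALL:
        return True
    if rule.policy == DENY_ALL:
        return False
    return _in_any(src_addr, rule.system_rules) or _in_any(src_addr, rule.user_rules)


def review(rules, agent_addrs):
    """Return findings an administrator should resolve before clicking Save Changes."""
    findings = []
    for rule in rules:
        if rule.name == "SMTP" and rule.policy == DENY_ALL:
            findings.append("SMTP: Deny All Addresses leaves the appliance unable to filter email (sendmail loses its connection)")
        if rule.name == "Admin Server" and rule.policy == ALLOW_ALL:
            # hardening suggestion added here, not a statement from the guide
            findings.append("Admin Server: management interface open to every address; consider Allow Specific Addresses")
        if rule.name in ("API Service", "Database"):
            for addr in agent_addrs:
                if not is_permitted(rule, addr):
                    findings.append(f"{rule.name}: agent {addr} cannot reach TCP {rule.port}")
    return findings


# Constructed sample: one agent (192.0.2.20) is in the system rules, the
# internal network 10.0.0.0/8 is a user rule on the Admin Server port.
SAMPLE_RULES = (
    PortRule("Admin Server", 10000, ALLOW_SPECIFIC, ("192.0.2.20/32",), ("10.0.0.0/8",)),
    PortRule("Remote Access SSH", 22, ALLOW_SPECIFIC, ("198.51.100.0/24",)),
    PortRule("SMTP", 25, ALLOW_ALL),
    PortRule("API Service", 10010, ALLOW_SPECIFIC, ("192.0.2.20/32",)),
    PortRule("Database", 3306, ALLOW_SPECIFIC, ("192.0.2.20/32",)),
    PortRule("Enduser Web", 10020, ALLOW_ALL),
)

if __name__ == "__main__":
    # 192.0.2.21 was added as an agent but never appeared in the rules
    for finding in review(SAMPLE_RULES, ("192.0.2.20", "192.0.2.21")):
        print(finding)
```

Running the block reports the second agent as unable to reach the API Service and Database ports, which is exactly the condition the guide warns would disconnect an agent from the master.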

When you create or import new inbound mail routes, you have the option of creating a Domain Group for the domain or mail route. See Adding Domain Groups for Inbound Mail Routes in this topic.

A default_inbound Policy Route on the System > Policy Routes page is automatically created based on the information you provide for the Mail for Host/Domain and Route to Host(s)/Domain(s) fields. The default_inbound Policy Route determines which host and domain will accept email for filtering, and determines the destination host or hosts responsible for delivering the mail. Should you change the information, the default_inbound Policy Route is automatically updated. You cannot directly edit the default_inbound Policy Route, although you can create additional inbound Policy Routes on the System > Policy Routes page. See About Policy Routes for more information.

When you add or import entries to the System > Inbound Mail page, those entries are added to the sendmail relay_domains and mailertable tables. Note that only SMTP/ESMTP entries are added to the mailertable.

Note: The smart host is not available for Proofpoint Enterprise customers.

To configure filtering for inbound mail:

1. Click the Inbound Mail link under System in the navigation pane.
2. If you have a cluster, select the name of the server for which you want to enter or change routing information from the Server drop-down list. (Click Save Changes after making configurations for each server that you select from the drop-down list.)
3. Click Add.
4. Enter information or make selections for the following configurations on the System > Inbound Mail page:
   - Mail for Host/Domain field - enter the hostname, IP address, or domain name that will accept inbound mail for filtering. After filtering, the mail is routed to the destination host (Route to Host(s)/Domain(s)). This field accepts both IPv4 and IPv6 addresses. You can enter multiple entries, one per line.
   - Route By drop-down list - specify the mailer program for routing mail to the destination host (Route to Host(s)/Domain(s)).
     - DNS. The mail route is determined by DNS, which resolves the mail server used in the recipient's address. (If you choose to use a smart host, DNS will no longer be available from the Route By drop-down list.)
     - ESMTP. Route mail to a destination host that uses ESMTP. (Preferred routing protocol for inbound mail.)
     - SMTP. Route mail to a destination host that uses SMTP.
     - Smart Host. Route email for this host/domain to the server specified as the Smart Host on the Appliance > SMTP Settings > Advanced page. (Smart Host only appears in the Route By drop-down list when the Smart Host value is configured.)
   - Route to Host(s)/Domain(s) field - enter the hostname, IP address, or domain name to which filtered mail is routed. You can enter multiple entries, one per line. (The selection you make for the Route By parameter determines whether or not you need to enter information in this field.)
   - Lookup By radio buttons - select a lookup method that will verify the name of the destination host. (The selection you make for the Route By parameter determines the available lookup methods.)
     - A record only. Route mail for the domain directly to the specified server.
     - MX and A records. Route to the mail server specified by the MX record lookup of the recipient's domain. This option is rarely used.
   - Delivery Type radio buttons - select the delivery method for routing filtered mail to the destination host. (The selection you make for the Route By parameter determines the available delivery type methods.)
     - Ordered. The appliance cycles through the list of destination hosts, in order, until it finds one to which the inbound mail can be delivered. If the end of the list is reached before successfully connecting to a destination host, mail delivery temporarily fails.
     - Load Balanced. The list of destination hosts is cycled through in a continuous loop until a connection is successful.
5. Click Save Changes.

To edit an entry, click on the information in any of the columns.

After making your configurations, you can select the number of entries you want to display in the Inbound Mail Routes table by making a selection from the Entries drop-down list.

Importing a List of Mail Routes

To import a text file that contains a list of mail routes, use the following format for the entries in the text file and separate each entry with a new line. When you enter multiple entries for Route to Host(s)/Domain(s), you can influence the Delivery Type by separating the entries with colons (Ordered) or commas (Load Balanced).

Note: After import, the entries are sorted in ascending order in the management interface, no matter what order they were in the text file.

Examples

Entry in text file: example.com SMTP:exampleA.com
Translates to this in the management interface:
  Mail for Host/Domain: example.com
  Route By: SMTP
  Route to Host(s)/Domain(s): examplea.com
  Lookup By: MX and A records

Entry in text file: example1.com SMTP:exampleB.com
Translates to this in the management interface:
  Mail for Host/Domain: example1.com
  Route By: SMTP
  Route to Host(s)/Domain(s): exampleb.com
  Lookup By: MX and A records

Entry in text file: example2.com ESMTP:[ ],[ ],[ ]
Translates to this in the management interface:
  Mail for Host/Domain: example2.com
  Route By: ESMTP
  Route to Host(s)/Domain(s): , ,
  Lookup By: A record only
  Delivery Type: Load Balanced

Entry in text file: example3.com ESMTP:[ ]:[ ]:[ ]
Translates to this in the management interface:
  Mail for Host/Domain: example3.com
  Route By: ESMTP
  Route to Host(s)/Domain(s): , ,
  Lookup By: A record only
  Delivery Type: Ordered

Entry in text file: example4.com DNS:
Translates to this in the management interface:
  Mail for Host/Domain: example4.com
  Route By: DNS

Sample text file

example.com SMTP:[exampleA.com]
example1.com SMTP:[exampleB.com]
example2.com ESMTP:[ ],[ ],[ ]
example3.com ESMTP:[ ]:[ ]:[ ]
example4.com DNS:
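A parser for the import-file format just described, added here as an example; it is not Proofpoint's import code. The separator rules (colons for Ordered, commas for Load Balanced), the DNS/SMTP/ESMTP Route By values, the lower-casing and ascending sort shown in the guide's table are taken from the text; reading bracketed hosts as "A record only" and unbracketed hosts as "MX and A records" follows the guide's example rows. The block also includes the Domain Group naming convention from the following section (example1.com becomes example1_com). SAMPLE_IMPORT is constructed, with RFC 5737 and RFC 3849 documentation addresses in place of real hosts, and the bracket-aware splitting of IPv6 literals goes beyond what the guide shows.

```python
"""Parser for the mail-route import file format described in the guide.

Added example, not Proofpoint code. SAMPLE_IMPORT is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

ROUTE_BY = ("DNS", "SMTP", "ESMTP")


@dataclass
class MailRoute:
    mail_for: str
    route_by: str
    route_to: List[str] = field(default_factory=list)
    lookup_by: Optional[str] = None
    delivery_type: Optional[str] = None


def _split_targets(spec):
    """Split 'h1,h2' or 'h1:h2' on separators that are outside [...] brackets.

    A bracketed IPv6 literal such as [2001:db8::25] contains colons, so a
    plain str.split(':') would tear it apart (assumption: such literals are
    always bracketed in the file).
    """
    hosts, seps, buf, depth = [], set(), "", 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch in ",:" and depth == 0:
            hosts.append(buf)
            seps.add(ch)
            buf = ""
        else:
            buf += ch
    hosts.append(buf)
    return hosts, seps


def parse_route_line(line):
    """Translate one import-file entry into management-interface field values."""
    parts = line.split(None, 1)
    if len(parts) != 2 or ":" not in parts[1]:
        raise ValueError(f"expected '<host/domain> <ROUTE_BY>:<targets>': {line!r}")
    mail_for, spec = parts
    route_by, _, targets = spec.partition(":")
    route_by = route_by.upper()
    if route_by not in ROUTE_BY:
        raise ValueError(f"unknown Route By value {route_by!r} in {line!r}")
    if route_by == "DNS":
        return MailRoute(mail_for.lower(), "DNS")  # 'DNS:' carries no targets
    hosts, seps = _split_targets(targets)
    if seps == {",", ":"}:
        raise ValueError(f"mixed ',' and ':' separators in {line!r}")
    delivery = None
    if seps:
        delivery = "Load Balanced" if "," in seps else "Ordered"
    bracketed = [h.startswith("[") and h.endswith("]") for h in hosts]
    if all(bracketed):
        lookup = "A record only"
    elif not any(bracketed):
        lookup = "MX and A records"
    else:
        raise ValueError(f"cannot mix bracketed and unbracketed hosts in {line!r}")
    hosts = [h.strip("[]").lower() for h in hosts]
    if any(not h for h in hosts):
        raise ValueError(f"empty destination host in {line!r}")
    return MailRoute(mail_for.lower(), route_by, hosts, lookup, delivery)


def parse_route_file(text):
    """Parse every non-blank line and sort ascending, as the interface does after import."""
    routes = [parse_route_line(l) for l in text.splitlines() if l.strip()]
    return sorted(routes, key=lambda r: r.mail_for)


def domain_group_name(domain):
    """Domain Group name for a domain: dots become underscores (example1.com -> example1_com)."""
    return domain.lower().replace(".", "_")


# Constructed sample file, deliberately out of order to show the sort.
SAMPLE_IMPORT = """\
example3.com ESMTP:[192.0.2.20]:[192.0.2.21]
example.com SMTP:exampleA.com
example2.com ESMTP:[192.0.2.10],[192.0.2.11],[192.0.2.12]
example5.com ESMTP:[2001:db8::25]
example4.com DNS:
"""

if __name__ == "__main__":
    for route in parse_route_file(SAMPLE_IMPORT):
        print(route, "->", domain_group_name(route.mail_for))
```

Rejecting a line that mixes commas and colons, or bracketed and unbracketed hosts, is a choice made here so that an ambiguous entry is caught before it reaches the appliance rather than silently mapped to one Delivery Type.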

Adding Domain Groups for Inbound Mail Routes

You can create Domain Groups for the domains that you create or import into the Inbound Mail Routes table by selecting one domain or several domains in the table and clicking the Create Domain Group Per Domain link. This is a convenient way to create several Domain Groups at once. After creating Domain Groups, go to the Groups and Users > Groups page to add a description for each Domain Group and to select the attributes to apply to each Domain Group.

The Domain Group name matches the name of the domain, with an underscore in place of the dot between the name and the domain suffix: a Domain Group for example1.com is named example1_com, a Domain Group for example2.org is named example2_org, and so forth.

You have the option of automatically creating a Domain Group for each domain that you add to the System > Inbound Mail page. See Enabling Automatic Domain Groups, User Repository, and POP Forwarder in "Groups and Users" for more information.

Important: Automatic creation of Domain Groups applies only to domains added after you enable the feature on the Groups and Users > Settings page. Pre-existing domains or inbound mail routes will not automatically have Domain Groups created for them.

You must click Save Changes each time you populate the Inbound Mail Routes page. See Adding Groups and Assigning Attributes for more information about Domain Groups and selecting attributes for Domain Groups.

Searching for Inbound Mail Routes

You can search for specific hosts, domains, or mail routes by entering text into the Filter field and clicking Search. You can enter hostnames, domains, and routing criteria into the Filter field. You can enter partial strings into the Filter field. For example, if you enter "example" into the Filter field, the search returns "example1.com," "example2.com," "example3.com," and so forth. Click Reset to clear the search results and display the entire list of inbound mail routes.

The Filter field accepts regular expressions. See Using Regular Expressions in "Rules and Delivery Dispositions" for information about constraints with regular expressions.

About Outbound Mail

Use the System > Outbound Mail > Mail Routes page to configure filtering for outbound mail. Filtering outbound mail is optional; it depends upon your organization's policies. You can filter all outbound mail or outbound mail sent to specific hosts or domains. If you want to filter all outbound mail, you need to make additional configurations for the mail server that delivers the mail to be filtered (for example, an Exchange server).

Configure the parameters on the Mail Routes page to filter and route email destined to specific hosts or domains to another host or domain. For example, all email addressed to the domain example1.com will be filtered and routed to the host hostname1 before it is allowed out of your organization. An entry on this page is added to the sendmail mailertable table.

Use the System > Outbound Mail > Allow Relay page to filter email destined to specific domains or hosts, or from specific IP addresses, before allowing the email out of your organization. For example, all email addressed to example2.com or to hostname2 will be filtered before leaving your organization. All email from IPaddress will be filtered before leaving your organization. An entry on this page is added to the sendmail relay_domains table.

These methods are not mutually exclusive; you can populate the table on the Outbound Mail > Mail Routes page and leave the Allow Relay list empty, or vice-versa. If you happen to place the same domain, for example, on both the Outbound Mail Routes table and the Allow Relay list, the entry on the Outbound Mail Routes table takes precedence and the Allow Relay entry is ignored.

Filtering All Outbound Mail

To filter all outbound mail, fulfill these requirements:

- Configure a smart host on the mail server (for example, an Exchange server) that relays the outbound mail to be filtered. Note: The smart host is not available for Proofpoint Enterprise customers.
- Allow relaying from the mail server for all outbound mail.

Allow Relay

The entries on the System > Outbound Mail > Allow Relay page define the domains, hosts, and IP addresses from which email can be accepted for filtering. Entries added or imported to the Allow Relay tab are appended to the sendmail relay_domains table. See About Outbound Mail for general information.

Entering an IP address for the Allow Relay parameter ensures that email is accepted and filtered based on the From: address in the mail envelope. Entering a hostname or domain name for the Allow Relay parameter ensures that email is accepted and filtered based on the recipient's address, the RCPT To: address in the mail envelope.

If you have a cluster, select the server for which you want to enter or change relay configurations from the Server drop-down list on the Allow Relay page. (Click Save Changes after making configurations for each server that you select from the drop-down list.)

For Allow Relay:

- Enter a domain name or a host into the field if you want to accept and filter email to or from this host or domain.
- Enter an IP address (partial or complete) into the field if you want to filter email originating from this IP address. This field accepts both IPv4 and IPv6 addresses. You cannot enter a netmask or wildcards into this field. If you enter a partial IP address - for example, it is expanded to /16.

Click the right-arrow (>>) button to add the entry to the Domain, Hostname or IP Address List. All entries added for this parameter use DNS for routing purposes, unless you choose to use a smart host. Note: The smart host is not available for Proofpoint Enterprise customers.
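The Allow Relay entry handling described above, as an added example (not Proofpoint's code). The guide states that a partial IPv4 address is expanded, its example becoming a /16; extending that rule to one octet (/8) and three octets (/24) is an assumption made here. `relay_accepted()` models only what the guide describes: IP entries are matched against the address the mail comes from, host/domain entries against the recipient's domain (matching subdomains of a listed domain is also an assumption). `audit()` adds a check that the page does not describe, flagging entries that expand to a very wide range, since an over-broad Allow Relay list is what turns a filtering gateway into an open relay. SAMPLE_ENTRIES are constructed.

```python
"""Allow Relay entries: partial-address expansion and an acceptance model.

Added example, not Proofpoint code. The /8 and /24 expansions and the
subdomain matching are assumptions; the /16 case is the one the guide states.
"""
import ipaddress


def expand_partial_ipv4(entry):
    """'192.168' -> '192.168.0.0/16'; '10' -> '10.0.0.0/8'; full address -> /32."""
    octets = entry.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a partial or complete IPv4 address: {entry!r}")
    padded = octets + ["0"] * (4 - len(octets))
    return f"{'.'.join(padded)}/{8 * len(octets)}"


def classify(entry):
    """Return ('ip', network) or ('domain', name) for one Allow Relay entry.

    Netmasks and wildcards are rejected, as the guide says the field does
    not accept them.
    """
    entry = entry.strip().lower()
    if not entry:
        raise ValueError("empty Allow Relay entry")
    if "/" in entry or "*" in entry:
        raise ValueError(f"netmasks and wildcards are not accepted: {entry!r}")
    if entry.replace(".", "").isdigit():          # IPv4, complete or partial
        return "ip", ipaddress.ip_network(expand_partial_ipv4(entry))
    if ":" in entry:                              # IPv6 literal, complete only
        return "ip", ipaddress.ip_network(entry)
    return "domain", entry


def relay_accepted(entries, client_ip, rcpt_domain):
    """Would mail from client_ip to a recipient in rcpt_domain be accepted for filtering?"""
    ip = ipaddress.ip_address(client_ip)
    rcpt = rcpt_domain.lower()
    for kind, value in (classify(e) for e in entries):
        if kind == "ip" and ip in value:
            return True
        if kind == "domain" and (rcpt == value or rcpt.endswith("." + value)):
            return True
    return False


def audit(entries):
    """Flag IPv4 entries that expand to /8 or wider (threshold is a choice made here)."""
    findings = []
    for e in entries:
        kind, value = classify(e)
        if kind == "ip" and value.version == 4 and value.prefixlen <= 8:
            findings.append(f"{e!r} expands to {value}, admitting {value.num_addresses} addresses")
    return findings


# Constructed sample list: an internal /16, a partner domain, a single
# IPv4 host, an IPv6 host, and an over-broad single-octet entry.
SAMPLE_ENTRIES = ["192.168", "partner.example", "203.0.113.7", "2001:db8::10", "10"]

if __name__ == "__main__":
    print(expand_partial_ipv4("192.168"))
    print(relay_accepted(SAMPLE_ENTRIES, "192.168.44.5", "anything.example"))
    for finding in audit(SAMPLE_ENTRIES):
        print("audit:", finding)
```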
Importing Entries

To import entries to the System > Outbound Mail > Allow Relay page, see "Importing a List of Mail Routes" in Inbound Mail Configurations for the text file format.

Outbound Mail Routes

If the Proofpoint Protection Server filters and delivers outbound mail to the Internet, you do not need to populate the Outbound Mail Routes table. If not, all outbound mail is routed to the smart host. The Outbound Mail Routes define how to route any mail that is not routed to the smart host. For example, any mail not addressed to your_organization.com is outbound and can be relayed to another host.

Note: The smart host is not available for Proofpoint Enterprise customers.

Entries added to the Outbound Mail Routes page are added to the sendmail mailertable table.

Important: You must click Save Changes each time you populate the Outbound Mail Routes page. When you save the changes, any duplicate entries that already exist on the Inbound Mail Routes list are not added to the Outbound Mail Routes list - you are not allowed to save the same routes to both the Inbound Mail Routes list and the Outbound Mail Routes list. The entries on the Inbound Mail Routes list always take precedence. See About Outbound Mail for general information.

Use cases:

- If you are not using a smart host, you may want to filter and route any mail not defined by the Inbound Mail Routes to an outbound gateway.
- You want to filter and route outbound mail to another host or domain that you control. For example, mail addressed to an associate or business partner that you want routed to a host other than the one that would be determined by the DNS server.

Use the Outbound Mail Routes page to filter and route email addressed to specific hosts or domains to another host or domain. If you configured a smart host on the Appliance > SMTP Settings > Advanced page, it displays in the Outbound Mail Routes table heading.

To configure filtering and routing of email addressed to specific domains or hosts to another domain or host:

1. If you have a cluster, select the server for which you want to enter or change routing configurations from the Server drop-down list on the Outbound Mail Routes tab. Click Save Changes after making configurations for each server that you select from the drop-down list.
2. Click Add in the Outbound Mail > Mail Routes table.
3. Mail for Host/Domain field - enter a hostname or domain name into this field. Email addressed to the host or domain will be filtered and routed to a destination host (Route to Host(s)/Domain(s)). If you enter a dot (.) in this field, it means "route mail for all domains not explicitly defined in the Mail for Host/Domain column." This field supports both IPv4 and IPv6 addresses.
4. Route By drop-down list - specify the mailer program for routing mail to a destination host (Route to Host(s)/Domain(s)). Select either ESMTP or SMTP.
5. Route to Host(s)/Domain(s) field - enter the hostname or domain name to which filtered mail from the source host in the Mail for Host/Domain field will be routed. This is typically a mail server responsible for routing mail to the Internet. You can enter multiple entries, one per line. This field supports both IPv4 and IPv6 addresses.
6. Lookup By radio buttons - select a lookup method that will verify the name of the destination host. (The selection you make for the Route By parameter determines the available lookup methods.)
   - A record only. Ignores the mail server specified by the recipient domain lookup and sends to the literal host.
   - MX and A records. Sends to the mail server specified by the recipient domain lookup.
7. Delivery Type radio buttons - select the delivery method for routing filtered mail to the destination host. (The selection you make for the Route By parameter determines the available delivery type methods.)
   - Ordered. The list of mail servers is checked, in order, until one is found to which the mail can be delivered. If the end of the list is reached before successfully connecting to a destination host, mail delivery temporarily fails.
   - Load Balanced. The list of mail servers is checked in a continuous loop until a successful connection is made.
8. Click Save Changes.

To edit an entry, click on the information in any of the columns. After making your configurations, you can select the number of entries you want to display in the Outbound Mail Routes table by making a selection from the Entries drop-down list.

Importing Entries

To import entries to the System > Outbound Mail > Mail Routes page, see "Importing a List of Mail Routes" in Inbound Mail Configurations for the text file format.

Adding Domain Groups for Outbound Mail Routes

You can create Domain Groups for the domains that you create or import into the Outbound Mail Routes table by selecting one or more domains in the table and clicking the Create Domain Group Per Domain link. This is a convenient way to create several Domain Groups at once. After creating Domain Groups, go to the Groups and Users > Groups page to add a description for each Domain Group and to select the attributes to apply to each Domain Group.

The Domain Group name matches the name of the domain, with an underscore in place of the dot between the name and the domain suffix: a Domain Group for example1.com is named example1_com, a Domain Group for example2.org is named example2_org, and so forth.

You have the option of automatically creating a Domain Group for each domain that you add to the System > Outbound Mail > Mail Routes page. See Enabling Automatic Domain Groups, User Repository, and POP Forwarder in "Groups and Users" for more information.

Important: Automatic creation of Domain Groups applies only to domains added after you enable the feature on the Groups and Users > Settings page. Pre-existing domains or outbound mail routes will not automatically have Domain Groups created for them.

See Adding Groups and Assigning Attributes for more information about Domain Groups and selecting attributes for Domain Groups.

About SMTP Settings

SMTP settings provide administrators with the ability to manage delivery options and sendmail queues, and to rewrite sendmail envelopes and message headers for both incoming and outgoing messages on the appliance. In addition, SMTP settings allow access to pre-existing corporate data stored on LDAP servers. This data is used to define LDAP routing and can also be used in conjunction with sendmail tables to determine message delivery. You can configure unique sendmail and LDAP configurations for each server in a cluster, apply the same configurations to multiple servers, and import and export sendmail data as necessary.

Determine delivery options and sendmail queues

- General page - configure delivery options for incoming mail to help manage network traffic and CPU usage on the appliance. See General SMTP Settings for instructions.
- Advanced page - controls the messages in the SMTP queue to ensure fast delivery of messages. See Advanced SMTP Settings for instructions.

About SMTP Turbocharge

When enabled, SMTP Turbocharge allows SMTP connections to be directed to the filtering daemon without using the Milter interface to sendmail. The filtering daemon forwards messages directly to sendmail on the appliance. The advantages are increased connection speed and reduced memory use per connection. Note that SMTP Turbocharge will not impact the number of messages processed per second.

Enable SMTP Turbocharge when the information in the sendmail (MTA) log in Logs and Reports > Log Viewer indicates that the following conditions are present:

- Incoming messages are being delayed.
- The appliance stops accepting connections because it has reached the maximum number of connections it can accept.

If you enable SMTP Turbocharge, be aware of the following caveats:

- The When Filter Unavailable settings are disabled. When the filtering engines are unavailable, messages will be retried.
- The Appliance > SMTP Settings > Access page (sendmail Access Database table) is affected in the following manner:
  - The "From" lookup is not supported.
  - The "Connect" and "To" lookups only support the "RELAY" right-side value. The "To" lookups do not support looking up users or addresses.
  - The "Srv_Features" lookup only supports the "s" and "v" right-side characters.
  - The "CERTSUBJECT" and "CERTISSUER" lookups are not supported.
- The parameter Use Original Recipient Address For Filtering on the System > Settings > System page is enabled (always on).
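A check of custom sendmail access database entries against the Turbocharge caveats listed above, added here as an example; it is not Proofpoint's code and does not reproduce how the appliance itself evaluates the table. The five restrictions are the ones the guide lists. The file layout assumed (a left-hand key such as Connect:host, whitespace, a right-hand value, and '#' comments) is standard sendmail access syntax; treating Srv_Features letters case-insensitively is an assumption made here, and entries whose tag the guide does not mention are reported rather than judged. SAMPLE_ACCESS is constructed.

```python
"""Find /etc/mail/access entries that SMTP Turbocharge will not honour.

Added example, not Proofpoint code. The restrictions come from the guide's
Turbocharge caveats; SAMPLE_ACCESS is constructed.
"""

# The tags the guide's caveats talk about (assumption: standard sendmail names).
COVERED_TAGS = ("Connect", "From", "To", "Srv_Features", "CERTSUBJECT", "CERTISSUER")


def parse_access_line(line):
    """Return (tag, key, value) for one entry, or None for blank lines and comments.

    An entry with no tag, or with a tag the guide does not cover, is returned
    with tag None so the caller can report it.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split(None, 1)
    if len(parts) != 2:
        raise ValueError(f"entry has no right-hand value: {line!r}")
    lhs, rhs = parts
    tag, sep, key = lhs.partition(":")      # first colon only, so IPv6 keys survive
    if not sep or tag not in COVERED_TAGS:
        return None, lhs, rhs
    return tag, key, rhs


def turbocharge_findings(text):
    """List (line number, message) pairs for entries that conflict with the caveats."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        parsed = parse_access_line(line)
        if parsed is None:
            continue
        tag, key, value = parsed
        if tag is None:
            findings.append((lineno, "entry has no tag covered by the Turbocharge caveats; behaviour not stated"))
        elif tag == "From":
            findings.append((lineno, "From lookups are not supported"))
        elif tag in ("CERTSUBJECT", "CERTISSUER"):
            findings.append((lineno, f"{tag} lookups are not supported"))
        elif tag in ("Connect", "To"):
            if value.upper() != "RELAY":
                findings.append((lineno, f"{tag} lookups only support RELAY, found {value!r}"))
            if tag == "To" and "@" in key:
                findings.append((lineno, "To lookups cannot match users or addresses, only hosts and domains"))
        elif tag == "Srv_Features":
            # assumption: the guide's 's' and 'v' are taken to cover either case
            bad = sorted({ch for ch in value if ch.lower() not in "sv"})
            if bad:
                findings.append((lineno, f"Srv_Features only supports 's' and 'v', found {''.join(bad)!r}"))
    return findings


# Constructed sample of custom entries; addresses are documentation ranges.
SAMPLE_ACCESS = """\
# constructed sample of custom entries
Connect:192.0.2            RELAY
Connect:203.0.113.7        REJECT
From:sender@bad.example    REJECT
To:partner.example         RELAY
To:user@partner.example    RELAY
Srv_Features:example.net   sv
Srv_Features:mail.example  A
CERTSUBJECT:/C=US/O=Example RELAY
"""

if __name__ == "__main__":
    for lineno, message in turbocharge_findings(SAMPLE_ACCESS):
        print(f"line {lineno}: {message}")
```

Run against SAMPLE_ACCESS the checker reports lines 3, 4, 6, 8 and 9; the two Connect/To RELAY entries and the Srv_Features "sv" entry pass, which is the subset of the access table that remains meaningful once Turbocharge is switched on.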

SMTP Turbocharge and Proofpoint Smart Search

When Turbocharge is enabled, the Final Action for a message reflects the disposition of the message from the filtering engines (from the Filter log). Clicking the plus sign icon updates the display with the final disposition of the message from sendmail (the MTA log). For example, a message with a Final Action of Quarantine, Continued can change to Quarantine, Sent once the message is processed by sendmail.

Rewrite sendmail envelopes and message headers

- Aliases page - add an alias for a recipient's address to the sendmail aliases table. See Aliases for instructions.
- Virtual Domains page - rewrite a recipient's address and domain in the message envelope. See Virtual Domains for instructions.
- Rewrite Domains page - rewrite a recipient's domain in both the envelope and message header. See Rewrite Domains for instructions.
- Rewrite Header page - rewrite the sender's address and domain in both the envelope and message header. See Rewrite Header for instructions.
- Masquerade Domains page - rewrite the sender's domain in both the envelope and message header. See Masquerade Domains for instructions.

Configure default and unique LDAP profiles

You can configure a default LDAP profile as well as unique LDAP profiles to use in conjunction with the sendmail tables for any server in a cluster. See Default and Unique LDAP Profiles for more information.

For some sendmail tables, you can use both an LDAP server and a sendmail table configuration for mapping and querying data. In these cases, the Proofpoint Messaging Security Gateway first queries the sendmail table. If the query of the sendmail table is unsuccessful, the appliance then searches the LDAP server configured for that sendmail table. When both a sendmail table and the LDAP server contain viable data, the sendmail data takes precedence.

You can use several methods to query sendmail tables and LDAP servers for the purpose of routing mail:

- sendmail tables only.
- sendmail tables in conjunction with LDAP for some tables.
- LDAP only.

Enable LDAP routing

Enable LDAP routing to use the data stored on your organization's LDAP server to determine routing for the mail filtered by the appliance. See LDAP Routing for instructions.

Customize the sendmail Access Database File

Administrators can add custom entries to the sendmail access database file (/etc/mail/access). Custom settings are merged with the Proofpoint settings to augment the file. See Access for more information.

Import and export sendmail data

The sendmail data you enter or specify for the appliance is saved directly to the sendmail tables bundled with the appliance. You can export the sendmail data on the appliance, as well as import pre-existing sendmail data from your organization's SMTP servers to the appliance. See Importing and Exporting sendmail Data for instructions.

General SMTP Settings

Use the Appliance > SMTP Settings > General page to change the welcome banner for outgoing mail, change the hostname that displays for incoming mail, and edit notification settings.

To change the MTA host and notice settings:

1. If you have a cluster, select the server for which you want to make delivery option configurations from the Server drop-down list. Click Save Changes after making configurations for each server that you select from the drop-down list.
2. The Banner Hostname specifies what hostname is used in the initial SMTP banner. If Turbocharge is enabled, it also affects what hostname is used in the other SMTP replies that include a hostname. If left blank, it defaults to the local hostname.
3. The Banner Text field specifies what text, beyond the information required by the protocol, is sent in the initial SMTP banner. If left blank, it defaults to the time of the connection. Note that the Banner Text field is restricted to ASCII text.
4. The local hostname for the appliance is used for the HELO Hostname (HeloName). If you want to modify the hostname that is used in outgoing SMTP HELO and EHLO commands, enter the new text into this field - for example, mail.company_name.com. This value is automatically updated if you change the hostname entered in the Hostname field on the Appliance > Network page. If you manually change the hostname in the HELO Hostname field, it becomes fixed, and can only be updated manually from that point forward.
5. Enter your Postmaster address in the Postmaster Address field. Mail servers require a Postmaster account for handling problematic mail - for example, mail that cannot be delivered. Mail servers also require that the Postmaster account belongs to an individual - someone responsible for handling mail delivery issues.
6. If you want to have messages about system level activity delivered to your system administrator account, enter your email address in the System Administrator Address field.
7. If you have a cluster, the Apply Cluster Settings pop-up window displays when you click Save Changes so that you can apply your configurations to multiple servers.

Advanced SMTP Settings

Use the Appliance > SMTP Settings > Advanced page to determine delivery options for incoming mail to help manage network traffic and CPU usage on the appliance.

If you have a cluster, first select the server for which you want to make configuration changes from the Server drop-down list. Click Save Changes each time after making configuration changes for each server that you select from the drop-down list. If you have a cluster, the Apply Cluster Settings pop-up window displays so that you can apply your configurations to multiple servers.

Filter Settings

These settings control Turbocharge, mail delivery options from the mail server, and what to do with email if the filtering engines are temporarily unavailable.

To configure the delivery options for incoming mail:

1. Select Off or On for SMTP Turbocharge. See "About SMTP Turbocharge" in About SMTP Settings for more information about this feature.
2. Make selections for the Mail Delivery Options parameters:
   - Refuse Connections radio button - select if you do not want the appliance to accept email from the mail server.
   - Accept Connections radio button - allows the appliance to accept mail from the mail server.
3. Make a selection for the When Filter Unavailable parameter. Select Retry Messages to reject a message if filtering is not available. Select Deliver Unfiltered to accept a message if filtering is not available.

Queue Settings

The Queue Settings control the messages in the SMTP queue to ensure that messages are delivered quickly. Determine how long messages remain in the queue, the amount of time between attempts to deliver messages in the queue, and the minimum amount of time the messages should remain in the queue.

To configure the message queue:

1. In the Message Expiration field, enter the number of days to hold messages before they expire. For example, if you enter 5, the messages will expire after they have been in the message queue for 5 days.
2. From the Message Queue Interval drop-down list, select the amount of time between attempts to deliver or clear the messages in the queue.
3. From the Message Queue Minimum Age drop-down list, select the minimum amount of time you want messages to remain in the queue before attempting delivery.
4. Select a choice from the Alert Sender Message Is Still In Queue After list. This value represents how long a message remains in the queue before a notification is sent to the message sender informing him or her that the message has not been delivered but is still in the queue. The default is 4 hours.

Relay Settings

The Relay Settings are global settings that determine how the appliance relays or routes mail after filtering. Any settings that you configure on the Appliance > Outbound Mail > Allow Relay page override the global settings.

To configure the relay settings:

1. A Smart Host is a server that relays mail for your organization. The appliance relays inbound and outbound mail to the smart host only if no other hosts or routes are specified for the recipient of an email message. The most common reason for using a smart host is when you need to route all outbound mail to another server which is then responsible for delivery. If necessary, enter the appropriate hostname or IP address into the Smart Host field. (See Inbound Mail Configurations and Outbound Mail Routes for more information.)
2. Make your selection for the Relay Option:
   - Relay Subdomains - the appliance relays mail to your organization's subdomains.
   - Relay Hosts Only - the appliance relays mail only to the hosts specified on the Appliance > Inbound Mail page.
3. Make a selection for the Unresolvable Domains parameter. Select Accept if you want the appliance to accept inbound mail from senders for which it cannot resolve the domain of the sender envelope address. Select Reject if you want the appliance to reject inbound mail from such senders.

Notes about the Smart Host

Even when using a Smart Host, you may need mail to alternate among one or more mail servers. If you want failover between multiple hosts, enter each host IP address into the Smart Host field. Separate the IP addresses with a colon and always enclose the entries in square brackets. For example:

[ ]:[ ]:[ ]

For load balancing, use a comma to separate the entries. For example:

[ ],[ ],[ ]

If you remove the brackets, routing is accomplished by an MX record lookup on the hostname first, and then an A record lookup. This is a rare configuration.

Aside from using multiple entries in the Smart Host field, you can also use DNS to alternate delivery among multiple hosts. You can create multiple A records (which will balance roughly equally across all hosts), or a single hostname with MX records (in which case the MX ordering is applied).

Mailer Settings

The Mailer Settings allow administrators to specify the number of messages per connection for downstream mail servers or other downstream hosts. The parameters represent SMTP_MAILER_MAXMSGS and SMTP_MAILER_MAXRCPTS in the sendmail.mc file. An empty field represents the default value - unlimited.

Default and Unique LDAP Profiles

You can select a default LDAP server or profile for some of the sendmail tables on the Appliance > SMTP Settings > Default LDAP page. For the same sendmail tables, you can also select and configure a unique LDAP server that overrides the default LDAP profile selection. If you have a cluster, you can choose a different LDAP server for each system that appears in the Server drop-down list.

The LDAP servers adhere to the LDAPDefaultSpec sendmail option. The built-in default specifications provide lookups that match against either an LDAP server's fully qualified hostname or an LDAP cluster. An LDAP cluster allows you to share LDAP entries among several systems without having to enter each of the systems' hostnames into each LDAP entry.

You can select an existing LDAP profile as the default profile from the LDAP Profile drop-down list. The LDAP servers that appear in this list map directly to the LDAP profiles that were created on the System > Settings > LDAP page. The LDAP profiles that you create on any of the Appliance > SMTP Settings sendmail pages will also be added to the System > Settings > LDAP page. See Configuring LDAP Profiles and Parameters in "Proofpoint Protection Servers" for instructions on adding LDAP profiles.

When you save your changes to an LDAP profile, the Apply Cluster Settings pop-up window appears, where you can apply your configurations to multiple servers if you have a cluster of agents.

Selecting a Default LDAP Profile

To select a default LDAP profile:

1. Navigate to the Appliance > SMTP Settings > Default LDAP page.
2. If you have a cluster, select a server from the Server drop-down list. Click Save Changes after making configurations for each server that you select from the drop-down list.
3. Select a default LDAP profile from the LDAP Profile drop-down list. The LDAP Query String displays the query used by the LDAP default specification for sendmail. If you want to create a new profile, click New Profile and follow the instructions in Configuring LDAP Profiles and Parameters. The profiles you create are added to the System > Settings > LDAP page. To modify the existing profile selected in the LDAP Profile list, click Edit Profile.

Note: If you are creating a new profile for an LDAP cluster, enter the hostnames, separated by commas, for each LDAP server into the Host(s) field in the Add Profile pop-up window.

Configuring Unique LDAP Configurations

These instructions apply to the sendmail table for which you want to configure a unique LDAP server. Each sendmail table is represented by one of the following pages: Aliases, Virtual Domains, Rewrite Domains, Rewrite Header, and Masquerade Domains. You do not need to include LDAP switches with any of the strings you enter because the switches are already hard coded for each relevant LDAP parameter.

To configure a unique LDAP server for a sendmail table:

1. Navigate to the page that corresponds to the sendmail table for which you want to configure a unique LDAP server.
2. Select the Use LDAP Configuration check box near the bottom of the page.
3. Make selections or enter the appropriate information for the following parameters:
   - LDAP Profile drop-down list - select the LDAP server or profile you want to use for the query. If you select Use LDAPDefaultSpec, the default LDAP mapping is used to locate the LDAP server.
   - LDAP Scope drop-down list - select one of the following choices:
     - Restricted to the base entry (base). Searches only at the base DN level.
     - All entries one level under the base entry (one). Searches only one level below the base DN. Does not search the base DN or any other levels.
     - All levels under the base entry (sub). Searches all entries at all levels under and including the specified DN.
   - LDAP Follow Referral - click the On radio button if you want to allow an LDAP server to reference another LDAP server to fulfill the request for information. Click Off if you do not want to allow an LDAP server to refer a request.
   - Exactly One Match Is Found - click the On radio button if you want to return only one match for the query if multiple matches are found. Click the Off radio button if you do not want to limit the number of matches returned.
   - LDAP Limit Return Size field - enter the number that limits how many values are returned if multiple values are found. For example, if you enter 2 and the LDAP query finds 4 matches, LDAP returns only the first two values.
   - LDAP Attribute field - enter the attribute for which you want to query. For example, mail.
   - LDAP Query field - enter the query for the attribute. For example, uid=%0.
   - LDAP Query String field - displays the LDAP query string, which is composed of the selections you made and the information you entered for the Use LDAP Configuration parameters.
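The LDAP Query field above takes a template such as uid=%0, in which %0 stands for the key being looked up (an address or domain taken from a message). The following is an added example, not Proofpoint's code and not a description of the appliance's internals: it shows how such a template should be filled in so that the substituted key is always a literal assertion value (escaped as RFC 4515 requires), and how the Exactly One Match Is Found and LDAP Limit Return Size settings described above trim a result set. The function names, the naive variant shown for contrast, and the sample keys are this example's own assumptions.

```python
"""Filling in a sendmail-table LDAP query template and applying the result limits.

Added example (not Proofpoint's or sendmail's code). The page documents the inputs
(a query template containing %0, the attribute to return, Exactly One Match Is Found,
LDAP Limit Return Size) but not how the key is substituted; the escaping below is this
example's assumption of correct behaviour per RFC 4515.
"""
from typing import List

# RFC 4515: these characters are filter syntax and must be written as \XX inside a value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only match literally inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(query_template: str, key: str) -> str:
    """Substitute the looked-up key for %0 as a literal value (the safe form)."""
    if "%0" not in query_template:
        raise ValueError("query template must contain %0")
    return query_template.replace("%0", escape_filter_value(key))


def build_filter_naive(query_template: str, key: str) -> str:
    """Plain string substitution, kept only to show why escaping matters:
    a key containing '*' becomes a wildcard and the filter no longer matches one entry."""
    return query_template.replace("%0", key)


def apply_result_limits(values: List[str], exactly_one: bool, limit: int) -> List[str]:
    """Model the two result-size settings from the page.

    exactly_one  - Exactly One Match Is Found set to On: keep only the first value.
    limit        - LDAP Limit Return Size: keep the first `limit` values; 0 means no limit.
    """
    if exactly_one:
        return values[:1]
    if limit > 0:
        return values[:limit]
    return values


if __name__ == "__main__":
    # Constructed sample: the alias query from the Aliases section with an ordinary key
    # and with a key that would otherwise act as a wildcard.
    template = "(&(objectclass=sendmailmtaaliasobject)(sendmailmtakey=%0))"
    print(build_filter(template, "tech_pubs"))
    print(build_filter(template, "*"))        # literal asterisk: \2a
    print(build_filter_naive(template, "*"))  # wildcard: matches every alias object
    print(apply_result_limits(["a", "b", "c", "d"], exactly_one=False, limit=2))
```

The safe builder is the one to keep in mind when reading the LDAP Query String field: whatever the appliance shows there, the key inserted at run time is data, and only the template part of the string should be able to shape the search.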

LDAP Routing

You need to enable and configure LDAP routing on the Appliance > SMTP Settings > LDAP Routing page to access and use the routing data stored on your organization's LDAP server. Unless otherwise specified, LDAP routing uses the default LDAP profile selected on the Default LDAP page.

To configure and specify domains for LDAP routing:

1. Navigate to the Appliance > SMTP Settings > LDAP Routing page.
2. If you have a cluster, select a server from the Server drop-down list. Click Save Changes after making configurations for each server that you select from the drop-down list.
3. For LDAP Routing Settings, make the following selections or enter the appropriate data:
   - Enable LDAP Routing radio buttons - by default, On is selected.
   - Mail Host field - enter the query used to locate an LDAP mail host based on search criteria pertinent to your organization. Example query:
     ldap -1 -v mailhost -k (&(objectclass=inetlocalmailrecipient)(maillocaladdress=%0))
   - Mail Routing Address field - enter the query used to determine the mail routing address based on search criteria pertinent to your organization. Example query:
     ldap -1 -v mailroutingaddress -k (&(objectclass=inetlocalmailrecipient)(maillocaladdress=%0))
   Note: Unless you specify an LDAP server or host and base DN for both the Mail Host and Mail Routing Address fields, LDAP routing uses the default server you selected on the Default LDAP page.
   - Action on LDAP Lookup Failure (Sendmail Bounce Option) drop-down list - make a selection that determines how to handle mail for invalid recipients:
     - Pass Through (default). Sends mail for an invalid recipient to a downstream server.
     - Bounce. Rejects mail for an invalid recipient.
   - +detail Syntax Handling (Sendmail Detail Option) drop-down list - determines how to handle a recipient's address that uses the sendmail +detail option.
     - Strip - Lookup without +detail if no match found (default). Looks up the recipient after stripping or removing the +detail portion of the address.
     - Preserve - Modify LDAP return value and strip. Strips the +detail portion of the address and, if a mailroutingaddress match is found, the +detail information is copied to the new address. For example:
       original address -
       stripped address -
       matching address in LDAP -
       matching address rewritten with +detail -
   - Domain Lookup drop-down list - determines how to handle a message if the full address is not found in LDAP.
     - Lookup if full address is not found in LDAP (default).
     - Do not lookup if full address is not found in LDAP.
   - Tempfail drop-down list - determines how the MTA handles a temporary failure.
     - MTA will locally queue the mail if the LDAP server returns a temporary failure.
     - Return SMTP temporary error if the LDAP server returns a temporary failure. Sends an SMTP 4XX temporary error if the LDAP server gives the MTA a temporary failure.
5. For LDAP Route Domain, enter the names of the domains for which to apply LDAP routing into the LDAP Route text box. Enter one domain name per line.

For example:

example.com
example2.com
example3.com

6. For the LDAP Route Equivalent, if necessary, enter the hostnames of any subdomains into the LDAP Route Equivalent text box for the domains you entered in the LDAP Route text box. Enter one hostname per line. For example:

hostname.example.com
hostname.example2.com
hostname.example3.com

7. Click Save Changes. If you have a cluster, the Apply Cluster Settings pop-up window appears, where you can apply your configurations to multiple servers.

Access

Administrators can use the Appliance > SMTP Settings > Access page to add custom entries to the sendmail access database (/etc/mail/access). The entries you add are merged with the default entries on the appliance.

To add entries to the access database:

Type directly into the Access Database Configuration text box. Hosts can be listed as OK, REJECT, RELAY, or simply passed to sendmail's error handling routine with a mailer error. Separate multiple entries by entering them on separate lines. Examples:

spammer.com 550 We do not accept mail from spammers
spammer.example.com REJECT
example.com OK
RELAY

Importing and Exporting Entries

Click Import to import entries into the access database. Browse to the file in the Import Access File pop-up window. The import file must be a text file with the format shown in the examples above. Click Export to save the entries to a text file. You will be prompted to open the file or save it to a directory location.

Importing and Exporting sendmail Data

On the appliance, you can import or export an existing sendmail configuration file.

Important: When you import a configuration file, you overwrite the pre-existing sendmail file on the appliance - Save Changes is not required.

If you have enabled the concurrent login feature for administrators (see Password Policies for Groups and Users), be aware that if two administrators are making changes to sendmail tables at the same time, the changes from one administrator will overwrite the other administrator's changes.

Each sendmail table is represented by one of the following pages: Aliases, Virtual Domains, Rewrite Domains, Rewrite Header, and Masquerade Domains.

Note: When you import sendmail data, select the appropriate check boxes for the Apply Setting To Servers parameter.
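The LDAP Routing settings above (the +detail Syntax Handling, Domain Lookup and Action on LDAP Lookup Failure options) interact in ways that are easier to see in code than in prose. The following is an added example, not Proofpoint's code and not sendmail's ldap_routing implementation: a constructed in-memory directory stands in for the organization's LDAP server, keyed by the mailLocalAddress attribute used in the example queries above and returning the mailHost and mailRoutingAddress values, and the function walks the lookup order the page describes. The assumption that a domain-level entry is keyed as "@domain", and all names in the block, are this example's own.

```python
"""LDAP routing lookup with +detail, Domain Lookup and lookup-failure handling.

Added example, not Proofpoint's or sendmail's code. DIRECTORY is a constructed
stand-in for the LDAP server: mailLocalAddress -> (mailHost, mailRoutingAddress).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample directory. The "@example2.com" key models a domain-level
# entry (assumed convention for the Domain Lookup fallback); None means the
# directory supplies a mail host but no rewritten routing address.
DIRECTORY: Dict[str, Tuple[str, Optional[str]]] = {
    "alice@example.com": ("mx1.internal.example.com", "alice@corp.example.com"),
    "@example2.com": ("mx2.internal.example.com", None),
}


@dataclass(frozen=True)
class RoutingSettings:
    detail_handling: str = "strip"         # "strip" (default) or "preserve"
    domain_lookup: bool = True             # Domain Lookup: try "@domain" if the address is absent
    lookup_failure: str = "pass_through"   # Action on LDAP Lookup Failure: "pass_through" or "bounce"


@dataclass(frozen=True)
class RouteResult:
    action: str                            # "route", "pass_through" or "bounce"
    mail_host: Optional[str] = None
    routing_address: Optional[str] = None


def split_detail(address: str) -> Tuple[str, Optional[str], str]:
    """'alice+news@example.com' -> ('alice', 'news', 'example.com'); detail is None without '+'."""
    local, _, domain = address.partition("@")
    base, plus, detail = local.partition("+")
    return base, (detail if plus else None), domain


def route(address: str, settings: RoutingSettings, directory=DIRECTORY) -> RouteResult:
    """Resolve one recipient the way the LDAP Routing settings describe."""
    address = address.lower()
    base, detail, domain = split_detail(address)

    entry = directory.get(address)                 # 1. full address, +detail included
    matched_after_strip = False
    if entry is None and detail is not None:       # 2. Strip/Preserve: retry without +detail
        entry = directory.get(f"{base}@{domain}")
        matched_after_strip = entry is not None
    if entry is None and settings.domain_lookup:   # 3. Domain Lookup: "@domain" entry
        entry = directory.get("@" + domain)
    if entry is None:                              # 4. Action on LDAP Lookup Failure
        return RouteResult("bounce" if settings.lookup_failure == "bounce" else "pass_through")

    mail_host, routing_address = entry
    # Preserve: copy the +detail tag onto the address the directory returned.
    if matched_after_strip and routing_address and settings.detail_handling == "preserve":
        rlocal, _, rdomain = routing_address.partition("@")
        routing_address = f"{rlocal}+{detail}@{rdomain}"
    return RouteResult("route", mail_host, routing_address)


if __name__ == "__main__":
    for addr in ("alice+news@example.com", "bob@example2.com", "nobody@example.com"):
        print(addr, "->", route(addr, RoutingSettings(detail_handling="preserve")))
```

Running it shows the practical difference between the two failure actions: with Pass Through, a recipient the directory does not know is still handed to the downstream server, so that server must reject it; with Bounce, the appliance rejects it at the edge and no unknown-recipient traffic reaches the internal mail host.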
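The Access page above accepts entries of the form "key value", where the value is OK, REJECT, RELAY or an SMTP error code with text, and the entries are merged with the appliance's defaults. Which entry applies to a given sender or connecting host depends on lookup order, which the page does not spell out. The following is an added example, not Proofpoint's code and not sendmail's access map implementation: it parses the sample entries shown above and applies a most-specific-first lookup (full address, then its domain, then each parent domain; an IP address, then each shorter network prefix), which is this example's assumption about how the table is consulted. Because the RELAY entry on the page has lost its key, the sample below uses an assumed private network prefix, 192.168.1, in its place.

```python
"""Model of sendmail access-database lookups for the entries in the Access section.

Added example (not Proofpoint's or sendmail's code). Lookup order is an assumption:
most specific key first, so an address entry beats its domain, and a domain beats
its parent domain. SAMPLE_ACCESS_TEXT is constructed from the page's examples.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample; the RELAY key is assumed because it is missing on the page.
SAMPLE_ACCESS_TEXT = """\
spammer.com 550 We do not accept mail from spammers
spammer.example.com REJECT
example.com OK
192.168.1 RELAY
"""


def parse_access_db(text: str) -> Dict[str, str]:
    """Parse 'key value' lines; the value may contain spaces (an error code plus text)."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:          # a value with no key (like the bare RELAY on the page) is ignored
            continue
        table[parts[0].lower()] = parts[1].strip()
    return table


def candidate_keys(subject: str) -> List[str]:
    """Keys to try, most specific first, for an address, a hostname or an IPv4 address."""
    subject = subject.lower()
    keys = [subject]
    local_tag = None
    if "@" in subject:
        local, subject = subject.rsplit("@", 1)
        keys.append(subject)          # the address's domain
        local_tag = local + "@"       # sendmail also allows 'user@' entries; tried last
    try:
        ipaddress.IPv4Address(subject)
        octets = subject.split(".")   # 192.168.1.10 -> 192.168.1 -> 192.168 -> 192
        keys += [".".join(octets[:n]) for n in range(3, 0, -1)]
    except ValueError:
        labels = subject.split(".")   # a.b.example.com -> b.example.com -> example.com -> com
        keys += [".".join(labels[i:]) for i in range(1, len(labels))]
    if local_tag:
        keys.append(local_tag)
    return keys


def lookup(table: Dict[str, str], subject: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (matched_key, value); (None, None) means no entry applies."""
    for key in candidate_keys(subject):
        if key in table:
            return key, table[key]
    return None, None


def decision(table: Dict[str, str], subject: str) -> str:
    """Collapse a lookup to accept / relay / reject / 'error <code text>'."""
    _, value = lookup(table, subject)
    if value is None or value == "OK":
        return "accept"               # no entry: accepted for local delivery, never relayed
    if value == "RELAY":
        return "relay"
    if value == "REJECT":
        return "reject"
    if value[:3].isdigit():
        return "error " + value
    return "unknown " + value


def overly_broad_relay_keys(table: Dict[str, str]) -> List[str]:
    """Sanity check before saving: RELAY on a bare TLD or a single octet relays for that
    whole range, which is how an appliance becomes an open relay by mistake."""
    return sorted(k for k, v in table.items() if v == "RELAY" and "." not in k)


if __name__ == "__main__":
    table = parse_access_db(SAMPLE_ACCESS_TEXT)
    for who in ("bob@spammer.com", "x@mail.spammer.example.com", "sales@example.com",
                "192.168.1.10", "192.168.2.10", "someone@unknown.test"):
        print(f"{who:32} {decision(table, who)}")
    print("overly broad RELAY keys:", overly_broad_relay_keys(table))
```

The check at the end is the one worth running over any imported access file: RELAY entries should name your own hosts or networks as narrowly as possible, since the merged file is what the appliance actually enforces.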

Aliases

Use the Appliance > SMTP Settings > Aliases page to add an alias or aliases for a recipient's address to the sendmail aliases table. The address is only rewritten in the envelope. For descriptions of the LDAP parameters, see Default and Unique LDAP Profiles. To import or export sendmail data, see Importing and Exporting sendmail Data for instructions. The sendmail data you enter or specify is saved directly to the sendmail table bundled with the appliance.

To add aliases to the aliases table:

1. Navigate to the Appliance > SMTP Settings > Aliases page.
2. If you have a cluster, select a server from the Server drop-down list. Click Save Changes after making configurations for each server that you select from the drop-down list.
3. For Replace Recipient Address (aliases), use one or both of the following methods:
   - Alias File Configuration - by default, the appliance uses the sendmail aliases table bundled with the appliance. Add additional addresses and their aliases if necessary.
   - Use LDAP Configuration - select if you want the appliance to use LDAP to search for aliases.
5. For Alias File Configuration, populate the text box with the addresses and their aliases. If you enter a comma at the end of a line, it concatenates with the next line in the text box. If you do not enter a comma at the end of a line, the next line is considered a separate entry. Enter one set of addresses per line. For example:

tech_pubs:
sales_leads:

6. If you select the Use LDAP Configuration check box, see Default and Unique LDAP Profiles for information about the LDAP parameters common to the sendmail tables. For instructions specific to the aliases table, proceed to Step 7.
7. For Use LDAP Configuration, the information you enter depends upon how your LDAP directory is structured. Example entries for LDAP Attribute and LDAP Query:
   LDAP Attribute - sendmailmtaaliasvalue
   LDAP Query - (&(objectclass=sendmailmtaaliasobject)(sendmailmtakey=%0))
8. Click Save Changes. If you have a cluster, the Apply Cluster Settings pop-up window appears, where you can apply your configurations to multiple servers.

Virtual Domains

Use the Appliance > SMTP Settings > Virtual Domains page to rewrite a recipient's address and domain in the message envelope. Add the domains that allow address rewriting to the virtuserdomains table. Add the addresses you want to rewrite to the virtusertable table. For descriptions of the LDAP parameters, see Default and Unique LDAP Profiles. To import or export sendmail data, see Importing and Exporting sendmail Data for instructions. The sendmail data you enter or specify is saved directly to the sendmail table bundled with the appliance.

To specify the domains that allow rerouting:

1. If you have a cluster, select a server from the Server drop-down list. Click Save Changes after making configurations for each server that you select from the drop-down list.
2. For Configure Routing Of Virtual Domains (virtuserdomains), use one of the following methods:

   - Use Virtual Domain File Configuration radio button - select to add domain names to the sendmail virtuserdomains table for which you want to reroute addresses.
   - Use LDAP Configuration radio button - select if you want the appliance to use LDAP to search for domain names.
3. For Configure Routing Of Virtual Domains (virtuserdomains), populate the text box with the domains for which you want to reroute mail. Enter one domain name per line. For example:

example1.com
example3.com

6. If you select the Use LDAP Configuration check box, see Default and Unique LDAP Profiles for information about the LDAP parameters common to the sendmail tables. For instructions specific to the virtuserdomains table, proceed to Step 7.
7. For Use LDAP Configuration, the information you enter depends upon how your LDAP directory is structured. Example entries for LDAP Attribute and LDAP Query:
   LDAP Attribute - sendmailmtamapvalue
   LDAP Query - (&(objectclass=sendmailmtaobject)(sendmailmtamapname=%0))

To reroute email for the specified domains:

The addresses you enter in the virtusertable table must map directly to the domains you entered in the virtuserdomains table.

1. For Configure Routing Of Virtual Domains and Addresses (virtusertable), use one or both of the following methods:
   - Use Virtual User Table File Configuration check box - select to add addresses to the virtusertable sendmail table for which you want to reroute email.
   - Use LDAP Configuration check box - select if you want the appliance to use LDAP to search for addresses.
2. For Use Virtual User Table File Configuration, populate the text box with the addresses you want to reroute. On a single line, enter the address that you want to reroute, followed by the address to which you want to reroute the mail. For example:

3. If you select the Use LDAP Configuration check box, see Default and Unique LDAP Profiles for information about the LDAP parameters common to the sendmail tables. For instructions specific to the virtusertable table, proceed to Step 4.
4. The string you enter for Use LDAP Configuration depends upon how your LDAP directory is structured. Example entries for LDAP Attribute and LDAP Query:
   LDAP Attribute - sendmailmtaaliasvalue
   LDAP Query - (&(objectclass=sendmailmtaaliasobject)(sendmailmtakey=%0))
5. Click Save Changes. If you have a cluster, the Apply Cluster Settings pop-up window appears, where you can apply your configurations to multiple servers.

Rewrite Domains

Use the Appliance > SMTP Settings > Rewrite Domains page to rewrite the recipient's domain in both the envelope and message header. Map the original domain name to its new domain name in the sendmail domaintable table. For descriptions of the LDAP parameters, see Default and Unique LDAP Profiles. To import or export sendmail data, see Importing and Exporting sendmail Data for instructions.

The sendmail data you enter or specify is saved directly to the sendmail table bundled with the appliance.

To specify domains that allow recipient messages to be rewritten:

1. If you have a cluster, select a server from the Server drop-down list. (Click Save Changes after making configurations for each server that you select from the drop-down list.)
2. For Rewrite Old Domain As Equivalent To New Domain (domaintable), use one of the following methods:
   - Use Domaintable File Configuration radio button - select to use the existing sendmail domaintable bundled with the appliance.
   - Use LDAP Configuration radio button - select if you want the appliance to use LDAP to search for domains.
3. For Use Domaintable File Configuration, populate the text box with original domain names and their corresponding new domain names. To map an original domain name to its new domain name, enter the original domain first, followed by the new domain name, on a single line. For example:

original_domain_name.com new_domain_name.com
us.example.com example.com

4. If you select the Use LDAP Configuration check box, see Default and Unique LDAP Profiles for information about the LDAP parameters common to the sendmail tables. For instructions specific to the domaintable table, proceed to Step 5.
5. For Use LDAP Configuration, the information you enter depends upon how your LDAP directory is structured. Example entries for LDAP Attribute and LDAP Query:
   LDAP Attribute - sendmailmtamapvalue
   LDAP Query - (&(objectclass=sendmailmtaobject)(sendmailmtamapname=%0))
6. Click Save Changes. If you have a cluster, the Apply Cluster Settings pop-up window appears, where you can apply your configurations to multiple servers.

Rewrite Header

Use the Appliance > SMTP Settings > Rewrite Header page to rewrite the sender's address and domain in both the envelope and message header. Add the domains that allow address rewriting to the sendmail genericsdomain table. Add the addresses you want to rewrite to the genericstable table. For descriptions of the LDAP parameters, see Default and Unique LDAP Profiles. To import or export sendmail data, see Importing and Exporting sendmail Data for instructions. The sendmail data you enter or specify is saved directly to the sendmail tables bundled with the appliance.

To specify domains that allow sender addresses to be rewritten:

1. If you have a cluster, select a server from the Server drop-down list. Click Save Changes after making configurations for each server that you select from the drop-down list.
2. For Enable Domain for Sender, use one of the following methods:
   - Use Generics Domain File Configuration radio button - select to add the domains that allow sender addresses to be rewritten to the sendmail genericsdomain table.
   - Use LDAP Configuration radio button - select if you want the appliance to use LDAP to search for domain names.
3. For Use Generics Domain File Configuration, populate the text box with the domains that allow address rewriting. Enter one domain name per line.

For example:

example.com
example2.com

4. If you select the Use LDAP Configuration check box, see Default and Unique LDAP Profiles for information about the LDAP parameters common to the sendmail tables. The information you enter for the genericsdomain table depends upon how your LDAP directory is structured. Example entries for LDAP Attribute and LDAP Query:
   LDAP Attribute - sendmailmtamapvalue
   LDAP Query - (&(objectclass=sendmailmtaobject)(sendmailmtamapname=%0))

To specify the sender addresses for the specified domains:

The addresses you enter in the genericstable table must map directly to the domains you entered in the genericsdomain table.

1. For Rewrite Sender, use one or both of the following methods:
   - Use Generics Table File Configuration check box - select to add the addresses you want to rewrite to the genericstable sendmail table.
   - Use LDAP Configuration check box - select if you want the appliance to use LDAP to search for addresses.
2. For Use Generics Table File Configuration, on a single line, enter the sender's address that you want to rewrite, followed by its new address. For example:

3. If you select the Use LDAP Configuration check box, see Default and Unique LDAP Profiles for information about the LDAP parameters common to the sendmail tables. For the genericstable table, the string you enter depends upon how your LDAP directory is structured. Example entries for LDAP Attribute and LDAP Query:
   LDAP Attribute - sendmailmtaaliasvalue
   LDAP Query - (&(objectclass=sendmailmtaaliasobject)(sendmailmtakey=%0))
4. Click Save Changes. If you have a cluster, the Apply Cluster Settings pop-up window appears, where you can apply your configurations to multiple servers.

Masquerade Domains

Use the Appliance > SMTP Settings > Masquerade Domains page to rewrite the sender's domain in both the envelope and message header. Specify the domains, and the domain to which they will be re-mapped, in the sendmail masquerade-domains table. To import or export sendmail data, see Importing and Exporting sendmail Data for instructions. The sendmail data you enter or specify is saved directly to the sendmail table bundled with the appliance.

To specify the domains you want to re-map:

1. If you have a cluster, select a server from the Server drop-down list. Click Save Changes after making configurations for each server that you select from the drop-down list.
2. Enter the domain to which you want to re-map other domains into the Masquerade Domain As field. You can only enter one domain. For example:

example.com

3. If you select On for the Masquerade Entire Domain parameter, all domains you enter in the Use Masquerade File Configuration text box under Masquerade Domains will be masqueraded. For example:

Masquerade Domain As: example.com
Use Masquerade File Configuration text box under Masquerade Domains:
example.com
company.com

With these set, all subdomains of example.com and company.com will masquerade as example.com (that is, support.example.com, support.company.com). You do not need to use wildcards - enter the main domain and all subdomains will masquerade correctly.

4. If you select Off for the Masquerade Entire Domain parameter, then you need to specify which domains you want to mask by entering them in the Use Masquerade File Configuration text box under Masquerade Domains. Enter each domain on a new line, like this:

uk.example.com
us.example.com

5. Select On for the Masquerade Envelope parameter if you want to rewrite the domain for both the envelope and the From address of the message header. Select Off if you only want to rewrite the domain for the message header.
6. Click Save Changes. If you have a cluster, the Apply Cluster Settings pop-up window appears, where you can apply your configurations to multiple servers.

About TLS

Transport Layer Security (TLS), when used with digital certificates, provides a secure method for encrypting email. You can process encrypted email by using sendmail with TLS for both inbound and outbound mail. In addition, you can specify domains that require encryption and, if necessary, certificate verification for outbound email.

If TLS is enabled, sendmail attempts TLS encryption for all inbound and outbound mail. You can also determine, on a per-domain basis, the domains for which TLS encryption should not be attempted, the domains that should receive encrypted mail if the receiving server supports TLS, and the domains that should always receive encrypted mail. If a domain is not on the TLS Domain List and TLS is enabled, TLS encryption is attempted if the domain's mail server advertises support for TLS. If TLS is disabled, the behavior is to never encrypt for any domain.

There are three factors considered in TLS policies:

- For incoming mail, the domain identified from reverse-resolving the connecting IP.
- For outgoing mail, the domain of the recipient.
- For outgoing mail, the domain of the MX server to which the mail is delivered.

If mail to a domain fails due to TLS, you can disable TLS encryption for that domain by creating an entry in the TLS Domains List for that domain and selecting Never for the Encrypted parameter.

TLS configurations (each row is a TLS setting on the appliance; each column is the recipient server's capability):

TLS configuration | Recipient is TLS enabled with certificate | Recipient is TLS enabled with no certificate, or certificate is from an untrusted issuer | Recipient is not TLS enabled
TLS disabled | Clear text is delivered | Clear text is delivered | Clear text is delivered
TLS enabled, recipient is on TLS Domain List, Encrypted is Never | Clear text is delivered | Clear text is delivered | Clear text is delivered
TLS enabled and recipient is not on TLS Domain List | Encrypted data is delivered | Encrypted data is delivered | Clear text is delivered
TLS enabled, recipient is on TLS Domain List, and Encrypted is If Available | Encrypted data is delivered | Encrypted data is delivered | Clear text is delivered
TLS enabled, recipient is on TLS Domain List, Encrypted is Always, and Require Valid Certificate is Off | Encrypted data is delivered | Encrypted data is delivered | Message is not delivered
TLS enabled, recipient is on TLS Domain List, Encrypted is Always, and Require Valid Certificate is On | Encrypted data is delivered | Message is not delivered | Message is not delivered

Note: If you have a Proofpoint Protection Server software installation and want to send encrypted mail, for example to a Regulatory Compliance business partner, you can configure TLS in sendmail to utilize the same functionality. In addition, you can purchase Proofpoint Encryption or use the Re-route disposition to direct the mail for that business partner to a server that provides encryption services.

Configuring TLS Settings

To enable and configure TLS:

1. Navigate to the System > SMTP Encryption > Settings page, and select On.
2. Make a selection from the Minimum Cipher Strength for TLS Domains drop-down list. If the recipient does not support the predefined cipher strength, message delivery will fail. Proofpoint suggests that you select the highest cipher strength on the list.
3. Enable the certificate request settings, if applicable:
   - Request Client Certificate - when enabled, the receiving server requests a certificate from the sending server.
   - Request Sending of the Client Certificate - when enabled, the sending server sends a certificate to the receiving server when the receiving server requests one.
4. Click Save Changes.

Related Topics: For a general description about the appliance and TLS, see About TLS. Also see Adding and Managing TLS Domains for additional instructions.
Adding and Managing TLS Domains

To add Transport Layer Security (TLS) domains, provide the fully qualified domain names (FQDNs) of the domains that require encryption, decide whether or not you want to verify their certificates, and decide what action to take if verification fails. If you choose to verify the recipient's certificate, you can either reject the message immediately and notify the sender, or fail delivery temporarily and attempt delivery again later. Once you add a domain to the list, you can select Never for Encrypted to temporarily disable the encryption requirement; you do not need to remove the domain name from the list.

Adding TLS Domains

To add TLS domains:
1. Navigate to the System > SMTP Encryption > TLS Domains page and click Add.

2. Enter information or make selections for the following parameters in the TLS Record pop-up window:
   Domain/IP/Host - enter the FQDN of the organization, or the IP address or hostname of an individual server, for which you require encrypted mail.
   Encrypted - choose one of the following:
   - Never. Never send encrypted mail.
   - If Available. Send mail encrypted if the SMTP server for the recipient supports TLS encryption.
   - Always. Always send mail encrypted.
   Require Valid Certificate - applies only to outgoing connections. On is selected by default. If you do not need to verify the recipient's certificate, select Off. This choice is available only when Encrypted is Always.
   Action If Verification Failed - choose one of the following:
   - Reject (Notify Sender). Reject the mail and notify the sender.
   - Retry (Temporary Failure). Delivery fails temporarily; delivery is attempted again later.
3. Click Add and New if you want to save the current domain and add another, or click Add Entry if you are finished adding domains.

See Importing and Exporting TLS Domain Entries for information about populating the TLS Domains list with several entries at once.

Searching for TLS Domains

If you have a long list of domains, enter a word specific to the domain you want to find in the Find field instead of scrolling through the domain names on the list. Make a selection from the Entries drop-down list to determine how many domains to display at a time. Use the arrow keys to scroll through the list of displayed domain names. The domain names that most closely match the text entered in the Find field appear at the top of the TLS Domain List.

Deleting TLS Domains

Select the check box next to the domain name you want to delete and click Delete. You cannot undo a deletion.

Editing TLS Domains

Select the name of the entry for a given domain name in the TLS Domain List.
You can change the selections in the TLS Record pop-up window. You cannot change the domain name. Click Save Changes when you are done.

Related Topics: See About Certificates for information about certificates and the TLS protocol.
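As an added example that is not part of the Proofpoint guide, the following Python script validates a TLS Domains CSV file in the import format described under Importing and Exporting TLS Domain Entries (the v/f/t, f/t and reject/tempfail codes), merges it into an existing list with the same append-only semantics as the import, and predicts the delivery outcome for a recipient from the TLS configurations table. The function names, the merge helper, the lower-casing of hostnames for matching, and the sample CSV are this example's own assumptions.

```python
"""Added example (not Proofpoint code): validate a TLS Domains CSV import file,
merge it append-only into an existing list, and predict delivery outcomes from
the TLS configurations table. CSV codes and outcomes follow the guide; function
names, hostname lower-casing and the sample data are this example's assumptions."""
import csv
import io
from dataclasses import dataclass
from typing import List, Optional, Tuple

# CSV code -> management interface label, in the import file's column order.
ENCRYPTED = {"v": "Never", "f": "If Available", "t": "Always"}
REQUIRE_VALID_CERT = {"f": "Off", "t": "On"}
ACTION_IF_FAILED = {"reject": "Reject (Notify Sender)",
                    "tempfail": "Retry (Temporary Failure)"}


@dataclass(frozen=True)
class TlsDomainEntry:
    host: str                 # Domain/IP/Host (lower-cased here for matching)
    encrypted: str            # Never | If Available | Always
    require_valid_cert: str   # Off | On
    action_if_failed: str     # Reject (Notify Sender) | Retry (Temporary Failure)


def parse_tls_domains_csv(text: str) -> Tuple[List[TlsDomainEntry], List[str]]:
    """Parse 'host,encrypted,cert,action' rows. Returns (entries, warnings);
    raises ValueError with the offending line number on malformed input."""
    entries: List[TlsDomainEntry] = []
    warnings: List[str] = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(cell.strip() for cell in row):
            continue  # blank line between entries
        if len(row) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(row)}")
        host, enc, cert, action = (cell.strip() for cell in row)
        if not host:
            raise ValueError(f"line {lineno}: empty Domain/IP/Host")
        for value, table, name in ((enc, ENCRYPTED, "Encrypted"),
                                   (cert, REQUIRE_VALID_CERT, "Require Valid Certificate"),
                                   (action, ACTION_IF_FAILED, "Action If Verification Failed")):
            if value not in table:
                raise ValueError(f"line {lineno}: bad {name} code {value!r}")
        # The interface offers Require Valid Certificate only when Encrypted is
        # Always, so a 't' on any other mode is flagged instead of silently imported.
        if cert == "t" and enc != "t":
            warnings.append(f"line {lineno}: {host}: Require Valid Certificate is On "
                            f"but Encrypted is {ENCRYPTED[enc]} (only applies to Always)")
        entries.append(TlsDomainEntry(host.lower(), ENCRYPTED[enc],
                                      REQUIRE_VALID_CERT[cert], ACTION_IF_FAILED[action]))
    return entries, warnings


def import_entries(existing: List[TlsDomainEntry],
                   incoming: List[TlsDomainEntry]) -> Tuple[List[TlsDomainEntry], List[str]]:
    """Append-only merge as the import behaves: a host already on the list is
    skipped (never replaced or updated), and nothing is removed."""
    by_host = {e.host: e for e in existing}
    skipped: List[str] = []
    for e in incoming:
        if e.host in by_host:
            skipped.append(e.host)
        else:
            by_host[e.host] = e
    return list(by_host.values()), skipped


def expected_delivery(tls_enabled: bool, entry: Optional[TlsDomainEntry],
                      recipient: str) -> str:
    """Delivery outcome from the TLS configurations table.
    entry: the TLS Domain List record for the recipient, or None if not listed.
    recipient: 'cert' (TLS with a trusted certificate), 'nocert' (TLS with no
    or an untrusted certificate) or 'none' (not TLS enabled)."""
    if recipient not in ("cert", "nocert", "none"):
        raise ValueError(f"unknown recipient capability {recipient!r}")
    if not tls_enabled or (entry is not None and entry.encrypted == "Never"):
        return "clear text"
    always = entry is not None and entry.encrypted == "Always"
    if recipient == "none":
        # Only Always refuses to fall back to clear text.
        return "not delivered" if always else "clear text"
    if recipient == "nocert" and always and entry.require_valid_cert == "On":
        return "not delivered"
    return "encrypted"


# Constructed sample in the guide's example layout (a.com, b.com, c.com are placeholders).
SAMPLE_CSV = "a.com,t,t,tempfail\nb.com,f,f,tempfail\nc.com,v,f,tempfail\n"

if __name__ == "__main__":
    parsed, warns = parse_tls_domains_csv(SAMPLE_CSV)
    merged, skipped = import_entries(parsed[:1], parsed)  # a.com is already listed
    print(f"{len(merged)} entries on the list, skipped {skipped}, warnings {warns}")
    for e in merged:
        print(e.host, [expected_delivery(True, e, r) for r in ("cert", "nocert", "none")])
```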

Importing and Exporting TLS Domain Entries

You can add several entries to the TLS Domain List at once by importing them from a CSV (comma-separated values) text file. Separate each entry with a line break and separate the values for each entry with a comma. The following table maps the management interface elements to the values in the CSV file:

Management Interface | CSV File
Domain/IP/Host | Domain name, IP address, or hostname
Encrypted: Never | v
Encrypted: If Available | f
Encrypted: Always | t
Require Valid Certificate: Off | f
Require Valid Certificate: On | t
Action If Verification Failed: Reject (Notify Sender) | reject
Action If Verification Failed: Retry (Temporary Failure) | tempfail

Example

Management interface:

Domain | Encrypted | Require Valid Certificate | Action If Verification Fails
a.com | Always | Yes | Retry
b.com | If Available | No | Retry
c.com | Never | No | Retry

CSV file:

a.com,t,t,tempfail
b.com,f,f,tempfail
c.com,v,f,tempfail

When you import the CSV file, any entry in the text file that does not already exist in the system is added. If an entry (hostname) exists both in the CSV file and in the TLS Domain List, that entry is ignored during the import; the import does not replace or update the entry in the TLS Domain List. The import process does not remove any entries from the system; it only appends entries that do not already exist.

TLS Fallback to Proofpoint Encryption

If your deployment is licensed for Proofpoint Encryption, you can configure the Proofpoint Protection Server to try TLS encryption first and then fall back to Proofpoint Encryption if the TLS connection fails. The Proofpoint Protection Server includes a Policy Route named tls_fallback and an SMTP Buffer Queue named tlsfallback. The Proofpoint Protection Server attempts TLS encryption first and then routes the message back to the tlsfallback Buffer Queue if the TLS connection fails. Modify each rule for which you want TLS encryption to fall back to Proofpoint Encryption by following these steps:
1. Select the rule to make changes to it.

2. Under Policy Routes, select the Disable processing for selected policy routes check box and move the tls_fallback Policy Route from the Available list to the Disable For Any Of list.
3. Set the Delivery Method to Re-route.
4. Select tlsfallback from the SMTP Profile drop-down list.
5. Save your changes.

Setting the Date and Time

By default, the appliance is configured to use Proofpoint's Network Time Protocol (NTP) server, ntp.proofpoint.com. If time synchronization is important or you have multiple NTP servers, set the date and time on the Appliance > Date/Time page. You have these choices: use ntp.proofpoint.com, use your own NTP server or servers, or set the time on the appliance independently of an NTP server.

To set up the date and time for the appliance:
1. If you have a cluster, select the server for which you want to set the date and time from the Server drop-down list. Click Save Changes after making configurations for each server that you select from the drop-down list.
2. From the Time Zone drop-down list, select a time zone. By default, America/Los Angeles (Pacific Time) is selected.
3. Make selections for, or enter data for, the following parameters:
   Network Time Protocol - On by default. If you do not want to use an NTP server, select Off. When you select Off, the Current Time drop-down lists become available so that you can select a specific date and time.
   NTP Server #1, #2, and #3 - by default the name of the Proofpoint NTP server appears. If you want to change it, enter a new name and address.

Click Save Changes when you are done. Click Sync Now to ensure that the time of the Proofpoint Protection Server is synchronized with the listed NTP servers. Click Reset to Default to reset the settings on the Date and Time page to the original or default settings.
SNMP Configurations

The appliance supports all three versions of Simple Network Management Protocol (SNMP): Version 1, Version 2c, and Version 3. You can use your SNMP installation to monitor and manage the appliance on your network. For information about setting up the SNMP connection, see Host Firewall Selections.

The SNMP feature provides a read-only configuration for monitoring an appliance. You cannot use the SNMP feature to modify network or configuration information stored in the management information base (MIB) on an appliance; the MIB can only be read or queried. Clients of all SNMP versions can query the appliance. However, trap (event) notification is available only for SNMP Version 1 and SNMP Version 2c; SNMP Version 3 does not support trap notification. Version 1 and Version 2c do not require authentication. Version 3 requires authentication with the User-based Security Model, and you need to provide a password of at least eight characters.

To configure SNMP for the appliance:
1. Navigate to the Appliance > SNMP page.
2. If you have a cluster, select the server you want to manage from the Server drop-down list. Click Save Changes after making configurations for each server that you select from the drop-down list.
3. Select On for the versions of SNMP you want to use to monitor the appliance.
   SNMP Version 1 and SNMP Version 2c - support trap notification.
   SNMP Version 3 - does not support trap notification.

Note: Because Version 3 supports the User-based Security Model, you need to provide the network management station with the admin login and SNMP password used to access the Proofpoint Protection Server.
4. If you selected On for SNMP Version 3, enter a password with a minimum of eight characters in the SNMP Version 3 Password field.
5. Enter the unique identifier of the SNMP network management station and agent (this setting is on the management station) in the Community String field. By default the community string is public. (A community string is similar to a password; it is used to identify a station and agent when attempting to communicate with an agent from a station.)
6. For SNMP Trap Receivers, enter the hostname or IP address of the SNMP management station that will receive trap notifications into the fields. For example, proofpoint or xxx. Click the right-arrow (>>) button to add the entry.
   Note: You cannot leave this field empty.
7. Click Save Changes.


Chapter 4 - Proofpoint Protection Servers

Creating and Managing Workspaces

The Proofpoint Protection Server includes default workspaces for System > Summary information and DLP Summary > Dashboard information. Administrators can add or delete pages from the default workspace, and add or delete widgets from the pages of the default workspace. You can also clone the default workspace to use it as a starting point to customize your own workspace. For an introduction to the workspace terminology, see Managing Your Proofpoint Portal.

Creating and managing workspaces involves the following tasks:
- Create a workspace - clone an existing workspace or create a new one. When you create a new workspace, it includes at least one page named Default page.
- Clone a workspace - you can clone an existing workspace, customize it, and then rename it.
- Delete a workspace.
- Edit a workspace - make modifications to an existing workspace.
- Designate a default workspace. Each time you log in to the appliance or Proofpoint Protection Server, the default workspace is displayed first.
- Add or delete pages from a workspace.
- Add and delete widgets, and move widgets on a page.
- Add and modify permissions for a workspace.
- Add and delete columns on a workspace page.
- Move widgets into columns on a workspace page.
- Select a workspace from the Current Workspace drop-down list. Every workspace you have permission to view appears in the Current Workspace drop-down list.

For information on adding pages and widgets to a workspace, see Working with Pages and Widgets.

Create or Clone a Workspace

To create a new workspace or clone an existing workspace:
1. Select Manage Workspace from the Options menu to open the Workspace pop-up window.
2. Click Create New Workspace, or click Clone to clone an existing workspace. The new workspace appears in the Name column of the Workspace pop-up window. Select the name of the workspace in the Name column to display that workspace.
Rename a Workspace and Change Permissions

Use Change in the Workspace pop-up window to rename a workspace and to change permissions for that workspace. The list of administrator accounts available for the permission control settings in the Workspace pop-up window is configured on the Administrator > Administrators page.

To change the name and permissions of a workspace:
1. Select Manage Workspace from the Options menu to open the Workspace pop-up window.
2. Click Change for the workspace you want to rename or whose account permissions you want to modify.
3. Click in the text box in the Name column and enter a new name for the workspace.
4. Modify account permissions:
   - The User column displays a drop-down list from which you can select an account. The entries on this list originate from the Administrator > Administrators page.

   - The Allow To Read check box controls read-only permissions.
   - The Allow To Modify check box controls write permissions.
   - To delete the account and its permission settings from the workspace, click the red X.
   - To add more account permissions, click Add More Permissions.
5. Click Save when you are done. The Workspace pop-up window displays Public or Private in the Permission column, depending upon the account permission settings you have set for the workspace.

Selecting a Default Workspace

Once you have several workspaces, you can designate one of them as the default workspace by selecting Set As Default in the Workspace pop-up window.

Working with Pages and Widgets

A workspace is comprised of one or more pages, and each page is comprised of one or more widgets. Pages that you create appear as tabs in the workspace. Widgets are UI elements (management interface elements) that serve as containers for functionality. When you customize a page, you select widgets from a Widget Menu, a pop-up window that displays a catalog of available widgets and a short description of each one. You can move widgets around on a page by dragging them by the widget header, and you can also organize widgets into columns on a page.

Creating and Managing Pages

Organize your Proofpoint Portal by adding your own workspaces to the System > Summary page or the DLP Summary > Dashboard page. First create a workspace, then add pages to the workspace, and finally add widgets to each page. See Creating and Managing Workspaces for information on adding workspaces to your portal.

To add, rename, or delete a page in your workspace:
1. Select the workspace you want to customize from the Current Workspace drop-down list.
2. Select Add Page or Delete Current Page from the Options menu.
To rename a page, click the name of the page (place the cursor over the name in the tab), enter a new name for the page into the edit field, and then click anywhere else to close the edit field.

Adding, Deleting, and Moving Widgets on a Page

To add a widget to a page in your workspace:
1. Select the workspace you want to customize from the Current Workspace drop-down list.
2. Select the page.
3. Click Add Widget to display the Widget Menu.
4. Under Widgets Catalog, expand or collapse the categories by clicking the plus sign (+) icon. Select a widget to see a description of it under Widget Details.
5. Click the Add Widget button to add the selected widget to the page.
6. To close the Widget Menu, click the red X in the upper right corner of the Widget Menu window.

To move a widget on a page, point to the widget header (the bar that displays the name of the widget) and drag it to a new location on the page. The cursor changes to a cross when you point to the widget header.

To view and save widget options:
1. Point the cursor to the widget header.
2. Click the note icon to display the widget options. The options vary according to the type of widget you are viewing. The following options appear for every widget:
   - Refresh. Controls how often data is gathered from the master Proofpoint Protection Server.
   - Save. Saves the view of the workspace.
   - Reset. Resets the value in a field to what it was before you saved the view.

To refresh the widget details, point the cursor to the widget header and then click the refresh icon.

To delete a widget from a page, point the cursor to the widget header, click the red X, and then confirm the deletion.

To save the workspace view, click Save View if you want to save the location of the widgets on the page. The next time you view the workspace, the widgets will be located where you last moved them on the page.

Organizing Widgets with Columns

You can add columns to a page to further organize the widgets on the page by dragging the widgets into the new columns. If you delete a column from a page, the widgets in the column are also deleted.

To add a column to a page:
1. Select the workspace from the Current Workspace list.
2. Select the page (tab).
3. Select Add Column from the Options menu.
4. Drag existing widgets or add new widgets to the column.
5. Click Save View to save your changes.

Note: You can resize a column by pointing to the column border and dragging it.

To delete the last column you added, select Delete Last Column from the Options menu, confirm the deletion, and then click Save View.

Note: You can only delete the last column that you added. Deleting a column also deletes the widgets in that column.

Server Status

The Server Status tab for the default workspace provides a summary of message processing status for the Proofpoint Protection Server.
To view the default workspace included with the Proofpoint Protection Server software, navigate to the System > Summary page. If you have more than one server in a cluster, the Cluster Status table displays a summary for the entire cluster. The Server Summary table displays status for each server in the cluster. You can expand and collapse the information for each server in the Server Summary table by selecting the plus sign (+) next to the server name, or by selecting the icons that represent Services, Connections, Filter, and Storage. The Report Summary graphs display an aggregation of data across all the servers in the cluster. You can customize the reports that display under Report Summary by adding widgets for the graphs that you are interested in monitoring. See Working with Pages and Widgets for more information about customizing the System > Summary page.

Note: The presentation of data for the graphs on the System > Summary page is dynamic. If a graph contains more than five lines of legends, or if the legends are long, the legends are truncated. Click the graph to expand the view and display all of the legends for the graph.

For each system component, status is represented by an icon on the Server Status page. A green check mark means running (Running), a red X means stopped (Stopped), and a grey check mark indicates an unknown or disabled status.

If you have a cluster, the Sync Configuration link appears when spam definitions, virus definitions, software, and so forth are not synchronized across all of the agents. Click Sync Configuration to synchronize all the servers in the cluster.

The Cluster Status table displays the following data:
Quarantine Status - displays status for the Quarantine and for the command processors for both email and web services.
   - Quarantine. This is the master repository for messages that have been filtered and sent to the Quarantine.
   - Command Processor (Email). This is the program on the master Proofpoint Protection Server that handles requests from End User Digests to release messages.
   - Command Processor (Web). This is the web server that provides the web-based interface for user requests such as releasing messages from the Quarantine or adding senders to Safe Senders and Blocked Senders Lists.
   - Quarantine Messages. Displays the number of messages and disk usage in Kilobytes (KB) for the Quarantine. The number in parentheses represents the disk space used by the messages.
Module Version - displays the version numbers for the Spam Engine and Spam Detection Module definition files, and for the Virus Protection Module and virus definition files. A green check mark indicates the versions are up-to-date; a yellow attention icon indicates that they are out of date.

For each server or appliance in the cluster, the Server Summary table displays the following data:
Services - represents the running processes on the Proofpoint Protection Server or appliance.
   - Config Master. This is an arbitrary display name that you gave to the server or appliance: an alphanumeric string that identifies the Proofpoint Protection Server instance. If there is no display name for the instance, the fully qualified instance name is displayed, which consists of the hostname, administration port number, and instance name. Click the plus sign (+) icon to expand the data for the server or appliance.
   - Configuration. Applies to a cluster. Displays whether or not the agents in a cluster have synchronized (In Sync) their software configuration with the master.
   - SMTP. Passes message content to the Proofpoint Protection Server filtering engines using the Milter interface.
   - Filter. Represents the filtering engines.
   - Repository. Represents the database where the logs, Quarantine, User Repository, and Document Repository are maintained.
   - Buffer Queues. Represents all of the buffer queues. Each SMTP profile has a buffer queue. If one buffer queue is not running, the display indicates Stopped.
   - API Service. Represents message queue consolidation and Digest command processing.
   - Offline. Displays next to an agent in a cluster that is offline.
Connections - connection-level information.
   - Current. Displays the current number of sendmail connections and the percentage of the total connections currently in use. The total number of possible connections varies depending upon the product (Proofpoint Protection Server or appliance).
   - Total. Displays the total number of sendmail connections since the Proofpoint Protection Server was last restarted.
   - Unique IPs. Displays the number of unique connections to the Proofpoint Protection Server.
   - Throttled IPs. Displays the number of current (Current) throttled connections and the total (Total) number of throttled connections since the Proofpoint Protection Server was restarted.
Filter - data for the filtering engines.
   - Uptime. How long the Proofpoint Protection Server or appliance has been processing messages since it was last restarted.
   - Msg Count. Displays the number of messages the server has processed since it was last restarted.
   - Msg Size. Represents the sum of the sizes of all messages processed by the server, in Bytes (B).
   - Msg Rate. Number of messages (Msgs) being processed per second (sec).

   - Recipients. Number of messages processed for valid (Valid) recipients and the total (Total) number of messages processed for all recipients, valid or not.
   - Virus. Appears if you are using the Virus Protection Module, and provides the number of infected (Infected) messages that were caught and the number of messages that were skipped (Skipped) by the filtering engines.
   - Zero-Hour. If you are using the Virus Protection Module and have enabled the optional Zero-Hour Anti-Virus Module, this display indicates the total number of high and medium risk viruses intercepted by the Zero-Hour module.
Storage - includes disk space usage for the Proofpoint Protection Server and appliance, the number of queued messages, and the number and size of messages stored in a system's Quarantine cache.
   - CPU I/O Wait. Displays the percentage of time that the CPU or CPUs were idle while the system had an outstanding disk I/O request.
   - Swap. Indicates available swap space and the percentage of swap space in use.
   - System Disk Space (appliance only). Indicates how much disk space is currently in use and how much disk space is available for the sendmail queue.
   - Sendmail Messages (appliance only). The mail parameter displays the number of queued messages, and the system parameter displays the number of queued messages for the alerts sent to the postmaster.
   - PPS Disk Space. Indicates how much disk space is currently in use and how much disk space is available for the server software and Repository.
   - Buffer Queue Messages. Displays the number of queued messages for the default, alert, and other queues.
   - Quarantine Cache. Displays the number of cached messages and the total size of cached messages for the systems in a cluster waiting to be consolidated and transferred to the Quarantine.
   - Data Queues.
     If the Enable Traffic Statistics Feedback to Proofpoint parameter is enabled on the System > Settings > System page, Data Queues displays the number of queues of statistical data sent to Proofpoint for analysis.

Message Traffic

The Message Traffic tab for the default workspace provides information about the Spam Detection and Virus Protection filtering modules, rules triggered across all modules, and messages sent to the Quarantine.

Spam Classification Table

Displays the percentage of messages classified as spam. The data is aggregated for all the systems in a cluster and summed for different time periods.

Virus Ranking Table

Displays the number of messages caught containing a virus. The data is aggregated for all the systems in a cluster and summed for different time periods. The Top Virus Summary table displays a ranking of the top viruses caught by the Virus Protection Module.

Rule Statistics Table

For each analysis module, the table displays the number of messages processed by the rules for the module. The data in the tables is aggregated for all Proofpoint Protection Servers in the cluster.

Quarantine Summary

This table displays the number of messages sent to the Quarantine because they triggered rules in the filtering modules. The data is aggregated for all the systems in a cluster and summed for different time periods. The Total

column displays the number of messages sent to the Quarantine by a specific module, and the % column displays what percentage of the total messages in the Quarantine triggered rules for a specific module.

SMTP Server Summary

The System > SMTP Server Summary page displays helpful information about message delivery errors and the status of the queues for individual servers in a cluster. There are two types of queues: buffer and sendmail. A sendmail queue represents a queue on an appliance, and a buffer queue represents a queue for both the appliance and the Proofpoint Protection Server software. Use this information about queues to assess how efficiently messages are being processed and delivered, and to help you understand errors that might occur.

You can only view information about the queues on this page; you cannot apply any actions. To make changes to a buffer queue or sendmail queue for a system in a cluster, click the corresponding row for that system. The System > SMTP Queue Summary page is displayed, where you can manage the queues on a server-by-server basis. See SMTP Queue Summary for instructions. To manage the individual messages in a queue, go to the System > SMTP Messages page. See SMTP Messages for instructions.

Click the Expand and Collapse icon to the left of the cluster or an individual server name to show or hide data. The total number of queued messages is displayed next to the cluster or server name.

The tables on the System > SMTP Server Summary page contain the following data:
Queue Name - name of the SMTP profile.
Queue type - buffer queue or sendmail (appliance only) queue.
Current - number of unprocessed and undelivered messages waiting in the queue.
In Process - number of messages per queue currently being reprocessed and redelivered.
Connection Errors
   DNS Lookup Failure - the DNS server failed to look up the mail server.
   Refused - the connection was refused by the mail server.
   Reset - the connection was interrupted while delivering mail to the mail server.
   Timed Out - the mail server stopped responding after initial delivery.
Temporary Failure Reasons (400 series error messages)
   Mailbox Unavailable (450) - the recipient's mailbox was not available.
   Unable To Process Request (451) - the mail server cannot process the request.
   Out Of Disk Space (452) - the Proofpoint Protection Server is out of disk space.
   SMTP Service Unavailable (421) - the mail server was not running.
   Other 4xx Errors - the mail server temporarily failed to process and deliver messages for other reasons.
Other Errors and Total Messages
   Other Errors - failed to deliver messages for unknown reasons.
   Total - number of messages per queue waiting to be processed and delivered.

SMTP Queue Summary

The System > Queue Summary page allows you to view queue information and take action on the sendmail and buffer queues for an entire cluster and for individual Proofpoint Protection Servers. The actions you take apply to all of the messages in a queue or queues. You cannot take actions on individual messages. To select individual messages in a queue, click the corresponding row. The System > SMTP Messages page is displayed, where you can apply actions to the messages on a server-by-server basis. See SMTP Messages and Viewing and Managing Individual Messages for instructions.

Queue List Data

Select a column heading in the queue list to display the up-arrow or down-arrow icon, which you can use to sort data in ascending or descending order. See SMTP Server Summary for descriptions of most of the data displayed in the queue list on the System > SMTP Queue Summary page. In addition, the list contains the following data for a specified server and queue:
First column - the selection you make from the Group By drop-down list appears in the first column of the table.
Oldest - the oldest message for the group you selected from the Group By drop-down list.
Newest - the newest message for the group you selected from the Group By drop-down list.

Displaying Queue Data

To make selections for displaying a queue or queues in the list:
1. From the Server drop-down list, select <All> or select an individual server for which to display a queue.
2. From the Queue drop-down list, select <All> or select an individual queue for the server you selected from the Server drop-down list.
3. From the Entries drop-down list, select the number of queues to display in the list of queues.
4. From the Group By drop-down list, choose one of the following to determine which data to display for the queues in the list:
   Sender Address Domain
   Sender Address
   Recipient Address Domain
   Recipient Address
5. In the Find field, enter data that corresponds to the choice you made from the Group By drop-down list, and click Search. For example, if you select Sender Address for the Group By drop-down list, you would enter the sender's address you want to find into the Find field.

Selecting and Applying Actions to Queues

With the exception of minor differences, selecting and applying actions to queues in the list is very similar to selecting and applying actions to messages in the Message List on the System > SMTP Messages page. See Selecting and Applying Actions to Messages for more information.
To select and apply actions to queues in the list:
- Click Queue to take an action on all queues in the list. You do not need to make any selections; all queues in the list are selected for you.
- Select the check box to the left of a queue to select individual queues.
- Select the check box in the table column heading to select all displayed queues.
- Select Delete or Process to take action on the selected and displayed queues.

SMTP Messages

The System > SMTP Messages page displays the individual messages currently in a queue waiting to be redelivered. Use this page to search, sort, and apply actions to individual messages in a queue.

SMTP Messages Data

Select a column heading to display the up-arrow or down-arrow icon, which you can use to sort data in ascending or descending order.

The SMTP Messages list contains the following information:
Reason - the reason the message is in the queue, waiting to be redelivered. For example, the message might be deferred because the mail server is busy, the mail server does not have enough disk space, or a recipient's mailbox is not available.
Sender
Recipients
Date - the date the message arrived in the queue.
Size
Queue ID - the ID assigned to the message by sendmail.
Queue - information about the queue, which includes the hostname, port, instance, and name of the queue.

Searching for Messages in a Queue

Important: The list of displayed messages results from a query. If you do not select any search criteria for a query and click Reset followed by Search, the query returns all of the messages in the queue. However, the list only includes the number of entries you selected to display. For example, your search query may return 3,000 entries, but you will only see 20 of them at a time in the list of messages. The search fields are not case-sensitive.

To complete a simple search for messages in a queue:
1. Make your selections from the search criteria and enter search criteria into the search fields. Using Starts with or Equals expedites the search.
2. To sort data for a specific column in the SMTP Messages list, select the column heading from the Sort By drop-down list. For example, you can search for and sort messages from a particular Sender. Select either Descending or Ascending from the Order drop-down list for the selection you made from the Sort By drop-down list.
3. To temporarily disable the Fast Query feature, clear the Fast Query check box. If you clear the Fast Query check box, you will see a message warning you that the query will slow down considerably. The Fast Query feature noticeably speeds up a query when you are searching for messages that meet specific search criteria.
4.
Click Search to complete your search, or click Reset to reset the search criteria to the default selections. You can narrow the scope of a search even further by using the advanced search criteria. To complete an advanced search for messages in a queue: 1. Click the Advanced Search icon to see the advanced search options and make your selections for the search criteria. The message Queue IDis assigned to messages by sendmail and is unique to each message in a queue. Use this field to track a specific message. For example, you have noticed that a message in the queue has not been processed yet and you want to track its progress. Make note of the message ID. To check on the message at a later date, enter the message ID into the Queue ID field and click Search. 2. Select the number of messages to display per page from the Display drop-down list. The Default is 20 messages. Important: Click the Reset button after an advanced search. If you hide the advanced search criteria without resetting, the advanced criteria will continue to apply to a simple search. Managing Individual Messages To access the contents of an individual message, click on the row for that message. The Message Details page appears, displaying the header and contents of the message. See Viewing and Managing Individual Messages for instructions. 46

Chapter 4 - Proofpoint Protection Servers

Selecting and Applying Actions to Messages

Select messages for actions from the System > SMTP Messages page. It is important to understand which messages you are selecting before you apply an action to them.

Important: The messages displayed in the SMTP Messages list result from a query. If you do not select any search criteria for a query and click the Reset button followed by the Search button, the query returns all of the messages in the queue. However, the SMTP Messages list only displays as many entries as you have configured to display. For example, your search query may return 3,000 entries, but you will only see 20 of them at a time in the SMTP Messages list.

Before you apply actions to messages in the SMTP Messages list on the System > SMTP Messages page, you need to select them. You can make the following selections:
Individual messages.
All displayed messages.
All messages in the list, displayed or not.

Individual and Displayed Messages

The queue drop-down list displays <all selections> initially. This list displays the available queues sorted by server name and type of queue. If you want to apply actions to messages in a specific queue on a specific Proofpoint Protection Server or appliance, select it from the list.

Each message in the SMTP Messages list has a check box to the left of it. To select individual messages, click the corresponding check box. Displayed messages are the entries that appear in your browser, regardless of how many entries you chose to display. To select all displayed messages, select the check box in the table column heading.

To apply an action on individual messages or all displayed messages, click one of the following actions:
Delete
Process

All Messages in the List

When you apply actions to all messages in the SMTP Messages list, whether displayed or not, you do not need to select them; the action you select automatically selects all of the messages for you.

To apply an action to all messages in the list, click Queue, and make one of the following selections:
Delete All Messages
Process All Messages

Note: If you want to select and apply an action to all of the messages in all the queues, you must first clear all of the search criteria by clicking the Reset button, then click the Search button. After the query returns all of the messages in all the queues, select either Process All Messages or Delete All Messages.

Viewing and Managing Individual Messages

The Message Detail pane allows you to view the contents of a single message and delete or process the message. Access the Message Detail page by selecting a single message in the SMTP Messages list on the System > SMTP Messages page. See SMTP Messages for more information.

To select a single message for viewing:
1. Click on the row of a message in the SMTP Messages list to view its contents on the Message Detail page.
2. Select the information you want to view from the View drop-down list:
Message - displays the envelope information and contents of the message.
Headers - provides standard header information about the message.
Source - provides information about the source of the message.

You can take the following actions on a message:
Click Delete to delete the message from the queue.
Click Process to process and deliver the message.
Click Save Message from the Options menu to open the File Download dialog box. Click Save and provide a name and location for the file.
Click View Source from the Options menu if you would like to view the source in a separate browser or save the information to a file.

About Expanded or Original Envelope Addresses

After processing messages or releasing messages from the Quarantine, the Proofpoint Protection Server routes messages to a gateway mail server for delivery to your intranet. This gateway mail server or SMTP (Simple Mail Transfer Protocol) server can be running sendmail, such as on the appliance, or it can be another SMTP server on the intranet.

You can configure an SMTP server to use any of these recipient envelope addresses for delivering mail:
Use Original Recipient Address - uses the original recipient address in the mail envelope.
Use Expanded Recipient Address - the recipient address is determined by alias expansion.
Use Expanded Recipient Address and Strip BATV Signature - the recipient address is determined by alias expansion, and the Bounce Management signature key is stripped from the recipient address for inbound mail.
Use Expanded Recipient Address, Add BATV Signature to Sender Address - the recipient address is determined by alias expansion, and the Bounce Management signature key is added to the sender address for outbound mail.
See Configuring SMTP Profiles and Parameters for instructions to create an SMTP Profile. See About Bounce Management for an introduction to Bounce Management and instructions on how to enable and configure Bounce Management.

Depending upon how you deployed the Proofpoint Protection Server in your environment, it might be important whether an SMTP server uses the original envelope address or addresses or the expanded envelope address or addresses. For example, if an original envelope message is addressed to the expanded envelope address for the message would look like this:

Related Topics:
The Proofpoint Protection Server uses DNS servers for examining and routing mail. You can add more DNS systems or delete them from the Proofpoint Protection Server. See Configuring DNS Parameters for instructions.

Configuring SMTP Profiles and Parameters

The default SMTP profiles that are used to deliver mail processed by the Proofpoint Protection Server are prepopulated with data that is configured during the installation process for the software, or during the setup process for the appliance. All default profiles use port 25 and each one has its own buffer queue, with the exception of the verify profile. You can change the parameters for each profile if necessary.

The Proofpoint Protection Server provides these default SMTP profiles:
default - used as the default SMTP server to process all filtered email.
alert - ensures that alert messages are sent in the case of an upgrade failure or if the mail server is temporarily disabled.
tlsfallback - messages can be re-routed to the tlsfallback buffer queue to attempt delivery via TLS encryption. If the receiving MTA does not support TLS, or responds with any error condition during the SMTP connection, messages are re-routed back through the filtering engine to be encrypted by Proofpoint Encryption. See About TLS for more information about TLS encryption.
verify - uses the SMTP VRFY command to verify legitimate recipients for the Email Firewall Module. The verify profile is the only profile (direct profile type) that by default does not support a buffer queue. The only purpose of the verify profile is to verify recipients, so it does not require a buffer queue to ensure that messages get delivered or re-injected back into the filtering process.

If you have more than one SMTP server, you can create additional profiles from which to choose for different Proofpoint Protection Server operations.
For example, you might create a profile for re-routing filtered mail to another SMTP server for encryption. If you have multiple SMTP servers in your organization, Proofpoint strongly recommends that you take advantage of the SMTP profile feature. You will save time by selecting one of the preconfigured SMTP profiles from a drop-down list when you are configuring other parameters in the management interface.

Creating SMTP Profiles

To create and configure parameters for an SMTP profile:
1. Navigate to the System > Settings > SMTP page.
2. Click Add Profile to create additional SMTP host profiles.
3. In the Add Profile pop-up window, enter a name and description for the profile.
4. Select the type of profile from the Profile Type drop-down list:
Buffer Queue - selected by default. This profile type supports a buffer queue.
Direct Profile - this profile type does not support a buffer queue. It is used to verify recipients using the SMTP VRFY command. If you configure Recipient Verification to use an SMTP profile for verifying recipients, you need to select an SMTP profile that uses the direct profile type. See About Recipient Verification in "Email Firewall Module" for more information.
TLS Profile - supports the buffer queue for Transport Layer Security.
5. Enter the hostname for the SMTP server and the port number for communication between the SMTP host and the Proofpoint Protection Server.
6. The default timeout is 60 seconds in the Timeout field. This value represents how long the Proofpoint Protection Server or appliance tries to connect to the host in the profile before giving up.
7. The address in the From Address field is the address that appears in the From field of the message header when the disposition for a message is Send Message To.
8. Enter your organization's domain into the HELO Domain field.
9. For SMTP Address, make one of the following selections:
Use Original Recipient Address - uses the original recipient address in the mail envelope.

Use Expanded Recipient Address - the recipient address is determined by alias expansion.
Use Expanded Recipient Address and Strip BATV Signature - the recipient address is determined by alias expansion, and the Bounce Management signature key is stripped from the recipient address for inbound mail.
Use Expanded Recipient Address, Add BATV Signature to Sender Address - the recipient address is determined by alias expansion, and the Bounce Management signature key is added to the sender address for outbound mail.
10. If the mail server is password-protected, enter the authorized user name and password into the respective fields.
11. Click Save Changes.

Note: You cannot delete the default SMTP profiles; you can only delete profiles that you create. You will not be able to delete an SMTP profile that is used by any filtering module, end user service, or rule.

Testing the SMTP Connection

To test whether the SMTP host, port, and authorization are correct, click the Test SMTP Connection button in the Add Profile pop-up window. The Testing SMTP Connection pop-up window displays a "Connection Successful" message if the Proofpoint Protection Server connected to the SMTP host.

Sending Mail to the SMTP Host

To test whether the Proofpoint Protection Server can send a message to the SMTP host, click Send SMTP Mail, fill in the fields of the Testing Send pop-up window, and click Send.

Checking the Buffer Queue

With the exception of verify, each SMTP profile uses a buffer queue to store messages that cannot be delivered or processed right away. The buffer queue helps control the rate at which messages are processed by an SMTP server, eliminating heavy traffic which could potentially overload the server. The Buffer Queue column indicates how many messages are waiting in the queue for each SMTP server and whether the queue is running or stopped. The messages in the buffer queue are automatically processed every five minutes.
A Process button is displayed for each SMTP host that has one or more messages waiting to be processed. Click the Process button to initiate message processing immediately.

Editing an SMTP Profile

To edit an SMTP profile, click Edit for the profile and make your changes in the Change SMTP pop-up window.

Configuring LDAP Profiles and Parameters

LDAP profiles allow administrators to create and use different LDAP data sources. Once LDAP profiles are created, they can be used for Recipient Verification in the Email Firewall Module, and if you have an appliance, you can use the LDAP profiles with the SMTP settings on the Appliance > SMTP Settings pages.

If the filtering agents in a cluster are located at different geographical locations, each filtering agent can use the local LDAP server for Recipient Verification. For example, if your organization has remote offices and each office has a unique LDAP server for the employees at that office, you can configure the Proofpoint Protection Server to use the appropriate LDAP server for the filtering agent for the remote office.

Note: When you enable Recipient Verification in the Email Firewall Module, you have several choices for which data source to use for verifying legitimate recipients. If you choose LDAP as the verification source, the profiles you create on the System > Settings > LDAP page appear as choices on a drop-down list.

Important: The Proofpoint Protection Server includes an LDAP profile named verify that you can edit but cannot delete. If you plan to use this profile you must modify it to specify the LDAP parameters for the profile.

LDAP Failover and Load Balancing

When you create an LDAP profile, you can enter more than one LDAP server into the profile. If one LDAP server is busy, or cannot be connected to, the Proofpoint Protection Server will try to connect to the next host on the list. The first host on the list is the primary host, and all other hosts on the list are used as failover hosts. For a basic implementation of load balancing, you can assign a different primary host to each agent in your cluster.

Note: Failover is only applicable when the LDAP profile is used by the Email Firewall Module for recipient verification.

Failover follows this sequence of steps:
1. The Proofpoint Protection Server always connects to the first host on the list until a connection failure occurs.
2. Another host on the list is chosen at random.
3. When a connection is made to a failover host, the Proofpoint Protection Server continues to attempt to connect to the primary host every 15 minutes. When the connection to the primary host is successful, it stops using the failover host.

Creating LDAP Profiles

To create and configure parameters for an LDAP profile:
1. Navigate to the System > Settings > LDAP page.
2. Click Add Profile.
3. In the Add Profile pop-up window, enter an identification name and description for the profile into the fields.
4. Enter a hostname and port number for the LDAP server into the Host/IP Address field. For example, host1:port. You can enter more than one host by separating each entry with a comma. For example, host1:port,host2:port. If you enter more than one host, you will have failover support.
5. Click the On radio button for Secure Socket Layer (SSL) if you want communication between the Proofpoint Protection Server and the LDAP server to use SSL.
6. Enter the Base DN for the LDAP server into the Base DN field. For example, dc=company, dc=com.
7. The Default Timeout value is 15 seconds.
This is how long the Proofpoint Protection Server tries to connect to the LDAP data source. This value also represents how long the Proofpoint Protection Server searches the LDAP source for recipient verification purposes before giving up if the recipient is not found in the verification source.
8. For Authentication, click the simple radio button if you want to enforce a login name and password to connect to the LDAP server, and enter values for the Bind DN field and Bind Password field. If you leave these fields blank, the login is anonymous.
9. Click Save Changes.

Testing the Connection to the LDAP Server

To test whether the LDAP profile parameters are correct, click the Test LDAP button in the Add Profile pop-up window to verify that you can connect to the LDAP server.

Editing an LDAP Profile

To edit an LDAP profile, click the Edit button for the LDAP profile you want to edit and make the necessary changes in the Change Profile pop-up window.

Deleting an LDAP Profile

You cannot delete the verify LDAP profile. You can delete any profile that you create by clicking the Delete button for the profile and confirming the deletion.
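The failover sequence described under LDAP Failover and Load Balancing, modelled as an added example that is not Proofpoint's code: the host list uses the profile's host1:port,host2:port syntax and the 15 minute primary retry from the steps above, while the host names, the outage timeline and the injected connect function are constructed for the simulation.

```python
"""Added example (not Proofpoint's code): a model of the LDAP failover sequence
described above.  The host list uses the profile's "host1:port,host2:port" syntax;
connect and clock are injected so a constructed outage can be replayed offline."""
import random
import time
from typing import Callable, List, Optional, Tuple

Host = Tuple[str, int]
PRIMARY_RETRY_SECONDS = 15 * 60   # the primary is retried every 15 minutes


def parse_host_list(host_field: str, default_port: int = 389) -> List[Host]:
    """Split the Host/IP Address field into (host, port) pairs.
    A missing port falls back to default_port (an assumption of this example)."""
    hosts: List[Host] = []
    for entry in host_field.split(","):
        entry = entry.strip()
        if not entry:
            continue
        host, sep, port = entry.rpartition(":")
        if sep and port.isdigit():
            hosts.append((host, int(port)))
        else:
            hosts.append((entry, default_port))
    if not hosts:
        raise ValueError("the Host/IP Address field must list at least one host")
    return hosts


class LdapFailover:
    """Chooses the host for each lookup following the documented sequence:
    1. use the first host (the primary) until a connection failure occurs;
    2. then pick another host on the list at random;
    3. while on a failover host, retry the primary every 15 minutes and
       return to it as soon as it answers."""

    def __init__(self, host_field: str, connect: Callable[[Host], bool],
                 clock: Callable[[], float] = time.monotonic,
                 rng: Optional[random.Random] = None) -> None:
        self.hosts = parse_host_list(host_field)
        self.primary = self.hosts[0]
        self.connect = connect
        self.clock = clock
        self.rng = rng or random.Random()
        self.active: Optional[Host] = None        # failover host in use; None = primary
        self.last_primary_attempt = float("-inf")

    def _try_primary(self) -> bool:
        self.last_primary_attempt = self.clock()
        if self.connect(self.primary):
            self.active = None
            return True
        return False

    def pick_host(self) -> Optional[Host]:
        """Return the host to use for this lookup, or None if nothing answers."""
        if self.active is None:
            if self._try_primary():
                return self.primary
        else:
            due = self.clock() - self.last_primary_attempt >= PRIMARY_RETRY_SECONDS
            if due and self._try_primary():
                return self.primary
            if self.connect(self.active):
                return self.active
        # the primary (and any failover host in use) failed: choose another host at random
        candidates = [h for h in self.hosts if h not in (self.primary, self.active)]
        self.rng.shuffle(candidates)
        for host in candidates:
            if self.connect(host):
                self.active = host
                return host
        return None


def simulate_outage() -> List[str]:
    """Constructed scenario: ldap1 is down from the start and comes back at
    minute 20.  Returns the hostname chosen at each lookup time."""
    state = {"now": 0.0, "primary_up": False}

    def connect(host: Host) -> bool:
        return state["primary_up"] if host[0] == "ldap1.example.com" else True

    failover = LdapFailover(
        "ldap1.example.com:389,ldap2.example.com:389,ldap3.example.com:389",
        connect, clock=lambda: state["now"], rng=random.Random(7))
    chosen = []
    for minute in (0, 5, 16, 20, 31, 32):
        state["now"] = minute * 60.0
        state["primary_up"] = minute >= 20
        host = failover.pick_host()
        chosen.append(host[0] if host else "none")
    return chosen
```

In the scenario the server stays on the randomly chosen failover host through minute 20 (the primary is only retried at minutes 16 and 31) and returns to ldap1 at minute 31.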

Configuring DNS Parameters

The Proofpoint Protection Server uses DNS servers for examining and routing email. Use the System > Settings > Filter DNS page to add, delete, and change the order in which the Proofpoint Protection Server uses DNS servers.

Filter DNS Timeout

You can configure how long to try to connect to a DNS server with the timeout parameter. If the connection to the first DNS server on the list fails, the Proofpoint Protection Server will try to connect to the second one on the list, and so forth, until it successfully makes a connection.

Adding DNS IP Addresses

Enter an IP address for each DNS server, one at a time, and click the right-arrow (>>) to populate the IP address list.

Configuring the DNS Order

You can configure the order in which the Proofpoint Protection Server uses the DNS servers to check for legitimate hostnames and IP addresses by selecting an IP address and using the up arrow or down arrow to move it higher or lower on the list.

Deleting a DNS System

To delete a DNS system from the list, select its IP address and move it to the left using the left-arrow (<<).

Related Topics:
See Configuring SMTP Profiles and Parameters for instructions on creating SMTP profiles.
See Configuring Proxy Server Parameters if your organization uses a proxy server to connect to the Internet.

Configuring Proxy Server Parameters

The Proofpoint Protection Server uses HTTPS for outbound communication to Proofpoint for different services such as the Dynamic Update Service, Proofpoint Encryption, heartbeat reporting, and false positive reporting. If you configured all HTTPS communication at your organization to go through a proxy server, you need to configure the Proofpoint Protection Server with the hostname, login, and password for the proxy server. If you do not use a proxy server, you can simply choose a direct connection to the Internet for communication to Proofpoint with HTTPS.
(The Proofpoint Protection Server is configured by default not to use a proxy server.)

Proxy Server Connection to the Internet

If you use a proxy server for connecting to the Internet using HTTPS, navigate to the System > Settings > Proxy page, and click the Use Proxy radio button. Enter values into the fields. The Custom Proxy User Agent is the string that identifies Proofpoint to the proxy server. By default, this string is PPS. For the Connection Method, select the connection method you want to use - either HTTP Upgrade to SSL/TLS (secure and encrypted) or Standard HTTP Proxy (not encrypted).

Note: Proofpoint Encryption will always use the HTTP Upgrade to SSL/TLS connection method.

Click Test Connection to verify that the connection through the proxy server is valid. Save your changes when you are done.

Related Topics:
See Configuring SMTP Profiles and Parameters for information on creating SMTP profiles.

See Configuring DNS Parameters to add DNS servers for use by the filtering engines.

About Certificates

Digital certificates are essential for successfully encrypting data using the Transport Layer Security (TLS) protocol, the Secure Socket Layer (SSL) protocol, or any of the supported security transport protocols. Before encrypted data can be delivered to a recipient, a certificate must be present.

The Proofpoint Protection Server provides a self-signed certificate that supports specific Proofpoint services, including the Administration Server, End User Digest, and Secure Reader Domain Profiles. If you have an appliance, the same self-signed certificate is used for the SMTP server (sendmail) that ships with the appliance, so that the Proofpoint Protection Server can successfully receive encrypted mail over the Internet.

Managing digital certificates includes requesting, importing, and downloading certificates, as well as selecting different certificates for Proofpoint Protection Server services, either self-signed or certificates purchased from a Certificate Authority (CA). The Proofpoint Protection Server also provides a list of the most commonly recognized Certificate Authorities; you can add certificates to this list, delete them from it, or download them to a local system. The Proofpoint Protection Server supports Certificate Authority chained certificates by indicating the number of certificates and displaying each certificate sequentially.

The certificates managed on the Proofpoint Protection Server have these distinct purposes:
Allow the Proofpoint Protection Server to deliver encrypted data to the user community.
Allow the Proofpoint Protection Server to successfully send encrypted mail to and receive encrypted mail from business partners or external organizations.

Both the End User Digest and the Administration Server services use Secure Socket Layer (SSL) to transfer encrypted data over HTTPS.
The SMTP server uses Transport Layer Security (TLS) to transfer encrypted data over SMTP.

End users cannot verify the default self-signed certificate the Proofpoint Protection Server uses to send encrypted data. As a result, a message box indicates that secure data is being sent, but the certificate cannot be verified. Users can only verify self-signed certificates if they have been distributed and installed on the end users' web browsers. To bypass the message box, users can either choose to trust the default self-signed certificate, even if it cannot be verified, or you can replace the default self-signed certificate with a certificate that has been signed by a Certificate Authority.

Managing Certificates

Managing certificates on the System > Certificates > Certificates page includes tasks such as:
Requesting from a Certificate Authority.
Importing to the Proofpoint Protection Server.
Downloading to a local system.

You can request a certificate from a Certificate Authority (CA), or if you do not want to purchase a certificate, you can create your own self-signed certificate.

Requesting Certificates

To request a new certificate:
1. Click Generate Certificate Request or Generate Self-signed Certificate.
2. In the Request Certificate pop-up window, provide information for each field. For Organizational Unit, enter the equivalent of a department name, for example, Marketing or Engineering.
Note: Do not abbreviate the state. For example, use "California," not "CA."
3. Click Request Certificate.

The Subject Alternative Names text box and Include all domain profiles check box apply to the Proofpoint Encryption Domain Profiles feature. You can leave these parameters blank if you are not using Domain Profiles. If you are using Domain Profiles, see Creating Domain Profiles for more information.

A secondary Request Certificate pop-up window displays the certificate signing request (CSR), which is the information you entered in encoded form. Select and copy the CSR in the secondary Request Certificate pop-up window and paste it into a certificate, either self-signed or a certificate purchased from a CA.

Importing Certificates

To import a new certificate:
1. Click Import on the Certificates page.
2. Either enter the entire path of the file name for the certificate in the Certificate File field, or click the Browse button to locate the certificate.
3. Make a selection from the Format drop-down list:
PEM - text-based file that includes the certificate, but may or may not include a key. If you select PEM for the format, and the certificate was generated on the appliance, the certificate does not require a key. However, if the certificate was generated on a system other than the appliance, the PEM certificate must include a private key. If necessary, you can edit the PEM certificate to include the key before attempting the import. You can also import a PEM certificate chain. A certificate chain file includes the server certificate followed by one or more intermediate CA certificates. If a server certificate was issued by an intermediate CA, you need to import the certificate followed by each intermediate CA certificate. If the PEM file you received from the CA does not include the intermediate CA certificates, then you need to download them from the Certificate Authority's web site and append them to the PEM file before importing.
PKCS12 - binary file, which you cannot edit, that includes both the certificate and key.
4. A password is optionally required for a certificate that uses the PKCS12 format. If you selected the PKCS12 format for a certificate that requires a password, you must enter the certificate's password in the Password field. (Provide the same password you used when you downloaded the certificate.)
5. Click Import.

The newly imported certificate displays in the Certificates list. The Status column indicates whether the certificate is valid, invalid, or self-signed. The other columns in the list display the serial number, to whom the certificate was issued, who issued it, the date it was issued, and the date it expires. To view the details of the certificate, click the data in the Certificates list.

Downloading Certificates

When you download a certificate, you are copying an existing certificate in the Certificates list to another location. Download a certificate to the local system from which you are logged into the Proofpoint Protection Server management interface.

To download a certificate to your local system:
1. Select the certificate you want to copy on the Certificates tab.
2. Click Download.
3. In the Download Certificate pop-up window, enter a password for the encrypted certificate into the Backup Certificate Passphrase field. Re-type the password, and then click Download.
4. From the File Download pop-up window, click Save. The Save As window displays, where you browse for a location to save the certificate file. If necessary, enter a different file name in the File name field.
5. Click Save. A "Download complete" message box indicates the certificate has been successfully copied.

Deleting a Certificate

You cannot delete a certificate assigned to a Proofpoint Protection Server service. Select the check box of the certificate and then click Delete.
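A structural pre-import check for the PEM requirements listed under Importing Certificates, added here as an example rather than anything shipped with the product: it counts the CERTIFICATE blocks, confirms a private key is present when the certificate was generated off the appliance, and validates the base64 and DER framing of each block, but it does not verify the issuer-to-subject chain between certificates. The PEM blocks it is run against are constructed placeholders, not real certificates or keys.

```python
"""Added example (not Proofpoint's code): a pre-import check for a PEM file,
following the requirements stated above: CERTIFICATE blocks for the server and
intermediate CA certificates, plus a private key when the certificate was
generated somewhere other than the appliance.  Structure only; it does not
verify that each certificate was issued by the next one in the file."""
import base64
import binascii
import re
from typing import Dict, List, Tuple

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def parse_pem_blocks(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, DER bytes) for each PEM block.  Raises ValueError on a
    mismatched BEGIN/END label or a body that is not valid base64."""
    blocks: List[Tuple[str, bytes]] = []
    for begin, body, end in PEM_BLOCK.findall(text):
        if begin != end:
            raise ValueError(f"BEGIN {begin} closed by END {end}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{begin} block is not valid base64: {exc}") from None
        blocks.append((begin, der))
    return blocks


def check_pem_for_import(text: str, generated_on_appliance: bool) -> Dict[str, object]:
    """Summarise the file and list the problems that would make the import fail."""
    problems: List[str] = []
    try:
        blocks = parse_pem_blocks(text)
    except ValueError as exc:
        return {"certificates": 0, "has_private_key": False, "problems": [str(exc)]}
    labels = [label for label, _ in blocks]
    certificates = [der for label, der in blocks if label == "CERTIFICATE"]
    has_key = any(label in KEY_LABELS for label in labels)
    if not certificates:
        problems.append("no CERTIFICATE block found")
    # every block must decode to an ASN.1 SEQUENCE (DER tag 0x30); anything else
    # is usually a pasted fragment or a non-PEM file that was renamed to .pem
    for label, der in blocks:
        if not der or der[0] != 0x30:
            problems.append(f"{label} block does not contain DER data")
    if not generated_on_appliance and not has_key:
        problems.append("certificate was generated off the appliance, so the "
                        "PEM file must also contain its private key")
    return {"certificates": len(certificates), "has_private_key": has_key,
            "problems": problems}


def _constructed_block(label: str) -> str:
    """Constructed placeholder block: a minimal DER SEQUENCE, not a real
    certificate or key, so the example runs without any secret material."""
    body = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed inputs: a server certificate, one intermediate and the key,
# versus a file holding only the server certificate.
CHAIN_WITH_KEY = (_constructed_block("CERTIFICATE") + _constructed_block("CERTIFICATE")
                  + _constructed_block("RSA PRIVATE KEY"))
CERT_ONLY = _constructed_block("CERTIFICATE")
```

A single CERTIFICATE block in the result is the signal to go back to the CA for the intermediate certificates before importing, as the PEM description above requires.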

Service Certificates

The System > Certificates > Services page displays the services that require certificates for delivering encrypted data. The Administration Server and End User Digest services always appear. If you have an appliance, and you have enabled TLS on the Appliance > SMTP Encryption page, the SMTP Server service also displays. If you created Domain Profiles, services for each one also display as Secure Reader: <FQDN_for_the_profile> on the Services page. Note that only the Config Master will display entries for Domain Profiles. If you have a cluster and select an agent from the drop-down list, entries for the Domain Profiles do not display. When you assign a certificate to a Domain Profile, the certificate is applied to all Secure Reader agents in the cluster.

The self-signed digital certificate provided by Proofpoint for these services appears in the Certificate list. If you imported additional certificates, they will also appear in the Certificate list, allowing you to select different certificates for the services. The list only reflects the certificates currently being managed in the Certificates list on the System > Certificates > Certificates page. If you add or delete a certificate from this list, the Certificate list is updated accordingly.

Publisher Certificates

The Proofpoint Protection Server provides a list of certificates for the most commonly trusted Certificate Authorities. If necessary, you can copy the certificates for these publishers to your local system or import new publisher certificates to the Proofpoint Protection Server. Use the System > Certificates > Publishers (CA) page to view, download, import, and delete certificates.

Importing Publisher Certificates

To import additional publisher certificates, click Import and enter the certificate file or browse to the file in the Import CA Certificate pop-up window. The Status column indicates whether the certificate is valid or expired.
The Issued To column displays to whom the certificate was issued. The Expires column displays the date the certificate will expire, and the Chain column indicates the number of certificates in a chain. To view the details of the certificate in the Display Certificate pop-up window, click the data in the Certification Authorities list. If the certificate is a chained certificate, the Display Certificate pop-up window will display each certificate sequentially.

Downloading Publisher Certificates

To download a publisher certificate to your local system, click Download and save the file to a location on your system. A "Download complete" message box appears when the certificate is successfully copied.

Deleting Publisher Certificates

To delete a publisher certificate, select the check box for it and click Delete.

About Custom MIME Types

The scanning engine packaged with the Proofpoint Protection Server can detect nearly 400 document types. In addition, nearly 400 MIME types are supported and listed in the System MIME Type list. However, your organization may have unique MIME types or documents not already supported by the Proofpoint Protection Server. If you want the Proofpoint Protection Server to be able to identify and filter for your organization's unique MIME types, use the MIME Types feature to add and define them using a set of conditions. Signatures are created for the MIME types you create, which can then be used to identify other like MIME types attached to or included in an email message. The filtering modules use the same method of comparing signatures to scan and identify MIME types that contain partial or full matches in the body, attachments, or compressed archives.

Once you have added custom MIME types, create a rule that determines how these MIME types are handled when filtered by the Proofpoint Protection Server modules. For example, you may want to create a rule that quarantines any message with an attachment identified as a CAD file (.catiav5).

Note: The custom MIME types you add override any existing MIME types of the same document type supported by the scanning engine.

You can create conditions for custom MIME types by using either of the following methods independently or in combination:
Manually build a condition by entering the characters and offset. You can build composite conditions by using the AND or OR logical operators.
Automatically build a condition by comparing up to three files of the same type that already exist on your system or network.

Overview of Conditions and Sub Conditions

When you add two or more conditions, the logical operator for each condition is OR. When you add two or more sub-conditions, the logical operator between the sub-conditions is OR and the logical operator between the condition and the sub-conditions is AND. For example:
Condition A AND (sub-condition B OR sub-condition C).
Condition A OR condition D.

Manually Adding Custom MIME Types

You can add a custom MIME type to the Proofpoint Protection Server by manually building conditions that define the MIME type. Use this method independently of the file comparison method, or use it in combination to define and create a condition for a custom MIME type. (See Comparing Files to Add Custom MIME Types.)

To manually create a custom MIME type condition:
1. Click Add on the System > File Type Profiler > User Defined page.
2. For the Basic Information, enter the following information in the Add MIME Type pop-up window:
MIME Type - enter the MIME type. It is important that you use the proper syntax when entering the MIME type. You must enter the content type first, then a forward slash, followed by the sub type. For example, application/x-catiav5.
Description - enter a description for the file. For example, CAD tool.
Extensions - enter the file extension for the file type. For example, catiav5. Do not include a dot (.) before the file extension.
3. Click Next.
4. For Document Attributes, build the conditions and, if applicable, the sub-conditions for the MIME type. Enter the characters you want to detect in the Match field.

87 Chapter 4 - Proofpoint Protection Servers Enter a value that represents the location in the file where the characters are located in the Offset field. For example, 0 (zero) corresponds to the beginning of the file, and 10 corresponds to the tenth character in the file. 5. Click Add to add the MIME type condition. The Edit, Delete, Add Sub Condition, and Add New OR Condition links appear. If needed, continue building the condition by adding additional AND or OR sub conditions. 6. Click Next when you complete the condition. Finish displays the condition. 7. Click Finish. The new MIME type displays in the MIME Type list. Comparing Files to Add Custom MIME Types You can add a custom MIME type to the Proofpoint Protection Server by comparing the conditions of up to three existing similar documents. Use this method independently of the manual method (Manually Adding Custom MIME Types) or use it in combination to define and create a condition for a custom MIME type. To create a custom MIME type condition by comparing two documents: 1. Click the Settings link under System in the navigation pane. 2. Click the File Type Profiler tab. Click the User Defined tab. 3. Click Add in the User Defined MIME Type list. 4. In the Add MIME Type pop-up window, enter the following information for Basic Information: MIME Type enter the MIME type. It is important that you use the proper syntax when entering the MIME type. You must enter the content type first, a forward slash, followed by the sub type. For example, application/x-catiav5. Description enter a description for the file. For example, CAD tool. Extensions enter the file extension for the file type. For example, catiav5. Do not include a dot (.) before the file extension. 5. Click Next. 6. Click the Compare Files For Matching Conditions button. 7. For File 1 and File 2, browse to locate the files you want to use for comparison. File 3 is optional. 8. 
In the Compare Files for Matching pop-up window, enter or provide information for the following parameters: Scan Size how much of the file should be scanned in bytes. If the value is zero (0), the entire file is scanned. Scan Bytes Offset where in the file should scanning begin. If the value is zero (0), the scanning starts at the very first character in the file. Max Number of Matches maximum number of shared values that have to match. For example, if you enter 4, no more than 4 shared values will be matched. Maximum Match Length number of characters that need to comprise the shared values. 9. Click Compare. The matching values appear as a condition in the File Matching Condition text box. 10. If needed, you can add additional conditions and sub conditions. Click Add, then click the Add New Or Condition and Add Sub Condition links. 11. Click Next when you complete the condition. Step 3 displays the completed condition. 12. Click Finish. The new MIME type displays in the MIME Type list. Once you finish defining MIME types and creating conditions for them, create rules in the Firewall, Spam Detection, and Digital Assets modules to determine how to process mail containing any of the custom MIME types. 57

Related Topics:

See Creating Firewall Rules for information about creating rules for MIME types in "Email Firewall Module."
See Adding Custom Rules for information about creating rules for MIME types in "Spam Detection Module."
See Creating Digital Assets Rules for information about creating rules for MIME types in "Digital Assets Module."

Managing Custom MIME Types

Managing custom MIME types includes the following tasks:

- Determine the number of entries to display.
- Search for custom MIME types.
- Identify or test existing MIME types on your system.
- Delete custom MIME types.
- Import custom MIME types.

Testing a MIME Type File

If the MIME type of a file is uncertain, use the Test File link to determine its true MIME type. You can use the results of the test to determine whether a particular MIME type is already supported by the existing system MIME types or whether you need to add it to the User Defined MIME Type list.

1. Click the Settings link under System in the navigation pane.
2. Click the File Type Profiler tab, and then click the User Defined tab.
3. Click Test File in the User Defined MIME Type list.
4. In the Test MIME Type File pop-up window, click Browse to locate and select the file you want to test.
5. Click Test. If the file is recognized (as one of the nearly 400 supported MIME types), a message identifies the type of file. If the MIME type is not recognized, a message indicates that the file type was not identified.

Note: If the Proofpoint Protection Server does not recognize the MIME type, it may be an indication that you need to add the MIME type to the User Defined MIME Type list.

Searching Entries

To determine whether you have already added a custom MIME type to the User Defined MIME Type list, enter the extension (for example, xls), file type (Excel), or description (Microsoft) in the Find MIME Type field, and click Search. If the custom MIME type is found, it displays in the list.
Displaying Number of Entries

Select the number of entries to display in the User Defined MIME Type list from the Entries drop-down list.

Deleting Custom MIME Types

To delete a custom MIME type from the User Defined MIME Type list, select the check box next to the entry you want to delete, and click Delete.

Importing MIME Types

One or more custom MIME types can be imported from a shared-mime-info XML file. For example:

<?xml version="1.0" encoding="utf-8"?>
<mime-info xmlns="http://www.freedesktop.org/standards/shared-mime-info">
  <mime-type type="test/sample">
    <comment>sample MIME</comment>
    <magic priority="100">
      <match value="sample text" type="string" offset="0">
      </match>
    </magic>
    <glob pattern="*.sample"/>
  </mime-type>
</mime-info>

The specification can be found here:

System MIME Types

The Proofpoint Protection Server provides nearly 400 predefined MIME types. Use the list of predefined MIME types to determine which types the server supports and which user-defined MIME types you may need to add. You cannot add MIME types to, or delete them from, the list of system MIME types; you can only view and search the predefined system MIME types.

Searching for System MIME Types

You might need to search for a system MIME type to determine whether a certain MIME type is already supported, so that you do not need to add it, or to determine whether the correct version of a MIME type is supported. For example, you might be running an older version of Microsoft Excel and want to see whether it is supported in the System MIME Type list.

1. Click the Settings link under System in the navigation pane.
2. Click the File Type Profiler tab, and then click the System tab.
3. Enter the MIME type in the Find MIME Type field, and click Search. If the MIME type is found, it displays at the top of the list. You can search by the extension (xls), file type (Excel), or description (Microsoft).

Note: If you have difficulty determining whether your file type is supported in the System MIME Type list, you can check the type of the file in question by clicking Test File on the User Defined tab. See Managing Custom MIME Types for more information.
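The following is an added example written for this guide, not Proofpoint's code, that ties together the condition logic from Overview of Conditions and Sub Conditions and the shared-mime-info import format shown under Importing MIME Types. It parses the XML shape above and evaluates it against file contents the way the text describes: top-level match elements are alternative conditions (OR), a nested match is a sub-condition that must also hold (AND with its parent), and sibling sub-conditions are alternatives (OR). Only literal string matches are handled. The XML, the CATIA-like signature values and the sample file bytes are all constructed for the example and are not real signatures.

```python
"""File Type Profiler style condition evaluation over shared-mime-info XML (added example)."""
import fnmatch
import xml.etree.ElementTree as ET

NS = "{http://www.freedesktop.org/standards/shared-mime-info}"

# Constructed sample definitions; the application/x-catiav5 signature is invented.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<mime-info xmlns="http://www.freedesktop.org/standards/shared-mime-info">
  <mime-type type="test/sample">
    <comment>sample MIME</comment>
    <magic priority="100">
      <match value="sample text" type="string" offset="0"/>
    </magic>
    <glob pattern="*.sample"/>
  </mime-type>
  <mime-type type="application/x-catiav5">
    <comment>CAD tool (constructed signature, not a real one)</comment>
    <magic priority="80">
      <!-- condition A AND (sub-condition B OR sub-condition C) -->
      <match value="V5_1R" type="string" offset="0">
        <match value="CATPart" type="string" offset="10"/>
        <match value="CATProduct" type="string" offset="10"/>
      </match>
      <!-- OR condition D; "4:8" means the value may start at any offset from 4 to 8 -->
      <match value="CATIA" type="string" offset="4:8"/>
    </magic>
    <glob pattern="*.catiav5"/>
  </mime-type>
</mime-info>
"""


class Condition:
    """One <match> element: bytes expected at an offset, plus optional sub-conditions."""

    def __init__(self, value, offsets, subs):
        self.value = value      # bytes to look for
        self.offsets = offsets  # candidate start offsets (a single one, or a start:end range)
        self.subs = subs        # nested conditions; at least one must also match

    def matches(self, data):
        hit = any(data[o:o + len(self.value)] == self.value for o in self.offsets)
        if not hit:
            return False
        # Condition AND (sub-condition OR sub-condition ...); no sub-conditions means just the condition.
        return not self.subs or any(s.matches(data) for s in self.subs)


def _parse_match(el):
    if el.get("type", "string") != "string":
        raise ValueError("only string matches are handled in this example")
    value = el.get("value").encode("utf-8")
    off = el.get("offset", "0")
    if ":" in off:
        start, end = (int(x) for x in off.split(":", 1))
        offsets = range(start, end + 1)
    else:
        offsets = [int(off)]
    return Condition(value, offsets, [_parse_match(c) for c in el.findall(NS + "match")])


def load_mime_types(xml_text):
    """Return [(mime, priority, [Condition], [glob pattern])], highest priority first."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    types = []
    for mt in root.findall(NS + "mime-type"):
        magic = mt.find(NS + "magic")
        conds = [_parse_match(m) for m in magic.findall(NS + "match")] if magic is not None else []
        prio = int(magic.get("priority", "50")) if magic is not None else 0
        globs = [g.get("pattern") for g in mt.findall(NS + "glob")]
        types.append((mt.get("type"), prio, conds, globs))
    return sorted(types, key=lambda t: -t[1])


def identify(data, types):
    """Return the MIME type whose conditions match the content, or None (the file name is ignored)."""
    for mime, _prio, conds, _globs in types:
        if any(c.matches(data) for c in conds):
            return mime
    return None


def extension_mismatch(filename, data, types):
    """True when the content is recognised but the file name carries none of that type's globs."""
    mime = identify(data, types)
    if mime is None:
        return False
    globs = next(g for m, _p, _c, g in types if m == mime)
    return not any(fnmatch.fnmatch(filename.lower(), g.lower()) for g in globs)


TYPES = load_mime_types(SAMPLE_XML)
```

Because identification looks only at the bytes, a renamed attachment is still classified by its content; extension_mismatch is the check a rule would key on when the name and the detected type disagree.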
Displaying Number of MIME Type Entries

Select the number of entries to display in the File Type Profiler list from the Entries drop-down list.

DNS Block List

Domain Name Server Block List (DNSBL) servers maintain lists of IP addresses that continuously send spam. Organizations can subscribe to these lists so that they can block mail originating from the IP addresses on them. If your organization subscribes to one or more DNS block lists, you can configure the Proofpoint Protection Server to look up connecting IP addresses in those lists to help curtail the flow of spam attempting to enter your organization's infrastructure.

The DNSBL domains added to the DNS Block List only control the lookup; they do not by themselves block mail originating from the IP addresses on the lists. Create Email Firewall and Spam Detection rules with conditions that reject email originating from IP addresses found on specific DNS block lists. See Creating Firewall Rules in "Email Firewall" and Adding Custom Rules in "Spam Detection Module" for more information.

The DNS Block List feature also allows you to select "safe routes": IP addresses that are never looked up in, or blocked by, the DNS block lists.

Setting Safe Routes for DNS Block Lists

The Proofpoint Protection Server provides default Policy Routes that can be used to direct and control traffic. Connections from IP addresses that match a safe route are exempt from DNSBL lookups. This is particularly important if you use private IP network space, because private networks are likely to be listed on DNS block lists. Exempting them from lookups also prevents information about an internal IP address from being leaked to DNSBL servers. Add your own internal networks to the internalnet Policy Route so that email originating from your network is not blocked if any of your networks' IP addresses are listed on one of the DNS block lists.

Before adding DNSBL domains to the DNS Block List, add your internal networks to the internalnet Policy Route on the Policy Routes page. See Creating and Modifying Policy Routes in "Proofpoint Protection Server" for instructions.

To select a safe route for the DNS block lists:

1. Use the System > DNS Block List > Safe Routes page to add safe routes.
2. Select one or more Policy Routes in the Available list to move them to the Disable for any of list. Select more than one route by holding the Ctrl key. The internalnet Policy Route is provided by default; update it with your own internal network information before configuring any DNSBL domain.
3. Click Save Changes.

Note: The selected (highlighted) routes on the list are the safe Policy Routes when you save the changes. Whenever you select different routes or change the list, your changes overwrite the previous settings.

For an introduction to Policy Routes, see Policy Routes in "Rules and Delivery Dispositions."
Adding DNSBL Domains

When you add a DNSBL domain, it is configured to check for TXT records, which the majority of DNSBL servers support. If a DNSBL domain on the DNS Block List is configured to check TXT records but the server does not support them, the IP addresses are still looked up, but the lookup always returns a negative result.

To add a DNSBL domain to the Proofpoint Protection Server:

1. Use the System > DNS Block List > DNS Block List page to add the DNSBL domains you want to use.
2. Click Add.
3. In the DNS Block List pop-up window, enter information or make selections for the following parameters:
   ID: enter a name for the DNSBL entry.
   Domain: enter the fully qualified domain name of the server that provides the DNS block list.
   Resolver: the Resolver represents a set of parameters used to resolve lookups. Select default unless instructed otherwise by Proofpoint technical support. The prs resolver is used by Proofpoint Reputation Services.
   Has TXT record: by default, Yes is selected. If the DNSBL server does not support TXT records, select No.
4. Click Test to verify that the domain name is valid.
5. Click Add and New to save the current DNSBL domain and add another, or click Add Entry if you are finished adding DNSBL domains.
6. Click Close when you are done.
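The following is an added example written for this guide, not Proofpoint's code, showing what the safe-route and Has TXT record settings above control. An IP inside a safe route (standing in for the internalnet Policy Route) is never queried, so nothing about it reaches the DNSBL operator; any other IP is queried as its reversed octets under each enabled DNSBL domain. When a list is configured for TXT records, the TXT answer supplies the listing reason, and a list that returns no TXT record then never produces a positive result, which is the failure mode the text describes. DNS answers come from a stub resolver loaded with constructed data so the example runs offline; the DNSBL domain names are placeholders.

```python
"""DNS block list lookup with safe routes (added example, IPv4 only)."""
import ipaddress


def dnsbl_query_name(ip, dnsbl_domain):
    """Build the queried name: the address's octets reversed, under the list's domain."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 lookups only")
    return ".".join(reversed(str(addr).split("."))) + "." + dnsbl_domain


def in_safe_routes(ip, safe_routes):
    """True when the IP falls inside any safe-route network (CIDR strings)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in safe_routes)


class StubResolver:
    """Stands in for DNS. An A answer marks a listing; the TXT answer carries the reason."""

    def __init__(self, a_records, txt_records):
        self.a_records = a_records
        self.txt_records = txt_records

    def lookup_a(self, name):
        return self.a_records.get(name)   # None models NXDOMAIN: not listed

    def lookup_txt(self, name):
        return self.txt_records.get(name)


def check_sender(ip, dnsbls, safe_routes, resolver):
    """Return {'looked_up': bool, 'hits': [(id, a_answer, txt_reason), ...]}.

    Each dnsbls entry mirrors the Add DNSBL form: id, domain, has_txt, enabled.
    """
    if in_safe_routes(ip, safe_routes):
        return {"looked_up": False, "hits": []}   # exempt: no query leaves the network
    hits = []
    for bl in dnsbls:
        if not bl["enabled"]:
            continue
        name = dnsbl_query_name(ip, bl["domain"])
        answer = resolver.lookup_a(name)
        if answer is None:
            continue
        reason = None
        if bl["has_txt"]:
            reason = resolver.lookup_txt(name)
            if reason is None:
                # Configured to check TXT but the list publishes none: result is negative.
                continue
        hits.append((bl["id"], answer, reason))
    return {"looked_up": True, "hits": hits}


# Constructed configuration and DNS data for the example (placeholder domains).
SAFE_ROUTES = ["10.0.0.0/8", "192.168.0.0/16"]
DNSBLS = [
    {"id": "sample", "domain": "dnsbl.example.test", "has_txt": True, "enabled": True},
    {"id": "notxt", "domain": "notxt.example.test", "has_txt": False, "enabled": True},
    {"id": "broken", "domain": "broken.example.test", "has_txt": True, "enabled": True},
    {"id": "off", "domain": "off.example.test", "has_txt": False, "enabled": False},
]
RESOLVER = StubResolver(
    a_records={
        "10.2.0.192.dnsbl.example.test": "127.0.0.2",
        "7.100.51.198.notxt.example.test": "127.0.0.2",
        "5.113.0.203.broken.example.test": "127.0.0.2",   # listed, but no TXT published
        "5.113.0.203.off.example.test": "127.0.0.2",      # list disabled, so never queried
    },
    txt_records={"10.2.0.192.dnsbl.example.test": "constructed listing reason"},
)
```

As the text notes, a hit here only feeds a rule condition; whether the connection is rejected is decided by the Email Firewall or Spam Detection rule that references the list.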

Adding a Domain for Proofpoint Dynamic Reputation

If you deployed Proofpoint Dynamic Reputation, you received a URL from Proofpoint that points to a database of IP addresses gathered by netmlx technology. Enter this URL in the Domain field when you create the entry for Dynamic Reputation in the DNS Block List.

Enabling and Disabling DNSBL Domains

To enable a DNSBL domain, select the check box next to the domain. The Proofpoint Protection Server performs lookups only against enabled domains. To disable a DNSBL domain, clear the check box next to it. Save your changes when you are done.

About System Settings

Several system settings affect the general operation of the Proofpoint Protection Server, including auditing mail, inspecting compressed archives, detecting document types, and deciding which recipient address to use. Read the following instructions for the settings on the System > Settings > System page:

- Using Evaluation Audit Mode
- Sending Host IP
- Using the Recipient Address
- Splitting All Recipient Groups
- Splitting Envelope Based on Recipient Policy Routes
- Enabling Traffic Statistics Reporting
- Enabling Honeypoint
- Inspect Compressed Archive
- Extract Text Content
- Enabling Sub-addressing
- Enabling ICAP
- Document Type Detection
- Using the Recipient Domain Mapper

Using Evaluation Audit Mode

This feature allows administrators to evaluate, test, and analyze the value added by the Proofpoint Protection Server without affecting the flow of email in the organization. Two audit modes are available: Full System Audit and Quarantine Audit. When the Proofpoint Protection Server operates in Full System Audit mode, administrators can audit everything the Proofpoint Protection Server would do, without the original mail stream actually being altered.
For example, if you create a rule that removes an attachment from a message before delivering it to the original recipient and places a copy in the Quarantine, the original message is delivered to the original recipient with the attachment still included; the copy in the Quarantine has the attachment stripped. If you create a rule that adds [Spam] to the Subject header and places a copy in the Quarantine, the message delivered to the original recipient does not include the new Subject header, but the copy in the Quarantine does. Users receive their messages as if no filtering were taking place, while the administrator can view the logs, create reports, and see message details in the Quarantine to analyze how the Proofpoint Protection Server would process and modify messages.

In Quarantine Audit mode, the Proofpoint Protection Server applies dispositions and delivery options to messages as it normally would (for example, adding headers, scoring for spam, removing attachments, and so forth) according to the rules applied by the filtering engines. If you create a rule that adds [Spam] to the Subject header and places a copy in the Quarantine, both the message delivered to the original recipient and the copy in the Quarantine contain the new Subject header. In Quarantine Audit mode, only the Reject and Discard delivery dispositions are ignored: if a rule is triggered that would discard or reject the original message, the original recipient still receives the original message.

To enable auditing, navigate to the System > Settings > System page and click the On radio button for Enable Audit Mode. Click the radio button for the type of auditing you want to enable, and then save your changes.

Related Topics:

See About the Quarantine in "Quarantine" for general information about messages in the Quarantine.
See Viewing and Managing Messages in "Quarantine" for information about viewing messages, and Simple Searches for information about searching for messages in the Quarantine.

Sending Host IP

For Sending Host IP, determine whether the traffic from the sending host (from the Internet) is to be used for data analysis. If you have intermediate MTAs between the Internet sending host and the Proofpoint Protection Server, select which Received header to use so that the Proofpoint Protection Server can determine the IP address to use for data analysis and reputation services.

Use actual sending host IP. Click this radio button if there are no MTAs between the Internet and the Proofpoint Protection Server.

Look back <value> hops to determine the sending host IP address. Click this radio button if you do have MTAs between the Internet and the Proofpoint Protection Server, and select a value from the list. For example, if you have one MTA between the Internet and the Proofpoint Protection Server, select 1. If you have two MTAs, select 2.

Important: If you select the Look back <value> hops to determine the sending host IP address radio button, do not enable the default restrict rule or any rules that limit the acceptance rate, because your organization has already accepted the traffic.

Splitting All Recipient Groups

If a message is addressed to more than one recipient, and each recipient has a different spam policy or filtering policy, the envelope is split so that each recipient receives the message with the correct spam policy or filtering policy applied. This is implemented by filtering the original message for the first recipient on the list, removing the other recipients from the original message, and making copies of the original message for the other recipients. The copies are re-filtered by the filtering engines so that the appropriate policies can be applied.

If your organization defines complex Policy Routes by envelope sender or recipient and requires those routes only for groups of recipients with the same spam policy, you need the original message to be discarded and a new message created for the first recipient. This is because routes are determined cumulatively throughout the SMTP session, and the original message would match the routes of all original recipients. If you enable Split All Recipient Groups on the System > Settings > System page, copies of the original message are created and filtered for all recipients that share the same characteristics, and the original message is discarded. For example, if usera and userb belong to the same spam policy group and the same Policy Route, they receive the same copy of the message. Similarly, userc and userd, who belong to a different spam policy and Policy Route, receive the same copy of the message for their route. The original message addressed to all four users is discarded.

The disadvantage of enabling Split All Recipient Groups is that it requires more processing time. The advantage is that the path of each message through the filtering engines can be traced to one unique Policy Route.
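The following is an added example written for this guide, not Proofpoint's code, illustrating the Sending Host IP setting described above. Each MTA prepends a Received header, so the top header was added by the last hop. The example takes hop 0 to be the host that connected to the Protection Server (the actual sending host) and treats Look back N hops as walking N headers further down and taking the "from" IP recorded there, which is the address that connected to the Nth intermediate MTA. Which Received header the product itself records first is an assumption of the example, not something the guide states. The headers are a constructed sample with two internal MTAs in front of the server.

```python
"""Select the sending host IP from Received headers with a hop look-back (added example)."""
import email
import ipaddress
import re

# Constructed sample: Internet sender -> edge MTA -> internal MTA -> Protection Server.
SAMPLE_HEADERS = (
    "Received: from mta-internal.example.test (mta-internal.example.test [192.168.10.5])\r\n"
    "\tby pps.example.test with ESMTP id 0123456789; Mon, 6 Feb 2012 10:00:02 -0800\r\n"
    "Received: from edge.example.test (edge.example.test [192.168.1.2])\r\n"
    "\tby mta-internal.example.test with ESMTP; Mon, 6 Feb 2012 10:00:01 -0800\r\n"
    "Received: from mail.sender.example.test (mail.sender.example.test [203.0.113.25])\r\n"
    "\tby edge.example.test with ESMTP; Mon, 6 Feb 2012 10:00:00 -0800\r\n"
    "From: someone@sender.example.test\r\n"
    "Subject: constructed sample\r\n"
    "\r\n"
    "body\r\n"
)

# "from <name> (<reverse-dns> [<ip>])": the first bracketed IPv4 after "from" in the clause.
_FROM_IP = re.compile(r"\bfrom\b[^;]*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.IGNORECASE | re.DOTALL)


def received_ips(raw_message):
    """Return the 'from' IP of each Received header, most recent first; None where unparsable."""
    msg = email.message_from_string(raw_message)
    ips = []
    for value in msg.get_all("Received", []):
        m = _FROM_IP.search(value)
        if m is None:
            ips.append(None)
            continue
        try:
            ips.append(str(ipaddress.ip_address(m.group(1))))
        except ValueError:   # bracketed text that is not a valid address
            ips.append(None)
    return ips


def sending_host_ip(raw_message, look_back_hops=0):
    """IP to use for analysis: hop 0 is the connecting host, N looks back N Received headers.

    Returns None when the message has fewer Received headers than the hop count asks
    for, so a hop count that exceeds the real topology does not pick an unrelated header.
    """
    ips = received_ips(raw_message)
    if look_back_hops < 0 or look_back_hops >= len(ips):
        return None
    return ips[look_back_hops]
```

The hop count must match the number of MTAs you actually operate: with too small a value the analysis scores your own relay, and with too large a value it trusts a header that an external sender wrote.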

Splitting Envelope by Recipient Policy Route

If a message is addressed to several recipients and the recipients belong to different Policy Routes (Policy Route condition Envelope Recipient Equals <value>), the envelope is split for each recipient and the messages are reinjected into the filtering engines for processing. By enabling this feature, administrators can create spam policies and filtering rules for recipients in specific domains. You can enable or disable this feature by selecting On or Off for the Split Envelope Based on Recipient Policy Route parameter on the System > Settings > System page.

Using the Recipient Domain Mapper

Large organizations can receive email that includes subdomains in the addresses, or machine-specific addresses. The Domain Mapper feature, when enabled, maps the known aliases for a recipient to the recipient's primary standard address. It does not modify the original recipient address of the message unless the message is stored in the Quarantine, in which case the recipient address of the message in the Quarantine is changed to the primary standard address. For example: can be mapped to

Use Cases

- A Digest goes to a single mailbox with messages addressed to multiple aliases that are not in the User Repository.
- If a user in your organization has several aliases, you do not have to add all of the aliases for that user to the User Repository.

Scope

The Proofpoint Protection Server uses the recipient address in several components of the product, including:

- To look up a user in the User Repository, to verify that the recipient is legitimate before checking the recipient's Safe Senders and Blocked Senders lists.
- To enable Recipient Verification in the Email Firewall.
- To place a copy of an email message in a Quarantine folder.
- To include a message in the Digest.
- To create Policy Routes based upon the recipient address.
- To trigger rules based upon the recipient address in any of the filtering modules.

When you enable the Domain Mapper feature, it automatically limits the mapping scope to user lookups, Recipient Verification, and messages in the Quarantine. If you want to extend the mapping scope to the rules in the filtering modules and to Policy Routes, select On for Extend Mapping Scope To Include Rules and Routes.

Examples

- If the recipient address is message will be stored in the Quarantine with the address
- A message addressed to will be included in the Digest that is sent to
- If you enabled Recipient Verification and are using the User Repository as the source for Recipient Verification, a message sent to will be validated against
- If you create a Policy Route based upon Envelope Recipient Equals the Policy Route will apply to Envelope Recipient Equals

If you want to maintain rules and Policy Routes based upon the full address, or want to maintain routing information in the recipient address, do not select On for Extend Mapping Scope To Include Rules and Routes.

Important: If you already have messages in the Quarantine when you enable the Domain Mapper, the mapping does not apply to those messages; it applies only to new messages entering the Quarantine.

Enabling the Domain Mapper

To enable the Domain Mapper, select On for Enable Recipient Domain Mapper on the System > Settings > System page.

Extend Mapping Scope To Include Rules and Routes

In the Match Recipient Domain field, enter the domains you want to re-map to the primary standard domain, separated by commas. For example: example1.com,example2.com,example3.com

In the Map Domain To field, enter the primary standard domain for your organization.

Using the Recipient Address

The Proofpoint Protection Server can use one of two addresses for delivering email, handling split envelopes, and matching addresses in the User Repository: the original SMTP recipient address, or a rewritten address defined by alias lookup or LDAP routing configurations. By default, On is selected for the Use Original Recipient Address For Filtering parameter. Select Off only if address rewriting is in effect and user profiles are added to the User Repository using the rewritten address.

Note: The Use Original Recipient Address For Filtering parameter is disabled if SMTP Turbocharge is enabled.

Enabling Traffic Statistics Reporting

If you would like to send traffic statistics to Proofpoint for analysis, click On for Enable Traffic Statistics Feedback to Proofpoint on the System > Settings > System page. Proofpoint automatically collects this data and uses it to improve filtering effectiveness. Once enabled, the total number of data queues sent to Proofpoint for analysis appears under Data Queues in the Storage column of the Server Status tab on the System > Summary page.

Enabling Honeypoint

Honeypoint gives you the ability to help Proofpoint maintain and improve anti-spam effectiveness. If you have email addresses within your organization that currently receive only spam, you can use Honeypoint to submit those messages to Proofpoint for analysis and MLX training. This helps Proofpoint keep spam out of your inboxes. To enable Honeypoint, select On for the Enable Honeypoint Feedback To Proofpoint parameter on the System > Settings > System page, and then save your changes.

Inspect Compressed Archives and PE Encrypted Messages

If you are not licensed for Proofpoint Encryption, this parameter is named Inspect Compressed Archives on the System > Settings > System page. Enabling Inspect Compressed Archives and PE Encrypted Messages results in the following behavior:

- The Proofpoint Protection Server decompresses attached archives, and archives within archives, so that the files they contain are exposed to the filtering engines for processing. For example, once the archive is decompressed, the contents of each file in the archive can be scanned using the Extract Text Content feature.
- If you have a license for Proofpoint Encryption, messages that have been decrypted with the Secure delivery method are also scanned by the filtering modules.

Although the files within an archive are processed individually, the actions taken by the filtering modules are applied to the entire archive, not just to the file or document within the archive that triggered a rule. The Inspect Compressed Archive feature decompresses specific archive types, including zip, RAR (single volume), tar, gzip, and TNEF (winmail.dat).

Important: If you disable Inspect Compressed Archives, you will see an improvement in performance, but files in archives bypass filtering by the Email Firewall, Regulatory Compliance, and Digital Assets modules. If you are licensed for Proofpoint Encryption and disable Inspect Compressed Archives and PE Encrypted Messages, any rule with Secure selected for the Delivery Method and Decrypt selected for the Secure Action will no longer be triggered.

If necessary, you can also exclude certain compressed archives from inspection by entering their file extensions or MIME types, separated by commas, in the Archive Scanning Exclusion List field. For example, to exclude zip archives from inspection, enter zip,application/zip in the Archive Scanning Exclusion List. (Do not use spaces in the list of file types to exclude.)

Related Topics:

For information about scanning and extracting document content, see Extract Text Content.
For information about detecting the true type of a file or document, see Detect Document Type.
For information about decrypting messages that were encrypted with the Proofpoint Encryption Microsoft Office Outlook Plugin, Premium version, see Secure in "Rules and Delivery Dispositions."

Detect Document Type

The scanning engine bundled with the Proofpoint Protection Server automatically detects the true document type of single attachments and of documents within compressed archives. The scanning engine detects over 400 different document types. It can also identify password-protected documents, such as Word, Excel, and zip files.

Important: The scanning engine cannot detect the document types of Microsoft files embedded within a Microsoft file. For example, if <file>.doc contains an embedded <file>.xls, the scanning engine cannot detect the <file>.xls. The scanning engine identifies only the document type of the file that contains the embedded file, not the embedded file.

The scanning engine does not rely upon the extension of the document (for example, .txt, .doc, .ppt, or .exe) to determine the document type. Instead, it checks the signature of the file type in the header, body, and footer of the message. Once the document type is identified, the true extension is appended to the file name. For example, if the file name was product_release.ppt and it was changed to product_release.doc, the Proofpoint Protection Server appends .ppt to the end of the file name, like this: product_release.doc.ppt. The process of determining the true document type and appending the extension is entirely transparent to the user: the user never sees any change to the original attachment. The same is true for messages delivered to the Quarantine; the attachments appear unchanged.

This feature is especially useful if the extension of a document is not recognizable or has been tampered with in the hope that the true document type will not be detected and the document will be delivered. Rules created for handling certain extensions remain effective because the true document type is detected. For example, if an email message included an attached document whose extension had been changed from .pps to .doc, the Detect Document Type feature identifies the true document type, allowing the filtering modules to take the appropriate action. If, for example, you have an Email Firewall rule that deletes PowerPoint attachments, the attachment is properly identified by the scanning engine and then deleted. If the scanning engine detects the altered extension for the .pps document within an archive, the entire archive is deleted, not just the document that triggered the Email Firewall rule.

The Detect Document Type feature is always enabled. You can exclude certain file extensions or MIME types from detection. To do so, navigate to the System > Settings > System page and enter the file extensions or MIME types, separated by commas, in the Document Detection Exclusion List field. For example, to exclude graphic files from inspection, enter jpeg,gif,bmp in the Document Detection Exclusion List. (Do not use spaces in the list of file types to exclude.) Save your changes when you are done.

Detect Document Type and uuencoded Messages

If a message or attachment includes plain text before the BEGIN section of a uuencoded block, the Detect Document Type feature can detect and decode the uuencoded block as long as the plain text is less than 1K in size. If the plain text exceeds the 1K limit, the uuencoded block cannot be decoded. When the plain text before the BEGIN section is less than 1K in size, the decoder discards the plain text before decoding the message or attachment.

Extract Text Content

The Extract Text Content feature scans and extracts the contents of any attached file supported by the scanning engine bundled with the Proofpoint Protection Server. The scanning engine can scan and extract text from over 300 different document types. Any document the scanning engine cannot scan is simply ignored. For example, the scanning engine cannot inspect executable files.

Note: If necessary, you can create an Email Firewall rule to filter for messages with executable files.

Important: The scanning engine cannot extract the content of a non-Microsoft file embedded within a Microsoft file. For example, if <file>.doc contains an embedded <file>.pdf, the scanning engine cannot extract the content of the <file>.pdf. However, if a Microsoft file is embedded within another Microsoft file, the scanning engine can extract the content of both files. For example, if <file>.doc contains an embedded <file>.pps, the content of both files is extracted.

The scanning engine not only scans the contents of single attachments and compressed archives, but can also scan the contents of files within archives nested in other archives. To scan files within a compressed archive, you must enable the Inspect Compressed Archive feature.
If you use either the Digital Assets or Regulatory Compliance modules, and you want these modules to be able to scan documents other than HTML or text, do not disable the Extract Text Content feature. See About the Regulatory Compliance Module and About the Digital Assets Module for more information.

Note: The Extract Text Content feature can affect the performance of the Proofpoint Protection Server. Proofpoint suggests that you take advantage of the Document Extraction Exclusion List to reduce the types of documents that are scanned, thereby minimizing the resources required to scan the contents of every message attachment that passes through the filtering engine.

To exclude certain documents from being scanned, navigate to the System > Settings > System page and enter the file extensions or MIME types, separated by commas, into the Document Extraction Exclusion List field. For example, to exclude graphic files from being inspected, enter "jpeg,gif,bmp" (without the quotation marks) into the Document Extraction Exclusion List. (Do not use spaces in the list of file types to exclude.) Save your changes when you are done.

Enabling Sub-addressing

The Enable Sub-addressing parameter supports sub-addressing when recipient verification is enabled. When sub-addressing is enabled, the filtering engines first use the original recipient address for recipient verification. If the verification fails and the recipient address contains a non-leading + in it, the filtering engines remove the part of the address after the + and up to the @ and repeat the verification. For example, for a recipient address of the form user+tag@example.com (an illustrative address), the filtering engines use user@example.com for recipient verification if user+tag@example.com fails verification.

Enabling ICAP

If your network has a proxy server that is ICAP-compatible, you can filter HTTP content as well as SMTP mail for data loss prevention. See About ICAP and Creating DLP Rules for HTTP Content for more information about ICAP.
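The recipient-verification fallback described under Enabling Sub-addressing above, as an added Python example (not Proofpoint code). The directory of known recipients, the mailbox names and the lookup function are constructed stand-ins for the real verification source (LDAP or a local list); the handling of a leading + follows the page's "non-leading +" wording.

```python
from typing import Callable, Optional

# Added example (not Proofpoint code): the recipient-verification fallback that
# the Enable Sub-addressing parameter describes, with the edge cases handled.


def strip_subaddress(address: str) -> Optional[str]:
    """Return the address with the sub-address tag removed, or None when the
    local part has no non-leading '+' (the page's condition for a retry).
    A leading '+' is part of the mailbox name and does not count."""
    if address.count("@") != 1:
        return None
    local, domain = address.split("@")
    plus = local.find("+", 1)  # first '+' that is not the leading character
    if plus < 1:
        return None
    return f"{local[:plus]}@{domain}"


def verify_recipient(address: str, is_valid: Callable[[str], bool],
                     subaddressing: bool = True) -> Optional[str]:
    """Recipient verification with the sub-addressing fallback.
    Returns the address that passed verification, or None if both attempts failed."""
    if is_valid(address):          # step 1: always try the original address first
        return address
    if not subaddressing:          # the fallback applies only when the parameter is on
        return None
    base = strip_subaddress(address)
    if base is None:
        return None
    return base if is_valid(base) else None


# Constructed directory standing in for the real recipient-verification source
# (LDAP or a local list); the mailboxes are illustrative.
KNOWN_RECIPIENTS = {"alice@example.com", "+ops@example.com", "a+b@example.com"}


def lookup(address: str) -> bool:
    return address.lower() in KNOWN_RECIPIENTS


if __name__ == "__main__":
    for addr in ["alice+news@example.com", "+ops+pager@example.com",
                 "bob+x@example.com", "a+b@example.com"]:
        print(addr, "->", verify_recipient(addr, lookup))
```

Note that a mailbox that itself contains a + (a+b@example.com) is accepted on the first attempt and never stripped, and that an unknown base address still fails, so enabling sub-addressing widens what is accepted only to tagged forms of mailboxes that already verify.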
Select On for the Enable ICAP Settings parameter to filter HTTP content through the Regulatory Compliance and Digital Assets modules. The Rules page in the Regulatory Compliance and Digital Assets modules will display separate SMTP and HTTP columns, so that you can enable a rule for SMTP messages, HTTP content, or both.

Chapter 4 - Proofpoint Protection Servers

The Add Rule page in the Regulatory Compliance and Digital Assets modules will display separate tabs for SMTP messages and HTTP content. The delivery method and delivery options differ for each protocol.

Example: Inspect Compressed Archive and Extract Text Content

This example illustrates how the Inspect Compressed Archive and Extract Text Content features work together to provide a comprehensive method for making the files or documents within an archive available for filtering. Once an archive is decompressed, the files are made available for filtering. The contents of the files are scanned, and then the text and original binary files are passed to the modules for filtering. The text and binary files are processed by the filtering modules until a rule is triggered. Once a rule is triggered, the filtering stops and the Proofpoint Protection Server takes the appropriate action for the message based on the disposition of the rule: Deliver Now, Continue, Reject, Retry, Discard, or Re-route.

Examples:
- Business document in Excel format - the content of this document does not contain spam, a virus, or offensive language. This document does not trigger any rules.
- Executable for a small graphics program - the scanning engine cannot scan .exe file types, so this file is ignored.
- Press release in Word format - this press release contains confidential information. This document triggers a Digital Assets rule that rejects the message and sends a copy to the DLP Incident Queue.

Admin Server Settings

The settings on the System > Settings > Admin Server page allow you to set the timeout for the management interface session and select display modes for the management interface.
Setting the Session Timeout for the Management Interface

If the Proofpoint Protection Server does not receive any user input for a period of time, it will automatically "log out" the administrator, requiring the administrator to log back in to the management interface. The session timeout feature allows administrators to control the period of time the management interface can remain idle before logging out the administrator. The Admin Server Session Timeout is set by default to 30 minutes. After 30 minutes, if no changes are made to the Proofpoint Protection Server, the administrator is automatically logged out of the management interface. Enter a new value into the field and save your changes.

Login Settings

Many browsers offer the option to remember your password when you log in to a browser-based interface. To add to the security of the Proofpoint Protection Server management interface, you can disable the browser-based remember-password prompt by selecting Off for the Enable Autocomplete parameter.

If you would like to add custom disclaimer text to the Proofpoint Protection Server login page, enter the text into the Disclaimer text box.

Navigation Menu Settings

These settings control the navigation menu display. The management interface is persistent, so that when an administrator logs off from the management interface and then logs back in, his or her view from the previous session is displayed.

Default Display Mode controls the default view for the management interface. Since the management interface is persistent, the default view is displayed when you log in with a specific browser, and it will be the last view displayed when you logged out of the same browser. The following choices are available for the default display mode:
- Basic Mode. This mode displays the most common navigation links used by administrators.
- Advanced Mode. This mode displays all of the navigation links, but collapses and expands the links under the main entry in the navigation pane.
- Advanced Mode (Expanded). This mode displays all of the navigation links without the option of collapsing and expanding the links under each main entry in the navigation pane.

Enable Persistence allows for persistent views and promotion of menu items. When an administrator logs back in to the Proofpoint Protection Server management interface, the management interface displays exactly what was displayed when the administrator logged off. If you disable persistence, the Enable Sticky Tabs and Enable Sticky Menu choices are also disabled.
Enable Sticky Tabs, when enabled, displays the tab the administrator was last working on when he or she clicks a navigation link.

Enable Sticky Menu, when enabled, displays the navigation pane menu items as they were displayed when the administrator last logged off, once the administrator logs back in to the management interface.

Expiration Time allows administrators to change the time period for saving promoted menu items. For example, if the setting is 14 days, persistence remains in effect for 14 days. At the end of this period, the management interface returns to its default display mode.

Reset Persistent Menu Settings - clicking this "clears" the persistent settings. The next time an administrator logs in, he or she sees the default display for the management interface, as defined by the Default Display Mode setting.

Evaluation Settings

Administrators can hide the Evaluation link in the navigation pane by selecting Off for the Show Evaluation Page parameter.

Communication Channel Settings

By default, the RSS feed is enabled on the Login page. You can disable the RSS feed by selecting Off for the Show on Login parameter.

External Admin Access Settings

The External Admin Access feature allows administrators to enter an alternative hostname and port number for the Proofpoint Protection Server's URL. If your network configuration is such that the master Proofpoint Protection Server is located on a protected network (for example, in the DMZ or behind a firewall), the address for the Proofpoint Protection Server is not accessible to any system on the standard network. This feature allows you to give users on your standard network access to the Proofpoint Protection Server's management interface when they would normally not have access to it. For example, if your security officer needs to run reports for the Regulatory Compliance Module, he or she would have access to the Proofpoint Protection Server via the External Admin Access. You will also need to set up your routers or firewall to allow access to the Proofpoint Protection Server's management interface. Enter the alternate hostname and port into the corresponding fields under External Admin Access and then click Save Changes.

Viewing Server Status Information

Use the System > Servers page for the following tasks:
- View detailed status for each Proofpoint Protection Server or appliance on the network.
- Add and delete agents.
- Reboot or shut down a server.
- Start, stop, or refresh the processes on a server.
- Change parameters for an existing server.
- Run database utilities. See Database Utilities.
- View process details for diagnostic purposes.

Note: The master Proofpoint Protection Server (Config Master) is always the first one in the list if you have a cluster. You cannot delete the master system.

Status icons:
- Working as expected.
- Warning - needs attention.
- Error - not working as expected or process stopped.

Navigation tips:
- Click the plus sign icon (+) next to the name of a server to view the processes running on that server.
- Click the name of the server to display the Server Information page for the server.
- Click the name of a process to view the details for that process.
- Click the action button to apply an action to the process: Restart, Start, Stop, and Refresh.
- Click the check box next to the name of a server to select it before applying an action to the server: Delete Agent (you cannot delete the master server, Config Master), Reboot, and Shutdown.
The Servers table displays a list of Proofpoint Protection Servers or appliances on the network and the following data about each one:
- Name of the server - this is an arbitrary name that you give to the server. You can change the name in the Name field on the Server Information page. (Click the name of the server on the System > Servers page.)
- Services - displays the services running on the system.
- PPS Version - the version of Proofpoint Protection Server software running on the server.
- System ID - for an appliance, this is the MAC address.
- Swap - displays the amount of available swap space and used swap space.
- Server Profile - displays the profile for the server:
  - Config Master - the master Proofpoint Protection Server. Note that the Config Master is always displayed first on the list.
  - Config Master/Encryption - the master Proofpoint Protection Server when it is licensed for Proofpoint Encryption.
  - Config Master/Encryption-Secure Reader - the master Proofpoint Protection Server when it is licensed for Proofpoint Encryption and also running Secure Reader, which allows users to decrypt messages using a browser.
  - Mail Filter - a filtering agent.
  - Mail Filter/Encryption-Secure Reader - a filtering agent in a cluster that is licensed for Proofpoint Encryption. The agent is filtering and encrypting email, and also running Secure Reader.
  - Mail Filter/Encryption - a filtering agent in a cluster that is licensed for Proofpoint Encryption.
  - Quarantine Node - an agent designated for the Quarantine database. This choice appears only if you have enabled this feature.
  - Quarantine/Encryption - a Quarantine Node in a cluster that is licensed for Proofpoint Encryption.
  - Smart Search - a system running the optional Proofpoint Smart Search software.
  - Log - a system designated for the sendmail and filterd logs and corresponding reports.
- System Disk - displays the amount of available disk space and used disk space.
- CPU User - displays the percentage of CPU utilization that occurred while executing at the user level (application).
- CPU Nice - displays the percentage of CPU utilization that occurred while executing at the user level with nice priority.
- CPU I/O Wait - displays the percentage of time that the CPU or CPUs were idle during which the system had an outstanding disk I/O request.
- CPU Busy - displays the percentage of time that the CPU or CPUs were busy.
- CPU System - displays the percentage of CPU utilization that occurred while executing at the system level (kernel).
- Last Update - displays the timestamp for the last software update or upgrade.
- Uptime - displays how long the server has been processing messages.

Process Details

Select a process from the Processes list to view process-specific diagnostic information for that process. Proofpoint Technical Support may request this information for troubleshooting purposes. To view process details, click the plus sign icon for a system in the cluster to view the processes running on that system, and then click the name of the process to view its details.
Related Topics: See Adding and Deleting Agents for information about adding an agent to the cluster and Changing Server Configuration Parameters to change the Server Profile for a system.

Database Utilities

Administrators can run database utilities to check and compress the Quarantine database from the management interface. If you have a cluster of appliances or Proofpoint Protection Servers, you can run the database utilities on each system in the cluster.

The Check database utility checks the database tables for corruption and errors, and automatically tries to repair or correct any anomalies it finds. You can run the Check database utility while the cluster is filtering email.

The Compact database utility compacts the database and returns disk space to the system. The optimization procedure locks the tables in order to make the changes, so you must stop the filtering process before running the Compact database utility.

The Repair database utility runs a repair on the database tables. This method is more intensive than the auto-repair that is done by the Check database utility, and it can repair issues that cannot be fixed by Check database. It may take a long time to complete, and should only be run under the advisement of Proofpoint technical support personnel. The Repair database utility does not require that you disable the filtering process. You will see alert messages from this utility as the tables are repaired.

Important: Do not run the Repair database utility unless directed to do so by Proofpoint technical support.

To run any of the database utilities, first click the plus sign icon (+) next to the name of the system in the cluster, and then select db under Processes in the table. Select the utility you want to run from the menu next to Run Utility.

Adding and Deleting Agents

You can deploy several Proofpoint Protection Servers or appliances in a cluster. One server is designated as the master, or administrative server. In the management interface, the master is named Config Master. The master server can filter messages as well as serve as the centralized management point, or you can disable the filtering on the master server so that it functions as an administrative server only. All other filtering servers (agents) in the cluster are designated, managed, and configured from the master server.

You need to enter information about a Proofpoint Protection Server in the Add Agent page to add a server as an agent. Enter the same information you provided for that server during installation. The information you enter in the Add Agent page establishes communication between the master Proofpoint Protection Server and the agent.

Important: When you add an agent to a cluster, certain scheduled tasks are temporarily halted for the duration of time that it takes to add the agent. Examples of scheduled tasks are Digest Generation and LDAP imports. To work around this, add an agent when no tasks are scheduled to take place on the Config Master. The scheduled tasks will run at the next scheduled interval.

About the Import Agent Sendmail Configuration Parameter

Administrators often need to move an agent from one cluster to another one, or replace an agent that has had a hardware failure with another agent in the same cluster.
To facilitate this process, the master imports the agent's sendmail configuration as soon as you add the agent to the cluster. If you later move the agent to another cluster, the master in the new cluster imports that agent's sendmail settings. The only time you would not use this feature (clear the check box) is if you are replacing an agent with a new agent in the same cluster due to hardware failure. In that case, the master already has the failed agent's sendmail configurations and will push those settings to the replacement agent.

Note: If you clone the settings for the new agent from an existing agent (or the Config Master) in the cluster, the Import Agent Sendmail Configuration parameter is disabled, because when you clone an agent the sendmail configuration is automatically copied from the source host to the destination agent.

About Cloning an Agent

Cloning an existing agent provides a convenient solution for the following use cases:
- You want to add an agent to an existing cluster and you already have an agent that is configured with all of the settings that you need (the source host). Instead of duplicating the configuration on the new agent, you can simply clone its configuration from the source agent.
- You have an agent in the cluster that suddenly stops filtering messages or starts producing errors. You can quickly restore the agent by cloning it from an agent that is working. You do not have to re-install and reconfigure the agent that was not functional.

When you add a new agent to a cluster, you can select the Config Master or any filtering agent in the cluster as the source host. You cannot select a Quarantine Master, Log node, or Smart Search node as the source host. The following settings are cloned from the source host: sendmail configurations, the Server Profile (for example, Mail Filter/Encryption), hosts override, and all configurations specific to an agent, including the SSL certificates for the end user HTTPD and MTA TLS settings.
The name of the source host is excluded. Everything that you can configure using the management interface, except the settings that are specific to the name of the source host, is cloned.

Cloned agents maintain a unique IP address and hostname so they can co-exist in the same cluster.

Note: It can take several minutes for the cloning procedure to complete.

Important: If you clone an agent from a source host that has host-specific or IP-specific certificates, those certificates will also be added to the agent. You will need to add host-specific or IP-specific certificates for the cloned agent to reflect the cloned agent's hostname or IP address.

About Server Profiles and Services

Administrators can deploy a cluster of agents and select different profiles for each agent. The type of profile you select determines which services you can select to run on that agent. For example, you can set up a cluster of four systems: one system is the master (Config Master), where all centralized management and configuration is applied, two systems are designated as filtering agents, and one system is designated as the Quarantine Node. You can select these services for the filtering agents: Secure Reader or ICAP. The advantages of designating profiles and services in a cluster are performance, scalability, and reduction of a single point of failure.

When you add an agent to a cluster, you select the Server Profile for that agent. If the agent is a filtering agent, you then select the Services you want to run on the agent. You cannot change an existing Server Profile on an agent. If you want to change the profile of an agent or node in a cluster, you must first delete it from the cluster and add it again with the new Server Profile.

Note: The Quarantine Node, Smart Search Node, and Log Node are unique in that they contain sensitive data and should not be deployed in the DMZ like the other agents.

Quarantine Node

Administrators have the option of designating a system in a cluster as a Quarantine Node. The Quarantine Node maintains the Quarantine and the Incident Queue databases.
The advantage of designating a Quarantine Node is scalability. By moving the Quarantine off the master Proofpoint Protection Server, you are balancing the load in the cluster.

Important: Refer to the Reference Guide for command-line instructions to enable this feature, or contact Proofpoint Professional Services or Technical Support. You cannot enable this feature from the management interface.

Smart Search Node

By default, the Smart Search database is maintained on the Config Master. Administrators have the option of adding an agent to a cluster and designating it as the Smart Search Node. Each agent in a cluster that is filtering email forwards its logs of sendmail events and filtering events to the Smart Search Node for aggregation, indexing, and analysis.

Important: If you are currently running Smart Search on the Config Master, and decide to add a Smart Search Node, the current data in the Smart Search database (on the Config Master) is not automatically transferred over to the Smart Search Node. Recent searches are not carried over. The Smart Search Node begins collecting the log data for indexing once its processes start.

Log Node

The Log Node is similar to the Smart Search Node. By default, the log database is maintained on the Config Master. Administrators have the option of adding an agent to a cluster and designating it as the Log Node. Each agent in a cluster that is filtering email forwards its logs of sendmail events and filtering events to the Log Node for aggregation and reporting.

Important: If you add a Log Node to an existing cluster, the current log data and report data on the Config Master is not automatically transferred over to the Log Node. Reports are not carried over. The Log Node begins collecting the log data once its processes start. If you delete a Log Node from a cluster, all of the log data and corresponding reports are lost.

Mail Filter and Secure Reader Service

The Secure Reader service is the Proofpoint Encryption component that provides the browser-based interface for users to decrypt, read, compose, reply to, and forward encrypted messages.

Adding an Agent

To add a Proofpoint Protection Server as an agent:

1. Click Add Agent on the System > Servers page.

2. Enter the following parameters for the agent:
   - Host Name - enter the hostname of the system where you installed the Proofpoint Protection Server software.
   - Admin Port Number - enter the communication port the management interface of the master Proofpoint Protection Server uses to configure the agent.
   - Instance Name - enter the instance name for the agent. By default, the instance name is instance1 (unless you changed the name during installation; this does not apply to the Proofpoint Messaging Security Gateway).
   - Admin User Password - enter the password for the agent.
   - Clone Existing Agent Configuration - select this check box if you want to clone the settings for the new agent from an existing agent or from the Config Master. Select the source host from the Source Host Name list. If applicable, add host-specific or IP-specific certificates on the cloned agent.
   - Import Agent Sendmail Configuration - leave this box selected so that the master can import the agent's sendmail configuration. Clear this box only if you are replacing a failed agent with a new agent in the same cluster. If you selected Clone Existing Agent Configuration, this choice is disabled.

3. Make a Server Profile selection:
   - Config Master/Mail Filter - this profile is for the Config Master. The Config Master is the central management administrative interface and, depending upon your deployment, filters email as well.
   - Config Master/Encryption-Secure Reader - this profile is for the Config Master when you have licensed Proofpoint Encryption.
   - Mail Filter - filters email only.
   - Smart Search Node - (optional module) contains the message tracing software and the database of index entries for message tracing.
   - Log Node - maintains the sendmail and filterd logs for every system in a cluster. Maintains the reports generated from the log data.
   - Quarantine Master/Encryption - maintains the Quarantine only. You will only see this choice if you have enabled the Quarantine Node feature.

4. Make a Services selection:
   - Secure Reader - provides a web-based user interface for Proofpoint Encryption so that users can read and compose secure messages.
   - ICAP - filters, blocks, and quarantines HTTP content.

5. Click Add Agent to add the agent.

Note: You cannot add the same agent to more than one master Proofpoint Protection Server.

Deleting an Agent

You can only delete one agent at a time. Select the check box next to the name of the agent and click Delete Agent.

Important: The Config Master always appears first in the server list. You cannot delete the master Proofpoint Protection Server. You cannot "undo" an agent deletion.

Related Topics: See Viewing Server Status Information for details on the status of a cluster of master and agents. See Changing Server Configuration Parameters for information on how to make changes to the parameters of a system in the cluster.

Starting and Stopping Processes

The Proofpoint Protection Server software is comprised of many processes, or services, that run in the background once the filtering engines begin scanning messages. To see the processes running on a server, navigate to the System > Servers page and click the plus sign icon (+) next to the name of the server. You can Start, Stop, Restart, or Refresh a process. To view details about a specific process, click the name of the process in the list.

Notes:
- These processes (except the scheduled ones) should always be running regardless of the settings you make in other areas of the management interface.
- The Proofpoint Encryption process appears only if a system has the Secure Reader service enabled.

Related Topics: See Changing Server Configuration Parameters for information on how to make changes to the parameters of a system in the cluster.

Changing Server Configuration Parameters

The server parameters are set during the software installation process. The only parameters you can change later are the name of the server and Services. See the table in Adding and Deleting Agents for information about Server Profiles and Services. To change server parameters, navigate to the System > Servers page and click the name of the server.

You cannot change the following information on the Server Information page:
- Server ID - displays the fully qualified instance name for the server. This ID is created during setup and is based on the hostname, admin port number, and instance name.
- Host Name - displays the hostname of the system provided during setup.
- Admin Port - displays the port for communication between the master Proofpoint Protection Server and this system.
- SSL Enable - during setup, you are prompted whether you want Secure Sockets Layer for communication with the master Proofpoint Protection Server. If you chose yes, the status is Enabled.
- Install Path - displays the directory location for the Proofpoint Protection Server software.
- Server Profile - you cannot change the profile for an agent. If you want to change the profile for an agent, you must delete it from the cluster and add it once again with the different profile.

You can make changes to the following parameters:
- Name - by default the server ID appears. You can enter a descriptive name for the Proofpoint Protection Server or appliance for identification purposes. This is the display name.
- Services - you can add or delete a service from the agent by clearing or selecting the Services check boxes.

Note: If you change a hostname, a domain, or a nameserver for any system in a cluster, you need to reboot each system in the cluster.

Related Topics: See Adding and Deleting Agents for information on adding agents to a cluster and changing Server Profiles.

About Alerts

You can configure the Proofpoint Protection Server to send alerts to the administrator when certain conditions apply. For example, you can automatically monitor the amount of disk space on the system running the Proofpoint Protection Server software. If the available disk space diminishes to a specified level, the administrator automatically receives a warning by way of email. Several categories of alert types are available: system events, digest generation events, update events, quarantine events, log events, and events for the optional Smart Search and Proofpoint Encryption modules.

Configuring alerts is a multi-step process:
1. Configure the trigger settings. These settings determine the condition that triggers the alert. See General Alert Settings.
2. Create an alert profile, where you determine who will receive the alert and the action to take when the alert is triggered. For example, send the alert as an HTML email message or a text message. See Creating and Managing Alert Profiles.
3. Add rules to the alert profile, where you select the condition or conditions under which the alert is sent to the users in the alert profile, and whether or not to suppress how often the alert is sent. See Creating Rules for Alerts.

The parameters for each of these tasks are organized on a separate tab on the System > Alerts page. The Proofpoint Protection Server software includes an alert profile named default that sends an HTML email message to a specified recipient. The recipient for the alerts in the default profile is determined when you install the software on a Proofpoint Protection Server, or finish configuring an appliance using the Setup Assistant Guide.

General Alert Settings

Use the System > Alerts > General page to enable or disable alerts, to select an SMTP profile, and to set the alert triggers. See About Alerts for an introduction to alerts.
The host that routes alerts and the sender of the alerts are defined by the SMTP Profiles settings on the System > Settings > SMTP page. See Configuring SMTP Profiles and Parameters. To disable the alert feature, click Off for the Alert Enable parameter. The Proofpoint Protection Server software is set up to use the default SMTP profile named alert. You can select a different SMTP profile to route alerts through a different host.

To configure the alert trigger settings:

For each setting under Alert Trigger Settings, enter a new value into the field if you want to change the upper or lower limit that triggers an alert.

Disk Space - enter a number that represents the disk space (in gigabytes) that should trigger these alerts. When available disk space diminishes to this level, the alert is triggered.
- Available System Disk Space Less Than <value> GB. Sends an alert indicating the amount of available disk space for the sendmail queue. Accept the default or enter a different value.

SMTP Queue - these alerts are sent if the number of messages for any one SMTP queue, or for any one recipient domain, exceeds the specified values.
- Total Messages In Queue More Than <value> Messages. Triggers an alert when the number of messages in any SMTP queue exceeds the value in the field.
- Queued Messages For One Domain More Than <value> Messages. An alert that includes the name of the queue is sent if the number of messages for any one recipient domain exceeds the number entered in the field. For example, if the messages addressed to recipients at example.com, regardless of which queue they are in, exceed the number entered in the field, an alert is sent that includes the domain name example.com.

Cannot Connect To Update Server - update alert settings cover the Dynamic Update Service feature. These alerts inform you that an update is available for the Virus Protection Module and the MLX Engine, and whether or not the update has been successfully downloaded to the Proofpoint Protection Server. Enter a value into the field to represent the number of connection attempts.
- Unable To Connect To Update Server After <value> Tries. If the Proofpoint Protection Server cannot connect to an update server after the designated number of attempts, an alert is triggered.

Quarantine Consolidate - an alert is sent when an Error log entry is generated because, for some reason, the Quarantine Consolidator cannot transfer messages to the master Quarantine. The Quarantine Consolidator is a program that transfers the messages from each agent's Quarantine Queue to the master Proofpoint Protection Server Quarantine. Note that if an administrator has disabled Quarantine queue consolidation on the Quarantine > Settings > Consolidation page, these alerts are not generated.
- Number Of Messages Equal To Or Greater Than <value>. This value represents the number of messages that are waiting in an agent's Quarantine Queue. For example, if you enter 1000 into the field, an Error alert is sent if an agent has 1000 or more messages in its Quarantine Queue waiting to be transferred by the Quarantine Consolidator.

Spam Module Out Of Date - an alert is sent when the spam MLX Engine or the spam definition files have not been updated for a period of time.
- Spam Engine Older Than <value> Hour(s). This value represents the number of hours that have elapsed since the spam MLX Engine was last updated.
- Spam Definition Older Than <value> Hour(s). This value represents the number of hours that have elapsed since the spam definition files were last updated.

Virus Module Out Of Date - an alert is sent when the virus engine or the virus definition files have not been updated for a period of time.
- Virus Engine Older Than <value> Hour(s). This value represents the number of hours that have elapsed since the virus engine was last updated.
- Virus Definition Older Than <value> Hour(s). This value represents the number of hours that have elapsed since the virus definition files were last updated.

Save your changes.
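As an added illustration, not code from the Proofpoint Protection Server, the following Python evaluates the trigger thresholds above against a constructed snapshot of system metrics and then applies the three suppression modes described under About Alert Suppression. The threshold values, the shape of the metrics snapshot, the sample queue contents and the alert titles as strings are all assumptions made for the example; the one point it shows that the text only states is that the per-domain queue alert counts a domain's messages across every queue, not per queue.

```python
from collections import Counter

# Assumed threshold values, in the units the General page uses
# (GB, messages, connection tries, hours). Not Proofpoint defaults.
THRESHOLDS = {
    "disk_free_gb": 5.0,      # Available System Disk Space Less Than <value> GB
    "queue_total": 1000,      # Total Messages In Queue More Than <value> Messages
    "queue_domain": 500,      # Queued Messages For One Domain More Than <value> Messages
    "update_tries": 3,        # Unable To Connect To Update Server After <value> Tries
    "spam_engine_hours": 24,  # Spam Engine Older Than <value> Hour(s)
}


def evaluate_triggers(metrics, thresholds=THRESHOLDS):
    """Return the title of every alert whose condition holds for one snapshot.

    metrics["queues"] maps an SMTP queue name to the recipient domain of each
    message it holds, so per-queue totals and per-domain totals across all
    queues both come from the same structure.
    """
    hits = []
    if metrics["disk_free_gb"] < thresholds["disk_free_gb"]:
        hits.append("Available System Disk Space Less Than %g GB" % thresholds["disk_free_gb"])
    queues = metrics["queues"]
    for name, domains in queues.items():
        if len(domains) > thresholds["queue_total"]:
            hits.append("Total Messages In Queue More Than %d Messages (queue %s)"
                        % (thresholds["queue_total"], name))
    # The per-domain alert counts a domain's messages regardless of which queue holds them.
    per_domain = Counter(d for domains in queues.values() for d in domains)
    for domain, n in sorted(per_domain.items()):
        if n > thresholds["queue_domain"]:
            hits.append("Queued Messages For One Domain More Than %d Messages (%s)"
                        % (thresholds["queue_domain"], domain))
    if metrics["update_failed_tries"] >= thresholds["update_tries"]:
        hits.append("Unable To Connect To Update Server After %d Tries" % thresholds["update_tries"])
    if metrics["spam_engine_age_hours"] > thresholds["spam_engine_hours"]:
        hits.append("Spam Engine Older Than %d Hour(s)" % thresholds["spam_engine_hours"])
    return hits


class Suppressor:
    """Decides whether a triggered alert results in the profile's action.

    mode "none":  act on every trigger.
    mode "after": act only once the alert has triggered x times (and on each
                  trigger after that).
    mode "first": act on the first trigger, then on every x-th trigger after it.
    For the last two modes an optional interval (minutes) additionally drops
    any action that would fall within that window of the previous action.
    """

    def __init__(self, mode="none", x=1, interval_minutes=0):
        self.mode, self.x, self.interval = mode, x, interval_minutes
        self.count = {}        # alert title -> number of triggers seen
        self.last_action = {}  # alert title -> minute of the last action taken

    def should_act(self, title, now_minutes):
        n = self.count.get(title, 0) + 1
        self.count[title] = n
        if self.mode == "none":
            due = True
        elif self.mode == "after":
            due = n >= self.x
        elif self.mode == "first":
            due = n == 1 or (n - 1) % self.x == 0
        else:
            raise ValueError("unknown suppression mode: %s" % self.mode)
        if not due:
            return False
        last = self.last_action.get(title)
        if self.interval and last is not None and now_minutes - last < self.interval:
            return False
        self.last_action[title] = now_minutes
        return True


def run_snapshots(snapshots, suppressor):
    """Feed (minute, metrics) snapshots through evaluation and suppression;
    return the (minute, title) pairs for which the profile's action fires."""
    fired = []
    for minute, metrics in snapshots:
        for title in evaluate_triggers(metrics):
            if suppressor.should_act(title, minute):
                fired.append((minute, title))
    return fired


# Constructed sample snapshot: example.com is spread over two queues, so it
# exceeds the per-domain limit although neither queue exceeds its own limit.
SAMPLE_METRICS = {
    "disk_free_gb": 3.2,
    "queues": {
        "default": ["example.com"] * 300 + ["other.example"] * 100,
        "bulk": ["example.com"] * 250,
    },
    "update_failed_tries": 1,
    "spam_engine_age_hours": 30,
}

if __name__ == "__main__":
    # Same snapshot every minute for five minutes; act on the first trigger and
    # then every third one, as "Suppression after the first alert" describes.
    for minute, title in run_snapshots([(m, SAMPLE_METRICS) for m in range(5)],
                                       Suppressor("first", x=3)):
        print(minute, title)
```

Run as a script it prints two actions per triggered alert over the five minutes (the first trigger and the fourth), which is the behaviour an administrator would expect from the suppression settings chosen.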
Creating and Managing Alert Profiles

Use the System > Alerts > Alert Profiles page to create a list of recipients for alerts and the action to take: whether to send the alert as an HTML message or a text message. When you create rules for alerts, you will select a profile from the Alert Profiles list. See About Alerts for an introduction to alerts.

In a large organization where there are many administrators with different areas of responsibility, alert profiles allow you to group the administrators who need to receive alerts from specific areas of the Proofpoint Protection Server software.

The Proofpoint Protection Server or appliance includes an alert profile named default. The default profile sends an HTML message to a default specified recipient when any alert is triggered. This recipient is determined at the time you install the software on a Proofpoint Protection Server or finish setting up an appliance using the Setup Assistant Guide.

To create an alert profile:

1. Click Add.
2. In the Add Alert Profile pop-up window, enter a name for the profile in the Profile ID field.
3. Select either Send HTML alert message or Send Text alert message from the Action drop-down list.
4. Select a language from the Language drop-down list for the alert.
5. Enter the email addresses of the recipients into the Recipients field. Separate multiple addresses with a comma.
6. Click Add Profile to add a single profile, or Add and New to add several profiles at once.

To delete an alert profile, select the check box for the profile, click Delete, and confirm.

To find a recipient in an alert profile:

Use the Find Member field to search for a recipient. When you click Search, the Alert Groups List displays all of the profiles that contain that recipient. The Find Member field returns results for:
- Partial or complete recipient name.
- Partial or complete email address for the recipient.
- Partial or complete domain name for the recipient's email address.

To display all of the profiles after a search, clear the Find Member field and click Search.

Creating Rules for Alerts

Use the System > Alerts > Rules page to add rules to the alert profiles you create. See Creating and Managing Alert Profiles for information about creating alert profiles. The Alert Rules List displays the name of each alert profile and whether or not the rules for the profile are enabled, the list of conditions for each rule, the action taken when alerts are triggered, and the suppression settings, if any. See About Alerts for an introduction to alerts.

Complete the following tasks on the Rules page:
- Add rules to a profile. A rule is comprised of a profile, one or more conditions, and an action.
- Delete rules from a profile.
- Test the rules for an alert profile. Administrators listed in the profile receive a test message according to the action defined by the profile.
- Preview the rules in the profile. The preview displays the information sent by the alert rule when it is triggered.

About Alert Suppression

Some administrators do not want to receive an alert each time it is triggered. The suppression feature gives administrators flexibility and control over how often they receive alerts. For example, an alert may be triggered once a minute, but the administrator only wants to receive the alert the first time it is triggered, and after that, only once an hour. Or perhaps the administrator wants to wait until the alert is triggered 30 times before an action is taken for the alert.

Overview:
- No suppression - this choice applies no suppression. Each time an alert is triggered the action is applied.
- Alert after X occurrence - this choice counts the number of times the alert is triggered and applies the action only after the Xth occurrence. Administrators can then apply suppression to the action (or not) after the Xth occurrence. Suppression of the action is applied by minutes or hours.
- Suppression after the first alert - this choice applies the action the first time the alert is triggered, and after that, every N times the alert is triggered, where N is a number defined by the administrator. Administrators can then apply suppression to the action (or not) after the Nth occurrence. Suppression of the action is applied by minutes or hours.

Adding a Rule or Rules to a Profile

To add a rule to an alert profile:

1. Click Add to display the Add Alert Rule pop-up window.
2. Enter an identifier for the rule into the ID field. This identifier is used internally to track the rule.
3. Select the profile from the Alert Profile drop-down list.
4. The Alert Conditions list displays the available conditions that trigger alerts. Select an item from this list and click the down-arrow button to move it to the Subscribed Alerts list.
5. Enter any comment text in the Additional Alert Comment field.
6. Select a suppression of actions when the alert is triggered, if applicable.

7. Click Add Rule to add the rule to the selected profile, or click Add and New to add a rule to another profile.

Note: You can create several different rules for the same profile, and control which ones are in effect by enabling or disabling the rules for that profile. If you want to create a new rule that is similar to an existing rule, click Clone Rule on the Rules page. See Cloning Rules in "Rules and Delivery Dispositions."

To edit the rules for an existing profile:

1. Click the name of the profile in the Alert Profile column to display the Edit Alert Rule pop-up window.
2. To remove a condition from a rule, select the condition in the Subscribed Alerts list and click the up-arrow button to move it off the list.
3. Make your selections for Suppression, if applicable, and save your changes.

To delete a rule from the Alert Rules List, select the check box for the rule to the left of the Enabled column, click Delete and confirm. To disable a rule, clear the check box for the rule in the Enabled column and save your changes.

Testing a Rule

Testing a rule means applying the action without the trigger. For example, if the action for the rule is to send a message to a pager when the alert is triggered, you can test the action to verify that it works.

Previewing a Rule

The preview displays the type of information the administrator receives when an alert is triggered. For example:

Field - Description
EID - A description for the internal event identification.
Category - The component of the Proofpoint Protection Server software that triggered the alert. For example, a filtering module or the Digest generation process.
Title - The name of the alert as it appears in the Alert Conditions list.
Severity - The severity of the alert, for example, Critical or Normal.
Description - Provides a brief description of the problem that triggered the alert.
Resolution - Provides a suggestion for what action to take for the alert.

Click Preview to display the Preview Alert pop-up window, and select the condition from the Select Alert drop-down list.

About Policy Routes

Policy Routes provide a way to group connection and envelope attributes into conditions. Like rules, Policy Routes are comprised of one or more conditions. Administrators use Policy Routes to apply filtering modules and rules to the messages on specific routes, allowing for more control over the filtering of email sent to and from their organization. Policy Routes are available as a condition when you create a rule and as a global restriction for the filtering modules.

If you have an ICAP-enabled proxy server on your network (for example, the Blue Coat Proxy SG), you can filter outbound HTTP traffic for Data Loss Prevention. A typical use case is to create a Policy Route with a protocol condition equal to ICAP:HTTP. You can then create rules for this Policy Route to trigger on HTTP content. See About ICAP and Creating Rules for HTTP Content for more information about ICAP and filtering HTTP content.

Policy Routes are defined by the following conditions:
- Country Code (not applicable to HTTP content)
- Envelope Recipient (not applicable to HTTP content)
- Envelope Recipient Belongs To Group (not applicable to HTTP content)
- Envelope Sender (not applicable to HTTP content)
- Envelope Sender Belongs To Group (not applicable to HTTP content)
- Local IP (not applicable to HTTP content)
- Policy Route Protocol
- Sender HELO Domain (not applicable to HTTP content)
- Sender Hostname (not applicable to HTTP content)
- Sender IP Address (for HTTP content, the Sender IP is the end user IP encapsulated in the ICAP header)
- Sender Reverse IP Address (not applicable to HTTP content)

Examples of Policy Routes:
- policy_route_a: Sender IP Address Ends With AND Country Code Equals ar
- policy_route_b: Sender Hostname Contains proofpoint.com AND Envelope Sender Belongs To Group legal

Once defined, Policy Routes are made available throughout the product.

Policy Routes and Filtering Modules

Policy Routes allow you to exclude messages on specific routes from being filtered by a module. This feature is useful, for example, if you do not want to spend Proofpoint Protection Server processing resources filtering messages from senders that you trust. Suppose you want the Spam Detection Module to filter all inbound email, except email from trusted partners. After defining the routes, you can apply spam filtering to all inbound email from everyone and exclude inbound email from your partners from spam filtering.

For each filtering module, you choose which routes to apply filtering to and which routes to ignore, on a per-module basis. When you exclude a specific route from filtering by a specific module, the inbound or outbound email on that route is not filtered by that module and none of that module's rules trigger for email on that route.

Policy Routes and Rules

Policy Routes allow you to apply rules to messages and connections for specific routes. Assuming the filtering module is filtering messages for the route, creating a rule for a specific route gives you more granular control. For example, you may want to create a Policy Route for inbound mail that restricts mail from your competitors, so that it does not reach the employees at your organization. You would first create a Policy Route using the domain of the competitor, and then create a rule and apply the discard disposition with an option that sends a copy of the messages to the Quarantine.

Note: You cannot apply Policy Routes at the rule level for the Virus Protection Module and the Zero-Hour Module.

Policy Routes and Groups

You can create a Policy Route by using a group of senders or recipients as the condition. This feature gives you more granular control over filtering for specific groups of users, or over triggering rules in a filtering module for email to or from specific groups of users. For example, you can create a Policy Route for all the users in your organization, then create a Policy Route for a group of users in a specific department in your organization. You can then create a rule that applies to email to everyone in your organization except the group.

When you create a Policy Route using the Envelope Recipient Belongs To Group or Envelope Sender Belongs To Group condition, the groups you create on the Groups and Users > Groups page are available as choices for these conditions.
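To make the route-matching behaviour concrete, here is an added Python example (not the Proofpoint Protection Server's own route engine) that evaluates Policy Route conditions, including nested AND/OR expressions of the kind the Advanced editor builds, and then applies the per-module "ignore these routes" restriction described above. policy_route_b is taken from the examples in the text; the partners and competitors routes, the group membership, the operator semantics (case-insensitive string matching) and the sample messages are assumptions made for the example.

```python
# Assumed group membership, standing in for the Groups and Users > Groups page.
GROUPS = {
    "legal": {"counsel@example.com", "paralegal@example.com"},
}

# Operators applied to a single string attribute (case-insensitive, as mail
# domains and hostnames are). "Belongs To Group" is handled separately below.
OPERATORS = {
    "Equals": lambda actual, value: actual.lower() == value.lower(),
    "Contains": lambda actual, value: value.lower() in actual.lower(),
    "Ends With": lambda actual, value: actual.lower().endswith(value.lower()),
    "Starts With": lambda actual, value: actual.lower().startswith(value.lower()),
}


def match_condition(cond, msg, groups=GROUPS):
    """Evaluate one (attribute, operator, value) condition against a message.

    msg is a dict keyed by the condition names on the Policy Routes page,
    e.g. "Sender Hostname", "Envelope Sender", "Envelope Recipient" (a list).
    """
    attribute, operator, value = cond
    if operator == "Belongs To Group":
        field = "Envelope Sender" if attribute.startswith("Envelope Sender") else "Envelope Recipient"
        addresses = msg.get(field, [])
        if isinstance(addresses, str):
            addresses = [addresses]
        members = groups.get(value, set())
        return any(a.lower() in members for a in addresses)
    actual = msg.get(attribute, "")
    if isinstance(actual, list):  # e.g. several envelope recipients: any may match
        return any(OPERATORS[operator](a, value) for a in actual)
    return OPERATORS[operator](str(actual), value)


def match_route(expr, msg, groups=GROUPS):
    """Evaluate a route expression: a condition tuple, or
    {"op": "AND"|"OR", "terms": [...]} nested to any depth."""
    if isinstance(expr, tuple):
        return match_condition(expr, msg, groups)
    results = [match_route(t, msg, groups) for t in expr["terms"]]
    if expr["op"] == "AND":
        return all(results)
    if expr["op"] == "OR":
        return any(results)
    raise ValueError("unknown logical operator: %s" % expr["op"])


def select_routes(routes, msg, groups=GROUPS):
    """Return the IDs of every enabled route the message falls on, in table order."""
    return [rid for rid, (enabled, expr) in routes.items()
            if enabled and match_route(expr, msg, groups)]


def module_filters(selected, ignore_routes):
    """Per-module restriction: the module skips the message (and none of its
    rules trigger) if the message is on any route the module is set to ignore."""
    return not any(r in ignore_routes for r in selected)


# Routes: policy_route_b is from the examples above; the other two are
# constructed for the partner-exclusion and competitor use cases in the text.
ROUTES = {
    "policy_route_b": (True, {"op": "AND", "terms": [
        ("Sender Hostname", "Contains", "proofpoint.com"),
        ("Envelope Sender", "Belongs To Group", "legal"),
    ]}),
    "partners": (True, {"op": "OR", "terms": [
        ("Sender Hostname", "Ends With", "partner-a.example"),
        ("Sender Hostname", "Ends With", "partner-b.example"),
    ]}),
    "competitors": (False, ("Envelope Sender", "Ends With", "@competitor.example")),
}
SPAM_MODULE_IGNORES = {"partners"}  # assumed "ignore these routes" setting for the spam module

# Constructed messages (connection and envelope attributes only).
MSG_LEGAL = {"Sender IP Address": "192.0.2.10", "Sender Hostname": "mail.proofpoint.com",
             "Envelope Sender": "counsel@example.com", "Envelope Recipient": ["bob@example.net"]}
MSG_PARTNER = {"Sender IP Address": "198.51.100.7", "Sender Hostname": "mx.partner-b.example",
               "Envelope Sender": "alice@partner-b.example", "Envelope Recipient": ["bob@example.net"]}
MSG_RIVAL = {"Sender IP Address": "203.0.113.5", "Sender Hostname": "smtp.competitor.example",
             "Envelope Sender": "sales@competitor.example", "Envelope Recipient": ["bob@example.net"]}

if __name__ == "__main__":
    for name, msg in (("legal", MSG_LEGAL), ("partner", MSG_PARTNER), ("rival", MSG_RIVAL)):
        on = select_routes(ROUTES, msg)
        print(name, on, "spam module filters:", module_filters(on, SPAM_MODULE_IGNORES))
```

Note that the competitors route is disabled in the table, so the rival message falls on no route at all; this is what the Important note under Creating and Modifying Policy Routes warns about in reverse: a rule or module restriction that names a route silently does nothing once that route is disabled or deleted.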

Default Policy Routes

The Policy Routes that you create appear on the System > Policy Routes page. Each listed Policy Route includes the policy ID, description, and route. You can also enable or disable routes by selecting or clearing the check box in the Enabled column.

The Proofpoint Protection Server provides the following default Policy Routes to control and restrict email:
- internalnet Policy Route - created for DNS block lists. Prevents mail from your internal networks from being blocked by mistake. By default the route is populated with the local host's IP address. See DNS Block List in "Proofpoint Protection Servers" for more information.
- outbound Policy Route - used to create a list of senders or recipients whose outbound email requires filtering by the Proofpoint Protection Server. By default, the route is not pre-populated.
- spfsafe Policy Route - used to define a list of senders whose email is sent from external or internal networks that adhere to SPF, which verifies that the sending host is authorized to send mail for the sender's domain. By default, the route is not pre-populated.
- default_inbound Policy Route (appliance only) - created automatically for the appliance when inbound filtering is configured. The default_inbound Policy Route determines which inbound mail the appliance accepts for filtering and determines the destination host or hosts responsible for delivering the mail. See Inbound Mail Configurations in "Appliance" for more information.
- tls_fallback Policy Route (appliance only) - used in conjunction with the tlsfallback Buffer Queue and pre-populated with the condition that indicates a message has been sent from the Buffer Queue. You should not modify this Policy Route.

These default Policy Routes become available for selection when you enable a filtering module and as a condition option when you create rules. By having a list of Policy Routes from which to choose, you do not have to re-create the same Policy Route each time you want to build a rule that includes the route as a condition. For detailed information on how to exclude specific routes from filtering by a module, or how to apply a rule to specific routes, see Policy Routes in "Rules and Delivery Dispositions."

Creating and Modifying Policy Routes

A Policy Route is defined by a route ID, description, and condition.

Important: Before you delete a Policy Route, verify that the Policy Route is not being used by a filtering module, by a rule in a filtering module, or as a condition in a rule. If you delete a Policy Route, any filtering module, rule in a filtering module, or condition that uses the deleted Policy Route will stop working.

Creating a Policy Route

To create a Policy Route:

1. Click Add.
2. Enter the name of the route in the Route ID field.
3. Enter a description for the route in the Description field.
4. For a simple Policy Route with one condition, click Add Condition. Otherwise, click Advanced to build a complex Policy Route.
5. Click the link Click here to add a new condition or the plus sign icon (+) to add a new condition.
   Note: If you move the Add Condition pop-up window just under the Condition field on the Policy Route page, you can see the conditions appear as you append them to create a composite rule.
7. Select a condition from the Condition drop-down list. See Conditions in "Rules and Delivery Dispositions" for a description of each condition.
8. Select an operator from the Operator drop-down list. See Operators in "Rules and Delivery Dispositions" for a description of each operator.
9. Enter a value, depending upon the selection you made for both the condition and operator, into the Value field. For example, if you selected Sender IP Address for the condition and Equals for the operator, you would enter the IP address of the sender.

10. If you are building a nested condition, click the Add and New Condition button.
11. When you finish adding conditions, click Save Changes.

Changing the Logical Operator

To change an operator for an existing condition:

1. On the Policy Routes page, click the name of the Policy Route with the condition you want to change.
2. Click Advanced.
3. Click the AND or OR operator in the Condition text box on the Policy Route page to display the Edit Operator pop-up window.
4. Select the operator and click Save Changes.

Deleting a Condition

To delete a condition from a Policy Route:

1. On the Policy Routes page, click the name of the Policy Route for which you want to delete a condition.
2. Click Advanced to display the advanced view.
3. Click the condition that you want to delete in the Condition text box on the Policy Route page.
4. Click Delete on the Edit Condition pop-up window and save your changes.

Changing a Condition

To change a condition:

1. On the Policy Routes page, click the name of the Policy Route for which you want to change a condition.
2. Click Advanced to display the advanced view.
3. Click the condition you want to change in the Condition text box on the Policy Route page to display the Edit Condition pop-up window, make your changes, and save.

Related Topics: See About Policy Routes and Policy Routes in "Rules and Delivery Dispositions" for more information about Policy Routes.

Custom Modules

Use the System > Custom Modules page to import custom modules, enable or disable them, and change the order in which the custom modules filter messages. Obtain custom modules from Proofpoint Professional Services.

Adding a Module

Custom modules are distributed in a .zip archive that includes these files: a description for the module (module.dsc), a Perl script (module.pl), and a configuration parameter file whose contents are injected into the existing filter.cfg file (module.cfg).
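Because module.cfg is merged into filter.cfg and module.pl runs inside the filter, an archive deserves a look before you import it. The following Python is an added example, not a Proofpoint tool: it checks that an archive contains exactly the three files named above, rejects member paths that would unpack outside the target directory (an absolute path or a ".." component), and sanity-checks module.cfg. The assumption that module.cfg consists of key=value lines like filter.cfg, and the sample archives with their placeholder contents, are constructed for the example.

```python
import io
import zipfile

REQUIRED = {"module.dsc", "module.pl", "module.cfg"}


def check_module_archive(data):
    """Return a list of problems found in the archive bytes; an empty list
    means the archive has the expected shape.

    Checks: it is a zip; every member name is a plain top-level file name
    (an absolute path or a ".." component would unpack outside the target
    directory, so it is rejected); exactly the three expected files are
    present and non-empty; and, on the assumption that module.cfg uses the
    same key=value line format as filter.cfg, that every non-comment line
    in it has that shape before it gets injected into filter.cfg.
    """
    problems = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    names = set()
    for info in archive.infolist():
        name = info.filename
        parts = name.replace("\\", "/").split("/")
        if name.startswith(("/", "\\")) or ".." in parts or ":" in parts[0]:
            problems.append("unsafe member path: %s" % name)
            continue
        if info.is_dir():
            continue
        names.add(name)
        if info.file_size == 0:
            problems.append("empty member: %s" % name)
    missing = REQUIRED - names
    unexpected = names - REQUIRED
    if missing:
        problems.append("missing: %s" % ", ".join(sorted(missing)))
    if unexpected:
        problems.append("unexpected member(s): %s" % ", ".join(sorted(unexpected)))
    if "module.cfg" in names:
        text = archive.read("module.cfg").decode("utf-8", "replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            stripped = line.strip()
            if stripped and not stripped.startswith("#") and "=" not in stripped:
                problems.append("module.cfg line %d is not key=value: %s" % (lineno, stripped))
    return problems


def build_archive(members):
    """Build an in-memory zip from {name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed archives: one well-formed, one carrying a traversal member and a
# malformed module.cfg line. The Perl and config contents are placeholders.
GOOD_ARCHIVE = build_archive({
    "module.dsc": "name=example_module\ndescription=constructed placeholder module\n",
    "module.pl": "#!/usr/bin/perl\n# constructed placeholder; not a real filter module\n1;\n",
    "module.cfg": "# constructed\ncom.example.module.enabled=t\n",
})
BAD_ARCHIVE = build_archive({
    "module.dsc": "name=bad\n",
    "module.pl": "1;\n",
    "module.cfg": "this line has no separator\n",
    "../filter.cfg": "com.example.overwrite=t\n",
})

if __name__ == "__main__":
    for label, data in (("good", GOOD_ARCHIVE), ("bad", BAD_ARCHIVE), ("junk", b"not a zip")):
        print(label, check_module_archive(data) or "ok")
```

The traversal check matters more than the format check: a member named ../filter.cfg in an archive that is extracted naively would replace the gateway's own filter configuration rather than being merged into it.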
When you add a custom module to the Proofpoint Protection Server you are prompted for the directory location of the archive file.

To add a custom module:

1. Click Import.
2. In the Add Custom Module pop-up window, enter the full path to the zip archive into the Custom Module Filename field, or use the Browse button to find the zip archive.
3. Click Add Module to import the module, and save your changes.

Note: A check box appears in the Enabled column for the custom module, and a drop-down list in the Order column lists all the modules.

Enabling or Disabling a Module

You cannot disable the default Proofpoint Protection Server modules on the Custom Modules page, only the custom modules that you add.

Changing the Module Filtering Order

You cannot change the filtering order of the default Proofpoint Protection Server modules, only that of the modules you add. You can move a custom module up or down in the filtering order so that it applies to messages before or after the default Proofpoint Protection Server modules. Make a choice from the Order drop-down list to change the filtering order.

Deleting a Custom Module

You can only delete custom modules that you added.

Related Topics: See Creating a Configuration Version for information on how to save a configuration before or after you make changes to the Proofpoint Protection Server.

About Licenses and the Dynamic Update Service

The Licensing feature manages the product licenses for your Proofpoint modules and software. You must activate the Proofpoint Protection Server or appliance in order to apply the licensing and enable the Dynamic Update Service. The Dynamic Update Service distributes and manages the latest module updates, software patch updates, and system upgrades from the Proofpoint-hosted update servers. If the Proofpoint Protection Server or appliance is not activated, you will not receive any module updates or system upgrades, including Spam MLX Engine, Spam MLX Definitions, Virus Definitions, and Virus Engine updates.
Licensing overview:

When you install the Proofpoint Protection Server or deploy an appliance for the first time, all of the filtering modules, including Regulatory Compliance, Digital Assets, and Proofpoint Encryption, are enabled and displayed in the management interface. This initial configuration allows you to evaluate all of the product features for an arranged period of time. You must still activate the Proofpoint Protection Server or appliance for a complete evaluation; otherwise you will not receive updates from the Dynamic Update Service.

When you purchase a license for the Proofpoint Protection Server or appliance, you are issued one activation key that enables the product components you wish to keep. If you add a module after activating the Proofpoint Protection Server or appliance, the original activation key you entered automatically enables the module for which you purchased a license. By activating the Proofpoint Protection Server or appliance, you ensure that you receive all relevant module updates and software upgrades from Proofpoint.

The product components for which you have not purchased a license will expire and stop working. You will see a warning in the management interface 30 days before the unlicensed components stop working, and again 7 days before they stop. You will also receive an alert for the module that is about to expire 30 days before expiration and on the day of expiration. When you log out of the management interface and log back in, the unlicensed product components and the reports for those components disappear from the management interface.

If you purchase a license for a product component that was previously unlicensed, the component becomes available as soon as the license is updated by Proofpoint. This also applies if you switch between anti-virus engines. To view the current license status, navigate to the System > Licenses and Updates > Licenses page.

Proofpoint maintains the most up-to-date virus definitions and Zero-Hour virus engine from our partners, and includes any new spam attributes, balanced weights, and classifiers to update the MLX Engine to ensure the most accurate spam detection. As new updates for the MLX Engine and virus definitions become available, they are packaged and placed on Proofpoint-hosted update servers. You should configure the Proofpoint Protection Server or appliance to poll the update servers and to download and deploy the latest updates automatically. If you are using the Regulatory Compliance Module, the HIPAA dictionaries are also kept up to date by the Dynamic Update Service.

The Dynamic Update Service also provides the Proofpoint Protection Server or appliance system upgrades when they are made available through Technical Support. You cannot configure the Proofpoint Protection Server or appliance to install system upgrades automatically.

The update store on the Proofpoint Protection Server or appliance is a directory location for storing the module updates, system upgrades, and software patches. The update store automatically synchronizes with the Dynamic Update Service using a polling interval that you can configure. You can also manually force synchronization on an as-needed basis.

System Upgrade Checklist

To successfully upgrade the Proofpoint Protection Server software or appliance, you need to complete several tasks prior to the upgrade:
- Contact Technical Support by opening a call in CTS to request that an upgrade installation package be made available.
- If necessary, determine alternate mail processing while the master server and agents are being upgraded.
- Estimate the time required to upgrade your installation.
- Free up disk space and reduce the data to be migrated.
- Check your firewall rules.
- If you installed the Proofpoint Protection Server software yourself (not an appliance), verify that you have the passwords for the Proofpoint user and the root user available during the upgrade process.

Contacting Proofpoint Technical Support

Open a call in the Proofpoint Call Tracking System (CTS) to request an upgrade of your Proofpoint Protection Server software. Technical Support will make the installation package available for download. Find out whether you can upgrade to the latest version from the version you are currently running.

Important: If you have multiple clusters, each one requires a separate activation key.

Alternative Mail Routing

If necessary, make plans to reroute the mail being filtered by the Proofpoint Protection Server(s). For master and agent configurations there should be no interruption in mail routing, provided that the master and agent(s) are participating in a load-balanced configuration. If you do not have a load-balanced cluster, or you have a single server, determine the availability of other MX hosts and use them to temporarily route the mail normally filtered by the Proofpoint Protection Server.

Estimating the Time to Upgrade

The time required to upgrade a master Proofpoint Protection Server depends on the number of messages in the Quarantine and the amount of retained log data. It takes about an hour to upgrade a master and a single agent that have fewer than 100,000 messages in the Quarantine. It takes several hours to upgrade a cluster that includes a master and several agents with several hundred thousand messages or more in the Quarantine. The agents typically take less than an hour each to upgrade.

Freeing up Disk Space and Reducing Data to Migrate

The upgrade process determines whether there is enough disk space available on the master and agents to complete the upgrade. If disk space is insufficient, the upgrade process stops, and you receive a message indicating that you need to free up additional disk space. Because large amounts of data are copied during the upgrade, Proofpoint recommends that you free up as much disk space as possible prior to the upgrade. Eliminate unnecessary data such as old log data or messages in the Quarantine. Reducing data also reduces the amount of time required for upgrading the master and agents.

Go to the System > Summary page to determine the amount of available disk space and the amount of space being used by the Quarantine on the master server. Typically, the amount of disk space the Quarantine uses is twice the size indicated on the System > Summary page. This is because the size displayed in the management interface represents only the messages, and not the other components, such as the indexes, associated with the Quarantine. The size of the Quarantine also depends upon the size of the messages in the Quarantine: the larger the messages, the smaller the differential between the size displayed in the management interface and the actual space used by the Quarantine. In most cases, Proofpoint recommends that the master have more than 50 percent of its disk space available. You need this much space because, depending upon which version you are upgrading to, the database may be copied during the upgrade process.

To free up disk space:

If you are using the Audit Messages feature, you must disable it prior to the upgrade, or change the expiration period to one week or less, at least 7 days prior to the upgrade.
- To change the expiration period for the Audit Messages feature, see Folders and Message Expiration in "Quarantine" for instructions.
- To disable the Audit Messages feature (for reporting false positives and false negatives), see Users Reporting False Negatives and Positives in "End User Services" for information on how to enable and disable this feature.

Reduce the Quarantine messages and log data. Logs should not take up more than 10 GB of disk space.
- Empty the Deleted folder in the Quarantine. See Folders and Message Expiration in "Quarantine" for instructions.
- Change the expiration period for the messages in the Quarantine if necessary. This will vary depending upon your configuration. See Managing Folders in "Quarantine" for instructions.

- Change the log retention period if necessary. This will vary depending upon your configuration. For log retention periods, Proofpoint recommends seven days, especially for the hourly data. See Configuring Reports in "Logs and Reports" for instructions. Change the value for Retain Hourly Data to 7 days. Change the other parameters, Retain Monthly Data and Retain Daily Data, as needed.
- Check the value for the maximum number of table rows. See Configuring Reports in "Logs and Reports" for instructions. (By default, 500,000 is the maximum value for Maximum Rows, and it typically does not exceed 1,000,000.)

Remove previously installed versions of the software on both the master and agents. See Updating Modules and Upgrading System Software for instructions. If you used the Expire by Table method for the Quarantine folders, it is especially important that you remove previously installed versions of the software. See Updating Modules and Upgrading System Software for more information.

Automatic Database Check

During an upgrade, a check is run against the database on the current deployment before the upgrade continues. If problems are found, the upgrade attempts to repair the database. If no problems are found, or if the repair is successful, the upgrade continues. If the repair is not successful, you need to contact Proofpoint Technical Support so that the existing problems can be fixed before continuing the upgrade. Status messages for the database check and database repair are displayed continuously on the Upgrade Progress page, so that you can monitor the progress of the database utilities. Depending upon the size of your Quarantine, log database, and User Repository, a database check can take up to several hours to complete. At times you will not see status messages; this is normal.

Proofpoint recommends that you run a manual database check within nine days before an upgrade to expedite the upgrade process. If you reboot the systems in your cluster, the database check will need to be run again. For example, suppose you plan to upgrade the cluster on Saturday. On Monday you run a manual database check so that the upgrade on Saturday will complete in less time. If you reboot a system in the cluster on Wednesday, the status of Monday's manual database check is reset, so you will need to run a manual database check again before the upgrade.

Check Firewall Rules

Configure your firewall rules to ensure outbound access to the Proofpoint update service and inbound access from Proofpoint Technical Support.

Outbound firewall rules

Be sure to configure your firewall so that your servers can communicate outbound on TCP port 443 (HTTPS). See https://support.proofpoint.com/article.cgi?article_id= for information about the IP addresses that need to be reachable from your Proofpoint master and agents. For purposes of troubleshooting, SSH (TCP port 22) is used for copying files, such as configurations or logs used for problem determination and resolution, from a server to Proofpoint (ssh.proofpoint.com) or between your master and agents.

Inbound firewall rules

For purposes of troubleshooting, verify that Proofpoint Technical Support has inbound access to your servers over TCP port 22 (SSH). Limit that inbound rule to the Technical Support source addresses rather than opening port 22 generally. Also verify that your firewall does not have an "idle" timeout that could cause an SSH connection to be dropped. Our standard Technical Support IP addresses are , , and . If you have an appliance, these IP addresses are configured by default. See Host Firewall in "Appliance" for instructions.

Managing the System Upgrade Process The software required for a system upgrade is downloaded from the Proofpoint-hosted update servers. Once downloaded, the system upgrade is managed from the master Proofpoint Protection Server. The master server is responsible for preparing the servers in a cluster for upgrade, including a system check. The system check verifies the versions of the existing Proofpoint Protection Server software and operating systems on each server in the cluster. Once the master and agents pass the system check, the software is staged, making it ready for installation. After the systems have been prepared for installation, begin the installation process by clicking Upgrade on the Licenses and Updates > General page. Manage the remainder of the upgrade process from the Upgrade Progress page. All of the systems in a cluster appear on the Upgrade Progress page and are upgraded in this order: master, Quarantine Master, agent_one, agent_two, and so on. You can upgrade agents one at a time or simultaneously. When you upgrade multiple agents at a time, be aware that they will not be filtering during the upgrade. To ensure the continuous flow of mail during the upgrade, do not upgrade more than half the agents in a cluster at a time. Each system being upgraded in a cluster has its own Start Upgrade and Retry buttons. These buttons become available at the appropriate times during the upgrade process. For example, a Start Upgrade button will not display for an agent or agents until the master server and Quarantine Master have been upgraded, and a Retry button will not display unless a system fails to upgrade. Important: To upgrade to the latest version, the Proofpoint Protection Server or servers must have a specific release (or higher) installed. All systems in a cluster must be running the same version of the software.
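The ordering rule (master, then Quarantine Master, then agents) and the half-the-agents rule above can be planned in advance rather than decided batch by batch on the Upgrade Progress page. The Python planner below is an added example, not Proofpoint code; the host names are constructed sample data, and treating a cluster with a single agent as one batch of one (the half rule cannot be satisfied there) is an assumption.

```python
"""Rolling-upgrade batch planner for a Proofpoint Protection Server cluster.

Added example, not Proofpoint code. It encodes the ordering rules the guide
describes: the master first, then the Quarantine Master, then the agents, with
no more than half of the agents upgraded at once so the rest keep filtering
mail. Host names are constructed; a lone agent becoming a batch of one is an
assumption.
"""


def plan_upgrade(master, quarantine_master, agents):
    """Return the upgrade as an ordered list of batches (lists of host names)."""
    batches = [[master]]
    if quarantine_master:
        batches.append([quarantine_master])
    n = len(agents)
    batch_size = max(1, n // 2)          # never more than half the agents at once
    for i in range(0, n, batch_size):
        batches.append(list(agents[i:i + batch_size]))
    return batches


def filtering_capacity(batches, agents):
    """Fraction of agents still filtering while each batch is being upgraded."""
    total = len(agents)
    agent_set = set(agents)
    return [1.0 if total == 0 else (total - sum(h in agent_set for h in batch)) / total
            for batch in batches]


def respects_half_rule(batches, agents):
    """True when no batch takes more than half the agents offline."""
    return all(cap >= 0.5 for cap in filtering_capacity(batches, agents))


if __name__ == "__main__":
    cluster_agents = ["agent_one", "agent_two", "agent_three", "agent_four", "agent_five"]
    plan = plan_upgrade("master", "quarantine_master", cluster_agents)
    for step, (batch, cap) in enumerate(zip(plan, filtering_capacity(plan, cluster_agents)), 1):
        print(f"step {step}: upgrade {', '.join(batch)} ({cap:.0%} of agents still filtering)")
```

With five agents the planner produces batches of two, two and one, so at least three of the five agents keep filtering at every step; with an even number of agents exactly half stay up, which is the limit the guide sets.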
If you upgrade the software on the master, you must also upgrade the software on each agent in the cluster. System Upgrade Checklist It is important to review the information in the System Upgrade Checklist prior to upgrading the system software. The checklist helps ensure that you successfully upgrade the software on all of your Proofpoint Protection Server systems. Errors and Failed Upgrades If a master server or agent fails the system check and preparation phase, the system or systems will display in the Server Log panel on the Upgrade Progress page, but you will not be able to upgrade because the Start Upgrade button will not be available. Should a system fail to upgrade successfully, click the Retry button that appears for the failed master or agent. If clicking the Retry button does not successfully upgrade an agent, you can attempt to detach it and reattach it to the cluster after the upgrade process completes. However, reattaching an agent to a cluster can be a cumbersome process that will require the aid of Technical Support. Note: Proofpoint strongly suggests that you first try to troubleshoot a failed upgrade by reviewing the log files and with the help of Technical Support before you resort to detaching an agent or agents. In the case of a failed upgrade, you must revert an entire cluster to the previous version of the Proofpoint Protection Server software. You cannot revert a single server or agent; you can only retry upgrading them. When you revert an upgrade for an entire cluster, all the systems in the cluster revert to the previous version of the software, but not to the previous version of the operating system. Important: Revert an upgrade only if it appears to be a failure, and only as a last resort. Displaying and Saving Log Data Refer to the information that appears in the Server Log panel on the Upgrade Progress page to track down the reason for a failure.
The data that displays in the Server Log panel is saved to separate log files during an update or upgrade. The Log Level drop-down list provides these choices for displaying different levels of information about the progress of an update or an upgrade: Critical, Error, Info, Debug, and Trace. You can make a selection from the Log Level drop-down list during or after an update or upgrade. Data will display for the log level you selected and every level above that selection. For example, if you select Debug from the Log Level drop-down list, data for the Debug, Info, Error, and Critical logs will display. The log files are located in the proofpoint_root/var/log/update_upgrade directory. The logs for the updates are saved to a directory stamped with the day's date, indicating when the update occurred. If there are multiple updates in a single day, a new directory is created for each update. For example, update log, update log, and update log. The log files for the upgrades are saved to a directory that uses the version of the software you upgraded from and the version of the software you upgraded to. For example, pps x_4.5.6.y. The soft links current_upgrade and current_update point to the most recent corresponding directory. The log file or files for an update are saved using a timestamp, for example update-timestamp.log. The log file or files for an upgrade are saved using the hostname, port number, and instance for the filename, for example, ppsmaster _instance1.log. The log files are helpful in cases where you need to track down the reason for a failure or for viewing the details of an update or an upgrade after it completes. Click the Expand and Collapse icon to the left of the systems that appear on the Server Log panel to determine how much log information to display. Select a level from the Log Level drop-down list to display enough information to help locate the reason for the failure. Handling Databases and Log Files The Proofpoint Protection Server software determines if the database of your current installation is compatible with the database of the upgrade. If the database schemas are not compatible, the upgrade process will copy the database of your existing installation, making the data available should the upgrade fail and you need to revert to the current installation. If the Proofpoint Protection Server detects that the databases are compatible and have no schema changes, the current database is hard-linked to the upgrade database. If you need to revert an upgrade, the master server might lose some Quarantine data if the database files were copied as opposed to being hard-linked.
This happens if the master server or an agent starts to filter mail after being upgraded, and the messages are saved to the new Quarantine database, not the original database. When you revert to the original installation, the Proofpoint Protection Server once again starts saving data to the original database, which does not contain the messages that were filtered by the servers and agents and saved to the upgraded database. The data collected in the upgraded Quarantine is therefore not transferred back to the original Quarantine. Log files for your current installation, with the exception of archive log files, will be copied to the new Proofpoint Protection Server installation directory. Updating Modules and Upgrading System Software The System > Licenses and Updates > General page displays detailed information about the current versions and available versions for module updates, software patches, and system upgrades. Module updates refer to the following components: Spam MLX Engine. Spam MLX Definitions. Content Extraction Engine for the Extract Text Content feature. McAfee or F-Secure Antivirus Definitions. McAfee or F-Secure Antivirus Engine. Regulatory Compliance Module dictionaries and NPI identifiers. Zero-Hour Anti-Virus Engine. Proofpoint Protection Server Software Patch. System upgrades refer to the Proofpoint Protection Server software binaries. Important: System upgrades are only available through Proofpoint Technical Support. The Module Updates and System Upgrades tables display version information and current status for the modules and software binaries. You can check for module updates or system upgrades, download them, and deploy or install them from this page. Clicking Check for Updates in the Module Updates table or Check for Upgrades in the System Upgrades table will populate both tables with status information.
Clicking Download in either of these tables will also download modules and upgrades, if available, to the master Proofpoint Protection Server. While the modules and software patches can be installed automatically, you must manually start the upgrade process for the software binaries.
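To pull only the entries that matter out of the update logs described under Displaying and Saving Log Data, a small script can apply the same threshold the Log Level drop-down applies (the selected level and every level above it) to the files under the current_update soft link. The Python below is an added example, not Proofpoint code: only the level names, the proofpoint_root/var/log/update_upgrade location and the current_update link come from this guide, while the '<date> <time> <Level> <message>' line layout, the directory names and the sample entries are constructed for the example, and the product's actual log format may differ.

```python
"""Filter Proofpoint update logs by level, the way the Log Level drop-down does.

Added example, not Proofpoint code. Only the level names (Trace, Debug, Info,
Error, Critical), the proofpoint_root/var/log/update_upgrade location and the
current_update soft link come from the guide. The '<date> <time> <Level>
<message>' line layout, the directory names and all sample entries are
constructed; the product's real log format may differ.
"""
import os
import re
import tempfile

# Lowest to highest severity. Selecting a level shows it and everything above it.
LEVELS = ["Trace", "Debug", "Info", "Error", "Critical"]
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+) (.*)$")


def visible_levels(selected):
    """Levels shown when `selected` is chosen from the Log Level drop-down."""
    return LEVELS[LEVELS.index(selected):]


def filter_log(lines, selected):
    """Keep entries at `selected` level or above as (timestamp, level, message)."""
    keep = set(visible_levels(selected))
    entries = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m and m.group(2) in keep:
            entries.append(m.groups())
    return entries


def latest_update_logs(proofpoint_root):
    """Follow the current_update soft link and list the .log files inside it."""
    link = os.path.join(proofpoint_root, "var", "log", "update_upgrade", "current_update")
    target = os.path.realpath(link)
    return sorted(os.path.join(target, name)
                  for name in os.listdir(target) if name.endswith(".log"))


def entries_in_latest_update(proofpoint_root, selected="Error"):
    """Entries at `selected` or above from the most recent update's log files."""
    entries = []
    for path in latest_update_logs(proofpoint_root):
        with open(path) as fh:
            entries.extend(filter_log(fh, selected))
    return entries


def build_sample_tree():
    """Create a constructed update_upgrade tree in a temp dir; return its root."""
    root = tempfile.mkdtemp(prefix="pps_root_")
    base = os.path.join(root, "var", "log", "update_upgrade")
    # Two updates on the same day get separate directories; the later one is current.
    older = os.path.join(base, "update-20120210-020000")   # constructed names
    newer = os.path.join(base, "update-20120210-140000")
    os.makedirs(older)
    os.makedirs(newer)
    with open(os.path.join(older, "update-20120210-020000.log"), "w") as fh:
        fh.write("2012-02-10 02:00:01 Info Module update started\n"
                 "2012-02-10 02:00:40 Info Module update completed\n")
    with open(os.path.join(newer, "update-20120210-140000.log"), "w") as fh:
        fh.write("2012-02-10 14:00:01 Info Module update started\n"
                 "2012-02-10 14:00:02 Trace Polling Proofpoint-hosted update server\n"
                 "2012-02-10 14:00:05 Debug Downloading Spam MLX Definitions\n"
                 "2012-02-10 14:00:09 Error Checksum mismatch on downloaded module\n"
                 "2012-02-10 14:00:09 Critical Update aborted\n")
    os.symlink(newer, os.path.join(base, "current_update"))
    return root


if __name__ == "__main__":
    for ts, level, msg in entries_in_latest_update(build_sample_tree(), "Error"):
        print(ts, level, msg)
```

Against the constructed tree, selecting Error yields the Error and Critical entries of the afternoon update only; selecting Trace returns all five entries, matching the drop-down semantics above. Point `entries_in_latest_update` at a real proofpoint_root to use it on a live system, after adjusting `LINE_RE` to the actual line layout.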

The Update Progress and Upgrade Progress pages indicate the progress of an update or upgrade, respectively. You can determine the type and amount of data you would like to display about the progress of the update or upgrade from the Log Level drop-down list. When the process completes, an OK button and a message appear indicating that the update or upgrade was successful. See Managing the System Upgrade Process for instructions about how to view different levels of log data in the Server Log panel and how to access the log files. Your Proofpoint Protection Server must be activated to contact Proofpoint-hosted systems for version information and download capabilities. See Activating Updates and Managing Licenses for instructions. Checking and Deploying the Latest Module Updates To check for and deploy the latest module updates: 1. Click Check for Updates on the System > Licenses and Updates > General page. (When you click Check for Updates, the information is refreshed in both the Module Updates and System Upgrades tables.) If new definitions are available, they display in the Status column of the Module Updates table. 4. Click Download to download the latest module updates from the Proofpoint-hosted update servers to your Proofpoint Protection Server. (You cannot download newer versions of the modules from the management interface unless they are ready for download.) 5. Select the check box next to the modules or software patches you want to deploy. 6. Click Apply Update(s) to deploy the latest module updates or software patches. 7. Click OK to return to the System > Licenses and Updates > General page. Checking and Installing the Latest Software Upgrade System upgrades must be made available through Proofpoint Technical Support before you can download and install the software.
Once a system upgrade has been made available, you can actively download the software or wait for the software to be automatically downloaded along with the module and software patch updates. See Automatically Updating Modules and Software Patches for more information. When the Proofpoint Protection Server downloads a system upgrade, it immediately completes a system check and stages the software for installation on all the systems in a cluster. If the software has been automatically downloaded, you only need to click Upgrade to begin the upgrade or installation process. Important: Before starting the system upgrade process, verify that you have completed the tasks listed in the System Upgrade Checklist. The time required to upgrade the master Proofpoint Protection Server software in a cluster can vary widely. It can be affected by the size and complexity of the cluster, the amount of saved log data, and the number of messages in the Quarantine. To check for, download, and install the latest version of the Proofpoint Protection Server software: 1. Click Check for Upgrades in the System Upgrades table. (When you click Check for Upgrades, it refreshes the information in both the System Upgrades and Module Updates tables.) Note: If a system upgrade is available, the System Upgrades table is populated with information about the upgrade. If you are upgrading an appliance, the table is also populated with information about the Proofpoint Messaging Security Gateway operating system, which you cannot select. Selecting the software for download also selects the operating system for an appliance. 2. Click Download to download the latest software from the Proofpoint-hosted update servers to your master Proofpoint Protection Server. (You cannot download newer versions of the modules from the management interface unless they are ready for download.) 3. Once the download completes, select the check box next to the new version of the Proofpoint Protection Server software. Note: If you are running the Internet Explorer browser, the upgrade check box may not display in the browser. If this happens, click the "Server preparation and check phase completed successfully" message to continue the upgrade. 4. Click Upgrade to start the preparation phase of the upgrade. The Upgrade Progress page displays the progress of the system check and the upgrade process.

The upgrade process first completes a system check. The system check determines the version of the software, the version of the operating system, the amount of available memory, and the amount of disk space on all the systems in a cluster. The operating systems on the systems are upgraded (if necessary). Next, the master Proofpoint Protection Server pushes or stages the software to all the systems, preparing them for software installation. Note: If the system upgrade was downloaded automatically, the system check is completed twice: when the software is automatically downloaded and when you click Upgrade. 5. After the system checks are completed and the software is staged to the systems, click the Start Upgrade button on the Upgrade Progress page to begin the actual installation of the software. During an upgrade, a check is run against the database on the current deployment before the upgrade continues. If problems are found, the upgrade will attempt to repair the database. If no problems are found, or if the repair is successful, the upgrade will continue. If the repair is not successful, you need to contact Proofpoint Technical Support to fix the existing problems before continuing the upgrade. Database check and repair status messages are displayed on the Upgrade Progress page. If you are upgrading a cluster of systems, the Upgrade Progress page will display each system in the cluster, starting with the master server. The upgrade process will upgrade the systems in a cluster in this predefined order: master server, Quarantine Node, and then agent or agents. The Start Upgrade button appears for the server or agents that are available for upgrade. Once a system is upgraded, the Start Upgrade button becomes available for the next system in the predefined order. 6. When the upgrade process completes for all systems, a message indicates that the upgrade is complete.
Click the OK button to complete the upgrade process and return to the System > Licenses and Updates > General page. Related Topics: See About Licenses and the Dynamic Update Service for introductory information about the Update Service. See Activating the Dynamic Update Service for instructions on how to activate automatic updates. Activating Updates and Managing Licenses Activate the Dynamic Update Service and manage licenses on the System > Licenses and Updates > Licenses page. The Proofpoint modules that require licensing include Spam Detection, Regulatory Compliance, Digital Assets, Virus Protection, Zero-Hour, Proofpoint Smart Search, and Proofpoint Encryption. If you log in to the Proofpoint Protection Server and a license is due to expire within the next 30 days, a message displays in the status bar. This message includes the name of the module and the date its license will expire. If a license has expired within the last 30 days, a message indicates that the license has expired. If multiple licenses are due to expire or have expired, the messages that display in the status bar will not identify the modules, but instead will indicate that multiple licenses require attention. The messages for multiple licenses will continue to display until only one license requiring attention remains, at which point the module is identified. Important: You must contact Proofpoint to renew a license. See Creating Rules for Alerts in "Proofpoint Protection Servers" for information about sending out alerts for expired licenses. The Licenses page provides information about the activation status and licensing information. The Licensing Information table lists the following information: Module displays the module name. Status displays one of three status types: Licensed, Expired, or Not Installed. Expiration Date depending upon the status of the license, the Expiration Date column will display different information: - If the license is not installed, the column is empty.
- If the license is expired, a red expiration date displays. - If the license will expire within 30 days, the expiration date and a message indicating when the license will expire displays. - If the license will not expire within 30 days, the expiration date displays. Note provides a URL for contacting Proofpoint to renew the license.

Activating the Dynamic Update Service Administrators are required to activate the Dynamic Update Service for the appliance or master Proofpoint Protection Server in order to receive software and module updates from Proofpoint. To temporarily deactivate the Dynamic Update Service, click Deactivate and confirm. To activate the Dynamic Update Service, click Activate and enter your product activation key into the Proofpoint Activation ID field of the Activation pop-up window. Related Topics: See About Licenses and the Dynamic Update Service for introductory information about the Dynamic Update Service. See Updating Modules and Upgrading System Software for information about checking for the latest versions and Automatically Updating Modules and Software Patches for setting automatic update options. Automatically Updating Modules and Software Patches Administrators can automatically download and deploy the latest modules and Proofpoint Protection Server software patches as soon as new releases are available from Proofpoint. You can control which components to update automatically and how often to check (polling frequency) for updates. Note: System upgrades and software patches are only made available through Proofpoint Technical Support. However, if Technical Support has made a system upgrade available to you, the Proofpoint Protection Server will also automatically download the software at the same time it downloads the modules and software patches. The master Proofpoint Protection Server pulls any software that has been made available. There is no distinction made about whether the server is downloading system software patches, upgrades, or modules. Navigate to the System > Licenses and Updates > Settings page to change the polling frequency and select the modules that you want to update automatically.
The Polling Frequency is how often the Proofpoint Protection Server checks for the latest modules from the Proofpoint-hosted update servers. Save your changes when you are done. Note: Although setting the Polling Frequency is intended for modules and software patches, if a system upgrade is also available, the Proofpoint Protection Server will also download the upgrade. System upgrades are only made available through Technical Support. See Updating Modules and Upgrading System Software. Direct Agent Updates The Direct Agent Update feature allows agents to receive the latest module updates directly from the update servers in the case where they have lost contact with the Config Master. If the Config Master is temporarily off-line, the agents in a cluster will continue to receive the latest Spam MLX Engine, Spam MLX Definitions, and anti-virus definitions from the Dynamic Update Service. If you enable Direct Agent Updates, the period of time that an agent will wait for an update from the Config Master before the agent contacts the Dynamic Update Service directly is three times the Polling Interval. For example, if the Polling Interval is set to 5 minutes, an agent will contact the Dynamic Update Service if it does not receive an update from the Config Master for at least 15 minutes. Important: If you enable the Direct Agent Updates feature, you need to ensure the agents allow connectivity to the Proofpoint update servers. See https://support.proofpoint.com/article.cgi?article_id= for information about the ports and IP addresses that need to be accessible for the updates. Related Topics: See Activating Updates and Managing Licenses for information on how to use the Dynamic Update Service.

Viewing Update History The history of the module and software patch updates is displayed on the System > Licenses and Updates > History page. To view the history of previously installed versions of a system upgrade, see Updating Modules and Upgrading System Software. The Update History and Software Patch History tables display the names, versions, and timestamps for the modules and software patches that have been installed. Removing Previously Installed System Upgrades The Previously Installed System Upgrades table displays a list of software versions that have been installed on each system in a cluster. Remove old versions of the software to free up disk space. To remove old software binaries on a system, select the check box for the version in the Previously Installed System Upgrades table and click Delete. Note: The disk space in the Size column represents an estimate of the space used by old binaries and some shared files between a previously installed version and the current deployment. For this reason, deleting a previously installed version will not reclaim all of the space displayed in the Size column. Removing Previously Installed Patches Administrators can uninstall a patch that they have deployed. Uninstalling a patch is supported under the following circumstances: It is the last patch you installed. The patch must support the ability to be uninstalled; not all patches can be uninstalled. In the Module table on the System > Licenses and Updates > Settings page, the check box for Software Patches must be cleared (disabled). The patch is obsolete. The Operations column will display an Uninstall button for a patch if it can be removed. Viewing Configuration History When you make changes to the Proofpoint Protection Server parameters, the changes are tracked and saved in a log file.
When you are ready to deploy the configuration in a production environment, you can save the entire configuration as a set, or version. The Proofpoint Protection Server saves each configuration version, allowing you to roll back to any configuration version. In addition, if you automatically or manually update the Proofpoint Protection Server with the latest modules, virus definitions, or Proofpoint Protection Server software, a configuration version is automatically created for you. The System > Config History page displays the current configuration version being used by the Proofpoint Protection Server. Use this page to create a new version or to restore from the list of available versions. If you need to recover an entire system, see About Backup and Restore. The Current Configuration Version displays the following information about the current version: Date - the creation date of the current configuration version. Tag - a name for the group of configuration files that comprise the version. Created By - the name of the administrator who created the configuration version. Comment - a description for the configuration version. Restored On - if an administrator rolled back to a previous configuration version, the date and time stamp for that version displays in this field. Last Modified - this field indicates a timestamp for the last time configuration changes were made to the system.

Related Topics: See Creating a Configuration Version and Restoring to a Previous Configuration for information about these tasks. Creating a Configuration Version A version consists of several configuration files. When you make changes to the Proofpoint Protection Server parameters, you may or may not change every module. The system has an internal tracking method that keeps a history of the changes to each module. When you create a version, you are saving the configuration files as a group, and tagging the group with a version name. Later, you can restore the Proofpoint Protection Server to a specific point in the past by choosing a version that identifies the set of configuration files from that time. Note: A version is automatically created during a Proofpoint Protection Server software upgrade or module update. To create a configuration version, navigate to System > Config History. Under Create a Version, enter a name for the set of configuration files in the Tag field, enter a comment, and then click Create. The new version is added to the Restore Configuration table. Restoring to a Previous Configuration When you restore to a previous configuration, all the current configuration settings are overwritten with the settings from the version you selected from the list. To restore to a previous configuration, navigate to the System > Config History page. To view the available configurations, from the Restore Configuration table, select a choice from the Version Type drop-down list: All, System, or Custom. The Restore Configuration table is populated with the type of configurations you selected from the drop-down list. Select the version you want to restore in the Restore Configuration table, and click Restore Version.
About Backup and Restore For specific instructions on backing up and restoring the Proofpoint Protection Server, see the following topics: Backing Up the Proofpoint Protection Server Restoring the Proofpoint Protection Server For general information about backup and restore, read the information in this topic. Use the Backup and Restore feature for these tasks: Back up critical Proofpoint Protection Server data and configurations immediately or on a scheduled basis. View and manage the backed-up data. Restore the cluster from the backed-up data and configurations if necessary. The Backup and Restore feature provides a solution for recovering a Proofpoint Protection Server if the system has been severely impaired or requires replacement hardware. If you only need to revert to an earlier set of Proofpoint Protection Server configurations, see Viewing Configuration History. Proofpoint suggests that you create backups on a regular basis to ensure that your data is protected and your backed-up data is current. Create backups immediately on an as-needed basis when you make significant changes to the Proofpoint Protection Server software, for example, when you reconfigure parameters, complete a new LDAP import, or download and install a software update from Proofpoint. Proofpoint also recommends that after backing up the data, you copy the backup files to another system to ensure that you have the data available for recovery if the Proofpoint Protection Server should crash or become inoperable. The Proofpoint Protection Server backs up the following data: Dictionaries. Certificates. Server configurations - for example, parameters and attributes. If you have deployed Proofpoint Smart Search, the Smart Search configuration settings are backed up.

Lists of entries - for example, groups, safe senders, and blocked senders. List of Quarantine folders - folder names and settings are preserved, as well as the references to folders in rules. The User Repository. Saved reports. The sdconf.rec file, if you are using RSA SecurID for authentication. Appliance configurations: - DNS server. - Firewall settings. - Domain. Configurations such as lists and dictionaries created by the administrator for the Firewall, Spam Detection, Virus Detection, Digital Assets, and Regulatory Compliance modules are also backed up. The Proofpoint Protection Server does not back up the following data: System and Proofpoint Protection Server passwords. Data in the database - for example, messages in the Quarantine, or Smart Search index entries, if you have deployed Proofpoint Smart Search. Log files. Fully qualified instance name (FQIN) - for example, hostname-1000_instance1. Update history. Appliance configurations: - Hostname. - Network settings - IP addresses, gateway, and netmask. - sendmail settings. Note: Software patches for the Proofpoint Protection Server are not backed up. However, when you restore a backup configuration, a list of the patches you had installed will appear in the management interface. Downloading the backup files copies them from the Proofpoint Protection Server to your local system. Importing the backup files copies them from your local system to the Proofpoint Protection Server. You need to import backup configuration files if you are in the process of recovering a Proofpoint Protection Server configuration, or you need to import a backup configuration you previously deleted from the System > Backup and Restore page. The backup configuration you want to restore must be located on the Proofpoint Protection Server.
The Proofpoint Protection Server only allows you to restore a backup configuration with the same version of the currently running Proofpoint Protection Server software and operating system. However, you can restore configurations between the Linux operating systems and between different appliance models. If you have a cluster, you must add the agents back to the cluster after running a restore operation on the master. The agents must have the same IP addresses and hostnames they had when you created the backup configuration. The master server will not recognize the agents if their IP addresses and hostnames have changed. Backing Up the Proofpoint Protection Server Proofpoint suggests that you create backups on a regular basis to ensure that your data is protected and your backed-up data is current. Create backups immediately when you make significant changes to the Proofpoint Protection Server software. Proofpoint also recommends that after backing up the data, you copy the backup files to another system to ensure the data is available for recovery if the Proofpoint Protection Server should crash or become inoperable. Backing Up Data Immediately To back up data immediately, navigate to the System > Backup and Restore page, enter a backup description into the Comment field, and click Create Backup.

The backup completes almost immediately as evidenced by the data that appears in the Backup and Restore table. There is no limit to the number of immediate backups you can create. Unlike scheduled backups, the backups created on an as-needed basis are not deleted after they reach a certain number. Creating a Backup Schedule To create a backup schedule, make a selection from the Backup Schedule drop-down list and save your changes. Daily backups are created at 2:00 A.M. local time. Weekly backups are created on Sundays at 2:00 A.M. local time. Just like immediate backups, the scheduled backups populate the Backup and Restore table. The Comment column indicates whether they are Daily Scheduled Backup or Weekly Scheduled Backup. The Proofpoint Protection Server retains a maximum of 14 backup configurations. The oldest backup configuration is automatically deleted prior to beginning another scheduled backup. Downloading Backup Configurations to Your Local System To copy a backup configuration to your local system, select the configuration and click Download. You will be prompted for a name and location for the backup configuration. Check the location you selected during download to make sure the backup configuration was successful. Important: Proofpoint strongly recommends that you regularly download the backup configurations to your local system to ensure that you have the data stored in a safe place and available for recovery. Related Topics: See About Backup and Restore for general information and a list of what is backed up and what is not backed up. See Restoring the Proofpoint Protection Server for information on how to restore the system from a backup version. Restoring the Proofpoint Protection Server The backup configuration you want to restore must be located on the Proofpoint Protection Server.
The Proofpoint Protection Server only allows you to restore a backup configuration with the same version of the currently running Proofpoint Protection Server software and operating system. However, you can restore configurations between the Linux operating systems and between different appliance models.

Data restored from a backup will overwrite and remove any existing data on the server.

Sequence of tasks for restoring a Proofpoint Protection Server:
1. Install the Proofpoint Protection Server software on a replacement system.
2. Make sure you have copies of the backup configuration files on the replacement system.
3. Log in to the Proofpoint Protection Server as admin.
4. Import the backup configuration you want to use for restoring the Proofpoint Protection Server to its original configuration.
5. Restore the configuration of the Proofpoint Protection Server.

Importing a Backup Configuration

To import a backup configuration to the Proofpoint Protection Server from your local system, navigate to the System > Backup and Restore page and click Import Configuration. In the Import Configuration File pop-up window, enter the full path and filename of the backup configuration or browse to its location and double-click its name, and click Import.

Restoring a Backup Configuration

When you first initiate the restore process, you can decide whether or not you also want to restore the agents. To restore a backup configuration, select the check box next to the backup configuration you want to restore, click Restore Backup, and confirm.

Important: Be sure to update the Spam MLX and Anti-virus definitions after the restore and before you restart the server.

Related Topics:
See About Backup and Restore for general information about this feature.
See Backing Up the Proofpoint Protection Server for information on creating a system backup.

Downloading the System Data File

The system data file contains configuration information about the appliance and Proofpoint Protection Server software to assist Proofpoint Technical Support when troubleshooting a reported problem. When you open a call using CTS, please include the system data file to help expedite a solution to the problem. The system data file includes the system data for all of the systems in a cluster.

The Log Collection Service is another option for transferring system data to Proofpoint Technical Support. The Log Collection Service gathers system data from a single server in the cluster and transfers the data automatically to Proofpoint Technical Support. Refer to the Reference Guide for information about the Log Collection Service.

To download and save the system data file, navigate to the Help > Tools page and click Download. Save the data file in a location that you can easily access in order to include a copy of the file when you open a CTS call.

Note: It can take a few minutes to gather the information for the data file.

The following information is collected for the system data file:
- Core files.
- Warnings and errors in all relevant log files. The /etc/filter.cfg and /instance/etc/filter.cfg files are reviewed for inconsistent rules and routes.
- The Proofpoint Protection Server software and appliance configuration settings.
- The sendmail, NTP, and DNS configuration files.
- Log files for the Proofpoint Protection Server and appliance.
- The sendmail log files.
- The current status of the operating system.
- A summary of the current filter.log message entries, including message count and size, attachment count and size, and message processing duration.
- Quarantine folder information.
- Lists of groups and group members.

Testing Network Connectivity

Test the network connection for the appliance or Proofpoint Protection Server to verify it is communicating with the hosts it is configured to use.

To test the network connection for the appliance or Proofpoint Protection Server:
1. Navigate to the System > Diagnostics > Connectivity page.
2. If you have a cluster, select the server for which you want to test connectivity from the Server drop-down list.
3. If necessary, enter either the IP address or hostname of the system or systems to which you want to connect in the Connect To (IP Address/Hostname) text box. (A default list is already defined, which you can replace or modify if necessary.)
4. Click Test.

For each IP address or hostname entered in the Connect To field, a report displays next to the Result parameter. If no connection was made, the report states that the address is not accessible. If a connection was made, the report states that the address is accessible and provides more information about packets, the traceroute, and port availability. Click Flush DNS Cache to clear the resulting data from the display.

Testing the Connection

Test the connection for the appliance or Proofpoint Protection Server to verify it is properly communicating with your mail server or to troubleshoot connection problems.

To test the connection to the mail server:
1. Navigate to the System > Diagnostics > page.
2. If you have a cluster, select the server for which you want to test the connection from the Server drop-down list.
3. Fill in the fields on the page. Some of the fields are optional. If you do not enter information for a specific server into the SMTP Server field, the test will use the local SMTP server. Click Test when you are done.

The results of the test display under Result. If the test was successful, an excerpt from a sendmail log displays a report of the negotiation between the Proofpoint Protection Server and the mail server MTA. If the test was not successful, a descriptive error message displays.

Testing LDAP to sendmail Connectivity

Many organizations use LDAP for addresses and routing information.
The LDAP to sendmail connectivity test determines if sendmail can connect to the LDAP server successfully. To use the LDAP to sendmail connectivity diagnostic test, navigate to the System > Diagnostics > Sendmail LDAP page. Enter an address into the Lookup Address field and click Test. The page displays the results for the connectivity test.

Note: Before you test sendmail connectivity you must configure the settings on the Appliance > SMTP Settings > LDAP Routing page for your organization. The screen shot below illustrates the changes that you need to make to the fields to reflect the settings for your organization.

Reviewing the System Status

The System > Diagnostics > System Status page reports information about the status and performance of the appliance or Proofpoint Protection Server. If you have a cluster, select the server for which you want to review the system status from the Server drop-down list before you click Test. The results of the system status test display under System Status Report.

To reset the service LED on the appliance, click Reset System Event Log.

Chapter 5 - Accounts and Passwords

About Administration Privileges

The Proofpoint Protection Server supports these administration privileges:

Root Administrator - the root administrator:
- has access to all of the licensed Proofpoint Protection Server modules, including Administrators Management privileges.
- can create new administrators of any level (root, super administrators, and administrators) and assign access to the Proofpoint modules.
- can view, log out, delete, and modify other administrators.
- can "unlock" any administrator who has been locked out of the management interface because of repeated login failures.

Super Administrator - the super administrator:
- can only be created by a root administrator.
- has Administrators Management privileges.
- can only create other administrators.
- can only give access to the licensed modules that he or she also has access to.
- cannot view, log out, delete, or modify other super administrators or root administrators.

Administrator - the administrator:
- is created by the root administrator or the super administrator.
- cannot view, create, or modify other administrators.
- can only view or have access to the licensed modules or folders in the Quarantine and DLP Incidents that were granted when the account was created.

The Proofpoint Protection Server is configured by default with one account with Administrators Management privileges - the login name is admin and the password is what you determine at the time you installed the Proofpoint Protection Server software or set up the appliance.

When administrators with Administrators Management privileges log in to the Proofpoint Protection Server, the Administrators link is available to them, and they have access to the configuration parameters for all other administrators for the system.
Viewing the Administrator List

Use the Administrator > Administrators page to view current administrators, view administrators (super-users) who have permission to add and delete other administrators, and change the information for an existing administrator.

Important: The Administrators page is only available to root administrators and super administrators. Both have Administrators Management access under Managed Modules.

Current Session - notes the date and time the administrator logged in to the Proofpoint Protection Server. If more than one administrator logged in with the same account information, each session for that user displays in this column.

Logout - for each administrator that is currently logged in to a session of the management interface, the Logout button displays under Current Session. You can log an administrator out of a session by clicking Logout.

Unlock - if an administrator is locked out of the management interface because he or she entered an incorrect password, you can allow them access by clicking Unlock.

Access Icons - icons in the administrator list identify each account as a root administrator, a super administrator, or an administrator.

Adding and Deleting Administrators

Only administrators with Administrators Management privileges can add or delete Proofpoint Protection Server administrators on the Administrator > Administrators page. See About Administration Privileges for detailed descriptions of administrator types.

When you create a root administrator, all of the Managed Modules disappear because the root administrator has access to everything. When you create an administrator with Administrators Management access, you are creating a super administrator.

To add an administrator, click Add Administrator and fill in the fields in the Add Administrator page. Most of the fields are self-explanatory. Fields that require more description are included here:

Administrator ID - enter the identification name for the administrator. Alphanumeric characters, periods, and dashes are allowed; you cannot use spaces or special characters, and the ID is case-sensitive. This is the name you enter into the Proofpoint Protection Server login screen.

Password - enter the administrator password, and then confirm it in the Re-type Password field. If you have password policies in place, you must adhere to them when entering a password. If the password does not adhere to the password policy, you will see an error message when you click Add Administrator.

Note: The default password policy requires at least seven characters, a mix of digits and letters, and at least one special character.

Change Password On Next Logon - click the On radio button if you want to force administrators to change their password each time they log in to the management interface.

Name - enter the name of the administrator. Alphanumeric characters and periods are allowed. The following special characters are not allowed: " $ ! % & ( ) [ ] { } \ / ^ ~ ` = # * : ; < > ?

Enter an address, telephone number, and comment for the administrator, if applicable.

Managed Modules - for each administrator you add, you can control the administrator's access to the modules. For each administrator, select the check boxes to add view access and administrative privileges for specific modules. Module names that are not licensed appear in italics and are only visible to the root administrator. Modules that are not checked for an administrator are not visible when he or she logs in to the Proofpoint Protection Server. When you select Quarantine or DLP Folders in the Managed Modules table, you have the option of limiting the administrator's access to the folders in the Quarantine or in the Incident Queue. See Folder Access Control in this topic.

Important: If you check the Administrators Management box, the administrator is able to modify the other administrators' privileges. This is a super administrator.

Each module in the Managed Modules list corresponds to the same module in the navigation pane, except where noted here:
- System: controls Settings, Policy Routes, and Custom Modules.
- Server Management: controls Servers, Services, Update Service, Config History, and Backup and Restore.

Click Add Administrator to save your changes.

To delete an administrator from the list, select the administrator, click Delete Administrator, and confirm.

Important: If there is only one administrator on the list, you will not be able to delete it, because you cannot delete the only administrator who has Administrators Management privileges.

Note: You can delete several names at a time. You cannot "undo" a deletion.
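As an added illustration of the Administrator ID, Name, and default password policy rules described above (this is not Proofpoint's own validation code), the following Python checks a proposed account before it is submitted; the function names are my own, and treating any ASCII punctuation character as a "special character" is an assumption, since the page does not define the term.

```python
import re
import string

# Characters the Name field does not accept, exactly as listed on this page.
NAME_DISALLOWED = set('"$!%&()[]{}\\/^~`=#*:;<>?')

# Administrator ID: letters, digits, periods and dashes only; no spaces,
# no other special characters. The ID is case-sensitive, so no folding here.
ADMIN_ID_RE = re.compile(r"^[A-Za-z0-9.\-]+$")


def validate_admin_id(admin_id: str) -> list:
    """Return a list of problems with the Administrator ID (empty means acceptable)."""
    problems = []
    if not admin_id:
        problems.append("Administrator ID must not be empty")
    elif not ADMIN_ID_RE.match(admin_id):
        problems.append("Administrator ID may contain only letters, digits, periods and dashes")
    return problems


def validate_name(name: str) -> list:
    """Reject any of the special characters the Name field does not allow."""
    bad = sorted({c for c in name if c in NAME_DISALLOWED})
    return [f"Name contains disallowed character(s): {' '.join(bad)}"] if bad else []


def validate_password_default_policy(password: str) -> list:
    """Check the default policy: at least seven characters, a mix of digits and
    letters, and at least one special character (assumed: ASCII punctuation)."""
    problems = []
    if len(password) < 7:
        problems.append("password must be at least seven characters")
    has_digit = any(c.isdigit() for c in password)
    has_alpha = any(c.isalpha() for c in password)
    if not (has_digit and has_alpha):
        problems.append("password must mix digits and letters")
    if not any(c in string.punctuation for c in password):
        problems.append("password must contain at least one special character")
    return problems


def check_new_administrator(admin_id: str, name: str, password: str) -> dict:
    """Collect every problem for one Add Administrator submission, keyed by
    field; an empty dict means the submission passes all three checks."""
    report = {
        "admin_id": validate_admin_id(admin_id),
        "name": validate_name(name),
        "password": validate_password_default_policy(password),
    }
    return {field: probs for field, probs in report.items() if probs}


if __name__ == "__main__":
    # Constructed sample submissions, not real accounts.
    samples = [
        ("sec.officer-1", "Security Officer", "Tr0ub4dor!x"),
        ("sec officer", 'Pat "Sec" Lee', "abc1234"),
    ]
    for admin_id, name, password in samples:
        print(admin_id, check_new_administrator(admin_id, name, password) or "OK")
```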

Folder Access Control

When an administrator with full Administrators Management privileges creates an account for another administrator, he or she can control which Quarantine folders the new administrator can view and manage. When you select Quarantine in the Managed Modules table, you will see a list of Available Folders and Allowed Folders. By default, the new administrator has access to all of the folders. All of the Quarantine folders are listed in the Allowed Folders list. To limit access to specific folders, you must move the folders you do not want the administrator to have access to from the Allowed Folders list to the Available Folders list. The new administrator will only be able to view and manage messages in the folders left in the Allowed Folders list.

For example, if you create an account for the security officer in your organization and move all of the folders except the Asset and Regulation folders from the Allowed Folders list to the Available Folders list, the security officer will only be able to view and manage messages in those two folders.

The following list describes how Quarantine Folder Access Control is implemented:
- Root administrators and super administrators with Administrators Management privileges have access to all of the folders in the Quarantine. By default, this is the admin account. You cannot restrict Quarantine or DLP folder access for root administrators or super administrators.
- You can only restrict DLP folder access for administrators who do not have access to the Groups and Users Managed Module.
- Administrators with Administrators Management privileges have access to all of the folders in the Quarantine. By default, this is the admin account.
- When you add an administrator and select Quarantine under Managed Modules, by default the new administrator has access to all of the folders in the Quarantine.
- To limit access to specific Quarantine folders, select the folders to which you do not want to grant access in the Allowed Folders list and move them to the Available Folders list. Click Add Administrator when you are done.
- An administrator with limited folder access is not allowed to add any other administrators.
- An administrator with limited folder access is not allowed to add or delete folders from the Quarantine. The Add and Delete links are not available on the Quarantine > Folders page. The All check box is not available on the Quarantine > Folders page.
- When an administrator with limited folder access creates a rule, the administrator will only see the Quarantine folders to which he or she has access on the Rule page. An administrator with limited folder access will not be able to create a Quarantine folder from the Rule page.
- When an administrator with limited folder access edits an existing rule, he or she will not be able to change the folder to which the quarantined messages are sent.
- The End User Services > Filters > Folders page will not include the Folders for administrators with limited folder access.
- The all selections choice is removed from the list of Quarantine folders on the Quarantine > Messages page for administrators with limited folder access.
- The New Folder choice is removed from the Folder list on the Quarantine > Messages page for administrators with limited folder access.
- The Deleted folder is not accessible to an administrator with limited folder access.

Changing Administrator Parameters

Administrators with Administrators Management privileges can change account information and folder access control for other administrators. Navigate to the Administrator > Administrators page and click the name of the administrator to change his or her account information. See Adding and Deleting Administrators for details on folder access control and password syntax.

Changing Account and Password Information

As an administrator, you can change your password, name, and contact information, regardless of your administration privileges. However, you cannot change your access control. To change your password and contact information, navigate to Administrator > Account and Password and change the information in the fields. Save your changes when you are done.

Important: If password policies are in effect, you must adhere to these policies for your new password to be accepted by the system.

Administrator Password Policy

The Administrator > Password Policy page displays password policies created on the Groups and Users > Password Policies page and the authentication profiles created on the Groups and Users > Import/Auth Profiles page.

Select the password policy from the list that you want to apply to the Proofpoint administrators, and then click Save Changes. To create additional password policies, click the Manage Password Policies link to take you to the Groups and Users > Password Policies page.

Select the authentication profile from the list that you want to apply to the Proofpoint administrators, and then click Save Changes. To create additional authentication profiles, click the Manage Authentication Sources link to take you to the Groups and Users > Import/Auth Profiles page.

Note: The No Authentication Allowed choice means the administrator will not be allowed to authenticate at all - for example, if an administrator leaves your organization you can select this choice to "lock" the administrator out of authentication on the Proofpoint Protection Server.

Chapter 6 - Logs and Reports

Log Concepts

The log files from the agent systems are periodically transferred to the master Proofpoint Protection Server, also known as the Log Database Transfer Host. The Log Database Transfer Host (or Config Master) loads the log files into a database and maintains these tables: raw log file data from each Proofpoint Protection Server system, hourly aggregated data, daily aggregated data, and monthly aggregated data. The aggregated data is available for generating reports.

The Log Database Transfer Host provides these logs:
- Filter - log of events generated by the filtering engines.
- Command Processor - log of messages that are processed as a result of the end users making requests from their End User Digests.
- MTA - log of messages processed by sendmail. The events are collected from /var/log/maillog.
- Regulatory Compliance - events generated by this module.
- Digital Assets - events generated by this module.
- Proofpoint Encryption - events generated by this module.

Log concepts are illustrated in the following diagram.

Each agent in a cluster runs a script named logprexfer.sh that prepares the agent log files for transfer. The master Proofpoint Protection Server runs a script named logcollector.sh that pulls the log files from the agents at specified intervals. It then uses the logparser.sh script to parse the log data into CSV files and the logloader.sh script to load the CSV files into the master log database. For each Proofpoint Protection Server in the cluster, the log files are maintained in the directory ${PROOFPOINT_ROOT}/var/spool/logxfer.

You can configure the Proofpoint Protection Server to keep "old" log files in an archive for specified periods of time. For example, the default archival period is 14 days. After 14 days, old log files are removed from the Proofpoint Protection Server database, freeing up disk space. You can change the archival period to shorter or longer periods of time.

The log files for each agent in the cluster are segregated into directories named with the agent's fully-qualified instance name (fqin) and a timestamp. For example, the directory location for the archived log files for an agent named <fqin2> would be ${PROOFPOINT_ROOT}/var/spool/logxfer/<fqin2>_filter/<time stamp>

The Log Database Transfer Host (master Proofpoint Protection Server) rolls over the raw log data tables periodically to prevent the tables from getting too large. When a rollover takes place, the existing raw data tables are renamed with a timestamp, creating new empty tables for storing the new incoming data. The frequency of the rollover event can be configured, and it depends upon the maximum number of rows of data that you want to keep in the database tables.

You need to configure the following parameters:
- Enable the log feature for every Proofpoint Protection Server (master and agent systems) and determine which events to capture in the log, using the Logs and Reports > Log Settings page.
- Determine the retention period for archiving log files for every Proofpoint Protection Server.
- Determine how many rows of data in the message table to maintain, and how long to retain the hourly, daily, and monthly tables of aggregated data on the master Proofpoint Protection Server, by configuring the parameters on the Logs and Reports > Report Settings > General page.
- Determine which mail host to use for sending alerts, who should receive the alerts, and which categories of alerts to send on the master Proofpoint Protection Server.

Reporting Concepts

You can generate reports for system statistics, statistics for any of the modules, classifications, rules, and message dispositions. Every report represents data captured for a specific period of time.
Reports fall into these categories:
- Time-series plots - line graphs that typically display performance or trends over a period of time. In these graphs, the x-axis is always depicted in increments of time - hours in a day or days in a month.
- Aggregated data plots - bar charts or pie charts that represent an aggregation of data over a period of time. In these charts, the x-axis is depicted as anything except time - for example, types of viruses, domain names, message dispositions, or top 10 domains that send to your organization.
- Saved reports - if you find that you repeatedly use the same report, you can add it to your Saved category for easy access in the future.

The report configurations on the master Proofpoint Protection Server apply to the data used for creating reports. Log files are collected from the agent systems in the cluster and pushed to the master Proofpoint Protection Server.

You can configure the following options:
- The hostname for the system maintaining the centralized log database.
- The maximum number of rows to maintain in the recipients table in the database. This number determines how often the database rolls over, freeing up space for more data.
- Retention periods for raw, hourly, daily, and monthly log data.
- Reporting the top spam senders and top adult spam senders.
- Reporting trends by a specific spam policy.

The log database maintains these data tables:
- Raw data tables that contain unprocessed data.
- Tables that store data aggregated by the hour for the Proofpoint Protection Servers.
- Tables that store data aggregated daily for the Proofpoint Protection Servers.
- Tables that store data aggregated monthly for the Proofpoint Protection Servers.

The aggregated data is available for generating reports.

Note: Reports do not display data in real time. The minimum granularity is hourly and data is updated once per hour.

System Reports

System reports are specific to overall Proofpoint Protection Server performance and frequency of message traffic. For example, how many messages are processed by the system and how long it takes to process each message. Other examples are volume of messages by envelope criteria such as senders, domains, and recipients.

Firewall Module Reports

The Firewall reports display the number of messages that are blocked, delivered, or processed by envelope criteria. The Firewall Module does not "score" messages like the Spam Detection Module. The reports display the number of messages that have specific rules applied to them and the final dispositions for the messages.

Virus Protection Module Reports

The Virus Protection reports are specific to the Virus Protection Module. Messages containing viruses are tracked by type of virus, volume of messages containing virus infections, how these messages are classified, and how they are processed (disposition).

Zero-Hour Module Reports

The Zero-Hour reports are specific to the optional Zero-Hour Anti-Virus Module. These reports summarize trends, top rules that are triggered, threat levels, and number of confirmed viruses intercepted before an updated virus signature was distributed.

Spam Detection Module Reports

Spam reports are specific to the Spam Detection Module. For example, how many messages do not contain spam, contain spam, are likely to contain spam, or not likely to contain spam, and how many are delivered, quarantined, or rejected with a message to the original sender. Many layers of granularity are available to administrators for spam reporting. For example, you can create a report that displays the trends for spam rules triggered by a specific policy. Or you can specify the score range for reporting on the number of messages that scored within that range over time.

Regulatory Compliance Module Reports

The Regulatory Compliance Module reports help administrators track the senders who most frequently send messages containing private information (HIPAA, PHI, and NPI) and the trends for which rules are triggered. The Compliance Incident Manager (Regulatory) report allows administrators to create a report that summarizes compliance violations.

Digital Assets Module Reports

The Digital Assets Module reports help administrators track the senders who most frequently send messages containing information that is confidential to your organization, and the trends for which rules are triggered for this module. The Compliance Incident Manager (Digital Assets) report allows administrators to create a report that summarizes content security violations.

Proofpoint Encryption Reports

The Proofpoint Encryption reports track inbound and outbound messages that are encrypted. Administrators can gather data about rules that trigger encryption and message encryption trends.

Saved Reports

Each time you customize a report, you can save it so that the settings are preserved. Your saved reports display on the Saved page.

Log Configuration Settings

Each Proofpoint Protection Server maintains log files to capture system events. For every Proofpoint Protection Server on the network, configure the system logging settings on the Logs and Reports > Log Settings page.

Make selections from the following system log settings:

Log File Level - this is the level of events that you wish to collect in the log file for reporting purposes. For practical purposes, not every log level is visible in the management interface for the Log File Level. The levels are organized from least to most information in the log file. The recommended choice is Information when you are testing the system and Reporting when the system is working as expected.

Retain Log File For - enter a number for the days that you want to retain (keep) log files on the system. This parameter applies to consolidated logs from all of the agents for the filtering engines (filter) and messages processed by sendmail (MTA).

Syslog Enable - enable (or disable) the capturing of events in the UNIX syslog.

Syslog Level - if Syslog Enable is enabled, captures events in the UNIX syslog. These include Emergency, Alert, Critical, Error, Warning, Reporting, Note, Information, Debug, and Trace.

Syslog Facility - if Syslog Enable is enabled, captures events in the UNIX syslog facility. These include daemon, syslog, user, mail, and local0 through local7.

Syslog Host - the IP address or hostname of an external system with a syslog listener which is set up to archive the logs from this system.

Click Save Changes when you are done.

Note: For the Log File Level and the Syslog Level, the system log setting you select applies to that level and above. For example, if you select Warning for the Log File Level choice, the events of type Warning and above - that is, Warning, Error, Critical, Alert, and Emergency - are captured.

Viewing and Searching the Logs

The Logs and Reports > Log Viewer page displays detailed information for these logs:
- The Filter log lists activity generated by the filtering engines.
- The Command Processor log displays activity generated by End User Digests.
- The MTA log lists messages passed from sendmail to the Proofpoint Protection Server for filtering. (This log applies only to an appliance.)
- The Regulatory Compliance log displays events generated by the Regulatory Compliance Module. (Displays only if you installed the optional Regulatory Compliance Module.)

- The Digital Assets log displays events generated by the Digital Assets Module. (Displays only if you installed the optional Digital Assets Module.)
- The Proofpoint Encryption log displays events generated by Proofpoint Encryption.

Viewing Logs

To view a log for a Proofpoint Protection Server:
1. Select the name of the Proofpoint Protection Server from the Server drop-down list.
2. Select the log you want to view from the Log File Type drop-down list.
3. Select a value from the Lines drop-down list. This is the number of entries you want to display at a time. The Entries drop-down list adjusts according to the number you select in the Lines list. For example, if you choose 200 for Lines, the Entries list choices are 0-200, , , and so forth.
4. If you want to view only one log level, select the level from the Level drop-down list.
5. Select either Descending Date or Ascending Date from the Order drop-down list to view the entries by date in descending or ascending order.
6. Use the navigation buttons to scroll through the log file.

Important: The displayed log entries are controlled by the log retention period (the Retain Log File For parameter on the Logs and Reports > Log Settings page). You can display log entries with older timestamps by selecting the Include Old Log Files check box, but it will slow down the management interface response considerably.

Searching Logs

You can search any log for specific entries and highlight the entries of interest. When you use these two features together you can easily narrow down the search for specific items in the log and highlight the entries for ease of viewing. The search facility uses the same syntax as the UNIX grep command, which accepts regular expressions. For example, administrators can search the log for sender addresses, recipient addresses, message IDs, or rules that have been triggered.
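Two behaviours described in this chapter, the "that level and above" rule for Log File Level and Syslog Level, and the grep-style Find/Highlight search, as an added Python example that is not part of the original guide or of the Proofpoint software; the sample log lines are constructed for the example, and their key=value layout (level=, mod=, id=, cmd=) is an assumption, not the real filter log format.

```python
import re

# Severity order as listed under Syslog Level on this page, most severe first.
LEVELS = ["Emergency", "Alert", "Critical", "Error", "Warning",
          "Reporting", "Note", "Information", "Debug", "Trace"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def captured(event_level: str, selected_level: str) -> bool:
    """True if an event at event_level is kept when selected_level is chosen:
    the selected level itself plus everything more severe than it."""
    return RANK[event_level] <= RANK[selected_level]


def filter_by_level(lines, selected_level):
    """Keep only lines whose level is at or above the selected level.
    The level is assumed to appear as a 'level=<Name>' token (constructed format)."""
    kept = []
    for line in lines:
        m = re.search(r"\blevel=(\w+)", line)
        if m and m.group(1) in RANK and captured(m.group(1), selected_level):
            kept.append(line)
    return kept


def search_log(lines, find_pattern, highlight_pattern=None):
    """grep-style search: return the lines matching find_pattern (a regular
    expression); if highlight_pattern is given, wrap each of its matches in [[ ]]
    the way the Highlight field marks entries of interest."""
    find_re = re.compile(find_pattern)
    hl_re = re.compile(highlight_pattern) if highlight_pattern else None
    results = []
    for line in lines:
        if not find_re.search(line):
            continue
        results.append(hl_re.sub(lambda m: f"[[{m.group(0)}]]", line) if hl_re else line)
    return results


# Constructed sample lines (not real Proofpoint log output) following a message
# with id=abc123 through the filtering stages, plus one unrelated message.
SAMPLE_LOG = [
    "2012-02-01T10:00:01 level=Information mod=session id=abc123 from=alice@example.net",
    "2012-02-01T10:00:02 level=Information mod=service id=abc123 rule=virus_check",
    "2012-02-01T10:00:02 level=Warning mod=service id=abc123 cmd=action action=quarantine folder=Virus",
    "2012-02-01T10:00:03 level=Debug mod=service id=xyz789 rule=spam_score score=12",
    "2012-02-01T10:00:04 level=Error mod=mail id=xyz789 cmd=action action=reject",
]


def trace_message(lines, message_id, selected_level="Information"):
    """Combine both features to trace one message: keep lines at the selected
    level and above, find the message by id, and highlight the action taken."""
    visible = filter_by_level(lines, selected_level)
    return search_log(visible, rf"\bid={re.escape(message_id)}\b", r"cmd=action")


if __name__ == "__main__":
    for line in trace_message(SAMPLE_LOG, "abc123"):
        print(line)
```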
This feature is useful for tracing the path of a message through the Proofpoint Protection Server's filtering engines.

To search for and highlight an entry or a pattern:
1. Enter a word, number, or pattern into the Find field (for example, mod=service).
2. Enter a word, number, or pattern into the Highlight field (for example, cmd=action).
3. Click Search.

Note: You can also copy and paste items into the Find or Highlight fields.

Configuring Reports

Use the Logs and Reports > Report Settings > General page to determine data retention periods, how often to roll over the database, and how to present spam reporting.

To configure the Report Configuration settings:
1. Make selections or enter data for the following parameters:

Route Based Report - this table contains Policy Route log data for each message, and is not proportional to the number of filtered messages. For example, one message can belong to multiple routes. Select one of the following settings from the menu:
- Disable. You will not have access to route-based reports or data for export.
- Enable for log data export only. You will be able to export the log data corresponding to these reports but you will not be able to view the reports.

- Enable full reporting. You will be able to export the log data and view or publish the reports.

Maximum Rows - defines the maximum number of rows of data you want to keep in the database. A large number in this field will cause the database to roll over less frequently. A small number in this field will cause the database to roll over more frequently.

Retain Hourly Data For - select a time period from the drop-down list for maintaining aggregated statistical data by the hour.

Retain Daily Data For - select a time period from the drop-down list for maintaining aggregated statistical data on a daily basis.

Retain Monthly Data For - select a time period from the drop-down list for maintaining aggregated statistical data on a monthly basis.

Report Spam Sender If Spam Score Is Over - enter a value into the field. This feature allows you to define which policies to use to define spam. For example, if you enter 80, the Top Spam Senders report will include the senders who sent messages that scored 80 or above.

Report Adult Spam Sender If Adult Spam Score Is Over - enter a value into the field. This feature allows you to define which policies to use to define spam. For example, if you enter 80, the Top Adult Spam Senders report will include the senders who sent messages that scored 80 or above for adult spam.

Spam Classification Trend Report Uses Policy - select a spam policy from the list. The spam policies that you create display as choices in this list. When you create a Spam Classification Trends report, the report reflects the spam trends for the policy you select here.

Average Messages per Connection - this parameter defines how many messages per connection to use for the Message Distribution and Message Distribution Trends reports. These reports provide visibility into the number of messages blocked at the connection level. The Average Messages per Connection parameter is a configured assumption since there is no way of knowing how many messages were actually associated with a blocked connection. The Global Message Summary and Global Message Trends reports provide overall high-level visibility into the mail flow including messages blocked at the connection level as well as messages accepted and filtered. For example, if you set the Average Messages per Connection parameter to 3, and the Proofpoint Protection Server did not accept 1000 connections because Proofpoint Dynamic Reputation determined that the associated IP addresses were sending spam, then this data will be treated as 3000 messages by the Global Message Summary and Global Message Trends reports.

2. Click Update Report Data to load the latest log data from all the Proofpoint Protection agents in the cluster to the master Proofpoint Protection Server. The latest data displays on the System > Summary page.
3. Click Save Changes.

High Volume Reports

The Logs and Reports > Report Settings > High Volume Reports page controls high volume report parameters. The high volume reports require more processing cycles and disk space. You can disable these reports to optimize system processing resources if you do not need report data from these tables. Any report that has the words "top sender," "top recipient," or "top sending hosts" in the description is a high volume report. The tables that contain log data for senders, recipients, and sending hosts are not proportional to the number of messages filtered by the filtering engines. For example, one message can be addressed to 10,000 recipients.

For each report on the High Volume Reports page, select one of the following choices:
- Disable. You will not have access to the data for reporting purposes or data export.
- Enable for log data export only. You will be able to export the log data corresponding to this report but you will not be able to view the reports.
- Enable full reporting. You will be able to export the log data and view or publish reports containing the data.

High Volume Report Data Retention

Make a selection from the Retain High Volume Data For list. The longer you retain high volume data, the higher the risk that the system will run out of disk space. Retaining high volume data also has an impact on the processing speed for report generation. You should experiment with different retention periods and different selections and monitor the disk space carefully if you choose to retain high volume data for reporting purposes.

Viewing Reports

To view the reports that are included with the Proofpoint Protection Server, navigate to the Logs and Reports > Report Viewer page. Select the category of reports that you want to view from the Category drop-down list. To view the detailed report, click the name of the report you want to view or click the time period for the report you want to view.

Note: The minimum granularity for reports is hourly and data is updated once per hour.

For more information about the reports in each category on the Logs and Reports > Report Viewer page, see Reporting Concepts. See Custom Reports for more reporting options.

Custom Reports

Several options are available to customize a report. The report options will vary according to the filtering module that you have installed. For example, the Incident Manager report options for the Regulatory Compliance and Digital Assets modules will only display when you are customizing an Incident Manager report.

Note: You can only generate one report at a time. If the system is busy generating a report, wait until the report is finished before generating a new one.

To create a custom report:
1. Navigate to Logs and Reports > Report Viewer.
2. Click any report name on the Report Viewer page.
3. Click Customize.
4. Under Customize Report, select the module from the Module drop-down list.
5. Select the report you want to create from the Report drop-down list.
6. Under Time Period, make your selections from the Period drop-down list, or select Custom and choose custom selections for the time period.
7. Under Data Options, make your selections for the Report For Route choices. Note: The Report For Route parameter is disabled for the Summary Dashboard report. Select a Policy Route from the list if you want to create a report for a specific Policy Route. If you have an agent running the ICAP service, you can customize a report for a specific protocol by making a selection from the Selected Protocol list.
8. Under Output Format, select the Chart, Table, or both check boxes.
9. Select the appropriate choices under Report Options. The report options will vary with each category of reports. Report options include the following choices:

Data Set or Granularity - select Hourly, Daily, or Monthly. In most cases, bar charts display data sets and line graphs display granularity. Note: If you select Monthly, it means month-to-date. For example, if the date is April 10, and you select Monthly, the data included in the report is from April 1 to April 10.

View Top - enter a value to represent the top-n results for the report. For example, if you enter 10 for a Top Sending Hosts report, data for only the top ten hosts sending the most messages will be included in the report.

Show null value - select the check box if you want the report to include null or missing data. For example, if you create a report for Top Senders and select Show null value, the report will include data for messages that did not include a sender in the Sender message header.

View # of Items - enter a value for the number of data points you want to include in the report.

Rule ID - select the rules for which you want to include data in the report.

Folder Name - select the folders for which you want to include data in the report.

Severity - select the severity level for which you want to include data in the report.

Sort By - make a selection from the choices in the list. Data in the report is sorted by your selection.

Order By - select either Ascending or Descending for the sort order for the data.

10. Click Generate Report or Save Report.

Regulatory Compliance Incident Manager Report Notes

When you create a Regulatory Compliance Incident Manager report and change the View Number of Items field, you are creating a new query. Example:
1. You create a report that contains 500 items. The returned data is initially sorted by date.
2. Now you sort the data by severity; you will see the original 500 items sorted by severity.
3. You now change the number of items to display to 100. The generated report will contain new query results with the first 100 items sorted by date, not the first 100 items from the previous report (with 500 items) already sorted by severity.

Summary Dashboard Report

The Summary Dashboard Report is a special system-level report that displays data from the System > Summary page in chart and table format. It includes the charts that illustrate system level activity on the Server Status tab for the Default view and the tables that display module summary data on the Message Traffic tab. The Summary Dashboard Report is especially beneficial because it provides administrators with a comprehensive report of important Proofpoint Protection Server data and operations. You can customize this report as you would any other report. In addition, you can also configure the Options parameters on the Customize Report page to determine which charts and tables to display.

To view or customize the Summary Dashboard Report:
1. Navigate to Logs and Reports > Report Viewer.
2. Click Summary Dashboard on either the All or System category to display the Summary Dashboard Chart and data.
3. Click Customize to view the Customize Report form. The Options parameters display additional selections that allow you to determine which charts and tables to include in the report.
4. Select Charts and Tables, then select the specific charts and tables you want to include in the report.
5. Click Generate Report to see the results immediately. Then click Save Report if you want to permanently save your changes.

You can also publish, print, or email the Summary Dashboard Report as you would any other report.

Printing and Emailing Reports

You can export the data for a report to a comma-separated value file, print the graph and data for a report, and send the graph and data for a report via email to a recipient. To print or email a report, select the report on the Logs and Reports > Report Viewer page. Click Print or Email on the report page.

Note: If the report does not contain any data, you will not see the Print or Email buttons on the report page.

Saved Reports

You can save custom reports so that you do not have to repeatedly create the same custom settings. You can easily access saved reports from the Logs and Reports > Report Publisher > Saved page. You also have options to edit the saved report or publish the report at scheduled times.

To save a report:
1. Create a custom report as described in Custom Reports.
2. Click Save Report in the Customize Report form of the Report Viewer page. Enter a name and description for the report, and click Add Report.

Publishing Reports

Use the Logs and Reports > Report Publisher > Publish page to publish reports to an internal URL, email reports to other users, and schedule reports to be distributed automatically. The Proofpoint Protection Server publishes reports to a URL so that an external server (such as an intranet) can request specific reports for display. The data is provided in HTML, XML, and text format.

Before you publish a report to a URL or email a report, go to the Logs and Reports > Report Publisher > Saved page to verify the reports are enabled for publishing (check box is selected). Note that you cannot publish to a URL if you have All Reports selected. You can, however, publish All Reports to an email address. Separate several email addresses with a comma (,). Click Publish Reports Now to publish the report or reports.

Viewing the Report Publishing History

The Logs and Reports > Report Publisher > History page displays a complete history of reports that have been emailed or published.

Scheduling Reports for Automatic Distribution

Navigate to the Logs and Reports > Report Publisher > Schedule page to schedule reports for automatic distribution by email and by publishing to a URL. Before you schedule reports for automatic publication, navigate to the Logs and Reports > Report Publisher > Saved tab to verify the reports are enabled for publication.

To schedule reports for automatic distribution:
1. Click the On radio button for the Enable Scheduler parameter. This is the global setting for publishing reports automatically.
2. Select the report you want to publish from the Reports drop-down list. If you select All Reports from the list, the new schedule will override the schedule for individual reports. For example, if you have scheduled reportA to be published on Mondays at 2 P.M., and you select All Reports to be published on Tuesday at 3 P.M., reportA will no longer be published on Mondays at 2 P.M.
3. Make your selections for the Schedule URL Publishing parameters.
4. Make your selections for the Schedule Email Publishing parameters.
5. Enter the email address for the recipient into the To field. Separate multiple recipients with a comma (,).
6. Enter a subject and message into the fields.
7. Select the times to generate and send the report from the Time drop-down list. Click the right-arrow (>>) button to populate the Scheduled Times list.
8. Select Custom, Every Day, or Weekdays Only from the Days drop-down list. If you select Custom, select the boxes for the days you wish to distribute the report.

9. Click Save Changes.

Exporting Raw Log Data

Administrators can export the raw log data from the Proofpoint Protection Server tables to a destination server. The exported data is formatted as a CSV or XML file, and can automatically be scheduled for export by FTP (passive mode only) to a destination server. Once the raw log data is exported, it can be imported to another database or storage area for processing.

To schedule raw log data exports:
1. Navigate to Logs and Reports > Report Publisher > Export.
2. Click the On radio button for Export Enable.
3. For Export Format, click CSV or XML.
4. For Schedule File Push, click On to automatically export the raw log data at scheduled times.
5. In the Export URL field, enter the FTP destination server and directory location for the exported file. For example, ftp://hostname/directory.
6. In the Export URL User ID field, enter the user login for the destination server.
7. In the Export URL Password field, provide the password for the user login on the destination server, and then confirm the password by entering it again in the Export URL Password Retype field.
8. Using the Schedule Time options, create a schedule for the automatic exports to take place.
9. Click Save Changes.

Note: If you enable export on the Logs and Reports > Report Publisher > Export page, and select either CSV or XML for the export format, but leave Schedule File Push disabled, the exported data is periodically written to the ${PROOFPOINT_ROOT}/var/spool/logexport directory.

For a description of the log tables and attributes, refer to the topic "Log Database Schema" in the online manual Proofpoint Protection Server Reference Guide on the Help > Documents page.

Taking Action on a Report

Some of the reports allow administrators to apply an action to the Proofpoint Protection Server based upon the information in the report. This feature allows you to optimize the Proofpoint Protection Server by acting immediately upon reported information. For example, you can add the top spam sending hosts to the Global Blocked Senders List directly from the Top Spam Sending Hosts report.

To block the top spam sending hosts:
1. Navigate to the Logs and Reports > Report Viewer page.
2. Select Spam from the Category drop-down list, then click the Top Spam Sending Hosts link.
3. Click Block Top Spam Hosts.
4. If there are hosts that you do not want to include on the Global Blocked Senders List, clear the check boxes for those hosts in the Blocked Top Spam Hosts pop-up window.
5. Click Block Hosts to add the selected hosts to the Global Blocked Senders List.

Alert Settings

The Retain Events/Alerts For parameter on the Logs and Reports > Alert Settings page controls how long to retain the entries on the Alert List on the Logs and Reports > Alert Viewer page. Select a choice from the drop-down list and then click Save Changes.

Alert Viewer

Each Proofpoint Protection Server maintains log files to capture system alerts. The Logs and Reports > Alert Viewer page provides detailed information for each alert. It also provides a search mechanism so that administrators can find alerts for which they are interested in more information.

The Alert Viewer page contains the following components:
- A search facility that functions like the other search facilities in the product.
- An Alert List that displays system alerts.
- A details pane that displays more information for a selected alert.

Note: To control how long to retain the entries in the Alert List, go to Logs and Reports > Alert Settings and make a selection for the Retain Events/Alerts For parameter.

Searching For Alerts

The Alert List can hold thousands of entries. Use the search form to display alerts of interest to you. You can search by the following criteria: alert identification, level, age, and alert source (the source is the appliance or Proofpoint Protection Server that generated the alert). You can use more than one search criterion at a time. You can choose how to display the search results in the Alert List: sort by date, alert level, alert ID, or alert source, in ascending or descending order, and control the number of alerts to display on a page. If you want to start a different search, click Reset, and then click Search to display all of the entries on the Alert List.

Note: You can click the up-arrow and down-arrow icons in the column headings to sort the alerts in ascending or descending order.

Viewing Alert Details

To view the details for an alert, select the alert in the Alert List. An alert detail pane displays more information for the alert:

Label - Value
Date - Timestamp for the alert.
Level - The syslog error level.
Alert ID - An internal identification number.
Description - A description for the alert.
Rawlog - The text from the raw log file that corresponds to the alert.
Category - The component that generated the log entry.
Title - The name of the corresponding alert triggered by the alert.

The filter icon in the label column narrows down the content displayed in the Alert List. For example, if you click the filter icon for the Source label for a specific agent in the cluster, the Alert List displays only the alerts for that particular agent. If you click the filter icon for a Level of type warn, the Alert List displays only the alerts for the Level warn (warning). To reset the display to show all of the alerts, select All in the search fields and click Search.

Downloading Alert Viewer Data

You can download and save the data in the Alert Viewer table in CSV or XML file format. Click the Options menu and select either Download Alerts (CSV) or Download Alerts (XML). You will be prompted to either open or save the file.
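The Alert Viewer search (by alert ID, level, age and source), the column sorting and the paging described above can be reproduced offline over a downloaded CSV, for example to hand a filtered alert set to a ticketing or SIEM pipeline. This is an added example, not code from the Proofpoint guide or product; it assumes CSV column names matching the detail-pane labels plus Source (the real export layout may differ), and the alert rows and the "current time" are constructed.

```python
"""Offline search, sort and paging over an Alert Viewer CSV download.

Added example, not Proofpoint code. Assumptions: column names follow the
alert detail-pane labels plus "Source"; rows and NOW are constructed.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export, not real Proofpoint output.
SAMPLE_CSV = """Date,Level,Alert ID,Source,Category,Title,Description,Rawlog
2012-02-10 08:15:02,warn,1001,agent1,filter,Queue backlog,Quarantine queue growing,"Feb 10 08:15:02 agent1 filter: queue depth 400"
2012-02-10 09:00:41,err,1002,master,qconsolidator,Consolidator failure,Unable to reach master,"Feb 10 09:00:41 master qconsolidator: soap timeout"
2012-02-09 23:50:00,info,1003,agent2,mta,Service restart,MTA restarted,"Feb 09 23:50:00 agent2 mta: restart"
2012-02-10 09:30:12,warn,1004,agent2,filter,Disk space,Quarantine disk 90% full,"Feb 10 09:30:12 agent2 filter: disk 90% full"
"""

# Constructed "current time" so that age-based searches are reproducible.
NOW = datetime(2012, 2, 10, 10, 0, 0)

# syslog severities, most severe first; used when sorting by level.
LEVEL_RANK = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "warn": 4, "notice": 5, "info": 6, "debug": 7}


def parse_alerts(text):
    """Read a downloaded CSV into dicts with a typed Date and Alert ID."""
    alerts = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Date"] = datetime.strptime(row["Date"], "%Y-%m-%d %H:%M:%S")
        row["Alert ID"] = int(row["Alert ID"])
        alerts.append(row)
    return alerts


def search_alerts(alerts, now=NOW, level=None, max_age_hours=None,
                  source=None, alert_id=None):
    """Mirror the Alert Viewer search form: every criterion given must match."""
    hits = []
    for a in alerts:
        if level is not None and a["Level"] != level:
            continue
        if source is not None and a["Source"] != source:
            continue
        if alert_id is not None and a["Alert ID"] != alert_id:
            continue
        if max_age_hours is not None and now - a["Date"] > timedelta(hours=max_age_hours):
            continue
        hits.append(a)
    return hits


# Sort keys matching the Alert List column headers.
SORT_KEYS = {
    "date": lambda a: a["Date"],
    "level": lambda a: LEVEL_RANK.get(a["Level"], len(LEVEL_RANK)),
    "id": lambda a: a["Alert ID"],
    "source": lambda a: a["Source"],
}


def sort_alerts(alerts, key="date", descending=True):
    """Sort like the column-heading arrows; ties keep file order (stable sort)."""
    return sorted(alerts, key=SORT_KEYS[key], reverse=descending)


def page(alerts, per_page, page_number):
    """Return one page of results, pages numbered from 1."""
    start = (page_number - 1) * per_page
    return alerts[start:start + per_page]


def alert_ids(alerts):
    """Convenience view of a result set, in order."""
    return [a["Alert ID"] for a in alerts]


if __name__ == "__main__":
    data = parse_alerts(SAMPLE_CSV)
    # Warnings raised in the last two hours, newest first, as the viewer would list them.
    for a in sort_alerts(search_alerts(data, level="warn", max_age_hours=2), "date"):
        print(a["Date"], a["Level"], a["Alert ID"], a["Source"], a["Title"])
```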


Chapter 7 - Quarantine

About the Quarantine

The Quarantine is an area where copies of messages that triggered rules can be stored for further review. The messages are stored in a database on the Proofpoint Protection Server and are accessible through the management interface. Administrators can create Quarantine Folders to further organize messages in the Quarantine. For example, you can create separate folders for messages sent to the Quarantine that contain adult content, are infected with a virus, or trigger an Email Firewall rule.

Use the links under Quarantine in the navigation pane to configure the Quarantine and manage the messages in the Quarantine. For information about the management tasks for the Quarantine, see Viewing and Managing Messages.

The Quarantine interface is optimized for quickly finding specific messages through a powerful search mechanism and finding predefined groups of messages using queries you can create and save (for example, messages with a virus in the last 24 hours).

To ensure that the server always has enough space to quarantine messages:
- Allocate plenty of disk space for the Quarantine.
- Take disk space limits into consideration when creating rules that send copies of messages to the Quarantine.
- Be aware of the expiration period for messages in the Quarantine. When messages expire, they are removed from the Quarantine, freeing up space.
- The System > Summary > Server Status page displays how much disk space is available on the Proofpoint Protection Server - be sure to check it frequently.

When several Proofpoint Protection Servers are deployed in a cluster, each agent system maintains a local Quarantine Queue and a Quarantine Consolidator. The Quarantine Consolidator is a program that transfers the messages from each Quarantine Queue to the master Proofpoint Protection Server Quarantine or, if you have designated an agent as a Quarantine Node, to the Quarantine Node. When you view and manage the messages in the Quarantine, you are managing a consolidated repository of all of the messages from all of the systems in the cluster. If for any reason the master Proofpoint Protection Server is temporarily off-line, the agent systems continue to populate their local Quarantine Queues until the master Proofpoint Protection Server is back on-line. At that point the messages are transferred from the agents to the master Proofpoint Protection Server Quarantine.

Related Topics: See Introduction to Quarantine Folders for an overview of how to use folders to organize messages in the Quarantine.

About Message Reporting

Once a message is reported to the Proofpoint Protection Server, either from an end user or an administrator, the message follows the same path:
- The Proofpoint Protection Server looks up the message in the Quarantine.
- The Proofpoint Protection Server forwards the message using SOAP/HTTPS to Proofpoint. (If an administrator reports a message from the Quarantine, the message also includes meta information provided by the administrator in the Report Message pop-up window.)
- Proofpoint processes and analyzes the message. The data the engineers gather from reported messages is used to train the MLX engine which is included with each spam update.

Related Topics
See Administrators Reporting False Negatives and Positives for information about message reporting from the Quarantine.
See Users Reporting False Negatives and Positives for information about message reporting from end user Digests.

Quarantine General Settings

Use the Quarantine > Settings > General page to set preferences for releasing, deleting, and searching for messages in the Quarantine, and for setting timestamp preferences. To configure general Quarantine settings, make selections or enter data for the following parameters, and then save your changes.

Release Subject Prefix - this is the text that appears by default in the subject header of the message when the user or administrator releases a message from the Quarantine. Enter the text you want to display in this field.

Confirm Delete - On is selected by default. A message box prompts the administrator before deleting messages. When you delete a message from any folder, you can save a copy of the message in the Deleted Folder.

Confirm Release - On is selected by default. A message box prompts the administrator before releasing messages from the Quarantine.

Enable Fast Query By Default - On is selected by default, which significantly increases the speed of the query. Fast Query is a global setting and can be temporarily disabled. When Fast Query is enabled, the message count is not available (for example, Messages 41-60), and the Last Page / Last Message button is not available. To temporarily disable the Fast Query feature, clear the Fast Query check box in the Messages form on the Quarantine Messages page. If you clear the Fast Query check box, you will see a message warning you that the query will slow down considerably.

Enable Resubmit Messages - if you select On, the Quarantine displays a Resubmit button. This feature allows the administrator to re-submit selected messages to the Proofpoint Protection Server for filtering. This feature is useful, for example, if you have messages in the Quarantine that are probablespam and you have since updated the Spam MLX Definitions and Spam MLX Engine; you may want to re-submit the messages for filtering with the updated Spam Detection Module. The reinject SMTP profile is used for re-submitting or re-injecting messages back into the filtering process.

Keep Messages Selected - when you select a message in the Quarantine and apply an action, such as Redirect, the selection check box is cleared for that message. If you want to maintain the selection for a message, click the On radio button for the Keep Messages Selected parameter.

Show Date/Time in Desktop Time - when viewing the messages in the Quarantine, the timestamp for each message displays in the Date column. This is the date and time that a copy of the message was placed in the Quarantine. By default, the timestamp reflects the time on the Proofpoint Protection Server to which the management interface is connected. For example, if you start a browser on your local system and connect the management interface to a Proofpoint Protection Server in another time zone, the timestamp reflects the time in that zone, not your local time zone. By default, if the timestamp for the message reflects the current day, only the time displays and not the current date (month, day, and year).

Always Show Time With Date - click the On radio button for this parameter if you want the timestamps to always display the day, month, and year along with the time.

Enabling and Disabling Message Reporting

Enable message reporting on the Quarantine > Settings > Spam Reporting page. When enabled, a Report choice is added to the Options menu on the Quarantine Message list. Administrators can then select messages in the Quarantine to report as false positives or false negatives to the Proofpoint anti-spam laboratory for analysis.

The Enable Message Reporting parameter sends the message header and telemetry information to Proofpoint. The Include Message By Default parameter sends the entire message, including the message header and telemetry information, to Proofpoint. The telemetry information includes which rules were triggered and what caused the trigger. Each reported message is tracked with an ID number. You can view the ID numbers by selecting the Reference ID field when you configure the Quarantine layout.

Important: You must activate the Proofpoint Protection Server before you can use this feature.

See Enabling and Providing Commands to the End Users in "End User Services" for information about allowing end users to report false negatives and false positives from their Digests.

Handling Quarantine and User Repository Errors

If you have temporarily disabled the Quarantine, you need to determine how to handle messages that have been filtered and are destined for the folders in the Quarantine.
Since the Quarantine repository cannot accept messages when it is down, you can configure a rule to apply a disposition to messages that would otherwise go into the Quarantine. Configure these settings on the Quarantine > Settings > Error page.

The Quarantine Repository Error rule is configured to Reject messages that cannot be placed in the Quarantine. You can edit the rule by clicking the Edit Rule button and changing the delivery method and delivery options.

The User Repository Error rule is configured to Reject messages when the User Repository is temporarily disabled. You can edit the rule by clicking the Edit Rule button and changing the delivery methods and delivery options.

Important: If you change the Delivery Method to Continue for the Quarantine Repository Error rule, be aware that you may be passing messages to your infrastructure that contain a virus, spam, or inappropriate content. These messages would typically be quarantined.

Queue Consolidation

When you have a cluster of a master server and agents, the agents use a program called the Quarantine Consolidator to transfer the messages stored locally in their Quarantine Queue to the master Proofpoint Protection Server. The Quarantine Consolidator program uses the SOAP protocol to maximize transfer rates between the master and the agents. Change Quarantine Queue Consolidator settings on the Quarantine > Settings > Consolidation page.

To change the default SOAP protocol settings:
1. The Quarantine Consolidator is enabled by default. If you need to temporarily disable it, click the Off radio button for the Enable parameter. For example, you might disable the Quarantine Consolidator if you need to troubleshoot or repair the database on the master Proofpoint Protection Server.
2. The Hostname field displays the name of the master Proofpoint Protection Server. By default, the agents transfer their messages to the master.
3. If applicable, enter new values into the Timeout, Maximum Messages, Block Size, and Maximum Block Length fields.

4. Click Save Changes. Click the Default button to restore the default values.

Creating Message Templates

You can create message templates on the Quarantine > Settings > Templates page to use when you redirect messages in a Quarantine folder to another recipient. The templates save you time by automatically replacing predefined variables with the appropriate information. When you redirect a quarantined message, you can select a template from the list instead of entering text into the Redirect Message pop-up window.

To create a message template:
1. Click the New link to create a message template.
2. Enter a name for the template into the Quarantine Templates field. For example, VirusMessage.
3. Click in the text field, and type the message. You can insert variables from the Template Variables list by clicking the variable. For example:
   This message from ${OriginalSender} went into quarantine on ${InsertionDate} because it contained ${VirusName}.
   Note: If you are using Chrome or Firefox browsers, you cannot insert variables by clicking them. You must copy and paste them or enter them manually into the text box.
4. Click the Save link to save the new template.

Note: When you point to a variable, a tool tip displays. See Using Variables in Rules in "Rules and Delivery Dispositions" for a description of each variable.

When you redirect a message in the Quarantine, your template appears on the Comments drop-down list of the Redirect Message pop-up window.

Setting Layout Defaults

Use the Quarantine > Settings > Layout page to control the number of messages and which columns and fields to display in the Message List on the Quarantine > Messages page. These are default parameters, and can be overridden during a search query. Each time you click Reset and Search when searching for messages, the number of messages displayed in the list and the fields displayed will default to the settings you make on the Quarantine > Settings > Layout page.

To configure the default layout and which columns to display:
1. Select a number from the Results Per Page drop-down list.
2. For Wrap Recipient Column, click the On button if you want the entire recipient address to display (wrap) on the Message List. Note: The Wrap Recipient Column parameter is designed to wrap multiple recipient addresses, not to wrap one long recipient address.
3. Using the right-arrow (>>) button, select the fields you want to display from the Available Fields list and move them into the Show These Fields In This Order list.
4. Using the up and down arrow buttons, arrange the order of the fields in the Show These Fields In This Order list. Note: If you are changing the status and adding comments to messages in the Quarantine, be sure to select Comments, Status, and Status (Icon) to display on the Message list. See Changing Status and Adding Comments to Messages for more information.
5. Click Save Changes. To restore the fields to their default settings, click Default.

Note: Any fields that you use in a query are automatically added to the Message List display whether you specify them or not.

149 Chapter 7 - Quarantine

Introduction to Quarantine Folders

The Quarantine Folders feature allows administrators to organize the messages in the Quarantine into specific folders. Each folder has its own properties: a name, folder disposition settings, message expiration mode, whether or not to expose the messages in the folder in the End User Digests, and whether or not to allow Smart Send. System folders cannot be deleted - you can only delete folders that you create. Copies of messages are automatically placed in the Quarantine folder if you do not select a specific folder for those messages.

Important: If your organization is enforcing Folder Access Control, you may not be able to view or manage all of the folders in the Quarantine. See About Administration Privileges and Folder Access Control in Adding and Deleting Administrators for more information.

Administrators have the ability to encrypt the contents of a Quarantine folder for PCI security compliance. An encrypted folder displays a lock icon in the management interface. See Encrypting Folder Content for more information.

You can complete the following tasks from the Quarantine > Folders page:

- Create a folder.
- Change folder settings.
- View the messages in a folder.

When you delete messages manually, you have the option of keeping a copy in the Deleted folder or permanently deleting them from the currently selected folder.

The Audit folder stores copies of messages when administrators select Include in Audit folder as a delivery option for messages that trigger a rule. Administrators can select Include in Audit folder as a delivery option for any rule in any module. One example of using the Audit folder is storing copies of messages that are classified as notspam by the Spam Detection Module. Administrators can configure the Proofpoint Protection Server to include the contents of the Audit folder in End User Digests, and allow end users to report false negatives to Proofpoint.
When administrators create rules to send messages to the Quarantine, they specify a unique folder in which to place copies of the messages. For example, an administrator can create a spam policy for users who are on vacation. All messages containing spam for those users can be stored in a folder named Vacation that has a three-month expiration period. Users going on vacation can request or select the Vacation spam policy to handle their spam messages until they return.

Administrators can create message filtering policies and rules that send copies of messages to specific folders in the Quarantine. For example, you can create a rule in the Firewall Module that sends copies of messages containing words from a dictionary that you create to a Quarantine folder first, giving the administrator an opportunity to review the messages as a precaution before releasing them to the recipients.

Note: Administrators can send copies of messages to any folder when creating a rule in any module. For example, you can create a rule in the Firewall Module that stores copies of messages in the Zerohour folder (which does not make sense). It is good practice to select folders that correspond to the particular filtering module when you create rules that store copies of messages in a Quarantine folder.

Related Topics:
- See About the Quarantine for an introduction to Quarantine concepts.
- See Users Reporting False Negatives and Positives in "End User Services" for information on allowing end users to report false negatives and positives from their Digests.

Folders and Message Expiration

Every message that is sent to the Quarantine receives a timestamp. This timestamp is used for search queries and, more importantly, to manage expiration criteria. The Proofpoint Protection Server runs an expiration process periodically (internally named qexpire) that acts upon messages in a Quarantine folder according to the folder configuration and the age of the message.
Administrators can use any of these methods to manage messages in a Quarantine folder:

- Delete messages manually in a folder by selecting them in the Message List on the Quarantine > Messages page and clicking Delete. When you delete messages by this method, you are prompted to make one of the following choices:
  - Save a copy of the deleted messages in the Deleted folder.
  - Permanently delete the messages from the current folder.
- Act upon messages in a Quarantine folder (apply a disposition) once messages in the folder reach a certain age. You have these choices for the action to take when a message in the folder reaches a certain age:
  - Delete the message from the folder.
  - Store the message in the folder for a period of time, and then resubmit it to all the filtering engines or resubmit it only to the Virus Protection Module. Your organization must be licensed for the Virus Protection Module to filter messages for viruses.
  - If you have the optional Zero-Hour Anti-Virus Module, you can store the message in the folder and wait for new anti-virus signature files in a specific time period, or wait for a maximum time period. Messages with this disposition are resubmitted to the filtering engines at the next process time or are delayed by hours, days, or months before being resubmitted to the filtering engines.
  - Store the message in the folder for a period of time and wait for new MLX spam definitions to be distributed. Resubmit the message to the Spam Detection Module for scanning.

Folder Disposition Parameters

A folder disposition defines the action to take when messages in the folder reach a certain age:

- Store Messages - messages are stored in the folder for a specific period of time, and then permanently deleted from the Quarantine. If you select this choice, enter a value into the field and select a period from the Messages expired after drop-down list. If you choose the Store Messages disposition, messages are automatically deleted from the folder when they reach the age of the expiration period.
- Delay Delivery - messages are stored in the folder for a specific period of time, and then they are either resubmitted to all of the filtering modules for filtering (Resubmit), or resubmitted only to the Virus Protection Module for filtering before releasing (Release With AV Scan). If no rules are triggered, the message is delivered to the original recipient or recipients. If you choose this disposition, make the following selections:
  - Delay delivery for. Enter a value into the field and select a period from the drop-down list. This is how long the messages will be stored in the folder.
  - Action after delay. Make a selection from the drop-down list. Select Resubmit to resubmit the messages to all of the filtering modules. Select Release With AV Scan to resubmit the messages in the folder to only the Virus Protection Module for scanning. Release With AV Scan is the recommended choice, since in rare instances the Resubmit choice can result in messages remaining in a temporary mail loop before being released. Select Release Encrypted to encrypt the messages in the folder before releasing. This choice appears only if you are licensed for Proofpoint Encryption.
- Delay Messages and Wait for AV Updates - if you have the optional Zero-Hour Anti-Virus Module, the messages are stored in a folder for a specified maximum period of time. After a specified number of antivirus signature updates and a minimum period of time, the messages are resubmitted to all of the modules for filtering. If no rules are triggered, the messages are delivered to the original recipient or recipients. If you choose this disposition, make the following selections:
  - Wait for this number of AV signature updates. Make a selection from the drop-down list. This is the number of virus signature updates you require from the Proofpoint Attack Response Center before resubmitting the messages for filtering again.
  - AND wait for at least this time period. Enter a value into the field and make a selection from the drop-down list. This is how long you want the messages to remain in the folder while counting the specified number of virus signature updates from Proofpoint.
  - Wait a maximum of this time period. Enter a value in the field and make a selection from the drop-down list. This is the maximum time period to store messages in the folder. If you do not receive the specified number of virus signature updates in the specified wait period, the messages in the folder are resubmitted for filtering according to this time period. If you select No Maximum, as soon as the specified number of updates is received, the message is resubmitted for filtering at the next expiration process time (qexpire).
- Delay Messages and Wait for Spam Updates - the messages are stored in a folder for a specified maximum period of time. After a specified number of spam MLX definition updates and a minimum period of time, the messages are resubmitted to all of the modules for filtering. If no rules are triggered, the messages are delivered to the original recipient or recipients. If you choose this disposition, make the following selections:
  - Wait for this number of spam definition updates. Make a selection from the drop-down list. This is the number of spam MLX definition updates you require from Proofpoint before resubmitting the messages for filtering again.
  - AND wait for at least this time period. Enter a value into the field and make a selection from the drop-down list. This is how long you want the messages to remain in the folder while counting the specified number of spam definition updates from Proofpoint.
  - Wait a maximum of this time period. Enter a value in the field and make a selection from the drop-down list. This is the maximum time period to store messages in the folder. If you do not receive the specified number of spam definition updates in the specified wait period, the messages in the folder are resubmitted for filtering according to this time period. If you select No Maximum, as soon as the specified number of spam definition updates is received, the message is resubmitted for filtering at the next expiration process time (qexpire).

Disabling Release and Resubmit

Administrators can disable the Release and Resubmit links for messages in a Quarantine folder. This feature is enabled by default. For example, to prevent anyone from accidentally releasing messages from a Quarantine folder, the administrator can move these messages into a folder that has disabled Release and Resubmit links.

Advanced Expiration Modes

Quarantine folders provide these choices for message expiration modes:

- Expire by Message - messages in a folder are tracked by timestamps and deleted individually when they reach the folder expiration setting.
- Expire by Table - messages in a folder are tracked by timestamps aggregated into tables. Administrators configure the maximum number of messages that can populate a table; the default is one million and the minimum number of messages allowed in a table is 100,000.
There are two methods by which a new table is created in a folder:

- When a table is full, another table is automatically created to hold the next set of messages.
- When the difference between the timestamp for the first message and the last message inserted in a table equals the folder expiration setting, a new table is created to hold the next set of messages even if the table is not full. This method prevents messages that have expired from being stored in a table indefinitely simply because the table is not full.

There is no limit to the number of tables a folder can hold. When the last message in a table reaches its expiration date according to the folder expiration settings, all the messages in the table are deleted at once. If you are managing millions of messages in the Quarantine, the Expire by Table setting optimizes Quarantine management and Digest generation.

Note: You can view the expiration mode for the messages in a folder by pointing to the entry in the Expiration column for the folder on the Quarantine > Folders page.

If you use Expire by Table as the message expiration setting, use the following guidelines to decide how many messages per table to allow:

- Determine how many messages a day the Proofpoint Protection Server is processing for your organization. Multiply this number by 2, 3, or 4 to populate a table. For example, if your organization receives 1,000,000 messages per day, the maximum messages per table should be 2, 3, or 4 million.
- Check the logs to determine how many Update Digests are sent to the user community, and how many messages are processed for Update Digests. When the Proofpoint Protection Server generates an Update Digest for the user community, it does so more efficiently if it only has to process the data in the last table in a Quarantine folder.
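The two table-creation rules above, the whole-table deletion that qexpire performs, and the same-timestamp behaviour noted under Creating a Folder (a table can end up slightly over its configured maximum) can be followed in a small model. The following Python is an added example written for this guide's explanation; it is not Proofpoint code and does not touch the Quarantine database. The class and method names, the use of seconds for the expiration period, the constructed GUIDs and timestamps, and the choice to test the time-span rule against the incoming message's timestamp are all assumptions. The model also shows the Maximum Age = Auto search restriction to the newest table described under Searching for Messages by Age in a Specific Folder.

```python
# Added example (not Proofpoint code): a model of an Expire by Table folder.
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class Message:
    guid: str   # constructed identifier
    ts: int     # insertion timestamp; seconds here (an assumption)


@dataclass
class Table:
    messages: List[Message] = field(default_factory=list)

    def first_ts(self) -> int:
        return self.messages[0].ts

    def last_ts(self) -> int:
        return self.messages[-1].ts


class ExpireByTableFolder:
    """Quarantine folder whose messages are grouped into tables that expire as a unit."""

    def __init__(self, max_per_table: int, expire_after: int) -> None:
        self.max_per_table = max_per_table   # "Maximum Messages" per table
        self.expire_after = expire_after     # "Messages expired after", in seconds
        self.tables: List[Table] = [Table()]

    def insert(self, msg: Message) -> int:
        """Insert in timestamp order; returns the index of the table used."""
        cur = self.tables[-1]
        if cur.messages:
            # Rule 1: the table is full. Messages sharing the timestamp of the
            # last message still go into the full table, which is why a table
            # can hold slightly more than its configured maximum.
            full = len(cur.messages) >= self.max_per_table
            same_ts = msg.ts == cur.last_ts()
            # Rule 2: the table already spans the folder expiration period, so a
            # new table is opened even though it is not full. (Assumption: the
            # span is measured against the incoming message's timestamp.)
            spans_period = msg.ts - cur.first_ts() >= self.expire_after
            if (full and not same_ts) or spans_period:
                cur = Table()
                self.tables.append(cur)
        cur.messages.append(msg)
        return len(self.tables) - 1

    def qexpire(self, now: int) -> int:
        """One expiration pass: every table whose last message has reached the
        folder expiration age is dropped whole. Returns the number of messages deleted."""
        deleted = 0
        kept: List[Table] = []
        for table in self.tables:
            if table.messages and now - table.last_ts() >= self.expire_after:
                deleted += len(table.messages)
            else:
                kept.append(table)
        self.tables = kept or [Table()]
        return deleted

    def search(self, maximum_age_auto: bool = True) -> List[str]:
        """Maximum Age = Auto looks only at the newest table; All looks at every table."""
        scope = self.tables[-1:] if maximum_age_auto else self.tables
        return [m.guid for table in scope for m in table.messages]

    def table_sizes(self) -> List[int]:
        return [len(t.messages) for t in self.tables]


# Constructed timeline: a tiny folder with 3 messages per table and a
# 100-second expiration period, so both table-creation rules fire.
SAMPLE = [("m1", 0), ("m2", 10), ("m3", 20), ("m4", 20), ("m5", 30), ("m6", 40), ("m7", 140)]


def build_sample_folder() -> ExpireByTableFolder:
    folder = ExpireByTableFolder(max_per_table=3, expire_after=100)
    for guid, ts in SAMPLE:
        folder.insert(Message(guid, ts))
    return folder


if __name__ == "__main__":
    f = build_sample_folder()
    print("tables:", f.table_sizes())              # [4, 2, 1]: m4 shares m3's timestamp
    print("Auto search:", f.search())              # only the newest table
    print("deleted by qexpire:", f.qexpire(now=125), "->", f.table_sizes())
```

In the constructed run, m4 lands in an already-full table because it shares m3's timestamp, m7 opens a third table because the second table's span has reached the expiration period even though it holds only two messages, and the first expiration pass removes the oldest table in one step while leaving the other two untouched.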
Keeping Messages Indefinitely

To keep messages in the Quarantine indefinitely, create a folder, select Store Messages, set the folder's Messages expired after disposition to Never, and move messages that you want to keep indefinitely into the folder.
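The two "wait for updates" dispositions described under Folder Disposition Parameters above combine three settings: a required number of updates, a minimum wait, and a maximum wait (or No Maximum). The decision the expiration process has to make for each message is easy to get wrong at the boundaries, so here it is as an added Python model written for this guide; it is not Proofpoint code and does not reflect how qexpire is implemented. The function and field names, the use of seconds for the time periods, and the constructed update and insertion timestamps are all assumptions.

```python
# Added example (not Proofpoint code): the per-message decision behind the
# "Delay Messages and Wait for AV Updates" / "Wait for Spam Updates" dispositions.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class WaitForUpdatesDisposition:
    updates_required: int       # "Wait for this number of ... updates"
    min_wait: int               # "AND wait for at least this time period" (seconds here)
    max_wait: Optional[int]     # "Wait a maximum of this time period"; None means No Maximum


def updates_since(inserted_at: int, update_times: List[int], now: int) -> int:
    """Number of signature/definition updates received after the message was
    quarantined and no later than the current expiration pass."""
    return sum(1 for t in update_times if inserted_at < t <= now)


def decide(disp: WaitForUpdatesDisposition, inserted_at: int,
           update_times: List[int], now: int) -> str:
    """Return what this qexpire pass does with one message:
    'resubmit:updates'  - enough updates arrived AND the minimum wait has passed
    'resubmit:max_wait' - the maximum wait expired without enough updates
    'hold'              - keep the message in the folder for now"""
    age = now - inserted_at
    if age >= disp.min_wait and updates_since(inserted_at, update_times, now) >= disp.updates_required:
        return "resubmit:updates"
    if disp.max_wait is not None and age >= disp.max_wait:
        return "resubmit:max_wait"
    # With No Maximum the message simply waits for the updates to arrive.
    return "hold"


def qexpire_pass(disp: WaitForUpdatesDisposition, folder: Dict[str, int],
                 update_times: List[int], now: int) -> Dict[str, str]:
    """Apply the decision to every message in a folder (guid -> insertion time)."""
    return {guid: decide(disp, inserted_at, update_times, now)
            for guid, inserted_at in folder.items()}


# Constructed settings: require 2 updates, wait at least 1 hour, at most 1 day.
DISPOSITION = WaitForUpdatesDisposition(updates_required=2, min_wait=3600, max_wait=86400)
UPDATE_TIMES = [1000, 5000, 9000]            # constructed update arrival times
FOLDER = {"msgA": 0, "msgB": 4500}           # constructed guid -> insertion time

if __name__ == "__main__":
    for now in (4000, 5000, 9000):
        print(now, qexpire_pass(DISPOSITION, FOLDER, UPDATE_TIMES, now))
```

The constructed run shows the boundary that matters operationally: msgB is held at time 5000 even though a second update has just arrived, because its own minimum wait has not elapsed, and a message under a No Maximum folder is never released by age alone.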

Encrypting Folder Content

Administrators can encrypt the contents of a Quarantine folder by enabling encryption on the Advanced tab of the folder settings. The folder must be empty before you can enable encryption, so if you want to change the setting for an existing folder from "not encrypted" to "encrypted", you must wait until all of the messages in the folder are deleted from the folder. To the administrator, there is no difference between viewing messages in an encrypted or unencrypted folder. The views are the same.

Folder encryption protects the database in the case where someone copies the Quarantine database to another server and attempts to view the contents using another tool. The messages in the database are encrypted and cannot be deciphered.

The following list describes details for the folder encryption feature:

- You can enable the encryption feature on individual folders that are empty.
- A lock icon displays next to the encrypted folders on the Quarantine > Folders page.
- If a folder setting is originally "not encrypted," and messages are added to it, you cannot change the folder to "encrypted" later. You can only set a folder to "encrypted" before messages are added to it, or after all of the messages are deleted from the folder.
- If you move a message from an encrypted folder to a "not encrypted" folder, the message remains encrypted.
- If you move a message from a "not encrypted" folder to an encrypted folder, the message becomes encrypted.
- When you back up or restore the Proofpoint Protection Server, the folder encryption is preserved.

System Folders

Proofpoint provides several system folders to help administrators organize messages in the Quarantine. When you create a rule that stores a copy of a message in the Quarantine, you have the option of storing the message in one of the supplied system folders, or any other folder that you create.
When you create a rule, you can store messages that triggered the rule in any folder whatsoever. For example, you can create a rule in the Spam Detection Module and select the Probable Virus folder for storing the messages. When you create a rule in a module, it is good practice to select a Quarantine folder that is logical for the module.

The Proofpoint Protection Server ships with these default system folders:

- Adult - this folder stores messages that were categorized as Adult Spam, which typically means pornographic content.
- Audit - this folder stores copies of messages that have been classified as notspam by the rules in the Spam Detection Module.
- Blocked - this folder stores copies of messages from senders on the global Blocked Senders List.
- Bounce Management - this folder stores copies of messages from rules that triggered in the Firewall Bounce Management module.
- Bulk - this folder stores copies of messages that have been classified as Bulk by the Spam Detection Module.
- Deleted - copies of messages that are deleted manually from any other folder are placed in this folder. When you select and delete messages from the Deleted folder, the messages are permanently removed from the system.
- Suspected Spam - copies of messages that have been classified as Suspected Spam by the Spam Detection Module are stored in this folder. The messages are resubmitted for filtering after new updated spam definitions are available, according to the Suspected Spam disposition settings.
- Probable Virus - this folder stores copies of messages that were caught by the Zero-Hour Anti-Virus Module, and then resubmitted to the Virus Protection Module for scanning. Messages in this folder cannot be verified as containing a virus.
- Quarantine - this is the global folder. If you do not create any other folders, or if you do not specify a folder when you create a rule, all messages destined for the Quarantine are stored in the Quarantine folder.
- Smart Send - this folder stores messages that triggered rules enabled for Smart Send. Users can release or delete messages from this folder without administrator help.
- Smart Send Released - when users release messages from the Smart Send folder, they are placed in this folder by default. Administrators can select a different folder for released messages if they so desire.
- Virus - this folder stores messages that triggered rules in the Virus Protection Module.
- Zerohour - this folder stores messages with a high or medium risk of containing a virus detected by the optional Zero-Hour Anti-Virus Module.

Important: Placing copies of messages in the Audit folder does not automatically enable auditing messages for false negatives. See Users Reporting False Negatives and Positives for information on enabling auditing for end users from their Digests.

System folders are indicated with a system icon and cannot be deleted. Folders created by administrators are indicated by a person icon. Administrators can delete folders that they created. When administrators create new folders they can control whether or not to expose the contents of the folders to users when they receive their Digests. When the contents of a folder can be exposed to users, a dot displays under the digest icon column in the list of folders. See Controlling Digest Content with Folders in "End User Services" for more information.

Related Topics:
- See Introduction to Quarantine Folders for an overview of Quarantine folder concepts.
- See Creating a Folder for more details about folder properties.

Creating a Folder

There is no limit to the number of folders you can create. The purpose of a folder is to store messages that trigger specific rules in a specific folder in the Quarantine. Typically, administrators create the folder with a specific rule in mind, and then create the rules that send the messages to the folder.

To create a Quarantine folder:

1. Navigate to the Quarantine > Folders page and click Add.
2. In the Add Folder pop-up window, enter a name for the folder on the Folder tab.
3. Click the Disposition tab. For more details on folder expiration dispositions, see Folders and Message Expiration.
4. Select a disposition for the messages in the folder:
   - Store Messages.
   - Delay Delivery.
   - Delay Delivery and Wait for AV Updates (Zero-Hour Module only).
   - Delay Delivery and Wait for Spam Updates.
5. If you want to disable the release and resubmit operations for messages in the folder, select Off for the Enable Release and Resubmit Operations parameter.
6. Click the Services tab.
   - Select Off for Include in Digest if you do not want messages in the folder to be available to users in the Digest. Selecting On does not automatically include the messages in the folder in End User Digests. See Controlling Digest Content with Folders in "End User Services" for information on how to include the contents of the folder in End User Digests. This parameter is not available for the Deleted and Audit folders.
   - Select On for Allow Smart Send if messages in the folder can be released by users without administrator intervention. When released, the message is scanned by the Virus Protection Module and delivered to the user. A copy of the message is stored by default in the Smart Send Released folder, or another folder you select from the list.
7. Click the Alerts tab. If an unusual number of messages are suddenly sent to a Quarantine folder, this feature triggers an alert. This tab controls whether or not to send an alert when the number of messages injected into a folder in a specified time period exceeds the threshold.
   - Enable Injection Alerts. Select On if you want to enable this feature.
   - Time Period. Enter a value for the duration in minutes. This is the time period for tracking the number of messages injected into the folder.
   - Number of Messages. Enter a value into the field for the number of messages injected into the Quarantine folder during the time period that you entered.
   See About Alerts in "Proofpoint Protection Server" for instructions on how to configure alerts for folder injection thresholds.
8. Click the Advanced tab.
9. Select On for the Encryption parameter if you want the folder content to be encrypted. (The folder must be empty to enable encryption - see Encrypting Folder Content for more information.)
10. Make a selection from the Expiration Mode drop-down list:
    - Expire by Message - the disposition is applied to messages in the folder individually as each message ages according to its timestamp.
    - Expire by Table - the messages in the folder are maintained in tables. As the last message in a table ages according to its timestamp, the disposition is applied to the entire table of messages. See Folders and Message Expiration for more information.
11. If you select Expire by Table, click Advanced to determine how many messages per table you want to maintain in the folder.
12. Enter a number, in millions, in the Maximum Messages field. When a table in the folder reaches this capacity, a new table is created in the folder to store incoming messages.
13. Click Add Entry to save the folder settings.

Note: Messages are tracked by the timestamp of insertion into a Quarantine folder. If several messages are inserted into a table with the same timestamp, and the table has almost reached its capacity, messages with the same timestamp will still be placed in the same table instead of a new table. For this reason you may see a table with 1,000,010 messages in it even though you specified 1,000,000 messages per table.
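The Injection Alert settings in step 7 (Time Period in minutes, Number of Messages) describe a sliding-window count: an alert fires when more messages than the configured number land in the folder within the period. A sudden burst into a Quarantine folder is often the first visible sign of a spam or malware campaign hitting the organization, so it is worth understanding exactly when the threshold trips. The following Python is an added example written for this guide and is not Proofpoint code; it models the check over constructed injection timestamps. The class name, the strict "greater than" reading of "exceeds", and the re-arm behaviour after the window count drops back are assumptions.

```python
# Added example (not Proofpoint code): a sliding-window model of the folder
# Injection Alert (Time Period in minutes, Number of Messages threshold).
from collections import deque
from typing import Deque, Iterable, List


class InjectionAlertMonitor:
    """Fires when more than `number_of_messages` injections land in the folder
    within any `time_period_minutes` window. Assumptions: "exceeds" means strictly
    greater than the configured number, and the alert re-arms once the count in
    the window falls back to the threshold or below, so one burst yields one alert."""

    def __init__(self, time_period_minutes: int, number_of_messages: int) -> None:
        self.window_seconds = time_period_minutes * 60
        self.threshold = number_of_messages
        self._recent: Deque[int] = deque()   # injection times still inside the window
        self._alert_active = False

    def record(self, injected_at: int) -> bool:
        """Record one injection (epoch seconds, fed in arrival order) and return
        True if this injection pushes the window count over the threshold."""
        self._recent.append(injected_at)
        cutoff = injected_at - self.window_seconds
        while self._recent and self._recent[0] < cutoff:
            self._recent.popleft()          # drop injections older than the window
        if len(self._recent) > self.threshold:
            if self._alert_active:
                return False                # already alerted for this burst
            self._alert_active = True
            return True
        self._alert_active = False          # burst subsided; re-arm
        return False

    def current_count(self) -> int:
        """Injections currently inside the tracking window."""
        return len(self._recent)


def replay(injection_times: Iterable[int], time_period_minutes: int,
           number_of_messages: int) -> List[int]:
    """Return the timestamps at which an alert would have fired for a folder."""
    monitor = InjectionAlertMonitor(time_period_minutes, number_of_messages)
    return [t for t in injection_times if monitor.record(t)]


# Constructed injection timestamps for one folder (not real log data): a burst of
# five messages in 200 seconds, a quiet gap, then a second burst of four.
SAMPLE_INJECTIONS = [0, 60, 120, 180, 200, 1000, 1010, 1020, 1030]

if __name__ == "__main__":
    # Time Period = 5 minutes, Number of Messages = 3 -> alerts at 180 and 1030
    print(replay(SAMPLE_INJECTIONS, time_period_minutes=5, number_of_messages=3))
```

With a 5-minute window and a threshold of 3, the fourth message of the first burst trips the alert and the fifth does not re-alert; the gap before the second burst lets the window empty, so the second burst produces its own alert. Tuning the two settings against the folder's normal injection rate (the daily volume figures discussed under Advanced Expiration Modes are a useful baseline) keeps the alert meaningful.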
Managing Folders

Managing folders includes changing folder settings, deleting folders, and viewing the messages in specific folders.

Changing Folder Settings

Click the Edit link for a folder to change its settings. You can change the following settings for a folder:

- Disposition - the folder disposition setting: Store Messages, Delay Delivery, Delay Delivery and Wait for AV Updates, or Delay Delivery and Wait for Spam Updates. You can also enable or disable the ability to release messages from the folder or resubmit messages in the folder for filtering.
- Services - whether or not to include the folder contents in End User Digests. (This parameter is not available for the Deleted folder.) Whether or not to allow Smart Send for the messages in the folder.
- Alerts - whether or not to trigger an alert when the number of messages injected into the folder exceeds the specified number over the specified time period.
- Advanced - determines whether folder content should be encrypted, and whether the disposition (Expiration Mode) applied to the messages in the folder should be applied to individual messages or to messages grouped by table. If the Expiration Mode is set to Expire by Table, you can change the maximum number of messages per table.

Important: You can change the Expiration Mode from Expire by Message to Expire by Table at any time. You cannot change the Expiration Mode from Expire by Table to Expire by Message if the folder contains more than one table. You can view the number of tables in a folder by selecting the folder on the Quarantine > Folders page and selecting the Advanced tab for the folder.

Viewing Messages in a Folder

To see the messages in a specific folder, click the name of the folder on the Quarantine > Folders page.

Deleting a Folder

If you delete a folder that contains messages, the messages in the folder are deleted too. You cannot delete the system folders. You can only delete folders that you create.

Viewing and Managing Messages

The Quarantine > Messages page displays the Messages search form and the Message List. The Messages search form provides the search and sort functions; the Message List displays the messages in the currently selected folder and provides links to apply actions to the messages.

If the Expiration Mode for a Quarantine folder is set to Expire by Table, a yellow information bar above the Message List displays the time period for which the messages were sent to the Quarantine. For more information about expiration modes, see Folders and Message Expiration. If the Maximum Age search criterion is set to Auto, only messages injected into the Quarantine in the last 24 hours display in the Message List.

The following links provide more information about the tasks you can complete from the Quarantine > Messages page:

- View the messages in each Quarantine folder and view details for a message.
- Search for messages using simple search criteria.
- Search for messages using advanced search criteria.
- Create and save search queries to save time.
- Apply actions to messages using the Delete, Move, Release, Redirect, and Resubmit links.
- Generate a Digest immediately for the user community using Generate Digest from the Options menu.
- Change the status and add a comment to a message.
- Add entries to the global Blocked Senders, Safe Senders, and Safe Recipient lists, using the corresponding selections from the Options menu.
- Create new Quarantine folders using the Folder menu.
- Change the properties of a Quarantine folder.
- Report false positives or negatives to Proofpoint.

The Message List can hold thousands of entries. To quickly view a specific entry on the list, enter a number into the Go to Message field, and then press the Enter key or click the Enter button. You can also sort messages in the Message List by column heading. For example, to sort the messages in the list by sender, click the Sender column heading.

Note: Messages over 100 MB in size cannot be placed in the Quarantine. Typically, an administrator creates a Firewall Module rule to reject messages over a certain reasonable size (for example, 5 MB), so the 100 MB size limitation for messages destined for the Quarantine is not an issue you are likely to encounter.

Related Topics:
- See About the Quarantine for an introduction to Quarantine concepts.
- See Introduction to Quarantine Folders for an overview of how to use folders to organize messages in the Quarantine.

Message Indicators

The following indicators provide information for each message in the Message List:

- A check mark in the check box indicates the message is selected. You must first select messages before applying an action to them.
- If the message includes an attachment, a check mark displays in the Attachment column. Attachments are indicated by a paper clip icon.
- If the message has a status assigned to it, a comment icon appears to the left of the message.
- The document icon indicates the state of the message:

Related Topics:
- See Setting Layout Defaults for instructions on selecting columns for display in the Message List.
- See Viewing and Managing Messages for an overview of the Quarantine > Messages page.
- See Message List Buttons for an overview of the actions you can perform on the messages in the Quarantine.

Simple Searches

Administrators typically select a folder from the folder drop-down list before initiating a search query. If your deployment is enforcing Folder Access Control, the folder drop-down list displays only the folders to which the administrator has access. The all folders choice applies the search query to all of the folders to which the administrator has access. Be aware that selecting all folders may increase the time it takes for the search query to complete. See Adding and Deleting Administrators for more information about Folder Access Control.

You can use simple search criteria to find messages in the Quarantine, and you can use several criteria at a time. Navigate to the Quarantine > Messages page to specify search criteria for messages in specific folders or all of the folders.

- The Sender, Subject, and Recipient fields are not case-sensitive. The drop-down list choices apply to the text that you enter into the fields. Using Starts with or Equals expedites the search.
- If you select Auto for Maximum Age, the query applies only to messages injected into the Quarantine in the last 24 hours.
  Note: If a folder Expiration Mode is set to Expire by Table, see "Searching for Messages by Age in a Specific Folder" below for more information.
- Select a reason from the Reason drop-down list. The All messages choice means any reason.
- To search for messages by the spam score, select a value from the Score From and To lists.
- If you disable Fast Query, it will take longer to return the search results.
- To start a new search, click Reset before entering new search criteria.

Searching for Messages by Age in a Specific Folder

When administrators retain millions of messages in the Quarantine, a search query can take hours to complete. To expedite search queries in a very large Quarantine, the Proofpoint Protection Server handles searches differently, depending upon whether the Expiration Mode for a folder is set to Expire by Message or Expire by Table.

The Maximum Age search criterion allows administrators to search through messages of specific ages according to their timestamps. If you do not change the Maximum Age search criterion, the Proofpoint Protection Server applies the Auto setting.

- If a folder is set to Expire by Message, the Auto setting for Maximum Age allows the search query to ignore the timestamps for the messages and applies the search to all messages in the folder.
- If a folder is set to Expire by Table, the Auto setting for Maximum Age restricts the search query to the last table in the folder. For example, if a folder contains three tables, and each table can hold 1,000,000 messages, the Auto setting for Maximum Age searches only the last (or newest) table in the folder. A yellow bar displays above the Message List to inform you that the query applied only to the last table in the folder. If you want the search query to include every table in the folder, select All for Maximum Age or specify a time period from the choices on the Maximum Age drop-down list. The Proofpoint Protection Server prompts you to continue if a query will take a long time to complete.

Advanced Searches

Administrators typically select a folder from the folder drop-down list before initiating a search query. If your deployment is enforcing Folder Access Control, the folder drop-down list displays only the folders to which the administrator has access. The all folders choice applies the search query to all of the folders to which the administrator has access. Be aware that selecting all folders may increase the time it takes for the search query to complete. See Adding and Deleting Administrators for more information about Folder Access Control.

You can narrow down a search even further by using the advanced search criteria. Click the Advanced Search button to see the advanced search options on the Quarantine > Messages page.

Important: Click the Reset button after a search. If you hide the Advanced Search criteria without resetting, the advanced criteria continue to apply to a simple search.

- To search for messages by the size (in kilobytes) of the message, select an operator from the Size drop-down list, and enter a number into the KB field.
- To search for messages by message ID number, enter the message ID number into the Message ID field. The message ID is determined and assigned to a message ID header by the sending mail server (for example, a Microsoft Exchange server) and is not necessarily unique to each message.

To search for messages by a GUID (Globally Unique Identifier), enter it into the GUID field. The GUID is assigned to messages by the Proofpoint Protection Server and is unique for each message in the Quarantine.

Enter a hostname or IP address into the Sender Host/IP field.

Select the check box next to Date Range. Use the month, day, and year drop-down lists to select a beginning and ending time period. The search finds messages that were quarantined during this time period.

Select a choice from the Protocol list.

Displaying Only Messages Released by Users

Administrators can track the messages users release from their End User Digests. If users repeatedly release messages from the same sender, perhaps the sender address should be placed on the Global Safe Senders list. When users release messages from their Digests, the messages are moved from the corresponding Quarantine folder to the Deleted folder. Use the Released by User Only feature to display only those messages released from the End User Digests. Messages released by administrators do not display. Navigate to the Quarantine > Messages page, click the Advanced button, and select Released By User Only from the Show drop-down list.

Controlling the Number of Fields to Display

You can add more fields to display on the Messages list by clicking the Advanced Search button and selecting additional fields from the Additional Field drop-down list. When you enter a query, you can still add fields that you did not specify in the default settings. The Additional Field drop-down list contains the fields that you did not specify in the default settings.

Note: Any fields that you use in a query are automatically added to the Messages list display, whether you specify them or not.

If you have an agent running the ICAP service, select Protocol or Protocol Type from the Additional Field menu to view the messages captured by ICAP. If you are managing message status and adding comments to messages, select Status and Comments from the Additional Field menu.

Controlling the Number of Messages to Display

You can control the default number of messages that display on the Messages list by setting the Results Per Page parameter on the Quarantine > Settings > Layout page. To override the default and display more or fewer messages in the list, click the Advanced Search button, and select a number from the Display drop-down list on the Quarantine > Messages page.

Creating and Managing Search Queries

You can save search criteria settings in a query. This is useful, for example, if you use the same search criteria over and over again. By saving the criteria in a query, you can simply select the query by name each time you want to apply a particular search. There is no limit to the number of queries you can create and save. When you save a query, the Simple Search or Advanced Search criteria are preserved with the query.

Important: When you save a search query, the query applies only to the currently selected folder. For example, if you create a query while viewing messages in the Virus folder and then switch to the Probable Virus folder, the query you created in the Virus folder will not work in the Probable Virus folder.

To create a query, navigate to the Quarantine > Messages page and click New (in the title bar). Enter the name of the query into the field (replace Query1 with a name for your query). The maximum length for a query name is 20 characters. You may use only the letters A through Z and underscores. Numbers and special characters are not allowed; the query utility strips "illegal" characters out of the name. You can select saved queries from the list in the future, and delete or modify them.

Temporarily Disabling Fast Query

The Fast Query feature noticeably speeds up a query when you are searching for messages that meet specific search criteria. When Fast Query is enabled, the message count is not available (for example, Messages 41-60) and the Last Page / Last Message button is not available. The Fast Query feature is enabled by default and is represented by a check mark next to Fast Query on the Messages form. To temporarily disable the Fast Query feature, clear the Fast Query check box on the Quarantine > Messages page. If you clear the Fast Query check box, you will see a message warning you that the query will slow down considerably.

Sorting Messages

To sort messages by search criteria, select a criterion from the Sort by drop-down list on the Messages search form. For example, you can search for all messages from a particular Sender, then sort those messages by Reason. To sort messages in the Messages list by date, click the up-arrow or down-arrow icon next to the Date column heading. The sort order switches between ascending and descending.

Viewing Message Details in Folders

View detailed information about a message to understand why it was quarantined and to determine whether you want to take further action on it. The message details appear in a message preview pane at the bottom of the Quarantine > Messages page. After viewing the message details, administrators can decide which action, if any, to apply to the message. See Message List Actions for more information about actions you can apply to messages in a Quarantine folder.

Important: If the Expiration Mode for a folder is set to Expire by Table, only the messages in the table that have not yet expired are included in the Messages list. As messages reach their expiration dates in the table, they are no longer displayed in the Messages list, even though they are still maintained in the table. When the last message in the table reaches its expiration date, the entire table is dropped and all messages in the table are permanently removed from the Quarantine. If the Maximum Age search criterion is set to Auto, only messages injected into the Quarantine in the last 24 hours display in the Message List.

To view message details in any of the Quarantine folders, select a folder from the Quarantine folders drop-down list, and click any entry in any of the table cells for the message (Reason, Sender, Recipients, Date, Subject, or Size) to display the message preview pane.

Note: Clicking an envelope icon also displays the message details.

When you select a message for viewing in the message preview pane, it is highlighted in the Messages list. The message preview pane provides a View menu, an Options menu, and a navigation bar.

The View menu allows administrators to select different views of the details for a message:
- Message. Displays the message as it appears to the client.
- Triggered Rules. Displays the rules that were triggered by the message.
- Headers. Displays the message headers.
- Source. Displays the message source text.
- Sender WhoIs. Displays the WhoIs record of the sender, as registered with a qualified registrar.
- Status. Displays details about the status of the message: the date the status was applied, the identity of the administrator who changed the status and added a comment, the message status, and the comments added to the message. If the status of a message is Unknown, the status assigned to the message was deleted from the Proofpoint Protection Server.

The Options menu provides the following choices:
- Save Message. Opens the message or saves it to a directory location.

- View as HTML. Displays the message in HTML format. Rendering HTML displays untrusted content from the sender, so prefer the Headers or Source view when you examine a suspected phishing or malware message.
- View Source. Displays the message in RFC 822 format.

Navigation Bar

The navigation bar provides icons for the following functions:
- Decrease message preview pane size.
- Increase message preview pane size.
- Previous message in Message List.
- Next message in Message List.
- Maximize message preview pane.
- Minimize message preview pane.
- Close message preview pane.

Related Topics:
See Introduction to Quarantine Folders for an overview of how to use folders to organize messages in the Quarantine.
See Creating a Folder for more information about folder expiration and message expiration modes.
See Changing Status and Adding Comments to Messages for more information about changing message status and adding comments to messages in the Quarantine.

Selecting Messages for Actions

Before you apply actions to messages in a folder, you need to select them. You have several options for selecting messages.

Important: The messages displayed in the Messages list are the result of a query. If you do not select any search criteria for a query and click the Reset button followed by the Search button, the query returns all of the messages in the folder. However, the Messages list displays only as many entries as you have configured it to display. (See Setting Layout Defaults and Controlling the Number of Messages to Display.) For example, your search query may return 3,000 entries, but you will see only 100 of them at a time in the Messages list. This is why it is important to understand which messages you are selecting before you apply an action to them.

Selecting Individual Messages

Each message in the Messages list has a check box to the left of it. To select individual messages, select the check box next to the message.

Selecting Messages on a Display Page

The number of messages to display at a time on a page is configured on the Quarantine > Settings > Layout page. To select all of the displayed messages after a query, select the check box in the table column heading for the Messages list.

Selecting All of the Messages from a Query

To select all of the messages from a query, whether or not they are displayed on the page, select the All check box to the left of the Quarantine folders drop-down list. The All check box does not apply if you are changing the status or adding a comment to messages in the Quarantine.

Note: If you want to select all of the messages in a folder, you must first clear all of the search criteria by clicking the Reset button, and then click the Search button. After the query returns all of the messages in the folder, select the All check box.

Message List Actions

This list describes the links for the actions that you can apply to messages in a folder on the Quarantine > Messages page.

Delete - deletes the selected messages from the current folder, offering you the option of placing copies of the messages in the Deleted folder. (This button is not available for the Deleted folder.) See Emptying the Deleted Folder for more information.
Note: You need to refresh your browser if you delete all of the messages in a folder.
Move - moves the selected messages from the current folder into another folder. See Moving Messages Between Folders for more information.
Release - delivers the selected messages to the original recipient(s) and removes them from the folder. See Releasing Messages for more information.
Redirect - sends the selected message to one or more recipients other than the original recipient. You are prompted to provide the addresses for the new recipients. See Redirecting Messages for more information.
Resubmit - resubmits the selected messages to all of the filtering modules. (This option is enabled with the Enable Resubmit Messages parameter on the Quarantine > Settings > General page.) See Resubmitting Messages for Filtering for more information.
Status - toggles between displaying and hiding the message status pane. See Changing Status and Adding Comments to Messages for more information.

Folder Menu

The Folder menu provides shortcuts to folder management tasks:
Properties - displays the Edit Folder pop-up window, where you can change the folder properties.
New Folder - displays the Add Folder pop-up window, where you can add a new folder to the Quarantine and configure its properties.
Delete Folder - available only for folders that you create, not the System folders. Deletes the folder and its contents from the Quarantine.
List All Folders - displays the Quarantine > Folders page, where you can view all of the folders in the Quarantine.
See Creating a Folder for more information about folder parameters.

Options Menu

The Options menu provides the following choices:
Generate Digest - generates Digests immediately for the user community. See Generating a Digest from the Quarantine for more information.

Block Sender - adds the sender of the selected message to the Global Blocked List. Future messages from the sender automatically receive a spam score of 100. See Automatically Adding Senders to the Global Blocked List for more information.
Safe Sender - adds the sender of the selected message to the Global Safe List. Future messages from the sender automatically receive a spam score of zero. See Automatically Adding Senders to the Global Safe List for more information.
Safe Recipient - adds the recipient of the selected message to the Global Safe List. Future messages addressed to the recipient receive a spam score of zero. See Adding Recipients to the Global Safe List for more information.
Report - when enabled, this choice is for reporting false positives. Sends the selected message or messages to Proofpoint. False positives are messages that scored high enough to be quarantined as spam but are in fact legitimate. Proofpoint uses false positives to train the MLX Engine. See Administrators Reporting False Positives and Negatives for more information.
Re-score Spam - resubmits the selected messages to the Spam Detection Module for scoring. This is useful, for example, if you received a new Spam MLX Engine and Spam MLX Definitions and want to rescore the messages in the folder with the updated module.
Virus Scan - resubmits the selected messages to the Virus Protection Module or the Zero-Hour Anti-Virus Module for a status update. See Updating the Virus Status for more information.
Download Message List (CSV) and (XML) - saves the selected messages to a file, in either CSV or XML format.

Related Topics:
See About the Quarantine for an introduction to Quarantine concepts.
See Introduction to Quarantine Folders for an overview of how to use folders to organize messages in the Quarantine.

Folder Actions

The Folder drop-down menu allows you to apply the following actions to Quarantine folders:
View and change folder properties. Select Properties from the Folder menu. For more information about changing folder properties, see Managing Folders.
Create a new folder. Select New Folder from the Folder menu. For more information about creating a new folder, see Creating a Folder.
View all of the existing Quarantine folders. Select List All Folders from the Folder menu. This choice takes you to the Quarantine > Folders page.

Moving Messages between Folders

Administrators can move messages between folders in the Quarantine. For example, if you want to keep certain messages in the Quarantine indefinitely, you can create a folder with an expiration setting of never and move messages into that folder. The messages remain in the Quarantine until you decide to delete them.

Messages in the Quarantine are tracked by many criteria, including a timestamp given to the message when it is sent to the Quarantine. You can use this timestamp for search queries and for automatically deleting messages from the Quarantine according to the Quarantine folder disposition settings.

Important: When you move a message from one folder to another, its timestamp changes to the current time (the time it is moved). If you search for the message by its original timestamp after you move it, you will not find it. The original timestamp is retained and can be viewed on the Message Detail page for the message, in the Source view.

To move messages between folders:
1. On the Quarantine > Messages page, select the name of the folder you want to view from the folders drop-down list on the Messages list.

2. Select the check boxes for the messages that you want to move to a different folder on the Messages list.
3. Click Move, select a folder from the drop-down list, and click Move again in the pop-up window.

Viewing and Restoring Deleted Messages

When messages are automatically deleted from any folder according to the Store Messages settings on the Disposition tab for that folder, they are permanently removed from the Proofpoint Protection Server. When you manually delete messages from any folder, you are prompted to place a copy of the deleted messages in the Deleted folder. This gives the administrator a second chance to apply an action to deleted messages. While messages are stored in the Deleted folder, you can release them, move them to another folder, manually delete them, or allow them to be automatically deleted according to the folder Disposition settings.

Note: If you do not want to be prompted for confirmation each time you manually delete a message from the Messages list (move it to the Deleted folder), you can disable the message box. See Quarantine General Settings for instructions.

To view the messages in the Deleted folder, select it from the folders drop-down list. To restore messages in the Deleted folder, move them to another folder. See Moving Messages Between Folders.

Related Topics:
See Selecting Messages for Actions for more information on how to select messages in the Deleted folder before you delete or restore them.

Emptying the Deleted Folder

You can empty the contents of the Deleted folder in these ways:
Set the folder disposition settings to automatically delete the contents of the folder after a time period.
Manually select and delete the messages in the Deleted folder.
Any messages deleted in these ways are permanently destroyed and cannot be recovered. You cannot undo this action.

To automatically empty the Deleted folder:
1. Navigate to the Quarantine > Folders page.
2. Click the name of the Deleted folder in the table to view its settings.
3. Click the Disposition tab.
4. Verify that the Store Messages radio button is selected.
5. Select a time period from the Messages expired after drop-down list.
6. Click Save Changes.
All messages are automatically removed from the folder after the designated time period. For example, if you choose 2 Weeks, a message is removed two weeks after the date it was stored in the Deleted folder.

To manually delete messages from the Deleted folder, select them and click Delete.
Note: You need to refresh your browser if you delete all of the messages in a folder.

Related Topics:
See Selecting Messages for Actions for more information on how to select messages in the Deleted folder before you delete them.

Releasing Messages

Releasing a message from a folder delivers it to the original recipient, removes it from the original folder, and places a copy of the message in the Deleted folder. A released message can trigger some types of rules before it is delivered to the original recipient. Any rule that takes action before the message content is scanned can cause the message to be quarantined again rather than truly released. Examples of rules that take action before the message content is scanned are rules with Envelope Sender or Envelope Recipient conditions.

The Release menu has the following choices:
Release With Virus Scan - resubmits the selected messages to the Virus Protection Module. If no rules are triggered, the selected messages are released to the infrastructure.
Release Without Virus Scan - releases the selected messages to the infrastructure without further virus scanning. Use this choice only for messages whose content you have already examined, since it skips the check that would catch a newly detected virus.
Release Encrypted - encrypts the selected messages before releasing them to the infrastructure. You are prompted to select a Branding Template and a Response Profile for the message. See Managing Branding Templates and Managing Response Profiles for more information.

Note: A copy of the message remains in the Deleted folder until you manually delete it or the message is removed according to the expiration setting for the folder.

Redirecting Messages

Redirecting a message delivers a copy of the message to someone other than the original recipient. You have the option of redirecting the message to the original recipient or recipients of the message, and of deleting the message from the Quarantine after sending it. If you do not delete the message after redirecting it, the original message remains in the Quarantine folder until it receives the action applied to it according to the folder Disposition settings.

To send a message to another recipient or recipients:
1. Navigate to the Quarantine > Messages page.
2. Select a folder from the folders drop-down list.
3. Select the check box next to the message or messages you want to redirect in the Messages list, and click Redirect.
4. In the Redirect Message pop-up window, enter the new recipient address or addresses into the Redirect to field. Separate multiple recipients with a semicolon, like this:
The Add recipient button populates the Redirect to field with the original recipient or recipients of the message.
5. Select Delete message after redirection if you want to delete the message from the Quarantine once you send it to other recipients. Leave this check box clear if you want the message to remain in the Quarantine according to the folder's Disposition settings.
6. Enter a subject and comment into the text boxes.
7. Click Redirect Message to send the message. The original message is sent to the new recipient or recipients as an attachment.

Resubmitting Messages for Filtering

This feature allows administrators to resubmit messages in the Quarantine to the Proofpoint Protection Server for filtering again. Proofpoint frequently distributes updates for the Virus Protection Module DAT files (virus definition files) and the Spam Detection Module MLX engine. Administrators may want to resubmit messages in the Quarantine after deploying the latest module updates from Proofpoint. You must enable the Enable Resubmit Messages parameter on the Quarantine > Settings > General page. See Quarantine General Settings for instructions.

To resubmit messages in the Quarantine:
1. Navigate to the Quarantine > Messages page.
2. Select a folder from the folders drop-down list, select the messages you want to resubmit for filtering, and click Resubmit.

Generating a Digest from the Quarantine

Administrators can send a Digest to the user community using the Generate Digest choice from the Options menu on the Quarantine > Messages page. This is useful, for example, if there are messages in the Quarantine that you believe the intended recipients should know about immediately. You can generate a Digest for those users right away instead of waiting for the scheduled Digest generation time.

To generate a Digest from the Quarantine > Messages page:
1. Click the Options menu and select Generate Digest.
2. On the Generate Digest pop-up window, click the appropriate radio button:
Use Digest Users Settings - sends Digests to users on the list that you set up on the End User Services > Filters > Users page. See Creating the List of Digest Users for more information.
Specify Recipients (Comma Separated) - sends a Digest to a few specific users. Enter the addresses for the users into the text box.
3. Click Generate Digest.

Automatically Adding Senders to the Global Blocked List

This feature allows administrators to add senders to the Global Blocked List directly from the Quarantine. The Proofpoint Protection Server rejects messages from senders on the Global Blocked List based on envelope and connection criteria such as specific addresses, domains, or IP addresses. Any future messages originating from these locations are rejected as spam and do not undergo any further filtering.

To add a sender to the Global Blocked List:
1. Navigate to the Quarantine > Messages page, and select a folder from the folders drop-down list.
2. Select the check box next to the message for which you want to add the sender to the Global Blocked List.
3. Click the Options menu and select Block Sender. If you select only one message, the Add List Entry pop-up window contains fields for adding hostname and domain criteria.
4. Select the check boxes next to the descriptions of the criteria you want to use to add the sender to the Global Blocked List. You can add senders to the Global Blocked List by address, hostname, HELO domain, and IP address.
5. For the hostname and domain entries, select an operator from the drop-down list. See Operators in "Rules and Delivery Dispositions" for a description of each operator.
6. Click the Add Entry button to save the changes.
If you select several messages for the Global Blocked List, the Add List Entry pop-up window does not contain fields for adding the hostname and domain criteria.

Automatically Adding Senders to the Global Safe List

Adding senders to the Global Safe List is the opposite of adding them to the Global Blocked List. By adding senders to the Global Safe List, any future email originating from the sender is not filtered for spam. The connection or envelope criteria are based on address, hostname, domain, or IP address. Because an envelope sender address is trivially forged, safe-listing by address alone lets anyone who spoofs that address bypass spam filtering; where possible, combine the address with hostname or IP address criteria.

To add a sender to the Global Safe List:
1. Navigate to the Quarantine > Messages page, and select a folder from the folders drop-down list.
2. Select the check box next to the message for which you want to add the sender to the Global Safe List.
3. Click the Options menu and select Safe Sender. If you select only one message, the Add List Entry pop-up window contains fields for adding hostname and HELO domain criteria.
4. Select the check boxes for the criteria you want to use to add the sender to the Global Safe List. You can add senders to the Global Safe List by address, hostname, HELO domain, and IP address.
5. For the hostname and domain entries, select an operator from the drop-down list. See Operators in "Rules and Delivery Dispositions" for a description of each operator.
6. Click Add Entry.
If you select several messages for the Global Safe List, the Add List Entry pop-up window does not contain fields for adding hostname and domain criteria.

Adding Recipients to the Global Safe List

Adding recipients to the Global Safe List is like adding senders to it, but it applies to a recipient instead of a specific sender. This is useful, for example, if you want to allow legitimate newsletters or bulletins to be distributed to recipients by email.

To add a recipient to the Global Safe List:
1. Navigate to the Quarantine > Messages page, and select a folder from the folders drop-down list.
2. Select the check box next to the messages for which you want to add the recipient to the Global Safe List.
3. Click the Options menu and select Safe Recipient. The Quarantine > Messages page displays the message "Recipient successfully added to Safe List."

Note: Adding a recipient mailing list simply adds the mailing list to the Global Safe List in the Spam Detection Module. It does not add the individual recipients in the mailing list, only the mailing list - for example,

Administrators Reporting False Negatives and Positives

Occasionally, a message can score high enough to enter the Quarantine but actually not be spam (a false positive). Conversely, a message that is spam but does not score high enough to trigger a rule for spam (a false negative) can be delivered to an inbox. Administrators can report these false positives or negatives to Proofpoint, where Proofpoint anti-spam engineers use the message header and telemetry information to "train" the MLX engine. The telemetry information includes which rules were triggered and what caused the trigger.

Important: The Proofpoint Protection Server must be activated before administrators can report false positives or false negatives. You must also enable the corresponding parameters on the Quarantine > Settings > Spam Reporting page.

To report a false positive or false negative to Proofpoint:
1. Navigate to the Quarantine > Messages page, and select a folder from the folders drop-down list.

2. Select the check box for the message you want to report, or click the message itself in the table.
3. Click the Options menu and select Report.
Note: If you select one message to report, information for that message appears in the From, To, Subject, and Reason fields in the Report Message pop-up window. If you select more than one message to report, information for the messages does not display in these fields.
4. Make a selection from the Actual Reason drop-down list. The choices are FP (Legitimate Mail), FN (Spam), and Other.
Note: Select Other from the Actual Reason drop-down list only under the direction of Proofpoint.
5. Make a selection from the Message Type drop-down list. The choices vary according to the selection you made for the Actual Reason.
FP (Legitimate Mail) - the message was classified as spam and should have been classified as not spam.
- Business/Personal Mail. The email is from a legitimate sender. Email from this sender should not be scored as spam in the future.
- Legitimate Bulk Mail (Opt-In). The email came from a bulk sender from whom you want to continue receiving email. Email from this sender should not be scored as spam in the future.
- Zero-Hour. The Zero-Hour Module classified the message as containing a probable virus, but it does not. A copy of the message is sent to the Proofpoint Attack Center, and the administrator can release the message to the intended recipient.
FN (Spam) - the message was classified as not spam but should have been classified as spam.
- Ordinary Spam. The message contains spam.
- Phish. The message came from a sender posing as a legitimate sender to gather information about you.
- Adult. The message contains pornography or adult content.
6. Enter your comments in the Comments text box, for example, special comments about the message you are reporting. You can also copy and paste selected sections of the message you are reporting into the Comments text box if you do not want to include the entire message (Include Message) because it contains confidential or proprietary information.
7. Select the Include Message check box if you want to include the original message as part of the report to Proofpoint. (This check box is not available for every Message Type choice.)
8. Click the Report button to send the message to Proofpoint.

Related Topics:
To allow end users to report false positives or false negatives from their Digests, see Users Reporting False Negatives and Positives in "End User Services."

Updating the Virus Status

While messages are stored in a Quarantine folder, the Proofpoint Protection Server may receive new virus signature files from the Proofpoint Dynamic Update Service. Or, if you have the optional Zero-Hour Anti-Virus Module, messages stored in the Zerohour folder have been placed there because they triggered rules that classified them as having a probable, medium, or high threat level of being infected with a virus. You can update the virus status of the messages in a Quarantine folder to determine whether they are indeed infected and should be deleted, or whether they are not infected and can be released to the infrastructure.

To update and view the virus status for messages:
1. Navigate to the Quarantine > Messages page, and select a folder from the folders drop-down list. Choose a folder that is storing messages that may be infected with a virus.
2. Select the messages you want to check for virus status. If you do not select any messages, the status update is applied to the displayed messages.
3. Click the Options menu and select Virus Scan. A new Status column displays on the Messages list.

An icon indicates the virus status for each message:
A green check mark means the message is free of viruses and can be released to the infrastructure.
A red X icon means the message is infected. The name of the virus appears next to the icon.
Protected means the message could not be scanned for a virus, so the status cannot be updated. Treat such a message as unscanned rather than clean.

Related Topics:
See Selecting Messages for Actions for more information on how to select messages in a Quarantine folder before you update the virus status.

Changing the Status and Adding Comments to Messages

Administrators can assign a status and add a comment to a message (or messages) in any Quarantine folder. The most common application for this feature is to enforce compliance with your organization's policies for outbound mail. The typical use case is that you create compliance rules for outbound mail that trigger if the message content or an attachment violates your organization's policies. Copies of messages that trigger the rules are sent to a compliance Quarantine folder. Your information security team reviews the content of the compliance folder, assigns a status to each message, and adds a comment to the message for administrative purposes.

Several status definitions are included for your convenience: New, In Progress, Escalated, False Positive, and Resolved. To add, delete, review, or select status definitions, go to the DLP Incidents > Settings page. To display the status icon, Status column, and Comments column in the Messages list on the Quarantine > Messages page, select the display settings on the Quarantine > Settings > Layout page.

To change the status or add a comment to a message:
1. Select the check box for the message or messages.
2. Click Status to display the status pane.
3. Initially, the New Status field displays the currently selected default status. Select a different status from the list and add a comment in the Comments field.
4. Click Add to save your changes. A status icon is added to the message in the Message List.
The status pane displays a history for the message: each time the status changed, who made the change, the date of the change, and the comments added to the message. If you select several messages at once (by clicking check boxes), the status pane displays the details for the highlighted message, not for all of the selected messages.

Chapter 8 - Groups and Users

About Groups and Users

The Groups and Users feature allows administrators to manage mail for the user community on a global, group, and user level. Administrators can apply several attributes to manage mail, including filtering mail (or not), spam policies, Digest attributes, and encryption attributes. See About Attributes for a list of all of the attributes you can apply on a global, group, and user level. See About the End User Digest for information about Digests.

Note: If your deployment consists of more than 1000 groups, some of the management interface elements behave differently on the Groups and Users > Users page. See Adding Users and Mailing Lists and Assigning Attributes for details.

You can complete the following tasks using Groups and Users:
Configure and populate the User Repository.
Create Password Policies for groups of users.
Create import and authentication profiles.
Assign global attributes.
Manage groups and assign attributes.
Manage users and assign attributes.

Envelope Splitting

Envelope splitting addresses the following cases:
When a message is addressed to multiple recipients and some of the recipients have filtering applied (Opt In) and some do not (Opt Out). The Filter (Opt In/Out) attribute is on the Groups and Users > Global > Inbound page.
When a message is addressed to multiple recipients and the recipients have different Spam Policy attributes.
When a message is addressed to multiple recipients and the sender of the message is on the Safe Senders list for some recipients and on the Blocked Senders list for other recipients.
When a message is addressed to multiple recipients who are in different domains and belong to different Policy Routes.

The following figure illustrates an example of how mail is filtered for email addressed to multiple recipients when two users are Opt In and two users are Opt Out.
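As an added example (not Proofpoint code), the following models the two mechanisms this chapter describes: resolving each recipient's effective attributes through the user > group > global hierarchy, where a User Group wins over a Domain Group, a higher-precedence group wins over a lower one, and Default means inherit from the next level up (see About Attributes and Global Attributes), and then splitting one envelope into one copy per distinct effective policy. The direction of the numeric precedence value, the keying of Policy Routes by recipient domain, the collapsing of the split key for Opt Out recipients, and all users, groups and addresses are assumptions constructed for the example.

```python
# Added example, not Proofpoint code: effective-attribute resolution through the
# user > group > global hierarchy, then envelope splitting by effective policy.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

DEFAULT = None  # the "Default" selection: inherit from the next level up


@dataclass
class Group:
    name: str
    kind: str                   # "user" for a User Group, "domain" for a Domain Group
    precedence: int             # assumption: a larger number means higher precedence
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)


@dataclass
class User:
    address: str
    groups: List[str] = field(default_factory=list)
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)
    safe_senders: Set[str] = field(default_factory=set)
    blocked_senders: Set[str] = field(default_factory=set)


# Global level (Groups and Users > Global > Inbound), using the shipping defaults from the guide.
GLOBAL_ATTRS = {"filter": "yes", "spam_policy": "Global Spam Policy"}


def winning_group(user: User, groups: Dict[str, Group]) -> Optional[Group]:
    """A User Group beats a Domain Group; among groups of one kind, higher precedence wins."""
    member = [groups[name] for name in user.groups]
    if not member:
        return None
    return max(member, key=lambda g: (g.kind == "user", g.precedence))


def effective_attr(user: User, groups: Dict[str, Group], name: str) -> str:
    """Default at the user level falls to the winning group; Default there falls to global."""
    value = user.attrs.get(name, DEFAULT)
    if value is not DEFAULT:
        return value
    group = winning_group(user, groups)
    if group is not None:
        value = group.attrs.get(name, DEFAULT)
        if value is not DEFAULT:
            return value
    return GLOBAL_ATTRS[name]


def sender_disposition(user: User, sender: str) -> str:
    """Blocked wins over safe if a sender somehow appears on both lists (modelling choice)."""
    if sender in user.blocked_senders:
        return "blocked"
    if sender in user.safe_senders:
        return "safe"
    return "none"


def split_envelope(sender: str, recipients: List[str], users: Dict[str, User],
                   groups: Dict[str, Group], policy_routes: Dict[str, str]) -> Dict[Tuple, List[str]]:
    """Group recipients by everything that changes how the message is handled for them.
    policy_routes maps a recipient domain to a Policy Route name (an assumption about how
    routes are keyed; the guide only says recipients in different routes are split)."""
    envelopes: Dict[Tuple, List[str]] = {}
    for rcpt in recipients:
        user = users[rcpt]
        route = policy_routes.get(rcpt.rsplit("@", 1)[1], "default")
        if effective_attr(user, groups, "filter") == "no":
            # Opt Out bypasses filtering, so spam policy and safelists cannot matter (modelling choice).
            key: Tuple = ("filter=no", route)
        else:
            key = ("filter=yes", route, effective_attr(user, groups, "spam_policy"),
                   sender_disposition(user, sender))
        envelopes.setdefault(key, []).append(rcpt)
    return envelopes


# Constructed sample data: the guide's two Opt In / two Opt Out picture, plus one more Opt In user.
GROUPS = {
    "Sales": Group("Sales", "user", 10, {"filter": DEFAULT, "spam_policy": "Aggressive"}),
    "Temps": Group("Temps", "user", 5, {"filter": "no"}),
    "example.com": Group("example.com", "domain", 1, {"filter": "no"}),  # an automatic Domain Group
}
USERS = {
    "ann@example.com": User("ann@example.com", ["Sales", "example.com"]),   # User Group wins over Domain Group
    "bob@example.com": User("bob@example.com", ["example.com"]),            # only the Domain Group: Opt Out
    "cat@example.com": User("cat@example.com", ["Sales", "Temps"], {"filter": "yes"},
                            safe_senders={"news@vendor.test"}),              # user level overrides Temps
    "dan@example.org": User("dan@example.org", [], {"filter": "no"}),       # no group, user-level Opt Out
    "eve@example.com": User("eve@example.com", ["Sales"]),
}
ROUTES = {"example.com": "corp", "example.org": "subsidiary"}


def demo() -> Dict[Tuple, List[str]]:
    return split_envelope("news@vendor.test", sorted(USERS), USERS, GROUPS, ROUTES)


if __name__ == "__main__":
    for key, rcpts in demo().items():
        print(key, "->", ", ".join(rcpts))
```

Running demo() yields four envelopes for five recipients: ann and eve share one (Opt In, corp route, Aggressive policy, sender not on any list), cat gets her own because the sender is on her Safe Senders List, bob is Opt Out through the Domain Group, and dan is Opt Out in a different Policy Route.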

Related Topics: For information about attributes, see About Attributes. For information about Policy Routes, see About Policy Routes and Creating and Modifying Policy Routes.

Enabling Automatic Domain Groups, User Repository, and POP Forwarder

You can enable or disable the User Repository on the Groups and Users > Settings > General page. If you disable the User Repository, users will not be able to manage their End User Digests. To temporarily disable the User Repository, click the Off radio button in the Groups and User Options section on the page.

To automatically create a Domain Group for each host or domain that you add to the Appliance > Inbound Mail page, select On for the Enable Automatic Domain Group Creation parameter.

Important: Automatic domain group creation applies only to the hosts or domains that you add to the Appliance > Inbound Mail page or Appliance > Outbound Mail > Mail Routes page after you enable this feature. It does not apply to pre-existing hosts and domains for systems in a cluster, or for systems added to a cluster with pre-existing hosts and domains.

POP Forwarder

During product evaluation (and beyond), administrators can allow users to forward email from their personal POP accounts to an appliance for filtering. Once enabled, this feature can be disabled per user, per group, or globally by changing the Enable Forwarder attribute. If this feature is temporarily disabled (for example, during a product upgrade), administrators can re-enable it by selecting On for the Enable parameter under Forwarder (POP3) on the Groups and Users > Settings > General page.

Related Topics: See Creating an Import or Authentication Profile for instructions on how to create profiles to populate the User Repository with users from a variety of data sources, and set user authentication parameters on a per-profile basis. See Scheduling an Import Profile for information about how to automatically import users for a specific profile into the User Repository on a scheduled basis.

Configuring the Layout for the Users List and Groups List

Use the Groups and Users > Settings > Layout page to control how many entries display in the Groups and Users > User List and the Groups and Users > Group List when you search for users, and whether or not to wrap the names in the Aliases and Group Name columns.

About Attributes

Attributes provide a method for configuring and managing End User Digests, authentication sources, branding templates, and profiles and external passwords for encryption. You can apply the attributes on a global, group, and user level. The levels provide a hierarchy by which attributes are applied. Global attributes apply to all users. Group attributes apply to groups of users (User Groups and Domain Groups). User attributes apply to specific users. User attributes override group attributes, and group attributes override global attributes. For example, you can enable filtering for all individuals in an organization (global level), disable filtering for a specific group of users in the same organization (group level), and enable filtering for one member of that group (user level).

Configure global attributes on the pages under Groups and Users > Global in the navigation pane. Configure group attributes on the corresponding tabs when you add or edit a group. See the following topics for more information about the parameters for the attributes:
Inbound Attributes
Outbound Attributes
Services Attributes
Authentication Attributes
POP3 Forwarder Attributes

Attributes are applied to End User Digest settings, spam policy selections, and enforcement of module rules. Attributes also permit users to upload confidential information to the Document Repository, change a password, and report false negatives.

Summary: You can select default attributes for both groups and users.

If you make default selections for a user, the user inherits the attributes of the group to which he or she belongs. If the user belongs to more than one group, the user inherits the attributes of the group that has the higher precedence. If the user belongs to both a Domain Group and a User Group, the user inherits the attributes of the User Group. If the user does not belong to a group, or the group also has default selections for its attributes, the user inherits the selections made for global attributes. See Adding Groups and Assigning Attributes for more information about setting group precedence. See Setting Policy Precedence for Attributes for more information on how users inherit attributes.

Inbound Attributes

This topic describes the inbound mail attributes on the Groups and Users > Global > Inbound page.

Filter (Opt In/Out) - determines whether recipients will have email filtered by the Proofpoint Protection Server. Selecting No (Opt Out) bypasses mail filtering. By default, Yes is selected for Filter (Opt In/Out) on a global level. If the same message is addressed to a user with Yes selected and to a user with No selected, the envelope is split so that filtering is applied or bypassed correctly for each recipient. See Envelope Splitting for more information.

Spam Policy - determines how spam will be processed. Spam policies are defined by a set of rules and are listed on the Spam Detection > Policies > Policies page. You can create as many spam policies as necessary. The Proofpoint Protection Server ships with a default Global Spam Policy that is automatically applied to all users in the User Repository. You have the option to allow users to select a spam policy for themselves from the End User Digest. When you create the spam policies, you decide which spam policies you want to expose to the end users with the End User Visible attribute on the Spam Detection > Policies > Policies page. See Creating Spam Policies and Rules in "Spam Detection Module" for more information.

Use From/Sender Header for Safelist - if set to Yes, allows users to add senders to their Safe Senders and Blocked Senders Lists based on the sender's From header. If set to No, allows users to add senders to their Safe Senders and Blocked Senders Lists based on the envelope Sender. Because some organizations have many envelope senders, adding just one of the envelope senders to either a Safe Senders List or a Blocked Senders List may not be effective.

Note: If this parameter is set to Yes, users will see the sender's From header displayed in the End User Web Application for quarantined messages, but will not be able to search for messages by the From header; this search field will be disabled. The Proofpoint Protection Server only allows searching by envelope Sender.

Audit

Audit Messages - saves copies of messages that are filtered and delivered to the end user in the Audit folder in the Quarantine. Administrators can review the messages in the Audit folder and report false negatives to Proofpoint. (A false negative is spam incorrectly classified as not spam.) By default, No is selected on the global level.

Smart Send

Allow Smart Send - allows users to release quarantined messages, or block quarantined messages, without administrator intervention. If you are licensed for Proofpoint Encryption, users can encrypt and then release quarantined messages. See About Smart Send for more information about this feature.

Outbound Attributes

The topics on this page describe the outbound mail attributes on the Groups and Users > Global > Outbound page.

Encryption

Enable Secure Reader - Secure Reader is a browser-based application that allows users to decrypt, read, forward, and reply to encrypted messages. You can disable this feature on a global, group, or user level by selecting No for this parameter.

Response Profile - specifies which profile to apply if you have deployed Proofpoint Encryption. See Managing Response Profiles for information on creating Response Profiles.

External Password Policy - specifies the password policy enforced for users outside your organization when they register with Proofpoint to encrypt and decrypt messages. See Password Policies for Groups and Users for information about creating password policies.

Branding Template - specifies which Branding Template to apply to encrypted email. See Managing Branding Templates for information on creating Branding Templates.

Language - specifies which language to use for the notification of a secure message. When a user receives a secure message, the Language parameter determines which language to use for the notification. After the user clicks the SecureMessageAtt.htm attachment, the language for the Secure Reader interface is determined by the locale of the browser. For example, if your browser is set to the French locale, your Secure Reader interface will display in French. If you select the Use Detected Language from Message choice, Proofpoint Encryption will detect the language of the beginning part of the content of the secure message, and the secure message notification will display in that detected language. If you want to change the content of the information displayed to the user by Secure Reader, see Resources.

Regulatory Compliance

Enforce Regulatory Compliance - this attribute is available if the Regulatory Compliance Module is installed. This attribute ensures that Regulatory Compliance rules that filter for violations of privacy-based or financial transaction regulations are enforced. Consider leaving this attribute set to Yes at the global level, and then determine on a group or user level which individuals are exempt from Regulatory Compliance rules.

Digital Assets

Enforce Digital Assets - this attribute is available if the Digital Assets Module is installed. This attribute ensures that Digital Assets rules for filtering confidential information stored in the Document Repository are enforced. Consider leaving this attribute set to Yes at the global level, and then determine on a group or user level which users are exempt from Digital Assets rules.

Document Creation Allowed - this attribute is available if the Digital Assets Module is installed. This attribute allows specific users to upload confidential documents or information to the Document Repository using email. See Document Processor Settings in "Digital Assets Module" for information on setting up the POP3 mailbox. There may be individuals in your organization who work with highly confidential information and want to protect it from being distributed by email. Consider leaving this attribute set to No at the global level, and then determine on a group or user level which users are allowed to upload documents to the Document Repository.

Smart Send

Allow Smart Send - allows users to release quarantined messages, or block quarantined messages, without administrator intervention. If you are licensed for Proofpoint Encryption, users can encrypt and then release quarantined messages. See About Smart Send for more information about this feature.

Services Attributes

The attributes on the Groups and Users > Global > Services page apply to the Digest and Web Application.

Digest

The Digest settings display if the master switch for Digest is enabled on the End User Services > Digest Settings page.

Enable - enables the Digest feature on a global, group, or user level.

Digest Format - provides options for delivering and managing the End User Digest. Depending upon which email clients you support, and which configuration parameters you enable, you can allow users to manage their Digests either using email or a web browser. Digests are always initially delivered to end users by email. By default, HTML Only + HTTP commands is selected on the global level to allow end users to manage their Digests from a web browser.

Important: To allow users to use a web browser for management tasks, enable the following parameters:
Enable HTTP Commands - see Web-based Command Processor in "End User Services."
Enable User Commands and Display Web Based List Management Link - see Enabling and Providing Commands to the End Users in "End User Services."

With the exception of Text Only, the following choices for the Digest Format also offer a "Simple" HTML format for End User Digests. These Simple formats were created for email clients that do not support more advanced HTML, for example, Eudora on Apple Macintosh systems.

Note: Only the HTML Only + HTTP Commands option supports displaying a custom logo in the Digest.

Digest Format option | End User Digest delivery method | End User Digest commands | End User Digest account management | Sample use cases
Text Only | by email | by email | not applicable | Force text format for easy display on mobile devices.
HTML/Text | by email | by email, with web browser option | by email, with web browser option | Users typically have a desktop client installed.
HTML Only | by email | by email, with web browser option | by email, with web browser option | Users typically have a desktop client installed.
HTML/Text + HTTP commands | by email | by web browser | by web browser | Users typically do not have a desktop client installed.
HTML Only + HTTP commands | by email | by web browser | by web browser | Users typically do not have a desktop client installed.

Send Digest - sends a Digest to the recipients configured on the End User Services > Filters > Users tab. Administrators can grant varying levels of Digest management to the end users. For example, users can request an updated Safe Senders and Blocked Senders List, add safe and blocked senders to their personal lists, select a spam policy, and determine whether they want to receive an empty Digest. By default, Yes is selected on the global level.

Send Empty Digest - sends an empty Digest to the recipients configured on the End User Services > Filters > Users page. Users may want to receive Digests even if they are empty because they can still complete management tasks. For example, users may want to add a name to their Safe Senders or Blocked Senders List or request an updated Summary Digest. By default, No is selected on the global level.

Audit Folder in Digest - includes the messages collected in the Quarantine Audit folder in the End User Digest. This gives users the ability to report false negatives to Proofpoint. Selecting Audit Folder in Digest without selecting Audit Messages has no effect; you have to select both parameters for Audit Folder in Digest to do anything. By default, No is selected on the global level.

Note: Administrators must configure other settings to enable auditing and reporting from End User Digests; see Users Reporting False Negatives and Positives in "End User Services." The Proofpoint Protection Server provides a default Spam Reporting Group, which has the Audit Messages and Audit Folder in Digest attributes set to Yes. You can immediately add users to the Spam Reporting group so they can participate in reporting false negatives. The Audit Messages and Audit Folder in Digest attributes determine whether or not end users participate in the spam auditing and reporting process.

Web Application

The Web Application setting displays if the master switch for the Web Application is enabled on the End User Services > Web Application page.

Enable - enables the Web Application feature on a global, group, or user level. See Web Application in "End User Services" for customizing the Web Application settings.

Language

Language - determines the language used for the Digest and Web Application. You can view the supported languages by expanding the menu.

Branding Template

Branding Template - defines the branding template to use for both the Digest and Web Application. See Managing Branding Templates for more information.

Authentication Attributes

The attributes on the Groups and Users > Global > Authentication page define which authentication source to use, which password policy to apply, and whether or not to allow users to change passwords.

Authentication

Authentication Source - specifies the source to use for user authentication (user name and password). Administrators can force user authentication for access to account management (the Manage My Account link in email-based Digests), for access to the Web Application, and for Secure Reader (Proofpoint Encryption) authentication. The choices on the Authentication Source list are generated on the Groups and Users > Import/Auth Profiles page. The No Authentication Allowed choice means the user will not be allowed to authenticate at all; for example, if an employee leaves your organization you can select this choice to "lock" the employee out of authentication on the Proofpoint Protection Server.

Password Policy - specifies the password policy in effect. See Password Policies for Groups and Users for information on creating password policies.

Change Password Allowed - this attribute is available if users are authenticating with the User Repository. This attribute allows users to change the password that the administrator assigned to them. If enabled, a Change Password link displays in the end user's Manage My Account web interface. By default, Yes is selected on the global level.

The following parameters are found on the Authentication tab of the User Attributes pop-up window when you select a user name on the Groups and Users > Users page.

Password

This is the password associated with each user in the User Repository. It applies to both the Web Application and Proofpoint Encryption.

Password and Confirm Password - if the users were imported into the User Repository, or if you manually add a user, the default password is generated by the Proofpoint Protection Server. To see the default password, go to the Groups and Users > Import/Auth Profiles page and select the PPS group. Click the Advanced tab, and find Default User Password. Users are required to change the default password the first time they log in to the Web Application or register with Proofpoint Encryption. Because every imported or manually added user shares this default password until his or her first login, treat it as a sensitive credential. If a user changes his or her password for the Web Application, the same password applies to Proofpoint Encryption. If a user forgets his or her password, you can create a new one for the user by entering a new password into the Password and Confirm Password fields.

Require a password change on next sign in - the Web Application ignores this setting, because a user logging in to the Web Application for the first time is automatically required to change the password. For Proofpoint Encryption, the setting matters in three cases where users should change their passwords:
- You used an LDAP import to populate the User Repository.
- You reset the password for an existing user.
- You manually added a new user to the User Repository.

The Require a password change on next sign in check box is greyed out (you cannot change it) for users who have not yet reset their passwords for the first time. Once a user has changed his or her password, the check box becomes available for administrators to enable or disable.

Info

This section displays timestamps for Proofpoint Encryption password activity: the last time the user authenticated with Proofpoint Encryption and the last time the user changed his or her password.

POP3 Forwarder Attributes

The attributes on the Groups and Users > Global > POP3 Forwarder page define whether or not users are allowed to forward email for filtering.

Enable Forwarder - allows users (or a mailing list) to forward email from a POP account to the appliance or Proofpoint Protection Server for filtering. Administrators typically create POP forwarding profiles for specific users or mailing lists during an evaluation of the product. See Adding Users and Mailing Lists and Assigning Attributes for instructions on adding a POP3 Forwarder profile. Select No to disable this feature after an evaluation.
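The Password Policy attribute above selects a policy whose Syntax, Expiration, and Login Failures settings are described under Password Policies for Groups and Users below. The following is an added example, not Proofpoint code, that models those settings so their interaction is visible: the guide's default syntax rules (seven to 20 characters, a digit, a special character), the expiration warning window, and the two lockout counters, of which the IP address counter applies only to administrators. The set of special characters, the lockout trigger and time values, the reading that a lockout starts when the failure count reaches the trigger, and the sample IP address and account names are assumptions, not values taken from the product.

```python
# Added example, not Proofpoint code: a model of a Password Policy's Syntax, Expiration and
# Login Failures settings as described under Password Policies for Groups and Users.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional

# Assumption: the accepted special characters. In practice use the set the product lists
# next to the Require Special In Password parameter.
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.?/")


@dataclass
class PasswordPolicy:
    # Syntax tab; the numbers are the guide's default policy (7 to 20 characters, a digit, a special)
    min_length: int = 7
    max_length: int = 20
    require_number: bool = True
    require_special: bool = True
    require_mixed_case: bool = False
    common_words: FrozenSet[str] = frozenset()  # dictionary for Prevent Common Words; empty disables it
    must_not_match_id: bool = True
    # Expiration tab (administrators and Proofpoint Encryption users only)
    expiration_days: Optional[int] = 90         # None disables Password Expiration
    warning_days: int = 14                      # Display Warning Time; must be less than expiration_days
    # Login Failures tab (assumed values)
    ip_lockout_trigger: int = 5
    ip_lockout_minutes: int = 30
    user_lockout_trigger: int = 5
    user_lockout_minutes: int = 30

    def __post_init__(self) -> None:
        if self.expiration_days is not None and self.warning_days >= self.expiration_days:
            raise ValueError("Display Warning Time must be less than the Expiration Time Period")


def syntax_violations(policy: PasswordPolicy, login_id: str, password: str) -> List[str]:
    """Every Syntax rule the candidate password breaks; an empty list means it is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too short")
    if len(password) > policy.max_length:
        problems.append("too long")
    if policy.require_number and not any(c.isdigit() for c in password):
        problems.append("no digit")
    if policy.require_special and not any(c in SPECIALS for c in password):
        problems.append("no special character")
    if policy.require_mixed_case and not (any(c.islower() for c in password)
                                          and any(c.isupper() for c in password)):
        problems.append("no mix of upper and lower case")
    if policy.common_words and password.lower() in policy.common_words:
        problems.append("common word")
    if policy.must_not_match_id and password.lower() == login_id.lower():
        problems.append("matches login ID")
    return problems


def expiration_state(policy: PasswordPolicy, last_changed: datetime, now: datetime) -> str:
    """'ok', 'warn' (inside the Display Warning Time window) or 'expired'."""
    if policy.expiration_days is None:
        return "ok"
    expires = last_changed + timedelta(days=policy.expiration_days)
    if now >= expires:
        return "expired"
    if now >= expires - timedelta(days=policy.warning_days):
        return "warn"
    return "ok"


class LoginGuard:
    """Per-source-IP (administrators only, per the guide) and per-account lockout counters."""

    def __init__(self, policy: PasswordPolicy) -> None:
        self.policy = policy
        self.failures: Dict[str, int] = {}            # "ip:<addr>" or "user:<name>" -> failure count
        self.locked_until: Dict[str, datetime] = {}

    def _fail(self, key: str, trigger: int, minutes: int, now: datetime) -> None:
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= trigger:  # interpretation: lock when the trigger count is reached
            self.locked_until[key] = now + timedelta(minutes=minutes)
            self.failures[key] = 0

    def attempt(self, ip: str, user: str, password_ok: bool, now: datetime, is_admin: bool) -> str:
        """'locked', 'failed' or 'ok'. A locked source or account is refused even with the right password."""
        keys = (["ip:" + ip] if is_admin else []) + ["user:" + user]  # IP lockout applies only to admins
        if any(self.locked_until.get(k, now) > now for k in keys):
            return "locked"
        if password_ok:
            for k in keys:
                self.failures.pop(k, None)
            return "ok"
        if is_admin:
            self._fail("ip:" + ip, self.policy.ip_lockout_trigger, self.policy.ip_lockout_minutes, now)
        self._fail("user:" + user, self.policy.user_lockout_trigger, self.policy.user_lockout_minutes, now)
        return "failed"


def demo() -> Dict[str, object]:
    """Constructed scenario: five bad guesses at the admin account from one address."""
    policy, guard, t0 = PasswordPolicy(), LoginGuard(PasswordPolicy()), datetime(2012, 2, 1, 9, 0)
    failures = [guard.attempt("203.0.113.7", "admin", False, t0, True) for _ in range(5)]
    return {"five_failures": failures,
            "right_password_while_locked": guard.attempt("203.0.113.7", "admin", True, t0, True),
            "other_user_same_ip": guard.attempt("203.0.113.7", "bob", True, t0, False),
            "after_lockout_expires": guard.attempt("203.0.113.7", "admin", True, t0 + timedelta(minutes=31), True),
            "expiration_at_day_80": expiration_state(policy, t0, t0 + timedelta(days=80))}
```

Two points the model makes concrete: a correct password presented during a lockout is still refused (otherwise the lockout would not slow down guessing), and because the IP Address Lockout applies only to administrators, a non-administrator logging in from the same locked address is unaffected. Constructing a policy whose Display Warning Time is not less than its Expiration Time Period raises an error, which is the check the Expiration tab's constraint calls for.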

Global Attributes

Global attribute settings apply to all the users and groups in the User Repository. You can later select different attributes for groups of users and individual users that override the global attributes. To configure global attributes, navigate to the pages under Groups and Users > Global in the navigation pane.

One of the preconfigured attribute selections for groups and users is Default. (Global attributes have no Default selection.) The links next to the attributes take you to the page in the management interface where you can add, delete, or make changes to the attribute.

Selecting Default for group and user attributes has this effect:
When Default is selected for a group attribute, the group acquires the global attribute setting.
When Default is selected for a user attribute, and the user belongs to a group, the user acquires the group attribute setting.
When Default is selected for a user that does not belong to a group, the user acquires the global attribute setting.

See About Attributes for an introduction to attributes.

Related Topics:
Inbound Attributes
Outbound Attributes
Services Attributes
Authentication Attributes
POP3 Forwarder Attributes

Password Policies for Groups and Users

Administrators can create unique password policies and apply them on a global level, group level, or user level. Create password policies on the Groups and Users > Password Policies page, and then apply each policy to a group of users or to individual users. All of the password policies you create appear in a list for the Password Policy attribute. See About Attributes for information about the attributes you can apply on a global, group, or user level.

Password policies are enforced when:
administrators log in to the management interface.
users log in to the Web Application.
users internal and external to your organization register with Secure Reader or log in to decrypt encrypted messages.

The Proofpoint Protection Server includes preconfigured password policies that you can change but cannot delete: for example, an Administrator policy for administrators, an Encryption Users policy for users outside your organization, and an Internal Users policy for the user community inside your organization. You should create a group for the Proofpoint administrators in your organization and select Administrator as the Password Policy attribute for that group.

To add a password policy, click Add on the Groups and Users > Password Policies page. Click Save to save the password policy after you are done.

Note: The default password policy requires at least seven characters, must be no longer than 20 characters, and must include at least one digit and at least one special character (the accepted special characters are listed next to the Require Special In Password parameter).

Password Policies Settings

When you click Add to create a new password policy, or click the name of an existing password policy, you can configure the following settings in the Password Policies pop-up window.

General Settings

Configure the settings on the General tab for name, description, and concurrent login settings. Enter a name and description for the password policy. Make a selection for Enable Concurrent Log In: if you do not want administrators to be logged in at the same time with the same account more than once, click the Off radio button. Concurrent login applies only to administrators logging in to the management interface.

Important: If you enable the concurrent log in feature for administrators, be aware that if two administrators are making changes to the same page at the same time in the management interface, the second administrator to save changes overwrites the first administrator's changes. Several people sharing one administrator account also makes the "who made the change" history in the Quarantine less useful.

Expiration Settings

Configure password expiration settings on the Expiration tab. Password expiration settings apply only to administrators and Proofpoint Encryption users. These settings do not apply to Web Application users. Make the following configuration choices:
Password Expiration - forces a password change after a specified number of days.
Expiration Time Period - the number of days after which the password must be changed.
Password Expiration Warning - warns the user that his or her password is about to expire.
Display Warning Time - the number of days before expiration at which the warning starts to display. The value for the display warning time must be less than the value for the expiration time period.

Syntax Settings

Password syntax policies pertain to restricting password length, forcing passwords to contain special characters or numbers, disallowing dictionary words, and disallowing a password that matches the user name. The syntax policies apply to administrators, Proofpoint Encryption users, and Web Application users. Make the following configuration choices on the Syntax tab:
Minimum Password Length - enforces the minimum number of characters in the password.
Maximum Password Length - enforces the maximum number of characters in the password.
Require Numbers (0-9) In Password - forces the password to include a number.
Require Special In Password - forces the password to include a special character. Any of the characters noted in this parameter are acceptable.
Require Combination of Upper and Lower Case Letters - forces the password to include both uppercase and lowercase letters.
Prevent Common Words As Password - when enabled, the Proofpoint Protection Server compares the password to the words in an American English dictionary packaged with the Linux or UNIX spell command. If the password matches any word in the dictionary, it is not accepted. This parameter is only available for customers who upgraded from a previous release and were using this feature.
Password Must Not Match Administrator ID - does not allow the login user name and password to be the same.

Login Failure Settings

The login failure policies help prevent attackers from repeatedly trying different login accounts and passwords (online password guessing) against the Proofpoint Protection Server. Make the following configuration choices on the Login Failures tab:
Enable IP Address Lockout - disallows repeated login attempts from the same machine. The IP Address Lockout settings apply only to administrators.

IP Address Lockout Trigger After - how many failed login attempts are allowed before the system locks out the source IP address.
IP Address Lockout Time - the duration of the lockout period.
Enable User Lockout - disallows repeated login attempts against the same user account. The User Lockout settings apply to administrators, Secure Reader users, and Web Application users.
User Lockout Trigger - how many failed login attempts are allowed before the system locks out the user account.
User Lockout Time - the duration of the lockout.

Password Reset

The password reset settings apply only to Proofpoint Encryption Secure Reader users. When enabled, the password reset feature either poses a series of questions to allow a user to reset a password, or sends an email notification to the user with a link to reset the password. If you also enabled password expiration, users will be required to reset their passwords according to your expiration policies.

Note: For each Password Policy you create, you can configure the number and type of required password reset questions. You can customize the password reset questions, but note that changes to the reset questions apply to all of your password policies. You can view and change the text for the reset questions by selecting Edit Reset Questions from the Options menu. This takes you to the End User Services > Resources > Per Brand page.

Make the following configuration choices on the Password Reset tab:
Enable Password Reset - enables or disables the password reset feature.
Reset Option - select Reset Questions if you want users to answer password reset questions to change a password. If you select Reset Questions, users will be required to select or create password reset questions when they register. Select Email if you want users to change a password via an email notification. If you select Email, users will not be required to select or create password reset questions when they register. The email notification provides the user with a link to reset the password. If you change the Reset Option from Email to Reset Questions, users will be required to set up password reset answers the next time they log in. This applies only if they have never set up password reset answers before.
Number of Password Reset Questions Available During User Registration Process - determines how many questions to use for the password reset when a user first registers with Proofpoint Encryption Secure Reader.
Number of Password Reset Questions Prompted To User For Password Reset - determines how many questions to use when a user must create a new password because a password has expired.
Question# - for each question that you allow, select either User Selects Pre-defined Password Reset Question or User Creates Password Reset Question. If you select User Selects Pre-defined Password Reset Question, users will be prompted with the predefined reset questions they selected during the registration process. If you select User Creates Password Reset Question, the user will be prompted with a reset question that the user created during the registration process.

About the User Repository

The User Repository is a data source that stores the list of users and groups that you import or add. Populate, manage, and search the User Repository from the Groups and Users > Users page. The User Repository maintains the following information:
User email address.
Delegated user to manage each mailing list, if applicable.
For each user, a user-designated list of senders whose messages are acceptable (the Safe Senders List).

For each user, a user-designated list of senders whose messages are not acceptable (the Blocked Senders List).
Email aliases for the user. If a user has several aliases, he or she receives one Digest instead of a Digest for each alias.
Groups to which the user or users belong.
Attributes for the user.

Before importing users and groups into the Repository, you need to create an import profile where you determine the data source, import options, and group attributes. You can import users and groups from several different data sources. The user import feature also provides command line options for advanced administrators to configure and manage an LDAP import for profiles that use an LDAP server as the data source. The groups you import are defined by the structures or organizational units you have configured in your Directory Service.

Groups provide a method for managing any number of end users to which you want to apply the same attributes, such as spam policies, mail delivery methods, and Digest content. Users can belong to multiple groups. Each group has a precedence that determines which attributes are applied to the user. If a user belongs to multiple groups, the attributes for the group with the highest precedence are applied to the user.

Importing Users into the Repository

You need to populate the User Repository with users before you can configure attributes on a global, group, or user level. There are several ways to populate the Repository:

Import users from a data source.
Add one person or mailing list at a time.
Import a file from a directory location.
Automatically add users when they release a message or request a Summary Digest from their Digest.
Use the command-line interface from a system prompt (only applies to the Proofpoint Protection Server).

The Proofpoint Protection Server can accept data from several data sources. See Creating an Import or Authentication Profile for detailed information.
Creating an Import or Authentication Profile

Use the Groups and Users > Import/Auth Profiles page to create the following types of profiles:

Import - populates the User Repository. For example, imports data from a file to the User Repository.
Authentication - authenticates the users so that they can access and manage Proofpoint accounts (using the Manage My Account link in email-based Digests or the Web Application). Also authenticates users so that they can read secure messages using Secure Reader (Proofpoint Encryption). For example, a profile that uses RADIUS, CAS, or the Universal profile to authenticate users.
Both import and authentication - populates the User Repository and authenticates users. For example, a profile that uses data from an LDAP server.

Profiles allow administrators to control data import and authentication parameters on a per-profile basis. Most large organizations have frequent additions, deletions, or changes to their database of employee email addresses and mailing lists. Create profiles and schedule automatic imports at specific intervals to keep the User Repository on the Proofpoint Protection Server up to date.

User authentication requires these steps:

Create a profile that defines the data source for user authentication on the Groups and Users > Import/Auth Profiles page.
Select a choice for the Authentication attribute on a global, group, or user level. To create groups or users and assign attributes, see Adding Groups and Assigning Attributes and Adding Users and Mailing Lists and Assigning Attributes.

The Proofpoint Protection Server supports the following data sources for authentication:

CAS (Central Authentication System) - this authentication profile is typically used by universities.

Note: If your organization uses CAS for authentication, this method excludes all other methods. You cannot create and use other authentication profiles if you are using CAS for authentication.
OpenSSO - open source access and federation server platform for identity and access management.
Custom Module - custom authentication modules are designed and provided by Proofpoint Professional Services.
RSA SecurID - two-factor authentication profile.
Notes: You must create the sdconf.rec file on the RSA Authentication Manager, and you must know which Config Master IP address to use to connect to the RSA Authentication Manager. The first time an administrator logs in to the Proofpoint Protection Server with RSA credentials, the node secret file is created. This file is necessary for communication between the Proofpoint Protection Server and the RSA Authentication Manager. If you delete the node secret file from either the Proofpoint Protection Server or the RSA Authentication Manager, the two will be out of sync. Therefore, if you delete the node secret file from one, you must also delete it from the other so that it can be re-created.
POP3 server and RADIUS (Remote Authentication Dial In User Service) - these authentication profiles are typically used by ISPs.
User Repository - this authentication profile uses the entries in the User Repository (Groups and Users > Users page) for authentication.
Universal - allows organizations that already have an authentication source in place to use that source. The Proofpoint Protection Server redirects authentication requests to your organization's authentication source. See Universal Authentication below for more information.
No Authentication - this data source does not require authentication. Users can log in to the Web Application or read secure messages without providing authentication credentials. Proofpoint does not recommend this choice because it is not secure.
The Proofpoint Protection Server supports the following data source for populating the User Repository:

File - includes LDIF, CSV, or a URI pointing to a local file, FTP, HTTP, or HTTPS location.

The Proofpoint Protection Server supports the following data source for both populating the User Repository and authenticating users:

LDAP/Microsoft Exchange/Active Directory/Lotus Domino - supported by Microsoft Active Directory, Microsoft Exchange, and Lotus Notes or Domino Server.

To schedule updates to the user data in the User Repository for an existing File or LDAP profile, see Scheduling an Import Profile.

About Fallback Authentication

By enabling Fallback Authentication, several authentication profiles can be queried when a user tries to authenticate. For each profile, the authentication sources are queried in the order that you specify when you create the authentication profile. If an entry for the user does not exist in the first source, the next source is queried. Each profile that has fallback authentication enabled is queried until all of the available authentication sources have been queried. If an entry for the user exists in a given authentication source but authentication fails for another reason (for example, an invalid password), fallback does not take place: the authentication process stops and the user is notified of the authentication failure.

Examples

The authentication fallback order is LDAP, then PPS (the User Repository). An entry for the user exists only in the User Repository. The user tries to authenticate. The LDAP server is queried first and there is no entry for the user. Then the User Repository is queried, where an entry for the user is found. The user's credentials are verified.

The authentication fallback order is LDAP, then PPS. The user tries to authenticate to read a secure message. The user does not exist in either authentication source. The LDAP server is queried first, then the User Repository.
Since the user does not exist in the User Repository either, the user is prompted to register and create an account.

The authentication fallback order is LDAP, then PPS. The user tries to authenticate. The LDAP server is queried first, and an entry for the user exists. The user provided an incorrect password. The user is notified of the login failure, and the User Repository is never queried.
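The three examples above, run as code. This is an added illustration and not Proofpoint's implementation: the two source names, their users and their passwords are constructed for the example, and a salted PBKDF2 table stands in for a directory. It shows the rule that matters for security: a source that has an entry for the user but rejects the password ends the chain, so a later source never gets a chance to accept a different password for the same login.

```python
"""Fallback authentication order as described above (LDAP, then PPS).

Added illustration, not Proofpoint's code: the two sources, their users and
the stored password hashes are constructed for this example.
"""
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a per-user salt; the iteration count is kept low only to make
    # the example fast, a real store would use a far higher value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class AuthSource:
    """One authentication source: it can say whether an entry for a login
    exists and, separately, whether a password is correct for that entry."""

    def __init__(self, name: str, credentials: dict):
        self.name = name
        self._store = {}
        for login, password in credentials.items():
            salt = os.urandom(16)
            self._store[login] = (salt, _hash_password(password, salt))

    def has_entry(self, login: str) -> bool:
        return login in self._store

    def verify(self, login: str, password: str) -> bool:
        salt, expected = self._store[login]
        return hmac.compare_digest(_hash_password(password, salt), expected)


def authenticate(chain, login: str, password: str) -> dict:
    """Walk the fallback chain in the configured order.

    - no entry in a source       -> move on to the next source
    - entry found, password ok   -> success, stop
    - entry found, password bad  -> failure, stop (later sources are NOT tried)
    - no entry anywhere          -> 'not_found' (Secure Reader would prompt
                                    the user to register)
    """
    queried = []
    for source in chain:
        queried.append(source.name)
        if not source.has_entry(login):
            continue
        if source.verify(login, password):
            return {"result": "ok", "source": source.name, "queried": queried}
        return {"result": "bad_password", "source": source.name, "queried": queried}
    return {"result": "not_found", "source": None, "queried": queried}


# Constructed sample data: alice lives in LDAP only, bob in the User Repository only.
LDAP = AuthSource("LDAP", {"alice@example.com": "correct horse"})
PPS = AuthSource("PPS", {"bob@example.com": "battery staple"})
CHAIN = [LDAP, PPS]  # the configured fallback order: LDAP, then PPS


if __name__ == "__main__":
    for login, pw in [("bob@example.com", "battery staple"),
                      ("carol@example.com", "anything"),
                      ("alice@example.com", "wrong")]:
        print(login, authenticate(CHAIN, login, pw))
```

The stop on a rejected password is what makes this order safe to combine with a self-registered User Repository: if alice also had a PPS entry with a different password, a chain that kept going after LDAP rejected her would let the weaker of the two credentials win.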

The next sections describe the configuration settings when you add or edit an import or authentication profile.

General Parameters

The parameters on the General tab of the Add or Edit pop-up window vary depending upon which data source you select for the profile.

If you select Off to disable the profile:
- users cannot authenticate using the profile
- scheduled imports for the profile stop
- an icon indicates the profile is disabled
- you can still select the profile and invoke a manual import.

Select a choice from the Data Source list. Enter a name and description for the profile.

Settings on the General Tab

CAS authentication profile:
Service URL - the URL for the CAS server. For example, https://cas.server.example.com.
Service Path - the path to the validation service. For example, /cas/servicevalidate.
Redirect URL - after validation, the CAS server redirects to the end user Web Application port on the Proofpoint master. For example, https://proofpointmaster.example.com:10020/enduser/login.cgi.
Token Name - the security ID sent back from the CAS server. For example, ticket.
Default Domain Name - enter the most common domain for your organization. The domain is added to the user login so that the user can be found in the User Repository.
Custom Login - if you enable this parameter, you need to provide an alternative path for a login and logout service URL for users to authenticate.
Login URL - for example, https://cas.server.example.com/cas/login?service=https://proofpointmaster.example.com:10020/enduser/login.cgi
Logout URL - for example, https://cas.server.company.com/cas/login?status=
Note: when the user logs out of the Web Application but is not logged out of the CAS server, the status changes to 1. For example, https://cas.server.company.com/cas/login?status=1.
Custom Module authentication profile:
Module, Username, Password

File profile:
URL

LDAP/Microsoft Exchange/Active Directory/Lotus Domino profile:
Under Settings, provide the parameters that are specific to that data source. If you are creating a profile for an LDAP data source, use a fully qualified domain name or IP address in the Host/IP Address field. Click Configure for an LDAP data source to search for the Base DN for the specified Host or IP address and populate the Base DN field.
Note: If there is no Base DN defined, the Map UID to Attribute setting (on the Advanced tab) is set to objectguid if the LDAP server is Active Directory; otherwise it is set to uid. If a Base DN is already defined, Map UID to Attribute keeps the setting you specified.
Under Verify, provide a user name and password to test the data source before saving the import or authentication profile: enter a legitimate user name and password into the fields and click Verify. The user is authenticated by the profile.
Under Verify, click Info to retrieve the LDAP attributes for the user you specify in the Username field. The query uses the Authentication Attribute setting. For example, if you specify uid for the Authentication

Attribute, you need to enter a uid and not an email address to retrieve the information. (Applies only to LDAP data source.)

No Authentication profile:
There are no parameters to set.

OpenSSO profile:
Authentication: Secure Socket Layer (SSL), Host/IP Address, Port, Path, Default Domain Name, Custom Login, Login URL, Logout URL
Validation: Secure Socket Layer (SSL), Host/IP Address, Port, Path, Token Name, Login URL

POP3 profile:
Settings: POP3 Server, Port, Default Domain Name, Secure Socket Layer (SSL), POP3 Authentication Method
Verify: enter a user name and password that you know is valid and click Verify to test the connection to the POP3 server.

User Repository profile:
Enter a user name and password that you know is valid and click Verify to test the connection to the User Repository.

RSA SecurID profile:
RSA sdconf.rec file - enter the path or browse to the sdconf.rec file generated by the RSA Authentication Manager. The Proofpoint Protection Server automatically tests the connection to the RSA Authentication Manager, and an error message is displayed if the connection fails.
Config Master IP address to connect to RSA Authentication Manager - if your Proofpoint Protection Server has several IP addresses, select the one to use for the connection.
Timestamp of sdconf.rec file - displays the timestamp for the sdconf.rec file.

RADIUS profile:
Host, Port, Secret, Timeout

Default Domain Name
Verify: enter a user name and password that you know is valid and click Verify to test the connection to the RADIUS server.

Universal profile:
Login URL - the external authentication URL that corresponds to the external authentication mechanism.
Secret - either enter a secret or let the Proofpoint Protection Server generate one for you. This secret must be persisted externally and accessed by the external authentication mechanism.
Timeout - select the appropriate timeout for communication between the Proofpoint Protection Server and the external authentication server.

Authentication Return Codes

Authentication results appear in the log. The following list describes the return codes for authentication results:

0 Successful authentication.
-1 Internal error.
-2 User does not have a profile in the user repository.
-3 Could not create a profile for the user in the repository.
-4 No email address exists for the user in the data source.
-5 The authentication profile for the user is not valid.
-6 The alias for the user is not enabled.
-7 There is no authentication profile selected for the user.
-9 The user has logged out of the Web Application.
-10 A generic LDAP error prevents authentication for the user.
-11 Failure to connect to the LDAP server for authentication.
-12 The user does not exist on the LDAP server.
49 The user credentials are not valid on the LDAP server.
Internal error (the return code for this entry is not legible in the source).

Advanced Parameters

The parameters on the Advanced tab vary depending upon which data source you select for the profile. The following list describes the advanced parameters for an import or authentication profile:

Options

Fallback Authentication - enables or disables fallback authentication.
Fallback Authentication Profile - select the fallback authentication profile that you want to use from the list of authentication profiles. Each authentication profile in the list is queried in the order in which it appears in the list.
By default, PPS (the User Repository) is selected as the fallback authentication profile.
Force Authentication - if enabled, forces the user to provide a password when he or she clicks the Manage My Account link in his or her Digest. This option is not available for the Universal profile.
Allow to Login Without Password - if enabled, does not require a password from the user. Warning: enabling this parameter compromises secure access to Proofpoint accounts and the Web Application. This option is not available for the Universal profile.

Allow Login with Alias - if enabled, users can authenticate with an alias in addition to the primary authentication method.
Create User After Authentication (POP3, CAS, RADIUS, and LDAP) - if enabled, adds an email address for the user to the User Repository (if one does not already exist) once the user authenticates.
Default Password (User Repository only) - if you enable Force Authentication for the User Repository profile, enter a password for users to use the first time they authenticate. Be sure to communicate the password to your user community. On a newly installed deployment, the field is already populated with a generated password that you can change.
Default Domain Name - if authentication uses a user ID (uid, for example "user") instead of an email address, the Proofpoint Protection Server constructs an entry for the user in the User Repository by combining the uid and the default domain name. (For LDAP, this option is under the Advanced LDAP Options.)

Import Settings

Filter - if applicable, enter the LDAP filter you want to use for the search into the Filter field. If you leave this field blank, the default filter is (mail=*). Consult the LDAP RFCs (RFC 4515 defines the string representation of search filters) if you need filter syntax information.
Insert Mode - inserts entries from the data source into the User Repository:
- Insert all entries. Inserts all the entries from the data source into the User Repository, whether they are new or already exist.
- Insert new entries only.
- Insert existing entries only.
Add to Group with Profile Name - if enabled, adds a group to the Groups and Users > Groups page if the group does not already exist. The name of the group is the same as the name of the import or authentication profile, and the users imported are added to the group. This setting is the equivalent of the -importgroupid <name> command option.
Remove User Profiles Not Imported - if enabled, removes the entries in the User Repository that do not exist in the data source during an import.
Allow Mailing Lists without Owner - allows mailing lists without owners to be imported.
Map UID to Attribute - allows you to select the LDAP attribute to be used to populate the internal uid field. You can enter an attribute into the text field or select one from the drop-down list. This setting is the equivalent of the -attrnamemap uid=<value> command option.
Replace Mode - replaces the existing entries in the User Repository with the entries from the data source:
- Replace all aliases for existing users. Replaces only the aliases.
- Replace full user record. Replaces the user entry in the User Repository with the full record from the data source. Any existing personal Safe Senders or Blocked Senders Lists that belong to users in the User Repository are lost.
- Add new aliases to existing aliases. Adds new aliases from the data source to existing aliases in the User Repository.
Update Mode - updates the entries in the User Repository. In update mode, user data means first name and last name:
- Update all user data. Updates the existing first name and last name in the User Repository, as well as aliases, with the entries in the data source.
- Do not update any user data. Does not update the first name and last name for the entries.
Object Type - the Proofpoint Protection Server automatically detects whether an entry is a user email address or a mailing list based upon the object type in the data source:
- Auto based on objectclass. The Proofpoint Protection Server automatically populates the User Repository with entries for users and mailing lists, categorizing these by the object type.
- User. Inserts the entries from the data source into the User Repository as user email addresses.
- List. Inserts the entries from the data source into the User Repository as mailing lists.
Group Attribute - enter the attribute you want to use for sorting or grouping entries. For example, for LDAP, if you enter ou, which typically represents an organizational unit, each user is sorted into the group defined by the ou attribute. Or, if you use Active Directory, you would enter memberof to sort users by the groups they are members of. After import, the groups appear in the Group List.
Command Options - enter options, separated by spaces, for the useradm command to further fine-tune or extend data import capabilities. See Command Options for a complete list of options.
By Default Require a Password Change on First Sign In (User Repository only) - if enabled, forces users to change their passwords the first time they are authenticated by the User Repository.

Advanced LDAP Options

If the data source is an LDAP server, you can click Advanced LDAP Options on the General tab to configure the following additional parameters:

Enter the Base DN for the LDAP Server search in the Base DN field. For example, dc=company,dc=com.
Enter the Bind DN into the Bind DN field. If you leave this field blank, the login is anonymous.
Enter the password used to connect to the LDAP Server into the Password field. If you leave this field blank, the login is anonymous.
Enter the port number used for communication between the Proofpoint Protection Server and the LDAP Server into the Port field.
Select an authentication attribute from the Authentication Attribute list, or enter an attribute into the field. The Proofpoint Protection Server populates the User Repository with this attribute from the LDAP server for authentication.
If applicable, enable Secure Socket Layer and select an SSL version from the Version list.
If applicable, select a choice from the Simple Authentication and Security Layer list.
Enter a domain into the Default Domain Name field. If authentication uses a user ID (uid, for example "user") instead of an email address, the Proofpoint Protection Server constructs an entry for the user in the User Repository by combining the uid and the default domain name.
Universal Authentication

Organizations that already have an authentication source in place and would like to use that source for authentication may do so by creating a Universal profile. For example, when a user opens a secure message, the user is redirected to an external login page for authentication. The authentication results are returned to the Proofpoint Protection Server and the Secure Reader session can proceed.

Overview

The implementation of a Universal profile is a multi-step process.

A Proofpoint Professional Services engineer works with your organization to create a web page that is protected by your organization's identity management solution.
Use the Proofpoint management interface to create the Universal authentication profile on the Groups and Users > Import/Auth Profiles > Add pop-up window. See the steps below to create the Universal profile. You will need the URL for the web page that is protected by your organization's identity management solution.
The Secret is part of the token that validates the authentication redirect. The Secret is a required component of the web page. If you change the Secret using the Proofpoint management interface, you will need to update the web page accordingly.
Select the Universal profile as the Authentication Source on a global level or for specific groups in your organization.

To create a Universal authentication profile:

1. Click Add on the Groups and Users > Import/Auth Profiles page.
2. On the General tab, click On to enable the profile.
3. Select Universal from the Data Source list.

4. Enter a name and description for the profile.
5. In the Login URL field, enter the HTTP address for the web page that is protected by your organization's identity management solution.
6. The Secret field displays a generated secret. You can change the content of this field by entering a different value, or click Generate to generate a new value. You will need to include this value in the web page.
7. The Timeout value represents the duration allowed for the communication between the Proofpoint Protection Server and the web page. You can select a different value from the list.
Important: If the clocks on your web server and the Proofpoint Protection Server are not synchronized, users may not be able to authenticate. If the authentication source is unavailable, a "page not found" message will appear to the user.
8. Click Add Entry when you are done.

Immediately Updating the User Repository

You can immediately update the User Repository with data for a selected import profile (data source) by selecting the check box for the import profile and clicking Import.

Option to Customize the LDAP Query Filter for Authentication

This section contains an example to illustrate how to customize the query filter for LDAP authentication.

Example: your LDAP server contains Primary User Records, and also Personal Address Book (PAB) records. User "Joe" has a primary user record like this:

dn: cn=joe, dc=example, dc=com
objectclass: inetorgperson
cn: Joe
uid: aef123==
mail:
userpassword::

Another user has a Personal Address Book record that also includes Joe's address, like this:

dn: cn=wally, dc=example, dc=com
objectclass: personaladdressbook
mail:
mail:
mail:
mail:

If you set up the Proofpoint Web Application to authenticate against this LDAP server based on the user email address (the "mail" attribute), then when Joe tries to log in, authentication uses an LDAP query filter of the form (mail=<Joe's address>). That query filter returns two records: Joe's primary user record and Wally's PAB record.
If the PAB record is returned first in the list, Joe fails to authenticate, even with the correct password, because the authentication credentials are checked against the wrong LDAP record. To fix this, you can restrict the LDAP authentication queries by adding a new entry to the filter.cfg file to specify an additional LDAP filter. Using the example, add the following entry to the filter.cfg file to ensure only the primary user record is returned:

com.proofpoint.auth.ldap.extrafilter=objectclass=inetorgperson

This entry ANDs the extra filter with the authentication filter, so the query sent during the authentication process has the form (&(mail=<Joe's address>)(objectclass=inetorgperson)). Joe can now authenticate successfully.
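The query from this example, built and run against an in-memory copy of the two records. This is an added example and not Proofpoint's code: Joe's and Wally's addresses are made up (the page leaves them out), and the evaluator is a small one that handles only equality, presence (attr=*), & and |. It also escapes the login value per RFC 4515 before placing it in the filter, which is the check a practitioner wants wherever a user-typed login becomes part of an LDAP filter; the page does not say how the product itself handles that.

```python
"""LDAP authentication filter with and without the extrafilter entry.

Added example, not Proofpoint's implementation: the two records below stand
in for Joe's primary record and Wally's PAB record (their addresses are
made up), and the filter evaluator is a deliberately small one that handles
only equality, presence (attr=*), & and |.
"""
import re

# Constructed directory contents; attribute names and values are matched
# case-insensitively, as directories normally do for these attributes.
RECORDS = [
    {"dn": "cn=joe,dc=example,dc=com",
     "objectclass": ["inetorgperson"], "cn": ["Joe"],
     "uid": ["aef123=="], "mail": ["joe@example.com"]},
    {"dn": "cn=wally,dc=example,dc=com",
     "objectclass": ["personaladdressbook"],
     "mail": ["wally@example.com", "joe@example.com", "sales@example.com"]},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value, so a login typed as
    '*)(objectclass=*' cannot alter the filter's structure (filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def auth_filter(login: str, auth_attr: str = "mail", extra: str = None) -> str:
    """Filter used to locate the record whose credentials are then checked.
    With an extra filter (the filter.cfg entry) the two are AND-ed together."""
    base = "(%s=%s)" % (auth_attr, escape_filter_value(login))
    return "(&%s(%s))" % (base, extra) if extra else base


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s: str, i: int):
    """Parse one parenthesised filter item starting at s[i]; return (node, next_i)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), i + 1
    end = s.index(")", i)          # an escaped value never contains a raw ')'
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), _unescape(value)), end + 1


def _matches(node, record) -> bool:
    op = node[0]
    if op == "&":
        return all(_matches(c, record) for c in node[1])
    if op == "|":
        return any(_matches(c, record) for c in node[1])
    _, attr, value = node
    values = [v.lower() for v in record.get(attr, [])]
    if value == "*":               # presence filter, e.g. the default (mail=*)
        return bool(values)
    return value.lower() in values


def search(filter_str: str, records=RECORDS) -> list:
    """Return the DNs of the records matching filter_str, in directory order."""
    tree, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [r["dn"] for r in records if _matches(tree, r)]


if __name__ == "__main__":
    print(search(auth_filter("joe@example.com")))                  # both records
    print(search(auth_filter("joe@example.com",
                             extra="objectclass=inetorgperson")))   # Joe only
    print(auth_filter("*)(objectclass=*"))                         # escaped, matches nothing
```

Run the first search and both DNs come back, in directory order, which is exactly the situation where Wally's PAB record can be tried first; add the extra filter and only Joe's entry remains. The escaping matters for the same reason the extra filter does: the record that the password is checked against must be chosen by the directory's data, not by what the client typed.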

Advanced Import Options

You can import data from a file or directly from an LDAP Server. See Import Attributes and Values and Command Options for additional information about importing data from an LDAP Server.

Click Add on the Groups and Users > Import/Auth Profiles page. Click the Advanced tab on the Add Profile pop-up window. The following list describes each import option under Import Settings:

Filter - if applicable, enter the LDAP filter you want to use for the search into the Filter field. If you leave this field blank, the default filter is (mail=*). Consult the LDAP RFCs (RFC 4515 defines the string representation of search filters) if you need filter syntax information.
Insert Mode - inserts entries from the data source into the User Repository:
- Insert all entries. Inserts all the entries whether they are new or already exist.
- Insert new entries only.
- Insert existing entries only.
Add to Group with Profile Name - if enabled, adds a group to the Groups and Users > Groups page if the group does not already exist. The name of the group is the same as the name of the import or authentication profile, and the users imported are added to the group. This setting is the equivalent of the -importgroupid <name> command option.
Remove User Profiles Not Imported - removes the entries in the User Repository that do not exist in the data source during an import.
- Only When User Profiles To Be Deleted Is Less Than - select a value from the list. This number limits how many entries can be deleted during an import because they do not exist in the data source. For more details about this parameter, see Limiting the Number of User Profiles to Delete Upon Import below.
Allow Mailing Lists without Owner - allows mailing lists without owners to be imported.
Map UID to Attribute - allows you to select the LDAP attribute to be used to populate the internal uid field. You can enter an attribute into the text field or select one from the drop-down list.
This setting is the equivalent of the -attrnamemap uid=<value> command option.
Replace Mode - replaces the existing entries in the User Repository with the entries from the data source:
- Replace all aliases for existing users. Replaces only the aliases.
- Replace full user record. Replaces the user entry in the User Repository with the full record from the data source. Any existing personal Safe Senders or Blocked Senders Lists that belong to users in the User Repository are lost.
- Add new aliases to existing aliases. Adds new aliases from the data source to existing aliases in the User Repository.
Update Mode - updates the entries in the User Repository. In update mode, user data means first name and last name:
- Update all user data. Updates the existing first name and last name in the User Repository, as well as aliases, with the entries in the data source.
- Do not update any user data. Does not update the first name and last name for the entries.
Object Type - the Proofpoint Protection Server automatically detects whether an entry is a user email address or a mailing list based upon the object type in the data source:
- Auto based on objectclass. The Proofpoint Protection Server automatically populates the User Repository with entries for users and mailing lists, categorizing these by the object type.
- User. Inserts the entries from the data source into the User Repository as user email addresses.
- List. Inserts the entries from the data source into the User Repository as mailing lists.
Group Attribute - enter the attribute you want to use for sorting or grouping entries. For example, for LDAP, if you enter ou, which typically represents an organizational unit, each user is sorted into the group defined by the ou attribute. Or, if you use Active Directory, you would enter memberof to sort users by the groups they are members of. After import, the groups appear in the Group List.
Command Options - enter options, separated by spaces, for the useradm command to further fine-tune or extend data import capabilities. See Command Options for a complete list of options.
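The removal safeguard described in these options (Remove User Profiles Not Imported together with Only When User Profiles To Be Deleted Is Less Than), modelled alongside the insert modes. This is an added illustration and not Proofpoint's useradm: the 5000-user repository, the three leavers and the import that is cut off after ten entries are constructed, and replace mode, update mode and group handling are not modelled. The truncated import with No Limit empties the repository, the same import with a limit of 100 deletes nothing, and recipient_verified shows why the difference matters once recipient verification is on.

```python
"""Import modes and the 'Remove User Profiles Not Imported' safeguard.

Added illustration, not Proofpoint's useradm: the repository contents and the
truncated-import scenario are constructed, and only insert mode and the removal
limit are modelled (replace/update mode and group handling are left out).
"""


def build_repository(count: int) -> dict:
    """Constructed User Repository: address -> record. Every record carries a
    personal Safe Senders list so we can see that removals destroy it."""
    return {
        "user%04d@example.com" % i: {"first": "User%d" % i,
                                     "safe_senders": {"newsletter@example.org"}}
        for i in range(1, count + 1)
    }


def plan_removals(repository: dict, imported: dict, remove_limit=None):
    """Entries present in the repository but absent from the data source.

    With remove_limit set (the 'Only When User Profiles To Be Deleted Is Less
    Than' value), deletion happens only when the number of stale entries is
    below the limit; otherwise nothing is deleted and the reason is reported.
    remove_limit=None corresponds to 'No Limit'.
    """
    stale = set(repository) - set(imported)
    if remove_limit is not None and len(stale) >= remove_limit:
        return set(), "refused: %d profiles to delete, limit is %d" % (len(stale), remove_limit)
    return stale, "ok"


def apply_import(repository: dict, imported: dict, insert_mode: str = "a",
                 remove_old: bool = False, remove_limit=None):
    """Apply one import run and return (new_repository, summary).

    insert_mode follows useradm -insertmode: 'a' all entries, 'n' new entries
    only, 'e' existing entries only. Personal lists of existing users are kept
    (that is what 'Replace full user record' would throw away).
    """
    repo = {addr: dict(rec) for addr, rec in repository.items()}
    summary = {"inserted": 0, "updated": 0, "removed": 0, "removal": "not requested"}
    for addr, rec in imported.items():
        if addr in repo:
            if insert_mode in ("a", "e"):
                repo[addr].update(rec)
                summary["updated"] += 1
        elif insert_mode in ("a", "n"):
            repo[addr] = dict(rec, safe_senders=set())
            summary["inserted"] += 1
    if remove_old:
        stale, reason = plan_removals(repo, imported, remove_limit)
        for addr in stale:
            del repo[addr]
        summary["removed"], summary["removal"] = len(stale), reason
    return repo, summary


def recipient_verified(repository: dict, rcpt: str) -> bool:
    """Recipient verification: mail to an address that is not in the repository
    is rejected, which is why an over-eager removal is a denial of service."""
    return rcpt in repository


# Constructed scenario: 5000 users in the repository; the directory now holds
# 4997 of them (three leavers).
REPOSITORY = build_repository(5000)
FULL_IMPORT = {addr: {"first": rec["first"]}
               for addr, rec in list(REPOSITORY.items())[:4997]}
# The same import, but the LDAP connection dropped after ten entries.
TRUNCATED_IMPORT = dict(list(FULL_IMPORT.items())[:10])


if __name__ == "__main__":
    _, ok = apply_import(REPOSITORY, FULL_IMPORT, remove_old=True, remove_limit=100)
    _, guarded = apply_import(REPOSITORY, TRUNCATED_IMPORT, remove_old=True, remove_limit=100)
    _, unguarded = apply_import(REPOSITORY, TRUNCATED_IMPORT, remove_old=True, remove_limit=None)
    print(ok, guarded, unguarded, sep="\n")
```

The guarded run leaves all 5000 entries and their Safe Senders lists in place until the next scheduled import succeeds; the only cost is that three real leavers stay in the repository a little longer, which is the trade the limit is meant to make.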

189 Chapter 8 - Groups and Users Limiting the Number of User Profiles to Delete Upon Import If the communication between the LDAP Server and the Proofpoint Protection Server fails during an import, thousands of entries in the User Repository could potentially be removed. These entries will be re-imported at the next scheduled import, but in the meantime, if you have recipient verification enabled, the Proofpoint Protection Server could potentially reject thousands of messages intended for legitimate users. The parameter Only When User Profiles To Be Deleted Is Less Than <value> lets you control how many entries to delete during an import if the entries do not already exist in the User Repository. If you upgrade from a previous release, this value is set to No Limit. The corresponding useradm.sh option is -removelimit <value>. Command Options Use these import and export options for the useradm command for the supported data sources: LDIF, CSV, LDAP, and text. Enter these options, separated by spaces, into the Command Options text box on the Advanced tab of the Add or Edit pop-up window. See Creating an Import or Authentication Profile for more instructions. See Notes for the insertmode, replacemode, and updatemode Options at the end of this topic for more details about these options. Option -allowlocal -alloworphanlists -attrdefault <attribute=value> -attrnamemap <internalattr=externalattr> Parameter is casesensitive No No Description Allow local address. Allows Import of mailing lists for which there is no owner. During an import, assigns default values to user attributes if the import source does not already have the values defined. Map the entry internal attribute name to the external (import source) attribute name. -attrvalue <attribute=value> No Force the attribute to have a specific value. -attrs <attribute1,attribute2> No Additional LDAP attributes to import or export. -base -b <directorybase> No Base DN (Distinguished Name). 
-charset <set> Yes Determines the character set during an import or export. The default is latin-1 if you do not specify a character set. Values for <set>: utf8 latin1 utf-8 latin-1 -clear Deletes all user profiles in the User Repository, or deletes only the user profiles that are members of the group <name> specified by the importgroupid <name> option. For example: -clear - importgroupid <name>. -delete d <file> No Delete the users listed in a file. -domaingroups Create domain groups upon LDAP import. For example, if you import and two new domain groups 159

Proofpoint Administration Guide
Chapter 8 - Groups and Users

are created: example1.com and example2.com.

-domainlevels <value>
    Sets the domain levels when creating domain groups. <value> is 1 or 2; the default is 2. If you set it to 1, only top-level domains are created.

-… [No]
    Specify the filter to use during an export.

-export, -e <file> [Yes]
    Exports the User Repository to a CSV file.

-exportpwd
    Include encrypted user passwords when exporting.

-filter, -f <searchfilter> [No]
    LDAP filter.

-format <format> [Yes]
    Ignores the extension of the imported file and treats the file as one of these formats:
    csv   CSV
    ldif  LDIF
    txt   Text

-groupattr [No]
    During an import, use this attribute to determine the group the user belongs to. The default is memberof. For example, ou as in OrganizationalUnit.

-groupidattr <name> [No]
    If the value of the attribute specified by groupattr is an LDAP DN (DistinguishedName), look up the DN to obtain a short name for the group. The default is cn.

-groupidfilter <group id> [Yes]
    Ignores groups that do not match this list of group IDs or patterns. Separate multiple entries with a comma (no spaces).

-help
    Help on command usage.

-host, -h <hostname> [No]
    Imports the user repository from an LDAP server or Active Directory server.

-import, -i <file> [Yes]
    Imports the user repository from a local LDIF file, HTTP, or FTP file, and checks the file extension so that the imported file matches the existing one.

-importgroupid <name> [Yes]
    Imports the users into the group <name>. Separate multiple group names with commas. Spaces in a group name are allowed, for example, PPS admin. If you also use the -removeold flag, removes users from the group that are not included in the import.

-insertmode, -im <mode> [Yes]
    Inserts entries from the source into an existing user repository, using one of these modes:
    a   Inserts all entries (this is the default).
    n   Inserts only the new entries.
    e   Inserts only existing entries.
    t   Tests the process without actually inserting any entries.

-ldaps
    Use SSL for the connection to the LDAP server.

-ldapversion <version>
    Sets the LDAP protocol version, using one of these versions:
    3   LDAPv3 (this is the default).
    2   LDAPv2.

-list, -l [No]
    Displays the current profiles (email addresses) in the user repository.

-listobjectclass <yourargument>
    By default, Proofpoint uses the objectclass mailgroup for mailing lists, or the objectclass group if you are importing from Exchange or Active Directory. If you use a different objectclass for mailing lists, enter that value as the argument.

-login, -l <username> [Yes]
    The bind DN with which to authenticate to the LDAP or Active Directory server. If this parameter is not specified, the login is anonymous.

-ownermode
    Looks up the owner of a mailing list during an import.

-pass, -p <password> [Yes]
    The password for the bind DN specified to authenticate to the LDAP or Active Directory server. If the password is not provided, the user is prompted for one.

-profid <profileid> [Yes]
    Imports the user repository from the location specified by the profile ID.

-removelimit <value> [Yes]
    Limits the number of entries to remove from the User Repository during an LDAP import. Applies only if you are also using the -remove option. Values are No Limit, 5, 10, 25, 50, 100, 500, 1000, 2500, 5000, and ….

-removeold
    During an import, removes entries in the existing user repository that do not exist in the data source.

-removeolddomaingroup
    Deletes domain groups that have not been imported with the -domaingroups option.

-removeoldgroup
    During an import, removes a user from a group in the existing User Repository if the user has been removed from the group in the data source.

-replacemode, -rm <mode> [Yes]
    Replaces the existing entries in the user repository with the data from the source, using one of these modes:
    r   Replaces all aliases for existing users (this is the default).
    f   Replaces the user entry with the full record from the source; any existing Safe Lists and Blocked Lists in the user repository are lost.
    u   Adds new aliases (from the source) to existing aliases in the user repository.

-sasl <method> [Yes]
    Uses SASL authentication for importing from an LDAP server. You must specify one of these methods: DIGEST-MD5, CRAM-MD5, ANONYMOUS, EXTERNAL, LOGIN, or PLAIN.

-scope <value> [No]
    Limits the search to this scope:
    base  Search only the base object.
    one   Search the entries immediately below the base object.
    sub   Search the whole tree below (and including) the base object. This is the default.

-starttls
    Starts a TLS (Transport Layer Security) session with the LDAP source.

-test
    Tests the import without actually inserting or deleting the entries.

-type <mode> [Yes]
    Imports or exports the entries by type of object, using one of these modes:
    a   Automatically, based on objectclass (this is the default).
    u   User.
    l   List.

-updatemode, -um <mode> [Yes]
    Updates the existing entries in the User Repository with the data from the source, using one of these modes:
    u   Replaces all user data (this is the default).
    n   Does not replace all user data.

-uidprimary
    During an import, use uid as the primary key to locate the user records in the data source.

-verbose, -v
    Verbose mode. Provides feedback information during the process.

Notes for the insertmode, replacemode, and updatemode Options

This section provides more detail about the insertmode, replacemode, and updatemode import options and flags. A user profile consists of the following information:

1. Email aliases.
2. Safe senders and blocked senders lists.
3. Group membership information.
4. All other user attributes, including the owner of the profile.

insertmode flags determine whether or not to process entries based upon whether or not they already exist in the database (User Repository):

a(ll) - process all entries

n(ew) - process only the entries that do not already exist
e(xisting) - process only the entries that already exist

replacemode flags determine how to process entries when they already exist in the database (the numbers refer to the information in the user profile):

f(ull) - replace 1, 2, 3, and 4
r(eplace) - replace 1, replace 2 if it exists in the data source, add 3, apply updatemode for 4
u(pdate) - add 1, add 2 if it exists in the data source, add 3, apply updatemode for 4

updatemode flags determine how to process 4 when the entries already exist in the database:

u(pdate) - apply the changes to 4
n(ot) - do not apply the changes to 4

During an import, the three modes process entries from the data source in the following sequence:

1. insertmode determines whether an entry is processed or not, based upon whether or not it already exists in the database. It does not determine which part of the record to process.
2. If an entry is processed, replacemode determines how to process the various parts of the source record.
3. updatemode is only pertinent when part 4 of the entry is processed.

Import Attributes and Values

The Proofpoint Protection Server uses the following attributes to import data from any of the supported data sources: LDAP, LDIF, CSV, or text. Each entry below lists the data source attribute, its description, and its value.

mail
    Email address.
    Value: text (email address).

givenname
    First name.
    Value: text.

sn
    Last name.
    Value: text.

usertype
    User or mailing list.
    Value: 0 = user, 1 = mailing list.

proxyaddresses, mailalternateaddress, userprincipalname, othermailbox
    Aliases. (Note: when importing from a CSV file, use proxyaddresses for the column heading.)
    Value: text. For CSV, separate each entry with a semi-colon. For LDAP, place each entry on a separate line.

blacklist
    Blocked Senders list.
    Value: text. For CSV, separate each entry with a semi-colon. For LDAP, place each entry on a separate line.

memberof
    Name of the group.
    Value: text. For CSV, separate each entry with a semi-colon. For LDAP, place each entry on a separate line.

objectclass
    Mailing list.
    Value: mailgroup. For CSV, separate each entry with a semi-colon. For LDAP, place each entry on a separate line.

owner
    Owner or delegated owner.
    Value: text (email address). For CSV, separate each entry with a semi-colon. For LDAP, place each entry on a separate line.

whitelist
    Safe Senders List.
    Value: text. For CSV, separate each entry with a semi-colon. For LDAP, place each entry on a separate line.

contenttype
    Digest Format parameters.
    Value:
    -1 = Default setting*
     1 = HTML/Text
     2 = Text Only
     3 = HTML Only
     4 = HTML/Text + HTTP commands
     5 = HTML Only + HTTP commands
     6 = Simple HTML/Text
     7 = Simple HTML
     8 = Simple HTML/Text + HTTP
     9 = Simple HTML + HTTP

emptydigest
    Empty Digest parameters.
    Value:
     0 = Default setting*
     1 = Do Not Send Empty Digest
     2 = Send Empty Digest

IncludeAuditFolder
    Include Audit folder in Digest.
    Value:
    -1 = Default setting*
     1 = Do Not Include Audit Folder
     2 = Include Audit Folder

SendDigest
    Send Digest.
    Value:
    -1 = Default setting*
     0 = Do Not Send Digest
     1 = Send Digest

SpamClassification
    Spam policy.
    Value: text; internal policy name. -1 = Default policy*

MessageAuditing
    Audit messages.
    Value:
    -1 = Default setting*
     0 = Do Not Audit Messages
     1 = Audit Messages

OptIn
    Filter messages.
    Value:
    -1 = Default setting*
     1 = Yes
     0 = No

DigitalAssets
    Enforce the Digital Assets Module rules.
    Value:
    -1 = Default setting*
     0 = Do Not Enforce
     1 = Enforce

DigitalAssetsDocumentCreation
    Allows specific users to populate the Document Repository in the Digital Assets Module.
    Value:
    -1 = Default setting*
     0 = Do Not Allow
     1 = Allow

Locale
    Determines the language for the End User Digest.
    Value:
    -1 = Default setting*
    sc = Chinese (Simplified)
    tc = Chinese (Traditional)
    da = Danish
    nl = Dutch (Nederlands)
    enus = English (U.S.A.)
    fi = Finnish (Suomi)
    fr = French (Français)
    de = German (Deutsch)
    it = Italian (Italiano)
    ja = Japanese
    pl = Polish (Polski)
    ptbr = Portuguese (Brazil)
    ru = Russian
    es = Spanish (Español)
    sv = Swedish (Svenska)

RegulatoryCompliance
    Enforce the Regulatory Compliance Module rules.
    Value:
    -1 = Default setting*
     0 = Do Not Enforce
     1 = Enforce

SafeListUseHeader
    Allows users to add senders to their Safe/Blocked Senders lists based on the sender's header From information instead of the sender's envelope information.
    Value:
    -1 = Default setting*
     0 = Do Not Allow
     1 = Allow

SecurityPolicy
    Secure Message Profile. Defines the options available to users for Proofpoint Encryption.
    Value: -1 = Default; otherwise, the name of the profile.

PasswordOption
    Change Password Allowed. Allows users to change the password they use to log in to the Web Application.
    Value: -1 = Default, 0 = No, 1 = Yes.

AuthSource
    Authentication Source. Specifies the source to use for user authentication, defined by the import or authentication profile.
    Value: -1 = Default; otherwise, the name of the profile.

PasswordPolicy
    Password Policy.
    Value: -1 = Default; otherwise, the name of the profile.

ExternalPasswordPolicy
    External Password Policy.
    Value: -1 = Default; otherwise, the name of the password policy profile.

Template
    Branding Template.
    Value: -1 = Default; otherwise, the name of the Branding Template.

* During an import, attributes are applied on a global, group, or user level. The default setting means "inherit the attribute from the group." If the attribute is not defined by the group, it means "inherit the global attribute."

CSV File Format

When creating a comma-separated value (CSV) text file for import, include a line at the top of the file to indicate the columns for the attributes you want to import. For example:

sn,givenname,mail,proxyaddresses,contenttype,emptydigest,whitelist,blacklist,usertype,owner,memberof

The line above determines the format and order of all the lines that follow in the file. To designate "no value," separate the attributes with a comma. To enter more than one value, separate each value with a semi-colon (;). See Import Attributes and Values for a complete list of the import attributes and values used for importing data from any of the supported data sources.
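The following Python example is added here to illustrate both the CSV file format just described and the insertmode/replacemode/updatemode notes above; it is not Proofpoint's import tool and does not touch a real User Repository. It models the repository as a dictionary keyed by the mail attribute, reads a constructed CSV file whose header line follows the documented convention, rejects values outside the documented sets for usertype, contenttype and emptydigest, and then merges the records into an existing snapshot according to the four profile parts (aliases, lists, groups, everything else). Sample addresses, group names and the existing repository contents are all constructed.

```python
import csv
import io
from copy import deepcopy

# Constructed sample import file (not from the guide). The first line names the
# columns; an empty field means "no value" and a semi-colon separates multiple values.
SAMPLE_CSV = """sn,givenname,mail,proxyaddresses,contenttype,emptydigest,whitelist,blacklist,usertype,owner,memberof
Doe,Jane,jane@example.com,jdoe@example.com;jane.doe@example.com,2,1,partner@example.org,,0,,Engineering
Roe,Rick,rick@example.com,,-1,0,,spam@example.net,0,,Sales;Engineering
,,all-hands@example.com,,,,,,1,jane@example.com,
"""

# The four parts of a user profile named in the notes above.
ALIAS_ATTRS = {"proxyaddresses"}                       # part 1
LIST_ATTRS = {"whitelist", "blacklist"}                # part 2
GROUP_ATTRS = {"memberof"}                             # part 3
MULTI_VALUED = ALIAS_ATTRS | LIST_ATTRS | GROUP_ATTRS  # every other attribute is part 4

# Enumerated values taken from the Import Attributes table; anything else is rejected.
ENUMERATED = {
    "usertype": {"0", "1"},
    "contenttype": {str(v) for v in range(-1, 10)},
    "emptydigest": {"0", "1", "2"},
}


def parse_import_csv(text):
    """Parse an import CSV into {mail: record}. Multi-valued attributes become lists;
    empty fields are dropped so 'no value' stays distinct from an explicit value."""
    records = {}
    for row in csv.DictReader(io.StringIO(text)):
        rec = {}
        for attr, value in row.items():
            if not value:
                continue
            if attr in ENUMERATED and value not in ENUMERATED[attr]:
                raise ValueError(f"{attr}={value!r} is not a documented value")
            rec[attr] = value.split(";") if attr in MULTI_VALUED else value
        if "mail" not in rec:
            raise ValueError("every record needs a mail attribute")
        records[rec["mail"]] = rec
    return records


def _union(existing, new):
    """Append values not already present, keeping the existing order."""
    return existing + [v for v in new if v not in existing]


def apply_import(repo, source, insertmode="a", replacemode="r", updatemode="u"):
    """Merge parsed source records into a repository snapshot using the mode semantics
    from the notes: insertmode picks entries, replacemode handles parts 1-3 of existing
    entries, updatemode decides whether part 4 of existing entries changes."""
    repo = deepcopy(repo)
    if insertmode == "t":            # test run: nothing is inserted
        return repo
    for mail, src in source.items():
        exists = mail in repo
        if (insertmode == "n" and exists) or (insertmode == "e" and not exists):
            continue
        if not exists or replacemode == "f":
            repo[mail] = deepcopy(src)  # new entry, or full replace (existing lists are lost)
            continue
        cur = repo[mail]
        for attr, value in src.items():
            if attr in ALIAS_ATTRS or attr in LIST_ATTRS:
                # r: replace what is there; u: add to what is there
                cur[attr] = list(value) if replacemode == "r" else _union(cur.get(attr, []), value)
            elif attr in GROUP_ATTRS:
                cur[attr] = _union(cur.get(attr, []), value)   # groups are always added
            elif updatemode == "u":
                cur[attr] = value                               # part 4 only when updatemode=u
    return repo


# Constructed existing repository state used when the block is run directly.
EXISTING_REPO = {
    "jane@example.com": {
        "mail": "jane@example.com",
        "proxyaddresses": ["old-alias@example.com"],
        "whitelist": ["friend@example.org"],
        "memberof": ["Staff"],
        "contenttype": "1",
    },
}

if __name__ == "__main__":
    for mail, rec in apply_import(EXISTING_REPO, parse_import_csv(SAMPLE_CSV)).items():
        print(mail, rec)
```

Running the block with the defaults (insertmode a, replacemode r, updatemode u) replaces Jane's aliases and Safe Senders list, adds the Engineering group to her existing Staff membership, and updates her Digest format; switching to replacemode u and updatemode n instead appends the aliases and safe senders and leaves her other attributes untouched, which is the difference the notes describe.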

Scheduling an Import Profile

When you create a new import profile, it does not have a schedule associated with it. You can automatically update data in the User Repository for an existing import profile by scheduling an import. Schedule the import on the Groups and Users > Import/Auth Profiles page.

To create a schedule for an import profile:

1. Click Schedule for the selected profile. (The Schedule button does not appear for import profiles that already have schedules.)
2. In the Schedule Import pop-up window, select the times and days for the automatic import.
3. Click Save Changes.

Deleting and Modifying Import Profiles

Use these instructions to delete or modify existing import profiles on the Groups and Users > Import/Auth Profiles page.

- To delete a profile, select the check box next to it and click Delete.
- To modify a profile, select the entry under Name or Description to display the Edit Profile pop-up window. Make the necessary changes, then click Save Changes.

Automatically Adding a User to the User Repository

Users must have an entry in the User Repository before they can fully manage End User Digests and receive Digests on a scheduled basis. Users who are not in the User Repository still receive Digests if they have messages in the Quarantine, but they can only complete the following management tasks from a Digest:

- Report false negatives.
- Request that a message be released.
- Request that a safe sender be added to their Safe Senders List.

Administrators can configure the Digest so that when users complete a Digest management task, they are automatically added to the User Repository. This method of adding users to the Repository is especially useful if administrators do not have an LDAP server or another means of easily populating the Repository.
See Enabling and Setting Up the End User Digest for instructions about how to configure the Digest to automatically add end users to the Repository.

Note: If you automatically add a user to the User Repository, an End User Digest is sent to the user and to all the aliases for that user. The Proofpoint Protection Server cannot consolidate aliases for a user added to the User Repository with this method.

About Groups

Create and manage groups of users on the Groups and Users > Groups page. You can create User Groups or Domain Groups on the Groups page. The benefit of creating a group is that you can apply the same attributes to the entire group of users. See Adding Groups and Assigning Attributes for information about adding groups. See About Attributes for an introduction to attributes.

Configure global attributes on the pages under Groups and Users > Global in the navigation pane. When you create a group, the group either inherits the global attributes or you can customize the attributes for the group. Group attributes override the global attributes. See the following topics for more information about the parameters on each of the group attribute tabs:

- Inbound Attributes
- Outbound Attributes
- Services Attributes

- Authentication Attributes
- POP3 Forwarder Attributes

User Group - any individual can belong to a user group. Users and their corresponding email addresses are added manually or by using an import profile. For example, you can apply the same firewall rules, spam policies, or outbound disclaimers to the users belonging to a User Group.

Domain Group - similar to a User Group, a Domain Group allows administrators to manage email for the user community in one or more domains. A Domain Group is useful for the administration of policies in a multitenant environment such as Managed Service Providers, Internet Service Providers, and the Proofpoint on Demand platform. For example, if your organization manages email for unique domains and subdomains, you can create groups for each domain and create unique firewall rules, spam policies, or outbound disclaimers for the users belonging to a domain.

User Groups and Domain Groups have unique icons to identify them (User Group, Domain Group). See Group List Indicators for a description of the icons displayed on the Groups page.

Managing groups entails adding, removing, and modifying groups. You can also set spam policies for a group and immediately generate and send Safe Senders and Blocked Senders Lists or Digests to selected groups.

When you create a Policy Route, you can use the groups on the Groups and Users > Groups page for the condition of the Policy Route. See About Policy Routes in "Proofpoint Protection Servers" for more information about groups and Policy Routes.

Note: If your deployment consists of more than 1000 groups, some of the management interface elements behave differently on the Groups and Users > Users page. See Adding Users and Mailing Lists and Assigning Attributes for details.

You can complete the following tasks from the Groups page:

- Add user or domain groups and assign attributes.
- Delete groups.
- Make changes to a group.
- Immediately generate and send Safe Senders and Blocked Senders Lists.
- Immediately generate and send an updated Digest.
- Set policy precedence for attributes.

Group List Indicators

The following indicators provide information about each entry in the Groups list:

- Selection box
- Digest icon: Group inherits the Global default setting
- Empty Digest icon: Group inherits the Global default setting; Group receives empty Digest
- Type of group icon, one of:

  - User Group
  - Domain Group

Adding Groups and Assigning Attributes

When you create a group of users, you can manage and assign attributes to all of the members in the group at once. See About Groups for an introduction to the Groups feature, including a description of the difference between User Groups and Domain Groups.

The attributes you assign to a group override the Global attributes. See About Attributes for an introduction to attributes. See the following topics for information about the parameters on each of the tabs for group attributes:

- Inbound Attributes
- Outbound Attributes
- Services Attributes
- Authentication Attributes
- POP3 Forwarder Attributes

When you populate the User Repository using an import profile, the group attributes for user records are automatically added to the Groups list. For example, if you create an import profile that uses an LDAP server as the source, and the user records include the attribute "memberof," the group name for memberof is automatically added to the Groups list. You can also create groups manually on the Groups and Users > Groups page.

The Proofpoint Protection Server provides a preconfigured Spam Reporting group with attributes set to allow its members to report false negatives (messages incorrectly identified as not spam). If a user belongs to this group, the messages that are delivered to the user's inbox are also saved in the Audit folder in the Quarantine. (Administrators must configure other settings to enable auditing and reporting from end user Digests; see Users Reporting False Negatives and Positives in "End User Services" for information.)

Note: The groups you create can also be added to Policy Routes. See About Policy Routes in "Proofpoint Protection Server" for more information.

Once you create a group, go to the Groups and Users > Users page to add users to the group. See Adding Users and Mailing Lists and Assigning Attributes for instructions on adding users to groups.
The users belonging to a Domain Group are automatically displayed for you. The Proofpoint Protection Server finds the users in the User Repository that belong to the domain specified by the Domain Group and populates the User List with those entries.

Adding a User Group

To add a user group and set attributes:

1. Click Add User Group.
2. On the Group tab of the Add Group pop-up window, enter the following information:
   - Enter a name and description for the group.
   - Policy Precedence - this is the precedence or order of the policy associated with the group. The higher the number you enter, the higher the precedence for the group. For example, suppose a user belongs to two groups: the Engineering_SF group with a precedence of 50 and the TechSupport_SF group with a precedence of 80. The TechSupport_SF group policy and attributes take precedence and are applied to that user. (The precedence must be a value from 0 up to the maximum the page accepts.) See Setting Policy Precedence for Attributes for an explanation of how attributes are inherited on a global, group, or user level.
3. Make selections for inbound mail on the Inbound tab. See Inbound Attributes for more information.
4. Make selections for outbound mail on the Outbound tab. See Outbound Attributes for more information.
5. Make selections for Digest and Web Application attributes on the Services tab. See Services Attributes for more information.
6. Make selections for authentication on the Authentication tab. See Authentication Attributes for more information.

7. Make a selection for forwarding from a POP account on the POP3 Forwarder tab. See POP3 Forwarder Attributes for more information.
8. Click Add Entry.

Adding a Domain Group

If you have deployed an appliance, the domains listed on the Appliance > Inbound Mail page and the domains listed on the Appliance > Outbound Mail > Mail Routes page are automatically included in a list of available domains when you create a Domain Group. You can select domains from this list to be included in the Domain Group. To automatically add a Domain Group each time you add an entry to the Appliance > Inbound Mail page, see Enabling Automatic Domain Groups, User Repository, and POP Forwarder.

Important: The list of available domains is populated with the domains from the master Proofpoint Protection Server. Hosts or domains listed in the Inbound Mail page on agent systems in the cluster are not included in this list.

If you created Domain Groups when you added domains to the Appliance > Inbound Mail page or the Appliance > Outbound Mail > Mail Routes page, those domains display on the Groups and Users > Groups page with an underscore in the name, like this: example1_com, example2_org, and so forth. You must select each Domain Group in the Group List to finish configuring the settings for the group, such as entering a description, selecting a policy precedence, and selecting attributes.

If you have not deployed an appliance, and have instead deployed the Proofpoint Protection Server software on a Linux system, you need to manually add the domains to the list of available domains, separating each domain with a comma or a new line.

Note: When you remove a domain from the Inbound Mail page or the Outbound Mail > Mail Routes page, it is also removed from the list of available domains.

To add a Domain Group and set attributes:

1. Click Add Domain Group.
2. On the Group tab of the Add Group pop-up window, enter a name and description for the domain group.
3. Domain Name - select an operator from the drop-down list.
   Appliance: To choose domains from the pre-populated Inbound/Outbound Domains list, click the Select Domains From List radio button. Move the domains from this list to the Selected Domains list. This list only includes the hosts or domains on the master Proofpoint Protection Server; it does not include hosts or domains on the agents in a cluster. If you select Regular Expression Match or Does Not Match Regular Expression, the Add Other Domains radio button is automatically selected and you must enter the regular expression into the Input Domains text box. See Using Regular Expressions in "Rules and Delivery Dispositions" for information about constraints with regular expressions. To manually enter domains in the Inbound/Outbound Domains list, select the Add Other Domains radio button and enter the domains into the text box, separating each domain with a comma or a new line. Select the domain or domains you want to add to the Domain Group by moving them to the Selected Domains list. Entries that you manually add to the list do not persist; that is, each time you select Add Other Domains, the list is empty until you populate it for the Domain Group that you wish to add.
   Proofpoint Protection Server software installation: Enter the domains into the Input Domains text box. Separate domains with a comma or a new line. Move the domains that you want to include in the Domain Group to the Selected Domains list.
   Note: Use the Domain Filter search feature to find the domain or domains you wish to add. Enter the first few letters of the domain you are searching for into the text box and then click Search. You can enter hostnames or domains into the Domain Filter field, and you can enter partial strings.
   For example, if you enter "example" into the Domain Filter field, the search returns "example1.com," "example2.com," "example3.com," and so forth. Click Reset to clear the search results and display the entire list of inbound mail routes. The Domain Filter field accepts regular expressions. See Using Regular Expressions in "Rules and Delivery Dispositions" for information about constraints with regular expressions.

4. Policy Precedence - the precedence or order of the policy associated with the group. The higher the number you enter, the higher the precedence for the group. (The precedence must be a value from 0 up to the maximum the page accepts.) See Setting Policy Precedence for Attributes for an explanation of how attributes are inherited on a global, group, or user level.
5. Make selections for inbound mail on the Inbound tab. See Inbound Attributes for more information.
6. Make selections for outbound mail on the Outbound tab. See Outbound Attributes for more information.
7. Make selections for Digest and Web Application attributes on the Services tab. See Services Attributes for more information.
8. Make selections for authentication on the Authentication tab. See Authentication Attributes for more information.
9. Make a selection for forwarding from a POP account on the POP3 Forwarder tab. See POP3 Forwarder Attributes for more information.
10. Click Add Entry.

Managing and Deleting Groups

Use these instructions to modify existing group attributes, delete groups from the User Repository, view members of a group, and set attributes for multiple groups at the same time on the Groups and Users > Groups page.

Viewing Members of a Group

To view the members of a group, click the View Members link. This link takes you to the Groups and Users > Users page and displays only the members of the group. When you click View Members for a Domain Group, the page is populated with the users whose email addresses contain the domain that you specified for that group.

Deleting Groups

You can delete several groups at a time from the Groups list. Select the check box for each group you want to delete, click Delete, and confirm the deletion.

Making Changes to a Group

To make changes to a group entry on the Groups list, click the entry in any of the table cells to display the Group Attributes pop-up window.
Make changes to the configurations or attributes for that group, then click Save Changes.

Generating Lists and Digests for Groups Immediately

To send a Digest to a group of users, or send an updated Safe Senders or Blocked Senders list to a group of users:

1. Navigate to the Groups and Users > Groups page.
2. Select the groups by clicking the check box for each group.
3. Select Generate Digest or Generate Safe/Blocked Sender List from the Generate menu.

Note: The Digest must be enabled to generate a digest immediately for a group. (See Enabling and Setting Up the End User Digest for instructions.)

Setting Policy Precedence for Attributes

Each attribute can be applied on a global, group, or user level. For a complete list and description of the attributes, see About Attributes. When an attribute is configured as Default for a user, the user inherits the setting for that attribute from the group attribute setting. If the user does not belong to a group, he or she inherits the setting for that attribute from the global setting.

When an attribute is configured as Default for a group, that group of users inherits the attribute setting from the global setting. User attribute settings override group attribute settings, and group attribute settings override the global attribute settings.

When a user belongs to more than one group, and the attribute settings differ for each group, the Proofpoint Protection Server uses a policy precedence to determine which attribute settings to apply to the user. The attribute settings for the group with the higher policy precedence override the attribute settings for the group with the lower policy precedence. When you add a user and assign the user to two groups with different attribute settings, the user inherits the attribute settings from the group with the higher policy precedence. This precedence is applied to each attribute setting individually.

If a user belongs to both a Domain Group and a User Group, and an attribute has one value for the Domain Group and a different value for the User Group, the attribute for the User Group takes precedence.

When you first create a group, you select the attributes for the group and assign a policy precedence to the group. You can change the precedence for the group if you want to increase or decrease its precedence.

To change the policy precedence for a group:

1. Navigate to the Groups and Users > Groups page.
2. Select the group or groups for which you want to change the policy precedence.
3. Click Policy Precedence.
4. Select the group in the Policy Precedence pop-up window and use the up and down arrow buttons to move it up or down in the list to raise or lower its precedence or priority.
5. Click Save Changes.
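The following Python example is added here to show how the inheritance rules in this section resolve an attribute for one user; it is not Proofpoint code and does not reproduce how the Proofpoint Protection Server stores its configuration. It models Domain Group membership with the operators offered by the Add Domain Group dialog (a domain list, a regular expression match, or a regular expression that must not match), then resolves each attribute independently in the order user value, User Groups by precedence, Domain Groups by precedence, global value, using the import-table convention that -1 means Default (inherit). The group names, policy names, precedence numbers and addresses are constructed.

```python
import re

# Constructed sample configuration (not from the guide). "-1" means Default, that is,
# inherit the attribute from the next level up, as in the Import Attributes table.
DEFAULT = "-1"

GLOBAL_ATTRS = {"SpamClassification": "default-policy", "contenttype": "1", "OptIn": "1"}

# Domain Groups select users by the domain part of their email address. The operator
# mirrors the Add Domain Group dialog: a domain list, a regular expression that must
# match, or a regular expression that must not match.
DOMAIN_GROUPS = [
    {"name": "example_com", "precedence": 20, "operator": "list",
     "domains": ["example.com", "mail.example.com"],
     "attrs": {"contenttype": "3", "OptIn": DEFAULT}},
    {"name": "partners", "precedence": 10, "operator": "regex",
     "pattern": r"\.partner\.example$",
     "attrs": {"SpamClassification": "partner-policy"}},
    {"name": "non_example", "precedence": 5, "operator": "not_regex",
     "pattern": r"(^|\.)example\.com$",
     "attrs": {"OptIn": "0"}},
]

# User Groups hold explicit members (the memberof attribute in the User Repository).
USER_GROUPS = {
    "Engineering_SF": {"precedence": 50,
                       "attrs": {"SpamClassification": "eng-policy", "contenttype": DEFAULT}},
    "TechSupport_SF": {"precedence": 80,
                       "attrs": {"SpamClassification": "support-policy", "OptIn": "0"}},
}


def domain_groups_for(address, domain_groups=DOMAIN_GROUPS):
    """Return the Domain Groups whose domain rule matches the address."""
    domain = address.rsplit("@", 1)[-1].lower()
    matched = []
    for group in domain_groups:
        op = group["operator"]
        if op == "list":
            hit = domain in {d.lower() for d in group["domains"]}
        elif op == "regex":
            hit = re.search(group["pattern"], domain) is not None
        elif op == "not_regex":
            hit = re.search(group["pattern"], domain) is None
        else:
            raise ValueError(f"unknown operator {op!r}")
        if hit:
            matched.append(group)
    return matched


def _first_non_default(groups, attr):
    """Walk groups from highest to lowest precedence; return the first explicit value."""
    for group in sorted(groups, key=lambda g: g["precedence"], reverse=True):
        value = group["attrs"].get(attr, DEFAULT)
        if value != DEFAULT:
            return value
    return None


def effective_attribute(user, attr, user_groups=USER_GROUPS,
                        domain_groups=DOMAIN_GROUPS, global_attrs=GLOBAL_ATTRS):
    """Resolve one attribute: user > User Groups (by precedence) > Domain Groups
    (by precedence) > global. A User Group beats a Domain Group regardless of number."""
    value = user.get("attrs", {}).get(attr, DEFAULT)
    if value != DEFAULT:
        return value
    members = [user_groups[name] for name in user.get("memberof", []) if name in user_groups]
    value = _first_non_default(members, attr)
    if value is not None:
        return value
    value = _first_non_default(domain_groups_for(user["mail"], domain_groups), attr)
    if value is not None:
        return value
    return global_attrs[attr]


def effective_profile(user, attrs=("SpamClassification", "contenttype", "OptIn")):
    """Resolve every attribute independently; precedence applies per attribute, not per group."""
    return {attr: effective_attribute(user, attr) for attr in attrs}


if __name__ == "__main__":
    jane = {"mail": "jane@example.com",
            "memberof": ["Engineering_SF", "TechSupport_SF"],
            "attrs": {"contenttype": DEFAULT}}
    print(effective_profile(jane))
```

For the constructed user above, the spam policy comes from TechSupport_SF (precedence 80 beats 50), the Digest format falls through both User Groups (neither sets it, or it is Default) to the example_com Domain Group, and OptIn again comes from TechSupport_SF; each attribute is resolved on its own, which is the per-attribute rule this section states.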


About Users

Use the Groups and Users > Users page to manage the users and mailing lists in the User Repository. Managing users entails adding individual users and mailing lists, searching for users, and adding and removing users from groups. Administrators can also import users from a local file, export users to a CSV file, and immediately generate and send Safe Senders and Blocked Sender Lists or Digests to selected users. See Adding Users and Mailing Lists and Assigning Attributes for information about adding users to the User Repository.

Note: If your deployment consists of more than 1000 groups, some of the management interface elements behave differently on the Groups and Users > Users page.

The search form provides the search and sort functions; the User List displays the data in the User Repository and provides functionality for managing the users. You can complete the following tasks from the Groups and Users > Users page:

- Add individual users and mailing lists.
- Delete users and mailing lists.
- Make changes to a single user or mailing list.
- Add and remove users from groups.
- Import and export users immediately.
- Export the user list to a CSV file.
- Automatically add a user to the User Repository.
- Immediately generate and send Safe Senders and Blocked Senders Lists.
- Immediately generate and send an updated Digest.
- Search for users listed in the Users List.

User List Indicators

The following indicators provide information about each entry in the User List on the Groups and Users > Users page:

- You must first select entries on the list before applying an action to them. A check mark in the check box indicates an entry is selected.
- The person icon indicates whether the address is for a single user, if the address is delegated to another user, or if it is a mailing list. The person icon can be in one of three states:
  - One person - an individual.
  - Two people - an individual with a person delegated to manage the email sent to the individual's address.

  - Three people - a mailing list.

Adding Users and Mailing Lists and Assigning Attributes

The attributes you select when you add an individual user or mailing list on the Groups and Users > Users page override global and group attributes. See About Attributes for an introduction to attributes. See the following topics for more information about the parameters on each of the tabs for attributes:

- Inbound Attributes
- Outbound Attributes
- Services Attributes
- Authentication Attributes
- POP3 Forwarder Attributes

To add a user or mailing list and set attributes:

1. Navigate to the Groups and Users > Users page.
2. Click Add User (or Add Mailing List) on the User List form.
3. Provide the following information on the Account tab:
   - Address - the complete email address for the user.
   - Delegate Address - selecting this check box allows another individual to receive and manage the user's Digest. For example, an administrative assistant could manage the Digest for his or her manager. Enter the delegated individual's email address into the field for Delegate Address.
     - If you are adding a user, both the user and the delegated user receive the Digest.
     - If you are adding a mailing list, only the delegated user receives the Digest.
     Note: You can only delegate one user. The delegated user must exist in the User Repository; you cannot delegate a user that is not already included in the User Repository.
   - Enter the first and last name for the user.
   - Aliases - enter the aliases, if any, for the user into the text field, and click the right-arrow (>>) button for each alias to populate the Aliases List.
4. On the Group tab, select the groups to which you want the end user to belong. Click the right-arrow (>>) button to add the group to the Member Of list. The groups created during a user import or created on an individual basis appear in the Available Groups list.
   Note: If your deployment consists of more than 1000 groups, you can scroll through the groups by using the scrolling feature on the Group tab.
5. On the Inbound tab, make selections for inbound mail. See Inbound Attributes for information about the filtering and audit attributes. For the Safe/Blocked List attributes, enter the following information:
   - Safe Senders - enter the complete email addresses of the senders who have permission to send mail to the user. Click the right-arrow (>>) button to add their addresses to the Safe Senders List. If you allow users to add safe senders to their own Safe Senders List, any address they add also appears in the list box.
   - Blocked Senders - enter the complete email addresses of the senders you want to block from sending to the user. Click the right-arrow (>>) button to add an address to the Blocked

207 Chapter 8 - Groups and Users Senders List. If you allow users to add blocked senders to their own Blocked Senders List, any address they add will also appear in the list box. 6. On the Outbound tab, make selections for outbound mail. See Outbound Attributes for more information. 7. On the Services tab, make selections for Digest and Web Application attributes. See Services Attributes for more information. 8. On the Authentication tab, make selections for authentication. See Authentication Attributes for more information about the Authentication attributes. To reset a password for a user, enter a new password into the Password and Confirm Password fields. The Password field always contains a password, either the default password or the one you entered. To force users to change their passwords when they log in to their accounts, click (enable) the check box next to Require a password change on next sign in. The Require a password change on next sign in parameter for a user will override the By Default Require a Password Change on First Sign In parameter for a Groups and Users > Import/Auth Profiles authentication profile. The Authentication tab displays information about when the user last logged in to his or her account and when the user last changed his or her password. The password parameters apply only to authentication against the User Repository. Any other authentication profile ignores the Password and Confirm Password settings for a user. 9. On the POP3 Forwarder tab, make a selection for forwarding from a POP account to the Proofpoint Protection Server for filtering. See POP3 Forwarder Attributes for more information. 10. Click New on the POP3 Forwarder tab if you want to create a POP forwarding profile for the user or mailing list. Administrators typically use this feature when they are evaluating the Proofpoint Protection Server or appliance. 
This feature forwards from a POP account to the Proofpoint Protection Server or appliance for filtering, and then forwards the filtered to the infrastructure for delivery to a new forward address. For example, if you want to forward all messages directed to your personal POP account (for example, or you can create a profile for each of these accounts. Profile Name - enter a name for the profile. Enable - enables or disables the forwarder. Remove Mail From Server - if On is enabled, removes the from the POP server once it is forwarded. If Off is selected, a copy of the forwarded remains on the POP server. Enable SSL - some POP servers require a secure connection for communication. Server - enter the name of the POP server into this field. Port (Optional) - if necessary, enter the port number for communication between the POP server and the Internet. If you do not enter a specific port, a default port is used. Enter the user account login name and password for the POP server. Forward Address - enter a new address into this field that is not the same as the address for the POP account. Filtered will be delivered to the address in this field. Note: To verify that the Proofpoint Protection Server or appliance can contact the POP server, click Verify. Click Save to save the new profile. 11. Click Add Entry to add the user or mailing list to the User Repository. Managing and Deleting Users Use these instructions to delete users from the User Repository, make changes to user attributes or configurations, and add and remove users from groups on the Groups and Users > Users page. Deleting Users or Mailing Lists You can delete several users or mailing lists at a time from the User List. Select the check boxes for the users or mailing lists that you want to delete, click Delete and confirm the deletion. 177

Making Changes to a Single User or Mailing List

To make changes to an entry in the User List, click the entry in any of the table cells to open the User Attributes pop-up window. Make any necessary changes, then click Save Changes.

Adding and Removing Users from Groups

To add existing users to or remove them from one or more groups:

1. On the User List, select the check boxes for the users that you want to add to or remove from a group.

2. Click Groups.

3. In the Groups pop-up window, select a group from the Available Groups list.

4. Use the arrow buttons to move the group name from the Available Groups list to the Member Of list (or back), depending upon whether you want to add the users to the group or remove the users from the group. The groups you create during user import or on an individual basis appear in the Available Groups list. If you select several users, the Groups pop-up window displays three lists: Remove, Available Groups, and Add.

5. Click Save Changes.

Note: If your deployment consists of more than 1000 groups, the Groups choice on the User List is removed. To move a user to a different group, select the user in the User List and use the Group tab to move the user from one group to another.

Generating Lists and Digests for Users Immediately

If you have configured the Proofpoint Protection Server to automatically send Digests to the user community, users have an opportunity to request updated Safe Senders and Blocked Senders Lists each time they receive a Digest. To send a Digest or an updated list to selected users or mailing lists immediately from the Groups and Users > Users page:

1. Select the check boxes for the users or mailing lists to whom you want to send a Digest or a Safe Senders and Blocked Senders List.

2. Select Generate Digest or Generate Safe/Blocked Sender List from the Generate menu.

Note: The Enable Digest parameter must be On for the Generate Digest choice to be active. See Enabling and Setting Up the End User Digest for more information.

Importing and Exporting Users Immediately

You can start an import for an existing import or authentication profile at any time (if you do not want to wait for the scheduled time), or import entries into the User Repository from a local CSV file. For example, you can export several CSV files from different sources, merge them into one file, and import the merged CSV file on the Groups and Users > Users page. If you have not defined import profiles on the Groups and Users > Import/Auth Profiles page, the only choice you have is to import from a local CSV file. The Options menu provides the import choices.

To immediately import from an import profile:

1. Select Import from the Options drop-down menu on the User List form. This step takes you to the Groups and Users > Import/Auth Profiles page.

2. Select a profile that you have already created.

3. Click Import.

To immediately import from a local file:

1. Select Import from File from the Options menu.

2. Enter the full path to the file into the File field, or click Browse to find the file.

3. Make selections for the following settings:

Insert Mode - inserts entries from the data source into the User Repository.
- Insert all entries. Inserts all the entries from the data source into the User Repository, whether they are new or already exist.
- Insert new entries only.
- Insert existing entries only.

Replace Mode - replaces the existing entries in the User Repository with the entries from the data source.
- Replace all aliases for existing users. Replaces only the aliases.
- Replace full user record. Replaces the user entry in the User Repository with the full record from the data source. Any existing personal Safe Senders or Blocked Senders Lists that belong to those users are lost.
- Add new aliases to existing aliases. Adds new aliases from the data source to the existing aliases in the User Repository.

Update Mode - updates the entries in the User Repository. In update mode, "user data" means the first name and last name.
- Update all user data. Updates the existing first name and last name in the User Repository, as well as the aliases, with the entries in the data source.
- Do not update any user data. Does not update the first name and last name for the entries.

Object Type - the Proofpoint Protection Server can automatically detect whether an entry is a user address or a mailing list based upon the object type in the data source.
- Auto based on objectclass. Populates the User Repository with entries for users and mailing lists, categorizing them by object type.
- User. Inserts the entries from the data source into the User Repository as user addresses.
- List. Inserts the entries from the data source into the User Repository as mailing lists.

4. Select the check box for the following parameters if appropriate:

Remove Profiles Not Imported - removes the entries in the User Repository that do not exist in the data source during an import.

Insert All Entries With An Address - inserts all the entries from the data source that have an email address into the User Repository, whether they are new or already exist.

Use UID As Primary Key - the UID is used as the primary key for importing users. (Make sure that the file or source you use for importing users has a UID before making this selection.) By default, user import uses the user's email address as the primary key.

5. Click Import.

Exporting Users Immediately

To immediately export the user list to a CSV file, click Export to CSV from the Options menu. You will be prompted to either open the file or save it.

Searching for Users

The User List on the Groups and Users > Users page can hold thousands of entries. You can navigate to a specific location or use search criteria to find a specific user or users in the User List.

To navigate to a specific location, use the Go to User feature. For example, if the User List contains 1000 entries and you want to jump to the middle of the list, enter 500 into the Go to User field, and then click the Enter button or press the Enter key.

The Users search form provides several choices for search criteria, including user attributes, by which you can search for users or mailing lists in the User Repository. You can use more than one search criterion at a time.

Excluding Groups from the Search Results

You can selectively exclude or include users who belong to certain groups by selecting In Group or Not In Group from the Groups menu and selecting a group name from the drop-down list.

Example: When recipients outside your organization reply to an encrypted message originating from your organization, an entry is created in the User Repository for each such recipient, so that the recipient can register and authenticate with Proofpoint Encryption. The User Repository is thus populated with entries for recipients outside your organization. To make the User List easier to manage, you can exclude these entries from the display: select Not In Group, select Encryption_users from the drop-down list, and then click Search. The User List will exclude the entries for external users.

Note: Users who do not belong to any group are also excluded from the search results when you select Not In Group as the search criterion.

You can also choose how to display the search results in the User List. The search criteria on the Users search form are self-explanatory. The following example illustrates how to search for a user with a specific set of criteria.

To find a specific user by first name, last name, or email address:

1. Navigate to the Groups and Users > Users page.

2. In the Users search form, enter the name of the user into the First Name or Last Name field. These fields are not case-sensitive. Or, enter an email address into the Email Address field.

3. Select a choice from the drop-down list next to the field. These choices apply to the text you entered in Step 2. Starts With and Equals produce faster searches than the other choices.

4. Select First Name, Last Name, or Email Address from the Sort by drop-down list to specify how you want the entries found by the search to display in the User List.

5. Select Descending or Ascending from the Order list to specify how you want the entries ordered in the list.

6. Select a choice from the Display drop-down list for the number of entries to display from the search. If you select Default, the number you entered when you configured the User and Group layout is used. (See Configuring the User and Group Layout for information.)

7. Click Search. The User List displays only the entries that match the search criteria, in the order you specified.

8. If you want to start a different search, click Reset.
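The import-mode choices described under Importing and Exporting Users Immediately above, modelled in Python as an added example (this is not Proofpoint's code). The CSV column names, the `;`-separated alias cell and the objectclass values are assumptions, since this page does not document the export format, and the Use UID As Primary Key option is not modelled. The example merges two constructed exports into one data source, as the guide suggests, and then applies Insert Mode, Replace Mode, Update Mode and Remove Profiles Not Imported to a small constructed repository, including the loss of a user's personal Safe Senders List under Replace full user record:

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample exports. The column layout is an assumption; this page does not
# document the real CSV format. Aliases are assumed to be ';'-separated in one cell.
EXPORT_A = """address,first_name,last_name,aliases,objectclass
Alice@Example.com,Alice,Adams,a.adams@example.com,inetOrgPerson
sales@example.com,,,,groupOfNames
"""
EXPORT_B = """address,first_name,last_name,aliases,objectclass
alice@example.com,Alice,Adams-Brown,alice.ab@example.com,inetOrgPerson
bob@example.com,Bob,Brown,,inetOrgPerson
"""


@dataclass
class UserRecord:
    address: str
    first_name: str = ""
    last_name: str = ""
    aliases: set = field(default_factory=set)
    object_type: str = "user"                        # "user" or "list"
    safe_senders: set = field(default_factory=set)   # personal lists exist only in the repository
    blocked_senders: set = field(default_factory=set)


def parse_export(text):
    """Parse one CSV export into UserRecords keyed by lower-cased address.
    Rows without an address are skipped (only entries with an address are inserted)."""
    records = {}
    for row in csv.DictReader(io.StringIO(text)):
        addr = (row.get("address") or "").strip().lower()
        if not addr:
            continue
        aliases = {a.strip().lower() for a in (row.get("aliases") or "").split(";") if a.strip()}
        oc = (row.get("objectclass") or "").lower()
        # "Auto based on objectclass": group-like classes become mailing lists (assumption).
        otype = "list" if ("group" in oc or "list" in oc) else "user"
        records[addr] = UserRecord(addr, (row.get("first_name") or "").strip(),
                                   (row.get("last_name") or "").strip(), aliases, otype)
    return records


def merge_exports(*texts):
    """Merge several exports into one data source keyed by address.
    Later files win on names; alias sets are unioned so no alias is silently dropped."""
    merged = {}
    for text in texts:
        for addr, rec in parse_export(text).items():
            if addr in merged:
                merged[addr].aliases |= rec.aliases
                merged[addr].first_name = rec.first_name or merged[addr].first_name
                merged[addr].last_name = rec.last_name or merged[addr].last_name
            else:
                merged[addr] = rec
    return merged


def import_users(repo, source, insert="new", replace="add_aliases",
                 update_names=True, remove_not_imported=False):
    """Apply the import choices to `repo` in place and return a report.
    insert: "all" | "new" | "existing" (Insert Mode);
    replace: "full" | "aliases" | "add_aliases" (Replace Mode, for existing entries);
    update_names: Update Mode; remove_not_imported: Remove Profiles Not Imported."""
    report = {"inserted": 0, "updated": 0, "removed": 0, "personal_lists_lost": []}
    for addr, rec in source.items():
        existing = repo.get(addr)
        if existing is None:
            if insert in ("all", "new"):
                repo[addr] = rec
                report["inserted"] += 1
            continue
        if insert not in ("all", "existing"):
            continue
        if replace == "full":
            # The whole repository record is replaced, so the user's personal
            # Safe Senders and Blocked Senders Lists are lost, as the guide warns.
            if existing.safe_senders or existing.blocked_senders:
                report["personal_lists_lost"].append(addr)
            repo[addr] = rec
        else:
            if replace == "aliases":
                existing.aliases = set(rec.aliases)
            else:
                existing.aliases |= rec.aliases
            if update_names:
                existing.first_name, existing.last_name = rec.first_name, rec.last_name
        report["updated"] += 1
    if remove_not_imported:
        for addr in [a for a in repo if a not in source]:
            del repo[addr]
            report["removed"] += 1
    return report


def sample_repo():
    """Constructed repository: Alice already maintains a personal Safe Senders List."""
    alice = UserRecord("alice@example.com", "Alice", "Adams", {"a.adams@example.com"},
                       safe_senders={"newsletter@movies.example"})
    carol = UserRecord("carol@example.com", "Carol", "Cox")
    return {alice.address: alice, carol.address: carol}
```

Running `import_users(sample_repo(), merge_exports(EXPORT_A, EXPORT_B), insert="all", replace="full", remove_not_imported=True)` reports Alice's personal list as lost and Carol removed, while the same call with `replace="add_aliases"` keeps Alice's Safe Senders List and only adds her new alias; that is the difference to check before choosing Replace full user record against a live repository.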

Chapter 9 - End User Services

About End User Services

Use the End User Services pages to set up the user experience for Digests, the Web Application, and Proofpoint Encryption. End User Services include the following administration tasks:
- Setting up Branding Templates for the Digest, Web Application, and Proofpoint Encryption. See Managing Branding Templates.
- Configuring Digest settings - enabling, generating, and setting up how Digests display. See Enabling and Setting Up the End User Digest.
- Setting up the Command Processor for both Web-based and email-based Digests. See Web-based Command Processor and Email-based Command Processor.
- Scheduling automatic Digest distributions. See Scheduling Digest Generation.
- Enabling recipient verification so that only legitimate users receive Digests. See Enabling SMTP Verify.
- Deciding who should be excluded from or included in the Digest distribution, and configuring which messages in the Quarantine should be included in the Digest. See Creating the List of Digest Users.
- Configuring authentication settings. See Authenticating End Users.
- Deciding which commands to include in the Digest and Web Application for user tasks such as releasing messages from the Quarantine and making requests for Safe Senders or Blocked Senders. See Enabling and Providing Commands to End Users.
- Enabling and customizing the Web Application user experience. See Web Application.
- Customizing the text displayed in the Digest, Web Application, and Proofpoint Encryption. See Resources.
- Allowing users to release, block, or encrypt and release messages that are quarantined or in the Incident Queue because they violated security policies. See Smart Send.

About the End User Digest

The Digest provides users with a list of messages that have been sent to the Quarantine because they triggered filtering rules. Digests are sent to users as email messages. Administrators can either use email for all Digest-related requests from users, or allow users to launch a browser to manage their accounts from the Digest. When you enable the Web Application, the Manage My Account link appears in the Digest. Note that when users manage their accounts using a browser launched from the Manage My Account link, they cannot see their quarantined messages unless the administrator specifically allows it.

To use email only for all Digest-related requests, see Email-based Command Processor. To use a browser for all Digest-related requests except releasing messages from the Quarantine, see Web-based Command Processor.

Administrators can also configure the Proofpoint Protection Server to allow authenticated users to access their accounts from a browser at any time without first sending out Digests. Users simply launch a browser, point it to a URL, and authenticate. The browser displays the links for account requests and a view of the messages in the Quarantine for that user. To use a browser for all Digest-related requests, including viewing and releasing messages from the Quarantine, see Web Application.

To configure which commands are available to users from their Digests or the Web Application, see Editing Modules and Selecting User Commands.

The Proofpoint Protection Server provides many features for configuring the level of control over the Digest - for example, whether or not to send Digests to the user community, who receives one, how often, the type of messages to include, and the actions users can take on the messages in the Quarantine. Filtering mechanisms such as modules and folders are available to help administrators decide which messages to include in the Digest. Digest commands give administrators control over the level of end-user self-service. Users can complete the following self-service tasks if the administrator enables them:
- Add or remove safe and blocked senders on their personal lists.
- Suggest safe senders for the Global Safe List.
- Request a Summary Digest.
- Release messages from the Quarantine.
- Report false negatives and false positives to Proofpoint.
- Request empty Digests (web browser only).
- Select a spam policy (web browser only).
- Change their password.
- View their lists of aliases.

If you are licensed for Proofpoint Encryption, you have the option of allowing users to manage their secure messages.

Note: Users with several aliases receive one consolidated End User Digest instead of a separate Digest for each alias in the User Repository.

Benefits of Allowing End Users to Manage Digests

Allowing users to manage their own Digests produces the following benefits:
- Fewer calls to the help desk, since end users can manage their personal Safe Senders and Blocked Senders Lists. The administrator still maintains control: he or she has full visibility into the user lists and maintains the Global Safe and Global Blocked Lists, which override the personal user lists.
- A large reduction in false positives, because end users can determine their own safe and blocked senders. For example, a movie mailing list is valid to one user but not to another. A movie fan can add the sender of the mailing list to his or her Safe Senders List.
- Very easy deployment, because initially the End User Digest and the personal Safe Senders and Blocked Senders Lists are all communicated over email, requiring no additional client software installation.
Types of End User Digests

Administrators can schedule these types of End User Digests:

Update Digest - contains only those messages that have been quarantined since the last Update Digest was sent to the user community. An administrator would typically generate and send the Update Digest on a daily basis. Users probably do not want to see the entire list of their messages in the Quarantine (the Summary Digest) each time they receive a Digest, only the new messages sent to the Quarantine since the last Update Digest.

Summary Digest - lists all messages for an end user in the Quarantine. Typically the Summary Digest is scheduled weekly rather than daily, because users usually only want to see the new messages since the last Digest. Users can also request a Summary Digest on an as-needed basis.

Empty Digest - contains no messages. The Proofpoint Protection Server generates and sends an empty Digest notification so that users continue to receive the Digest whether or not any of their messages have been quarantined since the last Digest (Update or Summary) was delivered. Users may want to receive an empty Digest so they can continue to complete certain operations, for example requesting a Safe Senders or Blocked Senders List.

Digest Configurations

Administrators need to decide which Digest configuration to send to the user community: web-based or email-based. The choice may depend upon your specific organizational requirements, for example the amount of traffic on the POP3 server, the load on the internal Proofpoint Protection Server web server, security considerations, or intranet and Internet connectivity. If your users do not have access to web browsers on their systems, you would implement only email-based Digests. If you are concerned about users accessing the Proofpoint Protection Server internal web server from outside the organization, you may want users to receive only email-based Digests. If you want to keep the load on your POP3 server to a minimum, or if the Proofpoint Protection Server is well protected from unauthorized users, web-based Digests might better serve your user community.

Administrators can choose from these Digest configurations:

Email-based Digest - users receive their Digest by email, and all operations permitted to the end user are completed through email. When a user reports a message or makes a request from the Digest, an email message is sent either to a mailbox set up on a POP3 server or to a mailbox local to the Proofpoint Protection Server. The request is validated by a security token and processed by the Command Processor so that the Proofpoint Protection Server can fulfill it. See Email-based Command Processor for instructions for setting up the email services.

Web-based Digest - users receive their Digest by email, and all operations permitted to the end user except viewing and releasing messages from the Quarantine are completed through a web browser. All requests and reports are routed through the internal web server on the Proofpoint Protection Server. See Web-based Command Processor for instructions on enabling the HTTP commands.

Web Application - a user enters a URL in a browser and is authenticated with a login and password. The browser displays the Digest commands and the messages in the Quarantine for the user. See Web Application for more information.

Note: If you enable the Web Application, the Manage My Account link displays in an email-based Digest and provides access to a web interface launched in a browser. Users can manage their Safe Senders and Blocked Senders Lists and make changes to their profiles using the web interface.

Overview of Safe Senders and Blocked Senders Lists

Administrators can configure the Proofpoint Protection Server to allow users to create and maintain personal Safe Senders and Blocked Senders Lists. The Safe Senders List contains the senders from which a user does want to receive email. The Blocked Senders List contains the senders from which a user does not want to receive email.

Typically, administrators use the Global Safe List and Global Blocked List to control email that should be accepted or rejected from specific senders. Entries in the global lists take precedence over entries in the personal Safe Senders and Blocked Senders Lists. See Adding Entries to the Global Lists for more information.

Although administrators can populate the personal Safe Senders and Blocked Senders Lists for individual users, administrators often leave the task of populating these lists to the users. The Allow User To Manually Add Safe/Blocked Senders command must be enabled on the End User Services > Commands page to allow users to create and maintain their personal Safe Senders and Blocked Senders Lists. See Enabling and Providing Commands to End Users for instructions.

Note: Users cannot add or delete senders from their Safe Senders and Blocked Senders Lists using a text-based End User Digest.

Users who do not have profiles in the User Repository cannot add safe senders to their personal list. In this case, users need to make a request by email to the administrator. The administrator then creates a profile for that user and adds the safe sender to the user's personal Safe Senders List. Once the user has a profile in the User Repository, he or she will be able to add safe and blocked senders. The Safe Senders and Blocked Senders Lists appear in the user's profile.
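The precedence rule just stated, as an added example that is not Proofpoint's code: a resolver that consults the Global Safe and Global Blocked Lists before a recipient's personal lists, and consults personal lists only for recipients who have a profile in the User Repository. Two details are assumptions rather than anything this page states: addresses are compared exactly and case-insensitively, and when a sender appears on both global lists the Global Blocked List wins. The sample lists and From: headers are constructed. The example also shows the check a practitioner wants here: the comparison is made against the parsed address, not the display name, so a display name that merely looks like a safe address cannot produce a safe-list match.

```python
from email.utils import parseaddr

# Constructed sample lists (not real data). Personal lists exist only for users who
# have a profile in the User Repository, so they are keyed by recipient address.
GLOBAL_SAFE = {"alerts@partner.example"}
GLOBAL_BLOCKED = {"spammer@junk.example"}
PERSONAL_LISTS = {
    "bob@example.com": {
        "safe": {"movies@list.example"},
        "blocked": {"alerts@partner.example", "noise@forum.example"},
    },
}


def sender_address(from_header):
    """Return the lower-cased address part of a From: header, ignoring the display name.
    '"alerts@partner.example" <mallory@evil.example>' yields mallory@evil.example."""
    _display_name, addr = parseaddr(from_header)
    return addr.strip().lower()


def resolve(from_header, recipient, global_safe=GLOBAL_SAFE,
            global_blocked=GLOBAL_BLOCKED, personal_lists=PERSONAL_LISTS):
    """Decide 'allow', 'block' or 'none' (no list matched; normal filtering applies)
    and report which list decided. Global lists are consulted first, so they override
    the recipient's personal lists; personal lists are consulted only when the recipient
    has a profile. Checking the global blocked list before the global safe list is an
    assumption; the guide does not say how a conflict between the two is resolved."""
    sender = sender_address(from_header)
    if not sender:
        return ("none", "unparseable From header")
    if sender in global_blocked:
        return ("block", "Global Blocked List")
    if sender in global_safe:
        return ("allow", "Global Safe List")
    lists = personal_lists.get(recipient.strip().lower())
    if lists is None:
        return ("none", "recipient has no profile in the User Repository")
    if sender in lists["blocked"]:
        return ("block", "personal Blocked Senders List")
    if sender in lists["safe"]:
        return ("allow", "personal Safe Senders List")
    return ("none", "no list match; normal filtering applies")
```

With the constructed lists, `resolve("Partner Alerts <alerts@partner.example>", "bob@example.com")` returns an allow decided by the Global Safe List even though Bob has blocked that sender personally, and `resolve('"movies@list.example" <mallory@evil.example>', "bob@example.com")` returns no match, because the safe address appears only in the display name.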
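The security token mentioned under Email-based Digest above is what lets the Command Processor act on a request that arrives by email, a channel whose From: header anyone can forge. Proofpoint does not document its token format here, so the following is an added illustration of the design and not the product's implementation: the Digest embeds a keyed MAC over the user, the command, the message identifier and an expiry, and the Command Processor authorises the request from the verified token alone. The server key, the token layout, the `token:` line in the request body and the command message itself are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
from email import message_from_string

# Assumption: a secret known only to the Protection Server (constructed value).
SERVER_KEY = b"constructed-example-key-0123456789abcdef"


def issue_token(user, command, message_id, issued_at, ttl, key=SERVER_KEY):
    """Bind user, command, message and expiry together under an HMAC-SHA256 tag.
    Anyone can read the token; nobody without the key can alter any field of it."""
    payload = json.dumps({"u": user, "c": command, "m": message_id, "exp": issued_at + ttl},
                         sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(tag).decode())


def validate_token(token, now, key=SERVER_KEY):
    """Return the bound fields if the tag verifies and the token is unexpired, else None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
        fields = json.loads(payload)
        expiry = int(fields["exp"])
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    if now > expiry:
        return None
    return fields


def process_request(raw_message, now, key=SERVER_KEY):
    """Handle one command email. The From: header is never used for authorisation:
    the verified token says which user, command and message the request is for."""
    msg = message_from_string(raw_message)
    token = None
    for line in msg.get_payload().splitlines():
        if line.lower().startswith("token:"):
            token = line.split(":", 1)[1].strip()
    if token is None:
        return ("reject", "no token in request")
    fields = validate_token(token, now, key)
    if fields is None:
        return ("reject", "invalid or expired token")
    return ("accept", {"user": fields["u"], "command": fields["c"], "message_id": fields["m"]})


def sample_request(token, from_header="mallory@evil.example"):
    """Constructed command email; the sender is forged to show that it does not matter."""
    return ("From: " + from_header + "\nTo: digest-commands@example.com\n"
            "Subject: release\n\ntoken: " + token + "\n")
```

A request carrying a valid token is accepted for the user named in the token regardless of the forged From: line; a token whose payload has been spliced onto another token's tag, an expired token, or a request with no token is rejected. Whatever the real token format is, the properties to verify are the same: the token is bound to the user, the action and the message, it expires, and it cannot be altered without the server key.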
For more information about adding users to the User Repository, see Automatically Adding a User to the User Repository in "Groups and Users."

Related Topics: To complete configurations for the Safe Senders and Blocked Senders Lists, see Creating Text for Safe or Blocked Messages and Configuring Labels and Help.

Managing Branding Templates

Branding Templates control how content is presented to the user community for the following Proofpoint components:
- End User Digests - both email- and Web-based Digests that are sent to users.
- Web Application - the end-user interface to the Web Application.
- Secure Reader - the end-user interface for managing encrypted messages.

The Proofpoint Protection Server includes default templates that administrators can use right away. You cannot delete the System Default End User Digest Branding Template or the System Default Encryption Branding Template, but you can change them. Administrators can add as many templates as they need.

Branding Templates are included in the list of attributes that you can apply on a global, group, or user level. See About Attributes in "Groups and Users" for more information about attributes. You can apply one Branding Template for encrypted mail and a different Branding Template for the Web Application and Digest, or use a single template for all three.

Adding a Branding Template

To add a new Branding Template, navigate to the End User Services > Branding Templates page and click Add. Default colors on the Digest, Web Application, and Secure Reader tabs are displayed in a field along with the corresponding HTML color code. To change a color, click in the HTML code field and select a different color from the palette. To reset the colors to the original default settings, click Default.

General Settings

Enter a name and description for the Branding Template on the General tab. Enter an email address, telephone number, or both into the Contact field. The contact information displays in the Secure Reader interface; users will need it if they have trouble reading secure messages. If you do not enter contact information, users will have no way to contact your organization with questions or problems regarding an encrypted message. (This field does not apply to the Digest or Web Application.)

Digest

Click the Digest tab to configure the fonts and colors for headings, tables, and commands that display in the Digest. Each field on the right side of the page is labeled with a number. The numbers correspond to the interface elements displayed on the left side of the page. Click Save when you are finished.

Web Application

The background colors on the Web Application tab display as gradients. If you change the background colors, they will no longer display as gradients. Configure the fonts and colors for headings, tables, and commands that display in the Web Application.

Secure Reader

Click the Secure Reader tab to configure the fonts and colors for headings, tables, and commands that display in a browser when users read encrypted messages.

If you selected On for Enable Login URL on the Encryption > Settings > Secure Reader page, a unique URL is generated for each Branding Template. Users outside your organization can navigate to this URL to authenticate or register with Proofpoint Encryption to compose a secure message. The Map to field allows you to map the generated URL to a URL of your choice that is easier to remember. Enter the new URL into the field and save your changes.

Important: You cannot use spaces or special characters in the Map to field. You can enter only alphanumeric characters and the forward slash (/), and the first character must be a letter.

Encryption

Click the Encryption tab for the following tasks:
- To customize the image presented to users when they receive secure messages.
- To select a Domain Profile to use with the Branding Template (optional). If you are creating a Branding Template for a specific Domain Profile, select the FQDN (Fully Qualified Domain Name) from the Select Domain Profile list. See Creating Domain Profiles for more information.
- To point users to a customized Help file for Proofpoint Encryption (optional).

You can change the color of the default padlock image, use a custom image, or omit the image entirely.

Note: The custom image must be in .gif, .jpg, .png, or .bmp file format, no larger than 128 by 128 pixels.

Use the Following Image - this parameter displays the default padlock image. You can change the color of the padlock by selecting a color from the drop-down list.

Do Not Use Any Image - select this parameter if you do not want to display the padlock image in secure messages.

Proofpoint Encryption includes a default help file. If you want to provide your user community with a customized help file, select On for the Custom Help parameter and enter the URL for your customized help file into the URL field. Save your changes when you are done.

Logo

Click the Logo tab to add a custom logo to the Branding Template. The Logo settings apply to the Digest, Web Application, and Proofpoint Encryption.

Note: The logo must be in .gif file format, no larger than 200 by 50 pixels.

Custom Logo - this parameter enables or disables the custom logo. When Off is selected, the current logo displays. Select On to upload a custom logo.

Custom Logo File - enter the directory location and file name for the custom logo into this field, or click Browse to navigate to the directory and file. Click Upload Custom Logo to import the logo. Your custom logo displays in the Current Logo field.

Title

The Title tab controls the font color for the main title and subtitle displayed to users on the Digest and Web Application. It displays only if you do not have a logo.
Enabling and Setting Up the End User Digest Enabling the End User Digest is a two-step process: first enable the Digest on the End User Services > Digest Settings page, and then configure the Command Processor ( or Web) or Web Application. If you do not configure the Command Processor, users will receive Digests but they will not be able to complete any operations on their messages. The Command Processor processes user requests that are made from the Digest. See -based Command Processor and Web-based Command Processor for more information. Note that the web-based command processor does not display a user's messages in the Quarantine unless you specifically configure it to do so. If you want users to view and manage their Digests directly from a browser, see Web Application for more information. No matter which method you select for users to view and manage their Digests, you must always start with the End User Services > Digest Settings page. Digest Settings Make a selection for each of the following parameters: Enable Digest this is the master switch for enabling or disabling the Digest feature. If you select Off, you will not see the Digest settings on the Services page or tab for attributes on the Groups and Users > Global, Groups and Users > Groups, or Groups and Users > Users pages. SMTP Profile Used For Sending Digest allows you to select the SMTP server you want to use to deliver Digests to the users. (Create SMTP profiles on the System > Settings > SMTP page.) 185

216 Proofpoint Administration Guide Send User Error Message sends an error message to the end user if he or she tries to release a message that has already been deleted from the Quarantine. Report False-Positive Upon Release when users release messages from the Quarantine, a message is automatically sent to Proofpoint, reporting the message as a false positive. Automatic Profile Creation users can only manage their Safe Senders or Blocked Senders lists if they have an entry in the User Repository. If you enable automatic profile creation, users who are not in the Repository will automatically be added when they request a Safe Senders or Blocked Senders List from their Digest. (Users are automatically sent a Digest, even if they are not in the Repository, if one of their messages ends up in the Quarantine.) Overwrite Reply-To by default, the Reply-To address is populated with an address from the SMTP buffer queue that sends the message containing the Digest. You can overwrite the default Reply-To address with a specific address by enabling this parameter and entering the new address into the Address field. Sort Options The list of messages in the Digest can be sorted by either the spam score or by the date and time they were sent to the Quarantine. Select a choice from the Sort Update Digest By drop-down list. Choices are Score or Date. Select a choice from the Sort Summary Digest By drop-down list. Choices are Score or Date. Columns The parameters under Columns control the subject length and whether or not to include the message score and date in the Summary and Update Digests. Maximum Subject Length In Digest - select a number from the drop-down list. Smaller numbers produce better performance when generating Digests for the user community. Include Score in Digest - click the On radio button if you want to include the spam score for each quarantined message in the Digest. 
Include Date in Summary Digest - click the On radio button if you want to include the date the Summary Digest was generated.

Include Date in Update Digest - click the On radio button if you want to include the date the Update Digest was generated.

Custom Link

You can add a link to any URL to display in the Digest. This feature is typically used to point users to a custom help file when you have customized the labels for the Digest in your organization. When users click the Help link on the Digest or Safe Senders and Blocked Senders Lists they see the default help topic that Proofpoint provides. Administrators have the option of pointing the Help link to a URL that describes help for the custom labels you create. The Text field is what displays as the link to your URL.

If you point users to a custom help URL, be sure to disable the default Help link that Proofpoint provides; otherwise users will see two Help links in their Digests. See Enabling and Providing Commands to End Users to disable the default Help link.

Generate Digest

If you want to immediately create and send a Summary Digest to the users, click Generate. Make a selection in the Generate pop-up window, and then click Generate Digest:

Use Digest Users Settings - select if you want to generate Digests for the users defined by the settings you already configured. See Creating the List of Digest Users for more information.

Specify Recipients - select if you want to generate a Digest for a few specific recipients. Enter the recipient addresses into the field, separating each one with a comma.

217 Chapter 9 - End User Services

Generating a Summary Digest Immediately

An administrator can immediately generate Summary Digests for recipients on the End User Services > Digest Settings page, instead of waiting for the scheduled generation time. This feature can be useful for testing purposes.

Click Generate on the End User Services > Digest Settings page.

1. In the pop-up window, click the Use Digest Users Settings radio button if you want to generate a Digest only for the users specified on the End User Services > Filters > Users page. See Creating the List of Digest Users. Or, click Specify Recipients and enter the addresses for the recipients into the field. Only recipients on this list will receive a Summary Digest.

2. Click Generate Digest.

Related Topics: To automatically send an End User Digest to the user community on a scheduled basis, see Scheduling Digest Generation.

Creating Digest Headers and Footers

Use the End User Services > Resources > Global page to customize the content of the header or footer of the Digest. The header or footer text fields are populated with default text, but you can change this text and use variables in your custom message. Typically, administrators use this text to explain to users what the Digest contains, and to place contact information on the bottom of the Digest so users know who to contact for help.

To customize the headers and footers for the Digest:

1. Enter digest.template.header or digest.template.footer into the Filter text box to find the resource.

2. To change the header, clear the Default check box and change the value for the com.proofpoint.filter.digest.template.header resource.

3. To change the footer, clear the Default check box and change the value for the com.proofpoint.filter.digest.template.footer resource.

4. Click Save Changes.

Click the Default check box to restore the default text for the header and footer.
Creating Text for Safe or Blocked Messages

Use the End User Services > Resources > Global page to customize the text in the messages that are sent to the user community for the Safe Senders and Blocked Senders Lists. You can change this text and use variables to customize the message. Typically, administrators use this text to explain to users how to use the Safe Senders and Blocked Senders message and to provide contact information at the bottom of the Digest so users know who to contact for help.

To customize the headers and footers for the Safe Senders and Blocked Senders Lists:

1. Enter safeblockedsenders into the Filter text box to find the resource.

2. For the resource com.proofpoint.filter.digest.template.safeblockedsenders.text, clear the Default check box, and then change the text in the value column.

3. To change the footer, clear the Default check box, and then enter new text for the value for the com.proofpoint.filter.digest.template.footer resource.

4. Click Save Changes.

Click the Default check box to restore the default text for the Safe Senders and Blocked Senders list.

Configuring the Error Template

When end users attempt to release messages from their Digests that are no longer in the Quarantine, they will receive an error message. Use the End User Services > Resources > Global page to configure the text you want to include in the message.

To customize the error message:

1. Enter error.header into the Filter text box to find the resource.

2. Find the com.proofpoint.filter.digest.template.error.header and com.proofpoint.filter.digest.template.error.footer resources, clear the Default check box, and then change the text in the value column for each one.

3. Click Save Changes.

Click the Default check box to restore the default text for the Header and Footer.

Configuring Labels and Help

All of the commands or links that appear in an email Digest or in the Web Application are controlled on a per-module basis. You can customize the header and description for each module that you want to include in the Digest or Web Application, and you can select which commands to make available (to your user community) for each module.

Use the End User Services > Filters > Modules page to select which modules to include in a Digest or Web Application. For example, if you want to include messages that were quarantined by the Regulatory Compliance Module, you need to specifically include this module in the Digest or Web Application. Use the Options feature on the End User Services > Filters > Modules page to select which commands to make available to users in their Digests or in the Web Application.

See Controlling Digest Content With Modules for instructions on how to select which quarantined messages to include in the Digest or the Web Application. See Editing Modules and Selecting User Commands to select which commands to make available to users.

Command Label Options

The label commands describe the actions the user can apply. You can customize the label for each command or link.
If you want to change the text that appears for each command label or link, go to the End User Services > Resources > Global page. See Resources for more information.

Users can apply these actions:

Release specific messages from the Quarantine - users release one or many messages at a time from the Quarantine. Released messages are delivered to the user's mailbox. If a message is addressed to only one recipient, it is deleted from the Quarantine when the user releases it. If a message is addressed to more than one recipient, it is delivered to the recipient that releases it, but remains in the Quarantine, and is not delivered to the other recipients.

Release the message and recommend that the sender be placed on the Global Safe List - the Global Safe List is controlled by the administrator. A user that has no personal profile in the User List can request that the sender of a message be placed on the Global Safe List.

Request a summary Digest - users can request a list of the most recent messages addressed to them that are held in the Quarantine.

Request a Safe Senders and Blocked Senders List - users can request their latest Safe Senders and Blocked Senders Lists so they can review the entries.

Report a false positive to Proofpoint.

Report a false negative to Proofpoint. False negatives include spam or phish messages.

Request that an entry be added to or deleted from the Safe Senders or Blocked Senders List.

View the message in a preview pane.

Add the sender of the selected message to the user's personal Safe Senders List.

Add the sender of the selected message to the user's personal Blocked Senders List.

Request help for managing messages in the Digest and the account. Administrators have the option of linking the user Help to a URL instead of sending the help by email.

Web-based Command Processor

Enable the web-based command processor on the End User Services > Command Processor > Web page so that users can make requests from their Digests through a web browser. For example, users can add senders to their Safe Senders and Blocked Senders List, request an updated Digest, or change their passwords. See Enabling and Providing Commands to End Users for instructions.

Important: By default, the browser-based Digest does not display messages in the Quarantine for the user unless the user is authenticated by a login and password. To override this default, you need to enable the Show Quarantine When Using Digest Link parameter on the End User Services > Web Application page.

To process web-based user requests, HTTP Only + HTTP commands must be selected for the Digest Format attribute at the global, group, and user level. See About Attributes for more information.

Note: If you select Off for Enable HTTP Commands, you no longer have support for any of the HTTP Only + HTTP commands. If you would like to use email-based commands to fulfill user requests, see Email-based Command Processor.

To enable and configure the web-based command processor:

1. Navigate to the End User Services > Command Processor > Web page.

2. Click On for Enable HTTP Commands.

3. Make your selections from the following parameters, and if necessary enter the appropriate information:

Use Default Hostname In URL - by default set to the hostname for the web server (the Proofpoint Protection Server).

Use Alternative Hostname In URL - if applicable, specify an alternative hostname to access the Proofpoint Protection Server across the network. Enter the name into the field.
This is useful if you do not want to expose the hostname of the Proofpoint Protection Server to the users.

Use Default Port in URL - uses the default port number for the web server (the Proofpoint Protection Server).

Use Alternative Port in URL - specifies an alternative port number to access the Proofpoint Protection Server. Enter the port number into the field. For example,

This is useful if you do not want to expose the port number that provides HTTP access to the Proofpoint Protection Server.

4. Click Save Changes.

Email-based Command Processor

By default, user requests from their Digests are processed using the web-based command processor. For information about fulfilling user requests using the web-based command processor, see Web-based Command Processor.

If you want to fulfill user requests using the email-based command processor instead, you need to enable the email-based processor and set up a local mailbox on the Proofpoint Protection Server or on a remote POP3 server on the End User Services > Command Processor > Email page. Whether local or remote, the command processor on the Proofpoint Protection Server periodically checks the mailbox you set up to receive email-based user requests. The Proofpoint Protection Server uses a security token to validate the authenticity of the request. If the request is valid, the command processor processes the command.

Setting Up a Local Mailbox

If you decide you want to use a local mailbox to process email-based requests or commands, the Proofpoint Protection Server will automatically provide a default address for the mailbox based on your organization's domain, which you can change if necessary.

Important: The address for the local mailbox is automatically added to the sendmail alias table on an appliance. You need to add the address to your sendmail alias table if you installed the Proofpoint Protection Server software separately.

To enable email requests using a local mailbox:

1. Navigate to the End User Services > Command Processor > Email page.

2. Click On for Enable.

3. For the Type parameter, select Local Mailbox (Mbox). Mbox folders store many messages in one file. Each message begins with a line which starts with the string From. Lines inside a message which accidentally start with From are, in the file, preceded by the greater-than symbol (>). This character is stripped when the message is read.

4. For the Proofpoint Protection Server, a temporary address appears in the Address field, which you need to change to match your organization's domain. For the appliance, your actual domain name is used for the default address.

5. Select the Internal Access Only check box so that senders outside your company cannot send messages to the mailbox that receives requests. Do not select this box if the server handling requests is also handling the internal mail messages. Select this box only if the mail server handles incoming messages exclusively.

6. Click Save Changes.

You do not need to make any changes to the SOAP Processor Port field. The port default is

Setting Up a POP3 Server

You need to create the mailbox on the POP3 server that will process the user requests before enabling this feature (for example, create a POP3 mailbox named ppsdigest). See your administration documentation for information on how to create a mailbox.

To enable email requests using a POP3 server:

1. For the Type parameter, select Remote Mailbox (POP3).

2. Make selections or enter information for the following parameters:

Address field - enter the address for the mailbox that will receive requests from users.
The Proofpoint Protection Server checks this mailbox regularly for requests. You can control how often the mailbox is checked with the Poll Rate.

Internal Access Only check box - this is a security measure so that senders outside your company cannot send messages to the mailbox that receives requests. Do not select this box if the server handling requests is also handling internal mail messages. Select this box only if the mail server handles incoming messages exclusively.

POP3 Server field - enter the POP3 server name that receives the end user requests.

Port field - if you want to change the default port, enter a different port number into the field.

Login and Password fields - enter the login name and password for the POP3 server. Click Verify to verify that the login and password are legitimate.

Secure Socket Layer (SSL) - select On if you want all communication with the POP3 server to use SSL.

Poll Rate list - select a period of time. This is how often the Proofpoint Protection Server checks the POP3 server for requests.

POP3 Authentication Method list - choose the POP3 authentication method. These choices determine how the Command Processor communicates with the POP3 server. You can choose from one of the following authentication methods:

- Auto Detect. If the POP3 server supports encryption, the Command Processor uses encryption for the login, password, and transmission. If it does not, the Command Processor uses clear text.

- LOGIN Protocol. The Command Processor uses clear text for communication with the POP3 server.

- APOP Protocol. The Command Processor uses encryption for communication with the POP3 server.

3. Click Save Changes.

Important: To complete enabling email-based client requests, you need to make the appropriate selections for the Digest Format attribute at the global, group, and user level. See Services Attributes in "Groups and Users" for more information.

You do not need to make any changes to the SOAP Processor Port field. The port default is

Note: If you have more than one Proofpoint Protection Server on the network enabled for the End User Digest feature, verify that each one has a unique mailbox to receive the end-user requests to release messages.

Web Application

The End User Web Application feature serves the following purposes: it allows users who receive Digests to manage Proofpoint accounts by launching a browser, and it gives administrators another method by which users can manage their Proofpoint accounts strictly using a web browser (without receiving an email Digest).

When you enable the Web Application, a Manage My Account link appears in the Digest. A user who receives an email Digest can click the Manage My Account link to log in to the Web Application to complete tasks such as viewing and releasing messages from the Quarantine, creating Safe Senders and Blocked Senders lists, changing a profile, and managing secure messages encrypted by Proofpoint Encryption. Or, you can provide the user community with a URL to point to from their browsers to access their Proofpoint accounts via the End User Web Application.

Important: You must enable authentication to use this feature. See Creating an Import or Authentication Profile for information about authentication.

The settings on the End User Services > Web Application page control what displays to a user in a browser once he or she has been authenticated to view his or her account.
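Two mechanics of the email-based Command Processor described above, as an added example written for this guide rather than Proofpoint's own code: how an Mbox file is split into messages with the ">From " quoting undone (Setting Up a Local Mailbox, step 3), and how the Auto Detect / LOGIN / APOP choice plays out at login time, where APOP is the MD5 challenge-response of RFC 1939. The sample mailbox, greeting text and credentials are constructed.

```python
import hashlib
import re
from typing import List, Tuple

# Constructed sample Mbox file holding two user requests (not a real Proofpoint mailbox).
# Envelope lines start with "From " (no colon); the ">From " body line shows the quoting.
SAMPLE_MBOX = (
    "From alice@example.com Mon Feb  6 09:00:00 2012\n"
    "From: alice@example.com\n"
    "Subject: Release request\n"
    "\n"
    ">From the Digest: release message 42\n"
    "token=constructed-token-1\n"
    "\n"
    "From bob@example.com Mon Feb  6 09:05:00 2012\n"
    "From: bob@example.com\n"
    "Subject: Safe Senders List request\n"
    "\n"
    ">>From here on the text is a literal body line\n"
)


def split_mbox(text: str) -> List[Tuple[str, str]]:
    """Split Mbox text into (envelope_line, message_text) pairs.

    A new message begins at every line that starts with "From " (the envelope
    line). Inside a message, a line that was stored as ">From " has one ">"
    removed when it is read, which restores the original body text.
    """
    messages: List[Tuple[str, str]] = []
    envelope = None
    body: List[str] = []
    for line in text.splitlines():
        if line.startswith("From "):
            if envelope is not None:
                messages.append((envelope, "\n".join(body)))
            envelope, body = line, []
        elif envelope is not None:
            # ">>From " becomes ">From ": exactly one ">" is stripped per read.
            if re.match(r">+From ", line):
                line = line[1:]
            body.append(line)
    if envelope is not None:
        messages.append((envelope, "\n".join(body)))
    return messages


# An APOP-capable server advertises a timestamp such as <1896.697170952@host> in its greeting.
APOP_TIMESTAMP = re.compile(r"<[^<>@]+@[^<>]+>")


def choose_pop3_login(greeting: str, method: str, user: str, password: str) -> Tuple[str, List[str]]:
    """Return (method_used, client_commands) for the POP3 login.

    method is one of the page's choices:
      "apop"  - APOP: the client sends MD5(timestamp + password), so the
                password itself never crosses the wire (RFC 1939 section 7).
      "login" - LOGIN protocol: USER/PASS in clear text.
      "auto"  - Auto Detect: APOP if the greeting carries a timestamp,
                otherwise fall back to clear text.
    """
    ts = APOP_TIMESTAMP.search(greeting)
    if method == "auto":
        method = "apop" if ts else "login"
    if method == "apop":
        if ts is None:
            raise ValueError("POP3 greeting offers no APOP timestamp")
        digest = hashlib.md5((ts.group(0) + password).encode()).hexdigest()
        return "apop", [f"APOP {user} {digest}"]
    if method == "login":
        return "login", [f"USER {user}", f"PASS {password}"]
    raise ValueError(f"unknown POP3 authentication method: {method!r}")


if __name__ == "__main__":
    for envelope, msg in split_mbox(SAMPLE_MBOX):
        print(envelope, "->", msg.splitlines()[-1])
    print(choose_pop3_login("+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>", "auto", "mrose", "tanstaaf"))
    print(choose_pop3_login("+OK POP3 server ready", "auto", "mrose", "tanstaaf"))
```

Note that with Auto Detect the clear-text fallback is silent: a greeting without a timestamp is enough to send the password in the open, which is why the SSL switch above matters when the POP3 server is reached across a network.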
To configure the commands that appear in the browser for the user community or control the commands that appear to a user in an email Digest, see Editing Modules and Selecting User Commands. You can select specific commands and links to appear in the Web Application or Digest for each filtering module that sent messages to the Quarantine.

To enable and configure the end user Web Application:

1. Navigate to the End User Services > Web Application page.

2. The Web Server port uses port 443 (HTTPS) for a secure connection. If you want to use port (TCP) instead, select the Alternative Port (10020) radio button.

3. The Enable radio button is the master setting for allowing the user community to log in to the Web Application. If you select Off, you will not see the Web Application setting on the Services page or tab for attributes on the Groups and Users > Global, Groups and Users > Groups, or Groups and Users > Users pages.

4. For the Default Page, make a selection from the list. This selection determines which page displays in the browser once the user is authenticated:

Safe/Blocked Sender Lists - displays the Safe Senders and Blocked Senders view.

Profile - displays the Profile view.

Quarantine - displays the user's messages in the Quarantine.

5. Allow Users to Change Language - allows users to change the default language for their Digests.

6. Allow Message Preview - enables a message preview when users select a message in the Quarantine.

7. Maximum Message Preview Length - controls the number of characters displayed in the message preview pane.

8. Maximum Message Size to Preview - controls which messages can be previewed by using the message size as the criterion. For example, if you select 2 MB for this parameter, and the user tries to preview a message that exceeds 2 MB, the user will see the following message in the preview pane: "This message exceeds the size limit and therefore cannot be displayed."

9. Maximum Messages Per Page - controls the number of messages displayed in the Quarantine view. Note: If you select 200, Internet Explorer may display a "URI too long" message. If your organization uses Internet Explorer, then select 100 or a smaller value to avoid the error.

10. Show Total Messages In Folder - displays the number of messages in each Quarantine folder.

11. Enable Message Search - provides a search mechanism for keyword searches.

12. Show Quarantine - allows administrators to display or hide the Quarantine view in the Web Application. If you select Off, users will not be able to see messages in the Quarantine. Note: If you select Off and save your changes, the Quarantine choice is removed from the Default Page list.

13. Show Quarantine When Using Digest Link - applies to users that receive a Digest by email that includes a Manage My Account link that launches a browser. This parameter allows users to see messages in the Quarantine from a browser-based Digest without authentication. If you select Force Authentication for an authentication or import profile (Groups and Users > Import/Auth Profiles), users will be required to provide a login and password when they click Manage My Account in a Digest.

14. Show Profile - disable this parameter if you do not want users to see the Profile navigation link in the Web Application. They will not have access to the Settings or Account links that are available in the Profile view.

15. Show Profile Settings - disable this parameter if you want users to see the Profile navigation link in the Web Application, but do not want users to see the Settings link. They will only have access to the Account link in the Profile view.

16. Show Encryption Key Management - when enabled, allows users to manage Proofpoint Encryption keys.
Users can revoke and restore keys for secure messages, and change the key expiration for secure messages.

17. Expiration - controls how long the user can remain logged in to the account in a single session. For example, if you select 5 Minutes, a user will automatically be logged out of the account after 5 minutes.

18. Click Save Changes.

Custom Profile Item

The Custom Profile Item parameters provide a convenient way for administrators to communicate information to the user community via the Web Application. Once enabled, users will see the message or URL in the browser when they manage their Proofpoint accounts.

To enable Custom Profile Item:

1. Click the On radio button.

2. Enter text into the Label field. This is the text that displays in the Profile section of the navigation pane in the Manage My Account view.

3. Enter text or a URL into the Content field. If you enter a text message, it displays in the Manage My Account page. If you enter a URL, a web browser displays the URL.

4. Click Save Changes.

Session

The Expiration parameter controls how long the browser-based Web Application session stays active. Users will have to authenticate after the session expires.

Scheduling Digest Generation

Use the End User Services > Digest Schedule page to configure the Proofpoint Protection Server to automatically generate Update Digests and Summary Digests on a schedule.

Note: You must enable the Digest and configure the Command Processor before you can schedule automatic Digest generation. See Enabling and Setting Up the End User Digest for more information.

To schedule automatic Digest generation:

1. Click the On radio button for the Scheduled Update Digest parameter. Update Digests contain a list of new messages that have been added to the Quarantine for the recipient since the last update.

2. For the Times parameters, choose a time from the Time drop-down list, and then click the right-arrow (>>) button to move it to the Digest Generation Times list. You can select more than one generation time from the list. For example, you may want to generate a Digest in the early morning before users arrive at work and at the end of the day, just before they leave.

3. Select a day from the Days drop-down list. If you select Custom, you can choose which days of the week you want to generate the Update Digest.

4. Click the On radio button for the Scheduled Summary Digest parameter. The summary contains a list of all the user messages in the Quarantine.

5. Select a time to create the Summary Digest from the Times drop-down list, and select a day by clicking a Days radio button.

6. Click Save Changes.

Enabling SMTP Verify

Use the End User Services > SMTP Verify page to enable recipient verification with SMTP. When SMTP Verify is enabled, the list of Digest recipients is verified using the default verify SMTP profile that supports the SMTP VRFY protocol. Once the recipients are verified, the Proofpoint Protection Server generates and delivers Digests to the legitimate recipients. This eliminates using resources to generate, deliver, or bounce Digests for recipients that are not legitimate.

Important: You must first enable the Digest before you can enable recipient verification using SMTP Verify.

To test the verify SMTP profile, enter an address into the Test Address field, and then click Verify.

Related Topics: For more information about SMTP profiles, see Configuring SMTP Profiles and Parameters in "Proofpoint Protection Servers."
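The VRFY exchange that SMTP Verify depends on, with both sides of the dialogue, as an added example and not Proofpoint's code: the server directory, host names and reply texts are constructed, and the decision to keep recipients that the server declines to verify (reply 252) is this example's own assumption about how a recipient list should be pruned.

```python
from typing import Callable, Dict, List, Tuple

# Constructed user directory for the simulated verify server (example.com is a placeholder).
LOCAL_USERS = {"alice@example.com": "Alice Example", "bob@example.com": "Bob Example"}
FORWARDS = {"helpdesk@example.com": "alice@example.com"}


def simulated_vrfy_server(strict: bool = True) -> Callable[[str], str]:
    """Server side of the exchange: one SMTP command line in, one reply line out.

    strict=False models a server that will not disclose mailbox names and
    answers every VRFY with 252 (reply codes as in RFC 5321).
    """
    def reply(command: str) -> str:
        verb, _, arg = command.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mail.example.com"
        if verb == "VRFY":
            if not strict:
                return "252 Cannot VRFY user, but will accept message and attempt delivery"
            addr = arg.strip().strip("<>").lower()
            if addr in LOCAL_USERS:
                return f"250 {LOCAL_USERS[addr]} <{addr}>"
            if addr in FORWARDS:
                return f"251 User not local; will forward to <{FORWARDS[addr]}>"
            return "550 No such user here"
        if verb == "QUIT":
            return "221 mail.example.com closing connection"
        return "500 Command not recognized"
    return reply


def verify_digest_recipients(recipients: List[str], server: Callable[[str], str]) -> Tuple[Dict[str, str], List[str]]:
    """Client side: VRFY each Digest recipient and classify it by reply code.

    Returns ({address: status}, transcript). 250 and 251 are positive answers;
    252 means the server declined to verify, so nothing can be pruned on that
    basis; any other code (for example 550) marks the recipient as rejected.
    """
    transcript: List[str] = []

    def exchange(cmd: str) -> str:
        transcript.append("C: " + cmd)
        resp = server(cmd)
        transcript.append("S: " + resp)
        return resp

    status: Dict[str, str] = {}
    exchange("EHLO pps.example.net")
    for addr in recipients:
        code = exchange(f"VRFY <{addr}>")[:3]
        if code == "250":
            status[addr] = "verified"
        elif code == "251":
            status[addr] = "forwarded"
        elif code == "252":
            status[addr] = "unverified"
        else:
            status[addr] = "rejected"
    exchange("QUIT")
    return status, transcript


def digest_delivery_list(recipients: List[str], server: Callable[[str], str]) -> List[str]:
    """Recipients a Digest is generated for: only rejected addresses are dropped."""
    status, _ = verify_digest_recipients(recipients, server)
    return [a for a in recipients if status[a] != "rejected"]


if __name__ == "__main__":
    recips = ["alice@example.com", "helpdesk@example.com", "ghost@example.com"]
    status, transcript = verify_digest_recipients(recips, simulated_vrfy_server())
    print("\n".join(transcript))
    print(status)
    print(digest_delivery_list(recips, simulated_vrfy_server(strict=False)))
```

A server that answers 252 to everything saves nothing: every recipient stays on the list, which is why the verify SMTP profile has to point at a server that actually supports VRFY.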
General Filter Configurations

Use the End User Services > Filters > General page to control the following Digest content:

Enable Score Range - exposes only the quarantined messages that score within a specified range. If enabled, select a score range from the list.

Exclude Adult Spam - excludes messages that were classified as adult spam from the Digest. Messages classified as adult spam are typically pornographic.

Enable Maximum Message Age - if enabled, this parameter controls which messages appear in the Digest according to the timestamp for the message. For example, if you select On and select 7 Days for the Maximum Message Age, the Digest will not include a message that is 8 days old even though the message may still be in the Quarantine.

Creating the List of Digest Users

Use the End User Services > Filters > Users page for granular control over which users in your organization receive a Digest. It is important to know that the Proofpoint Protection Server provides a number of ways to send Digests to end users:

Configure the Send Digest and Send Empty Digest attributes on a global, group, or user level. For more information, see About the User Repository and Services Attributes in "Groups and Users."

Create a list of Digest recipients using the End User Services > Filters > Users page. This list can include all users in the User Repository, all users who have messages in the Quarantine, and can include or exclude specific users.

Important: You can use these two methods in combination or independently of each other. The configurations you make on the End User Services > Filters > Users page override or take precedence over the selections you make for global, group, and user attributes.

Users Who Receive a Digest

Use these options to create a list of users who will receive a Digest:

Include Users with Profiles in User Repository - all users in the User Repository (User List) who have messages in the Quarantine receive Digests.

Include Users with Messages in the Quarantine - users who have messages in the Quarantine receive Digests, whether or not they are included in the User Repository.

Note: You can select both choices - they are not mutually exclusive.

You can further control which users should receive Digests with these options:

- include all users. All users that have messages in the Quarantine receive a Digest.

- include all users except those in exception list. All users that have messages in the Quarantine receive a Digest except those that you specifically exclude. See Apply Exclusions to the List for instructions.

- include users in inclusion list. Only those users that have messages in the Quarantine and match the specified criteria receive a Digest. See Apply Inclusions to the List for instructions.

Users Who Are Not in the Repository

Administrators can configure the Proofpoint Protection Server so that users who do not have a profile in the User Repository will automatically be added once the user releases a message from the Quarantine or requests an updated Summary Digest. See "Automatic Profile Creation" in Enabling and Setting Up the End User Digest.

Apply Inclusions to the List

Use the End User Services > Filters > Users page for granular control over which users in your organization receive a Digest. Use the inclusion list to specify users who should receive a Digest whether or not they have profiles in the User Repository.

1. Select the Include Users with Messages in the Quarantine check box. Note: You can select the Include Users with Profiles in User Repository check box if you also want all users in the User Repository (User List) to receive a Digest. These two methods are not mutually exclusive.

2. Click the include users in inclusion list radio button. Populate the Send a digest to users with an address that matches list to send a Digest to users whose addresses match the specified criteria.

3. Enter a user's address (for example, into the Address field and choose one of the following conditions:

Equals - the address is exactly as specified. For example, include the recipient

Contains - the address includes a string. For example, include recipients with addresses that include the string exec.

Starts with - the address starts with a specific string. For example, include recipients that include pps in the beginning of the address.

Ends with - the address ends with a specific string. For example, include recipients' addresses that end with example.com.

Regular Expression Match - the address matches a specific Perl regular expression. For example, the address begins with abc (^abc), or the address contains w (\w).

Important: Several regular expression metacharacters must be escaped to become literal characters. See Using Regular Expressions for a list.

4. Click the right-arrow (>>) button to add the address to the Send a digest to users with an address that matches list.

5. Click Save Changes.

Apply Exclusions to the List

Use the End User Services > Filters > Users page for granular control over which users in your organization receive a Digest. The exclusion list sends Digests to all users who have messages in the Quarantine, except those that you specifically exclude.

1. Select the Include Users with Messages in the Quarantine check box. Note: You can select the Include Users with Profiles in User Repository check box if you also want all users in the User Repository (User List) to receive a Digest. These two methods are not mutually exclusive.

2. Click the include all users except those in exception list radio button. Populate the Exclude users with addresses that matches list to exclude those users from receiving a Digest.

3. Enter a user's address (for example, into the Address field and choose one of the following conditions:

Equals - the address is exactly as specified. For example, exclude the recipient

Contains - the address includes a string. For example, exclude recipients with addresses that include the string exec.

Starts with - the address starts with a specific string. For example, exclude recipients that include pps in the beginning of the address.

Ends with - the address ends with a specific string. For example, exclude recipients' addresses that end with example.com.

Regular Expression Match - the address matches a specific Perl regular expression. For example, the address begins with abc (^abc), or the address contains w (\w).

Important: Several regular expression metacharacters must be escaped to become literal characters. See Using Regular Expressions for a list.

4. Click the right-arrow (>>) button to add the address to the Exclude users with addresses that matches list.

5. Click Save Changes.
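The five match conditions and the three radio-button modes of the Users page (Apply Inclusions to the List and Apply Exclusions to the List above), applied to a constructed list of Quarantine users; this is an added example, not Proofpoint's implementation, and all addresses and domains are made up. It also shows why the Important note matters: an unescaped dot in a Regular Expression Match entry matches more than the literal domain.

```python
import re
from typing import Iterable, List, Sequence, Tuple

# Constructed list of users who currently have messages in the Quarantine
# (example.com and the other domains are placeholders, not real addresses).
QUARANTINE_USERS = [
    "exec.assistant@example.com",
    "pps-admin@example.com",
    "alice@example.com",
    "bob@partner.example.org",
    "carol@example-com.net",   # an unescaped "." in "example.com" also matches this one
]

CONDITIONS = ("Equals", "Contains", "Starts with", "Ends with", "Regular Expression Match")


def address_matches(address: str, condition: str, value: str) -> bool:
    """Evaluate one entry of the 'address that matches' list under the five conditions."""
    a, v = address.lower(), value.lower()
    if condition == "Equals":
        return a == v
    if condition == "Contains":
        return v in a
    if condition == "Starts with":
        return a.startswith(v)
    if condition == "Ends with":
        return a.endswith(v)
    if condition == "Regular Expression Match":
        # Perl-style pattern; re.search is unanchored, so ^ and $ anchor it (as in the ^abc example).
        return re.search(value, address, re.IGNORECASE) is not None
    raise ValueError(f"unknown condition {condition!r}; expected one of {CONDITIONS}")


def literal_pattern(text: str) -> str:
    """Escape regex metacharacters so an entry matches the text literally
    (the Important note above): 'example.com' becomes 'example\\.com'."""
    return re.escape(text)


def digest_users(candidates: Iterable[str], mode: str, entries: Sequence[Tuple[str, str]] = ()) -> List[str]:
    """Apply one of the three radio buttons on the Users page.

    mode: "all"        - include all users
          "all-except" - include all users except those in the exception list
          "inclusion"  - include only users in the inclusion list
    entries: (condition, value) pairs making up the exception or inclusion list.
    """
    def in_list(addr: str) -> bool:
        return any(address_matches(addr, cond, val) for cond, val in entries)

    if mode == "all":
        return list(candidates)
    if mode == "all-except":
        return [a for a in candidates if not in_list(a)]
    if mode == "inclusion":
        return [a for a in candidates if in_list(a)]
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    print(digest_users(QUARANTINE_USERS, "inclusion", [("Ends with", "example.com")]))
    print(digest_users(QUARANTINE_USERS, "inclusion", [("Regular Expression Match", "example.com")]))
    print(digest_users(QUARANTINE_USERS, "inclusion", [("Regular Expression Match", literal_pattern("example.com"))]))
    print(digest_users(QUARANTINE_USERS, "all-except", [("Equals", "alice@example.com"), ("Starts with", "pps")]))
```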
Controlling Digest Content with Folders

Use the End User Services > Filters > Folders page to select Quarantine folders as criteria to control which messages to include in Digests or the Web Application. Select the Quarantine folders from the Available Folders list on the page. By default, messages in the Quarantine folder are always included in the Digest or Web Application. Folders for the optional modules are included if those modules are licensed, as well as any other folders created by an administrator. For more information about folders, see Introduction to Quarantine Folders in "Quarantine."

For the most granularity, use the Folders feature in conjunction with the Modules feature to determine which quarantined messages to include. You should first determine which modules to include on the End User Services > Filters > Modules page, then select the folders on the Folders page containing the messages quarantined by the modules.

Important: If the correct modules are not selected, the messages stored in the folders will not be included in the Digests or the Web Application. For example, if you want to include the messages that were quarantined by the Virus Protection Module, yet fail to select the Virus folder, the Digests or the Web Application will not include messages quarantined by the Virus Protection Module. For more information about the Modules feature, see Controlling Digest Content with Modules.

The selections made for Folders apply to both Digests and the Web Application. The folder names do not appear to the users, only the messages contained within the folders. When you select modules on the End User Services > Filters > Modules page, the quarantined messages in the Digest and Web Application are organized under the module names.

To include the messages quarantined in a folder, use the right-arrow button (>>) to move the folders to the Include Folder Messages in Digest list and save your changes.

Controlling Digest Content with Modules

Use the End User Services > Filters > Modules page to select the filtering modules for which you want quarantined messages to be included in Digests and the Web Application. For example, if you want to include messages that triggered rules in the Virus Protection Module, select Antivirus from the Available Modules list and move it to the Include In Digest list. The End User Services > Filters > Modules page is also where you control which commands are available to end users when they view their quarantined messages. See Editing Modules and Selecting User Commands for information about these tasks.

Controlling Digest content with modules is a two-step process: first decide which modules you want to include in Digests, and then select command options for each module. After you select which modules to include, the Digest and Web Application display a heading for the module and the messages sent to the Quarantine by that module. Each filtering module can potentially have several folders associated with it. For the most granularity and control over which messages to include, use the Folders feature with the Modules feature. For more information, see Controlling Digest Content With Folders.

1. Select the modules from the Available Modules list for the messages you want to include in the Digest or Web Application.

2. Use the right-arrow (>>) button to move the modules to the Include in Digest list.

3. To control the order in which quarantined messages in the module are displayed, select the module and use the up-arrow or down-arrow to move the module in the list.

4. Click Save Changes.
Important: After selecting which modules to include in the Digest or Web Application, go to the End User Services > Filters > Folders page to select the Quarantine folders for those modules. See Editing Modules and Selecting User Commands for information about the Options and Audit Module Options buttons.

Editing Modules and Selecting User Commands

Use the End User Services > Filters > Modules page for the following tasks:
Select the filtering modules that you want to expose to users in the Digest or Web Application. If a rule is triggered in the filtering module and the message is sent to the Quarantine, that message is included in the Digest or Web Application. See Controlling Digest Content with Modules for more information.
Important: Each filtering module has one or many associated Quarantine folders. After selecting a filtering module, you must add the folder or folders for that module to the list of folders to include. See Controlling Digest Content with Folders for more information.
Select the commands that you want to make available to users in Digests and in the Web Application. For example, you may want users to be able to release a message that triggered a rule in the Spam Detection Module, but not allow users to release a message that triggered a rule in the Regulatory Compliance Module.

Selecting Command Options

For each filtering module that you select, you can control which commands are available for that module.
1. Select a module in the Include in Digest list and click Options.
2. The Edit Module pop-up window displays the following tabs:
Module - displays the internal name for the filtering module and the Header that displays in the Digest or Web Application. Messages are displayed to the user under the header for each module.
Digest - use this tab to control the available commands in Digests.
Web Application - use this tab to control the available commands in the Web Application.
3. Move the commands that you want to display to users to the Available in Digest and Available in Web Application lists, respectively. Save your changes.
Note: If you select a command for a module but disable the same command on the End User Services > Commands page, the command will not appear, because the End User Services > Commands page controls global settings. See Enabling and Providing Commands to the End Users. To define or change the names of the commands, see Configuring Labels and Help for instructions.

Available Commands for Modules

Available commands vary depending upon whether the Digest is distributed via email or accessed from a browser (the Web Application). The following table describes each command:

Command - Description
Blocklist - Adds the sender of the message to the user's personal Blocked Senders List.
Delete Message - Deletes the message from the Digest.
Delete All Messages - Deletes all of the messages currently displayed in the Quarantine in the Web Application.
Release And Add Safe Sender - Releases the message to the user and adds the sender to the user's personal Safe Senders List.
Release And Recommend Safe Sender - Releases the message to the user and sends a request to the administrator to place the sender on the global Safe Senders List.
Release Message - Releases the message to the user.
Report False-Negative Phish - Reports the message as a false-negative phish to the administrator.
Report False-Negative Spam - Reports the message as a false-negative spam message to the administrator.
Report False-Positive Spam - Reports the message as a false-positive spam message to the administrator.
Save Attachment - Allows the end user to save the message attachment to local hard disk.
Safelist - Adds the sender of the message to the user's personal Safe Senders List.

Save Message - Allows the user to save the message to local hard disk.
View Attachments - Allows the user to view the message attachment.
View Message - Displays the message to the user in a preview pane.

Selecting Audit Options

Unlike the other filtering modules, the audit module is used strictly for auditing messages. This is why the commands for the audit module are configured using the Audit Module Options button. Select commands for the audit module by following the same instructions described in "Selecting Command Options."

Changing the Default Heading and Description Displayed for the Modules

Messages in the Digest or Web Application are grouped under the names of the modules whose rules were triggered. For example, you may want to change the Spam Detection Module heading from "Quarantine" to "Junk Mail." To change the headings and descriptions that display in the Digest or Web Application, go to the End User Services > Resources page.

Authenticating End Users

Use the End User Services > Authentication page for custom authentication parameters. Authentication is applied when users click Manage My Account in their Digests, log in to the Web Application, or authenticate for Proofpoint Encryption. To create authentication profiles for the Authentication attribute, see Creating an Import or Authentication Profile. To apply the Authentication attribute on a global, group, or user level, see Authentication Attributes.

Important: If you require users to change their passwords the first time they log in to their Proofpoint accounts, you must also communicate the Password Policy that is in place, if applicable. See Password Policies for Groups and Users in "Groups and Users" for more information.

Custom Login

The Custom Login feature allows administrators to create a custom login page for users to access their Proofpoint accounts. For example, you can provide a link on your organization's intranet to a portal that prompts for a user name and password for access to the Web Application.

Authentication by Token

The Authentication by Token parameter applies only to the CAS (Central Authentication Service) server. If you are using CAS for authenticating users, enable this parameter and enter the token for the server.

Access Token

The token-based access feature provides another level of security when users access the Proofpoint Quarantine or manage their Proofpoint accounts. For example, if you add a link on your intranet site that gives users access to the Web Application, you can generate a token and include it in the URL to your portal, so that requests that do not carry the token are refused. The syntax for the URL is https://<your_domain>:10020?at=<generated_token>. Because the token is a shared secret carried in the link itself, anyone who can read the link can present it: publish the link only where the intended users can see it, and generate a new token if it is exposed.

Error Codes

If a user's login and password fail, he or she will see an error code next to the Invalid Credentials message in the Login screen. The following list describes the error codes and their meanings:

Code - Meaning
1 - General system error.
2 - The user does not have an entry in the User Repository. Either create an entry for the user or click On for the Add Profile After Authentication parameter on the End User Services > Authentication page.
3 - There was an error in creating a profile for the user.
10 - The LDAP authentication failed. Either the user login or password is invalid.
11 - The connection to the LDAP server failed, so the authentication could not take place.

Users Reporting False Negatives and Positives

To allow users to report false negatives and false positives from their Digests or Web Application, administrators must configure several parameters in different components of the Proofpoint Protection Server.

Digest settings:
Enable the Digest on the End User Services > Digest Settings page.
Enable the Web Application on the End User Services > Web Application page.
Schedule the Digest generation on the End User Services > Digest Schedule page.
Enable User Commands on the End User Services > Filters > Modules page.
Enable the Enable Auto False-Positive Reporting link and the Enable Auto False-Negative Reporting link on the End User Services > Commands page. You can also allow users to report false positives when they release messages from their Digest by enabling Report False-Positive Upon Release on the End User Services > Digest Settings page.

Groups and Users settings:
Enable Groups and User Options on the Groups and Users > Settings > General page.
Select Yes for the Audit Messages and Audit Folder in Digest attributes. You can select Yes for these attributes for everyone in your organization (Groups and Users > Global > Inbound), for specific groups (Groups and Users > Groups, for example the Spam Reporting Group or any other group that you create), or for specific users (Groups and Users > Users). An individual user, or a user that belongs to a group, can only report a false negative if the Audit Folder in Digest attribute is enabled for the user or for the group. A false negative that is delivered to a user's mailbox will also appear in the user's Digest, from which the user can report the message to Proofpoint.

Digest and Web Application module filter settings:
Enable user commands for the Audit folder. Go to the End User Services > Filters > Modules page. Select a module in the Include in Digest list and click Audit Module Options. Select the commands you want to provide to users in the Digest Commands tab and the Web Quarantine Commands tab.

Spam Detection settings:
For any spam policy that you create that includes a rule that classifies messages as notspam, enable the Include in Audit folder option for the rule. Enabling the Include in Audit folder option places copies of messages that do not score high enough to be classified as spam in the Audit folder in the Quarantine.

Enabling and Providing Commands to End Users

The Digest commands on the End User Services > Commands page are global settings. For more granularity, you can control commands per filtering module. See Controlling Digest Content With Modules. The global settings on the End User Services > Commands page override the per-module command settings.

Important: All of the commands on the End User Services > Commands page apply only to Digests, except the Display Request Summary Link command, which applies to both the Digest and the Web Application. To control which commands appear to users in the Web Application, you must configure the settings on a per-module basis.

Select On or Off for the following parameters on this page to control the functions for the Digest and the Safe Senders and Blocked Senders Lists. Save your changes when you are done.

Enable User Commands - this is the main control for the user commands. User commands are actions that users can apply to the messages in the Digest. If Enable User Commands is Off and users receive a Safe Senders and Blocked Senders List, they will only be able to view the list; they will not be able to add or delete entries.
Display Request Summary Link - allows users to request a complete list of the messages they have in the Quarantine.
Display Digest Help Link - when enabled, users can click a link to receive help for tasks. The default help link describes the default labels provided by Proofpoint. If you customize the labels for the Digest, you will want to provide users with a customized help file that matches your custom labels. In this case, disable this parameter (click Off) and see Configuring Labels and Help for more information.
Enable Auto False-Positive Reporting - provides a link so that users can report to administrators that a message in the Quarantine is a false positive.
Enable Auto False-Negative Reporting - provides a link so that users can report to administrators that a message in the Quarantine is a false negative.
Note: Administrators must configure other settings to enable auditing and reporting from End User Digests; see Users Reporting False Negatives and Positives for information.
Display Recommend Safe Sender Link - this parameter applies only under the following circumstances:
- A user does not have a user profile (entry) in the User Repository.
- Create auto profile is disabled.
- The user receives a Digest because the administrator is sending a Digest to any recipient who has a message in the Quarantine.
When enabled, the Safelist link is displayed in the Digest for these users. By clicking this link, the user releases the message and requests that the administrator add the sender of the message to the Global Safe List. Choose where these requests are sent:
- Use Default Admin Address - uses the default administrator email address for requests.
- Use Alternative Address - allows you to use a different email address for the administrator.
Send Safe/Blocked Senders On Demand - allows users to request their Safe Senders and Blocked Senders Lists.
Display End User Aliases - allows users to view their list of aliases in the Digest report.
Display End User Safe Senders - allows users to view their Safe Senders List.
Enable End User Blocked Senders - allows users to view their Blocked Senders List.
Allow User To Manually Add Safe/Blocked Senders - if enabled (On), allows users who have a profile in the User Repository to add senders to their personal Safe Senders and Blocked Senders Lists by typing the addresses. (The other available method is to add senders to the personal lists by clicking a link in the Digest.)
Send Confirmation Message - controls whether or not users receive a confirmation message whenever they make a change to their Safe Senders or Blocked Senders Lists.

About Resources

Use the End User Services > Resources pages to customize the password reminder questions, links, status messages, error messages, and text displayed to users in Digests, the Web Application, and Secure Reader for Proofpoint Encryption. The End User Services > Resources page provides one central location for editing or customizing the elements presented to users.

The End User Services > Resources > Global page resources apply to all of the Branding Templates; if you change the value of a resource, it applies in every case where the resource is displayed.

The End User Services > Resources > Per Brand page resources are a subset of the resources on the Global page and apply to the Secure Reader template for Proofpoint Encryption. You can modify these resources for individual Branding Templates. For example, if you change the value of the resource templates.encrypt.readmessagenow for Branding_Template_A, the new value will only display to users or groups assigned to use Branding_Template_A. First select the Branding Template from the drop-down list, and then customize the resources that you want to change.

Notes: The following Value fields are intentionally left blank so that you can enter custom text (optional):
templates.encrypt.login.text - adds a custom text message to the Secure Reader login page. The custom text displays under the Password field on the login page.
disclaimer - adds a custom text message to the Web Application login page.

The following list describes how to use the tabs on the End User Services > Resources > Global and Per Brand pages:
The Resource column displays the name of the internal resource. Each resource represents an element on the Digest, Web Application, or Secure Reader page.
The Default column contains a check box for each resource. If the box is selected, the text for that resource is pre-populated with a default value. If you clear the check box, a field appears where you can enter a different value for the resource.
The Value field contains the text displayed in the Digest, Web Application, or Secure Reader page. To change the text for an element that displays on a page, clear the check box for the element, enter new text in the field, and click Save Changes.
To select a language to work with when you are making changes, choose a language from the Locale list. For example, if you select French from the Locale list, the values for the resources appear in French. If you then change the resource com.proofpoint.filter.digest.euwbl.header to display a custom message, the users in your organization who manage their accounts and Web Application in French will see the new custom message. However, users who manage their accounts in German or Japanese will not see the custom message; they will see the default value for their own language for com.proofpoint.filter.digest.euwbl.header instead.
To find a resource that contains a specific word, enter the word or part of the word into the Filter field and click Filter. The Filter toggles between displaying only the filtered results and all of the resources on the page.
To display only the resources that you have customized, select Custom from the View menu. Select Default to view only the default resources, or select All to view all of the resources on the page.

Smart Send

See About Smart Send for an introduction to Smart Send. The End User Services > Smart Send page is a centralized location to set global Smart Send settings for inbound and outbound mail and to add a custom help link to the Smart Send notifications users receive.

Smart Send Inbound - Select Yes or No for the Allow Smart Send parameter. The choice you make is also applied to the Groups and Users > Global > Inbound page.
Smart Send Outbound - Select Yes or No for the Allow Smart Send parameter. The choice you make is also applied to the Groups and Users > Global > Outbound page.
Custom Link - Select the On radio button if you want to add a link to the notification users receive when they have Smart Send messages in the Quarantine or Incident Queue. Enter the text for the link into the Text field, for example Help. Enter the path and URL for your customized help into the URL field. Save your changes when you are done.


Chapter Firewall Module

About the Firewall Module

The Firewall Module provides the following methods to control, filter, and manage traffic in your organization:
Filters messages by connection and message attributes and applies rules for disposition of these messages.
Uses the Trusted Source and Blocked lists to apply an authoritative disposition to messages from senders on these lists, without further processing by the Proofpoint Protection Server.
Uses dictionaries to filter messages for content and apply rules for disposition of these messages.
Provides an SMTP Rate Control feature to restrict traffic per IP address.

The Firewall Module filters messages by both connection and message attributes. The connection and message attributes are contained in the envelope information and are analyzed by the Firewall Module as soon as the message is passed from sendmail to the Proofpoint Protection Server through the Milter interface.

The Firewall Module supports the authoritative disposition Deliver Now for messages from senders or domains included on the Trusted Source list. Messages from senders on the Trusted Source list are delivered to the infrastructure without further filtering by the Proofpoint Protection Server, so an entry on that list bypasses every other filtering module for everything that sender sends; keep the list short and review its entries. Conversely, messages from entries on the Blocked list can be rejected without further processing. To view and manage the Trusted Source and Blocked lists, go to the Firewall > Rules page.

Many organizations today are concerned with the potential liabilities caused by transmitting email with inappropriate content through their messaging systems. You can create dictionaries containing inappropriate words, each with an associated weight, that together determine whether or not a message is inappropriate. You can then create rules with dispositions based on the score of the message. The Firewall already includes an Offensive Language dictionary, and you can also obtain other preconfigured dictionaries from Proofpoint Support or Professional Services.
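How a weighted dictionary turns into a score and a disposition, as an added example that is neither Proofpoint code nor the product's actual scoring algorithm: it assumes the score is the sum of each matched term's weight times its number of occurrences, that terms match case-insensitively on word boundaries, and that the rule with the highest threshold the score reaches wins. The dictionary terms, weights, thresholds and messages are constructed.

```python
import re

# Added example, not Proofpoint code.  Models a Firewall dictionary of
# weighted terms and score-threshold rules.  Assumed scoring model:
# score = sum(weight * occurrences) over matched terms; terms match
# case-insensitively on word boundaries; the rule with the highest
# threshold that the score reaches wins, otherwise the message is delivered.

# Constructed dictionary (a stand-in for the Offensive Language dictionary).
DICTIONARY = {
    "idiot": 3,
    "loser": 2,
    "shut up": 2,   # multi-word terms are matched as a phrase
    "stupid": 1,
}

# Constructed rules: (minimum score, disposition).
RULES = [
    (5, "Quarantine"),
    (2, "Continue processing"),   # hand the message on to later modules
]

def score_message(text, dictionary):
    """Return (score, hits); hits maps each matched term to its count.
    Word boundaries keep 'loser' from firing on 'closer', but they also
    mean plural or inflected forms ('idiots') need their own entry."""
    score, hits = 0, {}
    for term, weight in dictionary.items():
        pattern = r"\b" + re.escape(term) + r"\b"
        n = len(re.findall(pattern, text, re.IGNORECASE))
        if n:
            hits[term] = n
            score += weight * n
    return score, hits

def disposition(score, rules):
    """Pick the disposition of the highest threshold the score reaches."""
    for threshold, action in sorted(rules, reverse=True):
        if score >= threshold:
            return action
    return "Deliver"

def evaluate(text, dictionary=DICTIONARY, rules=RULES):
    score, hits = score_message(text, dictionary)
    return disposition(score, rules), score, hits

# Constructed message bodies.
SAMPLES = [
    "You IDIOT, shut up.  The loser is no closer to a deal.",
    "That was a stupid mistake, sorry.",
    "Meeting moved to 3pm; agenda attached.",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(evaluate(body))
```

The first sample scores 7 (idiot 3, shut up 2, loser 2; "closer" does not count) and is quarantined, the second scores 1 and is delivered. Tune the thresholds against real traffic before attaching a Reject disposition: a dictionary with low weights and a low threshold fires on ordinary correspondence.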
The Firewall Module enforces flow policies by shaping SMTP traffic dynamically in real time. The Proofpoint Protection Server MLX Dynamic Reputation technology is integrated into the Firewall: it constantly inspects SMTP connections at the IP address level, monitoring the number of connections and analyzing the content of the messages. The MLX Dynamic Reputation engine assigns a reputation score to each IP address based upon observed behaviors. Based on the scores, the SMTP Rate Control feature of the Firewall Module takes corrective action according to the defined policies. For example, if 75 percent of the messages sent from a specific IP address over a specified time period contain spam, the Proofpoint Protection Server applies a policy to refuse or restrict messages from that IP address. The SMTP Rate Control traffic-shaping policies improve network bandwidth utilization for your organization, reduce the overhead of sending messages to the Quarantine, and reduce server storage requirements as well as CPU load.

About Proofpoint Dynamic Reputation and netmlx

Proofpoint Dynamic Reputation is a connection management and reputation service that uses Proofpoint netmlx machine-learning technology to block incoming connections from malicious IP addresses. The system provides enterprises with a first line of defense against spam, directory harvest attacks, denial of service attacks and other email-borne threats, while delivering substantial bandwidth savings.

The Proofpoint Attack Response Center collects information for millions of IP addresses using data from Proofpoint honeypots, customer sites, and other sources. Proofpoint netmlx machine-learning algorithms continually parse hundreds of data points for these IP addresses in real time to generate timely, accurate network reputation scores. Proofpoint netmlx maintains an up-to-date database of reputation for IP addresses sending email across the Internet, allowing each customer site to benefit from the network effect provided by Proofpoint's real-time, machine-learning analysis of global sender behavior. Each minute, hundreds of data points for all IP addresses are parsed with machine-learning algorithms to generate a score that represents the sender's reputation, whether positive or negative. Proofpoint Dynamic Reputation uses these scores combined with local behavioral data to decide whether to accept, throttle, or reject incoming connections.

Administrators who purchase Proofpoint Dynamic Reputation receive a URL from Proofpoint that points to the database of IP address reputations. After adding the URL to the DNS Block List on the System > Settings > DNS Block List page, you can create rules in the Firewall and Spam Detection modules that trigger based upon the netmlx score for the message.

Related Topics:
See DNS Block List in "Proofpoint Protection Servers" for information about adding entries to the DNS Block List.
See Conditions in "Rules and Delivery Dispositions" for information about the netmlx condition.

Firewall Settings

Use the Firewall > Settings page to temporarily disable the Firewall and to specify Policy Routes if you do not want messages from all connections and all routes to be filtered by the Firewall Module.

Selecting Policy Routes

The Policy Routes feature allows you to apply Firewall Module filtering to specific Policy Routes. If you want the Firewall Module to filter all messages and connections, leave the check boxes under Policy Routes clear. If you want to restrict filtering to specific Policy Routes, or disable filtering for specific Policy Routes, select the Restrict processing and Disable processing check boxes. See Policy Routes in "Rules and Delivery Dispositions" and About Policy Routes in "Proofpoint Protection Servers" for more information.

About Recipient Verification

Recipient Verification verifies the existence of a recipient address before processing the message through the Proofpoint Protection Server filtering engines. To understand how the Recipient Verification feature works, it is important to understand how the components work together to check for legitimate recipients in the email stream. Depending upon the size of your organization, you could potentially filter millions of messages a day for thousands of recipients. The Recipient Verification feature gives you more control over the resources you use for message filtering. If messages are addressed to invalid recipients, you can simply discard these messages and continue filtering the messages for the valid recipients. If a message is addressed to multiple recipients, the message is filtered and delivered to the valid recipients, and the invalid recipients are removed from the message.

Data Connector

The Recipient Verification feature checks for legitimate addresses by comparing the recipient addresses to the ones maintained by a verification source, defined as a Verification Data Connector. A Verification Data Connector is one of the following:
LDAP profile - you can create LDAP profiles on the System > Settings > LDAP page. See Configuring LDAP Profiles and Parameters in "Proofpoint Protection Servers" for more information. This type of verification source can be used for Microsoft Active Directory, Lotus Notes Directory, or other LDAP environments.
User Repository - compares recipient addresses against the entries in the User Repository (Groups and Users > Users).
SMTP profile - you can create SMTP profiles on the System > Settings > SMTP page. If you plan to use an SMTP profile for Recipient Verification, you will need an SMTP profile that was created with the direct profile type. The direct profile type connects to an SMTP server that supports the SMTP VRFY command. See Configuring SMTP Profiles and Parameters in "Proofpoint Protection Servers" for more information.
Custom data connector - if you need to use a Verification Data Connector other than the ones provided by the Proofpoint Protection Server, contact Proofpoint Professional Services. A Custom Connector Module can be developed to your specifications and provided to you for uploading to the Proofpoint Protection Server.

The Firewall > Recipient Verification > Verification Data Connector page displays the available Verification Data Connectors (LDAP Verification, User Repository Verification, and SMTP Verification). Use this page to add Custom Connector Modules for unique verification sources specific to your organization. You can add or delete Custom Connector Modules, but there are no parameters to change for them.

Verification Profile

A Verification Profile is defined by an ID, a description, the type of verification source, and the list of domains for which to verify recipient addresses. You can add as many profiles as you need, and modify the default verification profiles provided by Proofpoint, on the Firewall > Recipient Verification > Verification Profile page. You can also delete, enable, or disable profiles for use with Recipient Verification on this page.

Verification Rules

A Verification Rule defines how to process messages addressed to valid and invalid recipients. Create verification rules on the Firewall > Recipient Verification > Verification Rules page.

Per-Message or Per-Recipient Dispositions

Administrators have these options for handling messages with no valid recipients:
Per-message basis - the recipients for a message are verified, and if all of them are invalid, administrators can apply a disposition to the entire message. This is a global setting that applies a disposition to all messages that have no valid recipients. Use the Firewall > Recipient Verification > General page to configure the global per-message setting.
Per-recipient basis - the recipients for a message are verified, and a rule triggers depending upon whether one, one or more, or no recipients for the message are valid. Use the Firewall > Recipient Verification > Verification Rules page to add, edit, enable, or disable the rules.

Important: The per-recipient rules take precedence over the per-message (global) setting. For example: you configure the global setting to silently discard any message that has no valid recipients, without placing a copy of the message in the Quarantine. You then create a rule that checks for valid recipients in a message and, if there are none, continues to process the message and places a copy of it in a Quarantine folder. The per-recipient rule triggers first (takes precedence), so the message continues to be filtered and a copy is placed in the Quarantine.

General Recipient Verification Settings

Use the Firewall > Recipient Verification > General page to complete these tasks:
Enable the Recipient Verification feature.
If applicable, restrict or disable Recipient Verification for specific Policy Routes.
Apply a global disposition to all messages that have no valid recipients.
Apply a global disposition to all messages when Recipient Verification cannot take place due to a connection failure to the Verification Data Connector (the verification source).

Enabling Recipient Verification

To enable Recipient Verification, click the On radio button and configure the remaining parameters.

Navigate to the Firewall > Recipient Verification > Profile page to ensure you have enabled at least one profile. If you enable Recipient Verification but have disabled all of the Verification Profiles, the Proofpoint Protection Server will not be able to check for valid or invalid recipients.

Selecting Policy Routes

If you want to apply Recipient Verification to all messages and connections, leave the check boxes under Policy Routes clear. If you want to restrict Recipient Verification to specific Policy Routes, or disable it for specific Policy Routes, select the Restrict processing and Disable processing check boxes. See Policy Routes in "Rules and Delivery Dispositions" and About Policy Routes in "Proofpoint Protection Servers" for more information.

When using Policy Routes with Recipient Verification, ensure that the Policy Routes contain only IP address or sender address conditions. Policy Routes based on recipient domains (for example, default_inbound) will not work correctly with Recipient Verification. To limit verification to certain domains or subdomains, edit the verification profile instead.

Invalid Recipients Global Setting

Administrators have the option of applying a global disposition to all messages that have no valid recipients. This per-message setting is overridden by any rule that also triggers when a message has no valid recipients. See Verification Rules for information on creating rules for valid or invalid recipients on a per-recipient basis.

To apply a global disposition to all messages with no valid recipients:
1. For the Message Does Not Contain A Valid Recipient parameter, select the Copy Message to Folder check box if you want to send a copy of the message to a Quarantine folder, and select a folder from the drop-down list. If you want to create a new Quarantine folder, click Create New Folder.
2. Select one of the following dispositions:
Continue processing - the message continues to be processed through the filtering modules.
Silently discard message - the message is discarded and no information is sent to the sender.
Reject the message and return the following - permanently rejects the message with an SMTP return code and text. You can change the content of the Return Code and Return Text fields. The sending mail server receives the code and text in the SMTP response (a 5xx permanent failure) and will normally generate a non-delivery report to the sender.

Verification Failure Setting

If the Proofpoint Protection Server cannot connect to the Verification Data Connector defined by the Verification Profile, because of a network failure or a failure of the verification source itself, the Verification Failure setting determines how to process the messages. Select one of the following choices for recipients that cannot be verified:
Allow recipient and continue processing - the message is filtered through all of the filtering modules, and if no rules are triggered, it is delivered to the valid recipients. While the verification source is down, this choice accepts mail for recipients that may not exist.
Retry (temp fail) message for recipient and return the following - temporarily rejects the message with an SMTP return code and text (a 4xx temporary failure). You can change the content of the Return Code and Return Text fields. The sending mail server receives the code and text and retries delivery later, so mail is queued rather than lost while the verification source is unavailable.

Verification Data Connector

The Firewall > Recipient Verification > Data Connector page displays the methods the Proofpoint Protection Server uses for Recipient Verification. The following Data Connectors are provided by Proofpoint and cannot be deleted: LDAP Verification, User Repository Verification, and SMTP Verification. See About Recipient Verification for descriptions of Recipient Verification terminology.

You can obtain Custom Connector Modules from Proofpoint to satisfy your organization's specific requirements for unique verification sources. For example, if your organization needs to use an external database for Recipient Verification, Proofpoint can develop a Custom Connector Module for you.

Adding Custom Connector Modules

Custom Connector Modules are created by Proofpoint Professional Services and distributed as zip archives. To add a Custom Connector Module for the verification source:
1. Click Add on the Data Connector page.
2. In the Add Connector Module pop-up window, enter the directory path into the Connector Filename field, or click Browse to navigate to the location of the zip archive.
3. Click Add Connector.
4. Click Close.

Verification Profile

The Firewall > Recipient Verification > Profile page displays the verification source profiles the Proofpoint Protection Server can use for checking messages for valid recipient addresses. You can add as many profiles as you need - for example, a unique profile for each domain or group of domains for which you want to check recipient addresses. You can add, delete, modify, enable, or disable profiles on the Profile page. See About Recipient Verification for descriptions of Recipient Verification terminology.

Important: If you have already enabled a profile that contains a specific domain, and you create another profile that contains the same domain, you will see a warning message. Do not enable more than one profile at a time that includes the same domain. For example:
profile 1 - includes the domains eng.proofpoint.com and support.proofpoint.com, and is already enabled.
profile 2 - includes the domains eng.proofpoint.com and mktg.proofpoint.com.
When you add profile 2, you will see a warning that eng.proofpoint.com is already being used for Recipient Verification in another profile. Disable profile 1 before enabling profile 2, since the two profiles share at least one domain, or remove the common domain from one of the enabled profiles.

To add a Verification Profile:
1. Click Add on the Profile page.
2. Click Enable to enable the profile as soon as you save it.
3. Enter an identification for the profile. You cannot use spaces or special characters in the ID field.
4. Enter a description for the profile.
5. For Domains, select one of the following choices:
Verify recipients for all domains - the Proofpoint Protection Server verifies recipient addresses for all domains. This choice can be used in conjunction with a Policy Route restriction, for example, to ensure Recipient Verification is only applied to inbound
Verify recipients for specific domains - enter the legitimate domains for which you want to verify recipients, so that the Proofpoint Protection Server does not attempt to verify addresses that are not verifiable for your organization. Use one domain per line for multiple domains. Use the following syntax when entering domains:
- exact match of example.com; excludes any subdomains of example.com.
- .example.com: subdomains of example.com only; excludes the domain example.com.
- example.com: domain example.com and all subdomains of example.com.
You can also create a regular expression for an entry - for example, the regular expression *.example.com tries to match any domain that ends with example.com.
Important: Several regular expression metacharacters must be escaped to become literal characters. See Using Regular Expressions for a list.
Note that you can enter the same domain twice - for example, if you have two LDAP servers, Recipient Verification checks one server and then the other for the domain name.
6. For Data Connector, select a Type from the list:
User Repository - make this selection if you want the Proofpoint Protection Server to use the entries in the User Repository (Groups and Users > Users page) to verify legitimate recipient addresses.
SMTP - select an SMTP profile from the SMTP Profile list to verify the legitimacy of the recipient addresses. Be sure to select an SMTP profile that was created with a direct profile type. For more information about SMTP profiles, see Configuring SMTP Profiles and Parameters in "Proofpoint Protection Servers." If needed, you can define both Temp Failure and Verify codes for the SMTP profile. You can enter a single value, multiple values separated by commas, or a range of values using a dash (-). Enter the appropriate code value into one or both of the following fields:
- Temp Failure Codes. Enter a value for a sendmail return code. The default value is . The sendmail return codes are described in RFC .
- Verify Codes. Enter a value for the SMTP VRFY protocol return code. The default value 250 represents a valid recipient address. The SMTP VRFY protocol return codes are described in RFC 821.
LDAP - if you choose this source, make the following additional selections:
- LDAP Profile. Select a profile from the drop-down list.
- LDAP Scope. Make a selection from the list:
Restricted to the base entry (base). The base entry is defined by the profile Base DN parameter. The Base DN parameter is required.
All entries one level under the base entry (one). Restricts the scope to entries one level under the base entry.
All levels under the base entry (sub). Allows the scope to include all levels in the LDAP directory structure. This is the most common setting.
- LDAP Query. This field is pre-populated with a generic LDAP query string that describes the search criteria. Proofpoint strongly recommends that you fine-tune or customize this string for your organization. Proofpoint supports the following variables in the string: ${rcpt} ${domain} ${id} ${name} ${first} ${middle} ${last}
Note: If you select LDAP Profile for the Data Connector, you can change an existing profile or add a new one by clicking Manage LDAP Profiles. To view the details for each LDAP profile, go to the System > Settings > LDAP page.
7. To add one profile at a time, click Add Entry. To add several profiles, click Add and New. Click Close when you are done.

Profile Precedence by Domains

If you have added several Profiles, and each one is configured for a unique domain or domains, the Proofpoint Protection Server attempts to use the enabled profile for the domain that most closely matches the domain in the recipient address of the message. If none of the recipient addresses in the message match a domain in a Verification Profile, the Proofpoint Protection Server uses the first enabled profile in the list that contains All domains.

Verification Rules

Use the Firewall > Recipient Verification > Verification Rules page to enable and disable Recipient Verification rules, and to create rules for messages that are addressed to valid and invalid recipients. While the global setting on the Firewall > Recipient Verification > General page applies a disposition to an entire message that has no valid recipients, the Recipient Verification rules apply a disposition to a message on a per-recipient basis. For example, administrators can create a rule that compares the recipient addresses to the addresses on an LDAP server, removes the invalid recipients from the message, and continues processing the message for the valid recipients.

The Proofpoint Protection Server includes a default rule named verified that removes the invalid recipients from a message and continues to process the message for the valid recipients. The verified rule uses the Verification Profile named profile to check the recipient addresses. Administrators can enable, disable, or edit the default verified rule.

Verification Rule Conditions

When you create a rule for Recipient Verification, the following conditions are available:
Recipient verification profile - this condition defines which Verification Profile to use for validating recipient addresses. When you select this condition, you must also select an Operator and a Verification Profile from the respective drop-down lists.
Recipient address verified as invalid - this condition means the recipient address was verified and was confirmed as invalid.
Note: Administrators can create a Firewall rule that triggers based upon how many invalid recipients are found in the message. See Conditions in "Rules and Delivery Dispositions."

Creating Recipient Verification Rules

You can create a simple rule that applies one Recipient Verification condition to a message, or build a complex rule by appending at least two conditions with the AND logical operator. (Do not use the OR logical operator.)
Note: If you want to create a new rule that is similar to an existing rule, click Clone Rule on the Rules page. See Cloning Rules in "Rules and Delivery Dispositions." If you want to change the rule order, see Controlling Rule and Policy Order in "Rules and Delivery Dispositions."

To create a Recipient Verification Rule:
1. Click Add Rule.
2. On the Rule page, enter an identifier for the rule into the ID field. This identifier is used internally to track the rule.
3. Enter a name or description for the rule.
4. Leave the Policy Routes check boxes clear if you want this rule to apply to all messages and connections. If you want to restrict processing or disable processing for messages or connections for specific Policy Routes, select the corresponding check boxes. See Policy Routes in "Rules and Delivery Dispositions" for more information.
5. Click Add Condition in the Basic view, or the Click here to add a new condition link or the plus sign icon (+) in the Advanced view, to add a new condition.
6. In the Add Condition pop-up window, select the condition or conditions that you want to apply to this rule. See "Verification Rule Conditions" in this topic.

7. To add one entry at a time, click Add Condition. To add several entries, click Add and New Condition. Click Close when you are done.
8. If you want to send a copy of the message to the Quarantine, select Copy Message To Folder and select a folder from the folder drop-down list, or click Create New Folder if you want to add a new folder to the Quarantine. This choice places a copy of the message in the Quarantine folder you select. If the message is addressed to several recipients, some valid and some invalid, only one copy is placed in the Quarantine folder for all of the recipients. Administrators can review these messages to verify that messages addressed to invalid recipients are indeed detected by the Recipient Verification feature. Administrators do not typically need to release messages from this folder, since the valid recipients will receive their messages, provided no other rules were triggered to send them to the Quarantine.
9. Under Dispositions, make a selection from the Invalid Address radio buttons:
Continue processing. The Proofpoint Protection Server continues to process the message for all of the recipients, valid or invalid. If no other rules are triggered, the message is delivered to the email infrastructure. Messages that are undeliverable because they are addressed to invalid recipients will be handled (or bounced) according to the settings on the mail server.
Silently discard recipient. The invalid recipients are removed from the message. For the valid recipients, the message continues to be processed.
Reject the recipient and return the following. For the invalid recipients, the message is not delivered, and the original sender receives a return message carrying the code and text displayed in the Return Code and Return Text fields. You can change the content of both fields. For the valid recipients, the message continues to be processed.
10. Click Add Rule to save the rule.

About SPF

Sender Policy Framework (SPF) is an anti-spam protocol that allows you to authenticate or verify the domain of an email sender. This protocol is useful in deterring spammers, who often disguise their true Internet address by pretending that their email comes from a legitimate domain. Each domain that supports SPF has an entry in its Domain Name System (DNS) that describes unique attributes of its mail system and lists its authorized senders. An SPF client program, in this case the Proofpoint Protection Server, sends a DNS query to the domain from which the email supposedly originated to determine whether the sender is legitimate.

When the SPF client program evaluates an SPF record, it produces one of several results or conditions, which are predefined by the SPF protocol and included as rules in the Proofpoint Protection Server SPF feature. The result of the DNS query determines which condition the Proofpoint Protection Server applies to the filtered email. See Editing SPF Rules for a description of the predefined results or conditions.

Enabling SPF

Navigate to the Firewall > SPF > General page to enable the Sender Policy Framework (SPF) protocol. SPF is disabled by default.

Selecting Policy Routes

The Policy Routes feature allows you to apply the SPF protocol to specific Policy Routes. If you want SPF to authenticate all messages and connections, leave the check boxes under Policy Routes clear. If you want to restrict filtering to specific Policy Routes, or disable filtering for specific Policy Routes, select the Restrict processing and Disable processing check boxes. See Policy Routes in "Rules and Delivery Dispositions" and About Policy Routes in "Proofpoint Protection Servers" for more information.

Creating SPF Policies

Create SPF policies on the Firewall > SPF > Policies page. You can create a new policy, or it may be more efficient to clone an existing policy, which you can then modify. If no other policies exist, you can clone the default policy as the template for a new policy.

To create a policy:
1. Click Add Policy.
2. Enter a name and description for the SPF policy.
3. If you want to create a new policy based upon the rules that already exist for another policy, select the policy from the Clone SPF Policy Rules From drop-down list. Otherwise, leave it blank.
4. Click Save Changes.
After you create an SPF policy, enable the rule or rules you want to include in the policy on the Firewall > SPF > Rules page. See Editing and Enabling SPF Rules for instructions.

Creating, Editing, and Enabling SPF Rules

Use the Firewall > SPF > Rules page to edit existing SPF rules, to enable, disable, or delete rules for an SPF policy, and to determine whether or not to restrict or disable processing for a selected Policy Route. The rules in the SPF Rules list include the following conditions, which are predefined by the SPF protocol:
Pass
Fail
Soft Fail
Neutral
TempError
PermError
None
Each of these conditions is described in the SPF Rules list. Proofpoint has predefined the rules for these conditions. You can edit or delete these rules.

Selecting Policy Routes

The Policy Routes feature allows you to apply SPF filtering to specific Policy Routes. If you want SPF to filter all messages and connections, do not select either check box for the Policy Routes parameter. If you want to restrict processing to specific Policy Routes, select the Restrict processing to selected policy routes check box. If you want to disable filtering for specific Policy Routes, select the Disable processing for selected policy routes check box. See Policy Routes in "Rules and Delivery Dispositions" and About Policy Routes in "Proofpoint Protection Servers" for more information.

Enabling and Disabling SPF Rules

You can enable or disable SPF rules on the Firewall > SPF > Rules page by selecting or clearing the check box for the rule in the Enabled column. You can also enable or disable a rule when you create a new rule or edit an existing one.

Creating or Editing SPF Rules

To create a new SPF rule, click Add Rule on the Firewall > SPF > Rules page.
1. If you have more than one SPF Policy, select the policy from the Policy menu. Otherwise the new rule is added to the default policy.
2. Select On to enable the new rule when you save it.
3. Enter a name and description for the new rule in the ID and Description fields.
4. In the Add Condition pop-up window, make a selection from the Operator and Value drop-down lists. Click either Add and New Condition or Add Condition to save the conditions for the rule.
5. If you also want to send a copy of the message to the Quarantine, select Quarantine message. Select a folder from the Folder drop-down list, or click New Folder if you want to add a new folder to the Quarantine. See Quarantine Option in "Rules and Delivery Dispositions" for more information.
6. Make a selection from the Delivery Method radio buttons. See About Delivery Dispositions in "Rules and Delivery Dispositions" for more information.
7. Make your selections and entries in the Delivery Options section of the page. See Delivery Options in "Rules and Delivery Dispositions" for more information.
8. Click Add Rule to save the rule.
To edit an existing rule, click Edit Rule. Make your changes to the rule and click Save Changes when you are done.

About Dictionaries

Navigate to the Firewall > Dictionaries page to add, delete, or edit dictionaries. In the context of the Firewall Module, a dictionary is a text file containing a list of words, a number for each word, and an instance count. The number represents the weight of the word. The instance count represents how many times to add the weight to the message score when the word is found in the message. As the Firewall Module filters a message, it compares each word in the message with a dictionary and sums a score for the message based upon the words it finds. It uses the total score for the message to classify the message according to a rule that you create. You can create dictionaries in the following languages: Dutch, English, Finnish, French, German, Italian, Japanese, Polish, Russian, Spanish, and Swedish.

Important: Dictionary words are case-sensitive. When you add a word to a dictionary, select Case Insensitive Match or Case Sensitive Match from the Condition drop-down menu.

For example, a "confidential terms" dictionary can be used to filter outgoing messages to ensure that none of the messages contain confidential information. These words might imply that a message is confidential, or they may be words used in internal company confidential projects. A confidential terms dictionary could include terms like these:
10:Confidential
10:Confidentially
8/3:Nondisclosure
5/2:Secret
1:401k
4:Internal
20/3:Cobra
In this example, the first number represents the weight (10:), two numbers separated by a slash represent the weight and the instance count (8/3:), and the text after the colon is the word to filter for in messages. No instance count indicates "count every instance of the word."

Another example for filtering words in outgoing messages is to use the Regular Expression Match operator when you add words to a dictionary. The Firewall Module searches for patterns that match the expression. For example, you can create a dictionary named "patterns" that contains patterns for employee ID numbers, part numbers, or medical ID numbers.
Important: Several regular expression metacharacters must be escaped to become literal characters. See Using Regular Expressions for a list.

The Proofpoint Protection Server includes a dictionary named offensivewords, which includes approximately 100 words in the American English language that are racist, derogatory, or obscene. You can add, delete, or change the weight for the words and the instance count in the offensivewords dictionary. The offensive rule that uses the offensivewords dictionary is disabled by default. When the offensive rule is enabled, messages with a weight score greater than 20 are sent to the Quarantine and "Contains Offensive Language" is added to the message header.

Related Topics: See Adding and Deleting a Dictionary to add a dictionary and Adding and Deleting Words for information on how to populate it.

Managing Dictionaries

Navigate to the Firewall > Dictionaries page to add, delete, enable, and disable dictionaries.
To add and enable a dictionary, click Add. Enter a name and description and enable the dictionary. To add one entry at a time, click Add Dictionary. To add several entries, click Add and New. Click Close when you are done.
To delete a dictionary, click the check box next to the name of the dictionary you want to delete. You may check several dictionary names at the same time. Note: You cannot "undo" a deletion.
To disable a dictionary, clear the check box for the dictionary in the Enabled column and save your changes.

Enabling and Disabling a Dictionary

Use these instructions to either enable or disable a dictionary.
To enable a dictionary:
1. Click the Dictionaries link under Firewall in the navigation pane.
2. Select the check box for the dictionary you want to enable in the Enabled column.
3. Click Save Changes.
To disable a dictionary:
1. Clear the check box for the dictionary you want to disable in the Enabled column.
2. Click Save Changes.

Adding and Deleting Words in a Dictionary

To manually add words to a dictionary:
1. Go to the Firewall > Dictionaries page.
2. Click the name of the dictionary in the table to display the Dictionary Word List for the dictionary. You can add a description or change the description for the dictionary in the Description field. The Dictionary drop-down list displays the names of the Firewall dictionaries. If applicable, select the name of the dictionary that you want to change.
The Entries drop-down list allows you to choose which range of words you would like to display. The Find Words field allows you to search for specific words. Enter the word you are searching for, and then click Search. Only the entries for that word display in the Dictionary Word List.
The Word column lists the words contained in the dictionary. The Condition column displays whether the condition for the word is Case Insensitive Match, Case Sensitive Match, or Regular Expression Match. The Count column displays the number of times the weight of a word is added to the score of the message when the Firewall Module finds the word in a message. For example, you may want the Firewall Module to track and score every instance of the word, or only the first 3 instances of the word.

The Weight column displays the weight of the word. This weight is added to the total message score as defined by the Count.
3. Click Add to add a word to the dictionary.
4. In the Add Dictionary Entry pop-up window, select a choice from the Condition drop-down list:
Case Sensitive Match - match the word exactly, including the case.
Case Insensitive Match - match the word but ignore case.
Regular Expression Match - the address matches a specific Perl regular expression. For example, the address begins with abc (^abc), or the address contains wxy (\wxy).
Important: Several regular expression metacharacters must be escaped to become literal characters. See Using Regular Expressions for a list.
5. Enter a word into the Word field.
6. Enter a weight for the word into the Weight field. A message whose words add up to a low score has a higher chance of being legitimate. A message whose words add up to a high score has a higher chance of being quarantined.
7. Count every instance - click the Yes radio button if you want the Firewall Module to add the weight to the score of the message each time it finds the word. Click the No radio button if you want the Firewall Module to add the weight to the score for only the first N instances, and enter the number of instances into the Count only the first field.
8. To add one entry at a time, click Add Entry. To add several entries, click Add and New. Click Close when you are done.

To manually delete words from a dictionary:
1. Click the name of the dictionary on the Dictionaries page. (Or click any dictionary name to open the Dictionary Word List page.)
2. Verify the name of the dictionary in the Dictionary drop-down list, or select another dictionary.
3. Select the check box next to the word or words you want to delete from the dictionary.
4. Click Delete to delete the entries you selected.
5. Click OK to confirm the deletion.

Example: Adding a Regular Expression Match

This section contains an example of adding a pattern to a dictionary. By adding patterns to a dictionary, you can filter for important numbers that should not leave your corporation by email - for example, employee Social Security Numbers or medical ID record numbers.
1. Navigate to the Firewall > Dictionaries page.
2. Add a dictionary named Patterns.
3. Click the name of the dictionary to display the Dictionary Word List. The Dictionary drop-down list displays the names of the Firewall Module dictionaries. Select the name of the dictionary you want to change from this list.
4. Click Add to add a word to the dictionary.
5. Select Regular Expression Match from the Condition drop-down list.
6. In the Word field, enter the pattern. For example, an American Social Security Number regular expression would look like this:
(?!000)([0-6]\d{2}|7([0-6]\d|7[012]))([ -])?(?!00)(\d{2})([-])?(?!0000)(\d{4})
7. Enter a weight for the word into the Weight field. You can assign a negative weight to a word in a dictionary. This feature is useful if the dictionary contains a regular expression match that searches for a pattern: you can use negative weights to exclude a specific word from the total score of the message.
8. Click Yes for Count every instance if you want the Firewall Module to add the weight to the score of the message each time it finds the word. Click No if you want the Firewall Module to add the weight to the score for only the first N instances, and enter the number of instances into the Count only the first field.
9. To add one entry at a time, click Add Entry. To add several entries, click Add and New. Click Close when you are done.
Important: Several regular expression metacharacters must be escaped to become literal characters. See Using Regular Expressions for a list.

Editing Words, Weights, or Conditions

To manually change a word, its instance count, or its weight:
1. Navigate to the Firewall > Dictionaries page.
2. Click any dictionary name to display the Dictionary Word List.
3. Select the name of the dictionary from the Dictionary drop-down list.
4. In the Dictionary Word List, click the word you wish to change.
5. In the Change Dictionary Entry pop-up window, make your edits to the Word, Weight, Condition, or instance count.
6. Click the Save Changes button to apply your changes.
7. Close the Change Dictionary Entry pop-up window.

Importing Words into a Dictionary

You can import many entries at once into a dictionary by creating an ASCII text file of words and their weights, and then importing the text file.
Important: Dictionary words are case-sensitive.
If you have enabled the concurrent login feature for administrators (see Password Policies for Groups and Users), be aware that if two administrators import words at the same time, the changes from one administrator will overwrite the other administrator's changes.
The entries in the text file must be formatted as shown below to be processed by the Firewall Module.
For words with a Condition defined as Case Insensitive Match, separate the weight from the word with a colon (:). For example: integer:word
For words with a Condition defined as Case Sensitive Match, separate the weight from the word with an equals sign (=). For example: integer=word
For words with a Condition defined as Regular Expression Match, separate the weight from the word with a tilde (~). For example: integer~word
Important: Several regular expression metacharacters must be escaped to become literal characters. See Using Regular Expressions for a list.
For words for which you want to count every instance, do not include a count number. For example: integer:word
For words that you only want to count for the first N instances, include the count number after the weight and separate it with a slash. For example: integer/instances:word
Table of examples:
1:wordA - Count every instance of worda and add a score of 1 for each instance. Ignore case.
1=WordB - Count every instance of WordB and add a score of 1 for each instance. Case-sensitive.

246 Proofpoint Administration Guide 10/3:wordC Count the first 3 instances of wordc and add a score of 10 for each instance. 20/2:wordDDD Count the first 2 instances of wordddd and add a score of 20 for each instance. 15/4~\d\d\d Count the first 4 instances of a word that matches this regular expression and add a score of 15 for each instance. 10~([0-6]\d{4}) Count every instance of a word that matches this regular expression and add a score of 10 for each instance. To import a text file of word entries and weights: 1. Use a text editor to create the file, using the format shown above. 2. Save the file in a directory location that is accessible by the Proofpoint Protection Server. 3. Navigate to the Firewall > Dictionaries page. 4. Click the name of the dictionary in the table to which you want to import entries. 5. Click Import on the Dictionary Word List page. 6. In the Import Dictionary File pop-up window, enter the directory location for the file into the Dictionary Filename field, or browse to the location where you saved the dictionary text file. 7. Click Open to import the file. Important: Words are appended to a dictionary, not overwritten. You can populate a dictionary by using the import feature several times, each time adding more words to the dictionary. If you want to delete entries, you must do so using the management interface. The file format must be UTF-8 text. Any other format will result in an error message. Note: When you import a large dictionary, it may take a few minutes to complete, and there is no visual indication that the import is finished. Related Topics: See Exporting a Dictionary for instructions on exporting the entire contents of a dictionary to a CSV file for purposes of editing. Exporting a Dictionary Administrators may want to export a dictionary if they need to make global changes to its contents. 
When global changes are needed, Proofpoint recommends that you export the dictionary, edit the contents, delete the original dictionary, and then create a new dictionary into which you import the revised contents.

To export a dictionary:
1. Navigate to the Firewall > Dictionaries page.
2. Click the name of the dictionary that you want to export to a text file.
3. Click Export on the Dictionary Word List page.
4. In the Save As dialog box, navigate or browse to the location where you want to save the file. By default, the file is saved under the dictionary name with a .csv extension, for example dictionary.csv.
5. Click Save.

Open the file in a text editor to make changes to the dictionary contents.

Note: If you view the exported CSV file in Microsoft Excel, some UTF-8 special characters may not display correctly.

Traffic Shaping with SMTP Rate Control

The Proofpoint Protection Server MLX Dynamic Reputation technology identifies and restricts traffic from specific IP addresses by analyzing the messages arriving over their connections in real time and applying policies according to what the analysis finds. For example, when a new IP address starts sending messages, the first 12 are analyzed. If 95% of these messages contain spam or a virus, messages from that IP address are rejected for a 24 hour period. After that period, 12 new messages are accepted and analyzed again for spam and viruses.

Administrators can create a list of non-throttled hostnames and IP addresses that are trusted and therefore exempt from the traffic shaping rules. For example, if an organization has several regional offices, the mail server of each regional office could be added to the Non-throttled Hosts list.

Depending upon how your organization's network is configured, you may have one or more intermediate MTAs between the sending host on the Internet and the Proofpoint Protection Server. Each intermediate MTA adds a Received header, so the IP address that connects to the Proofpoint Protection Server is that of your own relay rather than the original sender. Since you do not want to throttle traffic from the MTAs internal to your network, you can choose which Sending Host IP (which hop in the Received headers) the server treats as the original sending host for traffic analysis and rate control.

Administrators control how many messages the Proofpoint Protection Server uses for its traffic analysis and the time period over which the data for the analysis is collected. For example, if the Proofpoint Protection Server analyzes 20 messages originating from a specific IP address over a 24 hour period and determines that 90 percent of the messages contain spam, it discards messages from that connection.
As the messages analyzed from the IP address become "clean," the Proofpoint Protection Server automatically adjusts its policy and accepts messages from the IP address again, unless there is reason to apply a restrictive policy.

SMTP Rate Control Configurations

Use the Firewall > SMTP Rate Control > Configuration page to set the rate control parameters.

To set the general configurations for SMTP Rate Control:
1. Click On for Enable SMTP Rate Control.
2. Enter a number into the Minimum Message Sample Size By IP For Rate Control Analysis field. This number determines how many messages must be collected from an IP address before the analysis makes a decision for that address. The recommended number is
3. Enter a number into the Analyze Messages For The Past <value> Minutes field. This number determines the time period over which messages are analyzed per IP address. The recommended number is 1440 minutes (24 hours).
4. Enter a number into the Calculate Message Acceptance Rate Over The Past <value> Minutes field. The rate of incoming mail (messages per minute) is calculated over all messages received in this time period. The recommended value is 45 minutes.
5. Enter a number into the Spam Score Threshold Value field. Messages with a spam score above this threshold are counted as spam by the SMTP Rate Control calculations.
6. Enter a number into the Minimum Number of Message Recipients for DHA Test field. Messages with this minimum number of recipients are analyzed for a Directory Harvest Attack by SMTP Rate Control. If the Percent of Invalid Recipients DHA Threshold is also met, the throttle is applied. The recommended value is 5 recipients.
7. Enter a number into the Percent of Invalid Recipients DHA Threshold field. Messages with this percentage of invalid recipients are considered a Directory Harvest Attack by SMTP Rate Control. The recommended value is 75 percent.

Important: You must enable Recipient Verification in the Firewall in order for the Minimum Number of Message Recipients for DHA Test and Percent of Invalid Recipients DHA Threshold parameters to work; without it, the server has no way to tell valid recipients from invalid ones. Both conditions must be met in order for throttling to trigger. See Firewall Settings for information on enabling Recipient Verification.

8. Click Save Changes.

Related Topics: See Traffic Shaping with SMTP Rate Control for an introduction to the SMTP Rate Control feature.

Example: Rule for DHA

A Directory Harvest Attack (DHA) is an attempt by spammers to determine and collect the valid addresses on an email server so that these addresses can be added to a spam database. A typical DHA program uses one of these methods to collect valid addresses:
- It tries all possible alphanumeric combinations that could be used for the user name part of the address.
- It sends a message to the most likely user names, for example all combinations of a first initial followed by a common surname.

If you do not have a strategy in place to handle messages from a DHA, the server returns a "not found" reply for each address that is not legitimate. Addresses that are legitimate, and therefore not bounced, are collected by the DHA program and placed on a list for spammers to use.

You can protect your organization from a DHA by enabling Recipient Verification in the Firewall Module and enabling the rule that restricts messages suspected to be from a DHA.

DHA Settings and Recipient Verification

The SMTP Rate Control feature includes default settings for identifying a DHA on the Firewall > SMTP Rate Control > Configuration page. These parameters identify a DHA:
- Minimum Number of Message Recipients for DHA Test: messages with this minimum number of recipients are analyzed for a Directory Harvest Attack by SMTP Rate Control. If the Percent of Invalid Recipients DHA Threshold is also met, the throttle is applied.
- Percent of Invalid Recipients DHA Threshold: messages with this percentage of invalid recipients are considered a Directory Harvest Attack by SMTP Rate Control.

The default settings are 5 and 75 percent, respectively. These values and the other values on the Configuration page were determined through statistical analysis by Proofpoint.

Before you can create a rule for handling a DHA, you must enable Recipient Verification in the Firewall so that the DHA parameters in SMTP Rate Control can take effect. The DHA parameter values are meaningless unless incoming recipient addresses can be compared against the legitimate recipients within your organization. See General Recipient Verification Settings for information about enabling Recipient Verification.

Enabling the Rule for a DHA

The simplest case is when each message contains one recipient and that recipient is invalid. If 20 or more messages are sampled and each one is addressed to an invalid recipient, the DHA rule triggers. When each message is addressed to many recipients, some valid and some invalid, the sampling can become skewed. You want to keep a legitimate connection open (not throttled) when it sends a few messages with a majority of legitimate recipients, while rejecting (throttling) a connection that sends many messages with a majority of invalid recipients.

The Proofpoint Protection Server already includes a rule for a DHA. It triggers if 75 percent or more of the messages are addressed to invalid recipients, and limits the message acceptance rate to 1 message per minute. The Restrict Directory Harvest Attacks rule on the Firewall > SMTP Rate Control > Rules page should be enabled.

Creating SMTP Rate Control Rules

Use the Firewall > SMTP Rate Control > Rules page to enable, disable, add, or delete SMTP rate control rules. The Firewall Module includes these SMTP Rate Control rules that you can enable and use right away:
- reject: if 99 percent of the messages from an IP address contain a virus, or 99 percent of the messages from an IP address score as spam, stop accepting messages from the IP address.
- restrict: if 75 percent of the messages from an IP address contain a virus, or 75 percent of the messages from an IP address score as spam, restrict the number of messages accepted from that IP address to 6, and continue to process the messages that have already been accepted by the Proofpoint Protection Server.
- dha: default rule to stop a Directory Harvest Attack based upon the number of invalid recipients. See Example: Rule for DHA for an explanation.
- idle: default rule to restrict a Denial of Service attack in which a connection is opened and then stays idle, tying up one of the available sendmail connections.

Adding a Rate Control Rule

To create a new rate control rule:
1. Click Add Rule.
2. Enter a name for the rule into the ID field. This is an internal identifier that you cannot change later.
3. Enter a description for the rule into the Description field.
4. In the Basic view, click Add Condition. Otherwise, click Advanced and click the Click here to add a new condition link.
5. In the Add Condition pop-up window, select a condition from the Condition drop-down list. See Conditions in "Rules and Delivery Dispositions" for a description of each condition. Enter the appropriate values for the condition. For example, if you select Sender IP Address for the Condition, select an operator and enter a value for this condition. You can create a composite rule by appending several conditions with the AND or OR logical operators.
6. To add one entry at a time, click Add Condition. To add several entries, click Add and New Condition. Click Close when you are done.
7. Leave the Policy Routes check boxes clear if you want this rule to apply to all messages and connections. If you want to restrict processing, or disable processing, for messages or connections on specific Policy Routes, select the corresponding check boxes. See Policy Routes in "Rules and Delivery Dispositions" for more information.
8. Select the Quarantine message check box if you want a copy of the message to be stored in the Quarantine. Select a Quarantine folder from the drop-down list. If you want to create a new folder, click New Folder.
9. Select a Delivery Method: Continue, Reject, or Retry.
10. If you select the Continue delivery method and you want to restrict the traffic from the IP address, select the Limit message acceptance rate check box and enter a value into the messages/minute field. For example, if you enter 5, the Firewall restricts the number of messages accepted from the IP address to 5 per minute.

Note: Selecting the Continue delivery method together with Limit message acceptance rate gives the sending host no indication that it is being throttled. This is the recommended configuration.

11. Select the Change message headers check box if you want to add a header to the messages before they are quarantined.
12. Click Add Rule to save the rule.

Note: If you want to create a new rule that is similar to an existing rule, click Clone Rule on the Rules page. See Cloning Rules in "Rules and Delivery Dispositions." If you want to change the rule order, see Controlling Rule and Policy Order in "Rules and Delivery Dispositions."
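A model of the decisions described under SMTP Rate Control Configurations, Example: Rule for DHA and the default reject, restrict and dha rules above, as an added example; this is not Proofpoint's code and the product's actual algorithm is not visible on this page. The thresholds are the page's stated defaults. Assumptions, also noted in the code: the data model and function names; reading the DHA minimum recipient count as the total recipients seen in the sample (the only reading under which the one-recipient-per-message case above triggers); measuring the invalid ratio over recipients rather than messages; a spam score threshold of 80; and expressing the restrict rule's limit of 6 as messages per minute. The traffic is constructed.

```python
"""Model of the SMTP Rate Control decisions described above.

Added example; this is not Proofpoint's code and the product's real
implementation is not visible on this page. From the guide: the sample-size
gate, the spam-score threshold, the default reject (99%) and restrict (75%)
rules, the DHA parameters (5 recipients, 75% invalid), the non-throttled
exemption, and the dependency on Recipient Verification. Assumptions: the data
model and function names, treating the DHA minimum recipient count as the
total recipients in the sample, measuring the invalid ratio over recipients
rather than over messages, the spam threshold value of 80, and expressing the
restrict rule's limit of 6 as messages per minute.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Message:
    spam_score: float                    # score assigned by the spam engine
    has_virus: bool                      # antivirus verdict
    recipients: List[Tuple[str, bool]]   # (address, valid according to Recipient Verification)


@dataclass
class Config:
    min_sample: int = 12                 # Minimum Message Sample Size By IP
    spam_threshold: float = 80.0         # Spam Score Threshold Value (assumed value)
    dha_min_recipients: int = 5          # Minimum Number of Message Recipients for DHA Test
    dha_invalid_pct: float = 75.0        # Percent of Invalid Recipients DHA Threshold
    recipient_verification: bool = True  # without it, recipient validity is unknown
    non_throttled: FrozenSet[str] = frozenset()   # Non-throttled Hosts (IPs only here)


@dataclass
class Stats:
    """Counters matching the columns of the Connections page."""
    total: int = 0
    spam: int = 0
    virus: int = 0
    invalid_rcpt_msgs: int = 0   # messages with at least one invalid recipient
    recipients: int = 0
    invalid_recipients: int = 0


def pct(part: int, whole: int) -> float:
    return 100.0 * part / whole if whole else 0.0


def analyze(messages: List[Message], cfg: Config) -> Stats:
    """Tally a sample of messages from one sending IP."""
    s = Stats()
    for m in messages:
        s.total += 1
        s.spam += int(m.spam_score > cfg.spam_threshold)
        s.virus += int(m.has_virus)
        invalid = sum(1 for _, ok in m.recipients if not ok)
        s.recipients += len(m.recipients)
        s.invalid_recipients += invalid
        s.invalid_rcpt_msgs += int(invalid > 0)
    return s


Decision = Tuple[str, str, Optional[int]]   # (rule id, delivery method, messages/minute limit)


def decide(ip: str, s: Stats, cfg: Config) -> Decision:
    """Apply the exemption, the sample-size gate, then the default rules in order."""
    if ip in cfg.non_throttled:
        return ("non-throttled", "continue", None)
    if s.total < cfg.min_sample:            # not enough evidence yet
        return ("none", "continue", None)
    spam_pct, virus_pct = pct(s.spam, s.total), pct(s.virus, s.total)
    if spam_pct >= 99 or virus_pct >= 99:
        return ("reject", "reject", None)    # stop accepting from this IP
    if spam_pct >= 75 or virus_pct >= 75:
        return ("restrict", "continue", 6)   # keep processing, but throttle
    if (cfg.recipient_verification
            and s.recipients >= cfg.dha_min_recipients
            and pct(s.invalid_recipients, s.recipients) >= cfg.dha_invalid_pct):
        return ("dha", "continue", 1)        # Restrict Directory Harvest Attacks rule
    return ("none", "continue", None)


def evaluate_all(traffic: Dict[str, List[Message]], cfg: Config) -> Dict[str, Decision]:
    return {ip: decide(ip, analyze(msgs, cfg), cfg) for ip, msgs in traffic.items()}


def sample_traffic() -> Dict[str, List[Message]]:
    """Constructed sample traffic, not captured data."""
    def rcpts(valid: int, invalid: int) -> List[Tuple[str, bool]]:
        return ([(f"user{i}@example.com", True) for i in range(valid)]
                + [(f"bogus{i}@example.com", False) for i in range(invalid)])
    return {
        "203.0.113.10": [Message(95.0, False, rcpts(1, 0)) for _ in range(12)],   # 100% spam
        "203.0.113.20": [Message(95.0, False, rcpts(1, 0)) for _ in range(9)]
                        + [Message(5.0, False, rcpts(1, 0)) for _ in range(3)],   # 75% spam
        "203.0.113.30": [Message(5.0, False, rcpts(0, 1)) for _ in range(20)],    # 20 probes, all invalid
        "203.0.113.40": [Message(5.0, False, rcpts(4, 1)) for _ in range(12)],    # one typo per message
        "203.0.113.50": [Message(95.0, True, rcpts(1, 0)) for _ in range(5)],     # too few to judge
        "192.0.2.1":    [Message(95.0, True, rcpts(1, 0)) for _ in range(12)],    # exempt relay
    }


if __name__ == "__main__":
    cfg = Config(non_throttled=frozenset({"192.0.2.1"}))
    for ip, decision in evaluate_all(sample_traffic(), cfg).items():
        print(f"{ip:15} {decision}")
```

The 203.0.113.40 sender shows why the choice of ratio matters: every one of its messages has one bad recipient, so Invalid Rcpt % on the Connections page would read 100%, yet four out of five recipients are valid and the connection stays open, which is the outcome the DHA section asks for. The 203.0.113.50 sender is entirely virus traffic but still below the sample size, so no rule fires yet, and with recipient_verification set to False the dha rule can never fire, which is the point of the Important note above.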

Adding and Deleting a List of Non-throttled Hosts

Use the Firewall > SMTP Rate Control > Non-throttled Hosts page to add or delete non-throttled hosts. Create a list of hosts or IP addresses to exclude from traffic shaping and restricting. For example, your organization's internal and remote mail servers should be included on the Non-throttled Hosts list.

To exclude hosts and IP addresses from traffic shaping or restricting:
1. Click Add.
2. In the Add List Entry pop-up window, select a choice from the Filter Type drop-down list:
   - Sender Hostname: select this choice to add a hostname to the list.
   - Sender IP Address: select this choice to add an IP address to the list.
3. Select an operator from the Operator drop-down list.
4. Enter a value into the Value field.
5. To add one entry at a time, click Add Entry. To add several entries, click Add and New. Click Close when you are done.

To delete an entry from the Non-throttled Hosts list, select the check box for the item or items you want to delete, click Delete, and confirm.

Importing and Exporting Non-throttled Hosts

You can add many entries to the Non-throttled Hosts list at once by importing a file. The file must be an ASCII text file and must adhere to a specific format.

Important: If you have enabled the concurrent login feature for administrators (see Password Policies for Groups and Users), be aware that if two administrators import hosts at the same time, the changes from one administrator overwrite the other administrator's changes.

Use the Firewall > SMTP Rate Control > Non-throttled Hosts page to import or export a list of non-throttled hosts. The entries in the file must be in this format:

$<filter type>,<operator>,<value>

Each entry must be on a separate line, with commas separating the fields and no spaces.

Filter type   Corresponding web interface
$ip           Sender IP Address
$host         Sender Hostname

Operator      Corresponding web interface
equal         Equals
not_equal     Does Not Equal
match         Contains
not_match     Does Not Contain
regex         Matches Regular Expression
not_regex     Does Not Match Regular Expression

Here is an example of a Non-throttled Hosts list text file formatted for import:

$ip,not_match,123
$host,equal,hostname5
$ip,match,

Important: Each time you import a file into the Non-throttled Hosts list, the entries are appended to the existing list.

To import a list:
1. Click Import, and then enter the complete path to the text file that you want to import, or browse to it.
2. Click Import.

Exporting a list saves the information in the Non-throttled Hosts list into a comma-separated value text file.

To export a list:
1. On the Non-throttled Hosts tab, click Export.
2. You will be prompted to either save or open the file.

Managing Host or IP Connections

The statistics for the connections under analysis by SMTP Rate Control are maintained on the Firewall > SMTP Rate Control > Connections page. This page is also the starting point for many SMTP Rate Control management tasks. For example, you may want to reset a specific IP address that is being restricted by mistake, or immediately reset all connection statistics so that the analysis "starts over."

Displaying Statistics

Use the Show drop-down list to display connection statistics for the following views:
- All Unique IP Addresses: the data in the table reflects statistics for all of the IP addresses sending messages to the Proofpoint Protection Server.
- Previously Throttled IP Addresses: the data in the table reflects statistics for IP addresses that were previously restricted because they triggered an SMTP Rate Control rule.
- Currently Throttled IP Addresses: the data in the table reflects statistics for IP addresses that are currently restricted because they triggered an SMTP Rate Control rule.

Filtering for Specific Data

To search for specific host names or IP addresses in the Connections table, enter a word, word pattern, or number into the Find field and click Search. The page refreshes, displaying the matches at the top of the table.

Refreshing the Data

To refresh the table data on the Connections page at specific time intervals, select an interval from the Refresh Every drop-down list.

Connections Table Information

The table on the Connections page displays the following information:
- Hostname: name of the sending host, if it can be resolved from a DNS entry. If the hostname cannot be resolved, the IP address for the host is displayed.
- IP Address: IP address of the sending host.
- Total Msgs: total number of messages sent from the sending connection.
- Msgs/Min: calculated messages per minute sent from the sending connection.
- Spam Msgs: total number of messages that contain spam from the sending connection.

- Spam %: percentage of messages containing spam, calculated from the total number of messages sent from the sending connection.
- Virus Msgs: total number of messages that contain a virus from the sending connection.
- Virus %: percentage of messages containing a virus, calculated from the total number of messages sent from the sending connection.
- Invalid Rcpt Msgs: total number of messages sent to invalid recipients.
- Invalid Rcpt %: percentage of total messages that were sent to invalid recipients.

Connection Management Tasks

Use the Options drop-down menu on the Connections page to complete SMTP Rate Control management tasks. Select the check box for the hostname or IP address to which you want to apply the management task, and then click the appropriate action in the Options drop-down menu.
- Add IP To Blocked List: adds the IP address to the Firewall Blocked list. Messages from the IP address are rejected with no further processing or filtering by the Proofpoint Protection Server. See Creating an Access List for more information about the Blocked list.
- Add Hostname To Blocked List: adds the hostname to the Firewall Blocked list. Messages from the sending host are rejected with no further processing or filtering by the Proofpoint Protection Server.
- Add IP To Non-throttled Hosts: adds the IP address to the Non-throttled Hosts list. See Adding and Deleting a List of Non-throttled Hosts for more information.
- Add Hostname To Non-Throttled Hosts: adds the hostname to the Non-throttled Hosts list.
- Reset Host Stats: resets the statistics gathering and analysis for the selected host or IP address. You may want to reset an IP address that is being restricted by mistake, or reset a connection immediately rather than waiting for the automatic recalculation, whose interval is set by the Calculate Message Acceptance Rate Over The Past <value> Minutes parameter. See SMTP Rate Control General Settings for more information.
- Reset All Stats On Server: resets all of the connection statistics that SMTP Rate Control uses to determine which connections should be restricted. That is, the data collection "starts over" for analysis.

Firewall Rules and Filtering Order

The Firewall Module filters messages by both connection and message attributes and provides access lists that determine which senders are trusted sources (trusted) and which senders are untrusted sources (blocked). The connection and message attributes are filtered by the Firewall rules in a pre-determined order. If necessary, you can also change the pre-determined filtering order. See "Controlling Rule Order" in Creating Firewall Rules for more information.

Use the Firewall > Rules page to complete these tasks:
- Create new rules and access lists.
- Edit existing or default access lists.

Default Firewall Rules

The Proofpoint Protection Server includes the following Firewall rules that you can enable and start using right away:
- system: accepts messages generated internally by the Proofpoint Protection Server (for example, alerts), but does not accept messages from the HELO domain "localhost" because these messages may be undeliverable.
- limit: temporarily rejects messages from an IP address that exceeds the concurrent connection limit.
- blocked: rejects any message originating from a specific host. To create the list of blocked hosts, click Edit List.

- trusted: accepts any message originating from a specific host or IP address. Messages from trusted hosts are delivered to the infrastructure. To create the list of trusted hosts, click Edit List.
- maxsize: rejects messages or attachments that are larger than the specified limit.

Note: If you split a gzip archive before sending it, you run the risk of triggering the maxsize rule. The rule is designed to prevent the filtering engines from inflating a split archive, because inflation may take a very long time.

- attacherr: if a message has an archive attachment of type zip, rar, or tar and the archive is corrupt or takes too long to process, the message is sent to the Quarantine.
- exestrip: deletes the listed attachments from the message and continues to filter the message through the other modules.
- offensive: scans messages for words in the offensivewords dictionary. If a message scores high enough for containing offensive words, it is sent to the Quarantine with the subject header "contains offensive language."
- prs: scans messages for the Proofpoint Dynamic Reputation netmlx score. If the score is greater than or equal to 80, the message is rejected.
- maxduration: limits the maximum filtering engine processing time to 180 seconds per message. For example, if a message contains several archives embedded within other archives and it takes longer than 180 seconds to process the message, the message is rejected with a reply to the original sender.
- subjectline_encrypt: for Proofpoint Encryption. Encrypts messages that include [encrypt] in the message subject.
- response_encrypt_external: for Proofpoint Encryption. Applies to messages from recipients who reply to an encrypted message. The rule splits the message so that encryption is applied where appropriate. For example, if a sender sends an encrypted message to both internal and external recipients, and each recipient replies to or forwards the message, the message is split: copies are sent in clear text to the internal recipients, and copies are encrypted and sent to the external recipients. The Branding Template used for this rule is the original message brand, not the Branding Template selected in the rule.
- desktop_plugin_encrypt: for Proofpoint Encryption. This rule works with the Proofpoint Encryption Plug-in for Microsoft Outlook, which adds a Send Securely button to the Outlook interface.

If messages trigger the system, blocked, trusted, or maxsize rules, the messages are immediately rejected or delivered to the infrastructure, with no further filtering.

Filtering Order

Messages are filtered in this order of envelope criteria:
1. Sender Hostname, Sender IP Address, Total Connections, Total Concurrent Connections, and Total Messages.
2. Sender HELO Domain.
3. Envelope Sender.
4. Envelope Recipient.
5. Number of Recipients.
6. Message Headers.
7. Message Size.
8. Attachment File Count, Attachment File Size, and File Size, Count, and Depth in Archive.
9. File Extension, MIME Type, sub-type, URI, Message Encryption, Message Body Text, Any Part of the Message, and Filename.

Creating Firewall Rules

Navigate to the Firewall > Rules page. You can create a simple rule that applies one condition to a message, or build complex rules by appending several conditions to a single rule with the AND or OR logical operators. You cannot build a complex rule if the first condition is defined by a list of values. See Creating and Managing Composite Rules in "Rules and Delivery Dispositions."

Note: If you want to create a new rule that is similar to an existing rule, click Clone Rule on the Rules page. See Cloning Rules in "Rules and Delivery Dispositions." If you want to change the rule order, see Controlling Rule and Policy Order in "Rules and Delivery Dispositions."

Important: You cannot create a rule with more than one condition if one of the conditions is defined by a list of values. To create a rule with a list of values for a condition, the list of values must be the first and only condition for the rule.

To create a Firewall rule:
1. Click Add Rule.
2. Enable the new rule by selecting On for the Enable parameter.
3. Enter an identifier for the rule into the ID field. This identifier is used internally to track the rule.
4. Enter a name or description for the rule into the Description field.
5. Leave the Policy Routes check boxes clear if you want this rule to apply to all messages and connections. If you want to restrict processing, or disable processing, for messages or connections on specific Policy Routes, select the corresponding check boxes. See Policy Routes in "Rules and Delivery Dispositions" for more information.
6. In the Basic view, click Add Condition. Otherwise, click Advanced to build a rule in the Advanced view, and click the Click here to add a new condition link or the plus sign icon (+) to add a new condition.
7. In the Add Condition pop-up window, select one or more conditions that you want to apply to this rule. For each condition, choose an operator from the list and, where applicable, enter a value into the field. The list of operators varies according to the condition. See Conditions in "Rules and Delivery Dispositions" for a description of each condition, and Operators in "Rules and Delivery Dispositions" for a description of each operator.

Note: For each of the attributes Sender IP Address, Sender Hostname, Sender HELO Domain, Envelope Sender, and Envelope Recipient, enter a single value in the field, or click the Create list of values radio button to apply the rule to a list of values. A list of values can only be used as the first and only condition; the option is unavailable when you are adding an additional condition to a rule.

8. To add one entry at a time, click Add Condition. To add several entries, click Add and New Condition. Click Close when you are done.
9. If you also want to send a copy of the message to the Quarantine, select Quarantine message. Select a folder from the Folder drop-down list, or click New Folder if you want to add a new folder to the Quarantine. See Quarantine Option in "Rules and Delivery Dispositions" for more information.
10. Make a selection from the Delivery Method radio buttons. See About Delivery Dispositions in "Rules and Delivery Dispositions" for more information.
11. Make your selections and entries in the Delivery Options section of the page. See Delivery Options in "Rules and Delivery Dispositions" for more information.
12. Click Add Rule to save the rule.

Creating and Populating an Access List

The Proofpoint Protection Server includes two default Firewall rules that are authoritative: Trusted Source and Blocked. Entries on the Trusted Source list are delivered to recipients without further processing, and entries on the Blocked list are rejected without further processing. The Trusted and Blocked Access Lists are initially empty; you must populate the lists with the addresses that your organization trusts as legitimate sources or rejects as potentially dangerous.

The Access Lists for the Trusted Source and Blocked rules are comprised of entries for Sender IP Address or Sender Hostname. These are the only two Access Types that you can select when you populate the Access Lists for the Trusted Source and Blocked rules. When you create a new rule, you can create Access Lists for the following attributes:
- Envelope Sender

- Envelope Recipient
- Sender IP Address
- Sender Hostname
- Sender HELO Domain

To create an Access List, you must first create a rule for the Access List, and then populate the list with the addresses to which you want to apply the rule.

To create and populate an Access List:
1. Create the rule, using the instructions in Creating Firewall Rules.
2. In the Basic view, click Add Condition. Otherwise, click Advanced to build a rule in the Advanced view, and click the Click here to add a new condition link or the plus sign icon (+) to add a new condition.
3. In the Add Condition pop-up window, select one of the following conditions to apply to the Access List: Sender IP Address, Sender Hostname, Sender HELO Domain, Envelope Sender, or Envelope Recipient.
4. Select an operator from the Operator list.
5. Select the Create List of Values radio button.
6. Click Add Condition.
7. Click Add Rule.
8. Click the Edit List button for the rule you just created in order to populate the Access List for the rule.
9. On the Access List page, click Add.
10. Select an operator from the Operator drop-down list. See Operators in "Rules and Dispositions" for a description of each operator.
11. Enter the appropriate text for the entry into the Value field: for example, an IP address if you are filtering messages by IP address, or an email address if you are filtering by sender or recipient.
12. To add one entry at a time, click Add Address. To add several entries, click Add and New. Click Close when you are done.

Global lists are described in Adding Senders to the Global Blocked Senders List and Adding Senders to the Global Safe Senders List in "Quarantine."

Importing Entries into an Access List

You can add many entries to an Access List at once by importing a file. The file must be an ASCII text file and must adhere to a specific format. Create a separate file for each Access Type; for example, create separate files for Sender IP Address, Envelope Recipient, Sender Hostname, Sender HELO Domain, and Envelope Sender entries.

Important: If you have enabled the concurrent login feature for administrators (see Password Policies for Groups and Users), be aware that if two administrators import entries at the same time, the changes from one administrator overwrite the other administrator's changes.

The entries in the file must be in this format:

$<access_type>,<operator>,<address>

Each entry must be on a separate line, with commas separating the fields and no spaces.

Access type   Corresponding management interface parameter
$ip           Sender IP Address
$rcpt         Recipient Address
$host         Sender Hostname
$helo         Sender HELO Domain Name
$from         Sender Address

Operator      Corresponding management interface parameter
equal         Equals
not_equal     Does Not Equal
match         Contains
not_match     Does Not Contain
regex         Regular Expression Match
not_regex     Does Not Match Regular Expression

Important: Several regular expression metacharacters must be escaped to become literal characters. See Using Regular Expressions for a list.

Here are two examples of Access List entries formatted for import into the Firewall:

$ip,not_match,123
$ip,match,457

Important: Each time you import a file into an Access List, the entries are appended to the existing list; the entries in the file do not replace the existing ones. To delete entries from an Access List, you must use the management interface.

To import a text file into an existing Access List:
1. Create a file using the format described above and save it to a temporary location.
2. Navigate to the Firewall > Rules page.
3. Click Edit List next to the Rule ID for which you want to import entries into the Access List.
4. Click Import.
5. In the Access List File pop-up window, enter the directory location and filename for the file into the Access List Filename field, or click Browse to locate the file.
6. Click Import, and then Close.

Exporting Entries from an Access List

Exporting an Access List saves the entries into a comma-separated value text file.

To export an Access List:
1. Navigate to the Firewall > Rules page.
2. Click Edit List next to the Rule ID for which you want to export entries.
3. Click Export.
4. You will be prompted to save the file in a directory location. The default name for the file is <access_list_name>.csv.
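A parser and matcher for the $<type>,<operator>,<value> import format, covering both the Non-throttled Hosts file described earlier and the Access List file above, as an added example; this is not Proofpoint's importer. The line format, the access types, the operators and the append-on-import behaviour come from the guide. Assumptions: comparing equal and match case-insensitively, treating a missing attribute as a non-match, allowing commas inside the value (only the first two commas separate fields), the function names, and the sample lines marked as constructed.

```python
"""Parser and matcher for the $<type>,<operator>,<value> import format used by
the Non-throttled Hosts list and by Firewall Access Lists.

Added example; not Proofpoint's code. The line format, the five access types,
the six operators and their web-interface meanings, and the append-on-import
behaviour come from the guide. Assumptions: case-insensitive "equal" and
"match" (hostnames and addresses are case-insensitive in practice), a missing
attribute counting as a non-match, commas allowed inside the value, and the
function names.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

ACCESS_TYPES = {            # file token -> attribute name used in this example
    "$ip": "ip",            # Sender IP Address
    "$host": "host",        # Sender Hostname
    "$helo": "helo",        # Sender HELO Domain Name
    "$from": "from",        # Sender (envelope) Address
    "$rcpt": "rcpt",        # Recipient (envelope) Address
}
NON_THROTTLED_TYPES = frozenset({"$ip", "$host"})   # the only types that page accepts
OPERATORS = frozenset({"equal", "not_equal", "match", "not_match", "regex", "not_regex"})


@dataclass(frozen=True)
class ListEntry:
    attr: str    # "ip", "host", "helo", "from" or "rcpt"
    op: str      # one of OPERATORS
    value: str

    def test(self, attrs: Dict[str, str]) -> bool:
        """True when the connection/message attributes satisfy this entry."""
        subject = attrs.get(self.attr)
        if subject is None:
            return False
        negate = self.op.startswith("not_")
        base = self.op[4:] if negate else self.op
        if base == "equal":
            hit = subject.casefold() == self.value.casefold()
        elif base == "match":                      # "Contains": a substring test
            hit = self.value.casefold() in subject.casefold()
        else:                                      # "regex"
            hit = re.search(self.value, subject) is not None
        return not hit if negate else hit


def parse_line(line: str, allowed: FrozenSet[str] = frozenset(ACCESS_TYPES)) -> ListEntry:
    """Parse one import line; raises ValueError for anything the importer would reject."""
    if re.search(r"\s", line):
        raise ValueError(f"whitespace is not allowed: {line!r}")
    parts = line.split(",", 2)
    if len(parts) != 3 or not parts[2]:
        raise ValueError(f"expected $<type>,<operator>,<value>: {line!r}")
    atype, op, value = parts
    if atype not in allowed:
        raise ValueError(f"access type {atype} not allowed here: {line!r}")
    if op not in OPERATORS:
        raise ValueError(f"unknown operator {op!r}: {line!r}")
    if op.endswith("regex"):
        try:
            re.compile(value)
        except re.error as exc:
            raise ValueError(f"bad regular expression in {line!r}: {exc}") from exc
    return ListEntry(ACCESS_TYPES[atype], op, value)


def parse_import_file(text: str, allowed: FrozenSet[str] = frozenset(ACCESS_TYPES),
                      single_type: bool = False) -> List[ListEntry]:
    """Parse a whole file; single_type enforces one access type per Access List file."""
    entries = [parse_line(line, allowed) for line in text.splitlines() if line]
    if single_type and len({e.attr for e in entries}) > 1:
        raise ValueError("an Access List import file must contain a single access type")
    return entries


def import_entries(existing: List[ListEntry], imported: List[ListEntry]) -> List[ListEntry]:
    """Imports append; nothing is replaced and duplicates are kept (delete them in the UI)."""
    return existing + imported


def any_match(entries: List[ListEntry], attrs: Dict[str, str]) -> bool:
    """A list matches when any entry does: exempt from throttling, or fire the access rule."""
    return any(e.test(attrs) for e in entries)


def negated_entries(entries: List[ListEntry]) -> List[ListEntry]:
    """Entries using a not_* operator match almost every host; review them in a trust list."""
    return [e for e in entries if e.op.startswith("not_")]


# Constructed samples: the guide's Non-throttled Hosts lines (the truncated third line
# omitted) plus an Access List file for a recipient rule.
SAMPLE_NON_THROTTLED = "$ip,not_match,123\n$host,equal,hostname5\n$ip,match,457\n"
SAMPLE_ACCESS_LIST = "$rcpt,regex,^(postmaster|abuse)@\n$rcpt,equal,helpdesk@example.com\n"

if __name__ == "__main__":
    nt = parse_import_file(SAMPLE_NON_THROTTLED, allowed=NON_THROTTLED_TYPES)
    for ip in ("203.0.113.5", "10.123.4.5", "2001:db8::123:457"):
        print(ip, "exempt" if any_match(nt, {"ip": ip, "host": "mx.example.net"}) else "throttled")
    print("negated:", [f"${e.attr},{e.op},{e.value}" for e in negated_entries(nt)])
```

Two checks fall out of the operator semantics. A not_match or not_equal entry in a trust list matches almost everything: the $ip,not_match,123 example exempts every IP address that does not contain the digits 123, so negated_entries() is worth running on a Non-throttled Hosts file before importing it. And because match is a substring test, $ip,match,457 can never match an IPv4 address (no octet exceeds 255, and dots separate the octets); it only matches an IPv6 literal that contains those digits.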

Deleting and Modifying Entries on an Access List

Navigate to the Firewall > Rules page and click Edit List for the rule.

To delete entries from a list:
1. On the Access List page, select the check box next to the entries you want to delete. You can select several at once.
2. Click Delete.
3. Click OK to confirm the deletion.

To modify an entry on an Access List:
1. On the Access List page, click the entry you want to change, in the Access Type, Condition, or Address column.
2. In the Change List Entry pop-up window, make your changes to the Value or Operator fields.
3. Click Save Changes.

Note: Whenever you click the Edit List button on a Rule page, you will see an "Updated Successfully" message even if you did not make any changes.

Enabling or Disabling a Rule

You have the following options for enabling or disabling Firewall rules:
- Navigate to the Firewall > Rules page and select or clear the check box in the Enabled column for the rule.
- Click Edit Rule on the Firewall > Rules page and select Off or On for the Enable parameter for the rule.
- Create a rule and select Off or On for the Enable parameter for the new rule.
Click Save Changes when you are done.

Deleting or Editing a Rule

Navigate to the Firewall > Rules page.

To delete a rule:
1. Click Delete for the rule you want to remove.
2. Confirm the deletion.

To edit a rule:
1. Click Edit Rule for the rule you want to change.
2. Make your changes on the Rule page.
3. Click Save Changes.

About Bounce Management

When spammers forge sender addresses in your organization's domain, the resulting bounce messages (backscatter) come back to your organization. Bounce Management solves this problem by using a key to sign the envelope sender of your organization's outbound messages. The signature is then used to verify inbound bounce notifications: bounces caused by spam that forged your domain do not carry a valid signature and can therefore be blocked.

Note: Additional work is required to support Bounce Management on a Proofpoint Protection Server deployment (software-only installation). Refer to the Configuring Bounce Management section of the Proofpoint Protection Server Installation Guide for instructions.

If you enable Bounce Management for your organization, the key is used to generate and add a signature to the envelope sender for outbound email. Inbound messages for your organization that resulted from non-delivery (bounced messages) are validated for legitimate signatures. Legitimate bounced email is processed by the filtering engines and the signature is stripped as part of the filtering process.

You can verify that Bounce Management is in effect by viewing entries in the sendmail (MTA) log and filter log on the Logs and Reports > Log Viewer page. Here are some examples of what you will see in the log:
to=<prvs> (MTA log)
Milter chgfrom: prvs= (MTA log)
orcpt=prvs= (filter log)
mod=batv (filter log)
address=strip (filter log)
address=sign (filter log)

The Proofpoint Protection Server includes a default Bounce Management policy with default validation rules that will apply Bounce Management as soon as you enable it. Enable Bounce Management, wait one week, then enable the emptysender rule.

Overview
Bounce Management entails the following configuration tasks:
- Enable Bounce Management on the Firewall > Bounce Management > General page. By default, Bounce Management signing is disabled for the default_inbound Policy Route.
- Verify that automatic stripping of Bounce Address Tag Validation signatures is applied to inbound email on the Rules page.
- Create new policies and rules for signature verification on the Policies page (optional).
- Create reports for Bounce Management using the Logs and Reports > Report Viewer page.
Note: When you first enable Bounce Management, do not enable the rules for Envelope Recipient Address Signature Is Not Present on the Bounce Management > Rules page for at least one week. Otherwise legitimate (bounced) email that was sent before you enabled Bounce Management will be discarded.

Enabling Bounce Management
Enable Bounce Management on the Firewall > Bounce Management > General page. See About Bounce Management for an introduction and overview.
When you enable Bounce Management:
- Bounce Management is excluded by default from the Policy Route named default_inbound.
- Email messages not in the default_inbound Policy Route are signed with a key.
- Signatures are stripped from messages for the default_inbound Policy Route.
- The Default Bounce Management Policy is enforced.
- The rules for the Default Bounce Management Policy are enforced:
  - If the inbound message contains a valid signature in the envelope Recipient, strip the signature and continue to process the message.
  - If the inbound message contains a signature in the envelope Recipient that has expired or is invalid, discard the message and send a copy of the message to the Bounce Management Quarantine folder.
  - If the inbound message is from a null Sender and does not contain a signature in the envelope Recipient at all, discard the message and send a copy of the message to the Bounce Management Quarantine folder.
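The sign, strip and validate flow behind the default rules above, as an added example that is not Proofpoint code: it uses the prvs tag layout from the BATV draft (one key-slot digit, a three-digit expiry day, six hex characters of an HMAC), which is an assumption about how the product formats the tag the logs show as prvs=; the key-slot model follows the rotation described on the Keys page (the next slot becomes current, the previous key is kept for one more rotation) and the seven-day validity window from this guide. Addresses, day numbers and keys are constructed.

```python
"""BATV-style bounce address tagging with key slots (added example, not Proofpoint code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

VALID_DAYS = 7          # the guide: a Bounce Management signature is valid for seven days
TAG_PREFIX = "prvs="    # the tag that appears in the MTA and filter log entries


@dataclass
class KeyRing:
    """Numbered key slots, modelled on the Keys page description (assumed model)."""
    keys: dict[int, bytes] = field(default_factory=dict)
    current: int = 0

    @classmethod
    def new(cls) -> KeyRing:
        # Two keys are generated by default: slot 0 (current) and slot 1
        return cls({0: secrets.token_bytes(20), 1: secrets.token_bytes(20)}, 0)

    def rotate(self) -> None:
        """Monthly rotation: the next slot becomes current, a fresh key is generated
        one slot ahead, and the key two rotations back is discarded."""
        self.current += 1
        self.keys[self.current + 1] = secrets.token_bytes(20)
        self.keys.pop(self.current - 2, None)


def _mac(key: bytes, slot_digit: int, expiry: int, address: str) -> str:
    """Six hex characters of HMAC-SHA1 over the tag fields and the address (BATV draft)."""
    msg = f"{slot_digit}{expiry:03d}{address}".encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()[:6]


def sign(ring: KeyRing, sender: str, today: int) -> str:
    """Rewrite the envelope sender as prvs=KDDDSSSSSS=sender (today = day counter)."""
    expiry = (today + VALID_DAYS) % 1000          # DDD: expiry day, modulo 1000
    digit = ring.current % 10                      # K: at most ten live slots
    sig = _mac(ring.keys[ring.current], digit, expiry, sender)
    return f"{TAG_PREFIX}{digit}{expiry:03d}{sig}={sender}"


def verify(ring: KeyRing, recipient: str, today: int) -> tuple[str, str]:
    """Return (result, stripped_address); result is valid, invalid, expired or missing."""
    if not recipient.startswith(TAG_PREFIX):
        return "missing", recipient
    try:
        tag, address = recipient[len(TAG_PREFIX):].split("=", 1)
        if len(tag) != 10:
            raise ValueError("bad tag length")
        digit, expiry, sig = int(tag[0]), int(tag[1:4]), tag[4:10]
    except (ValueError, IndexError):
        return "invalid", recipient
    # A bounce must arrive within VALID_DAYS of signing; later (or wrapped) is expired
    if (expiry - today) % 1000 > VALID_DAYS:
        return "expired", address
    candidates = [k for slot, k in ring.keys.items() if slot % 10 == digit]
    if not any(hmac.compare_digest(_mac(k, digit, expiry, address), sig)
               for k in candidates):
        return "invalid", address          # unknown slot or tampered tag/address
    return "valid", address


def default_policy(ring: KeyRing, envelope_sender: str,
                   envelope_recipient: str, today: int) -> tuple[str, str]:
    """Apply the default Bounce Management rules; returns (disposition, recipient)."""
    result, address = verify(ring, envelope_recipient, today)
    if result == "valid":
        return "continue", address                 # strip the signature, keep filtering
    if result in ("invalid", "expired"):
        return "discard+quarantine", address
    # No signature: only a null-sender message (a bounce) is treated as forged
    if envelope_sender == "":
        return "discard+quarantine", address
    return "continue", address


if __name__ == "__main__":
    ring = KeyRing.new()
    day = 19000                                    # constructed day counter
    tagged = sign(ring, "alice@example.com", day)  # what "address=sign" produces
    print(tagged)
    for offset, sender in ((3, ""), (9, ""), (0, "bob@example.org")):
        print(offset, default_policy(ring, sender, tagged, day + offset))
    print(default_policy(ring, "", "alice@example.com", day))   # unsigned null-sender bounce
```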
Enabling Automatic Key Rotation
Automatic key rotation is enabled by default. For security purposes, it is good practice to allow automatic key rotation. When automatic key rotation is enabled, old keys are replaced with new keys that are automatically generated every month. When a new key is generated, the old key remains in the system for one additional month, so that messages signed with the old key can continue to be verified when the replacement (new) key is distributed.
Important: If you are sharing keys between clusters, disable automatic key rotation.

Generating Keys
Generate keys on the Firewall > Bounce Management > Keys page. Two keys are generated and provided by default. Key rotation works as follows:
- On the first rotation, a new key is created for Slot 2 and the key in Slot 1 becomes current.
- On the second rotation, a new key is created for Slot 3 and the key in Slot 2 becomes current. The key in Slot 0 is discarded.
- On the third rotation, a new key is created for Slot 4 and the key in Slot 3 becomes current. The key in Slot 1 is discarded.
You can generate up to eight additional keys for use by the Bounce Management key rotation, for a total of 10 keys. The current key that is used for signing outbound mail is selected in the Current column.
When automatic key rotation is enabled, new keys are generated every month to replace old keys. When a new key is generated, the old key that it replaces is maintained in the system for a month so that inbound mail signed with the old key can be verified.
Important: If you have disabled automatic key rotation and want to manually rotate a key, generate a key for the next slot and select the next key in the Current column.
The Bounce Management signature is valid for seven days. If a legitimate message bounces back to your organization, it must bounce back within seven days of its original signed and sent date in order to be verified as legitimate.
To generate a key, click Generate. The unencrypted key displays on the page.

Sharing Keys between Clusters
If you have several clusters in your deployment, you need to share the same keys between the clusters. If Cluster 1 is using key X to sign all outbound mail, and Cluster 2 is filtering inbound mail, Cluster 2 will need key X in the same slot to validate the signatures for legitimate inbound mail. To share a key between clusters, copy and paste the key from one cluster to the other clusters. The key must be pasted in the same numbered slot in the destination cluster as in the source cluster. This is a manual process.
Important: If you are sharing a key between clusters, disable automatic key rotation.

Creating Bounce Management Policies and Rules
The Proofpoint Protection Server ships with a default Bounce Management policy that includes several rules for signature verification. You can edit the existing rules for the default policy, or create new rules for the default policy for handling bounced messages that do not contain the signature. You can create as many policies as you need, configure unique rules for each policy, and apply different Bounce Management policies to different Policy Routes.
To create a new Bounce Management policy:
- Create Policy Routes on the System > Policy Routes page for outbound mail streams.
- Create a Bounce Management policy on the Firewall > Bounce Management > Policies page, or clone a new Bounce Management policy from an existing Bounce Management policy.
- On the Firewall > Bounce Management > Rules page, restrict the processing to inbound mail streams.
- Edit the Bounce Management rules as needed.

Creating and Changing Validation Rules
Every Bounce Management policy contains rules that will trigger if one of the following conditions is met: the envelope recipient signature is valid, the envelope recipient signature is invalid or expired, or the envelope recipient signature is missing.
- Envelope Recipient Address Signature Is Valid: if the message envelope recipient contains a valid signature, the message continues to process through the filtering modules. To make changes to the disposition of this rule, click Edit. You cannot change the condition for this rule.

- Envelope Recipient Address Signature Is Invalid or Expired: if the message envelope recipient contains an invalid or expired signature, a copy of the message is sent to the Quarantine folder Bounce Management and the original message is discarded. To make changes to the disposition of this rule, click Edit. You cannot change the condition for this rule.
- Envelope Recipient Address Signature Is Not Present: these rules are evaluated if the message envelope recipient does not contain a signature. The purpose of these rules is to distinguish messages that are bounces from messages that are not bounces. You can create additional rules to trigger for specific conditions. For example, you can create a rule where if Any Part of Message Contains "out of office", continue processing the message and send a copy of the message to a folder in the Quarantine. The rule will trigger if the envelope subject contains "out of the office" and the envelope recipient signature is not present. When you have several rules listed for the Envelope Recipient Address Signature Is Not Present condition, the first rule to trigger will prevail. Click Add Rule to create a new rule, or Clone Rule to create a new rule that is based upon an existing rule.

Creating a Bounce Management Policy
To create a Bounce Management policy:
1. Click Add Policy on the Policies page.
2. Enter a name and a description for the policy.
3. If you want to create the new policy based upon an existing policy, select an existing policy from the Clone Bounce Management Policy Rules From list.
4. For Policy Routes, make your selections from the Restrict and Disable lists. See Policy Routes in "Rules and Delivery Dispositions" for more information about Policy Routes.
5. Click Strip signature from envelope recipient address to enable this parameter for inbound Policy Routes only. Inbound messages with legitimate keys will have the key stripped from them as they are filtered by the Proofpoint Protection Server. Bounce Management policies are not applicable to outbound Policy Routes.
6. Save your changes.

Adding or Editing Validation Rules
Use either of these methods to add or edit rules for a Bounce Management policy:
- Click the policy name on the Policies page, or
- Go to the Rules page.
To edit a rule:
1. Click Edit Rule for the condition for which you want to change the rule settings.
2. If you have more than one policy, verify the name of the policy or select a policy from the Policy list.
3. If you also want to send a copy of the message to the Quarantine, select Quarantine message. Select a different folder from the Folder drop-down list, or click New Folder if you want to add a new folder to the Quarantine. See Quarantine Option in "Rules and Delivery Dispositions" for more information.
4. Make a selection from the Delivery Method radio buttons. See About Delivery Dispositions in "Rules and Delivery Dispositions" for more information.
5. Make your selections and entries in the Delivery Options section of the page. See Delivery Options in "Rules and Delivery Dispositions" for more information.
Click Save Changes.
To add a rule to the Envelope Recipient Address Signature Is Not Present condition:
1. Click Add Rule, or click Clone Rule to clone a new rule from an existing rule.
2. Click On to enable the new rule.
3. Enter a name for the rule into the ID field.
4. In the Basic view, click Add Condition. Otherwise, click Advanced to build a rule in the Advanced view, and click the link Click here to add a new condition or the plus sign icon (+) to add a new condition.
5. In the Add Condition pop-up window, select one or more conditions that you want to apply to this rule. For each condition, choose an operator from the list and, where applicable, enter a value into the field. The list of operators will vary according to the condition you apply. See Conditions in "Rules and Delivery Dispositions" for a description of each condition. See Operators in "Rules and Delivery Dispositions" for a description of each operator.

6. To add one entry at a time, click Add Condition. To add several entries, click Add and New Condition. Click Close when you are done.
7. If you also want to send a copy of the message to the Quarantine, select Quarantine message. Select a folder from the Folder drop-down list, or click New Folder if you want to add a new folder to the Quarantine. See Quarantine Option in "Rules and Delivery Dispositions" for more information.
8. Make a selection from the Delivery Method radio buttons. See About Delivery Dispositions in "Rules and Delivery Dispositions" for more information.
9. Make your selections and entries in the Delivery Options section of the page. See Delivery Options in "Rules and Delivery Dispositions" for more information.
10. Click Add Rule to save the rule.
Here is an example of a rule to discard messages that do not contain a signature for the envelope recipient: if Any Part of the Message Contains "message not deliverable" OR Sender Address Equals "", discard the message and send a copy to the Quarantine.

About DKIM
DomainKeys Identified Mail (DKIM) signing provides a method for end-to-end authentication of email originating from your organization. When enabled, messages originating from your organization will include a DKIM signature that can be verified by the receiving organization if the receiving organization has DKIM verification capability. DKIM signing uses the RSA public key encryption scheme to add a header field named "DKIM-Signature" that contains a digital signature of the contents of the mail message. The advantage of enabling DKIM signing is that it protects the identity of the message signer and the integrity of the message. For more details about DKIM signing, refer to the DKIM RFC.

Overview
The DKIM signing feature is disabled by default. To enable DKIM signing, follow these steps in order:
1. On the Firewall > DKIM > General page, enable DKIM and save your changes.
2. On the Firewall > DKIM > Keys page, generate or import a key and select the Policy Routes to which DKIM signing with the key will apply. When you add a key, it is disabled until you enable it.
3. Publish the key to DNS.
4. Test the DNS text record. It will take a few minutes for the DNS update to take effect.
5. Enable the key.
6. Save your changes.

Enabling DKIM and Editing the DKIM Error Rule
Enable DKIM on the Firewall > DKIM > General page and then save your changes.
Important: If you enable DKIM and do not configure the domains and selectors on the Firewall > DKIM > Keys page, none of the outgoing messages will contain a DKIM signature.

Editing the DKIM Error Rule
If DKIM cannot read the key for a message, or if the key is malformed or corrupted, the message is temporarily rejected. You can edit the DKIM Error rule by clicking Edit Rule.
To edit the DKIM Error rule:
1. Click Edit Rule.
2. On the Rule page, make your changes to Quarantine message, if applicable. See Quarantine Option in "Rules and Delivery Dispositions" for more information.

3. Make a selection from the Delivery Method radio buttons. See About Delivery Dispositions in "Rules and Delivery Dispositions" for more information.
4. If you want to change the subject of the message, click Change subject based on detected language. See Delivery Options in "Rules and Delivery Dispositions" for more information.
5. Click Save Changes.

DKIM Key Management
Configure DKIM for your organization on the Firewall > DKIM > Keys page. Click Generate Key to create a key for a domain and selector. Each key must have a unique domain and a unique selector within the domain.
In the Generate Key pop-up window, enter a domain for your organization into the Domain field. The correct syntax for domains is subdomain.subdomain...domain.tld, where domain is your registered domain name, and tld is the top level domain or extension, for example .com, .org, .tv, and so forth. The subdomains can be nested several levels. For example:
proofpoint.com
sales.proofpoint.com
us.proofpoint.com
engineering.us.proofpoint.com
example1.example2.example3.org
a.b.c.d.org
Enter a selector into the Selector field. Selectors allow for multiple or concurrent public keys per signing domain. Here are some use cases for selectors from RFC 4871:
"Domains that want to delegate signing capability for a specific address for a given duration to a partner, such as an advertising provider or other outsourced function. Domains that want to allow frequent travelers to send messages locally without the need to connect with a particular Mail Submission Agent. Affinity domains (for example, college alumni associations) that provide forwarding of incoming mail, but that do not operate a mail submission agent for outgoing mail."
The correct syntax for selectors is subdomain *( "." subdomain ). For example:
sales
engineering
engineering.us
engineering-us
a.b.c

Applying Policy Routes
Use the Restrict processing and Disable processing check boxes to restrict DKIM signing to the outbound messages that you want to be signed with that key. See Policy Routes for more information about Policy Routes. If you leave the Policy Routes check boxes clear, every incoming and outgoing message processed by the appliance or Proofpoint Protection Server will include a DKIM signature.

Viewing and Publishing the Public Key
Each DKIM key that you generate also generates a DNS text record that contains the public key. Receiving organizations that have DKIM verification capability will query your DNS servers to look up the public key for verification. Click View in the DNS Text Record column to see the text record for a DKIM key. A pop-up window displays the DNS text record that contains the public key. Copy the DNS text record for each domain-selector pair to your DNS servers.

Testing the DNS Lookup
Click Test to verify that the DNS text record can be retrieved from your DNS servers. The test completes a DNS lookup and verifies that the published key matches the one configured on the Proofpoint Protection Server. The result of the test displays in the Information bar.

Searching for Domain Entries
To search for keys for specific domains, enter the domain into the Domain field and then click Search. To display all of the entries after a search, clear the Domain field and then click Search.

Importing and Exporting DKIM Key Information
To export the RSA private key for a specific domain-selector entry, click Export Key. You will be prompted for a location to save the file. The default name of the file is "<selector name>.pem". To import a key, click Import Key. In the Import Key pop-up window, browse to the .pem file, and enter the domain, selector, and Policy Route information. If you try to import a domain-selector pair that already exists, you will see an error message.

Rotating Keys
You cannot change an existing key for a domain. If you want to rotate keys, disable the key for the domain and create a new key for the domain using a different selector.

Chapter 11 - Virus Protection Module

About the Virus Protection Module
Antivirus protection is a key component of the Proofpoint Protection Server. The Proofpoint Protection Server provides this functionality by integrating optional antivirus engines from several leading antivirus vendors.

Virus Signatures and Identity Files
The virus engine uses a number of virus signatures or identity files that identify specific known viruses, as well as a heuristic engine to detect previously unknown strains. As described in Updating Modules and Upgrading System Software under Licenses and Updates in "Proofpoint Protection Servers," the Dynamic Update Service ensures that the Proofpoint Protection Server is up to date and contains the latest virus signatures or identity files.

Message Conditions
The Virus Protection Module classifies messages into any of these conditions:
- The message is not infected; continue to process it.
- The message is infected with a specific virus; create a rule to handle all messages that contain the specific virus.
- The message contains errors and further analysis is impossible.
- The message contains protected data (password-protected or encrypted attachment).
- The message contains riskware or spyware.

Virus Protection Settings
The Virus Protection Module settings allow administrators to configure the Virus Protection Module to ignore messages that are password-protected, encrypted, or corrupt. This feature is useful, for example, if the users have antivirus software installed locally on their systems. The Proofpoint Protection Server can ignore messages that contain attachments that are password-protected, allowing the user's local antivirus software to screen the messages for viruses. You can apply the Virus Protection Module to specific routes if you do not want all inbound and outbound messages to be filtered by the Virus Protection Module.

Enabling or Disabling the Virus Protection Module
Enable or disable the Virus Protection Module on the Virus Protection > Settings > General page.

Selecting Policy Routes
The Policy Routes parameter allows you to apply the Virus Protection Module filtering to specific Policy Routes. If you want the Virus Protection Module to filter all messages and connections, leave the check boxes under Policy Routes clear. If you want to restrict filtering to specific Policy Routes, or disable filtering for specific Policy Routes, select the Restrict processing and Disable processing check boxes. See Policy Routes in "Rules and Delivery Dispositions" and About Policy Routes in "Proofpoint Protection Servers" for more information.

Ignoring Corrupt Files
The Proofpoint Protection Server can ignore corrupt files so that it does not waste CPU and processing resources. Enable this feature if you want the Virus Protection Module to ignore corrupt files.

Ignoring Encrypted Files
You can configure the Virus Protection Module to ignore messages that are encrypted.

Virus Protection Error - Reject Temporarily
The Proofpoint Protection Server is designed to operate in a fail-safe manner. In the unlikely event that the Virus Protection Module stops operating properly, the Proofpoint Protection Server is configured with a rule to temporarily reject all messages that contain an attachment.
Important: If you change the Delivery Method to Continue for the rule, you run the risk of infecting your network with a virus.
To change the options for the Virus Protection Error rule:
1. Click Edit Rule for the Virus Protection Error parameter.
2. On the Rule page, select Quarantine Option to quarantine a copy of the message. Select a different folder from the Folder drop-down list, or click New Folder if you want to add a new folder to the Quarantine. See Quarantine Option in "Rules and Delivery Dispositions" for more information.
3. Make a selection from the Delivery Method radio buttons. See About Delivery Dispositions in "Rules and Delivery Dispositions" for more information.
4. Make your selections and entries in the Delivery Options section of the page. See Delivery Options in "Rules and Delivery Dispositions" for more information.
5. Click Save Changes.

Module Summary and Update History Tables
The Module Summary table displays a summary of statistical information for the module over a period of time. The Rank column displays a ranking for the most viruses found by the module, and the Top Viruses column displays the names of the viruses found most frequently by the module.
The Update History table displays a record of the times the Virus Protection Module was updated with the latest virus definition files from Proofpoint.

Creating Virus Protection Policies and Rules
Creating a Virus Protection policy is a two-step process: first define the policy, and then edit or add to the predefined set of rules for that policy. The Virus Protection Module provides a default policy, which you can edit or clone as the basis for creating another policy. You cannot delete the default policy; you can only modify the set of rules for it. There is no limit to the number of policies you can create. Edit the pre-existing set of rules to make each policy unique.
For example, a Managed Service Provider (MSP) may need to create unique Virus Protection policies for each of its customers. One customer may request that infected messages be quarantined, and another customer may request that any message with a virus be immediately rejected. Individual Policy Routes can be created for each virus protection policy to ensure that mail sent to that customer's domain will be processed accordingly. See Creating and Modifying Policy Routes in "Proofpoint Protection Servers" for instructions.

Creating a Virus Policy
The easiest way to create a new virus policy is to base it upon an existing policy. If no other policies exist, use the default policy as the basis for the new policy.

Follow these steps to create a virus policy:
1. Navigate to the Virus Protection > Virus Policies > Policies page.
2. Click Add Policy.
3. Enter a name and description for the policy.
4. If you want to create a new policy based upon the rules of an existing policy, select the policy from the Clone Virus Protection Policy Rules From drop-down list. Otherwise, leave it blank.
5. Click Save Changes.

Ordering the Default Policy
The Virus Protection Module provides the default policy to ensure that messages with viruses are filtered and processed. If you create additional policies, you will want to move the default policy to the bottom of the list, so that the default policy rules trigger last. See Controlling Rule and Policy Order in "Rules and Delivery Dispositions."

Editing Predefined Policy Rules
You can only edit the predefined set of rules for each virus policy, with the exception of the Messages Contain Specific Virus rule, for which you can create or clone rules. (See Message Is Infected for adding or cloning rules for the Messages Contain Specific Virus rule.) You can also change or select multiple Policy Routes for each policy.
To edit policy rules and select a Policy Route:
1. On the Policies page, click the name or description of the policy that you want to edit.
2. Leave the Policy Routes check boxes clear if you want this rule to apply to all messages and connections. If you want to restrict processing or disable processing for messages or connections for specific Policy Routes, click the corresponding check boxes. See Policy Routes in "Rules and Delivery Dispositions" for more information.
3. Click Edit Rule for the condition that you want to change.
4. If you also want to send a copy of the message to the Quarantine, select Quarantine message. Select a different folder from the Folder drop-down list, or click New Folder if you want to add a new folder to the Quarantine. See Quarantine Option in "Rules and Delivery Dispositions" for more information.
5. Make a selection from the Delivery Method radio buttons. See About Delivery Dispositions in "Rules and Delivery Dispositions" for more information.
6. Make your selections and entries in the Delivery Options section of the page. See Delivery Options in "Rules and Delivery Dispositions" for more information.
Click Save Changes.
If the Virus Protection Module is disabled, the Virus Protection Error rule on the Settings page temporarily rejects messages that cannot be filtered for viruses. See Enabling and Managing the Virus Protection Module for more information.

Message Is Not Infected
By default, the Continue disposition is configured for the Message Is Not Infected condition. Typically, you should not change this disposition.
To edit the Message Is Not Infected rule:
1. Click the Edit Rule button in the Messages Not Infected section.
2. On the Rule page, select Quarantine message to send a copy of the message to the Quarantine. Select a different folder from the Folder drop-down list, or click New Folder if you want to add a new folder to the Quarantine. See Quarantine Option in "Rules and Delivery Dispositions" for more information.
3. Make a selection from the Delivery Method radio buttons. See About Delivery Dispositions in "Rules and Delivery Dispositions" for more information.

4. Make your selections and entries in the Delivery Options section of the page. See Delivery Options in "Rules and Delivery Dispositions" for more information.
5. Click Save Changes.

Message Is Infected
You can create rules to determine how the Virus Protection Module handles messages that are infected with any virus or a specific virus. The following actions appear for the Message Is Infected condition on the Virus Protection > Virus Policies > Rules page:
- Messages Contain Specific Virus: if necessary, add a rule that determines how to handle messages that contain a specific virus.
- Message Contains a Virus: by default, infected messages are discarded and a copy is sent to the Quarantine.

Edit the Existing Rule for Message Contains a Virus
To edit the rule, click Edit and make your changes. See Introduction to Quarantine Folders for more information about folders. See About Delivery Dispositions if you want to change the Delivery Method. See Delivery Options if you want to change the default options for handling infected messages.

Create a Rule for a Specific Virus
You may not want to use Proofpoint Protection Server processing resources for cleaning a known virus from thousands of messages, so you can create a rule to immediately reject or discard messages containing a specific virus.
To create a rule for a specific virus:
1. On the Rules page, click Add Rule in the Messages Contain Specific Virus section.
2. Enable the new rule by selecting On for the Enable parameter.
3. Enter a name for the rule into the ID field. This name is used internally by the Proofpoint Protection Server.
4. For the Virus Name parameter, enter the name of the specific virus for which you are creating a rule.
5. Select one of the following operators from the drop-down list to apply to the virus name:
   - Equals: the virus name is exactly as specified. For example, apply the rule only to messages containing the virus sobig.
   - Contains: the virus name contains the specified text.
   - Matches Regular Expression: the virus name matches a specific Perl regular expression. For example, the virus name begins with fun (^fun), or it contains love (\love).
   Important: Several regular expression metacharacters must be escaped to become literal characters. See Using Regular Expressions for a list.
6. Click the Reject radio button.
7. If applicable, make changes to the Reject Option parameters.
8. Click Add Rule to save the rule.

Message with Errors - No Further Analysis
When the condition is Messages with Errors, it means the message is corrupt or is missing information, preventing further analysis. By default, the Virus Protection Module discards the original message, places a copy in the Quarantine, and annotates the subject line for messages that are corrupt.
To edit the Message With Errors rule:
1. On the Rules page, click Edit Rule for the Messages With Errors condition.
2. On the Rule page, make your changes to Quarantine message, if applicable. See Quarantine Option in "Rules and Delivery Dispositions" for more information.
3. Make a selection from the Delivery Method radio buttons. See About Delivery Dispositions in "Rules and Delivery Dispositions" for more information.
4. Make your selections and entries in the Delivery Options section of the page. See Delivery Options in "Rules and Delivery Dispositions" for more information.
5. Click Save Changes.

Protected Message - Continue to Process
Messages that are password-protected are not filtered by the Virus Protection Module. These messages continue to filter through the other Proofpoint Protection Server modules, and if no other rules are triggered, they are delivered to the email infrastructure. Users must rely on desktop virus protection software for virus detection in protected messages. Messages that are not filtered by the Proofpoint Protection Server contain "Not Virus Scanned" in the message header.
To change the Messages Contain Protected Data rule:
1. Click Edit Rule in the Messages Contain Protected Data section.
2. On the Rule page, make your changes to Quarantine message, if applicable. Select a different folder from the Folder drop-down list, or click New Folder if you want to add a new folder to the Quarantine. See Quarantine Option in "Rules and Delivery Dispositions" for more information.
3. Make a selection from the Delivery Method radio buttons. See About Delivery Dispositions in "Rules and Delivery Dispositions" for more information.
4. Make your selections and entries in the Delivery Options section of the page. See Delivery Options in "Rules and Delivery Dispositions" for more information.
5. Click Save Changes.

Message Contains Riskware or Spyware
Messages that contain riskware or spyware are discarded. Copies of these messages are sent to the Quarantine with a new subject header.
Important: Some antivirus vendors do not support filtering for riskware or spyware. In this case you will not see the corresponding rule in the management interface.
To change the Messages Contain Riskware/Spyware rule:
1. Click Edit Rule in the Messages Contain Riskware/Spyware section.
2. On the Rule page, make your changes to Quarantine message, if applicable. Select a different folder from the Folder drop-down list, or click New Folder if you want to add a new folder to the Quarantine. See Quarantine Option in "Rules and Delivery Dispositions" for more information.
3. Make a selection from the Delivery Method radio buttons. See About Delivery Dispositions in "Rules and Delivery Dispositions" for more information.

270 Proofpoint Administration Guide 4. Make your selections and entries on the delivery Options section of the page. See Delivery Options in "Rules and Delivery Dispositions" for more information. 5. Click Save Changes. 240
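As an added example (not code from the guide or the product), the check below uses Python's standard email library to find messages that carry the "Not Virus Scanned" marker described in the Protected Message section, so that a mail administrator can see which delivered messages depended on desktop antivirus instead of the gateway. The guide does not name the header field that carries the marker, so the function searches every header value except Subject; the X-Example-Scan field, the MARKER constant and the three sample messages are constructed for this example.

```python
from email import message_from_string

# The guide states that messages the Proofpoint Protection Server did not
# filter carry "Not Virus Scanned" in the message header, without naming the
# header field.  This check therefore looks at every header value instead of
# assuming a field name.  X-Example-Scan is a placeholder field used only by
# these constructed messages.
MARKER = "Not Virus Scanned"

# Constructed sample messages; not real traffic.
SAMPLE_MESSAGES = [
    (
        "From: alice@example.com\n"
        "To: bob@example.com\n"
        "Subject: Q3 report\n"
        "X-Example-Scan: Virus Scanned (placeholder)\n"
        "\n"
        "Report attached.\n"
    ),
    (
        "From: alice@example.com\n"
        "To: bob@example.com\n"
        "Subject: encrypted archive\n"
        "X-Example-Scan: Not Virus Scanned\n"
        " (placeholder; folded continuation line)\n"
        "\n"
        "Password-protected zip attached.\n"
    ),
    (
        "From: carol@example.com\n"
        "To: bob@example.com\n"
        "Subject: Not Virus Scanned is just my subject\n"
        "X-Example-Scan: Virus Scanned (placeholder)\n"
        "\n"
        "Body text.\n"
    ),
]


def marker_fields(raw: str):
    """Names of header fields whose value contains the marker.

    Subject is skipped so that sender-controlled text cannot make a scanned
    message look unscanned (see the third constructed message)."""
    msg = message_from_string(raw)
    return [name for name, value in msg.items()
            if name.lower() != "subject" and MARKER in str(value)]


def bypassed_virus_scan(raw: str) -> bool:
    """True when the message carries the 'Not Virus Scanned' marker."""
    return bool(marker_fields(raw))


def unscanned_subjects(raw_messages):
    """Subjects of the messages that skipped gateway virus scanning.  These
    are the ones that rely on desktop antivirus, as the guide notes."""
    return [message_from_string(raw)["Subject"]
            for raw in raw_messages if bypassed_virus_scan(raw)]


if __name__ == "__main__":
    for subject in unscanned_subjects(SAMPLE_MESSAGES):
        print("not scanned at the gateway:", subject)
```

The second sample uses a folded header (a continuation line starting with whitespace); message_from_string() reassembles it, which is why the check works on parsed header values rather than on raw lines.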

Chapter 12 - Zero-Hour Anti-Virus Module

About the Zero-Hour Anti-Virus Module

The Zero-Hour Anti-Virus Module protects organizations against new viruses and other forms of malicious code during the first critical hours of their release, before anti-virus signatures have been updated and distributed. The Zero-Hour Module analyzes incoming messages for similarities to suspected virus-infected messages. Messages and attachments that exhibit the recurrent pattern characteristics of an emerging virus are automatically quarantined by the Proofpoint Protection Server. These messages remain in the Quarantine for a temporary period of time and until one or more virus signatures are downloaded from Proofpoint.

The Proofpoint Attack Response Center constantly analyzes millions of Internet messages for anomalies that indicate a potential virus attack. Advanced pattern recognition technology is used to identify potential new viruses within minutes of their mass distribution over the Internet, with greater than 95 percent accuracy.

Unlike other virus outbreak solutions, the Zero-Hour Anti-Virus Module accurately detects and quarantines only those messages associated with an emerging virus, without stopping legitimate email. Instead of quarantining all email with attachment types suspected of being dangerous, the Zero-Hour Module delays only specific messages that are classified as being part of an emerging outbreak, resulting in a minimal impact on the normal flow of email.

The Zero-Hour Module ships with a default policy that includes rules for messages classified with a potential virus threat of medium or high, for messages containing a probable virus, and for messages that could not be analyzed because of a temporary connection failure to the Proofpoint Attack Response Center.

Administrators can create additional policies and rules for the Zero-Hour Module and have unlimited granularity over how long to delay messages in the Quarantine, how many new virus signatures to wait for, and which attachments or file types to exclude from Zero-Hour virus scanning.

The Zero-Hour Module is an optional module that complements the Proofpoint Virus Protection Module. You cannot use the Zero-Hour Module unless you are also using the Virus Protection Module from Proofpoint.
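To make the policy settings concrete, the following Python model is an added example and not Proofpoint's implementation. It represents the three Zero-Hour settings named above (how long to hold a message, how many signature updates to wait for, which file types to exclude) and decides when a quarantined message is released. How the product combines the two limits is not stated in the guide; this model releases a message as soon as either limit is reached, which is an assumption, as are the ZeroHourPolicy and HeldMessage names, the field names and the sample values.

```python
import os
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ZeroHourPolicy:
    """Settings the guide says an administrator controls for the Zero-Hour
    Module: hold time, signature updates to wait for, and file types excluded
    from Zero-Hour scanning.  Field names are this example's own."""
    max_hold: timedelta
    signatures_to_wait_for: int
    excluded_extensions: frozenset = frozenset()


@dataclass
class HeldMessage:
    subject: str
    attachments: tuple                # attachment file names
    held_since: datetime
    signature_updates_seen: int = 0   # engine updates downloaded since the hold began


def excluded_from_zero_hour(policy: ZeroHourPolicy, attachments) -> bool:
    """True when every attachment has an excluded extension.
    Assumption: a message with no attachments is still analysed."""
    if not attachments:
        return False
    exts = {os.path.splitext(name)[1].lstrip(".").lower() for name in attachments}
    return exts <= policy.excluded_extensions


def release_decision(policy: ZeroHourPolicy, msg: HeldMessage, now: datetime) -> str:
    """Decide what happens to a quarantined message at time `now`.

    Model assumption: the message is released as soon as either limit is
    reached, whichever comes first.  The guide does not say how the two
    limits combine."""
    if msg.signature_updates_seen >= policy.signatures_to_wait_for:
        return "release: signatures received"
    if now - msg.held_since >= policy.max_hold:
        return "release: hold time elapsed"
    return "hold"


def demo():
    """Walk constructed messages through a sample policy and return the
    decisions so they can be checked.  All values are made up."""
    policy = ZeroHourPolicy(max_hold=timedelta(hours=4),
                            signatures_to_wait_for=2,
                            excluded_extensions=frozenset({"txt", "pdf"}))
    t0 = datetime(2012, 2, 1, 10, 0)          # constructed timestamp

    msg = HeldMessage("invoice", ("invoice.exe",), held_since=t0)
    decisions = [release_decision(policy, msg, t0 + timedelta(hours=1))]
    msg.signature_updates_seen = 2            # two engine updates arrived
    decisions.append(release_decision(policy, msg, t0 + timedelta(hours=1)))

    slow = HeldMessage("newsletter", ("news.zip",), held_since=t0)
    decisions.append(release_decision(policy, slow, t0 + timedelta(hours=4)))

    return {
        "decisions": decisions,
        "all_excluded": excluded_from_zero_hour(policy, ("a.txt", "b.PDF")),
        "mixed_types": excluded_from_zero_hour(policy, ("a.txt", "b.exe")),
        "no_attachments": excluded_from_zero_hour(policy, ()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The exclusion check is deliberately conservative: a message whose attachments mix excluded and non-excluded types is still analysed, since a single unexcluded attachment is enough to warrant the hold.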


More information

McAfee VirusScan and epolicy Orchestrator Administration Course

McAfee VirusScan and epolicy Orchestrator Administration Course McAfee VirusScan and epolicy Orchestrator Administration Course Intel Security Education Services Administration Course Training The McAfee VirusScan and epolicy Orchestrator Administration course from

More information

T E C H N I C A L S A L E S S O L U T I O N

T E C H N I C A L S A L E S S O L U T I O N Trend Micro Email Encryption Gateway 5.0 Deployment Guide January 2009 Trend Micro, Inc. 10101 N. De Anza Blvd. Cupertino, CA 95014 USA T +1.800.228.5651 / +1.408.257.1500 F +1.408.257.2003 www.trendmicro.com

More information

ecopy ShareScan 4.5 Installation and Setup Guide for Canon ScanFront devices Part Number: 73-00330-1 (01/2009)

ecopy ShareScan 4.5 Installation and Setup Guide for Canon ScanFront devices Part Number: 73-00330-1 (01/2009) ecopy ShareScan 4.5 Installation and Setup Guide for Canon ScanFront devices Part Number: 73-00330-1 (01/2009) Licensing, Copyright, and Trademark Information The information in this document is subject

More information

Hosted Email Security 2.0 Administrator s Guide

Hosted Email Security 2.0 Administrator s Guide Hosted Email Security 2.0 Administrator s Guide 1 Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION: A CAUTION indicates

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Guide for Mac OS X Users 10.0 Symantec Enterprise Vault: Guide for Mac OS X Users The software described in this book is furnished under a license agreement and may be used only

More information

FTA Computer Security Workshop. Secure Email

FTA Computer Security Workshop. Secure Email FTA Computer Security Workshop Secure Email March 8, 2007 Stan Wiechert, KDOR IS Security Officer Outline of Presentation The Risks associated with Email Business Constraints Secure Email Features Some

More information