eprism Security Appliance User Guide


Software Version:
Last Revision: 5/25/07

Preface 7

CHAPTER 1 eprism Overview 11
    What's New in eprism 6.5 12
    eprism Overview 14
    eprism Deployment 20
    How Messages are Processed by eprism 22

CHAPTER 2 Administering eprism 27
    Connecting to eprism 28
    Configuring the Admin User 32
    Web Server Options 35
    Customizing the eprism Interface 36

CHAPTER 3 Configuring Mail Delivery Settings 37
    Network Settings 38
    Virtual Interfaces 42
    Static Routes 45
    Mail Routing 46
    Mail Delivery Settings 48
    Mail Aliases 53
    Mail Mappings 55
    Virtual Mappings 57

CHAPTER 4 Directory Services 59
    Directory Service Overview 60
    Directory Servers 61
    Directory Users and Groups 63
    LDAP Aliases 67
    LDAP Mappings 69
    LDAP Recipients 71
    LDAP Relay 73
    LDAP Routing 76

CHAPTER 5 Mail Security and Encryption 79
    SMTP Mail Access 80
    Anti-Virus 82
    Threat Outbreak Control 85
    External Message Encryption 90
    Encrypting Mail Delivery Sessions 94
    SSL Certificates 97

CHAPTER 6 Message Content Scanning 101
    Content Scanning Overview 102
    Attachment Control 103
    Attachment Content Scanning 106
    Objectionable Content Filter 110
    Pattern Based Message Filtering (PBMF) 112
    Malformed Mail 121
    Dictionaries 123
    Message Archiving 125

CHAPTER 7 Intercept Anti-Spam 131
    Intercept Anti-Spam Feature Overview 132
    Trusted and Untrusted Mail Sources 134
    Configuring Intercept Anti-Spam 136
    Intercept Components 139
    Intercept Advanced Features 177
    Trusted and Blocked Senders 181
    Spam Quarantine 187

CHAPTER 8 User Accounts and Remote Authentication 195
    POP3 and IMAP Access 196
    Local User Mailboxes 197
    Mirror Accounts 199
    Strong Authentication 200
    Remote Accounts and Directory Authentication 202
    Relocated Users 205
    Vacation Notification 206
    Tiered Administration 209

CHAPTER 9 Secure WebMail and eprism Mail Client 211
    Secure WebMail 212
    eprism Mail Client 216

CHAPTER 10 Policy Management 219
    Policy Overview 220
    Creating Policies 223
    Domain Policies 224
    Group Policies 226
    User Policies 231
    Managing Policies 233
    Policy Diagnostics 234

CHAPTER 11 Threat Prevention 237
    Threat Prevention Overview 238
    Configuring Threat Prevention 239
    Creating Threat Prevention Rules 241
    Static Address Lists 251
    Dynamic Address Lists 253
    F5 Blocking 256
    Cisco Blocking 261
    Threat Prevention Status 264

CHAPTER 12 HALO (High Availability and Load Optimization) 265
    HALO Overview 266
    Configuring Clustering 268
    Cluster Management 274
    Configuring the F5 Load Balancer 278
    Queue Replication 279

CHAPTER 13 Reporting 283
    Viewing and Generating Reports 284
    Viewing the Mail History Database 294
    Viewing the System History Database 296
    Report Configuration 299

CHAPTER 14 System Management 301
    System Status and Utilities 302
    Mail Queue Management 305
    Quarantine Management 306
    License Management 308
    Software Updates 311
    Security Connection 312
    Reboot and Shutdown 313
    Backup and Restore 314
    Centralized Management 321
    Problem Reporting 326
    Health Check 327

CHAPTER 15 Monitoring System Activity 329
    Activity Screen 330
    System Log Files 332
    Offloading Log Files 335
    SNMP (Simple Network Management Protocol) 337
    Alarms 340

CHAPTER 16 Troubleshooting Mail Delivery 343
    Troubleshooting Mail Delivery 344
    Troubleshooting Tools 345
    Examining Log Files 346
    Network and Mail Diagnostics 355
    Troubleshooting Content Issues 360

APPENDIX A Using the eprism System Console 363
APPENDIX B Restoring eprism to Factory Default Settings 367
APPENDIX C Message Processing Order 369
APPENDIX D Customizing Notification and Annotation Messages 371
APPENDIX E Performance Tuning 375
    Setting Default Performance Settings 376
    Advanced Settings 377
APPENDIX F SNMP MIBS 383
    MIB Files Summary 383
    MIB Files 387
    MIB OID Values 411
APPENDIX G Third Party Copyrights and Licenses 417

Preface

This User Guide provides detailed information on how to configure and manage your eprism Security Appliance, and contains the following topics:

- Chapter 1, eprism Overview, on page 11
- Chapter 2, Administering eprism, on page 27
- Chapter 3, Configuring Mail Delivery Settings, on page 37
- Chapter 4, Directory Services, on page 59
- Chapter 5, Mail Security and Encryption, on page 79
- Chapter 6, Message Content Scanning, on page 101
- Chapter 7, Intercept Anti-Spam, on page 131
- Chapter 8, User Accounts and Remote Authentication, on page 195
- Chapter 9, Secure WebMail and eprism Mail Client, on page 211
- Chapter 10, Policy Management, on page 219
- Chapter 11, Threat Prevention, on page 237
- Chapter 12, HALO (High Availability and Load Optimization), on page 265
- Chapter 13, Reporting, on page 283
- Chapter 14, System Management, on page 301
- Chapter 15, Monitoring System Activity, on page 329
- Chapter 16, Troubleshooting Mail Delivery, on page 343

The following sections contain supplemental information for the eprism Security Appliance:

- Appendix A, Using the eprism System Console, on page 363
- Appendix B, Restoring eprism to Factory Default Settings, on page 367
- Appendix C, Message Processing Order, on page 369
- Appendix D, Customizing Notification and Annotation Messages, on page 371
- Appendix E, Performance Tuning, on page 375
- Appendix F, SNMP MIBS, on page 383
- Appendix G, Third Party Copyrights and Licenses, on page 417

Related Documentation

If Release Notes are included with your product package, please read them for the latest information on installing and managing eprism. The following documents are included as part of the eprism documentation set:

TABLE 1. eprism Documentation

Release Notes: Provides up-to-date information on the product, including new features, improvements, bug fixes, and any known issues. If instructions in the Release Notes differ from the Installation Guide or User Guide, use the instructions in the Release Notes.

Installation Guide: Provides detailed information on how to install and perform the initial configuration of the eprism Security Appliance.

User Guide: Provides detailed information on how to configure, administer, and troubleshoot the eprism Security Appliance.

Intercept Anti-Spam Quick Start Guide: Describes the basic configuration details and recommended strategies for eprism's Intercept Anti-Spam features.

Conventions

The following typographical conventions are used in this guide:

TABLE 2. Typographical Conventions

Typeface or Symbol | Description | Example
italic | Screen names or data field names | Activity Screen, or SMTP Port
bold | Button names, menu items, and screen names | Select Basic Config > Network on the menu and click the Apply button
courier font | Text displayed on the screen, and file and directory names | backup/backup.gzip
Bold courier | Text entered by the user | Enter: example.com
(note symbol) | Information that describes important features or instructions | Please see the following section for more details
(caution symbol) | Information that alerts you to potential problems and issues | Use caution when enabling this feature

Contacting Technical Support

St. Bernard Software telephone support is available Monday to Friday, 07:00am to 4:00pm (Pacific Standard Time) and 08:30 to 17:30 (UTC).

North America, South America, Pacific Rim (PST)
Avenue of Science
San Diego, CA
Main:
FAX:
Technical Support:

Europe, Asia, Africa (UTC)
Unit 4, Riverside Way
Watchmoor Park, Camberley
Surrey, UK GU15 3YQ
Main:
FAX:
Technical Support:

Copyright Information

St. Bernard Software, Inc. All rights reserved. St. Bernard Software is a trademark of St. Bernard Software Inc. All other trademarks or registered trademarks are hereby acknowledged. Information in this document is subject to change without notice.

CHAPTER 1 eprism Overview

This chapter provides an overview of the architecture and features of the eprism Security Appliance, and contains the following topics:

- What's New in eprism 6.5 on page 12
- eprism Overview on page 14
- eprism Deployment on page 20
- How Messages are Processed by eprism on page 22

What's New in eprism 6.5

The eprism Security Appliance version 6.5 adds several new features while considerably improving the functionality of existing features.

Blocked Senders List

The Blocked Senders List allows end users to specify a list of addresses from which they do not want to receive mail. These senders are blocked from sending mail to that specific user via eprism. If a sender is on the Blocked Senders List, the message can either be rejected with notification or discarded by eprism. Blocked Senders are configured via Mail Delivery > Anti-Spam > Trusted/Blocked Senders on the menu.

Virtual Interfaces

Virtual Interfaces are used by eprism to define additional interfaces and IP addresses to send and receive mail for specific domains. These Virtual Interfaces are associated with the existing physical network interfaces on eprism. eprism sends all outbound email for a specific domain using the IP address specified for that domain in the Virtual Interfaces configuration: it selects the Virtual Interface to use for outgoing mail by matching the sender's domain to the domains associated with the configured Virtual Interfaces. Virtual Interfaces are configured via Basic Config > Virtual Interfaces on the menu.

Image Spam Analysis

An image spam message typically consists of random text or no text body, and contains an attached picture (usually .gif or .jpg format) that supplies the text and graphics of the spam message. These messages are difficult to detect because they contain no helpful text or URL characteristics that can be scanned and analyzed. The Image Spam Analysis feature performs advanced analysis of image attachments to help determine whether the message is spam or legitimate mail.

Similar to eprism's other Anti-Spam features that detect spam characteristics in the text of a message, the Image Spam Detection feature extracts certain characteristics of the attached image and determines whether they resemble those seen in actual spam messages. Image Spam Detection uses the Token Analysis feature to analyze image spam messages, so Token Analysis must be enabled for Image Spam Detection to work. Enable the Image Analysis option via Mail Delivery > Anti-Spam > Intercept > Token Analysis > Advanced on the menu.

Intercept Anti-Spam Improvements

The following improvements have been made to eprism's Intercept Anti-Spam feature:

- The Intercept Anti-Spam engine has been enhanced to increase Intercept's effectiveness against the latest types of image spam and other spam messages.
- The Intercept training engine and database have been updated to improve the efficiency and effectiveness of training for spam and legitimate mail.
- Intercept's use of the BorderWare Security Network (BSN) and DNS/URL Block Lists has been improved so that reputation and block list results contribute more effectively to the overall Intercept spam score decision for a message.
- Bulk Analysis has been modified to reduce the probability of false positives in the Intercept spam decision. To revert to the previous behaviour and increase the emphasis on Bulk Analysis results, set the Bulk Analysis weight to 90 in the advanced Intercept settings, accessed via Mail Delivery > Anti-Spam > Intercept and clicking the Advanced button.

LDAP Paging Support

When querying an LDAP server, the information returned may contain thousands of entries and sub-entries. Paging allows LDAP information to be retrieved in more manageable sections to control the rate at which data is returned. Previously, eprism could not retrieve more entries than the administrative limit configured in Microsoft Active Directory, so the limit had to be increased on the Active Directory server. eprism now supports Active Directory LDAP paging, which removes the need to manually set a higher maximum page size in Active Directory for eprism LDAP user imports.

eprism Overview

eprism is a dedicated Mail Firewall designed for deployment between internal mail servers and the Internet. eprism supports the standard mail protocols for processing messages while offering a secure method for their processing and delivery. eprism has been designed specifically to resist operating system attacks and to protect mail servers from direct SMTP and HTTP connections.

eprism Deployment

eprism is generally configured to accept all mail for a domain or sub-domain, store and process mail according to specified security policies, and deliver the mail to one or more internal mail servers for collection by users. eprism is ideally suited for deployment in parallel with an existing firewall, on a DMZ, or on an internal network. See eprism Deployment on page 20 for more detailed information on deploying eprism.

Mail Delivery Security

eprism has a sophisticated mail delivery system with several security features and benefits to ensure that identifying information about your company's infrastructure remains private. For a company with multiple domain names, eprism can accept, process and deliver mail to private servers. For a company with multiple private servers, eprism can route mail based on the domain or subdomain to separate groups of users. Security features such as mail mappings and address masquerading make it possible to hide references to internal host names.

Content Scanning and Filtering

eprism implements attachment controls, attachment content scanning, and content filtering based on pattern and text matching. These controls help prevent breaches of confidentiality, legal liability from offensive content, and personal abuse of company resources, and help enforce compliance policies. Attachment controls are based on the following characteristics:

- File Extension Suffix: The suffix of the file is checked to determine the attachment type, such as .exe or .jpg.
- MIME Content Type: MIME (Multipurpose Internet Mail Extensions) can be used to identify the content type of the message.
- Content Analysis: The file is analyzed from the beginning to look for characteristics that identify the file type. This analysis ensures that the attachment controls are not circumvented by simply renaming a file.

Deep Content Scanning

Attachments such as PDFs or Microsoft Word documents can be analyzed for words or phrases that match a pattern filter or compliance dictionary.

Virus Scanning

The eprism Security Appliance features optional virus scanning based on Kaspersky Anti-Virus. Messages in both inbound and outbound directions can be scanned for viruses and malicious programs. eprism's high performance virus scanning provides a vital layer of protection against viruses for your entire organization. Automatic pattern file updates ensure that the latest viruses are detected.

Threat Outbreak Control

The Threat Outbreak Control feature provides customers with zero-day protection against early virus outbreaks. For most virus attacks, the time from the moment the virus is released to the time a pattern file is available to protect against it can be several hours. During this period, mail recipients are vulnerable to potential threats. eprism's Threat Outbreak Controls can detect and take action against early virus outbreaks to contain the threat.

Malformed Message Protection

Similar to malformed data packets used to subvert networks, malformed messages allow viruses and other attacks to avoid detection, crash systems, and lock up mail servers. eprism ensures that only correctly formatted messages are allowed into your mail systems. Message integrity checking protects your mail servers and clients and improves the effectiveness of existing virus scanning implementations.

Intercept Anti-Spam

The eprism Security Appliance provides a complete and robust set of anti-spam features specifically designed to protect against the full spectrum of current and evolving spam threats. eprism's Intercept Anti-Spam engine can combine the results of several Anti-Spam features to provide a better informed decision on whether a message is spam or legitimate mail. These features include:

- Specific Access Patterns (SAP): Filter messages based on pattern matches against the client address or header parameters such as HELO or Envelope-From and Envelope-To.
- Pattern Based Message Filtering (PBMF): Filter messages based upon matches in the envelope, header, or body of a message.
- Spam Dictionaries: Filter messages based on a dictionary of typical spam words and phrases that are matched against a message.
- Mail Anomalies: Checks various aspects of the incoming message for issues such as unauthorized SMTP pipelining, missing headers, and mismatched identification fields. Checks for recent spam and viruses from a specific IP address can also be enabled; these are used in conjunction with the Threat Prevention feature.
- DNS Block List (DNSBL): Detects spam using domain-based lists of hosts with a poor reputation. Messages can also be rejected immediately, regardless of the results of other Anti-Spam processing, if the client is listed on a DNSBL. A configurable threshold allows administrators to specify how many DNSBLs must trigger before the sender is considered unreliable.

- URL Block List: Detects spam by examining the URLs in a message and querying a SURBL (Spam URI Realtime Block List) server to determine whether a URL has been used in spam messages.
- Bulk Analysis: Detects bulk mail spam by checking for mail sent to a large number of users.
- Token Analysis: Detects spam based on advanced content analysis using databases of known spam and valid mail. This feature is also specially engineered to detect image spam effectively.
- Sender Policy Framework (SPF): Checks a sending host's SPF DNS records to identify the source of a message.
- DomainKeys Authentication: Checks a sending host's DomainKeys DNS records to identify the source of a message.

Threat Prevention

eprism's Threat Prevention capabilities allow organizations to detect and block incoming threats in real time. Threat types can be monitored and recorded to track client IP behaviour and reputation. By examining mail flow patterns, eprism detects whether a sending host is behaving maliciously by sending out viruses or spam, or attempting denial-of-service (DoS) attacks. By instantly recognizing these mail patterns, eprism can be an effective solution against immediate attacks. eprism's Threat Prevention feature can block or throttle inbound mail connections before the content is processed, to lessen the impact of a large number of inbound messages.

Trusted and Blocked Senders List

These features allow users to create their own personal Trusted and Blocked Senders Lists based on a sender's address. Trusted addresses are exempt from eprism's spam controls, allowing users to trust legitimate senders, while addresses on the Blocked Senders List are prevented from sending mail to that user via eprism.

Spam Quarantine

The Spam Quarantine redirects spam mail into a local storage area for each individual user. Users can connect to eprism either directly or through a summary email to view and manage their own quarantined spam. Messages can be deleted, or moved to the user's local mail folders. Automatic notification emails can be sent to end users to inform them of messages in their personal quarantine area.

Secure WebMail

eprism's Secure WebMail provides remote access support to internal mail servers. With Secure WebMail, users can access their mailboxes using web clients such as Outlook Web Access, Lotus iNotes, or eprism's own web mail client. eprism addresses the security issues currently preventing deployment of web mail services by providing the following protection:

- Strong authentication (including integration with Active Directory)
- Encrypted sessions
- Advanced session control to prevent information leaks on workstations

Authentication

eprism supports the following authentication methods for administrators, WebMail users, the Trusted Senders List, and the Spam Quarantine:

- User ID and Password
- RADIUS and LDAP
- RSA SecurID tokens
- SafeWord and CRYPTOCard tokens

Mail Delivery Encryption

All mail delivered to and from eprism can be encrypted using TLS (Transport Layer Security). This includes connections to remote systems, local internal mail systems, or internal mail clients. Encrypted messages are delivered with complete confidentiality both locally and remotely. Encryption can be used for the following:

- Secure mail delivery on the Internet, to prevent anyone from viewing email while in transit.
- Secure mail delivery across a LAN, to prevent malicious users from viewing email other than their own.
- Policies for secure mail delivery to branch offices, remote users and business partners.

eprism supports TLS/SSL encryption for all user and administrative sessions. TLS/SSL is used to encrypt SMTP sessions, effectively preventing eavesdropping and interception.

Local User Mailboxes

eprism can host user mailboxes and act as a fully functioning mail server for small offices. eprism fully supports the POP3 and IMAP protocols (including their secure versions) and SMTP for retrieving and sending mail.

HALO (High Availability and Load Optimization)

eprism is the first firewall to provide enterprises with a fail-safe clustering architecture for high availability. HALO ensures that email is never lost due to an individual system failure, through its unique security, cluster management, load balancing and optimization, and "stateful failover" queue replication capabilities. Systems can be clustered together to add capacity or throughput, or to provide load balancing and optional high availability.

Cluster Management

The cluster management feature allows administrators to manage eprism clusters and to synchronize configuration settings across all systems in the cluster. Combined reports and database searches may be derived from clustered systems. Specific features include:

- Configuration Replication: Allows systems to be added to clusters and to assume the configuration of a defined "master" Cluster Console system.

- Cluster Synchronization: Systems within a cluster can be synchronized to the defined "master" system. Any changes to the configuration of the Cluster Console master are reflected in the configuration of all systems in the cluster.
- Cluster Reporting: eprism reports can be generated for a single system or for all systems in a cluster. The database can be searched by system or by cluster. The history and status of any message can be instantly retrieved regardless of which system processed the message.

Load Balancing and Optimization

A basic requirement of high availability is an automated or semi-automated mechanism for switching the mail stream between the available systems in the cluster, depending on their individual availability or health. Using DNS round-robin techniques or dedicated load balancing hardware, email can be directed to the eprism systems in a cluster depending on their availability and current load.

Queue Replication

To prevent the loss of messages during a system failure, eprism provides a unique "stateful failover" queue replication technology that replicates queues and intelligently synchronizes messages to a defined mirror system within a cluster. If a system in a cluster fails while undelivered mail remains in its queue, a mirror system can take ownership of that queue's messages and successfully process and deliver them. This ensures that no messages are ever lost.

Policy Controls

Policy-based controls allow settings for annotations, anti-spam, anti-virus, and attachment control to be customized and applied based on the group membership, domain membership, or address of the recipient. User groups can be imported from an LDAP-based directory, and policies can then be created to apply customized settings to these groups. For example, you can set up an Attachment Control Policy to allow your Development group to accept and send executable files (.exe), while configuring your attachment control settings for all other departments to block this file type and prevent the spread of viruses among general users.

Directory Service Support

eprism integrates with LDAP (Lightweight Directory Access Protocol) directory services such as Active Directory, OpenLDAP, and iPlanet, allowing you to perform the following:

- LDAP lookup prior to internal delivery: eprism can check for the existence of an internal user via LDAP before delivering a message. This allows you to reject mail to unknown addresses in relay domains, reducing the number of attempted deliveries of spam messages to non-existent local addresses. The check can be performed directly against an LDAP server or against a cached directory stored locally on eprism.
- Group/User Imports: An LDAP lookup determines the group membership of a user when applying policy-based controls. LDAP users can also be imported and mirrored on eprism for use with services such as the Spam Quarantine.
- Authentication: LDAP can be used for authenticating IMAP access, user mailbox, and WebMail logins.

- SMTP Relay Authentication: LDAP can be used for authenticating clients for SMTP Relay.
- Mail Routing: LDAP can be used to look up Mail Routes for a domain to deliver mail to its destination server.

Manageability

eprism provides a complete range of monitoring and diagnostics tools to monitor the system and troubleshoot mail delivery issues. Admin sessions can also be encrypted for additional security, while comprehensive logs record all mail activity.

Web Browser-based Management

The web browser management interface displays a live view of system activity and traffic flows. The management interface can be configured to display this information for one or many systems, including systems in a local cluster or systems that are being centrally managed.

Reporting and Auditing

The reporting and audit features deliver a comprehensive set of statistics that may be generated at any time or scheduled for automatic delivery. eprism includes a wide range of predefined reports, including information on system health, mail processing, spam and virus filtering statistics, and user mail volumes. Administrators can easily create customized reports.

Enterprise Integration with SNMP

Using SNMP (Simple Network Management Protocol), eprism can generate both information and traps for use by SNMP monitoring tools. This extends the administrator's view of eprism and allows an instant view of significant system events, including traffic flows and system failures.

Alarms

eprism can generate system alarms that automatically notify the administrator, via email and console alerts, of a system condition that requires attention.

Archiving

Archiving support allows organizations to define additional mail handling controls for inbound and outbound mail. These features are especially important for organizations that must archive certain types of mail for regulatory compliance or for corporate security policies.

Security Connection

The Security Connection provides an automated software update service. By enabling the Security Connection, you are automatically notified of any new patches and updates for the eprism software. St. Bernard continuously monitors for new vulnerabilities and issues new updates to defend against them, ensuring that you have them as soon as they are available.

Internationalization

eprism supports internationalization for annotations, notification messages, and mail database views. For example, if a message is sent to someone who is on vacation and the message uses the ISO-2022-JP (Japanese) character set, the vacation notification sent back will be in the same character set. The mail history database can also be viewed using international character sets.

eprism Deployment

eprism is designed to be situated between mail servers and the Internet so that there are no direct SMTP (Simple Mail Transfer Protocol) connections between external and internal servers. eprism is typically installed in one of three locations:

- In parallel with the firewall
- On your DMZ (Demilitarized Zone)
- Behind the existing firewall on the internal network

SMTP (TCP port 25) traffic is redirected from either the external interface of the firewall or from the external router to eprism. When the mail has been accepted and processed, eprism initiates an SMTP connection to the internal mail server to deliver the mail.

eprism in Parallel with the Firewall

The preferred deployment strategy for eprism is to situate it in parallel with an existing network firewall. eprism's inherent firewall security architecture eliminates the risk associated with deploying an appliance on the perimeter of a network. This parallel deployment eliminates any mail traffic on the firewall and decreases its overall load.

eprism on the DMZ

Deploying eprism on the DMZ is an equally secure deployment configuration. This type of deployment prevents any direct connection from the Internet to the internal servers, but does not ease the existing load on the firewall.

eprism on the Internal Network

eprism can also be deployed on the internal network. Although this configuration allows a direct connection from the Internet into the internal network, it is a perfectly legitimate configuration when dictated by existing network resources.

How Messages are Processed by eprism

The following sections describe the sequence in which the various eprism security features are applied to inbound and outbound mail messages, and how these settings affect their delivery.

Trusted Mail

eprism only processes mail through the spam filters when a message originates from an "untrusted" source. Trusted sources bypass the spam controls. By default, mail that arrives on a particular network interface from the same subnet is "trusted". There are two ways to control how sources of mail are identified and trusted:

1. The network interface the mail arrives on
2. A specified IP address (or address block), or server or domain name

See Trusted and Untrusted Mail Sources on page 134 for information on configuring trusted and untrusted sources.

Inbound and Outbound Scanning

For features that scan both inbound and outbound mail, the following rules apply:

Mail from trusted source to local recipient: Inbound
Mail from trusted source to non-local recipient: Outbound
Mail from untrusted source to local recipient: Inbound
Mail from untrusted source to non-local recipient: Inbound

SMTP Connection

An SMTP connection request is made from another system. eprism accepts the connection request unless one of the following checks (if enabled) is triggered:

- Reject on Threat Prevention: Rejects mail when the client is rejected by the Threat Prevention feature.
- Reject on unauthorized SMTP pipelining: Rejects mail when the client sends SMTP commands ahead of time without knowing whether the mail server actually supports SMTP command pipelining. This stops messages from bulk mail software that uses SMTP command pipelining improperly to speed up deliveries.
- Reject on expired eprism license: Rejects mail if the eprism license has expired.
- Specific Access Pattern and Pattern Based Message Filter (Reject): Rejects mail based on SAP and PBMF for the HELO, Envelope-To, Envelope-From, and Client IP fields.
- Reject on DNS Block List: Rejects mail if the sender is on a DNSBL and eprism is set to reject on DNSBL.
- Reject on BSN (Reputation, Infected, Dial-up): Rejects mail based on statistics provided by the St. Bernard Security Network.

At this point, trusted or local networks skip any further "Reject" checks.

- Reject on unknown sender domain: Rejects mail when the sender's mail address has no DNS A or MX record.
- Reject on missing reverse DNS: Rejects mail from hosts whose IP address has no PTR (address to name) record in the DNS, or whose PTR record does not have a matching A (name to address) record. This setting is rarely used because many servers on the Internet do not have valid reverse DNS records, and enabling it may result in rejecting mail from legitimate sources.
- Reject on missing sender MX: Rejects mail when the sender's mail address is missing a DNS MX record.
- Reject on non-fqdn sender: Rejects mail when the address in the client MAIL FROM command is not in fully-qualified domain name (FQDN) form.
- Reject on Unknown Recipient: Rejects mail if the specified recipient does not exist. The system performs an LDAP lookup on the recipient's address to ensure the recipient exists before delivering the message.

Mail Header and Message Properties

The connection is now accepted. The message will be accepted for processing unless one of the following occurs:

- Reject on missing addresses: Rejects mail when no recipients in the To: field, or no senders in the From: field, were specified in the message headers.
- Maximum number of recipients: Rejects mail if the number of recipients exceeds the specified maximum (default is 1000).
- Maximum message size: Rejects mail if the message size exceeds the maximum.

Malformed Content, Virus Checking, and Attachment Control

Messages are scanned for malformed and very malformed content, viruses, and specific attachments. If there is a problem, eprism can be configured to take a variety of actions, such as sending the message to the administrative Quarantine folder.

Threat Outbreak Control

Messages are scanned by Threat Outbreak Control to look for virus-like behaviour. These messages can be quarantined until updated Anti-Virus pattern files are available to rescan them.
OCF (Objectionable Content Filter)
Messages are scanned for objectionable content using a pre-defined list of words, and a configurable action is taken.

Pattern Based Message Filters and Specific Access Patterns
Messages are checked for a match against any existing Pattern Based Message Filters (PBMF), or Specific Access Patterns (SAP) set to "Trust" or "Allow Relaying".

Trusted and Blocked Senders List
If the sender is on a user's Trusted Senders List, the message skips all remaining checks. If the sender is on a user's Blocked Senders List, the message is rejected or discarded, depending on the configuration.

Attachment Content Scanning
Deep scanning is performed on attachments for blocked words and phrases.

Encryption
If enabled, outbound messages are encrypted before being delivered.

Anti-Spam Processing
If the message arrives from an "untrusted" source, it is processed for spam by the Intercept Anti-Spam engine. All enabled Intercept features contribute to the final spam score of a message.

Mail Mappings
The message is now accepted for processing and the following occurs:
If the recipient address is not for a domain or sub-domain for which eprism is configured to accept mail (either as an inbound mail route or a virtual domain), the message is rejected.
If the recipient address is mapped in the Mail Mappings table, the "To" field in the message header is modified as required.

Virtual Mappings
The message is now examined for a match in the Virtual Mapping table. If a mapping is found, the envelope recipient field is modified as required. LDAP virtual mappings are then processed. Virtual mappings are useful for the following:
Acting as a wildcard mail mapping, such as directing any user at example.com to mail.example.com. You can create exceptions to this rule in the mail mappings for particular users.
ISPs that need to accept mail for several domains, where the envelope recipient field must be rewritten for further delivery.
To deliver to internal servers, use Mail Delivery > Routing > Mail Routing instead. In all cases, mappings rely on successful DNS lookups for an MX record.
Relocated Users
When mail is sent to an address that is listed in the relocated user table, the message is bounced back with a notice informing the sender of the relocated user's new contact information.

Mail Aliases
When mail needs to be delivered locally, the local delivery agent runs each local recipient name through the aliases database. An alias results in a new mail message being created for the named address or addresses. This new message is then entered back into the system to be mapped, routed, and so on. The same process applies to local user accounts for which a "forwarder address" has been configured; such accounts are treated like aliases. Local aliases are typically used to implement distribution lists, or to direct mail for standard aliases such as "postmaster" to a specific account. LDAP aliases are then processed. LDAP functionality can be used to search for mail aliases on directory services such as Active Directory.

Mail Routing
During the mail routing process, no modification is made to the mail header or the envelope. A mail route specifies two things:
Which domains eprism will accept mail for (other than itself).
Which hosts the mail should be delivered to.
The message is now delivered to its destination. See Message Processing Order on page 369 for a summary of the message processing order.
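The distinction between the rewriting stages above (Mail Mappings touch the header To field, Virtual Mappings touch the envelope recipient, aliases create a new message that re-enters the pipeline, and routing changes nothing) is the part most often misunderstood, so here is an added Python model of the order, written for this page rather than taken from eprism. Every table in it is constructed; LDAP-backed mappings and aliases are omitted, and an alias loop is included deliberately to show why the re-entry step needs a guard.

```python
"""
Toy model of the recipient rewriting order described above: domain acceptance,
Mail Mappings (header To), Virtual Mappings (envelope recipient), Relocated
Users, alias expansion that re-enters the pipeline, then Mail Routing.
Added example, not eprism code; every table below is constructed.
"""


class RelayDenied(Exception):
    """Recipient domain is not one eprism accepts mail for."""


class RelocatedBounce(Exception):
    """Recipient is in the relocated user table; str(e) is the new address."""


class AliasLoop(Exception):
    """Alias expansion came back to an address already being expanded."""


# Mail routes: domain -> (route-to host, "Sub" flag for subdomains).
MAIL_ROUTES = {
    "example.com": ("mail.internal.example.com", True),
    "example.org": ("mail.example.org", False),
}
# Mail Mappings rewrite the header To field only.
MAIL_MAPPINGS = {"sales@example.com": "team-sales@example.com"}
# Virtual Mappings rewrite the envelope recipient; "@domain" keys act as wildcards.
VIRTUAL_MAPPINGS = {"@example.org": "@example.com"}
# Local aliases expand to one or more addresses that re-enter the pipeline.
ALIASES = {
    "postmaster@example.com": ["admin@example.com", "ops@example.com"],
    "loop-a@example.com": ["loop-b@example.com"],   # deliberate loop for the demo
    "loop-b@example.com": ["loop-a@example.com"],
}
RELOCATED = {"old.user@example.com": "new.user@example.com"}


def domain_of(address):
    return address.rpartition("@")[2].lower()


def route_for(domain):
    """Route-to host for a domain, honouring the 'Sub' flag; None if not accepted."""
    if domain in MAIL_ROUTES:
        return MAIL_ROUTES[domain][0]
    for routed, (host, sub) in MAIL_ROUTES.items():
        if sub and domain.endswith("." + routed):
            return host
    return None


def virtual_map(rcpt):
    """Exact virtual mapping first, then a wildcard "@domain" mapping."""
    if rcpt in VIRTUAL_MAPPINGS:
        return VIRTUAL_MAPPINGS[rcpt]
    local, _, domain = rcpt.partition("@")
    wildcard = VIRTUAL_MAPPINGS.get("@" + domain)
    return local + wildcard if wildcard else rcpt


def process(envelope_rcpt, header_to, expanding=()):
    """Return [(envelope recipient, header To, route host)] for one recipient."""
    if route_for(domain_of(envelope_rcpt)) is None:
        raise RelayDenied(envelope_rcpt)
    header_to = MAIL_MAPPINGS.get(header_to, header_to)      # Mail Mappings
    envelope_rcpt = virtual_map(envelope_rcpt)                 # Virtual Mappings
    if envelope_rcpt in RELOCATED:                             # Relocated Users
        raise RelocatedBounce(RELOCATED[envelope_rcpt])
    if envelope_rcpt in ALIASES:                               # Mail Aliases
        if envelope_rcpt in expanding:
            raise AliasLoop(envelope_rcpt)
        deliveries = []
        for target in ALIASES[envelope_rcpt]:
            # The new message is entered back into the system to be mapped and routed.
            deliveries += process(target, target, expanding + (envelope_rcpt,))
        return deliveries
    # Mail Routing: neither header nor envelope changes.
    return [(envelope_rcpt, header_to, route_for(domain_of(envelope_rcpt)))]


def decide(rcpt):
    """Summarise the outcome for one recipient as a tuple that is easy to assert on."""
    try:
        return ("deliver", process(rcpt, rcpt))
    except RelayDenied:
        return ("reject", "relay denied")
    except RelocatedBounce as e:
        return ("bounce", str(e))
    except AliasLoop as e:
        return ("error", "alias loop at " + str(e))
```

The acceptance check runs on the original recipient domain, before the virtual mapping rewrites the envelope, which matches the order the guide gives: a wildcard virtual mapping for example.org only works because example.org also has a mail route.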

CHAPTER 2 Administering eprism
This chapter describes how to administer and configure basic settings for the eprism Security Gateway, and contains the following topics:
Connecting to eprism on page 28
Configuring the Admin User on page 32
Web Server Options on page 35
Customizing the eprism Interface on page 36

Connecting to eprism
To administer eprism using the web browser administrative interface, launch a web browser on your computer and enter the IP address or hostname of eprism as the URL in the location bar. Your system must be listed in your DNS server to be able to connect via the hostname.
Supported web browsers:
Microsoft Internet Explorer 6 and greater
Firefox 1.0 and greater
Mozilla 1.0 and greater
Netscape 6.0 and greater
Safari 1.0 and greater
The login screen will then appear. Enter your admin ID and password. When logged in, the main eprism Security Gateway Activity screen and main menu will appear.

Navigating the Main Menu
The main menu consists of the following main categories:

Activity
The Activity screen provides a variety of information on mail processing activity, such as the number of messages in the mail queue, the number of different types of messages received and sent, and current message activity. If you are running a HALO cluster, you will also have a Cluster Activity option that shows the activity statistics for the entire cluster.

Basic Config
The Basic Config menu allows you to configure some of the basic settings for eprism, including:
Admin Account
Alarms
Customization
Directory Services (LDAP)
Network
Performance
Static Routes
SNMP Configuration
Web Server Configuration
Virtual Interfaces

Mail Delivery
The Mail Delivery menu allows you to configure the features that affect mail delivery, including all mail security and anti-spam settings. It includes the following features:
Anti-Spam (Intercept)
Anti-Virus
Outbreak Control
Content Management
Mail Access
Threat Prevention
Policy
SMTP Security
Encryption
Archiving
Delivery Settings
Routing
DomainKeys Signing

User Accounts
The User Accounts menu allows you to create local accounts on eprism and enable POP and IMAP access. Management of mirrored user accounts created by LDAP, Remote Authentication, and Secure WebMail is also configured here. It includes the following features:
Local Accounts
Mirrored Accounts (only displayed if mirrored accounts exist)
Relocated Users
Vacations
POP3 and IMAP
Secure WebMail
Remote Authentication
SecurID Configuration

HALO
The HALO (High Availability and Load Optimization) menu is used to configure and manage clustered eprism systems, and includes the following features:
Cluster Administration
Queue Replication
F5 Integration

Status/Reporting
The Status/Reporting menu allows you to view the current status of system services, manage your mail queue and the quarantine area, and review reports and logs. The menu includes the following features:
Status & Utility
Mail Queue
Quarantine
Reporting
System Logs
Problem Reporting
Health Check
Threat Prevention Status

Management
The Management menu contains options for various eprism system administration tasks such as backup and restore, license management, and software updates. The menu includes the following features:
Backup & Restore
Centralized Management
License Management
Reboot & Shutdown
Software Updates
Security Connection
SSL Certificates

eprism System Console
You can access the eprism system console by connecting a monitor and keyboard to eprism. The system console provides a limited subset of administrative tasks and is only recommended for use during initial installation and network troubleshooting. Routine administration should be performed via the web browser administration interface. When accessing the system console, you will be prompted for the UserID and Password of the administrative user. See Using the eprism System Console on page 363 for more detailed information on using the system console.

Configuring the Admin User
The primary admin account is created during the eprism installation. Select Basic Config > Admin Account from the menu to modify the password or strong authentication methods for the admin user.
It is recommended that you create additional admin users and use those accounts to manage eprism instead of the primary admin account. The primary admin account password should then be written down and stored in a safe and secure place.

Login Lockout
If the login credentials for an admin user are entered incorrectly five times in a row, the account is locked out for 30 minutes. The lockout can also be cleared by rebooting eprism.

Strong Authentication
You can also configure strong authentication for the admin user. These methods of authentication require a hardware token that provides a response to the login challenge. You can choose between the following types of secure authentication tokens:
CRYPTOCard
SafeWord
SecurID
Once selected, a configuration wizard will guide you through the steps to configure the token for the specified authentication method. See Strong Authentication on page 200 for more information on strong authentication methods.

Adding Additional Administrative Users
There is only one primary admin user account, but additional administrative users can be added using Tiered Administration. This allows you to configure another user with Full Admin rights, or with granular permissions that grant admin rights only to certain eprism options. For example, you may want to add a user who can administer reports or vacation notifications, but has no other administrative access. Granting full or partial admin access to individual user accounts also means that actions performed by administrators are logged under an identifiable UserID that can be tracked by the system.
A user with Full Admin privileges cannot modify the profile of the default Admin user. They can, however, edit other users with Full Admin privileges.
Add an administrative user as follows:
1. From the Basic Config > Admin Account screen, click the Add Admin User button.
2. Enter a User ID, an optional email address to forward mail to, and a password. You can also set strong authentication methods, if required.
3. At the bottom of the Add a New User screen is a section for Administrator Privileges.
4. Select the required administrative access for the user:
Full Admin: The user has administrative privileges equivalent to the admin user.
Administer Aliases: The user can add, edit, remove, upload and download aliases (not including LDAP aliases).

Administer Filter Patterns: The user can add, edit, remove, upload and download Pattern Based Message Filters and Specific Access Patterns.
Administer Mail Queue: The user can administer mail queues.
Administer Quarantine: The user can view, delete, and release quarantined files.
Administer Reports: The user can view, configure and generate reports, and view system activity.
Administer Users: The user can add, edit, and relocate user mailboxes (except those of Full Admin users), including uploading and downloading user lists. User vacation notifications can also be configured.
Administer Vacations: The user can edit local users' vacation notification settings and other global vacation parameters.
Mail History: The user can view the mail history database.
View Activity: The user can view the Activity page and start and stop mail services. Individual emails can only be viewed if Mail History is also enabled.
View System Logs: The user can view all system log files.
See Tiered Administration on page 209 for more information on configuring admin access.
Admin Login and WebMail access must be enabled on the network interface that will be used by tiered administration users. This is set in the Basic Config > Network screen.

Web Server Options
The Web Server Options screen defines the settings used for connecting to eprism via the web browser administrative interface. By default, eprism's web server uses port 80 for HTTP requests and port 443 for HTTPS requests. For secure WebMail and administration sessions, it is recommended that you leave the default SSL encryption enabled to force a connecting web browser to use HTTPS.
Select Basic Config > Web Server on the menu to configure your web server settings.
Admin HTTP Port: The port for HTTP requests (default 80).
Admin HTTPS Port: The port for HTTPS requests (default 443).
Require SSL encryption: Requires SSL encryption for all user and administrator web sessions.
Allow low-grade encryption: Allows the use of low-grade encryption, such as DES ciphers with a 64-bit key length, for encrypted user and administrator web sessions. Leave this disabled unless a legacy client cannot connect otherwise.
Enable SSL version 2: Enables the SSL version 2 protocol. Note that SSL version 2 contains known security issues and should be left disabled.
Enable SSL version 3: Enables the SSL version 3 protocol. This is the default setting.
Enable TLS version 1: Enables the TLS version 1 protocol. This is the default setting.
Character set encoding: Select the type of character encoding used for HTML data.
Note that SSL version 3 has since also been shown to be insecure (the POODLE attack, 2014) and TLS 1.0 has been deprecated (RFC 8996); where the installed software supports it, prefer TLS 1.2 or later and disable the older protocols.

Customizing the eprism Interface
The eprism interface logos can be customized by uploading your own organization's logos to replace the eprism logo on the main login screen, the administration screen logo, and the eprism Mail Client logo. Administrators can also customize the login page title of the administrative session screen.
Customize a logo as follows:
1. Select Basic Config > Customization on the menu to customize the eprism logos.
2. Click Browse to choose a file, and then click Next to upload the file.
Revert to the default eprism graphic by selecting the Default Logo button. Most graphic formats are supported, but it is recommended that you use graphics suitable for web page viewing, such as GIF and JPEG. The maximum file size is 32k.
TABLE 1. Recommended Image Sizes
Logo Type                   Size in Pixels
Main Screen Logo            285 x 85
Admin Screen Small Logo     191 x 57
eprism Mail Client Logo     94 x 28

CHAPTER 3 Configuring Mail Delivery Settings
This chapter describes how to configure network and mail delivery settings for the eprism Security Gateway, and contains the following topics:
Network Settings on page 38
Virtual Interfaces on page 42
Static Routes on page 45
Mail Routing on page 46
Mail Delivery Settings on page 48
Mail Aliases on page 53
Mail Mappings on page 55
Virtual Mappings on page 57

Network Settings
The basic networking information needed to get eprism up and running on the network is configured at installation time. To perform more advanced network configuration and to configure other network interfaces, use the Basic Config > Network settings screen. From the network settings screen you can modify the following items:
Hostname and Domain information
Default Gateway
Syslog Host
DNS and NTP servers
Network Interface IP Address and feature access settings
Clustering and Queue Replication interface configuration
Support Access settings
If you make any modifications to your network settings, you must reboot eprism. The system will prompt you to restart after you click the Apply button.

Configuring Network Settings
Select Basic Config > Network on the menu to configure eprism's network settings.
Hostname: Enter the hostname (not the Fully Qualified Domain Name) of the eprism Security Gateway, such as the hostname eprism in eprism.example.com.
Domain: Enter the domain name, such as example.com.
Gateway: Enter the IP address of the default route for eprism. This is typically the external router connected to the Internet, or the network firewall's interface if eprism is located on the DMZ.
Syslog Host: eprism can log to a specific syslog host. A syslog host collects and stores log files from many sources. Enter the IP address of the syslog server that will receive all logs from eprism.

Name Server: At least one DNS name server must be configured for hostname resolution, and it is recommended that secondary name servers be specified in case the first DNS server is unavailable. DNS servers can be queried either in strict order as specified in the configuration, or by fastest response. If "Strict Ordering" is selected, the DNS servers are queried in the order they are configured; if the first DNS server is unavailable, the next server in the list is queried. In "Favor Fastest" mode, eprism uses DNS caching to determine which of the configured DNS servers is responding fastest. This is the default mode and provides the best performance in most cases.
NTP Server: NTP is critical for accurate timekeeping on the eprism Security Gateway. Entering a valid NTP server ensures that the server time is synchronized. It is recommended that secondary NTP servers be specified in case the primary NTP server is unavailable.

Network Interfaces
Enter the required settings for each network interface. You can enter information for up to four interfaces. Some of the following options are not displayed unless the related feature is enabled.
IP Address: Enter an IP address for this interface.
Netmask: Enter the netmask for this interface.
Media: Select the type of network card. Use Auto select for automatic configuration.
Large MTU: Sets the MTU (Maximum Transfer Unit) to 1500 bytes. This may improve performance when connecting to servers on the local network. The default is 576 bytes. For most organizations, the default of 576 bytes is adequate. This option should only be changed if needed, and with the involvement of a Technical Support representative.

Respond to Ping: Allows ICMP ping requests to this interface. This lets you perform network connectivity tests to this interface, but makes the interface more exposed to ping-based denial of service attacks.
Trusted Subnet: If selected, all hosts on this subnet are considered trusted for relaying and anti-spam processing. Select this only for subnets whose hosts you control, since trusted hosts can relay outbound mail through eprism and bypass anti-spam checks.
Admin Login: Allows access to this interface for administrative purposes.
WebMail: Allows access to WebMail via this interface.
IMAPS Server: Allows secure access to eprism's internal IMAP server via this interface.
IMAP Server: Allows access to eprism's internal IMAP server via this interface.
POP3S Server: Allows secure access to eprism's internal POP3 server via this interface.
POP3 Server: Allows access to eprism's internal POP3 server via this interface.
POP and IMAP settings are only displayed if enabled in User Accounts > POP3 and IMAP.
SNMP Agent: Allows access to the SNMP agent via this interface.

Advanced Parameters
The following advanced networking parameters are TCP extensions that affect the performance and reliability of communications.
Enable RFC 1323: Enables the TCP extensions for high performance (window scaling and timestamps) that improve throughput and reliability on high-speed paths. This is enabled by default, and should only be disabled if you experience networking problems with certain hosts.
Enable RFC 1644: Enables an experimental TCP extension (T/TCP) for efficient transaction-oriented (request/response) service. This is disabled by default and should be left disabled; the extension was never widely deployed and has since been reclassified as Historic (RFC 6247).
Path MTU Discovery (RFC 1191): Disable Path MTU (Maximum Transfer Unit) discovery if required to resolve delivery problems when interconnecting with specific firewalls and SMTP proxies. Path MTU discovery is enabled by default.

Clustering
The Clustering section is used to enable clustering on a specific network interface. See HALO (High Availability and Load Optimization) on page 265 for more information on configuring clustering.
Enable Clustering: Select the check box to enable clustering on this eprism system.
Cluster Interface: Select the interface on which to enable clustering.

Support Access
Enable Support Access, if required, to allow St. Bernard Technical Support to connect to this system from the specified IP address. This setting does not need to be enabled during normal usage; enable it only when requested by St. Bernard Technical Support, and disable it again once the support session is complete. This option only appears if you have installed the Support Access patch in Management > Software Updates.
For security reasons, Support Access communications use SSH (Secure Shell) to establish a secure connection with public key (PKI) authentication on a non-standard network port. Support Access only allows a connection to be made from the St. Bernard network.

Virtual Interfaces
Virtual Interfaces are used by eprism to define additional interfaces and IP addresses for sending and receiving mail for specific domains. These Virtual Interfaces are associated with the existing physical network interfaces on eprism.
eprism sends all outbound email for a specific domain using the IP address specified for that domain in the Virtual Interfaces configuration. eprism selects the Virtual Interface to use for outgoing mail by matching the sender's domain to the domains associated with the configured Virtual Interfaces. If no Virtual Interface domain matches the sender's domain, or if using the Virtual Interface would result in a non-routable network connection, eprism sends the mail via its normal outbound interface.
eprism also accepts inbound email arriving at a Virtual Interface's IP address. When a mail server connects to SMTP port 25 on a Virtual Interface, the customized banner for that interface is sent. If no banner has been specified, the default eprism banner is used (configured via Mail Delivery > Mail Access).
Only TCP port 25 can be used for sending and receiving mail on a Virtual Interface.
Virtual Interfaces can be pinged if ping is enabled on the corresponding physical network interface. Due to their nature, Virtual Interfaces cannot be pinged from the Status and Utility screen on eprism.
Domains using Virtual Interfaces can be used with eprism's Domain-based Policies to provide flexibility in creating security and content policies for specific domains.
Network Routing of Virtual Interfaces
Virtual Interfaces are routed as follows, in order of preference:
via a physical interface that shares the same subnet as the Virtual Interface
via the physical interface that can reach the gateway host specified in a matching static route
via the current default route (through the physical interface that connects to the default router)
For an eprism with the following characteristics:
Interface 1: /24
Interface 2: /16
Default Gateway/Router: 
Adding a Virtual Interface of will route via Interface 1.
Adding a Virtual Interface of will route via Interface 2.
Adding a Virtual Interface of will route via Interface 2 through the default gateway.
If the Virtual Interface has no corresponding physical interface displayed, there is no valid route through any physical interface and the Virtual Interface will be disabled.
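Because the guide's example addresses did not survive on this page, here is an added Python example, not eprism code, that applies the three routing rules above to a constructed topology: two physical interfaces, one static route, and a default gateway. The interface names, address ranges and the static route are all assumptions chosen for the demonstration; the function returns None for exactly the case the guide describes as "no corresponding physical interface", where eprism disables the Virtual Interface.

```python
"""
Egress selection for a Virtual Interface address, following the three-rule
order given above. Added example, not eprism code; the interfaces, static
routes and gateway addresses are constructed for the demonstration.
"""
import ipaddress

# Constructed topology: (name, address/prefix) of each physical interface.
INTERFACES = [
    ("Interface 1", "192.0.2.1/24"),
    ("Interface 2", "10.0.0.1/16"),
]
# Constructed static routes: (destination network, gateway host).
STATIC_ROUTES = [("172.16.0.0/12", "10.0.5.1")]
DEFAULT_GATEWAY = "192.0.2.254"


def interface_for(addr, interfaces):
    """Name of the physical interface whose subnet directly contains addr, or None."""
    for name, cidr in interfaces:
        if addr in ipaddress.ip_interface(cidr).network:
            return name
    return None


def select_egress(vip, interfaces=INTERFACES, static_routes=STATIC_ROUTES,
                  default_gateway=DEFAULT_GATEWAY):
    """Return (interface name, how) for a Virtual Interface address.

    None means no physical interface can reach the address: eprism would show
    no corresponding physical interface and disable the Virtual Interface.
    """
    vip = ipaddress.ip_address(vip)
    # 1. A physical interface on the same subnet as the Virtual Interface.
    name = interface_for(vip, interfaces)
    if name:
        return (name, "directly connected")
    # 2. A static route covering the address (most specific first), taken via
    #    whichever interface can reach that route's gateway host.
    routes = sorted(static_routes,
                    key=lambda r: ipaddress.ip_network(r[0]).prefixlen, reverse=True)
    for net, gw in routes:
        if vip in ipaddress.ip_network(net):
            name = interface_for(ipaddress.ip_address(gw), interfaces)
            if name:
                return (name, "static route via " + gw)
    # 3. The default route, via the interface that reaches the default router.
    name = interface_for(ipaddress.ip_address(default_gateway), interfaces)
    if name:
        return (name, "default route via " + default_gateway)
    return None
```

The last branch is worth checking before uploading a Virtual Interface list: if the default gateway itself is not on any physical interface's subnet (for example after a readdressing), every Virtual Interface outside the directly connected and statically routed ranges is disabled at once.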

Configuring Virtual Interfaces
To configure Virtual Interfaces, select Basic Config > Virtual Interfaces on the menu. Administrators must upload a Virtual Interface list in CSV format that contains comma- or tab-separated entries in the form:
[domain],[IP address],[Banner message]
For example:
example1.com, ,example1.com ESMTP
eprism supports up to 175 Virtual Interfaces. This feature does not currently support IDN (Internationalized Domain Names).
The file (vip.csv) should be created in CSV format using Excel, Notepad or another Windows text editor. It is recommended that you download the file first by clicking the Download File button, edit it as required, and upload it using the Upload File button.
A standards-compliant banner should, at minimum, contain the domain name and the keyword ESMTP, such as "example.com ESMTP". Extra informational text after the ESMTP keyword is optional, such as "example.com ESMTP Authorized Users Only".

Mail Routing
Each domain that will be used with Virtual Interfaces must have a mail route defined via Mail Delivery > Routing > Mail Routing to route mail to a destination mail server. Virtual mappings can also be used for mail routing.

DNS MX records must be published for any Virtual Interfaces. Local network devices such as the default external router must also be properly configured to route traffic to and from the Virtual Interfaces.

Virtual Interfaces and Trusts
Email arriving via a Virtual Interface is considered "Untrusted" by eprism for Anti-Spam and security processing. To configure a client as "Trusted", use a Specific Access Pattern or Pattern Based Message Filter (PBMF) to trust the client connecting on that Virtual Interface.
To trust a client using a Specific Access Pattern:
1. Select Mail Delivery > Mail Access on the menu.
2. Click the Add Pattern button.
3. Enter the IP address of the client in the Pattern field.
4. Select the Client Access check box.
5. Select "Trust" in the If pattern matches field.
6. Click the Apply button.

Static Routes
Static routes are required if the mail servers to which mail must be relayed are located on another network, such as behind an internal router or firewall, or reached via a VPN. Select Basic Config > Static Routes to configure your static routes.
To add a new static route, enter the network address, netmask and gateway for the route, and then click New Route.

Mail Routing
By default, eprism accepts mail addressed directly to it and delivers it to local eprism mailboxes. You can configure additional domains for eprism to accept and route mail for using the Mail Routing menu. Select Mail Delivery > Routing > Mail Routing from the menu to set up mail routes.
Sub: Select this check box to accept and relay mail for subdomains of the specified domain.
Domain: Enter the domain for which mail is to be accepted, such as example.com.
Route-to: Enter the address of the server to which mail will be delivered. When using a FQDN, the corresponding DNS record is looked up.
Port: Enter the port number of the SMTP server if it is different from the default port number of 25. The port number must be between 1 and
MX (Optional): Select the MX check box if you need to look up the mail routes in DNS before delivery. If this is not enabled, MX records are ignored. Generally, you do not need to select this item unless you are using multiple mail server DNS entries for load balancing/failover purposes. With the MX check enabled, DNS allows the request to be sent to the next mail server in the list.
KeepOpen (Optional): Select the KeepOpen check box to ensure that each mail message to the domain is not removed from the active queue until delivery is attempted, even if the preceding mail failed or was deferred. This setting gives local mail servers higher priority. The KeepOpen option should only be used for domains that are usually very reliable. If the domain is unavailable, it may cause system performance problems due to excessive error conditions and deferred mail.
A list of domains can also be uploaded in one text file. The file must contain comma- or tab-separated entries in the form:
[domain],[route],[port],[ignore_mx],[subdomains_too],[keep_open]
For example:
example.com, ,25,on,off,off

The file (domains.csv) should be created in CSV format using Excel, Notepad or another Windows text editor. It is recommended that you download the domain file first by clicking Download File, edit it as required, and upload it using the Upload File button.

LDAP Routing
Click the LDAP Routing button to define mail routes using an LDAP directory server. This is the preferred method of mail routing for organizations with a large number of domains. See LDAP Routing on page 76 for more detailed information on using LDAP for mail routing.

Adding Rules for Relays
To allow internal mail systems to relay mail outbound via eprism, a Specific Access Pattern must be set up for the system:
1. Select Mail Delivery > Mail Access on the menu.
2. Click the Add Pattern button.
3. Enter the IP address of the system, and select Client Access.
4. Set the If pattern matches field to "Trust".
Trust only the specific addresses of your internal mail servers; a pattern that trusts a broad range of clients turns eprism into an open relay for that range.
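Both upload formats on these pages (the Virtual Interface list in vip.csv, and the mail routing list in domains.csv) are accepted as free-form text, and a malformed row is easier to catch before uploading than after. The following is an added Python validator for both formats, written for this page rather than taken from eprism. It assumes the port upper bound is 65535 (the guide's own figure is not reproduced on this page), that the three flag fields in domains.csv take the values "on" or "off" as in the guide's example row, and that a banner must carry the ESMTP keyword as its second word; the sample files embedded at the end are constructed.

```python
"""
Validator for the two upload formats described above:
  vip.csv:     [domain],[IP address],[banner]
  domains.csv: [domain],[route],[port],[ignore_mx],[subdomains_too],[keep_open]
Added example, not eprism code. Assumptions: port upper bound 65535, flag fields
are "on"/"off", and the sample files below are constructed.
"""
import csv
import ipaddress

MAX_VIRTUAL_INTERFACES = 175
FLAGS = {"on", "off"}


def parse_rows(text):
    """Split a comma- or tab-separated upload into stripped field lists; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        delimiter = "\t" if "\t" in line else ","
        rows.append([f.strip() for f in next(csv.reader([line], delimiter=delimiter))])
    return rows


def validate_vip_csv(text):
    """Return a list of problems with a Virtual Interface upload (empty list = OK)."""
    errors = []
    rows = parse_rows(text)
    if len(rows) > MAX_VIRTUAL_INTERFACES:
        errors.append(f"{len(rows)} entries exceed the limit of {MAX_VIRTUAL_INTERFACES}")
    for n, row in enumerate(rows, 1):
        if len(row) != 3:
            errors.append(f"line {n}: expected 3 fields, got {len(row)}")
            continue
        domain, ip, banner = row
        if not domain.isascii():            # IDN is not supported by this feature
            errors.append(f"line {n}: IDN domain {domain!r} is not supported")
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"line {n}: invalid IP address {ip!r}")
        words = banner.split()
        if len(words) < 2 or words[1] != "ESMTP":
            errors.append(f"line {n}: banner should read '<hostname> ESMTP ...', got {banner!r}")
    return errors


def validate_domains_csv(text):
    """Return a list of problems with a mail routing upload (empty list = OK)."""
    errors = []
    for n, row in enumerate(parse_rows(text), 1):
        if len(row) != 6:
            errors.append(f"line {n}: expected 6 fields, got {len(row)}")
            continue
        domain, route, port, ignore_mx, subdomains_too, keep_open = row
        if not domain or not route:
            errors.append(f"line {n}: domain and route are required")
        if not (port.isdigit() and 1 <= int(port) <= 65535):   # assumed upper bound
            errors.append(f"line {n}: port {port!r} must be between 1 and 65535")
        for label, flag in (("ignore_mx", ignore_mx), ("subdomains_too", subdomains_too),
                            ("keep_open", keep_open)):
            if flag not in FLAGS:
                errors.append(f"line {n}: {label} must be 'on' or 'off', got {flag!r}")
    return errors


# Constructed sample uploads (not from the guide); the second vip row is tab-separated.
SAMPLE_VIP = (
    "example1.com,192.0.2.10,example1.com ESMTP\n"
    "example2.com\t192.0.2.11\texample2.com ESMTP Authorized Users Only\n"
)
SAMPLE_ROUTES = (
    "example.com,192.0.2.20,25,on,off,off\n"
    "example.org,mail.example.org,2525,off,on,on\n"
)
```

Running validate_vip_csv(SAMPLE_VIP) and validate_domains_csv(SAMPLE_ROUTES) returns an empty list for both samples; a row with a non-ASCII domain, an unparsable address, a banner without ESMTP, a port outside the range, or a flag other than on/off is reported with its line number.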

Mail Delivery Settings
The Mail Delivery settings screen allows you to configure parameters related to accepting, relaying and delivering mail messages. Select Mail Delivery > Delivery Settings on the menu to configure the following parameters:

Delivery Settings
Maximum time in mail queue: Enter the number of days a message stays in the queue before being returned to the sender as "undeliverable".
Maximum time in queue for bounces: Enter the number of days a system-generated bounce message (from MAILER-DAEMON) is queued before it is considered undeliverable. The default is 5 days. Set this value to 0 to attempt delivery of bounce messages only once.
Maximum original message text in bounces: Enter the maximum amount (in bytes) of original message text that is sent in a non-delivery notification. Range is 10 to
If this field is left blank, the default is 5000 bytes.
Time before delay warning: Number of hours before issuing the sender a notification that mail is delayed.
Time to retain undeliverable notice mail: The number of hours to keep undeliverable notice mail addressed to an external mail server's MAILER-DAEMON. These messages are typically notifications sent to mail servers with invalid return addresses and can be safely purged. Leave this value blank for no special processing.

Deliver mail to local users: Disable this option to prevent mail delivery to local accounts configured on this eprism. The postmaster (admin) account is not affected by this setting.

Gateway Features
Masquerade Addresses: Masquerades internal hostnames by rewriting headers to include only the address of the eprism.
Strip Received Headers: Strips all Received headers from outgoing messages.

Default Mail Relay
Relay To (Optional): Enter an optional hostname or IP address of a mail server (not this eprism system) to which mail is relayed for all email with unspecified destinations. A recipient's domain is checked against the Mail Routing table, and if no destination is specified there, the email is sent to the Default Mail Relay server for delivery. This option is usually used when eprism cannot deliver directly to remote mail servers. If you are setting up this mail server as a dedicated webmail system, and all mail originating from this system should be forwarded to another mail server for delivery, specify the destination mail server here. Do NOT enter the name of your eprism system, as this will cause a relay loop.
Ignore MX record: Enable this option to prevent an MX record lookup for this host and force the relay settings.
Enable Client Authentication: Enables client SMTP authentication for relaying mail to another mail server. This option is only used in conjunction with the default mail relay feature. It allows eprism to authenticate to the server that it uses to relay mail. With this configuration, connections to the default mail relay are authenticated, while connections to other mail routes are not.
User ID: Enter a User ID to log in to the relay mail server.
Password: Enter and confirm a password for the specified User ID.

BCC All Mail
eprism offers an archiving feature for organizations that require storage of all email that passes through their corporate mail servers. This option sends a blind carbon copy (BCC) of each message that passes through eprism to the specified address. This address can be local or on any other system. Once copied, the mail can be managed and archived from this account. You must also specify an address that will receive error messages if there are problems delivering the BCC mail.

Very Malformed Mail
Specify the action to be performed when a very malformed message is detected by the system. A very malformed message may cause scanning engine latency. Possible actions:
Just log: Log the event and take no further action.
Quarantine mail: The message is placed into quarantine.
Temporarily Reject Mail: Returns a temporary error to the sending server and does not accept the mail. The sending server can attempt delivery again after a period of time.
Reject mail: The message is rejected with notification to the sending system.
Discard mail: The message is discarded without notification to the sending system.
Select the Notify check box to send notifications using the malformed notification settings (configured via Mail Delivery > Content Management > Malformed Mail) when the action specified above is performed (except for Just log).
Mail that is very malformed has not been virus scanned, or filtered for attachments and spam, so the "Just log" action lets such messages through unscanned.

Annotations and Delivery Warnings
Administrators can enable and customize Annotations that are appended to all emails, and customize Delivery Failure and Delivery Delay warning messages. Some mail clients display notifications and annotations as attachments to a message rather than in the message body. Separate annotations can be enabled for different users, domains, and groups using Policies. See Policy Management on page 219 for information on creating policies and configuring separate annotations.

The variables in the messages, such as %PROGRAM% and %HOSTNAME%, are local system settings that are automatically substituted at the time the message is sent. See Customizing Notification and Annotation Messages on page 371 for a full list of variables that can be included.

Advanced Delivery Options

Click the Advanced button on the Mail Delivery > Delivery Settings screen to reveal advanced options for Advanced SMTP Settings, SMTP Notifications, and the Received Header.

Advanced SMTP Settings

The following advanced SMTP settings can be configured:

SMTP Pipelining
    Select the check box to disable SMTP pipelining when delivering mail. Some mail servers have problems with SMTP command pipelining, and you may have to disable this feature for them.

ESMTP
    Select the check box to disable ESMTP (Extended SMTP) when delivering mail. Some mail servers do not support ESMTP, and you may have to disable this option if you experience problems. Caution: disabling ESMTP also disables TLS encryption on outgoing connections.

HELO required
    Enable this option to require clients to initiate their SMTP session with a standard HELO/EHLO sequence. It is recommended that you leave this feature enabled. It should only be disabled when experiencing problems with sending hosts that do not use a standard HELO message.

Content Reject Message
    This is the text part of the SMTP 552 error message reported to clients when message content is rejected because the maximum message size has been exceeded.

Multiple Recipient Reject Mode
    Indicates the reject handling of messages with multiple recipients. This option only applies to features with reject actions, such as Malformed and Very Malformed Mail, Attachment Control, Attachment Scanning, PBMF, OCF, Anti-Virus, and Intercept Anti-Spam, including those used within a policy. The options are as follows:

    All: Reject the message only if all recipients reject it. If some but not all of the recipients reject the message, the message is discarded without notification to the sender for those recipients that rejected it.
    Any: Reject the message if any recipient rejects it.
    Never: The message is never rejected, regardless of any configured reject actions. For recipients that rejected the message, the message is discarded without notification to the sender.

Send EHLO
    Always send EHLO when communicating with another server, even if its banner does not include ESMTP. Disable EHLO if you are experiencing communication problems with specific SMTP servers. Disabling EHLO disables TLS/SSL encryption.

SMTP Notification

Administrators can select the types of notification that are sent to the postmaster account. Serious problems such as Resource or Software issues are selected by default for notification.

Resource
    Mail not delivered due to resource problems, such as queue file write errors.
Software
    Mail not delivered due to software problems.
Bounce
    Send the postmaster copies of undeliverable mail. If mail is undeliverable, a single bounce message is sent to the postmaster with a copy of the message that was not delivered. For privacy reasons, the postmaster copy is truncated after the original message headers. If a single bounce message is itself undeliverable, the postmaster receives a double bounce message with a copy of the entire single bounce message.
Delay
    Inform the postmaster of delayed mail. In this case, the postmaster receives message headers only.
Policy
    Inform the postmaster of client requests that were rejected because of (UCE) policy restrictions. The postmaster receives a transcript of the entire SMTP session.
Protocol
    Inform the postmaster of protocol errors (client or server), or attempts by a client to execute unimplemented commands. The postmaster receives a transcript of the entire SMTP session.
Double Bounce
    Send double bounced messages to the postmaster.

Received Header

The Received Header is the mail server information displayed in the Received: mail header of a message. The default can be changed to a more generic identifier so that the Received: header does not disclose mail server details to attackers.
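
As an added example (not code from the eprism guide), the following Python works out what the three Multiple Recipient Reject Mode values do to one message whose per-recipient scans disagree. The RejectMode, Outcome and resolve names, and the verdict map, are assumptions made for the illustration. The audit lines the outcome returns list the recipients for whom the message was silently discarded, which is the case an operator has to log, because the sender is never told.

```python
from dataclasses import dataclass, field
from enum import Enum


class RejectMode(Enum):
    """The three values of Multiple Recipient Reject Mode."""
    ALL = "all"
    ANY = "any"
    NEVER = "never"


@dataclass
class Outcome:
    reject: bool                                   # whole message refused, sender notified
    deliver: list = field(default_factory=list)    # recipients who receive the message
    discard: list = field(default_factory=list)    # recipients for whom it is silently dropped

    def audit_lines(self, queue_id):
        """Log lines an operator would want; discards never generate a bounce."""
        if self.reject:
            return ["%s: rejected for all recipients" % queue_id]
        return ["%s: discarded for %s (no sender notification)" % (queue_id, r)
                for r in self.discard]


def resolve(mode, verdicts):
    """verdicts maps recipient -> True if that recipient's policy (Attachment
    Control, PBMF, Anti-Virus, ...) produced a reject action for this message."""
    if not verdicts:
        raise ValueError("message has no recipients")
    rejecting = sorted(r for r, v in verdicts.items() if v)
    accepting = sorted(r for r, v in verdicts.items() if not v)
    if mode is RejectMode.ANY and rejecting:
        return Outcome(reject=True)
    if mode is RejectMode.ALL and not accepting:
        return Outcome(reject=True)
    # ALL with mixed verdicts, or NEVER: deliver to the accepting recipients and
    # discard without notification for the rejecting ones
    return Outcome(reject=False, deliver=accepting, discard=rejecting)


if __name__ == "__main__":
    # constructed verdicts: one recipient's policy rejects, the other's accepts
    verdicts = {"alice@example.com": True, "bob@example.com": False}
    for mode in RejectMode:
        print(mode.value, resolve(mode, verdicts), sep=": ")
```

With the mixed verdicts above, Any refuses the whole message, while All and Never both deliver to bob@example.com and drop alice@example.com's copy without any bounce; only the audit line records that the drop happened.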

Mail Aliases

When mail is to be delivered locally, the delivery agent runs each local recipient name through the aliases database. If an alias exists, a new mail message is created for the named address or addresses. This mail message is returned to the delivery process to be mapped, routed, and so on. The same process applies to local user accounts with a specified "forwarder address"; such local user accounts are treated as aliases.

Local aliases are typically used to implement distribution lists, or to direct mail for standard aliases such as postmaster to real user mailboxes. For example, the alias postmaster could resolve to the local mailboxes admin1@example.com and admin2@example.com. For distribution lists, an alias called sales@example.com can be created that points to all members of the sales organization of a company.

Configuring Mail Aliases

Click Mail Delivery > Routing > Mail Aliases on the menu to configure aliases. Click on an entry to edit an existing alias.

Adding a Mail Alias

Click the Add Alias button to add a new alias.

The specified alias name must be a valid local mailbox on this eprism system. Enter the corresponding mail address for the alias. Click the Add More Addresses button to enter multiple addresses for this alias.

Uploading Alias Lists

A list of aliases can also be uploaded in one text file. The file must contain comma or tab separated entries in the form:

    [alias],[mail_address]

For example:

    sales,fred@example.com
    info,mary@example.com

The file (alias.csv) should be created in CSV format using Excel, Notepad, or another Windows text editor. It is recommended that you download the current mail alias file first by clicking Download File, edit it as required, and upload it using the Upload File button.

LDAP Aliases

Click the LDAP Aliases button to configure and search for aliases using LDAP. This allows you to search LDAP-enabled directories such as Active Directory for mail aliases. See LDAP Aliases on page 67 for more information on LDAP Aliases.
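
As an added example (not eprism's own code), the following Python reads an alias.csv in the documented [alias],[mail_address] form, accepting comma or tab separators, and expands a local recipient through the alias database the way the delivery agent described above does. Aliases that point at other local aliases are expanded again, and an alias chain that loops back on itself is refused instead of being followed forever, the same failure mode as the relay loop the Default Mail Relay section warns about. The file content, the local domain and the function names are constructed for the example.

```python
import csv

LOCAL_DOMAIN = "example.com"   # assumed local domain; bare alias targets resolve here

# constructed alias.csv content in the documented [alias],[mail_address] form;
# comma and tab separators are mixed deliberately, as the upload format allows
ALIAS_CSV = """postmaster,admin1@example.com
postmaster,admin2@example.com
sales\tfred@example.com
sales,info
info,mary@example.com
loop-a,loop-b@example.com
loop-b,loop-a@example.com
"""


def load_aliases(text):
    """Parse alias rows into {alias_localpart: [target address, ...]}.
    A bare target (no @) is another local alias or mailbox."""
    aliases = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        sep = "\t" if "\t" in line else ","
        row = next(csv.reader([line], delimiter=sep))
        if len(row) != 2 or not row[0].strip() or not row[1].strip():
            raise ValueError("malformed alias row: %r" % line)
        alias, target = row[0].strip().lower(), row[1].strip().lower()
        if "@" not in target:
            target = target + "@" + LOCAL_DOMAIN
        aliases.setdefault(alias, []).append(target)
    return aliases


def expand(recipient, aliases, path=frozenset()):
    """Return the final delivery addresses for one recipient, expanding local
    aliases recursively. Raises ValueError when an alias points back at itself
    through any chain, instead of looping forever."""
    recipient = recipient.lower()
    local, _, domain = recipient.partition("@")
    if domain != LOCAL_DOMAIN or local not in aliases:
        return [recipient]                    # a real mailbox or a remote address
    if local in path:
        raise ValueError("alias loop detected at %s" % recipient)
    result = []
    for target in aliases[local]:
        for addr in expand(target, aliases, path | {local}):
            if addr not in result:            # a mailbox reached twice gets one copy
                result.append(addr)
    return result


if __name__ == "__main__":
    table = load_aliases(ALIAS_CSV)
    for rcpt in ("postmaster@example.com", "sales@example.com", "bob@example.com"):
        print(rcpt, "->", expand(rcpt, table))
    try:
        expand("loop-a@example.com", table)
    except ValueError as err:
        print("refused:", err)
```

The loop check is per chain (the path argument), not a global visited set, so a distribution list that reaches the same mailbox through two different sub-aliases is still expanded correctly and simply delivers one copy.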

Mail Mappings

Mail Mappings map an external address to an internal address and vice versa. This is useful for hiding internal mail server addresses from external users. For mail originating externally, the mail mapping translates the address in the To: and CC: mail header fields into the corresponding internal address so that the message is delivered to a specific internal mailbox. For example, mail addressed to joe@example.com can be redirected to the internal mail address joe@chicago.example.com, so that the message is delivered to the user's preferred mailbox. Similarly, mail originating internally has the address in the From:, Reply-To:, and Sender: headers modified by the mail mapping so that it appears to have come from the preferred external form of the mail address, joe@example.com.

Configuring Mail Mappings

Click Mail Delivery > Routing > Mail Mapping on the menu to configure mail address mappings. Click on an entry to edit an existing mapping.

Adding a New Mapping

Click the Add button to add a new mapping.

External mail address
    Enter the external mail address that you want converted to the specified internal address for incoming mail. The specified internal address is converted to this external address for outgoing mail.

Internal mail address
    Enter the internal mail address to which the external address is mapped for incoming mail. The internal address is converted to the specified external address for outgoing mail.

Extra internal addresses
    Enter any additional internal addresses that are included in the outgoing mail conversion. Click the Add button for each entry.

When you have finished entering your addresses, click Apply to create the mail mapping.

Uploading Mapping Lists

A list of mappings can also be uploaded in one text file. The file must contain comma or tab separated entries in the form:

    [type ("sender" or "recipient")],[map_in],[map_out],[value ("on" or "off")]

For example:

    sender,joe@chicago.example.com,joe@example.com,on

The file (mailmapping.csv) should be created in CSV format using Excel, Notepad, or another Windows text editor. It is recommended that you download the current mail mapping file first by clicking Download File, edit it as required, and upload it using the Upload File button.

Access Control via Mail Mappings

eprism can block all incoming and outgoing mail messages that do not match a configured mail mapping. This ensures that every incoming and outgoing message has a legitimate user as its destination or source. Click the Preferences button to enable Mail Mapping Access Control. If this feature is enabled, all incoming and outgoing mail is blocked unless the user has a mapping listed in the mail mappings table.

Virtual Mappings

Virtual Mappings redirect mail addressed to one domain to a different domain. This is done without modifying the To: and From: headers in the mail, because virtual mappings modify the envelope-recipient address. For example, eprism can be configured to accept mail for one address and deliver it to another. This allows eprism to distribute mail to multiple internal servers based on the recipient address of the incoming mail. Virtual Mappings are useful as a wildcard mail mapping, for example so that mail for example.com is sent to mail.example.com. You can create exceptions to this rule in the Mail Mappings for particular users. Virtual mappings are also useful for ISPs that need to accept mail for several domains, and in situations where the envelope-recipient address needs to be rewritten for further delivery.

You should review the use of Mail Routes before configuring Virtual Mappings, as routes may be more appropriate for delivering mail to internal mail servers.

Configuring Virtual Mappings

Click Mail Delivery > Routing > Virtual Mapping on the menu to configure mappings. Click on an entry to edit an existing mapping.

Virtual Mappings and Reject On Unknown Recipient/LDAP Checks

When Virtual Mappings are used, the Reject on Unknown Recipient and LDAP Recipient lookups are not performed for the mapped addresses. This prevents those addresses from being rejected by eprism when the virtual mappings do not exist in an LDAP directory.

Adding a Virtual Mapping

Click the Add Virtual Mapping button to add a new mapping. Enter the domain or address to which incoming mail is directed in the Input box. Then enter the domain or address to which the mail should be redirected in the Output box.

Uploading Virtual Mapping Lists

A list of virtual mappings can also be uploaded in one text file. The file must contain comma or tab separated entries in the form:

    [map_in],[map_out]

For example:

    user@example.com,user

The file (virtmap.csv) should be created in CSV format using Excel, Notepad, or another Windows text editor. It is recommended that you download the current virtual mapping file first by clicking Download File, edit it as required, and upload it using the Upload File button.

The domain being virtually mapped or redirected must be defined via an "internal" DNS MX record that points to this eprism Security Gateway.

LDAP Virtual Mappings

Click the LDAP Virtual Mappings button to configure and search for virtual mappings using LDAP. This allows you to search LDAP-enabled directories such as Active Directory for virtual mappings. See LDAP Mappings on page 69 for more information on configuring LDAP virtual mappings.
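
The difference between the two mapping types in the Mail Mappings and Virtual Mappings sections above is easy to get wrong, so here is an added example (not eprism's own code) that applies both to constructed messages: mail mappings loaded from mailmapping.csv rows rewrite header addresses (To: and CC: inbound; From:, Reply-To: and Sender: outbound), while virtual mappings loaded from virtmap.csv rows rewrite only the envelope recipient and leave headers alone. The reading of the map_in/map_out columns (internal to external for "sender" rows, external to internal for "recipient" rows), the domain-wide wildcard row, the addresses and the function names are assumptions for the example. The last function shows the Mail Mapping Access Control check as a yes/no decision.

```python
import csv
from email import message_from_string
from email.utils import formataddr, getaddresses

# constructed mailmapping.csv rows: type,map_in,map_out,on/off. For "sender"
# rows map_in is the internal address and map_out the external form; for
# "recipient" rows map_in is the external address and map_out the internal
# mailbox (this reading of the columns is an assumption for the example).
MAILMAPPING_CSV = """sender,joe@chicago.example.com,joe@example.com,on
recipient,joe@example.com,joe@chicago.example.com,on
recipient,old@example.com,old@chicago.example.com,off
"""

# constructed virtmap.csv rows: map_in,map_out. An address row maps one
# mailbox; a bare domain row acts as the wildcard mapping the text describes.
VIRTMAP_CSV = """user@example.com,user@mail.example.com
example.com,mail.example.com
"""


def load_rows(text, ncols):
    """Parse comma separated rows with exactly ncols columns, lower-cased."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            row = [c.strip().lower() for c in next(csv.reader([line]))]
            if len(row) != ncols:
                raise ValueError("expected %d columns: %r" % (ncols, line))
            rows.append(row)
    return rows


def load_mail_mappings(text):
    """Return (inbound, outbound) lookup tables; rows set to "off" are skipped."""
    inbound, outbound = {}, {}
    for kind, map_in, map_out, enabled in load_rows(text, 4):
        if enabled != "on":
            continue
        (outbound if kind == "sender" else inbound)[map_in] = map_out
    return inbound, outbound


def load_virtual_mappings(text):
    return dict(load_rows(text, 2))


def rewrite_headers(msg, table, header_names):
    """Replace mapped addresses in the named headers, keeping display names."""
    for name in header_names:
        originals = msg.get_all(name)
        if not originals:
            continue
        rewritten = [formataddr((display, table.get(addr.lower(), addr)))
                     for display, addr in getaddresses(originals)]
        del msg[name]
        msg[name] = ", ".join(rewritten)
    return msg


def map_inbound(raw, inbound):
    """External -> internal: To: and CC: are rewritten."""
    return rewrite_headers(message_from_string(raw), inbound, ("To", "CC"))


def map_outbound(raw, outbound):
    """Internal -> external: From:, Reply-To: and Sender: are rewritten."""
    return rewrite_headers(message_from_string(raw), outbound,
                           ("From", "Reply-To", "Sender"))


def virtual_map(envelope_rcpt, vmap):
    """Rewrite only the envelope recipient; the message headers are untouched."""
    rcpt = envelope_rcpt.lower()
    local, _, domain = rcpt.partition("@")
    if rcpt in vmap:                      # exact address first ...
        return vmap[rcpt]
    if domain in vmap:                    # ... then the domain-wide wildcard
        return local + "@" + vmap[domain]
    return rcpt


def mapping_access_allowed(address, inbound, outbound, direction):
    """Mail Mapping Access Control: incoming mail needs a recipient mapping,
    outgoing mail needs a sender mapping, otherwise it is blocked."""
    table = inbound if direction == "incoming" else outbound
    return address.lower() in table
```

Note that virtual_map never touches the parsed message, which is exactly why the Virtual Mappings section says To: and From: are left alone; only the address the SMTP RCPT TO command carries changes.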

CHAPTER 4 Directory Services

This chapter describes how to integrate your existing LDAP directory services with eprism and contains the following topics:

    Directory Service Overview on page 60
    Directory Servers on page 61
    Directory Users and Groups on page 63
    LDAP Aliases on page 67
    LDAP Mappings on page 69
    LDAP Recipients on page 71
    LDAP Relay on page 73
    LDAP Routing on page 76

Directory Service Overview

eprism can use LDAP (Lightweight Directory Access Protocol) services to access directories (such as Active Directory, OpenLDAP, and iPlanet) for user and group information. LDAP can be used with eprism for mail routing, group lookups for policies, user lookups for mail delivery, alias and virtual mappings, and authentication.

LDAP was designed to provide a standard for efficient access to directory services using simple data queries. Most major directory services, such as Active Directory, support LDAP, but each differs in its interpretation and naming convention syntax. Other supported LDAP services include OpenLDAP and iPlanet.

Naming Conventions

Data in the directory service hierarchy is identified by a unique Distinguished Name. The following is an example of a Distinguished Name in Active Directory:

    cn=jsmith,dc=example,dc=com

In this example, "cn" represents the Common Name and "dc" the Domain Component. The user, jsmith, is in the users container. The domain component is analogous to the FQDN domain name, in this case example.com.

For all LDAP Directory features, you must ensure you enter values specific to your LDAP environment and schema.

Directory Servers

The first step in configuring Directory Services on eprism is to define and configure your Directory Servers. Select Basic Config > Directory Services > Servers on the menu to configure the LDAP servers used for eprism's LDAP functions, such as user and group membership lookups, authentication, and mail routing.

Click Add to configure a new LDAP server, or click Edit to modify an existing server:

Server URI
    Enter the server URI (Uniform Resource Identifier) of the LDAP server, beginning with ldap://. Use "ldaps:" if you are using SSL with the LDAP directory.

Label
    An optional label or alias for the LDAP server.

Type
    Select the type of LDAP server, such as Active Directory, or choose Others for OpenLDAP or iPlanet.

Bind
    Select this check box to bind to the LDAP server with the specified Bind DN and password.

Bind DN
    Enter the DN (Distinguished Name) of the user that binds to the LDAP server, such as cn=administrator,cn=users,dc=example,dc=com for Active Directory implementations. Ensure that you enter a bind DN specific to your environment. In Active Directory, if you are using a user account other than Administrator to bind to the LDAP server, the name must be specified as the full name, not the account name, such as "John Smith" instead of "jsmith".

Bind Password
    Enter the bind password for the LDAP server.

Search Base
    Specify a default starting point for lookups, such as dc=example,dc=com.

Timeout
    The maximum interval, in seconds, to wait for the search to complete.

Dereference Aliases
    Specifies how alias dereferencing is performed during a search:
    Never: Aliases are never dereferenced.
    Searching: Aliases are dereferenced in subordinates of the base object, but not in locating the base object of the search.
    Finding: Aliases are only dereferenced when locating the base object of the search.
    Always: Aliases are dereferenced both when searching and when locating the base object of the search.

Paged
    Select the check box to enable paging support for an Active Directory server. When querying an LDAP server, the information returned may contain thousands of entries and sub-entries. Paging allows LDAP information to be retrieved in more manageable sections and controls the rate at which data is returned.

Page Size
    Enter the number of entries per page for this Active Directory server. If this field is left blank, the default value of 1000 is used. The Page Size must match the size configured in the Active Directory server's LDAP query policy (default is 1000).

Click the Test button to test your LDAP settings and send a test query to the LDAP server. When finished, click the Apply button to add the LDAP server.

Directory Users and Groups

The Directory Users and Groups screen is used to import user account data from LDAP-based directory servers. This information provides LDAP lookups of valid addresses for the Reject on Unknown Recipient anti-spam option, and imports group membership information for policies. Local mirror accounts can also be created to allow directory-based users to view and manage quarantined mail for the Spam Quarantine feature.

Select Basic Config > Directory Services > Users and Groups to import users from a directory. Click the Add button to add a new directory user import configuration.

Directory Server
    Select a directory server to perform the search.

Search Base
    Enter the base point from which the search starts, such as dc=example,dc=com.

Scope
    Enter the scope of the search. Options are Base, One Level, and Subtree.
    Base: Searches the base object only.
    One Level: Searches objects beneath the base object, but excludes the base object.

    Subtree: Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.

Query Filter
    Enter the appropriate query filter, such as (|(objectcategory=group)(objectcategory=person)) for Active Directory LDAP implementations. If you use Exchange public folders for email, include (objectcategory=publicfolder) in your query filter, for example:

    (|(|(objectcategory=group)(objectcategory=person))(objectcategory=publicfolder))

    For iPlanet and OpenLDAP, use (objectclass=person).

Timeout
    The maximum interval, in seconds, to wait for the search to complete.

Result Attributes
    This section specifies the fields to return during the LDAP query. LDAP queries can return a lot of information that is not required; the Result Attributes restrict the returned data to what is needed.

    Email attribute: The name of the attribute that identifies the user's email address. For Active Directory, iPlanet, and OpenLDAP, use mail.
    Email alias attribute: The name of the attribute that identifies the user's alternate email addresses. In Active Directory, the default is proxyaddresses. For iPlanet, use . For OpenLDAP, leave this attribute blank.
    Member Of attribute: The name of the attribute that identifies the group(s) the user belongs to. This information is used for Policy controls. In Active Directory, the default is memberof (this is case sensitive). For iPlanet, use Member. For OpenLDAP, leave this blank.
    Account Name attribute: The name of the attribute that identifies a user's account name for login. In Active Directory, the default is samaccountname. For iPlanet, use uid. For OpenLDAP, use cn.

Click the Test button to test your LDAP settings. Click Apply when finished.

Import Settings

eprism can automatically import LDAP user data on a schedule, which keeps eprism synchronized with the LDAP directory. To import LDAP users and groups, click the Import Settings button on the Basic Config > Directory Services > Directory Users and Groups screen.

Import User Data
    Select the check box to enable automatic import of LDAP user data. Enabling automatic import ensures that the imported LDAP data remains current with the information on the LDAP directory server.

Frequency
    Select the frequency of LDAP imports: Hourly, Every 3 Hours, Daily, Weekly, or Monthly.

Start Time
    Specify the start time for the import in the format hh:mm, such as 23:00 to schedule an import at 11pm for the period specified in the Frequency field.

Click Apply to save the settings. Click Import Now to begin the import of users immediately. View the progress of LDAP imports via Status/Reporting > System Logs > Messages.

Mirror LDAP Accounts as Local Users

To provide local account access for the Spam Quarantine feature, you can mirror the LDAP accounts, which creates a local account on eprism for each imported user. This is a simple way to let directory-based users view and manage quarantined messages when the Spam Quarantine feature is enabled. These local mirror accounts cannot be used as local mail accounts; they can only be used for the Spam Quarantine. See Spam Quarantine on page 187 for more information on configuring the user-based Spam Quarantine.

To create mirrored LDAP users:

1. Select the Mirror accounts option.

2. Choose an Expiry period for the mirrored accounts. If a user no longer exists in the LDAP directory for the specified period of time, the local mirrored account is deleted. Note that this only applies to local mirrored accounts, not to accounts used for the Reject on Unknown Recipients feature.

3. Click Apply to save the settings. Click Import Now to begin the import of users and create mirrored accounts immediately. View the progress of LDAP imports via Status/Reporting > System Logs > Messages.

Mirrored accounts can be viewed via User Accounts > Mirrored Accounts on the menu.

LDAP Aliases

LDAP Aliases search LDAP-enabled directories for the mail aliases of a user. If an alias exists, a new mail message is created for the named address or addresses. This mail message is returned to the delivery process to be mapped, routed, and processed. LDAP Aliases have been tested with Active Directory only, and the examples shown are for Active Directory LDAP implementations. See Mail Aliases on page 53 for more information on Mail Aliases.

Select Basic Config > Directory Services > LDAP Aliases to configure LDAP Aliases. Click the Add button to add a new LDAP alias search.

Directory Server
    Select a directory server to perform the search.

Search Base
    Enter the base point from which the search starts, such as cn=users,dc=example,dc=com.

Scope
    Enter the scope of the search. Options are Base, One Level, and Subtree.
    Base: Searches the base object only.
    One Level: Searches objects beneath the base object, but excludes the base object.

    Subtree: Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.

Alias Attribute
    Enter the Alias Attribute that defines the alias mail addresses for a user, such as (proxyaddresses=smtp:%s@*) for Active Directory implementations.

Email Attribute
    Enter the attribute that returns the user's email address, such as mail for Active Directory implementations.

Timeout
    The maximum interval, in seconds, to wait for the search to complete.

Use the Test button to test the LDAP alias configuration. Click Apply to save the settings.

LDAP Mappings

LDAP mappings search LDAP-enabled directories for the virtual mappings of a user. Virtual Mappings redirect mail addressed to one domain to a different domain. This is done without modifying the To: and From: headers in the mail, because virtual mappings modify the envelope-recipient address. LDAP Virtual Mappings have been tested with Active Directory only, and the examples shown are for Active Directory LDAP implementations. See Virtual Mappings on page 57 for more information on Virtual Mappings.

Select Basic Config > Directory Services > LDAP Mapping to configure LDAP Virtual Mappings. Click the Add button to add a new LDAP Virtual Mapping search.

Directory Server
    Select a directory server to perform the search.

Search Base
    Enter the base point from which the search starts, such as cn=users,dc=example,dc=com.

Scope
    Enter the scope of the search. Options are Base, One Level, and Subtree.

    Base: Searches the base object only.
    One Level: Searches objects beneath the base object, but excludes the base object.
    Subtree: Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.

Incoming Address
    Enter the Incoming Address attribute that defines the virtual mapping for a user, such as (proxyaddresses=smtp:%s) for Active Directory implementations.

Email Attribute
    Enter the attribute that returns the user's email address, such as mail for Active Directory implementations.

Timeout
    The maximum interval, in seconds, to wait for the search to complete.

Use the Test button to test the LDAP virtual mapping configuration. Click Apply to save the settings.

LDAP Recipients

The LDAP Recipients feature is used in conjunction with the Reject on Unknown Recipient feature configured in Mail Delivery > Anti-Spam > Intercept. Reject on Unknown Recipient must be enabled for this feature to work. When a mail message is received by eprism, this feature searches an LDAP directory for the recipient's address. If that address does not exist in the LDAP directory, the mail is rejected.

This feature differs from the LDAP Users lookup option, which searches for a user in the imported, locally cached LDAP users database. The LDAP Recipients feature performs a direct lookup on a configured LDAP directory server for each address. If you use an Active Directory server, it is recommended that the LDAP Users function be used. If both LDAP Users and LDAP Recipients are enabled with Reject on Unknown Recipient, the system looks up the local and mirrored LDAP Users first, and then uses the direct query to an LDAP server.

Select Basic Config > Directory Services > LDAP Recipients on the menu to configure your LDAP recipient lookups. Click Add to add a new LDAP Recipients search.

Directory Server
    Select a directory server to perform the search. The directory server Bind password cannot contain a "$" character.

Search Base
    Enter the base point from which the search starts, such as cn=users,dc=example,dc=com.

Scope
    Enter the scope of the search. Options are Base, One Level, and Subtree.
    Base: Searches the base object only.
    One Level: Searches objects beneath the base object, but excludes the base object.
    Subtree: Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.

Query Filter
    Enter the Query Filter for the LDAP Recipients lookup, such as (&(objectclass=person)(mail=%s)) for Active Directory implementations. For OpenLDAP and iPlanet, use (&(objectclass=person)(uid=%s)).

Result Attribute
    Enter the attribute that returns the user's email address, such as mail for Active Directory implementations. For OpenLDAP and iPlanet, you can also use mail.

Timeout
    The maximum interval, in seconds, to wait for the search to complete.

Use the Test button to test the LDAP recipients configuration. Click Apply to save the settings.
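
The %s in the Query Filter above (and in the LDAP Aliases, LDAP Mappings and LDAP Relay filters) is filled with a value that arrives from outside, in this case the recipient address from the SMTP envelope, so the substitution has to be literal. The following added example (not eprism's code; the guide does not describe how the appliance performs the substitution) fills the documented filter (&(objectclass=person)(mail=%s)) in two ways and runs both against a few constructed directory entries with a deliberately small filter evaluator: with RFC 4515 escaping of the characters * ( ) \ and NUL, an address is matched only literally; without it, an address containing a wildcard matches every person entry, which would turn Reject on Unknown Recipient into accept-everything. The evaluator, entries and function names are assumptions for the example.

```python
import re

# Query Filter from the text; %s is replaced by the envelope recipient address
FILTER_TEMPLATE = "(&(objectclass=person)(mail=%s))"

# constructed directory entries standing in for the LDAP server's contents
DIRECTORY = [
    {"objectclass": "person", "mail": "jsmith@example.com", "samaccountname": "jsmith"},
    {"objectclass": "person", "mail": "mjones@example.com", "samaccountname": "mjones"},
    {"objectclass": "group", "mail": "sales@example.com"},
]


def escape_filter_value(value):
    """RFC 4515 escaping: the characters that change a filter's meaning become
    backslash-hex so the substituted address is matched literally."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_filter(template, value, escape=True):
    if template.count("%s") != 1:
        raise ValueError("template must contain exactly one %s")
    return template.replace("%s", escape_filter_value(value) if escape else value)


# A minimal filter evaluator: (&...), (|...) and (attr=value) with '*'
# wildcards, enough to compare the escaped and unescaped substitutions.
def _unescape(text):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def _value_matches(pattern, actual):
    # split on unescaped '*' first, then unescape each literal piece
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s filter" % op)
        return (op, children), i + 1
    j = s.find(")", i)
    if j < 0:
        raise ValueError("unterminated assertion")
    attr, _, val = s[i:j].partition("=")
    return ("=", attr.lower(), val), j + 1


def parse_filter(s):
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return node


def evaluate(node, entry):
    if node[0] == "&":
        return all(evaluate(c, entry) for c in node[1])
    if node[0] == "|":
        return any(evaluate(c, entry) for c in node[1])
    _, attr, pattern = node
    return attr in entry and _value_matches(pattern, entry[attr])


def lookup_recipient(address, result_attr="mail", escape=True):
    """Run the LDAP Recipients query for one address and return the Result
    Attribute of every matching entry (an empty list means: reject as unknown)."""
    node = parse_filter(build_filter(FILTER_TEMPLATE, address, escape))
    return [e[result_attr] for e in DIRECTORY if evaluate(node, e) and result_attr in e]
```

The unescaped call with a wildcard address returns both person entries while the escaped call returns none; escaping is what keeps the lookup answering the question the filter was written to ask.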

LDAP Relay

The LDAP SMTP Authenticated Relay feature allows authenticated clients to use this eprism as an external mail relay for sending mail. For example, you may have remote users who need to send mail via this eprism system. These client systems must authenticate to the system with a login and password before being allowed to relay mail. These accounts can be set up locally, but you can also use LDAP relay authentication to authenticate the user against an LDAP directory server.

Configuring LDAP Authenticated SMTP Relay

1. Select Mail Delivery > Mail Access on the menu.
2. Enable the Permit SMTP Authenticated Relay and LDAP Authenticated Relay check boxes.
3. Select Basic Config > Directory Services > LDAP Relay on the menu.

There are two ways to provide LDAP support for SMTP authentication: using Bind, or querying the LDAP server directly. The Bind method only works with Active Directory and iPlanet implementations. The Query Direct method only works with OpenLDAP.

Bind
    The Bind method uses the User ID and password and authenticates the user on a successful bind. The Query Filter must specify the User ID with a %s variable, such as (samaccountname=%s) for Active Directory. The Result Attribute must be a User ID attribute such as samaccountname. Enter values specific to your LDAP environment. For iPlanet, use uid=%s for the Query Filter and mail for the Result Attribute.

Query Directly
    The Query Direct method queries the LDAP server directly to authenticate a user ID and password. The Query Filter must specify the user ID, and the Result Attribute must specify the password. For OpenLDAP, use uid=%s for the Query Filter and userpassword for the Result Attribute.

For either method, the relay is refused if the LDAP server direct query or bind attempt fails for any reason, such as an invalid user name or password, a bad query, or the LDAP server not responding. The directory server Bind password cannot contain a "$" character.

Select a method, and then click Add to add an entry. You can only use one method, Bind or Query Direct, for all defined LDAP servers; you cannot use both at the same time.

Directory Server
    Select a directory server to perform the search.

Search Base
    The Search Base is derived from the Search Base setting in Basic Config > Directory Services > Servers. You must complete the Search Base string with information specific to your LDAP hierarchy, such as cn=users,dc=example,dc=com.

Scope
    Enter the scope of the search. Options are Base, One Level, and Subtree.
    Base: Searches the base object only.
    One Level: Searches objects beneath the base object, but excludes the base object.
    Subtree: Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.

Query Filter
    Enter the Query Filter for the LDAP lookup, such as (samaccountname=%s) for Active Directory implementations.

Result Attribute
    Enter the attribute that returns the user's account, such as samaccountname for Active Directory implementations.

Timeout
    The maximum interval, in seconds, to wait for the search to complete.

Use the Test button to test the LDAP relay configuration. Click Apply to save the settings.
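
As an added example (not eprism's own code), the following Python models the two LDAP Relay methods described on the previous page and the fields above, against a constructed in-memory directory that stands in for the LDAP server. Bind: the Query Filter (samaccountname=%s) finds the user's entry and the relay is granted only if a bind as that entry's DN with the supplied password succeeds. Query Direct: the filter (uid=%s) finds the entry and the Result Attribute userpassword is read and compared. Every failure path (unknown user, wrong password, bad query, server not responding, wrong result attribute) refuses the relay, as the text requires. The {SSHA} hash format and its verification are an assumption about how the OpenLDAP userpassword value is stored, not something the guide states; the FakeDirectory class, relay_allowed function and the jsmith entry are likewise constructed for the example.

```python
import base64
import hashlib
import hmac
import os


class DirectoryDown(Exception):
    """Raised when the stand-in LDAP server does not respond."""


def make_ssha(password, salt=None):
    """Produce an OpenLDAP-style {SSHA} userpassword value (assumed format)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(stored, password):
    if not isinstance(stored, str) or not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


class FakeDirectory:
    """Constructed stand-in for the LDAP server: equality search on one
    attribute, and a bind that checks the entry's own password."""

    def __init__(self, entries, available=True):
        self.entries, self.available = entries, available

    def search(self, attr, value):
        if not self.available:
            raise DirectoryDown()
        return [e for e in self.entries if e.get(attr, "").lower() == value.lower()]

    def bind(self, dn, password):
        if not self.available:
            raise DirectoryDown()
        entry = next((e for e in self.entries if e["dn"] == dn), None)
        return entry is not None and verify_ssha(entry.get("userpassword"), password)


def _filter_attribute(query_filter):
    """Accept only the documented (attr=%s) shape and return attr."""
    inner = query_filter.strip()
    if inner.startswith("(") and inner.endswith(")"):
        inner = inner[1:-1]
    attr, _, value = inner.partition("=")
    if not attr or value != "%s":
        raise ValueError("query filter must look like (attr=%s)")
    return attr.lower()


def relay_allowed(method, directory, query_filter, result_attr, user_id, password):
    """Decide whether an SMTP AUTH client may relay. Every failure path returns
    False: the relay is refused rather than falling open."""
    try:
        if not user_id or not password:
            return False
        hits = directory.search(_filter_attribute(query_filter), user_id)
        if len(hits) != 1:                    # unknown or ambiguous user ID
            return False
        entry = hits[0]
        if result_attr not in entry:
            return False
        if method == "bind":                  # Active Directory / iPlanet
            return directory.bind(entry["dn"], password)
        if method == "query":                 # OpenLDAP: compare the password attribute
            return verify_ssha(entry[result_attr], password)
        return False                          # unknown method
    except (DirectoryDown, ValueError):
        return False


# constructed directory content; the password is for the example only
USERS = FakeDirectory([
    {"dn": "cn=jsmith,cn=users,dc=example,dc=com", "samaccountname": "jsmith",
     "uid": "jsmith", "userpassword": make_ssha("correct horse", b"s4lt")},
])
```

The two methods differ in what the appliance's service account needs: Bind never reads a password attribute, while Query Direct only works if the bind account is allowed to read userpassword, which is why the page ties each method to particular directory products.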

LDAP Routing

LDAP mail routing allows the mail route for a recipient to be queried on a specified LDAP server. The destination mail server for that domain is returned and the message is then routed to that server. This is the preferred method of mail routing for organizations with a large number of domains. Any locally defined mail routes in Mail Delivery > Routing > Mail Routing are resolved before LDAP routing. LDAP routing has been tested only with iPlanet implementations, but the examples provided should work with OpenLDAP, depending on your LDAP schema.

Select Basic Config > Directory Services > LDAP Routing to configure your LDAP routing settings. Click Add to add a new LDAP route search.

Directory Server
    Select a directory server to perform the search.

Search Base
    The Search Base is derived from the Search Base setting in Basic Config > Directory Services > Servers. You must complete the Search Base string with information specific to your LDAP hierarchy, such as cn=users,dc=example,dc=com.

Scope
    Enter the scope of the search. Options are Base, One Level, and Subtree.
    Base: Searches the base object only.

    One Level: Searches objects beneath the base object, but excludes the base object.
    Subtree: Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.

Query Filter
    Enter the Query Filter that searches for the mail domain of a recipient, such as (&(cn=transport Map)(uid=%s)) for iPlanet implementations.

Result Attribute
    Enter the attribute that returns the domain's mail host, such as mailhost for iPlanet implementations.

Timeout
    The maximum interval, in seconds, to wait for the search to complete.

Use the Test button to test the LDAP routing configuration. Click Apply to save the settings.

CHAPTER 5 Mail Security and Encryption

This chapter describes how to configure the mail security features of your eprism Security Appliance and contains the following topics:

    SMTP Mail Access on page 80
    Anti-Virus on page 82
    Threat Outbreak Control on page 85
    External Message Encryption on page 90
    Encrypting Mail Delivery Sessions on page 94
    SSL Certificates on page 97

SMTP Mail Access

The Mail Access screen allows you to configure features that provide security when eprism is accepting mail during an SMTP connection. Select Mail Delivery > Mail Access to configure your SMTP mail access settings.

Specific Access Patterns: This feature can be used to search for patterns in a message for filtering during the SMTP connection. See Specific Access Patterns (SAP) on page 140 for detailed information on configuring these filters.

Pattern Based Message Filtering: Enable this option to use Pattern Based Message Filtering to reject or accept mail based on matches in the message envelope, header, or body. See Pattern Based Message Filtering (PBMF) on page 112 for detailed information on configuring Pattern Based Message Filters.

Maximum recipients per message: Set the maximum number of recipients accepted per message. A very large number of recipients means the message is more likely to be spam or bulk mail. The default is set to

Maximum recipients reject code: Allows administrators to define another error to return instead of the default "452 Error: too many recipients" error, such as permanently rejecting the connection with "554".

Maximum message size: Set the maximum message size that will be accepted by eprism. When attachments are sent with a message, the message size grows considerably due to the encoding methods used. The maximum message size should be set to accommodate attachments.

Maximum Unknown Recipients

Maximum Unknown recipients per message: This value determines how many unknown recipients are allowed in a message before it is rejected by eprism. A high number of unknown recipients indicates that the message is likely spam or a denial of service attempt.

Maximum Unknown recipients reject code: This value indicates the SMTP reject code to use when the maximum unknown recipients value is exceeded. This should be set to either 421 (temporary reject) or 554 (permanent reject).

SMTP Authenticated Relay

This feature allows authenticated clients to use eprism as an external mail relay for sending mail. For example, you may have remote users who need to send mail via this eprism system. Client systems must use a login and password to authenticate to the system before being allowed to relay mail. These accounts can be local or they can be authenticated via LDAP. Select Mail Delivery > Mail Access on the menu to enable SMTP Authenticated Relay.

LDAP SMTP Authentication

SMTP authentication can also be performed via an LDAP directory server. Select the check box to enable LDAP Authenticated Relay, and select the link to configure it. This feature can also be configured via Basic Config > Directory Services > LDAP Relay. See LDAP Relay on page 73 for detailed information on configuring LDAP Authenticated Relay.

SMTP Banner

The SMTP banner is exchanged during the HELO/EHLO session of an SMTP connection. This banner contains identifying information about your mail server, which can be used as reconnaissance for attacks against eprism. This option allows you to customize the SMTP banner and also remove eprism's hostname by using the Domain only option.

Anti-Virus

eprism provides an optional virus scanning service. When enabled, all messages (inbound and outbound) passing through the eprism Email Security Appliance can be scanned for viruses. eprism integrates the Kaspersky Anti-Virus engine, one of the highest rated virus scanning technologies in the world. Virus scanning is tightly integrated with the mail engine for maximum efficiency.

Viruses can be selectively blocked depending on whether they are found in inbound or outbound messages, and attachments are recursively disassembled to ensure that viruses cannot be concealed. When a virus-infected message is received, it can be rejected, deleted, quarantined, or the event can simply be logged. Quarantined messages may be viewed, forwarded, downloaded, or deleted. Quarantined messages can also be automatically deleted based on age.

By default, any attachments that cannot be opened and examined by the mail scanner because of password protection are quarantined. This feature prevents password-protected zip files that contain viruses or worms from being passed through the system.

Virus pattern files are automatically downloaded at regular intervals to ensure that they are always up to date. Notification messages can be sent to the sender, recipient, and mail administrator when an infected message is received.

Licensing Anti-Virus

Kaspersky Anti-Virus is a cost option. To enable virus scanning after the 30-day evaluation period, you must purchase and install a license for each system. See License Management on page 308 for more information on adding licenses.

Configuring Anti-Virus Scanning

Select Mail Delivery > Anti-Virus from the menu to configure virus scanning for both inbound and outbound directions.

Enable Kaspersky virus scanning: Enable or disable virus scanning by selecting the check box.

Treat as a Virus

Attachments resembling a known virus: Some types of attachments may resemble a known virus pattern and could contain malicious code. It is strongly recommended that you treat attachments with code that resembles a known virus as if they contained a virus.

Attachments containing unknown viral code: The anti-virus scanner can detect code that resembles the patterns of a virus. It is strongly recommended that you treat attachments containing suspected viral code as if they contained viruses.

Corrupt attachments: Corrupted attachments may not be processable by the anti-virus scanner and could contain viruses. It is strongly recommended that you treat corrupt attachments as if they contained viruses.

Password-protected attachments: Attachments protected by a password cannot be opened by the anti-virus scanner and could contain viruses. It is strongly recommended that you treat attachments that cannot be opened as if they contained viruses.

Attachments causing scan errors: Attachments that cause errors while being scanned by the anti-virus scanner may contain viruses. It is strongly recommended that you treat attachments that cause scanning errors as if they contained viruses.

Action: Configure the action to be performed for both inbound and outbound mail. Possible actions include:
Just log: Log the event and take no further action.

Reject mail: The message is rejected with notification to the sending system.
Quarantine mail: The message is placed into the administrative quarantine area.
Discard mail: The message is discarded without notification to the sending system.

Notification: A notification can be sent to the recipients and sender of a message, and also to the mail system administrator. Select the required check box for both inbound and outbound mail. In the Inbound Notification and Outbound Notification text boxes, customize the content of the response message.

Updating Pattern Files

Virus pattern files must be continuously updated to ensure that you are protected from new virus threats. The frequency of virus pattern file updates can be configured from the Virus Pattern Files section.

Update interval (mins): Select the time interval to configure how often to check for pattern file updates. Options include 15, 30, and 60 minutes.

Proxy: If you access the Internet through a proxy server, you must enter its hostname and port number, such as proxy.example.com:80, for updates to succeed.

Manual Update: Pattern files can be updated manually by clicking the Get Pattern Now button.

Status: Displays the date and time of the last update.

Threat Outbreak Control

The Threat Outbreak Control feature provides customers with zero-day protection against early virus outbreaks. For most virus attacks, the time from the moment the virus is released to the time a pattern file is available to protect against it can be several hours. During this period, mail recipients are vulnerable to potential threats. eprism's Threat Outbreak Controls can detect and take action against early virus outbreaks to contain the virus threat.

If a message is classified as containing a possible virus, the message can be quarantined, deleted, or the event can be logged. When an updated anti-virus pattern file is received, any quarantined files are re-scanned automatically. If a virus is detected with the new pattern file, the configured anti-virus action is performed on the message. If the hold period for a message in the quarantine expires and it has not been positively identified as a virus during that time, the configured "release" action is performed.

eprism examines incoming "untrusted" messages and looks for the following characteristics when deciding whether a message indicates an early virus threat:
The message is bulk (addressed to a large number of recipients) and contains an executable or common office document attachment (such as .doc). To detect the message as "Bulk", the Intercept Bulk Analysis feature must be enabled.
The message originates from an IP address that has recently sent viruses and contains an executable or common office document attachment. To detect whether the client has recently sent viruses, the Mail Anomalies feature and the Recent virus from Client option must be enabled.
The message originates from an IP address with a poor St. Bernard Security Network (BSN) reputation and contains an executable or common document attachment. To detect addresses with a poor reputation, the BSN feature must be enabled.
The anti-virus scanner detects attachments that resemble a known virus or contain unknown viral code.
The message was malformed, or was blocked by attachment control with the action set to "Discard" or "Reject".

The following table lists the types of executable files and common office document formats that are scanned by Threat Outbreak Control:

TABLE 1. Executable Files and Common Office Documents
Executable: .bat, .chm, .cmd, .com, .dll, .drv, .exe, .js, .jse, .nlm, .ovl, .pif, .scr, .shs, .sys, .vbe, .vbs, .vxd
Common Office Documents: .doc, .dot, .ppt, .wk1, .wks, .wp, .xls

Configuring Threat Outbreak Control

Select Mail Delivery > Outbreak Control on the menu to configure the Threat Outbreak Control feature.

Detection

The following options take effect when Threat Outbreak Control is enabled:

Action: Select the action to perform if a message is detected as having a possible virus:
Just Log: The message will be delivered and an entry added to the mail logs.
Reject mail: The message will be rejected with notification to the sender.

Quarantine mail: The message will be placed into the administrative quarantine area. These messages can be viewed and managed via Status/Reporting > Quarantine on the menu.
Discard mail: The message will be discarded without notification to the sender.

Hold Period: Enter the time period (in hours) for which to hold the message in the administrative quarantine area. The default hold period is 8 hours. In most cases, the Anti-Virus pattern files will be updated within 2-4 hours of a new virus being discovered. Configure enough time to allow the held files to be rescanned with updated anti-virus pattern files as they become available. If the Quarantine expiry period is set to a value less than the Hold Period, the expiry period takes precedence and the held message will be expired.

Notification: Select the users who will receive a notification if a message is detected as having a possible virus. Options include the "Recipients", the "Sender", and the "Administrator".

Notification Message: Enter the text for the automated notification message.

Anti-Virus Action: During the hold period, if a quarantined message is rescanned and determined to have a virus, the configured Anti-Virus action will be performed, as set in Mail Delivery > Anti-Virus. If the hold period expires and the message has been determined not to be infected with a virus, the "Release" action will be performed.

Release

The following options take effect for a quarantined message when its configured Hold Period has elapsed:

Action: Select the action to perform if the Hold Period has elapsed for a quarantined message:

Just Notify: A message will be sent to notify the specified users that the Hold Period for a quarantined message has elapsed without it being classified as a virus. The message will remain in the quarantine until released manually by the administrator.
Release mail: The message will be automatically released from the quarantine and delivered to the original recipients. Notifications can also be enabled to notify users when the message is released.

If the message was discarded or rejected by Attachment Control or Malformed Mail and was then quarantined by Threat Outbreak Control, the message will be discarded on release. The final action recorded will be Threat Outbreak Control and "Quarantine" because of a possible virus.

Notification: Select the users who will receive a notification if a message is released from the quarantine. Options include the "Recipients", the "Sender", and the "Administrator".

Notification Message: Enter the text for the automated notification message.

Threat Outbreak Reports and Logs

Threat Outbreak Control activity is displayed in eprism's reports, including the following information:
A summary of Threat Outbreak actions and the types of messages blocked, including the number of messages quarantined and released, and the number of malformed messages, virus-infected messages, and messages that contained a forbidden attachment.
A list of the top viruses caught, with the time and date when they were detected by Threat Outbreak Control and when they were detected by the Anti-Virus scanner.
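The detection characteristics, Table 1, and the hold, rescan and release rules from the Threat Outbreak Control section above, as an added simulation that is not eprism's own code. The message attributes, the quarantine expiry value and the sample messages are constructed for the demo.

```python
"""Added example, not eprism's own code: the Threat Outbreak Control decision and
the quarantine hold/rescan/release lifecycle described above, as a simulation.
Attribute names and the quarantine expiry value are assumptions for the demo."""
import os
from dataclasses import dataclass, field

# Table 1 from the page.
EXECUTABLE = {".bat", ".chm", ".cmd", ".com", ".dll", ".drv", ".exe", ".js", ".jse",
              ".nlm", ".ovl", ".pif", ".scr", ".shs", ".sys", ".vbe", ".vbs", ".vxd"}
OFFICE = {".doc", ".dot", ".ppt", ".wk1", ".wks", ".wp", ".xls"}


@dataclass
class Message:
    attachments: list                   # attachment file names
    trusted_source: bool = False        # only "untrusted" mail is examined
    bulk: bool = False                  # from Intercept Bulk Analysis
    client_recent_virus: bool = False   # Mail Anomalies: Recent virus from Client
    poor_bsn_reputation: bool = False   # St. Bernard Security Network reputation
    av_suspicious: bool = False         # resembles known virus / unknown viral code
    blocked_by_control: bool = False    # malformed, or Attachment Control Discard/Reject
    is_virus: bool = False              # ground truth, only revealed by a later pattern file


def has_risky_attachment(msg):
    return any(os.path.splitext(n.lower())[1] in EXECUTABLE | OFFICE for n in msg.attachments)


def outbreak_reasons(msg):
    """Characteristics that make a message a 'possible virus' (empty = deliver normally)."""
    if msg.trusted_source:
        return []
    risky = has_risky_attachment(msg)
    checks = [
        (msg.bulk and risky, "bulk with executable/office attachment"),
        (msg.client_recent_virus and risky, "client recently sent viruses"),
        (msg.poor_bsn_reputation and risky, "poor BSN reputation"),
        (msg.av_suspicious, "anti-virus heuristic match"),
        (msg.blocked_by_control, "malformed or blocked by attachment control"),
    ]
    return [reason for hit, reason in checks if hit]


@dataclass
class OutbreakQuarantine:
    hold_period_hours: int = 8            # Detection > Hold Period (page default)
    quarantine_expiry_hours: int = 72     # assumed quarantine expiry setting
    av_action: str = "Discard mail"       # Mail Delivery > Anti-Virus action
    release_action: str = "Release mail"  # Release > Action ("Just Notify" or "Release mail")
    held: dict = field(default_factory=dict)   # message id -> [message, hours held]

    def detect(self, msg_id, msg):
        """Detection step: quarantine on any outbreak characteristic, else deliver."""
        if not outbreak_reasons(msg):
            return "Deliver"
        self.held[msg_id] = [msg, 0]
        return "Quarantine mail"

    def pattern_update(self):
        """A new pattern file arrived: rescan held mail; positives get the AV action."""
        outcomes = {}
        for msg_id, (msg, _) in list(self.held.items()):
            if msg.is_virus:
                outcomes[msg_id] = self.av_action
                del self.held[msg_id]
        return outcomes

    def advance(self, hours):
        """Time passes: apply the Release action once a message's hold has elapsed."""
        outcomes = {}
        for msg_id, entry in list(self.held.items()):
            entry[1] += hours
            msg, held_for = entry
            if held_for >= min(self.hold_period_hours, self.quarantine_expiry_hours):
                if self.quarantine_expiry_hours < self.hold_period_hours:
                    outcomes[msg_id] = "Expired"         # expiry period takes precedence
                elif msg.blocked_by_control:
                    outcomes[msg_id] = "Discard mail"    # already discarded/rejected upstream
                elif self.release_action == "Release mail":
                    outcomes[msg_id] = "Release mail"
                else:
                    outcomes[msg_id] = "Just Notify"     # stays held until released manually
                    continue
                del self.held[msg_id]
        return outcomes


if __name__ == "__main__":
    q = OutbreakQuarantine()
    print(q.detect("a", Message(["invoice.exe"], bulk=True, is_virus=True)))
    print(q.detect("b", Message(["q3.xls"], poor_bsn_reputation=True)))
    print(q.pattern_update(), q.advance(8))
```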

The Top Virus List section also contains a column called Outbreak Control Number, indicating the number of viruses caught by Threat Outbreak Control.

In the Status/Reporting > Reporting > Mail History section, the disposition of messages caught by Threat Outbreak Control can be searched for based on the message status of "possible virus".

External Message Encryption

eprism provides integration with external email encryption servers to provide encryption and decryption functionality. Email encryption allows individual messages to be encrypted by a separate encryption server before being delivered to their destination by eprism. Incoming encrypted messages can also be sent to the encryption server to be decrypted before eprism accepts the message and delivers it to the intended recipient.

This integration allows organizations to ensure that encrypted messages are still processed by eprism for security issues, as well as being scanned for content and policy rules. Email encryption provides organizations with the ability to protect the privacy and confidentiality of their messages and also to conform to any regulatory compliance policies that require certain types of data to be encrypted before being sent out across the Internet.

Encryption and decryption can be performed for selected messages via filter rules on the eprism. A message filter can be created for specific sending email addresses, IP addresses and host names of specific SMTP servers, or for specific words located in the subject of a message, such as "Encrypt".

As mail is forwarded back and forth between eprism and the Encryption server, all mail statistics will include this additional delivery, and mail counts will be higher as a result.

Configuring eprism Message Encryption and Decryption

eprism can be set up to integrate with an existing encryption server using the following general steps:
1. Configure the Encryption server to integrate with eprism.
2. Create Mail Routes to the Encryption server on eprism.
3. Enable Encryption and Decryption on eprism.
4. Create Encryption rules on eprism to identify messages to be encrypted.

The Encryption server must be on the same network as eprism. Ensure they are communicating properly and can see each other on the network by using a utility such as ping.
Configuring the Encryption Server

The existing Encryption server must be set up to relay all mail to the eprism Email Security Appliance. Please see the documentation provided by your Encryption server vendor. In general, outbound and inbound proxies or mail routes must be configured on the Encryption server to ensure that messages are accepted from and passed back to eprism after being encrypted or decrypted.

Define Mail Routes for Encryption and Decryption

Mail routes to the Encryption server must be defined for both encrypting and decrypting messages. To ensure eprism knows where to route messages for encryption, create a mail route for the domains .encrypt_reroute and .decrypt_reroute to the address of the Encryption server.
1. Select Mail Delivery > Routing > Mail Routing to define mail routes.
2. Enter .encrypt_reroute as the Domain, and in the Route-to field, enter the address of the Encryption server. Similarly, create a route for .decrypt_reroute as the Domain, and in the Route-to field, enter the address of the Encryption server. The port and IP address may be different depending on the Encryption server configuration.

Enabling Encryption and Decryption on eprism
1. Select Mail Delivery > Encryption to configure your encryption settings.
2. Select the Active check box to enable the Encryption and Decryption actions as required.
3. Select an Action to perform on a message that is to be encrypted or decrypted. Select the Redirect to action to send the message to the Encryption server for encryption or decryption using the mail route specified in the Action Data field.
4. To reroute the message to the Encryption server using the Redirect to action, the Action Data must be set to the appropriate mail route for encryption and decryption. Enter encrypt_reroute or decrypt_reroute as the action data. These mail routes must be defined in Mail Delivery > Routing > Mail Routing to point to the Encryption server.
5. Select optional notifications to the Recipients, Sender, or Administrator when a message has been sent for encryption.

Defining Filter Rules for Encryption

A filter rule must be used to identify what types of messages are to be encrypted. For example, your organization may use a tag in the subject header, such as "Encrypt", which can be used to identify an outgoing message that must be encrypted. Specific email addresses and IP addresses can also be defined to ensure that certain users or servers have their email encrypted.

Encryption rules can be created using either Pattern Based Message Filters (PBMF) or definable dictionaries with the Objectionable Content Filtering and Attachment Scanning features. The latter features allow dictionaries with specific keywords and phrases to be used to trigger the encryption rules. See Message Content Scanning on page 101 for detailed instructions on configuring these features.

The filter rule examines outbound mail messages for specific patterns to redirect mail for encryption. This could be anything from a user's email address to a phrase. When setting up the filter rule, the only criterion is that the filter action is set to Encrypt or Decrypt.

To set up an encryption rule using Pattern Based Message Filters:
1. Select Mail Delivery > Content Management > Pattern Filters (PBMFs) to set up filters for encryption purposes.
2. Create a simple rule that checks all outbound mail for the word "Encrypt" in the subject, and set the action to Encrypt. The "Encrypt" and "Decrypt" PBMF actions only appear when Encryption and Decryption are enabled in Mail Delivery > Encryption.
3. A separate filter rule must be created to allow messages arriving from the Encryption server to be relayed. This action allows eprism to accept messages back from the Encryption server that have been encrypted and relay these messages to external networks. Create a rule to match the Client IP field to the address of the Encryption server, and set the action to Relay.
The filter rule that allows messages to be relayed back must have a higher priority than any Encryption rule that is created. Similarly, you must create a PBMF rule to examine incoming messages that need to be decrypted before being delivered to the recipient.
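Why the Relay rule has to outrank the Encrypt rule, as an added first-match simulation of the two PBMF rules from the steps above; this is not eprism's own code. The Encryption server address is a constructed documentation address, the mail route port is omitted, and the subject tag is assumed to survive encryption.

```python
"""Added example, not eprism's own code: a first-match simulation of the PBMF
rules from the steps above, showing why the Relay rule for mail returning from
the Encryption server must outrank the Encrypt rule.  The server address is a
constructed documentation address and the subject tag is assumed to survive
encryption."""
from dataclasses import dataclass

ENCRYPTION_SERVER_IP = "192.0.2.10"   # constructed (RFC 5737 documentation range)
MAIL_ROUTES = {                      # Mail Delivery > Routing > Mail Routing
    ".encrypt_reroute": ENCRYPTION_SERVER_IP,
    ".decrypt_reroute": ENCRYPTION_SERVER_IP,
}


@dataclass
class Msg:
    client_ip: str      # PBMF "Client IP" field: the SMTP client that handed us the message
    subject: str
    outbound: bool = True


def relay_from_encryption_server(m):
    """Step 3: accept mail back from the Encryption server and relay it onwards."""
    return "Relay" if m.client_ip == ENCRYPTION_SERVER_IP else None


def encrypt_tagged_subject(m):
    """Step 2: outbound mail tagged "Encrypt" in the subject goes for encryption."""
    return "Encrypt" if m.outbound and "encrypt" in m.subject.lower() else None


def apply_rules(m, rules):
    """PBMF semantics as used here: rules are tried in priority order, first match wins."""
    for rule in rules:
        action = rule(m)
        if action:
            return action
    return "Deliver"


def simulate(m, rules, max_hops=4):
    """Follow one message through eprism until it is delivered or relayed.
    Returns the sequence of actions; a trailing 'loop' means it never left."""
    trail = []
    for _ in range(max_hops):
        action = apply_rules(m, rules)
        trail.append(action)
        if action != "Encrypt":
            return trail
        # Redirect to .encrypt_reroute: the Encryption server encrypts the message and
        # hands it back, so on the next pass eprism sees the server as the SMTP client.
        m = Msg(client_ip=MAIL_ROUTES[".encrypt_reroute"], subject=m.subject, outbound=True)
    trail.append("loop")
    return trail


CORRECT_ORDER = [relay_from_encryption_server, encrypt_tagged_subject]  # Relay has higher priority
WRONG_ORDER = [encrypt_tagged_subject, relay_from_encryption_server]

if __name__ == "__main__":
    tagged = Msg("198.51.100.7", "[Encrypt] Q3 results")   # constructed internal client
    print("correct:", simulate(tagged, CORRECT_ORDER))
    print("wrong:  ", simulate(tagged, WRONG_ORDER))
```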

Encrypting Mail Delivery Sessions

eprism offers a simple mechanism for encrypting mail delivery using SSL (Secure Socket Layer) and TLS (Transport Layer Security) encryption. A flexible policy can be implemented to allow other servers and clients to establish encrypted sessions with eprism to send and receive mail. The following types of traffic can be encrypted:

Server to Server: Used to create an email VPN (Virtual Private Network) and protect company email over the Internet.
Client to Server: Many email clients, such as Outlook, support TLS for sending and receiving mail. This allows messages to be sent with complete confidentiality from desktop to desktop, but without the difficulties of implementing other encryption schemes.

Encryption can be enforced between particular systems, such as setting up an email VPN between two eprism Email Security Appliances at remote sites. Encryption can also be set as optional, so that users who are concerned about the confidentiality of their messages on the internal network can specify encryption in their mail client when it communicates with eprism.

eprism supports the use of certificates to initiate the negotiation of encryption keys. eprism can generate its own site certificates, and can also import Certificate Authority (CA) signed certificates. See SSL Certificates on page 97 for more information on importing certificates.

Configuring Mail Delivery Encryption

Select Mail Delivery > SMTP Security from the menu to enable delivery encryption.

Incoming TLS Mail

Accept TLS: Enable this option to accept SSL/TLS for incoming mail connections.

Require TLS for SMTP AUTH: This value is used to require SSL/TLS when accepting mail for authenticated relay. See SMTP Authenticated Relay on page 81 for more detailed information.

Log TLS info into Received header: Enable this option to log TLS information (including protocol, cipher used, and client and issuer common name) into the Received: message header. Note: These headers may be modified by intermediate servers, and only information recorded at the final destination is reliable.

Default TLS Policy

Offer TLS: Enable this option to offer remote mail servers the option of using SSL/TLS when sending mail.

Enforce TLS: Enabling this option requires the validation of a CA-signed certificate when delivering mail to a remote mail server. Failure to validate results in mail delivery failure.

Specific Site Policy

This option supports the specification of exceptions to the default settings for TLS/SSL. For example, you may need to exempt a mail server from using TLS/SSL because it lacks TLS support. To exempt a system, specify the IP Address or FQDN (Fully Qualified Domain Name) of the remote mail server in the Add/Update Site field. Select Don't Use TLS from the drop-down box and click the Update button. The exempted mail server will be listed under the Specific Site Policy. TLS options include the following:

Don't Use TLS: TLS mail delivery is never used with the specified system.
May Use TLS: Use TLS if the specified system supports it.
Enforce TLS: Deliver to the specified system only if a TLS connection with a valid CA-signed certificate can be established.
Loose TLS: Similar to Enforce TLS, but accepts a mismatch between the specified server name and the Common Name in the certificate.

TLS and Reporting

Report filters can be configured to display any messages that have been encrypted with SSL/TLS. Select Status/Reporting > Reporting > Report Filters, and select "SSL" in both the Encryption from Sender and Encryption to Recipient filters. The filters can be enabled when generating a report to display only SSL/TLS based messages.

The Mail History can also be filtered for SSL/TLS messages via Status/Reporting > Reporting > Mail History by selecting the "ssl" field in the drop-down search menu.

SSL Certificates

A valid SSL certificate is required to support the encryption services available on eprism. The SSL encrypted channel from the server to the web browser (such as when using a URL that begins with HTTPS) requires a valid digital certificate. You can use self-signed certificates generated by eprism, or import certificates purchased from commercial vendors such as Verisign.

A certificate binds a domain name to an IP address by means of the cryptographic signature of a trusted party. The web browser can warn you of invalid certificates that undermine secure, encrypted communications with a server. The disadvantage of self-signed certificates is that web browsers will display warnings that the "company" (in this case, the eprism Email Security Appliance) issuing the certificate is untrusted. When you purchase a commercial certificate, the browser will recognize the company that signed the certificate and will not generate these warning messages.

A web server digital certificate can only contain one domain name, such as server.example.com, and a limitation in the SSL protocol allows only one certificate per IP address. Some web browsers will display a warning message when trying to connect to any domain on the server that has a different domain name than the server name specified in the single certificate. Digital certificates eventually expire, are no longer valid after a certain period of time, and need to be renewed before the expiry date.

Install a commercial certificate on the eprism Email Security Appliance as follows:
1. Select Management > SSL Certificates on the menu.
2. Create a new certificate using the Generate a 'self-signed' certificate button.
3. Click Apply to reboot the system and install the new certificate.

4. After the reboot, the current certificate and the certificate request that was signed by the onboard Certificate Authority are displayed. To obtain a commercial certificate, send this certificate request information to the commercial Certificate Authority (CA) of your choice (such as Verisign, Entrust, and so on) for signing. Ensure that the certificate is an Apache type of certificate for a mail server.
5. When received from the CA, install the commercial certificate using the Load site certificate button.

SSL Certificate: Enter the PEM encoded certificate information from the signed SSL certificate returned by the CA by copying and pasting the appropriate text into the specified field.

Private Key: Select the Use this Private Key for SSL Certificate check box to use the supplied private key. Copy and paste the PEM encoded private key into the required field. Do not enable this option, and leave the field blank, if the certificate was generated from a request made by this eprism system.

Generating a new self-signed certificate after you have installed a commercial certificate will overwrite the private key associated with the installed commercial certificate, making it invalid.

Intermediate Certificate: Some commercial certificates require you to upload an intermediate certificate in addition to the commercial certificate and the private key. Enter this information into the Intermediate Certificate section.

CHAPTER 6 Message Content Scanning

This chapter describes how to configure the Attachment and Content scanning features of your eprism Email Security Appliance, and contains the following topics:
Content Scanning Overview on page 102
Attachment Control on page 103
Attachment Content Scanning on page 106
Objectionable Content Filter on page 110
Pattern Based Message Filtering (PBMF) on page 112
Malformed Mail on page 121
Dictionaries on page 123
Message Archiving on page

Content Scanning Overview

eprism's extensive content management capabilities allow administrators to scan messages and attachments to ensure that inappropriate and offensive material or sensitive documents are prevented from being transmitted inbound or outbound. eprism's advanced attachment content scanning performs deep scanning of attachments, such as PDF and document files, for patterns of text and phrases defined in a phrase file.

These content filtering and scanning features can also be used by the policy engine to allow organizations to create different content scanning policies for different sets of domains, groups, and users.

Select Mail Delivery > Content Management on the menu to configure the content control and scanning features.

Inbound Attachment Control: Filters inbound messages based on the type of attachment.
Outbound Attachment Control: Filters outbound messages based on the type of attachment.
Attachment Content Scanning: Performs deep content scanning on an attachment and filters the message based on a list of key words. Note: The advanced content scanning feature is a licensed feature.
Objectionable Content Filtering (OCF): The Objectionable Content Filter defines a list of key words that will cause a message to be blocked if any of those words appear in the message.
Pattern Based Message Filtering (PBMF): Reject or accept mail based on matches in the message envelope, header, and body.
Malformed Mail: Scans for malformed messages in incoming mail to protect against Denial of Service (DoS) attacks.

Attachment Control

Attachment filtering can be used to control a wide range of problems originating from both inbound and outbound attachments, including the following:
Viruses: Attachments carrying viruses can be blocked.
Offensive Content: eprism blocks the transfer of images, which reduces the possibility that an offensive picture will be transmitted to or from your company mail system.
Confidentiality: Prevents unauthorized documents from being transmitted through the eprism Email Security Appliance.
Loss of Productivity: Prevents your systems from being abused by employees.

Configuring Attachment Control

Select Mail Delivery > Content Management > Attachment Control to configure attachment filtering for inbound and outbound messages.

Default action: This value sets the default action for attachment control for items not specifically listed in the Attachment Types list. The default is Pass, which allows all attachments. Any file types defined in the Attachment Types list override the default setting.

Attachment Control: Enable the feature for inbound and outbound mail.

Attachment Types: Click Edit to configure the controls for each type of attachment.

Action: Select an action to perform. Options include:
Just log: Log the event and take no further action.

Reject mail: The message is rejected with notification to the sending system.
Quarantine mail: The message is placed into the administrative quarantine area.
Discard mail: The message is discarded without notification to the sending system.

Notification: Notifications for inbound and outbound messages can be enabled for all recipients, the sender, and the administrator. Administrators can customize the content of the Inbound and Outbound notifications.

Editing Attachment Types

Click the Edit button to edit your attachment types. You can add file extensions (.mp3) or MIME content types (image/png). For each attachment type, choose whether you want to Block or Pass the attachment. Select the Scan check box to perform content scanning for attachments with the specified extension. Click the Add Extension button to add a file extension or MIME type to the list.

- Extension: Enter a specific attachment type extension or MIME type, such as ".mp3" or "image/png".
- Scan: Select this option to perform content scanning for attachments with the specified extension. The system can scan files within an archive file (such as .zip) for forbidden attachments. The attachment will still be checked for viruses (if anti-virus scanning is enabled) if the Scan option is deselected.

If an archive file, such as .zip, contains a file type that is blocked, the archive file will be blocked, even if it is set to Pass. Disable the Scan option if you do not want to scan the content of the archive file. Anti-Virus scanning must be enabled to allow archive files to be decompressed and checked for forbidden attachments.
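The archive rule above (a blocked member blocks an archive whose own type is set to Pass) is the part of Attachment Control most worth seeing worked through, so here is the decision logic as an added illustration; it is not eprism's code, and the rule table, the default action and the nesting limit are constructed assumptions.

```python
"""Attachment Control decision logic: extension or MIME type lookup, the
Default action, and the Scan option that looks inside archives such as .zip.

Constructed illustration, not eprism code. The rule table, the default
action and the archive nesting limit are assumptions made for this example.
"""
import io
import mimetypes
import zipfile
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

BLOCK, PASS = "BLOCK", "Pass"
MAX_ARCHIVE_DEPTH = 3  # assumption: refuse archives nested deeper than this


@dataclass(frozen=True)
class AttachmentRule:
    action: str         # BLOCK or Pass
    scan: bool = False  # Scan check box: look inside archives of this type


# Constructed sample of the Attachment Types list (not the appliance defaults).
ATTACHMENT_TYPES: Dict[str, AttachmentRule] = {
    ".exe": AttachmentRule(BLOCK),
    ".mp3": AttachmentRule(BLOCK),
    "image/png": AttachmentRule(BLOCK),
    ".zip": AttachmentRule(PASS, scan=True),
    ".docx": AttachmentRule(PASS),
}
DEFAULT_ACTION = PASS  # Default action for types not in the list


def lookup(filename: str, content_type: Optional[str] = None) -> AttachmentRule:
    """Match by file extension first, then by MIME type, else use the default."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext in ATTACHMENT_TYPES:
        return ATTACHMENT_TYPES[ext]
    ctype = content_type or mimetypes.guess_type(filename)[0]
    if ctype in ATTACHMENT_TYPES:
        return ATTACHMENT_TYPES[ctype]
    return AttachmentRule(DEFAULT_ACTION)


def decide(filename: str, data: bytes, content_type: Optional[str] = None,
           depth: int = 0) -> Tuple[str, str]:
    """Return (action, reason). A scanned archive is blocked when any member is
    blocked, even though the archive type itself is set to Pass."""
    rule = lookup(filename, content_type)
    if rule.action == BLOCK:
        return BLOCK, f"{filename}: type is blocked"
    if rule.scan and zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_ARCHIVE_DEPTH:
            return BLOCK, f"{filename}: archive nested too deeply to scan"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.endswith("/"):
                    continue  # directory entry, nothing to check
                # Members are decided with the same table; nested archives recurse.
                action, reason = decide(member, zf.read(member), depth=depth + 1)
                if action == BLOCK:
                    return BLOCK, f"{filename}: blocked member ({reason})"
    return PASS, f"{filename}: passed"


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip file (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()
```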

Attachment Content Scanning

eprism's Attachment Content Scanning feature performs deep scanning of attachments, such as PDF and Microsoft document files, for patterns of text and phrases. This allows organizations to use filter rules and policy settings to scan attachments for specific content that could be considered offensive, private and confidential, or against existing compliance rules.

There are two methods for content scanning of message attachments:

- Text and phrases are searched for in a document using a Pattern-Based Message Filter (PBMF), and the appropriate PBMF action is performed if there is a match.
- eprism searches the extracted message text for words contained in uploaded compliance files defined via a policy and performs the configured action if there is a match.

Attachment Content Scanning is a licensed feature and requires a license key to work after an initial 30 day evaluation period.

Unopenable Attachments

The following cases of unopenable documents will result in an attachment being flagged as a compliance violation if the "Treat unopenable documents as compliancy violations" setting is enabled:

- Files that are larger than 1 GB
- File types that are not recognized by the scanner
- Files that take longer than one minute to scan
- Malformed or virus-infected attachments

Configuring Attachment Content Scanning

Select Mail Delivery > Content Management > Attachment Scanning to configure your attachment content scanning options.

- Enable: Select the check box to enable attachment content scanning.
- Treat unopenable documents as compliancy violations: Attachments that are protected by a password or encrypted may contain text that is a compliance violation. Enable this feature to treat unopenable documents as though they were not compliant. Files over 1 GB in size will not be scanned and are classified as non-compliant.

- Phrase length: This field specifies the length of phrases used for pattern-matching checks. This number of words will be passed to the scanning engine to check whether it matches any phrases in your compliance file. Long phrases result in greater processing times; it is recommended that phrases be four words or less. The phrase length of the compliance dictionary selected for Attachment Content Scanning should not be greater than the phrase length selected in this field.
- File Types: Select the types of files to be scanned:
  - All Supported Formats: Scans all file formats supported by the content scanner.
  - Common Document Formats: Scans only common word processing, spreadsheet, database, presentation, text, and archive formats.
  - Standard Document Formats: Scans common document formats (word processing, spreadsheet, database, presentation, text, and archive files) as well as less common formats such as graphics and desktop publishing formats.
- Punctuation treatment: Select how the scanning engine should treat punctuation.
  - Significant: The punctuation is considered part of the word or phrase it appears in.
  - Treat as space: The punctuation is treated as a space. For example, the phrase "This, is classified" is treated as "This is classified". This is the default setting.
  - Ignore: The punctuation is completely ignored.
- Case sensitivity: Select how the scanning engine treats case. If Sensitive is chosen, the capitalization of letters is taken into account. For example, the word "Classified" must appear in the phrase compliance file with the capitalized first letter.
- Notifications: Notifications for inbound and outbound messages can be enabled for all recipients, the sender, and the administrator. Enter the content for the notification message. See Customizing Notification and Annotation Messages on page 371 for information on variables such as %SENDER% and %RECIPIENT%.

The compliance status of messages can be searched in the mail history database via Status/Reporting > Reporting > Mail History > Advanced on the menu.

Using Pattern Based Message Filters for Attachment Scanning

One of the methods that can be used to search for compliance text within a file is to create a Pattern Based Message Filter (PBMF). Create a pattern filter as follows:

1. Select Mail Delivery > Content Management > Pattern Filters (PBMF) to define a filter for attachment scanning.
2. Click Add.
3. In the Apply To field, select whether you want to check Inbound, Outbound, or All Mail.
4. In the Message Part field, select Attachment Content. Selecting Attachment Content will scan the entire message, including the header, body, and any attachment, for matching content.
5. In the Pattern field, enter a pattern to match against.
6. Select the Action to perform on a message that contains the pattern text, such as Reject.
7. Click Apply to add the filter.

Attachment Scanning via Policy Compliancy File

Attachment scanning can also be performed via Policies with a compliance file uploaded and enabled. The compliance file contains a list of words and phrases that can be matched against text contained in scanned attachment files. In the specified policy, accessed via Mail Delivery > Policy, enable Attachment Scanning and select the corresponding phrase file to be used with that policy. Custom phrase files are uploaded via Mail Delivery > Content Management > Dictionaries.

The phrase length of the compliance dictionary selected for Attachment Content Scanning should not be greater than the phrase length selected in the Attachment Content Scanning configuration. See Dictionaries on page 123 for more detailed information on uploading custom dictionary files.

Objectionable Content Filter

The Objectionable Content Filter (OCF) defines a list of key words that will cause a message to be blocked if any of those words appear in the message. The Objectionable Content Filter provides enhanced content filtering functionality and flexibility, allowing users to restrict content of any form, including objectionable words or phrases and offensive content. The predefined lists provided are configurable and can be updated and customized to meet the specific needs of any organization. Rules can also be applied to both inbound and outbound messages, preventing unwanted content from entering an organization and prohibiting the release of sensitive content outside an organization.

OCF words can be extracted from messages that disguise the words with certain techniques. For example, OCF will detect the word "spam" even if it is disguised as "sp@m" or "s_p_a_m", using the advanced token recognition component of eprism's Token Analysis feature.

OCF has a maximum of 35 characters for a word. OCF does not detect plurals of words; both plural and singular word forms need to be defined in the dictionaries.

Select Mail Delivery > Content Management > Objectionable Content on the menu to configure the objectionable content filter.

- Enable OCF: Select the check box to enable OCF.
- Logging: Set the type of logging to perform for OCF processing. This information will appear in the Mail Transport log.
  - No Logging: No OCF logging will be performed.
  - First match only: Log the first word that was matched by the filter.
  - All matches: Log all words that were matched by the filter.

- Phrase Files: Select the type of phrase file to use with OCF. The Weak OCF phrase file contains a small list of common objectionable words and phrases. Moderate and Strong OCF include larger lists of words and phrases that are considered offensive. Organizations can create their own OCF phrase files via the Mail Delivery > Content Management > Dictionaries feature. These may include words and phrases specific to an organization that need to be blocked. The OCF dictionaries contain content that is of a vulgar nature; the pre-defined dictionaries should be viewed with caution as they contain words and phrases that may be offensive.
- Action: Set actions for both inbound and outbound messages. The following actions can be set:
  - Just log: Log the event and take no further action.
  - Reject mail: The message is rejected with notification to the sending system.
  - Quarantine mail: The message is placed into quarantine.
  - Discard mail: The message is discarded without notification to the sending system.
  - Encrypt: Redirects the message to the Encryption server specified in the Mail Delivery > Encryption menu.
  - Decrypt: Redirects the message to the Decryption server specified in the Mail Delivery > Encryption menu.
- Notifications: Notifications for inbound and outbound messages can be enabled for all recipients, the sender, and the administrator. The content of the Inbound and Outbound notifications can be customized. See Customizing Notification and Annotation Messages on page 371 for a full list of system variables that can be used in the notification.

Pattern Based Message Filtering (PBMF)

Pattern Based Message Filtering is the primary tool for creating filter rules on the eprism. PBMFs are used for:

- Trusting and blocking messages containing certain text or characteristics
- Creating content filter rules for managing messages

An administrator can create filter rules for any aspect of an email message, including the message header, sender, recipient, subject, attachment content, and message body text. For example, administrators can create a simple text filter that checks messages for the word "FREE" in the subject. This filter rule is helpful in correcting disadvantages in the other spam filters.

Specific Access Patterns should be used to trust specific servers to bypass BSN, DNSBL, and other checks, because PBMFs may bypass or interfere with certain content filters, such as Content Scanning and OCF, that occur later in eprism's processing order.

Message Structure

The following is an example of a typical mail message:

Message Envelope

The information in the message envelope, such as HELO, MAIL FROM, and RCPT TO, consists of parameters not visible to the user. They are the "handshake" part of the SMTP protocol. You will need to look for these in the transport logs or have other knowledge of them.

Message Header

The message header includes the following fields:

- Received from: Indicates the final path that the message followed to get to its destination. It arrived from "mail.example.com", which delivered it to "server.example.com" to be put in the mailbox of
- Received by: This indicates a previous "hop" that the message followed. In this case, the message came via "mail.example.com", which accepted the message addressed to "user@example.com".
- Delivered-To: The user to be delivered to, in this case "user@example.com".
- Received from: This marks the origin of the message. Note that it is not necessarily the same as the actual system that originated the message.
- Subject: This is a free-form field displayed by a typical mail client.
- To: This is a free-form field displayed by a typical mail client. It may be different from the destination address in the Received headers or from the actual recipient.
- From: This is a free-form field displayed by a typical mail client. It may be different from the From address in the Received headers. It is typically faked by spammers.
- Message-ID: This is added by the mail server and is often faked by spammers.

Other header fields include Reply-to, Sender, and so on. These fields can be forged by spammers because they do not affect how the mail is delivered.

Message Body

Following the header is the text or content of the message. This content can be formatted or encoded in many different ways, but in this example it is displayed as plain text.

Message Attachment

Many emails contain attachments to the main message. eprism has the ability to decode attachments to match text found within an attachment using a filter rule.

Default Pattern Based Message Filters

Several default Pattern Based Message Filters (PBMF) have been preconfigured to ensure that mail is not trained in the following situations:

- Outbound Mail To: Contains
- All Mail Subject: Contains "[SPAM]"
- All Mail Subject: Contains "[MAYBE SPAM]"
- All Mail Subject: Contains "Spam summary for"
- All Mail Subject: Contains "Delayed Mail"
- All Mail Subject: Contains "Delivery Status Notification"
- All Mail Subject: Contains "Delivery Failure Notification"
- All Mail Subject: Contains "Undelivered Mail Returned to Sender"
- All Mail Subject: Contains "AutoReply"
- All Mail Subject: Contains "Returned Mail:"
- All Mail From: Contains + domain
- All Mail From: Contains + domain

These rules help prevent misconfiguration of the Token Analysis database by ensuring that forwarded spam messages, delivery notifications, automatic replies, and system messages are not trained. Spam messages should never be forwarded within an organization, as this will also misconfigure the Token Analysis training database.

The default St. Bernard PBMF rules can be edited or removed by the administrator via Mail Delivery > Content Management > Pattern Filters (PBMF) on the menu. All St. Bernard rules can be deleted using the Remove Default PBMFs button in the PBMF edit view. Additional "postmaster" and "MAILER-DAEMON" PBMFs need to be created for organizations supporting multiple domains.

Configuring Pattern Based Message Filtering

Select Mail Delivery > Content Management, and then select Pattern Filters (PBMF) on the menu. The pre-defined PBMF rules are provided as examples of how rules are to be created and can be deleted if not needed without any repercussions.

Click the Add button to add a new pattern to the filter list. Select the direction of mail for the PBMF rule in the Apply To field, such as All Mail, Inbound, or Outbound, depending on your requirements.

- All Mail: Mail destined for any domain.
- Inbound mail: Any mail that is destined to a domain that the eprism is configured to accept mail for. This will be any domain listed in the Mail Routing table in Mail Delivery > Routing > Mail Routing.
- Outbound mail: Mail destined to any domain that the eprism is not configured to accept mail for (every domain other than those configured in Mail Routing).

"Trusted" mail has no bearing on the Inbound/Outbound relationship.

Select the Message Part you want to filter on. eprism allows you to filter on the following parameters:

Message Envelope Parameters

These parameters will not be visible to the user. They are the "handshake" part of the SMTP protocol. You will need to look for these in the transport logs or have other knowledge of them.

- <<Mail Envelope>>: This parameter allows for a match on any part of the message envelope, which includes the HELO, Client IP, and Client Host.
- HELO: This field is easily faked and is not recommended for use in spam control. It may be useful in trusting a source of mail. Example: mail.example.com.

- Client IP: This field will be accurately reported and may be reliably used for both blocking and trusting. It is the IP address of the system initiating the SMTP connection. Example:
- Client Host: This field will be accurately reported and may be reliably used for both blocking and trusting. Example: mail.example.com.

The following envelope parameters (Envelope Addr, Envelope To, and Envelope From) may be visible if your client supports reading the message source. They can also be found in the transport logs. Other header fields may be visible as supported by the mail client.

- Envelope Addr: This matches on either the Envelope To or Envelope From. These fields are easily faked and are not recommended for use in spam control. They may be useful in trusting a source of mail. Example: fred@example.com.
- Envelope To: This field is easily faked and is not recommended for use in spam control. It may be useful in trusting a source of mail. Example: fred@example.com.
- Envelope From: This field is easily faked and is not recommended for use in spam control. It may be useful in trusting a source of mail. Example: fred@example.com.

Message Header Parameters

Spammers will typically enter false information into these fields, except for the Subject field, and they are usually not useful in controlling spam. These fields may be useful in trusting certain users or legitimate sources of email.

- <<Mail Header>>: This parameter allows for a match on any part of the message header.
- <<Recipient>>: This parameter matches the To: or CC: fields.
- CC:
- From:
- Message-ID:
- Received:
- Reply-to:
- Sender:
- Subject:
- To:

There are other header fields that are commonly used, such as List-ID, as well as those added by local mail systems and clients. You must use Regular Expressions (described below) to specify these.

Message Body Parameters

- <<Raw Mail Body>>: This parameter allows for a match on any part of the encoded message body. This encoded content includes Base64, MIME, and HTML. Since messages are not decoded, a simple text match may not work. Use <<Mail Content>> for text matching on the decoded content.
- <<Mail Content>>: This parameter allows for a match on the visible decoded message body.

- STA (Token Analysis) Token: Bulk Analysis tokens can also be selected for pattern based message filters. This allows you to match patterns for common spam words that could be hidden or disguised with fake or invisible HTML text comments, which would not be caught by a normal pattern filter. For example, Token Analysis extracts the token "viagra" from the text "vi<spam>ag<spam>ra" and "v.i.a.g.r.a.".
- Attachment Scanning: Pattern based message filters can be defined to match the content of an entire mail message, including attachments. This type of PBMF is used with the Attachment Content Scanning feature. See Attachment Content Scanning on page 106 for more information on scanning attachments.

Match Option

Matching looks for the specified text in each line. You can specify one of the following:

- Contains: Looks for the text to be contained in a line or field. This allows for spaces or other characters that may make an exact match fail.
- Ends with: Looks for the text at the end of the line or field (no characters, spaces, and so on between the text and the non-printed end-of-line character).
- Matches: The entire line or field must match the text.
- Starts with: Looks for the text at the start of the line or field (no characters between the text and the start of the line).
- Reg Exp: Enter a regular expression to match the text.

Pattern

Enter a text pattern (case insensitive) to search for in the message. You may also use Regular Expressions, which allow you to specify match rules in a more flexible and granular way. They are based on the standard POSIX specification for Regular Expressions. For example, to search for a "blank" message field, use the following regular expression:

^subject:[[:blank:]]*$

Although the Regular Expression feature is supported, St. Bernard cannot help with devising or debugging Regular Expressions because they have an infinite variety and can be very complex. Using Regular Expressions is not recommended unless you have advanced knowledge of their use.

Priority

Select a priority for the filter (High, Medium, Low). The entire message is read before making the decision. If a message matches multiple filters, the filter with the highest priority will be used. If more than one matched filter has the highest priority, the filter with the strongest action will be used, in order from strongest to weakest (Bypass, Reject, Discard, Quarantine, Certainly Spam, Archive, Redirect, Trust, Relay, Accept, Just log). Discard, Quarantine, and Redirect are actions available when creating a custom PBMF action in the PBMF preferences screen. If more than one matched rule has the highest priority and the strongest action, then the filter with the highest rule number will be used.

Action

When a rule has been triggered, the specified action is performed:

- Bypass: Allow this message to bypass all Intercept anti-spam and Content Management (Attachment Control, Malformed Message, and OCF) processing. This action will override other PBMF actions for the same priority. This action does not bypass Anti-Virus scanning.
- Trust: This mail is considered trusted and from a legitimate source. This message will not be processed for spam.
- Reject: Mail is received, then rejected before the close of the SMTP session. The message is trained as spam if "Train" is also selected.
- Relay: Relay is enabled for this mail, and the message is considered trusted for anti-spam scanning purposes. The message is trained as legitimate mail if "Train" is also selected.
- Accept: Mail is accepted and delivered as per normal operation. The message is trained as legitimate mail if "Train" is also selected.
- Certainly Spam: Mail is received, trained as spam, and then the Intercept action for "Certainly Spam" is applied.
- Just Log: Take no action, but log the occurrence. "Just Log" can be used to override other lower priority PBMFs to test the effect of PBMFs without an action taking place.
- BCC: Send a blind carbon copy of the mail to the mail address specified in Action Data. This option only appears if you have a BCC address set up in the Preferences section.
- Do Not Train: Do not use the message for Token Analysis training purposes.

Configurable Actions

There are several configurable actions that can be defined by the administrator by clicking the Preferences button. When defined, these actions will appear in this list.

- Encrypt: Redirects the message to the Encryption server specified in the Mail Delivery > Encryption menu.
- Decrypt: Redirects the message to the Decryption server specified in the Mail Delivery > Encryption menu.
- Archive (High, Medium, Low): Redirects the message to an archiving server specified in the Mail Delivery > Archiving menu.

The "Relay" or "Trust" action can only be used with an Envelope message part because attempted relays must be rejected immediately after the envelope transaction.

Upload and Download of PBMF Rules

You can create a list of PBMF rules and upload them together in one file. The file must contain comma or tab separated entries in the form:

[Section],[type],[pattern],[action],[sequence(priority)],[rulenumber],[direction],[options]

For example:

to:,contains,friend@example.com,reject,medium,1,both,on

The Options field is used for the "Do-Not-Train" option. The value can be "on" or blank. If the field is blank, a "Reject" action will be considered "Reject+Train". The file (pbmf.csv) should be created in CSV file format using Excel, Notepad, or another Windows text editor. It is recommended that you download the PBMF file first by clicking Download File, edit it as required, and upload it using the Upload File button.

PBMF Preferences

Select the Preferences button to define configurable PBMF actions and customize notifications.

- PBMF BCC Action: This is used in conjunction with the BCC PBMF action to define an address to send a blind carbon copy of the message to.
- PBMF Action: Administrators can define up to six customized actions that can be used for PBMF filters. When an action has been defined and activated, it will appear in the list of actions when creating a PBMF rule.
  - Active: Select the check box to activate this action.
  - Action Name: Enter a descriptive name for this customized action.
  - Action: The action can be one of the following:
    - Reject: The mail will not be accepted, and the connecting mail server is forced to return it.

    - Discard: The mail will be dropped with no notification.
    - Quarantine: The mail will be put into the administrative quarantine area. The quarantine can be accessed via Status/Reporting > Quarantine on the menu.
    - Certainly Spam: Mail is received, trained as spam, and then the Intercept action for "Certainly Spam" is applied.
    - Redirect to: The message will be delivered to the mail address specified in the Action Data field.
    - Accept: Mail is accepted and delivered as per normal operation.
    - BCC: The message will be copied to the mail address specified in the Action Data field.
  - Do Not Train: Select the check box to ensure that when this action is triggered, the message will not be trained as spam.
  - Action data: For the "Redirect To" action, send the message to a mailbox such as "spam@example.com". You can also specify a domain such as "spam.example.com". For BCC, enter an address to send a blind carbon copy of the message to.
- Notification: Notifications can be enabled for all recipients, the sender, and the administrator. The content of the notification message can be customized.
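The Match Options, the Priority tie-breaking rules and the pbmf.csv upload format described in the preceding pages interact, so here they are worked through together as an added illustration; this is not eprism's code. It assumes that Section values are header names such as "to:" or the tokens <<recipient>>, <<mail header>> and <<mail content>>, that "archive high/medium/low" rank as Archive, and it uses Python's re module in place of the appliance's POSIX regular expressions.

```python
"""PBMF rule evaluation: upload file format, Match Options, and the
priority / action-strength / rule-number selection rules.
Constructed illustration, not eprism code (assumptions noted inline)."""
import csv
import email
import re
from dataclasses import dataclass
from email import policy
from typing import List, Optional

# Action strength, strongest first, as listed under Priority.
ACTION_ORDER = ["bypass", "reject", "discard", "quarantine", "certainly spam",
                "archive", "redirect", "trust", "relay", "accept", "just log"]
PRIORITY_RANK = {"high": 3, "medium": 2, "low": 1}
MATCHERS = {  # plain patterns are compared case-insensitively (both sides lowered)
    "contains": lambda v, p: p in v,
    "starts with": lambda v, p: v.startswith(p),
    "ends with": lambda v, p: v.endswith(p),
    "matches": lambda v, p: v == p,
}


@dataclass
class Rule:
    section: str        # assumption: "subject:", "to:", "<<recipient>>", ...
    match_type: str     # contains | starts with | ends with | matches | reg exp
    pattern: str
    action: str
    priority: str       # high | medium | low
    rule_number: int
    direction: str      # both | inbound | outbound
    do_not_train: bool  # Options field "on"; blank means e.g. Reject+Train


def parse_pbmf_csv(text: str) -> List[Rule]:
    """Parse [Section],[type],[pattern],[action],[priority],[rulenumber],[direction],[options]."""
    rules = []
    for row in csv.reader(line for line in text.splitlines() if line.strip()):
        section, mtype, pattern, action, prio, num, direction, opts = (f.strip() for f in row)
        rules.append(Rule(section.lower(), mtype.lower(), pattern, action.lower(),
                          prio.lower(), int(num), direction.lower(), opts.lower() == "on"))
    return rules


def field_matches(rule: Rule, line: str) -> bool:
    """Apply the Match Option to one line or field."""
    if rule.match_type == "reg exp":  # Python re here; the appliance uses POSIX syntax
        return re.search(rule.pattern, line, re.IGNORECASE) is not None
    return MATCHERS[rule.match_type](line.lower(), rule.pattern.lower())


def candidate_lines(rule: Rule, msg) -> List[str]:
    """Collect the lines or fields that the rule's Section applies to."""
    if rule.section == "<<recipient>>":        # To: or CC:
        return [str(v) for h in ("To", "Cc") for v in msg.get_all(h, [])]
    if rule.section == "<<mail header>>":      # any header line
        return [f"{k}: {v}" for k, v in msg.items()]
    if rule.section == "<<mail content>>":     # decoded visible body
        body = msg.get_body(preferencelist=("plain", "html"))
        return body.get_content().splitlines() if body else []
    # A named header keeps its "name:" prefix, which is what the blank-subject
    # expression in the text (^subject:...$) relies on.
    name = rule.section.rstrip(":")
    return [f"{name}: {v}" for v in msg.get_all(name, [])]


def action_rank(action: str) -> int:
    """Lower is stronger; Archive High/Medium/Low all rank as Archive."""
    return ACTION_ORDER.index("archive" if action.startswith("archive") else action)


def select_rule(matched: List[Rule]) -> Optional[Rule]:
    """Highest priority wins; ties go to the strongest action, then the highest rule number."""
    if not matched:
        return None
    return max(matched, key=lambda r: (PRIORITY_RANK[r.priority],
                                       -action_rank(r.action), r.rule_number))


def matching_rules(raw_message: str, direction: str, rules: List[Rule]) -> List[Rule]:
    """Read the whole message and return every rule that applies and matches."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return [r for r in rules
            if r.direction in ("both", direction)
            and any(field_matches(r, line) for line in candidate_lines(r, msg))]


def evaluate(raw_message: str, direction: str, rules: List[Rule]) -> Optional[Rule]:
    """The rule whose action would be applied to this message, if any."""
    return select_rule(matching_rules(raw_message, direction, rules))


# Constructed sample rule file in the documented upload format.
SAMPLE_PBMF_CSV = r"""
to:,contains,friend@example.com,reject,medium,1,both,on
subject:,contains,FREE,quarantine,medium,2,inbound,
<<recipient>>,ends with,@example.com,accept,low,3,inbound,
subject:,reg exp,^subject:\s*$,just log,high,4,both,
subject:,contains,offer,reject,medium,5,both,
<<mail content>>,starts with,hello,archive high,low,6,both,
"""

# Constructed sample message.
SAMPLE_MESSAGE = "From: promo@example.net\nTo: friend@example.com\nSubject: FREE offer\n\nHello\n"
```

Rules 1 and 5 both match the sample message with the same priority and action, so the higher rule number (5) wins and, because its Options field is blank, its Reject counts as Reject+Train.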

Malformed Mail

Many viruses and denial of service (DoS) attacks try to elude virus scanners by concealing themselves in malformed messages. The scan engines cannot detect the attachment and pass the complete message through to an internal server. Some mail clients try to rebuild malformed messages and may rebuild or activate a virus-infected attachment. Other types of malformed messages are designed to attack mail servers directly; most often these types of messages are used in denial-of-service (DoS) attacks.

eprism analyzes each message with extensive integrity checks. Malformed messages are quarantined if they cannot be processed.

Select Mail Delivery > Content Management > Malformed Mail on the menu to enable and configure malformed scanning.

- Enable malformed scanning: Select this option to enable scanning for malformed emails.
- Enable NULL Character Detect: Select this option to enable null character detection. Any message containing null characters (a byte value of 0) in the raw mail body will be considered a malformed message. The null character detection feature may cause incompatibility with certain mail servers, and it is recommended that this feature be disabled if issues occur.
- Action: Select an action to be performed. Options include:
  - Just log: Log the event and take no further action.
  - Reject mail: The message is rejected with notification to the sending system.

  - Quarantine mail: The message is placed into the administrative quarantine area.
  - Discard mail: The message is discarded without notification to the sending system.
- Notifications: Notifications for inbound and outbound messages can be enabled for all recipients, the sender, and the administrator. Enter the content for the notification message. See Customizing Notification and Annotation Messages on page 371 for information on variables such as %SENDER% and %RECIPIENT%.

Dictionaries

The Dictionaries feature contains default and custom word and phrase dictionaries that can be used with Objectionable Content Filtering, Spam Dictionaries, and compliancy-based Attachment Content Scanning. Each file is a simple word or phrase text file (Unix format) with one word or phrase per line, such as:

Compliance
Classified
Top Secret

The maximum word length is 35 characters. Both plural and singular word forms need to be defined in the dictionaries. In Policies, the phrase length of the compliance dictionary selected should not be greater than the phrase length configured in the content scanning configuration.

For example, to define a new dictionary to be used for policy compliance:

1. Select Mail Delivery > Content Management > Dictionaries.
2. Click Add to add a new dictionary file.
3. Click Browse to select the file to be uploaded. Click Continue.

The file information screen displays the initial contents of the file. Choose the name of the file, and select the type of file you are uploading. This indicates which feature the file is used with:

- Any: This file can be used for any feature.
- Compliancy: This file can be used for compliance policy attachment scanning.
- OCF: This file can be used with Objectionable Content Filtering.
- Spam: This file can be used with the Spam Dictionaries Intercept Anti-Spam feature.

Click Continue to finish uploading the file. The new dictionary will now appear in the list and can be selected when using a dictionary-based feature such as policy compliance.
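The dictionary format above and the Phrase length, Punctuation treatment and Case sensitivity settings from the Attachment Content Scanning section determine together whether a compliance phrase is found, so here is one added illustration of both; it is not eprism's code, and the sliding-window matcher and the file checks (Unix line endings, 35-character words, phrase length not above the configured value) are assumptions about how the documented limits apply.

```python
"""Compliance phrase scanning with the Phrase length, Punctuation treatment and
Case sensitivity settings, over a one-entry-per-line dictionary file.
Constructed illustration, not eprism code (assumptions noted inline)."""
import re
import string
from typing import List

MAX_WORD_LENGTH = 35
PUNCT_RE = re.compile("[%s]" % re.escape(string.punctuation))


def validate_dictionary(text: str, phrase_length: int) -> List[str]:
    """Return the problems found in a dictionary file (empty if it is usable)."""
    problems = []
    for lineno, raw in enumerate(text.split("\n"), 1):
        if "\r" in raw:
            problems.append(f"line {lineno}: Windows line ending; file must be Unix format")
        words = raw.strip().split()
        if any(len(w) > MAX_WORD_LENGTH for w in words):
            problems.append(f"line {lineno}: word longer than {MAX_WORD_LENGTH} characters")
        if len(words) > phrase_length:
            problems.append(f"line {lineno}: {len(words)}-word phrase exceeds phrase length {phrase_length}")
    return problems


def load_dictionary(text: str, phrase_length: int) -> List[str]:
    """Load entries, one word or phrase per line, refusing a file that breaks the limits."""
    problems = validate_dictionary(text, phrase_length)
    if problems:
        raise ValueError("; ".join(problems))
    return [line.strip() for line in text.split("\n") if line.strip()]


def tokenize(text: str, punctuation: str, case_sensitive: bool) -> List[str]:
    """Split text into words according to the Punctuation treatment and Case sensitivity settings."""
    if punctuation == "treat as space":
        text = PUNCT_RE.sub(" ", text)   # "This, is classified" -> "This  is classified"
    elif punctuation == "ignore":
        text = PUNCT_RE.sub("", text)    # "top-secret" -> "topsecret"
    elif punctuation != "significant":  # significant: punctuation stays part of the word
        raise ValueError(f"unknown punctuation treatment {punctuation!r}")
    if not case_sensitive:
        text = text.lower()
    return text.split()


def scan(text: str, dictionary: List[str], phrase_length: int,
         punctuation: str = "treat as space", case_sensitive: bool = False) -> List[str]:
    """Return the dictionary entries found in text, checking every window of 1..phrase_length words.
    Entries are normalised with the same settings so a case-sensitive scan needs the exact form."""
    tokens = tokenize(text, punctuation, case_sensitive)
    phrases = {" ".join(tokenize(e, punctuation, case_sensitive)) for e in dictionary}
    hits: List[str] = []
    for start in range(len(tokens)):
        for n in range(1, phrase_length + 1):
            if start + n > len(tokens):
                break
            window = " ".join(tokens[start:start + n])
            if window in phrases and window not in hits:
                hits.append(window)
    return hits


# Constructed sample dictionary in the documented format (Unix line endings).
SAMPLE_DICTIONARY = "Compliance\nClassified\nTop Secret\nThis is classified\n"
```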

Message Archiving

eprism offers message archiving support, allowing organizations to define additional mail handling controls for inbound and outbound mail. These features are especially important for organizations that must archive certain types of mail for regulatory compliance or other corporate security policies.

eprism allows mail to be categorized and selectively archived for different levels of importance. By providing the ability to classify and archive messages at different levels, mail of high importance or compliance classification can be archived while allowing different actions for mail of lower importance. These features also prevent the waste of resources by ignoring spam messages and other types of unwanted mail when archiving messages.

eprism can integrate with third-party archiving servers and archive messages by creating pattern filters to classify messages and route them to the appropriate archiving server or an archive address, while still delivering the email to its original recipients. Mail headers added to an archived message by eprism allow administrators to customize their archiving services for efficient retrieval of archived messages.

Mail archiving can be used with Pattern Based Message Filters, the Objectionable Content Filter, and Attachment Content Scanning, including the use of these features via Policies. When a message is received by eprism, these features search for text within a message and its attachments. When this text is found, an action can be taken classifying the message for archiving into one of three categories: "Archive High", "Archive Medium", and "Archive Low". The Archiving feature then applies the archiving action for each category. For example, messages categorized as "Archive High" can have an action of "Archive copy to", with the action data identifying the archiving address or mail route to archive mail to.

Configuring Message Archiving on eprism

The eprism Email Security Appliance can be configured to integrate with third-party archiving servers to archive messages using the following steps:

1. Define an archive address or a mail route to the archiving server.
2. Create Content Management filters to identify messages to be archived.

Select Mail Delivery > Archiving on the menu to configure global archiving settings. Configuration fields for three classifications of archiving will appear, for the High, Medium, and Low Importance archiving actions:

- Active: Select the check box to activate this archiving action.
- Action Name: Select a name to be displayed as the archiving action for the PBMF, OCF, and Attachment Scanning features.
- Action: Select the "Archive copy to" action to send the message to an archive server.
- Action data: The action data can contain either an address or the name of the mail route for the destination archiving server. For archiving to an address, enter an address such as "archive@example.com". This will be a mailbox that contains all archived messages; your archiving server will be able to pull eprism's archived messages from this mailbox. Mail routes can also be defined in this field to route mail to the archiving server. The action data will contain the name of the route for each classification, such as "archive_high_reroute", "archive_medium_reroute", or "archive_low_reroute". A corresponding mail route will need to be created on eprism via Mail Delivery > Routing > Mail Routing. See the following section, Defining Mail Routes for Archiving on page 127, for more information on creating mail routes. Mail routes are not required if archiving to an address.
- Add header: Select the check box to add an archive header to the message when it is sent to the destination archive server. This allows the archiving server to store the message according to the classification in the header and allows for more efficient retrieval of the message in the future.
- Header data: Enter the mail header data that will be added to the message header, such as "X-Archive: high".
- Notification: Select optional notifications to the Recipients, Sender, or Administrator when a message has been archived.

Defining Mail Routes for Archiving

When using the mail routing method for archiving messages, mail routes to the archiving server must be defined so that eprism knows where to send messages for each archiving classification. For each archiving classification, a corresponding mail route must be created:

Action data               Mail route domain
archive_high_reroute      .archive_high_reroute
archive_medium_reroute    .archive_medium_reroute
archive_low_reroute       .archive_low_reroute

Select Mail Delivery > Routing > Mail Routing to define mail routes. Enter the domain, such as ".archive_high_reroute", enter the destination address of the archiving server, and click Add. Mail routes are not required if archiving to an address.

Configuring Content Management Filters for Archiving

To classify messages for archiving, eprism's content management features, such as PBMF, OCF, and Attachment Scanning, must be configured to search for text in a message or its attachments. The corresponding action will be the archive classification, such as "Archive High".

Configuring Pattern Filters (PBMF) for use with Archiving

1. Select Mail Delivery > Content Management > Pattern Filters (PBMF).
2. Click the Add button.
3. Create a pattern filter looking for the required text. In this example, we are searching for an inbound message whose subject starts with the word "Compliancy".
4. Set the Action to the appropriate archive action, such as "Archive High".
5. Click the Apply button to add the pattern filter.

Configuring OCF for Archiving

The Objectionable Content Filter can also be used for classifying and archiving messages. Custom dictionaries can be created for content specific to your organization. When the OCF feature finds a word from these dictionaries, an archive action can be applied.

1. Select Mail Delivery > Content Management > Objectionable Content.
2. Enable the OCF feature, and select your customized phrase file, such as "Archive" in this example.
3. Set the Action to the appropriate archive action for this phrase file, such as "Archive Low".

Configuring Policies for Archiving

The Archiving feature can also be used by the Policy engine to apply different archiving actions to different domains or groups of users. When creating a policy, the Attachment Scanning feature provides actions for archiving when certain text is found in an attachment. Attachment Scanning requires a phrase file to match attachment content against and a corresponding archiving action to perform.

To configure a policy definition:

1. Ensure Attachment Scanning is enabled globally via Mail Delivery > Content Management > Attachment Scanning.
2. Select Mail Delivery > Policy > Policy Definition in the menu to define a policy.
3. Select the Enable check box to enable Attachment Scanning for this policy.
4. Select the Compliancy file to be used for matching text, such as "Archive" in this example.
5. Set the Action to the appropriate archive action for this phrase file, such as "Archive Medium".

Customizing Archive Headers using Policies

For each policy definition, the archive header can be customized for each archiving classification if it needs to differ from the default settings.

CHAPTER 7 Intercept Anti-Spam

This chapter describes how to configure the Intercept Anti-Spam features of the eprism Security Appliance and contains the following topics:

Intercept Anti-Spam Feature Overview on page 132
Trusted and Untrusted Mail Sources on page 134
Configuring Intercept Anti-Spam on page 136
Intercept Components on page 139
Intercept Advanced Features on page 177
Trusted and Blocked Senders on page 181
Spam Quarantine on page

Intercept Anti-Spam Feature Overview

eprism's Intercept Anti-Spam features take advantage of its extensive mail control features and provide a solutions-based approach in which each anti-spam feature, when enabled, contributes to the final spam score of a message. The information gathered by all of the enabled anti-spam features results in a more informed decision on whether the message is in fact spam or legitimate mail. Thresholds can be set to take appropriate action on a message based on its score and classification: Certainly Spam, Probably Spam, and Maybe Spam. A different action can be set for each threshold, such as "Redirect" to a spam quarantine for messages classified as Certainly Spam, or "Modify Subject Header" for messages classified as Maybe Spam.

Administrators can use the advanced Intercept options for more granular control over each Intercept component in their environment; however, the default Intercept configuration has been engineered to provide maximum protection against spam without additional configuration.

eprism's Intercept Anti-Spam engine includes the following components:

Specific Access Patterns (SAP): Filter messages based on pattern matches against the client address or header parameters such as HELO or Envelope-From and Envelope-To.

Pattern Based Message Filtering (PBMF): Filter messages based on matches in any aspect of a mail message, including the envelope, header, body, and any attachments.

Spam Dictionaries: Filter messages based on a dictionary of typical spam words and phrases that are matched against the message.

Mail Anomalies: Checks various aspects of the incoming message for issues such as unauthorized SMTP pipelining, missing headers, and mismatched identification fields. Checks for recent spam and viruses from a specific IP address can also be enabled; these are used in conjunction with the Threat Prevention feature.

BorderWare Security Network (BSN): The BSN helps to identify spam by reporting a collection of metrics about the sender of a mail message, including its overall reputation, whether the sender is a dial-up, and whether the sender appears to be virus-infected, based on information collected from eprism systems and DNS Block Lists worldwide. This information can be used by the eprism Security Appliance to reject the message, or as part of the overall anti-spam decision.

DNS Block List (DNSBL): Detects spam using domain-based lists of hosts with a poor reputation. Messages can also be rejected immediately, regardless of the results of other anti-spam processing, if the client is listed on a DNSBL. A configurable threshold allows administrators to specify how many DNSBLs must trigger before the sender is considered unreliable.

URL Block List: URL Block Lists contain the domains and IP addresses of URLs that have previously appeared in spam messages. This feature determines whether a message is spam by examining any URLs in the body of the message to see if they appear on a block list.

Bulk Analysis: Detects bulk mail spam by checking whether the message was sent to a large number of users.

Token Analysis: Detects spam based on advanced content analysis using databases of known spam and valid mail.

Sender Policy Framework (SPF): Checks a sending host's SPF DNS records to identify and validate the source of a message and determine whether the message was spoofed.

DomainKeys Authentication: Checks a sending host's DomainKeys DNS records to identify and validate the source of a message and determine whether the message was spoofed.

User-Based Options

Other anti-spam options can be enabled to allow end users to create a list of Trusted and Blocked Senders and to manage their own spam quarantine area:

Trusted and Blocked Senders List
User Spam Quarantine

Trusted and Untrusted Mail Sources

eprism must be properly configured for interaction with local and remote mail servers. eprism only processes mail through the spam filters when a message originates from an "untrusted" source. Trusted sources bypass the spam controls. There are two ways to control how sources of mail are identified and trusted:

1. Trusted Subnet: All mail from a specific network interface is considered trusted.
2. Specific Access Pattern: An IP address (or address block), server, or domain name is identified as trusted using a specific access pattern rule.

Trusted Subnet

By default, mail that arrives on a particular network interface from the same subnet is "trusted". To change this setting, perform the following steps:

1. Select Basic Config > Network on the menu.
2. For the specified interface, disable Trusted Subnet.

Trusting via Specific Access Patterns

To trust a system with a specific access pattern:

1. Select Mail Delivery > Mail Access on the menu.
2. For Specific Access Patterns, click Add Pattern.
3. Enter the IP address or hostname of the system in the Pattern field.
4. Select the Client Access check box.
5. Select Trust in the If pattern matches field, and then click Apply to add the rule.


Configuring Intercept Anti-Spam

To enable and configure eprism's Intercept Anti-Spam features, select Mail Delivery > Anti-Spam > Intercept on the menu.

Intercept Actions

In the Intercept Actions section, administrators can assign actions for three levels of spam score thresholds. The categories are as follows:

Certainly Spam: Any message with a score over this threshold (Default: 99) is almost guaranteed to be spam. These messages require a strong action such as Reject Mail or Redirect To.

Probably Spam: Any message with a score over this threshold (Default: 90) is probably spam. This threshold indicates a message with a very high spam score, but not high enough to be Certainly Spam. These messages should be treated with a lighter action than Certainly Spam, such as Redirect To or Modify Subject Header, but should not be rejected.

Maybe Spam: Any message with a score over this threshold (Default: 60) might be spam but should be treated with caution to prevent false positives. This threshold indicates messages that could be spam but could also be legitimate mail. It is recommended that a light action such as Modify Subject Header or Just Log be used.

For each category you can set the following fields and actions:

Threshold: Set the threshold for this category to the specified spam score. It is recommended that administrators leave these values at their defaults.

Action: Specify one of the following actions:

Just log: An entry is made in the log, and no other action is taken.

Modify Subject Header: The text specified in the Action Data field will be inserted into the message subject line.
Add header: An "X-" mail header will be added as specified in the Action Data field.
Redirect to: The message will be delivered to the mail address or server specified in the Action Data field.
Discard mail: The message is rejected without notification to the sender.
Reject mail: The mail will not be accepted, and the connecting mail server is forced to return it.
BCC: Send a blind carbon copy of the message to the mail address specified in the Action Data field.
Quarantine Mail: The message is sent to the administrative quarantine area.

Action data: Depending on the specified action:

Modify Subject Header: The specified text will be inserted into the subject line, such as [SPAM].
Redirect to: Send the message to a mailbox such as "spam@example.com". The message can also be redirected to a spam quarantine server such as "spam.example.com".
Add header: An "X-" message header will be added with the specified text, such as "X-Reject: spam". The header action data must start with "X-" and must contain a colon followed by a space. If this is not specified, "X-Reject" will be prepended to the header. For example, if "spam" is entered, the full header will be "X-Reject: spam". If a header is entered with a colon, such as "Reason:spam", the full header will be "X-Reason:spam".

Anti-Spam Header

Anti-spam headers are added to all messages for diagnostic purposes and contain data on the spam processing applied to the message and its metrics. Enable this option to include the header with the message. The header output is similar to the following:

    X-BTI-AntiSpam: score:99,sta:99/022,dcc:passed,dnsbl:passed,
        sw:off,bsn:95 passed,spf:off,dk:off,pbmf:none,ipr:1/5,
        trusted:no,ts:no,bs:no,ubl:matched/1

TABLE 1. Anti-Spam Header Description

Item      Description
score     Overall Intercept score
sta       Token Analysis score
dcc       Bulk Analysis check
dnsbl     DNS Block List check
sw        Spam Dictionaries
bsn       BorderWare Security Network reputation
spf       SPF results
dk        DomainKeys results
pbmf      Pattern Based Message Filters
ipr       Mail Anomalies checks
trusted   Trusted or non-trusted
ts        Trusted Senders List
bs        Blocked Senders List
ubl       URL Block List check
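The following is an added example, not code from the eprism product or this guide: it parses the X-BTI-AntiSpam header as printed above using the Table 1 item names, classifies the overall score against the default Intercept thresholds, and applies the "Add header" action data rules. The sample header value is the one shown in the guide; treating a score equal to a threshold as meeting it is this example's assumption.

```python
"""Added example, not eprism code: parse the X-BTI-AntiSpam diagnostic
header, classify the overall score against the Intercept thresholds, and
normalise "Add header" action data using the rules the guide states."""
from typing import Dict, List, Optional

# Sample header value copied from the guide, unfolded onto one line.
SAMPLE_HEADER = ("score:99,sta:99/022,dcc:passed,dnsbl:passed,"
                 "sw:off,bsn:95 passed,spf:off,dk:off,pbmf:none,ipr:1/5,"
                 "trusted:no,ts:no,bs:no,ubl:matched/1")

# Item names from Table 1 of the guide.
KNOWN_ITEMS = {"score", "sta", "dcc", "dnsbl", "sw", "bsn", "spf", "dk",
               "pbmf", "ipr", "trusted", "ts", "bs", "ubl"}

# Default Intercept thresholds from the guide.
DEFAULT_THRESHOLDS = {"Certainly Spam": 99, "Probably Spam": 90, "Maybe Spam": 60}


def parse_antispam_header(value: str) -> Dict[str, object]:
    """Split 'item:value,item:value,...' into a dict.

    Whitespace around items (from header folding) is stripped; whitespace
    inside a value, as in 'bsn:95 passed', is kept as printed in the guide.
    Items not listed in Table 1 are collected under '_unknown' so a log
    reviewer notices a header this parser does not fully understand.
    """
    fields: Dict[str, object] = {}
    unknown: List[str] = []
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        key, sep, raw = part.partition(":")
        if not sep:
            raise ValueError(f"malformed item {part!r}")
        key = key.strip()
        if key not in KNOWN_ITEMS:
            unknown.append(key)
        fields[key] = raw.strip()
    if unknown:
        fields["_unknown"] = unknown
    return fields


def overall_score(fields: Dict[str, object]) -> int:
    """Return the 'score' item as an integer, rejecting a header without one."""
    raw = fields.get("score")
    if not isinstance(raw, str) or not raw.isdigit():
        raise ValueError("header carries no numeric overall score")
    return int(raw)


def classify(score: int, thresholds: Dict[str, int] = DEFAULT_THRESHOLDS) -> Optional[str]:
    """Return the highest category whose threshold the score reaches.

    Assumption: the guide's sample header carries score:99 with the Certainly
    Spam threshold at 99, so reaching the threshold is treated as meeting it.
    """
    for name, limit in sorted(thresholds.items(), key=lambda kv: kv[1], reverse=True):
        if score >= limit:
            return name
    return None


def normalise_add_header(action_data: str) -> str:
    """Apply the guide's 'Add header' rules.

    Data must start with "X-" and contain a colon followed by a space. If it
    does not, "X-Reject" is prepended ('spam' -> 'X-Reject: spam'); data that
    already has a colon but no "X-" prefix gets only "X-" prepended
    ('Reason:spam' -> 'X-Reason:spam').
    """
    data = action_data.strip()
    if data.startswith("X-") and ": " in data:
        return data
    if ":" in data:
        return data if data.startswith("X-") else "X-" + data
    return "X-Reject: " + data


def summarise(header_value: str) -> Dict[str, object]:
    """Parse a header and report the category plus every component whose
    value is something other than passed/off/none/no."""
    fields = parse_antispam_header(header_value)
    score = overall_score(fields)
    quiet = {"passed", "off", "none", "no"}
    flagged = [k for k in sorted(KNOWN_ITEMS - {"score"})
               if k in fields and fields[k] not in quiet]
    return {"score": score, "category": classify(score), "flagged": flagged}


if __name__ == "__main__":
    print(summarise(SAMPLE_HEADER))
```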

Intercept Components

Each component of the Intercept Anti-Spam engine can be enabled or disabled depending on your environment. To configure advanced settings for a feature, select its link from the list. Select the Enable check box for a specific feature and then select the feature link to review or customize the default settings. When finished, click the Apply button to save the configuration. Each Intercept Anti-Spam feature is discussed in more detail in the following sections.

Reject on Unknown Recipient

This option rejects mail if the intended recipients do not exist locally or in an LDAP directory. It is used in conjunction with LDAP Users and the LDAP Recipients feature. eprism determines whether a user exists as follows:

- Checks if the user is in the local database of imported LDAP Users
- Performs a direct lookup on an LDAP user directory with the LDAP Recipients feature

If using an Active Directory server, it is recommended that the LDAP Users function be used. Configure LDAP Users and Groups and LDAP Recipients via the Basic Config > Directory Services menu.

See Directory Users and Groups on page 63 for more information on importing LDAP users for user lookups. See LDAP Recipients on page 71 for information on configuring the LDAP Recipients feature.

You can override Reject on Unknown Recipient by using a Specific Access Pattern set to "Allow Relaying" or "Trust".

Specific Access Patterns (SAP)

Specific Access Patterns (SAP) are always enabled and can be used to either accept or reject mail during an SMTP connection. These rules override all others, allowing them to be used for special trusting and blocking cases: to allow mail where it would otherwise be blocked, or to block mail where it would otherwise be allowed. Specific access patterns allow an administrator to respond to local filtering requirements such as the following:

- Allowing other systems to relay mail through eprism
- Rejecting all messages from specific systems
- Allowing all messages from specific systems (effectively trusting the server)
- Trusting addresses that may be blocked by BSN, DNSBL, or the URL Block List

Configuring Specific Access Patterns

Select Mail Delivery > Mail Access on the menu. To define a Specific Access Pattern, click the Add Pattern button.

Pattern: Enter a mail address, IP address, hostname, or domain name.

Client Access: Specify a domain, server hostname, or IP address. This item is the most reliable and may be used to block spam as well as to trust clients.

Only the Client Access parameter can be relied upon, since spammers can easily forge all other message properties. Those other parameters are, however, useful for trusting.

HELO Access: Specify either a domain or server name.
Envelope-From Access: Specify a valid address.
Envelope-To Access: Specify a valid address.

None of the previous three options is reliable, as spammers can easily fake these properties.

If Pattern Matches:
Reject: The connection will be dropped.
Allow relaying: Messages from this address will be relayed. These messages will be processed for spam.
Trust: Messages from this address will be relayed and not processed for spam.

Matching Rules

When you specify a Specific Access Pattern rule, it can take the following forms:

IP Address: eprism will match the IP address, such as " ", or you can use a more general address form, such as " ", that will match anything in that address space. For the Client Access parameter, eprism also supports CIDR (Classless Inter-Domain Routing) format, so that administrators can specify a pattern for a network such as " /24".

Domain Name: eprism will match the supplied domain name, such as "example.com", and any subdomain, such as "mail.example.com", "sales.mail.example.com", and so on.

Address: eprism will match an exact address, such as "user@example.com", or a more general rule such as "@example.com".

Pattern Based Message Filters

Pattern Based Message Filtering is the primary tool for augmenting anti-spam controls and for trusting and blocking messages. An administrator can specify that mail is rejected or trusted according to the contents of the message header, including the sender, recipient, subject, attachment content, and message body text. See Pattern Based Message Filtering (PBMF) on page 112 for detailed information on configuring PBMFs.
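As an added example (not eprism code), the matcher below implements the Specific Access Pattern forms described in Matching Rules: exact IP, CIDR, domain name with subdomains, and exact or "@domain" address, and flags a Trust or relay decision that rests on one of the forgeable fields. First-match rule ordering, the dotted-prefix IP form (such as "192.0.2"), and the field names are assumptions made for this demo.

```python
"""Added example, not eprism code: a Specific Access Pattern matcher covering
the IP, CIDR, domain and address forms the guide describes, plus a check for
decisions that trust a forgeable field (HELO, Envelope-From, Envelope-To)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIELDS = ("client", "helo", "envelope_from", "envelope_to")   # assumed names
ACTIONS = ("Reject", "Allow relaying", "Trust")
# Per the guide, only Client Access is reliable; the rest can be forged.
FORGEABLE = {"helo", "envelope_from", "envelope_to"}


@dataclass(frozen=True)
class AccessPattern:
    pattern: str   # IP, dotted prefix, CIDR, domain name or mail address
    field: str     # one of FIELDS
    action: str    # one of ACTIONS

    def __post_init__(self) -> None:
        if self.field not in FIELDS or self.action not in ACTIONS:
            raise ValueError(f"bad rule {self!r}")


@dataclass(frozen=True)
class SmtpSession:
    client_ip: str
    client_host: str        # reverse DNS name of the client, "" if none
    helo: str
    envelope_from: str
    envelope_to: str


def match_ip(pattern: str, ip: str) -> bool:
    """Exact IP, CIDR such as 192.0.2.0/24, or a dotted prefix such as
    192.0.2 that matches the whole address space (prefix form is assumed)."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    octets = pattern.rstrip(".").split(".")
    if not all(o.isdigit() for o in octets):
        return False
    return ip.split(".")[:len(octets)] == octets


def match_domain(pattern: str, name: str) -> bool:
    """'example.com' matches itself and any subdomain such as mail.example.com."""
    p = pattern.lower().strip(".")
    n = name.lower().strip(".")
    return bool(p) and (n == p or n.endswith("." + p))


def match_address(pattern: str, address: str) -> bool:
    """'user@example.com' matches exactly; '@example.com' matches any local part."""
    p, a = pattern.lower(), address.lower()
    return a.endswith(p) if p.startswith("@") else a == p


def rule_matches(rule: AccessPattern, s: SmtpSession) -> bool:
    """Evaluate one rule against the field it applies to."""
    if rule.field == "client":
        return match_ip(rule.pattern, s.client_ip) or match_domain(rule.pattern, s.client_host)
    if rule.field == "helo":
        return match_domain(rule.pattern, s.helo)
    value = s.envelope_from if rule.field == "envelope_from" else s.envelope_to
    return match_address(rule.pattern, value)


def evaluate(rules: List[AccessPattern], s: SmtpSession) -> Optional[Tuple[str, str]]:
    """Return (action, field) of the first matching rule, or None.
    Ordered first-match evaluation is an assumption of this demo."""
    for rule in rules:
        if rule_matches(rule, s):
            return rule.action, rule.field
    return None


def weak_trust(decision: Optional[Tuple[str, str]]) -> bool:
    """True when a non-Reject decision rests on a field a sender can forge."""
    return decision is not None and decision[0] != "Reject" and decision[1] in FORGEABLE


# Constructed rule set for the demo.
RULES = [
    AccessPattern("192.0.2.0/24", "client", "Trust"),
    AccessPattern("bad.example", "helo", "Reject"),
    AccessPattern("@partner.example", "envelope_from", "Allow relaying"),
]
```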

Spam Dictionaries

eprism provides a built-in Spam Dictionaries filter. When enabled, all inbound messages passing through the eprism Security Appliance are scanned for spam words and phrases that appear in the dictionary. Messages with words or phrases in their subject or body that match the phrase list are more likely to be spam, and eprism's Intercept Anti-Spam engine uses this information to help decide whether the message is spam or legitimate mail.

eprism includes a basic pre-configured spam word list that can be used for Spam Dictionary filtering. St. Bernard's default list includes very common spam words such as "prescription" and "viagra". The full default list can be viewed and saved, and administrators can use it to build and upload their own custom spam word list. It is recommended that administrators review this default list to ensure that none of the included words are part of their organization's business. For example, the word "prescription" should be removed if the company is involved in the pharmaceutical industry.

Select Mail Delivery > Anti-Spam > Intercept and then select Spam Dictionaries on the menu to configure the options for this feature.

Enable Spam Dictionaries: Select the check box to enable the Spam Dictionaries feature. Message content will be checked against the spam word lists and the result will be used by the Intercept engine.

Phrase file: Select the phrase file used for anti-spam checks. This can be the "Default Spam Words" list provided by St. Bernard, or a custom list uploaded via Mail Delivery > Content Management > Dictionaries. See the following section for more information on adding a custom dictionary.

Logging: Select the type of logging for messages that contain matched spam words and phrases. This logging information appears in the Mail Transport logs. Choose from the following:

No logging: No logging will be performed.
First match only: Only the first matching word will be displayed.
All matches: All matched words will be displayed.

Adding a Spam Dictionary

1. Select Mail Delivery > Content Management > Dictionaries on the menu to view the default Spam Words list.
2. Select the Default Spam Words list. The Default Spam Words file contains a list of common words that are typically seen in spam messages.
3. Click Download to save and view the text file of spam words. The list contains one word or phrase per line, such as the following:

    free pic
    free pics
    free picz
    meds
    medz

Administrators can use this base list to create their own dictionary of spam words by editing the text file and adding one word or phrase per line. Default words that are not required can be deleted. The maximum length for a dictionary word or phrase is 35 characters.

To upload the new spam dictionary file:

1. Select Mail Delivery > Content Management > Dictionaries.
2. Click Add to add a new dictionary file.
3. Click Browse to select the file to be uploaded, and then click Continue.

The file information screen displays the initial contents of the file. You can change both the name of the list and the type of dictionary. Set the Type of file to "spam"; this indicates that the dictionary file can be used with the Spam Dictionaries feature. Click Continue to finish uploading the file. The new dictionary will now appear in the list and can be selected when using Spam Dictionaries.
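The following added example (not eprism code) serves both the Spam Dictionaries feature and the dictionary-file procedure above: it loads a one-phrase-per-line dictionary while enforcing the 35-character limit, scans a constructed message for those phrases, and reports results under the three logging modes. Whole-word matching and ordering "first match" by position in the message are assumptions of this demo.

```python
"""Added example, not eprism code: load a spam dictionary in the guide's
one-phrase-per-line format, scan a message for its phrases, and report
matches according to the No logging / First match only / All matches modes."""
import re
from typing import List, Tuple

MAX_PHRASE_LEN = 35   # maximum dictionary word or phrase length, from the guide
LOGGING_MODES = ("No logging", "First match only", "All matches")

# Constructed dictionary text, starting from entries printed in the guide.
SAMPLE_DICTIONARY = """free pic
free pics
free picz
meds
medz
prescription
"""


def load_dictionary(text: str) -> List[str]:
    """Parse dictionary text: one phrase per line, blank lines ignored,
    duplicates dropped, entries over MAX_PHRASE_LEN rejected."""
    phrases: List[str] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        phrase = " ".join(raw.split()).lower()   # trim and collapse whitespace
        if not phrase:
            continue
        if len(phrase) > MAX_PHRASE_LEN:
            raise ValueError(f"line {lineno}: {phrase!r} exceeds {MAX_PHRASE_LEN} characters")
        if phrase not in seen:
            seen.add(phrase)
            phrases.append(phrase)
    return phrases


def scan_message(subject: str, body: str, phrases: List[str],
                 logging: str = "All matches") -> Tuple[bool, List[str]]:
    """Return (matched, logged_phrases).

    A phrase matches only as a whole word or phrase (assumption), so 'free pic'
    does not fire on 'free pics'. Matches are ordered by their position in the
    message, so 'First match only' reports the earliest hit.
    """
    if logging not in LOGGING_MODES:
        raise ValueError(f"unknown logging mode {logging!r}")
    text = " ".join(f"{subject}\n{body}".split()).lower()
    hits: List[Tuple[int, str]] = []
    for phrase in phrases:
        m = re.search(r"(?<!\w)" + re.escape(phrase) + r"(?!\w)", text)
        if m:
            hits.append((m.start(), phrase))
    hits.sort()
    matched = bool(hits)
    if logging == "No logging":
        return matched, []
    if logging == "First match only":
        return matched, [hits[0][1]] if hits else []
    return matched, [phrase for _, phrase in hits]


if __name__ == "__main__":
    words = load_dictionary(SAMPLE_DICTIONARY)
    print(scan_message("Cheap meds and free pics inside",
                       "Order your prescription today.", words))
```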

Mail Anomalies

The Mail Anomalies feature performs checks on incoming messages to help determine whether a message is coming from a known source of spam or is legitimate mail. Systems that send spam have certain characteristics that can give away the nature of the sending system. Many spammers deploy scripts and use spoofed or false information when sending mail. By checking incoming connections for patterns of these behaviours, eprism can help to determine whether mail from an incoming system is legitimate or spam.

The Mail Anomalies feature checks messages for a variety of information that may reveal discrepancies between the message's sending host and the host listed in the message envelope and contents, as well as information about messages recently sent by the sending host. A message must fail four or more checks to be classified as spam. The following anomaly indicators can be enabled by the administrator. If a message fails four or more checks, the weight assigned to Mail Anomalies in the Intercept advanced settings will be the score used for Intercept processing.

DNS Information

The following checks relate to issues with DNS record lookups for the sending host:

Missing client reverse DNS: Checks whether the sending host has a PTR (address to name) record and whether the PTR record has a matching A (name to address) record.

Missing sender MX: Checks whether the sender mail address has a DNS MX record. This check is more restrictive than the check for Unknown sender domain: if Unknown sender domain fails, this check will also fail. It is recommended that only one of the two checks be used at the same time.

Unknown sender domain: Checks whether the sender mail address has a DNS A or MX record. This check is less restrictive than the check for Missing sender MX: if this check fails, Missing sender MX will also fail. It is recommended that only one of these two checks be used at the same time.

Invalid HELO/EHLO hostname: Checks whether the HELO/EHLO address is a valid hostname.

Unknown HELO/EHLO domain: Checks whether the HELO/EHLO address has a DNS A or MX record.

Client Behaviour

The following checks relate to issues with the connecting client's SMTP connection and message information:

Unauthorized pipelining: Checks whether the client sends SMTP commands ahead of time without knowing whether the mail server actually supports SMTP command pipelining. This check detects bulk mail software that improperly uses SMTP command pipelining to speed up deliveries.

HELO/EHLO doesn't match client: Checks whether the HELO/EHLO address matches the sending host address.

Missing From header: Checks whether the From header is present.

Missing To header: Checks whether the To header is present.

Envelope sender doesn't match From header: Checks whether the From header matches the envelope sender address.

Recent Activity

The following checks identify clients that have recently sent spam or viruses, and only work if Threat Prevention (configured via Mail Delivery > Threat Prevention) is enabled.

Recent spam from client: Checks whether the sending host recently sent spam.

Recent virus from client: Checks whether the sending host recently sent a virus.
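As an added example (not eprism code), the block below runs the twelve Mail Anomalies checks listed above against a constructed SMTP session and applies the "four or more failed checks" rule with the configured weight. DNS answers and Threat Prevention history come from constructed tables, and how each individual check is decided (for instance, that a HELO name matches the client when it equals the PTR name or resolves to the client IP) is this example's assumption.

```python
"""Added example, not eprism code: evaluate the Mail Anomalies checks from
the guide against a constructed session, using constructed DNS and Threat
Prevention data, and apply the four-or-more-failures rule."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Syntactic hostname check used for "Invalid HELO/EHLO hostname" (assumed rule).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

CHECKS = (
    "Missing client reverse DNS", "Missing sender MX", "Unknown sender domain",
    "Invalid HELO/EHLO hostname", "Unknown HELO/EHLO domain", "Unauthorized pipelining",
    "HELO/EHLO doesn't match client", "Missing From header", "Missing To header",
    "Envelope sender doesn't match From header", "Recent spam from client",
    "Recent virus from client",
)
# The guide recommends enabling only one of the two sender-domain checks.
DEFAULT_ENABLED: Set[str] = set(CHECKS) - {"Missing sender MX"}


@dataclass
class Dns:
    """Constructed stand-in for DNS lookups."""
    a: Dict[str, List[str]] = field(default_factory=dict)   # name -> A records
    mx: Dict[str, List[str]] = field(default_factory=dict)  # domain -> MX hosts
    ptr: Dict[str, str] = field(default_factory=dict)       # ip -> PTR name


@dataclass
class Session:
    client_ip: str
    helo: str
    envelope_from: str
    headers: Dict[str, str]
    pipelined_before_ehlo_reply: bool = False   # observed by the SMTP engine
    recent_spam: bool = False                   # from Threat Prevention history
    recent_virus: bool = False


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def _bare_address(header_value: str) -> str:
    """'Alice <alice@example.com>' -> 'alice@example.com'"""
    m = re.search(r"<([^>]+)>", header_value)
    return (m.group(1) if m else header_value).strip().lower()


def run_checks(s: Session, dns: Dns, enabled: Set[str] = DEFAULT_ENABLED) -> List[str]:
    """Return the names of the enabled checks this session fails."""
    ptr_name = dns.ptr.get(s.client_ip, "").lower()
    sender_dom = _domain(s.envelope_from)
    helo = s.helo.lower()
    from_hdr = s.headers.get("From")
    failed = {
        "Missing client reverse DNS": not (ptr_name and s.client_ip in dns.a.get(ptr_name, [])),
        "Missing sender MX": not dns.mx.get(sender_dom),
        "Unknown sender domain": not (dns.a.get(sender_dom) or dns.mx.get(sender_dom)),
        "Invalid HELO/EHLO hostname": HOSTNAME_RE.match(helo) is None,
        "Unknown HELO/EHLO domain": not (dns.a.get(helo) or dns.mx.get(helo)),
        "Unauthorized pipelining": s.pipelined_before_ehlo_reply,
        "HELO/EHLO doesn't match client":
            not (helo and (helo == ptr_name or s.client_ip in dns.a.get(helo, []))),
        "Missing From header": from_hdr is None,
        "Missing To header": "To" not in s.headers,
        "Envelope sender doesn't match From header":
            from_hdr is not None and _bare_address(from_hdr) != s.envelope_from.lower(),
        "Recent spam from client": s.recent_spam,
        "Recent virus from client": s.recent_virus,
    }
    return [name for name in CHECKS if name in enabled and failed[name]]


def anomaly_score(s: Session, dns: Dns, weight: int,
                  enabled: Set[str] = DEFAULT_ENABLED) -> Dict[str, object]:
    """Four or more failures classify the message as spam, and the configured
    Mail Anomalies weight becomes the score handed to Intercept."""
    failed = run_checks(s, dns, enabled)
    spam = len(failed) >= 4
    return {"failed": failed, "is_spam": spam, "score": weight if spam else 0}


# Constructed DNS data for the demo.
DNS = Dns(
    a={"mail.example.com": ["192.0.2.10"], "example.com": ["192.0.2.20"]},
    mx={"example.com": ["mail.example.com"]},
    ptr={"192.0.2.10": "mail.example.com"},
)

if __name__ == "__main__":
    demo = Session("203.0.113.9", "localhost", "x@nonexistent.invalid",
                   {"From": "someone@else.example"}, pipelined_before_ehlo_reply=True)
    print(anomaly_score(demo, DNS, weight=80))
```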

BorderWare Security Network

The BorderWare Security Network (BSN) helps to identify spam by reporting behaviour information for a collection of metrics about the sender of a mail message, including its overall reputation, whether the sender is a dial-up, and whether the sender appears to be virus-infected or sends large amounts of spam, based on information collected from customer eprism systems and global DNS Block Lists. This information can be used by the eprism Security Appliance to either reject the message immediately or contribute to the Intercept score if a message is detected from a source with a poor reputation or numerous virus infections.

If this option is enabled, eprism asks the BSN Domain service for statistics on the sender IP of each message received, excluding those from trusted and known networks. Using the information returned from BSN, eprism can decide whether a message is spam or legitimate mail. A reputation of "0" indicates the sender is extremely reliable and rarely sends spam or viruses. A reputation of "100" indicates the sender is extremely unreliable and often sends spam or viruses. An IP address with no previous information from any source is assigned a value of "50".

BSN Statistics Sharing

Statistics from your eprism can also be shared with BSN by selecting the share statistics option. The following message count statistics and the upstream client IP are sent to the BSN network when Share Statistics is enabled on eprism:

- Total mail
- Clean mail
- Spam mail
- Virus mail
- Unknown recipient
- Known recipients
- Malformed mail

BSN Domain service queries use the DNS protocol on UDP port 53. BSN statistics sharing uploads to the BSN network using HTTPS on port 443. These ports must be opened on your network firewall if eprism is located behind the firewall.

Note the following considerations when using BSN:

- If the BSN server is not available, the DNS request times out. This may affect performance and requires monitoring for timed-out connections. Remove any servers which you do not use to prevent time-outs.
- If a message that you want to receive from a client is blocked by BSN, add a Specific Access Pattern to "Trust" messages from that client. Pattern Based Message Filtering can also be used to "Bypass" (skip anti-spam and content checks), "Trust" (accept and train as valid mail), or "Accept" (accept without training) the message; however, this may interfere with later eprism processing, and using SAPs is recommended.

BSN Trusting for Relays

Administrators can trust friendly local networks or the addresses of known mail servers in their environment that relay mail via eprism. These networks and servers can be added to the "relays" IP address list in the Threat Prevention feature to prevent them from being blocked by Threat Prevention and BSN, and to ensure that reputation statistics for these addresses are not reported to BSN.

For example, in eprism environments with a backup MTA (Mail Transfer Agent), the backup system may be misclassified by BSN. If eprism is offline, mail is collected by the backup MTA as specified in the organization's MX records. When eprism comes back online, this mail (which may include spam, viruses, and other infected mail) is forwarded from the backup MTA to eprism for processing. If BSN is enabled, the backup system may be given a poor reputation score by BSN.

To add a system to the relays list:

1. Click the internal hosts and friendly mail relays link on the BSN menu.
2. The relays static IP/CIDR list screen appears.
3. Add the address of any internal relays and a description, and then click the Add button.

Configuring BSN Checks

Select Mail Delivery > Anti-Spam > Intercept, and then BorderWare Security Network on the menu.

Enable: When BSN is enabled, incoming messages will be checked against the spam information gathered by the BSN network.

BSN Domain: Enter the BSN domain to query. The default (ipdns.borderware.com) is the primary BSN domain and should not be modified.

Share Statistics: Enable BSN information, such as spam and virus statistics for connecting client IP addresses, to be shared from this eprism with the BSN network. Port 443 must be open outbound to allow statistics to be uploaded to the BSN server. There are no security risks associated with sharing statistics; eprism does not relay any private or sensitive information to the BorderWare Security Network.

Check Relays: When this option is enabled, the configured number of Received headers will be checked with BSN. For example, a message may have been relayed by four mail servers before it reached eprism. Use this field to specify how many relay points, starting from the latest headers to the earliest, should have their reputation checked via BSN. Acceptable values are between "0" and "ALL". Recommended values are "0" (off), "1", or "2". The default is "0" (off). Check Relays should be enabled if eprism is installed behind another MTA or mail gateway; this ensures the relay before the intermediary MTA is checked.

Exclude Relays: This option specifies how many Received headers to exclude from BSN checks, starting from the earliest header to the most recent. For example, if Check Relays is enabled, setting this value to 1 means that the first relay point will not be checked. Note that some ISPs include the originating dial-up IP as the first relay point, which can lead to legitimate mail being classified as spam by BSN. Recommended values are "0" (off) or "1". The default is "0" (off). This setting is only enabled if Check Relays is also enabled.

As an example of using the Check Relays and Exclude Relays options, consider the following scenario:

Server A -> Server B -> Server C -> Server D -> eprism

With the mail relayed via four previous servers (A-D), the Received headers of a message will appear in the following order:

Received: D
Received: C
Received: B
Received: A

Setting the Check Relays option tells eprism to start with server "D" and check the configured number of Received headers. If Check Relays is set to "3", it will check "D", "C", and "B". Use the Exclude Relays option to tell eprism to ignore the configured number of Received headers starting at the end of the header list, regardless of what the Check Relays option is set to. If Exclude Relays is set to "1", then server "A" will be excluded from the checks.

BSN Connection Rejects

By default, eprism uses BSN feedback as part of the Intercept decision. To override this default behavior, eprism can use BSN information for connection-level rejects. When overriding the default behavior with BSN, eprism provides the following options:

Reject on BSN Reputation: If enabled, the eprism Security Appliance will reject messages from senders whose reputation is above the configured Reputation Threshold. A reputation of "0" indicates the sender is extremely reliable and rarely sends spam or viruses. A reputation of "100" indicates the sender is extremely unreliable and often sends spam or viruses. An IP address with no previous information from any source is assigned a value of "50". BSN rejects can be overridden by creating a Specific Access Pattern to "Trust" the rejected address. BSN rejects cannot be overridden by a policy. Pattern Based Message Filtering can also be used to "Bypass" (bypass all anti-spam and content checks), "Trust" (accept and train as valid mail), or "Accept" (accept without training) the message; however, this may interfere with later eprism processing, and using SAPs is recommended.

Reputation Threshold: Enter a reputation threshold over which a message will be rejected. Generally, a rejection threshold of "70" to "75" will reject at least 60% of spam messages. If desired, this threshold can be set to a less aggressive value of "90", which results in about 40% of spam messages being rejected via this feature.

Reject on Infection: If enabled, the eprism Security Appliance will reject messages from senders whose infection score is above the configured Infection Threshold.

Infection Threshold: Indicates the criteria for rejecting messages based on whether the sending host is Currently infected (received in the last hour) or Recently infected (received in the last day). This setting is only valid when Reject on Infection is enabled.

Reject Connection From Dial-ups: If enabled, the eprism Security Appliance will reject messages sent directly from dial-up connections.

Intercept Anti-Spam

If a message is not rejected for violating a BSN threshold, the reputation score and the dial-up status of the sender can still be incorporated into the overall Intercept Anti-Spam decision.

BSN Reject Message
This option allows the administrator to customize the reject message for BSN. Use "%s" in the message text to insert the IP address of the rejected sender, such as a "go to" message pointing at the BSN lookup URL shown in the log example below.

BSN rejection, infection, and dial-up log messages include a URL similar to the following:

BSN 450: blocked by Intercept: go to intercept.borderware.com/lookup?ip=[client_ip]

where client_ip is the connecting system that was rejected. Opening the URL displays a web page with BSN reputation statistics for the specified IP address.

DNS Block List

DNS Block Lists (DNSBL) contain the addresses of known sources of spam and are maintained by both commercial and non-commercial organizations. The DNSBL mechanism is DNS-based: a lookup is sent to each configured DNSBL server for every server that attempts to connect to eprism.

The weight assigned to DNS Block Lists in the Intercept advanced settings is the score (default is 80) used by Intercept processing when a DNSBL is triggered for a message. If a sender is matched on more than one DNS Block List, the weight is added for each list it is matched on.

Note the following considerations when using DNSBL:

If a DNSBL server is not available, the DNS request will time out. This can affect performance and requires monitoring for timed-out lookups. Remove any servers you do not use to prevent time-outs.

If a message that you want to receive is blocked by a DNSBL, add a Specific Access Pattern to "Trust" messages from that client. Pattern Based Message Filtering can also be used to "Bypass" (skip all Anti-Spam and content checks), "Trust" (accept and train as valid mail), or "Accept" (accept without training) the message; however, this may interfere with later eprism processing, so using SAPs is recommended.

Configuring DNSBL

Select Mail Delivery > Anti-Spam > Intercept, and then select DNS Block List to configure the options for this feature:

Enable DNSBLs
Select this check box to enable DNSBL lookups.

Check Relays
The Check Relays setting deals with spammers who relay their messages, usually illegally, through an intermediate server. Information about the originating server is carried in the Received headers of the message. Use this field to specify how many relay points, starting from the latest Received header and working back to the earliest, should be checked against the DNS Block Lists. Acceptable values are between "0" and "ALL".
It is recommended that this option be left at the default value of "0" (off), or set to "1" or "2".

This option should be enabled if eprism is behind another MTA or mail gateway, so that the relay before the intermediary MTA is also checked.

Exclude Relays
This option defines how many Received headers to exclude from DNSBL checks, starting from the earliest and working toward the most recent. Some ISPs record the originating dial-up IP address as the first relay point, which can result in legitimate mail being blocked by DNSBLs that list dial-up ranges. It is recommended to set this value to "1" or "0". Use "1" if any of the DNSBL servers in use list dynamic IP addresses (such as dial-up connections). If the DNSBL services do not list dial-ups, set this to "0" to ensure that mail originating from webmail systems is not rejected.

As an example of using the Check Relays and Exclude Relays options, consider the following scenario:

Server A -> Server B -> Server C -> Server D -> eprism

With the mail relayed via four previous servers (A-D), the Received headers of the message appear in the following order:

Received: D
Received: C
Received: B
Received: A

Setting the Check Relays option tells eprism to start with server "D" and check the configured number of Received headers. If Check Relays is set to "3", it checks "D", "C", and "B". Use the Exclude Relays option to tell eprism to ignore the configured number of Received headers counting from the end of the header list, regardless of the Check Relays setting. If Exclude Relays is set to "1", server "A" is excluded from the checks.

Reject on DNSBL
Enable this check box to reject mail from listed clients regardless of other message processing. Reject on DNSBL rejects the message at SMTP connection time regardless of other Intercept processing. Use caution when enabling this feature. Note that this feature, if enabled, cannot be disabled by a Policy.

DNSBL Reject Threshold
The number of Block Lists that must list the client before it is rejected based on DNSBL.
If this value is set to "2", the server must appear on at least two DNSBLs before being rejected.

DNSBL Domains
Click Edit to modify the list of your DNSBL domain servers. Click Update when finished. The default DNSBL servers supplied cover most cases and should not be changed without careful consideration.
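The following Python is an added example, not eprism code and not taken from this guide. It models how a DNSBL check selects which addresses to query under the Check Relays and Exclude Relays settings described in both the BSN and DNSBL sections above, builds the reversed-octet query names, and applies the component weight and the DNSBL Reject Threshold. The Received headers, block-list zone names and listed addresses are constructed for the example, a dictionary stands in for DNS so that it runs offline, and the rule that the connecting client is always looked up with relay hops added on top is this example's reading of the text above.

```python
"""Added example (not eprism code): DNSBL lookup selection, query-name construction
and scoring. DNS is replaced by a constructed in-memory table so this runs offline."""
import re
from typing import Dict, List, Set, Union

# Constructed sample Received headers for a message relayed A -> B -> C -> D -> eprism.
# The latest hop (D) is the top-most header, the earliest (A) the bottom-most.
SAMPLE_HEADERS = """\
Received: from mail-d.example.net ([198.51.100.4]) by eprism.example.com; Fri, 25 May 2007 10:04:00 -0400
Received: from mail-c.example.net ([198.51.100.3]) by mail-d.example.net; Fri, 25 May 2007 10:03:00 -0400
Received: from mail-b.example.net ([198.51.100.2]) by mail-c.example.net; Fri, 25 May 2007 10:02:00 -0400
Received: from dialup-a.isp.example ([203.0.113.77]) by mail-b.example.net; Fri, 25 May 2007 10:01:00 -0400
"""

# Constructed block lists (zone -> listed IPs). Zone names are hypothetical.
LISTED: Dict[str, Set[str]] = {
    "zen.dnsbl-example.org": {"198.51.100.2", "203.0.113.77"},
    "dul.dnsbl-example.org": {"203.0.113.77"},  # a dial-up list: catches the dial-up first hop
}

_RECEIVED_IP = re.compile(r"^Received:.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.M)


def dnsbl_name(ip: str, zone: str) -> str:
    """A DNSBL is queried by reversing the octets and appending the zone name."""
    return ".".join(reversed(ip.split("."))) + "." + zone


# The stand-in "DNS": the set of query names that would return an A record (i.e. are listed).
FAKE_DNS = {dnsbl_name(ip, zone) for zone, ips in LISTED.items() for ip in ips}


def resolve(qname: str) -> bool:
    """Stand-in for an A lookup: True means the name exists, i.e. the IP is listed."""
    return qname in FAKE_DNS


def relay_ips(headers: str) -> List[str]:
    """Relay IPs from the Received headers, latest hop first (top of the message)."""
    return _RECEIVED_IP.findall(headers)


def select_relays(relays: List[str], check_relays: Union[int, str], exclude_relays: int) -> List[str]:
    """Exclude Relays drops hops from the end (earliest); Check Relays keeps the first n from the top."""
    if exclude_relays > 0:
        relays = relays[:-exclude_relays]
    if str(check_relays).upper() == "ALL":
        return relays
    return relays[: int(check_relays)]


def dnsbl_check(connecting_ip: str, headers: str, check_relays="0", exclude_relays=0,
                weight=80, reject_threshold=2, zones=LISTED) -> dict:
    # The connecting client is always looked up; relay hops are added per the settings.
    to_check = [connecting_ip]
    for ip in select_relays(relay_ips(headers), check_relays, exclude_relays):
        if ip not in to_check:
            to_check.append(ip)
    hits = [(ip, zone) for ip in to_check for zone in zones if resolve(dnsbl_name(ip, zone))]
    per_ip: Dict[str, int] = {}
    for ip, _ in hits:
        per_ip[ip] = per_ip.get(ip, 0) + 1
    return {
        "checked": to_check,
        "hits": hits,
        "score": weight * len(hits),  # the component weight is added once per list matched
        "reject": max(per_ip.values(), default=0) >= reject_threshold,  # Reject on DNSBL
    }


if __name__ == "__main__":
    for cr, ex in (("0", 0), ("3", 1), ("ALL", 0)):
        print(cr, ex, dnsbl_check("198.51.100.4", SAMPLE_HEADERS, check_relays=cr, exclude_relays=ex))
```

With Check Relays "3" and Exclude Relays "1", only hops D, C and B are queried and the dial-up first hop A is skipped; with "ALL" and "0", A is also queried, appears on both constructed lists, and crosses a reject threshold of 2.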

URL Block Lists

URL Block Lists contain the domains and IP addresses of URLs that have previously appeared in spam, phishing, or other malicious messages. This feature helps determine whether a message is spam by examining any URLs in the body of the message to see if they appear on a block list.

Similar to DNS Block Lists, the URL Block List server is queried to see whether a URL exists on the configured block list. If a match is found, this information is used by the Intercept engine to decide whether the message is spam or legitimate mail.

If a URL in a message is matched on a URL Block List, it is assigned the score configured for URL Block Lists in the Intercept advanced Component Weight setting (default is 90). If a URL is matched on more than one URL Block List, the weight is added for each list it is matched on.

To configure URL Block Lists:

Select Mail Delivery > Anti-Spam > Intercept, and then select URL Block List on the menu.

Select the Enable UBLs check box to enable URL Block List checks.

UBL Domains
URLs can be checked either by the SURBL (Spam URI Realtime Block Lists) method, which looks up the base domain or the IP address of the URL, or by a DNSBL lookup, which queries a DNS Block List server for the IP address that the URL's full host name resolves to. St. Bernard provides a default SURBL server that can be used for the URL Block List. Other SURBL or DNSBL lists can be added by the administrator, but take care when adding servers, as some free services may introduce false positives. Click the Edit button to configure the SURBL and DNSBL server lists.

UBL Whitelist
Administrators can define a list of domains and IP addresses that are trusted even if messages from those addresses contain URLs that appear in a URL Block List. Enter a domain name or IP address to be trusted and then click the Add button. If a domain is entered (such as "example.com"), all subdomains of that domain are also included.

A list of domain names and IP addresses can also be uploaded in one text file. The entries must appear one per line, in the form:

example.com

The file (ubl_wl.csv) should be created in CSV format using Excel, Notepad, or another Windows text editor. It is recommended that you download the current file first by clicking Download File, edit it as required, and upload it using the Upload File button.
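As an added example for the URL Block List and UBL Whitelist sections above (not eprism code and not from this guide), the Python below extracts URL hosts from a message body, reduces each to the SURBL-style lookup key (the base domain, or the reversed octets for an IP literal), counts one weighted hit per list the key appears on, and exempts a message whose sending domain matches a whitelist entry or one of its subdomains. The lists, the whitelist, the sample body and the tiny public-suffix table are all constructed; real deployments resolve the key against the SURBL zone over DNS instead of the in-memory sets used here.

```python
"""Added example (not eprism code): URL Block List scoring with a UBL whitelist.
Lists, URLs, addresses and the suffix table are constructed for the example."""
import re
from typing import Dict, List, Set, Tuple

_URL_HOST = re.compile(r"https?://([^\s/:?#<>\"']+)", re.I)
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Assumption: a tiny stand-in for the public-suffix list, enough for the sample body.
_TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Constructed block lists: zone name -> set of listed lookup keys.
UBL_LISTS: Dict[str, Set[str]] = {
    "multi.surbl-example.org": {"phish-example.net", "pills-example.co.uk", "99.113.0.203"},
    "black.uribl-example.com": {"99.113.0.203"},
}
# Constructed UBL Whitelist, as an administrator would enter it (domains and IPs).
UBL_WHITELIST = ["example.com", "198.51.100.10"]

# Constructed message body.
SAMPLE_BODY = """\
Hello,
Your account at https://secure.example.com/login needs attention.
Cheap meds: http://www.pills-example.co.uk/buy?id=7
See also http://203.0.113.99/track and HTTP://Mail.Phish-Example.net/verify
"""


def surbl_key(host: str) -> str:
    """SURBL lookup key: base (registrable) domain, or reversed octets for an IP literal."""
    host = host.lower().rstrip(".")
    if _IPV4.match(host):
        return ".".join(reversed(host.split(".")))
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in _TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def extract_hosts(body: str) -> List[str]:
    """Distinct URL hosts in order of first appearance, lowercased."""
    hosts: List[str] = []
    for host in _URL_HOST.findall(body):
        host = host.lower()
        if host not in hosts:
            hosts.append(host)
    return hosts


def whitelisted(name: str, whitelist: List[str]) -> bool:
    """A whitelist entry matches itself and, for a domain, every subdomain of it."""
    name = name.lower()
    return any(name == e.lower() or name.endswith("." + e.lower()) for e in whitelist)


def ubl_score(sender_domain: str, body: str, lists=UBL_LISTS, whitelist=UBL_WHITELIST,
              weight=90) -> Tuple[int, List[Tuple[str, str]]]:
    """Weight is added once per (URL key, list) match; whitelisted senders are not scored."""
    if whitelisted(sender_domain, whitelist):
        return 0, []
    hits: List[Tuple[str, str]] = []
    for host in extract_hosts(body):
        key = surbl_key(host)
        for zone, listed in lists.items():
            if key in listed and (key, zone) not in hits:
                hits.append((key, zone))
    return weight * len(hits), hits


if __name__ == "__main__":
    print(ubl_score("bulk.spammer-example.net", SAMPLE_BODY))
    print(ubl_score("promo.example.com", SAMPLE_BODY))
```

The IP-literal URL is listed on both constructed lists and so contributes the weight twice, which is the "increase the weight for each list it is matched on" behaviour described above.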

Bulk Analysis

Bulk Analysis uses a set of servers that maintain databases of message checksums, numeric values computed from a message that identify it. Mail users and ISPs all over the world submit checksums of the messages they receive, and the database records how many times each checksum has been submitted. On request, a Bulk Analysis server returns a count of how many instances of a message have been reported, and eprism uses this count to determine the disposition of the message.

A Bulk Analysis server receives no mail, addresses, headers, or any similar information, only cryptographically secure checksums of such information. It cannot recover the text or other information that corresponds to the checksums it receives; it acts only as a clearinghouse of counts for checksums computed by clients. Bulk Analysis therefore provides a simple but very effective way to identify spam and control its disposition while continuously updating its database with new spam message types.

The weight assigned to Bulk Analysis in the Intercept advanced settings is the score used by Intercept processing if the message is considered bulk.

You must allow UDP port 6277 through your firewall or router for communication with the Bulk Analysis server. If this port is blocked, Bulk Analysis calls fail and slow down mail delivery.

Bulk Analysis Considerations

When implementing Bulk Analysis, consider the following:

Educate your user community about this tool and ask them to submit mailing lists and other bulk mail sources that need to be trusted. This step is crucial if Bulk Analysis and Token Analysis are to work properly.

Set your Intercept spam dispositions so that users can recognize when a mail has been mistakenly identified as spam. This allows users to report false positives. The Modify Subject Header disposition is well suited to this.

Configuring Bulk Analysis

Select Mail Delivery > Anti-Spam > Intercept on the menu, and then select Bulk Analysis to configure its options.

Threshold Settings
The threshold determines what happens to mail once it has been classified.

If bulk exceeds
Bulk Analysis returns a number showing how many times the message has been reported. This can be zero (unique, and therefore not bulk) or another number, such as 1352, indicating that the message has been reported that many times. It may also return the value "many", a special value returned when Bulk Analysis has seen a message in such volume and at such frequency that it is almost certainly bulk. For Bulk Analysis to be useful, you need to specify a threshold that triggers an action. It is recommended that you enter either "many" or a value of 50 or 100.

Body1, Fuz1, and Fuz2 specify which checksums are calculated and submitted. It is recommended that you leave the default settings. These checksums counter the efforts of spammers to randomize message content and evade detection as bulk. Results of the various counts can be viewed in the transport logs.

Click the Advanced button to reveal additional settings such as From, ID, and IP. The selected checksums must be supported by the Bulk Analysis server to work properly, and it is recommended that you use the default settings. These additional settings should be used with caution, as they may increase the risk of false positives.

Bulk Analysis Warning Threshold
The expected Bulk Analysis success rate, as a percentage of the total number of Bulk Analysis queries performed. If the rate of successful responses falls below this value, an alarm is generated. Some loss is acceptable depending on network connectivity. This feature is used to determine whether communication between eprism and the Bulk Analysis network is working properly.

Bulk Analysis Servers
Click Edit in the Bulk Analysis Servers section to configure your server settings, if required. The default Bulk Analysis server supplied covers most cases and should not be changed without careful consideration. You must allow UDP port 6277 through your firewall or router for communication with the Bulk Analysis server; if this port is blocked, Bulk Analysis calls fail and slow down mail delivery.

Bulk Analysis Trusted and Blocked Entry List
Administrators can create exceptions to bulk classifications using the Trusted and Blocked List. In many cases it may be easier to specify such exceptions with Pattern Based Message Filters, in which case the mail bypasses all anti-spam checks; it is recommended that Pattern Based Message Filters be used for creating exceptions. The Bulk Analysis Trusted and Blocked Entry List is useful for removing legitimate bulk mail, such as mailing lists, from consideration as bulk while still letting Intercept scan it for other spam characteristics. Click Edit to add entries to the Trusted and Blocked Entry lists, and click Apply to save each new entry.

Token Analysis

Token Analysis is a sophisticated method of identifying spam based on statistical analysis of mail content. Simple text matches can lead to false positives because a word or phrase can have many meanings depending on context. Token Analysis provides a way to accurately measure how likely any particular message is to be spam without having to specify every word and phrase.

Token Analysis achieves this by deriving a measure of how much a word or phrase contributes to the likelihood that a message is spam, based on the relative frequency of words and phrases in a large number of spam messages. From this analysis it creates a table of "discriminators" (words associated with spam) and an associated measure of how strongly each indicates spam. When a new message is received, Token Analysis analyzes it, extracts the discriminators (words and phrases), finds their measures in the table, and aggregates those measures to produce a spam metric for the message. This spam metric is the score assigned by Token Analysis for use in the Intercept Anti-Spam decision.

Token Analysis has a built-in weighting mechanism that assigns a value between 0 and 100 to indicate whether a message is spam. A message with a low metric (closer to 0) is considered legitimate, while a message with a high metric (closer to 100) is considered spam.

Token Analysis uses three sources of data to build its run-time database:

The initial tables supplied, based on analysis of known spam.
Tables derived from an analysis of local legitimate mail. This is referred to as "local learning" or "training".
Training provided by spam identified by the PBMF Spam, Bulk Analysis, DNSBL, SPF, and DomainKeys Intercept components.

How Token Analysis Works

Consider the following simple message:

Subject: Get rich quick!!!!
Click on getrichquick.com to earn millions!!!!!

Token Analysis breaks the message down into the following tokens:

[Get] [rich] [quick!!!]
[Click] [on] [getrichquick.com] [to] [earn] [millions!!!!!]

Each token is looked up in the database and a spam metric is retrieved. The token "Click" has a high metric of 91, whereas the word "to" is neutral (indicating neither spam nor legitimate mail). These metrics are aggregated using statistical methods to give the overall score for the message of

Mail messages with a spam metric of 90 or greater are very likely to be spam. Lower values (50-60) indicate possible spam, while very low values (20-25) are unlikely to be spam. These spam metrics are the score assigned by Token Analysis as part of the final Intercept Anti-Spam decision.

Configuring Token Analysis

Select Mail Delivery > Anti-Spam > Intercept on the menu, and then select Token Analysis to configure its properties.

When enabled, Token Analysis always runs in training mode and analyzes all local mail. Local mail is assumed not to be spam, and the frequency of the words found in it may therefore be used to modify the values supplied by St. Bernard's master list. For example, a mortgage company may use the word "refinance" quite frequently in its regular mail; the likelihood of that word suggesting spam is therefore reduced.

Token Analysis trains messages as spam if one of the following features (if enabled) classifies a message as spam:

PBMF spam
Bulk Analysis
DNS Block Lists
URL Block Lists
BSN Reputation

Token Analysis can train messages from the following sources as legitimate mail:

PBMF "Train" action
Trusted Subnet
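The Python below is an added example of the mechanism the How Token Analysis Works and Configuring Token Analysis passages describe; it is not eprism's engine and not taken from this guide. It tokenizes a message the way the guide's example does (whitespace tokens with punctuation kept), looks each token up in a table of spam and legitimate counts, skips neutral words, treats unknown tokens as neutral, combines the per-token metrics into a 0-100 spam metric, and shows local learning lowering the metric of a word such as "refinance" after it has been seen in legitimate local mail. The token table, neutral word list, both sample messages and the choice of Robinson smoothing plus a naive-Bayes combination are this example's assumptions; lowercasing tokens is also an assumption. It also produces the three X-STA diagnostic headers the Diagnostics section names, as a simple illustration of what they carry.

```python
"""Added example (not eprism code): a small Bayesian token scorer in the style the
Token Analysis section describes. Table, neutral words and messages are constructed."""
import math
from typing import Dict, List, Tuple

# Constructed token table: token -> (times seen in spam, times seen in legitimate mail).
TOKEN_TABLE: Dict[str, Tuple[int, int]] = {
    "click": (180, 18), "earn": (70, 30), "millions!!!!!": (40, 0),
    "rich": (60, 20), "quick!!!": (50, 5),
    "refinance": (90, 10), "rate": (30, 30),
    "meeting": (2, 98), "agenda": (1, 99),
}
# Constructed neutral word list: these never influence the score or the training.
NEUTRAL_WORDS = {"to", "on", "get", "the", "a", "and", "for"}

SPAM_SAMPLE = "Get rich quick!!! Click on getrichquick.com to earn millions!!!!!"
HAM_SAMPLE = "Meeting agenda and rate review"


def tokenize(text: str) -> List[str]:
    """Whitespace tokens with punctuation kept, as the guide's [quick!!!] token shows."""
    return [t.lower() for t in text.split()]


def token_metric(token: str, table: Dict[str, Tuple[int, int]], s: float = 1.0, x: float = 0.5) -> float:
    """Per-token spam probability, smoothed toward x (neutral) for rarely seen tokens."""
    spam, ham = table.get(token, (0, 0))
    n = spam + ham
    if n == 0:
        return x                       # unknown token: neutral
    return (s * x + spam) / (s + n)    # Robinson smoothing of spam / (spam + ham)


def score_message(text: str, table=TOKEN_TABLE, neutral=NEUTRAL_WORDS) -> Tuple[int, List[Tuple[str, float]]]:
    """0-100 spam metric: P / (P + Q) with P = prod(p_i) and Q = prod(1 - p_i), done in log space."""
    scored = [(t, token_metric(t, table)) for t in tokenize(text) if t not in neutral]
    log_p = sum(math.log(p) for _, p in scored)
    log_q = sum(math.log(1.0 - p) for _, p in scored)
    p_spam = 1.0 / (1.0 + math.exp(log_q - log_p))
    return int(round(100 * p_spam)), scored


def sta_headers(text: str, table=TOKEN_TABLE, top: int = 3) -> Dict[str, str]:
    """Diagnostic headers of the kind the Enable X-STA Headers option inserts."""
    metric, scored = score_message(text, table)
    ranked = sorted(scored, key=lambda kv: kv[1])
    return {
        "X-STA-Metric": str(metric),
        "X-STA-NotSpam": " ".join(t for t, _ in ranked[:top]),
        "X-STA-Spam": " ".join(t for t, _ in reversed(ranked[-top:])),
    }


def train(table: Dict[str, Tuple[int, int]], text: str, spam: bool,
          neutral=NEUTRAL_WORDS, count: int = 1) -> Dict[str, Tuple[int, int]]:
    """Local learning: count each distinct token as seen in spam or legitimate mail `count` times."""
    for t in set(tokenize(text)) - neutral:
        s, h = table.get(t, (0, 0))
        table[t] = (s + count, h) if spam else (s, h + count)
    return table


if __name__ == "__main__":
    print(sta_headers(SPAM_SAMPLE))
    print(sta_headers(HAM_SAMPLE))
    local = train(dict(TOKEN_TABLE), "refinance rate options", spam=False, count=100)
    print("refinance before/after local training:",
          round(100 * token_metric("refinance", TOKEN_TABLE)), round(100 * token_metric("refinance", local)))
```

With the constructed counts, "click" scores 91 as in the guide's walkthrough, the spam sample lands above 90 and the meeting note near 0; a hundred legitimate local messages containing "refinance" pull that token from about 90 down below the neutral point, which is the "local learning" effect described above.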

Token Analysis Modes

Training Only
Token Analysis analyzes local mail but does NOT classify incoming mail.

Scanning and Training
Token Analysis analyzes local mail AND classifies incoming mail.

Rebuild Database
Click the Rebuild Database button to rebuild the Token Analysis database. The run-time engine is built, and then rebuilt at two-hour intervals, from several sources: the supplied spam data, updated data from St. Bernard, spam trained by other Intercept features, and local training. Because the database is not built for the first time until two hours after installation, you can use this option to build it immediately.

Delete Training
Click the Delete Training button to remove all training material. You should delete all training material if your eprism system has been misconfigured and starts to treat "trusted" mail as "untrusted" or vice versa.

Token Analysis Advanced Options

Click the Advanced button to reveal additional Token Analysis options. These options are for advanced configuration only, and it is highly recommended that the default values be used. Modifications to the default values may decrease Token Analysis accuracy and should be made with care.

Neutral Words
Neutral words are words that may or may not indicate spam. For example, a mortgage company may want to build a neutral word list that includes "refinance" or "mortgage", because these words show up quite frequently in spam. By adding them to the neutral word list, the likelihood of these words suggesting spam is reduced to a neutral value.

Default Neutral Words
Select the check box to enable the default neutral words list. This list helps prevent pollution of the Token Analysis database. It is recommended that you leave this option enabled.

Uploaded Neutral Words
Enables the use of the uploaded neutral words list.

Upload a file using the Upload Neutral Words button. The file must be in text format and contain a list of neutral words, one word per line. Uploading a new list replaces the previous neutral words list. The system automatically rebuilds the Token Analysis database when a neutral words list is uploaded; this may take some time to complete.

Token Analysis and Languages

The Token Analysis spam database is based on English-language spam. As a result, it may not initially respond to spam written in other languages. Its ability to learn means that it can readily adapt to other languages.

Ensure that Bulk Analysis is enabled, because all mail identified as "bulk" by Bulk Analysis is used by Token Analysis to train as spam. Assuming some of these bulk messages are in the local language, Token Analysis builds a database that reflects that language.

Token Analysis trains on local legitimate mail from the moment the system is started. This helps characterize local language use by building up a database of good words, which helps prevent legitimate messages from being classified as spam.

To train eprism with known local-language spam, it is recommended that you set up rules in Pattern Based Message Filters (PBMF) that use the "Certainly Spam" action. Messages marked as spam in this way are forwarded to Token Analysis and increase its database of local-language words.

Japanese, Chinese, and Korean Languages

Token Analysis can alter its processing of Japanese, Chinese, and Korean language messages to ensure they are not automatically classified as spam.
These include the following character sets:

Japanese major character sets: ISO-2022-JP, EUC-JP, Shift-JIS
Chinese major character sets: GB2312, HZ-GB-2312, BIG5, GB7589, GB7590, GB, GB12052, GB/T12345, GB/T13131, GB/T13132, GB/T, ISO-2022-CN, ISO-2022-CN-EXT
Korean major character sets: KS C 5601, EUC-KR, ISO-2022-KR

For each character set, select how Token Analysis processes the message:

Default
All content is processed by Token Analysis. If you receive legitimate mail in these languages, this may result in false positives.

No Token Analysis Scan
Token Analysis scanning is turned off for all messages containing Japanese, Chinese, or Korean characters.

Lenient Token Analysis Scan
Token Analysis scanning is turned off only for the parts of the message containing Japanese, Chinese, or Korean characters; the rest of the message is processed normally. If the message contains 20 or fewer tokens that are not Japanese, Chinese, or Korean characters, the Token Analysis scan is skipped for that message.

Image Analysis

An image spam message typically consists of random text or no text body and an attached picture (usually in .gif or .jpg format) that carries the text and graphics of the spam message. These messages are difficult to detect because they contain no helpful text or URL characteristics that can be scanned and analyzed. The Image Spam Analysis feature performs advanced analysis of image attachments to help determine whether the message is spam or legitimate mail. Similar to eprism's other Anti-Spam features that detect spam characteristics in the text of a message, Image Analysis extracts certain characteristics of the attached image to determine whether they are similar to those seen in actual spam messages.

To enable Image Analysis:

1. Ensure the Enable Token Analysis option is enabled in "Scanning and Training" mode.
2. Select the Enable Image Analysis check box in the Options section.
3. Click the Apply button.

Allow at least 24 hours for the Token Analysis scanner to scan and train on incoming mail and update its database before expecting an improvement in spam catch rates. To accelerate this process:

1. Select Management > Security Connection on the menu, and then click the Connect Now button to retrieve the latest Token Analysis database updates.
2. Select Mail Delivery > Anti-Spam > Intercept > Token Analysis on the menu, and then click the Rebuild Database button to perform a manual rebuild of the Token Analysis database. (The database is rebuilt automatically every two hours.)

Diagnostics

The Diagnostics section allows administrators to configure diagnostic options for Token Analysis to help with troubleshooting.

Enable X-STA Headers
This setting inserts X-STA (Token Analysis) headers into all messages. These are not normally visible to the user (although they can be filtered on in most mail clients) and can be used to gather information on why mail was processed in a particular way.
The following headers are inserted:

X-STA-Metric: The "score" assigned by Token Analysis, such as 95, which would indicate a spam message.
X-STA-NotSpam: The words with the highest non-spam value found in the message.
X-STA-Spam: The words with the highest spam value found in the message.

Enable Monitoring
Select the check box to enable monitoring of messages received by the specified address.

Monitor for
Enter an address that you would like to monitor.

Copy to
Copy monitored messages and the Token Analysis diagnostic to this address.

Token Analysis Training

The following sections allow you to define advanced parameters for Token Analysis training, such as legitimate and spam mail training settings.

Legitimate Mail Settings

The following settings are advanced options for the handling of legitimate mail:

Valid Training Sources
Select Trusted/Local Mail to train Token Analysis on all mail from the local trusted network, or select No Training. If "No Training" is selected, the Heuristic 1 Intercept Decision strategy, which de-emphasizes Token Analysis, should be used. This prevents the false positives that would occur under the Heuristic 2 strategy.

Local Limit
Enter the maximum number of messages from local users that can be used for Token Analysis training. When the limit is reached, older training messages are deleted as new messages arrive. Default is

Local Threshold
Set the threshold for messages from local users to be used for training. If the Token Analysis classification of the message is greater than or equal to the specified number, the message is used for training.

Source Weighting %
For Token Analysis to be useful and efficient, training must be based on well-selected data. The initial database supplied represents well-selected data and is therefore weighted highly compared to uploaded legitimate mail or legitimate mail from the trusted network.

Default: Enter a percentage for the weight of the default Token Analysis database of valid mail.

Uploaded: Enter the weight of locally uploaded valid mail. Legitimate mail can be uploaded by clicking the Upload Legitimate Mail button. The mail must be in plain-text Unix mbox format. A minimum of ten messages should be uploaded to be effective.

Trusted-net: Enter the weight of mail from trusted networks that is automatically trained as valid mail.

When uploading mail, it is recommended that you set the weighting to 60% for Default, 20% for Uploaded, and 20% for Trusted-net. Significant changes to the source weighting may decrease Token Analysis accuracy.

Spam Training

Select which features (if enabled) are used for spam training:

BSN Reputation: Train using mail marked as spam by BSN Reputation.
BSN DUL: Train using mail marked as spam by BSN DUL.
Bulk Analysis: Train using mail marked as spam by Bulk Analysis.
DNSBL: Train using mail marked as spam by DNSBL.
DomainKeys: Train using mail marked as spam by DomainKeys.
PBMF: Train using mail marked as spam by PBMF.
SPF: Train using mail marked as spam by SPF.
URL Block List: Train using mail marked as spam by URL Block List.

Spam Settings

The following settings are advanced options for the handling of spam mail:

Spam Limit
Enter the maximum number of spam messages used for training.

Spam Training Threshold
Set the threshold for spam messages to be used for training. If the Token Analysis classification of the message is less than or equal to the specified number, the message is used for training.

Source Weighting
For Token Analysis to be useful and efficient, training must be based on well-selected data. The initial database represents well-selected data and is therefore weighted highly compared to uploaded spam or bulk mail from Bulk Analysis.

Default: Enter a percentage for the weight of the default Token Analysis database of spam mail.

Uploaded: Enter the weight of locally uploaded spam mail. Spam mail can be uploaded by clicking the Upload Spam Mail button.
The mail must be in plain-text Unix mbox format. A minimum of ten messages should be uploaded to be effective.

Detected: Enter the weight of mail from Bulk Analysis, DNSBL, URL Block Lists, PBMF, or BSN that is automatically trained as spam.

When uploading mail, it is recommended that you set the weighting to 60% for Default, 20% for Uploaded, and 20% for Detected. Significant changes to the source weighting may decrease Token Analysis accuracy.

Dictionary Spam Count

Recent changes to the way spammers compose their messages can reduce the effectiveness of the Token Analysis filter. By introducing large numbers of ordinary words into their spam messages, they can hide the content, because the ordinary words outweigh the spam words and produce a low spam count. eprism counters this in two ways:

1. All words in the eprism dictionary are assigned a base level of how likely they are to be spam. In a normal message this increased level does not result in a false positive, since the overall count stays low. In a spam message the result is different: the ordinary words no longer counteract the spam content, and the message is correctly identified as spam.

2. Training on local mail works to reduce this base level closer to zero, which further reduces the likelihood of a false positive.

The Dictionary Count is set to "1" by default, which should be sufficient for most situations. More aggressive settings may result in more false positives. It is recommended that you change the default value only in the following cases:

If there are too many false positives and this is not alleviated by training, set the Dictionary Count to "0", which disables this feature.

If too much spam is passing, the Dictionary Count can be increased. Try increasing the value to "10"; if this results in too many false positives, reduce it to "5".

This setting should be considered for modification only if other measures (training, threshold changes, uploading spam and/or legitimate mail) have been tried and have not provided the desired result.

Troubleshooting Token Analysis

Token Analysis is a very effective anti-spam tool and provides the mail administrator with a variety of options to fine-tune it for their particular environment.
With these advanced controls there is a greater chance of creating a configuration that results in excessive false positives (legitimate mail marked as spam) or false negatives (spam not marked as spam). Consider the following when troubleshooting Token Analysis:

For excessive false positives:

Ensure that the system has gone through a cycle of training.
Ensure that any mailing lists the organization sends out are trusted (via PBMF) with the "Accept" action.
Check for tokens that are words the organization uses in its regular business. For example, a financing company would want the words "mortgage" or "refinance" to be treated as legitimate tokens.
Lower the Token Analysis component weighting in the Intercept advanced settings.

For excessive false negatives:

If Bulk Analysis is enabled, ensure that it is working properly and that Token Analysis is training on its results.
Check that any mailing lists received by the users are trusted (via PBMF) as "Bypass" or "Accept".

Sender Policy Framework (SPF)

Sender Policy Framework is a sender authentication technology that prevents spammers from spoofing mail headers and impersonating a legitimate user or domain in phishing attacks, where unsuspecting users may reply to seemingly legitimate addresses with personal and confidential information. SPF provides a means of authenticating the source of an email by querying the sending domain's DNS records.

The SPF protocol allows server administrators to describe their mail servers in their DNS records. By comparing the address of the server delivering the email against the SPF record published for the sender's domain, the receiving host can verify that the email originates from a legitimate mail server for that domain. This prevents spammers from sending forged emails on behalf of the domain.

eprism's SPF actions apply only to incoming mail messages that fail an SPF check (the sending server does not match the corresponding published SPF record). If the sending domain has no SPF record, the message is processed normally. It is possible, however, for administrators to misconfigure their DNS SPF records, resulting in false positives and legitimate hosts being blocked from sending you mail.

The weight assigned to SPF in the Intercept advanced settings is the score used by Intercept processing if the message fails an SPF check.

SPF is an emerging anti-fraud and anti-phishing technology designed primarily as a mechanism to prevent forged emails rather than as an anti-spam measure. It depends on network administrators publishing their legitimate servers in their DNS records and ensuring that these records are properly configured. St. Bernard encourages customers who use SPF in their DNS infrastructure to review their own SPF records to ensure they are accurate.

SPF Records

The SPF protocol allows you to describe your mail servers in an SPF TXT record attached to the domain's DNS record.
A typical SPF DNS record is as follows:

    example.com IN TXT "v=spf1 mx -all"

Administrators will add this data as a TXT record to their domain (example.com). The first part is the name part of the record, such as "example.com", and the text in quotes is entered as your TXT record data.

- "v=spf1" identifies the TXT record as an SPF string.
- "mx" specifies that mail can come only from the mail servers defined in your MX records.
- "-all" specifies that no other servers are able to send email from the specified domain.

You can set TXT records for both domains and individual hosts. For more information on SPF and defining TXT records, see:
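The following is an added example (not eprism's own code) that evaluates the record above the way this page describes the appliance's behaviour: only a hard "fail" contributes the SPF weight, a missing record means the message is processed normally, and a pass contributes nothing. DNS is replaced by a constructed in-memory table, and the "ip4" mechanism is handled in addition to the "mx" and "-all" terms shown above; both are assumptions.

```python
"""Added example (not eprism code): evaluate a minimal SPF record so that only
a hard fail is treated as a spam indicator, a missing record is processed
normally, and a pass is accepted. DNS lookups are replaced by FAKE_DNS, a
constructed table (assumption); only mx, ip4 and all are handled."""
import ipaddress

# Constructed stand-in for DNS: TXT records, MX hosts and their A records.
FAKE_DNS = {
    "example.com": {"TXT": ['v=spf1 mx -all'], "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["203.0.113.10"]},
    "nospf.example": {"TXT": ["some unrelated text"]},   # no SPF record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt_records):
    """Return a list of (qualifier, mechanism, argument) terms from the SPF
    TXT record, or None when the domain publishes no SPF record."""
    for txt in txt_records:
        parts = txt.split()
        if parts and parts[0].lower() == "v=spf1":
            terms = []
            for term in parts[1:]:
                qual = "+"                       # default qualifier is pass
                if term[0] in QUALIFIERS:
                    qual, term = term[0], term[1:]
                mech, _, arg = term.partition(":")
                terms.append((qual, mech.lower(), arg))
            return terms
    return None


def check_spf(sender_domain, client_ip, dns=FAKE_DNS):
    """Return 'none' (no record: process normally), 'pass', 'fail', 'softfail'
    or 'neutral' for the connecting client IP."""
    terms = parse_spf(dns.get(sender_domain, {}).get("TXT", []))
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for qual, mech, arg in terms:
        matched = False
        if mech == "all":
            matched = True
        elif mech == "mx":
            # "mx": only the hosts named in the domain's MX records may send
            for mx in dns.get(sender_domain, {}).get("MX", []):
                if client_ip in dns.get(mx, {}).get("A", []):
                    matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        if matched:
            return QUALIFIERS[qual]
    return "neutral"


def spf_spam_score(result, spf_weight=50):
    """Mirror the rule on this page: only a failed SPF check contributes the
    configured SPF weight (50 is the weight this chapter recommends)."""
    return spf_weight if result == "fail" else 0
```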

Configuring SPF

Select Mail Delivery > Anti-Spam > Intercept and then select SPF on the menu to configure Sender Policy Framework settings.

Enable SPF
    Select the check box to enable SPF verification.

Strip incoming SPF headers
    This option removes any "Received-SPF" header from incoming messages. Spammers may attach their own forged SPF headers to create the impression that the email is from a legitimate source.

Add outgoing SPF header
    This option adds an SPF header to the outgoing message.

DomainKeys

DomainKeys is another sender authentication technology used to prevent spammers from spoofing mail headers and launching phishing attacks. The sender of an email message is authenticated by querying the sending domain's DNS records.

The DomainKeys protocol allows server administrators to add a digital signature to their outgoing messages that can be validated via DNS. The domain owner generates a public and private key pair to use for signing all outgoing messages. The public key is published in their DNS records and the private key is used to sign outbound messages. By verifying the signature in the headers of the email using the public key, the receiving host can verify that the email is originating from the legitimate mail server for that domain. This prevents spammers from sending forged emails. eprism also supports the signing of outgoing messages with DomainKeys using the Policy engine.

eprism's DomainKeys actions only apply to incoming mail messages that have failed a DomainKeys check (for example, the message does not match the corresponding published DomainKeys record). If a specific mail server does not have an existing DomainKeys record, then the message is processed normally. It is possible, however, that administrators may misconfigure their DNS DomainKeys records, resulting in false positives and legitimate hosts being blocked from sending you mail. The weight assigned to DomainKeys in the Intercept advanced settings will be the score used by Intercept processing if the message fails a DomainKeys check.

Configuring DomainKeys

Select Mail Delivery > Anti-Spam > Intercept on the menu, and then select DomainKeys Authentication to configure DomainKeys settings.

Enable DomainKeys Authentication
    Select the check box to enable DomainKeys authentication.

Strip incoming DK headers
    Removes Authentication-Results: headers attached to incoming messages. This option protects against spammers who add a forged DomainKeys header to the message.

Add Authentication Header
    Adds an Authentication-Results: header to incoming messages after they have been processed and verified by DomainKeys.

Temporary DNS Error
    Consider the message as spam in the event a DNS error prevents a DomainKeys lookup for a sender's key.

The message will be considered spam if any of the following checks are true:

No Signature When Required
    Consider the message as spam when there is no signature, even if the sender says they sign all messages.

No Signature When Not Required
    Consider the message as spam when there is no signature and the sender says they may not sign all messages.

Invalid Signature
    Consider the message as spam when the signature is invalid.

Key Revoked
    Consider the message as spam when the key used to sign the message is no longer valid.

Invalid Message Syntax
    Consider the message as spam when the signature cannot be checked because the message has invalid syntax.

No Key
    Consider the message as spam when the sending domain did not provide a key for the selector specified in the message.

Bad Key
    Consider the message as spam when the sending domain provides an unusable key.

Sender Testing DomainKeys
    These checks can also be performed for messages from senders who are testing their DomainKeys implementation by inserting a test flag into their DomainKeys DNS records. It is recommended that you use the default settings, which permit more lenient checks to be performed against these test messages.

DomainKeys Log Messages

The response codes for DomainKeys processing will appear in the Mail Transport logs as follows:

    0 - Pass
    1 - Neutral
    2 - Fail
    3 - Soft Fail
    4 - Temporary Error
    5 - Permanent Error

The logs will also indicate which DomainKeys check caused the error:

    DomainKeys: from=user@example.com, result=permerror(bad key)

DomainKeys Outbound Message Signing

To enable signing of outgoing messages, the domain owner generates a public/private key pair. The private key is used by eprism to digitally sign the message (the signature is prepended as a header). The public key is then published in the domain's DNS records. The receiving system can authenticate the message by querying the domain owner's DNS records for the public key.

eprism supports the signing of outgoing messages with DomainKeys using the Policy engine. This allows administrators to enable signing only for certain domains that have been configured in DNS for use with DomainKeys.

Select Mail Delivery > DomainKeys Signing to configure global settings. When enabled, the use of DomainKeys message signing must be configured via Policies. Select Mail Delivery > Policy > Policy Definition to edit an existing policy or to add a new policy. The DomainKeys signing section appears at the bottom of the policy screen.

Enable
    Select the check box to enable or disable signing of outbound messages in this policy.

Remove duplicate headers
    Select the check box to remove duplicate headers, such as Subject and To: fields, from the signature calculation. Any headers listed with the "h=" tag in the DomainKeys header will be filtered for duplication and the corresponding headers will be removed from the message envelope. This option should only be enabled if you are experiencing issues with rejected messages due to duplicate headers.

Canonicalization
    This option specifies how white space characters are treated during signing. The default is "No Folding White Space", which ignores these characters during signing. This option is more lenient, so that messages reformatted in transit (such as spaces or lines inserted into or removed from the message by intermediate systems between the signer and the receiver) are still valid. Selecting "Simple" keeps the signed message intact, including white space characters, so that any lines that are reformatted in transit will fail validation.

List Headers
    When signing, place a list of the headers included into the DomainKey-Signature: header. It is recommended that this option be enabled. When enabled, only those headers listed will be used in verifying the signature. If this option is disabled, then all headers following the signature will be used in verifying the signature, and any headers added by intermediary systems after the message is signed will cause the signature to be invalid. Disabling the option increases security, but can create a large number of "invalid" signatures because of headers added by intermediary systems.

Selector Name
    Set the Selector to use for DomainKeys signing.

Selector List
    Click the Edit button to edit the DomainKeys Selector list.

Selector List

A DomainKeys selector is a tag for a DNS record that is used by others to verify your DomainKeys signature. This tag can be comprised of any characters, such as upper and lower case letters, digits, dashes, underscores, and so on. Each selector has an associated public and private key that can be generated by eprism or via external methods. The selector is stored in a DNS TXT record with the tag:

    <selector>._domainkey.<your_domain>

Click the Add Selector button to add a new Selector to the list.

Name
    Enter a descriptive name for this selector.

Selector
    Enter the tag name for this selector.

Private and Public Key
    Displays the Private and Public Keys. These can be generated automatically by choosing a key size and clicking the Generate Key Pair button. Alternately, these keys can be generated externally and pasted into the respective text boxes.

Key Size
    Select the key size for the generated key pair. Larger keys result in a more secure implementation because they decrease the probability of the keys being compromised. It is recommended that a minimum of 1024 be selected.

Generate Key Pair
    Click the button to allow eprism to generate a private/public key pair. The resulting keys will be displayed in the respective information boxes above.

Granularity
    The selector record can also ensure that only a specific sender (a person or entity) is allowed to use that particular selector. This is indicated by entering the portion of the sender's address that will appear to the left of the "@" symbol. For example, "techsupport" will ensure that only messages from "techsupport@example.com" are allowed to use the configured selector.

Testing
    Select the check box to indicate that this DomainKeys DNS record is being used for testing only. This allows the administrator to perform testing on the validity of their DomainKeys configuration. Receivers will generally be more lenient with verification errors if the sender is in testing mode.

Notes
    An additional area for comments by the administrator. For example, an administrator might list reasons why a particular selector was revoked.

DomainKeys DNS Record

When the private/public key pair has been created, eprism automatically generates a TXT record that can be used with your DNS server for DomainKeys signing. This record contains a copy of your public key that receiving sites will use to authenticate the digital signature in your outgoing messages.

A domain using DomainKeys (such as "example.com") will have a new subdomain in its DNS configured as "_domainkey" prefixed to the domain, such as "_domainkey.example.com". A typical DomainKeys DNS record is as follows:

    _domainkey.example.com IN TXT "t=y; o=-; n=notes; r=test@example.com"

Administrators will add this data as a TXT record to their DomainKeys domain (_domainkey.example.com). The first part is the name part of the record, and the text in quotes is entered as your TXT record data. The TXT data contains information on the DomainKeys policy, such as the following:

- "o=-" means all emails from this domain are signed
- "o=~" means some emails from this domain are signed
- "t" means Test
- "r" to enter the responsible address

- "n" to enter free form notes on the record

Public key records are identified by a specific Selector (which allows a domain to have more than one public key in DNS) and stored in separate TXT records for that DomainKeys domain name. For example, the previously defined "_domainkey.example.com" domain will contain name entries for each selector, such as:

    selector1

The corresponding TXT data consists of various options and the public key to be used, such as:

    g=; k=rsa; t=y; p=mewwpqrjkoz...

The value after "p=" is the public key. There are also other fields available for granularity (g), test (t), and notes (n).
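As an added example (not eprism's code), the following parses the two DomainKeys TXT record formats shown above, applies the Granularity (g=) restriction and the two "No Signature" checks from the DomainKeys settings described earlier in this section, and extracts the result from a DomainKeys Mail Transport log line. The sample record values, the placeholder public key, the config key names and the log line are constructed assumptions.

```python
"""Added example (not eprism code): parse DomainKeys policy and selector TXT
records, apply g= granularity and the "No Signature" checks, and read the
DomainKeys result out of a Mail Transport log line. Sample values, config key
names and the placeholder public key are constructed assumptions."""
import re


def parse_dk_tags(txt):
    """Split 'tag=value; tag=value' TXT data into a dict; an empty value such
    as 'g=' is kept as ''."""
    tags = {}
    for field in txt.split(";"):
        field = field.strip()
        if field:
            key, _, value = field.partition("=")
            tags[key.strip()] = value.strip()
    return tags


def policy_record_name(domain):
    """The domain policy record lives at _domainkey.<domain>."""
    return "_domainkey." + domain


def selector_record_name(selector, domain):
    """The key record lives at <selector>._domainkey.<your_domain>."""
    return selector + "._domainkey." + domain


def parse_policy(txt):
    """o=- all mail signed, o=~ some mail signed, t=y testing, r= responsible
    address, n= notes."""
    tags = parse_dk_tags(txt)
    return {"all_signed": tags.get("o") == "-",
            "testing": tags.get("t") == "y",
            "responsible": tags.get("r", ""),
            "notes": tags.get("n", "")}


def parse_selector(txt):
    """g= granularity, k= key type, t=y testing, p= public key."""
    tags = parse_dk_tags(txt)
    return {"granularity": tags.get("g", ""),
            "key_type": tags.get("k", "rsa"),
            "testing": tags.get("t") == "y",
            "public_key": tags.get("p", "")}


def granularity_allows(selector, sender):
    """g=techsupport permits only techsupport@<domain> to use the selector;
    an empty g= allows any local-part."""
    g = selector["granularity"]
    return g == "" or sender.split("@", 1)[0] == g


def no_signature_check(policy, has_signature, config):
    """Return the name of the enabled check that classifies an unsigned
    message as spam, or None. config keys mirror the two check boxes."""
    if has_signature:
        return None
    if policy["all_signed"]:
        return "No Signature When Required" if config.get("no_sig_when_required") else None
    return "No Signature When Not Required" if config.get("no_sig_when_not_required") else None


DK_LOG_RE = re.compile(
    r"DomainKeys: from=(?P<sender>\S+), result=(?P<result>\w+)(?:\((?P<reason>[^)]*)\))?")


def parse_dk_log(line):
    """Extract (sender, result, reason) from a DomainKeys Mail Transport log
    line such as the permerror example on this page; None if not a DK line."""
    m = DK_LOG_RE.search(line)
    return (m.group("sender"), m.group("result"), m.group("reason")) if m else None


# Constructed sample records and log line (placeholder key, not a real one)
POLICY_TXT = "t=y; o=-; n=notes; r=test@example.com"
SELECTOR_TXT = "g=techsupport; k=rsa; t=y; p=PUBLICKEYPLACEHOLDER"
LOG_LINE = "DomainKeys: from=user@example.com, result=permerror(bad key)"
```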

Intercept Advanced Features

Click the Advanced button to reveal advanced Intercept Anti-Spam features that can be enabled and configured by the administrator.

Advanced Intercept Components

The following additional Intercept Components appear when the Advanced button is selected.

Reject on unknown sender domain
    Rejects mail when the domain of the sender's mail address does not appear in the DNS as an A or MX record. This option applies to "untrusted" mail only.

Reject on missing sender MX
    Rejects mail when the domain of the sender's mail address has no DNS MX record.

Reject on non FQDN sender
    Rejects mail when the client MAIL FROM command is not in the form of an FQDN (Fully Qualified Domain Name) such as "mail.example.com". This option applies to "untrusted" mail only.

Reject on unauth pipelining
    Rejects mail when SMTP commands are sent ahead of the message even though the SMTP server supports pipelining. This option blocks mail from bulk mail software that uses SMTP command pipelining improperly to speed up deliveries.

Reject on missing addresses
    Rejects mail when no recipients (To:) or sender (From:) were specified in the message headers. These fields are the optional To: and From: header fields, not the corresponding Envelope fields.

Reject on missing reverse DNS
    Rejects mail from a host when the host IP address has no PTR (address to name) record in the DNS, or when the PTR record does not have a matching A (name to address) record. Many servers on the Internet do not have valid Reverse DNS records. Setting this option may result in rejecting mail from legitimate sources. It is recommended that you do not enable this option.

These options are similar to those available in Mail Anomalies, but these options will reject if a single match is found, while Mail Anomalies provides a score only if a cross-section of four or more matches are found.

Intercept Decision Strategy

The Intercept Decision Strategy allows administrators to alter the way in which Intercept processes messages for spam.

Highest Score
    The Highest Score method will use the maximum score derived from all the scans that were processed. For example, if Bulk Analysis, Mail Anomalies, and DNS Block List are enabled, and DNS Block List results in the highest contributing score of all the scans, then that score will be used. To achieve similar results to the Anti-Spam behaviour of previous versions of eprism, set the decision strategy to Highest Score and set all component weights to 100.

Sum of Weights
    The message is initially classified by taking the maximum score of the Token Analysis check. The weight of any other enabled component with a spam score is then added. The component weights should be adjusted to be lower than their default settings when using the Sum of Weights decision strategy.

Heuristic 1
    Components are divided into objective and subjective categories. Objective components are DNS Block List, URL Block List, Mail Anomalies, BSN Dial-up, Bulk Analysis, SPF, and DomainKeys. Subjective components are Spam Dictionaries, Token Analysis, and BSN Reputation. The message is classified initially by combining the subjective scores, and the classification is then adjusted by combining the objective scores. A baseline is established with a subjective filter. If Token Analysis scores a message at 60, a baseline of "Maybe Spam" is established. One additional objective filter that triggers will categorize the message as "Probably Spam". Two objective filters will increase the level to "Certainly Spam".

Heuristic 2
    This strategy is similar to the Heuristic 1 strategy, except that the subjective component scores are weighted more heavily in the final decision than in Heuristic 1.

Statistical
    Scans are processed independently and the resulting score represents the probability that a message is spam, based on statistical computation of the results.

Bayesian
    Scans are processed independently and the resulting score represents the probability that a message is spam, based on Bayesian computation of the results.

Intercept Component Weights

Administrators can customize the Intercept engine by configuring the weights for each Intercept component; these weights help determine the final spam score for a message. These values represent the scores that will be used if that component is triggered. For example, if a mail message triggers a DNS Block List, the spam score contribution for that message will be the defined weight, such as 80. If the message also triggers a classification by Bulk Analysis, the Bulk Analysis weight, such as 75, will also be added. The final result of these scores will be decided by your selected Decision Strategy, such as Highest Score or Sum of Weights.

Valid weights for each component are from 0 to 100. Set the weight to "0" if you want that feature to have no bearing on the final spam score of a message. Set this value to "100" if you want this component to have a strong weight on the final spam score of a message. The default accuracies are recommended by St. Bernard, and any modifications to these percentages should be performed with careful consideration.

Spam Dictionaries
    A value of 0 means that this indicator is a completely unreliable indicator of spam. A value of 100 means that this indicator is a completely reliable indicator of spam. A list of accurate spam words should be configured with a weight close to 100. More general word lists should be configured with lower weights.

Mail Anomalies
    This value is used when a message fails four or more anomaly checks. A value of 0 means that this indicator is a completely unreliable indicator of spam. A value of 100 means that this indicator is a completely reliable indicator of spam.

DNS Block List
    A value of 0 means that this indicator is a completely unreliable indicator of spam. A value of 100 means that this indicator is a completely reliable indicator of spam. The DNS Block List should generally have a weight between 60 and 80. The weight assigned will be higher if the sender is matched on more than one DNS Block List.

BorderWare Security Network Reputation
    BSN contributes its own unique score between 0 and 100 and cannot be assigned a configurable weight.

BorderWare Security Network Dial-up
    A value of 0 means that this indicator is a completely unreliable indicator of spam. A value of 100 means that this indicator is a completely reliable indicator of spam. BorderWare Security Network Dial-up should generally have a weight between 60 and 80.

Bulk Analysis
    A value of 0 means that this indicator is a completely unreliable indicator of spam. A value of 100 means that this indicator is a completely reliable indicator of spam. Bulk Analysis should generally have a weight between 70 and 80.

Token Analysis
    A value of 0 means that this indicator is a completely unreliable indicator of spam. A value of 100 means that this indicator is a completely reliable indicator of spam. The default value is 100; however, the weight should be lowered if false positives are occurring.

SPF
    A value of 0 means that this indicator is a completely unreliable indicator of spam. A value of 100 means that this indicator is a completely reliable indicator of spam. SPF should generally have a weight of 50.

DomainKeys Authentication
    A value of 0 means that this indicator is a completely unreliable indicator of spam. A value of 100 means that this indicator is a completely reliable indicator of spam. DomainKeys should generally have a weight of 90.

URL Block List
    A value of 0 means that this indicator is a completely unreliable indicator of spam. A value of 100 means that this indicator is a completely reliable indicator of spam. The URL Block List should generally have a weight between 60 and 80. The weight assigned will be higher if the sender is matched on more than one URL Block List.

Click the Reset button to return the weights to the default values.
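The following added example (not eprism's code) models the Highest Score, Sum of Weights and Heuristic 1 decision strategies described above, applied to component results with the weights this chapter quotes, so the Heuristic 1 worked example (Token Analysis at 60 plus one or two objective hits) can be traced. The raw-result convention, the spam-level cut-offs and the weights marked "assumed" in the code are not given on the page and are assumptions.

```python
"""Added example (not eprism code): the Highest Score, Sum of Weights and
Heuristic 1 decision strategies applied to Intercept component results.

Assumptions (not given on the page): each component reports a raw result
from 0 to 100 (100 = triggered for yes/no checks; a probability-style score
for Token Analysis); the spam-level cut-offs in LEVEL_THRESHOLDS; and the
weights marked 'assumed' below."""

# Component weights (0-100). Values quoted in this chapter unless marked.
DEFAULT_WEIGHTS = {
    "Token Analysis": 100,
    "Spam Dictionaries": 90,   # assumed; page gives no default
    "Mail Anomalies": 70,      # assumed; page gives no default
    "DNS Block List": 80,
    "URL Block List": 80,
    "BSN Dial-up": 80,
    "Bulk Analysis": 75,
    "SPF": 50,
    "DomainKeys": 90,
}

# Objective/subjective split as listed under Heuristic 1 on this page.
OBJECTIVE = {"DNS Block List", "URL Block List", "Mail Anomalies",
             "BSN Dial-up", "Bulk Analysis", "SPF", "DomainKeys"}
SUBJECTIVE = {"Spam Dictionaries", "Token Analysis", "BSN Reputation"}

LEVELS = ["Not Spam", "Maybe Spam", "Probably Spam", "Certainly Spam"]
# Assumed cut-offs, chosen so that a Token Analysis score of 60 lands on
# "Maybe Spam" as in the page's worked example.
LEVEL_THRESHOLDS = [(90, "Certainly Spam"), (75, "Probably Spam"),
                    (60, "Maybe Spam")]


def level_for(score):
    for threshold, level in LEVEL_THRESHOLDS:
        if score >= threshold:
            return level
    return "Not Spam"


def contributions(results, weights=DEFAULT_WEIGHTS):
    """Scale each raw result by its weight. BSN Reputation contributes its own
    0-100 score and has no configurable weight (as this page states)."""
    scaled = {}
    for name, raw in results.items():
        weight = 100 if name == "BSN Reputation" else weights.get(name, 0)
        scaled[name] = raw * weight / 100
    return scaled


def highest_score(results, weights=DEFAULT_WEIGHTS):
    """Highest Score strategy: the single largest contribution wins."""
    return max(contributions(results, weights).values(), default=0)


def sum_of_weights(results, weights=DEFAULT_WEIGHTS):
    """Sum of Weights strategy: start from the Token Analysis score, then add
    the full weight of every other component that produced a spam score."""
    scaled = contributions(results, weights)
    total = scaled.get("Token Analysis", 0)
    for name, value in scaled.items():
        if name == "Token Analysis" or value <= 0:
            continue
        total += value if name == "BSN Reputation" else weights.get(name, 0)
    return min(total, 100)


def heuristic_1(results, weights=DEFAULT_WEIGHTS):
    """Heuristic 1 strategy: a subjective baseline level, raised one level per
    objective component that triggered (capped at "Certainly Spam")."""
    scaled = contributions(results, weights)
    baseline = max((v for n, v in scaled.items() if n in SUBJECTIVE), default=0)
    level = LEVELS.index(level_for(baseline))
    objective_hits = sum(1 for n, v in scaled.items() if n in OBJECTIVE and v > 0)
    return LEVELS[min(level + objective_hits, len(LEVELS) - 1)]


def classify(results, strategy="Highest Score", weights=DEFAULT_WEIGHTS):
    """Return (score, level); Heuristic 1 yields a level only, so score is None."""
    if strategy == "Highest Score":
        score = highest_score(results, weights)
    elif strategy == "Sum of Weights":
        score = sum_of_weights(results, weights)
    elif strategy == "Heuristic 1":
        return None, heuristic_1(results, weights)
    else:
        raise ValueError("unknown strategy: " + strategy)
    return score, level_for(score)


if __name__ == "__main__":
    # The page's Highest Score example: DNS Block List (80) outscores Bulk
    # Analysis (75) and Mail Anomalies.
    hits = {"Bulk Analysis": 100, "Mail Anomalies": 100, "DNS Block List": 100}
    print(classify(hits, "Highest Score"))
    print(classify({"Token Analysis": 60, "DNS Block List": 100}, "Heuristic 1"))
```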

Trusted and Blocked Senders

eprism allows end users to configure their own Trusted and Blocked Senders Lists.

Trusted Senders List

The Trusted Senders List allows users to create their own lists of senders from whom they want to receive mail, to prevent those senders from being blocked by eprism's spam filters. Users can use the WebMail/ePrism Mail Client interface to create their own Trusted Senders List based on a sender's email address. Trusted Senders can also be added directly via the Spam Quarantine summary email. If the message is rejected for reasons other than spam, such as viruses or attachment controls, the Trusted Senders List will have no effect.

The Trusted Senders List overrides the following anti-spam actions:

- Modify Subject Header
- Add Header
- Redirect

The following rules also apply for the Trusted Senders List:

- A Reject or Discard action will reject or drop the message regardless of the settings in the Trusted Senders List.
- If the action is set to Just Log or BCC, the trusted message will pass through, but will still be logged or BCC'd by eprism.
- PBMF spam actions set to Medium or High priority cannot be trusted, allowing administrators to ensure that a strong security policy is enforced.
- The Trusted Senders List cannot trust items rejected by the administrator during the SMTP connection, such as BSN and DNSBL checks.

Blocked Senders List

The Blocked Senders List allows end users to specify a list of email addresses from which they do not want to receive mail. These senders will be blocked from sending mail to that specific user via eprism. If a sender is on the Blocked Senders List, the message can either be rejected with notification or discarded by eprism.

The Trusted Senders List is processed before the Blocked Senders List. If a Blocked Sender also appears in the Trusted Senders List, the email will be delivered. In the event there are multiple recipients for a message and only specific recipients have blocked the sender, the message will be delivered for those recipients that did not block the sender and rejected for those who have blocked the sender.

Local eprism users can log in and create their own list of Blocked Senders. Users do not need a local account on the system, as logins can be authenticated via LDAP to an authentication server, and the user's Trusted/Blocked Senders List is saved locally on eprism.

Enabling Trusted and Blocked Senders

The Trusted and Blocked Senders List must be enabled globally by the administrator to allow users to configure their own lists. Enable the Trusted and Blocked Senders List globally as follows:

1. Select Mail Delivery > Anti-Spam > Trusted/Blocked Senders.
2. Select the Permit Trusted or Permit Blocked Senders lists check box to enable these features.
3. Enter the maximum number of list entries for each user. The default is "100". Valid values are from "1" to " ".
4. For Blocked Senders, select the action to perform when a user on the Blocked Senders List attempts to send mail via eprism.
   Reject: The message will be rejected with notification to the sender.
   Discard: The message will be discarded without notification to the sender.
5. Enter the internal mail server host domain. This is the domain part of the email address appended to local user names, such as "example.com".

Configuring WebMail Access

WebMail access must be enabled on a network interface in Basic Config > Network to allow users to log in to eprism via eprism Mail Client/WebMail to manage their Trusted/Blocked Senders List. In User Accounts > Secure WebMail, you must also enable the Trusted/Blocked Senders controls for the end user when they log in to the eprism Mail Client/WebMail interface.

Imported Trusted/Blocked Senders List

Trusted/Blocked Senders Lists can be manually or automatically updated from a global list located on an external web server. The list update can be scheduled to occur at regular intervals. The list can be updated immediately by clicking the Update imported list now button. It is recommended that organizations use either the personal Trusted/Blocked Senders List or the imported list, and not both at the same time.

To configure the Imported Trusted/Blocked Senders List:

1. Select the Enable imported list check box.
2. Enter the List source URL where the Trusted/Blocked Senders List can be retrieved from, such as:
   HTTPS is also supported for the List source URL.
3. Select the Automatic update check box to enable scheduled updates, and select the days and time to retrieve the list.
4. To perform a manual update, click the Update imported list now button.

For eprism systems configured in a cluster, each cluster member must be configured to import this list independently.

Import List File

The Trusted/Blocked Senders List file must be in CSV format and contain comma or tab separated entries in the form:

    [recipient],[sender],[block or trust]

For example:

The file (bwlist.csv) should be created in CSV file format using Excel, Notepad or another Windows text editor. It is recommended that you download the file first by clicking the Download File button, edit it as required, and upload it using the Upload File button.

Adding Trusted/Blocked Senders

To create their own Trusted/Blocked Senders List, the end user can log in to their eprism Mail Client/WebMail account, and select Trusted Senders or Blocked Senders from the menu. Users do not need a local account on the system. Logins can be authenticated via RADIUS or LDAP to an authentication server such as Active Directory. The user's Trusted Senders List is saved locally on the system. See Remote Accounts and Directory Authentication on page 202 for more detailed information on setting up user authentication.

The Trusted and Blocked Senders Lists are based on a sender's email address. Enter an email address and click the Add button. Trusted Senders can also be added directly via the Spam Quarantine summary email.
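As an added example (not eprism's code or its actual import routine), the following parses an import file in the [recipient],[sender],[block or trust] form above, rejecting malformed lines rather than applying a partial list, and then applies the precedence rules from the Trusted and Blocked Senders section: the Trusted list is checked first and wins, a Reject or Discard action is never overridden, Just Log and BCC still apply, and a blocked sender affects only the recipients who blocked it. The file contents and helper names are constructed assumptions.

```python
"""Added example (not eprism code): parse a Trusted/Blocked Senders import
file ([recipient],[sender],[block or trust], comma or tab separated) and apply
the per-recipient precedence rules from this chapter. SAMPLE_LIST and the
function names are constructed assumptions."""
import csv

# Constructed sample bwlist.csv content (not the page's example file); the
# second line uses tab separators, which the format also allows.
SAMPLE_LIST = """recipient@example.com,news@lists.example.org,trust
recipient@example.com\tspammer@bad.example\tblock
other@example.com,spammer@bad.example,block
other@example.com,spammer@bad.example,trust
"""


def parse_import_list(text):
    """Return {recipient: {'trust': set(), 'block': set()}}. Raises ValueError
    on a malformed line so a bad upload is refused instead of half-applied."""
    lists = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        sep = "\t" if "\t" in raw else ","
        fields = next(csv.reader([raw], delimiter=sep))
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        recipient, sender, action = (f.strip().lower() for f in fields)
        if action not in ("block", "trust"):
            raise ValueError(f"line {lineno}: action must be 'block' or 'trust'")
        if "@" not in recipient or "@" not in sender:
            raise ValueError(f"line {lineno}: addresses must contain '@'")
        entry = lists.setdefault(recipient, {"trust": set(), "block": set()})
        entry[action].add(sender)
    return lists


def is_valid_import_list(text):
    """True when every line of the file parses."""
    try:
        parse_import_list(text)
        return True
    except ValueError:
        return False


def sender_disposition(lists, recipient, sender, admin_action="Modify Subject Header"):
    """Decide for one recipient. The Trusted list is processed first and wins
    over the Blocked list; a Reject or Discard spam action is never overridden;
    Just Log and BCC still apply to a trusted message."""
    entry = lists.get(recipient.lower(), {"trust": set(), "block": set()})
    s = sender.lower()
    if s in entry["trust"]:
        if admin_action in ("Reject", "Discard"):
            return admin_action
        if admin_action in ("Just Log", "BCC"):
            return "deliver (" + admin_action + ")"
        return "deliver"          # Modify Subject Header, Add Header, Redirect overridden
    if s in entry["block"]:
        return "blocked"          # rejected or discarded per the global setting
    return "filter"               # no entry: normal Intercept processing applies


def route_message(lists, recipients, sender, admin_action="Modify Subject Header"):
    """Per-recipient outcome for a multi-recipient message: only those who
    blocked the sender lose the message."""
    return {r: sender_disposition(lists, r, sender, admin_action) for r in recipients}
```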


Spam Quarantine

The Spam Quarantine is used to redirect spam mail into a local storage area for each individual user or to a single user. This allows users to view and manage their own quarantined spam by giving them the ability to view the message, release the message to their inbox, or delete the message. Spam Quarantine summary notifications can be sent to users notifying them of existing mail in their quarantine. The notification itself can contain links to take action on messages without having to log in to the quarantine.

To quarantine mail, the administrator must set the action for an Intercept spam level, such as "Certainly Spam", to Redirect To, and set the action data to the FQDN (Fully Qualified Domain Name) of the eprism system (to host the quarantine on the current system) or of another eprism running the spam quarantine feature. The Spam Quarantine must be enabled on the destination system if you choose to quarantine mail on a separate eprism.

Local Spam Quarantine Account

To access quarantined mail, a local account must exist for each user. This account can be created locally, or you can use the LDAP Mirrored Users feature to import user accounts from an LDAP compatible directory (such as Active Directory) and mirror them on the local system. See Directory Users and Groups on page 63 for more information on importing and mirroring LDAP user accounts.

Configuring the Spam Quarantine

Select Mail Delivery > Anti-Spam > Spam Quarantine on the menu.

Enable Spam Quarantine
    Select the check box to enable the spam quarantine.

Expiry Period
    Select an expiry period for mail in each quarantine folder. Any mail quarantined for longer than the specified value will be deleted.

Folder Size Limit
    Set a value, in megabytes, to limit the amount of stored quarantined mail in each quarantine folder.

Enable Summary
    Select the check box to enable a summary notification that alerts users to mail that has been placed in their quarantine folder. Notifications can only be sent to accounts the eprism is aware of, such as local accounts or LDAP mirrored user accounts.

Limit # of message headers sent
    Specify the maximum number of headers to be sent in the notification message. Set to "0" for all message headers to be sent.

Remember # of past summary keys
    Enter the number of days that users are allowed to access previously sent spam summaries. The default is 8. When doing spam summaries every 12 hours, a value of 8 would result in only the last four days of spam summaries being accessible.

Notification Domain
    Enter the domain to which notifications are sent. This is typically the Fully Qualified Domain Name of the server. The Spam Quarantine only supports one domain.

Notification Days
    Select the specific days to send the summary.

Notification Times
    Select the time of day to send the summary notifications. The Spam Summary processing will begin at this time, but the actual delivery of the summary notifications will not be performed until the processing (which may take several minutes) is complete.

Spam Folder
    Indicate the Spam Folder name. This must be an RFC821 compliant mail box name. This folder will appear in a user's mailbox when they have received quarantined spam.

Mail Subject
    Enter a subject for the notification email.

Allow Trusting Senders
    Inserts a link in the notification summary to allow the user to add the sender to their Trusted Senders List.

Allow reading messages
    Inserts a link in the notification summary to allow the user to read the original message.

Allow releasing of email
    Inserts a link in the notification summary to allow the user to release the email to their inbox.

Mail subject
    Enter the subject of the spam summary notification message. eprism system variables can be used in the subject. See Customizing Notification and Annotation Messages on page 371.

Notifications for the Spam Quarantine can only be sent to local or LDAP mirrored user accounts.

Spam Summary Message

If enabled, a summary notification can be sent to alert users to mail that has been placed in their quarantine folder. Additional options allow the end user to read the message, release the message from the quarantine to their inbox, or add the sender to their Trusted Senders list, via the links in the spam summary message.

Setting Spam Redirect Options

To quarantine spam mail to the Spam Quarantine, you must set the Intercept action to Redirect to and set the action data to the FQDN of the spam quarantine server. To quarantine mail to the spam quarantine, use the following procedure:

1. Go to Mail Delivery > Anti-Spam > Intercept.
2. Set the Action for the spam level (such as "Certainly Spam") to Redirect to.
3. Set the Action data to the FQDN of the spam quarantine (either this eprism, or another eprism system running the quarantine), such as "spam.example.com".

Configuring Dedicated Spam Quarantine Server

To ensure that spam redirected from another eprism is properly quarantined on a dedicated Spam Quarantine server, it is recommended that a pattern filter be created to ensure these messages are classified as "Certainly Spam" by the dedicated Quarantine server.

1. Log in to the eprism set up as the dedicated Spam Quarantine server.
2. Select Mail Delivery > Content Management > Pattern Filters (PBMF) on the menu.
3. Click the Add button to add a new pattern filter.
4. Add a pattern to match the Client IP address of the eprism system that will be redirecting mail to this quarantine server. Set the action as "Certainly Spam".
5. Select Mail Delivery > Anti-Spam > Intercept on the menu.
6. For the "Certainly Spam" spam category, set the action to Redirect To and the action data to the address of the Quarantine Server.

Accessing Quarantined Spam

The quarantined spam folder can be viewed using the eprism Mail Client/WebMail interface. Users can log in to their local or mirrored account on eprism and view their own quarantine folder. If you do not require or do not want the end users to log in locally to eprism to retrieve these messages, they can simply use the linked actions contained in the spam quarantine summary notification to manage quarantined messages. WebMail access must be enabled on a network interface in Basic Config > Network to allow users to log in to eprism locally or use the linked actions in the spam quarantine summary notification.

Users can also use IMAP to access the quarantine folders. You must enable IMAP globally and on your trusted network interfaces as required. This allows users to connect to the system via IMAP and move spam messages out of the quarantine into their own folders.

Accessing the Quarantine Folder via IMAP

To enable access to the quarantine folder via IMAP:

1. Select User Accounts > POP3 and IMAP to enable IMAP globally.
2. Select Basic Config > Network to enable IMAP on a specific network interface.
3. Connect from a client using IMAP to view the "spam_quarantine" folder.

To retrieve false positives (messages that are not spam) from the quarantine, configure the client application with two separate accounts: one for the user's normal account, and one for the spam quarantine. With this configuration, messages can be dragged and dropped from the quarantine to the user's mail account.

Enabling WebMail and Spam Quarantine Access

In Basic Config > Network, enable the WebMail check box for a specific network interface to allow users to log in to WebMail.

In User Accounts > Secure WebMail, enable the Personal Quarantine Controls option to provide users with the spam quarantine controls in the eprism Mail Client/WebMail interface.

Accessing the Quarantine Folder Using eprism Mail Client/WebMail

To access the quarantine folder via eprism Mail Client/WebMail:

1. Log into your eprism WebMail account.
2. Select Spam Quarantine on the left menu.

Click the Release link to release the message back into your inbox. Click the Trusted Sender link to automatically add the sender to your Trusted Sender List.

Spam Quarantine in a Cluster

The User Spam Quarantine can be run in a clustered environment, but there are additional steps that need to be performed for this feature to work correctly.

The Spam Quarantine should be enabled on the master Cluster Console only. The cluster will automatically synchronize the configuration with the other cluster members.

You must set your Intercept options to use an action of Redirect To, and set the action data to a hostname that will be used specifically for the Cluster Console's network interface. For example, set your redirect action to "redirect.example.com".

On the Cluster Console, go to Mail Delivery > Routing > Mail Routing, and create a mail route for "redirect.example.com" that points to the IP address of the network interface on the Cluster Console that communicates with the other cluster members. This mail route will be automatically propagated to the other cluster member systems.

On the Cluster Console, create a Specific Access Pattern rule set to an action of "Trust" for the Client IP of the network interface of the cluster members that communicate with the Cluster Console. This ensures that messages being redirected from the member systems are trusted.

If you are running Token Analysis, create a Pattern Based Message Filter rule on the Cluster Console set to the action of "Do Not Train" for the Client IP of the network interface of the cluster members that communicate with the Cluster Console. This prevents the message from being trained when it is sent to the master Cluster Console for the spam quarantine.

CHAPTER 8 User Accounts and Remote Authentication

This chapter describes how to set up and administer local and remote user accounts and POP/IMAP access on your eprism Email Security Appliance, and contains the following topics:

POP3 and IMAP Access on page 196
Local User Mailboxes on page 197
Mirror Accounts on page 199
Strong Authentication on page 200
Remote Accounts and Directory Authentication on page 202
Relocated Users on page 205
Vacation Notification on page 206
Tiered Administration on page

POP3 and IMAP Access

eprism fully supports local user mailboxes. Mail is delivered to eprism mailboxes after the same processing that applies to all other destinations. Users can use any POP or IMAP-based mail client (such as Outlook, Netscape, Eudora, and so on) to download their messages. Users can also be configured to access these mailboxes using the eprism Mail Client.

It is recommended that you use the secure versions of POP and IMAP to ensure passwords are not transmitted in clear text.

Select User Accounts > POP3 and IMAP on the menu to enable or disable POP and/or IMAP mailboxes. To complete the procedure, you must also enable POP3 and IMAP access (and their secure versions) on your network interfaces via the Basic Config > Network menu.

Local User Mailboxes

Select User Accounts > Local Accounts on the menu to add new users and configure local user mail profile settings. Click the Add a New User button to begin the new user configuration:

User ID: Enter an RFC 821 compliant mailbox name for the user.
Forward to: Enter an optional email address to forward all mail to.
Set and Confirm Password: Enter and confirm the user's password. The user should change this password the first time they log in.
Strong Authentication: Select a strong authentication method, if required. Strong authentication is explained in more detail in the next section.
Disk Space Quota: Enter an optional user disk space quota in megabytes (MB). Enter a value of "0" for no quota.
Accessible IMAP/WebMail Servers: Select the available IMAP and WebMail servers that this user can access.

Upload and Download User Lists

You can upload lists of users using comma or tab separated text files. You can specify the login ID, password, email address, and disk quota in megabytes. Use the following format:

[login],[password],[email address],[quota]

For example,

The file (user.csv) should be created in CSV file format using Excel, Notepad or another Windows text editor. It is recommended that you download the user list file first by clicking File Download, editing it as required, and then uploading it using the File Upload button.

Mailbox Options

Click the Options button to set the maximum mailbox size (in bytes) for all local mailboxes. Set this value to 0 to disable the limit. The value must not be smaller than the Maximum message size limit set in Mail Delivery > Mail Access. If you set this value to 0, users will be able to send any size of message.

Mirror Accounts

LDAP user accounts can be imported from an LDAP directory server and mirrored on the local eprism system. This allows you to create local accounts based on the LDAP accounts so that these users can log in locally for the Spam Quarantine feature. These mirror accounts are not local accounts that can accept mail; they are only used for the Spam Quarantine feature. See Directory Users and Groups on page 63 for more detailed information on creating mirror accounts.

If you have imported LDAP user accounts via Basic Config > Directory Services > Users and Groups, a new option will appear in the Local Accounts menu called Mirror Accounts that displays all mirrored user accounts. You can remove selected individual users' mirror accounts or remove all of them by clicking the Remove All button. When using the Remove All button, users are removed as a background process, and if you have many pages of users, it may take several minutes for this operation to complete.

Strong Authentication

By default, user authentication is based on UserID and password. eprism also supports strong authentication methods such as CRYPTOCard, SafeWord, and RSA SecurID. These hardware token devices provide an additional authentication key that must be entered in addition to the UserID and password. You can select a strong authentication type in the Strong Authentication drop-down menu of the user's profile.

CRYPTOCard

The CRYPTOCard option is supported by a local authentication server and requires no external system for authentication. When CRYPTOCard is selected, you will be prompted to program the card at that time using the token configuration wizard. Only manually programmable CRYPTOCard RB-1 tokens are supported.

SafeWord

SafeWord Platinum and Gold tokens are supported by a local authentication server, and require no external system for authentication. When SafeWord is selected, you will be prompted to program the card at that time using the token configuration wizard. Only manually programmable SafeWord tokens are supported.

SecurID

To configure RSA SecurID, you must set up the system as a valid client on the ACE Server, create an sdconf.rec (ACE Agent version 4.x) file, and upload it to eprism. Although newer ACE servers are supported, the sdconf.rec file must be for version 4.x of the ACE Agent. Versions greater than 4.x generate a different format of this file.

Select User Accounts > SecurID on the menu to configure SecurID. Click the Browse button to find and load a sdconf.rec file. Click Upload when finished.

After enabling SecurID via User Accounts > SecurID, it must also be enabled for a network interface in the Basic Config > Network screen.

Ensure that eprism's domain name is listed in your DNS server. SecurID authentication may not work properly if a DNS record does not exist.

Remote Accounts and Directory Authentication

Directory authentication allows users to be authenticated without having a local eprism account. When an unknown user logs in, eprism will send the UserID and password to the specified LDAP or RADIUS server. If the user is authenticated, eprism will log them in and provide access to the specified server or servers.

LDAP and RADIUS are widely used, and provide a convenient way of allowing access to internal mail servers or webmail servers such as Outlook Web Access. Users who log in locally to an Exchange server based on an Active Directory identity can use the same identity to use Outlook Web Access with eprism's Secure WebMail service.

If both LDAP and RADIUS services are defined, the system will try to authenticate via RADIUS first, and then LDAP if the RADIUS authentication fails.

Configuring Directory Authentication

Select User Accounts > Remote Auth from the menu to configure LDAP and RADIUS authentication. If you want to use LDAP for authentication, click the New button in the LDAP Sources section to define a new LDAP source.

Directory Server: Select a configured LDAP directory server for authentication.
Search Base: Enter the base point from which to start the search, such as cn=users,dc=example,dc=com.
Scope: Enter the scope of the search, such as Subtree, One Level, or Base.
   Base: Searches the base object only.
   One Level: Searches objects beneath the base object, but excludes the base object.
   Subtree: Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.
Query Filter: Enter a specific query filter to search for a user in your LDAP directory hierarchy. For Active Directory implementations, use (ObjectClass=user).
Timeout: The maximum interval, in seconds, to wait for the search to complete.
Account name attribute: Enter the account name result attribute that identifies a user's login or account name, such as samaccountname for Active Directory implementations.

You will need to enter the appropriate Query Filter and Account name attribute for your particular LDAP infrastructure if you use another LDAP service such as OpenLDAP or iPlanet.

RADIUS Authentication

Click the New button in the Radius Servers section to configure a RADIUS server for authentication.

Server: Enter the FQDN or IP address of the RADIUS server.
Shared Secret: Enter the shared secret for the RADIUS server. A shared secret is a text string that acts as a password between a RADIUS server and client. Choose a secure shared secret of at least 8 characters in length, and include a mixture of upper and lowercase alphabetic characters, numbers, and special characters such as the "@" symbol. When you add a RADIUS server, the administrator of the RADIUS server must also list this eprism Email Security Appliance as a client using the same shared secret. All listed RADIUS servers must contain the same users and credentials.
Timeout: Enter a timeout value to contact the RADIUS server.
Retry: Enter the retry interval to contact the RADIUS server.

The server "This eprism Email Security Appliance" will only be made accessible for mirror users. See Directory Users and Groups on page 63 for more information on setting up mirrored accounts. The other servers listed in the Accessible Servers option are configured via User Accounts > Secure WebMail. See Secure WebMail on page 212 for more detailed information on configuring this feature.

Relocated Users

Use the Relocated Users screen to return information to the sender of a message on how to reach users that no longer have an account on the eprism system. A full domain can also be specified if the email address has changed for a large number of users.

Select User Accounts > Relocated Users on the menu to configure the relocation information. Click the Add button to add a new relocated user.

Enter a user name in the User field, such as user or user@example.com, or enter a domain name to specify an entire domain. In the "User has moved to" field, enter any appropriate contact information for the relocated user, such as their new email address, street address, or phone number.

Vacation Notification

When a user will be out of the office, they can enable Vacation Notification, which sends an automated reply to incoming messages. The reply message is fully configurable, allowing a user to personalize the vacation notification message.

Vacation Notifications are processed after mail aliases and mappings. You must create notifications for a specific end user and not for an alias or mapping.

The process for configuring Vacation Notification includes the following steps:

1. The administrator enables Vacation Notification globally.
2. Individual settings can be configured as follows:
   The administrator configures Vacation Notification for the user via User Accounts.
   The user configures their own Vacation Notification via eprism Mail Client/WebMail.

Select User Accounts > Vacations from the menu to enable Vacation Notification globally.

Enable Vacation Notification: Enable or disable the service globally for all users.
Domain Part of Address: Enter the domain name to be appended to local user names. This value will be used for all local users.
Interval Before Re-sending: The number of days after a previous notification was sent before another reply is sent if a new email arrives from the original sender.

Default Vacation Notification Profile: Enter the subject and contents for the default notification message. Users will be able to change the subject and message from their own user profile.

Click the Edit Vacations button to see all Vacation Notification settings and to add arbitrary notifications for non-local users. Click on an address to edit the user's vacation notification settings. From this screen, an administrator can configure the notification settings, including the address from which incoming mail will receive a vacation response.

User Vacation Notification Profile

An administrator can configure vacation notifications for individual users via their user profile in the User Accounts menu. Users can configure their own Vacation Notification settings in their profile via eprism Mail Client.

To configure Vacation Notification:

1. Log in to eprism Mail Client and select User Profile on the menu.
2. Set the Vacation Start Date by selecting the required date on the left calendar.
3. Set the Return to Work Date on the right calendar. The vacation notices will be sent out automatically during this time.
4. Modify the default subject and contents of the response message.
5. Click Save User Profile.

Vacation notifications are not sent to emails marked as "bulk", such as mailing lists and system generated messages. Notifications are also not sent in response to messages identified as spam.

Tiered Administration

Tiered Administration allows an administrator to assign additional administrative access permissions on a per-user basis. For example, the administrator can designate another user as an alternate administrator by selecting the Full Admin option in their user profile.

To enable administrator permissions, select a user profile from the User Accounts > Local Accounts menu. Enable each administrative option as required for that user by selecting the corresponding check box.

WebMail/ePrism Mail Client access must be enabled on the network interface that will be used by tiered administration users. This is set in the Basic Config > Network screen.

To distribute administrative functions, the administrator can configure more selective permissions to authorize a user only for certain tasks, such as administering users and reports, configuring anti-spam filter patterns, or viewing the email database.

Full Admin: The user has administrative privileges equivalent to the admin user.
Administer Aliases: The user can add, edit, remove, upload and download aliases (not including LDAP aliases).
Administer Filter Patterns: The user can add, edit, remove, upload and download Pattern Based Message Filters and Specific Access Patterns.
Administer Mail Queue: The user can administer mail queues.
Administer Quarantine: The user can view, delete, and send quarantined files.
Administer Reports: The user can view, configure and generate reports, and view system activity.
Administer Users: The user can add, edit, and relocate user mailboxes (except the Full Admin users), including uploading and downloading user lists. User vacation notifications can also be configured.
Administer Vacations: The user can edit local users' vacation notification settings and other global vacation parameters.
Mail History: The user can view the email history database.
View Activity: The user can view the Activity page and start and stop mail services.
Individual emails can only be viewed if View Database is also enabled.
View System Logs: The user can view all logs.

Granting full or partial admin access to one or more user accounts allows actions taken by administrators to be logged, because they have an identifiable UserID that can be tracked by the system.

A user with Full Admin privileges cannot modify the profile of the Admin user. They can, however, edit other users with Full Admin privileges.

Logging In With Tiered Admin Privileges

When tiered administrative privileges have been assigned to a user, they can access them via the eprism Mail Client interface by logging in locally to eprism. Select the type of feature you want to administer via the top-left drop-down menu.

CHAPTER 9 Secure WebMail and eprism Mail Client

This chapter describes how to set up Secure WebMail and the eprism Mail Client on your eprism Email Security Appliance, and contains the following topics:

Secure WebMail on page 212
eprism Mail Client on page

Secure WebMail

The Secure WebMail feature provides a highly secure mechanism for accessing webmail services such as Microsoft OWA (Outlook Web Access), Lotus iNotes, and IMAP servers. Webmail services provide an attractive, easy to use remote interface for users to access their mail server mailboxes remotely via a web browser. As these webmail services are accessible from the Internet, they present a number of security challenges. The Secure WebMail feature is designed to support the use of webmail services while protecting webmail servers from Internet attacks.

The connection is managed using a full application proxy. eprism completely recreates all HTTP/HTTPS requests made by the external client to the internal webmail server.

Configuring Secure WebMail and eprism Mail Client

Select Basic Config > Network, and then select the WebMail check box to enable WebMail access on a network interface.

Select User Accounts > Secure WebMail to configure Secure WebMail and eprism Mail Client options.

Access Types

The following options enable controls in the WebMail interface for features such as the Spam Quarantine, Trusted Senders, and administrative access.

Administrative Access: Enables access to administrative functions if the user has administrative privileges, such as via Tiered Administration.
Local Mail: Enables access to IMAP servers on the local network.
Proxy Mail: Enables proxy mail access to other IMAP servers.
Personal Quarantine Controls: Enables the Spam Quarantine controls. The Spam Quarantine must be enabled globally via Mail Delivery > Anti-Spam > Spam Quarantine.
Trusted/Blocked Senders List: Enables the Trusted and Blocked Senders List controls. These features must be enabled globally via Mail Delivery > Anti-Spam > Trusted/Blocked Senders.

For organizations that only want to use local mailboxes for the Spam Quarantine controls or Trusted Senders, it is recommended that you disable Local Mail and Proxy Mail access, while enabling Personal Quarantine Controls and Trusted/Blocked Senders. This displays only those functions to the end user when they log into the eprism Mail Client/WebMail account. Personal Quarantine and Trusted/Blocked Senders can be disabled if you are only using the Spam Quarantine summary for these features and users do not need to log in locally.

At least one of these options must be enabled to allow WebMail access on a specified interface in Basic Config > Network. If all of these access options are disabled, the WebMail access option on an interface will be disabled.

Servers

Webmail servers must be running one of the following: IMAP, Outlook Web Access (OWA), or Lotus iNotes.

Cached server passwords: This option, when enabled, will keep a copy of the user's password until they explicitly log out. If a user switches servers, they will not need to re-enter their password.
Share cookies between servers: Enable this option to ensure that when a user moves from server to server or is redirected to another server, the user's session cookies are also passed along.
Upload Maximum File Size: Enter the maximum file size allowed in megabytes.

Click the Add Server button to add an internal server to be accessed.

Address: Enter the IP address, hostname, or URL of the server. Add users to this server by selecting the corresponding check box for that user.
Label: Enter an optional label to describe this server.
Users who may access this server: Select the users who will be able to access this server.
Automatic Server Login: Select this option to try the user's WebMail ID/Login first before prompting for an ID and password. Leave this option disabled to force a login prompt for each new server. This option enables single login capabilities to allow users to log in to eprism and their WebMail server with only one login.

This option should be disabled if the server is set to expire passwords after three failed attempts.

Use Most Recent: Select this option to try the most recently used credentials first when changing servers. This option only applies to users with more than one accessible WebMail server.
Force Compatibility: Select this option to ensure support for Outlook Web Access 2000 and limited support for OWA.
Make Invisible: Use this option to make the server invisible to users in the Secure WebMail server drop-down list.
Keep Alive: Specify the frequency at which keep-alive messages are sent to the WebMail server to keep the client connection alive.

eprism Mail Client

The eprism Mail Client is the native webmail client for the eprism Email Security Appliance. Using the eprism Mail Client, you can access local mailboxes, IMAP servers, administrative functions, the Spam Quarantine, and the Trusted Senders List.

From a web browser, enter the hostname or IP address of the eprism system running the eprism Mail Client. Log in with your local user ID and password. (The login can also be authenticated using LDAP or RADIUS.) When successfully logged in, the eprism Mail Client interface will be displayed.

Configuring eprism Mail Client Options

In the User Accounts > Secure WebMail screen, you can configure popup options, the sent mailbox folder, and other eprism Mail Client features in the eprism Mail Client Options section. To see popup windows, your web browser must have popups enabled.

New Mail Popup: Enable a popup window for new mail notifications.
Minimize Popups: Minimize the use of new popup browser windows by using the main frame.

Enable Inline HTML-mail Viewing: Enables the viewing of HTML mail. For security reasons, any scripts and fetches for external objects are filtered out.
Save Sent Mail: Enables saving of sent mail in the user's mailbox.
Sent Mail-box: The name of the sent mail folder, if enabled.
Editable From: Enables a user to edit the From: field when composing mail.

CHAPTER 10 Policy Management

This chapter describes how to use and configure Policy controls for users, groups, and domains, and contains the following topics:

Policy Overview on page 220
Creating Policies on page 223
Domain Policies on page 224
Group Policies on page 226
User Policies on page 231
Managing Policies on page 233
Policy Diagnostics on page

Policy Overview

eprism's Policy controls allow specific mail security features to be customized and applied to different domains, user groups, or individual users. The features that can be used with Policy controls include the following:

Annotations
Anti-Virus
Archiving
Attachment Control
Attachment Content Scanning
Intercept Anti-Spam
Objectionable Content Filter

Policy controls enable granular settings to be applied for each specific domain, group, or user. For example, Intercept Anti-Spam settings can be enabled for specific domains, while turned off for other domains. Each Anti-Spam action can be customized to configure one domain to reject spam messages, while another domain can be configured to modify the subject header of a spam message. Spam thresholds and Intercept component weights can also be customized for different domains, groups, and user addresses.

Anti-Virus and Attachment Control actions for inbound and outbound mail can also be specifically defined for the requirements of each domain, group, or user. For example, you can enable inbound and outbound Anti-Virus and Attachment Control checks for some domains, while only checking inbound mail for other domains.

Sender and Recipient Policy Determination

When a message arrives, eprism will determine a set of policy settings for each message recipient as follows:

If the message is trusted, and is addressed to a non-local recipient, then the sender's policy settings will be used for that recipient.
If the message is untrusted, or is trusted but addressed to a local recipient, then the recipient's policy settings will be used for that recipient.

Policy Hierarchy

Policy settings are processed after any mail mappings etc. If the final recipient is a local user or a user in a domain that eprism routes mail for, then it is considered a local recipient.

There are four types of policies that can apply to a user: the Domain Policy, Group Policy, User Policy, and Default Policy.

Recipients can belong to multiple policies; for example, the recipient "user@example.com" may have a user-based policy for "user@example.com" and a policy based on the domain "example.com". The final policy for the recipient will be the merging of any existing policies for that user, with conflicting settings resolved in the following order of precedence:

1. User policy (user@example.com)

2. Group policy (Sales)
3. Domain policy (example.com)
4. Default policy

For example, if User and Domain policies are defined and enabled, and the Anti-Virus feature is defined and enabled in only the Domain policy but undefined in the other policies, Anti-Virus will be enabled. To override this Domain policy for a user, define the Anti-Virus feature as disabled in the User Policy.

Multiple Group Policies

In cases where a user belongs to multiple groups, the group order takes precedence. In the Group Policy configuration screen, administrators can order the list of groups into an order of priority. For example:

A user belongs to Group1 and Group2
Group 1 Policy is set to a higher priority than Group 2 Policy
Group 1 Policy has Token Analysis enabled and defined
Group 2 Policy has Token Analysis disabled and defined

The final result is that the user's email will be scanned by Token Analysis.

Group policies are not merged as they are with user and domain policies. If a user belongs to more than one group, only the first group policy in the specified group ordering is applied.

PBMF Priority

When using PBMFs with policies, there may be situations with conflicting priorities for global PBMFs and policy PBMFs. When processing PBMFs, eprism makes the following decisions:

1. The priority of all actions is taken into consideration. If there is only one "High" priority action, that filter will be used.
2. For PBMFs with the same priority, policies are resolved in the following order:
   User Policy
   Group Policy
   Domain Policy
   Default Policy/Global
3. For the same priority and same policy, actions are resolved in the following order:
   Bypass
   Reject
   Discard
   Quarantine
   Certainly Spam
   Redirect
   Trust
   Relay
   Accept

   Just Log

When creating Pattern Based Message Filters (PBMFs) in policies, certain message parts, such as Envelope-to and Envelope-from, Client IP, and Host, are not available. These PBMFs can cause actions to trigger before the recipients are known, such as on a connecting client IP address, and therefore are not available for use in Policies.

BCC and Do Not Train actions will not prevent lower priority actions from being triggered. For example, a BCC action at "High" priority in the global PBMF list and an Accept action at "Medium" priority in a policy will result in an Accept and the BCC option.
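The three-step PBMF decision order above, and the rule that BCC and Do Not Train never suppress a lower-priority action, as an added Python model. This is example code written for this page, not the appliance's own filter engine. The filter names and the sample conflicts are constructed; the guide names only the "High" and "Medium" priorities, so the "Low" level is an assumption, and the Default Policy and the global PBMF list share one rank because the guide lists them together as "Default Policy/Global".

```python
"""PBMF conflict resolution: priority, then policy, then action order.

BCC and Do Not Train are side effects and never suppress another action.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "High" and "Medium" appear in the guide; "Low" is assumed as a third level.
PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}

# The Default Policy and the global PBMF list share the lowest policy rank.
POLICY_RANK = {"User": 0, "Group": 1, "Domain": 2, "Default": 3, "Global": 3}

# Same priority and same policy: the action that appears earlier here wins.
ACTION_ORDER = ["Bypass", "Reject", "Discard", "Quarantine", "Certainly Spam",
                "Redirect", "Trust", "Relay", "Accept", "Just Log"]

# Actions applied alongside the winner instead of competing with it.
NON_BLOCKING = {"BCC", "Do Not Train"}


@dataclass(frozen=True)
class PbmfMatch:
    """One pattern filter that matched the message (names are constructed labels)."""
    name: str
    priority: str
    policy: str
    action: str


def sort_key(match: PbmfMatch) -> Tuple[int, int, int]:
    """Lower tuple wins. An unknown priority, policy or action raises rather
    than silently sorting last."""
    return (PRIORITY_RANK[match.priority],
            POLICY_RANK[match.policy],
            ACTION_ORDER.index(match.action))


def resolve_pbmf(matches: List[PbmfMatch]) -> Tuple[Optional[PbmfMatch], List[str]]:
    """Return (winning filter or None, sorted side actions) for one message."""
    side_actions = sorted({m.action for m in matches if m.action in NON_BLOCKING})
    blocking = [m for m in matches if m.action not in NON_BLOCKING]
    if not blocking:
        return None, side_actions
    return min(blocking, key=sort_key), side_actions


# Constructed samples: the BCC case from the guide, then one conflict per tie-break.
SAMPLE_BCC_CASE = [
    PbmfMatch("global-bcc", "High", "Global", "BCC"),
    PbmfMatch("user-accept", "Medium", "User", "Accept"),
]
SAMPLE_PRIORITY_BEATS_POLICY = [
    PbmfMatch("global-quarantine", "High", "Global", "Quarantine"),
    PbmfMatch("user-bypass", "Medium", "User", "Bypass"),
]
SAMPLE_POLICY_BEATS_ACTION = [
    PbmfMatch("domain-reject", "High", "Domain", "Reject"),
    PbmfMatch("user-accept", "High", "User", "Accept"),
]
SAMPLE_ACTION_ORDER = [
    PbmfMatch("global-quarantine", "High", "Global", "Quarantine"),
    PbmfMatch("global-reject", "High", "Global", "Reject"),
]

if __name__ == "__main__":
    for label, sample in [("bcc", SAMPLE_BCC_CASE),
                          ("priority", SAMPLE_PRIORITY_BEATS_POLICY),
                          ("policy", SAMPLE_POLICY_BEATS_ACTION),
                          ("action", SAMPLE_ACTION_ORDER)]:
        winner, side = resolve_pbmf(sample)
        print(label, winner.name if winner else None, side)
```

The side actions are separated out before the ranking so that a High-priority BCC in the global list cannot be mistaken for "the only High priority action" in step 1; the ranking then runs only over actions that actually dispose of the message.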

Creating Policies

The following sections describe how to enable and define policies. The general steps are as follows:

1. Define global eprism settings
2. Enable the Default Policy
3. Add and define new Domain, Group, and User Policies

Define Global eprism Settings

Before creating your specific domain and user policies, it is recommended that administrators define their default eprism settings globally for Anti-Virus, Attachment Control, Anti-Spam features, and so on, before defining more granular policies based on these global settings. These settings will be inherited by the Default policy, which is the policy used by all users that do not belong to a specific policy.

If you disable a feature globally, it cannot be enabled by a policy. The feature will be completely disabled, regardless of how a policy is configured.

Enable the Default Policy

Select Mail Delivery > Policy > Policy Definition to enable the default policy. The Default policy cannot be deleted. The policy name "Default" is a reserved word specifically to be used as the Default policy for users that are not assigned to a specific policy.

Domain Policies

When global settings have been defined, more granular policy settings can be configured by creating policies for specific domains, groups, and users.

Domain policies can be created to enable different policies for different domains in an organization. For example, administrators might require that different domains have separate annotations (such as a legal disclaimer) appended to their messages. Create a policy definition for this domain as follows:

1. Select Mail Delivery > Policy > Policy Definition to configure customized policies.
2. Click the Add Policy button.
3. Enter a descriptive name for this domain policy, such as "example.com".
4. Select the Enable check box to enable this policy.
5. Go to the Annotations section of the policy.
6. Select the Enable check box and the Define check box to enable annotations for this domain policy.
7. Select the Define check box for the Annotation "Edit" field, and then click the Edit button to customize the annotation for this domain.
8. Customize the annotation and click Apply, and then click Return to Policy.

9. Click Apply to save the "example.com" domain policy.
10. Select Mail Delivery > Policy > Domain Policy to add the "example.com" domain.
11. Select the "example.com" policy in the Policy drop-down list.
12. Enter the domain that this policy will apply to, such as: example.com
    Use a leading "." to indicate subdomains of the specified domain, such as: .example.com
    This will match a.example.com, b.example.com, and c.d.example.com, but not "example.com".
13. Click Add to add the domain to the Domain Policy list.

Uploading and Downloading Domain Policy Lists

A list of domains and their corresponding policies can also be uploaded in one text file. The file must contain comma- or tab-separated entries in the form:

[Domain],[policy name]

For example:

example.com,domain1

The file (domain_policy.csv) should be created in CSV format using Excel, Notepad, or another Windows text editor. It is recommended that you first download the current domain file by clicking Download File, edit it as required, and then upload it using the Upload File button.

Group Policies

Policies can be customized for users who belong to a specific group. For example, a "Sales" group might have different attachment content scanning policies than users in the Development group. Group policies are also useful for providing different annotations or anti-spam features for each user group.

Group membership information must be imported from an LDAP directory. Click the LDAP Import button, which takes you to the Directory Users and Groups screen where LDAP users and group names can be imported. A Directory Server must be set up before you can import users and groups. See Directory Users and Groups on page 63 for more detailed information on setting up directory services for group imports.

When you have set up your Directory Users and Groups configuration, click Apply. Click the Import Now button to import users and their corresponding group memberships from the LDAP directory. When the import is completed, the group list will appear in your Group Policy screen. Scheduled imports can be set up by clicking the Import Settings button.

Select the "New" group view to show the groups that you just imported and that are currently unassigned. Newly imported groups display "New" as their policy category, indicating that the group has just been imported and currently has no policy. These new groups can then be assigned the "Default" policy or an existing configured policy, or be set as "Unassigned". Groups configured as "New" or "Unassigned" do not have an active policy. A re-import of groups will change all previously "New" groups to "Unassigned".

Re-Ordering Groups

If a user belongs to more than one group, group policies are applied in the order listed. For example, in the case of annotations, a user belonging to multiple groups receives the annotation of their first group in the group order.

Groups can be reordered for priority by clicking the Re-Order Groups button. A list of "Assigned" groups (groups assigned to a policy) is displayed. Select a group to be moved, and then click the Up or Down buttons to move the group up or down the list. Groups can be moved immediately to the top or bottom of the list using the Top and Bottom buttons. When you have finished re-ordering the groups, click the Apply button.

Assigning Group Policies

Policies can now be assigned to each group by selecting a specific policy from the drop-down box. In this example, we have created a policy named Group Policy 1 that we will apply to specific groups: the Canada, India, and Japan groups have been configured to use the Group Policy 1 policy. When you are finished setting the policies for the required groups, ensure the groups that have been modified are selected, and then click the Apply link.

Uploading Group Policy Lists

A list of groups and their corresponding policies can also be uploaded in one text file. The file must contain comma- or tab-separated entries in the form:

[group],[policy name]

For example:

sales,salesgroup

The file (group_policy.csv) should be created in CSV format using Excel, Notepad, or another Windows text editor. It is recommended that you first download the current group file by clicking Download File, edit it as required, and then upload it using the Upload File button.

Orphaned Groups

Orphaned LDAP groups are groups that have been deleted from the LDAP directory but still exist in eprism's local group list. Any policies configured for these orphaned groups will not be processed. Click the Delete Orphans button to remove these groups from eprism's group policy screen.

Disabling Group Policy

Group Policies can be disabled if they are not being used for policies in your organization. This may help performance for organizations that have a large number of directory users and do not need to use Group Policy. Click the Disable Group Policy button to disable this feature.

User Policies

Policies can be customized for individual user addresses. A User policy takes precedence over Domain and Group policies, and is useful for creating individual exceptions to those policies. In the following example, a user policy is created with customized anti-virus settings. Configure a user policy as follows:

1. Select Mail Delivery > Policy > Policy Definition.
2. Click the Add Policy button.
3. Enter a descriptive name for this policy, such as "User Policy".
4. Select the Enable check box to enable this policy.
5. Go to the Anti-Virus section of the policy.
6. Select Kaspersky Virus Scanning and ensure the Define check box is checked.
7. Customize the actions and notifications for inbound and outbound virus scanning.
8. When finished, click Apply to save this policy.
9. Select Mail Delivery > Policy > User Policy to add a user address.

10. Select the User Policy created in the previous steps in the Policy drop-down list.
11. Enter the user address, such as in the field.
12. Click Add to add the user address to the User Policy list.

Uploading and Downloading User Address Lists

A list of users can also be uploaded in one text file. The file must contain comma- or tab-separated entries in the form:

[ ],[policy name]

For example:

user@example.com,user Policy

The file ( _policy.csv) should be created in CSV format using Excel, Notepad, or another Windows text editor. It is recommended that you first download the current user file by clicking Download File, edit it as required, and then upload it using the Upload File button.

Managing Policies

When several domain, group, and user policies have been created and customized, they can be managed from the Mail Delivery > Policy > Policy Definition screen. The Enabled field indicates whether a policy is on and active or disabled. Each individual policy can be edited by clicking its name. To delete policies, select the check box of each policy you want to delete, then click the Remove button.

Enable Verbose Logging

The Enable Verbose Logging feature writes additional policy information to the Mail Transport log file. Click the Enable Verbose Logging button to enable this feature. The mail log can be viewed via Status/Logs > System Logs > Mail Transport. The message displayed will contain information similar to the following:

policy_recipient=<testuser@qa.example.com>, policy_user=<testuser@qa.example.com> (remote=f), domain_policy=<2:antispam enabled>, group_policy=<0:>, group_name=<>, user_policy=<4:ocf enabled> default_policy=<1:default>

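Parsing the verbose policy log lines shown above lets an administrator review policy resolution across a whole Mail Transport log rather than one entry at a time. The following is an added Python example, not eprism code: the first sample line is the format shown above, the second is constructed, and reading a field of the form `<0:>` as "no policy matched" is an assumption drawn from that example.

```python
"""Parse the policy lines that Enable Verbose Logging writes to the Mail
Transport log, so that policy resolution can be reviewed across many recipients.
Added example, not eprism code: the second sample line is constructed, and
reading '<0:>' as "no policy matched" is an assumption drawn from the example."""
import re

FIELD_RE = re.compile(r"(\w+)=<([^>]*)>")
REMOTE_RE = re.compile(r"\(remote=([tf])\)")
POLICY_ORDER = ("user_policy", "group_policy", "domain_policy", "default_policy")


def parse_policy_log_line(line):
    """Return the key=<value> fields; *_policy values become (id, name) tuples."""
    record = {}
    for key, value in FIELD_RE.findall(line):
        if key.endswith("_policy"):
            pid, _, name = value.partition(":")
            record[key] = (int(pid) if pid.isdigit() else None, name)
        else:
            record[key] = value
    m = REMOTE_RE.search(line)
    record["remote"] = (m.group(1) == "t") if m else None
    return record


def effective_policy_chain(record):
    """Names of the policies that matched, highest precedence first."""
    return [record[k][1] for k in POLICY_ORDER if k in record and record[k][1]]


def recipients_without_specific_policy(lines):
    """Recipients that fell through to the Default policy alone; useful for
    spotting addresses an administrator expected a policy to cover."""
    fallthrough = []
    for line in lines:
        rec = parse_policy_log_line(line)
        if effective_policy_chain(rec) == [rec["default_policy"][1]]:
            fallthrough.append(rec["policy_recipient"])
    return fallthrough


# The first line is the format shown above; the second is constructed.
SAMPLE_LINES = [
    "policy_recipient=<testuser@qa.example.com>, policy_user=<testuser@qa.example.com> (remote=f), "
    "domain_policy=<2:antispam enabled>, group_policy=<0:>, group_name=<>, "
    "user_policy=<4:ocf enabled> default_policy=<1:default>",
    "policy_recipient=<guest@example.org>, policy_user=<guest@example.org> (remote=t), "
    "domain_policy=<0:>, group_policy=<0:>, group_name=<>, user_policy=<0:> default_policy=<1:default>",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_policy_log_line(line)
        print(rec["policy_recipient"], "->", " > ".join(effective_policy_chain(rec)))
    print("default only:", recipients_without_specific_policy(SAMPLE_LINES))
```

The chain for the first line reads "ocf enabled > antispam enabled > default", which matches the precedence the next sections describe: a user policy overrides a domain policy, and a group policy with an empty name contributed nothing.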
Policy Diagnostics

The Policy Diagnostics screen allows administrators to test their policy structure to ensure that the final result for a specific user is the desired one. Several policies can apply to a single user, including domain policies, user policies, group policies, and the default policy. By entering the user's address in the diagnostic screen, the final result of each policy feature is displayed, including information on which policies were overridden by another policy with higher priority.

Select Mail Delivery > Policy > Policy Diagnostic on the menu to configure and run policy diagnostics.

Sender: Enter a sender address for this test if you are testing an outbound message. This field can be left blank to indicate any sender for inbound mail.

Recipient: Enter the test recipient for the policy. The final result displayed during the diagnostics will be the final policy result for this specific user.

Direction: Select a direction for the message to determine policy results when the message is inbound or outbound.

Trusted: Select whether the message is considered to be from a trusted or untrusted source.

Click Lookup to start the policy diagnostics.

The Policy Diagnostic summary screen provides the administrator with a detailed analysis of how the various active policies combine to determine the final disposition of mail messages.

The Policy Diagnostics table displays the eprism features that can be configured on a per-policy basis. Each column displays the contribution to the disposition of the message by each policy (User, Group, Domain, and Default). For each feature, an "X" indicates the defined policy that was used to determine the final result. Any policies that were overridden by the applied policy are indicated by an "_". An empty column indicates that no matching policy was found by the policy resolution engine. At the end of each feature row, the final result of the policy is indicated, such as "Disabled" for Kaspersky Anti-Virus.

Because policies are initialized with reasonable defaults, and those values may match the overall default setting, it can appear that a particular policy has been overridden when in fact no explicit configuration is responsible. For example, the default setting for attachment scanning is 'disabled'. If a user policy is defined but attachment scanning is not part of that definition, and nothing else overrides the default, it will appear that the contribution has come from the user policy.

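The way User, Group, Domain and Default policies combine per feature, in the X / _ layout of the Policy Diagnostics table, as an added Python illustration that is not eprism's own code. It also implements the leading-"." subdomain matching from the Domain Policies section and the first-listed-group rule from Re-Ordering Groups. The data layout, the assumption that Group outranks Domain (the column order of the diagnostics table), and the sample policies and addresses (alice@example.com, bob@a.example.com, the "Group Policy 1" and "User Policy" names) are all constructed for the example.

```python
"""Per-feature policy resolution and the diagnostics table it produces, modelled
on the precedence this chapter describes: User over Group over Domain over
Default, and a feature disabled globally stays disabled. Added illustration,
not eprism code: the data layout, the assumption that Group outranks Domain,
and the sample policies below are all constructed."""
from dataclasses import dataclass, field

LEVELS = ("User", "Group", "Domain", "Default")

@dataclass
class Policy:
    name: str
    enabled: bool = True
    defined: dict = field(default_factory=dict)  # feature -> setting, "Define" ticked

@dataclass
class PolicyConfig:
    global_settings: dict  # feature -> global setting, inherited by Default
    policies: dict         # policy name -> Policy
    user_policy: dict      # address -> policy name
    group_policy: dict     # group -> policy name ("New"/"Unassigned" are inactive)
    group_order: list      # assigned groups in priority order (Re-Order Groups)
    membership: dict       # address -> set of imported LDAP groups
    domain_policy: dict    # domain pattern -> policy name

def domain_matches(pattern, domain):
    """'example.com' matches that domain only; '.example.com' matches any
    subdomain (a.example.com, c.d.example.com) but not example.com itself."""
    pattern, domain = pattern.lower(), domain.lower()
    return domain.endswith(pattern) if pattern.startswith(".") else domain == pattern

def matching_policies(cfg, address):
    """(level, policy name) pairs that apply to an address, highest priority first."""
    address = address.lower()
    chain = []
    if address in cfg.user_policy:
        chain.append(("User", cfg.user_policy[address]))
    groups = cfg.membership.get(address, set())
    for group in cfg.group_order:  # the first listed group a user belongs to wins
        name = cfg.group_policy.get(group)
        if group in groups and name not in (None, "New", "Unassigned"):
            chain.append(("Group", name))
            break
    domain = address.rsplit("@", 1)[-1]
    for pattern, name in cfg.domain_policy.items():
        if domain_matches(pattern, domain):
            chain.append(("Domain", name))
            break
    chain.append(("Default", "Default"))
    return chain

def diagnose(cfg, address):
    """Per feature: the policy that decided it ("X"), the matching policies it
    overrode ("_"), an empty mark where no policy matched, and the final result."""
    chain = matching_policies(cfg, address)
    report = {}
    for feature, global_setting in cfg.global_settings.items():
        marks = dict.fromkeys(LEVELS, "")
        winner = None
        for level, name in chain:
            policy = cfg.policies[name]
            if winner is None and policy.enabled and feature in policy.defined:
                winner, marks[level] = (level, policy.defined[feature]), "X"
            else:
                marks[level] = "_"
        level, result = winner or ("Default", global_setting)
        if global_setting == "Disabled":  # a global off switch cannot be re-enabled
            result = "Disabled"
        report[feature] = {"from": level, "result": result, "marks": marks}
    return report

def sample_config():
    """Constructed configuration for the worked example."""
    settings = {"Anti-Virus": "Enabled", "Attachment Control": "Disabled", "Annotations": "Enabled"}
    policies = {
        "Default": Policy("Default", defined=dict(settings)),
        "example.com": Policy("example.com", defined={"Annotations": "example.com disclaimer"}),
        "subdomains": Policy("subdomains", defined={"Annotations": "subdomain disclaimer"}),
        "Group Policy 1": Policy("Group Policy 1", defined={"Attachment Control": "Enabled"}),
        "User Policy": Policy("User Policy", defined={"Anti-Virus": "Disabled"}),
    }
    return PolicyConfig(
        global_settings=settings, policies=policies,
        user_policy={"alice@example.com": "User Policy"},
        group_policy={"Canada": "Group Policy 1", "Sales": "Unassigned"},
        group_order=["Canada", "Sales"],
        membership={"alice@example.com": {"Sales", "Canada"}, "bob@a.example.com": {"Canada"}},
        domain_policy={"example.com": "example.com", ".example.com": "subdomains"},
    )

def print_table(cfg, address):
    """Render the report in the X / _ layout of the Policy Diagnostics screen."""
    print(f"Policy diagnostics for {address}")
    print(f"{'Feature':20}" + "".join(f"{lvl:>9}" for lvl in LEVELS) + "  Result")
    for feature, row in diagnose(cfg, address).items():
        cells = "".join(f"{row['marks'][lvl]:>9}" for lvl in LEVELS)
        print(f"{feature:20}{cells}  {row['result']} (from {row['from']})")

if __name__ == "__main__":
    for who in ("alice@example.com", "bob@a.example.com"):
        print_table(sample_config(), who)
```

For alice@example.com the table shows Attachment Control decided by the group policy yet still "Disabled", because the feature is off globally; for bob@a.example.com the User column is empty for every feature, since no user policy matched, and the annotation comes from the ".example.com" subdomain policy.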
CHAPTER 11 Threat Prevention

This chapter describes how to configure eprism's Threat Prevention features to detect and automatically respond to security threats, and contains the following topics:

Threat Prevention Overview on page 238
Configuring Threat Prevention on page 239
Creating Threat Prevention Rules on page 241
Static Address Lists on page 251
Dynamic Address Lists on page 253
F5 Blocking on page 256
Cisco Blocking on page 261
Threat Prevention Status on page

Threat Prevention Overview

eprism provides a threat prevention feature to detect and mitigate incoming threats. By default, eprism can recognize the following threats:

Directory harvesting
Denial of Service attacks
Connections from blocked addresses
Connections originating from addresses that send spam
Connections originating from addresses that send viruses

Historical information about connecting IP addresses and how they behave is retained, allowing a configurable set of actions (including accept or reject) to be determined at connection time based on current and historical data. This information can also be pushed to a perimeter F5 or Cisco device, which can be configured to rate limit, throttle, or block a given IP address for a period of time before it reaches eprism.

How Threat Prevention Works

The Threat Prevention feature performs the following tasks:

Determines the threat level of connecting IP addresses and retains historical statistics about each address
Acts on the connection's IP address based on its connection history

The Threat Prevention feature is consulted at several stages of mail delivery for a specific client IP address:

1. At connection request time, the history for the IP address is provided to the rules script, which determines whether the connection should be allowed or rejected, and how to further classify the address into a specific data group.
2. After early mail scanning, the number of known and unknown recipients and the DNSBL results are added to the history of the connecting address.
3. After full mail scanning, the results of Anti-Virus, Anti-Spam, and Malformed message scanning are recorded in the history of the address.
4. Prior to connection, an F5 or Cisco device (if configured) may block an IP address before it reaches eprism, if eprism is configured to push threat prevention information to the device.

Configuring Threat Prevention

A Connection Rules script is run each time a client tries to connect to eprism. This configurable script determines whether to accept or reject a connection based on its threat prevention history. The script evaluates the connection and drives the reject or accept decision for the threat prevention feature. The script is also responsible for moving IP addresses into the appropriate data groups.

Select Mail Delivery > Threat Prevention on the menu to configure eprism's threat prevention features.

eprism Security Appliance implements connection rule checking by using a scripting language to drive the decision-making process. The script can reject or accept mail based on the various statistics available at the time of client connection. The listed default rules are processed in order.

Description: A description for the rule.
Condition: Condition statement to execute.
List: Defines which list to insert the IP address into.
Action: Action to take if the condition is "True", such as Accept or Reject.
Reject Code: Reply code to send to the connecting client. For Reject, this is 450 (temporary) or 550 (permanent). For Accept, the reply code is set to 220.
Move: Select the arrows to modify the ordering of the connection rules.

Click the Add Rule button to add a new connection rule. These rules are fully configurable, and the system checks the script when it is saved to ensure there are no syntax or execution errors. When you are finished with your changes, click the Apply button. The results of the script test will be shown, including any existing syntax errors. Click the Advanced button to see the entire connection rules script generated from the configured rules.

See the following section, Creating Threat Prevention Rules on page 241, which describes how to create these rules.

Resetting to Defaults

Press the Reset to Defaults button to replace all existing rules with the default set of rules.

Creating Threat Prevention Rules

The Threat Prevention feature runs a connection rules script each time a client tries to connect to eprism. The script determines whether to accept or reject a connection based on its threat prevention history. The script is also responsible for moving IP addresses into the appropriate dynamic lists, such as "infected" or "spammers". The full script itself is not editable, but it is updated with the condition statements and actions that are defined for each Threat Prevention rule. These rules are configurable, and the system checks the script when new rules are applied to ensure there are no syntax or execution errors.

Basic Rule Structure

The basic structure of a connection rule is as follows:

Rule Condition: A set of criteria that must be met for the rule to be triggered, such as "stats1h.virus > 10" (more than 10 virus-infected messages sent in the last hour). eprism collects over 15 different types of data that can be used to create a rule condition.

Action: Action to take when the rule condition is met, such as "Accept" or "Reject".

Reply code: The reply code to send back to the sending server, such as temporarily reject (450) or permanently reject (550).

Add to Dynamic List: Add the IP address to a configured dynamic list, if applicable. For example, a sender that triggers a spam rule can be placed in the "spammers" dynamic list.

Default Connection Rules

The default connection rules are active when the Threat Prevention feature is enabled. These rules include checks for typical conditions such as blocked clients, virus and junk mail senders, and denial of service (DoS) attempts. The default rules are also helpful in learning how to put together condition statements for customized connection rules. Any of the default rules can be customized to change any aspect of the rule to better suit the needs of your organization.

Blacklisted clients

This rule checks if the client is already blocked by eprism. The condition statement "is_blacklist" simply checks if the client is listed in the blacklist static IP address list. If the check is true, the client is rejected and added to the blacklisted dynamic IP address list.

Directory harvesters

This rule checks if the client has been involved in directory harvesting activity intended to discover valid addresses from eprism. The following condition statement is used to identify whether a client is considered a directory harvester:

stats30m.bad_recipients >= 50 && stats30m.good_recipients < 3 && (!is_internal && !is_mynetworks)

This statement indicates: if the number of invalid recipients from the client in the last 30 minutes is greater than or equal to 50, and the number of good recipients from the client in the last 30 minutes is less than 3, and the client does not exist in the internal or mynetworks static lists (which would trust the client), then the connecting system is rejected and entered into the harvesters dynamic IP address list.

Big virus senders

This rule checks if the client has recently sent a large number of viruses. The following condition statement is used to identify whether a client is considered a source of viruses:

stats1h.virus > 10 && stats1h.perc_virus_to_messages > 50 && stats1h.perc_ham_to_messages < 25 && (!is_internal && !is_mynetworks)

This statement indicates: if the number of viruses received from this client in the last hour is greater than 10, and the percentage of virus-infected messages received from this client in the last hour is greater than 50, and the percentage of clean messages received from this client in the last hour is less than 25, and the client does not exist in the internal or mynetworks static lists (which would trust the client), then the connecting system is rejected and entered into the infected dynamic IP address list.

DNSBL clients (on more than one list)

This rule checks if the client is listed on more than one DNS Block List of blocked clients. If the client is on more than one DNSBL, it is a known open relay that may send out a large number of spam messages. The following condition statement is used to identify whether a client is on more than one DNSBL:

block_list > 1 && (!is_internal && !is_mynetworks)

This statement indicates: if the client exists on more than one DNSBL, and the client does not exist in the internal or mynetworks static lists (which would trust the client), then the connecting system is temporarily rejected and entered into the spammers dynamic list.

DNSBL clients

This rule checks if the client exists on only one DNS Block List. In this case there is a possibility that the client is on this DNSBL by mistake, so eprism makes additional checks of its recent mail history. The following condition statement is used to identify whether a client is on one DNSBL and sends a large number of spam messages:

block_list == 1 && stats30m.bad_mail > 10 && stats30m.ham < 2 && (!is_internal && !is_mynetworks)

This statement indicates: if the client exists on only one DNSBL, and the number of spam and junk messages received from this client in the last 30 minutes is greater than 10, and the number of clean messages received from this client in the last 30 minutes is less than 2, and the client does not exist in the internal or mynetworks static lists (which would trust the client), then the connecting system is temporarily rejected and entered into the spammers dynamic IP address list.

Junk senders

This rule checks if the client sends out a large amount of spam or junk mail in proportion to the number of legitimate messages. The following condition statement is used to identify whether a client is sending a large amount of spam or junk messages compared to legitimate messages:

stats1h.bad_mail > 20 && stats1h.perc_ham_to_spam < 25 && stats5m.messages > 10 && (!is_internal && !is_mynetworks)

This statement indicates: if the number of spam and junk messages received from this client in the last hour is greater than 20, and the percentage of clean messages compared to spam received from this client in the last hour is less than 25, and the number of messages sent from this client in the last five minutes is greater than 10, and the client does not exist in the internal or mynetworks static lists (which would trust the client), then the connecting system is temporarily rejected and entered into the tarpit dynamic IP address list.

Internal DoS

This rule checks if the client is on an internal network and is using a large number of open connections that may result in a denial of service. The following condition statement is used to identify whether an internal client is creating a large number of open connections:

open_connections > 50 && is_internal

This statement indicates: if the number of open connections from this client is greater than 50, and the client is listed in the internal static address list, then the connecting system is temporarily rejected.

External DoS

This rule checks if an external client is using a large number of open connections that may result in a denial of service. The following condition statement is used to identify whether an external client is creating a large number of open connections:

open_connections > 20 && !is_internal

This statement indicates: if the number of open connections from this client is greater than 20, and the client is not listed in the internal static address list, then the connecting system is temporarily rejected.

Excessive senders

This rule checks if a client is sending so many messages that it could result in a denial of service. The following condition statement is used to identify whether a client is sending an abnormal number of messages:

!is_peers && !is_internal && stats1h.messages >

This statement indicates: if the client is not listed in the peers and internal static address lists (which would trust the client), and the number of messages sent from this client in the last hour is greater than the threshold in the condition, then the connecting system is temporarily rejected.

Creating Connection Rules

To create customized connection rules for the Threat Prevention feature, select Mail Delivery > Threat Prevention on the menu, and then click the Add Rule button. The following options can be configured:

Description: Enter a descriptive summary of the rule.

Condition: Enter a condition statement to execute, such as:

stats1h.bad_mail > 20 && (!is_internal && !is_mynetworks)

This statement checks if the client has sent more than 20 virus-infected or spam messages in the last hour and is not on the internal or mynetworks IP address lists. See the following section "Building Condition Statements" for detailed information on creating these statements.

Action: Action to take if the condition is "True". Options are Accept Mail or Reject Mail.

Reject Code: Reply code to send to the connecting client. For Reject, this is 450 (temporary) or 550 (permanent). For Accept, the reply code is set to 220.

Reject Message: A customized reject message to send to the connecting client. The %IP% variable can be used to insert the IP address of the client.

Add to List: Select a Dynamic Address List to add the client IP address to if the condition is true. These lists can be viewed and configured via Mail Delivery > Threat Prevention > Dynamic Lists.

Building Condition Statements

The Threat Prevention rules are based on condition statements that express criteria about the connecting clients and their historical behaviour. The following tables describe the variables, parameters, and Boolean operators available to create Threat Prevention rules.

General Statistics

The following are general statistics that can be used when creating connection rules. They include items such as the IP address of the connecting client and how many open connections a client is using.

TABLE 1. General Statistics

ip_address        The IP address of the connecting client.
current_group     The name of the current Dynamic list the client IP address is in, if any.
open_connections  The current number of open connections from this IP address.
block_list        If DNS Block Lists are enabled, the number of lists the IP address matched.
rule_no           The connection rule number, for ordering purposes.

For example, as part of a condition statement to prevent denial of service attacks, check that the client does not have a large number of open connections:

open_connections > 50

IP Lists

The following parameters indicate whether the client IP address is listed in any of the pre-defined Static IP lists (defined via Mail Delivery > Threat Prevention > Static Lists on the menu). This allows you to check whether the client IP address is trusted because it is identified as an internal system, a network under your control, or a peer address. The client can also be blocked if it appears in the local blacklist.

TABLE 2. IP Lists

is_internal    Checks if the client IP address is listed in the internal address list.
is_mynetworks  Checks if the client IP address is listed in the mynetworks address list.
is_peers       Checks if the client IP address is listed in the peers address list.
is_blacklist   Checks if the client IP address is listed in the blacklisted address list.

For example, to check whether the connecting client is in the blacklist static IP list, use the following condition statement:

is_blacklist

If the client is already listed in the blacklist IP list, the condition is true and the configured action is executed. These lists can also be used to ensure clients are trusted because they are considered internal or under an organization's control. For example, to check for a large number of open connections while ensuring that the client is not an internal client, use the following statement:

open_connections > 50 && !is_internal

This statement matches clients that have more than 50 open connections and do not belong to the internal static IP list.

Statistics

The following statistics can be used to build condition statements in the connection rules based on the types of messages received. These statistics count messages by classification, such as virus-infected, malformed, spam, and clean. Several statistics also indicate the percentage of one type of message relative to another, such as the percentage of spam messages to total messages received.

TABLE 3. Statistics

messages                    Total number of messages from successful connections.
virus                       Number of virus-infected messages.
malformed                   Number of malformed messages.
spam                        Number of spam messages (Intercept Certainly Spam or Probably Spam, PBMF spam).
ham                         Number of messages that were clean (not spam, virus, or malformed).
connection_attempts         Number of attempted connections.
bad_mail                    Number of virus-infected, malformed, and spam messages.
bad_recipients              Number of unknown recipients (or 0 if the "Reject on unknown recipient" feature is disabled).
good_recipients             Number of legitimate recipients.
perc_ham_to_messages        Percentage of clean messages to the total number of messages.
perc_virus_to_messages      Percentage of virus-infected messages to the total number of messages.
perc_spam_to_messages       Percentage of spam messages to the total number of messages.
perc_malformed_to_messages  Percentage of malformed messages to the total number of messages.
perc_bad_to_messages        Percentage of bad messages (virus, malformed, and spam) to the total number of messages.
perc_ham_to_spam            Percentage of clean messages to the total number of spam messages.

These statistics must be used in combination with a specific time period. This allows you to check for the number of certain types of messages, such as "spam" messages, in a certain time period such as 24 hours. The following table describes the time periods that can be used in conjunction with the statistics variables.

TABLE 4. Statistics Time Periods

stats1m   Statistics for the last minute
stats5m   Statistics for the last 5 minutes
stats15m  Statistics for the last 15 minutes
stats30m  Statistics for the last 30 minutes
stats1h   Statistics for the last hour
stats24h  Statistics for the last 24 hours (1 day)

Specify the time period and the statistics parameter separated by a "." (period). For example, to check how many spam messages were received in the last 24 hours, use the following:

stats24h.spam

To check the percentage of spam messages compared to the total number of messages in the last hour, use the following:

stats1h.perc_spam_to_messages

Boolean Operators and Syntax

The following are the Boolean operators that can be used when building condition statements. To combine operators, use parentheses to make the order explicit, as in (a && (b || c)), which means "a" AND ("b" OR "c").

TABLE 5. Boolean Operators

&&  and
!   not
||  or
>   Greater than
<   Less than
==  Equal to
>=  Greater than or equal to
<=  Less than or equal to

For example, to ensure a host is not listed in the internal and mynetworks static lists (which would trust the system for Threat Prevention), use the following:

!is_internal && !is_mynetworks

The following example shows how to use multiple Boolean operators to combine condition statements:

stats30m.bad_recipients >= 50 && stats30m.good_recipients < 3

This example checks the number of good and bad recipients in the last 30 minutes. If the bad recipients are greater than or equal to 50, and the good recipients are less than 3, then the condition is true.

Connection Rules Script Error Checking

When you are finished with the changes and additions to the connection rules, click the Apply button. The results of the script test will be shown, including any syntax errors. If an error occurs, examine the rule you just applied and check the condition statement to ensure that it conforms to the proper syntax and that any variables or parameters are entered correctly.

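An added Python evaluator for the condition-statement syntax of Tables 1 to 5, run in order over the default rules described in the Default Connection Rules section, so that the effect of a rule set can be checked against a sample connection history before it is applied. This is not the appliance's own rules script, whose implementation the guide does not show. The history record layout, the percentage formulas, first-match semantics, the 550 code for rules the text only calls "rejected", and the sample client histories are all assumptions (constructed data); the "Excessive senders" rule is left out because its threshold is not shown above. Malformed statements raise SyntaxError and unknown variable names raise NameError, which is the kind of check the apply-time script test performs.

```python
"""Evaluator for Threat Prevention condition statements (Table 5 operators and
Table 4 windows), applied in order to the default rules. Added example, not the
appliance's rules script; layout, formulas, codes and sample data are assumed."""
import re

TOKEN_RE = re.compile(r"\d+|[A-Za-z_]\w*(?:\.\w+)?|&&|\|\||>=|<=|==|[><!()]")
WINDOWS = ("stats1m", "stats5m", "stats15m", "stats30m", "stats1h", "stats24h")
CMP = {">": lambda a, b: a > b, "<": lambda a, b: a < b, "==": lambda a, b: a == b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}

def evaluate(text, env):
    """Recursive descent; precedence tightest first: comparison, !, &&, ||."""
    tokens = TOKEN_RE.findall(text)
    if "".join(tokens) != re.sub(r"\s+", "", text):
        raise SyntaxError(f"unrecognised characters in {text!r}")
    tokens.append(None)  # end marker, so tokens[pos] is always a valid lookahead
    pos = 0
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def chain(op, sub, combine):  # both sides are always parsed, never short-circuited
        value = sub()
        while tokens[pos] == op:
            take()
            value = combine(value, sub())
        return value
    def or_expr():
        return chain("||", and_expr, lambda a, b: a or b)
    def and_expr():
        return chain("&&", unary, lambda a, b: a and b)
    def unary():
        if tokens[pos] == "!":
            take()
            return not unary()
        if tokens[pos] == "(":
            take()
            value = or_expr()
            if take() != ")":
                raise SyntaxError("missing ')'")
            return value
        left = operand()
        return CMP[take()](left, operand()) if tokens[pos] in CMP else left
    def operand():
        tok = take()
        if tok is None or not (tok[0].isalnum() or tok[0] == "_"):
            raise SyntaxError(f"expected a number or variable, got {tok!r}")
        if tok.isdigit():
            return int(tok)
        if tok not in env:
            raise NameError(f"unknown variable {tok!r}")
        return env[tok]
    value = or_expr()
    if tokens[pos] is not None:
        raise SyntaxError(f"unexpected {tokens[pos]!r}")
    return bool(value)

def build_env(client):
    """Names a condition may use. Percentages are assumed to be 100*part/whole
    (0 when the denominator is 0; perc_ham_to_spam is 100 with no spam seen)."""
    env = {"open_connections": 0, "block_list": 0, "is_internal": False,
           "is_mynetworks": False, "is_peers": False, "is_blacklist": False}
    env.update({k: v for k, v in client.items() if k not in WINDOWS})
    pct = lambda part, whole: 100 * part // whole if whole else 0
    for w in WINDOWS:
        c = {k: client.get(w, {}).get(k, 0) for k in ("messages", "virus", "malformed",
             "spam", "ham", "connection_attempts", "bad_recipients", "good_recipients")}
        c["bad_mail"] = c["virus"] + c["malformed"] + c["spam"]
        for name in ("ham", "virus", "spam", "malformed", "bad"):
            c[f"perc_{name}_to_messages"] = pct(c.get(name, c["bad_mail"]), c["messages"])
        c["perc_ham_to_spam"] = pct(c["ham"], c["spam"]) if c["spam"] else 100
        env.update({f"{w}.{k}": v for k, v in c.items()})
    return env

# (description, condition, reply code, dynamic list) for the default rules above;
# "Excessive senders" is omitted because its threshold is not shown in the text.
DEFAULT_RULES = [
    ("Blacklisted clients", "is_blacklist", 550, "blacklisted"),
    ("Directory harvesters", "stats30m.bad_recipients >= 50 && stats30m.good_recipients < 3 && (!is_internal && !is_mynetworks)", 550, "harvesters"),
    ("Big virus senders", "stats1h.virus > 10 && stats1h.perc_virus_to_messages > 50 && stats1h.perc_ham_to_messages < 25 && (!is_internal && !is_mynetworks)", 550, "infected"),
    ("DNSBL clients (on more than one list)", "block_list > 1 && (!is_internal && !is_mynetworks)", 450, "spammers"),
    ("DNSBL clients", "block_list == 1 && stats30m.bad_mail > 10 && stats30m.ham < 2 && (!is_internal && !is_mynetworks)", 450, "spammers"),
    ("Junk senders", "stats1h.bad_mail > 20 && stats1h.perc_ham_to_spam < 25 && stats5m.messages > 10 && (!is_internal && !is_mynetworks)", 450, "tarpit"),
    ("Internal DoS", "open_connections > 50 && is_internal", 450, None),
    ("External DoS", "open_connections > 20 && !is_internal", 450, None),
]

def run_rules(client, rules=DEFAULT_RULES):
    """First rule whose condition is true decides; otherwise accept with 220."""
    env = build_env(client)
    for description, condition, code, dyn_list in rules:
        if evaluate(condition, env):
            return {"rule": description, "action": "Reject", "code": code, "list": dyn_list}
    return {"rule": None, "action": "Accept", "code": 220, "list": None}

SAMPLE_CLIENTS = {  # constructed connection histories, not real appliance data
    "virus_source": {"stats1h": {"messages": 30, "virus": 20, "ham": 5}},
    "internal_copy": {"is_internal": True, "stats1h": {"messages": 30, "virus": 20, "ham": 5}},
    "harvester": {"stats30m": {"bad_recipients": 80, "good_recipients": 1}},
    "single_dnsbl": {"block_list": 1, "stats1h": {"messages": 40, "ham": 40}},
}
```

Running `run_rules` over `SAMPLE_CLIENTS` shows the trust semantics of the static-list flags: the same virus statistics reject an external client into the "infected" list but are ignored for a client listed as internal, and a client on a single DNSBL with an otherwise clean history is accepted, exactly as the "DNSBL clients" rule intends. Note that the evaluator parses both sides of `&&` and `||` before combining them, so a typo in a rarely reached part of a condition is still reported.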
Static Address Lists

Static IP/CIDR address lists define specific groups of IP addresses that affect Threat Prevention processing. When a client connects, the connection rules script looks up the client's IP address in the existing Static Address Lists and performs any defined actions for that list. This allows you to trust, block, or provide additional classification for a specific IP address or subnet. For example, if the address is listed in the blacklist, the connection rules script will reject the message. Addresses in the peers or mynetworks list can be exempted from some of the checks because they are known sources or internal networks of your organization.

It is critical that administrators add any non-routable networks used locally to the internal address list, and ensure that any networks under the organization's control or friendly networks are listed in the mynetworks and peers lists respectively. This prevents local addresses from being affected by Threat Prevention processing.

Select Mail Delivery > Threat Prevention > Static Lists to define your static address lists.

blacklist: List of IP addresses or networks from which you never want to receive mail.
internal: List of internal non-routable IP addresses from which you will always accept mail, such as the network.
mynetworks: A list of networks and subnets under your organization's control from which you will always accept mail.
peers: A list of special sites, such as peer ISP networks, from which you will typically always accept mail. The peers list is not used by the default connection rules; administrators must modify the current rules or add a new connection rule to use this list.
relays: A list of mail servers that need to relay mail via eprism. This prevents these servers from being blocked by content-based Threat Prevention rules and BSN, and from being reported to BSN.

Click the Add button to add a new IP list.

Enter a name and description for this address list, and then enter one of the following address types:

- Single IP address, such as
- Subnet in CIDR format (such as /24)
- Class A, B, or C subnet with trailing octets removed (such as )

Enter a comment that further describes the addresses in this list. When finished, click the Add button to add the new list.

Uploading and Downloading Addresses

A list of addresses can also be uploaded as a single text file. The file must contain comma- or tab-separated entries in the form:

    [address],[description]

For example:

    /16,non-routable

The file (ipcidr.csv) should be created in CSV format using Excel, Notepad, or another Windows text editor. It is recommended that you first download the current file by clicking Download File, edit it as required, and then upload it using the Upload File button.
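The following added example (not eprism's own code) parses the upload file format described above, accepts the three address forms listed on this page, and looks a connecting address up across the static lists in the way the previous page describes the connection rules script doing. The sample list contents and the order in which the lists are checked are constructed assumptions.

```python
"""Parse eprism-style static IP/CIDR list files and look up a client address.

This is an added example, not eprism's own connection rules script. It accepts
the three address forms the guide lists (single IP, CIDR subnet, class A/B/C
subnet with trailing octets removed) and the '[address],[description]' upload
format. The list contents and the precedence order are constructed assumptions.
"""
import csv
import ipaddress

# Static list names from the guide. The checking order is this example's
# assumption; the real rules script may apply the lists in a different order.
LIST_ORDER = ("blacklist", "internal", "mynetworks", "relays", "peers")


def parse_address(text):
    """Convert one address field into an ipaddress network object.

    '192.0.2.10'   -> 192.0.2.10/32     single IP
    '192.0.2.0/24' -> 192.0.2.0/24      CIDR subnet
    '10'           -> 10.0.0.0/8        class A, trailing octets removed
    '172.16'       -> 172.16.0.0/16     class B
    '192.168.1'    -> 192.168.1.0/24    class C
    """
    text = text.strip()
    if "/" in text:
        return ipaddress.ip_network(text, strict=False)
    octets = text.split(".")
    if len(octets) == 4:
        return ipaddress.ip_network(text + "/32")
    if 1 <= len(octets) <= 3:
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)
    raise ValueError(f"unrecognised address form: {text!r}")


def parse_list_file(csv_text):
    """Parse the upload format: one '[address],[description]' per line,
    comma or tab separated. Returns a list of (network, description)."""
    entries = []
    for raw in csv_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        delimiter = "\t" if "\t" in line else ","
        fields = next(csv.reader([line], delimiter=delimiter))
        description = fields[1].strip() if len(fields) > 1 else ""
        entries.append((parse_address(fields[0]), description))
    return entries


def lookup(client_ip, lists):
    """Return (list_name, description) for the first static list that contains
    client_ip, checked in LIST_ORDER, or (None, '') if no list matches."""
    addr = ipaddress.ip_address(client_ip)
    for name in LIST_ORDER:
        for network, description in lists.get(name, []):
            if addr in network:
                return name, description
    return None, ""


def connection_decision(client_ip, lists):
    """Map the matched list to the treatment the guide describes."""
    name, _ = lookup(client_ip, lists)
    if name == "blacklist":
        return "reject"        # never accept mail from these addresses
    if name in ("internal", "mynetworks"):
        return "trusted"       # exempt from Threat Prevention checks
    if name == "relays":
        return "relay"         # exempt from content-based rules and BSN reporting
    return "scan"              # unlisted (and peers: unused by the default rules)


# Constructed sample data using documentation/private ranges, not eprism defaults.
SAMPLE_LISTS = {
    "blacklist": parse_list_file("203.0.113.0/24,known spam source\n"),
    "internal": parse_list_file("10,non-routable\n192.168,non-routable\n"),
    "mynetworks": parse_list_file("198.51.100\tbranch office\n"),
    "relays": parse_list_file("192.0.2.25,downstream relay\n"),
}
```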

Dynamic Address Lists

The Threat Prevention feature can place IP addresses into dynamic address lists for a specified period of time and set the response to connection requests from clients that fall into these groups. Each dynamic list can be configured with a specific action (such as a 450 temporary reject or a 550 permanent reject) and a time period during which that action applies.

Dynamic lists differ from static lists in that their contents change continually based on the latest threat prevention data. Static lists are used by the administrator to define trusted and blocked lists based on addresses specific to their organization. Dynamic lists build their data from the history of connecting addresses and assign specific rules and actions to those addresses based on that history.

IP addresses are added to these lists by the Threat Prevention connection rules script when they match a specific behavior. For example, messages from an IP address that indicate harvesting of email addresses cause that address to be put into the harvesters list. When the same IP address tries to connect again after being added to the list, and the list is configured with the reject action, the connection is rejected with the reject code configured for that list. For example, the harvesters list rejects with the code "550 denied due to too many unknown recipients". No further statistics are gathered on that IP address during this early reject period, and further Threat Prevention rules are not applied. An IP address is released from a dynamic list after a configurable period of time. Dynamic lists can contain tens of thousands of IP addresses.

Dynamic lists with an action of "Just Log" pass the request on to the rules processing script. The rules script can then specify its own reject or accept action. If the rules script specifies an accept action, further statistics are gathered as the mail is received and processed.

Integration with F5 and Cisco Devices

The dynamic lists defined on eprism can also be pushed to an F5 or Cisco device. If this feature is configured, any IP address added to a dynamic list by the connection rules script is pushed to the F5 or Cisco device and added to a group list of the same name. This allows the F5 or Cisco device to process further connections from that IP address and act accordingly, without the connection ever reaching eprism.

Configuring Dynamic Lists

Select Mail Delivery > Threat Prevention > Dynamic Lists to configure your threat prevention dynamic lists. There are five predefined dynamic lists:

blacklisted: Addresses that have been blocked.
harvesters: Addresses known to be involved in directory harvesting of email addresses.
infected: Addresses known to send virus-infected messages.
spammers: Addresses known to send large amounts of spam.
tarpit: Group used to temporarily reject connections in order to slow down incoming connections from an address.

Select a group to edit its properties, or click the Add button to add a new group.

Name: Enter a descriptive name for this list. If you are pushing data to an F5 or Cisco device, this list name must match the group name configured on the device.

Description: Enter a description of this list.

Action: The action to take if a connecting IP is listed in this group. The choices are Reject Mail or Just Log.

Reject Code: If the selected action is Reject Mail, reply to the connection request with this reject code. Choose between "450" (temporary) and "550" (permanent).

Reject Message: Enter the reason given to the client for rejecting the connection. This message is only used if the action is set to Reject Mail.

Entry Duration: Enter the duration (in seconds) for which an IP remains in this list after it has been placed in the group by a connection rule. This duration only applies to the groups on eprism and is not pushed to an F5 or Cisco device.

Maximum Entries: If the entry is not rejected, only allow this many address entries in the list at once. This value can range from 0 up to a fixed maximum; set it to "0" for unlimited.

Push to Cisco Devices: Select the check box to push data to all configured Cisco devices. The list name must be identical to the group name defined on the Cisco device. Only one dynamic list can be assigned to push information to a Cisco device.

Push to F5 Devices: Select the check box to push data to all configured F5 devices. The group name must be identical to the group name defined on the F5 device.
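The following added example (not eprism's code) models the dynamic list behaviour described over the last few pages: timed entries, the Reject Mail and Just Log actions, the 450 and 550 reject codes, Entry Duration, Maximum Entries, and the early-reject path that bypasses the rules script. The harvesting threshold, the reject messages other than the harvesters one, and what happens when a list is full are assumptions of the example.

```python
"""Model of eprism-style dynamic address lists with timed entries.

Added example, not eprism code. The five predefined list names, the Reject Mail
and Just Log actions, the 450 and 550 reject codes, Entry Duration and Maximum
Entries come from the guide; the harvesting threshold and what happens when a
list is full are assumptions of this example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DynamicList:
    name: str
    action: str                 # "reject" (Reject Mail) or "log" (Just Log)
    reject_code: int = 550      # 450 = temporary reject, 550 = permanent reject
    reject_message: str = "denied"
    entry_duration: int = 3600  # seconds an IP stays listed
    max_entries: int = 0        # 0 = unlimited
    entries: dict = field(default_factory=dict)  # ip -> expiry time (seconds)

    def expire(self, now):
        """Release every address whose entry duration has elapsed."""
        for ip in [ip for ip, until in self.entries.items() if until <= now]:
            del self.entries[ip]

    def add(self, ip, now):
        """List an IP for entry_duration seconds. Returns False when the list
        is full (assumption: new addresses are dropped rather than evicting)."""
        self.expire(now)
        ip = str(ipaddress.ip_address(ip))
        if self.max_entries and ip not in self.entries \
                and len(self.entries) >= self.max_entries:
            return False
        self.entries[ip] = now + self.entry_duration
        return True

    def contains(self, ip, now):
        self.expire(now)
        return str(ipaddress.ip_address(ip)) in self.entries


def default_lists():
    """The five predefined lists. The harvesters message is the guide's;
    the other messages and durations are constructed."""
    return [
        DynamicList("blacklisted", "reject", 550, "client blacklisted"),
        DynamicList("harvesters", "reject", 550,
                    "denied due to too many unknown recipients"),
        DynamicList("infected", "reject", 550, "infected"),
        DynamicList("spammers", "reject", 550, "too much spam"),
        DynamicList("tarpit", "reject", 450, "try again later", entry_duration=300),
    ]


def early_reject_check(ip, lists, now):
    """Runs before the connection rules script. Returns (reply, list_name):
    reply is an SMTP status line for a listed IP whose list rejects, or None
    when the connection goes on to rules processing (unlisted or Just Log)."""
    for dl in lists:
        if dl.contains(ip, now):
            if dl.action == "reject":
                return f"{dl.reject_code} {dl.reject_message}", dl.name
            return None, dl.name   # Just Log: noted, the rules script decides
    return None, None


def rules_script(ip, unknown_recipients, lists, now, threshold=5):
    """Stand-in for the connection rules script: an IP that addressed more than
    `threshold` unknown recipients is placed in the harvesters list."""
    if unknown_recipients > threshold:
        harvesters = next(dl for dl in lists if dl.name == "harvesters")
        harvesters.add(ip, now)
        return "reject: harvesting"
    return "accept"


def handle_connection(ip, unknown_recipients, lists, now):
    """Full path for one connection attempt at time `now`."""
    reply, _ = early_reject_check(ip, lists, now)
    if reply is not None:
        return reply               # early reject: no statistics gathered
    return rules_script(ip, unknown_recipients, lists, now)
```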

F5 Blocking

Administrators can push eprism's Threat Prevention information to an existing F5 device. The F5 device can then be configured to rate limit, throttle, or block a given IP address. The dynamic lists defined with eprism's Threat Prevention feature populate data groups of the same name on the F5. For example, IP addresses already placed in the "spammers" group can be pushed to the group of the same name on the F5 device, which then manages the response to those addresses. The F5 device is then responsible for acting on those IP addresses. When an item is removed from a Threat Prevention dynamic list, it is automatically removed from the F5 data group.

Note that the duration period of the IP addresses only applies to the dynamic lists on eprism. eprism pushes updated list information to the F5 every 30 seconds to ensure the lists are current and accurate: expired IP addresses are removed and addresses added since the last update are added to the F5 device's list. The dynamic list is also fully synchronized with the F5 device every hour.

Administrators must then configure iRules on the F5 device to act on the data groups as appropriate. The Threat Prevention feature does not automatically create iRules on the F5 device. The F5 device must be version or greater.

Select Mail Delivery > Threat Prevention > F5 Blocking to define your F5 devices. Click Add to add a new F5 device.

Name: Enter a descriptive name to refer to this specific F5 device.
URL: Enter the full URL for the F5 device, such as
User Name: Enter a valid user name to log in to the F5 device.
Password: The corresponding password for the user name entered above.

Click the Test button to test your connection and login parameters on the F5 device.

Enabling Data Transfer to an F5 Device

eprism's Threat Prevention feature can be configured to push items from its own dynamic lists to F5 data groups of the same name on one or more F5 devices. To enable data to be pushed to F5, ensure that each dynamic list defined on eprism in Mail Delivery > Threat Prevention > Dynamic Lists has the Push to F5 Devices check box enabled.

Configuring F5 Data Groups

The dynamic list names defined on eprism must be created manually on the F5 devices; these groups are not created automatically by the Threat Prevention feature. On the F5 device, you must create the groups as "external file" address data groups, not as address groups. External file address groups can be updated frequently with many IP addresses without affecting F5 performance.

To create groups on the F5 device:

1. Log in to the F5 administration interface.
2. Select Local Traffic > iRules, and then click the Data Group List tab.
3. Click Create, and then enter the same group name as the data group defined in eprism's Threat Prevention feature.
4. Select External File (not Address); a subset of options will appear.
5. Enter the group name and select Address in the File Contents list.
6. Click Finished.
7. Repeat the steps for each data group required. This procedure must be repeated on each F5 device.

8. Create an iRule for the data groups. An iRule for the default set of data groups provided with Threat Prevention would be similar to the following:

    when CLIENT_ACCEPTED {
        # Each check matches the connecting address against the data group
        # of the same name as the eprism dynamic list.
        if {[matchclass [IP::remote_addr] equals $::harvesters]} {
            TCP::respond "550 Message Rejected - Too many unknown recipients\r\n"
            drop
        }
        if {[matchclass [IP::remote_addr] equals $::spammers]} {
            TCP::respond "550 Message Rejected - Too much spam\r\n"
            drop
        }
        if {[matchclass [IP::remote_addr] equals $::blacklisted]} {
            TCP::respond "550 Message Rejected - client blacklisted\r\n"
            drop
        }
        if {[matchclass [IP::remote_addr] equals $::infected]} {
            TCP::respond "550 Message Rejected - Infected\r\n"
            drop
        }
        # Tarpitted clients are not dropped; they are sent to a rate-limited pool.
        if {[matchclass [IP::remote_addr] equals $::tarpit]} {
            pool slow_rateclass
        }
    }

9. Create any rate shaping classes, virtual hosts, pools, and so on, as necessary for the normal configuration of an MTA. In the previous example, a pool called "slow_rateclass" is required; it would be configured with rate shaping to allow only a limited rate of traffic.
10. Click the Test button in the Mail Delivery > Threat Prevention > F5 Blocking menu to verify that you have configured the F5 device correctly in the Threat Prevention feature. eprism attempts to list the contents of the F5 data group; if successful, the list of IP addresses that have been pushed to the F5 device is displayed. The test does not interrupt mail delivery or communications with the F5 and can be used at any time.

In version of F5, you cannot view the contents of external file data groups from the F5 web interface. Use the Test button in eprism's Threat Prevention menu to view the contents of external file data groups.

eprism and F5 Integration Notes

Note the following considerations when integrating eprism and an F5 device:

- The Threat Prevention feature updates continuously but also synchronizes with each F5 data group once an hour to ensure there are no discrepancies.
- If the F5 device does not contain a data group, Threat Prevention will attempt to synchronize with it indefinitely, once every second, and will report a warning for this condition in the mail logs once every 30 seconds.
- If communications between eprism and the F5 device are lost, the Threat Prevention feature retries the connection to the F5 up to ten times.
- When using F5 integration with an eprism cluster, only the master Cluster Console's data groups are pushed to the F5 device.

Cisco Blocking

Administrators can push Threat Prevention information to an existing Cisco device. eprism can update the Cisco device with information from one dynamic address list. The Cisco device can then be configured to block a given IP address by adding it to an appropriate IP named ACL (Access Control List). When an item is removed from eprism's Threat Prevention list, it is automatically removed from the Cisco IP access list. eprism uses the IP named access control list feature to forward information to the Cisco device. Cisco IOS version 11.2 or later is required for eprism and Cisco integration.

Select Mail Delivery > Threat Prevention > Cisco Blocking to define your Cisco devices. Click the Add button to add a new Cisco device.

Name: Enter a descriptive name to refer to this specific Cisco device.
URL: Enter the full telnet URL for the Cisco device, such as telnet://
User Name: Enter a valid user name to log in to the Cisco device.
User Password: The corresponding password for the user name entered above.
Administrative Password: Enter the administrative (enable) password for this device.

Because the connection uses Telnet, the user and enable passwords cross the network unencrypted; keep the path between eprism and the Cisco device on a trusted management network.

Enabling Data Transfer to a Cisco Device

eprism's Threat Prevention feature can be configured to push items from a defined dynamic address list to an IP access list on a Cisco device. To enable data to be pushed to the Cisco device, select a dynamic list defined on eprism in Mail Delivery > Threat Prevention > Dynamic Lists, and ensure that the Push to Cisco Devices check box is enabled.

When using Cisco integration with an eprism cluster, only the master Cluster Console's data groups are pushed to the Cisco device.

The Cisco device can only accept one dynamic list. It is recommended that the blacklisted list be used to block clients at the Cisco device.

Note that the duration period of the IP addresses only applies to the dynamic lists on eprism. eprism pushes updated list information to the Cisco device every 30 seconds to ensure the lists are current and accurate: expired IP addresses are removed and addresses added since the last update are added to the Cisco device's list. The dynamic list is also fully synchronized with the Cisco device every hour.

Ensure that the Maximum Entries value is tuned to the capabilities of your Cisco device. Large values may overrun a smaller Cisco device that can only handle a limited number of access list entries.

Cisco Device Configuration

Configure the Cisco device as follows to integrate with eprism's Threat Prevention feature. For IOS version 12.1 and later, the eprism lists are created automatically on the Cisco device when group information is pushed; however, the IP access group must still be assigned to a specific interface.

1. Log in to the Cisco device with the enable privilege.
2. Change to configuration mode:
       # configure terminal
3. Change to interface mode (where x/y identifies the Ethernet interface):
       # interface FastEthernet x/y
4. Attach the IP access group for the eprism dynamic address list to the interface:
       # ip access-group <access_list_name> in
5. Exit from config-if mode:
       # exit
6. Perform the same steps for each Cisco interface as required.

Threat Prevention Status

The Threat Prevention Status screen displays the current state of the Threat Prevention feature and reports the current number of items in each specified list, such as the number of addresses listed as "spammers". Select Status/Reporting > Threat Prevention Status from the menu to view the current threat status.

A summary of the entire threat prevention database is displayed, including the following:

- Number of IPs in the Threat Prevention database
- Number of open connections, and open connections in a DNSBL
- The number of items in each defined data group, such as "tarpit", "harvesters", "spammers", "infected", and "blacklisted"

Administrators can search for the state of a specific IP address by entering it in the search field and clicking the right-arrow button. A new table appears for that IP address, showing statistics on the number of messages received from it during a time period and the types of messages received. To reset the status data, click Reset Threat Prevention History.

CHAPTER 12 HALO (High Availability and Load Optimization)

This chapter describes the high availability and load optimization features of the eprism Email Security Appliance, and contains the following topics:

HALO Overview on page 266
Configuring Clustering on page 268
Cluster Management on page 274
Configuring the F5 Load Balancer on page 278
Queue Replication on page

HALO Overview

HALO (High Availability and Load Optimization) is the fail-safe clustering architecture that provides high availability for the eprism Email Security Appliance. HALO enables two or more eprism systems to act as a single logical unit for processing a mail stream while providing load balancing and high availability benefits. HALO ensures that mail messages are never lost due to security vulnerabilities or individual system failures. The clustering architecture is illustrated in the following diagram.

Cluster Management

The eprism systems participating in the cluster are grouped together by connecting a network interface on each to a separate network called the cluster network. The eprism systems exchange clustering information with each other over this network. Systems can be added to or removed from a cluster without interruption to mail services. It is recommended that all systems in the cluster run on the same platform, and that the cluster network be separated from the main production network.

One system is configured as the Cluster Console, the "master" system from which all cluster administration and configuration is performed. When an eprism system is added to the cluster, its configuration is automatically synchronized with the Cluster Console. Any change to the configuration on the Cluster Console is also replicated to every cluster member. The eprism cluster is thus treated as a single logical unit for processing mail and for system configuration.

Load Balancing

Although the eprism cluster is treated as one system, email is processed independently by each cluster member, so a load balancing mechanism is required to distribute mail flow between the systems in the cluster.

Load Balancing via DNS

A DNS round-robin technique can be used to distribute incoming SMTP connections across the systems in the cluster, as shown in the following example MX records:

    example.com  IN  MX  10  mail1.example.com
    example.com  IN  MX  10  mail2.example.com

Priority can be given to specific servers by configuring different preference values, as follows:

    example.com  IN  MX  5   mail1.example.com
    example.com  IN  MX  10  mail2.example.com

Using a Load Balancer

You can also use a hardware load balancing device, such as the F5 BIG-IP, a Cisco load balancer, or another similar device. The load balancer is configured to send the mail stream to the systems in the cluster; if one of the systems fails, the load balancer distributes the load between the remaining systems. The load balancer can be configured to distribute mail stream connections intelligently across all systems in the cluster, using techniques such as round-robin and distribution by system load and availability.
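The following added example (not eprism code) shows what the two MX record sets above mean to a sending MTA: with equal preference values the first connection attempt is spread across both cluster members, while with different values mail1 is always tried first and mail2 only receives mail when mail1 is unreachable. The ordering rule is the standard SMTP one; the reachability sets are constructed.

```python
"""How a sending MTA orders the cluster's MX records before connecting.

Added example, not eprism code, using the guide's two sets of MX records. It
applies the standard SMTP rule (RFC 5321 section 5.1): lowest preference value
first, hosts with equal preference in random order, then fall back to the next
host when a connection fails.
"""
import random

# The guide's example records as (preference, host) pairs.
EQUAL_PRIORITY = [(10, "mail1.example.com"), (10, "mail2.example.com")]
PREFERRED_FIRST = [(5, "mail1.example.com"), (10, "mail2.example.com")]


def delivery_order(mx_records, rng=random):
    """Order hosts by preference; shuffle hosts that share a preference so
    that equal records spread connections across the cluster."""
    by_pref = {}
    for pref, host in mx_records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


def deliver(mx_records, reachable, rng=random):
    """Try each host in delivery order; return the first one that accepts the
    connection, or None if every MX host is down (the message stays queued)."""
    for host in delivery_order(mx_records, rng):
        if host in reachable:
            return host
    return None


def first_choice_share(mx_records, trials=1000, seed=1):
    """Count how often each host is the first connection attempt, to show the
    load split each record set produces."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        host = delivery_order(mx_records, rng)[0]
        counts[host] = counts.get(host, 0) + 1
    return counts
```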

Configuring Clustering

The following sections describe how to install and configure a cluster. In these examples, a cluster of two systems is described. The procedure requires the following steps:

1. Hardware and Licensing: Ensure that all systems have the same hardware and software versions and are properly licensed. This includes the eprism license, the Stateful Failover license, and any other options. Ensure that the member systems are new installations with no changes to the default configuration; when they are connected to the cluster, they receive their configuration from the Cluster Console.
2. Cluster Network Configuration: Configure a network interface on each system for clustering. Using an M1000 (which only has two network cards) in a clustering scenario requires that it be deployed internally using a single-interface model so that the second network card can be used for clustering.
3. Create the cluster: From the Cluster Console system, create the cluster.
4. Add cluster members: From the Cluster Console, add the cluster member systems.

Step 1: Hardware and Licensing

All cluster members, including the Cluster Console, should have the same level of hardware and run the same software version and update patches. All cluster members must also have the same additional features (such as Kaspersky Anti-Virus) installed and licensed before integration into the cluster. Member systems should be new installations with no changes to the default configuration except for additional licensed options.

It is critical that the cluster member systems be new installations with no changes to the default configuration except for licensed options, networking, and HALO settings. The admin passwords must also be identical.

Step 2: Cluster Network Configuration

The following instructions describe how to configure the network settings for two eprism systems in a cluster.

1. Connect an unused network interface from each eprism to a common network switch, or connect the two interfaces with a crossover network cable. This forms the "cluster network", a control network over which clustering information is passed between the eprism systems that form the cluster. For security reasons, this network should be isolated and not connected to the main network. For a cluster of two systems, a crossover cable between the selected interfaces provides a secure connection without the need for a switch.
2. On each eprism system, go to the Basic Config > Network screen.
3. On the network interface that you want to use for clustering, ensure that an IP address has been configured and that the Trusted Subnet and Admin Login check boxes are enabled.

4. In the Clustering section of the Network settings screen, select the Enable Clustering check box and choose the network interface that is connected to the cluster control network. Ensure that the selected interface has already been configured with an IP address before enabling clustering.

Step 3: Creating the Cluster

The following instructions describe how to create the cluster and initialize the Cluster Console system.

1. Select HALO > Cluster Administration on the menu. Before continuing, ensure that this is the system that you want to be the Cluster Console.
2. Click the Configure button to start the cluster configuration process.
3. The system prompts you for the information needed to set up the cluster. First, enter the admin user and password for the system that will be configured as the Cluster Console. Click the Add or Update Member button to add the system as the Cluster Console, and then click Close to finish.
4. The Cluster Management console is then displayed.

Step 4: Adding Cluster Members

The following instructions describe how to add other systems to the cluster. It is critical that any additions to or deletions from the cluster configuration be performed with only a single administrator logged in. If any other changes are made during a cluster configuration change, there is a risk that the initialization of a member will not complete correctly.

1. Add cluster members by clicking the Add/Remove button in the Cluster Management console.
2. Enter the cluster member's hostname or IP address, an optional name for the system, and the admin login ID and password. All cluster systems must have the same admin user password.
3. Click the Add or Update Member button to add the system.
4. When a system is added to a cluster, the configuration of the Cluster Console is replicated automatically to the new cluster member. This process takes some time to complete, and the Cluster Management screen indicates that the cluster member is initializing.

It is critical that no other configuration changes are made to the cluster member or the Cluster Console while the member is initializing.

When a system is added to the cluster, the configuration of the Cluster Console is replicated to the new node with the following exceptions:

- Unique networking settings such as host name and IP address, and network-interface-specific settings
- Local users and any WebMail related information
- Any reporting related information
- Centralized management information
- Token analysis databases
- Vacation notification related information (only partially replicated)

Local user accounts cannot be used on a cluster member.

5. When the initialization of the member is complete, the Cluster Management console appears, displaying both the Cluster Console and the new cluster member.

Troubleshooting Cluster Initialization

The following table describes common issues that occur when configuring a cluster.

TABLE 1. Troubleshooting Cluster Initialization

Issue: Blank 'Address' field when setting up the Cluster Console.
Solution: The interface has not been correctly initialized. Go to Basic Config > Network and scroll down to the Clustering section. Select the cluster interface, click Update, and reboot.

Issue: Connection check fails.
Solution: The interface on the Console may not be configured correctly. The target cluster member machine is not running, or the interface on the target node is not configured correctly. The hardware or software of the cluster subnet may not be configured correctly; check the cluster subnet between the Console and the target cluster member.

Issue: Very slow to display the initialization screen in the console window for a new cluster member.
Solution: Try clicking the Refresh now button on the Console screen.

Cluster Management

The Cluster Management screen is accessed on the Cluster Console via HALO > Cluster Administration and displays mail processing statistics for each individual cluster member. All cluster management and configuration must be performed from the Cluster Console system. Any configuration changes made to the Cluster Console are automatically replicated to the cluster member servers.

Cluster Commands

The following commands can be performed for the entire cluster or for individual cluster member systems:

Queues: Select the appropriate button to Run, Stop, or Flush the mail queues.
Send: Enable or Disable the sending of mail from the cluster or the specified system.
Receive: Enable or Disable the receiving of mail for the cluster or the specified system.

Activate/Deactivate Members

When member systems are added to a cluster, they are assigned an active state and process mail for the cluster. If you need to take a system out of the cluster for maintenance, it can be temporarily deactivated from the cluster using the Deactivate button. A deactivated cluster member is still monitored and can still process mail, but its configuration is not synchronized with the Cluster Console. The state of the queue is not changed when a cluster member is deactivated.

The Cluster Console itself cannot be deactivated. To perform maintenance on the Cluster Console, you must deactivate all cluster members individually, which effectively deactivates the entire cluster. When your maintenance is complete, reactivate each cluster member.

To reactivate a deactivated cluster member, click the Activate button. Activating a cluster member synchronizes its configuration by comparing the time of the last replication and updating the system with the configuration from the Cluster Console. A complete resynchronization is required if the replication times do not match exactly.

A cluster member is deactivated automatically if the Cluster Console is unable to communicate with it, and an alarm is issued when this occurs. Email processing is not affected by this deactivation.

Start-Up Configuration

Click the Configure button to select the action to perform when a cluster member system restarts.

Wait for Console: After a restart, the cluster member waits until it has contacted the Cluster Console and synchronized before processing mail. The system tries to contact the Console for five minutes before starting without synchronization.
Start immediately: The cluster member starts immediately without contacting the Cluster Console or synchronizing its configuration.

Cluster Activity

When a cluster is activated, a new Cluster Activity option appears on the Activity menu, providing an activity screen that displays the combined activity of all cluster members. To see the activity for just the current system, use the Activity option from the menu.

Cluster Reporting

eprism reports can be generated for a single system or for all systems in a cluster. The database can also be searched on a single system or across the entire cluster. The history and status of any message can be retrieved instantly regardless of which system processed the message. See Viewing and Generating Reports on page 284 for more information on cluster reporting.

Configuring a New Cluster Console

If you need to assign the Cluster Console role to another system in the cluster, you must log in to the cluster member you want to use as the Cluster Console and reconfigure the cluster from the HALO > Cluster Administration menu. This effectively deactivates the entire cluster, and you must add the cluster members to the cluster again once the new Cluster Console is initialized.

Backup and Restore

Configure the backup for each cluster system, including the Cluster Console, with a unique backup directory. Separate backup directories are required to ensure that one system's backup does not inadvertently overwrite the backup from another cluster system.

Restoring from a backup is primarily intended for product recovery after a re-installation or software upgrade. Restoring clustered systems can potentially cause problems with cluster configuration and communication, so it is recommended that you use the following procedures when restoring a member of a cluster. See Backup and Restore on page 314 for more detailed information on the backup and restore process.

Restoring a Cluster Member

Use the following procedure to perform a restore on a cluster member system (not the Cluster Console):

1. From the Cluster Console, remove the member system from the cluster.
2. Disconnect the member system from the cluster network by unplugging its network cable.
3. Perform the restore procedure, but only restore Quarantined Mail, SSL Certificates, Token Analysis, and (optionally) Reporting Data. The member automatically synchronizes the rest of its configuration with the Cluster Console when it is reintegrated into the cluster.
4. When the system is restored, disable clustering on the cluster network interface in Basic Config > Network. Click the Update button but do not reboot.
5. Re-enable clustering on the network interface. Ensure that the specified interface is the one connected to the cluster network. Click the Update button but do not reboot.
6. Connect the member system's network cable to the cluster network.
7. From the Cluster Console, add the system back into the cluster.

Restoring the Cluster Console

On each cluster member system (not the Cluster Console), clear the cluster configuration as follows:

1. Disable clustering on the cluster network interface of each cluster member in Basic Config > Network. Click the Update button but do not reboot. Then re-enable clustering on the network interface, ensuring that the specified interface is the one connected to the cluster network. Click the Update button but do not reboot.
2. Disconnect the Cluster Console from the cluster network by unplugging its network cable.

3. On the Cluster Console, perform a full restore of all configuration items.
4. When the restore is complete, go to the cluster configuration screen in HALO > Cluster Administration and remove all cluster members from the cluster.
5. Reconnect the Cluster Console to the cluster network.
6. Reconfigure the cluster and add the other systems as cluster members.

Trusted Senders List and Spam Quarantine with a Cluster

The Trusted Senders List and Spam Quarantine can be used in a clustered environment. Note the following when using these features in a cluster.

Trusted Senders List: This feature should only be enabled on the master Cluster Console system. The cluster automatically synchronizes the configuration with the other cluster members.

Spam Quarantine: This feature should only be enabled on the master Cluster Console system. The cluster automatically synchronizes the configuration with the other cluster members. You must set up your Intercept Redirect To actions with a hostname dedicated to the cluster interface on the Cluster Console system. See Spam Quarantine on page 187 for detailed information on setting up the Spam Quarantine in a clustered environment.

Configuring the F5 Load Balancer

As part of eprism's clustering solution, you can use the F5 BIG-IP load balancer, managed through F5 iControl, to control traffic to your clustered systems. eprism includes a configuration screen where you can configure the F5 load balancer via the iControl administrative connection. This integration lets you register the eprism cluster nodes directly with the F5 device. Information on message and traffic load is communicated directly to the load balancer, resulting in intelligent failover decisions. See the F5 documentation for more information on configuring the load balancer.

Load balancing integration only works with versions of F5 up to version 9. It is recommended that the load balancing integration be configured on the F5 device itself rather than on eprism.

Select HALO > F5 Integration from the menu to configure the BIG-IP load balancer. Click the Config button to set up a new F5 configuration.

BIG-IP Enabled: Select the check box to enable management of the BIG-IP load balancer with iControl.
BIG-IP IP Address: Specify the IP address of the BIG-IP system used for iControl administrative access.
Login: Enter the login ID used to configure the load balancer.
Password: Enter the password for the login ID above.
Pool: Specify the name of the load balancing pool used for mail flow for the eprism cluster.
278

Queue Replication

The Queue Replication feature enables mail queue replication and stateful failover between two eprism systems. If the primary owner of a mail queue is unavailable, the mirror system can take ownership of the mirrored mail queue for delivery.

Without queue replication, a system holding received and queued messages that have not yet been delivered may lose that mail if it suddenly fails. In large environments, this could translate into hundreds or thousands of messages. Queue replication actively copies any queued mail to the mirror system, ensuring that if one system fails or is taken offline, the mirror system can take ownership of the queued mail and deliver it. If the source system successfully delivers a message, the copy of the message on the mirror server is automatically removed.

In the following diagram, system A and system B are configured to be mirrors of each other's mail queues.

When a message is received by system A, it is queued locally and a copy of the message is also immediately sent over the failover connection to the mirror queue on system B. If system A fails, administrators can log in to system B and take ownership of the queued mail to deliver it. Messages are exchanged between the systems to ensure that the mirrored mail queues are properly synchronized, preventing duplicate messages from being delivered when a failed system has come back online.

Licensing

HALO Queue Replication must be licensed to use it beyond the evaluation period. See License Management on page 308 for more information on licensing optional components.
279

Configuring Queue Replication

Select HALO > Queue Replication from the menu to configure this feature's options.

Enable Queue Replication: Select the check box to enable queue replication on this system. Replication must also be enabled on both the source and mirror hosts in the Basic Config > Network screen.
Replication Timeout: Specify the time, in seconds, to wait when contacting the host system before timing out.
Replicate to Host: The mail queues are automatically updated when a message is first received, and the queues are also synchronized at regular intervals. Press this button to replicate the queue to the mirror host system immediately.
Mirrored Messages: This value indicates the current amount of queued mail that is mirrored on this eprism.
Purge Mirrored Messages: Select this button to delete any mail messages in the local mirror queue. These are the files that are mirrored for another host server.
Deliver Mirrored Messages: Select this button to take ownership of, and process, the mail that is mirrored for another source system. If the source server is still alive, importing and processing the mirror queue may result in duplicate messages being delivered. Do not press this button unless you are certain that the source system is unable to deliver mail.
Review Mirrored Messages: Select this button to review any mail in the local mirror queue that is mirrored for another source server.
280

Queue Replication Interface

You must also enable queue replication on a network interface on both the host and client server. Select Basic Config > Network from the menu, and then scroll down to the Queue Replication section. These options only appear in the Network settings screen after Queue Replication is enabled.

Enable Replication: Select the check box to enable queue replication on this system.
Replication Host: Specify the IP address of the system that will be backing up mail for this eprism.
Replication Client: Specify the IP address of the system that will be backing up its mail queue to this eprism.
Replication I/F: Select the network interface to use for queue replication. This network interface should be connected to a secure network. It is recommended that queue replication and clustering functions be run together on their own dedicated subnet.

If you back up configuration information and restore it to a system other than the original while queue replication is enabled, you must reconfigure Queue Replication to ensure that it works properly.

Importing and Processing Mirrored Messages

If two systems are mirroring each other's mail queues and one of them fails, you must go to the mirror server and import the mirrored mail to ensure that it is processed and delivered. Import the mirrored messages as follows:
1. Ensure that the host server is unavailable. Before importing any mirrored mail, you must ensure that the host server is not processing mail. If you import and process the mirrored mail on the mirror server, duplicate messages may result if the host server starts functioning again.
2. On the mirror server, select HALO > Queue Replication from the menu.
281

3. You may wish to view the currently mirrored mail by clicking the Review button.
4. Click the Deliver button. This eprism will take ownership of any queued mail mirrored from the source server, and process and deliver it.
282
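The mirroring and failover behaviour described in this section, as an added example that is not part of this guide or of eprism's own software: a small Python model of two systems mirroring each other's queues. It shows why the guide insists that the source be truly down before Deliver Mirrored Messages is pressed. The host names, queue IDs and messages are constructed, and the resynchronisation rule (a returning host discards queued mail its mirror has already delivered) is an assumed reading of the synchronisation exchange the guide mentions.

```python
"""Model of queue replication and failover between two mirrored systems.

Added example for this guide: a simplified simulation, not eprism's own
implementation. Host names, queue IDs and message bodies are constructed.
"""


class MailSystem:
    """One host with an owned mail queue and a mirror queue held for its peer."""

    def __init__(self, name):
        self.name = name
        self.alive = True
        self.peer = None
        self.queue = {}        # queue_id -> message this host owns and must deliver
        self.mirror = {}       # queue_id -> message mirrored for the peer
        self.delivered = []    # queue_ids this host delivered, in order

    def receive(self, queue_id, message):
        """Queue locally and immediately copy to the peer's mirror queue."""
        self.queue[queue_id] = message
        self.peer.mirror[queue_id] = message

    def deliver_queue(self):
        """Deliver owned mail; each success removes the copy held on the mirror."""
        if not self.alive:
            return []
        done = list(self.queue)
        for qid in done:
            del self.queue[qid]
            self.delivered.append(qid)
            self.peer.mirror.pop(qid, None)
        return done

    def deliver_mirrored(self):
        """'Deliver Mirrored Messages': take ownership of the peer's mail and deliver it."""
        for qid in list(self.mirror):
            self.queue[qid] = self.mirror.pop(qid)
        return self.deliver_queue()

    def resync_on_return(self):
        """On coming back online, drop queued mail the peer already delivered.

        Assumed semantics of the synchronisation exchange the guide mentions."""
        stale = [qid for qid in self.queue if qid in self.peer.delivered]
        for qid in stale:
            del self.queue[qid]
        return len(stale)


def pair():
    """Two systems configured as mirrors of each other (systems A and B)."""
    a, b = MailSystem("A"), MailSystem("B")
    a.peer, b.peer = b, a
    return a, b


def failover_scenario(source_really_down):
    """Receive three messages on A, then press Deliver Mirrored Messages on B.

    Returns the number of unique messages delivered, the total deliveries, and
    how many queued copies A discarded on resync. Duplicates appear only when
    the operator presses Deliver while A is still able to deliver its queue."""
    a, b = pair()
    for i in range(3):
        a.receive("q%d" % i, "constructed message %d" % i)
    a.alive = not source_really_down   # simulate the failure (or the operator error)
    b.deliver_mirrored()
    a.alive = True                     # A comes back (or never left)
    dropped = a.resync_on_return() if source_really_down else 0
    a.deliver_queue()
    delivered = a.delivered + b.delivered
    return {"unique": len(set(delivered)),
            "deliveries": len(delivered),
            "dropped_on_resync": dropped}


if __name__ == "__main__":
    print("source down:", failover_scenario(True))
    print("source alive:", failover_scenario(False))
```

Run it and the second scenario shows every message delivered twice, once by each system, which is exactly the outcome step 1 of the import procedure is meant to prevent.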

CHAPTER 13 Reporting

This chapter describes the reporting features of the eprism Email Security Appliance and contains the following topics:
- Viewing and Generating Reports on page 284
- Viewing the Mail History Database on page 294
- Viewing the System History Database on page 296
- Report Configuration on page

Viewing and Generating Reports

eprism's reporting functionality provides a comprehensive range of informative reports for the eprism Email Security Appliance, including:
- Traffic Summary
- System Health
- Top Mailbox Disk Users
- WebMail Usage
- POP and IMAP Access
- Bulk Analysis and DNSBL Lookup Performance
- Spam Statistics
- Virus and Threat Outbreak Reports
- Recipient Reports
- Health Check reports

The reports are derived from information written to the various system logs, which is then stored in the database. Reports are stored on the system for online viewing, and can also be e-mailed automatically to specified users. Reports can be generated on demand and at scheduled times. Reports can also be filtered to report only on particular mail domains, user groups, or specific hosts. Administrators can specify which data is to be included in each report, how it is to be displayed, the order of data, and the number of entries to report, such as "Top 10 Disk Space Users".

Reports can be generated in four different formats: HTML, PDF, CSV (comma separated output) and PostScript.
284

Reporting Menu

To generate and view reports, select Status/Reporting > Reporting > Reports. To view a previously generated report, click on the report name. To configure a report, click on the Configure button beside the corresponding report name. Click Generate to immediately generate the specified report.

Viewing Reports

To view a report, click on the report name, such as Full Report.
285

Reports that have been previously generated are listed here. Click on an HTML report name, such as "rep1.html", to view the contents within the current browser window. Click on the Finished At time to view it in a popup window. Click on other formats to save the report to your workstation.

The following illustrates the types of charts and graphs available from the full report.
286

Configuring Reports

Click the Configure button beside a specific report name to configure that report, or click Add New Report Type to start a new report.

General Report Configuration Parameters

Report Title: Title to display at the top of the report.
To (HTML, CSV, PDF, PS): Specify an e-mail address, such as admin@example.com. Use a comma-separated list to distribute the report to multiple users, or assign an alias.
Paper Size: For PDF and PS formats, select the paper size, such as Letter, A4, or Legal.
Describe fields in report: Select this option to include a short description of each field in the report.
Hosts: If you are running a clustered system, select the specific host you want the report to apply to. When running reports in a clustered system, if you select "All" hosts in the report, it will generate a report for each host individually, and then merge the results into one report.
Filters: Select a filter, if any, to use with this report. Filters are created from the Status/Reporting > Reporting > Report Filters menu.
287

Automatic Report Generation

Configure and generate automatic reports from the Report Generation section of the configuration screen.

Enable Auto Generate: Select this check box to automatically generate reports.
Auto Generate Report at: Select the time to generate the report.
Auto Generate on Week Days: Choose the days of the week to generate the report.
...and/or Day(s) of Month: Choose specific days of the month to generate the report.
Timespan Covered: Select the timespan covered by this report.
Timespan Ends at: Select the end of the timespan. It is recommended to set the timespan end time a few hours prior to report generation to allow all deferred mail to be finalized.
...Timespan Offset (Days Ago): Select the number of days to offset the timespan. This amount of time is subtracted before setting the timespan.

Click the Generate Now button to generate a report on demand using the specified settings. This will also automatically e-mail the report to the specified address.

To generate a report daily at 2:00am for the previous day (up to 11:00pm):
  Auto Generate Report at: 02:00
  Auto Generate on Week Days: All
  Timespan covered: 1 day
  Timespan ends at: 23:00
  Timespan offset: 0 days

To generate weekly reports on Sunday at 4:00am for the period ending Friday 11:00pm:
  Auto Generate Report at: 04:00
  Auto Generate on Week Days: Sunday
  Timespan covered: 1 week
  Timespan ends at: 23:00
  Timespan offset: 1 day ago
288
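Working out exactly which period a scheduled report will cover, as an added example (not eprism's code and not part of this guide). The rule it encodes, take the latest Timespan Ends at clock time that falls before the generation time and then subtract the offset in days, is an interpretation that reproduces both configurations shown above; it is not a documented algorithm, and the "and/or" day selection is read as a union. The dates are constructed.

```python
"""Compute the reporting period from the Report Generation settings.

Added example for this guide, not eprism's code. The window rule and the
'and/or' day-selection semantics are assumptions that reproduce the two
configurations given in the guide.
"""
from datetime import datetime, time, timedelta

TIMESPANS = {"1 day": timedelta(days=1), "1 week": timedelta(weeks=1)}


def report_window(generated_at, timespan, ends_at, offset_days=0):
    """Return (start, end) datetimes covered by one report run."""
    end = datetime.combine(generated_at.date(), ends_at)
    if end >= generated_at:              # today's 'ends at' has not passed yet
        end -= timedelta(days=1)         # so use yesterday's
    end -= timedelta(days=offset_days)   # 'Timespan Offset (Days Ago)'
    return end - TIMESPANS[timespan], end


def report_window_iso(generated_at_iso, timespan, ends_at_hhmm, offset_days=0):
    """String front end: ISO 8601 generation time, 'HH:MM' end time."""
    generated = datetime.fromisoformat(generated_at_iso)
    hours, minutes = (int(part) for part in ends_at_hhmm.split(":"))
    start, end = report_window(generated, timespan, time(hours, minutes), offset_days)
    return start.isoformat(sep=" "), end.isoformat(sep=" ")


def runs_today(day_iso, week_days=(), month_days=()):
    """'Auto Generate on Week Days ... and/or Day(s) of Month', read as a union.

    week_days holds names such as 'Sunday', or 'All'; month_days holds integers."""
    day = datetime.fromisoformat(day_iso)
    if "All" in week_days:
        return True
    return day.strftime("%A") in week_days or day.day in month_days


if __name__ == "__main__":
    # The two configurations from the guide, on constructed dates
    # (2007-05-25 is a Friday, 2007-05-27 a Sunday).
    print("daily 02:00  :", report_window_iso("2007-05-25 02:00", "1 day", "23:00", 0))
    print("weekly 04:00 :", report_window_iso("2007-05-27 04:00", "1 week", "23:00", 1))
```

For the daily configuration the window is Wednesday 23:00 to Thursday 23:00 when generated early Friday, and for the weekly one it runs from the previous Friday 23:00 to Friday 23:00, matching the "period ending Friday 11:00pm" the guide describes; the three-hour gap before generation is what lets deferred mail settle.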

Report Fields

The Fields section allows you to choose which fields, or items of information, to include in the report. The fields provided are static, and the standard reports use fields pre-selected from this list to satisfy certain requirements. You can include or exclude fields in any one of the reports as required.

Columns

Field ID: This is the eprism name for this item.
Title in Report: Designate a title to appear in the report.
Order: The higher the value, the higher the field will appear in the report. Any number can be chosen to position the fields as needed.
Page Break: Choose between no, before, after, and both, to configure page breaks. This option only applies to PDF and PS format reports.
Limit: Set a limit for the number of items in a field. For example, enter "10" in the top viruses field to create a "Top Ten Virus List".

Field Descriptions

The following table describes the fields that appear in the report. Brief descriptions of each field can be included in the report by configuring it in the general report parameters.

TABLE 1. Reporting Field Descriptions (Field: Description)

System name: The system host name, such as server.example.com.
Date time: Date and time of report generation.
Version: eprism software revision.
Timespan: Period covered by the report.
Uptime: How long the eprism system has been running since the last reboot.
Filter summary: A summary of the filters applied to this report.
289

TABLE 1. Reporting Field Descriptions (continued)

Head comment: Freeform comment that you may enter.
Traffic blocking: A table showing the number of messages caught by each method over the preceding hour, day, week, month, and report timespan.
Blocking pie chart: A pie chart of the same data as the right hand column of Traffic Blocking (timespan).
Total traffic received: Graphs of the number of messages received per hour over the reporting period (timespan).
Total traffic sent: Graphs of the number of messages sent per hour over the reporting period (timespan).
Total received message size: Total message size of incoming messages per hour.
Total sent out message size: Total message size of outgoing messages per hour.
Trust traffic: A table showing the number of messages classified as "trusted" and "untrusted" and their disposition over the reporting period.
Processing time: The average time a message waits between initial handshake and disposition, including DNSBL/Bulk Analysis lookups if any. Messages that are deferred are not included.
Spam metrics: Graph of the number of messages per Token Analysis assigned spam metric (0-100).
Top virus: List of the top viruses found.
Recent virus list: List of the most recent viruses found.
Threat Outbreak Control Summary: The number of messages quarantined by Threat Outbreak Control and the number of those messages that were released, were malformed, contained forbidden attachments, or were later found to contain viruses.
Threat Outbreak Virus List: The virus types most commonly detected by Threat Outbreak Control.
Top PBMFs: List of the top pattern based message filters. Note that this includes only global PBMFs.
Top forbidden attachments: List of the top forbidden attachments caught by attachment control.
Recent forbidden attachments: List of the most recent forbidden attachments caught by attachment control.
Top compliancy: List of the most commonly detected compliancy violations.
Top word match: List of spam word and OCF word matches.
290

TABLE 1. Reporting Field Descriptions (continued)

Spam Summary: Lists the number of messages classified as certainly spam, probably spam, and maybe spam.
Intercept Component Weights: A composite list of the components of the Anti-Spam Intercept engine and the results of each component, relating to the number of positive results that were designated by the system as Certainly Spam, Probably Spam, Maybe Spam, mixed spam, or not spam at all.
Disk usage: Shows disk usage by partition.
Disk load: Graph of average disk load (MB/s) over the reporting period.
CPU load: Graph of average CPU load (number of waiting processes) over the reporting period.
NIC load: Graph of the load (Bytes/hour) on each active network interface over the reporting period.
Swap usage: Swap file usage.
Paging: Paging usage.
Top mailbox sizes: Lists the top users based on the size of their mailboxes in MB.
Webmail: The number of WebMail logins and failed attempts per hour. This does not include "admin" logins.
POP: Graph showing the number of POP logins and login failures per hour over the reporting period.
IMAP: Graph showing the number of IMAP logins and login failures per hour over the reporting period.
Active mail queue: Graph showing the number of queued messages (as sampled every 5 minutes) over the reporting period.
Deferred mail queue: Graph showing the maximum number of messages (as sampled every 5 minutes) in the deferred queue over the reporting period.
Top senders: The top senders (judged by envelope from, not header from) during the report timespan, sorted by number of messages. If the title contains one or more comma characters, the list will be restricted to those senders which include any string after the first comma. The limit parameter in the report configuration sets the maximum number listed.
291

TABLE 1. Reporting Field Descriptions (continued)

Top sending hosts: The top sending host names (in FQDN format) during the report timespan, sorted by number of messages. If the title contains one or more comma characters, the list will be restricted to those sender FQDNs which include any string after the first comma. The limit parameter in the report configuration sets the maximum number listed.
Top recipients: The top recipients during the report timespan, sorted by number of messages. The sum of the message sizes is also listed. If the title contains one or more comma characters, the list will be restricted to those recipients which include any string after the first comma. The limit parameter in the report configuration sets the maximum number listed.
Bulk Analysis Servers: Graph showing the average round trip, in seconds, to the preferred Bulk Analysis server over the reporting period.
DNSBL Servers: Graph showing the round trip, in seconds, to the DNSBL servers over the reporting period. The value is averaged over all enabled DNSBL servers.
Policy summary: A summary of policy actions over certain time periods.
Recipient traffic blocking: Traffic blocked by recipient due to policies and their actions.
Connection summary: Lists the number of connections refused based on features such as Mail Anomalies, Threat Prevention, DNSBL, and BSN.
End comment: Comment text.
Extra comment: Extra comment text.

Language Support

Any text field in the report configuration can use Western (ISO-8859) text. For extended characters (such as accented letters), configure your browser for Western (ISO-8859) and set the character set encoding in Basic Config > Web Server. You can then use your language-specific keyboard, or copy and paste ISO-8859 text into the report configuration fields.
292

Creating Report Filters

You can create custom filters to apply when generating reports. When a filter is selected in the report configuration editor, the applicable report fields are restricted to those values that include any string in the supplied list. You can filter by mail domain, user groups, and specific hosts. Filters for specific viruses, encryption, and attachment types can also be created.

Field values can be separated by a space or by starting a new line. Leave a field blank for no filtering. Wildcard characters can be used for domains and addresses, such as:
  *@example.com
  joe@*.example.com
  fred@*example*

Select Status/Reporting > Reporting > Report Filters to create and edit report filters. You can filter on the following fields:
- Sender domain or address
- Recipient domain or address
- Sending host name or IP
- Encryption from Sender
- Encryption to Recipient
- Sender groups
- Recipient groups
- Virus
- Forbidden Attachment

When a filter is created, it will appear in a dropdown list in the report configuration settings. Select the filter to apply it to the report.
293
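How the wildcard filter values above restrict a report field, as an added example written for this guide (it is not eprism's code). It turns each value into an anchored pattern so that only "*" is a wildcard and a domain such as example.com does not also match example.com.other.test, applies a blank field as "no filtering", and then restricts a Top senders list with the report's Limit. The sample messages are constructed, and case-insensitive matching is an assumption the guide does not state.

```python
"""Wildcard matching for report filters.

Added example for this guide, not eprism's code. Sample messages are
constructed; case-insensitive matching and '*' as the only wildcard are
assumptions.
"""
import re
from collections import Counter


def pattern_to_regex(pattern):
    """'*@example.com' -> anchored regex; every character other than '*' is literal."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)


def parse_filter_field(text):
    """Values are separated by spaces or new lines; a blank field means no filtering."""
    return text.split()


class ReportFilter:
    """One filter: a mapping of report field name -> filter field text."""

    def __init__(self, **fields):
        # field name -> compiled patterns; an empty list leaves the field unrestricted
        self.rules = {name: [pattern_to_regex(value) for value in parse_filter_field(text)]
                      for name, text in fields.items()}

    def matches(self, record):
        """Every non-blank filter field must match at least one of its values."""
        for name, patterns in self.rules.items():
            if patterns and not any(p.match(record.get(name, "")) for p in patterns):
                return False
        return True


# Constructed sample of the per-message data a report is built from.
SAMPLE_MESSAGES = [
    {"sender": "alice@example.com", "recipient": "ops@example.com"},
    {"sender": "alice@example.com", "recipient": "ops@example.com"},
    {"sender": "joe@mail.example.com", "recipient": "ops@example.com"},
    {"sender": "mallory@example.org", "recipient": "ops@example.com"},
    {"sender": "alice@example.com.other.test", "recipient": "ops@example.com"},
]


def top_senders(records, report_filter, limit):
    """'Top senders' restricted by a filter; limit plays the role of the report's Limit."""
    counts = Counter(r["sender"] for r in records if report_filter.matches(r))
    return counts.most_common(limit)


if __name__ == "__main__":
    flt = ReportFilter(sender="*@example.com\njoe@*.example.com", recipient="")
    print(top_senders(SAMPLE_MESSAGES, flt, limit=10))
```

The anchoring is the detail worth keeping: without it, a value like *@example.com would silently pull a look-alike domain into a report that is supposed to be scoped to your own mail domain.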

Viewing the Mail History Database

Every message that passes through eprism generates a database entry that records information about how it was processed, including a detailed journal identifying the results of the mail processing. Select Status/Reporting > Reporting > Mail History to view the database.

Columns

QueueID: Identifies the message in the database.
Time Received: Time when the message was received by eprism.
Subject: Contents of the message subject header field.
Prior: If a message is forwarded because of alias expansion, bounced, vacation notification, and so on, a new message in the queue will be created. The QueueID number in the Prior column links to the original message.
Journal: Shows how the message was processed, including its disposition.
Auth: Shows SMTP authentication information, if enabled.

Search

Search for specific message details using the following search fields:
Search: Select the specific part of the message you want to search on, such as "sender" or "subject".
For: Enter a search string. Use a blank field to match any string.

Advanced Search

Select the Advanced button to perform an advanced search of the database.
294

Search: Select the specific part of the message you want to search on, such as "sender" or "subject". Use the "and" fields to select an additional message part and search string.
Date: You can select a time frame to search for received, disposed, or deferred mail.
Status: Select a message status to search for, such as "malformed" or "virus".
Hosts: In a clustered system, you can specify a specific host to perform the search on.
Max: Enter the maximum number of results (up to 10,000) returned in the search.
Regex: Select this option to define a search using a regular expression.

After performing a search, you can enter more criteria and use the Refine button to search only within the previous results.

Displaying Message Details

Click on a QueueID number to view the details of a message. Dispositions and deferrals, if any, are listed in the Message Disposition section.
295
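The search semantics just described (a message part plus a string, "and" fields that must all match, a status filter, the Max cap, the Regex option, and Refine over the previous result set), as an added example written for this guide rather than eprism's own code. The mail history records and their QueueIDs are constructed, and substring matching for the non-regex case is an assumption.

```python
"""In-memory model of the Mail History search.

Added example for this guide, not eprism's code. Records are constructed;
plain (non-regex) searches are assumed to be substring matches.
"""
import re

MAX_RESULTS = 10_000   # the 'Max' field accepts up to 10,000

# Constructed mail history rows: QueueID, a few searchable parts, and a status.
MAIL_HISTORY = [
    {"QueueID": "A1B2C3", "sender": "alice@example.com", "subject": "Q2 budget", "status": "delivered"},
    {"QueueID": "D4E5F6", "sender": "bulk@example.org", "subject": "WIN A PRIZE!!!", "status": "spam"},
    {"QueueID": "G7H8I9", "sender": "alice@example.com", "subject": "invoice.zip", "status": "virus"},
    {"QueueID": "J0K1L2", "sender": "bob@example.net", "subject": "", "status": "malformed"},
]


def part_matches(value, text, regex):
    """Blank text matches anything; otherwise substring or regular-expression search."""
    if text == "":
        return True
    if regex:
        return re.search(text, value) is not None
    return text in value


def search(records, criteria, regex=False, status=None, max_results=MAX_RESULTS):
    """criteria maps message part -> search string; all parts must match ('and' fields)."""
    if not 1 <= max_results <= MAX_RESULTS:
        raise ValueError("Max must be between 1 and %d" % MAX_RESULTS)
    matched = []
    for rec in records:
        if status is not None and rec["status"] != status:
            continue
        if all(part_matches(rec.get(part, ""), text, regex) for part, text in criteria.items()):
            matched.append(rec)
            if len(matched) == max_results:
                break
    return matched


def refine(previous_results, criteria, **options):
    """'Refine': apply new criteria only within the previous result set."""
    return search(previous_results, criteria, **options)


def queue_ids(records):
    return [rec["QueueID"] for rec in records]


if __name__ == "__main__":
    first = search(MAIL_HISTORY, {"sender": "alice"})
    print("from alice:", queue_ids(first))
    print("...with an archive attachment:",
          queue_ids(refine(first, {"subject": r"\.(zip|rar|7z)$"}, regex=True)))
```

Refine is implemented as a search over the previous result list rather than a new query, which is why narrowing by regex after a broad sender search stays cheap even against a large history.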

Viewing the System History Database

Select Status/Reporting > Reporting > System History to view the system database. The system database is a record of system events, such as login failures and disk space usage.

Search: Enter any text to search for an event. You can specify the type of message to narrow the search. Leave the text area blank to list by event type.

Columns

Event#: Identifies the event in the database.
End Time: Time when the event is complete.
Type: The type of event.
Device, User: The device or user in the event.
Text: Associated text for the event.
#1, #2, #3: Parameters of the event. These are specific to each event type.

Event Types

The following table describes the event types that can appear in the system database.

TABLE 2. System Database Event Types (Event Type (Abbreviation): Description. Parameters.)

Admin Actions (adm): Shows administrative functions that have been performed.
AV Updates (avup): The time of the last update, its success or failure, and the name of the new pattern file.
CPU Load (cpuld): The load average for the past 1, 5, and 15 minutes. Parameters: number of processes waiting for CPU; a very busy system may have 50 or more.
296

TABLE 2. System Database Event Types (continued)

DCC Preferred (dccpref): The round trip time to the preferred Bulk Analysis server. Parameters: name of the preferred server.
Disk I/O (diskio): MB per second transferred, KB per transfer, and transfers per second for a disk.
Disk Usage (du): Amount of used and total available disk space for each disk slice.
IMAP I/O (impio): Shows each IMAP based transfer of messages.
IMAP Logins (implin): Shows each successful IMAP authentication. If the connection used SSL, the string "ssl" follows in a separate column. Note: IMAP transfers smaller than 50 bytes are not recorded. Parameters: UserID and IP address.
IMAP Failures (impfail): Shows the number of IMAP login failures. Parameters: UserID and IP address.
Logins (login): A single web based login. Parameters: UserID and IP address.
Logouts (logout): A single web based logout (not including timed-out sessions). Parameters: UserID and IP address.
Login failures (lifail): Login failure. Parameters: UserID and IP address.
Network I/O (nic): Amount of data in and out of the network card.
Paging (page): Shows the swap paging activity (pages in/out) over 5 seconds.
POP I/O (popio): Shows each POP based transfer of messages. Parameters: number of e-mails and bytes transferred in the POP session.
POP Logins (poplin): Shows each successful POP authentication. If the connection used SSL, the string "ssl" follows the IP address. Parameters: UserID and IP address.
297

TABLE 2. System Database Event Types (continued)

POP Failures (popfail): Shows each POP authentication failure. If the connection used SSL, the string "ssl" follows the IP address. Parameters: UserID and IP address.
Queue Sizes (que): Number of messages in the active and deferred queues. Parameters: active queue size in bytes, deferred queue size in bytes.
DNSBL Response (rbldns): Average round trip time to the DNSBL server, with minimum and maximum values. Parameters: DNSBL server.
Swap usage (swap): Shows the swap usage and the total swap space available. Parameters: used and available swap space in megabytes.
298

Report Configuration

Select Status/Reporting > Reporting > Configure to configure the maximum time that e-mail summaries, system event summaries, and reports are kept on the system, including the maximum number that are retained. E-mail summaries, system events, and reports are included in backups.

Each e-mail summary is about 1,000 bytes in size. For performance reasons, such as backup/restores and searches, it is recommended to set the message limits no higher than is required, such as 250,000 messages for an M1000, 500,000 messages for an M3000, and so on. The message history is trimmed to the expiry date and number limit, whichever is smaller.

System events occupy less than 2 MB per day, and a setting of 3 months is reasonable.

The system purges old data every day after 12:00am, and also within a few minutes of saving the settings in this menu. The data is rolled out depending on the date/time and number constraints, whichever is less. Reports will not be generated while the data is being purged.
299

Disabling Reporting

The reporting database is populated with information that is obtained by interpreting the system log files. You have the option of disabling reporting, which results in no new information being saved in the reporting database. Note that all log files are still saved, but the reporting engine will not analyze and interpret them for reports.

Disabling reporting is not recommended, and should only be used if the system is extremely overloaded, or if you are testing performance levels.

Click the Advanced button on the Status/Reporting > Reporting > Configure screen to reveal an option for disabling the reporting function. Software upgrades or system restores will re-enable reporting, if disabled.
300

CHAPTER 14 System Management

This chapter describes the tools used to administer the eprism Email Security Appliance and contains the following topics:
- System Status and Utilities on page 302
- Mail Queue Management on page 305
- Quarantine Management on page 306
- License Management on page 308
- Software Updates on page 311
- Security Connection on page 312
- Reboot and Shutdown on page 313
- Backup and Restore on page 314
- Centralized Management on page 321
- Problem Reporting on page 326
- Health Check on page

System Status and Utilities

The Status/Reporting > Status & Utility screen provides the following information:
- A snapshot of the system status, including information on uptime, load average, amount of swap space, current date and time, disk usage, RAID status, NTP status, and Anti-Virus pattern file status.
- Controls to start and stop the mail systems and flush the mail queues.
- Diagnostic tools, such as a Hostname Lookup function, SMTP Probe, Ping, and Traceroute utilities, that are useful for resolving mail and networking problems.
- System hardware configuration information.

System Status

From the System Status screen, you can view a number of system statistics such as the total system uptime, load average, the amount of used swap and disk partition space, RAID status, NTP server status, and Anti-Virus pattern update status.
302

Utility Functions

The Utility Functions allow you to control the following system services:

Stop/Start Mail Services: You can stop or start all mail services by clicking on the Stop/Start Mail System Control option.
Disable/Enable Sending and Receiving: Alternatively, you can enable or disable only the Receiving or Sending of mail by clicking the appropriate button. This is useful if you only want to stop the processing of mail in one direction. For example, you may want to turn off the sending of mail to troubleshoot errors with SMTP delivery, while still being able to receive incoming mail.
Flush Mail Queue: The Flush button is used to reprocess any queued mail in the system. Only click this button once. If the mail queue does not process, you may be having other types of delivery problems, and reprocessing the mail queue will only add additional load to the system.

Diagnostics

The Diagnostics section contains networking and SMTP utilities to help troubleshoot network and mail delivery issues. See Network and Mail Diagnostics on page 355 for more detailed information on using these diagnostic tools for troubleshooting.

Hostname Lookup: Allows you to verify host name resolution by looking up a host on a DNS name server.
SMTP Probe: Allows you to send a test e-mail to a remote SMTP server.
Ping: Checks network connectivity via ICMP ping.
Traceroute: Checks routing connectivity by tracing the route taken by network data from the source to the destination server.
303

Current Admin and WebMail Users

The Current Admin and WebMail Users section allows you to see who is logged in via the web admin interface or through a WebMail session. If you are using Clustering, an admin login may show up several times on the list because of additional RPC calls related to clustering communications. In these cases the Remote IP address shown will be that of the other eprism systems.

Configuration Information

The Configuration Information section shows you important system information such as the current version of the system software, the time it was installed, and licensing and hardware information.
304

Mail Queue Management

The Status/Reporting > Mail Queue screen contains information on mail waiting to be delivered. You can search for a specific mail message using the search function. Messages that appear to be undeliverable can be removed by selecting them and then clicking the Remove link.

Any mail messages in the mail queue can be processed out of the queue by clicking the Flush Mail Queue button. Only click this button once. If the mail queue does not process, you may be having other types of delivery problems, and reprocessing the mail queue will only add additional load to the system.

Display Options

The Remove All button is used specifically with the search function. You must enter a search pattern to use with this button. To delete all mail messages in the queue, enter "@" in the search field, and then click Remove All.

The following options can be appended to the URL of the Mail Queue screen:
?limit=n: Sets the total number of items that will be listed to the specified number. The default is 2000.
?ipp=n: Sets the number of items per page.
?order=asc: Sorts items by date, oldest first to most recent.

If the query URL already contains a "?" argument, you must use "&" instead to add options to the query. To set the total number of items to be displayed to 100, use the following URL:

Use the "&" symbol instead if a "?" option already exists: mailqueue.spl?action=submit&limit=

Quarantine Management

Select Status/Reporting > Quarantine to manage the Quarantine folder. This folder contains messages that have been blocked because of a virus, malformed message, compliance violation, or an illegal attachment. You can view the details of a message by clicking on its ID number, or delete the message from quarantine by clicking the Delete button. Quarantined messages can also be released from the quarantine and delivered to their original destination by clicking the Release button.

Use the search field to look for specific messages within the quarantine. For example, you could search for the name of a specific virus so that all quarantined messages infected with that virus are displayed.

Display Options

The Delete All and Release All buttons are used specifically with the search function. You must enter a specific search pattern before using these controls. It is recommended that you use the Expiry Options button to clear the quarantine area of all messages beyond a certain date.

The following options can be appended to the URL of the Quarantined Mail screen:
?limit=n: Sets the total number of items that will be listed to the specified number. The default is 2000.
?ipp=n: Sets the number of items per page.
?order=asc: Sorts items by date, oldest first to most recent.

If the query URL already contains a "?" argument, you must use "&" instead to add options to the query. To set the total number of items to be displayed to 100, use the following URL:

Use the "&" symbol instead if a "?" option already exists: quarantine.spl?action=submit&limit=
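Appending the display options to the Mail Queue and Quarantine screen URLs described in the two sections above, choosing "?" or "&" automatically, as an added example written for this guide (not eprism's code). It also rejects values the guide does not document, so a typo cannot silently change what the screen lists. The host name in the sample URLs is a placeholder, and restricting order to "asc" is an assumption based on the only value the guide lists.

```python
"""Build Mail Queue / Quarantine screen URLs with ?limit=, ?ipp= and ?order=.

Added example for this guide, not eprism's code. The host name is a
placeholder; only the option values documented in the guide are accepted.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

ALLOWED_OPTIONS = ("limit", "ipp", "order")


def validate_option(name, value):
    """limit and ipp must be positive integers; order accepts only 'asc'."""
    if name not in ALLOWED_OPTIONS:
        raise ValueError("unknown display option: %s" % name)
    if name == "order" and value != "asc":
        raise ValueError("order accepts only 'asc'")
    if name in ("limit", "ipp") and (not isinstance(value, int) or value <= 0):
        raise ValueError("%s must be a positive integer" % name)


def with_display_options(url, **options):
    """Return url with the given options merged into its query string.

    Uses '?' when the URL has no query yet and '&' otherwise, and replaces an
    option that is already present rather than repeating it."""
    for name, value in options.items():
        validate_option(name, value)
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query.update({name: str(value) for name, value in options.items()})
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    base = "https://eprism.example.net/mailqueue.spl"        # placeholder host
    print(with_display_options(base, limit=100))
    print(with_display_options(base + "?action=submit", limit=100, ipp=25))
    print(with_display_options("https://eprism.example.net/quarantine.spl?action=submit", order="asc"))
```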

Quarantine Expiry Options

Click the Expiry Options button to configure the quarantine expiry settings. An expiry term can be set so that quarantined messages are deleted after a certain period of time. You can use this feature to flush all messages from the quarantine area on a regular basis.

Expire only on disk full
    The quarantine expires messages based on the disk space percentage configured by the administrator. The default is 90%, which expires messages from the quarantine when the disk is 90% full. Valid values are between 10% and 90%.

Expire per settings
    The quarantine expires messages based on the administrator's configured settings:

    Days
        Enter how many days to keep a quarantined message before deleting it.

    Disk usage (percentage)
        Enter the percentage of disk usage that may be used by the quarantine area. If the quarantine area grows beyond this size, messages are expired. The disk partition used by the quarantine is the /var partition.

Click Update to apply the settings to newly quarantined messages. Click Update and Expire Now to apply the settings to all messages already in the quarantine area. To delete all messages in the quarantine, set the Days value to "0", and then click Update and Expire Now.
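The two expiry modes above are easy to misread as a single threshold. The following is an added example, not eprism's own code, that models the documented behaviour as a plain function: with no age limit only the disk threshold applies (the "Expire only on disk full" mode); with an age limit, messages at least that many days old go first, Days = 0 empties the quarantine, and the disk threshold is then applied to whatever remains. The message list, partition size and usage figures are constructed sample data; the guide does not say how the appliance orders expiry within a run, so "oldest first" is an assumption.

```python
"""Model of the eprism quarantine expiry policy (added example, not appliance code)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class QuarantinedMessage:
    msg_id: str
    age_days: float   # time since the message was quarantined
    size_bytes: int   # space it occupies on the /var partition


def plan_expiry(messages: Iterable[QuarantinedMessage],
                partition_bytes: int,
                used_bytes: int,
                disk_percent: int = 90,
                max_age_days: Optional[int] = None) -> List[str]:
    """Return the IDs of messages to expire, oldest first (ordering is an assumption).

    max_age_days=None   "Expire only on disk full": expire oldest messages only
                        while partition usage exceeds disk_percent.
    max_age_days=N      "Expire per settings": expire everything N days old or
                        older (N=0 expires all), then apply the disk threshold
                        to the rest.
    used_bytes is the current usage of the partition holding the quarantine;
    expiring a message frees its size.
    """
    if not 10 <= disk_percent <= 90:
        raise ValueError("disk usage threshold must be between 10% and 90%")
    limit = partition_bytes * disk_percent // 100

    expire: List[str] = []
    remaining = used_bytes
    for msg in sorted(messages, key=lambda m: m.age_days, reverse=True):
        too_old = max_age_days is not None and msg.age_days >= max_age_days
        over_limit = remaining > limit
        if too_old or over_limit:
            expire.append(msg.msg_id)
            remaining -= msg.size_bytes
    return expire


# Constructed sample: a 1000-byte "partition" that is 905 bytes full.
SAMPLE_QUARANTINE = [
    QuarantinedMessage("a", age_days=40, size_bytes=30),
    QuarantinedMessage("b", age_days=12, size_bytes=50),
    QuarantinedMessage("c", age_days=3, size_bytes=30),
    QuarantinedMessage("d", age_days=1, size_bytes=10),
]

if __name__ == "__main__":
    print("disk full only   :", plan_expiry(SAMPLE_QUARANTINE, 1000, 905))
    print("settings, 10 days:", plan_expiry(SAMPLE_QUARANTINE, 1000, 905, max_age_days=10))
    print("settings, 0 days :", plan_expiry(SAMPLE_QUARANTINE, 1000, 905, max_age_days=0))
```

Running it shows why Days = 0 is the documented way to empty the quarantine: the age test matches every message, independent of how full the disk is.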

License Management

The eprism Security Appliance initially starts in evaluation mode, which can be used for 30 days. After that time, eprism stops accepting new mail: incoming mail receives an SMTP failure message explaining that no mail is being accepted because the evaluation period has elapsed. Existing mail in the queue is still delivered, and mail in mailboxes remains accessible to POP3/IMAP and eprism Mail Client users.

Use the information in your License Pack to license and activate eprism. Activating eprism also activates your support contract, which is valid for 12 months from purchase. Your Support Contract entitles you to all software upgrades and patches, as well as a return-to-factory warranty on the hardware. Failure to activate your system may delay the delivery of support services.

eprism can be licensed either automatically via the Internet or manually. Automatic licensing requires an Internet connection from the appliance.

Automatic License Activation

License eprism automatically as follows:

1. Ensure that the system can access the Internet so that it can connect to the St. Bernard License server.
2. Select Management > License Management on the menu.
3. Click the Automatic Activation button. A new web browser window opens and displays the St. Bernard licensing activation screen.

4. Enter the serial number found in the Psn field of the License Pack. (This is not the hardware serial number of the system.)
5. Enter the hardware serial number located on the eprism in the Hsn field.
6. Click Continue to activate the license.

Manual License Activation

To manually activate a license:

1. From a workstation connected to the Internet, go to activate.stbernard.com to obtain an Activation Key.
2. Select the product or option you want to license, and then enter the appropriate license information.
3. You will receive an Activation Key that is used in the following steps.
4. On eprism, select Management > License Management on the menu.
5. Click the Manual Activation button.
6. Enter the Serial number and Activation Key, and then click Next.

Optional Product Licenses

The following products must be licensed separately. If these options are enabled, they run in evaluation mode for 30 days. Use the same licensing procedure described previously to add these optional licenses.

- Kaspersky Anti-Virus
- HALO Stateful Failover Option
- Attachment Content Scanning

Software Updates

It is important to keep your eprism software updated with the latest patches and upgrades. A key aspect of good security is responding quickly to new attacks and exposures by updating the system software as soon as updates are available.

Updates are supplied in special files provided by St. Bernard. These updates can be delivered or retrieved in several ways, including email, FTP, or download from St. Bernard's support servers. The Security Connection, if enabled, downloads any patches automatically; Security Connection is discussed in more detail in the next section.

St. Bernard recommends that you back up the current system before performing an update. See Backup and Restore on page 314 for detailed information on the backup and restore procedure.

Select Management > Software Updates on the menu to load and apply software updates. The Software Updates screen shows Available Updates (loaded onto eprism but not applied) and Installed Updates (applied and active). You can install an available update, or uninstall a previously installed update.

When software update files have been downloaded to your local system, install them by clicking Browse, navigating to the downloaded file, and then clicking Upload. After applying any updates, you must restart the system.

Security Connection

The Security Connection is a service running on eprism that polls St. Bernard's support servers for new updates, security alerts, and other important information. When new information and updates are received, an email notification can be sent to the administrator. It is recommended that you enable this service.

For security purposes, all Security Connection files are encrypted and carry an MD5-based digital signature, which is verified after the file is decrypted. Note that MD5 is no longer considered collision-resistant, so this signature is a weaker integrity check than a modern hash would provide; still install only updates obtained through this channel or directly from St. Bernard.

Enabled
    Select to enable Security Connection.

Frequency
    Specify how often to run the Security Connection service. The choices are daily, weekly, and monthly.

Auto Download
    Enable this option to allow software updates to be downloaded automatically. The updates are not installed automatically; they must be installed via Management > Software Updates.

Display Alerts
    Enable this option to display alert messages on the system console.

Send Email
    Enable this option to send an email notification to the address specified below.

Notification Mail Address
    Specify an email address to receive messages from Security Connection.

Support Contract
    You must enter a valid Support Contract number. This information is supplied with your license key at the time of purchase.

Click Update to save your Security Connection configuration. Click the Connect Now button to run Security Connection immediately.

Reboot and Shutdown

The eprism Security Appliance can be safely rebooted or shut down from this menu. Before shutting down, remove any media from the floppy and CD-ROM drives.

Click Reboot now to shut down the system and reboot it. Click Shutdown now to shut down the system completely.

See Restoring eprism to Factory Default Settings on page 367 for detailed information on restarting eprism and restoring it to factory default settings.

Backup and Restore

eprism can back up all data, including the database, quarantined items, mail queues, user mail directories, uploaded user lists, SSL certificates, reports, and system configuration data. The eprism Security Appliance supports three backup methods:

- Local tape drive (if available)
- FTP server
- Local disk (browser download to a workstation)

The restore feature can restore any backup item individually. The eprism system should be backed up before performing any type of software upgrade or update.

Restoring a clustered system requires a different procedure from the one outlined in the next section. See the Cluster Management section starting on page 197 for more information on backing up and restoring clustered systems.

Restore Considerations

The backup and restore function is primarily intended for product recovery after a re-installation or upgrade, and it is strongly recommended that all data be restored during a system recovery rather than item by item. Because the reporting database can be quite large, restore it separately after the basic system has been restored. You must always restore the system data first, before restoring the reporting database.

Starting a Backup

You can perform backups on demand, or you can schedule a tape or FTP backup once per day via the Management > Backup & Restore > Daily Backup menu.

Select Management > Backup & Restore on the menu to start a backup. Select the required type of backup and click the Next >> button.

Local Disk (Direct Backup) Options

The following options apply when backing up to the local disk:

Encrypt backup
    Select this option to store the backup file in encrypted form.

Backup system configuration
    Select this option to back up all system configuration data, including mailboxes, Token Analysis data, licenses and keys. This option must be enabled if you need to restore system functionality.

Backup reporting data
    Select this option to include reports, history, and system event data in the backup. Backing up reporting data can drastically increase the size of the backup file and the time the backup takes. Use scheduled FTP backups to prevent your browser from timing out during this type of backup.

When you have set your options, click Next >> to continue. Verify that your options are correct, and then click Create backup now to start the backup. The system prompts you for a location to download the file (backup.gz). The backup file is saved as a gzip-compressed archive.

FTP Backup Options

The following options apply when backing up to an FTP server:

Encrypt backup
    Select this option to store the backup file in encrypted form. FTP transmits both the credentials and the backup file in cleartext, and the system configuration backup contains licenses, keys and mailboxes, so enable this option for FTP backups and restrict the FTP server to the management network.

Backup system configuration
    Select this option to back up all system configuration data, including mailboxes, Token Analysis data, licenses and keys. This option must be enabled if you need to restore system functionality.

Backup reporting data
    Select this option to include reports, history, and system event data in the backup.

FTP server
    Enter the host name or IP address of the destination FTP server.

Username
    Enter the username for the FTP server.

Password
    Enter the password for the FTP server.

Directory
    Enter the directory on the FTP server for the backup files.

Use PASV mode
    Sets FTP to use passive mode; try this if you are having problems connecting.

When you have set your options, click Next >> to continue.

Verify that your options are correct, and then click Create backup now to start the backup. You can also click Create scheduled backup, which takes you to the Daily Backup menu to create a scheduled FTP backup.

Daily Scheduled Backup

You can schedule an automatic FTP or tape backup to be performed every day at a specified time. Select Management > Backup & Restore > Daily Backup on the menu to configure automatic daily backups.

Tape Backup
    Select the check box to enable daily tape backups (if a tape drive is available).

FTP Backup
    Select the check box to enable daily FTP backups. You must configure the FTP backup settings separately on the Management > Backup & Restore screen.

Start Time
    Set the start time for the backup in 24-hour format using the syntax HH:MM, such as 02:00 for 2:00 AM.

Mail History, System Event History, and Reports cannot be backed up if the daily backup runs between 12:00 AM and 12:30 AM. This is the period during which the reporting database processes its rollout information.

FTP Backup Naming Conventions

FTP backup files are named with a timestamp as follows:

    MX-DATAx.YYMMDDHHMM

For example, a file whose timestamp is 0505152245 was written on May 15th, 2005 at 10:45 PM. When purging old backup files during routine maintenance, examine the timestamps before deleting anything.

Restoring from Backup

Select the required type of restore and click the Next >> button.

Restore from Local Disk Options

Enter the local filename that contains your server's backup data, or click Browse to select the file from the local drive directory listing. Click Next >> to upload and restore the backup file.
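Purging old FTP backups is the step where a typo deletes the wrong file, so it is worth scripting the timestamp check rather than eyeballing directory listings. The following is an added example for the administrator's workstation, not eprism code: it parses the MX-DATAx.YYMMDDHHMM convention above, rejects names that do not match or carry an impossible date, and selects files older than a retention period while always keeping a minimum number of the most recent backups. The "1" suffix in the sample names, the reference time and the retention values are constructed for the example; the guide does not specify what x is, so the parser accepts any suffix before the dot.

```python
"""Select eprism FTP backup files for purging by their embedded timestamp.
Added example for the administrator's workstation, not appliance code."""
import re
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

# MX-DATAx.YYMMDDHHMM: the guide leaves x unspecified, so any suffix without
# a dot is accepted rather than guessing at its format.
BACKUP_NAME = re.compile(r"^MX-DATA(?P<suffix>[^.]*)\.(?P<ts>\d{10})$")


def parse_backup_timestamp(name: str) -> Optional[datetime]:
    """Return the timestamp encoded in a backup filename, or None if the name
    does not follow the convention or the digits are not a valid date."""
    m = BACKUP_NAME.match(name)
    if not m:
        return None
    try:
        return datetime.strptime(m.group("ts"), "%y%m%d%H%M")
    except ValueError:          # e.g. month 13 or hour 25
        return None


def select_backups_to_purge(names: Iterable[str], now: datetime,
                            keep_days: int = 30, keep_min: int = 7) -> List[str]:
    """Return backup names older than keep_days, oldest first.

    Names that do not parse are never returned (they are not ours to delete),
    and the newest keep_min backups are always kept even if they are old,
    so a long gap in the schedule cannot wipe out every copy."""
    dated = []
    for name in names:
        ts = parse_backup_timestamp(name)
        if ts is not None:
            dated.append((ts, name))
    dated.sort()
    protected = {name for _, name in dated[-keep_min:]} if keep_min > 0 else set()
    cutoff = now - timedelta(days=keep_days)
    return [name for ts, name in dated if ts < cutoff and name not in protected]


# Constructed sample directory listing and reference time.
SAMPLE_BACKUPS = [
    "MX-DATA1.0505152245",   # 2005-05-15 22:45
    "MX-DATA1.0506012245",   # 2005-06-01 22:45
    "MX-DATA1.0506192245",   # 2005-06-19 22:45
    "MX-DATA1.0513152245",   # month 13: not a valid timestamp, ignored
    "README.txt",            # unrelated file, ignored
]
SAMPLE_NOW = datetime(2005, 6, 20)

if __name__ == "__main__":
    for name in select_backups_to_purge(SAMPLE_BACKUPS, SAMPLE_NOW, keep_days=30, keep_min=1):
        print("would delete:", name)
```

Run against the real FTP directory listing, the output is a list you can review before feeding it to the delete step; the strptime round-trip also catches listings where a digit was mangled in transit.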

FTP Restore Options

Enter the following information to restore from an FTP server:

FTP server
    Enter the host name or IP address of the FTP server where the backup file is stored.

Username
    Enter the username for the FTP server.

Password
    Enter the password for the FTP server.

Directory
    Enter the directory on the FTP server that holds the backup files.

Use PASV mode
    Sets FTP to use passive mode; try this if you are having problems connecting.

Click Next >> to connect to the FTP server and retrieve the backup file.

Restore Options

When the backup file has been successfully retrieved, you can choose which parts of the system you want to restore. When you have selected the restore items, click Restore Now. If you are restoring reporting data separately, do so only after the main system information has been restored.

You can view the current status of the restore process in the Status section of the Management > Backup & Restore menu.

When the restore is complete, review and edit your network configuration in the Basic Config > Network screen as required, and click Apply to reboot. This ensures that all restored network settings have been applied. If you modified the networking information during the system installation process and then performed a restore, your new networking information may have been overwritten by the restored data. Ensure that your network settings are correct before updating and rebooting the system.

Backup and Restore Errors

The following table describes the errors that can occur when restoring a backup file:

TABLE 1. Backup and Restore Error Codes

Error Code   Description
0            No error
1            Form data missing
2            MIME data missing boundary
3            Invalid form data
4            Unsupported encoding method
5            Unsupported header in MIME data
6            File open error
7            Filename not specified
8            Error writing file
9            Data is incomplete

Centralized Management

The Centralized Management feature allows you to administer multiple eprism Security Appliances from a single management console, and to perform many routine administrative tasks across all eprism systems configured in the same management group. This includes copying configuration items such as mail routes, aliases and mappings, and RADIUS and LDAP settings to other systems in the management group. All management group communications are authenticated and transmitted over HTTPS.

You can perform the following functions from the Centralized Management console:

- Start and stop mail services
- Monitor mail queues
- View statistics for incoming and outgoing mail
- Copy configuration settings to other eprism systems
- Perform backups

Centralized Management and Clustering

Centralized Management is very different from eprism's HALO Clustering features. Centralized Management is intended for managing multiple eprism systems with different configurations, while Clustering is used to monitor and manage multiple systems with identical configurations for redundancy and load balancing. See HALO (High Availability and Load Optimization) on page 265 for more detailed information on cluster management.

Configuring Centralized Management

Use the following procedure to initialize and configure Centralized Management.

1. Select Basic Config > Network from the menu.
2. Ensure that Admin Login access is enabled for the network interface that will communicate with the management group.
3. Select Management > Centralized Management. The initialization screen appears, indicating that no management groups are configured.
4. To create a management group, click Configure. You will need to enter the login and password of the admin user.
5. Add new members to the management group by clicking the Members button.

6. Enter the group member's hostname or IP address, an optional name, and the Admin user's login and password. Click Add or Update Member. When you are done, click the Close button. The group member now appears in the main management console screen.

If the address of a member server changes, the original entry must be removed before a new entry with the new address is added.

Changing the Centralized Management Console

To change the address of the console you are using, click Edit, enter your new settings, and then click Add or Update Member. You cannot delete the console you are using from the management group.

Using the Management Console

From the Centralized Management Console you can perform a variety of administrative functions.

Group Commands

The following commands apply to the entire management group:

Centralized Management Command
    From the drop-down box, select a function to execute across all members of the management group. The options are Refresh, Stop All Queues, Run (Start) All Queues, and Backup.

Select Auto Refresh
    Select the interval, in seconds, for automatic refresh of settings and statistics for group members. Select Disable if you do not require Auto Refresh.

Member System Commands

The following commands apply only to the specified group member:

Start and Stop Services
    Start and stop services for each management group member. The current status is also displayed.

Connect
    Connect directly to the specified member and open its administration screen.

Backup
    Back up the member server via FTP. Each group member must have its FTP backup configured individually before this function will work from the console.

Copy Configuration
    Copy the selected settings from the management console to the selected member. Each member can be configured individually to receive only certain settings by selecting the check box of each configuration item. Click Save to save your selected settings on the management console screen.

Copy Configuration

To copy configuration items from the Centralized Management Console to the group members, select which items to copy, and then click the Copy button. Click Save to save your settings. The following configuration settings can be replicated:

Attachment Control
    All items, including Attachment Types, are added to the selected group member.

Mail Aliases
    All mail aliases are added to the selected group member.

Virtual Mappings
    All virtual mappings are added to the selected group member.

Mail Mapping
    All mail mappings are added to the selected group member.

Mail Routing
    All mail routes are added to the selected group member.

Mail Access/Filtering
    Message size and pattern settings are added to the selected group member.

Relocated Users
    The list of relocated users on the group member is replaced by the list from the management console.

Pattern Based Filtering
    All anti-spam Pattern Based Filtering settings except the default settings are added to the selected group member.

RADIUS/LDAP
    All RADIUS and LDAP configuration settings are added to the selected group member.

The mail queue is temporarily stopped during the replication process.

Problem Reporting

Problem reporting allows you to send important configuration and logging information to St. Bernard Technical Support for help with troubleshooting system issues. Use this feature in conjunction with an existing support request.

Select Status/Reporting > Problem Reporting to configure the troubleshooting information to send.

Send To
    Enter an email address to send the reports to. The default is St. Bernard Technical Support, but you can enter your own address instead so that you can review the reports before forwarding them to St. Bernard.

Mail Log
    Sends the latest daily mail server log.

Mail Configuration
    Sends your current mail configuration file.

Mail Queue Stats
    Sends a snapshot of the current mail queue statistics.

System Messages
    Sends the latest daily system message log.

System Configuration
    Sends an XML version of the system configuration.

Click Apply to save the settings in the form, and click Send Now to send the information to the configured address.

Health Check

The Health Check service is a cost option for the eprism Security Appliance that allows St. Bernard to perform a comprehensive review of your current configuration. St. Bernard's Professional Services consultants provide a report on the health of system processes, database inconsistencies, and overall performance. Detailed recommendations for optimizing spam capture effectiveness and performance are then provided in a Diagnosis Report.

The Diagnosis Report returned to you includes:

- Summary of system review and activities (General Configuration, Network Settings and Topology, Anti-Spam, Content Filtering, Attachment Control, Anti-Virus, Software Updates)
- Recommendations for each area of concern
- Identification of known software issues
- Details on upcoming releases and patches

License Key
    Enter your license key for the Health Check service.

System Report
    Select the type of system report to generate:

    Health Check now: Send a health check report immediately.
    Health Check + Report now: Send a health check and a full system report immediately.
    Health Check + Report at 3am: Send a health check and full system report at 3 AM, so that health check and report generation occur during a period of lower activity.

Email Address
    This is the St. Bernard email address where system health reports are sent; it cannot be changed.

Click Submit to start the Health Check service. You will receive verification that the health check has been sent, and notification that a report will follow.

CHAPTER 15 Monitoring System Activity

This chapter describes how to monitor eprism's system activity and message processing, and contains the following topics:

- Activity Screen on page 330
- System Log Files on page 332
- Offloading Log Files on page 335
- SNMP (Simple Network Management Protocol) on page 337
- Alarms on page

Activity Screen

The Activity screen provides a variety of system information and utilities on one screen, including:

- Mail service stop and start
- Mail queue statistics
- Queue activity
- System uptime and CPU load
- Message status and final actions

The queue statistics columns are as follows:

Arrived
    The total number of messages processed by eprism (messages accepted). This includes messages that were spam, carried viruses, triggered attachment control, and so on.

Sent
    The total number of messages sent by eprism, including mailer daemon mail, quarantine notifications, mail delivery delay notifications, local mail, alarms, reports, and so on. If a message has multiple recipients, each delivered recipient is added to the total.

Spam
    The total number of messages considered spam by the Intercept engine.

Reject
    The total number of messages rejected because of client hostname/address restrictions, SAP rejects, DNSBLs, and PBMFs with a reject action.

Virus
    The total number of messages that contained a virus.

Clean
    The total number of inbound and outbound messages accepted for delivery by eprism that passed all security and spam filters.

Show Recipients/Senders

Click the Show Recipients button to show all recipients of a message that has multiple recipients. If a message has only one recipient, it is displayed the same way in the Show Senders and Show Recipients views. If a message has multiple recipients, the Show Senders view displays a "+" sign in front of the message; use this button to expand the message and see all its recipients. This is useful for seeing the actions and dispositions applied to a message for each recipient when the recipients belong to different scanning policies.

Cluster Activity

In a clustered system, an additional Cluster Activity screen shows the combined activity of all clustered systems.

System Log Files

Select Status/Reporting > System Logs on the menu to access the system log files. Click View in the Current Log column to view the most recent log file. Click View in the Time Index column to see a list of all log files available on the system in chronological order, including the current log file, old (rolled-out) log files, and archived (zipped) log files.

The Mail Transport log is the most important log to monitor because it contains a record of all mail processed by eprism. See Examining Log Files on page 346 for more information on interpreting the mail transport logs. Other logs include:

Authentication
    Contains messages from POP, IMAP, and WebMail logins.

HTTP Access
    A log of access to the web server.

HTTPS Access
    A log of SSL web server access.

HTTP Errors
    Contains error messages from the web server.

HTTPS Engine
    Contains messages from the web server encryption engine.

Messages
    Contains system messages, including file uploads.

Kernel
    A log of kernel-generated messages. You may see errors in the kernel logs regarding partition slices. If your system is installed with a manufacturer's diagnostics partition, this is the cause of the error and does not indicate a critical condition.

Reporting SQL (when enabled)
    This option appears only when SQL logging is enabled in Status/Reporting > Reporting > Configure. The logs can be downloaded in SQL format from this screen.

Viewing and Searching Log Files

Search for a particular string by entering a value in the Search field and then clicking the arrow button. The following features help refine log searches:

- For logical "and" and "or" searches, use the keywords "and", "or", and "not".
- Use \and or \or to search for the literal words "and" and "or".
- Use a leading / to search with a Unix-style regular expression.

You can also download the log to a text file with the Download button, and then import the file into a log analysis application for offline processing.

Advanced Search

Click the Advanced Search link to search across all log files of a specific log type.

Logs to Search
    Select the log type to search.

Search Archived
    Select the check box to search archived log files as well as current ones.

Search All Dates
    Select the check box to search the entire time span. The Date/Time fields below are greyed out when this option is selected.

Date/Time from
    Enter the beginning date and time to search from.

Date/Time to
    Enter the end date and time to search to.

Pattern
    Enter the pattern to search for in the logs.

Click the Search button when you are ready to begin the advanced log search.

Configuring a Syslog Host

All of eprism's log files can be forwarded to a syslog server, a host that collects and stores log files from many sources. The syslog files can then be analyzed by a separate logging and reporting program. You define a syslog host in the Basic Config > Network screen.
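The search syntax described under Viewing and Searching Log Files is also what you want once logs have been downloaded or forwarded to syslog, because the same query should find the same lines offline. The following is an added example, not eprism's own search code: a small evaluator for that mini-language over lines of a downloaded log. It treats "and", "or" and "not" as operators (with the usual precedence: not, then and, then or), "\and" and "\or" as literal words, a leading "/" as a regular expression, and anything else as a plain substring match. Two details the guide does not state and which are therefore assumptions here: matching is case-sensitive, and two adjacent terms with no operator between them are joined by an implicit "and". The log lines are constructed samples in a generic mail-transport style, not real eprism output.

```python
"""Evaluator for the eprism log-search syntax (added example, not appliance code)."""
import re
from typing import Callable, List

Matcher = Callable[[str], bool]


def _term(token: str) -> Matcher:
    """Turn one search term into a predicate over a log line."""
    if token.startswith("\\"):                 # \and, \or: match the literal word
        word = token[1:]
        return lambda line: word in line
    if token.startswith("/"):                  # /regex: Unix-style regular expression
        pattern = re.compile(token[1:])
        return lambda line: pattern.search(line) is not None
    return lambda line: token in line          # plain substring (case-sensitive: assumption)


def compile_query(query: str) -> Matcher:
    """Parse 'a and not b or /c.*d' into a predicate. Precedence: not > and > or.
    Adjacent terms without an operator are joined by an implicit 'and' (assumption)."""
    tokens = query.split()
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def parse_or() -> Matcher:
        nonlocal pos
        left = parse_and()
        while peek() == "or":
            pos += 1
            right = parse_and()
            left = (lambda a, b: lambda s: a(s) or b(s))(left, right)
        return left

    def parse_and() -> Matcher:
        nonlocal pos
        left = parse_not()
        while peek() is not None and peek() != "or":
            if peek() == "and":
                pos += 1
            right = parse_not()
            left = (lambda a, b: lambda s: a(s) and b(s))(left, right)
        return left

    def parse_not() -> Matcher:
        nonlocal pos
        if peek() == "not":
            pos += 1
            inner = parse_not()
            return lambda s: not inner(s)
        tok = peek()
        if tok is None or tok in ("and", "or"):
            raise ValueError("expected a search term, got %r" % tok)
        pos += 1
        return _term(tok)

    matcher = parse_or()
    if pos != len(tokens):
        raise ValueError("unexpected token %r" % tokens[pos])
    return matcher


def search_log(lines: List[str], query: str) -> List[str]:
    """Return the lines of a downloaded log that satisfy the query."""
    match = compile_query(query)
    return [line for line in lines if match(line)]


# Constructed sample of a downloaded mail transport log.
SAMPLE_LOG = [
    "May 15 22:45:01 eprism smtpd[1234]: connect from mail.example.net[192.0.2.10]",
    "May 15 22:45:02 eprism smtpd[1234]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 554 Relay access denied",
    "May 15 22:45:03 eprism qmgr[99]: 4F2A1C: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)",
    "May 15 22:46:10 eprism smtp[77]: 4F2A1C: to=<bob@example.com>, status=sent (250 OK)",
    "May 15 22:47:00 eprism smtpd[1234]: warning: hostname lookup for 198.51.100.7 failed and was retried",
]

if __name__ == "__main__":
    for line in search_log(SAMPLE_LOG, "192.0.2.10 and not reject"):
        print(line)
    for line in search_log(SAMPLE_LOG, "/status=(sent|bounced)"):
        print(line)
```

The escape rule matters more than it looks: a query for the word "and" on its own is an operator with nothing to operate on and is rejected, while "\and" finds the line that actually contains the word.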

Offloading Log Files

In environments with high mail throughput, eprism's log files, such as the mail transport log, can grow very quickly. When a certain number of log files have been generated, eprism can automatically compress the older files to save disk space.

For backup purposes and offline reporting, eprism can copy log and reporting files to another system at regular intervals using the FTP or SCP file copy utilities. This allows administrators to keep the log files on a separate host for analysis and storage. When enabled, the offload occurs each time a log file is rolled over, and at the time specified in the offload date and time settings.

The Offload (Reporting) section is for organizations that require a separate reporting server to which logs are forwarded for reporting purposes.

Select Status/Reporting > Server Logs > Rollout & Offload on the menu to configure your rollout and offload settings.

Rollout (Keep Uncompressed)

Configure the number of local uncompressed files to keep on eprism in the Keep uncompressed field. When log files are rolled over, eprism keeps this many files uncompressed on the hard drive; once this count is reached, older files are compressed (oldest first) to save disk space. Leave this field blank to keep all log files uncompressed.

Offload (Backup)

Offload
    Select the check box to enable offloading of rolled-out log files.

Copy application
    Select the program (FTP or SCP) used to copy the rolled-out files. The chosen service must be enabled on the destination host. SCP authenticates the destination host and encrypts the transfer, whereas FTP sends the password and the log data in cleartext, so prefer SCP where the destination supports it.

Port
    TCP port to be used by the copy application. If this field is left blank, the default port for the application is used.

Host
    Enter the host to copy rollout data to using the specified method.

Folder
    Select the folder on the destination host to copy the rollout data to.

Construct Filename
    Select an identifier for the file name, such as a sequential number (maillog.1) or a timestamp appended to the name.

User
    Username used to log in to the destination host.

Password
    Password for the specified username.

Compress
    Select the check box to gzip-compress the rolled-out files before copying.

Click the Update button when finished. Click the Offload now button to begin offloading files immediately.

Click the Offload Again button to reset the record of which files have been offloaded. This forces all files, including those offloaded before, to be offloaded again. After clicking Offload Again, you must click Offload Now, or wait for the next scheduled offload (when a log file rolls over, or every hour), to start the offloading process.

SNMP (Simple Network Management Protocol)

Simple Network Management Protocol (SNMP) is the standard protocol for network management. When enabled on eprism, this feature allows standard SNMP monitoring tools to connect to the SNMP agent running on eprism and extract real-time system information.

The information available from the SNMP agent is organized into objects described by the MIB (Management Information Base) files. It includes disk, memory, and CPU statistics, mail queue information, and statistics on the number of spam and virus-infected emails. An SNMP trap can be sent when the system reboots. See SNMP MIBS on page 383 for detailed information on the objects available in eprism's MIB files.

The SNMP agent service is installed and running by default, but it must be enabled specifically for each interface in the Basic Config > Network screen. It is strongly advised that the agent be enabled only on the internal (trusted) network.

Configuring SNMP

Select Basic Config > SNMP Configuration on the menu to configure SNMP.

Send Trap on Reboot
    Enable the check box to send a trap message to your SNMP trap host whenever the system reboots.

System Contact (Required)
    Enter the email address of the contact person for this system.

System Location (Required)
    Enter the location of the system.

Read-Only Community
    By default, eprism does not allow read/write access to the SNMP agent. For read access, you must set up a read-only community string on both the agent and your SNMP management application. It is recommended that you change the default community string "public" to a less guessable value. The community string is case sensitive. Note that in SNMPv1 and SNMPv2c the community string is sent in cleartext with every request, so it provides little protection on its own; the Permitted Clients list and the internal-interface restriction are the effective access control.

Permitted Clients
    To allow access to eprism's SNMP agent, you must explicitly add the client system to the list of SNMP Permitted Clients. Clients can be specified by host name, IP address, or network address in CIDR notation (such as a /24). Typically, you enter the address of your SNMP management station. Click Add to add the permitted client.

Trap Hosts
A trap host is an SNMP management station that will receive system traps from eprism. eprism sends an SNMP trap when the system is rebooted. Enter a list of hosts that will receive trap messages. The hosts can be specified using a host name or IP address. Click Add to add the trap host.

MIB Files
The SNMP MIB files can be downloaded by clicking the Download MIBs button. These files must be imported into your SNMP management program. The MIB file contains a list of objects representing the information that can be extracted from the system's SNMP agent. See SNMP MIBS on page 383 for detailed information on the contents of the St. Bernard eprism Email Security Appliance MIB files.
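The two access checks described above (a case-sensitive read-only community string, and a source that must appear in the Permitted Clients list as a host name, IP address, or network) can be modelled as below. This is an added example, not eprism's own code; the community string, addresses and host names are constructed sample values, and the audit thresholds are the author's own choices.

```python
"""Model of eprism's SNMP read access checks plus a small configuration audit.
Added example, not the appliance's own code. Decision rule as described in the
guide: the request must carry the configured read-only community string (case
sensitive) AND come from an entry in Permitted Clients (host name, single IP,
or network with prefix length). All sample values are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SnmpAccessConfig:
    read_only_community: str
    permitted_clients: list = field(default_factory=list)
    trap_hosts: list = field(default_factory=list)


def _client_matches(entry, source_ip, source_host=None):
    """True if one Permitted Clients entry covers the requester.

    An entry that parses as an address or network is compared numerically
    (a bare IP becomes a /32, host bits in a network entry are tolerated);
    anything else is treated as a host name and compared case-insensitively
    against the name the requester resolved to, if one is supplied."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return source_host is not None and entry.lower() == source_host.lower()
    return ipaddress.ip_address(source_ip) in net


def snmp_request_allowed(cfg, community, source_ip, source_host=None):
    """Decide whether an SNMP read from (source_ip, source_host) is served.

    Both checks must pass. The community comparison is deliberately case
    sensitive, matching the behaviour documented for the appliance."""
    if community != cfg.read_only_community:
        return False
    return any(_client_matches(e, source_ip, source_host)
               for e in cfg.permitted_clients)


def audit_snmp_config(cfg, widest_prefix=16):
    """Return human-readable findings for the weaknesses the guide warns about:
    the default 'public' community, an empty client list, and client entries
    so broad that they admit far more than a management station. The
    widest_prefix threshold is an assumption of this example, not a product rule."""
    findings = []
    if cfg.read_only_community == "public":
        findings.append("default community string 'public' is still in use")
    if not cfg.permitted_clients:
        findings.append("no permitted clients configured; no management station can poll the agent")
    for entry in cfg.permitted_clients:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # host name entries are not range-checked here
        if net.prefixlen == 0:
            findings.append(f"permitted client {entry} allows any source address")
        elif net.prefixlen < widest_prefix:
            findings.append(f"permitted client {entry} is broader than /{widest_prefix}")
    return findings


if __name__ == "__main__":
    # Constructed sample: one /24 management subnet, one named station, one host.
    cfg = SnmpAccessConfig("Eprism-RO-2007",
                           ["10.1.2.0/24", "nms.example.internal", "192.0.2.10"])
    print(snmp_request_allowed(cfg, "Eprism-RO-2007", "10.1.2.55"))   # True
    print(snmp_request_allowed(cfg, "eprism-ro-2007", "10.1.2.55"))   # False (case)
    print(audit_snmp_config(SnmpAccessConfig("public", ["0.0.0.0/0"])))
```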

Alarms

eprism implements a variety of system alarms to notify the administrator of exceptional system conditions. Alarms are currently generated from the HALO, LDAP, and Backup subsystems. For example, you can receive an alarm notification if the daily FTP backup fails, or if communication is lost with a cluster member. Errors with LDAP user imports will also trigger an alarm.

You can select the type of alarm notifications to receive, such as Critical, Serious, and Warning events. These notifications can be sent via:

Email
Console Alert
Activity Screen Alert

The following example shows an alarm appearing on the Activity screen. You must click Acknowledge to remove the alarm notification.

Configuring Alarms

Select Basic Config > Alarms on the menu to configure your alarms and notifications.

Send Escalation Mail
Select the types of alarms that will trigger an email to be sent to the Escalation Mail Address specified below.

Send Alarm Mail
Select the types of alarms that will trigger an email to be sent to the Alarm Mail Address specified below. You must have a valid email address specified in the Addresses section for the alarm to be sent.

Alert to Console
Select the types of alarms that will display an alert on the system console screen.

Alert to Activity Page
Select the types of alarms that will display an alert on the main Activity screen.

Escalation Mail Address
Enter an email address to send escalation messages to.

Alarm Mail Address
Enter an email address to send alarm messages to.

It is recommended that you use SNMP for monitoring of system resources such as disk space and memory usage. See SNMP (Simple Network Management Protocol) on page 337 for more information.

Alarms List

The following table describes the types of alarms that can be triggered.

TABLE 1. Alarms List

Severity   Alarm
Critical   LDAP Lookup: LDAP lookup failed during delivery
Critical   LDAP Lookup: LDAP lookup: Unable to bind to server
Critical   LDAP Lookup: LDAP lookup: Search error 81: Can't contact LDAP server
Critical   Queue Replication: Cannot connect to mirror
Serious    Clustering: Cluster Error connecting to host [member address]
Serious    Clustering: Cluster Error writing to host [member address]
Serious    Clustering: Cluster Error closing socket for host [member address]
Serious    Clustering: Cluster Error Connection to database
Serious    Clustering: Cluster Error query failed: [query error message]
Serious    Clustering: Cluster replication Error opening configuration file [file error]
Serious    Clustering: Error loading cluster configuration file
Serious    Clustering: Cluster Error loading command at [location in configuration file]
Serious    LDAP Import: LDAP import, Import of groups failed
Serious    LDAP Import: LDAP import, Import of users failed
Serious    LDAP Import: LDAP failed to download users, groups
Serious    dccstat: Excessive DCC failures
Serious    FTP Backup: FTP Backup Failed [error message]
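The Configuring Alarms settings and the Alarms List together define a simple routing rule: classify a message by its table entry, then deliver it on each channel whose severity selection includes it, skipping a mail channel when no address is configured. The code below is an added example (not eprism's code) that implements that rule over the table as printed; bracketed fields such as [member address] are treated as wildcards, and the channel selections, addresses and sample messages are constructed.

```python
"""Classify eprism alarm messages against TABLE 1 and route them per the
Basic Config > Alarms selections. Added example, not the appliance's code.
Severity/text pairs are copied from the table; everything else is constructed."""
import re

# (severity, alarm text) exactly as listed in TABLE 1. Alarms List.
ALARMS_LIST = [
    ("Critical", "LDAP Lookup: LDAP lookup failed during delivery"),
    ("Critical", "LDAP Lookup: LDAP lookup: Unable to bind to server"),
    ("Critical", "LDAP Lookup: LDAP lookup: Search error 81: Can't contact LDAP server"),
    ("Critical", "Queue Replication: Cannot connect to mirror"),
    ("Serious", "Clustering: Cluster Error connecting to host [member address]"),
    ("Serious", "Clustering: Cluster Error writing to host [member address]"),
    ("Serious", "Clustering: Cluster Error closing socket for host [member address]"),
    ("Serious", "Clustering: Cluster Error Connection to database"),
    ("Serious", "Clustering: Cluster Error query failed: [query error message]"),
    ("Serious", "Clustering: Cluster replication Error opening configuration file [file error]"),
    ("Serious", "Clustering: Error loading cluster configuration file"),
    ("Serious", "Clustering: Cluster Error loading command at [location in configuration file]"),
    ("Serious", "LDAP Import: LDAP import, Import of groups failed"),
    ("Serious", "LDAP Import: LDAP import, Import of users failed"),
    ("Serious", "LDAP Import: LDAP failed to download users, groups"),
    ("Serious", "dccstat: Excessive DCC failures"),
    ("Serious", "FTP Backup: FTP Backup Failed [error message]"),
]


def _pattern(alarm_text):
    """Compile a table entry into a regex: literal text with each bracketed
    placeholder ([member address], [error message], ...) replaced by '.+'."""
    literal_parts = re.split(r"\[[^\]]*\]", alarm_text)
    return re.compile("^" + ".+".join(re.escape(p) for p in literal_parts) + "$")


_COMPILED = [(sev, text, _pattern(text)) for sev, text in ALARMS_LIST]


def classify_alarm(message):
    """Return (severity, table entry) for a raw alarm message,
    or (None, None) if it matches nothing in the Alarms List."""
    message = message.strip()
    for sev, text, rx in _COMPILED:
        if rx.match(message):
            return sev, text
    return None, None


class AlarmNotifier:
    """Holds the per-channel severity selections from Basic Config > Alarms
    and the two mail addresses, and routes classified alarms accordingly."""

    CHANNELS = ("escalation_mail", "alarm_mail", "console", "activity_page")

    def __init__(self, selections, escalation_mail_address=None, alarm_mail_address=None):
        # selections: {channel: iterable of severities that trigger it}
        self.selections = {ch: set(selections.get(ch, ())) for ch in self.CHANNELS}
        self.escalation_mail_address = escalation_mail_address
        self.alarm_mail_address = alarm_mail_address

    def route(self, message):
        """Return [(channel, destination), ...] for one message, in channel order.
        Unknown messages produce nothing; a mail channel is dropped when its
        address is missing, since the guide says mail is only sent with a valid address."""
        severity, _ = classify_alarm(message)
        if severity is None:
            return []
        deliveries = []
        for channel in self.CHANNELS:
            if severity not in self.selections[channel]:
                continue
            if channel == "escalation_mail":
                if self.escalation_mail_address:
                    deliveries.append((channel, self.escalation_mail_address))
            elif channel == "alarm_mail":
                if self.alarm_mail_address:
                    deliveries.append((channel, self.alarm_mail_address))
            else:
                deliveries.append((channel, None))  # console / activity page
        return deliveries


if __name__ == "__main__":
    # Constructed configuration: escalate only Critical, mail both, page everything.
    notifier = AlarmNotifier(
        {"escalation_mail": ["Critical"], "alarm_mail": ["Critical", "Serious"],
         "console": ["Critical"], "activity_page": ["Critical", "Serious", "Warning"]},
        escalation_mail_address="oncall@example.internal",
        alarm_mail_address="mailadmin@example.internal")
    for msg in ("Queue Replication: Cannot connect to mirror",
                "Clustering: Cluster Error connecting to host 10.1.2.8",
                "Disk usage above threshold"):
        print(msg, "->", classify_alarm(msg)[0], notifier.route(msg))
```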

CHAPTER 16 Troubleshooting Mail Delivery

This chapter describes procedures for troubleshooting mail delivery problems and contains the following topics:

Troubleshooting Mail Delivery on page 344
Troubleshooting Tools on page 345
Examining Log Files on page 346
Network and Mail Diagnostics on page 355
Troubleshooting Content Issues on page

Troubleshooting Mail Delivery

When experiencing mail delivery problems, the first step is to determine whether the problem is affecting only incoming mail, only outgoing mail, or both. For example, if you are receiving mail but not sending outgoing mail, it is certain that your Internet connection is working properly, or you would not be receiving mail. In this scenario, you may have issues with the firewall blocking your outbound SMTP connections, or some other problem preventing mail delivery.

Problems affecting both inbound and outbound delivery include the following scenarios:

Network Infrastructure and Communications
The most common scenario in which you are not receiving or sending mail is that your Internet connection is down. This can include upstream communications with your ISP, your connection to the Internet, or your external router. You should also check your internal network infrastructure to ensure you can contact eprism from your router or firewall.

DNS
If your DNS is not working or is configured improperly, mail will not be forwarded to your eprism, or you will not be able to look up external mail sites. Check the DNS service itself to see if it is running, and check your DNS records for any misconfiguration of your mail services. Ensure that your MX records are set up properly to point to the eprism system.

Firewall
If you are having issues with your firewall, or if it is misconfigured, it may inadvertently block mail access to and from eprism. For example, SMTP port 25 must be opened between the Internet and eprism, and internally, to allow inbound and outbound mail connections.

Internal Mail Systems
You may be receiving incoming mail on the eprism, but mail is not being forwarded to the appropriate internal mail servers. Also, outgoing mail from the internal servers may not be forwarded to eprism for delivery. In these scenarios, examine your internal mail server to ensure it is working properly. Check communications between the two systems to ensure there are no network, DNS, or routing issues. Also check that your internal servers are configured to send outgoing mail to eprism.

External Mail Systems
If you have a large amount of mail to a particular destination, and that mail server is currently down, these messages will queue up in the deferred mail queue to be retried after a period of time. You can view the Mail Transport logs to see the relevant messages that may indicate why you cannot connect to that particular mail server. The server could be down, too busy, or not currently accepting connections.

Troubleshooting Tools

The following sections describe the built-in tools that can be used on the eprism system to help troubleshoot mail delivery problems.

Monitoring the Activity Screen
On eprism's main Activity screen, you can quickly examine whether there are any issues with mail delivery. Examine the following items:

Check the mail queue activity to view the number of Queued, Deferred, and Total messages in the mail queue. This is a quick indicator of how your mail is processing. Click the Refresh button frequently to ensure that the mail queues are not building up too high.

In the Mail Received Recently portion of the Activity screen, check the timestamps of your most recent incoming and outgoing mail. If no mail has been processed in a certain period of time, this may indicate that the inbound, outbound, or both mail directions are not working.

Check the statistics for your mail queues. You may notice mail system latency if you are receiving a lot of virus, spam, or message rejects.


More information

Barracuda Web Filter Administrator s Guide

Barracuda Web Filter Administrator s Guide Barracuda Web Filter Administrator s Guide Version 3.3 Barracuda Networks Inc. 3175 S. WInchester Blvd Campbell, CA 95008 http://www.barracuda.com 1 Copyright Notice Copyright 2004-2008, Barracuda Networks

More information

Hosted Email Security 2.0 Quick Start Guide

Hosted Email Security 2.0 Quick Start Guide Hosted Email Security 2.0 Quick Start Guide 1 Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION: A CAUTION indicates potential

More information

User Identification and Authentication

User Identification and Authentication User Identification and Authentication Vital Security 9.2 Copyright Copyright 1996-2008. Finjan Software Inc.and its affiliates and subsidiaries ( Finjan ). All rights reserved. All text and figures included

More information

Kaseya Server Instal ation User Guide June 6, 2008

Kaseya Server Instal ation User Guide June 6, 2008 Kaseya Server Installation User Guide June 6, 2008 About Kaseya Kaseya is a global provider of IT automation software for IT Solution Providers and Public and Private Sector IT organizations. Kaseya's

More information

Symantec Messaging Gateway 10.0 Installation Guide. powered by Brightmail

Symantec Messaging Gateway 10.0 Installation Guide. powered by Brightmail Symantec Messaging Gateway 10.0 Installation Guide powered by Brightmail The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of

More information

Trustwave SEG Cloud Customer Guide

Trustwave SEG Cloud Customer Guide Trustwave SEG Cloud Customer Guide Legal Notice Copyright 2015 Trustwave Holdings, Inc. All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation

More information

MDaemon Vs. Microsoft Exchange Server 2013 Standard

MDaemon Vs. Microsoft Exchange Server 2013 Standard Comparison Guide Vs. The following chart is a side-by-side feature comparison of and. Flex Licensing Maximum Accounts Unlimited Unlimited SMTP, POP3, DomainPOP, and MultiPOP POP3 & SMTP Only SSL / TLS

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Installing GFI MailEssentials

Installing GFI MailEssentials Installing GFI MailEssentials Introduction to installing GFI MailEssentials This chapter shows you how to install and configure GFI MailEssentials. GFI MailEssentials can be installed in two ways: Installation

More information

Best Practices Revision A. McAfee Email Gateway 7.x Appliances

Best Practices Revision A. McAfee Email Gateway 7.x Appliances Best Practices Revision A McAfee Email Gateway 7.x Appliances COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Release Notes for Websense Email Security v7.2

Release Notes for Websense Email Security v7.2 Release Notes for Websense Email Security v7.2 Websense Email Security version 7.2 is a feature release that includes support for Windows Server 2008 as well as support for Microsoft SQL Server 2008. Version

More information

Barracuda Spam&Virus Firewall v5.1 a Web Filter v5.0 Nové funkce, pluginy a uživatelská vylepšení. Jiří Blažek, Product Manager

Barracuda Spam&Virus Firewall v5.1 a Web Filter v5.0 Nové funkce, pluginy a uživatelská vylepšení. Jiří Blažek, Product Manager Barracuda Spam&Virus Firewall v5.1 a Web Filter v5.0 Nové funkce, pluginy a uživatelská vylepšení Jiří Blažek, Product Manager WEB FILTER - NEW TO VERSION 5.0-1/2 - New role based administration, configurable

More information

Quick Start Guide. Sendio Email System Protection Appliance. Sendio 5.0

Quick Start Guide. Sendio Email System Protection Appliance. Sendio 5.0 Sendio Email System Protection Appliance Quick Start Guide Sendio 0 Sendio, Inc. 4911 Birch St, Suite 150 Newport Beach, CA 92660 USA +949.274375 www.sendio.com QUICK START GUIDE SENDIO This Quick Start

More information

CipherMail Gateway Quick Setup Guide

CipherMail Gateway Quick Setup Guide CIPHERMAIL EMAIL ENCRYPTION CipherMail Gateway Quick Setup Guide October 10, 2015, Rev: 9537 Copyright 2015, ciphermail.com. CONTENTS CONTENTS Contents 1 Introduction 4 2 Typical setups 4 2.1 Direct delivery............................

More information

Sonian Getting Started Guide October 2008

Sonian Getting Started Guide October 2008 Sonian Getting Started Guide October 2008 Sonian, Inc. For Authorized Use Only 1 Create your new archiving account 3 Configure your firewall for IMAP collections 4 (Skip this step if you will be using

More information

User guide Business Internet e-mail features

User guide Business Internet e-mail features User guide Business Internet e-mail features Page 1 de 1 Table of content Page Introduction 3 1. How do I access my web based e-mail? 3 2. How do I access/alter these enhancements? 3 A. Basic Features

More information

Barracuda IM Firewall Administrator s Guide

Barracuda IM Firewall Administrator s Guide Barracuda IM Firewall Administrator s Guide Version 3.0 Barracuda Networks Inc. 3175 S. Winchester Blvd Campbell, CA 95008 http://www.barracuda.com Copyright Notice Copyright 2007, Barracuda Networks www.barracuda.com

More information

WHM Administrator s Guide

WHM Administrator s Guide Fasthosts Customer Support WHM Administrator s Guide This manual covers everything you need to know in order to get started with WHM and perform day to day administrative tasks. Contents Introduction...

More information

IBM Security QRadar SIEM Version 7.1.0 MR1. Administration Guide

IBM Security QRadar SIEM Version 7.1.0 MR1. Administration Guide IBM Security QRadar SIEM Version 7..0 MR Administration Guide Note: Before using this information and the product that it supports, read the information in Notices and Trademarks on page 07. Copyright

More information

Government of Canada Managed Security Service (GCMSS) Annex A-5: Statement of Work - Antispam

Government of Canada Managed Security Service (GCMSS) Annex A-5: Statement of Work - Antispam Government of Canada Managed Security Service (GCMSS) Date: June 8, 2012 TABLE OF CONTENTS 1 ANTISPAM... 1 1.1 QUALITY OF SERVICE...1 1.2 DETECTION AND RESPONSE...1 1.3 MESSAGE HANDLING...2 1.4 CONFIGURATION...2

More information

RSA Authentication Manager 7.1 Basic Exercises

RSA Authentication Manager 7.1 Basic Exercises RSA Authentication Manager 7.1 Basic Exercises Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA and the RSA logo

More information

Parallels Plesk Panel

Parallels Plesk Panel Parallels Plesk Panel Copyright Notice ISBN: N/A Parallels 660 SW 39th Street Suite 205 Renton, Washington 98057 USA Phone: +1 (425) 282 6400 Fax: +1 (425) 282 6444 Copyright 1999-2009, Parallels, Inc.

More information