Symantec Messaging Gateway for Service Providers Implementation Guide

Transcription

1 Symantec Messaging Gateway for Service Providers 10.5 Implementation Guide

2 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version: Legal Notice Copyright 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo and are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ( Third Party Programs ). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR and subject to restricted rights as defined in FAR Section "Commercial Computer Software - Restricted Rights" and DFARS , "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

3 Symantec Corporation 350 Ellis Street Mountain View, CA

4 Technical Support Contacting Technical Support Symantec Technical Support maintains support centers globally. Technical Support s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates. Symantec s support offerings include the following: A range of support options that give you the flexibility to select the right amount of service for any size organization Telephone and/or Web-based support that provides rapid response and up-to-the-minute information Upgrade assurance that delivers software upgrades Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis Premium service offerings that include Account Management Services For information about Symantec s support offerings, you can visit our website at the following URL: All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy. Customers with a current support agreement may access Technical Support information at the following URL: Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem. When you contact Technical Support, please have the following information available: Product release level Hardware information

5 Available memory, disk space, and NIC information Operating system Version and patch level Network topology Router, gateway, and IP address information Problem description: Error messages and log files Troubleshooting that was performed before contacting Symantec Recent software configuration changes and network changes Licensing and registration Customer service If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: Customer service information is available at the following URL: Customer Service is available to assist with non-technical questions, such as the following types of issues: Questions regarding product licensing or serialization Product registration updates, such as address or name changes General product information (features, language availability, local dealers) Latest information about product updates and upgrades Information about upgrade assurance and support contracts Information about the Symantec Buying Programs Advice about Symantec's technical support options Nontechnical presales questions Issues that are related to CD-ROMs, DVDs, or manuals

6 Support agreement resources If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows: Asia-Pacific and Japan Europe, Middle-East, and Africa North America and Latin America

7 Contents Technical Support... 4 Chapter 1 Introducing Messaging Gateway for Service Providers About Symantec Messaging Gateway for Service Providers What's new in Messaging Gateway for Service Providers Components of Messaging Gateway for Service Providers How Messaging Gateway for Service Providers works What you can do with Messaging Gateway for Service Providers Where to get more information about Messaging Gateway for Service Providers Chapter 2 Planning for installation About Messaging Gateway for Service Providers deployment About Messaging Gateway for Service Providers deployment at the gateway layer About Messaging Gateway for Service Providers deployment at the post gateway layer About Messaging Gateway for Service Providers deployment at the mail server About Messaging Gateway for Service Providers deployment on the Client and the Server About plan for disk space storage About firewall configuration Configuring firewall port connections for a standard deployment model Ports required for Messaging Gateway for Service Providers About using Messaging Gateway for Service Providers with other filtering products About adjusting MX records for Messaging Gateway for Service Providers software About access by the Server to perimeter information About preserving quarantined mail for access after update... 38

8 Contents 8 Chapter 3 Chapter 4 Installing Messaging Gateway for Service Providers Before you install System requirements New installation Installing Messaging Gateway for Service Providers on Linux and Solaris Configuring Messaging Gateway for Service Providers on Linux and Solaris Installing Messaging Gateway for Service Providers on Windows Update installation Updating one or more Solaris or Linux systems Updating one or more Windows systems Uninstalling Messaging Gateway for Service Providers Backing out of an update Optimizing Messaging Gateway for Service Providers Managing your system for service providers About IPv6 address in Messaging Gateway for Service Providers About the Sender Reputation Service About DNS-based IP reputation About selecting the optimal rule set to optimize performance Implementing custom rule sets Using Keep Alive Optimizing performance on Solaris SPARC Optimizing performance with Java Message Service Optimizing performance on Linux Optimizing performance on Windows About enhancing performance for outbound Configuration tips to reduce outbound spam About the factors that affect performance Hardware components that affect performance Environmental factors that affect performance About the Messaging Gateway for Service Providers settings that affect performance... 70

9 Contents 9 Chapter 5 Configuring Messaging Gateway for Service Providers About configuring settings for a large number of users Setting up Scanner services on Linux and Solaris Setting up Scanner services on Windows About configuration file elements About the Installation section About the Services section About the Spam Service Type libbh libintsig libstatsig libspamsig libregexfilter libspamhunter About the Virus Services Type libantivirus About the Consent Service Type libfastpass libpermit About the Language Service Type liblanguageid About the Reinsert Service Type libreinsert About the Programs section About the Filter program About the Client program About the Server program About the Conduit program About the LiveUpdate program About the AntiVirus Cleaner program About the Engine section About bmicheckreputation About the Policies section Adding a new disposition through the command line Updating an existing disposition Changing the destination string of an existing disposition Changing the order of message scanning Managing logs for stand-alone Scanners About the log level element About the log period element About the periodunits element

10 Contents 10 About the numberretained element About managing statistics for stand-alone Scanners About conduit rule updates About LiveUpdate rule updates Chapter 6 Chapter 7 Configuring Java Messaging Server to integrate with Messaging Gateway for Service Providers About integrating the Sun Java Messaging Server MTA with Messaging Gateway for Service Providers Installation overview Configuring Messaging Server for Messaging Gateway for Service Providers Configuring a multi-node deployment About enabling the tracker for Messaging Server Troubleshooting issues with Messaging Server integration Configuring Sendmail to integrate with Messaging Gateway for Service Providers About integrating Sendmail Understanding the filter address and optional settings About configuring Sendmail Switch to work with Messaging Gateway for Service Providers Configuring Sendmail for Messaging Gateway for Service Providers with sendmail.cf About configuring Sendmail for Messaging Gateway for Service Providers with M About using the runner and cron Understanding automatic library paths About managing Scanner components with the runner Starting the runner About stopping the runner (and all Scanner jobs) Testing the runner About monitoring job statuses About stopping and starting jobs About the runner configuration file Chapter 8 Using group policies About group policies Creating group policies Working with group policies

11 Contents 11 Chapter 9 Filtering spam About unwanted messages Enabling or disabling Messaging Gateway for Service Providers to filter unwanted messages About submitting messages for customer-specific spam rules About the process that Symantec follows to create customer-specific spam rules Setting up customer-specific spam submissions Enabling or disabling customer-specific spam submissions Provisioning the submitter ID for customer-specific spam submissions Checking and setting the customer-specific spam submission aggressiveness level Specifying and viewing who can submit messages for customer-specific rules Submitting spam messages through the command line for customer-specific rules Submitting messages that are incorrectly marked as spam through the command line for customer-specific rules Deleting customer-specific spam data Generating customer-specific spam submission report Chapter 10 Using filters to protect your environment and block unwanted mail About Messaging Gateway for Service Providers filters About specifying senders to permit or block How Messaging Gateway for Service Providers identifies senders and connections About the Allowed Senders List and the Blocked Senders List Use case scenarios to allow or block senders Adding senders to the Blocked Senders List Adding senders to the Allowed Senders List Deleting senders from the senders list Editing senders in the senders list Enabling or disabling senders from the senders list Importing sender information into a senders list Selecting reputation services to use About filtering for spam Adjusting spam scoring Rejecting spam at the gateway Scanning text attachments Increasing the speed for processing messages

12 Contents 12 About filtering for viruses Configuring antivirus filter settings Chapter 11 Keeping your product up-to-date About updating virus definitions About LiveUpdate About Rapid Release virus definitions Obtaining the virus definition updates Obtaining definitions when a new or emerging threat is discovered Setting a local mirror of the LiveUpdate server Chapter 12 Chapter 13 Managing Messaging Gateway for Service Providers Scanners, hosts, and components Specifying internal mail hosts About registering your Scanner license Monitoring the Messaging Gateway for Service Providers status and events About Logs Modifying Log settings Viewing and saving logs About tracking messages with the SMTP message ID Appendix A Command line reference policyconfig subm-config subm-config allowedlist subm-config blockedlist subm-config configuration subm-config displaylist subm-config msg subm-config msginfo subm-config provisioning subm-config rawmsg subm-config report subm-config rule subm-config ruleinfo subm-config servicestatus subm-config submitspam

13 Contents 13 subm-config submitnotspam subm-config submissionpolicy Appendix B Input XML file to generate customer-specific submission report Spam submission XML inputs and description Sample XML file to provide inputs for customer-specific spam report generation Index

14 Chapter 1 Introducing Messaging Gateway for Service Providers This chapter includes the following topics: About Symantec Messaging Gateway for Service Providers What's new in Messaging Gateway for Service Providers Components of Messaging Gateway for Service Providers How Messaging Gateway for Service Providers works What you can do with Messaging Gateway for Service Providers Where to get more information about Messaging Gateway for Service Providers About Symantec Messaging Gateway for Service Providers Symantec Messaging Gateway for Service Providers (formerly branded as Symantec Message Filter) provides an easy-to-deploy, comprehensive security solution that protects your customers and your network. It detects and repairs viruses. It also identifies and blocks unwanted before it can inconvenience your users and overwhelm your network. The product is centralized and automated. It is scalable and can be customized to fit your organization's specific needs. Messaging Gateway for Service Providers runs with your existing mail server or groupware server. Messaging Gateway for Service Providers includes the following filters that you can customize:

15 Introducing Messaging Gateway for Service Providers What's new in Messaging Gateway for Service Providers 15 Antispam filters Antivirus definitions Allowed senders and blocked senders filters You can deploy Messaging Gateway for Service Providers in different configurations to best suit the size of your needs. See Components of Messaging Gateway for Service Providers on page 17. See How Messaging Gateway for Service Providers works on page 18. See What you can do with Messaging Gateway for Service Providers on page 20. See Where to get more information about Messaging Gateway for Service Providers on page 22. What's new in Messaging Gateway for Service Providers Table 1-1 describes the new features in this release of Messaging Gateway for Service Providers Table 1-1 Feature Creation of custom spam rules New features Description You can obtain custom spam rules specifically for your organization based on the missed spam messages and false positive messages that administrators and end users submit. This feature provides the following benefits: It improves Messaging Gateway for Service Providers's ability to detect spam and helps administrators control false positive incidents. It makes it easier to submit missed spam messages or false positive messages to Symantec for analysis and rule creation. It provides visibility into the submission status and rule creation. When you configure this feature, administrators and end users can submit messages to Symantec as missed spam or false positives. Within minutes, Symantec creates custom rules. The conduit obtains these rules which are then applied to each configured Scanner. IPv6 addresses are supported Messaging Gateway for Service Providers now accepts messages with IPv6 addresses. IPv6 addresses are also supported in the allowedblockedlist.txt.

16 Introducing Messaging Gateway for Service Providers What's new in Messaging Gateway for Service Providers 16 Table 1-1 Feature Handling unwanted category Enhanced IP reputation is now integrated with Messaging Gateway for Service Providers Antivirus New features (continued) Description Messaging Gateway for Service Providers now has new configurable verdicts for unwanted category. You can configure policies for s pertaining to marketing, which are newsletters, bulk s, and s with suspicious URLs. You can choose whether or not to enable this functionality. Messaging Gateway for Service Providers now contains the enhanced IP reputation data. Support for granular unscannable dispositions. The antivirus module now returns unscannable verdicts at more granular levels: Unscannable due to malformed MIME Unscannable due to limits exceeded (size, depth or time) Unscannable due to mismatched file type Unscannable due to other reasons These new dispositions allow users to configure policies that can take different actions based on why an attachment cannot be scanned. Table 1-2 lists the features that are discontinued in Messaging Gateway for Service Providers Table 1-2 Feature Discontinued features Description Brightmail Control Center Harvester program Sieve language The Brightmail Control Center is no longer available. All Brightmail Control Center operations can now be performed with commands supplied through the command-line interface. The harvester program is no longer available. Creating filters by coding in Sieve language is no longer supported.

17 Introducing Messaging Gateway for Service Providers Components of Messaging Gateway for Service Providers 17 Table 1-2 Feature IIS support Discontinued features (continued) Description IIS support is no longer available. To allow backward compatibility for existing customers, Symantec recommends the following deployment configuration: IIS with bmisink from Symantec Message Filter 6.3 on one system Symantec Messaging Gateway for Service Providers 10.5 on a separate system Point the bmisink configuration file to the Symantec Messaging Gateway for Service Providers 10.5 server Client-only installation Client-only installation is no longer supported on the Windows platform. Accordingly, update from a client-only installation of Symantec Message Filter 6.3 to Symantec Messaging Gateway for Service Providers 10.5 is also not supported. You must manually uninstall the 6.3 client. Message quarantine Quarantine is no longer supported. See About preserving quarantined mail for access after update on page 38. for information about backing up your quarantined messages before update if you want to retain them. Components of Messaging Gateway for Service Providers Table 1-3 lists the components of Messaging Gateway for Service Providers. Table 1-3 Component Messaging Gateway for Service Providers Scanner Components of Messaging Gateway for Service Providers Description The Messaging Gateway for Service Providers Scanner processes the that is based on the configuration options that you specify. The Messaging Gateway for Service Providers Scanner contains the following subcomponents: Client Server Conduit LiveUpdate

18 Introducing Messaging Gateway for Service Providers How Messaging Gateway for Service Providers works 18 Table 1-3 Component Client Server Conduit LiveUpdate Cleaner Components of Messaging Gateway for Service Providers (continued) Description The Client is a communication channel between the MTA and the Server. You can use multiple clients, and each client can communicate with multiple Servers. The Client balances the load between Servers. The Server filters messages for classification with a variety of scanning technologies. The classification or verdict is then returned to the Client for subsequent delivery action. The Conduit obtains updated antispam filters from Symantec and notifies each Server to use the updated filters. LiveUpdate automatically downloads virus definitions from Symantec Security Response to the Scanner. The Scanner's Brightmail Engine uses these definitions to identify known security threats. The Cleaner process is responsible for cleaning virus-infected mail. See About Symantec Messaging Gateway for Service Providers on page 14. See How Messaging Gateway for Service Providers works on page 18. See What you can do with Messaging Gateway for Service Providers on page 20. See Where to get more information about Messaging Gateway for Service Providers on page 22. How Messaging Gateway for Service Providers works The Mail Transfer Agent, which is integrated with the Messaging Gateway for Service Providers Client, receives inbound . The Client sends the message to the Server for evaluation and scanning. The Messaging Gateway for Service Providers Server filters messages for classification with a variety of scanning technologies. The Server scans the message to determine the following conditions: If the sender of the message is in the allowed senders list or the blocked senders list If the message is scannable If the message is spam or suspected spam If the message contains viruses The Server returns its verdict to the Client. The Client processes the message according to the settings that you configure.

19 Introducing Messaging Gateway for Service Providers How Messaging Gateway for Service Providers works 19 Messaging Gateway for Service Providers Conduit connects to Symantec Brightmail Logistics and Operations Center (BLOC) to determine whether updated antispam filters are available. If the filters are available, the Conduit retrieves the updated antispam filters through a secure HTTP file transfer. LiveUpdate connects to Symantec LiveUpdate server to determine whether updated antivirus definitions are available. If the definitions are available, the LiveUpdate retrieves the updated antivirus definitions through a secure HTTP file transfer. After the Conduit and LiveUpdate authenticate the antispam filters and antivirus definitions, they distribute the updated filters and definitions to your servers and notify your servers to begin using the updated filters and definitions. Figure 1-1 shows how Messaging Gateway for Service Providers integrates with your system. Figure 1-1 How Messaging Gateway for Service Providers works See About Symantec Messaging Gateway for Service Providers on page 14. See Components of Messaging Gateway for Service Providers on page 17.

20 Introducing Messaging Gateway for Service Providers What you can do with Messaging Gateway for Service Providers 20 See What you can do with Messaging Gateway for Service Providers on page 20. See Where to get more information about Messaging Gateway for Service Providers on page 22. What you can do with Messaging Gateway for Service Providers Table 1-4 describes what you can do with Messaging Gateway for Service Providers. Table 1-4 Task Create group policies Messaging Gateway for Service Providers tasks Description You can specify the groups of users that are based on addresses or domain names. You can configure group policies to set identical options for all users or to specify different actions for different groups of users. For each group, you can specify filtering actions for different categories of . And for each category, you can specify different filtering options. See About group policies on page 164. Detect spam Spam is unsolicited bulk , most often advertising messages for a product or service. It wastes productivity, time, and network bandwidth. You can define which messages are spam, suspected spam, or not spam based on the scores that Messaging Gateway for Service Providers assigns to messages. You can also configure how to dispose of spam and suspected spam messages. See About filtering for spam on page 195. Detect viruses Messaging Gateway for Service Providers detects viruses with Symantec antivirus definitions and engines. You can configure Messaging Gateway for Service Providers to repair infected messages, if possible. You can also specify how you want Messaging Gateway for Service Providers to dispose of the messages that contain viruses. See About filtering for viruses on page 199.

21 Introducing Messaging Gateway for Service Providers What you can do with Messaging Gateway for Service Providers 21 Table 1-4 Task Stop mass-mailer worm attacks Messaging Gateway for Service Providers tasks (continued) Description A mass-mailer worm or virus can exploit security vulnerabilities and spread by sending copies of itself by through the Internet or a network. For example, a single mass-mailer worm can infect one computer in an organization. Then it can spread by sending copies of itself through to everyone in the company's global address book. You can specify how you want Messaging Gateway for Service Providers to dispose of the mass-mailer messages. See About group policies on page 164. Dispose of unwanted encrypted A file that cannot be scanned can put your network at risk if it contains a virus. Infected files can be intentionally encrypted so that they cannot be scanned. You can configure how you want Messaging Gateway for Service Providers to process encrypted container files to protect your network from threats. See About group policies on page 164. Establish file processing limits Messaging Gateway for Service Providers must be able to decompose and scan a container file to detect viruses. An unscannable container file that contains a virus can pose a risk to your network. An unscannable container file is one that exceeds a scanning limit, is a partial container file, or generates a scanning error. You can specify how you want Messaging Gateway for Service Providers to process the container files that cannot be scanned. See Configuring antivirus filter settings on page 199. Block unwanted When you block from unwanted senders, you reduce the volume of that is scanned and reduce spam and potential malicious attacks. You can specify a list of senders that you want Messaging Gateway for Service Providers to automatically block. You can also use third party blocked senders lists. See About specifying senders to permit or block on page 185.

22 Introducing Messaging Gateway for Service Providers Where to get more information about Messaging Gateway for Service Providers 22 Table 1-4 Task Let trusted bypass scanning Messaging Gateway for Service Providers tasks (continued) Description Another method that you can use to reduce scanning resources is to permit trusted senders to bypass scanning for spam and content filtering. Update antispam filters and antivirus definitions You can specify trusted senders in an Allowed Senders List. You can also use third party allowed senders lists. Messages from allowed senders automatically bypass scanning for spam and content filtering. Note: Messaging Gateway for Service Providers scans all messages for viruses when virus detection is enabled, including messages from trusted senders. See About specifying senders to permit or block on page 185. Messaging Gateway for Service Providers relies on continually updated filters to effectively filter messages. Messaging Gateway for Service Providers receives filter updates through the Conduit and LiveUpdate. Conduit downloads antispam filters and LiveUpdate downloads antivirus definitions. These are the components that run on each scanner that contains a Messaging Gateway for Service Providers server. Conduit and LiveUpdate poll the secure Web sites to check for updated filters. If new filters and definitions are available, they retrieve the updated filters and definitions through a secure HTTP file transfer. After they authenticate the filters and definitions, they notify the Symantec Messaging Gateway for Service Providers servers to begin using the updated filters and definitions. See About conduit rule updates on page 134. See About LiveUpdate rule updates on page 135. See About Symantec Messaging Gateway for Service Providers on page 14. See Components of Messaging Gateway for Service Providers on page 17. See How Messaging Gateway for Service Providers works on page 18. See Where to get more information about Messaging Gateway for Service Providers on page 22. Where to get more information about Messaging Gateway for Service Providers The documentation set for this release of Messaging Gateway for Service Providers includes the following:

23 Introducing Messaging Gateway for Service Providers Where to get more information about Messaging Gateway for Service Providers 23 Symantec Messaging Gateway for Service Providers Implementation Guide Symantec Messaging Gateway for Service Providers Software Development Kit Development Guide Symantec Messaging Gateway for Service Providers Getting Started Guide Symantec Messaging Gateway for Service Providers Release Notes Symantec Brightmail Engine Integration Kit Integration Guide To find documentation about Messaging Gateway for Service Providers, on the Internet, go to the following URL: &channel=documentation&sort=recent The following online resources are also available on the Symantec Web site for more information about your product: Provides access to the technical support knowledge base, newsgroups, contact information, downloads, and mailing list subscriptions Provides information about registration, frequently asked questions, how to respond to error messages, and how to contact Symantec License Administration Provides product news and updates Provides access to a virus encyclopedia that contains information about all known threats and hoaxes, and access to white papers about threats index.jsp See About Symantec Messaging Gateway for Service Providers on page 14. See Components of Messaging Gateway for Service Providers on page 17. See How Messaging Gateway for Service Providers works on page 18. See What you can do with Messaging Gateway for Service Providers on page 20.

24 Chapter 2 Planning for installation This chapter includes the following topics: About Messaging Gateway for Service Providers deployment About plan for disk space storage About firewall configuration Ports required for Messaging Gateway for Service Providers About using Messaging Gateway for Service Providers with other filtering products About adjusting MX records for Messaging Gateway for Service Providers software About access by the Server to perimeter information About preserving quarantined mail for access after update About Messaging Gateway for Service Providers deployment You can deploy Messaging Gateway for Service Providers in any of the following configurations: At the gateway At the post-gateway See About Messaging Gateway for Service Providers deployment at the gateway layer on page 25. See About Messaging Gateway for Service Providers deployment at the post gateway layer on page 29.

25 Planning for installation About Messaging Gateway for Service Providers deployment 25 At the mail server See About Messaging Gateway for Service Providers deployment at the mail server on page 31. The type of deployment configuration that you choose depends on the following conditions: The size of your environment The number of servers that you plan to use Your environment configuration See About Messaging Gateway for Service Providers deployment on the Client and the Server on page 32. Before you install Messaging Gateway for Service Providers, ensure that you read and understand the advantages and requirements necessary for each deployment scenario. Also, ensure that your environment meets the minimum system requirements. See System requirements on page 40. About Messaging Gateway for Service Providers deployment at the gateway layer Some organizations prefer to have secure gateways with no other active services. In these environments, all other services including antispam services function behind the first gateway layer. In this deployment configuration, Messaging Gateway for Service Providers resides at the outermost gateway layer. This layer contains the gateway MTA, which processes inbound mail and relays it to other relay layers or to the user-facing message store layer. See About Messaging Gateway for Service Providers deployment on page 24. See About the advantages of Messaging Gateway for Service Providers deployment at the gateway level on page 26. See About the Messaging Gateway for Service Providers basic deployment on page 26. See About Messaging Gateway for Service Providers deployment behind a firewall on page 27. See About Messaging Gateway for Service Providers deployment in a demilitarized zone (DMZ) on page 28. See About Messaging Gateway for Service Providers deployment for high availability and performance on page 28.

26 Planning for installation About Messaging Gateway for Service Providers deployment 26 About the advantages of Messaging Gateway for Service Providers deployment at the gateway level Following are the advantages when you deploy Messaging Gateway for Service Providers at the gateway level: Detects spam at the point of entry Saves the resources Lets you enable the early verdict feature Because spam originates from the outside world, the gateway is the logical, effective place to deploy the server. When you deploy Messaging Gateway for Service Providers closer to the gateway, you can minimize mail processing and storage requirements. Spam is removed from the stream, which reduces network bandwidth. When you deploy the product at the gateway, the Scanner can determine an early verdict on the IP address before the entire message is received. If the message is blocked, the MTA does not need to continue through the remainder of the calls, thereby reducing scanning resources. See About Messaging Gateway for Service Providers deployment at the gateway layer on page 25. About the Messaging Gateway for Service Providers basic deployment Figure 2-1 shows the Messaging Gateway for Service Providers deployment scenario in which there is no firewall. Please note that the text "Symantec Message Filter" in the Inbound MTA portion of the figure should instead read "Symantec Messaging Gateway for Service Providers."

27 Planning for installation About Messaging Gateway for Service Providers deployment 27 Figure 2-1 Basic deployment See About Messaging Gateway for Service Providers deployment at the gateway layer on page 25. About Messaging Gateway for Service Providers deployment behind a firewall Figure 2-2 shows Messaging Gateway for Service Providers deployment behind the firewall. On all configured server computers, configure port 443 to permit outbound connections to the BLOC. Please note that the text "Symantec Message Filter" in the Inbound MTA portion of the figure should instead read "Symantec Messaging Gateway for Service Providers." Figure 2-2 Behind the firewall

28 Planning for installation About Messaging Gateway for Service Providers deployment 28 See About Messaging Gateway for Service Providers deployment at the gateway layer on page 25. About Messaging Gateway for Service Providers deployment in a demilitarized zone (DMZ) In this scenario, Messaging Gateway for Service Providers deployment is behind a double layer of firewalls or in a demilitarized zone. Figure 2-3 illustrates a typical DMZ configuration. Please note that the text "Symantec Message Filter" in the Inbound MTA portion of the figure should instead read "Symantec Messaging Gateway for Service Providers." Figure 2-3 In a demilitarized zone See About Messaging Gateway for Service Providers deployment at the gateway layer on page 25. About Messaging Gateway for Service Providers deployment for high availability and performance You can configure Messaging Gateway for Service Providers for high availability and performance. Messaging Gateway for Service Providers is licensed on a per-user as opposed to per-server basis. Therefore, you can install the software on as many servers as is necessary to handle your needs. The client supports round robin load balancing and fails over to secondary servers or tertiary servers

29 Planning for installation About Messaging Gateway for Service Providers deployment 29 for redundancy. The filtering daemon is multi-threaded, so it makes optimal use of multi-cpu systems. High availability deployments typically use two Messaging Gateway for Service Providers Servers. Some customers that use dedicated systems have numerous MTAs installed with the Messaging Gateway for Service Providers client. All of these MTAs point at a pair of Messaging Gateway for Service Providers servers. To provide redundancy, the Messaging Gateway for Service Providers client configuration includes the IP addresses of both available Messaging Gateway for Service Providers servers. Figure 2-4 illustrates the high availability scenario for Messaging Gateway for Service Providers deployment. Figure 2-4 High availability scenario See About Messaging Gateway for Service Providers deployment at the gateway layer on page 25. About Messaging Gateway for Service Providers deployment at the post gateway layer In this deployment method, MTAs at the gateway layer accept mail from the Internet. Then they relay unfiltered mail to the MTA that is integrated with Messaging Gateway for Service Providers software. The Server filters mail from the gateway layer and relays mail to other MTAs downstream.

30 Planning for installation About Messaging Gateway for Service Providers deployment 30 See About Messaging Gateway for Service Providers deployment on page 24. See About considerations for Messaging Gateway for Service Providers deployment at the post gateway layer on page 30. See About the advantages of Messaging Gateway for Service Providers deployment at the post-gateway layer on page 30. About considerations for Messaging Gateway for Service Providers deployment at the post gateway layer Following are some considerations for Messaging Gateway for Service Providers deployment at the post gateway layer: You must set up SMTP or Sendmail, Postfix, or an MTA with a Messaging Gateway for Service Providers integration to relay mail. If you run other applications such as antivirus software on this computer, ensure that there are enough resources to support Messaging Gateway for Service Providers software. See About Messaging Gateway for Service Providers deployment at the post gateway layer on page 29. About the advantages of Messaging Gateway for Service Providers deployment at the post-gateway layer Following are some advantages of Messaging Gateway for Service Providers deployment at the post-gateway layer: Reduced downtime Multiple services on one computer From an architecture perspective, this method often requires the least amount of downtime. Administrators can build the system, test it, and then deploy it into production. Multiple services is an efficient way to deploy Messaging Gateway for Service Providers in a multi-layer scenario on one box. For example, you can run antispam, antivirus, and other services on one physical computer. Figure 2-5 illustrates Messaging Gateway for Service Providers deployment at the post-gateway. Please note that the text "Symantec Message Filter" in the Inbound MTA portion of the figure should instead read "Symantec Messaging Gateway for Service Providers."

31 Planning for installation About Messaging Gateway for Service Providers deployment 31 Figure 2-5 Post-gateway deployment See About Messaging Gateway for Service Providers deployment at the post gateway layer on page 29. About Messaging Gateway for Service Providers deployment at the mail server In this deployment method, Messaging Gateway for Service Providers Server integrates directly with the internal mail server at the last node in any relay chain. If you run multiple mail servers, you might have to install multiple instances of Messaging Gateway for Service Providers Servers. See About Messaging Gateway for Service Providers deployment on page 24. See About the advantages of Messaging Gateway for Service Providers deployment at the mail server on page 31. About the advantages of Messaging Gateway for Service Providers deployment at the mail server The advantage of deploying Messaging Gateway for Service Providers at the mail server is as follows: Integrated solution This option is ideal for smaller organizations who do not deploy new servers. See About Messaging Gateway for Service Providers deployment at the mail server on page 31.

32 Planning for installation About Messaging Gateway for Service Providers deployment 32 About Messaging Gateway for Service Providers deployment on the Client and the Server Messaging Gateway for Service Providers software can be deployed in a variety of computing environments, from single computer setups to distributed client-server configurations. In each case, the Messaging Gateway for Service Providers Client integration communicates with the MTA by using standard libraries. As messages flow through the mail server, the Client calls the Server. The Server checks individual messages against antispam filters, antivirus definitions, and other filters that you configure. Based on the verdict that the Server returns and the Server and the configuration options that you configure, the mail may be handled differently. Table 2-1 summarizes the configurations in general terms. Table 2-1 Configuration scenarios with the Client/MTA integration and the Server Scenario Advantages Notes Single MTA and Messaging Gateway for Service Providers Server on one computer Saves the hardware cost because the MTA and the Server reside on the same computer. MTAs tend to be inbound and outbound. By comparison, the Server is CPU-intensive, so the two programs use different software resources. However, if the Server saves spam to disk or performs virus processing, it is inbound and outbound. The MTA must not use a large quantity of CPU cycles. Single MTA and Messaging Gateway for Service Providers Server on separate computers Advantages of the MTA and the Server installation on separate computers are as follows: Requires minimal or no change to an MTA server Provides scalability As mail throughput increases, you can add processors or memory to the Server to suit your needs. Provides flexibility The MTA server and the Server can run on separate platforms. This configuration is an adequate solution for most small to medium-sized enterprises.

33 Planning for installation About plan for disk space storage 33 Table 2-1 Configuration scenarios with the Client/MTA integration and the Server (continued) Scenario Multiple MTAs and Messaging Gateway for Service Providers Servers Advantages Advantages of multiple MTA and the Server installations are as follows: Provides maximum scalability Offers full failover and redundancy Provides built in round robin load balancing Allows for easy implementation of a virtual IP (VIP), which enables scalable load balancing Provides flexibility since the MTA server and the Server can run on separate platforms Notes See About Messaging Gateway for Service Providers deployment for high availability and performance on page 28. Most of this information is applicable to all MTAs. Consult your Symantec representative to determine which scenario best meets your needs. If your environment has a high volume of traffic, consider to use Symantec Traffic Shaper. This network device allocates reduced bandwidth to MTAs that deliver spam. The load on your MTAs is reduced without introducing false positive risks. For more information about Symantec Traffic Shaper, contact your Symantec sales representative. See About Messaging Gateway for Service Providers deployment on page 24. About plan for disk space storage The system requirements for Messaging Gateway for Service Providers describe the minimum system requirements that you need for available disk space. However, you should also consider your organization's plans to use the Log. The way that you intend to use these features affects the amount of disk space that you need to reserve. See System requirements on page 40. About firewall configuration After you install Messaging Gateway for Service Providers, you must configure your firewall to allow port connections for specific servers within your corporate network. See Ports required for Messaging Gateway for Service Providers on page 35.

34 Planning for installation About firewall configuration 34 Configuring firewall port connections for a standard deployment model Figure 2-6 illustrates a corporate network based on the standard deployment model that most organizations use. In this model, the Symantec Messaging Gateway for Service Providers resides behind a single firewall. If you use this model, you must configure your firewall to allow port connections from your Gateway MTA server so that it can access other servers over the Internet, such as the Symantec Global Threat Center and the Symantec LiveUpdate. Please note that the text "SMF" in the Gateway MTA SMF Scanner portion of the figure should instead read "SMG-SP." Figure 2-6 Sample Standard Deployment Model Workstation Internal MTAs Gateway MTA SMF Scanner 4 Corporate Firewall Internet 5 LDAP Server Table 2-2 lists the port numbers that are required for the standard deployment model.

35 Planning for installation Ports required for Messaging Gateway for Service Providers 35 Table 2-2 Firewall Port Connection Requirements for Standard Deployment Model Connection Description Inbound connection from SMF scanner to internal MTAs to relay messages Outbound connection from internal workstation to SMF web interface Inbound connection from Internet from incoming messages to Gateway MTA Outbound connection from SMF scanner to Internet for rule downloads and updates Inbound connection to Internal LDAP server from SMF scanner for LDAP queries Ports Ports required for Messaging Gateway for Service Providers Table 2-3 list of the ports that are required for Messaging Gateway for Service Providers. Table 2-3 Default ports Purpose Application layer protocol Transport layer protocol Default port Access to name service DNS UDP (TCP) 53 Access to time service NTP UDP 123 Access to the computer SSH TCP 22

36 Planning for installation About using Messaging Gateway for Service Providers with other filtering products 36 Table 2-3 Default ports (continued) Purpose Application layer protocol Transport layer protocol Default port Outbound access to the Internet HTTP TCP 80 Outbound access to Conduit HTTPS TCP 443 Outbound access to LiveUpdate HTTP TCP 80 MTA to Scanner (bidirectional) not applicable TCP See About firewall configuration on page 33. About using Messaging Gateway for Service Providers with other filtering products Messaging Gateway for Service Providers evaluates headers as part of the filtering process. Its ability to accurately identify spam depends on access to messages in their original form. Although MTAs or the products that add X-headers do not significantly affect filtering, your effectiveness is greater if you use unaltered message headers. Avoid placing Messaging Gateway for Service Providers behind other filtering products such as content filtering or MTAs. They can alter or remove pre-existing message headers or modify the message body. Some smaller organizations do not have dedicated gateway servers or a gateway layer. Instead, they deploy gateway servers and internal mail servers on the same computers. The best practice to add antivirus protection to Messaging Gateway for Service Providers software is to deploy the antivirus filtering feature. See About filtering for viruses on page 199. If you use a third-party antivirus product that has its own MTA, you may need to make the following adjustments: Ensure that Windows SMTP or Sendmail listens on port 25 and relays to an alternate port, such as port 26. Deploy the third-party antivirus product on another computer as a separate hop in the architecture of your inbound mail flow.