Symantec Mail Security for SMTP. Administration Guide


The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

April 27, 2006

Copyright notice

Copyright Symantec Corporation. All rights reserved.

Symantec, the Symantec logo, Brightmail, LiveUpdate, SESA, and Norton AntiVirus are U.S. registered trademarks or registered trademarks of Symantec Corporation or its affiliates in other countries. Other names may be trademarks of their respective owners.

Symantec Mail Security for SMTP 5.0 is protected under U.S. Patent Nos. 6,052,709; 5,999,932; and 6,654,787.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software and commercial computer software documentation as defined in FAR Sections and DFARS Section

Symantec Corporation Stevens Creek Blvd. Cupertino, CA

Printed in the United States of America

Technical support

As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group's primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts.

Symantec technical support offerings include:

  A range of support options that give you the flexibility to select the right amount of service for any size organization
  Telephone and Web support components that provide rapid response and up-to-the-minute information
  Upgrade insurance that delivers automatic software upgrade protection
  Content Updates for virus definitions and security signatures that ensure the highest level of protection
  Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages for those customers enrolled in the Platinum Support Program
  Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support

Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using. To receive the latest product information by email, go to: and join our support bulletin mailing list.

Licensing and registration

If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at Alternatively, you may go to select the product that you wish to register, and from the Product Home Page, select the Licensing and Registration link.

Contacting Technical Support

Customers with a current support agreement may contact the Technical Support group via phone or online at enterprise/. Customers with Platinum support agreements may contact Platinum Technical Support via the Platinum Web site at platinum/.

When contacting the Technical Support group, please have the following:

  Product release level
  Hardware information
    Available memory, disk space, NIC information
  Operating system
    Version and patch level
  Network topology
    Router, gateway, and IP address information
  Problem description
    Error messages/log files
    Troubleshooting performed prior to contacting Symantec
    Recent software configuration changes and/or network changes

Customer Service

To contact Enterprise Customer Service online, go to select the appropriate Global Site for your country, then choose Service and Support.

Customer Service is available to assist with the following types of issues:

  Questions regarding product licensing or serialization
  Product registration updates such as address or name changes
  General product information (features, language availability, local dealers)
  Latest information on product updates and upgrades
  Information on upgrade insurance and maintenance contracts
  Information on Symantec Value License Program
  Advice on Symantec's technical support options
  Nontechnical presales questions
  Missing or defective CD-ROMs or manuals

Contents

Chapter 1 About Symantec Mail Security for SMTP
  Key features
  Functional overview
  Architecture
  Where to get more information

Chapter 2 Configuring system settings
  Configuring certificate settings
  Configuring host (Scanner) settings
  Working with the Services page
  HTTP proxies
  SMTP Scanner settings
  Advanced SMTP settings
  Configuring internal mail hosts
  Testing Scanners
  Configuring LDAP settings
  Replicating data to Scanners
  Starting and stopping replication
  Replication status information
  Troubleshooting replication
  Configuring Control Center settings
  Control Center administration
  Control Center certificate
  Configuring, enabling and scheduling Scanner replication
  SMTP host
  System locale

Chapter 3 Configuring settings
  Configuring address masquerading
  Importing masqueraded entries
  Configuring aliases
  Importing aliases
  Configuring local domains
  Importing local domains and addresses
  Understanding spam settings
  Configuring suspected spam
  Choosing language identification type
  Software acceleration
  Configuring spam settings
  Configuring virus settings
  Configuring LiveUpdate
  Excluding files from virus scanning
  Configuring general settings
  Configuring invalid recipient handling
  Configuring scanning settings
  Configuring container settings
  Configuring content filtering settings

Chapter 4 Configuring filtering
  About filtering
  Notes on filtering actions
  Multiple actions
  Multiple policies
  Security risks
  About precedence
  Creating groups and adding members
  Assigning filter policies to a group
  Selecting virus policies for a group
  Selecting spam policies for a group
  Selecting compliance policies for a group
  Enabling and disabling end user settings
  Allowing or blocking based on language
  Managing Group Policies
  Creating virus, spam, and compliance filter policies
  Creating virus policies
  Creating spam policies
  Creating compliance policies
  Managing Firewall policies
  Configuring attack recognition
  Configuring sender groups
  Configuring Sender Authentication
  Managing policy resources
  Annotating messages
  Archiving messages
  Configuring attachment lists
  Configuring dictionaries
  Adding and editing notifications

Chapter 5 Working with Spam Quarantine
  About Spam Quarantine
  Delivering messages to Spam Quarantine
  Working with messages in Spam Quarantine for administrators
  Accessing Spam Quarantine
  Checking for new Spam Quarantine messages
  Administrator message list page
  Administrator message details page
  Searching messages
  Configuring Spam Quarantine
  Delivering messages to Spam Quarantine from the Scanner
  Configuring Spam Quarantine port for incoming
  Configuring Spam Quarantine for administrator-only access
  Configuring the Delete Unresolved setting
  Configuring the login help
  Configuring recipients for misidentified messages
  Configuring the user and distribution list notification digests
  Configuring the Spam Quarantine Expunger
  Specifying Spam Quarantine message and size thresholds
  Troubleshooting Spam Quarantine

Chapter 6 Working with Suspect Virus Quarantine
  About Suspect Virus Quarantine
  Accessing Suspect Virus Quarantine
  Checking for new Suspect Virus Quarantine messages
  Suspect Virus Quarantine messages page
  Searching messages
  Configuring Suspect Virus Quarantine
  Configuring Suspect Virus Quarantine port for incoming
  Configuring the size for Suspect Virus Quarantine

Chapter 7 Testing Symantec Mail Security for SMTP
  Verifying normal delivery
  Verifying spam filtering
  Testing antivirus filtering
  Verifying filtering to the Spam Quarantine

Chapter 8 Configuring alerts and logs
  Configuring alerts
  Viewing logs
  Configuring logs

Chapter 9 Working with reports
  About reports
  Choosing a report
  About charts and tables
  Selecting report data to track
  Setting the retention period for report data
  Running reports
  Saving and editing Favorite Reports
  Running and deleting favorite reports
  Troubleshooting report generation
  No data available for the report type specified
  Sender HELO domain or IP connection shows gateway information
  Reports presented in local time of Control Center
  By default, data are saved for one week
  Processed message count recorded per message, not per recipient
  Recipient count equals message count
  Deferred or rejected messages are not counted as received
  Reports limited to 1,000 rows
  Printing, saving, and emailing reports
  Scheduling reports to be emailed

Chapter 10 Administering the system
  Getting status information
  Overview of system information
  Message status
  Host status
  LDAP synchronization
  Log details
  Scanner replication
  Version Information
  Managing Scanners
  Editing Scanners
  Enabling and disabling Scanners
  Deleting Scanners
  Administering the system through the Control Center
  Managing system administrators
  Managing software licenses
  Administering the Control Center
  Starting and stopping the Control Center
  Checking the Control Center error log
  Increasing the amount of information in BrightmailLog.log
  Starting and stopping UNIX and Windows services
  Starting and stopping Windows services
  Starting and stopping UNIX services
  Periodic system maintenance
  Backing up logs data
  Backing up the Spam and Virus Quarantine databases
  Maintaining adequate disk space

Appendix A Feature Cross-Reference
  New features for all users
  Changes for Symantec Mail Security for SMTP users
  New feature names
  Discontinued features
  Changes for Symantec Brightmail Antispam users
  About filtering and message handling options

Appendix B Spam foldering and the Symantec Outlook Spam Plug-in
  About foldering and the plug-in
  Installing the Symantec Outlook Spam Plug-in
  Usage scenarios
  End user experience
  Software requirements
  Configuring automatic spam foldering
  Configuring the Symantec Spam Folder Agent for Exchange
  Configuring the Symantec Spam Folder Agent for Domino
  Enabling automatic spam foldering
  Enabling language identification

Appendix C Integrating Symantec Mail Security with Symantec Security Information Manager
  About Symantec Security Information Manager
  Interpreting events in the Information Manager
  Configuring data sources
  Firewall events that are sent to the Information Manager
  Definition Update events that are sent to the Information Manager
  Message events that are sent to the Information Manager
  Administration events that are sent to the Information Manager

Appendix D Editing antivirus notification messages
  Modifying notification files
  Changing the notification file character set
  Editing messages in the notification file
  Notification file contents

Glossary

Index

Chapter 1 About Symantec Mail Security for SMTP

This chapter includes the following topics:

  Key features
  Functional overview
  Architecture
  Where to get more information

Key features

Symantec Mail Security for SMTP offers enterprises an easy-to-deploy, comprehensive gateway-based security solution through the following:

  Antispam technology: Symantec's state-of-the-art spam filters assess and classify email as it enters your site.
  Antivirus technology: Virus definitions and engines protect your users from email-borne viruses.
  Content Compliance: These features help administrators enforce corporate policies, reduce legal liability, and ensure compliance with regulatory requirements.
  Group policies and filter policies: An easy-to-use authoring tool lets administrators create powerful and flexible ad hoc filters for individuals and groups.

Functional overview

You can deploy Symantec Mail Security for SMTP in different configurations to best suit the size of your network and your processing needs. Each Symantec Mail Security for SMTP host can be deployed in the following ways:

Scanner
  Deployed as a Scanner, a Symantec Mail Security for SMTP host filters email. Your installation can have one or many Scanners. Symantec Mail Security for SMTP runs alongside your existing email or groupware server(s).

Control Center
  Deployed as a Control Center, a Symantec Mail Security for SMTP host is a Web-based configuration and administration center. Use it to configure and manage filtering, SMTP routing, system settings, and all other functions. Your enterprise-wide deployment of Symantec Mail Security for SMTP can have multiple Scanners but only one Control Center, from which you configure and monitor all the Scanner hosts.

  The Control Center provides status for all Symantec Mail Security for SMTP hosts in your system, system logs, and extensive customizable reporting. Use it to configure both system-wide and host-specific details.

  The Control Center provides the Setup Wizard, for initial configuration of all Symantec Mail Security for SMTP instances at your site, and also the Add Scanner Wizard, for adding new Scanners.

  It also hosts the Spam and Suspect Virus Quarantines, for storage of spam and virus messages respectively. End users can access the Control Center to view their quarantined spam messages and set their preferences for language filtering and blocked and allowed senders. Alternatively, you can configure the Spam Quarantine for administrator-only access.

Scanner and Control Center
  A single Symantec Mail Security for SMTP host performs both functions.

Note: Symantec Mail Security for SMTP provides neither mailbox access for end users nor message storage; it is not intended for use as the only MTA in your infrastructure.

Note: Symantec Mail Security for SMTP does not filter messages that don't flow through the SMTP gateway. For example, when two mailboxes reside on the same MS Exchange Server, or on different MS Exchange Servers within an Exchange organization, the messages will not pass through the Symantec Mail Security for SMTP filters.

Architecture

Symantec Mail Security for SMTP processes a mail message as follows. For the sake of discussion, our sample message passes through the Filtering Engine to the Transformation Engine without being rejected.

  The incoming connection arrives at the inbound MTA via TCP/IP.
  The inbound MTA accepts the connection and moves the message to its inbound queue.
  The Filtering Hub accepts a copy of the message for filtering.
  The Filtering Hub consults the LDAP SyncService directory to expand the message's distribution list.
  The Filtering Engine determines each recipient's filtering policies.
  The message is checked against Blocked/Allowed Senders Lists defined by administrators.
  Virus and configurable heuristic filters determine whether the message is infected.
  Content Compliance filters scan the message for restricted attachment types or keywords, as defined in configurable dictionaries.
  Spam filters compare message elements with current filters published by Symantec Security Response to determine whether the message is spam. At this point, the message may also be checked against end-user defined Language settings.
  The Transformation Engine performs actions per recipient based on filtering results and configurable Group Policies.

Where to get more information

In addition to this Administration Guide, your Symantec Mail Security for SMTP product comes with the following documentation:

  Symantec Mail Security for SMTP Installation Guide
  Symantec Mail Security for SMTP Planning Guide
  Symantec Mail Security for SMTP Getting Started

Symantec Mail Security also includes a comprehensive help system that contains conceptual and procedural information.

You can visit the Symantec Web site for more information about your product. The following online resources are available:

  techsupp/ent/enterprise.html
    Provides access to the technical support Knowledge Base, newsgroups, contact information, downloads, and mailing list subscriptions
  /licensing/els/help/en/help.html
    Provides information about registration, frequently asked questions, how to respond to error messages, and how to contact Symantec License Administration
  symantec.com
    Provides product news and updates
  avcenter/global/index.html
    Provides access to the Virus Encyclopedia, which contains information about all known threats; information about hoaxes; and access to white papers about threats

Chapter 2 Configuring system settings

System settings apply to the Control Center and to attached and enabled Scanners. This section explains the following:

  Configuring certificate settings
  Configuring host (Scanner) settings
  Testing Scanners
  Configuring LDAP settings
  Replicating data to Scanners
  Configuring Control Center settings

Configuring certificate settings

Manage your certificates using the Certificate Settings page. The two types of certificates are as follows:

MTA TLS certificate
  This is the TLS certificate used by the MTAs in each Scanner. Every Scanner has separate MTAs for inbound messages, outbound messages, and message delivery. Assign this certificate from the Inbound Mail Settings and Outbound Mail Settings portions of the SMTP tab on the Settings > Hosts page.

User interface HTTPS certificate
  This is the HTTPS certificate used by the Control Center for secure Web management. Assign this certificate from the Settings > Certificates page.

You can add certificates to the certificate list in the following two ways:

  Add a self-signed certificate by adding the certificate and filling out the requested information as presented to you at the time.
  Add a Certification Authority Signed certificate by submitting a certificate request to a Certification Authority. When you receive the certificate back from the Certification Authority, you then import the certificate into the Control Center.

Manage certificates

Follow these steps to add either self-signed or Certification Authority Signed certificates and to assign certificates.

To add a self-signed certificate to the list
1 In the Control Center, click Settings > Certificates.
2 Click Add.
3 In the Certificate type drop-down list, choose Self-Signed Certificate.
4 Complete the information on the Add Certificate page.
5 Click Create.

To add a Certification Authority Signed certificate to the list
1 In the Control Center, click Settings > Certificates.
2 Click Add.
3 In the Certificate type drop-down list, choose Certificate Authority Signed.
4 Fill in the information on the Add Certificate page.
5 Click Request. A new page is displayed, showing the certificate information in a block of text, designed for use by the Certification Authority.
6 Copy the block of text that appears and submit it to the Certification Authority. Each Certification Authority has its own set of procedures for granting certificates. Consult your Certificate Authority for details.
7 When you receive the certificate file from the Certification Authority, place the file in an easily accessed location on the computer from which you are connecting to the Control Center.
8 On the Certificate Settings page, click Import.
9 On the Import Certificate page, type the full path and filename or click Browse and choose the file.
10 Click Import.

To view or delete a certificate
1 In the Control Center, click Settings > Certificates.
2 Check the box next to the certificate to be viewed or deleted.
3 Click View to read the certificate.
4 Click Delete to remove the certificate.

To assign an MTA TLS certificate
1 In the Control Center, click Settings > Hosts.
2 Select a host and click Edit.
3 Click the SMTP tab.
4 Check Accept TLS encryption as appropriate.
5 Choose the TLS certificate from the Certificate drop-down list for the inbound or outbound MTA.
6 Click Save.

To assign a user interface HTTPS certificate
1 In the Control Center, click Settings > Control Center.
2 Select a certificate from the User interface HTTPS certificate drop-down list.
3 Click Save.

Configuring host (Scanner) settings

The following sections describe changes that can be made to individual hosts. Information is available on these topics:

  Working with the Services page
  HTTP proxies
  SMTP Scanner settings

Working with the Services page

You can stop or start the following services on a Scanner.

  Conduit
  LiveUpdate
  Filter Engine
  MTA

Note: If you stop the filter-hub or the MTA service and wish to continue receiving alerts, specify an operating MTA IP address in the settings for the Control Center.

In addition, you can configure individual Scanner replication and MTA settings that can help you take a Scanner offline on this page.

Work with the services page

Use the following procedures from the Services page to manage individual Scanner services, replication, and stop the flow of messages through a Scanner.

To start and stop services
1 In the Control Center, click Settings > Hosts.
2 Check the Scanner to edit.
3 Click Edit.
4 Select the services to be started or stopped.
5 Click Stop to stop a running service or Start to start a stopped service.

To enable or disable Scanner replication for a host
1 In the Control Center, click Settings > Hosts.
2 Check the Scanner to edit.
3 Click Edit.
4 Using the Scanner Replication portion of the page, check Enable Scanner Replication for this host to enable Scanner replication. (Replication is enabled by default.)
5 Using the Scanner Replication portion of the page, uncheck Enable Scanner Replication for this host to disable Scanner replication. The Control Center will not update the directory for this Scanner when the box is not checked.
6 Click Save to store your changes.

To take a Scanner out of service
1 In the Control Center, click Settings > Hosts.
2 Check the Scanner to edit.
3 Click Edit.
4 On the MTA Operation portion of the page, check Do not accept incoming messages. All messages in Scanner queues are processed as needed, but no new messages will be received.
5 Click Save to store your changes.

HTTP proxies

The Conduit and Symantec LiveUpdate run on each Scanner, and receive filter updates from Symantec. If you need to add proxy and/or other security settings to your server definition, use the steps below.

To change or add proxy information
1 In the Control Center, click Settings > Hosts.
2 Check the Scanner to edit.
3 Click Edit.
4 Click the Proxy tab.
5 Check Use proxy server.
6 Specify the proxy host name and port on this panel. In addition to this information, you can include a user name and password as needed.
7 Click Save to store your information.

SMTP Scanner settings

A full complement of SMTP settings has been provided to help you define internal and external SMTP configurations for Scanners. Inbound SMTP settings determine how the inbound MTA processes inbound messages. Outbound SMTP settings determine how the outbound MTA processes outbound messages. If you set up inbound or outbound SMTP filtering rather than using Content Compliance filters, you can save resources because messages that do not meet the SMTP criteria will be rejected before content filtering begins.

To modify SMTP settings for a Scanner
1 In the Control Center, click Settings > Hosts.
2 Check the Scanner to edit.
3 Click Edit.
4 Click SMTP.
5 As appropriate, complete the SMTP definition for the scanner. The following parameters are included:

Scanner Role
  Determines if the Scanner is used for Inbound mail filtering only, Outbound mail filtering only, or Inbound and outbound mail filtering.

Inbound Mail Settings*
  Provides settings for inbound messages. In this area, you can provide the following information:

  Inbound mail IP address: Location at which inbound messages will be received.
  Inbound mail SMTP port: Port on which inbound mail is received, typically port 25.
  Accept TLS encryption: Indicates if TLS encryption is accepted. Check the box to accept encryption. You must have a certificate defined for MTA TLS certificate in Settings > Certificates to accept TLS encryption.
  Certificate: Specifies an available certificate for TLS encryption.
  Accept inbound mail connections from all IP addresses: Indicates that all connections for inbound messages are accepted when checked. This is the default.
  Accept inbound mail connections from only the following IP addresses and domains: Indicates that only the addresses or domain names entered in the checked IP Address/Domains box are accepted. If you specify one or more IP addresses, you must include the IP address of the Control Center so that Spam Quarantine and Suspect Virus Quarantine can release messages. After you add the first entry, the IP address of the Control Center is added automatically and selected. If you are using a different IP address for the Control Center, or have the Control Center and Scanner installed on different machines, you must add the new IP address and disable the one that was added automatically.

  Warning: If you are deploying this Scanner behind a gateway, and are specifying one or more IP addresses instead of All IP addresses, you must add the IP addresses of ALL upstream mail servers in use by your organization. Upstream mail servers that are not specified here may be classified as spam sources.

  Relay local domain mail to: Gives the location where inbound mail is sent after being received on the inbound port.

Outbound Mail settings*
  Provides settings for outbound mail characteristics. In this area, you can provide the following information:

  Outbound mail IP address: Specifies the IP address on which outbound messages are sent.
  Outbound mail SMTP port: Specifies the port on which outbound mail is sent, typically port 25.
  Accept TLS encryption: Indicates if TLS encryption is accepted. Check the box to accept encrypted information. You must have a certificate defined for MTA TLS certificate in Settings > Certificates to accept TLS encryption.
  Certificate: Specifies an available certificate for TLS encryption.
  Accept outbound mail connections from the following IP addresses and domains: Indicates that only the addresses entered in the checked IP Address/Domains box are accepted. If you specify one or more IP addresses, you must include the IP address of the Control Center so that Spam Quarantine and Suspect Virus Quarantine can release messages. After you add the first entry, the IP address of the Control Center is added automatically and selected. If you are using a different IP address for the Control Center, or have the Control Center and Scanner installed on different machines, you must add the new IP address and disable the one that was added automatically.

Relay non-local mail to:
  Specifies how outbound SMTP message relaying is routed. By default, MX Lookup is used.

Apply above settings to all hosts
  Indicates that when saved, all settings on this page are applied immediately to all hosts.

Advanced Settings
  Provides for inbound, outbound and delivery advanced settings. See "Advanced SMTP settings" for details.

(*) Classless InterDomain Routing (CIDR) is supported for inbound and outbound mail connection IP addresses.

6 Click Save to store your changes.
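The allow-list requirements above (Control Center address present, every upstream mail server present, the automatically added Control Center entry disabled after a move) can be checked before saving with a short script. This is an added example, not part of the Symantec guide or product: the function names, the one-entry-per-string input format, and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress


def parse_allow_list(entries):
    """Split allow-list entries into IP networks (single IPs or CIDR) and domain names."""
    networks, domains = [], []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=False tolerates host bits in a CIDR entry such as 192.0.2.10/24
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            # Not an IP or CIDR block, so treat it as a domain name (not resolved here)
            domains.append(entry.lower())
    return networks, domains


def _covered(ip, networks):
    """True if the address falls inside at least one allow-listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def audit_allow_list(entries, control_center_ip, upstream_servers):
    """Compare an allow-list with the hosts that must be able to connect.

    control_center_covered: the quarantines can release messages through this Scanner
    missing_upstream:       upstream servers absent from the list
    stale_host_entries:     single-address entries matching no known host, for example
                            an automatically added Control Center IP that has changed
    unverified_domains:     domain entries, which this offline check cannot resolve
    """
    networks, domains = parse_allow_list(entries)
    known = [ipaddress.ip_address(ip) for ip in [control_center_ip, *upstream_servers]]
    stale = [
        str(net)
        for net in networks
        if net.num_addresses == 1 and not any(addr in net for addr in known)
    ]
    return {
        "control_center_covered": _covered(control_center_ip, networks),
        "missing_upstream": [ip for ip in upstream_servers if not _covered(ip, networks)],
        "stale_host_entries": stale,
        "unverified_domains": domains,
    }


# Constructed sample data using documentation address ranges (RFC 5737).
SAMPLE_ALLOW_LIST = [
    "192.0.2.10",        # old Control Center address, added automatically
    "198.51.100.0/24",   # upstream gateway subnet (CIDR entry)
    "203.0.113.7",       # decommissioned relay
    "mail.example.com",  # domain entry
]
SAMPLE_CONTROL_CENTER = "192.0.2.20"                # Control Center moved to a new IP
SAMPLE_UPSTREAM = ["198.51.100.25", "203.0.113.8"]  # upstream mail servers in use

if __name__ == "__main__":
    report = audit_allow_list(SAMPLE_ALLOW_LIST, SAMPLE_CONTROL_CENTER, SAMPLE_UPSTREAM)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Domain entries are reported separately because resolving them requires DNS; confirm them by hand against the hosts they are meant to cover.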

Advanced SMTP settings

Use the MTA Configuration portion of the page to specify the MTA host name. The MTA Host Name lets you define the Hello banner sent during the initial portion of the SMTP conversation.

Use the following advanced inbound SMTP settings to further define your SMTP configuration:

Table 2-1 Inbound SMTP advanced setting descriptions

Item: Description
Maximum number of connections: Sets the maximum number of simultaneous inbound connections allowed. Additional attempted connections are rejected. The default is 2,000 connections.
Maximum number of connections from a single IP address: Sets the maximum number of simultaneous inbound connections allowed from a single IP address. Additional connections for the same IP address will be rejected. The default is 20. You can also limit the number of connections from a single IP address per time period. Click Policies > Attacks in the Control Center.
Maximum message size in bytes: Sets the maximum size of a message before it is rejected. The default is 10,485,760 bytes.
Maximum number of recipients per message: Sets the maximum number of recipients for a message. The default is 1,024 recipients.
Insert RECEIVED header to inbound messages: Places a RECEIVED header in the message during inbound SMTP processing.
Enable reverse DNS lookup: When checked, causes the system to perform reverse DNS lookup on the SMTP client IP addresses to resolve the IP address to a name. This is the default condition. When unchecked, reverse DNS lookup is not performed for inbound messages.

Use the following advanced outbound SMTP settings to further define your SMTP configuration:

Table 2-2 Outbound SMTP advanced setting descriptions

Item: Description
Maximum number of connections: Sets the maximum number of permissible simultaneous outbound connections. Additional attempted connections are rejected. The default is 2,000 connections.
Maximum message size in bytes: Sets the maximum size allowable for a message before it is rejected. The default is 10,485,760 bytes.
Maximum number of recipients per message: Indicates the maximum number of recipients permitted to receive this message. The default is 1,024 recipients.
Default domain for sender addresses with no domain: Sets a default domain when none can be found in the message.
Insert RECEIVED header: When checked, places a RECEIVED header in the message during outbound SMTP processing. When unchecked, no RECEIVED header is inserted during outbound SMTP processing. If Insert RECEIVED header and Strip RECEIVED headers are both checked, the outbound SMTP RECEIVED header remains when the message goes to the delivery queue.
Strip pre-existing RECEIVED headers from outbound messages: When checked, removes all RECEIVED headers for the message. When headers are stripped, message looping can occur depending on the settings of other MTAs. When unchecked, RECEIVED headers remain in the message during outbound processing. The RECEIVED header for outbound SMTP processing remains in the message when Insert a RECEIVED header and Strip pre-existing RECEIVED headers from outbound messages are checked.
Enable reverse DNS lookup: When checked, causes the system to perform reverse DNS lookup on the SMTP client IP addresses to resolve the IP address to a name. This is the default condition. When unchecked, reverse DNS lookup is not allowed for outbound messages.

Settings also exist governing SMTP delivery configuration for your site. Delivery configuration message settings are as follows:

Table 2-3 SMTP delivery advanced setting descriptions

Item: Description
Maximum number of external connections: Sets the maximum number of simultaneously allowed external connections. Additional attempted connections are rejected. The default is 100 connections.
Maximum number of external connections to a single IP address: Sets the maximum number of simultaneous connections allowed to a single IP address. Additional connections to this IP address are rejected. The default is 50 connections. You can also limit the number of connections to a single IP address per time period.
Maximum number of connections to all internal mail servers: Sets the maximum number of connections allowed to all defined internal mail servers. Any additional connection attempts are rejected. The default is 100 internal mail server connections.
Maximum number of connections per single internal mail server: Sets the maximum number of connections to one internal mail server. Any additional attempt to make a connection is rejected. The default is 50 connections.
Minimum retry interval: Sets the smallest interval the SMTP server waits before trying to deliver a message again. The default is 15 minutes.
Sent message timeout: Sets the time after which an undelivered message times out and is rejected from the queue. The default is 5 days.
Message delay time in queue before notification: Sets the time a message waits in the mail queue before notification of nondelivery is sent. The default is 4 hours.
Enable TLS encryption: Allows TLS encryption when checked. If unchecked, TLS encryption is not performed. By default, TLS encryption is not enabled.

To set up the SMTP Advanced Configuration
1 From the Control Center, click Settings > Hosts.
2 Select a Scanner from the displayed list.
3 Click Edit.
4 Click the SMTP tab. On this page, you will see some general-purpose settings described in SMTP Scanner settings.
5 Click Advanced Settings. On this page you will see some advanced Scanner configuration SMTP settings. These settings are fully described in Advanced SMTP settings.
6 As appropriate, modify the settings explained above.
7 Click Save to store your information. You are returned to the main SMTP configuration page.
8 Click Save.
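The interaction between Insert RECEIVED header and Strip pre-existing RECEIVED headers from outbound messages in Table 2-2, and the looping caveat attached to stripping, modelled as an added example (not Symantec code). The sample message, host names, function names and the other MTA's 25-hop limit are assumptions constructed for illustration.

```python
from email import message_from_string

# Constructed sample: an outbound message that already carries two
# RECEIVED headers from internal hops (all host names are made up).
SAMPLE = (
    "Received: from app01.internal.example by relay.internal.example; "
    "Mon, 01 May 2006 10:00:02 -0700\n"
    "Received: from desktop7.internal.example by app01.internal.example; "
    "Mon, 01 May 2006 10:00:01 -0700\n"
    "From: alice@example.com\n"
    "To: bob@example.org\n"
    "Subject: test\n"
    "\n"
    "body\n"
)
SCANNER_HOP = "from relay.internal.example by scanner.example.com"
OTHER_HOP = "from scanner.example.com by mta.partner.example"
MAX_HOPS = 25  # assumed hop-count loop-detection limit on the other MTA


def hop_count(raw):
    """Number of RECEIVED trace headers in a raw message."""
    return len(message_from_string(raw).get_all("Received", []))


def outbound_pass(raw, insert, strip):
    """Model one outbound pass: strip pre-existing headers, then insert ours."""
    msg = message_from_string(raw)
    if strip:
        del msg["Received"]  # deletes every occurrence of the header
    text = msg.as_string()
    if insert:
        # Trace headers are prepended, newest first.
        text = "Received: " + SCANNER_HOP + "\n" + text
    return text


def passes_until_loop_detected(raw, strip, limit=200):
    """Bounce a message between the Scanner and a misrouting MTA.

    Returns the pass on which the other MTA's hop-count check fires,
    or None if it never fires within `limit` passes.
    """
    text = raw
    for n in range(1, limit + 1):
        text = outbound_pass(text, insert=True, strip=strip)
        # The other MTA adds its own trace header, then counts hops.
        text = "Received: " + OTHER_HOP + "\n" + text
        if hop_count(text) > MAX_HOPS:
            return n
    return None


if __name__ == "__main__":
    for insert, strip in [(True, False), (True, True), (False, True)]:
        hops = hop_count(outbound_pass(SAMPLE, insert, strip))
        print(f"insert={insert} strip={strip}: {hops} RECEIVED header(s)")
    print("loop detected, strip off:", passes_until_loop_detected(SAMPLE, False))
    print("loop detected, strip on: ", passes_until_loop_detected(SAMPLE, True))
```

With stripping on, the hop count seen by the other MTA never grows, so a hop-count check alone cannot break the loop; routing must be verified before the option is enabled.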

Configuring internal mail hosts

You can add or delete internal mail hosts at your site.

Configure internal mail hosts

Follow these procedures to add or delete internal mail hosts.

To add an internal mail host
1 From the Control Center, click Settings > Hosts.
2 Check the Scanner you want to configure.
3 Click Edit.
4 Click the Internal Mail Hosts tab.
5 Specify the IP address for an internal mail host.
6 Click Add.
7 Click Save to store the information.

To delete an internal mail host
1 From the Control Center, click Settings > Hosts.
2 Check the Scanner you want to configure.
3 Click Edit.
4 Click the Internal Mail Hosts tab.
5 Select an internal mail host.
6 Click Delete.
7 Click Save to store the information.

Testing Scanners

After adding or editing a Scanner, you can quickly test that the Scanner is operating and that the Agent is able to make a connection. The Agent is a component that facilitates communicating configuration information between the Control Center and each Scanner.

To test a Scanner
1 In the Control Center, click Status > Host Details.
2 If only one Scanner is attached to your system, you can see a snapshot of how it is currently functioning.
3 If more than one Scanner is attached, select the Scanner you want to test from the drop-down list. You will see a snapshot of its current status.

Configuring LDAP settings

The Control Center can optionally use directory information from LDAP servers at your site for one or both of the following purposes:
- Authentication: LDAP user and password data is used for Quarantine access authentication and resolving aliases for quarantined messages. The Control Center reads user and password data directly from the LDAP server.
- Synchronization: LDAP user and group data is used for group policies, directory harvest attack recognition, distribution list expansion and dropping messages for invalid recipients. User and group data is read from the LDAP server and cached in the Control Center and Scanners, but not written back to the LDAP server.

Symantec Mail Security for SMTP supports the following LDAP directory types:
- Windows 2000 Active Directory
- Windows 2003 Active Directory
- Sun Directory Server 5.2 (formerly known as the iPlanet Directory Server)
- Exchange 5.5
- Lotus Domino LDAP Server 6.5

Note: If you are using version 5.2 of the SunOne LDAP server, you must update to patch 4 to address some changelog issues that arose in patch 3.

Configure LDAP settings

Follow these procedures to configure LDAP settings.

To add an LDAP server
1 In the Control Center, click Settings > LDAP.
2 Click Add.
3 Complete the necessary fields presented for defining a new LDAP Server. The values you complete will depend on your choice in the Usage drop-down list.
4 Click Save.

Note: When adding an LDAP server that performs synchronization, you can replicate data from the Control Center to attached and enabled Scanners with the Replicate now button. Begin this replication only after initial synchronization has completed successfully as shown on the Status > LDAP Synchronization page, and the number of rejected entries is 0 or stays constant after successive synchronization changes. If synchronization has not completed successfully, error messages will be shown on the Status > LDAP Synchronization page. Alternatively, you can wait until the next scheduled replication occurs, at which time all Scanners will be fully updated by the LDAP synchronization server.

Note: If you see the error Failed to create user mappings for source during server creation, and you have recently changed DNS servers, restart your LDAP synchronization components. Windows users use the Services control panel to first stop SMS Virtual Directory, then start SMS Sync Server. Dependencies are automatically restarted. Alternatively, the host can be rebooted. Linux/Solaris users issue the following command:

/etc/init.d/sms_ldapsync restart

Then, follow the above steps again.

The following table describes the available settings for LDAP authentication and synchronization services when an LDAP server is being added to the Control Center.

Table 2-4 LDAP Server Parameters when adding a server

Item: Description
Description: Text describing the LDAP server being defined. Permissible characters are any alphanumeric character (0-9, a-z, and A-Z), a space ( ), hyphen (-), or underline (_) character. Any other symbol will cause the definition to fail.
Host: Host name or IP address.
Port: TCP/IP port for the server. The default port is 389.
Directory Type: Specifies the type of directory used by the LDAP server. Available choices are:
- Active Directory
- iPlanet/Sun ONE/Java Directory Server
- Exchange 5.5
- Domino
Usage: Describes how this LDAP server will be used. Available usage modes are:
- Authentication
- Synchronization
- Authentication and Synchronization
You can have only one authentication server defined in the Control Center.
Administrator Credentials: Specifies login and usage information for the LDAP server as follows:
- Anonymous bind: Allows you to log in to an LDAP server without providing specific user ID and password information. Before using anonymous bind, configure your LDAP server to grant anonymous access to the changelog and base DN. For the Domino Directory Type using anonymous bind, group and dlist data are not retrieved.
- Name (bind DN): Login name allowing you to access the LDAP server. When entering the Name (bind DN) for an Exchange 5.5 server, be sure to use the full DN such as cn=administrator,cn=recipients,ou=mysite,o=myorg rather than a shortened form such as cn=administrator to ensure detection of all change events and guarantee full authentication by the LDAP server. For an Active Directory server, the full DN or logon name with User Principal Name suffix can be required.
- Password: Password information that allows you to access the LDAP server.
- Test Login: Verifies the anonymous bind connection or the user ID and password given for accessing the LDAP server.
Windows Domain Names (Active Directory only): Windows domain names you see in the Log on to drop-down list when logging onto a Windows host. Use commas or semicolons to separate multiple domain names.
Primary domain (Domino only): Internet domain to which mail is delivered.
Domain aliases (Domino only): Internet domain names that resolve to the primary domain. For example, you could assign company.net to be an alias for company.com. Use commas to separate multiple names.
Authentication Query Details: Contains the following options:
- Autofill: Places default values in the field for you to modify as needed.
- Query start (Auth base DN): Designates the point in the directory from which to start searching for entries to authenticate. If an entry contains an ampersand, delimit the ampersand as follows:
  OU=Sales \& Marketing,OU=test,DC=domain,DC=com & OU=test1,DC=domain,DC=com
- Login attribute: Specifies the attribute that identifies a directory entry representing a person.
- Primary attribute: Finds users based on the attribute which represents a mailbox.
- alias attribute: Finds users based on the attribute representing an alternative address for an entity's mailbox.
- Login query: Finds users based on their Login attributes.
- Test: Attempts to execute the query as defined.
Note: For Exchange 5.5, the user directory Name (rdn) must be the same as the alias (uid) for that user.
Synchronization Configuration: Allows for the following definitions governing synchronization behavior:
- Synchronize every: Specifies how often scheduled synchronization occurs. You can specify a number of minutes, hours, or days. The default is 1 day.
- Audit level: Verbosity setting for LDAP audit logs. Choices of Off, Low, and Verbose are available. The default is Off.
- Page size: Number of discrete changes that are accepted together for synchronization. Use a number between 1 and 2,000. The default is 25. If you are using the iPlanet/SunONE directory server, change Page size to 0 for optimal performance.
This section is grayed out if Usage type is Authentication.
Synchronization Query Details: Specifies queries to use for synchronization. Available choices are:
- Autofill: Places default values in the field for you to modify as needed.
- Query start (Sync base DN): Designates the point in the directory from which to start searching for entries with addresses/aliases or groups. To use this field, begin by clicking Auto Fill for the naming contexts of the directory. Reduce the list of DNs that Auto Fill brings into the field to a single DN, or write your own DN based on the provided list.
- Custom query start: Allows for the addition of a customized query.
- User query: Finds users in the LDAP server.
- Group query: Finds LDAP groups in the LDAP server.
- Distribution list query: Finds Distribution Lists in the LDAP Server.
Buttons labelled Test allow you to test each synchronization query type.

Note: If you need to change Host, Port, base DN, ldap Group filter, User filter, or Distribution List filter after saving an LDAP synchronization source, you must delete the source, add the source including all attributes to be filtered, and perform a full synchronization.

To edit an LDAP server
1 In the Control Center, click Settings > LDAP.
2 Choose an LDAP server definition by checking the box next to it.
3 Click Edit.
4 Make changes as appropriate.
5 Click Save.

Not all parameters are available for editing in an LDAP definition. Only the following can be changed after an LDAP server has been defined:

Table 2-5 LDAP Server Parameters when editing a server

Item: Description
Administrator Credentials: Specifies login and usage information for the LDAP server as follows:
- Anonymous bind: Allows you to log in to an LDAP server without providing specific user ID and password information. Before using anonymous bind, configure your LDAP server to grant anonymous access to the changelog and base DN. For the Domino Directory Type using anonymous bind, group and dlist data are not retrieved.
- Name (bind DN): Login name allowing you to access the LDAP server. When entering the Name (bind DN) for an Exchange 5.5 server, be sure to use the full DN such as cn=administrator,cn=recipients,ou=mysite,o=myorg rather than a shortened form such as cn=administrator to ensure detection of all change events and guarantee full authentication by the LDAP server. For an Active Directory server, the full DN or logon name with User Principal Name suffix can be required.
- Password: Password information that allows you to access the LDAP server.
- Test Login: Verifies the anonymous bind connection or the user ID and password given for accessing the LDAP server.
Windows Domain Names (Active Directory only): Windows domain names you see in the Log on to drop-down list when logging onto a Windows host. Use commas or semicolons to separate multiple domain names.
Primary domain (Domino only): Internet domain to which mail is delivered.
Domain aliases (Domino only): Internet domain names that resolve to the primary domain. For example, you could assign company.net to be an alias for company.com. Use commas to separate multiple names.
Authentication Query Details: Contains the following options:
- Autofill: Places default values in the field for you to modify as needed.
- Query start (Auth base DN): Designates the point in the directory from which to start searching for entries to authenticate.
- Login attribute: Specifies the attribute that identifies a directory entry representing a person.
- Primary attribute: Finds users based on the attribute which represents a mailbox.
- alias attribute: Finds users based on the attribute representing an alternative address for an entity's mailbox.
- Login query: Finds users based on their Login attributes.
- Test: Attempts to execute the query as defined.
Synchronization Configuration: Allows for the following definitions governing synchronization behavior:
- Synchronize every: Specifies how often scheduled synchronization occurs. You can specify a number of minutes, hours, or days. The default is 1 day.
- Audit level: Verbosity setting for LDAP audit logs. Choices of Off, Low, and Verbose are available. The default is Off.
- Page size: Number of discrete changes that are accepted together for synchronization. Use a number between 1 and 2,000. The default is 25. If you are using the iPlanet/SunONE directory server, change Page size to 0 for optimal performance.
This section is grayed out if Usage type is Authentication.

Editing an LDAP server definition can cause a full synchronization to be initiated. This can have serious performance impact on your system until the synchronization completes.

To initiate an LDAP synchronization
1 Click Status > LDAP Synchronization.
2 If you wish to synchronize fewer than 1,000 changes of LDAP data, click Synchronize Changes.
3 If you wish to synchronize 1,000 changes of LDAP data or more, click Full Synchronization.