SifoML Security Gateway Administrator's Guide 1.01 OD4000UME



IMPORTANT NOTICE

No portion of O2Micro specifications/datasheets or any of its subparts may be reproduced in any form, or by any means, without prior written permission from O2Micro. O2Micro and its subsidiaries reserve the right to make changes to their datasheets and/or products or to discontinue any product or service without notice, and advise customers to obtain the latest version of relevant information to verify, before placing orders, that information being relied on is current and complete. All products are sold subject to the terms and conditions of sale supplied at the time of order acknowledgement, including those pertaining to warranty, patent infringement, and limitation of liability.

O2Micro warrants performance of its products to the specifications applicable at the time of sale in accordance with O2Micro's standard warranty. Testing and other quality control techniques are utilized to the extent O2Micro deems necessary to support this warranty. Specific testing of all parameters of each device is not necessarily performed, except those mandated by government requirements.

Customer acknowledges that O2Micro products are not designed, manufactured or intended for incorporation into any systems or products intended for use in connection with life support or other hazardous activities or environments in which the failure of the O2Micro products could lead to death, bodily injury, or property or environmental damage ("High Risk Activities"). O2Micro hereby disclaims all warranties, and O2Micro will have no liability to Customer or any third party, relating to the use of O2Micro products in connection with any High Risk Activities.

Any support, assistance, recommendation or information (collectively, "Support") that O2Micro may provide to you (including, without limitation, regarding the design, development or debugging of your circuit board or other application) is provided "AS IS." O2Micro does not make, and hereby disclaims, any warranties regarding any such Support, including, without limitation, any warranties of merchantability or fitness for a particular purpose, and any warranty that such Support will be accurate or error free or that your circuit board or other application will be operational or functional. O2Micro will have no liability to you under any legal theory in connection with your use of or reliance on such Support.

COPYRIGHT 2007, O2Micro International Limited

Table of Contents

1. Introduction to SifoML
  SESG Components
  SESG Deployment Method - Relay Mode
  SESG Deployment Method - Transparent Mode
  SESG Inbound and Outbound Anti-Spam
  SESG Load Balancing Architecture
Getting Started
  Logging into the system
  Home Page
Configuring SifoML
  Network & Time
  SMTP Service
  Authentication
  Load Balancing
  Web Admin
  Event Log
  Storage
  Import/Export
  Update
  Proxy Server
  Tools
Mail Protection
  How SESG Compare Input Strings
  Anti-DoS
  Anti-Relay
  Anti-Spam (Inbound)
  Anti-Spam (Outbound)
  Anti-Virus
Mail Control
  Mail Forwarding (Sender / Recipient Forwarding)
  Mail Routing
  Mail Alias
  Archive

6. Mail Policy Compliance
  Inbound/Outbound Mail Policy Condition
  Schedule for Delayed Mails
  Domain Keys
  Mail Signature
  Application Examples for Setting up Mail Policies
Event Logs
  Monitor Logs
  Search Logs
Appendix A - Wizards
Appendix B Shutting Down
Appendix C Recovery Procedure

Chapter 1 Introduction to SifoML

SifoML Security Gateway (SESG) is a high-performance spam filter and mail manager. SESG's built-in filtering engine is capable of handling a high volume of SMTP connections without compromising its filtering performance.

1.1 SESG Components

Currently, most mail gateway products on the market provide only mail filtering capabilities without a full-featured mail management system. SifoML believes a complete security gateway product must provide not only a highly effective mechanism to protect a company's mail traffic but also a rich set of mail management functions such as backup, searching, reporting, etc.

Each installation of SESG consists of two components: a mail gateway and a mail reporter. The mail gateway component is responsible for handling all incoming SMTP connections, scanning messages for spam and viruses, and forwarding legitimate messages to a mail server. The mail reporter component is responsible for storing mail messages in categories according to whether they are legitimate mails, spam mails, virus mails, etc., and for providing users with a specialized search engine to generate reports. SESG's structural diagram is as follows:

[Fig. 1.1: SESG structural diagram. Labels: Administration, Content Management, Reporting, SifoML Search Engine, Relay Control, Anti-Spam, Anti-Virus, Archive, Quarantine, Virus, SMTP, POP3, SifoML Database, SifoOS, Mail Gateway, Mail Reporter]

Many current market products provide only the function-set shown on the left part of the diagram. The function-set shown on the right, such as reporting, usually comes as a separate product. SESG consists of both a mail gateway and a mail reporter and thus provides users with a complete security gateway solution.

1.2 SESG Deployment Method - Relay Mode

The mail filtering aspect of SESG can be deployed in two modes: relay or transparent. In the relay mode, the user is required to update the firewall and DNS settings in order to direct all incoming SMTP traffic to SESG for filtering. After the mail client has established an SMTP connection with SESG, the SMTP transaction inspection is initiated. If this inspection fails, SESG can reject the mail (and further mails) from the originator site, thus preventing the mails from hogging the cable bandwidth. If the inspection passes, SESG accepts the mail and scans the mail and its content for viruses and violations of mail policies. Valid mails are delivered to the back-end mail relay host, and all spam mails, virus mails, or mails which violate the company's mail policies are quarantined and stored in the Mail Reporter for further control and management actions by the administrator.

Real-time Delivery and Queued Delivery

In relay mode, you can assign a standalone mail server on your network as the default relay host, to which SESG forwards the sender's mail messages in real time. As SESG will not acknowledge the sender until it delivers the mail to the relay host successfully, the sender will know immediately whether or not its mail has reached the recipient. Note that SESG will not keep mail messages on its machine.

You can also assign SESG's internal MTA as the default relay host. In this case, SESG forwards the sender's messages to its internal MTA, which sends an acknowledgement to the sender independently of the mail server. Once the mail has completely arrived and been scanned, the MTA will deliver it to the mail server.

1.3 SESG Deployment Method - Transparent Mode

SESG also supports the transparent scanning mode. By connecting SESG's port1 to the network and port2 to the mail server, all arriving mail messages are intercepted at port1 for scanning and then forwarded to port2 for the mail server, or filed away under quarantine if they fail the scan. The sender's IP address and SMTP connections remain the same as if communicating directly with the mail server. The DNS or firewall settings do not change with the installation of SESG. Please refer to section with regards to configuration settings for networks in transparent mode.

1.4 SESG Inbound and Outbound Anti-Spam

Most anti-spam products currently on the market support scanning of inbound mails or outbound mails, but not both. SESG scans both inbound and outbound mails simultaneously, whether in the relay or transparent mode. In the relay mode, simply enable the option for outgoing mail scanning and specify the name of the mail server which wants to send out the mails. In the transparent mode, by default, the system will scan all outgoing mails originating from port

SESG Load Balancing Architecture

Because each SESG host consists of a mail gateway and a mail reporter component, you can deploy multiple SESG hosts in a networked environment to enable load balancing and fault tolerance.

Deployment 1: A typical deployment of SESG is on a single host running both the mail gateway and reporter components. In a larger setup, two hosts may be deployed, with the two components running on separate hosts. The following diagram illustrates this deployment. SESG-1 is deployed as the dedicated mail gateway, handling all SMTP connections, scanning, and finally forwarding categorized mails to SESG-2, which is deployed as the dedicated mail reporter for user query.

[Fig. 1.2: Deployment 1. Flows: inbound mail flow 1, backup mail flow. DNS records shown: example.com MX preference = 10, mail exchanger = sesg1.example.com, with an internet address record for sesg1.example.com. Other labels: Internet, Router, DNS, Map public to private, Firewall, SESG, SESG, mail.example.com, Port, Backup mails to reporter]

Deployment 2: This deployment is based on Deployment 1, but SESG-2 now also runs the mail gateway component so as to enable load balancing and fault tolerance. Incoming mail traffic can be routed to either SESG-1 or SESG-2 through a Server Load Balancer or settings in DNS MX records. Both mail gateway components (on SESG-1 and SESG-2) in turn forward the scanned messages to the mail reporter component on SESG-2 for storage and user query. If SESG-1 should lose connection, SESG-2 is still there to handle incoming SMTP connections. The following diagram illustrates this setup.

[Fig. 1.3: Deployment 2. Flows: inbound mail flow 1, inbound mail flow 2, backup mail flow. DNS records shown: example.com MX preference = 10, mail exchanger = sesg1.example.com; example.com MX preference = 5, mail exchanger = sesg2.example.com; internet address records for sesg1.example.com and sesg2.example.com. Other labels: Internet, Router, DNS, Map public to private, Firewall, SESG, SESG, mail.example.com, Port, Backup mail to reporter]

Deployment 3: Based on Deployment 1, we now add an additional host to run the mail gateway component. The following diagram illustrates this configuration: SESG-1 and SESG-2 run the mail gateway while SESG-3 runs the mail reporter.

[Fig. 1.4: Deployment 3. Flows: inbound mail flow 1, inbound mail flow 2, backup mail flow. DNS records shown: example.com MX preference = 10, mail exchanger = sesg1.example.com; example.com MX preference = 10, mail exchanger = sesg2.example.com; internet address records for sesg1.example.com and sesg2.example.com. Other labels: Email, Internet, Router, DNS, Map to, Firewall, SESG, SESG, SESG, mail.example.com, Port, Switch, Backup mails to Reporter]
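How a sending MTA orders the MX records printed in Fig. 1.3 and Fig. 1.4, as an added example that is not part of the original guide. Lower preference values are tried first and equal values are shuffled, so the Deployment 2 records make sesg2 the first choice with sesg1 as fallback, while the Deployment 3 records spread traffic over both gateways. The `reachable` set is a constructed stand-in for real connection attempts.

```python
import random
from itertools import groupby

# MX sets as printed in Fig. 1.3 (Deployment 2) and Fig. 1.4 (Deployment 3).
DEPLOYMENT_2 = [(10, "sesg1.example.com"), (5, "sesg2.example.com")]
DEPLOYMENT_3 = [(10, "sesg1.example.com"), (10, "sesg2.example.com")]


def delivery_order(mx_records, rng=random):
    """Hosts in the order a sending MTA tries them (RFC 5321, section 5.1):
    ascending preference, random order among equal preferences."""
    ordered = []
    by_pref = sorted(mx_records, key=lambda rec: rec[0])
    for _, group in groupby(by_pref, key=lambda rec: rec[0]):
        hosts = [host for _, host in group]
        rng.shuffle(hosts)          # equal preference: spread the load
        ordered.extend(hosts)
    return ordered


def pick_gateway(mx_records, reachable, rng=random):
    """First host in delivery order that accepts a connection, else None
    (the sender then queues the mail and retries later)."""
    for host in delivery_order(mx_records, rng):
        if host in reachable:
            return host
    return None


def share_of_traffic(mx_records, reachable, trials=10000, seed=1):
    """Fraction of simulated deliveries that land on each gateway."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        host = pick_gateway(mx_records, reachable, rng)
        counts[host] = counts.get(host, 0) + 1
    return {host: n / trials for host, n in counts.items()}


if __name__ == "__main__":
    both = {"sesg1.example.com", "sesg2.example.com"}
    print("Deployment 2, both up:  ", share_of_traffic(DEPLOYMENT_2, both))
    print("Deployment 2, sesg2 down:",
          share_of_traffic(DEPLOYMENT_2, {"sesg1.example.com"}))
    print("Deployment 3, both up:  ", share_of_traffic(DEPLOYMENT_3, both))
```
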

Chapter 2 Getting Started

Every SESG is equipped with 2 Ethernet ports, where the default IP address of Port1 is and the default IP address of Port2 is
You may use a web browser to manage SESG (only Microsoft Internet Explorer 6.0 or Mozilla Firefox 1.0+ or later versions are supported).

2.1 Logging into the system

Step 1: Use the UTP cable to connect to SESG port1 or port2. Point the web browser to the URL or to link to the web management console login screen.

Step 2: In the login screen, enter the Username and Password given below into the respective text boxes, and select the language from the pull-down box:
Username: admin (default)
Password: admin123 (default)
Language: Select the user interface language. This can be English, Simplified Chinese or Traditional Chinese.

2.2 Home Page

Summary page

After you have successfully logged in, you will see a menu bar located at the lower left of the page, featuring seven main menu functions. You can click on each one to bring up a list of sub-menu items for that function (the sub-menu items are displayed above the menu bar). If you click the Home function, you will see the default page (Summary) displayed on the right side of the page, showing various statistics of the mail scanned by the mail gateway. These statistics are refreshed every ten seconds. The data displayed are:

Version: Displays the system software version.
License: Displays the number of users authorized by this system, including , and unlimited versions.
Key: To enable SESG SMTP Service Session: SMTP connection of system itself
Mail Queue: The mails waiting to be delivered (including mails which are being processed under the mail policy, delayed delivery mails, and mails which are sent by SESG

built-in MTA)
CPU Usage: Percentage of CPU use
Memory Usage: Percentage of available memory to use
Disk Usage: Percentage of available disk space
Mail Statistics: Information on mail scanning status, including the statistics for the current date, current week, current month, and current year

A sample of the summary screen is shown in the diagram below:

Fig

Mail Queue

After selecting System Setting > SMTP Service > Mail Relay Host to enable the mail queue, all mails (including delayed mails) on this host will be queued and go through mail policy checks. Click Local the Home menu to display the queue. You may then select specific mail(s) to be resent or deleted immediately. An example of the mail queue screen is shown below:

Fig. 2.2

Chapter 3 Configuring SifoML

Click the Configuration function at the main menu bar to bring up its 11 sub-menu items:
Network & Time
SMTP Service
Authentication
Load Balancing
Web Admin
Event Log
Storage
Import/Export
Update
Proxy Server
Tools

Fig

Network & Time

Click Network & Time to bring up the Network and Time configuration page. The configuration is divided into 4 categories; each can be accessed via the tabs at the top of the page.

Network

The Network tab contains network configuration settings for SESG. Here you can select whether you want to deploy the system in the relay or transparent mode. Configurable parameters when Relay Mode is selected are:

Host and Domain Name
Host Name: Fill in SESG's host name, and add SESG's host name to the DNS A record.
Domain Name: Fill in the domain name that SESG belongs to.

Network Interface
Port 1/2 IP Address: IP address of a network interface, e.g In general, Port 1 is used for the connection with the Mail Server/Client while Port 2 is used for the

connection with the Mail Reporter or back-end storage devices (e.g. FTP server, NAS etc.).
Network Mask: Subnet mask for a network interface, for example
Default Gateway: The default gateway address of this system, for example

DNS Server
Primary DNS Server: IP address for the first DNS Server inquired by the system.
Secondary DNS Server: IP address for the first DNS Server inquired by the system.

Note: When you apply the new IP setting, the connection to the configuration screen will be terminated, and you have to log in again via the new IP address.

Fig. 3.2

If SESG is deployed in Transparent Mode, you can configure the following parameters:

Host and Domain Name
Host Name: Fill in SESG's host name, and add SESG's host name to the DNS A record.
Domain Name: Fill in the domain name that SESG belongs to.

Network Interface
SESG's IP Address: IP address of SESG, e.g
Network Mask: A subnet mask for a network interface, for example
Default Gateway: The default gateway address of this system, for example

DNS Server
Primary DNS Server: IP address for the first DNS Server inquired by the system.
Secondary DNS Server: IP address for the first DNS Server inquired by the system.

Note: You will need to connect SESG's port1 to the network and port2 to the mail server.

Routing

Static routing provides a way for the system to interconnect multiple IP subnets. A static route should be configured if SESG's default gateway does not provide a path to the internal network. You may add, delete and move the subnets you set on the page.

To add a new route, click the New hyperlink and an additional route line (with its fields reset) will appear in the list. Complete the three fields (described below) and click the Apply button to add the new route.

Fig. 3.3

IP Address: A specific IP address or IP subnet, for example
Network Mask: The subnet mask of the IP subnet, for example
Gateway Address: The gateway address of the subnet, for example

Date/Time

Display and set the SESG system time.

System Time: Displays the current system time. Click the Refresh button to display the up-to-date system time.
Set System Time Manually: Enter the system time and click Set Time to set it.
Synchronize with Client's System Time: You may synchronize the system's time with the client computer that runs the web browser by clicking the Synchronize Time button.
Synchronize with NTP Server: You may synchronize the system's time with a network server. Enter the name of the NTP Server into the NTP Server field and click Save. The default NTP Server is time.stdtime.gov.tw

Time Zone

Set SESG's time zone.

3.2 SMTP Service

Click the SMTP Service sub-menu item to configure:
Basic Settings
Mail Relay Host
Advanced Settings

Once you are satisfied with the configuration, click Apply to apply and save the settings, or click Reset to reset the values to the previous configuration. Descriptions of the configurable parameters in the various settings are as follows:

Basic Settings

Maximum Concurrent Connections for a System: The maximum number of concurrent SMTP connections allowed between the system and all remote mail servers/clients. If this upper limit is exceeded, the system will reject new SMTP connections, and the message "too many threads" will be displayed in the System Log. The default value is 200 connections, and

the maximum value is 1024 connections.

Connection Limit: When there are too many connections to the SMTP service and most of them use the same IP address, this could mean a denial-of-service or similar attack. You can therefore set an upper limit on the number of connections from the same source IP to prevent such abnormality. Once the number of connections exceeds the upper limit, further connections are denied by the system, and the message "throttle xxx.xxx.xxx.xxx" (IP address) is displayed in the System Log. The default value is 5 connections, and 0 stands for no limitation.

IP Addresses to be excluded from the connection limit: These IP addresses are not subject to the connection limit set above. An example of such an IP address would be a Mail Relay Host within the company which is making backups of the outgoing mails.

Connection Timeout: The timeout for the wait-reply status of the system when it is trying to establish an SMTP connection with the mail server/client. The default value is 110 seconds and the range is from 10 to 300 seconds.

Max Inbound Message Size: The maximum size of the incoming mail the system will accept.

Max outbound Message Size: The maximum size of the incoming mail the system will accept.

Mail Relay Host

Mail Queue of This Host: Select to enable the mail queue of this host. This is necessary before the mail policy checks are executed.

Default Mail Relay Host: This is the IP address and port of the default Mail Relay Host. As described earlier, SESG handles all incoming SMTP connections through an SMTP processor and maintains an internal SMTP connection with the default mail relay host. The default mail relay host acts like a default router, as all mail traffic passes through it. If the system is not able to pass messages to this address, an error message in the form "connect to xxx.xxx.xxx.xxx port yy failed" is written into the system log. The factory default for this host's IP is localhost ( ) and port 26 (in other words, SESG's internal MTA is the relay host). If you wish to assign different mail relay hosts to handle traffic from other IP addresses, you will need to configure Mail Routing by Sender IP Address. If the mail policy is enabled (i.e. the mail queue of this host is enabled), the mails should be sent through the SESG built-in MTA. For more details on the default mail relay host, see the section Real-time Delivery vs. Queued Delivery below.

Backup Mail Relay Host: The IP address and port of a backup Mail Relay Host in case SESG is unable to connect to the default mail relay host.

Connection Timeout: The default is 20 seconds.

Load Balance: If load balancing is enabled, SESG will use the round-robin method to assign SMTP connections to the default mail relay host and the backup mail relay host.

Real-time Delivery vs. Queued Delivery

If SESG's default mail relay host is set to the backend mail server's IP address, SESG will forward mail messages to it in real time. Real-time delivery has several characteristics:

When SESG receives an SMTP command (such as HELO, MAIL FROM:, RCPT TO:) from the remote sender, it forwards the same command to the backend mail server. When the backend mail server replies OK, SESG forwards that reply to the remote sender. If the mail server does not respond or rejects further interaction with the sender, SESG mirrors the same actions with the sender. In this way the sender gets immediate feedback as if it were dealing directly with the mail server. If the sender receives a mail delivery success

message it means the mail server has in fact received the mail. Note that the system does not keep any mail messages in storage from either party.

If the relay host wishes to send an outgoing message via SESG, Mail Routing by Sender IP Address (Mail Control > Mail Routing) must be configured so that the mail server's outgoing messages are routed to SESG's internal MTA for further delivery. Otherwise, SESG will simply forward all its messages (even ones originating from the mail server) to the relay host (which itself is also the mail server), thus creating a looped delivery.

Note that if Mail Queue for this host is enabled to conduct mail policy checks, real-time delivery will not be available.

If SESG's default mail relay host is set to and port 26, SESG will forward all SMTP messages to its internal MTA, which will then forward them to the backend mail server. This mode of delivery is called queued delivery. Its characteristics are:

Since the built-in MTA completes the incoming mail transaction with the sender before sending the mail to the backend mail server, it is possible that the sender receives a delivery success message although the backend server has never actually received the mail. One possible cause is that the connection between the MTA and the mail server has broken down and, as a result, SESG keeps the mails in the queue for later transmission. This results in a time gap between the sender's receipt of the delivery success message and the mail server's receipt of the actual mail.

SESG's built-in MTA consults DNS and the configuration under Mail Routing by Recipient's Domain to determine where to forward the mail messages. In a setup where there are multiple mail servers in multiple domains, or when the mail server needs to send an outgoing message through SESG, the system will use this mode for mail delivery.
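The acknowledgement gap between the two delivery modes described above, as an added simulation that is not part of the original guide and not SESG code. The `Backend` and `Gateway` classes, the message ids and the 451 reply text are constructed for illustration; only the behaviour (mirror the backend's reply in real-time mode, acknowledge first and deliver later in queued mode) comes from the text.

```python
class Backend:
    """Constructed stand-in for the backend mail server."""

    def __init__(self):
        self.up = True
        self.mailbox = []

    def accept(self, msg_id):
        if not self.up:
            raise ConnectionError("backend unreachable")
        self.mailbox.append(msg_id)
        return "250 OK"


class Gateway:
    """Models only the acknowledgement behaviour of the two delivery modes."""

    def __init__(self, backend, queued):
        self.backend = backend
        self.queued = queued
        self.queue = []  # spool used by the internal MTA in queued mode

    def receive(self, msg_id):
        """Return the reply the remote sender sees at the end of the transaction."""
        if self.queued:
            self.queue.append(msg_id)  # internal MTA completes the transaction
            self.flush()               # and tries the backend on its own schedule
            return "250 OK"
        try:
            return self.backend.accept(msg_id)   # backend's own reply, mirrored
        except ConnectionError:
            return "451 relay host unavailable"  # constructed reply text

    def flush(self):
        """Deliver queued mail in order; stop at the first failure."""
        sent = 0
        while self.queue:
            try:
                self.backend.accept(self.queue[0])
            except ConnectionError:
                break
            self.queue.pop(0)
            sent += 1
        return sent


def outage_scenario(queued):
    """Send m1 with the backend up, m2 and m3 during an outage, then recover."""
    backend = Backend()
    gw = Gateway(backend, queued)
    replies = {"m1": gw.receive("m1")}
    backend.up = False
    replies["m2"] = gw.receive("m2")
    replies["m3"] = gw.receive("m3")
    acked = {m for m, r in replies.items() if r.startswith("250")}
    # Mail the sender believes delivered that the backend has not received yet.
    gap = sorted(acked - set(backend.mailbox))
    backend.up = True
    flushed = gw.flush()
    return {"replies": replies, "gap_during_outage": gap,
            "flushed_after_recovery": flushed, "mailbox": list(backend.mailbox)}


if __name__ == "__main__":
    for mode in (False, True):
        print("queued" if mode else "real-time", outage_scenario(mode))
```

In queued mode the depth of the gateway's mail queue is the only place the undelivered mail is visible, which is why the queue is worth monitoring during a backend outage.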
If Mail Queue is enabled for this host, SESG will attempt to temporarily store the mails for delivery and deliver them using the built-in MTA. This can only be done using the Queued Delivery mode.

Advanced Settings

SMTP Protocol:

Use SMTP Authentication: Select to enable an authentication check on remote users that send outbound mail through the company mail server. If the authentication fails, the system will display the error message "535 Authentication failed".

Use FQDN in HELO Command: Specify whether or not you want SESG to use a valid URI after a helo/ehlo command.

Insert Received in the message's header: SESG will insert the Received tag into the message's header in order to indicate that the mail has been received by SESG.

Insert X-User in the message's header: A unique feature of SifoML. When a mail is sent after the user has logged into the mail server, the user's account name becomes part of the mail header.

Hide responses from mail relay host: When this option is enabled, the remote mail host can only see the responses from the SESG SMTP session but not those from the backend host.

Keep the connection to the mail relay host: SESG will continue to send NOOP in order to maintain the connection to the mail host. Note that some mail relay hosts may view the repeated sending of too many NOOP commands as an attack.

Sender:

Accept empty sender: Select to instruct the system to accept mails with an empty Mail From: field.

Recipient:

Maximum recipients in a message: The default value is If the number of recipients in a mail exceeds this value, the system will display the message "550 Too many recipients".

Discard message with a number of bad recipients: If a single message's number of bad recipients exceeds the number set here (default is 5), the connection to the sender is terminated, and the system will display the message "421 Too many bad recipients, closing transmission channel". This is to prevent mail bombs and directory harvest attacks (DHA).

Miscellany:

Trim the single quote in the sender/recipient address: Some mail hosts with older software may enclose the sender address in single quotes. Selecting this option instructs SESG to remove any single or double quotes from the sender address first, in order to prevent setting up an account with these quote marks.

Support CheckPoint Firewall-1: Some older versions of the Checkpoint mail proxy do not follow the RFC rule when generating the response sequence (for example, executing the rcpt to: command before the mail from: command). Select this option to enable SESG to support these servers.

3.3 Authentication

Authentication servers allow users to log in to SESG using their server accounts/passwords. SESG authenticates the users' accounts/passwords with the server before permitting them to use the mail reporter or to use SESG to forward outgoing mails. SESG supports eight authentication servers, providing SMTP authentication and user login verification at the personalized Mail Reporter console. If multiple local mail domains are distributed across different mail hosts, you need to assign the authentication servers to the different mail domains.

Fig. 3.4

From the Authentication Server list, click the Edit link to modify the settings for the corresponding authentication server. The authentication server types available for configuration are POP3, LDAP and RADIUS.

There are two common parameters which can be configured for all types of servers:

Local Mail Domain to Authenticate: Specify the local domains here in order to authenticate users belonging to those local domains. For example, an authentication server with the domain name example.com will only authenticate users in the same local domain such as If the user's account is 123 without any domain information, SESG will not use this authentication server to authenticate it. If an authentication server is responsible for authenticating more than one local domain, you can enter multiple domain names into the text box, separating them with commas.

Allowed Authentication User: Specify the users that will be authenticated by this authentication server. To enter more than one user into the text box, separate them by a linefeed or comma.

To configure a specific type of server, select the server type from the Method pull-down box. The types are:

POP3

Fig. 3.5

Parameters to configure:
POP3 Host and Port: POP3 server IP address and connection port
Use address as POP3 account: Select this option to instruct the POP3 server to accept only the complete address as the login account name.

LDAP

Fig. 3.6

Parameters to configure:

LDAP Host and Port: LDAP IP address and connection port.

Username: The username which allows SESG to bind to the LDAP server and perform a directory search. For example, in Microsoft AD the format is as follows: cn=ldap,cn=users,dc=sifoml,dc=com

Password: The password corresponding to the username above.

LDAP BaseDN: The starting location for searching, i.e. the Base DN. It is usually the company domain, such as dc=sifoml,dc=com

Search Scope: Determines how to search for users.
Basic: Only search the Base DN.
First Layer: Only search the next layer below the Base DN.
Sub Tree: Search the whole sub tree under the Base DN.

Referral Search: If users cannot be found, this option determines whether the system will use the referral returned by the LDAP server to continue searching. Selecting On instructs the system to continue searching using the referral. As the search might continue to another LDAP server to which SESG does not have access, it is usually recommended to disable this feature.

Authentication Attribute: The authentication attribute. For example, in Microsoft AD the authentication attribute is samaccountname.

Address Attribute: The address attribute. For example, in Microsoft AD the address attribute is mail. In Exchange 2000/2003, it is proxyaddresses.

Address Prefix: The prefix string of the LDAP mail address attribute. For example, the mail address value returned by the Microsoft Exchange Server is smtp:[email protected]. In this case, the prefix of the mail address is smtp:

RADIUS

Fig. 3.7

RADIUS Host and Port: RADIUS IP address and connection port
RADIUS Secret Key: RADIUS server's secret key
Use address as RADIUS account: Select this option to instruct the RADIUS server to accept only the complete address as the login account name.
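How the Local Mail Domain, Search Scope, Authentication Attribute and Address Prefix settings above fit together in one lookup, as an added example that is not SESG code. The server entry, the sample addresses and the choice to search on the local part of the login are assumptions; the filter value is escaped per RFC 4515 so that a crafted login cannot change the search.

```python
# Constructed settings that mirror the fields of section 3.3; values are samples.
SERVERS = [
    {"name": "ad1",
     "domains": ["example.com", "example.org"],   # Local Mail Domain to Authenticate
     "base_dn": "dc=sifoml,dc=com",               # LDAP BaseDN
     "scope": "Sub Tree",                         # Search Scope
     "auth_attr": "samaccountname",               # Authentication Attribute
     "addr_attr": "proxyaddresses",               # Address Attribute
     "addr_prefix": "smtp:"},                     # Address Prefix
]

# Guide's scope names mapped to the usual LDAP search scopes.
SCOPES = {"Basic": "base", "First Layer": "onelevel", "Sub Tree": "subtree"}


def select_server(login, servers=SERVERS):
    """Pick the authentication server whose local mail domain matches the login.
    A login without a domain part (e.g. '123') matches no server."""
    local, sep, domain = login.rpartition("@")
    if not sep or not local:
        return None
    for server in servers:
        if domain.lower() in (d.lower() for d in server["domains"]):
            return server
    return None


def escape_filter_value(value):
    """RFC 4515 escaping: backslash, '*', '(', ')' and NUL become \\XX."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def build_search(login, servers=SERVERS):
    """Return (base DN, scope, filter) for the login, or None if no server applies.
    Assumption: the directory is searched on the local part of the address."""
    server = select_server(login, servers)
    if server is None:
        return None
    local = login.rpartition("@")[0]
    ldap_filter = "(%s=%s)" % (server["auth_attr"], escape_filter_value(local))
    return (server["base_dn"], SCOPES[server["scope"]], ldap_filter)


def mail_addresses(values, prefix):
    """Strip the Address Prefix from attribute values; values that carry another
    prefix (e.g. X400:) are skipped. The match ignores case because Exchange
    writes the primary address as 'SMTP:' and aliases as 'smtp:'."""
    return [v[len(prefix):] for v in values
            if v.lower().startswith(prefix.lower())]


if __name__ == "__main__":
    print(build_search("alice@example.com"))
    print(build_search("123"))                    # no domain: not authenticated here
    print(build_search("a*)(cn=*@example.com"))   # metacharacters are neutralised
    sample = ["SMTP:alice@example.com", "smtp:a.smith@example.com", "X400:c=US;a= ;"]
    print(mail_addresses(sample, "smtp:"))
```
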
3.4 Load Balancing

The load balancing parameters available for configuration are (for details on load balancing, see Section 1.5):

SifoML Gateway: You can have one Primary SifoML Gateway and multiple Backup SifoML Gateways. Click the New hyperlink to add more backup gateways by entering the IP

addresses as new text boxes appear.

SifoML Reporter: You can only have one mail reporter in your network configuration. Enter the IP address of the SifoML Report Host.

Synchronize: Clicking the Synchronize button synchronizes the configuration files of all the SifoML gateways. This can only be done from the designated main SifoML gateway. If only one SifoML gateway is set up, then that gateway is the main SifoML gateway; if more than one SESG is set up in the network (for example, as part of the load balancing strategy), then one gateway needs to be the designated main SifoML gateway and the rest are either backup SifoML gateways or the SifoML Reporter.

From the example in the screenshot below, there are two SESG hosts: and The server is the main gateway, and is responsible for scanning while is responsible for backup scanning and mail reporting will indicate as the main mail gateway in its configuration. In s configuration, click the Synchronize button.

Fig. 3.8

3.5 Web Admin

You can configure the web administrator settings, which include managing administrator accounts, etc. The settings are divided into three categories (in three separate tabs).

Basic Settings

In Basic Settings, you can configure the following parameters:

Idle timeout: You can set SESG's idle timeout to 3, 10 or 30 minutes, or 1 or 8 hours.

Only use secure connection (HTTPS) for Web access: Select this to instruct SESG to use only HTTPS (port 443) for web access.

IP Address Rules: Specify the IP addresses that are allowed access to SESG's web admin. You can specify a single IP address, a range of addresses or a whole subnetwork.

Fig. 3.9

Click New to add a new specification. Click Delete to delete the highlighted specification. Click Up or Down to re-arrange the priorities of the specifications.

Account

Four sets of administrator accounts and passwords can be specified, and they share the same administration privilege. Enter each Username and its corresponding password in the text boxes provided.

System Notification

Sender Address of Notification: System event notification messages use this mail address as the sender.
Recipient Address of Notification: Notification messages are sent to this address. You can specify more than one address by entering them into the text box one at a time, separated by either a linefeed or a comma.
Interval of Notification: The interval at which notifications are sent out. This prevents the system from sending notifications non-stop when an event keeps recurring.

3.6 Event Log

You can configure the event content and format required by the system.

Enable Logging (select to enable)
Event to log: The types of events to log. These can be:
o System: SESG system events and the connection details of other Mail Servers/Clients.
o Traffic: Information on the traffic flow. If this is selected, you also need to select the Traffic Log Format. This can be Internal, Webtrend, or All (a combination of both).
o Kaspersky Virus Pattern Update: The updated virus pattern information of the Kaspersky anti-virus software.
o Clam Virus Pattern Update: The updated virus pattern information of the Clam anti-virus software.
Detail Level: How detailed the logs should be. The level ranges from 1 to 7: 1 stands for the simplest event recording, 7 stands for very detailed event logging.
Duration: How long the logs should be kept.

Log Server

Syslog Host: Mail Reporter host name or IP address.
Webtrends Host: Webtrends host name or IP address.

3.7 Storage

When the free disk space is lower than the value set here (in KB), you can specify the action to be taken by SESG: either stop receiving messages, or stop archiving messages (but continue to receive).

3.8 Import/Export

Export Configuration File: Click the Export button to save the configuration file to the local disk.
Import Configuration Files: Click the Import button to upload a backup configuration file from the local disk. You can specify the file by entering the filename (with full path) into the text box, or click the Browse button to browse for the file.
Reset Configuration Files to Factory Default: Click the Reset button to reset the system to factory default settings, including the mail database of the SifoML Reporter and statistics data. It is recommended that you export the current configuration to the local disk as a backup before resetting.

3.9 Update

License Update: This is where you enter the authorization code after obtaining the license to upgrade the number of authorized users. Click the Update License button to update the system once you have entered the code in the text box. Note that you should restart the SMTP gateway via System Configuration>Shutdown for the update to take effect.
Firmware Update: Enter the filename (with full path) or use the Browse button to select the firmware image file you want to load. Then click Update Firmware to update the firmware.

Proxy Server

You may want to set up the Proxy server so that the virus patterns or heuristic rules can be updated. Enter the Proxy server's IP address and port number, followed by the Username and Password.

3.11 Tools

You can use the ping, traceroute, and dig commands available here for debugging purposes. Enter a value and click the Execute button to run the command. The result is displayed in the Output window. An example of a ping is shown in the screenshot below:

Chapter 4 Mail Protection

Click the Mail Protection function at the main menu bar to bring up its 5 sub-menu items:

Anti-DoS
Anti-Relay
Anti-Spam (Inbound)
Anti-Spam (Outbound)
Anti-Virus

How SESG Compares Input Strings

String matching is a common method used by the system when scanning messages. It is built into the matching rules used in areas such as Black/White List, Keyword Matching, Mail Control and Mail Alias. In many of these areas you need to enter specific strings so that SESG knows what to match. SESG uses three types of string matching: any strings matching, IP address pattern matching, and address pattern matching.

Note: Strings used in SESG's string matching are not case-sensitive.

Any Strings Matching

Format: <Any String>

As long as the string or part of the string matches the rule (string pattern) that is set up, it is considered a successful match.

Example:
String Pattern: per
Matching Result (O stands for successful match, X stands for failed match):
super (O)
2 meals per day (O)
Personal affair (O)
prepare for impact (X)

IP Address Matching

Format: <IP Address Pattern>

Scanning from left to right starting from the first character, as long as the IP address string to be matched matches the rule (the entire IP string pattern) that is set up, it is considered a successful match.

Example:
IP Address Pattern:
Matching Result (O stands for successful match, X stands for failed match): (O) (O) (O) (X) (X)

As you can see, you can use the IP Address Pattern to represent a network segment and use IP Address Matching to find out whether a particular IP address is part of that network segment. In the example above, the IP Address Pattern can represent the network segment / Therefore to represent network segment / , you can set up 127 as the IP Address Pattern; to represent network segment / , you can set up IP Address Pattern

Note that to represent a network segment, the period (.) followed by any IP address cannot be omitted. If the period is omitted, the pattern will not represent a network segment, as shown in the example below:

IP Address Pattern: 10.2
Matching Result (O stands for successful match, X stands for failed match): (O) (O) (O) (X) (X)

Also, a ^ prefix in an IP Address Pattern indicates that the IP address to be matched should match the entire pattern, as shown in the example below:

IP Address Pattern: ^
Matching Result (O stands for successful match, X stands for failed match): (X) (O)

Address Pattern Matching

Format: <Address Pattern>

The Address Pattern can be one of the following three types: a complete address (e.g. [email protected] ), a domain name (denoted by as first character. ), or just a string of characters (e.g. yourname or example ). See the examples below:

Example:
Address Pattern: [email protected]

Matching Result (O stands for successful match, X stands for failed match):
[email protected] (X)
[email protected] (X)
[email protected] (X)
[email protected] (O)

Address Matching Result:
[email protected] (O)
[email protected] (O)
[email protected] (X)
[email protected] (O)

Address Pattern: jason
Matching Result:
[email protected] (O)
[email protected] (O)
[email protected] (O)
[email protected] (O)
[email protected] (O)
[email protected] (O)

4.2 Anti-DoS

DoS Settings

SifoML supports the configuration of settings that control SMTP mail behavior, otherwise known as the DoS Protection Setting. There are two types of control available: Connection Frequency Control and Message Frequency Control.

Connection Frequency Control

Click New to set up a new connection frequency control. You can choose to set up a Single IP or Sub network connection. Then specify the IP address or the sub network segment. Now you can fill in the rest of the parameters:

Detection Period: The duration within which consecutive connections are established. This can be in days (d), hours (h), minutes (m) or seconds (s). For example, to set a detection period of 2 hours or 10 minutes, enter 2h and 10m respectively. Note that the maximum value you can enter here is 3d (i.e. 3 days).
Threshold: The maximum number of SMTP connections allowed to be made within the Detection Period. Anything exceeding this threshold signals a DoS attack.
Duration of Blocking: The duration for which connections from the IP address or network segment will be rejected. This can be in days (d), hours (h), minutes (m) or seconds (s). For example, to set a blocking duration of 1 day or 45 seconds, enter 1d and 45s respectively. Note that the maximum value you can enter here is 3d (i.e. 3 days).

Message Frequency Control

Click New to set up a new mail frequency control. You can choose to set up a Single IP or Sub network connection. Then specify the IP address or the sub network segment.
Now

you can fill in the rest of the parameters:

Detection Period: The duration within which mails are received. This can be in days (d), hours (h), minutes (m) or seconds (s). For example, to set a detection period of 2 hours or 10 minutes, enter 2h and 10m respectively. Note that the maximum value you can enter here is 3d (i.e. 3 days).
Threshold: The maximum number of mails or messages allowed to arrive at the server within the Detection Period. Anything exceeding this threshold signals a DoS attack.
Duration of Blocking: The duration for which connections from the IP address or network segment will be rejected. This can be in days (d), hours (h), minutes (m) or seconds (s). For example, to set a blocking duration of 1 day or 45 seconds, enter 1d and 45s respectively. Note that the maximum value you can enter here is 3d (i.e. 3 days).

Note: If you set Detection Period to 0s, the Threshold value to 0, and Duration of Blocking to 0s, the specific IP or network segment will not be checked for DoS attacks. If you set Detection Period to 1s, the Threshold value to 0, and Duration of Blocking to 1s, the specific IP or network segment will not be able to establish any SMTP connection to SESG, and thus will not be able to send any mail or messages to it.

4.3 Anti-Relay

Setting up rules in Anti-Relay allows you to prevent your server from being used to illegally relay mails that do not belong to you. The Anti-Relay option consists of 3 sub-options:

Zone
Policy
Allow/Deny List

Zone

There are three categories of zones (accessible from the three tabs) that you can configure in Anti-Relay.

Local Mail Domain & IP List

Local Mail Domain: Mail domain names accepted by SESG. These are the name strings after the @ symbol in a typical address. For example the mail domain name of [email protected] will be example.com. You can enter more than one domain name into the text box, separated by a linefeed.
Under transparent mode, the system receives and scans mails from any domain network. If you know exactly which mail domains you wish to receive mails from, and only from those domains (as specified in the Local Mail Domain field), check the Only accept local mail domain in transparent mode box.

Local IP Address: IP addresses or network segments accepted by SESG. See the section on how to set up an IP address pattern. You can enter more than one IP address or network segment into the text box, separated by a linefeed or comma.

Note: SESG does not inspect emails from local IPs, so if you want to inspect emails from local IPs you have to add these IPs to the Remote IP List (see below) or enable the Anti-Spam (Outbound) function (see section 4.4).

SESG can determine and direct where emails should be going (inbound, relay, outbound

or local) depending on their sender IP address and recipient mail domain name. This is illustrated in the table below:

Direction | Sender IP Address | Recipient Mail Domain Name
Inbound | Non-Local IP Address, Remote IP Address | Local Mail Domain Name
Relay | Non-Local IP Address, Remote IP Address | Non-Local Mail Domain Name
Outbound | Non-Local IP Address | Non-Local Mail Domain Name
Local | Local IP Address | Local Mail Domain Name

Remote IP List

Remote IP Address: These are non-local IP addresses. Remember that SESG does not scan mails sent from local IP addresses. This can be a problem because SESG could be deployed behind an MTA/Mail Log/Antivirus Server within the same network. Mails that pass through the MTA/Mail Log/Antivirus Server before going to SESG will then be treated by SESG as coming from a local IP address, even when the mails actually came from an external IP address via the Internet. To ensure these mails go through SESG's scanning, the IP address of the MTA/Mail Log/Antivirus Server needs to be specified as part of the Remote IP List. SESG will then treat mails coming from these IP addresses as non-local.

Local Exception List

The general rule of a mail host is to accept any mail sent to the local mail domain. However, SESG can override this rule by stipulating that even mails sent to the local mail domain must be subject to approval by the mail relay policy or SMTP authentication. This prevents unwanted mails from being sent from within the network, and it is used in conjunction with SMTP authentication. Enter the local IP addresses or local domain names into the Local Exception List or Local Mail Domain Except Sender Domain text boxes respectively.

Policy

Channel Alias: You can choose to process aliases before or after checking the mail relay policy. Processing the alias first can simplify the mail relay policy.
Order of Allow/Deny List: You can choose to check through the Allow List first or the Deny List first.
Precedence of IP/Domain: Both sender IP addresses and mail domain names can appear in the Allow/Deny List. You can choose to check IP addresses first or mail domain names first.
Check Allow/Deny List even the user is authenticated: Select to instruct SESG to check through the Allow/Deny List for the user even if the user is already authenticated.
Check if the authenticated username matches the user part of sender address: Select to instruct SESG to check whether the name before the @ sign of the sender mail address corresponds to the user name used for SMTP authentication. If there is a difference, the mails will be rejected, preventing illegal users from using the sender mail address. This option should be used in conjunction with SMTP authentication as well as the Check Allow/Deny List even the user is authenticated option.
Delay checking for sender information, check sender information for each recipient: In general, the sender policy in the Allow/Deny List has a higher priority than the recipient policy. You can select this option to ensure that the recipient policy is checked before the sender policy. This is useful in some special situations, as illustrated in the following examples.

Example policy 1: All employees must not send mails to the company's competitors.
Say the company's domain name is test.com, and it is part of the sender policy in the Allow List (i.e. all employees from test.com are allowed to send mails). The competitor's domain name is example.com, and it is part of the recipient policy in the Deny List (i.e. mails going to example.com are denied). Therefore, when scanning an outgoing mail with this option selected, mails whose recipient address has the domain name example.com will be checked against the recipient policy first, and subsequently rejected.

Example policy 2: Some employees can only email recipients belonging to the local mail domain name.
Assume [email protected] is not allowed to send any mails to anyone, except to the local domain example.com. You can set up [email protected] as part of the sender policy in the Deny List, while setting up example.com as part of the recipient list in the Allow List. Therefore, when scanning an outgoing mail with this option selected, the mail from [email protected] will not be rejected because the recipient address is example.com, which happens to be part of the recipient policy in the Allow List.

Note: Mails that match the Allow/Deny List will not go through the spam mail filter mechanism. In example policy 1 above, any spam mails from test.com will be considered valid mails; in example policy 2, all mails sent to example.com will be viewed as valid mails. So this option should be enabled with discretion.

Check Host Name in HELO command: Checks the validity of the host name given in the HELO command. You can select DNS lookup or reverse lookup to check the validity of the host name sent by the opposite party's mail host.
In general, this option is disabled (select None) because many SMTP servers are not listed in the DNS.

Allow/Deny List

This sub-option allows you to set up the Allow and Deny Lists for the mail relay policy, as well as to specify any Forbidden Characters that must not be in a valid mail. A mail will be rejected if it falls under the Deny List or contains any forbidden characters. It will be accepted if it is part of the Allow List. These settings can be accessed via the three separate tabs. For each list, you can enter more than one item, separated by a linefeed. The maximum number of characters you can enter into the list is This limitation also applies to the Forbidden Characters textbox.

4.4 Anti-Spam (Inbound)

SESG's powerful anti-spam function provides more than ten mechanisms to block incoming spam mails. Each mechanism has its advantages and disadvantages. If you are unsure how these mechanisms work, it is recommended that you use the default settings provided, and match the key words with the black and white list of your organization or enterprise. This will effectively block almost 90% of the spam mails.

The Anti-Spam (Inbound) option consists of 9 sub-options:

Policy
RBL
Sender Verification
Recipient Verification
Intelligent Content Filter
White/Black List
Keyword
Keyword Classification
Heuristic Rule

Policy

Here you can configure settings for Policy, Excluded List, and Included List for spam mails, accessible via three separate tabs.

Policy

Enable Inbound Anti-Spam Policy: There are three policies available: user-defined, group, and system policies. By default all three policies are enabled. You can also modify the order in which these policies are used by the system.

How to react with Spam: Here you can select one of the three modes in which the system handles detected spam mails. Note that only mails with recipients listed in the Included List will be checked for spam. If the Included List is empty, then all mails will be checked. The exception is when Hybrid mode is selected, where all mails will be checked regardless. When recipients appear in both the Included List and the Excluded List, the Excluded List takes precedence. The three modes are:
Quarantine mode: Mails will be quarantined.
Test mode: Mails will not be quarantined and will instead be delivered together with the rest of the valid mails, although a copy of the spam mail will be stored in the Reporter spam directory.
Hybrid mode: Mails will be quarantined only if the recipients are part of the Included List. Otherwise, they will be delivered together with the rest of the valid mails, although a copy of the spam mail will be stored in the Reporter spam directory.

How to add spam tag: Specify where to add the spam tag on the mail: header or subject. You can also specify the content of the tag.

Excluded List

The addresses of specific recipients listed here (or matching the address pattern) will not be inspected by the anti-spam policy. Maximum length of the list is 1000 characters.
Included List

The addresses of specific recipients listed here (or matching the address pattern) will be inspected by the anti-spam policy. If this list is empty, then all mails will be inspected by the policy. Maximum length of the list is 1000 characters. You can also export this list into the mail reporter's account file.

RBL

The RBL (Real-time Blackhole List) filter uses a DNS query to check the Real-time Blackhole List for an IP during the SMTP connection phase. If this IP is listed in the black list, mails from this IP will be considered spam, and will be intercepted and rejected. Maximum length of the list is

Sender Verification

Sender verification allows you to determine whether mails should be quarantined or rejected through verification of the sender mail address (MAIL From:).

Verification Method: Select the method of verification:
None: Sender verification is disabled.
Local Only: Verifies whether the sender address from the local mail domain exists.
DNS Lookup: Besides checking local addresses, SESG also verifies whether the sender from the local mail domain has an MX or A record.
Strict: Based on the sender's mail address, the system requests the MX or A record of this domain network. Once the record is obtained, the system checks whether the connection IP falls within the range of the IP network segment recorded. If it does not, the mail is deemed spam.

As an example shown below in the diagram, the strict verification method has been enabled. If mails are sent to this equipment through mail address [email protected], SESG will lookup SESG MX record, and the record is , and here the parameter Connection IP netmask is , which means that the connection IP should fall in the network segment , and the verification is successful.

Fig. 4.2

By default, all connection IPs will be checked. If you only want certain domain networks to be checked instead, then you must fill in the Domain/ Address Include List.

Connection Timeout for verification: This is the connection timeout with the verification server. A connection timeout is considered a failure in verification.
When verification fails: The action to be taken after a failure in verification.
This can be either Quarantine or Deny Mails, where mails are quarantined or rejected respectively.
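The DNS Lookup and Strict checks described in Sender Verification above, sketched in Python as an added example (not SESG's own code). The resolver, domains and addresses are constructed, and the way the include list, netmask and timeout combine is an assumption drawn from the text; Local Only is not modelled.

```python
import ipaddress

# Constructed DNS answers (documentation address ranges): domain -> MX/A host IPs.
DNS = {
    "partner.example": ["192.0.2.10"],
    # The MX sits in one segment; this domain's outbound relays use 203.0.113.0/24.
    "hosted.example": ["198.51.100.25"],
}


def resolve_mail_hosts(domain):
    """Stand-in for the MX/A lookup. Raises TimeoutError, or KeyError if no record."""
    if domain == "slow.example":
        raise TimeoutError(domain)
    return DNS[domain]


def verify_sender(mail_from, conn_ip, method="Strict", netmask="255.255.255.0",
                  include_list=(), on_fail="Quarantine", resolver=resolve_mail_hosts):
    """Return "Accept" or the configured failure action (Quarantine / Deny Mails)."""
    if method == "None":
        return "Accept"
    sender = mail_from.strip().lower()
    domain = sender.rsplit("@", 1)[-1]
    listed = {entry.strip().lower() for entry in include_list}
    # Assumption: an empty include list means every sender is checked,
    # otherwise only listed domains or addresses are.
    if listed and domain not in listed and sender not in listed:
        return "Accept"
    try:
        hosts = resolver(domain)
    except (TimeoutError, KeyError):
        return on_fail  # a timeout counts as a failed verification
    if method == "DNS Lookup":
        return "Accept" if hosts else on_fail
    if method != "Strict":
        raise ValueError(f"method not modelled here: {method}")
    client = ipaddress.ip_address(conn_ip)
    for host in hosts:
        # Network segment = recorded host address masked with Connection IP netmask.
        segment = ipaddress.ip_network(f"{host}/{netmask}", strict=False)
        if client in segment:
            return "Accept"
    return on_fail


def demo():
    """Verdicts for a set of constructed connections."""
    return {
        "same_segment": verify_sender("alice@partner.example", "192.0.2.77"),
        "forged_from_elsewhere": verify_sender("alice@partner.example", "203.0.113.50"),
        "legit_relay_outside_mx_segment": verify_sender("news@hosted.example", "203.0.113.8"),
        "dns_lookup_only": verify_sender("news@hosted.example", "203.0.113.8",
                                         method="DNS Lookup"),
        "not_in_include_list": verify_sender("news@hosted.example", "203.0.113.8",
                                             include_list=["partner.example"]),
        "lookup_timeout": verify_sender("bob@slow.example", "192.0.2.1",
                                        on_fail="Deny Mails"),
        "wider_netmask": verify_sender("alice@partner.example", "192.0.77.1",
                                       netmask="255.255.0.0"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:32} {verdict}")
```

The forged connection and the legitimate relay outside its MX segment get the same verdict, so Strict is best limited through the Domain/ Address Include List to domains known to send from their MX segment.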

Recipient Verification

Recipient verification determines whether spam mails should be quarantined or rejected through verification of the recipient mail address. SESG supports 8 authentication hosts, and each authentication host can be set up individually. From the Recipient Verification Server List, click Edit to enter the server configuration page.

Local Mail Domain to Verify: This is the list of mail domains which this server will verify. Enter more than one domain name by separating them with a linefeed or comma.

Fig. 4.3

The rest of the parameters are made available depending on which Method of verification you select:

None

Essentially disables recipient verification. This will make the system prone to spam attacks.

VRFY

Verification using the VRFY command. The system uses the VRFY command to ask the recipient verification host whether or not a recipient address exists. If the recipient's address exists, the verification host replies OK and SESG accepts the incoming mail. Otherwise, SESG denies the incoming mail. Note that Microsoft Exchange 2000 and 2003 do not support the VRFY command. You need to use LDAP servers if you want to use VRFY. Parameters to configure are:

Verification Host and port: The Verification Host's IP address and connection port.
On Connection Failure: The action to be taken if SESG fails to connect to the recipient verification host.
Verify Name Only: Some older versions of Lotus Notes can only verify the name before the "@" symbol of the mail address but not the whole mail address.
Send HELO Command Before VRFY Command: Instructs the system to execute the HELO command before the VRFY command. This is because some mail hosts tend to request this particular sequence when performing verification.
Support Notes group address: When using the VRFY command to verify a group address on Notes, Notes will respond with a verification failure such as 550 String [email protected] is a group, not a user. Enabling this option instructs SESG to analyse the whole response string to determine whether the group address is indeed valid.
Support Postfix VRFY Command: Postfix's response code for successful verification is 252, not 250. Enabling this option instructs SESG to take note of this.

VRFY command's Bad Response: Some mail servers always respond with successful verification (code 250) for SMTP VRFY, regardless of the actual verification. SESG can analyse the response string for special characters specified here that will indicate the actual result.

RCPT

SESG may use the RCPT command to verify whether the recipient exists in the verification host (this is usually the server). If the recipient's address exists, the verification host replies OK and SESG accepts the incoming mail. Otherwise, SESG denies the incoming mail.

Verification Host and port: The Verification Host's IP address and connection port.
On Connection Failure: The action to be taken if SESG fails to connect to the recipient verification host.

LDAP

SESG logs into the recipient verification host (an LDAP server) to search for a recipient address. If the recipient's address exists, the verification host replies OK and SESG accepts the incoming mail. Otherwise, SESG denies the incoming mail.

Verification Host and port: The Verification Host's IP address and connection port.
On Connection Failure: The action to be taken if SESG fails to connect to the recipient verification host.
Username: This is the username which allows SESG to bind to the LDAP server and perform a directory search. For example, in Microsoft AD, the format is as follows: cn=ldap,cn=users,dc=sifoml,dc=com
Password: The password corresponding to the username above.
LDAP BaseDN: The starting location for searching, i.e. the Base DN. It is usually the company domain, such as dc=sifoml,dc=com
Search Scope: Determines how to search for users.
o Basic: Only search the Base DN.
o First Layer: Only search the next layer of the Base DN.
o Sub Tree: Search the whole sub trees under the Base DN.
Referral Search: If users cannot be found, this option determines whether the system will use the referral returned by the LDAP server to continue searching.
Selecting On instructs the system to continue searching using the referral. As the search might continue to another LDAP server to which SESG does not have access, it is usually recommended to disable this feature.
Primary Address Attribute: The address attribute. For example, in Microsoft AD the address attribute is mail. In Exchange 2000/2003, it is proxyaddresses.
Primary Address Prefix: The prefix string of the LDAP mail address attribute. For example, the mail address value replied by the Microsoft Exchange Server is smtp:[email protected]. In this case, the prefix of the mail address is smtp:
Verify Name Only (Primary): SESG uses the account id instead of the address to authenticate with the LDAP server. This method is suitable for LDAP servers that do not use addresses as login ids but whose login ids match the account names.
Secondary Address Attribute: Attribute name of the secondary mail address.
Secondary Address Prefix: The prefix string of the secondary LDAP mail address attribute. See Primary Address Prefix.
Verify Name Only (Secondary): SESG uses the account id instead of the address to

authenticate with the LDAP server. This method is suitable for LDAP servers that do not use addresses as login ids but whose login ids match the account names.
Merge Secondary As Primary Mail Address: Converts the secondary mail address into the primary mail address.

Reporter

You can enter account IDs or addresses into the mail reporter first, then configure the mail gateway to read this data from the mail reporter. You can use LDAP or text files to import this data into the mail reporter.

Local

Enter recipient addresses into the local recipient list. SESG will perform verification against this list. If a recipient is not in this list, SESG will not forward an incoming mail to it. You can copy-and-paste a bulk list of addresses here.

Intelligent Content Filter

The intelligent content filter determines the validity of a mail by matching specific content between the mail envelope and the mail header. You can select the sensitivity level of the filter:

Disabled: Disables the intelligent content filter.
Low: Checks whether the "MAIL FROM" of the mail envelope is consistent with the "FROM" in the mail header.
Middle: If only one person is listed in the RCPT TO field of the mail envelope, checks whether this is consistent with the TO or CC in the mail header.
High: If more than one person is listed in the RCPT TO field of the mail envelope, checks whether these are consistent with the TO or CC in the mail header.

Note that in most e-news, the MAIL FROM content in the mail envelope is never consistent with the "FROM" content of the mail header. Enabling the Intelligent Content Filter will thus block most e-news. To allow these e-news messages, add their addresses to the personal black and white list.

White/Black List

White List: Mails from addresses or domains specified here will be treated as valid mails.
Black List: Mails from addresses or domains specified here will be treated as spam mails.

Keyword

Specify keyword patterns to match against the mail header's From, To and Subject fields. Mails with text matching the keywords specified in the Deny Lists will be regarded as spam mails.

Keyword Classification

You can define keywords under different categories and enable filtering on them.

Heuristic Rule

Heuristic Rule detects spam mails based on the mail content and a score system. This section of the web admin allows you to configure settings in the Heuristic engine. The Heuristic engine has two main methods of detecting spam mails: the internal scoring system and the Bayesian database scoring system.

Internal scoring system

The Heuristic engine has over 1000 internal scoring rules to detect potential spam mails. When a mail matches one of these rules, its score will increase by one. When the total score reaches a threshold, the mail will be flagged as a spam mail.

Bayesian database scoring system

This system compares the rates of occurrence of specific data, such as keywords in the mail header, words/phrases in the mail body, HTML code, etc., between the valid mails and the spam mails to derive rules with which to detect future spam mails. For example, assume a company received 1000 mails, out of which 900 are found to be spam mails with the keyword loan in the mail body (while the valid mails do not have such a keyword). One can thus conclude that any future incoming mail that also contains the word loan in the mail body is also a spam mail. The Bayesian system also analyzes keywords in both the historical spam mails and valid mails to determine the possibility of a future spam mail. Therefore a mail originating from a trusted sender which happens to contain a keyword belonging in the bad list will still be delivered to you simply because it is from a historically trusted sender. The premise for the Bayesian database scoring system is that a company must provide archives of its historical spam and valid mails.

There are four groups of settings to configure the Heuristic Rule:

Heuristic Rule Settings

Enable Heuristic Rule Checking: Select to enable Heuristic engine inspection. This enables you to configure 3 sub-settings:
Spam Score: Select to insert the spam score in the mail header.
Min. Score: Sets the lowest score of a spam mail. After each heuristic scan, each mail accumulates a spam score. The higher the score, the higher the possibility of this mail being spam. Min. Score acts as a threshold to decide which mails will be flagged as spam.
It is recommended that you set the score between 3.0 and 4.0 so that you will have a higher accuracy rate for detecting spam mails. If you set Min. Score too high, you might miss some spam mails; set it too low and legitimate mails might be mistaken for spam.
Size Limit: According to actual statistics, only 1% of spam mails exceed 64KB in size. You can allow large mails to skip scanning, thereby speeding up the scanning process.

Advanced options
Use RBL Check: If the sender's IP address is contained in the RBL list, the Heuristic engine will increase the score for this mail when this option is enabled. The RBL uses the connecting party's IP address in its filtering checks, while the Heuristic engine uses the IP addresses in the mail's header in its filtering checks.
Use Bayesian Filtering: See Bayesian database scoring system above. Check this option to enable Bayesian filtering and open up additional options:
Enable Auto Learning: The Bayesian algorithm gets better with active user feedback on valid and spam mails. However, if such regular and accurate feedback is difficult to achieve, the system can still improve by using auto-learning. In this case, specific scores are assigned to represent a valid or spam mail; the system will learn to distinguish them. Note that there should be an ample sampling size for auto-learning; otherwise it should be turned off.
Apply Bayesian Rules: This is the sampling size for auto-learning, which determines how many mails the system should sample (i.e. noting the score for each mail) before auto-learning is activated to return a verdict on whether the mail is valid or spam.

Once Bayesian Filtering is enabled, the mail detection score will be derived from both the Bayesian algorithm result and the score derived from the Heuristic Rule (instead of being based solely on the Heuristic Rule score). However, in this case the Heuristic Rule's part in the total mail detection score will be lowered, as the system will favor the Bayesian Rules score. This is because the Bayesian Rules scoring system is a result of constant, dynamic user feedback on the actual situation in the company (hence more accurate), whereas Heuristic Rules are based on a fixed set of algorithms. That is why the number of samples in the database which the Bayesian Rules draw upon is important, as it directly affects the recognition rate.

Advanced Settings
You may fine tune the scores of the heuristic rules in order to optimize interception. When you open a mail and view its header, the detection results of the heuristic rules, including which rules the mail satisfied, are recorded in the header. Each numerical value shown below is the score of a matched rule, followed by the rule name and the description of the rule. You may adjust the score given by each rule.

  X-Spam-Checker-Version: SpamAssassin ( ) on mailgw.sifoml.com
  X-Spam-Status: score=1.2 required=3.0
  X-Spam-Report:
    1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
    0.1 FORGED_RCVD_HELO Received: contains a forged HELO
    0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60% [score: ]

If you want to raise the score of the rule FORGED_RCVD_HELO to 1.0, you need to fill the following into the blank field:

  score FORGED_RCVD_HELO 1.0

Heuristic Rule Update
Fig. 4.4
The Heuristic rule will be updated regularly. You can schedule SESG to update the Heuristic Rule by the hour daily; just select the hour at which you wish to check for updates.

Learning Database
Export Learning Database: click Export to export the learning database.
Import Learning Database: click Import to import the learning database.
Clear Learning Database: click Clear to clear the learning database.
Reset Learning Database: click Reset to Default to load the built-in learning database.
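A way to preview the effect of a score override before entering it in the Advanced Settings field, using the header format shown above. This is an added example, not code from SESG or SpamAssassin: the function names and the sample headers (modelled on the header in this guide) are constructed for illustration, and it assumes a mail is flagged once its total reaches the required score.

```python
from decimal import Decimal
import re

# Constructed sample modelled on the header shown in this guide; the
# version string and the Bayes probability are elided on the page and omitted.
SAMPLE_HEADERS = """\
X-Spam-Status: score=1.2 required=3.0
X-Spam-Report:
 1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
 0.1 FORGED_RCVD_HELO Received: contains a forged HELO
 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
"""

NUM = r"-?\d+(?:\.\d+)?"
STATUS_RE = re.compile(rf"^X-Spam-Status:.*?score=({NUM})\s+required=({NUM})", re.M)
# A report line is a folded header line: whitespace, score, RULE_NAME, text.
HIT_RE = re.compile(rf"^[ \t]+({NUM})[ \t]+([A-Z][A-Z0-9_]*)[ \t]+(.*)$", re.M)
OVERRIDE_RE = re.compile(rf"^score[ \t]+([A-Z][A-Z0-9_]*)[ \t]+({NUM})$")


def parse_headers(headers):
    """Return (reported_score, required, [(rule, score, description), ...])."""
    status = STATUS_RE.search(headers)
    if status is None:
        raise ValueError("no X-Spam-Status header with score= and required=")
    hits = [(name, Decimal(score), desc.strip())
            for score, name, desc in HIT_RE.findall(headers)]
    return Decimal(status.group(1)), Decimal(status.group(2)), hits


def parse_overrides(text):
    """Parse 'score RULE_NAME value' lines and reject anything else."""
    overrides = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = OVERRIDE_RE.match(line)
        if m is None:
            raise ValueError(
                f"line {lineno}: expected 'score RULE_NAME value', got {line!r}")
        overrides[m.group(1)] = Decimal(m.group(2))
    return overrides


def rescore(headers, override_text):
    """Recompute a mail's total with the overrides applied to the rules it hit."""
    reported, required, hits = parse_headers(headers)
    overrides = parse_overrides(override_text)
    before = sum((s for _, s, _ in hits), Decimal("0"))
    after = sum((overrides.get(n, s) for n, s, _ in hits), Decimal("0"))
    return {
        "before": before,
        "after": after,
        "required": required,
        # False means the report lines do not add up to the reported score.
        "report_consistent": before == reported,
        "flagged_before": before >= required,
        "flagged_after": after >= required,
        # Overrides naming rules this mail never hit have no effect on it.
        "unused_overrides": sorted(set(overrides) - {n for n, _, _ in hits}),
    }


if __name__ == "__main__":
    for key, value in rescore(SAMPLE_HEADERS, "score FORGED_RCVD_HELO 1.0").items():
        print(f"{key}: {value}")
```

Running the same override over a set of known-valid mails shows how many would newly cross Min. Score before the change is applied to live traffic.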

4.5 Anti-Spam (Outbound)
The Anti-Spam (Outbound) option consists of 5 sub-options:
Policy
Intelligent Content Filter
White/Black List
Keyword
Heuristic Rule

Policy
Here you can configure settings for Policy, Advanced Settings, Excluded List, and Included List for outbound spam mails, accessible via four separate tabs.

Policy
Enable Inbound Anti-Spam Policy: There are three policies available: user-defined, group, and system policies. By default these three policies are all enabled. You can also modify the order in which these policies will be used by the system.
How to react with Spam: Here you can select one of the three modes in which the system will handle detected spam mails. Note that only mails with senders listed in the Included List will be checked for spam. If the Included List is empty, then all mails will be checked. The exception is when Hybrid mode is selected, where all mails will be checked regardless. When senders appear in both the Included List and the Excluded List, the Excluded List will take precedence. The three modes are:
Quarantine mode: Mails will be quarantined.
Test mode: Mails will not be quarantined and will instead be delivered together with the rest of the valid mails, although a copy of the spam mail will be stored in the Reporter spam directory.
Hybrid mode: Mails will be quarantined only if the recipients are part of the Included List. Otherwise, they will be delivered together with the rest of the valid mails, although a copy of the spam mail will be stored in the Reporter spam directory.
How to add spam tag: Specify where to add the spam tag on the mail: header or subject. You can also specify the content of the tag.

Advanced Settings
If Anti-Spam (Outbound) is enabled, you will also need to specify the outbound IP addresses that will be subjected to filtering in the Outgoing Mail Source IP Filtering List.
Note that if you are using transparent mode, which uses port 2 to send outgoing mails, all mails will be subjected to filtering regardless of this list. If the system is working in transparent mode and you want specific IP addresses to skip filtering, you can add those addresses to the Allow List in the Anti-Relay option.

Excluded List
You can specify senders whom you want to be excluded from the anti-spam (outbound) policy by entering them into the Excluded Sender List.

Included List
You can specify senders whom you want to be included in the anti-spam (outbound) policy by entering them into the Included Sender List. If this list is empty, then all senders are included in the anti-spam policy.

Intelligent Content Filter
This is identical to the Intelligent Content Filter in the Anti-Spam (Inbound) option. See section for details.

White/Black List
White List: Mails from addresses or domains specified here will be treated as valid mails.
Black List: Mails from addresses or domains specified here will be treated as spam mails.

Keyword
Specify keyword patterns to match against the mail header fields From, To and Subject. Mails whose text matches the keywords specified in the Deny Lists will be regarded as spam mails.

Heuristic Rule
Enable Heuristic Rule Checking: Select to enable Heuristic engine inspection. This will enable you to configure 3 sub-settings:
Spam Score: Select to insert the spam score in the mail header.
Min. Score: Sets the lowest score of a spam mail. After each heuristic scan, each mail will accumulate a spam score. The higher the score, the higher the possibility of this mail being spam. Min. Score acts as a threshold to decide which mail will be flagged as spam. It is recommended that you set the score between 3.0 and 4.0 so that you will have a higher accuracy rate for detecting spam mails. If you set Min. Score too high, you might miss some spam mails; set it too low and legitimate mails might be mistaken for spam.
Size Limit: According to actual statistics, only 1% of spam mails exceed 64KB in size. You can allow large mails to skip scanning, thereby speeding up the scanning process.

4.6 Anti-Virus
SESG has integrated mail anti-virus scan software into the system. You may enable or disable these anti-virus scans, or configure the anti-virus software. At the moment, two powerful mail anti-virus scan programs are available in SESG: Clam Mail Scan and Kaspersky Mail Scan. These programs can be configured by accessing the three tabs.
Note: Kaspersky mail scan is 3rd-party software that must be purchased separately, or the scan will not be made available in the system.

Basic Settings
These are basic settings which apply to all the anti-virus software available in the system.
Enable / Disable Virus Scan and Scanning order: Check the software name to enable the software. You may also re-arrange the software position to specify which software should scan first and which should scan next.

Scan Inbound/Outbound/All Message: You can choose whether to scan inbound, outbound, or both types of messages. The action taken by SESG upon detecting a virus in the mail is shown in the following table:

Mail Direction Inbound Outbound Relay Local Action being taken after the virus is found Quarantined Disconnects after sending response message to sender

The response message is 451 Requested actions aborted: virus detected.

Note: If mails are sent out from a client computer through SESG, via its own mail server first, and SESG uncovers a virus and terminates the connection, the mail server will assume delivery failure and return the mails to the client computer.

You can cut down on massive mail scanning (which will usually affect system performance) by specifying mail sizes for which mails skip the scanning process.

Kaspersky Anti-Virus
Kaspersky Engine - Displays basic information about Kaspersky.
Kaspersky Update: To get the necessary updates, you need to enter the License Key, Username and Password for verification.
Daily Update: You can schedule SESG to auto update Kaspersky by the hour daily; just select the hour(s) at which you wish to check for updates.
Send notification: You can specify how SESG should send the notification to specific recipients. Check this option to enable sending of notifications, and then select one of the conditions to send from the pull-down box.
Fig. 4.5
The notification recipients are specified in the System Notification tab in Configuration>Web Admin.
Update Manually: You may manually update Kaspersky as and when needed by clicking the Update button. The update process may take several minutes, or more than ten minutes.

Clam Anti-Virus
Clam Engine - Displays basic information about ClamAV.
Clam Update
Daily Update: You can schedule SESG to auto update Clam by the hour daily; just select the hour(s) at which you wish to check for updates.
Send notification: You can specify how SESG should send the notification to specific recipients. Check this option to enable sending of notifications, and then select one of the conditions to send from the pull-down box. The notification recipients are specified in the System Notification tab in Configuration>Web Admin.
Update Manually: You may manually update Clam as and when needed by clicking the Update button. The update process may take several minutes, or more than ten minutes.

Chapter 5 Mail Control

The Mail Control feature allows you to handle mails with specific characteristics differently, e.g., mail forwarding, changing mail routing, setting mail alias, etc.

Fig. 5.1

There are 5 sub menu options under Mail Control:
Sender Forwarding
Recipient Forwarding
Mail Routing
Mail Alias
Archive

5.1 Mail Forwarding (Sender / Recipient Forwarding)
This feature forwards mails with a certain sender or recipient address pattern to another address. You can enter the address pattern and the address to be forwarded to into the Sender Forwarding (or Recipient Forwarding) text box. The format is:

  <Sender/Recipient Address Pattern>=<Destination Forwarding Address>

For example, the string [email protected] means to forward mail with the sender/recipient address containing louis (e.g. [email protected]) to the address [email protected].

You can specify multiple forwarding addresses by appending them to the last forwarding address, separated by a comma. For example:

  [email protected],[email protected],[email protected]

You can also specify multiple forwarding patterns by entering a new forwarding pattern on a new line in the text box. For example,

The third line specifies forwarding of mails from a whole domain to another domain.

Note that the forwarded mails will still be sent to the original intended destination. The only exception is when forwarding mails based on a recipient address pattern (Recipient Forwarding): you can prevent the mail from going to the original intended recipient by specifying Aliases for the recipient (see section 5.3).

5.2 Mail Routing
This feature allows you to specify where mails of one domain can be routed to another domain. This is essential in a multiple mail network domain or multiple mail server environment. You can specify routing based on recipient domain or sender domain by entering the routing rules in the Mail Routing by Recipient's Domain and Mail Routing by Sender IP Address tabs respectively.

Mail Routing by Recipient's Domain
The rule format is:

  < Recipient Domain > = < Domain or IP Address >

For example: aaa.com=mail.aaa.com or bbb.com=

You can specify multiple forwarding rules by separating them with a new line. When the recipient domain meets the rule, the mail will be forwarded to the specified network domain or IP address. Note that the rules set here will only be consulted by SESG's built-in MTA, after referring to the DNS.

Mail Routing by Sender IP Address
Mail Routing by Sender IP Address works like a typical IP Policy Route feature in a network. The rule format is:

  <Sender IP Address> = <Mail Relay Server IP Address >@<Mail Relay Server Connection Port>

Example 1: ^ = (Remember, ^ means to match in full)
Example 2: = @2525

If the Connection Port is not specified (as in example 1), then the default port 25 is used. You can also specify multiple forwarding rules by separating them with a new line. Note that if no mail relay server is specified here, all the emails will be forwarded to the default mail relay host specified in the option Configuration > SMTP Service.

5.3 Mail Alias
You may use a mail alias to redirect a recipient mail address. This is especially useful when the user's mail box has changed (e.g., the user moved to a new department with a different address, or the company's network domain name has changed) but the user would like to continue to receive emails sent to the old mail box. Note that the difference between Mail Alias and Mail Forwarding (section 5.1) is that in Mail Alias, the mail will not be sent to the original destination. The rule format is:

  < Recipient Address Pattern > = < Forwarding Address Pattern >

For example:

You can specify multiple forwarding rules by separating them with new lines.

SESG can also read a set of aliases from a Channel Alias File to change mail aliases. You can instruct SESG to locate this file via a URL specified in the Advanced Operations text box, and click Transfer File to import the file. The Channel Alias File content format is as follows:

  abc: cde: xyz xyz

where abc, cde are alias names, xyz is the recipient

Archive
You can specify the emails to be archived, based on the emails' senders' or recipients' addresses. The Included List contains address patterns of mails you want to archive, while the Excluded List contains address patterns you do not want to archive. The Included IP contains specific IP addresses you want to archive, while the Excluded IP is vice versa. Only valid mails (i.e. mails that have not been rejected through spam mail scanning; this includes mails that have not gone through any spam mail scanning) will be archived. Also, note that if the Included List is empty, all valid mails will be archived.

Chapter 6 Mail Policy Compliance

Mail Policy Compliance allows you to manage mail policy for incoming and outgoing mails. Six sub menu options are available:
Inbound Mail Policy
Outbound Mail Policy
Condition
Delay Schedule
DomainKeys
Edit Mail Footer

Fig

Inbound/Outbound Mail Policy
You can define two types of mail policies: inbound mail policy and outbound mail policy. Inbound mail's recipients belong in the local mail domain while outbound mail's recipients do not. As shown in the Mail Policy List (shown below in an example), each policy consists of a status (enabled or disabled), Policy Name, the content (the rules), and the action corresponding to the content.

Fig. 6.2

The content of the policy is constructed by defining matching conditions, an action, and other options. Click Edit next to the policy to edit it, or click the New Inbound (Outbound) Policy tab to define a new policy. The policy definition interface is shown in the example below:

Fig. 6.3

To define a new policy:

Step 1: Enter a Policy Name.

Step 2: Set the conditions for matching/filtering. First select the Condition Type. This can be Sender, Recipient, Group, Time, ContentType, Keyword, and FuzzyKeyword. For details on these condition types, see section 6.2. After selecting a condition type, the corresponding conditions that are available will appear in the text box below. These conditions are previously defined via the Condition option (Mail Policy Compliance>Condition). For details on how to define these conditions, see section 6.2. Then click the condition you want to include in the policy (the condition will be highlighted), and select either Match or NOT Match. This indicates whether the mail policy is met by matching the condition or by the opposite of the condition. Then click the >> button to include the condition in the list of Condition(s) to be matched. This will form part of the conditions of your policy. You can select as many conditions as you like (setting them to Match or NOT Match) from the available list and include them in the Condition(s) to be matched list. The NOT Match conditions appear with a ! symbol in front of the condition. The Filter text box allows you to narrow down the available list of conditions based on words you want to filter out.

Step 3: Now select the action to be taken when a match is found. These include:
Quarantine: Quarantine all mails matching this policy.
Delete: Move all mails matching this policy to the [Deleted Mail] folder. This mail will not be listed in the notification mails. The administrator can resend this mail from the [Deleted Mail] folder.
Reject: Mails matching this policy will be returned to the sender.
Drop: Mails matching this policy will be discarded.
Confirm: Mails matching this policy will be temporarily blocked from the recipient. The group administrator can log into the SifoML Mail Reporter system and confirm the mail to continue sending it to the recipient's mailbox.
Release: Mails matching this policy will be allowed to pass through the system.
None: No actions will be executed on mails matching this policy. The system will continue searching for the next matching policy. All additional actions of the

Step 4: Define additional actions to be taken when a match is found. You can select from a list by clicking the More Options link.
Log: The action taken on the mail will be recorded in the log file.
Notify Group Administrator: The group administrator will be notified of the action taken on the mail.
Reply to Sender: The sender will be notified of the action taken on the mail.
Mail Priority: Select the priority of the mail delivery. If delay is selected, mails will be delivered according to the setting in Mail Policy Compliance > Delay Schedule.
Scan keyword in a mail's: Select whether to scan the mail's Header, Body, Attachment filename, and/or Attachment Content for matching keywords.
No Archive: Do not back up the mails matching this policy.
Append Mail Footer: Add signatures to the mails matching this policy.

Step 5: You can also specify a forwarding address to forward the mail to (Forward to: text box), and specify a specific relay host (IP address and port number). However, these are optional.
Then click OK to save the policy and return to the Policy list. At the list, you will need to click Apply to activate the new or changed policies.

6.2 Condition
Conditions are the core of a mail policy, and must be defined before you can set up a mail policy. There are 4 types of conditions you can define: keyword, content, time and sender/recipient.

Keyword Condition
You can define keywords you want to match in the mail (any part of the mail, including the body). This is useful when you want to scan for mails with specific known keywords and intercept them before they go to their destination. For example, you might want to intercept mails that could be pornographic in nature. Such mails usually contain words like sex, naked, etc.

FuzzyKeyword
When specifying conditions for a mail policy, selecting specific keywords as the condition means the system will try to match the whole word. For example, if the keyword confidential information is selected as a keyword condition, then the system will look for the phrase confidential information as a whole in the mail. However, when defining a mail policy, you can also select FuzzyKeyword as a condition. FuzzyKeyword shares the same set of keywords defined here. But if FuzzyKeyword is selected as the condition, then the system will try to match the keyword to the mail text intelligently. For example, if the fuzzy keyword is confidential information, then the phrases confidential and restricted information or confidential proposal on your information will be declared a match, provided that the words and restricted and proposal on your are not part of the keywords.

UTF-8 Encoding
All keywords are stored in UTF-8 encoding, so that you can fill in keywords in various encodings on the screen, such as Japanese, Korean, Simplified Chinese, and Traditional Chinese, which are converted into UTF-8 encoding for storage. An example of a keyword condition is shown in the following diagram.

Fig. 6.4

Content Type
This condition checks the mail type, size and the attachments it carries. You can also use this condition type to check the mail's spam score. The specific types of content conditions you can use are:

MIME type
Types of mail attachment, using the classic Windows file type definition (e.g. image/jpeg). When the system sees the / symbol, it will recognize the condition as checking for a MIME type. For example, application/x-shockwave-flash checks for a Flash file. You can also use the wildcard * symbol to represent an entire class of MIME types, for example, audio/* to represent all audio files. You can also append <, > and = to check for the size or the number of attachments of that MIME type. For example, image/jpeg > 10 MB means to check for mails whose attachments of type image/jpeg are more than 10MB in total. Another example: text/html > 5 means to check for mails with more than 5 attachments of type text/html.

Attachment File Extension
Strings that begin with a . will be recognized as an attachment file extension. For example, .txt for a text file, .doc for a document file. You can also append <, > and = to check for the size or the number of the attachments of that extension type. For example, .jpg > 10 MB means to check for mails whose attachments with extension .jpg are more than 10MB in total. Another example: .pdf > 5 means to check for mails with more than 5 attachments with extension .pdf.

Spam Score
Strings that begin with the word score followed by either a >, < or =. For example, score > 3.5 checks the mail's spam score for anything more than 3.5.

Mail Size
Strings that begin with */* refer to the entire mail. So */* followed by >, < or = and a number specifies the size of the entire mail to be matched. For example, */* > 20 MB checks the mail size for anything more than 20 MB.

Attachment Count
Strings that begin with */*:attachment count the number of attachments in the mail.
For example, */*:attachment <5 checks for mails that have less than 5 attachments.

You can also mix and match the conditions using the & or AND junction. For example, the condition */*:attachment>5 & score>4 & score <6.5 means to check for mails with more than 5 attachments, and spam scores between 4 and 6.5.

Time Condition
This condition checks the date and time of the mail. The specific types of time conditions you can use are:

Date
You can specify specific dates such as 2/14 (14 February), or a range such as 10/1-12/15 (1 October to 15 December). To indicate any one of the specified dates, use a comma. For example, 7/2, 7/4 means either 2 July or 4 July.

Weekdays
You can specify a specific day of the week such as Wed (Wednesdays), or indicate any one of the weekdays specified, separated by a comma. For example, Mon, Wed, Thu means either Monday, Wednesday or Thursday.

Time slot
You can specify a timeslot in a day using the format HH:MM-HH:MM. Note that the time is in 24-hour format. For example, 9:30-16:45 represents a timeslot from 9:30am to 4:45pm. You can also indicate either one of two timeslots using a comma. For example, 12:00-12:30, 18:00-18:30 means either the timeslot from 12pm to 12:30pm, or from 6pm to 6:30pm.

You can also mix and match the time conditions, using the comma to represent an AND junction. For example, the condition 12/15, Mon, Wed, 10:00-17:00 means 15 December AND either Monday or Wednesday AND the time is from 10am to 5pm.

Sender/Recipient
There are several formats to specify a sender/recipient condition:
Full Address: <account>@<domain>. E.g. [email protected] This means that all addresses with this domain, such as [email protected], [email protected], etc., fall under this condition.
account: <account>@. E.g. richard@. This means that all addresses with this account, such as [email protected]. [email protected], etc., fall under this condition.
Address substring: Any string that does not contain the @ symbol and does not fit into the IP Address or Sub-Network format (see below) will be an address substring. All addresses that contain this substring fall under this condition. For example, steven means that the addresses [email protected], user1@steven_corp.com fall under this condition.
IP address: Strings in the format #.#.#.# are addresses that fall under this condition. For example,
Sub-Network: Strings in the format #.#.#.#/#.#.#.# are addresses that fall under this condition.
For example, / Note that the special string / means all IP addresses.
DomainKeys Verification: These are specific strings representing different DomainKeys verification conditions:
DK_OK: Signed with a valid DomainKeys signature
DK_FAIL: Signed with an invalid DomainKeys signature
DK_NOKEY: Signed with a DomainKeys signature but the public key is not available for verification
DK_NOSIG: Not signed with a DomainKeys signature

6.3 Schedule for Delayed Mails
When setting up mail policies, the administrator can delay the sending of mails satisfying the policy by configuring the additional options. To set the time at which delayed mails will be sent, click the Delay Schedule menu option from the left column. In the interface that appears, select the hours of the day at which delayed mails will be sent. Click Apply to save the configuration or Reset to return to the previous setting.

6.4 Domain Keys
Import domain keys into the system by selecting DomainKeys from the menu to view the interface. Enter the Domain Name and select the Private Key file to be imported by clicking the Browse button. Click Import to import this key file. The imported file will be listed in the list below.

6.5 Mail Signature
To configure the signature appended to mails, select the Edit Mail Footer menu option from the left column. Select whether the signature is to be displayed as Plain text or HTML Text and type the signature in the textbox below. Click Apply to save the configuration.

6.6 Application Examples for Setting up Mail Policies

Send Mails after Confirmation by Administrator
In this example, we want to set up a policy such that mails to a specific employee regarding the transfer of personnel will only be sent after the group administrator (such as the department head) confirms the mail. The mail must also be forwarded to the head of the human resource department.
Step 1: Add a keyword condition that includes all keywords relating to job seeking such as resume, salary etc.
Step 2: Add a sender/recipient condition that includes the receiver's address.
Step 3: Add an incoming mail policy. Select the 2 conditions configured in the steps above. Select Confirm as the action to be executed. Click More Options and select the following: Log and Notify group administrator. Select all the options from the scan keyword in a mail's field. In the Forward to textbox, enter the address of the head of the human resource department.
Step 4: Click OK to save the new policy. In the policy list, click Apply to apply the new policy.

Delayed Mails
In this example, we want to set up a mail policy such that the sending of mails containing large image and voice files originating from the personnel belonging to a particular department will be delayed until night time.
Step 1: Add a content type condition for MIME type files. Specify the condition value as audio/* video/* to indicate all MIME audio and video files. Add a second content type condition for Flash MIME type files with the condition value application/x-shockwave-flash as shown below:
Fig. 6.5
Step 2: Add an outgoing mail policy.
Select Group as the condition type and choose the groups (as created in the Reporter system) to apply the policy to. You can enter the full or partial group name in the filter textbox below to search for specific groups.

Step 3: Select ContentType as the condition type and add the conditions set up in Step 1.
Step 4: Select Pass as the action to be taken. Click More Options and select the following: Notify Original Sender and Delayed for Mail Priority. Click OK to add the new policy and Apply from the outgoing policy list to apply the policy.
Step 5: Click Mail Policy Compliance > Delay Schedule and select 18 to send all delayed mails after 1800 hours daily.

Fig

Fuzzy Keyword Matching
SifoML mail policy supports fuzzy keyword matching. For the Chinese, Korean and Japanese languages, the fuzzy keyword function will automatically remove any non-English or numerical symbols from the phrase it is being matched with. For the English language, phrases can be matched even if they contain words that were not specified as keywords. For example, if the keyword is [this is a book], mails containing contents such as [this is a boring book] will also be successfully matched if fuzzy keyword matching is enabled. To enable this, simply add a new mail policy with the condition type selected as FuzzyKeyword. Add a new keyword condition and select this as the matching condition for the policy. Configure all other settings accordingly. Save and apply the new policy.

Outgoing Mails with Mail Signature and DomainKeys Signature
You can append a mail signature and DomainKeys signature to mails by configuring the following:
Step 1: Set up the mail signature by selecting Mail Policy Compliance > Edit Mail Footer from the menu.
Step 2: Set up the domain key by importing a private key for a network domain from the menu Mail Policy Compliance > DomainKeys.
Step 3: Set up a Sender/Recipient condition specifying all senders/recipients by setting the condition value as /
Step 4: Add a new Outgoing Mail Policy. Select the condition configured in step 3 above and None as the action to be taken.
Click More Options and select the following: Append Mail Footer and DomainKeys Signature Delete Spam Mails with an Exceedingly High Score In this example, we want to setup a policy to delete all spam mails with a score exceeding 25. The mails will be sent to the deleted mail folder and will not be listed in notification mails. These mails will only be viewable to administrators and can be resent from the deleted mail folder. SifoML Security Gateway Administrator s Guide

Step 1: Add a content type condition with the value as score > 25.

Step 2: Add an Incoming Mail Policy. Select the above configured condition as the matching condition for this policy. Select the action as Delete. Save and apply the new policy.

Mails Verification via DomainKeys

In this example, we set up a policy to verify mails via the appended DomainKeys signature. If the verification fails, the mail will be quarantined. All mails without DomainKeys signature will also be quarantined.

Step 1: Add a Sender/Recipient condition specifying all senders and recipients. Add a dk_fail value. This condition will match all mails that have domain keys but fail verification.

Fig. 6.7

Step 2: Providers such as gmail.com and yahoo.com should have domain keys. Set up a Sender/Recipient condition to match mails from such providers:

@yahoo.com dk_nosig

This will match all mails that have no domain key signatures but are from the specified mail providers.

Step 3: Add a new incoming mail policy. Select the 2 conditions configured above as the matching conditions for the policy. Select Quarantine as the action to be taken. Save and apply the new policy.

All mails that have domain key signatures but fail verification will be quarantined. All mails that have no domain key signatures but are from the specified mail providers will also be quarantined.

Blocking Specific Spam Mails

To avoid detection, some spam mails contain only enclosed image files or irrelevant contents. This example demonstrates the combined use of the content type condition to block such spam mails.

Step 1: Add a content type condition and select Mixed Content Type Condition from the right drop down menu. Enter the following rules into the textbox.

image/gif > 10 kb & image/gif < 15 kb & */*:attachment = 0 & score > 0 & score < 3.0 & application/* = 0 kb
image/gif > 50 kb & image/gif < 70 kb & */*:attachment = 0 & score > 0 & score < 3.0 & application/* = 0 kb

This matches all mails that have images of the specified size, have no attachments, have a spam mail score between 0 and 3, and contain no application type parts.

Fig. 6.8

Step 2: Add a keyword condition containing commonly found words from e-letters such as politics, entertainment etc.

Step 3: Add an incoming mail policy. Add the content type condition configured in Step 1 to be matched to the mails. Select Not Match and add the keyword condition configured in Step 2 to specify that the policy should match mails not containing the keywords in the condition.

Step 4: Select the action to be taken as Quarantine. Save and apply the new policy.
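To check which mails the Step 1 rules cover before the policy is applied, the following added example (not SifoML's own code) evaluates the two rule lines against constructed MIME messages. It assumes that each line is a separate rule and any one may match, that a `kb` term compares the total decoded size of parts of that MIME type, and that `:attachment` counts parts with an attachment disposition; the gateway's own parser may differ.

```python
import fnmatch
import operator
import re
from email.message import EmailMessage

# The two rule lines from Step 1, one rule per line (assumed layout).
RULES = """\
image/gif > 10 kb & image/gif < 15 kb & */*:attachment = 0 & score > 0 & score < 3.0 & application/* = 0 kb
image/gif > 50 kb & image/gif < 70 kb & */*:attachment = 0 & score > 0 & score < 3.0 & application/* = 0 kb
"""

OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq}
TERM = re.compile(
    r"(score|[\w*.+-]+/[\w*.+-]+)(:attachment)?\s*([<>=])\s*(\d+(?:\.\d+)?)\s*(kb)?",
    re.IGNORECASE,
)
# (is_score, has ':attachment', has 'kb') -> what the term measures (assumed semantics)
KINDS = {
    (True, False, False): "score",   # spam score assigned by the gateway
    (False, True, False): "count",   # number of attachment parts of that type
    (False, False, True): "size",    # total decoded size of that type, in KB
}


def parse_rule(line):
    """Split one rule line on '&' into (kind, mime_pattern, op, value) terms."""
    terms = []
    for raw in (t.strip() for t in line.split("&")):
        m = TERM.fullmatch(raw)
        kind = m and KINDS.get((m[1].lower() == "score", bool(m[2]), bool(m[5])))
        if not kind:
            raise ValueError(f"unrecognised term: {raw!r}")
        terms.append((kind, m[1].lower(), m[3], float(m[4])))
    return terms


def summarise(msg):
    """Return (content_type, decoded_size_bytes, is_attachment) per leaf MIME part."""
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        is_attachment = part.get_content_disposition() == "attachment"
        parts.append((part.get_content_type(), len(payload), is_attachment))
    return parts


def term_matches(term, parts, score):
    kind, pattern, op, value = term
    if kind == "score":
        actual = score
    else:
        hits = [p for p in parts if fnmatch.fnmatchcase(p[0], pattern)]
        if kind == "count":
            actual = sum(1 for p in hits if p[2])
        else:
            actual = sum(p[1] for p in hits) / 1024
    return OPS[op](actual, value)


def first_matching_rule(rules_text, msg, score):
    """Return the 1-based number of the first rule line that matches, else None."""
    parts = summarise(msg)
    for number, line in enumerate(rules_text.strip().splitlines(), start=1):
        if all(term_matches(t, parts, score) for t in parse_rule(line)):
            return number
    return None


def build_mail(gif_kb, with_pdf=False):
    """Constructed sample: short text body plus an inline GIF of gif_kb KB."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see picture")
    gif = b"GIF89a" + bytes(gif_kb * 1024 - 6)  # filler bytes, not a real image
    msg.add_related(gif, maintype="image", subtype="gif")
    if with_pdf:
        msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                           subtype="pdf", filename="sample.pdf")
    return msg


if __name__ == "__main__":
    samples = [
        ("12 KB inline GIF, score 1.5", build_mail(12), 1.5),
        ("60 KB inline GIF, score 2.0", build_mail(60), 2.0),
        ("30 KB inline GIF, score 1.5", build_mail(30), 1.5),
        ("12 KB inline GIF, score 4.2", build_mail(12), 4.2),
        ("12 KB GIF + PDF attachment, score 1.5", build_mail(12, with_pdf=True), 1.5),
    ]
    for label, mail, score in samples:
        print(f"{label}: matched rule {first_matching_rule(RULES, mail, score)}")
```

Mails that return no rule number are not covered by this condition and are left to the other configured policies.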

Chapter 7 Event Logs

Click the Event Log function at the main menu bar to display the 2 sub menu functions:

Monitor Log
Search Log

Log files are used for the real-time monitoring of the system and facilitate the maintenance of the system.

Fig. 7.1

7.1 Monitor Logs

Click Monitor Log from the left sub menu to display the log file. A partial list is displayed in the figure below:

Fig. 7.2

There are 5 types of log files that can be displayed: System Event logs, Traffic Event logs, Blocking Event logs, Administrative Event logs and Mailer Event logs. Select the Type from the drop down menu and specify the date of the log file to view. You can also select whether the displayed log should be refreshed at a specified interval. Click View Log to display the log file for the particular type and date.

Note: When the log file is too large to be fully displayed in the interface, only the last 40KB of the file contents will be listed. To view the entire file, click the Download link to store the log file as a .txt file on the local disk.

7.2 Search Logs

You can search log files based on their contents using this function. Click Search Log from the sub menu options on the left to view the interface.

Fig. 7.3

Select the log type and specify the date of the log file to search. Enter the search phrase into the textbox. Click Search to begin searching the contents of the specified log file.

Note: The search process will be terminated if the search results exceed 500. You can use more precise search phrases to reduce the number of returned results if this happens.

For example, to search today's blocking event logs for the phrase empty, select Blocking Event from the type drop down menu, enter today's date and type empty in the search textbox. The search results will be displayed in the list below as shown in Fig. 7.4:

Fig. 7.4

Appendix A Wizards

SESG provides a quick start-up wizard feature, leading you through the basic configuration setup. Click the tab function Wizard on the lower left page to bring up the quick startup wizard. Simply follow the steps in the wizard to configure this feature.

Appendix B Shutting Down

Restart SMTP Service: Click the Restart button to restart the SMTP service. The rest of the system will still be in operation.

Reboot System: Click the Reboot button to restart the entire system.

Shutdown System: Click Shutdown to shut down the system. Note that the system will not automatically restart after shutting down through this method.

Appendix C Recovery Procedure

You can establish an RS-232 connection with SESG in the event that you need to perform a system recovery. Use a null-modem cable to connect the PC's COM port to SESG's COM port. Start a HyperTerminal session on the PC and configure the following COM port settings: baud, 8 data bits, no parity, 1 stop bit and no flow control. Connect to SESG from HyperTerminal and log in with the account name emergency and the password emergency.

Upon successful login, you will see the following menu. Enter 1 to reset the admin password; enter 2 to reset the network; enter q to exit the menu. Press <enter> after entering the selection number to execute the corresponding function.


More information

How To Check If Your Router Is Working Properly On A Nr854T Router (Wnr854) On A Pc Or Mac) On Your Computer Or Ipad (Netbook) On An Ipad Or Ipa (Networking

How To Check If Your Router Is Working Properly On A Nr854T Router (Wnr854) On A Pc Or Mac) On Your Computer Or Ipad (Netbook) On An Ipad Or Ipa (Networking Chapter 7 Using Network Monitoring Tools This chapter describes how to use the maintenance features of your RangeMax NEXT Wireless Router WNR854T. These features can be found by clicking on the Maintenance

More information

Deploying ModusGate with Exchange Server. (Version 4.0+)

Deploying ModusGate with Exchange Server. (Version 4.0+) Deploying ModusGate with Exchange Server (Version 4.0+) Active Directory and LDAP: Overview... 3 ModusGate/Exchange Server Deployment Strategies... 4 Basic Requirements for ModusGate & Exchange Server

More information

Aloaha Mail and Archive

Aloaha Mail and Archive Aloaha Mail and Archive Aloaha Mail and Archive is an email archiving solution that can archive inbound-, internal and outbound emails directly and transparently into a central mailstore. Additionally

More information

Chapter 6 Using Network Monitoring Tools

Chapter 6 Using Network Monitoring Tools Chapter 6 Using Network Monitoring Tools This chapter describes how to use the maintenance features of your Wireless-G Router Model WGR614v9. You can access these features by selecting the items under

More information

Click Studios. Passwordstate. Installation Instructions

Click Studios. Passwordstate. Installation Instructions Passwordstate Installation Instructions This document and the information controlled therein is the property of Click Studios. It must not be reproduced in whole/part, or otherwise disclosed, without prior

More information

Broadband Router ESG-103. User s Guide

Broadband Router ESG-103. User s Guide Broadband Router ESG-103 User s Guide FCC Warning This equipment has been tested and found to comply with the limits for Class A & Class B digital device, pursuant to Part 15 of the FCC rules. These limits

More information

Configuration Guide. BES12 Cloud

Configuration Guide. BES12 Cloud Configuration Guide BES12 Cloud Published: 2016-04-08 SWD-20160408113328879 Contents About this guide... 6 Getting started... 7 Configuring BES12 for the first time...7 Administrator permissions you need

More information

SuperLumin Nemesis. Administration Guide. February 2011

SuperLumin Nemesis. Administration Guide. February 2011 SuperLumin Nemesis Administration Guide February 2011 SuperLumin Nemesis Legal Notices Information contained in this document is believed to be accurate and reliable. However, SuperLumin assumes no responsibility

More information

Interworks. Interworks Cloud Platform Installation Guide

Interworks. Interworks Cloud Platform Installation Guide Interworks Interworks Cloud Platform Installation Guide Published: March, 2014 This document contains information proprietary to Interworks and its receipt or possession does not convey any rights to reproduce,

More information

Step-by-Step Configuration

Step-by-Step Configuration Step-by-Step Configuration Kerio Technologies Kerio Technologies. All Rights Reserved. Printing Date: August 15, 2007 This guide provides detailed description on configuration of the local network which

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC

CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC 1 Introduction Release date: 11/12/2003 This application note details the steps for creating an IKE IPSec VPN tunnel

More information

Configuring Trend Micro Content Security

Configuring Trend Micro Content Security 9 CHAPTER This chapter describes how to configure the CSC SSM using the CSC Setup Wizard in ASDM and the CSC SSM GUI, and includes the following sections: Information About the CSC SSM, page 9-1 Licensing

More information

INLINE INGUARD E-MAIL GUARDIAN

INLINE INGUARD E-MAIL GUARDIAN INLINE INGUARD E-MAIL GUARDIAN Activation Guide December 8, 2008 600 Lakeshore Parkway, AL 35209 888.3InLine [email protected] 1 InLine InGuard E-Mail Guardian Activation Guide The InLine InGuard E-Mail

More information

GFI Product Manual. Getting Started Guide

GFI Product Manual. Getting Started Guide GFI Product Manual Getting Started Guide http://www.gfi.com [email protected] The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty

More information

RealPresence Platform Director

RealPresence Platform Director RealPresence CloudAXIS Suite Administrators Guide Software 1.3.1 GETTING STARTED GUIDE Software 2.0 June 2015 3725-66012-001B RealPresence Platform Director Polycom, Inc. 1 RealPresence Platform Director

More information