Training Guide eprism Security Appliance 4.0

Transcription

1 Training Guide eprism Security Appliance 4.0

2 2

3 Lesson 1 Security and eprism Contents LESSON SECURITY AND EPRISM...5 Mail Delivery Process...6 eprism Overview...7 LESSON INSTALLING EPRISM...9 eprism Deployment...10 Installation and Configuration...13 Logging in to eprism...15 LESSON BASIC CONFIGURATION...19 Admin Account...20 Network Settings...21 Static Routes...23 Web Server Options...23 Mail Routes...24 Trusted and Untrusted Networks...25 LESSON ADVANCED CONFIGURATION...29 Mail Aliases...30 Mail Mappings...33 Virtual Mappings...35 Mail Delivery Settings...38 SMTP Banner...39 LESSON LDAP INTEGRATION...43 LDAP Overview...44 Configuring LDAP Servers...44 LDAP Users and Groups...46 LDAP Authentication...50 LDAP Lookup...51 LESSON USER MAILBOXES AND SECURE WEBMAIL...55 POP3 and IMAP Access...56 Adding New Users...57 Vacation Notification...58 Secure WebMail and BorderPost...60 LESSON ANTI-VIRUS AND CONTENT FILTERING...65 Anti-Virus...66 Attachment Control...68 Malformed Messages...70 LESSON ANTI-SPAM CONFIGURATION...73 eprism s Anti-Spam Features...74 Personal Whitelisting

4 User Spam Quarantine...91 LESSON ENCRYPTION AND CERTIFICATES...97 Encryption...98 Certificates Strong Authentication LESSON GROUP POLICY MANAGEMENT Group Policies Creating Group Policies LESSON HALO (HIGH AVAILABILITY AND LOAD OPTIMIZATION) Clustering Queue Replication LESSON SYSTEM MANAGEMENT Status and Utility Mail Queue Quarantined Mail Centralized Management Tiered Administration LESSON LICENSING AND SYSTEM UPDATES Licensing System Updates Security Connection LESSON SYSTEM MONITORING SNMP Alarms System Log Files LESSON REPORTING Reporting Viewing the Database Viewing the System Database Rollout Data LESSON DISASTER RECOVERY Backing up eprism Restoring From a Backup LESSON TROUBLESHOOTING Troubleshooting Mail Delivery Troubleshooting Tools Troubleshooting Content Issues

5 Lesson 1 Security and eprism Lesson 1 Security and eprism This lesson introduces the concepts of security and the features of the eprism Security Appliance, and contains the following topics: Mail Delivery Process eprism Overview 5

6 Lesson 1 Security and eprism Mail Delivery Process Inbound Mail Internal Users Remote / Mobile Users Internet WAN Router Firewall or Exchange or inotes Server(s) Multi-layer Switch Wi-Fi Access Point or "HotSpot" 1. Client sends mail to local SMTP (Simple Mail Transport Protocol) mail server for delivery 2. SMTP server looks up destination mail server in DNS (such as mail.mydomain.com), and attempts to connect 3. SMTP server connection hits external router/firewall of destination site on port Firewall passes through SMTP port 25 traffic to eprism 5. Mail is delivered to eprism 6. eprism applies security processing, then sends to destination mail server 7. Client retrieves mail from local mail server servers need to be protected from: Malformed messages Network attacks (Denial of service, SMTP etc...) Operating system software attacks clients need to be protected from: Attachments (Could contain viruses, trojans) Viruses Content (Offensive content, images) Spam 6

7 Lesson 1 Security and eprism eprism Overview eprism is a dedicated Mail Firewall designed for deployment between internal mail servers and the Internet. eprism supports the standard mail protocols for processing messages, while offering a secure method for their processing and delivery. eprism has been designed specifically to resist operating system attacks and protect your mail servers from direct SMTP and HTTP connections. eprism delivers the most complete security available for systems. eprism runs on S-Core, St. Bernard s customized and hardened Unix operating system. S-Core does not allow uncontrolled access to the system. There is no command line access and the system runs as a closed system, preventing accidental or deliberate misconfiguration by administrators, which is a common cause of security vulnerabilities. eprism has been awarded Common Criteria EAL 4+ certification EAL4+ indicates that eprism has passed all of the requirements needed to gain Evaluation Assurance Level 4 (EAL4) and has passed some additional modules that elevate the certification above the standard EAL4 to include EAL5 vulnerability testing. No other security appliance has EAL4+ certification, which is backed by NATO, DOD and numerous world defense organizations. The eprism Security Appliance provides a complete and robust set of security capabilities specifically designed to protect against the full spectrum of security threats. Anti-Spam Processing eprism integrates features such as RBL, DCC, and STA for anti-spam protection. Anti-virus capabilities The eprism Security Appliance features optional virus scanning based on Kaspersky Anti-Virus. Automatic pattern file updates ensure that the latest viruses are caught. eprism s high performance virus scanning provides a vital layer of protection for your entire organization. Malformed message checking eprism ensures that only correctly formatted messages are allowed into your mail systems. Message integrity checking protects your mail servers and clients, and improves the effectiveness of existing virus scanning implementations. Attachment blocking eprism implements attachment controls and content filtering based on pattern and text matching. WebMail Security eprism s Secure WebMail provides secure remote access support for internal mail servers. 7

8 Lesson 1 Security and eprism NOTES 8

9 Lesson 2 Installing eprism Lesson 2 Installing eprism This lesson describes how to install the eprism Security Appliance, and includes the following topics: eprism Deployment Installation and Configuration Logging in to eprism 9

10 Lesson 2 Installing eprism eprism Deployment eprism is designed to be situated between your mail servers and the Internet so that there are no direct SMTP (Simple Mail Transport Protocol) connections between external and internal servers. eprism is typically installed in one of three locations: In parallel with the firewall On your DMZ (Demilitarized Zone) Behind the existing firewall on the Internal network SMTP port 25 traffic is redirected from either the external interface of the firewall, or from the external router to eprism. When the mail is accepted and processed, eprism makes an SMTP connection to the internal mail server to deliver the mail. eprism in Parallel with the Firewall This is the preferred deployment strategy for eprism. eprism s inherent firewall security architecture eliminates the risk associated with deploying an appliance on the perimeter of your network. Deploying the eprism in parallel with the firewall reduces the overall load on the firewall by eliminating any mail traffic on the firewall. DMZ Internal Mail Cluster Firewall Router Internet SMTP Server 10

11 Lesson 2 Installing eprism eprism on the DMZ Deploying eprism on the DMZ is an equally secure method of deployment configuration. This type of deployment prevents any direct connection from the Internet to the internal servers, but does not ease the existing load on the firewall. Firewall Internet SMTP Server eprism on the Internal Network You can also deploy eprism on the Internal Network. Although this configuration allows a direct connection from the Internet into the internal network, it is a perfectly legitimate configuration when dictated by existing network resources. Internal Mail Cluster DMZ Firewall Internet SMTP Server 11

12 Lesson 2 Installing eprism Pre-installation Considerations The following must be taken into consideration when preparing to integrate eprism into your environment: Where will eprism be deployed? (Parallel, DMZ, Internal or other?) What DNS changes, such as the MX record, are required? What firewall changes are required? Will new firewall proxies have to be created? Will existing firewall proxies need to be modified? What mail routing changes, such as outbound SMTP relay records, are required? 12

13 Lesson 2 Installing eprism Installation and Configuration Use the following procedure to install the eprism Security Appliance. The installation procedure will take approximately 20 minutes. 1. Turn on the system. 2. After the initial system messages, you will be prompted to begin the installation and configuration. The console can be operated as follows: Use the arrow keys to navigate between fields or buttons. Pressing Enter either: o o o Completes the entry of data into a text field and moves you to the next field Invokes the action of the currently highlighted button Accepts the selected radio-button value Highlighted buttons are indicated with a dashed line. If you want to change an item before going to the next screen, press Esc (Escape) to clear all fields and start again. 3. Choose a Graphical or Text Mode installation. Use Text mode if you are experiencing display problems. 4. Choose the keyboard type that matches your system and press Enter. 5. Select the Installation Type: Auto Default values for disk space allocation for log file storage, mail storage, backup area, and database area are used. o o o o o o Operating System 256 MB Swap Space Twice the amount of installed RAM Log Files 25% of remaining space Mail Storage 25% of remaining space Database Files 25% of remaining space System Backup 25% of remaining space Custom Allows you to modify values for disk space allocation. To edit the default space allocation values, select Custom and press Enter. The hard disk will be detected and identified. Press Enter to continue. Select Edit disk layout and press Enter. Use the arrow keys to move between fields. Press Enter to use the displayed action such as add 1, add 10, and so on. The values are in megabytes. 13

14 Lesson 2 Installing eprism You will need to decrease the amount allocated to one file system before increasing another. When finished, select Done and press Enter. Note: Do not reduce the allocations for Operating System and Swap Space. Swap space is crucial for processing large file attachments. 6. Once the file systems are built, you must click OK to restart the system. 7. When the system restarts, you will be prompted with the Network Configuration screen. Press OK to continue. 8. Enter the IP address and other network settings for the system. Press Enter after each field. When the last field is complete, press Enter to highlight OK, and press Enter again to continue to the next screen. If you need to reset the settings to the defaults, press Esc. Network Interface Select the network interface to configure. Hostname Enter the hostname for the system, such as mailserver in mailserver.mydomain.com. Domain Name Enter your domain, such as mydomain.com. IP Address Enter the IP address for this interface. Subnet mask Enter the subnet mask. Gateway Enter the gateway (typically the router) for your network. Name Server Enter the IP address of your DNS server. 9. Set the region and time zone. 10. The initial configuration is now complete. The system will restart and display the main console screen. You may see a message warning that the Mail System is stopped!. This message is normal because mail services have not been started yet. The system console is only recommended for use during initial installation and network troubleshooting. Routine administration should be performed via the browser administration interface. 14

15 Lesson 2 Installing eprism Logging in to eprism eprism can be configured using any web browser and can be accessed in two ways: IP Address: Hostname: You will be prompted to login as the system administrator. The initial UserID is admin, with a Password of admin. You must change the default password after you log on. When eprism is installed for the first time, you must complete the initialization phase by accepting the license agreement and providing the basic administrative information, such as the organization name and admin address. 15

16 Lesson 2 Installing eprism The main eprism Activity screen is then displayed: Start and stop mail queues. Administration interface menu Examine queue statistics Click on a message to see its details Examine queue activity Examine uptime and CPU load 16

17 Lesson 2 Installing eprism PROJECTS 1. Create a diagram of your current network and identify where eprism will be deployed. 2. Create a checklist of the changes that you need to make to your network services configuration as per your eprism deployment location. Network Configuration Checklist DNS MX record setting Previous MX record: New MX record: Firewall proxies and ports SMTP Relay Records 3. In the table below, enter the proposed hostname of your eprism system, your domain name, gateway (default router), and values for primary and secondary DNS and NTP servers. You will need these values during the installation. Network Setting eprism Hostname Value Domain Gateway (Default Router) Name Server 1 Name Server 2 Name Server 3 NTP Server 1 NTP Server 2 NTP Server 3 17

18 Lesson 2 Installing eprism NOTES 18

19 Lesson 3 Basic Configuration Lesson 3 Basic Configuration This lesson describes how to configure the basic features of the eprism Security Appliance, and contains the following topics: Admin Account Network Settings Web Server Settings Static Routes and Mail Routes Trusted and Untrusted Networks 19

20 Lesson 3 Basic Configuration Admin Account To change the admin information, select the Admin Account option. From here you can: Change the username Change address Change password Add strong authentication 20

21 Lesson 3 Basic Configuration Network Settings To configure your network settings: 1. Select Basic Config Network from the menu. 2. Enter your hostname, domain name, gateway, and an optional syslog host for logging. 3. Enter primary and alternate DNS and NTP servers. 21

22 Lesson 3 Basic Configuration 4. Enter the IP address, netmask, and media type for each network interface. You can enter information for up to four interfaces. 5. Set your other network interface options: Respond to Ping Allows ping requests to this interface. Trusted Subnet If selected, all hosts on this subnet are considered trusted for relaying and anti-spam processing. Admin Login Allows administrative access to this interface. eprism Mail client Allows access using the eprism Mail Client via this interface. IMAP Allows access to eprism s internal IMAP server via this interface. POP3 Server Allows access to eprism s internal POP3 server via this interface. SNMP Allows access to the SNMP agent via this interface. 22

23 Lesson 3 Basic Configuration Static Routes Static routes allow communication with other local networks when deploying with multiple interfaces. To add static routes to other networks: 1. Select Basic Config Static Routes from the menu. 2. Enter the network address, netmask, and default gateway, and then click New Route. Web Server Options To change the default web server values select the Basic Config Web Server option 23

24 Lesson 3 Basic Configuration Mail Routes The eprism Security Appliance, by default, accepts mail addressed directly to it and delivers it to local BorderPost mailboxes. In addition, it will accept and relay mail addressed to hosts in its own domain as defined by the MX records in your DNS. You can configure additional domains for the eprism Security Appliance to accept and route mail for from this screen. To add a mail route: 1. Select Mail Delivery Mail Routing from the menu. 2. Select the Sub checkbox to accept and relay subdomains for the specified domain. 3. Enter the Domain for which mail is to be accepted. 4. Enter a Route-to address for the server to which mail will be delivered. 5. Select the MX checkbox if you need to look up the mail routes in DNS before delivery. If this is not enabled, MX records will be ignored. 6. Select the KeepOpen checkbox to ensure that each mail message to the domain will not be removed from the active queue until delivery is attempted, even if the preceding mail failed or was deferred. This setting ensures that high priority is given for delivery to local servers. 24

25 Lesson 3 Basic Configuration Trusted and Untrusted Networks eprism processes mail differently depending on a trust relationship. Trusted mail Allows eprism to be used as a mail relay Bypasses anti-spam controls (DCC/STA) Used to update STA tables Untrusted mail Cannot relay mail via eprism Mail is processed by anti-spam controls You must ensure that eprism is properly configured for interaction with local and remote mail servers. eprism only processes mail through the spam filters when a message originates from an untrusted source. This is defined as any system not on the local network and is determined based on the IP address and netmask of the eprism system. To change a network to untrusted : 1. Select Basic Config Network. 2. For the specified interface, uncheck Trusted Subnet. Uncheck Trusted Subnet 25

26 Lesson 3 Basic Configuration PROJECTS 1. Enter the values for your environment s network configuration in the following table, and use these values to configure the Basic Config Network section on your eprism: Domain(s) Route to Example: mydomain.com Enter any required static routes for your network, and use these values to configure the Basic Config Static Routes section on your eprism. Static Routes Network Netmask Gateway 3. Enter any required mail routes for your network, and use these values to configure the Mail Deliver Mail Routing section on your eprism. Domain(s) Route to Example: mydomain.com Identify which networks in your environment will be trusted and untrusted. 26

27 Lesson 3 Basic Configuration NOTES 27

28 Lesson 3 Basic Configuration 28

29 Lesson 4 Advanced Configuration Lesson 4 Advanced Configuration This lesson describes how to configure the advanced features of the eprism Security Appliance, and includes the following topics: Mail Aliases Mail Mappings Virtual Mappings LDAP Aliases and Mappings Mail Delivery Settings SMTP Banner 29

30 Lesson 4 Advanced Configuration Mail Aliases When mail is to be delivered locally, the local delivery agent runs each local recipient name through the aliases database. If an alias exists, a new mail message will be created for the named address or addresses. Example: sales-team john, peter, mary, sharon, bill postmaster robert john.smith john To configure Mail Aliases: 1. Select Mail Delivery Mail Aliases from the menu. 2. Click on an entry to edit a current alias. 30

31 Lesson 4 Advanced Configuration Adding a Mail Alias: 1. Click the Add Alias button from the Mail Aliases screen. 2. Enter an alias and a corresponding mail address. 3. Click the Add More Addresses button to enter multiple addresses for this alias. Uploading Alias Lists: A list of aliases can also be uploaded in one text file. The file must contain comma or tab separated entries in the form: For example: [alias],[mail_address] sales,fred@company.com info,mary@company.com The file (alias.csv) should be created in csv file format using Excel, Notepad or other Windows text editor. It is recommended that you download the mail alias file first by clicking Download File, editing it as required, and uploading it using the Upload File button. 31

32 Lesson 4 Advanced Configuration To add LDAP Aliases: 1. Click the LDAP Aliases button. 2. Enter the following information into the specified text boxes: LDAP Server: Select an LDAP server to perform the search Search Base: Enter the base to start the search from, such as cn=users,dc=example,dc=com Scope: Enter the scope of the search. Options are Base, One Level, and Subtree Alias Attribute: Enter the LDAP alias attribute (Query Filter), such as (proxyaddresses=smtp:%s@*) Enter the attribute (Result Attribute) that identifies the user's address, such as mail Timeout: The maximum interval, in seconds, to wait for the search to complete 3. Click the Add button. 4. Alternately, you can click the New button to add the LDAP alias search. 32

33 Lesson 4 Advanced Configuration Mail Mappings Mail Mappings are used to map an external address to a different internal address and vice versa. This is useful for hiding internal mail server addresses from external users. For mail originating externally, the mail mapping translates the address in the To: and CC: mail header field into a corresponding internal address to be delivered to a specific internal mailbox. For example, mail addressed to fredsmith@company.com can be redirected to the internal mail address fred@sales.company.com. This enables the message to be delivered to the user s preferred mailbox. To configure Mail Mappings: 1. Select Mail Delivery Mail Mappings from the menu. 2. Click on an entry to edit a current mapping. 33

34 Lesson 4 Advanced Configuration Adding a Mail Mapping: 1. Click the Add button. 2. Enter a mapping and a corresponding mail address. 3. Enter extra internal addresses, if required. Uploading Mapping Lists A list of mappings can also be uploaded in one text file. The file must contain comma or tab separated entries in the form: For example: [type ( sender or recipient )],[map_in],[map_out],[value ( on or off )] sender,fredsmith,fred,on The file (mailmapping.csv) should be created in csv file format using Excel, Notepad or other Windows text editor. It is recommended that you download the mail mapping file first by clicking Download File, editing it as required, and uploading it using the Upload File button. 34

35 Lesson 4 Advanced Configuration Virtual Mappings Virtual Mappings are used to redirect mail addressed for one domain to a different domain. This process is performed without modifying the To: and From: headers in the mail, as virtual mappings modify the envelope-recipient address. For example, eprism can be configured to accept mail for domain_a and deliver it to domain_b. This allows eprism to distribute mail to multiple internal servers based on the Recipient: address of the incoming mail. To configure Virtual Mappings: 1. Click Mail Delivery Virtual Mapping. 2. Click on an entry to edit a current mapping. 35

36 Lesson 4 Advanced Configuration Adding a Virtual Mapping: 1. Click the Add Virtual Mapping button. 2. Enter an input and output address for the mapping. Uploading Virtual Mapping Lists A list of virtual mappings can also be uploaded in one text file. The file must contain comma or tab separated entries in the form: For example: [map_in],[map_out] user@domain,user The file (virtmap.csv) should be created in csv file format using Excel, Notepad or other Windows text editor. It is recommended that you download the virtual mapping file first by clicking Download File, editing it as required, and uploading it using the Upload File button. 36

37 Lesson 4 Advanced Configuration LDAP Virtual Mappings Click the LDAP Virtual Mappings button to configure and search for virtual mappings using LDAP. This allows you to search LDAP-enabled directories such as Active Directory. To configure a new LDAP virtual mapping search: 1. Enter the following information into the specified text boxes: LDAP Server: Select an LDAP server to perform the search Search Base: Enter the base to start the search from, such as cn=users,dc=example,dc=com Scope: Enter the scope of the search. Options are Base, One Level, and Subtree Incoming Address: Enter the LDAP incoming address (Query Filter), such as (proxyaddresses=smtp:%s) Enter the attribute (Result Attribute) that identifies the user's address, such as mail Timeout: The maximum interval, in seconds, to wait for the search to complete 2. Click the Add button. 3. Alternately, you can click the New button to add the LDAP virtual mapping search. 37

38 Lesson 4 Advanced Configuration Mail Delivery Settings To configure mail delivery settings: 1. Select Mail Delivery Delivery Settings from the menu. 2. Enter the maximum time mail will stay in the mail queue before being returned to the sender as undeliverable. 3. Enter the time before a delay warning is issued to the sender. 4. Enter the time to keep undelivered mail addressed to MAILER-DAEMON. 5. Select Masquerade Addresses to masquerade internal hostnames by rewriting headers to only include the address of the mail gateway. 6. Select Strip Received Headers to strip all Received headers from outgoing messages. 38

39 Lesson 4 Advanced Configuration 7. Enter the hostname or IP address of a mailserver (not this eprism system) to relay mail for this eprism. This is optional and not usually required. 8. Enable Ignore MX record to prevent an MX record lookup for this host and to force relay settings. SMTP Banner The SMTP banner allows you to configure display informational text about your server, while hiding the hostname of the eprism by showing only the domain. It is recommended that you enable this feature. To configure the SMTP banner: 1. Select Mail Delivery Mail Access/Filtering from the menu. 2. Select the Advanced button. 3. Select Domain only to remove the hostname of the system from the banner. 4. Enter text for the banner. 39

40 Lesson 4 Advanced Configuration PROJECTS 1. List any mail aliases you require in your environment: Alias Name Mail Aliases Address 2. List any mail mappings you require in your environment: External Mail Address Mail Mappings Internal Mail Address 3. List any virtual mappings you require in your environment: Input Address Virtual Mappings Output Address 40

41 Lesson 4 Advanced Configuration NOTES 41

42 Lesson 4 Advanced Configuration 42

43 Lesson 5 LDAP Integration Lesson 5 LDAP Integration This lesson describes how to integrate your LDAP directory services with eprism, and contains the following topics: LDAP Overview Configuring LDAP Servers Configuring LDAP Users and Groups LDAP Authentication LDAP User Lookup 43

44 Lesson 6 LDAP Integration LDAP Overview eprism can use LDAP (Lightweight Directory Access Protocol) services for accessing directories (such as Active Directory) for user and group information. LDAP can be used with eprism for mail routing, group lookups for policies, user lookups for mail delivery, alias and virtual mapping, and the user spam quarantine. Note: eprism currently only fully supports Active Directory LDAP implementations. LDAP support includes the following features: LDAP lookup prior to internal delivery eprism can look up internal mail addresses via LDAP during mail delivery to reduce the number of undeliverable messages due to spam attacks. Group/User Lookups An LDAP lookup will determine the group membership of a user when applying policy based controls. Authentication LDAP can be used for authenticating administrative, user mailbox, and WebMail logins. Configuring LDAP Servers Select Basic Config LDAP Servers from the menu to configure LDAP server settings. To configure a new LDAP server: 1. Enter the following information into the specified text boxes: Server URI Enter the server URI (Uniform Resource Identifier) address, such as ldaps:// Bind Select this check box to bind to the LDAP server Bind Password Enter the bind password for the LDAP server Bind DN Enter the DN (Distinguished Name) for the user to bind to the LDAP server, such as cn=admin,cn=users,dc=example,dc=com Type Select the type of LDAP server, such as Active Directory. 2. Click the Add button. 44

45 Lesson 5 LDAP Integration 3. Alternately, you can click the New button to add the LDAP server with some additional options. 4. Click the Test button to test your LDAP settings. 5. When finished, click the Update button to add the LDAP server. 45

46 Lesson 6 LDAP Integration LDAP Users and Groups Once you have an LDAP server configured, you can import users and user groups from the LDAP server to eprism. You can mirror imported users account information to create local accounts on eprism for each user. This is required for certain features such as the user spam quarantine. Configuring LDAP Users Configure LDAP users as follows: 1. Select Basic Config LDAP Users from the menu. 2. Enter the following required values: LDAP Server Select an LDAP server to perform the search. Search Base Enter the starting base point to start the search from, such as cn=users,dc=example,dc=com. Scope Enter the scope of the search. Options are Base, One Level, and Subtree o o o Base: Searches the base object only. One Level: Searches objects beneath the base object, but excludes the base object. Subtree: Searches the entire subtree of which the base distinguished name is the topmost object, including that base object. Query Filter Enter the appropriate query filter, such as ( (objectcategory=group)(objectcategory=person)). Timeout The maximum interval, in seconds, to wait for the search to complete. 3. Click Add when finished. 4. Select the Mirror LDAP Users checkbox and then click Update to create local accounts for all users imported via LDAP. These accounts can be used in conjunction with the user Spam Quarantine to provide account folders for users to store and retrieve their spam messages. 46

47 Lesson 5 LDAP Integration 5. Alternately, you can click the New button to configure LDAP Users. 6. Click the Test button to test your LDAP settings. 7. Click Update when finished. 47

48 Lesson 6 LDAP Integration Configuring LDAP Groups Configure LDAP Groups as follows: 1. Select Basic Config LDAP Groups from the menu. 2. Enter the following required values: LDAP Server Select an LDAP server to perform the search Search Base Enter the starting base point to start the search from, such as cn=users,dc=example,dc=com. Scope Enter the scope of the search. Options are Base, One Level, and Subtree Query Filter Enter the appropriate query filter, such as (objectcategory=group). Timeout The maximum interval, in seconds, to wait for the search to complete 3. Click Add when finished. 4. Alternately, you can click the New button to configure LDAP Groups. 5. Click the Test button to test your LDAP settings. 6. Click Update when finished. 48

49 Lesson 5 LDAP Integration Import Settings You can configure eprism to automatically import LDAP user and group data on a scheduled basis. This allows you to keep current with the LDAP directory. To import LDAP users or groups: 1. From the Basic Config LDAP Users (or LDAP Groups) screen, click the Import Settings button. Enabled Select the checkbox to enable automatic import of LDAP user and group data. Enabling automatic import ensures that your imported LDAP data remains current with the information on the LDAP server. Frequency Select the frequency of LDAP imports. You can choose between Daily, Weekly, and Monthly. Start Time Specify the start time for the import in the format hh:mm. 2. Click Update when finished. 3. You can click the Import Now button to start the import immediately. 49

50 Lesson 6 LDAP Integration LDAP Authentication 1. Select User Mailboxes Directory Users from the menu to configure LDAP authentication. 2. In the LDAP Servers section, click the New button. URI/Hostname Enter the server URI (Uniform Resource Identifier) address, such as ldaps:// Bind DN Enter the DN (Distinguished Name) of the user to bind to the LDAP server, such as cn=%u,cn=users,dc=example,dc=com Search Base: Enter the starting base point to start the search from, such as dc=example,dc=com LDAP Query: Enter the LDAP query for a user search, such as (&(ObjectClass=user)(sAMAccountName=%U)) Timeout: The maximum interval, in seconds, to wait for the search to complete. 50

51 Lesson 5 LDAP Integration LDAP Lookup A Client/Hostname restriction setting in Mail Delivery Anti-Spam utilizes the LDAP look-up feature and allows you to reject mail to unknown addresses in relay domains. This reduces the number of attempted deliveries of spam messages for unknown local addresses. This option should not be enabled unless LDAP users are imported via Basic Config LDAP Users. 51

52 Lesson 6 LDAP Integration PROJECTS 1. Configure an LDAP server for your environment. 2. Perform an import of LDAP users from your LDAP server. 3. Enable LDAP authentication and test it by logging in to your system. 52

53 Lesson 5 LDAP Integration NOTES 53

54 Lesson 5 LDAP Integration 54

55 Lesson 6 User Mailboxes and Secure WebMail Lesson 6 User Mailboxes and Secure WebMail This lesson describes how to configure user mailboxes and Secure WebMail, and includes the following topics: POP3 and IMAP Access Adding New Users Vacation Notification Secure WebMail and BorderPost 55

56 Lesson 6 User Mailboxes and Secure WebMail POP3 and IMAP Access eprism fully supports user mailboxes. Mail is delivered to eprism mailboxes after the same processing that applies to all other destinations. Users can use any POP or IMAP-based mail client (such as Outlook, Netscape, Eudora, and so on) to download their messages. Users can also be configured to access these mailboxes using BorderPost. To configure POP3 access: 1. Select User Mailboxes POP3 and IMAP from the menu. 2. Enable the POP and/or IMAP service from the drop down box. 3. Select which interfaces can use POP and IMAP in the Basic Config Network menu by selecting the corresponding checkbox. 56

57 Lesson 6 User Mailboxes and Secure WebMail Adding New Users 1. Select User Mailboxes User Mailboxes from the menu. 2. Click the Add a New User button to begin the new user configuration. 3. Enter a valid User ID. 4. Enter an address to forward to. 5. Enter and confirm the password. 6. Set the Strong Authentication option if required. 7. Enter a disk space quota, if any, and select any accessible IMAP or WebMail servers that can be accessed by the user. Global Mailbox Options From User Mailboxes Mailbox Options, enter a maximum mailbox size for all users in bytes. 57

58 Lesson 6 User Mailboxes and Secure WebMail Vacation Notification When a user will be out of the office, they can enable Vacation Notification which sends an automated reply to incoming messages. The reply message is fully configurable, allowing a user to personalize the vacation notification message. To configure vacation notifications: 1. To enable and configure Vacation Notification globally, select Mail Delivery Vacation Notification from the menu. 2. Enter the domain name to be appended to local user names. 3. Set the resending interval to configure how many days after a previous notification was sent to send another reply. 58

59 Lesson 6 User Mailboxes and Secure WebMail Individual settings can be configured by the user or the admin via the user s profile. 1. Set the Vacation Start Date by selecting the required date on the left calendar. 2. Set the Return to Work Date on the right calendar. The vacation notices will be sent out automatically during this time. 3. Modify the default subject and contents of the response message. 4. Click Update. 59

60 Lesson 6 User Mailboxes and Secure WebMail Secure WebMail and BorderPost Secure WebMail and BorderPost allow users to access internal mailboxes using a web browser. Users can connect with their web browser to eprism and then access specified internal systems. Users can manage their mail accounts via the User Profile option on the BorderPost screen. To configure BorderPost and Secure WebMail: 1. Select User Mailboxes Secure WebMail from the menu. 2. Enable WebMail globally by selecting enabled in the drop-down box. You must also go to the Basic Config Network screen to enable WebMail for each network interface as required. 3. Enable or disable Cached server passwords. This option, when enabled, will keep a copy of the user s password until they explicitly log out. If a user switches servers, they will not need to reenter their password. 4. Specify an Upload Maximum File Size in megabytes. 5. Click Add Server to add all internal servers to be accessed. They must be running one of the following: IMAP, Outlook Web Access (OWA), or Lotus inotes. Enter the IP address, hostname, or URL of the server. Add users to this server by selecting the corresponding check box. 60

61 Lesson 6 User Mailboxes and Secure WebMail Select the users who can access the server 6. Select the Automatic Server Login option to try the user s WebMail ID/Login first before prompting for an ID and password. 7. Select Use Most Recent to try the most recently used credentials first when changing servers. 8. Enable the Force Compatibility mode to ensure support for Outlook Web Access Use the BorderPost Options section to configure popups, sent mail folder, and so on. 10. Select User Mailboxes User Mailboxes from the eprism main menu to add or configure user account profiles for WebMail access. WebMail is configured in the Options section. 61

62 Lesson 6 User Mailboxes and Secure WebMail This step is not required if you use RADIUS authentication. In this case, an authentication request is forwarded to the RADIUS server and no local user account is needed. Select User Mailboxes, and then RADIUS Users to configure RADIUS users. 11. SSL encryption is enabled by default to protect HTTP sessions with eprism. Encryption also protects administration and BorderPost access. Select Basic Config Web Server to configure SSL encryption. The default settings are recommended. 62

63 Lesson 6 User Mailboxes and Secure WebMail PROJECTS 1. Add new users to your eprism. Configure a disk space quota for each user, and select the IMAP/WebMail servers they can access. 2. Enable Vacation Notification globally. Using one of the users you created in the previous step, enable their vacation notification by selecting a vacation start and return to work date. Enter a customized vacation message. Try sending mail to that user, and ensure you receive the notification response. 3. Add a server to your WebMail proxy configuration, and select the users that can access that server. 63

64 Lesson 6 User Mailboxes and Secure WebMail NOTES 64

65 Lesson 7 Anti-Virus and Content Filtering Lesson 7 Anti-Virus and Content Filtering This lesson describes how to configure Anti-Virus and Content Filtering, and includes the following topics: Anti-Virus Attachment Control Malformed Messages 65

66 Lesson 7 Anti-Virus and Content Filtering Anti-Virus eprism provides an optional virus scanning service. When enabled, all messages (inbound and outbound) passing through the eprism Security Appliance are scanned for viruses. eprism integrates the Kaspersky Anti-Virus engine, which is one of the highest rated virus scanning technologies in the world. Virus scanning is tightly integrated with the mailer for maximum efficiency. To configure Anti-Virus scanning: 1. Select Mail Delivery Anti-Virus from the menu. 2. Select the Enable virus scanning checkbox. 3. Choose the action for both inbound and outbound mail, such as Just log, Reject mail, Quarantine mail, and Discard mail. 4. Select which users will receive a notification by clicking the corresponding check box for inbound and outbound mail. 66

67 Lesson 7 Anti-Virus and Content Filtering 5. Customize the notification message as required. 6. Configure the intervals for Anti-virus pattern file updates. You can choose 15, 30 or 60 minutes. 7. Enter a proxy server address if required. 8. Click Get Pattern Now to immediately retrieve a pattern file update. 67

68 Lesson 7 Anti-Virus and Content Filtering Attachment Control Attachment filtering can be used to control a wide range of problems originating from the use of attachments such as: Viruses Attachments carrying viruses can be blocked. Offensive Content eprism blocks the transfer of images which reduces the possibility that an offensive picture will be transmitted to or from your company mail system. Confidentiality Prevents unauthorized documents from being transmitted through the eprism Security Appliance. Productivity Prevents your systems from being abused by employees. To configure attachment control: 1. Select Mail Delivery Attachment Control from the menu. 2. Select the default action (Pass or Block) for file extensions not listed in the Attachment Types list. 3. Enable attachment control by selecting the corresponding checkbox for inbound and outbound mail. 4. Click Edit to configure the attachment types to control. 5. Select an action to be performed, such as Just log, Reject mail, Quarantine mail, and Discard mail. 6. Select which users will receive a notification by clicking the corresponding check box for inbound and outbound mail. 7. Customize the notification message as required. 68

69 Lesson 7 Anti-Virus and Content Filtering To edit attachment types: 1. Click the Edit button to edit your attachment types. 2. Click the Add Extension to add a file extension or MIME type to the list. 3. For each attachment type, choose whether you want to BLOCK or Pass the attachment. 4. Select the DS (Disable Content Scan) checkbox if you want to disable content scanning for attachments with the specified extension. 69

70 Lesson 7 Anti-Virus and Content Filtering Malformed Messages Many viruses try to elude virus scanners by concealing themselves in malformed messages. The scan engines cannot detect the attachment and pass the complete message through to an internal server. Some mail clients, such as Outlook, try to rebuild malformed messages and may rebuild or activate a virusinfected attachment. Other types of malformed messages are designed to attack mail servers directly. Most often these types of messages are used in denial-of-service (DoS) attacks. eprism analyzes each message with very extensive integrity checks. Malformed messages are quarantined if they cannot be processed. To enable malformed scanning: 1. Select Mail Delivery, and then Malformed from the menu. 2. Enable malformed scanning by selecting the corresponding checkbox. 3. Select an action to be performed, such as Just log, Reject mail, Quarantine mail, and Discard mail. 4. Select which users will receive a notification by clicking the corresponding check box for inbound and outbound mail. 5. Customize the notification message as required. 70

71 Lesson 7 Anti-Virus and Content Filtering PROJECTS 1. Enable and configure Anti-virus scanning. Configure both inbound and outbound mail, and set the required action. Select the users who should receive a notification, and customize the notification message as required. 2. Enable attachment control for both inbound and outbound mail. Edit the list of attachment types as per your environment. Select the users who should receive a notification, and customize the notification message as required. 3. Enable Malformed scanning. Set the required action, and select the users who should receive a notification. Customize the notification message as required. 71

72 Lesson 7 Anti-Virus and Content Filtering NOTES 72

73 Lesson 8 Anti-Spam Configuration Lesson 8 Anti-Spam Configuration This lesson describes how to configure the Anti-Spam features of the eprism Security Appliance, and includes the following topics: eprism s Anti-Spam Features o Distributed Checksum Clearinghouse (DCC) o Statistical Token Analysis (STA) Additional Anti-Spam Options o Specific Access Patterns o Real-time Blackhole Lists (RBL) o Pattern Based Message Filters (PBMF) Personal Whitelisting User Spam Quarantine 73

74 Lesson 8 Anti-Spam Configuration eprism s Anti-Spam Features eprism offers a comprehensive set of tools to fight spam DCC (Distributed Checksum Clearinghouse) Bulk mail detection STA (Statistical Token Analysis) Token analysis tool for user specific classification and spam detection RBLs (Realtime Blackhole Lists) SAP (Specific Access Patterns) Whitelist and Blacklists DCC (Distributed Checksum Clearinghouse) DCC is based on a number of servers (similar to RBLs) that maintain databases of message checksums derived from numeric values that uniquely identify a message. DCC provides a simple but very effective way to successfully identify spam and control its disposition while updating its database with new spam message types. Mail users and ISPs all over the world submit checksums of all messages received. The database records how many of each message is submitted. If requested, the DCC server can return a count of how many instances of a message have been received. eprism uses this count to determine the disposition of a message. To configure DCC: 1. Select Mail Delivery Anti-Spam from the menu. 2. Click Distributed Checksum Clearinghouse (DCC) in the left column. 3. For white and blacklists, it is recommended that you use Pattern Based Message Filters to create exceptions to DCC s bulk classifications. 4. Choose a value for If bulk exceeds, and select the required checksums (you should use the defaults). 74

75 Lesson 8 Anti-Spam Configuration DCC returns a number showing how many times the message has been identified. This can be zero (unique and therefore not bulk) or another number, such as 1352, indicating that the message has been reported 1351 prior times. It may also return the value many. This is a special DCC value returned when DCC has seen a certain message in such volumes and in such a frequency that it is most certainly considered bulk. For DCC to be useful, you need to specify a threshold that will trigger an action. It is recommended that you enter either many or a value of 50 or Select an action, such as: Just log: An entry is made in the log, and no other action is taken Modify Subject Header: The text specified in Action Data will be inserted into the message subject line Add header: An X- mail header will be added as specified in the Action Data Redirect to: The message will be delivered to the mail address specified in Action Data Reject mail: The mail will not be accepted, and the connecting mail server is forced to return it BCC: The message will be copied to the mail address specified in Action Data 6. Select the Action Data to perform, depending on the specified action: Modify Subject Header: The specified text will be inserted into the subject line, such as [DCC_BULK] Add header: A message header will be added with the specified text, such as [DCC_BULK] Redirect to: Send the message to a mailbox to quarantine the spam, such as spam@mydomain.com 75

76 Lesson 8 Anti-Spam Configuration To use DCC effectively: Following this procedure will ensure that users do not see spam, lowers the number of false positives, and ensures that no false positives are rejected. 1. Enable the DCC service. 2. Use either Modify Subject Header or Add header options to identify bulk mail. 3. Notify mail users of this service by asking them to forward all incorrectly identified mail to the administrator, such as valid mailing lists and group accounts. 4. If possible, create filters on the client to forward all identified mail to a bulk spam folder for periodic review. 5. Alternately, once all valid bulk mail accounts are identified, change the DCC setting to redirect all mail to a quarantine account. 76

77 Lesson 8 Anti-Spam Configuration STA (Statistical Token Analysis) STA is a sophisticated method of identifying spam based on statistical analysis of mail content. Simple text matches can lead to false positives because a word or phrase can have many meanings depending on the context. STA provides a way to accurately measure how likely any particular message is to be spam without having to specify every word and phrase. STA achieves this by deriving a measure of a word or phrase contributing to the likelihood of a message being spam. This is based on the relative frequency of words and phrases in a large number of spam messages. From this analysis, it creates a table of discriminators (words associated with spam) and associated measures of how likely a message is spam. When a new incoming message is received, STA analyzes the message, extracts the discriminators (words and phrases), finds their measures from the table, and aggregates these measures to produce a spam metric for the message. Consider the following simple message: Subject: Get rich quick!!!! Click on to earn millions!!!!! STA will break the message down into the following tokens: Get rich quick!!! Click on to earn millions!!!!! Each token is looked up in the database and a metric is retrieved. The token Click has a high measure of 91, whereas the word to is neutral (indicating neither spam nor legitimate). These measures are aggregated using statistical methods to give the overall score for the message of 98. Based on the resulting cumulative score, the message can then be rejected, quarantined, annotated, and forwarded according to how the local threshold is set. 77

78 Lesson 8 Anti-Spam Configuration STA can run in two different modes: Training mode only Allows eprism to update its spam and non-spam token databases without applying STA checks. This allows the spam and non-spam databases to be updated with local tokens before running the service, and ensures that the service is accurately identifying spam once enabled. Scanning and Training mode STA is both enabled and in training mode. To configure STA: 1. Select Mail Delivery Anti-Spam from the menu. 2. Click Statistical Token Analysis (STA) from the left menu. 3. STA can be enabled to filter spam immediately after installation. It is recommended that you start STA by running in Training Only mode. Set Training only 78

79 Lesson 8 Anti-Spam Configuration To configure Thresholds: STA measures the likelihood of spam for each message it processes. This likelihood is represented by a number between 0 and 100. The closer to 100, the more likely the message is to be spam. Messages typically fall into three groups: Over 90 Almost certainly spam. Between 55 and 90 Possibly spam (only a few messages). Less than 55 Almost certainly legitimate mail. 1. Set the upper and lower thresholds to appropriate values. 2. For each threshold, specify the Action and Action data: Action The action can be one of the following: o o o o Just log: An entry is made in the log, and no other action is taken Modify Subject Header: The text specified in Action Data will be inserted into the message subject line Add header: An X- mail header will be added as specified in the Action Data Redirect to: The message will be delivered to the mail address specified in Action Data 79

80 Lesson 8 Anti-Spam Configuration o o Reject mail: The mail will not be accepted, and the connecting mail server is forced to return it BCC: The message will be copied to the mail address specified in Action Data Action data Depending on the specified action: o o o Modify Subject Header: The specified text will be inserted into the subject line, such as [STA_SPAM] Add header: A message header will be added with the specified text, such as [STA_SPAM] Redirect to: Send the message to a mailbox to quarantine the spam, such as spam@mydomain.com To use STA effectively, St. Bernard recommends the following to ensure that users do not see spam, and to prevent false positives: 1. Enabling STA service in Training mode only. 2. Let STA run for several weeks to update its token databases. 3. After a few weeks, put STA in Scanning and Training mode. 4. Use the Modify Subject Header or Add header options to identify spam mail. 5. If possible, create filters on the client to forward all identified mail to a spam folder for periodic revision. 6. Alternately, you can change the STA setting to redirect all mail to a quarantine account. 80

81 Lesson 8 Anti-Spam Configuration Additional Anti-Spam Options In addition to the main anti-spam options, eprism also offers the following additional protection: Specific Access Patterns for source address filtering (SAPs) Real-time Blackhole Lists (RBLs) Pattern Based Message Filters (PBMFs) for whitelist/blacklist entries Advanced anti-spam options Specific Access Patterns Specific access patterns can be used to either accept or reject mail. These rules overrule all others, allowing them to be used for special cases to allow where it would be otherwise blocked, or to block when it would otherwise be allowed. Specific access patterns allow an administrator to respond to local filtering requirements such as: Allowing other systems to relay mail through eprism Rejecting all messages from specific systems Allowing all messages from specific systems (effectively whitelisting the mail) To configure Specific Access Patterns: 1. Select Mail Delivery Anti-Spam from the menu. 2. Click Source Address Filtering from the left menu. 3. Enable Pattern Based Message Filtering to reject or accept mail based upon matches in the message envelope, header, or body. 4. Set the maximum number of recipients accepted per message. 5. Set the maximum message size that will be accepted by eprism. 81

82 Lesson 8 Anti-Spam Configuration 6. From the Mail Filtering Settings menu, click Add Pattern to create a new source address filtering pattern. 7. Enter a mail address, host or domain name in the Pattern field. 8. Select one of the following message fields: Client Access Specify a domain, server name, or IP address. This item is reliable and may be used to block spam as well as whitelist. HELO Access Specify either a domain or server name. It is not reliable as spammers can fake this property. Envelope-From Access Specify a valid address. It is not reliable as spammers can fake this property. Envelope-To Access Specify a valid address. It is not reliable as spammers can fake this property. If Pattern Matches: o o o Reject: The connection will be dropped Allow relaying: Messages from this address will be relayed and processed for spam Trust: Messages from this address will be relayed and not processed for spam 82

83 Lesson 8 Anti-Spam Configuration RBL (Realtime Blackhole List) RBLs contain the addresses of known sources of spam, and are maintained by both commercial and noncommercial organizations. The RBL mechanism is based on DNS. Every server that attempts to connect to eprism will be looked up on the specified RBL servers using DNS. This procedure is very efficient and should not impact performance. If the server is blacklisted, then the server is considered a spammer and the connection dropped. When legitimate mail is blocked by an RBL, you can create an exception using Source Address Filtering or by creating a whitelist entry. To configure RBLs: 1. Select Mail Delivery Anti-Spam from the menu. 2. Click Real-time Blackhole List (RBL) in the left column. 3. Select the checkbox to enable RBLs. 4. Set the number of relays to check in the Check Relays field. 5. Select the action to be performed when an is classified as spam, such as: Just log: An entry is made in the log, and no other action is taken Modify subject header: The text specified in Action Data will be inserted into the message subject line Add header: An X- mail header will be added as specified in the Action Data Redirect to: The message will be delivered to the mail address specified in Action Data Discard mail: The message is discarded without notification to the sending system Reject mail: The message is rejected with notification to the sending system 83

84 Lesson 8 Anti-Spam Configuration BCC: The message will be copied to the mail address specified in Action Data 6. Select the action data for the specified action: Modify Subject Header: The specified text will be inserted into the subject line, such as [RBL] Add header: A message header will be added with the specified text, such as [RBL] Redirect to: Send the message to a mailbox to quarantine the spam, such as spam@mydomain.com 84

85 Lesson 8 Anti-Spam Configuration Pattern Based Message Filters Pattern Based Message Filtering is the primary tool for whitelisting and blacklisting messages. An administrator can specify that mail is rejected or whitelisted according to the contents of the message header, including the sender, recipient, subject, and body text. These types of filters can be helpful in correcting obvious disadvantages in the other spam filters, but they can create problems of long term maintenance. Pattern Based Message Filters have the following main characteristics: Filters can be specified using simple English terms such as contains and matches or using POSIX regular expressions Filters are processed in the order of their priority The actions can be used to modify the behavior of the STA spam filter To configure Pattern Based Message Filtering: 1. Select Mail Delivery Anti-Spam from the menu. 2. Click Pattern Based Message Filtering (Whitelisting and Blacklisting) in the left column. 3. Click Add Entry to add a new pattern to the filter list. 4. Select the Message Part you want to filter on. 85

86 Lesson 8 Anti-Spam Configuration 5. Select a match option, such as: Contains Looks for the text to be contained in a line or field. This allows for spaces or other characters that may make an exact match fail. Ends with Looks for the text at the end of the line or field (no characters, spaces and so on, between the text and the non-printed end-of-line character). Matches The entire line or field must match the text. Starts with Looks for the text at the start of the line or field (no characters, spaces, and so on, between the text and the start of line). 6. Enter the pattern you wish to search for. You may also use POSIX regular expressions. 7. Select a priority for the filter (High, Medium, Low). The entire message is read before making the decision. If a message matches multiple filters, the filter with the highest priority will be used. 8. Specify an action for when a rule has been triggered: Reject Mail is received, then rejected before the close of an SMTP session. Spam Mail is received, then trained as spam for STA, and then rejected. Accept Mail is delivered normally and not trained by STA, or marked as spam or bulk. Attempted relays are rejected. Valid Mail is delivered normally and trained as valid by STA. Attempted relays are rejected. Relay Relay is enabled for this mail. Mail is not trained by STA. Trust Relay is enabled for this mail. Mail is trained as valid by STA. Do Not Train Do not use the message for STA training purposes. This option will not override other PBMFs if it applies to the same message. BCC Send a blind carbon copy mail to the mail address specified in Action Data. This option only appears if you have a BCC Address set up in the Preferences section. 86

87 Lesson 8 Anti-Spam Configuration PBMF Preferences Select the Preferences button to configure actions for spam pattern based message filters. These actions allow you to process the spam message with an additional action such as Redirect To or Modify Subject Header. You can also train the PBMF spam mail for STA purposes. Train as STA Spam Select this option to allow any mail that triggers an action to be trained as spam for STA purposes. Action Specify one of the following actions: o o o o o o Just log: An entry is made in the log, and no other action is taken Modify Subject Header: The text specified in Action Data will be inserted into the message subject line Add header: An X- mail header will be added as specified in the Action Data Redirect to: The message will be delivered to the mail address specified in Action Data Reject mail: The mail will not be accepted, and the connecting mail server is forced to return it BCC: Send a blind carbon copy mail to the mail address specified in Action Data. Action data Depending on the specified action: o o o Modify Subject Header: The specified text will be inserted into the subject line, such as [PBMF_SPAM] Add header: A message header will be added with the specified text, such as [PBMF_SPAM] Redirect to: Send the message to a mailbox such as spam@mydomain.com. You can also specify a domain such as spam.mycompany.com. 87

88 Lesson 8 Anti-Spam Configuration PBMF BCC Action Send a blind carbon copy of the message to the address specified. This is a separate action from the PBMF spam actions. Client Hostname/Address Restrictions In Mail Delivery Anti-Spam, you can also configure additional anti-spam restrictions: Reject on unknown recipient This option rejects mail if the intended recipients do not exist. This option can be used in conjunction with LDAP users, as eprism will perform an LDAP lookup to see if the local user exists. Configure and import LDAP users in the Basic Config LDAP Users menu. See LDAP Users and Groups starting on page 46 for more information on setting up LDAP user lookups. Reject on unknown sender domain Rejects mail when the sender s mail address does not appear in the DNS as an A or MX record. This option applies to untrusted mail only. Reject on non FQDN sender Rejects mail when the client MAIL FROM command is not in the form of an FQDN (Fully Qualified Domain Name) such as mail.mydomain.com. This option applies to untrusted mail only. Reject on unauth pipelining Rejects mail when SMTP commands are sent ahead of the message even though the SMTP server supports pipelining. 88

89 Lesson 8 Anti-Spam Configuration Personal Whitelisting Personal whitelisting allows users to create their own whitelists of users who they wish to receive mail from, to prevent them from being blocked by the system s spam filters. Users can use WebMail to create their own personal whitelists based on a sender s address. The personal whitelist only overrides actions related to STA, DCC, and Pattern Based Message Filter (PBMF) spam messages. If the action is reject, or if the message is rejected for other reasons, such as viruses, the personal whitelist will have no effect. Personal whitelisting must be enabled globally by the administrator to allow users to configure their own whitelist. Configure Personal Whitelisting globally as follows: 1. Select Mail Delivery Anti-Spam, and then Personal Whitelists. 2. Select the checkbox to enable personal whitelisting globally for all users. 3. Configure the domain part of the address appended to local user names. 89

90 Lesson 8 Anti-Spam Configuration Configuring Personal Whitelists To create their personal whitelists, the end user must login to WebMail, and select Personal Whitelisting from the top-left drop down menu. Note: Users do not need a local WebMail account. Logins can be authenticated via RADIUS or LDAP to an authentication server such as Active Directory. The personal whitelist is based on a sender s address. Enter an address and click the Add button to add an to the whitelist. 90

91 Lesson 8 Anti-Spam Configuration User Spam Quarantine The User Spam Quarantine is used to redirect spam mail into a local storage area for each individual user or to a single user. This allows users to connect to eprism to view and manage their own quarantined spam. To quarantine mail in each anti-spam feature, such as STA and DCC, select Redirect To as an action, and set the action data to the FQDN (Fully qualified domain name) of the current server or another spam quarantine server. Note: The Spam Quarantine must be enabled on the destination system if you choose to quarantine mail on a separate eprism. To allow users to move messages out of the quarantine to their own folders, you must enable IMAP on the trusted interfaces that will be accessed. The user will need to create an IMAP account on their client to access this folder. If your environment uses an LDAP directory, you can import the users and mirror the LDAP accounts on the local system for the spam quarantine. Users can also access the spam quarantine folder using WebMail. To configure the User Spam Quarantine: 1. Select Mail Delivery Anti-Spam, and select Spam Quarantine. Enable Spam Quarantine Select the checkbox to enable the spam quarantine. 91

92 Lesson 8 Anti-Spam Configuration Expiry Period Select an expiry period for mail in the quarantine area. Any mail quarantined for longer than the specified value will be deleted. Folder Size Limit Set a value, in megabytes, to limit the amount of stored quarantined mail. Enable Summary Select the checkbox to enable a summary notification that alerts users to mail that has been placed in their quarantine folder. Notification Domain Enter the domain for which notifications are sent to. This is typically the Fully Qualified Domain Name of the server. Notification Days Select the specific Notification Days to send the summary. Spam Folder Indicate the Spam Folder name. This must be an RFC821 compliant mail box name. This folder will appear in a user s mailbox when they have received quarantined spam. Mail Subject Enter a subject for the notification . Mail Content Preamble Customize the preamble that will appear in the message. 92

93 Lesson 8 Anti-Spam Configuration Accessing Quarantined Spam To allow user access to the quarantine folders, you must enable IMAP globally and on your trusted network interfaces as required. This allows users to connect to the system via IMAP and move spam messages out of the quarantine into their own folders. The quarantined spam folder can also be viewed using WebMail. 1. Select User Mailboxes POP3 and IMAP to enable IMAP globally. 2. Select Basic Config Network to enable IMAP on a specific network interface. 3. Login to WebMail, or connect from the client using IMAP to view the spam quarantine folder. 93

94 Lesson 8 Anti-Spam Configuration PROJECTS 1. Decide on an anti-spam strategy, including which anti-spam tools you want to configure, and what action they will take with incoming spam. 2. Create a list of your mailing lists and other sources that you do not want considered as spam or bulk. This will form the basis for your whitelist. Whitelist Sources 94

95 Lesson 8 Anti-Spam Configuration NOTES 95

96 Lesson 8 Anti-Spam Configuration 96

97 Lesson 9 Encryption and Certificates Lesson 9 Encryption and Certificates This lesson describes how to configure encryption and use certificates for authentication, and contains the following topics: Encryption Certificates Strong Authentication 97

98 Lesson 9 Encryption and Certificates Encryption All mail delivered to and from eprism can be encrypted using TLS (SSL). This includes connections to remote systems, local internal Microsoft Exchange systems, or internal mail clients. Encrypted messages are delivered with complete confidentiality both locally and remotely. Encryption can be used for the following: Secure mail delivery on the Internet to prevent anyone from viewing your while in transit. Secure mail delivery across your LAN to prevent malicious users from viewing other than their own. Create policies for secure mail delivery to branch offices, remote users and business partners. eprism supports TLS/SSL encryption for all user and administrative sessions. TLS/SSL may also be used to encrypt SMTP sessions, effectively preventing eavesdropping and interception. eprism supports the use of certificates to initiate the negotiation of encryption keys. eprism can generate its own site certificates, and can also import Certificate Authority (CA) signed certificates. 98

99 Lesson 9 Encryption and Certificates To enable encryption: 1. Select Mail Delivery SMTP Security from the menu. 2. Enable Accept TLS to accept SSL/TLS for incoming mail connections. 3. Enable Offer TLS to offer remote mail servers the option of using SSL/TLS when sending mail. 4. Enable Enforce TLS, if required. This option requires the validation of a CA-signed certificate when delivering mail to a remote mail server. 5. In the specific site policy, create exceptions to the default settings. 6. Specify the IP Address or FQDN of the remote mail server in the Add/Update Site field. 7. Select one of the following TLS options and click the Update button: Don t Use TLS TLS Mail Delivery is never used with the specified system. May Use TLS Use TLS if the specified system supports it. Enforce TLS Deliver to the specified system only if a TLS connection with a valid CA-signed certificate can be established. Loose TLS Similar to Enforce TLS but will accept a mismatch between the specified server name and the Common Name in the certificate. 99

100 Lesson 9 Encryption and Certificates Certificates A valid SSL certificate is required to support the encryption services available on eprism The SSL encrypted channel from the server to the web browser (such as when using a URL that begins with https), needs a valid digital certificate You can use self-signed certificates generated by eprism, or import certificates purchased from commercial vendors such as Verisign. To install a commercial certificate: 1. Select Management SSL Certificates from the menu. 2. Create a new certificate using the Generate a self-signed certificate button. 3. Reboot the system to install the new certificate. 4. After the reboot, the Show installed certificate button will display the certificate and the certificate request that was signed by the on-board Certificate Authority. To obtain a commercial certificate, send this certificate request information to the commercial Certificate Authority (CA) of your choice for signing. 5. Once received, install the commercial certificate using the Load site certificate button. 6. Enter the PEM encoded certificate information from the signed SSL certificate by copying and pasting the text into the specified field. 7. Select the Use this Private Key for SSL Certificate check box to use the supplied private key. Copy and paste the PEM encoded private key into the required field. 100

101 Lesson 9 Encryption and Certificates Strong Authentication eprism has the ability to add strong authentication for user accounts that exist on the system, including the following technologies: SecurID RSA authentication server CRYPTOCard local authentication SafeWord local authentication Strong authentication is configured for user accounts in the User Mailboxes - User Mailboxes section under the applicable user. To configure RSA SecurID: 1. Set up eprism as a valid client on the ACE Server. 2. Create an sdconf.rec (ACE Agent version 4.x) file and upload it to eprism. 3. Select User Mailboxes SecurID Configuration from the menu. 4. SecurID must also be enabled for each network interface in the Basic Config Network settings screen. 101

102 Lesson 9 Encryption and Certificates CRYPTOCard The CRYPTOCard option is supported by a local authentication server and requires no external system for authentication. When CRYPTOCard is selected, you will be prompted to program the card at that time. To configure a CRYPTOCard: 1. Reset the card 2. Set the card for eprism use 3. Program the card for authentication 4. Set the PIN for the card SafeWord SafeWord Platinum and Gold tokens are supported by a local authentication server, and require no external system for authentication. When SafeWord is selected, you will be prompted to program the card at that time. 102

103 Lesson 9 Encryption and Certificates PROJECTS 1. Configure your encryption as required for your environment, and create specific policies for different sites. 2. Configure SecurID, CYRPTOCard, or SafeWord if you plan to use any of these strong authentication methods. 103

104 Lesson 9 Encryption and Certificates NOTES 104

105 Lesson 10 Group Policy Management Lesson 10 Group Policy Management This lesson describes how to administer and manage the eprism Security Appliance, and contains the following topics: Group Policies Overview Creating Group Policies 105

106 Lesson 10 Group Policy Management Group Policies Policy based controls allow settings for annotations, anti-spam, and attachment control to be customized and applied to different groups of users. User groups can be imported from LDAP-compatible directories, and then Group Policies can be created to apply customized settings to these groups. Policies can be configured for the following items: Annotations Inbound and Outbound Attachment Control DCC STA Policy Scenarios The following describes some examples of how you can use policies to provide customized settings to different groups of users in your organization. Annotations You may want your Technical Support and Marketing departments to have different annotations appended to their outgoing messages. You can set up your group policy to provide an annotation emphasizing technical services for the Technical Support department, and a sales and promotional annotation for the marketing department. Other users may only require a company-wide disclaimer to be appended to their s. Attachment Control You can set up group policies to allow your Development group to accept and send executable files (.exe) to each other, while configuring your attachment control settings for all your other departments to block this file type to prevent the spread of viruses among the general users. The development group will be allowed to use these files because they may need to send compiled code to each other. Anti-Spam When using the STA (Statistical Token Analysis) anti-spam tool, you may want to use or evaluate it with only one particular user group. Group policies allow you to enable and configure STA for only certain user groups, while disabling it for all other users. 106

107 Lesson 10 Group Policy Management Creating Group Policies To create group policies, you must follow these general steps: 1. Configure an LDAP server to use with this system 2. Perform an initial import of LDAP users and groups 3. Customize your Group Default policy 4. Apply the Group Default policy to your imported groups, or customize each group individually 5. Enable Group Policy Step 1: Adding an LDAP Server You must first ensure you have defined a valid LDAP server in the Basic Config LDAP Servers screen. To configure a new LDAP server: 6. Enter the following information into the specified text boxes: Server URI Enter the server URI (Uniform Resource Identifier) address, such as ldaps:// Bind Select this check box to bind to the LDAP server Bind Password Enter the bind password for the LDAP server Bind DN Enter the DN (Distinguished Name) of the user to bind to the LDAP server, such as cn=admin,cn=users,dc=example,dc=com Type Select Active Directory. 7. Click the Add button. 107

108 Lesson 10 Group Policy Management Step 2: Import LDAP Users and Groups Once you have an LDAP server defined, you can import your user and group listings. Configure LDAP users as follows: 8. Select Basic Config LDAP Users from the menu. 9. Enter the following required values: LDAP Server Select an LDAP server to perform the search Search Base Enter the starting base point to start the search from, such as cn=users,dc=example,dc=com Scope Enter the scope of the search. Options are Base, One Level, and Subtree o o o Base: Searches the base object only. One Level: Searches objects beneath the base object, but excludes the base object. Subtree: Searches the entire subtree of which the base distinguished name is the topmost object, including that base object. Query Filter Enter the appropriate query filter, such as ( (objectcategory=group)(objectcategory=person)). Timeout The maximum interval, in seconds, to wait for the search to complete. 10. Click Add when finished. 11. Click Import Now to start the import process. 108

109 Lesson 10 Group Policy Management Configure LDAP Groups as follows: 7. Select Basic Config LDAP Groups from the menu. 8. Enter the following required values: LDAP Server Select an LDAP server to perform the search Search Base Enter the starting base point to start the search from, such as cn=users,dc=example,dc=com. Scope Enter the scope of the search. Options are Base, One Level, and Subtree Query Filter Enter the appropriate query filter, such as (objectcategory=group). Note: To specify one specific group, use (&(objectcategory=group)(name=groupname)), inserting the group you are using for groupname. Timeout The maximum interval, in seconds, to wait for the search to complete 9. Click Add when finished. 10. Click Import Now to start the import process. 109

110 Lesson 10 Group Policy Management Step 3: Customizing Group Default Policies Select Policy from the main menu to enter the group policy configuration screen. Select Group Default in the left column of the main Policy screen to configure the Group Default policy. This is the default setting that will be applied to all groups. When Group Policies are enabled, this policy will be applied to users that do not belong to any group. You can use the default Global Policy value, or enable/disable each policy feature as required. Click the feature in the left column to configure its properties for the Group Default policy. 110

111 Lesson 10 Group Policy Management Step 4: Configure Group Policies Select the name of the user group (such as gtest1 in the previous example) in the left column of the main Policy screen to configure the Group Policy for each individual user group. For each group, you can use the Group Default policy, or enable/disable each policy feature as required. Click the feature in the left column, such as Annotations, to configure its properties for the individual group. When finished, click the Update button. 111

112 Lesson 10 Group Policy Management Step 5: Configure Global Policy Select Global in the left column to configure the global policy settings, and then enable each policy feature as required. Click the feature in the left column to configure its properties for the Global Policy, such as Annotations. When finished, click the Update button. This step enables or disables these features globally, and the current state will become immediately active. You must configure your default Group Policy and individual group policies first before enabling these features globally. 112

113 Lesson 10 Group Policy Management Step 6: Enable Group Policy Once you have all your policy settings configured, select the Enable Group Policy checkbox, and then click the Update button. 113

114 Lesson 10 Group Policy Management PROJECTS 1. Create a group policy to provide separate annotations for different groups of users. 2. Create a group policy to allow one group, via attachment control, to receive.exe file attachments, while blocking this extension to all other groups. 114

115 Lesson 10 Group Policy Management NOTES 115

116 Lesson 10 Group Policy Management 116

117 Lesson 11 HALO Lesson 11 HALO (High Availability and Load Optimization) This lesson describes how to administer and manage the eprism Security Appliance, and contains the following topics: Clustering Queue Replication 117

118 Lesson 11 HALO Clustering HALO (High Availability Load Optimization), is the failsafe clustering architecture for high availability for the eprism Security Appliance. HALO enables two or more eprism systems to act as a single logical unit for processing a mail stream while providing load balancing and high-availability benefits. The eprism systems participating in the cluster will be grouped together by connecting a network interface to a separate network called the Cluster Network. The eprism systems will communicate clustering information with each other via this network. Systems can also be added or removed from clusters without interruption to mail services. It is recommended that all systems in the cluster should be running on the same platform (such as M-3000), and that the cluster network be separated from the main production network. One system is configured to be the Cluster Console, which is the master system where all cluster administration and configuration will be performed. When an eprism system is added to the cluster, its configuration will automatically be synchronized with the Cluster Console. Any changes to the configuration on the Cluster Console will also be replicated to every cluster member. The eprism cluster will be treated as a logical unit for processing mail and system configuration. Configuring Clustering The following sections describe how to install and configure a cluster. In these examples, a cluster of two systems is described. The procedure requires the following steps: 1. Ensure all systems are of the same hardware, and have the same software versions and licenses. 2. Configure a network interface for clustering. 3. Create the cluster. 4. Add Cluster members. 118

119 Lesson 11 HALO Step 1: Hardware and Licensing All cluster members, including the Cluster Console, should be the same level of hardware (such as an M-4000), and be running the same version of software and update patches. All cluster members must also have all the same additional features (such as Kaspersky Anti-Virus) installed and licensed before integration into the cluster. Step 2: Cluster Network Configuration The following instructions describe how to configure the network settings for two eprism systems in a cluster. 1. Connect an unused network interface from each eprism to a common network switch. Alternately, you can connect two eprism together using a network crossover cable. This will form the cluster network, a control network where clustering information will be passed back and forth between the eprism systems that form the cluster. 2. On each eprism system, go to the Basic Config Network screen. 3. On the network interface that you want to use for clustering, ensure that the Trusted Subnet and Admin Login checkboxes are enabled. 119

120 Lesson 11 HALO 4. In the Clustering section of the Network settings screen, select the Enable Clustering checkbox, and choose the network interface that is connected to the cluster control network. Step 3: Creating the Cluster The following instructions describe how to create the cluster and initialize the Cluster Console system. 1. Select HALO Cluster Administration from the menu. Before continuing, ensure that this is the system that you want to be the Cluster Console system. 2. Click the Configure button to start the cluster configuration process. 120

121 Lesson 11 HALO 3. The system will prompt you for information on setting up the cluster. First, you must the admin user and password for the system that will be configured as the Cluster Console. Click the Add or Update Member button to add the system as the Cluster Console. Click Close to finish. 4. The Cluster Management console is then displayed. 121

122 Lesson 11 HALO Step 4: Adding Cluster Members The following instructions describe how to add other systems to the cluster. 1. Add cluster members by clicking the Add/Remove button in the Cluster Management console. 2. Enter the Member hostname or IP Address, an optional name for the system, and the Admin login ID and password. Click the Add or Update Member button to add the system. 3. When systems are added to a cluster, the configuration of the Cluster Console system is replicated automatically to the new cluster member. This process will take some time to complete, and a progress bar will appear showing that the cluster member is initializing. Caution: It is critical that no other configuration changes are made to the cluster member or cluster Master while the cluster member is initializing. 122

123 Lesson 11 HALO When a system is added to the cluster, the configuration of the Cluster Console is replicated to the new node with the following exceptions: Specific network and hardware related settings such as host name and IP address Users and any BorderPost related information Any reporting related information Centralized management information STA databases Vacation related information is only partially replicated 4. When the initialization of the member is complete, the Cluster Management console will appear, showing both the Cluster Console and the new cluster member. 123

124 Lesson 11 HALO Cluster Management The Cluster Management screen, shown below, is accessed on the Cluster Console via HALO Cluster Administration, and shows mail processing statistics for each individual cluster member. All cluster management and configuration must be performed from the Cluster Console system only. Any configuration changes made to the Cluster Console are automatically replicated to the cluster member servers. Add members and configure startup options Cluster Console Mail queue utilities These commands apply to all cluster members. Last replication time Examine queue activity Cluster member Mail queue utilities Examine queue activity for each cluster member 124

125 Lesson 11 HALO Queue Replication The Queue Replication feature enables mail queue replication and stateful failover between two eprism systems. In the event that the primary owner of a mail queue is unavailable, the mirror system can take ownership of the mirrored mail queue for delivery. Without queue replication, a system with received and queued messages that have not been delivered may result in lost mail if that system suddenly fails. In large environments, this could translate into hundreds or thousands of messages. Queue replication actively copies any queued mail to the mirror system, ensuring that if one system should fail or be taken offline, the mirror system can take ownership of the queued mail and deliver it. If the source system successfully delivers the message, the copy of the message on the mirror server is automatically removed. In the following diagram, system A and system B are configured to be mirrors of each other s mail queues. When a message is received by system A, it is queued locally, and a copy of the message is also immediately sent over the failover connection to the mirror queue on system B. If system A fails, you can go to system B and take ownership of the queued mail to deliver it. Messages are exchanged between the systems to ensure that the mirrored mail queues are properly synchronized, which prevents duplicate messages from being delivered when a failed system has come back online. System A System B Failover Link Queue Replication Mirrors queued mail for system B Mirrors queued mail for system A 125

126 Lesson 11 HALO Configuring Queue Replication 1. Select HALO Queue Replicator from the menu to configure queue replication. 2. Select the checkbox to enable queue replication on this system. Replication must be enabled on both the host and client systems in the Basic Config Network screen. 3. Select Basic Config Network from the menu, and then scroll down to the Queue Replication section. 126

127 Lesson 11 HALO 4. Select the checkbox to enable queue replication on this system. This will allow another system to backup its mail queue on this system. 5. Specify the IP address of the system that will be backing up mail for this eprism in the Replication Host field. 6. Specify the IP address of the system that will be backing up its mail queue to this eprism in the Replication Client field. 7. Select the network interface to use for queue replication. Importing and Processing Mirrored Messages If you have two systems that are mirroring each other s mail queues and one of those systems fails, you must go to the mirror server and import and deliver the mirrored mail to ensure that it is processing and delivered. Deliver mirrored messages as follows: 1. Ensure that the source server has failed. Before importing any mirrored mail, you must ensure that the source server is not working. If you import and process the mirrored mail on the mirror server, this may result in duplicate messages if the source server starts functioning again. 2. On the mirror server, select Mail Delivery Queue Replicator from the menu. 3. You may wish to view the current mirrored my mail by clicking the Review button. 4. Click the Deliver button. This will take ownership of any queued mail mirrored from the host server, and process and deliver it. 127

128 Lesson 11 HALO PROJECTS 1. Configure a cluster of two eprism systems. 2. Enable Queue Replication between two eprism systems. Test it by unplugging one system, and the delivering any existing queued mail from the mirror system. 128

129 Lesson 11 HALO NOTES 129

130 Lesson 11 HALO 130

131 Lesson 12 System Management Lesson 12 System Management This lesson describes how to administer and manage the eprism Security Appliance, and contains the following topics: Status and Utility Mail Queue Quarantined Mail Centralized Management Tiered Administration 131

132 Lesson 12 System Management Status and Utility The Management Status & Utility screen provides the following information: A snapshot of the system status, including information on uptime, load average, amount of swap space, current date and time, disk usage, RAID status, NTP status, and anti-virus pattern file status. The bottom of the screen also provides configuration information. Controls to start and stop the mail systems and flush the mail queues. DNS lookup function, which is useful for resolving delivery problems related to DNS. Status From the Status screen, you can view a number of system statistics such as the total system Uptime, load average, the amount of used swap and disk partition space, RAID status, NTP server status, and Anti-Virus pattern update status. 132

133 Lesson 12 System Management Utility Functions The Utility Functions allow you to control the following system services: Stop/Start Mail Services You can stop or start all mail services by clicking on the Mail System Control option. Disable/Enable Sending and Receiving Alternately, you can also enable or disable only the Receiving or Sending of mail by clicking the appropriate button. This is useful if you only want to stop the processing of mail in one direction only. For example, you may want to turn off the sending of mail to troubleshoot errors with SMTP delivery, while still being able to receive incoming mail. Flush Mail Queue The Flush Mail Queue button is used reprocess any queued mail in the system. Current Admin and WebMail Users This section of the Status & Utility screen allows you to see who is logged in via the admin interface, or through a WebMail session. Note: If you are using clustering, an admin login may show up several times on the list because of additional RPC calls related to clustering communications. 133

134 Lesson 12 System Management Configuration Information The configuration information screen shows you important system information, such as the current version of the system software, the time it was installed, and licensing and hardware information. 134

135 Lesson 12 System Management Mail Queue The Mail Queue screen contains information on mail waiting to be delivered. You can search for a specific mail message using the search function. Messages that appear to be undeliverable can be removed by selecting them and then clicking the Remove button. The mail queue can also be flushed by clicking the Flush Mail Queue button. Quarantined Mail The quarantine folder contains messages that have been blocked because of a virus, malformed message, or an illegal attachment. View the details of a message by clicking on its ID number. Remove the message from quarantine by clicking the Remove button. Quarantined messages can also be forwarded to their original destination by clicking the Forward to Original Recipient button. 135