Filter. SurfControl Filter 5.0 for SMTP Administrator's Guide. The World s #1 Web & Filtering Company

Transcription

1 Filter SurfControl Filter 5.0 for SMTP Administrator's Guide The World s #1 Web & Filtering Company

2 CONTENTS NOTICES... I Notices...ii Comments on this Guide?...ii Technical Support...iii SurfControl Sales...iii INTRODUCTION...1 In This Chapter...2 About SurfControl Filter...3 What s New in Version FINDING YOUR WAY AROUND...7 In This Chapter...8 How Filter Works...9 Filter Core Components Filter Services...11 Launching SurfControl Filter...12 Launching Filter Components...13 SETTING UP FILTER...15 In This Chapter...16 Connecting to a Different Filter Server...16 Adding An Filter Server...17 Editing Server Details...18 Selecting an Server...19 Disconnecting from An Filter Server...19 Launching Server Configuration...20 Configuration Workflow...21 Configuring the Receive Service...22 General Receive Service Settings...22 Receive Service Configuration...24 Pre-Screening...29 Configuring the Rules Service...53 Rules Service Properties...53 Rules Service Configuration...55 Queue Management...56 Configuring the Send Service...65 Send Service General Settings...66 Connections...67 Routing...69 Smart Host Routing...74 Requeuing...77 SurfControl Filter for SMTP 5.0 Administrator s Guide 1

3 Configuring The Administration Service...80 Administration: Properties...80 Configuring Administrators...81 Configuration Complete...86 Backing up your Server Configuration...86 MONITORING In This Chapter...88 Launching the Monitor...88 Parts of the Monitor Window...89 Service Panes...90 The Server Status Panes...93 Queue Statistics and Status Bar...95 QueueView...96 Launching QueueView...96 QueueView Window...97 Deleting a Queued or Dead WORKING WITH RULES In This Chapter Launching the Rules Administrator Rules Administrator Window Rules Pane Rules Object Pane How Filter Uses Rules Rules Objects Building a Rule Connecting Rules Objects Enabling a Rule Deleting A Rule Positioning of Rules Moving rules around Pre-defined Rules Rule Groups Exporting Rules Importing Rules Configuring the Rules Administrator Configuring Dictionary Scanning Configuring Password Protected Archives Configuring Document Decomposition Configuring HTML Parsing RULES OBJECTS In This Chapter Adding A Rule Object to a Rule Reverse Logic Administrator s Guide SurfControl Filter for SMTP 5.0

4 Who Objects From Users and Groups Configuring The From Users and Groups Object Configuring an LDAP Connection Testing the LDAP Connection Inbound / Outbound Mail Object Configuring the Inbound / Outbound Mail Object To Users and Groups Configuring The To Users and Groups Object What Objects Anti-Spam Agent Object Anti-Spam Agent Tools Configuring the Anti-Spam Agent Object Updating the Anti-Spam Agent Object Anti-Virus Agent Configuring the Anti-Virus Agent Object The Pre-configured Anti-Virus Agent Rule Updating the Anti-Virus Agent Anti-Virus Scanning Object Configuring the Anti-Virus Scanning Object Multiple Scans Avoiding Conflicts with Third-Party AV Products Dictionary Threshold Object Configuring the Dictionary Threshold Object External Program PlugIn Object Configuring the External Program Plugin Object File Attachment Object Configuring the File Attachment Object Illegal MIME Format Configuring the Illegal MIME Format Object LexiMatch Object Configuring the LexiMatch Object Loop Detection Object Configuring the Loop Detection Object Message Size Object Configuring the Message Size Object Number of Recipients Object Configuring the Number of Recipients Object URL Category List Object Configuring the URL Category List Object Virtual Image Agent Object Configuring the VIA Object The Virtual Learning Agent Object Configuring the VLA Object When Object Configuring the When Object Operations Objects SurfControl Filter for SMTP 5.0 Administrator s Guide 3

5 Archive Message Configuring the Archive Message Object Compress Attachments Objects Configuring the Compress Attachments Object Footers and Banners Object Configuring the Footers and Banners Object Header Modification Object Configuring the Header Modification Object HTML Stripper Configuring the HTML Stripper Object Routing Object Configuring the Routing Object Strip Attachments Object Configuring the Strip Attachments Object Notify Objects Blind Copy Object Configuring the Blind Copy Object Notification Object Configuring the Notification Object Actions Objects Allow Object Configuring the Allow Object Delay Message Object Configuring the Delay Message Object Discard Message Object Configuring the Discard Message Object Isolate Message Object Configuring the Isolate Message Object MESSAGE ADMINISTRATOR In This Chapter Launching the Message Administrator The Message Administrator Window Configuring Message Administrator Launching Message Administrator Options General Tab Messages Tab File Types Tab HTML Viewer Tab Columns Tab The Message Toolbar The Queues and Logs Panel The Message List Panel Arranging Columns Quick Search using the Shortcut Menu The Message Parts Panel Viewing Decomposed Messages Administrator s Guide SurfControl Filter for SMTP 5.0

6 The Message Contents Panel Examining Messages Analyzing Messages Working with Queues Working with Queues on Multiple Servers Forwarding a Copy of the Selected Message Using Logs Using Queues and Logs with Multiple Servers DICTIONARY MANAGEMENT In This Chapter Launching Dictionary Management The Dictionary Management Window Adding a Dictionary Adding Words to a Dictionary Editing Dictionary Words Deleting Words From A Dictionary Deleting a Dictionary Importing Dictionaries Importing a SurfControl Dictionary Pack Importing a Unicode Text File Exporting Dictionaries Exporting a Dictionary as a Dictionary Pack Exporting a Dictionary as a Unicode File SCHEDULER In This Chapter Launching the Scheduler Scheduler window Scheduled Events Scheduling Anti-Virus Agent Updates Scheduling Anti-Spam Agent Updates Scheduling URL Category Updates Scheduling Queue Synchronization Scheduling Database Management Tasks Purging the Database Archiving the Database Shrinking the Database REPORTING In This Chapter Installing Report Central Allocating memory to the tembdb transaction log Logging On for the First Time Remote Access SurfControl Filter for SMTP 5.0 Administrator s Guide 5

7 System requirements for remote access Getting Started With Report Central Launching SurfControl Report Central Finding your way around Configuration Options Setting up Users Specifying logon details Specifying user permissions Specifying Report permissions Changing User Details Specifying a Mail Server Databases Connecting to a Different Database Resolving Database Memory Issues Increasing Memory to the Java Virtual Machine Increasing the TempDB Transaction File Archiving / Deleting Reports Enabling report archiving / deletion Deleting reports Archiving reports Reporting Standard Reports Rules Reports Traffic Statistics Reports Setting up Reports Selecting a report Specifying report criteria Specifying Running Options Schedule Options Generating Reports Saving Reports Public Folder Private Folder Sub-Folders Completed Reports REMOTE ADMINISTRATION In This Chapter Administration Client Web Administrator Launching Web Administrator Launching Web Administrator Locally Launching Web Administrator From a Remote Location Message Administrator Dictionary Management Adding a Dictionary Adding Words to a Dictionary Administrator s Guide SurfControl Filter for SMTP 5.0

8 Viewing Logs Remotely PERFORMANCE MONITORING In This Chapter Windows Performance Monitoring VIRTUAL LEARNING AGENT In This Chapter Workflow Before You Begin Starting the VLA Training Wizard VLA Tutorial Training File Keywords Counter Category Trivial Words DATABASE TOOLS In This Chapter Launching Database Tools Configuration Database Backing up the Configuration Database Restoring the Configuration Database Log Database Creating a New Log Database Archiving the Log Database Restoring an Archived Log Database Deleting a Log Database Truncating the Log Database Transaction Log SQL User Management Creating a New SQL User Account Changing the Password on a SQL User Account Deleting a SQL / MSDE Account Managing Database Authentication APPENDIX A Anti-Spam Agent Categories & Criteria Core / Liability Categories Productivity Categories APPENDIX B Supported File Types File Attachments Object Document Decomposition APPENDIX C Anti-Virus Return Codes SurfControl Filter for SMTP 5.0 Administrator s Guide 7

9 APPENDIX D Editing Autoreply.txt APPENDIX E Third-Party Reporting Database Schema SMTP Relationships System Log Relationships Message Relationships Administrator s Guide SurfControl Filter for SMTP 5.0

10 Chapter 2 Notices

11 2 NOTICES NOTICES Copyright 2004 SurfControl plc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior permission of the copyright owner. This product includes software developed by the Apache Software Foundation ( This product contains work based on the wvware program, which is licensed under the Free Software Foundation General Public License. This product incorporates code from GoAhead Software Inc., Copyright 2003 GoAhead Software, Inc. All Rights Reserved. SurfControl is a registered trademark, and SurfControl and the SurfControl logo are trademarks of SurfControl plc. All other trademarks are property of their respective owners. COMMENTS ON THIS GUIDE? You can view updated documentation and support information at Was this guide helpful? us at documentation@surfcontrol.com to suggest changes or make a correction. Version 5.0, printed June 2005 ii Administrator s Guide SurfControl Filter for SMTP 5.0

12 NOTICES 2 TECHNICAL SUPPORT For the latest support information on SurfControl products, visit Read the Top Issues - This page has a quick list that covers the most common support issues with the SurfControl products. If your problem is here, you will have an immediate answer. Search our Knowledge Base - our new, constantly updated Knowledge Base contains articles, FAQs and glossary items to answer your questions about all SurfControl products. If your question or problem cannot be answered by the Top Issues or is not in the Knowledge Base, fill out an Online Support Request Form Telephone Support - If you would like to speak with a Technical Support Representative, our excellent SurfControl Technical Support is just a phone call away. SURFCONTROL SALES For product and pricing information, or to place an order, contact SurfControl. To find your nearest SurfControl office, please visit our Website. SurfControl Filter for SMTP 5.0 Administrator s Guide iii

13 2 NOTICES iv Administrator s Guide SurfControl Filter for SMTP 5.0

14 Chapter 1 Introduction In This Chapter page 2 About SurfControl Filter page 3 What s New in Version 5.0 page 4

15 1 INTRODUCTION IN THIS CHAPTER This chapter introduces SurfControl Filter and its features. 2 Administrator s Guide SurfControl Filter for SMTP 5.0

16 INTRODUCTION 1 ABOUT SURFCONTROL FILTER SurfControl Filter is a server-based software solution that enables you to implement an Acceptable Usage Policy for within your organization. SurfControl Filter does this by scanning the content, sender, destination, attachments and size of all to and from the Internet then applying rules that you have established to support your Policy. The Rules Administrator makes it easy to configure rules that exactly match your requirements. Properties are added to the rules using a simple drag and drop technique which though requiring careful planning initially is then easy to set up and apply. If a message triggers a rule then the Filter can selectively allow, isolate, delay or discard the message. Other options include Add a Footer, Blind Copy an Administrator / Manager, reply to the sender and notify the recipient. You can also have a message sent to an archive file for future reference. The action taken is defined by the rules that you set up and configure. Further information about developing an Acceptable Usage Policy for your business can be found on our website at SurfControl Filter for SMTP 5.0 Administrator s Guide 3

17 1 INTRODUCTION WHAT S NEW IN VERSION 5.0 Table 1 describe the advancements in functionality that version 5.0 delivers. Table 1 New Features in version 5.0 Feature Advanced Anti-Spam Protection Enhanced Anti-Spam Agent Directory Harvest attack detection Web Threat Protection What it does Digital Fingerprinting, Heuristics, Neural Net, and LexiRules provide industry-leading anti-spam effectiveness with zero administration cost. Prevents spammers stealing your addresses by brute-force attacks. URL Category List Protects against the inappropriate and fraudulent Web links in e- mails. Confidential Data Protection Expanded Dictionaries support Easier Virtual Learning Agent Includes 10 pre-packaged language packs, including: English, French, Spanish, Dutch, Italian, German, Portuguese, Japanese, Chinese Traditional, and Chinese Simplified. Uses adaptive reasoning technology tool to understand and protect your confidential data. Improved Security Denial of Service protection Detects and manages suspicious SMTP connections and offers fine-tuning of all SMTP connections, internal and external. Secure Remote Access Locks down remote administration by user logon. Expanded Scalability Unlimited Connection Threads Pipelining and Chunking (esmtp) LDAP Organizational Units Easier Administration Grouping of Rules Expanded Filtering in Rules Supports unlimited simultaneous connections, scaling up to meet requirements of the most demanding mail gateways. Significantly improves mail throughput between mail servers that support these commands, such as MS Exchange and Lotus Domino. Tailors message-processing rules based on organizational structures already defined in LDAP. Organize your rules by the type of threats being managed. The default ruleset includes anti-spam, network security, and other useful groupings. Supports inbound/outbound Who functionality, filtering of PDF, TNEF, and RTF, and supports Office 2003 and Web Archive formats. 4 Administrator s Guide SurfControl Filter for SMTP 5.0

18 INTRODUCTION 1 Table 1 New Features in version 5.0 Feature Redesigned Server Configuration notifications of failed events Report Central Single Management Console What it does Offers more powerful way to configure any server and view settings by service. Instant awareness that any scheduled event has not been successful. Provides web-based reporting of filtering activity, with ability to lock down reporting access by user. Allows easy administrative access to each SurfControl server within the organization, providing a single portal view of multiple SurfControl & Web Filter deployments. SurfControl Filter for SMTP 5.0 Administrator s Guide 5

19 1 INTRODUCTION 6 Administrator s Guide SurfControl Filter for SMTP 5.0

20 Chapter 2 Finding Your Way Around In This Chapter page 8 How Filter Works page 9 Launching SurfControl Filter page 12 Launching Filter Components page 13

21 2 FINDING YOUR WAY AROUND IN THIS CHAPTER This chapter explains how SurfControl Filter works, and the basics of navigating around the product. 8 Installation Guide, rev 1.0 SurfControl Filter 5.0 for SMTP

22 FINDING YOUR WAY AROUND 2 HOW FILTER WORKS Figure 1 shows how a message is processed by Filter: Figure 1 The filtering process SurfControl Filter 5.0 for SMTP Installation Guide 9

23 2 FINDING YOUR WAY AROUND FILTER CORE COMPONENTS There are three core components that you will use to manage Table 1 Filter Core Components Component What it does Find out more Message Administrator Monitor Rules Administrator The Message Administrator displays isolated s so that you can release, move or delete them. It also shows the activity logs. The Monitor shows the progress of s through SurfControl Filter in real time. Use the Rules Administrator to set up rules to meet the needs of your Acceptable Use Policy. See Message Administrator on page 255. See Monitoring on page 87. See Working with Rules on page 101. and Rules Objects on page 131 As well as the three core components, Filter contains the following additional components which enhance Filter s capabilities. Table 2 Additional Components Component What it does Find out more Dictionary Management Dictionaries are used in rules to detect particular kinds of content use the Dictionary Management tool to configure Dictionaries to suit your needs. See Dictionary Management on page 281. Scheduler Queue View Virtual Learning Agent (VLA) Web Administrator Use the Scheduler to automate tasks such as: Anti-Spam Agent, URL Category List and Anti-Virus Agent updates. Database Maintenance Queue Synchronization Queue View displays information about messages currently held in queues. The VLA is a unique tool that you can train to understand and detect specific content. Use the Web Administrator to Manage isolated s View logs Manage dictionaries from a remote location. See Scheduler on page 301. See QueueView on page 96. See In This Chapter on page 390. See Web Administrator on page Installation Guide, rev 1.0 SurfControl Filter 5.0 for SMTP

24 FINDING YOUR WAY AROUND 2 FILTER SERVICES SurfControl Filter s functionality is managed by four software services: Receive Service Rules Service Send Service Administration Service The services fit together like this: Figure 2 Flow of through Filter Services. You can stop or start any of the services see page 12. SurfControl Filter 5.0 for SMTP Installation Guide 11

25 2 FINDING YOUR WAY AROUND LAUNCHING SURFCONTROL FILTER From the Start Menu, select Programs SurfControl Filter, then select the Filter component you want to launch. Figure 3 Launching Filter When Filter is running, you will see the following icon in the system tray: If you right-click the icon, a menu will display from which you can launch any of the Filter Components and stop and start the services: 12 Installation Guide, rev 1.0 SurfControl Filter 5.0 for SMTP

26 FINDING YOUR WAY AROUND 2 LAUNCHING FILTER COMPONENTS When you launch one Filter component you can launch a selection of other components from within the application. If you can launch a component, you will see the icon for it on the toolbar: Table 3 Launching Filter Components Component Dictionary Management Icon Message Administrator Monitor Queue View Rules Administrator Scheduler Virtual Learning Agent (VLA) Web Administrator SurfControl Filter 5.0 for SMTP Installation Guide 13

27 2 FINDING YOUR WAY AROUND 14 Installation Guide, rev 1.0 SurfControl Filter 5.0 for SMTP

28 Chapter 3 Setting Up Filter In This Chapter page 16 Connecting to a Different Filter Server page 16 Launching Server Configuration page 20 Configuration Workflow page 21 Configuring the Receive Service page 22 Configuring the Rules Service page 53 Configuring the Send Service page 65 Configuring The Administration Service page 80 Configuration Complete page 86

29 3 SETTING UP FILTER IN THIS CHAPTER This chapter explains how to connect to SurfControl Filter, and how to configure the Receive, Rules and Send services so that is filtered correctly. CONNECTING TO A DIFFERENT FILTER SERVER If you have more than one server running Filter, you can choose which of these servers you want the Monitor to connect to. For example you can view the activity taking place on server A using an instance of Filter installed on server B. Server B can be running either a full install or just the Filter Administration Client. You can manage your Filter Server connections from any of the following Filter components: Monitor Message Administrator Rules Administrator Dictionary Management 16 Administrator s Guide SurfControl Filter for SMTP 5.0

30 SETTING UP FILTER 3 ADDING AN FILTER SERVER If you want monitor activity taking place on another server, you need to add its connection details to the list of available servers. To add a new server to the list, follow procedure 1 Procedure 1: Adding an Server Step Action 1 From any of the Filter components listed above, select File > Select Server > Add New The Add a New Server dialog will display. 2 In the Server Name field, enter the name of the server whose traffic you want to monitor. Alternatively, click Browse to navigate to a server. 3 Enter the user name and password for accessing the server. 4 Enter the connection port for the mail server you want to add. This is the port used by the Administration Service. 5 Click OK to confirm your changes. Filter will automatically try to monitor activity on the server you have added. If it fails to do this, check that you have entered the server details correctly. SurfControl Filter for SMTP 5.0 Administrator s Guide 17

31 3 SETTING UP FILTER EDITING SERVER DETAILS You can change the details of a mail server that you have added to the list: Procedure 2: Editing Server Details Step Action 1 From any of the Filter components listed on page 16, select File > Select Server > Edit. The Select Server dialog will display. 2 Select the server whose details you want to edit. 3 Click OK. The Edit Server dialog will display. 4 You can change the user name, password and connection port. You cannot change the server name. When you have made your changes click OK. 18 Administrator s Guide SurfControl Filter for SMTP 5.0

32 SETTING UP FILTER 3 Procedure 3: Selecting a Server Step Action SELECTING AN SERVER When you add a server, it is displayed on the Select Server menu so that you can select it: 1 From any of the Filter components listed on page 16, select File > Select Server 2 The available servers are displayed on the Select Server menu. The current server is marked with a check. 3 Select the server you want to connect to 4 Filter will attempt to monitor activity on that server. If the connection fails, check that the server details are correct. DISCONNECTING FROM AN FILTER SERVER To disconnect from the server you are currently connected to, select File > Disconnect from Server. activity taking place on that server will no longer be displayed in Filter. SurfControl Filter for SMTP 5.0 Administrator s Guide 19

33 3 SETTING UP FILTER LAUNCHING SERVER CONFIGURATION To open the Server Configuration console, launch the Monitor, then select File Server Configuration. Alternatively, click the Server Configuration icon on the Monitor toolbar. The Server Configuration console looks like this: Each branch of the console tree controls a group of Server Configuration settings When you select a branch the settings display in the right hand pane of the console. Figure 1 Server Configuration console 20 Administrator s Guide SurfControl Filter for SMTP 5.0

34 SETTING UP FILTER 3 CONFIGURATION WORKFLOW To set up Filter correctly, you need to configure each of the four Services. Some of the Services have more than one group of configuration settings, over a series of branches. Table 1 shows how the Server Configuration console is structured, which branches relate to which Service, and where to find out more about each one. Table 1 Configuration tasks Service Branch Sub-branch Find out more Receive service General settings page 22 Configuration SMTP settings page 24 Connections page 27 Pre-Screening Protected Domains page 30 Trusted IPs page 33 Blacklist page 37 Reverse DNS Lookup page 42 Realtime Black hole List page 45 (RBL) Directory Harvest detection Denial of Service detection Remote User Authentication page 47 page 50 page 51 Rules service General settings page 53 Configuration page 55 Queue Management page 56 Send service General settings page 66 Connections page 67 Routing page 69 Smart Host Routing page 74 Requeuing scheme page 77 Administration Properties page 80 Configuration page 81 SurfControl Filter for SMTP 5.0 Administrator s Guide 21

35 3 SETTING UP FILTER CONFIGURING THE RECEIVE SERVICE The Receive service accepts SMTP traffic on port 25 and checks each against a series of pre-screening criteria. If the message passes these checks, Filter accepts the message and hands it over to it to the Rules Service for further processing. It is important to configure the Receive Service correctly to keep your system running efficiently and securely, and to maintain the flow of legitimate . GENERAL RECEIVE SERVICE SETTINGS The General Receive Service Settings branch looks like this: Figure 2 Receive service: General settings Received mail drop-off folder When an has passed the pre-screening checks, Filter accepts the message and deposits it in the Received mail drop-off folder (also called the In folder). By default the path of the Received mail drop-off folder is: C:\Program Files\SurfControl Filter\In\ You can enter a different path, or click Browse to choose another location. 22 Administrator s Guide SurfControl Filter for SMTP 5.0

36 SETTING UP FILTER 3 Logging The Logging options control where details of messages handled by the Receive service are recorded. Check the boxes to enable the logging you want you can select any or all of the following three options: Table 2 Logging options Logging Option Real-time console System log Traffic log What it does Details of incoming messages will display in the Receive console of the Monitor. For more information about the Monitor consoles, see Service Panes on page 90 System events related to incoming mail, such as the sending of notification messages will be displayed in the System log in Message Administrator. See Using Logs on page 279. Information about each incoming mail message will be displayed in the Traffic Log in Message Administrator. See Using Logs on page 279. SurfControl Filter for SMTP 5.0 Administrator s Guide 23

37 3 SETTING UP FILTER RECEIVE SERVICE CONFIGURATION The Receive Service Configuration branch has two sub-branches: SMTP Settings Connections SMTP Settings The SMTP Settings affect how Filter receives incoming for filtering. The SMTP Settings branch looks like this: Figure 3 SMTP Settings 24 Administrator s Guide SurfControl Filter for SMTP 5.0

38 SETTING UP FILTER 3 Table 3 shows the options for SMTP Settings. Table 3 SMTP Settings Field Receive Service SMTP Port Computer Name Telnet SMTP Greeting Description The port used by Filter to receive SMTP traffic. This is displayed in the Receive Service SMTP Port. You can change the port by entering a different port number here. You can specify which computer name the Receive service uses in its greeting when it receives a connection: Windows Computer Name The Receive service will use the fully-qualified primary domain name of the computer where Filter is installed. Specify Computer Name The Receive service will use the computer name you specify. You can use any commonly accepted form of host name, for example the domain name or the IP address. By default Filter will use the Windows Computer Name. The SMTP greeting is the greeting which is sent to a remote computer when it initiates a connection by sending a HELO or EHLO command. By default, the SMTP greeting is: 220 [server name].[domain name] You can add to this text so that the SMTP greeting consists of the default text plus any additions. You can use the SMTP greeting text to communicate your organization s policy on how that mail server can be used. For example if you do not allow the mail server to be used as a relay host you can warn mail clients not to try to relay mail through your server. SurfControl Filter for SMTP 5.0 Administrator s Guide 25

39 3 SETTING UP FILTER To change any of these settings, follow procedure 4: Procedure 4: Changing the SMTP settings Step Action Changing the Receive Service SMTP Port 1 To change the Receive Service SMTP Port, enter a different port number in the box. Make sure that the port is not being used by another service. Changing the Computer Name 1 Select Specify Computer Name. 2 Enter the computer name of the server where Filter is installed Customizing the Telnet SMTP Greeting 1 Select Customize. The Customize Greeting Text dialog will display. 2 Enter the Telnet SMTP greeting you want to use. This will display under the default greeting. Note: You can t delete or edit the default greeting text. When a HELO or EHLO command is received all the text visible in the box will be sent as a greeting. 3 Click OK to close the Customize Greeting Text dialog. When you have made your changes, click OK on the Server Configuration console. 26 Administrator s Guide SurfControl Filter for SMTP 5.0

40 SETTING UP FILTER 3 Connections The Connections settings affect how many connections The Receive service can accept, and how much incoming it can process at any one time. It is important to set these limits at appropriate levels for your system s capacity so that your network does not accept more connections than it has the resources to cope with. The Connections branch looks like this: Figure 4 Connections settings SurfControl Filter for SMTP 5.0 Administrator s Guide 27

41 3 SETTING UP FILTER Table 4 shows the connections that you can limit. Check the checkboxes of the limits you want to set. If a box is not checked filter will not limit the number of connections. Table 4 Connection options Option Description Default Maximum Connection Settings Maximum active inbound connections Limit maximum connections for each trusted IP address Limit maximum connections for each non-trusted IP address Idle connection timeout Data Size Limit maximum message size Limit maximum data per connection SMTP Options Limit maximum messages per connection The total number of incoming connections that Filter will accept at any one time. Limit the number of connections Filter will accept from the IP addresses on the Trusted IPs List. See Trusted IPs (Relay Sources) on page 33. If you set a limit here, the number must be less than or equal to the maximum number of active inbound connections. Limit the number of connections from IP addresses not on the trusted IP addresses list. If you set a limit here, the number must be less than or equal to the maximum number of active inbound connections. The number of seconds the receive service will wait to receive data before terminating the connection. Limit the size (in MBytes) of inbound messages that Filter will accept. Limit the total amount (in MBytes) of data that Filter will accept in a single connection. Limit the total number of s that Filter will accept in a single connection MB MB Administrator s Guide SurfControl Filter for SMTP 5.0

42 SETTING UP FILTER 3 PRE-SCREENING You can add an extra layer of protection against unwanted s by setting up Pre-Screening. The Pre-screening branch controls which connections Filter will accept, which means you can automatically drop connections from untrustworthy sources and control incoming , even before filtering takes place. The Pre-Screening branch has eight sub-branches: Protected Domains Trusted IPs (Relay Sources) Blacklist Reverse DNS Lookup Realtime Blackhole List (RBL) Directory Harvest detection Denial of Service detection Remote user authentication SurfControl Filter for SMTP 5.0 Administrator s Guide 29

43 3 SETTING UP FILTER Note: There must always be at least one domain on the Protected Domains list. Protected Domains The Protected Domains branch is where you identify the domains for which you want to be filtered, and for which Filter will accept . When you installed Filter, you entered the primary domain name, but if your network has more than one domain (for example mycompany.co.uk and mycompany.com,) you must enter the others so that they can send and receive e- mail. To add a protected domain, follow procedure 5. Procedure 5: Adding a Protected Domain Step Action 1 On the Server Configuration console, select Receive Service > Pre-Screening > Protected Domains. 2 You will see the Protected Domains options displayed in the right hand pane of the console. 3 Click Add 4 The Protected Domain Properties dialog will display. 5 In the Domain Name field enter the name of the domain you want Filter to accept for, e.g. mycompany.co.uk The Administrator Address field will fill in automatically as Postmaster@ the domain you specify: e.g. Postmaster@mycompany.co.uk You can edit this address for example you could change it to admin@mycompany.co.uk 30 Administrator s Guide SurfControl Filter for SMTP 5.0

44 SETTING UP FILTER 3 You can also edit the details of a protected domain: Procedure 6: Editing a protected domain Step Action 1 Select the domain you want to change. 2 Click Edit The Protected Domain Properties dialog will display. 3 Make your changes to the Domain Name or Administrator s Address by typing in the fields. You can also delete a domain from the protected domain list so that Filter will no longer accept for that domain. Procedure 7: Deleting a protected domain Step Action 1 Select the domain you want to delete from the list. 2 Click Delete. You will be asked to confirm your choice. 3 Click OK. The domain will be removed from the list and Filter will no longer accept for that domain. Warning: Filter does not check the Protected Domains list for duplicate entries on the Blacklist. Make sure you do not add the protected domain to the blacklist or s to the protected domain will be rejected. SurfControl Filter for SMTP 5.0 Administrator s Guide 31

45 3 SETTING UP FILTER Warning: Disabling Anti-Spoofing makes it possible for spammers to send spoofed s into your organization. Anti-Spoofing Sometimes spammers use a technique called spoofing to fake their From: address so that their messages appear to be from a protected domain. By default SurfControl Filter will block these messages. Filter can examine and authenticate the IP address of all incoming mail, and reject messages that cannot be authenticated. If you do not enable this function, messages from the protected domain will be accepted, without examining the From address. If your organization includes users who send mail from the protected domain from an unlisted IP address (for example dial-up users) you should set up SurfControl Filter to authenticate addresses using Receive Service Remote User Authentication. This will allow legitimate mail from these users to get through, while still denying messages from fraudulent addresses. See Remote User Authentication on page 51 for information about how to set up remote users. By default Anti-Spoofing is enabled. SurfControl recommends that you keep it enabled. Anti-Relay Protection Spammers may attempt to relay messages via your mail server using old-style routing techniques. These routing techniques are not commonly used any more but may still be recognized by your mail server. SurfControl Filter can detect various routing relay techniques and deny e- mails that have been forwarded or routed using one of the following routing methods: Table 5 Routing relay techniques Relay Method Bang routing Quoted routing Source routing Percent hack routing Example user%@domain1.com@domain.com If you do not deny Source Routing, SurfControl Filter will strip any additional routing information from the incoming message, so a message would be delivered as user@company.com 32 Administrator s Guide SurfControl Filter for SMTP 5.0

46 SETTING UP FILTER 3 Procedure 8: Changing the Anti-Spoof / Anti-Relay Settings Step Action 1 In the Server Configuration console, navigate to the Protected Domains branch. 2 Click Advanced. The Anti-Spoof settings will display. 3 By default, all anti-spoofing and anti-relay protection options are enabled. To disable an option, uncheck the box. SurfControl recommends you keep all options selected to protect your system. 4 Click OK. Trusted IPs (Relay Sources) Trusted IPs are IP addresses of mail servers that are allowed to send to and / or from the protected domain. You should include details of all the mail servers in your organization for which you want to filter . The purpose of the Trusted IP list is to identify: The IP addresses of the protected domains The IP addresses of any other nodes that need to access the protected domains from outside the network. SurfControl Filter for SMTP 5.0 Administrator s Guide 33

47 3 SETTING UP FILTER When you specify a Trusted IP, you also need to specify what can be relayed through that server by choosing a relay type. You can choose from the following: Table 6 Relay types Type Outbound Inbound Outbound and inbound Open relay Denied Description The mail server can send only to IP addresses outside the protected domain. Message sender: must be in the protected domain Message recipient: must be outside the protected domain The mail server can send only to IP addresses inside the protected domain. Message sender: must be outside the protected domain Message recipient: must be inside the protected domain. The mail server is allowed to send to any IP addresses (other than blacklisted ones). Message sender: can be inside or outside the protected domain. Message recipient: can be inside or outside the protected domain. One of these, either the sender or the recipient, must be inside the protected domain. The mail server is allowed to send to any other domain (including blacklisted domains) without any relay restrictions. Filter will accept any from the supplied IP address regardless of the domain name. Use with caution. The mail server is denied a connection to Filter and will therefore be unable to relay through it. In effect the mail server will be blacklisted for more information on blacklisting, see Blacklist on page 37. You can also specify that Filter will accept only from the Trusted IPs in the list. Select the Deny connections from all IP addresses not listed below checkbooks to deny connections from any IP address that is not on the list. 34 Administrator s Guide SurfControl Filter for SMTP 5.0

48 SETTING UP FILTER 3 To add a Trusted IP, follow procedure 9: Procedure 9: Adding a Trusted IP Step Action 1 In the Server Configuration console, navigate to the Trusted IPs branch. 2 Click Add to open the Edit Relay Source dialog. 3 Enter the IP address of the mail server for which you want to be filtered. 4 Select a Relay Type. See table 6 for more information. 5 When you have made your choice, click OK. Note: You cannot enter the same IP address twice. If you enter an IP address that is already on the list you will see the following error message: Duplicate entry, please try again You can also edit the details of a Trusted IP: Procedure 10: Editing a Trusted IP Step Action 1 In the Server Configuration console, navigate to the Trusted IPs branch. 2 Select the IP address you want to edit. 3 Click Edit to open the Edit Relay Source dialog. 4 Change the IP address and / or the Relay type. 5 Click OK. SurfControl Filter for SMTP 5.0 Administrator s Guide 35

49 3 SETTING UP FILTER To delete a Trusted IP, follow procedure 11. Procedure 11: Deleting a Trusted IP Step Action 1 In the Server Configuration console, navigate to the Trusted IPs branch. 2 Select the IP address you want to delete. 3 Click Delete. 4 You will be asked to confirm your choice. Click Yes to delete the IP address. When a mail client attempts to connect to Filter, the status of the connection is displayed in the Receive console of the Monitor. Table 7 shows some common status messages you may see and an example scenario to explain how each one might occur: Table 7 Receive service status messages Message The sender must be from a protected domain as its IP is in the Trusted Outbound list. The recipient must not be to a protected domain as the sender s IP is in the Trusted Outbound list. The sender must not be from a protected domain as the sender s IP is in the Trusted Inbound list. The recipient must be to a protected domain as the sender s IP is in the trusted Inbound list. Connection rejected deny connection for unknown [n.n.n.n] (sender in Deny Connection list). Deny from example@address.com IP n.n.n.n (Deny Connection list) Example Scenario The mail client s IP address has been added to the Trusted IPs list with a setting of Outbound. The Receive service has rejected the connection because the sender is not in the protected domain. The mail client s IP address has been added to the Trusted IPs list with a setting of Outbound. The Receive service has rejected the connection because the recipient is inside the protected domain. The mail client s IP address has been added to the Trusted IPs list with a setting of Inbound. The Receive service has rejected the connection because the sender is inside the protected domain, or is spoofed to appear to be from inside the protected domain. The mail client s IP address has been added to the Trusted IPs list with a setting of Inbound. The Receive service has rejected the connection because the sender has attempted to send an e- mail to an IP address outside the protected domain. The IP address has been added to the Trusted IP list with a setting of Denied. The mail client is prohibited from making a connection to the Receive service. The address example@address.com has been added to the Blacklist. The Receive service will reject any mail client trying to send an from example@address.com, unless the mail client s IP is added to the Trusted IP list with a setting of Open Relay. 36 Administrator s Guide SurfControl Filter for SMTP 5.0

50 SETTING UP FILTER 3 Note: To blacklist an IP address, enter it in the Trusted IPs (Relay Sources) list with a setting of Denied. See Trusted IPs (Relay Sources) on page 33. Blacklist If there are addresses or domains from which you do not want to receive s, you can add them to the Blacklist. This is an important step in preventing unwanted content because: The Receive service will reject the before the message content is transferred to your mail server. No hard disk space is wasted storing unwanted s. Fewer messages have to be processed by the Rules service, conserving system resources. Procedure 12: Adding an item to the blacklist Step Action 1 In the Server Configuration console, navigate to the Blacklist branch. 2 Click Add The Add / Edit deny list entry dialog will display. 3 Enter the domain or address you want to blacklist. In the Comment field you can enter a brief description of the item, or an explanation of why it is blacklisted. Note: The name of the domain and the comment must be less than 255 characters each. (Sheet 1 of 2) SurfControl Filter for SMTP 5.0 Administrator s Guide 37

51 3 SETTING UP FILTER Procedure 12: Adding an item to the blacklist Step Action 4 Click OK. You will see the blacklisted item displayed in the right pane of the console. (Sheet 2 of 2) Warning: Make sure you do not add the protected domain to the blacklist or e- mails to the protected domain will be rejected. 38 Administrator s Guide SurfControl Filter for SMTP 5.0

52 SETTING UP FILTER 3 If you have added a domain to the blacklist, but want filter to accept from individuals within that domain, you can exclude individuals from the blacklist. For example if your organization was pursuing a grievance with another organization, you might want to block all from that organization except for their legal department. Procedure 13: Excluding an item from the blacklist Step Action 1 In the Server Configuration console, navigate to the Blacklist branch. 2 Click Exclude. The Exclusions from the Blacklist dialog will display. 3 Click Add The SMTP List Entry dialog will display. 4 Enter the address you want to exclude from the blacklist. Note: The address must be less than 255 characters. 5 Click OK. SurfControl Filter for SMTP 5.0 Administrator s Guide 39

53 3 SETTING UP FILTER You can edit an item on the Exclude list follow procedure 14 Procedure 14: Editing an item on the Exclude list Step Action 1 In the Server Configuration console, navigate to the Blacklist branch. 2 Click Exclude. The Exclusions from the Blacklist dialog will display. 3 Select the item you want to Edit and click Edit The SMTP List Entry dialog will display. 4 Make your changes to the item and click OK. If you have added an item to the Exclude list and want to remove it, you can delete it from the exclude list follow procedure 15 Procedure 15: Deleting an item from the Exclude list Step Action 1 In the Server Configuration console, navigate to the Blacklist branch. 2 Click Exclude. The Exclusions from the Blacklist dialog will display. 3 Click Delete. You will be asked to confirm your choice. 4 Click Yes to delete the item. Filter will no longer accept from this IP address or address. 40 Administrator s Guide SurfControl Filter for SMTP 5.0

54 SETTING UP FILTER 3 Importing a Blacklist If you have a large number of domains or addresses you want to blacklist or exclude, you can create a text file containing all the items, and import it into Filter. The text file can contain both the items you want to blacklist, and the items you want to exclude from the blacklist. Follow procedure 16: Procedure 16: Importing a Blacklist Step Action Creating the text file 1 Create a new.txt file using any text editor. 2 In the.txt file, enter the domains or address you want to blacklist. Each item on the list must follow this format: type;domain or address;comment Each item on the list must begin on a new line. If you do not want to add a comment, leave a blank after the final semicolon. type is a numerical code to identify whether the item is a domain, an address or an address on the exclusion list: 0 = domain 1 = address 2 = address to be excluded from the blacklist Here are some example Blacklist entries: 0;yahoo.co.uk;internet mail 1;mailinglist.org.uk; known spammer 2;legitimat @mailinglist.org.uk; legitimate newsletter 3 When you have finished editing the file, save it. You can save it to any location that is accessible to the server where Filter is installed. However, saving it within the SurfControl Filter folder will save time as the import facility automatically looks there first. Importing the blacklist file 1 In the Server Configuration console, navigate to the Blacklist branch. 2 Select Import. 3 From the dialog box that opens, navigate to your saved blacklist file. 4 Select your saved blacklist file and click Open. 5 If the blacklist file has been imported into Filter successfully, you will see a confirmation message, and the list of blacklisted domains / addresses displayed in the right hand pane of the console. If the file does not import successfully, check that each entry has the correct syntax. SurfControl Filter for SMTP 5.0 Administrator s Guide 41