M1000, M2000, M3000 eprism User Guide

Preface 5

CHAPTER 1 eprism Overview 7
  What's New in eprism 5.0 8
  eprism Overview 10
  eprism Deployment 17
  How Messages are Processed by eprism 19

CHAPTER 2 Administering eprism 23
  Connecting to eprism 24
  Configuring the Admin User 28
  Web Server Options 31
  Customizing the eprism Interface 32

CHAPTER 3 Configuring Mail Delivery Settings 33
  Network Settings 34
  Static Routes 38
  Mail Routing 39
  Mail Delivery Settings 41
  Mail Aliases 46
  Mail Mappings 48
  Virtual Mappings 50

CHAPTER 4 Directory Services 53
  Directory Service Overview 54
  Directory Servers 56
  Directory Groups 58
  Directory Users 61
  LDAP Aliases 65
  LDAP Mappings 67
  LDAP Recipients 69
  LDAP Relay 71
  LDAP Routing 74

CHAPTER 5 Configuring Email Security 77
  SMTP Mail Access 78
  Anti-Virus 80
  Malformed Messages 83
  Attachment Control 85
  SPF (Sender Policy Framework) 88
  Encryption and Certificates 90

CHAPTER 6 Anti-Spam Features 97
  Anti-Spam Feature Overview 98
  Email Spam Processing 99
  eprism Anti-Spam Controls 102
  Specific Access Patterns 104
  Pattern Based Message Filtering 107
  Objectionable Content Filtering 115
  RBL (Real-time Blackhole List) 117
  DCC (Distributed Checksum Clearinghouse) 119
  STA (Statistical Token Analysis) 123
  Trusted Senders 133
  Spam Quarantine 136
  Spam Options 141

CHAPTER 7 User Accounts and Remote Authentication 143
  POP3 and IMAP Access 144
  Local User Mailboxes 145
  Mirror Accounts 147
  Strong Authentication 148
  Remote Accounts and Directory Authentication 150
  Relocated Users 153
  Vacation Notification 154
  Tiered Administration 157

CHAPTER 8 Secure WebMail and eprism Mail Client 159
  Secure WebMail 160
  eprism Mail Client 164

CHAPTER 9 Policy Management 167
  Policy Overview 168
  Creating Policies 171

CHAPTER 10 System Management 177
  System Status and Utilities 178
  Mail Queue Management 181
  Quarantine Management 182
  License Management 184
  Software Updates 186
  Security Connection 187
  Reboot and Shutdown 188
  Backup and Restore 189
  Centralized Management 197
  Problem Reporting 202

CHAPTER 11 HALO (High Availability and Load Optimization) 203
  HALO Overview 204
  Configuring Clustering 206
  Cluster Management 212
  Configuring the F5 Load Balancer 216
  Queue Replication 217

CHAPTER 12 Reporting 221
  Viewing and Generating Reports 222
  Viewing the Mail History Database 231
  Viewing the System History Database 234
  Report Configuration 237

CHAPTER 13 Monitoring System Activity 239
  Activity Screen 240
  System Log Files 242
  SNMP (Simple Network Management Protocol) 245
  Alarms 248

CHAPTER 14 Troubleshooting Mail Delivery 251
  Troubleshooting Mail Delivery 252
  Troubleshooting Tools 253
  Examining Log Files 254
  Network and Mail Diagnostics 258
  Troubleshooting Content Issues 263

APPENDIX A Using the eprism System Console 265
APPENDIX B Restoring eprism to Factory Default Settings 269
APPENDIX C Message Processing Order 271
APPENDIX D Customizing Notification and Annotation Messages 273
APPENDIX E Performance Tuning 275
  Setting Default Performance Settings 276
  Advanced Settings 277
APPENDIX F SNMP MIBS 283
  MIB Files Summary 283
  MIB OID Values 287
APPENDIX G Third Party Copyrights and Licenses 291

Preface

This eprism User Guide provides detailed information on how to configure and manage your eprism Email Security Appliance, and contains the following topics:

Chapter 1 eprism Overview on page 7
Chapter 2 Administering eprism on page 23
Chapter 3 Configuring Mail Delivery Settings on page 33
Chapter 4 Directory Services on page 53
Chapter 5 Configuring Email Security on page 77
Chapter 6 Anti-Spam Features on page 97
Chapter 7 User Accounts and Remote Authentication on page 143
Chapter 8 Secure WebMail and eprism Mail Client on page 159
Chapter 9 Policy Management on page 167
Chapter 10 System Management on page 177
Chapter 11 HALO (High Availability and Load Optimization) on page 203
Chapter 12 Reporting on page 221
Chapter 13 Monitoring System Activity on page 239
Chapter 14 Troubleshooting Mail Delivery on page 251

The following Appendices contain supplemental information for eprism:

Appendix A Using the eprism System Console on page 265
Appendix B Restoring eprism to Factory Default Settings on page 269
Appendix C Message Processing Order on page 271
Appendix D Customizing Notification and Annotation Messages on page 273
Appendix E Performance Tuning on page 275
Appendix F SNMP MIBS on page 283
Appendix G Third Party Copyrights and Licenses on page 291

Related Documentation

If release notes are included with your product package, please read them for the latest information on installing and managing your eprism. The following documents are included as part of the eprism documentation set:

Release Notes: Provides up-to-date information on the product, including any known issues. If instructions in the release notes differ from the Installation Guide or User Guide, use the instructions in the Release Notes.

eprism Installation Guide: Provides instructions on how to install and perform the initial configuration of the eprism Email Security Appliance.

eprism User Guide: Provides detailed information on how to configure and administer the eprism Email Security Appliance.

Contacting Technical Support

St. Bernard Software telephone support is available Monday to Friday, 07:00 to 16:00 Pacific Standard Time (North America, South America, Pacific Rim) and 08:30 to 17:30 UTC (Europe, Asia, Africa).

North America, South America, Pacific Rim (PST)
15015 Avenue of Science, San Diego, CA 92128
Main: 858.676.2277
FAX: 858.676.2299
Technical Support: 858.676.5050
Technical Support Email: eprism-support@stbernard.com

Europe, Asia, Africa (UTC)
Unit 4, Riverside Way, Watchmoor Park, Camberley, Surrey, UK GU15 3YQ
Main: 44.1276.401.640
FAX: 44.1276.684.479
Technical Support: 44.1276.401.642
Technical Support Email: support@uk.stbernard.com

Copyright Information

Copyright 2003-2005 St. Bernard Software, Inc. All rights reserved. St. Bernard Software is a trademark of St. Bernard Software Inc. All other trademarks or registered trademarks are hereby acknowledged. Information in this document is subject to change without notice.

CHAPTER 1 eprism Overview

This chapter provides an overview of the architecture and features of the eprism Email Security Appliance, and contains the following topics:

What's New in eprism 5.0 on page 8
eprism Overview on page 10
eprism Deployment on page 17
How Messages are Processed by eprism on page 19

What's New in eprism 5.0

The eprism Email Security Appliance 5.0 release contains the following new features and improvements:

New User Interface
The eprism user interface has been redesigned for easier navigation and more efficient administration of eprism's features.

Improved Performance
eprism 5.0 improves mail processing throughput by 30% or more over the previous release. eprism's security and spam filtering techniques have been improved to provide greater mail processing efficiency.

Directory Services Improvements
eprism 5.0 adds significant improvements to its Directory Services integration, enhancing support for OpenLDAP, iPlanet, and Active Directory LDAP implementations. The following new features have been added:

LDAP Recipients: Used in conjunction with the Reject on Unknown Recipient anti-spam feature. LDAP Recipients performs real-time LDAP lookups to verify that a recipient exists before the message is accepted.

LDAP Domain Routing: Performs an LDAP search to find the mail route host for a domain. This is the preferred routing method for organizations with a large number of domains.

LDAP SMTP Relay Authentication: Used in conjunction with SMTP Relay Authentication to allow clients to be authenticated via LDAP for SMTP relay purposes.

Select Basic Config -> Directory Services on the menu to configure all LDAP directory features.

OCF (Objectionable Content Filter)
The Objectionable Content Filter defines a list of key words; a message is blocked if any of those words appear in it. This feature is useful for organizations that need to manage their email in accordance with regulatory requirements. OCF allows administrators to restrict content of any form, including objectionable words or phrases, offensive content, and confidential information. The OCF list can be updated and customized to meet the specific needs of any organization. Rules can be applied to both inbound and outbound messages, preventing unwanted content from entering an organization and prohibiting the release of sensitive information. OCF can be configured via Mail Delivery -> Anti-Spam -> OCF.

Large MTU Support
In Basic Config -> Network, in the Network Interface section, you can enable the Large MTU (Maximum Transmission Unit) parameter, which sets the MTU of the interface to 1500. This may improve performance when connecting to servers on a local network. The default MTU is 576.

Configurable Content Reject Message (SMTP)
In Mail Delivery -> Delivery Settings -> Advanced, there is a new option to configure the content rejection text that appears in the SMTP 552 error message.

eprism Overview

eprism is a dedicated mail firewall designed for deployment between internal mail servers and the Internet. eprism supports the standard mail protocols for processing email messages, while offering a secure method for their processing and delivery. eprism has been designed specifically to resist operating system attacks and to protect your mail servers from direct SMTP and HTTP connections.

Firewall-Level Network and System Security
eprism runs on S-Core, St. Bernard's customized and hardened Unix operating system. S-Core has been field tested for over 10 years as the operating system for the St. Bernard Firewall Server. S-Core does not allow uncontrolled access to the system: there is no command line access, and the system runs as a "closed" system, preventing accidental or deliberate misconfiguration by administrators, which is a common cause of security vulnerabilities.

eprism has been awarded Common Criteria EAL 4+ certification. EAL 4+ indicates that eprism has passed all of the requirements needed to gain Evaluation Assurance Level 4 (EAL 4) and has passed additional modules that elevate the certification above the standard EAL 4, including EAL 5 vulnerability testing.

eprism Deployment
eprism is generally configured to accept all mail for a domain or sub-domain, store and process mail according to specified policies, and deliver the mail to one or more internal mail servers for collection by users. eprism is suited for deployment in parallel with an existing firewall, on a DMZ, or on an internal network. See eprism Deployment on page 17 for more detailed information on deploying eprism.

Mail Delivery Security
eprism has a mail delivery system with several security features that keep the identifying information about your company's email infrastructure private. For a company with multiple domain names, eprism can accept, process and deliver mail to private email servers. For a company with multiple private email servers, eprism can route mail based on the domain or subdomain to separate groups of email users. Security features such as mail mappings and address masquerading hide references to internal host names.

Content Filtering
eprism implements attachment controls and content filtering based on pattern and text matching. These controls prevent the following issues:

Breaches of confidentiality
Legal liability from offensive content
Personal abuse of company resources

Attachment controls are based on the following characteristics:

File Extension Suffix: The suffix of the file name is checked to determine the attachment type, such as .exe or .jpg.

MIME Content Type: The MIME (Multipurpose Internet Mail Extensions) type declared for the attachment is used to identify the content type.

Content Analysis: The file is analyzed from the beginning to look for characteristics that identify the file type. This ensures that the attachment controls are not circumvented by simply renaming a file.
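The three attachment signals above, applied together, as an added example written for this page (it is not eprism code and does not describe how the appliance implements its checks). The blocked-extension list, the MIME-type list, the signature table and the sample message are all constructed here; the point it shows is that only the content check catches an executable renamed to .jpg and declared as image/jpeg.

```python
"""Attachment control by three signals, as an added example (not eprism code):
file extension, declared MIME type, and content analysis of the leading bytes.
The block lists and the sample message below are constructed for this example."""
from email.message import EmailMessage

# Constructed policy: extensions and MIME types an administrator might block.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".com", ".pif"}
BLOCKED_MIME_TYPES = {"application/x-msdownload", "application/x-dosexec"}

# Constructed signature table: leading bytes that identify a file type
# regardless of the name it carries. "MZ" is the DOS/PE executable header.
MAGIC = [
    (b"MZ", "executable"),
    (b"\x7fELF", "executable"),
    (b"%PDF-", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),
]


def sniff_type(data: bytes) -> str:
    """Content analysis: classify by the first bytes, ignoring the file name."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"


def check_attachment(part) -> list:
    """Return the reasons (if any) for which this MIME part would be blocked."""
    reasons = []
    filename = (part.get_filename() or "").lower()
    ext = "." + filename.rsplit(".", 1)[1] if "." in filename else ""
    ctype = part.get_content_type()
    data = part.get_payload(decode=True) or b""

    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"extension {ext}")
    if ctype in BLOCKED_MIME_TYPES:
        reasons.append(f"mime type {ctype}")
    # The content check catches a blocked type renamed to a harmless
    # extension and declared with a harmless MIME type.
    if sniff_type(data) == "executable":
        reasons.append("content analysis: executable header")
    return reasons


def scan_message(msg: EmailMessage) -> dict:
    """Map each attachment file name to its list of block reasons."""
    return {
        part.get_filename() or "<unnamed>": check_attachment(part)
        for part in msg.iter_attachments()
    }


def build_sample() -> EmailMessage:
    """Constructed message: a real JPEG, a PE executable renamed to .jpg and
    declared as image/jpeg, and an executable declared honestly."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "attachments"
    msg.set_content("see attached")
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    pe = b"MZ\x90\x00" + b"\x00" * 60
    msg.add_attachment(jpeg, maintype="image", subtype="jpeg", filename="photo.jpg")
    msg.add_attachment(pe, maintype="image", subtype="jpeg", filename="holiday.jpg")
    msg.add_attachment(pe, maintype="application", subtype="x-msdownload",
                       filename="setup.exe")
    return msg


if __name__ == "__main__":
    for name, why in scan_message(build_sample()).items():
        print(name, "->", "blocked: " + "; ".join(why) if why else "allowed")
```

A real deployment would extend the signature table (and handle container formats such as zip, which this example only labels), but the ordering of checks is the point: name and declared type are attacker-controlled, the first bytes of the payload are not.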

Virus Scanning
The eprism Email Security Appliance features optional virus scanning based on Kaspersky Anti-Virus. Messages in both inbound and outbound directions can be scanned for viruses and malicious programs, providing a layer of protection for the entire organization. Automatic pattern file updates ensure that the latest viruses are detected.

Malformed Message Protection
Similar to malformed data packets used to subvert networks, malformed messages allow viruses to avoid detection, crash systems, and lock up mail servers. eprism ensures that only correctly formatted messages are allowed into your mail systems. Message integrity checking protects your mail servers and clients, and improves the effectiveness of existing virus scanning implementations.

Anti-Spam Features
The eprism Email Security Appliance provides a set of anti-spam features designed to protect against the full spectrum of current and evolving spam threats. eprism's anti-spam controls are based on the following:

Realtime Blackhole Lists (RBL) to reject known spam sources
Distributed Checksum Clearinghouse (DCC) to control bulk mail
Statistical Token Analysis (STA) for advanced statistical analysis

Trusted Senders List
This feature, accessed via WebMail or the eprism Mail Client, allows users to create their own personal Trusted Senders List based on a sender's email address. These email addresses are exempt from eprism's spam controls.

Spam Quarantine
The Spam Quarantine redirects spam into a local storage area for each individual user. Users can connect to eprism to view and manage their own quarantined spam. Messages can be deleted, or moved to the user's local mail folders. Automatic notification emails can be sent to end users notifying them of messages in their personal quarantine area.

Secure WebMail
eprism's Secure WebMail provides remote access to internal mail servers. With Secure WebMail, users can access their mailboxes using web mail clients such as Outlook Web Access, Lotus iNotes, or eprism's own web mail client, the eprism Mail Client. eprism addresses the security issues that commonly prevent deployment of web mail services by providing the following protection:

Strong authentication (including integration with Active Directory)
Encrypted sessions
Session control to prevent information leaks on workstations

Authentication
eprism supports the following authentication methods for administrators, WebMail users, the Trusted Senders List, and the Spam Quarantine:

User ID and Password
RADIUS and LDAP
RSA SecurID tokens
SafeWord tokens
CRYPTOCard tokens

Encryption
All mail delivered to and from eprism can be encrypted using TLS (Transport Layer Security). This includes connections to remote systems, local internal mail systems, and internal mail clients. Encryption can be used for the following:

Secure mail delivery on the Internet, to prevent anyone from viewing your email while in transit.
Secure mail delivery across your LAN, to prevent malicious users from viewing email other than their own.
Policies for secure mail delivery to branch offices, remote users, and business partners.

eprism supports TLS/SSL encryption for all user and administrative sessions. TLS/SSL may also be used to encrypt SMTP sessions, preventing eavesdropping and interception in transit. Note that TLS protects a message only on the connection it is sent over: it is decrypted on each hop, and a hop that is not configured to require TLS, or that does not verify the peer's certificate, does not provide the protection described here.
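An added example of what "encrypt the SMTP session" means from the side of an MTA or script talking to an appliance like this one: the weak, unverified TLS context beside the verified one, and a sender that refuses to fall back to cleartext when the server does not offer STARTTLS. This is not eprism code and says nothing about eprism's own TLS configuration; the host, port and CA file in send_over_starttls() are assumptions, and that function is not run here because it needs a reachable SMTP server.

```python
"""Client-side TLS for an SMTP session, as an added example (not eprism code):
the weak, unverified context beside the verified one, and a sender that refuses
to fall back to cleartext. send_over_starttls() is not run here; it needs a
reachable SMTP host, and the host name, port and CA file are assumptions."""
import smtplib
import ssl


def opportunistic_context() -> ssl.SSLContext:
    """Encrypts the session but accepts any certificate. This defeats passive
    eavesdropping only; an active interposer can present its own certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(cafile: str = None) -> ssl.SSLContext:
    """Requires a certificate chaining to a trusted CA (the system store, or a
    private CA file for an internal appliance) with a matching host name."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarize the settings that matter for interception resistance."""
    return {"verify": ctx.verify_mode.name,
            "hostname": ctx.check_hostname,
            "min_version": ctx.minimum_version.name}


def send_over_starttls(host: str, port: int, mail_from: str, rcpt_to: list,
                       msg: bytes, ctx: ssl.SSLContext) -> None:
    """Upgrade the session with STARTTLS and refuse to continue in the clear."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server offers no STARTTLS; refusing cleartext delivery")
        smtp.starttls(context=ctx)   # raises ssl.SSLError on verification failure
        smtp.ehlo()                  # re-issue EHLO after the upgrade (RFC 3207)
        smtp.sendmail(mail_from, rcpt_to, msg)


if __name__ == "__main__":
    print("opportunistic:", describe(opportunistic_context()))
    print("verified:     ", describe(verified_context()))
```

Between two MTAs on the public Internet the opportunistic context is the common default, because most peers present certificates that do not verify; on the internal legs (branch offices, partners, the hop from eprism to the mail server) the verified context with the organization's own CA is the one that actually stops an interposed relay.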

HALO (High Availability and Load Optimization)
eprism systems can be clustered to add capacity and throughput, provide load balancing, and optionally provide high availability. HALO ensures email is not lost due to an individual system failure through its cluster management, load balancing and optimization, and "stateful failover" queue replication capabilities.

Cluster Management
The cluster management feature allows administrators to manage eprism clusters and to synchronize configuration settings across all systems in the cluster. Combined reports and email database searches may be derived from clustered systems. Specific features include:

Configuration Cloning: Systems can be added to a cluster and assume the configuration of a defined "master" Cluster Console system.

Cluster Synchronization: Systems within a cluster can be synchronized to the defined "master" system. Any changes to the configuration of the Cluster Console master are reflected in the configuration of all systems in the cluster.

Cluster Reporting: eprism reports can be generated for a single system or for all systems in a cluster. The email database can be searched by system or by cluster. The history and status of any message can be retrieved regardless of which system processed the message.

Load Balancing and Optimization
A basic requirement of high availability is an automated or semi-automated mechanism for switching the mail stream between available systems in the cluster, depending on their individual availability or health. Using DNS round-robin techniques, or dedicated load balancing hardware, email can be directed to eprism systems in a cluster depending on their availability and current load.

Queue Replication
To prevent the loss of email messages during a system failure, eprism uses "stateful failover" queue replication, which replicates queues and synchronizes messages to a defined mirror system within a cluster. If a system in a cluster fails while undelivered mail remains in its queue, the mirror system can take ownership of that queue's messages and process and deliver them.

Policy Controls
Policy-based controls allow settings for annotations, anti-spam, anti-virus, and attachment control to be customized and applied based on the group or domain membership of the recipient. User groups can be imported from an LDAP-based directory, and policies can then be created to apply customized settings to these groups. For example, you can set up an Attachment Control policy that allows your Development group to accept and send executable files (.exe), while configuring attachment control for all other departments to block this file type and prevent the spread of viruses among general users.

LDAP Directory Service Support
eprism integrates with LDAP (Lightweight Directory Access Protocol) directory services such as Active Directory, OpenLDAP, and iPlanet, allowing you to perform the following:

LDAP lookup prior to internal delivery: You can configure eprism to check for the existence of an internal user via LDAP before accepting a message. This allows you to reject mail to unknown addresses in relay domains, reducing the number of attempted deliveries of spam messages to unknown local addresses.

Group/User Imports: An LDAP lookup determines the group membership of a user when applying policy-based controls. LDAP users can also be imported and mirrored on eprism for use by services such as the Spam Quarantine.

Authentication: LDAP can be used to authenticate IMAP access, user mailbox access, and WebMail logins.

SMTP Relay Authentication: LDAP can be used to authenticate clients for SMTP relay.

Mail Routing: LDAP can be used to look up the mail route for a domain and deliver mail to its destination server.

Local User Mailboxes
eprism can host user mailboxes and act as a fully functioning mail server for small offices. eprism supports POP3 and IMAP (including their SSL/TLS-secured versions) and SMTP for retrieving and sending mail.

Manageability
eprism provides a range of monitoring and diagnostic tools to monitor the system and troubleshoot mail delivery issues. Admin sessions can be encrypted for additional security, and comprehensive logs record all mail activity.

Web Browser-based Management
The web browser management interface displays a live view of system activity and traffic flows. The management interface can be configured to display this information for one or many systems, either systems in a local cluster or systems that are being centrally managed.

Reporting and Auditing
The reporting and audit features deliver a set of statistics that may be generated at any time or scheduled for automatic delivery. eprism includes a wide range of predefined reports, including information on system health, mail processing, spam, virus filtering statistics, and user mail volumes. Administrators can also create customized reports.

Enterprise Integration with SNMP
Using SNMP (Simple Network Management Protocol), eprism can generate both information and traps for use by tools such as HP OpenView, Tivoli, BMC Patrol, and CA Unicenter. This extends the administrator's view of eprism and gives an instant view of significant system events, including traffic flows and system failures.

Alarms
eprism can generate system alarms that notify the administrator via email and console alerts of a system condition that requires attention.

Security Connection
The Security Connection provides an automated software update service. By enabling the Security Connection, you are automatically notified of any new patches and updates. St. Bernard monitors for new vulnerabilities and issues updates to defend against them, so that you have them as soon as they are available.

Internationalization
eprism supports internationalization for annotations, notification messages, and mail database views.

eprism Deployment

eprism is designed to sit between your mail servers and the Internet so that there are no direct SMTP (Simple Mail Transfer Protocol) connections between external and internal servers. eprism is typically installed in one of three locations:

In parallel with the firewall
On your DMZ (Demilitarized Zone)
Behind the existing firewall, on the internal network

SMTP port 25 traffic is redirected to eprism from either the external interface of the firewall or from the external router. When the mail has been accepted and processed, eprism initiates an SMTP connection to the internal mail server to deliver it.

eprism in Parallel with the Firewall
The preferred deployment is to place eprism in parallel with an existing network firewall. eprism's own firewall-level security architecture is designed to mitigate the risk of placing an appliance directly on the perimeter of your network. This parallel deployment keeps mail traffic off the firewall and decreases its overall load.

eprism on the DMZ
Deploying eprism on the DMZ is an equally secure configuration. It prevents any direct connection from the Internet to the internal servers, but does not ease the existing load on the firewall, which must still pass the SMTP traffic.

eprism on the Internal Network
You can also deploy eprism on the internal network. Although this configuration allows a connection from the Internet into the internal network (port 25 must be forwarded through the firewall to eprism), it is a legitimate configuration when dictated by existing network resources.

How Messages are Processed by eprism

The following sections describe the sequence in which the various eprism security features are applied to inbound mail messages and how these settings affect delivery.

SMTP Connection
An SMTP connection request is made from another system. eprism accepts the connection and the message envelope unless one of the following checks (if enabled) is triggered:

Reject on unauthorized SMTP pipelining: Rejects mail when the client sends SMTP commands ahead of time without first learning (from the EHLO response) that the server supports SMTP command pipelining. This stops messages from bulk mail software that uses SMTP command pipelining improperly to speed up deliveries.

Reject on unknown sender domain: Rejects mail when the domain of the sender address has no DNS A or MX record.

Reject on missing reverse DNS: Rejects mail from hosts whose IP address has no PTR (address to name) record in the DNS, or whose PTR record does not have a matching A (name to address) record. This setting is rarely used because many servers on the Internet do not have valid reverse DNS records, and enabling it may result in rejecting mail from legitimate sources.

Reject on non-FQDN sender: Rejects mail when the address in the client's MAIL FROM command is not in fully-qualified domain name (FQDN) form.

Reject on Unknown Recipient: Rejects mail if the specified recipient does not exist. The system performs an LDAP lookup on the recipient's address to ensure the recipient exists before accepting the message.

Specific Access Pattern (Reject): The server address or another envelope field matches a Specific Access Pattern that is set to reject the message.

Mail Header and Message Properties
The connection is now accepted. The message will be accepted for processing unless one of the following occurs:

Reject on missing addresses: Rejects mail when no recipients in the To: field, or no sender in the From: field, were specified in the message headers.

Maximum number of recipients: Rejects mail if the number of recipients exceeds the specified maximum (default = 1000).

Maximum message size: Rejects mail if the message size exceeds the configured maximum.
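The envelope-stage checks above, as an added example written for this page rather than eprism's own implementation. Real DNS and LDAP are replaced by constructed tables so the logic runs offline; the check names, the default of leaving the reverse-DNS rejection off, and the recipient limit of 1000 follow the text, while the addresses, IPs and directory contents are made up. The reverse-DNS check is the forward-confirmed form the text describes: a PTR record alone is not enough, its name must resolve back to the connecting IP.

```python
"""Connection-time sender and recipient checks of the kind listed above,
run against a constructed DNS table and recipient directory so the logic can
be exercised offline. Added example, not eprism code."""
from dataclasses import dataclass

# Constructed DNS view. Forward records (A and MX) by name; PTR records by IP.
FORWARD = {
    "mail.example.com": {"A": ["192.0.2.10"], "MX": []},
    "example.com":      {"A": [], "MX": ["mail.example.com"]},
}
PTR = {
    "192.0.2.10":   "mail.example.com",  # forward-confirmed: the A record points back
    "198.51.100.7": "mail.example.com",  # PTR names a host whose A record differs
    # 203.0.113.5 has no PTR at all
}

# Constructed stand-in for the LDAP recipient lookup.
KNOWN_RECIPIENTS = {"alice@example.org", "bob@example.org"}


@dataclass
class Checks:
    """Which rejections are enabled. Reverse DNS is off by default, as the
    text warns, because many legitimate hosts have no usable PTR record."""
    reject_unknown_sender_domain: bool = True
    reject_missing_reverse_dns: bool = False
    reject_non_fqdn_sender: bool = True
    reject_unknown_recipient: bool = True
    max_recipients: int = 1000


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def has_a_or_mx(domain: str) -> bool:
    rec = FORWARD.get(domain)
    return bool(rec and (rec["A"] or rec["MX"]))


def forward_confirmed_ptr(ip: str) -> bool:
    """PTR exists and the name it yields has an A record back to the same IP."""
    name = PTR.get(ip)
    if not name:
        return False
    return ip in FORWARD.get(name, {}).get("A", [])


def evaluate(client_ip: str, mail_from: str, rcpt_tos: list, cfg: Checks = None) -> list:
    """Return rejection reasons in the order the checks apply; empty means accept."""
    cfg = cfg or Checks()
    reasons = []
    dom = domain_of(mail_from)

    # MAIL FROM stage: a bare local part or single-label domain is not an FQDN;
    # only a well-formed domain is then looked up for A or MX.
    if cfg.reject_non_fqdn_sender and (not dom or "." not in dom):
        reasons.append("non-FQDN sender")
    elif cfg.reject_unknown_sender_domain and not has_a_or_mx(dom):
        reasons.append("unknown sender domain")

    if cfg.reject_missing_reverse_dns and not forward_confirmed_ptr(client_ip):
        reasons.append("missing or unconfirmed reverse DNS")

    # RCPT TO stage.
    if len(rcpt_tos) > cfg.max_recipients:
        reasons.append("too many recipients")
    if cfg.reject_unknown_recipient:
        for rcpt in rcpt_tos:
            if rcpt.lower() not in KNOWN_RECIPIENTS:
                reasons.append(f"unknown recipient {rcpt}")
    return reasons


if __name__ == "__main__":
    strict = Checks(reject_missing_reverse_dns=True)
    print(evaluate("192.0.2.10", "alice@example.com", ["bob@example.org"], strict))
    print(evaluate("198.51.100.7", "alice@example.com", ["carol@example.org"], strict))
```

Rejecting at the envelope stage, before DATA, is what makes the unknown-recipient check worthwhile: the spam is refused before its body is transferred and before any bounce has to be generated to a forged sender.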

Malformed Content, Virus Checking, and Attachment Control
Messages are scanned for malformed content, viruses, and specific attachments. If there is a problem, eprism can be configured with a variety of actions, such as sending the message to a Quarantine folder.

OCF (Objectionable Content Filter)
Messages are scanned for objectionable content and a configurable action is taken.

Pattern Based Message Filters and Specific Access Patterns
The messages are checked against any existing Pattern Based Message Filters (PBMF), or Specific Access Patterns (SAP) set to Trust or Allow Relaying. Senders in the Trusted Senders list are excluded from processing (for low priority PBMFs only).

SPF (Sender Policy Framework)
If enabled, the message is checked to see if it passes an SPF DNS lookup.

Anti-Spam Processing
If the message arrives from an "untrusted" source, it is processed for spam as follows:

If RBL is enabled, mail is rejected if the server address is in an RBL. This can be overridden with a Pattern Based Message Filter.
If DCC is enabled, the message is examined for identification as "bulk" mail.
If STA is enabled, the message is examined for identification as "spam" mail.

Mail Mappings
The message is now accepted for processing, and the following occurs:

If the recipient address is not for a domain or sub-domain for which eprism is configured to accept mail (either as an inbound mail route or a virtual domain), the message is rejected.
If the recipient address is mapped in the Mail Mappings table, the "To" field in the message header is modified as required.

Virtual Mappings
The message is now examined for a match in the Virtual Mapping table. If such a mapping is found, the envelope recipient is modified as required. LDAP virtual mappings are then processed. Virtual mappings are useful for the following:

Acting as a wildcard mail mapping, such as "everything for example.com goes to exchange.example.com". You can create exceptions to this rule in the mail mappings for particular users.
ISPs that need to accept mail for several domains and rewrite the envelope recipient for further delivery.

To deliver to internal servers, use Mail Delivery -> Mail Routing.

Note: In all cases, mappings rely on a successful DNS lookup for an MX record.

Relocated Users
When mail is sent to an address listed in the relocated users table, the message is bounced back with a notice informing the sender of the relocated user's new contact information.

Mail Aliases
When mail needs to be delivered locally, the local delivery agent runs each local recipient name through the aliases database. An alias results in a new mail message being created for the named address or addresses. This message is then entered back into the system to be mapped, routed, and so on. The same process applies to local user accounts for which a "forwarder address" has been configured; such accounts are treated like aliases. Local aliases are typically used to implement distribution lists or to direct mail for standard aliases such as "postmaster". LDAP aliases are then processed; LDAP can be used to search for mail aliases on directory services such as Active Directory.

Mail Routing
During the mail routing process, no modification is made to the mail header or the envelope. A mail route specifies two things:

Which domains eprism accepts mail for (other than its own).
Which hosts the mail should be delivered to.

The message is now delivered to its destination. See Message Processing Order on page 271 for a summary of the message processing order.
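The address-handling steps from Mail Mappings through Mail Routing, carried through on sample recipients as an added example (not eprism code; it models the order and effects the text describes, not the appliance's internals). All tables are constructed: one routed domain per internal host, one virtual domain mapped by wildcard onto a routed one, a relocated user, and a postmaster alias whose second member is a local account with a forwarder, so that alias expansion re-enters the chain and ends up on a different route.

```python
"""Address handling after a message is accepted, in the order described above:
accepted-domain check, mail mapping (header), virtual mapping (envelope),
relocated users, aliases (re-entering the chain), then routing by domain.
Added example, not eprism code; all tables are constructed."""
from dataclasses import dataclass

# Mail routes: domains eprism accepts mail for, and the host each is delivered to.
MAIL_ROUTES = {"example.com": "exchange.example.com",
               "example.org": "mail.example.org"}
# A virtual domain is accepted too, but has no route of its own.
VIRTUAL_DOMAINS = {"hosted.example"}
# Mail mappings rewrite the header To: field.
MAIL_MAPPINGS = {"info@example.com": "helpdesk@example.com"}
# Virtual mappings rewrite the envelope recipient; "@domain" keys are wildcards.
VIRTUAL_MAPPINGS = {"@hosted.example": "@example.com"}
RELOCATED = {"dave@example.com": "dave@newco.example"}
# Aliases expand to one or more addresses; a local account with a forwarder
# address behaves the same way.
ALIASES = {"postmaster@example.com": ["alice@example.com", "bob@example.com"],
           "bob@example.com": ["bob@example.org"]}

MAX_ALIAS_DEPTH = 10


@dataclass
class Delivery:
    envelope_rcpt: str
    header_to: str
    route_host: str


@dataclass
class Bounce:
    envelope_rcpt: str
    reason: str


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def accepts(domain: str) -> bool:
    return domain in MAIL_ROUTES or domain in VIRTUAL_DOMAINS


def process(envelope_rcpt: str, header_to: str, depth: int = 0) -> list:
    """Run one envelope recipient through the chain; returns Delivery and Bounce records."""
    if depth > MAX_ALIAS_DEPTH:
        return [Bounce(envelope_rcpt, "alias expansion loop")]
    rcpt = envelope_rcpt.lower()

    if not accepts(domain_of(rcpt)):
        return [Bounce(rcpt, "relay access denied: domain not accepted")]

    # Mail mapping changes only the header, not where the message goes.
    header_to = MAIL_MAPPINGS.get(rcpt, header_to)

    # Virtual mapping: exact entry first, then the whole-domain wildcard.
    if rcpt in VIRTUAL_MAPPINGS:
        rcpt = VIRTUAL_MAPPINGS[rcpt]
    else:
        wildcard = VIRTUAL_MAPPINGS.get("@" + domain_of(rcpt))
        if wildcard:
            rcpt = rcpt.split("@", 1)[0] + wildcard

    if rcpt in RELOCATED:
        return [Bounce(rcpt, f"user relocated; new address {RELOCATED[rcpt]}")]

    if rcpt in ALIASES:
        results = []
        for target in ALIASES[rcpt]:
            results.extend(process(target, header_to, depth + 1))
        return results

    host = MAIL_ROUTES.get(domain_of(rcpt))
    if host is None:
        return [Bounce(rcpt, "no mail route for domain")]
    return [Delivery(rcpt, header_to, host)]


if __name__ == "__main__":
    for addr in ["carol@example.com", "erin@hosted.example",
                 "postmaster@example.com", "dave@example.com"]:
        print(addr, "->", process(addr, addr))
```

The depth limit is the practitioner's addition: because an alias or forwarder re-enters the whole chain, two entries that point at each other would otherwise expand forever, and a gateway should bounce such mail rather than loop.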


CHAPTER 2 Administering eprism

This chapter describes how to administer and configure basic settings for the eprism Email Security Appliance, and contains the following topics:

Connecting to eprism on page 24
Configuring the Admin User on page 28
Web Server Options on page 31
Customizing the eprism Interface on page 32