eprism Email Security Appliance 6.0 Release Notes

St. Bernard is pleased to announce the release of version 6.0 of the eprism Email Security Appliance. This release adds several new features while considerably improving the functionality of existing features.

What's New in 6.0

Intercept Anti-Spam

eprism 6.0 introduces the Intercept Anti-Spam engine that offers considerable improvements to eprism's existing anti-spam technology:

Simplified and Efficient Administration
Intercept provides administrators with powerful default settings and simpler actions to increase the efficiency of Anti-Spam administration. Intercept's default Anti-Spam settings provide a strong default configuration to ensure that organizations can deal with a majority of spam messages with little additional configuration. Intercept's improved anti-spam technologies require no training to capture a majority of spam when first enabled.

Powerful and Comprehensive Anti-Spam Processing
Intercept introduces enhanced spam fighting technologies to provide a more informed and accurate decision on whether a message is spam or legitimate mail. The addition of technologies such as Spam Dictionaries, IP Reputation and DomainKeys ensures that Intercept catches spam and reduces false positives.

Hosted Anti-Spam Services
New hosted technologies such as Bulk Analysis, DNS Black Lists and reputation-based detection allow customers to more efficiently monitor and trap real-world spam and provide feedback for analysis purposes.

Intercept is configured via Mail Delivery > Anti-Spam > Intercept on the menu.

New Anti-Spam Features

eprism v6.0 incorporates several new and exciting anti-spam features to help simplify the administration of the eprism, while ensuring a high level of spam detection and low false positive statistics.

Local IP Reputation
Many spammers and attackers do not send mail from legitimate mail sources. eprism inspects the incoming IP address and decides whether the IP address is valid or not based on the incoming connection's behaviour. This information is then used in the overall Intercept decision process to help determine the nature of an incoming message.

Reputation-based Detection
Helps to identify spam by reporting behavior information about the sender of a mail message, including their overall reputation, whether the sender is a dial-up, and whether the sender appears to be virus-infected or sends large amounts of spam messages. This is based on information collected from customer eprism e-mail servers and global DNS Block Lists. This information can be used by eprism to either reject the message immediately or contribute to the Intercept score.

Spam Dictionaries
Pre-defined spam dictionaries containing known spam words and phrases are included with eprism to help eliminate the need to initially train eprism systems. By providing spam default dictionaries, eprism systems can provide comprehensive spam protection after installation without any additional configuration.

DomainKeys
eprism's existing anti-phishing features have been enhanced to include Yahoo DomainKeys. DomainKeys is a popular sender authentication technology to validate sending servers to ensure they are delivering legitimate mail.

Threat Prevention

eprism 6.0 introduces threat prevention capabilities that allow organizations to detect and block incoming threats in real-time. Threat types can be monitored and recorded to track client IP behaviour and reputation.

By examining mail flow patterns, eprism detects whether a sending host is behaving maliciously by sending out viruses, spam or attempting denial-of-service (DoS) types of attacks. Inbound mail connections can be blocked or throttled before the content is processed to lessen the impact of a large number of inbound messages.

Threat Prevention features can also be integrated with third party perimeter devices, such as F5 BIG-IP traffic managers and Cisco IOS based devices. By pushing threat information to a perimeter device, threats can be blocked at the network edge to reduce incoming mail traffic before it reaches eprism.

Threat Prevention is configured via Mail Delivery > Threat Prevention on the menu.

Message Encryption

eprism encryption support now includes the ability to encrypt and decrypt individual messages when used in conjunction with a third party encryption product. E-mail encryption helps organizations address compliancy needs while ensuring that the privacy of confidential e-mails is maintained. This integration allows organizations to ensure that encrypted messages are still processed by eprism for security issues such as viruses, malformed mail, and content filtering and scanning.

Message encryption is configured via Mail Delivery > Encryption on the menu.

Advanced Content Filtering and Scanning

Several new content filtering features have been added to provide more powerful filtering rules that can be integrated directly into organizational policies. These additional functions allow organizations to have greater control and flexibility over e-mail policy decisions.

Advanced Content Scanning
eprism's advanced content scanning feature can perform deep scanning of e-mail attachments for content filtering purposes, ensuring that private and confidential content is not sent out over the Internet. Document attachments such as PDFs and Microsoft Word documents can be scanned for individual words and phrases that may be blocked due to compliancy policies.

Expanded Filtering Options
New content filtering actions have been added to allow filter rules to be created that encrypt, quarantine, BCC, notify, redirect or discard messages, in addition to existing filter actions. These new filter options provide greater flexibility when setting up and enforcing e-mail policies using eprism.

Dictionaries
eprism 6.0 adds custom dictionary support for content filtering allowing organizations to easily match simple words and phrases against message and attachment content.

Policy Integration
Content filtering is integrated with eprism's policy engine allowing organizations to create different sets of filter rules for different sets of users, groups and domains.

Content filtering and scanning is configured via Mail Delivery > Content Management on the menu.

Policy Improvements

eprism 6.0 introduces an improved policy engine that provides more policy options and enhanced granularity. These updated policy features provide complete flexibility and control over incoming and outgoing e-mail traffic.

Policy Feature Integration
eprism v6.0 offers more features for defining policy, including Anti-Virus, Intercept Anti-Spam, Content Filtering, Attachment Control, Compliancy, Dictionaries support, Annotations and DomainKeys. Almost all aspects of eprism's e-mail security features are integrated with policies to provide organizations with complete control and flexibility over how their email is handled.

Improved Policy Granularity
Organizations now have more granularity over policy decisions allowing administrators to customize policy rules for specific users or a set of users. Different actions and rules can be applied to different users to provide more comprehensive organizational policies.

User-based Policies
eprism 6.0 introduces user-based policies to the existing group and domain policies. Administrators can now create policies on a per user basis to provide a more granular policy configuration.

Policy Diagnostics
Administrators can run diagnostics to view the result of their policy configuration. By entering the e-mail address of a specific user, a chart will display what policies are applied to that user and the final result. Diagnostics reduce the administrative effort by helping to eliminate any policy conflicts.

Policies are configured via Mail Delivery > Policy on the menu.

Advanced Log Searches

A new advanced search menu allows administrators to search all current and archived log files of a particular log type for specific patterns. Advanced log searches are accessed via Status/Reporting > System Logs > Advanced Search.

Log Rollout and Offload

eprism can automatically compress older files to save disk space when a certain amount of log files have been generated. For backup purposes and offline reporting, eprism can also copy log and reporting files to another system at regular intervals using FTP or SCP file copy utilities. This allows administrators to back up the log files to a separate host for analysis and storage. Configure log rollout and offload via Status/Reporting > System Logs > Rollout and Offload.

Show Multiple Recipients on Activity Screen

On the main Activity screen, messages with multiple recipients can be expanded to see all recipients of the message and their disposition by clicking the Show Recipients button.

New Mail Delivery Options

The following new options have been added to the Mail Delivery > Delivery Settings menu.

Maximum time in queue for bounces
Specifies how many days a system-generated bounce message (from MAILER-DAEMON) is queued before it is considered undeliverable.

Maximum original message text in bounces
Specifies the maximum amount of original message text (in bytes) that is sent in a non-delivery notification.

Deliver mail to local users
Disable this option to prevent delivery to local users. The postmaster (admin) account will not be affected by this setting.

The following new options have been added to the Delivery Settings (Advanced) screen.

Multiple recipient reject mode
Indicates the reject handling of messages with multiple recipients, such as reject if all recipients reject a message, or if only one recipient rejects a message. This option only applies to features with reject actions such as Malformed and Very Malformed Mail, Attachment Control, Attachment Scanning, PBMF, OCF, Anti-Virus, and Intercept Anti-Spam features, including those used within a policy.

Send EHLO
Always send EHLO when communicating with another server, even if their banner does not include ESMTP. Disable this option if you are experiencing communications problems with specific SMTP servers.

Received Header Setting

The Received Header is the mail server information displayed in the Received: mail header of a message. The default is "St. Bernard eprism Email Security Appliance", but this can be modified to a more generic identifier to prevent attackers from knowing the mail server details.

Configurable Mail Routing SMTP Port

The SMTP port in Mail Delivery > Routing > Mail Routing can now be configured to ports other than 25 for special cases where mail delivery on another port is required.

Product Notes

Supported Web Browsers

The following web browsers are supported for administering eprism 6.0 via the web interface:

Microsoft Internet Explorer 6 and greater
Firefox 1.0 and greater
Mozilla 1.0 and greater
Netscape 6.0 and greater
Safari 1.0 and greater

Attachment Content Scanning License

Attachment Content Scanning is a licensed option and requires a separate license key to work after an initial 30-day evaluation period.

Uploading PBMF Filter Rules from a Previous Version

When upgrading to eprism 6.0 from a previous version, any existing Pattern Based Message Filter (PBMF) rules are automatically converted to 6.0 format.

Manually uploading a PBMF rule file from a previous version will not work unless changes are made to the upload file. In eprism 6.0, the "Valid" action has been modified to be "Accept+Train". The following procedure must be performed when uploading earlier versions of PBMF rules to an eprism 6.0 system.

1. Open your PBMF rules file (pbmf.csv) in a text editor or application that can read CSV files, such as Excel.
2. Modify the PBMF rule file to change every instance of the action "Valid" to "Accept+Train".
3. Save the PBMF rule file.
4. On the eprism 6.0 system, go to Mail Delivery > Content Management > Pattern Filters (PBMF) on the menu.
5. Click Upload File.
6. Select the updated PBMF file and click Continue.
7. Review the PBMF rules to ensure they were uploaded correctly.

Attachment Scan Option

The DS (Disable Scan) option in the attachment types list in Attachment Control has been changed to "Scan" in eprism 6.0. This option has been modified to more accurately reflect in the interface that scanning of attachments will be performed on this attachment type.

Mail Routing Options Moved

All routing features such as Mail Routing, Mail Aliases, Mail Mappings, and Virtual Mappings have been moved in the menu to Mail Delivery > Routing.

Known Issues In This Release

PBMF Bypass Action does not Override Reputation-based Detection
The PBMF "Bypass" action will not override an action from a reputation-based reject. To whitelist a system rejected by Reputation-based Detection, create a PBMF rule with the action "Accept" instead of "Bypass."

Threat Detection Still Active for Addresses in "mynetworks"
Networks defined in the Threat Detection "mynetworks" static IP list are still scanned by Threat Prevention when they should be skipped.

SPF Intercept Weight using DomainKeys Weight
The SPF Intercept Weight is taking its value from the DomainKeys weight in Mail Delivery > Anti-Spam > Intercept > Advanced.

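Returning to step 2 of the procedure under "Uploading PBMF Filter Rules from a Previous Version": a plain find-and-replace in a text editor also rewrites "Valid" where it occurs inside pattern text. The following script is an added example, not St. Bernard code, that renames only whole fields equal to "Valid" and reports each change. The column layout of pbmf.csv is not documented in these notes, so the four-column sample and the optional action_col parameter are assumptions.

```python
import csv
import io

OLD_ACTION = "Valid"         # pre-6.0 action name, from the release notes
NEW_ACTION = "Accept+Train"  # its 6.0 replacement, from the release notes

# Constructed sample rules; this four-column layout is an assumption,
# the release notes do not document the columns of pbmf.csv.
SAMPLE = (
    'subject,contains,"Valid offer, act now",Reject\n'
    "from,contains,partner.example,Valid\n"
    "body,contains,Invalid,Valid\n"
)


def convert_pbmf_rules(text, action_col=None):
    """Rename OLD_ACTION to NEW_ACTION; return (csv_text, changes).

    Only a field that equals OLD_ACTION exactly is rewritten, so pattern
    text such as "Invalid" or "Valid offer" is left alone. Pass the
    zero-based action_col, if known, to leave every other column untouched.
    changes holds (row_number, column_index) pairs for review.
    """
    rows = list(csv.reader(io.StringIO(text)))
    changes = []
    for row_no, row in enumerate(rows, start=1):
        for col, field in enumerate(row):
            if action_col is not None and col != action_col:
                continue
            if field.strip() == OLD_ACTION:
                row[col] = NEW_ACTION
                changes.append((row_no, col))
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows(rows)
    return out.getvalue(), changes


if __name__ == "__main__":
    converted, changed = convert_pbmf_rules(SAMPLE)
    print(converted, end="")
    print(f"{len(changed)} action field(s) rewritten at {changed}")
```

The returned change list gives the rows to look at when reviewing the uploaded rules in step 7.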
SQL Logging not Working
The ability to create SQL logs (via Status/Reporting Reporting Configure Advanced) is not working in this release.

Policy Not Saved when Selecting Pattern Filters
When configuring a policy, you must first click Apply to save the current policy before selecting the Pattern Filters link to add a PBMF. When finished adding a pattern filter, click Cancel to return to the policy screen.

Modifying PBMF Action adds "Train" Action
When modifying a PBMF to use the "Reject", "Accept", or "Relay" action, the "Train" action will also be added, such as "Reject+train". You must edit the PBMF again to set to "Reject" and then click Apply.

Admin HTTP/S Ports
The web server admin ports are not configurable via Misc Configure Web Admin on the eprism system console. After a system restart, the ports will revert to the defaults (80 and 443).

LDAP Recipients and LDAP Relay: "$" Character not allowed in bind
For the LDAP recipients and LDAP relay features, the bind password cannot contain a "$" character.

Open Relay Tests
Various Open Relay tests behave differently when testing e-mail systems. eprism is a secure mail gateway, and a correctly configured eprism does not and should not operate as an open relay.

Installation Notes

For new installations of eprism 6.0, see the eprism Installation Guide for detailed instructions on setting up eprism for the first time.

Upgrading from a Previous Version

The eprism Email Security Appliance 6.0 upgrade replaces the current version running on eprism systems. eprism 6.0 supports an upgrade from the following versions:

eprism 4.0 Update 2
eprism 5.0 Update 2

The upgrade procedure must be performed in the following order:

1. Perform a complete backup.
2. Restart the system in Re-install/Restore mode.
3. Load the new software image.
4. Install the new version of eprism.
5. Re-license the system and any additional options.
6. Restore system data from backup.

Please see the How to Upgrade to eprism 6.0 document for detailed instructions on how to upgrade your current eprism software to 6.0, including instructions for eprism systems in a HALO cluster. Contact St. Bernard Technical Support if you require assistance with this procedure.

Last Document Revision: February 8, 2006