Symantec Hosted Mail Security Administration Guide




Copyright 2006 Symantec Corporation. All rights reserved.

Federal acquisitions: Commercial Software - Government Users Subject to Standard License Terms and Conditions.

Symantec, the Symantec logo, and Norton AntiVirus are U.S. registered trademarks of Symantec Corporation. LiveUpdate, Symantec AntiVirus, Symantec Enterprise Security Architecture, and Symantec Security Response are trademarks or registered trademarks of Symantec Corporation in the United States and certain other countries. pages is a trademark of Microsoft Corporation. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THIS DOCUMENTATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID, SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014
http://www.symantec.com

Printed in the United States of America.

Technical Support

Contacting Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's maintenance offerings include the following:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and Web-based support that provides rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
- Advanced features, including Technical Account Management

For information about Symantec's Maintenance Programs, you can visit our Web site at the following URL: www.symantec.com/techsupp/ent/enterprise.html

Select your country or language under Global Support. The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you use.

Customers with a current maintenance agreement may access Technical Support information at the following URL: www.symantec.com/techsupp/ent/enterprise.html

Select your region or language under Global Support.

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.

When you contact Technical Support, please have the following information available:
- Product release level
- Hardware information
- Available memory, disk space, NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/techsupp/ent/enterprise.html

Select your region or language under Global Support, and then select the Licensing and Registration page.

Customer service

Customer service information is available at the following URL: www.symantec.com/techsupp/ent/enterprise.html

Select your country or language under Global Support.

Customer Service is available to assist with the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade insurance and maintenance contracts
- Information about Symantec Value License Program
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:
- Asia-Pacific and Japan: contractsadmin@symantec.com
- Europe, Middle-East, and Africa: semea@symantec.com
- North America and Latin America: supportsolutions@symantec.com

Additional enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Additional services that are available include the following:
- Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
- Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
- Consulting services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.
- Educational Services: These services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise Services, please visit our Web site at the following URL: www.symantec.com

Select your country or language from the site index.


Contents

Chapter 1 Introducing Symantec Hosted Mail Security
  About Symantec Hosted Mail Security
  How Symantec Hosted Mail Security works
  How Symantec Hosted Mail Security protects against virus threats
  What happens during a virus scan
  If a virus is detected
  How Symantec Hosted Mail Security protects against spam
  About automatic spam filters
  About customized allow and deny lists
  How Symantec Hosted Mail Security protects against undesirable content
  How content filtering dictionaries work
  About URL click-through protection
  About spam beacon blocking
  About language identification blocking
  Where to find more information about Symantec Hosted Mail Security
  Contacting Technical Support
  Contacting Customer Service
  Reporting missed spam to Symantec
  Reporting false positives to Symantec

Chapter 2 Configuring Symantec Hosted Mail Security
  About the Symantec Hosted Mail Security Console
  Redirecting your inbound MX records
  Setting up your outbound server
  Understanding hierarchy levels and user roles
  Managing domain accounts
  Searching for a domain or alias domain
  Viewing domain configuration information
  Adding alias domain names
  Deleting alias domain names
  Managing user accounts
  Designating how user accounts are created or deleted
  Creating user accounts manually
  Manually deleting user accounts
  Adding user accounts automatically through SMTP Discovery
  Deleting user accounts automatically through SMTP Discovery
  About access rights for the User role
  Using alias email addresses to manage user accounts
  Preventing users from adding their own aliases
  Limiting the number of email aliases per user
  Adding alias email addresses
  Deleting email addresses
  Converting primary addresses to aliases
  Viewing information about user configuration
  Editing user accounts
  About user authentication methods
  Selecting password authentication
  Selecting LDAP authentication
  Selecting POP3 authentication
  Selecting IMAP authentication
  About groups and group policy sets

Chapter 3 Managing domain and user policies
  About domain policies
  Editing domain policies
  Working with Sender Allow and Deny lists
  About the Recipient Shield list
  Working with antivirus policies
  Specifying actions for antivirus classification
  Configuring antivirus notifications
  About antispam filtering policies
  Specifying actions for antispam classifications
  Specifying actions for antispam content groups
  Configuring Spam Quarantine reporting
  About content policies
  Editing and creating content groups
  Specifying HTML Shield policies
  Specifying ClickProtect policies
  Specifying language policies
  Configuring file attachment policies
  Specifying notification policies
  Viewing and editing notification options
  About user-level policy configurations
  About distribution lists
  About Fail Safe protection

Chapter 4 Working with message quarantines
  Viruses Quarantine
  Spam Quarantine
  Attachments Quarantine
  Content Quarantine
  Safe Message View

Chapter 5 Reports and logs
  About reports and logs
  Traffic Overview report
  Threats Overview report
  Virus Threats report
  Spam Threats report
  Content Threats report
  Attachments Threats report
  ClickProtect Overview report
  ClickProtect Log report
  Quarantine Release Overview report
  Quarantine Release Log report
  User Activity report
  Event Log report
  Audit Trail report
  Inbound Server Connections report
  FailSafe Overview report
  FailSafe Event Log report

Chapter 6 Troubleshooting and frequently asked questions

Glossary

Index

Chapter 1 Introducing Symantec Hosted Mail Security

This chapter includes the following topics:
- About Symantec Hosted Mail Security
- How Symantec Hosted Mail Security works
- How Symantec Hosted Mail Security protects against virus threats
- How Symantec Hosted Mail Security protects against spam
- How Symantec Hosted Mail Security protects against undesirable content
- Where to find more information about Symantec Hosted Mail Security
- Contacting Technical Support

About Symantec Hosted Mail Security

Symantec Hosted Mail Security provides comprehensive protection from viruses, spam, unwanted message content, and other threats that spread through email. It protects your mail servers and internal network by scanning and filtering your incoming Internet email traffic before it enters your mail system. It lets you scan and filter your outgoing Internet email traffic to prevent the spread of malicious or inappropriate content and to enforce mail security policies. You set and manage your mail security policies, access quarantined mail, and view reports through a secure Web portal.

You can configure Symantec Hosted Mail Security to protect your network perimeter from the following types of threats:
- Computer viruses, worms, Trojan horses, and mass-mailers
- Denial-of-service attacks and messages that overload the system
- Directory harvesting attacks and other email-based attacks
- Unsolicited bulk email messages (spam), email fraud, and other spam threats
- Inappropriate or malicious message content

How Symantec Hosted Mail Security works

Symantec Hosted Mail Security is a protective filter that scans all of your incoming Internet email traffic before it enters your mail system. You can also configure it to scan all of your outgoing Internet email traffic to prevent the spread of malicious or inappropriate content and to enforce mail security policies. Symantec Hosted Mail Security resides outside your firewall, which reduces the processing burden on your mail servers and reduces your network's exposure to vulnerabilities and attacks.

Symantec Hosted Mail Security creates a proxy gateway for your inbound and outbound Internet email traffic. Messages are filtered in real-time as they pass to and from the Symantec Hosted Mail Security gateway and your mail servers. Symantec Hosted Mail Security handles the filtering processes in its cache. Only messages that are quarantined for virus, spam, or content filtering violations are stored on disk.

Symantec Hosted Mail Security uses multiple levels of dynamic filtering technology to determine whether a message may contain malicious or inappropriate content or attachments. It scans all parts of the message, including the message header, message body, and attachments. Depending on your configuration, it scans first for viruses or virus behavior, then for spam, and then for content filtering rules. When a violation is detected or if a scan error occurs, Symantec Hosted Mail Security stops scanning and handles the message based on the filtering policy settings that you have configured.

Figure 1-1: Email Traffic Flow

How Symantec Hosted Mail Security protects against virus threats

Symantec Hosted Mail Security includes all of the virus scanning technologies that are available in Symantec antivirus products. It protects against viruses, worms, and Trojan horses in all major file types, including compressed files and archive file formats. It also protects against mobile code (for example, ActiveX or JavaScript) and script-based threats.

Symantec Hosted Mail Security protects your mail system from messages and attachments that overload the system and cause denial-of-service. This includes container files that are overly large, that contain large numbers of embedded compressed files, or that are otherwise designed to maliciously use resources and degrade performance.

Symantec Hosted Mail Security provides the following types of protection from virus threats that spread through email:
- Automatic scanning for virus signatures: Symantec engineers continually track reported outbreaks of computer viruses and threats. When a new virus or other threat is identified, information about that virus (a signature) is stored in a virus definitions file. The virus definitions file contains the necessary information to detect and eliminate the virus. Symantec Hosted Mail Security updates its virus definitions every 5 minutes. Updates are handled automatically without having to restart services or redeploy software. This ensures no interruption in scanning services during the updates.
- Automatic scanning for virus-like characteristics using advanced heuristics: Heuristic methods of virus detection are designed to detect viruses for which no known definitions exist. Advanced heuristics analyze a program's structure, behavior, and other attributes for virus-like characteristics, such as self-replication. Symantec Hosted Mail Security uses advanced heuristics to analyze a file if it detects certain behaviors in the file that warrant further analysis.
- Automatic protection from messages and attachments that can cause denial of service: Symantec Hosted Mail Security includes maximum size and scanning depth levels to reduce exposure to denial-of-service attacks.
- Blocking by subject line: You can configure Symantec Hosted Mail Security to block messages by the subject line. This lets you handle emerging threats for which a virus definition has not been created.

Note: Internet email is only one avenue by which a virus or threat can infiltrate your network. For comprehensive protection, you should ensure that every server and workstation at your site is protected by a server or desktop antivirus solution.

What happens during a virus scan

When Symantec Hosted Mail Security scans a file, it first decodes and decompresses it. It then looks for known viruses by comparing segments of the file to the sample code inside of a virus definitions file. The virus definitions file contains nonmalicious bits of code, or virus definitions, for thousands of viruses. If Symantec Hosted Mail Security finds a match, the file is considered infected, and it is handled according to your configuration settings.

Advanced heuristics, which include Symantec Bloodhound technology, help detect viruses for which no known definitions exist. Symantec Hosted Mail Security uses advanced heuristics to analyze a file if it detects certain behaviors in the file that warrant further analysis. During a heuristics scan, the file is copied into a self-contained virtual computer that emulates the operating system environment. The antivirus scanner then runs the file and probes for and assesses suspicious behavior, such as whether the file replicates itself a number of times in a specified time frame. In most cases, the antivirus scanner can determine in milliseconds whether a file is likely to be infected by a virus. If it considers the file likely to be infected, it handles the file according to the settings that you have configured for handling infected files.

If Symantec Hosted Mail Security encounters a file that it cannot scan or it encounters a file attachment that violates a scanning rule, it logs the error and handles the file according to your configuration settings.

If a virus is detected

You can configure Symantec Hosted Mail Security to handle infected files in the following ways:

Table 1-1 Actions for infected files

Action: Clean the message
Result: Attempts to remove the virus and preserve the attachment. If the file is successfully repaired, text is added to the email message to notify recipients that a virus was detected and that the file was cleaned.

Action: Quarantine the message after attachment is stripped
Result: Removes the infected attachment from the email message and sends the message to the quarantine for administrator review.

Action: Strip Attachment
Result: Removes the infected attachment from the email message and delivers the rest of the message. Text is added to the message to notify recipients that a virus was detected in the attachment and that the attachment was removed.

Action: Deny Delivery
Result: Blocks delivery of the email message and its attachments.

Action: Do Nothing or Allow Delivery
Result: Delivers the email message and its attachments with no filtering or notification.

How Symantec Hosted Mail Security protects against spam

Symantec Hosted Mail Security lets you handle spam in the following ways:
- Spam filters are continuously and automatically updated to protect against new and emerging spam threats.
- Symantec Hosted Mail Security uses multiple filtering technologies to maximize spam detection and minimize false positives.
- You can define specific email addresses, DNS names, and IP addresses from which email is always accepted or always denied.

About automatic spam filters

Symantec Hosted Mail Security provides multiple layers of filtering technology to protect your network environment from spam. As incoming messages pass through these filters, they are scored and classified as spam, potential spam, or legitimate messages. Legitimate messages are sent to the recipient. Based on how you configure Symantec Hosted Mail Security, spam and potential spam messages can be rejected, quarantined, or copied to another recipient, for example, an administrator.

Symantec maintains a global network of over 2 million decoy email addresses and domains that attracts and collects the latest spam. Tens of millions of email messages pass through the Symantec Probe Network each month. These messages are sent to Symantec Security Response for analysis to identify new spamming techniques and threats. Symantec technicians continuously fine-tune existing filters and develop new filters to respond to new and evolving threats. These filters are automatically updated every 10 minutes to ensure that your environment stays protected.

Table 1-2 provides information about the types of spam filtering technology that are used in Symantec Hosted Mail Security.

Table 1-2 Spam Filtering Technologies

Filter type: Reputation Service
Description: Symantec monitors email sources from around the world to determine how many of the email messages that are sent from those sources are legitimate. Email from those sources can then be blocked or allowed based on the reputation value of the source as determined by Symantec. The Reputation Service is a dynamic database of IP addresses that is continuously compiled and updated. It consists of the following lists:
- Open proxy list: A list of IP addresses of identity-masking relays that are used by spammers. This includes proxy servers with open or unsecured ports.
- Safe list: A list of IP addresses from which virtually no outgoing email is spam.
- Suspect list: A list of IP addresses from which virtually all outgoing email is spam.
Protection type:
- Protects against high-volume spam sources and messages from open or unsecured relays.
- Protects against false positives by allowing email traffic from sources that are contained on the safe list.

Filter type: Heuristic filters
Description: Heuristic filters scan all parts of a message to test for characteristics that are usually inherent in spam, such as opt-out links, specific phrases, and forged headers. The filters assign an overall score to the message that is based on the number of spam characteristics that are found. If the message exceeds the spam threshold, it is considered spam.
Protection type:
- Protects against spam that is too new to be detected by other types of filters.

Filter type: Language filters
Description: Language filters can detect whether a message is written in one of 11 supported languages and then apply only the heuristic filters that were created for that language. This helps improve performance. The supported languages include Chinese, Dutch, English, French, German, Italian, Japanese, Korean, Portuguese, Russian, and Spanish.
Protection type:
- Protects global network environments from spam that is written in a language other than English.

Filter type: MIME attachment signature filters
Description: Attachment signatures target specific types of MIME attachments, such as ZIP files, for objectionable or malicious content. Symantec Hosted Mail Security treats any message as spam if any MIME attachment in the message matches a Symantec MIME filter.
Protection type:
- Protects against embedded images and executables in MIME attachments that contain objectionable or malicious content.

Filter type: Signature filters
Description: Messages that flow into Symantec Security Response (SSR) are analyzed for unique signatures and variations of signatures that are characteristic of a spam attack. Using this signature, Symantec can group and match seemingly random messages that originated from a single attack. Symantec continuously updates its database of known spam based on these signatures.
Protection type:
- Protects against highly randomized, HTML-based spam attacks.
- Protects against HTML-based evasion techniques that are used by spammers.

Filter type: URL filters
Description: URL filters scan message bodies for embedded URLs. The filters compare the URLs to the known-spammer list. The filters can identify and remove special characters that have been added to the URL link to conceal the Web address. Symantec builds its known-spammer list based on URLs that are collected by the Symantec Probe Network and trusted third-party spam URL lists.
Protection type:
- Protects against spam messages that direct recipients to inappropriate Web sites, such as pornographic sites.
- Protects against spam messages that direct recipients to fraudulent Web sites.
- Protects against tactics that spammers use to evade spam filters, such as disguised URLs and extreme randomization.

About customized allow and deny lists

You can define specific email addresses, DNS names, and IP addresses from which email is always accepted or always denied.

Email addresses that you add to the deny list are always blocked. Deny lists are better suited for handling unwanted email messages from senders that you know, such as an individual or company whose sender address is unlikely to change frequently. Spammers use a variety of techniques to evade detection, such as changing or masking their sender addresses. Deny lists are not an effective tool against this type of threat.

Email addresses that you add to the allow list bypass the spam filters in Symantec Hosted Mail Security. This feature can help minimize the risk of a legitimate message being handled as spam. However, bypassing the spam filters can pose a security risk. Spammers who send fraudulent or malicious content often use techniques in which they spoof or hijack an email address or domain so that the message appears to be sent from a legitimate and trusted sender.

Note: The Allow List only applies to spam and content filtering. Messages are scanned for viruses and worms.
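The scan order described earlier (viruses, then spam, then content, stopping at the first violation) and the allow-list scope described in the note above can be modelled in a few lines. The following Python example is added here and is not Symantec code: the function and constant names, the detector markers, the spam threshold, matching the lists against the From header, and checking the deny list before scanning are all assumptions made for illustration. The second sample in `__main__` shows the risk the text names: the same spam body is delivered when the From address matches an allow-list entry.

```python
"""Added model of the scan order and allow-list scope (not Symantec code)."""
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr

# Stand-in detectors. All markers, phrases and thresholds are constructed.
VIRUS_MARKER = "constructed-virus-marker"
SPAM_TRAITS = ("click here to unsubscribe", "act now", "100% free")
SPAM_THRESHOLD = 1  # assumed: more than this many traits means spam
CONTENT_KEYWORDS = ("project-bluebird",)


@dataclass
class Policy:
    allow: set = field(default_factory=set)
    deny: set = field(default_factory=set)


def evaluate(raw_message, policy):
    """Return (verdict, stages_run) for one single-part message string."""
    msg = message_from_string(raw_message)
    # Assumption: lists are matched against the From header address,
    # a value the sender controls and can forge.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = str(msg.get_payload()).lower()
    stages = []

    # Assumption: the deny list is checked before any scanning.
    if sender in policy.deny:
        return "denied", stages

    # Virus scanning always runs, even for allow-listed senders.
    stages.append("virus")
    if VIRUS_MARKER in body:
        return "virus", stages

    # Allow list: spam and content filtering are skipped from here on.
    if sender in policy.allow:
        return "allowed", stages

    # Heuristic-style scoring: count spam traits, compare to a threshold.
    stages.append("spam")
    traits = sum(trait in body for trait in SPAM_TRAITS)
    if traits > SPAM_THRESHOLD:
        return "spam", stages
    if traits > 0:
        return "potential_spam", stages

    stages.append("content")
    if any(word in body for word in CONTENT_KEYWORDS):
        return "content", stages
    return "clean", stages


def make_message(sender, body):
    """Build a constructed test message with the given From header."""
    return f"From: {sender}\nTo: user@example.org\nSubject: test\n\n{body}\n"


# Constructed policy and sample body for the demonstration.
POLICY = Policy(allow={"partner@example.com"}, deny={"ex-vendor@example.net"})
SPAM_BODY = "Act now! 100% free. Click here to unsubscribe."

if __name__ == "__main__":
    samples = [
        ("Stranger <bulk@example.net>", SPAM_BODY),
        ("Partner <partner@example.com>", SPAM_BODY),  # From may be forged
        ("Partner <partner@example.com>", "see attached " + VIRUS_MARKER),
        ("ex-vendor@example.net", "hello again"),
        ("colleague@example.org", "notes on project-bluebird"),
    ]
    for sender, body in samples:
        verdict, stages = evaluate(make_message(sender, body), POLICY)
        print(f"{sender:32} -> {verdict:14} stages={stages}")
```
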

How Symantec Hosted Mail Security protects against undesirable content

Symantec Hosted Mail Security lets you monitor incoming and outgoing email messages and attachments for inappropriate content to enforce corporate mail policies, reduce legal liability, and ensure compliance with regulatory requirements.

The content filtering features in Symantec Hosted Mail Security can detect and remove malicious HTML tags, scripting objects, and certain types of embedded images to protect your network from email-based threats.

You can configure whether email messages that violate content or attachment policies are quarantined, rejected, stripped of the file attachment, or copied to another recipient, for example, an administrator.

Table 1-3 describes content compliance and security features provided by Symantec Hosted Mail Security.

Table 1-3 Content compliance and security features

Feature: Predefined content keyword categories
Description: Lets you filter content by keywords and phrases that are contained in the Symantec-provided content dictionary. The content dictionary consists of the following categories:
- Profanity
- Sexual Overtones
- Racially Insensitive

Feature: Customized content keyword categories
Description: Lets you add custom categories to the content dictionary and add your own keywords and phrases to satisfy your own security and business needs.

Feature: Spam-specific keyword categories
Description: Lets you define customized lists of keywords that are used to filter email for spam.

Feature: URL click-through protection
Description: Lets you enable or disable a user's ability to follow a URL or other Web hyperlink that is contained in the body of an email message. You can also monitor information about the Web sites that users are visiting and other statistics.

Feature: Spam beacon blocking
Description: Removes certain types of embedded images from email messages that are used to send information about the user to the source of the message. Spammers embed these images to gather information about the system and to verify that the recipient's address is a valid address.

Feature: Language identification blocking
Description: Lets you specify languages in which you will allow messages.

How content filtering dictionaries work

The content dictionary that is provided by Symantec contains commonly filtered words and phrases that are grouped by categories. You can select the categories that you want to use to filter content. You can also define your own custom categories and keywords to use for filtering.

When you enable content filtering, Symantec Hosted Mail Security matches the individual words that are contained in an email message to the words that are contained in the content filtering categories that you have selected for filtering. As the filtering process continues, the content filtering scanner builds a word chain so that it can examine the context. For example, if the word cancer follows the word breast in a word chain, it is likely that the message is about a medical condition and is not inappropriate.

The content filtering scanner scores a message based on the number of matches that are found and adjusts the score based on the context of the words. If the score exceeds the built-in threshold, the message is considered to be a content filtering violation, and it is handled according to the configuration settings.

About URL click-through protection

You can enable or disable a user's ability to follow a URL or other Web hyperlink that is contained in the body of an email message. This lets you enforce email security policies, reduce legal liabilities, and protect your network environment from security risks.

Symantec Hosted Mail Security maintains information about the hyperlinks that were followed, who visited the sites, who sent the email message, and other statistical information so that you can monitor activities.

You can configure whether a site is automatically blocked, whether the user must respond to a confirmation prompt before proceeding, and whether the user receives a notification message. You can also create an allow list of URLs that you want to exclude from click-through protection.

About spam beacon blocking

Spam beacons or Web bugs are small graphics that are embedded in HTML content that can gather and send information about your system to the source (usually a URL). They typically are transparent, 1x1 pixel graphics and are nearly invisible. Web bugs are often used on Web sites to monitor surfing behavior. However, spammers can also hide them in their mass mailings as spam beacons. When the recipient opens the message, the spam beacon sends a signal back to the spammer's URL that confirms that the recipient's email address is valid.
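One way to find and remove the beacons described above, as an added example that is not Symantec's implementation. It assumes a beacon is a remote image whose width and height are both 0 or 1 pixel, because the guide does not state the product's own criteria; the sample message and host names are constructed.

```python
import re
from html.parser import HTMLParser

# Assumption: a beacon is a remote <img> whose width and height are both 0 or 1 px,
# set as attributes or as inline CSS. "max-width" and percentages are ignored.
STYLE_DIM = re.compile(r"(?<![\w-])(width|height)\s*:\s*(\d+)\s*(?:px)?\s*(?:;|$)", re.I)


def tiny(value):
    """True for '0', '1' or '1px'; False for missing or larger sizes."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "", re.I)
    return m is not None and int(m.group(1)) <= 1


def is_beacon(attrs):
    """attrs is the (name, value) list that HTMLParser passes for an <img> tag."""
    a = {k: (v or "") for k, v in attrs}
    if not re.match(r"(?:https?:)?//", a.get("src", "").strip(), re.I):
        return False  # cid: and data: images cause no request to a remote host
    dims = {"width": a.get("width"), "height": a.get("height")}
    for name, number in STYLE_DIM.findall(a.get("style", "")):
        dims[name.lower()] = number  # inline CSS takes precedence over attributes
    return tiny(dims["width"]) and tiny(dims["height"])


class BeaconStripper(HTMLParser):
    """Re-emits the HTML unchanged except for <img> tags that look like beacons."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.removed = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "img" and is_beacon(attrs):
            self.removed.append(dict(attrs).get("src"))
        else:
            self.out.append(self.get_starttag_text())

    handle_startendtag = handle_starttag  # <img ... /> is emitted or dropped whole

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)


def strip_beacons(html):
    """Return (cleaned_html, list_of_removed_image_urls)."""
    parser = BeaconStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample message body: an inline logo, a banner and two beacons.
SAMPLE = (
    '<html><body><p>Spring sale &amp; more</p>'
    '<img src="cid:logo@example" width="1" height="1">'
    '<img src="https://img.example.net/banner.png" width="600" height="80">'
    '<img src="http://track.example.net/o.gif?r=user%40example.com" width="1" height="1">'
    '<img src="https://track.example.net/p.gif" style="width:1px;height:1px" alt=""/>'
    '</body></html>'
)

if __name__ == "__main__":
    cleaned, removed = strip_beacons(SAMPLE)
    print(cleaned)
    print("removed:", removed)
```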

You can configure Symantec Hosted Mail Security to automatically remove these types of images from HTML content that is contained in incoming Internet email messages.

About language identification blocking

Symantec Hosted Mail Security can identify what language an email is written in, and filter email based on this information. You can choose to allow Symantec Hosted Mail Security to only deliver email in certain languages, or you can allow all languages, which is the default policy.

Where to find more information about Symantec Hosted Mail Security

The following documentation is available to assist you with using and configuring Symantec Hosted Mail Security:
- Symantec Hosted Mail Security Console and Spam Quarantine User's Guide

If you are connected to the Symantec Hosted Mail Security Console, the console contains embedded help to assist you with using and configuring Symantec Hosted Mail Security. What's This links provide information about each option.

If you are connected to the Internet, the following online resources are available on the Symantec Web site:
- Symantec.com/techsupp/ent/enterprise.html: Provides access to the technical support Knowledge Base, newsgroups, contact information, downloads, and mailing list subscriptions
- Securityresponse.symantec.com: Provides access to the Virus Encyclopedia, which contains information about all known viruses; information about virus hoaxes; and access to white papers about virus threats

Contacting Technical Support

Customers with a current support agreement may contact the Technical Support group via phone or online at www.symantec.com/techsupp.

When contacting the Technical Support group, please have the following:
- The page where you were working and details of the particular function you were trying to perform
- The exact wording of any messages that appeared in the message box or in the status line
- Any software or hardware behavior that seemed unusual
- A description of how you tried to solve the problem
- The version of the product you were using

Contacting Customer Service

To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, and then choose Service and Support. Customer Service is available to assist with the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information on product updates and upgrades
- Information on upgrade insurance and maintenance contracts
- Information on Symantec Value License Program
- Advice on Symantec technical support options
- Nontechnical presales questions
- Missing or defective CD-ROMs or manuals

Reporting missed spam to Symantec

You can submit spam or suspected spam messages that were not detected by Symantec Hosted Mail Security to the Symantec Brightmail Logistics and Operations Center (BLOC). Symantec engineers will analyze the message for spam characteristics and will issue updates to the spam filtering rules as needed.

You should submit the missed spam within 24 hours of when you received the message to ensure timely updates and to avoid analyzing messages for which updated rules have already been issued.

You can submit the missed spam to one of the following email addresses:

North America                   Gsubmit@submit-1.brightmail.com
Europe, Middle East, Africa     eurosubmit@submit-23.brightmail.com
Japan, Asia, Pacific Rim        apacsubmit@submit-22.brightmail.com

Note: These addresses are for missed spam messages only. You must submit the message as an RFC-822 MIME-encoded attachment.

Reporting false positives to Symantec

You can submit messages that were incorrectly tagged as spam to the Symantec Brightmail Logistics and Operations Center (BLOC). Symantec engineers will analyze the message and issue updates to the spam filtering rules as needed.

You can submit false positives to one of the following email addresses:

North America                   Gfeedback@feedback-1.brightmail.com
Europe, Middle East, Africa     eurofeedback@feedback-23.brightmail.com
Japan, Asia, Pacific Rim        apacfeedback@feedback-22.brightmail.com

Note: These addresses are for false-positive messages only. You must send the message as an RFC-822 MIME-encoded attachment.

Chapter 2

Configuring Symantec Hosted Mail Security

This chapter includes the following topics:
- About the Symantec Hosted Mail Security Console
- Redirecting your inbound MX records
- Setting up your outbound server
- Understanding hierarchy levels and user roles
- Managing domain accounts
- Managing user accounts
- About user authentication methods
- About groups and group policy sets

About the Symantec Hosted Mail Security Console

The Symantec Hosted Mail Security Console is a browser-based interface. You access the console through a secure Web portal at the following URL:

https://hostedmailsecurity.symantec.com

When you subscribe to Symantec Hosted Mail Security, you will receive a welcome kit that includes your initial logon name and password. You can change this password.

For more information about requesting a new password, setting passwords, and changing passwords and for more information about working in the console, see the Symantec Hosted Mail Security Console and Spam Quarantine Report User's Guide.

You can do the following configuration tasks from the Symantec Hosted Mail Security Console:
- Configure the inbound and outbound server settings
- Set domain-level and user-level policies
- Create groups of users and assign policies to them
- Add and configure alias domain accounts
- Add and configure user accounts and aliases
- Configure the authentication settings for user logons

When you log on to the console as an Administrator, the Overview page is displayed by default. The Overview page provides high-level information about the email traffic to your domains over the previous 24 hours. Customer Administrators will see the information for all the domains that have been defined for the customer. Domain Administrators will see the information for only the domain in which the user role was defined.

You can configure Symantec Hosted Mail Security so that users can access their spam message quarantines through their Spam Quarantine Reports. The reports contain links that take them directly to their spam quarantine without having to log on through the console.

Note: Some of the settings in the Symantec Hosted Mail Security Console are determined by your level of user rights. Some of the options that are described in this manual may not be available.

Redirecting your inbound MX records

Symantec Hosted Mail Security creates a proxy gateway for your inbound and outbound Internet email traffic. Messages are filtered in real-time as they pass to and from the Symantec Hosted Mail Security gateway and your mail servers.

Before you can enable scanning of your incoming or outgoing Internet email, you must change the Mail Exchange (MX) records on your Internet-facing mail server or with your Internet Service Provider (ISP) to direct your email traffic to Symantec.

When you subscribe to Symantec Hosted Mail Security, Symantec sends you instructions that are specific to your organization on how to configure the Mail Exchange (MX) records for your domain name server (DNS) to direct your inbound and outbound email traffic to Symantec.

Table 2-1 provides general information about the settings for inbound email traffic:

Table 2-1 MX settings for inbound email

MX record                                    Preference level
<domain_name>.inbound10.symantecmail.com     10
<domain_name>.inbound10.symantecmail.net     10
<domain_name>.inbound20.symantecmail.com     20
<domain_name>.inbound20.symantecmail.net     20
<domain_name>.inbound30.symantecmail.com     30
<domain_name>.inbound30.symantecmail.net     30

You should remove all previous listings of your mail server. Additional domains should be redirected in the same manner.

To ensure that all inbound email traffic is filtered and protected by Symantec Hosted Mail Security, you must restrict all IP access to your mail servers with the exception of the following Symantec subnets:
- 198.65.127.0/24
- 216.183.112.64/26

You must also configure your inbound server information on the console. You must have Administrator rights to perform this task on the console.

Note: It may take several days for your MX record redirect to propagate to all the email servers that may be sending email to your email server. During that time, your email server may still receive email directly from those email servers until they are updated with your latest MX record information.

To configure your inbound server settings

1 On the Symantec Hosted Mail Security Console, on the console toolbar, click Setup.
2 On the Configuration toolbar, click Inbound Servers.
3 On the Inbound Servers Setup page, in the SMTP Host Address field, type the fully qualified IP address or DNS address of your SMTP host server.
4 In the Port field, type the port number on your SMTP host server to which the Symantec Hosted Mail Security service should connect. The default port number is 25.
5 In the Preference field, type a number to indicate the order of connection preference if you are configuring multiple servers. The Symantec Hosted Mail Security service will attempt to connect to the server that has the lowest preference number first. If you assign the same preference number to multiple servers, Symantec Hosted Mail Security will balance the delivery.
6 If the server is immediately available to accept connections, check the Active checkbox. You must check this checkbox to allow Symantec Hosted Mail Security to connect to the server.
7 Click Save Changes.
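The subnet restriction and the propagation note in this section can be checked from the mail server's side. The following Python code is an added example, not Symantec code: it compares a list of MX records with Table 2-1 and counts SMTP clients that connected from outside the two Symantec subnets. The Postfix-style log format, the host names, and the sample data are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Subnets and MX naming scheme as listed in this guide.
GATEWAY_NETS = [ipaddress.ip_network(n)
                for n in ("198.65.127.0/24", "216.183.112.64/26")]
MX_HOST = re.compile(r"\.inbound(10|20|30)\.symantecmail\.(?:com|net)\.?$", re.I)

# Assumption: the mail server writes Postfix-style "connect from host[ip]" lines.
CONNECT = re.compile(r"postfix/smtpd\[\d+\]: connect from \S*\[([0-9A-Fa-f:.]+)\]")


def is_gateway(ip_text):
    """True if the address is inside one of the Symantec subnets."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in GATEWAY_NETS)


def check_mx(records):
    """Return (preference, host, reason) for each record that deviates from Table 2-1."""
    problems = []
    for pref, host in records:
        m = MX_HOST.search(host)
        if m is None:
            problems.append((pref, host, "previous listing, not a Symantec inbound host"))
        elif pref != int(m.group(1)):
            problems.append((pref, host, "preference should be " + m.group(1)))
    return problems


def direct_senders(log_lines):
    """Count SMTP clients that reached the server without passing the gateway."""
    counts = Counter()
    for line in log_lines:
        m = CONNECT.search(line)
        if m is None:
            continue
        try:
            if not is_gateway(m.group(1)):
                counts[m.group(1)] += 1
        except ValueError:  # bracketed text that is not an IP address
            counts["unparseable:" + m.group(1)] += 1
    return counts


# Constructed sample data ("example-com" stands in for <domain_name>).
SAMPLE_MX = [
    (10, "example-com.inbound10.symantecmail.com"),
    (10, "example-com.inbound10.symantecmail.net"),
    (20, "example-com.inbound20.symantecmail.com"),
    (30, "example-com.inbound20.symantecmail.net"),  # preference does not match host
    (5, "mail.example.com"),                         # old direct listing left in place
]
SAMPLE_LOG = [
    "Jan 12 10:01:02 mx1 postfix/smtpd[2211]: connect from unknown[198.65.127.10]",
    "Jan 12 10:01:05 mx1 postfix/smtpd[2212]: connect from unknown[216.183.112.70]",
    "Jan 12 10:02:11 mx1 postfix/smtpd[2213]: connect from unknown[216.183.112.130]",
    "Jan 12 10:03:40 mx1 postfix/smtpd[2214]: connect from unknown[203.0.113.5]",
    "Jan 12 10:03:59 mx1 postfix/smtpd[2215]: connect from unknown[203.0.113.5]",
    "Jan 12 10:04:17 mx1 postfix/smtpd[2216]: connect from unknown[2001:db8::25]",
    "Jan 12 10:04:20 mx1 postfix/smtpd[2216]: disconnect from unknown[2001:db8::25]",
]

if __name__ == "__main__":
    for problem in check_mx(SAMPLE_MX):
        print("MX:", *problem)
    for ip, n in direct_senders(SAMPLE_LOG).most_common():
        print("direct connection:", ip, n)
```

Note that 216.183.112.130 is reported even though it shares a /24 with the gateway: the second Symantec subnet is a /26 that ends at 216.183.112.127.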

Setting up your outbound server

To enable outbound filtering, you must configure the outbound configuration settings on the security console to include the IP addresses that are associated with the outbound service on your mail server. You must also establish a relay to send outbound traffic to the appropriate outbound domains.

Table 2-2 provides general information about the settings for outbound email traffic.

Table 2-2 Settings for outbound email

Domain                                        Preference level
<domain_name>.outbound10.symantecmail.com     10
<domain_name>.outbound10.symantecmail.net     10
<domain_name>.outbound20.symantecmail.com     20
<domain_name>.outbound20.symantecmail.net     20
<domain_name>.outbound30.symantecmail.com     30
<domain_name>.outbound30.symantecmail.net     30

You must also configure your outbound server information on the console. You must have Administrator rights to perform this task on the console.

To set up your outbound server

1 On the Symantec Hosted Mail Security Console, on the console toolbar, click Setup.
2 On the Configuration toolbar, click Outbound Servers.
3 On the Outbound Server page, in the Server IP Address Range field, type the fully qualified IP address of the outbound SMTP host server.
4 Click Add New Address.
5 Click Save.

Understanding hierarchy levels and user roles

Symantec Hosted Mail Security uses a hierarchical architecture to control data and security. User roles are assigned for each level in the hierarchy.

Table 2-3 describes user roles and hierarchy levels.

Table 2-3 Roles and hierarchy levels

User role: Customer
Description: Contains one or more domain entries. For example, you can group all of the domain names that are used by your company or division within a company. Symantec sets up this account information for you when you purchase your license.

User role: Domain
Description: Contains the primary and alias domains that your organization uses for its email addresses. The domain is the part of the email address that follows the at (@) symbol. For example, in the email address user@mycompany.com, the domain is mycompany.com. You must own the rights to these domain names and your mail transfer agent (MTA) must be configured to receive email for these domains. Primary domain accounts can only be added by Symantec. Users with Customer Administrator rights can add alias domains.

User role: User accounts
Description: Contains the complete email addresses (email accounts) in your organization that can receive email. The complete email address (user@mycompany.com) is considered the primary email account. You can also add alias email accounts. You can add user accounts manually or automatically through the SMTP discovery feature. User account entries can only be added by users with Domain Administrator rights or higher.

You must define at least one entity for each hierarchy level. Depending on the hierarchy level, an entity may be a full domain name, email domain name, or a user's email address. The name of each entity within a hierarchy level must be unique. For example, the same domain name cannot be defined in multiple customer entities.
Administrator and user roles define the level of access that a user has within the Symantec Hosted Mail Security console.

Table 2-4 describes administrator and user roles.

Table 2-4 Administrator and user roles

Role: Customer Administrator
The Customer Administrator can do the following:
- Add, edit, and delete alias domains, user accounts, and user aliases
- Configure global and domain-level filtering policies for incoming and outgoing email
- Add, edit, or delete mail server hosts
- View and manage all quarantine areas for each domain
- View reports and statistical information that is generated for each domain

Role: Domain Administrator
The Domain Administrator can do the following:
- Add, edit, and delete user information for a specific email domain
- Configure domain-level filtering policies for incoming and outgoing email messages
- Add, edit, or delete mail server hosts at the domain level
- View and manage all quarantine areas for the email domain
- View reports and statistical information that is generated for the domain

Role: Quarantine Manager
The Quarantine Manager can do the following:
- View all quarantine areas for the primary and alias domains to which they are assigned
- View reports and statistical information
Quarantine Managers cannot cross boundaries between primary domains and cannot change filtering policies.

Role: Reports Manager
Reports Managers can view reports and statistical information for the primary and alias domains to which they are assigned. Reports Managers cannot cross boundaries between primary domains and cannot change filtering policies.

Role: User
Users who are assigned to the User role have limited rights within the security console. They can view their spam quarantine and adjust personal spam policy settings. They cannot change virus or content filtering policy settings and cannot view messages or attachments that have been quarantined for virus or content filtering violations.

Users who are assigned to the Domain Administrator, Quarantine Manager, or Reports Manager roles can perform any of the functions of their role and any role that has a lower level of rights.

Managing domain accounts

When you subscribe to Symantec Hosted Mail Security, Symantec sets up a domain account for your company on the Symantec Hosted Mail Security Console. Symantec uses the fully qualified name of your domain name server (DNS) for this account. You must own the rights to this domain name.

Primary domain accounts can only be added or deleted by Symantec. However, you can add alias domains to map to your primary domain to manage your user and domain configurations.

Searching for a domain or alias domain

The Search Domains feature lets you search for a specific primary domain or alias domain or for a range of domain names, for example, all domain names that begin with a specific letter.

To search for a domain or alias domain

1 On the Symantec Hosted Mail Security Console, on the console toolbar, click Setup.
2 On the Configuration toolbar, click Domains.
3 On the Configuration page, click Search.
4 In the Domain list, select one of the following search criteria:
  starts with: Searches for domain names that start with the characters that you type in the text field.
  is: Searches for the exact characters that you type in the text field. The text that you type must exactly match the domain name.
  contains: Searches for domain names that include the characters that you type in the text field.
5 In the text field, type the text for which you want to search.
6 Click Search.
  The domain names that match the search criteria are listed in the Domain list. To include alias domains in the list, check Show Domain Aliases.

Viewing domain configuration information

You can view basic configuration information about your primary domain and alias domain accounts.

Table 2-5 describes information you can view about the account.

Table 2-5 Domain configuration

Domain account: Domain
Description: Indicates the name of the domain whose information is being displayed.

Domain account: Created
Description: Indicates the date and time when the domain was added to Symantec Hosted Mail Security.

Domain account: Contact Email
Description: Indicates the email address that is used to contact a representative for the domain.

Domain account: Existing Users Qty
Description: Indicates the total number of user accounts (email addresses) defined in the domain.

Domain account: Inbound Package
Description: Specifies whether Symantec Hosted Mail Security is being used to filter inbound mail.

Domain account: Outbound Package
Description: Specifies whether Symantec Hosted Mail Security is being used to filter outbound mail.

Domain account: Quarantine Period
Description: Indicates the number of days that data for quarantined emails are stored before being automatically deleted.

Domain account: User Aliasing
Description: Indicates whether users can define and manage alias email addresses associated to their primary email addresses and, if enabled, how many alias email addresses can be defined per primary email address.

Domain account: Domain Aliases
Description: Indicates any alias domain names that have been defined for the domain and whether the Customer Administrator can define alias domain names for the Domain.

To view domain configuration information

1 On the Symantec Hosted Mail Security Console, on the console toolbar, click Setup.
2 On the Configuration toolbar, click Domains.
3 On the Configuration page, under Domain, click the name of the domain for which you want to view configuration information.
  The Domain Details field shows the basic configuration information about the domain that you selected.