Documentation Administration Manual iq.suite 12.1 For Microsoft Exchange Document Version 1.0
Editor's Note

All rights reserved. This manual and the programs described therein are copyright-protected products of GROUP Business Software AG, Germany. No part of this publication may be reproduced without written permission from GROUP Business Software AG. All hardware and software names used are registered names and/or trademarks of their respective manufacturer/proprietor.

Copyright 2013 GROUP Business Software AG, Hospitalstraße 6, 99817 Eisenach, Germany

Edition: October 2013
Table of Contents

1 Preface ... 1
1.1 Hotline ... 1
1.2 Copyright ... 1
1.3 Warranty ... 2
1.4 Microsoft Certification ... 2
1.5 License Terms ... 2
1.6 Third-Party Copyright Notes ... 3
1.7 Details on the Manuals ... 4
2 Quickstart ... 5
2.1 Installation on an Exchange Server ... 5
2.2 Installation on Several Exchange Servers ... 5
2.3 Starting the iq.suite Administration Console ... 6
2.4 Configuration in the iq.suite Administration Console ... 6
2.4.1 Required Basic Configuration Steps ... 6
2.4.2 Required Policy Configuration Steps ... 7
2.4.3 Recommended Basic Configuration Steps ... 7
2.4.4 Virus Scanning in Exchange Databases ... 8
2.5 Observing Data in iq.suite Monitor ... 8
3 Installation ... 9
3.1 System Requirements ... 9
3.2 Installation of Virus Scanners ... 10
3.3 Setup ... 11
3.3.1 Installation of iq.suite on an Exchange Server ... 11
3.3.2 Installation of iq.suite in Multi-Server Environments ... 17
3.3.2.1 Configuration Access ... 18
3.3.2.2 Administration ... 18
3.3.2.3 Running the Multi-Server Installation ... 18
3.3.3 Installation of the iq.suite Administration Console on a Workstation ... 20
3.3.4 Installation in Cluster ... 20
3.4 Update to iq.suite 12.1 for Exchange ... 21
3.5 Uninstallation of iq.suite 12.1 for Exchange ... 22
4 Getting Started ... 23
4.1 Technical Description ... 23
4.1.1 iq.suite Administration Console ... 23
4.1.2 The iq.suite Server ... 25
4.1.2.1 iq.suite Grabber ... 25
4.1.2.2 iq.suite Services ... 26
4.1.2.3 iq.suite Quarantine ... 28
4.1.2.4 Active Directory / LDIF ... 30
4.1.2.5 Compressed Files and Archives: iq.suite Unpacker ... 30
4.1.2.6 Network Service ... 31
4.1.2.7 Email Processing Sequence ... 32
4.1.3 iq.suite Configuration ... 33
4.2 User Interface ... 35
4.2.1 Toolbar Icons ... 36
4.2.2 Navigation Icons ... 36
4.3 iq.suite Basics ... 39
4.3.1 iq.suite Jobs (Policy Configuration) ... 39
4.3.1.1 Mail Transport Jobs and Sample Jobs ... 39
4.3.1.2 Information Store Jobs ... 40
4.3.1.3 Processing Order of iq.suite Jobs ... 41
4.3.1.4 Address Conditions and Address Lists ... 42
4.3.1.5 Conditions ... 42
4.3.1.6 Actions ... 43
4.3.2 Basic Configuration ... 44
4.3.2.1 Templates ... 44
4.3.2.2 Quarantine Configuration ... 46
4.3.2.3 Utility Settings ... 46
4.3.3 iq.suite Monitor ... 50
4.4 Standard Tabs of Mail Transport Jobs ... 51
4.4.1 General Tab ... 51
4.4.2 Addresses Tab ... 55
4.4.2.1 Example I: Virus Scanning ... 57
4.4.2.2 Example II: Blocking Attachments ... 57
4.4.2.3 Example III: Adding a Disclaimer ... 59
4.4.3 Conditions Tab ... 60
4.4.4 Actions Tab ... 63
4.4.5 Server Tab ... 67
4.4.6 Details Tab ... 67
4.5 Job Types ... 68
5 General Configuration ... 71
5.1 Configuration Reports ... 71
5.2 iq.suite Server Settings ... 72
5.2.1 Packed Files and iq.suite Monitor ... 72
5.2.2 Collective Notification ... 74
5.2.3 Central Whitelists ... 75
5.2.4 Definition of Email Addresses and Internal Domains ... 76
5.2.5 Special Users ... 77
5.3 Settings for an Individual iq.suite Server ... 79
5.3.1 General Server Settings ... 79
5.3.2 Individual Email Addresses for an iq.suite Server ... 80
5.3.3 Using a Proxy Server ... 81
5.3.4 User Access to Quarantine ... 81
5.3.4.1 Allow Users to Request Quarantined Items by Email ... 83
5.3.4.2 Allow Users to Request Quarantined Items via HTTP ... 83
5.3.5 Quarantine Maintenance ... 83
5.3.6 Setting Bridge Options ... 85
5.3.7 View a List of All Jobs ... 87
5.4 Proxy Servers ... 88
5.5 Address Lists ... 89
5.5.1 iq.suite Address Lists ... 89
5.5.2 Creating, Editing and Deleting Custom Address Lists ... 89
5.5.3 Using and Handling Addresses within a Job ... 92
5.6 Creating Notification Templates ... 94
5.6.1 List of Notification Variables ... 95
5.7 Creating a Database Connection to an SQL Server ... 106
5.7.1 Overview ... 106
5.7.1.1 Connection to SQL Servers ... 106
5.7.1.2 Using SQL Servers ... 106
5.7.2 Configuration of the Database Connection ... 107
5.7.2.1 SQL Server and iq.suite Server ... 107
5.7.3 Setting up Central Blacklists/Whitelists ... 110
5.7.4 Setting up a Local Quarantine Database ... 111
5.7.5 Troubleshooting SQL Servers ... 113
5.8 Folder Settings ... 114
5.8.1 Quarantine Configuration ... 114
5.8.2 Defining Quarantine Summary Notifications ... 118
5.8.2.1 Template Configuration ... 119
5.8.2.2 Quarantine Configuration ... 119
5.8.3 Configuring a Global Quarantine Summary Notification ... 124
5.8.4 Whitelist Notification / Blacklist Notification ... 125
6 iq.suite Monitor ... 127
6.1 Server Status ... 128
6.1.1 General Tab ... 128
6.1.2 Test Tab ... 129
6.1.3 Information Store Scan Tab ... 130
6.2 Quarantines ... 131
6.2.1 General ... 131
6.2.2 Filter Options ... 132
6.2.3 Example Quarantined Email in Default Quarantine ... 133
6.2.4 Example Quarantined Email in Information Store Quarantine ... 136
6.2.5 Sending From Quarantine ... 138
6.2.6 Adding Senders to an Address List ... 139
6.2.7 Badmails ... 140
6.3 Bridge Quarantines ... 140
6.4 CORE Classifiers ... 140
6.5 iq.suite Reports ... 141
7 iq.suite Crypt ... 143
7.1 Overview ... 143
7.1.1 Job Types ... 144
7.1.2 PGP/GnuPG Getting Started ... 145
7.1.3 S/MIME2 Getting Started ... 145
7.1.4 Global Mappings ... 146
7.2 PGP/GnuPG General Information ... 148
7.2.1 Encryption/Decryption with PGP or GnuPG ... 148
7.2.2 PGP/MIME ... 149
7.2.3 Preliminaries for PGP or GnuPG ... 149
7.2.4 Configuration of the PGP or GnuPG Crypt Engine ... 150
7.3 Automatic Key Import with PGP/GnuPG ... 155
7.3.1 Sample Job: PGP or GnuPG Key Import ... 155
7.4 Encryption with PGP/GnuPG ... 158
7.4.1 Sample Job: Encrypting Emails with PGP/GnuPG ... 158
7.5 Decryption with PGP/GnuPG ... 165
7.5.1 Sample Job: Decrypting Emails with PGP/GnuPG ... 165
7.6 S/MIME General Information ... 168
7.6.1 Using S/MIME in iq.suite ... 168
7.6.2 Configuration of the S/MIME2 Engine ... 169
7.6.3 Using the Windows Certificate Store ... 171
7.6.3.1 Advantages ... 171
7.6.3.2 Configuration Description ... 173
7.7 Automatic Certificate Import with S/MIME ... 175
7.8 Encryption with S/MIME ... 176
7.8.1 Sample Job: Encrypting Emails with S/MIME ... 177
7.9 Decryption with S/MIME ... 183
7.9.1 Sample Job: Decrypting Emails with S/MIME ... 183
7.10 Signing with S/MIME ... 187
7.10.1 Sample Job: Signing Emails with S/MIME ... 188
7.11 Verifying S/MIME Signatures ... 189
7.11.1 Sample Job: Verifying Email Signatures with S/MIME ... 189
7.12 Using iq.suite KeyManager ... 190
7.12.1 Using S/MIME Certificates ... 190
7.12.1.1 KeyManager Connection Configuration ... 191
7.12.1.2 Engine Configuration: S/MIME2 Engine ... 195
7.12.1.3 Sample Job: Configuring a KeyManager Job (S/MIME) ... 196
7.12.1.4 Using the Windows Certificate Store ... 197
7.12.2 Using PGP Keys ... 200
7.12.2.1 Engine Configuration: PGP synchronized with KeyManager ... 200
7.12.2.2 KeyManager Connection Configuration ... 204
7.12.2.3 Sample Job: KeyManager Job Configuration (PGP) ... 204
7.13 Encryption with WebCrypt Pro ... 205
7.13.1 Encryption Procedure with WebCrypt Pro ... 205
7.13.2 WebCrypt Pro Server Connection Configuration ... 206
7.13.3 Sample Job: Encrypting Emails with WebCrypt Pro ... 210
7.14 Using the Outdated S/MIME Solution ... 212
7.14.1 Description of Operational Sequence ... 212
7.14.2 Configuration of the S/MIME Engine ... 213
7.14.3 Migration to the New S/MIME2 Engine ... 217
8 iq.suite Watchdog ... 221
8.1 Overview on iq.suite Watchdog ... 221
8.2 Virus Scanning ... 222
8.2.1 Virus Scanning on the Mail Server ... 222
8.2.2 Virus Scanning in the Information Store ... 223
8.2.3 Virus Scanners ... 224
8.2.3.1 Notes on Virus Scanners ... 224
8.2.3.2 Enabling Virus Scanners ... 224
8.2.3.3 Standard Tabs Virus Scanners ... 225
8.2.3.4 Specialties of Avira Scan Engine ... 230
8.2.3.5 Specialties of McAfee Scan Engine ... 230
8.2.3.6 Specialties of Sophos Scan Engine ... 231
8.2.3.7 Specialties of Norman External Scan Engine ... 231
8.2.4 Sample Job: Checking Emails for Viruses ... 232
8.2.4.1 Selecting Virus Scanners ... 232
8.2.4.2 Defining Actions ... 234
8.2.5 Sample Job: Virus Scan in the Information Store ... 236
8.2.5.1 Create EWS User (as of Exchange Server 2013) ... 236
8.2.5.2 Configure the Information Store Job ... 237
8.2.6 Sample Job: Checking Password-Protected Archives for Viruses ... 245
8.3 File Restrictions for Attachments ... 246
8.3.1 Notes on File Restrictions ... 246
8.3.2 Fingerprints ... 248
8.3.2.1 Configure Fingerprint Categories ... 248
8.3.2.2 Defining New Fingerprints ... 248
8.3.2.3 Creating Fingerprints with Name Patterns ... 249
8.3.2.4 Creating Binary Patterns for Fingerprints ... 251
8.3.3 Sample Job: Denying File Attachments by Type ... 254
8.3.3.1 Selecting Fingerprints ... 254
8.3.3.2 Defining Actions ... 255
8.3.4 Sample Job: Limiting Email Size ... 257
8.3.4.1 Specifying Email Size ... 257
8.3.4.2 Defining Actions ... 258
8.3.5 Sample Job: Denying Attachment Types and Sizes ... 259
8.3.5.1 Specifying Fingerprint and Size ... 259
8.3.5.2 Defining Actions ... 261
9 iq.suite Wall ... 263
9.1 Spam Protection Overview ... 264
9.1.1 Address Filtering (Blacklists and Whitelists) ... 264
9.1.2 Spam Filtering Job ... 264
9.1.3 Spam Analyzer ... 265
9.1.4 Text Analysis ... 265
9.2 Address Filtering ... 266
9.2.1 Blocking Email Addresses ... 266
9.2.1.1 Sample Job: Blocking Certain Sender Addresses ... 266
9.2.2 Replacing Text with Regular Expressions ... 267
9.2.2.1 Sample Job: Replacing Domains ... 268
9.2.2.2 Sample Job: Modifying Email Header Line ... 270
9.2.2.3 Sample Job: Modifying Email Body ... 271
9.2.3 Limiting the Number of Recipients ... 272
9.2.3.1 Sample Job: Limiting the Number of Recipients ... 273
9.3 Spam Filtering with the Spam Filtering Job ... 275
9.3.1 Job Functionality ... 275
9.3.2 Sample Job: Advanced Spam Filtering ... 278
9.3.2.1 Defining Actions ... 278
9.3.3 Practical Tips on False Positives ... 283
9.3.4 Tables: Definite Criteria ... 284
9.3.4.1 Definite No-Spam Criteria ... 284
9.3.4.2 Definite Spam Criteria ... 285
9.3.5 Spam Filtering for Experts: Using Combined Criteria ... 287
9.3.6 Tables: Combined Criteria ... 289
9.3.6.1 Combined No Spam Criterion ... 289
9.3.6.2 Combined Classification Criteria ... 289
9.3.6.3 Combined Header Criteria ... 290
9.3.6.4 Combined Subject Criteria ... 291
9.3.6.5 Combined Message Body Criteria ... 291
9.4 Spam Filtering with Spam Analyzers ... 293
9.4.1 Using SASI for Spam Filtering ... 293
9.4.1.1 SASI Engine Configuration ... 293
9.4.1.2 Advanced Spam Filtering Job Configuration ... 297
9.4.2 Text Analysis with Dictionaries ... 298
9.4.3 Setting up Dictionaries ... 300
9.4.4 Searching for Text in Dictionaries ... 302
9.4.5 Sample Job: Checking and Denying Text Contents ... 303
9.5 Text Analysis for Credit Card Numbers ... 305
9.5.1 Sample Job: Text Analysis for Credit Card Numbers ... 305
9.6 CORE Classification ... 309
9.6.1 Using CORE for Spam Filtering ... 310
9.6.1.1 Using the preset CORE Classifier ... 310
9.6.1.2 Creating a new CORE Classifier ... 310
9.6.2 Using CORE for Content Classification ... 312
9.6.2.1 Classifier Configuration ... 312
9.6.2.2 Sample Job: New CORE Classification Job ... 313
9.7 Text Analysis with Regular Expressions (Advanced Actions) ... 317
9.7.1 Sample Job: Regular Expressions in File Attachments ... 317
9.7.2 Sample Job: Transfer Matches to External Application ... 320
10 iq.suite Convert ... 325
10.1 Overview ... 325
10.2 Sample Job: Compress Attachments as ZIP ... 326
10.2.1 Selection ... 326
10.2.2 Compression Options ... 328
10.3 Sample Job: Converting Attachments to PDF ... 330
10.3.1 Selecting Attachments ... 331
10.3.2 Conversion Options ... 332
10.3.3 Variable Settings ... 333
10.4 Sample Job: Converting TNEF-Mail to MIME ... 335
10.5 Sample Job: Conversion via Command Line ... 337
10.5.1 Selecting Attachments ... 338
10.5.2 Conversion Options ... 339
10.5.3 Configuring Your Own Application ... 340
11 iq.suite Trailer ... 343
11.1 Overview ... 343
11.1.1 Procedure for Trailer Configuration ... 343
11.2 Configuring Trailer Elements (optional) ... 344
11.2.1 Conventional and Personalized Trailer Images ... 344
11.2.1.1 Creating Trailer Image Categories ... 345
11.2.1.2 Importing Conventional Trailer Images ... 346
11.2.1.3 Configuring Personalized Trailer Images ... 347
11.2.2 Trailer Attachments ... 350
11.2.2.1 Creating a Trailer Attachment Category ... 351
11.2.2.2 Creating Conventional Trailer Attachments ... 352
11.2.2.3 Creating Binary Trailer Attachments ... 354
11.2.3 Trailer Search Pattern ... 356
11.3 Configuring Trailer Documents ... 358
11.3.1 Creating a Trailer Document ... 358
11.3.2 Assigning Trailer Images to a Trailer Document ... 362
11.3.2.1 Inserting Images in the HTML Format ... 362
11.3.2.2 Inserting Images as HTTP Link ... 364
11.3.3 Assigning a Trailer Attachment to a Trailer Document ... 365
11.3.3.1 Inserting a QR Code Image ... 365
11.4 Configuring a Trailer Job ... 367
11.4.1 General Job Configuration ... 367
11.4.1.1 Selecting the Trailer ... 367
11.4.1.2 The Trailer tab ... 367
11.4.1.3 The Attachments tab ... 369
11.4.1.4 The Position tab ... 371
11.4.2 Scenario: Attaching a Legal Disclaimer ... 373
11.4.3 Scenario: Attaching Customized Signatures ... 375
11.4.4 Scenario: Attaching Customized Signatures with Personalized Image ... 378
11.4.5 Scenario: Adding a Company Logo to the Trailer ... 379
11.4.6 Scenario: Adding vcard Data to the Trailer ... 379
12 iq.suite Connect ... 381
12.1 Overview ... 381
12.2 Connect Engines ... 381
12.3 Sample Job: Storing File Attachments in SharePoint ... 382
12.3.1 Configuring a SharePoint Engine ... 382
12.3.2 Sample Job: Storing File Attachments in SharePoint ... 386
13 iq.suite Bridge ... 389
13.1 Overview ... 389
Glossary ... 391
Index ... 407
1 Preface

1.1 Hotline

To give you the best possible support, we need the following information from you in the event of a fault:

- Product version
- License number
- Exchange server version including any service pack
- Operating system and version including any service pack
- Configuration files
- Log files

The GBS Support Team is available from 08:30 AM to 06:00 PM (time zone: EST).

Europe, Asia, other:
Tel.: +49 (0)1806 49 01 11
Fax: +49 721 49 01 1922
Email D: hotline@de.gbs.com

USA & Canada:
Tel.: +1 78169 42260 or: +49 (0)1806 49 01 11
Email: hotline@gbs.com

1.2 Copyright

GROUP Business Software AG, hereafter referred to as GBS, is the owner of the full commercial copyright of this documentation protected by law. All rights not explicitly granted remain the property of GBS.

Copyright 1992-2013 GROUP Business Software AG, All rights reserved.
1.3 Warranty

GBS assumes no liability, express or implied, for the documentation. This includes quality, design, adherence to commercial standards, or suitability for a specific purpose. The product descriptions are general and descriptive in nature. They can be interpreted neither as a promise of specific properties nor as a declaration of guarantee or warranty. The specifications and design of our products can be changed at any time without prior notice, especially to keep pace with technical developments. For up-to-date information, please contact the GBS Sales Department.

1.4 Microsoft Certification

GBS is a Microsoft Gold Certified Partner and Gold Independent Software Vendor (ISV). iq.suite for Microsoft Exchange is certified as "Certified for Windows Server 2008 R2".

1.5 License Terms

The GBS license terms are available on the product CD and the GBS website. Any license agreements from third-party software manufacturers are included with the software product as a PDF file.
1.6 Third-Party Copyright Notes

The package includes third-party products listed in the "Third Party License Agreements" document. This document is available in the program directory. In addition, the following applies:

- Microsoft, MS, Windows and the Windows Logo are registered trademarks of Microsoft Corporation in the United States of America and/or other countries.
- Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

The components listed below are also protected by copyright, although not explicitly listed in the "Third Party License Agreements" document:

- AntiVir powered by Avira: Copyright (c) 2006 Avira GmbH
- The file dbghelp.dll: Copyright (c) Microsoft Corporation
- Sophos SASI: Copyright (c) 2006, Sophos Group
1.7 Details on the Manuals

Personal Designations

Our manuals are addressed equally to both genders. Therefore, we make every effort to use gender-neutral language. Since it is not entirely possible to avoid personal designations, we use the word forms he/she, his/hers or him/her in these cases.

Symbols

- Warning. Refers to critical situations. Please carefully read these messages to minimize the risk of data loss, damage to your system, etc.
- Information. Refers to important but uncritical situations.
- Tip. Provides assistance for a specific issue or describes special workarounds and features.

Freely accessible documentation is available on our website under www.gbs.com. If you have any suggestions on how we can make further improvements, we would be happy to get your feedback. Send an email to: manual@de.gbs.com
2 Quickstart

2.1 Installation on an Exchange Server

- Make sure that all required programs have been installed and system requirements are met. Refer to System Requirements on page 9.
- Be sure to install (double-click) the correct installation package for your operating environment.
- Follow the installation instructions. Unless you specify a different installation directory, iq.suite is installed in the default directory, i.e.:
  - On a 32-bit system: C:\Programme or Program Files\GBS\iQ.Suite
  - On a 64-bit system: C:\Programme (x86) or Program Files (x86)\gbs\iq.suite\

Disable any real-time or on-access scan functions of your scan engines for the ...\iq.suite\grpdata directory.

For further information on installing the software, please refer to Installation on page 9.

2.2 Installation on Several Exchange Servers

For further information, please refer to Installation of iq.suite in Multi-Server Environments on page 17.
2.3 Starting the iq.suite Administration Console

iq.suite is a server product that is configured through the iq.suite administration console. For iq.suite to work, the iq.suite service must be running (for further information on the iq.suite service, please refer to iq.suite Services on page 26).

To start the console, select PROGRAMS -> GROUP BUSINESS SOFTWARE -> IQ.SUITE -> IQ.SUITE MANAGEMENT CONSOLE.

Before the iq.suite administration console exits, you are prompted to save any changes. Pending changes are indicated by an asterisk (*) at the top node. To save your configuration, click on the button. The configuration is saved in the ConfigData.xml file located under GBS\iQ.Suite\Config.

2.4 Configuration in the iq.suite Administration Console

Following the installation, use the iq.suite administration console to perform the following settings.

2.4.1 Required Basic Configuration Steps

The Basic Configuration is used to define the valid servers, email addresses, shared templates and utility settings.

1. Under BASIC CONFIGURATION -> GENERAL SETTINGS -> EMAIL ADDRESSES TAB, check the entries for the iq.suite administrators and the internal domains. Refer to iq.suite Server Settings on page 72.
2. To use the iq.suite Watchdog virus scanner functions, enable the virus scanners installed on your server under UTILITY SETTINGS -> VIRUS SCANNERS. Refer to Enabling Virus Scanners on page 224.
2.4.2 Required Policy Configuration Steps

Use the Policy Configuration feature to define and enable selected jobs according to the company's policies.

1. Under Sample jobs, locate the template you wish to use.
2. To create a new job, select the template and drag it to the MAIL TRANSPORT JOBS folder. Give the job a name and edit its properties. Then, under Properties, activate the job.
3. Make sure that the jobs are performed in the correct order. Refer to Processing Order of iq.suite Jobs on page 41.
4. Save your changes. Also refer to Starting the iq.suite Administration Console on page 6.

For further information on setting up jobs and company policies, please refer to iq.suite Jobs (Policy Configuration) on page 39.

2.4.3 Recommended Basic Configuration Steps

In the Basic Configuration, it is recommended to define individual settings for address lists, templates, etc. However, these settings are not necessary for simply testing the system.

1. Under General Settings, proceed as follows:
   a) When required, define the proxy server settings. Refer to Proxy Servers on page 88.
   b) Configure the Address lists (for selections in job rules) and Trailers (for iq.suite Trailer).
   c) When required, change the texts of the standard templates.
2. Under Utility Settings, configure any additional components required, e.g. CORE classifiers, dictionaries, fingerprints and virus scanners (for iq.suite Watchdog) and the Crypt Engines (for iq.suite Crypt).

For further information on Basic Configuration, please refer to Basic Configuration on page 44. Module-specific settings are described in the corresponding sections.
For information on further customizing options, please refer to General Configuration on page 71.

2.4.4 Virus Scanning in Exchange Databases

In the Policy Configuration under Information Store Jobs, you can enter appropriate settings for each iq.suite server separately. It is not possible to create your own Information Store jobs. A new Information Store Job is automatically provided whenever a new server is specified. If the server is removed, the Information Store Job will also be deleted.

For further information on Information Store Jobs, please refer to Virus Scanning in the Information Store on page 223.

2.5 Observing Data in iq.suite Monitor

After having saved your settings, use the iq.suite Monitor to monitor the operation of iq.suite. With iq.suite Monitor, you can view current data in real-time and manage, for instance, the Quarantines of the configured iq.suite servers.

For further information, please refer to iq.suite Monitor on page 127.
3 Installation

3.1 System Requirements

The following system requirements apply to iq.suite for Exchange 12.1. If installing an iq.suite version later than 12.1, requirements may be different. Please read the product changes described in the Readme.html file. By default, the Readme.html file is displayed on screen after the installation.

To install the iq.suite, your system must meet the following requirements:

- RAM: Exchange recommendation plus additionally 512 MB. Further memory is needed for third-party systems such as virus scanners as well as for database access (OLEDB driver).
- Hard disk: Minimum 400 MB for installation. Additional space for quarantine.
- Microsoft .NET Framework 2.0.
- Microsoft .NET Framework 4.0 (Client Profile and Microsoft Redistributable Packages). If not installed yet, the components are installed in the course of iq.suite installation.
- Windows Scripting (for installation only)

Supported operating systems:

- Windows Server 2003 (32-bit and 64-bit)
- Windows Server 2003 R2 (32-bit and 64-bit)
- Windows Small Business Server 2003 as of SP 1 (32-bit and 64-bit)
- Windows Server 2008 (32-bit and 64-bit)
- Windows Server 2008 R2 (64-bit)
- Windows Small Business Server 2008 (32-bit and 64-bit)
- Windows Small Business Server 2011 (64-bit)
- Windows Server 2012 (64-bit)

Supported Exchange servers:

- Exchange Server 2003
- Exchange Server 2007 from SP 1 with the roles:
  - Hub Transport Server
  - Mailbox Server
  - Edge Transport Server
  As a minimum, "Update Rollup 4 for Exchange 2007 SP1" must be installed.
- Exchange Server 2010 (64-bit) on Windows Server 2008 R2 with the roles:
  - Hub Transport Server
  - Mailbox Server
  - Edge Transport Server
- Exchange Server 2013 (64-bit) on Windows Server 2012
  iq.suite is installed on the Mailbox Server role.

Supported languages: German, English

Further system requirements apply if using the SASI Engine (for further information, please refer to the separate SASI document, available for download under www.gbs.com).

Disable any real-time or on-access scan functions of your scan engines for the ...\iq.suite\grpdata directory.

3.2 Installation of Virus Scanners

Optionally, during iq.suite installation the virus scanners of our business partners Avira, Sophos and McAfee can be installed as integrated scanners. The Avira Scan Engine is fully preconfigured and ready for immediate use (for further information on the Avira virus scanner, please refer to the separate document for the SAVAPI engine, available for download under www.gbs.com). To use the McAfee or Sophos virus scanner, additional configuration is required (for further information, please refer to the separate documents for the McAfee virus scanner and for the Sophos virus scanner, available for download under www.gbs.com).

iq.suite also allows the use of virus scanners from other third-party manufacturers. However, these virus scanners are not supplied with iq.suite and must be installed on the server beforehand. Refer to Enabling Virus Scanners on page 224.
Disable any real-time or on-access scan functions of your scan engines for the ...\iq.suite\grpdata directory.

3.3 Setup

3.3.1 Installation of iq.suite on an Exchange Server

1. Select the required installation package. The following iq.suite installation packages are available:

- Installation on 32-bit operating systems (Windows Server 2003/2008):
  - Exchange 2003
- Installation on 64-bit operating systems (Windows Server 2003/2008/2008 R2):
  - Exchange 2007 SP1 (from Update Rollup 4)
  - Exchange 2010

iq.suite for Exchange 12.1 supports the Exchange 2007/2010 Server roles Mailbox, Hub Transport and Edge Transport through the optional setup components iq.suite Transport Grabber, Information Store Scan and LDIF support. The highlighted setup components are preselected for different server role scenarios.

Server role / Setup component | Single Server (Mailbox + Hub Transport) | Mailbox | Hub Transport | Edge
Transport Grabber | Yes | No | Yes | Yes
Information Store Scan | Yes | Yes | No | No
LDIF Support | No | No | No | Yes
Exchange Windows 2007 Mailbox Cluster / Exchange 2010 Database Availability Groups (DAG): This iq.suite version can be operated on a Windows failover cluster with clustered Exchange 2007 Mailbox Server role or Exchange 2010 DAG. As manual configurations are required during installation, we only support installations performed by our Consulting team.

Server 2008: Due to changed standard permissions under Windows Server 2008 (UAC), we recommend using administrator rights for the administration tasks as well as the configuration of iq.suite, in order to ensure access to the iq.suite installation folder.

- Installation on 64-bit operating systems (Windows Server 2012):
  - Exchange 2010
  - Exchange 2013: iq.suite is installed on the Mailbox Server role.

2. Start the installation package with a double click. To be able to install the iq.suite, a number of Microsoft software components must have been installed. If these components are missing on your system, they will be installed by the installation package. Without these components, the iq.suite installation cannot be started. Confirm the corresponding installation message when prompted to do so. During installation a system restart might be required.

3. Select the desired language. The selected language applies to the iq.suite administration console and configuration elements such as the notifications sent to the users. The latter are included in the standard configuration:
4. Accept the License Agreement and click NEXT to continue.

5. Depending on the installed Microsoft Exchange Server version, different iq.suite features are available. Select the features to be installed.
When a Microsoft Exchange Server version earlier than 2013 is installed, iq.suite uses the VSAPI interface to scan the Information Store. In case another application is using the VSAPI to scan the Information Store, the iq.suite feature is disabled. To use iq.suite's Information Store scan, the other application has to be uninstalled.

When using EWS for the Information Store scan, other applications using EWS do not have to be uninstalled.

6. Click on NEXT. In case you have defined two or more virtual servers, you will now be prompted for the active virtual server on which iq.suite is to be registered:

7. If you are not running iq.suite on multiple servers and wish to use a central configuration file for administration purposes, confirm the default setting and click on NEXT (refer to Installation of iq.suite in Multi-Server Environments on page 17):
8. In the next dialog, specify the administrator's email address:

9. If you are using a proxy server, select Enable Proxy Server and enter the proxy settings (IP address, port, user, password). All of the proxy server settings can later be changed under the Basic Configuration (refer to Proxy Servers on page 88).
10. Click on NEXT. The screen displays a summary of your settings. Check your configuration settings and make sure that the on-access scanner for the ...\grpdata directory is disabled.
11. The configuration settings are added as default entries to the configuration of the iq.suite server (for further information, please refer to iq.suite Server Settings on page 72). Confirm the summary by clicking on INSTALL. The iq.suite is then installed to the following directory: \<Program directory>\gbs\iq.suite\.

12. Click on FINISH in the final dialog to complete the iq.suite installation.

For special reporting and statistics features, an additional package can be installed manually afterwards when required. The installation only takes a few minutes and does not require a separate license. Afterwards, the features are available under IQ.SUITE MONITOR -> SERVERS -> <SERVER NAME> -> IQ.SUITE REPORTS.

3.3.2 Installation of iq.suite in Multi-Server Environments

If installing iq.suite on multiple Exchange servers, you can control both the administration and configuration centrally. The iq.suite distinguishes between three areas:

iq.suite administration console (Start -> Programs -> GROUP Business Software -> iq.suite -> iq.suite Management Console)

The iq.suite is administered with the iq.suite administration console, which is used for basic configuration settings and the configuration of the iq.suite policies as well as for monitoring server functions and quarantines. The iq.suite administration console can be installed on the iq.suite servers or separately, for instance on separate administrator workstations (also refer to Installation of the iq.suite Administration Console on a Workstation). The graphical user interface corresponds to a Microsoft Management Console (MMC).

Server components

The server components and the iq.suite Windows service are installed on the Exchange server. As central elements of the iq.suite, the server components require permanent access to the iq.suite configuration.

Configuration
The iq.suite configuration is saved as an XML file (ConfigData.xml). Created and updated using the iq.suite administration console, the configuration file is read by one or several iq.suite server components. Typically, a common configuration is used for a central administration of multiple iq.suite servers.

3.3.2.1 Configuration Access

For configurations in multi-server environments it may be useful to set up a shared directory accessed by the iq.suite servers. This reduces the administration work (e.g. for job synchronization) as the iq.suite servers share the configuration settings. To be able to use a common configuration, it has to be stored in a network share that can be freely accessed by all servers (refer to Running the Multi-Server Installation). Please note that each server requires Read access to this network path.

In case the network is temporarily inaccessible, the iq.suite server will use the last available configuration for processing. Any configuration changes performed in the meantime will not take effect until the network share is accessible again (related topic: Creating a Database Connection to an SQL Server on page 106).

3.3.2.2 Administration

iq.suite administration can be performed either from any iq.suite server with an iq.suite administration console installed or from a separate administration workstation.

To avoid a loss of configuration data through mutual overwriting, make sure that the configuration is never edited in more than one iq.suite administration console at any one time.

3.3.2.3 Running the Multi-Server Installation

Please observe the following when installing the first server:

1. At least install the iq.suite server component on the first server. A configuration file will be created, unless it already exists.
   If the first server is to be used for administration, install the entire iq.suite, including a local administration console. If you wish to administrate iq.suite for all servers from a workstation, only install the server component locally.

2. During setup, define how to proceed with configuration data:
   - Create local configuration: A new configuration will be created. Use this option for the first server. iq.suite administration will be performed from this first server.
   - Use existing configuration: If a configuration already exists the configuration settings will remain. Use this option when updating the iq.suite.
   - Specify path to configuration manually: The configuration is stored centrally. The path can be configured manually. Use this option for all other servers.

3. Enable sharing of the selected directory (local or manual path) for network access and make sure that the other servers have sufficient rights to access the network path (read/write).

4. Observe the following when installing further servers:
   - Install the server component locally.
   - Under the settings for the configuration file, select Specify path to configuration manually and specify the directory previously enabled for sharing, not the filename. The network path has to be specified as a UNC path. Mappings to network drives are not permitted.

3.3.3 Installation of the iq.suite Administration Console on a Workstation

The iq.suite administration console on the workstation can also be operated under Windows XP, Windows 7 or Windows 8.

In the product selection dialog, select iq.suite for Exchange. Install the iq.suite Management Console (iq.suite administration console) only, by deactivating all other features.

Under the settings for the configuration file, select Specify path to configuration manually and proceed as described under Step 4.

3.3.4 Installation in Cluster

For a current description of how to install iq.suite in a Windows cluster, please refer to the iq.suite Installation Manual. Download under www.gbs.com.
3.4 Update to iq.suite 12.1 for Exchange

After updating to a major version, you need a new license file.

The update to iq.suite 12.1 for Exchange retains your previous configuration settings and quarantine data. The installation sequence is largely the same as for a new installation (refer to Setup on page 11). However, after having selected the setup language with the installation file extracted, the following message appears:

Confirm with YES and follow the setup instructions. iq.suite is updated to the new version. Then confirm the following message to keep the existing configuration settings:

In a multi-server environment sharing a common configuration file, you need to perform the update on all iq.suite servers and on the administrator workstation (if applicable).

For special reporting and statistics features, an additional package can be postinstalled manually when required. The installation only takes a few minutes and does not require a separate license. Afterwards, the features are available under IQ.SUITE MONITOR -> SERVERS -> <SERVER NAME> -> IQ.SUITE REPORTS.
The additional package is located in the same directory as the regular iq.suite installation package.

3.5 Uninstallation of iq.suite 12.1 for Exchange

Run the uninstall program:

1. Click on SETTINGS -> CONTROL PANEL -> SOFTWARE.
2. Select iq.suite 12.1 and click on CHANGE. When the Execute as dialog is displayed, make sure that the option Execute program with restricted rights is disabled. Then, the setup routine is called.
3. In the dialog click on WELCOME -> NEXT -> REMOVE PROGRAM.
4. Click on NEXT and confirm with REMOVE. The setup then uninstalls the iq.suite without removing your configuration or the quarantine data.
5. Decide whether to keep or to delete your configuration and the quarantine data:
   a) If you wish to delete all iq.suite components, enable the Delete all user and Registry data option.
   b) Conversely, if you wish to keep your configuration and quarantine data, simply click on FINISH. In this case, you can use the existing data for a new iq.suite installation (same or higher version).
4 Getting Started

4.1 Technical Description

The technical foundation of the iq.suite is referred to as iq.suite architecture and consists of the following main components:

- iq.suite administration console: Graphical user interface that is used to configure iq.suite. Refer to iq.suite Administration Console on page 23.
- iq.suite server: Includes functions and processes related to the Exchange server. Refer to The iq.suite Server on page 25.
- iq.suite configuration: Refers to the iq.suite tree structure used by the iq.suite server for processing. The main component of the iq.suite configuration is the config.xml file. Refer to iq.suite Configuration on page 33.

4.1.1 iq.suite Administration Console

The iq.suite administration console is the graphical user interface used to manage and configure the iq.suite. It is a so-called "Snap-In" for the MMC. The iq.suite administration console can be used to manage individual Exchange servers with iq.suite installed as well as entire "iq.suite server farms". This simplifies daily administration tasks, in particular in a multi-server environment.

With the iq.suite administration console, the administrator has access to all configuration information needed and to iq.suite Monitor of the iq.suite servers (quarantine, status information, etc.). The following access methods are used for configuring the system and for accessing the quarantine:

1. Standard Windows file access
   Windows file access is used for accessing the iq.suite configuration file, for instance to change security settings. The iq.suite configuration file can be available locally or accessible through a UNC path.

2. SOAP and SSL
   iq.suite Monitor is accessed through SOAP and SSL using a permanently assigned communication port (for further information on iq.suite Monitor, please refer to iq.suite Monitor on page 127).

The iq.suite administration console supports two operating modes.

1. Local administration
   In this mode, the iq.suite administration console is run directly on the Exchange server where all iq.suite components are installed. This mode is suited for smaller systems and for managing the server locally.

2. Remote administration
   In this case, the iq.suite administration console is not installed on the Exchange server, but on a client. The iq.suite administration console supports the following client operating systems:
   - Windows Server 2003 (32-bit and 64-bit)
   - Windows Server 2003 R2 (32-bit and 64-bit)
   - Windows Small Business Server 2003 as of SP 1 (32-bit and 64-bit)
   - Windows Small Business Server 2008 (32-bit and 64-bit)
   - Windows XP Professional as of SP3 (32-bit) or SP2 (64-bit)
   - Windows Vista as of SP2 (32-bit and 64-bit)
   - Windows 7 (32-bit and 64-bit)
   - Windows 8 (32-bit and 64-bit)
   - Windows Server 2008 (32-bit and 64-bit)
   - Windows Server 2008 R2 (64-bit)
   - Windows Server 2012 (64-bit)

   Remote administration is suited for central administration in multi-server environments, with the iq.suite administration console accessing one or more Exchange servers to configure and administrate the iq.suite.
4.1.2 The iq.suite Server

The term iq.suite server refers to the iq.suite functions and processes that are exclusively run on the Exchange server. For Microsoft Exchange server 2003, the iq.suite server can be installed in simple environments as well as more complex front-end/back-end environments. For Microsoft Exchange server 2007/2010 the roles HubTransport, Mailbox and Edge are supported. As of Microsoft Exchange server 2013, the iq.suite is usually installed on the Mailbox role. However, installation on the Client Access role is not possible.

The iq.suite server consists of several elements described in the following sections.

4.1.2.1 iq.suite Grabber

iq.suite Grabber is a component that ensures that all emails, schedule queries, etc. sent, received or routed by the Exchange server are intercepted (grabbed) and processed.

Transport Grabber

Transport Grabber monitors the Windows SMTP transport flow. It grabs emails while they are being transported and provides them to iq.suite for processing.

The SMTP protocol is used in Microsoft Exchange 2003 for transport purposes. One element of this protocol is the SMTP Advanced Queue, which is used to channel the entire email traffic, regardless of whether emails are internal (between mailboxes on the same server or mailbox store), incoming or outgoing. In all cases, the emails must go through the Advanced Queue. The Transport Grabber is latched into this SMTP Advanced Queue.
As a registered event sink, the Transport Grabber monitors the email traffic. Relevant emails are intercepted and forwarded to the so-called iq.suite Service. The email is detained until processing by the iq.suite Service and the server has been successfully completed. Once processed, the emails are returned to the transport flow. Exchange-internal information, for instance replication emails, is recognized as such by the Transport Grabber and left in the Exchange system unchanged.

Microsoft Exchange Server 2007 is supplied with its own Windows SMTP transport protocol, with the role of the Transport Grabber played by the so-called Transport Agent. This agent provides the same functionality and processing features as the Transport Grabber.

VSAPI-Grabber/EWS

Up to and including Microsoft Exchange Server 2010, iq.suite uses the so-called VSAPI grabber for virus scanning in the Information Store. The VSAPI grabber grabs components such as emails or schedule requests from the public or private Information Stores through the VSAPI interface and provides them to the iq.suite for virus scanning. This makes it possible to detect and eliminate virus-infected files, for instance, that have found their way into the Information Store through other channels than email and have therefore been stored unchecked.

Since VSAPI is no longer supported by Microsoft as of Microsoft Exchange Server 2013, the iq.suite uses the EWS interface to check the public and private Information Stores for viruses. Please note that the scanning method with EWS might differ from the method with VSAPI. Refer to Virus Scanning in the Information Store on page 223.

4.1.2.2 iq.suite Services

The iq.suite Services refer to the combination of the Windows services iq.suite Information Store Scan Service (for Information Store scanning), iq.suite Service (working service) and iq.suite Control Service.
iq.suite Service

The iq.suite Service is a working service started on a permanent basis that takes care of and executes all processing requests of the iq.suite grabbers. The iq.suite Service has access to all information required:

- the configured iq.suite jobs
- the installed iq.suite license
- the Active Directory
- iq.suite Quarantine

Using this information, the service scans emails for viruses and spam, quarantines them or adds legal disclaimers. When processing is complete, the iq.suite Service returns the emails to the transport flow.

iq.suite Information Store Scan Service

The iq.suite Information Store Scan Service is a Windows service that is used for virus checks in the Information Stores.

Before starting this service, please make sure the iq.suite Service is already running. Before stopping and/or disabling the iq.suite Service, please stop the iq.suite Information Store Scan Service first.

iq.suite Control Service

The iq.suite Control Service is responsible for starting the iq.suite Service and the iq.suite Information Store Scan Service and then controls and monitors their performance. If the iq.suite Service or the iq.suite Information Store Scan Service is temporarily stopped (not disabled), it is automatically restarted by the iq.suite Control Service after a few seconds. In a Windows cluster, the iq.suite Control Service is not used at all. Instead, monitoring is performed by the cluster service.

Please note that the behavior depends on which service is stopped:

- If the iq.suite Control Service is manually stopped, both other services are stopped as well, i.e. iq.suite is disabled.
- If the iq.suite Service is manually stopped and disabled, it is not automatically restarted by the iq.suite Control Service. The working service needs to be restarted manually. All emails arriving on the mail server during that time are detained (InQ) until the working service has been restarted.
- If the iq.suite Information Store Scan Service is manually stopped and disabled, it is not automatically restarted by the iq.suite Control Service. The Information Stores are not checked for viruses until the service is started manually.

4.1.2.3 iq.suite Quarantine

The iq.suite Quarantine is a separate iq.suite area used to store unwanted emails. Virus-infected emails, spam or other unsolicited emails are intercepted on the server and moved to the iq.suite Quarantine, in order to prevent them from being delivered to the recipients. Once installed, each iq.suite server provides a number of quarantines. Further quarantines can be created by the administrator.

The iq.suite Quarantine consists of the following:

- Quarantine directory in the file system: ...\grpdata\quarantine\default-quarantine.
- Emails copied to the quarantine
- Quarantine database (index database: LocIdxDB.mdb)

For each email quarantined, iq.suite automatically creates an entry in the quarantine database. This database is a Microsoft Jet database file that contains the following data:

- Email subject
- Date and time
- Email sender
- Email recipient
- Email sender (SMTP)
- Email recipient (SMTP)
- Short description of the applicable restriction
- Email size
- Name of the iq.suite job that quarantined the email
- Name of the Exchange server
- Name of the email file
- Processing history

Exception: In a privacy quarantine you can configure that information like the subject line, the names of the attachments and/or the sender addresses or recipient addresses are not displayed in the quarantine view.

When an iq.suite Quarantine is displayed using the iq.suite administration console, the information from the quarantine database is shown first. When a quarantine entry is opened, further information is read from the email file.

For communicating with the quarantine, iq.suite uses SOAP (Simple Object Access Protocol) and SSL (Secure Sockets Layer). This applies both to "local" access directly on the server and to access from remote Windows workstations. By default, port 8008 is used for communication. You can change this port in the iq.suite administration console (IQ.SUITE SERVERS node), but you must then also make this change in all other iq.suite administration consoles that access the server. All computers must use the same port.

SSL is used to encrypt the SOAP communications channel. All of the required components are included in the installation package.

Only authorized persons have access to the iq.suite quarantines via the network. The user privileges are set through the access rights in the access.acl file (...\GBS\iQ.Suite\AppData\). These privileges are checked by the iq.suite service. If not logged in to the server, you must authenticate yourself when calling the iq.suite Quarantine for the first time. The authentication information is temporarily stored so that subsequent calls (in particular of other quarantines) use the same login information. If that fails, a user name and password input dialog appears. Users who have access rights to the access.acl file also have access to the quarantines.
For successful access, the following requirements must be met:

- The iq.suite Service is running.
- The communication port (default: 8008) is available.
- The computer name can be resolved and accessed through TCP/IP.
- The user has the required Windows user rights for the access.acl file.

4.1.2.4 Active Directory / LDIF

The iq.suite does not make any changes or additions to the Active Directory (AD). However, iq.suite does read various information from the Active Directory. When started, the iq.suite Service determines the available Global Catalog server, which is used, for instance, for resolving addresses in distribution lists during email processing. The iq.suite administration console uses the Active Directory to select sender/recipient conditions. With iq.suite Trailer, sender information can be incorporated in outgoing emails, with iq.suite looking for the required details in the Active Directory.

If no Active Directory is available, for instance because the corresponding ports are not open, an LDIF file can be used. Using the LDIF file can be enabled during the installation (LDIF Support mode). This file can be created, for instance, by an LDAP export from an Active Directory, an Exchange user directory or a Notes Address Book (NAB).

4.1.2.5 Compressed Files and Archives: iq.suite Unpacker

Files are often compressed (zipped) before being sent by email. To allow compressed files to be scanned for viruses, iq.suite unpacks the files before running the scan. An unpacker is automatically installed with the iq.suite.

The unpacker supports the following archive formats:

- ACE
- ACE SFX
- ARJ
- BINHEX (Mac)
- BZIP2
- CAB
- GZIP
- Java Archive (.jar)
- LZH (LH ARC)
- MacBinary
- MSCOMPRESS
- RAR
- RPM
- Self-extracting ARJ
- Self-extracting CAB
- Self-extracting LZH/LHA
- Self-extracting RAR
- UUE (Executable compressed ASCII archive)
- Self-extracting ZIP
- TAR
- TGZ (Tape Archive)
- ZIP
- ZOO
- 7-Zip

Archives can themselves contain further archives. By default, such recursively compressed files are extracted to a recursion depth of 5. All archives exceeding this recursion depth are moved to the Badmail quarantine (refer to Badmails on page 140). The standard upper limit for an email including unpacked files is 500 MB. Such a limit is particularly important to handle so-called "ZIP of Death" attacks.

The recursion depth and the space restriction can be changed under IQ.SUITE SERVERS -> PROPERTIES -> GENERAL TAB.

4.1.2.6 Network Service

To ensure that the network service is working properly, certain rights on the iq.suite/log directory, the iq.suite/grpdata/inq directory, and the iq.suite/grpdata/outq directory are pre-set by default. If you use different directories in your iq.suite configuration, please make sure that the following rights are set:

- Full-access
- Change
- Read, Process
- Listing directory content
- Read
- Write
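The two limits described under Compressed Files and Archives above (recursion depth 5, 500 MB per email including unpacked files) can be illustrated with the following Python sketch. It is an example added here, not iq.suite code and not taken from the manual. It handles ZIP only, counts the attachment itself as depth 1 and charges packed plus unpacked bytes against the limit; these choices, the verdict strings and all function names are assumptions.

```python
import io
import zipfile

MAX_DEPTH = 5                       # default recursion depth named in the manual
MAX_TOTAL_BYTES = 500 * 1024 ** 2   # default 500 MB limit named in the manual
CHUNK = 64 * 1024


class LimitExceeded(Exception):
    """Attachment violates the unpack policy (hypothetical name)."""


def _read_member(zf, info, budget):
    """Unpack one member in chunks, charging every byte to the shared budget."""
    if info.file_size > budget["left"]:
        # Reject on the declared size before spending CPU on decompression.
        raise LimitExceeded("size limit")
    out = bytearray()
    with zf.open(info) as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            budget["left"] -= len(chunk)
            if budget["left"] < 0:      # declared size was not trustworthy
                raise LimitExceeded("size limit")
            out += chunk
    return bytes(out)


def _walk(data, depth, max_depth, budget, path, leaves):
    """Recurse into nested ZIPs; depth 1 is the attachment itself (assumption)."""
    if depth > max_depth:
        raise LimitExceeded("recursion depth")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            payload = _read_member(zf, info, budget)
            name = path + [info.filename]
            if zipfile.is_zipfile(io.BytesIO(payload)):
                _walk(payload, depth + 1, max_depth, budget, name, leaves)
            else:
                leaves.append(("/".join(name), len(payload)))


def inspect_attachment(data, max_depth=MAX_DEPTH, max_total=MAX_TOTAL_BYTES):
    """Return a verdict dict: unpacked leaves to scan, or a badmail decision.

    Corrupt or encrypted archives raise and are out of scope for this sketch.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"verdict": "scan", "reason": None,
                "files": [("attachment", len(data))]}
    budget = {"left": max_total - len(data)}   # the packed bytes count too
    leaves = []
    try:
        _walk(data, 1, max_depth, budget, [], leaves)
    except LimitExceeded as exc:
        # Nothing is handed to the scanner; the whole item is set aside.
        return {"verdict": "badmail", "reason": str(exc), "files": []}
    return {"verdict": "scan", "reason": None, "files": leaves}


def build_nested(levels, payload=b"constructed sample text\n"):
    """Constructed test input: a text file wrapped in `levels` layers of ZIP."""
    name, data = "invoice.txt", payload
    for _ in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        name, data = "inner.zip", buf.getvalue()
    return data


if __name__ == "__main__":
    for levels in (3, 5, 6):
        print(levels, inspect_attachment(build_nested(levels))["verdict"])
    big = build_nested(1, payload=b"\0" * 1_000_000)
    print(len(big), inspect_attachment(big, max_total=100_000))
```

The last call shows why the size limit matters independently of the depth limit: a single-level archive of about one kilobyte expands to one megabyte and is rejected on its declared size before any decompression takes place.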
4.1.2.7 Email Processing Sequence
1. An incoming or outgoing email follows the transport flow and arrives on the mail server.

2. iq.suite monitors the transport flow (SMTP Transport) at position x and temporarily removes the email from the delivery process. The designations of SMTP Transport and Transport Grabber depend on the system used:

   Designation       | MS Exchange 2003 / SMTP Gateway | MS Exchange 2007/2010/2013
   SMTP Transport    | SMTP Advanced Queue             | MS Exchange Transport Service
   Transport Grabber | Transport Grabber               | Transport Agent

3. The iq.suite Service fetches the email and checks the iq.suite configuration to determine whether or not the email needs to be processed by iq.suite.

4. The emails to be checked are processed according to their job priority set in the iq.suite configuration. When processing is complete, the iq.suite Service releases the email and performs any configured changes to the email, as required.

5. The email is returned to the transport flow.

6. The email transport is resumed and the email is delivered to the recipient.

4.1.3 iq.suite Configuration

All information required to run iq.suite is saved in the iq.suite configuration file, as ConfigData.xml. The structure of the ConfigData.xml file is similar to that of a database: various entries exist for each configuration area. Since all configuration settings are stored in a single file, the configuration can be easily distributed and backed up. If you have a problem with the configuration, you can simply send the ConfigData.xml file to the GBS Support Team for assistance.

The configuration settings are needed by both the iq.suite server and the iq.suite administration console. The iq.suite server needs them, for instance, to be informed of the iq.suite jobs to be carried out. To make changes to the configuration with the iq.suite administration console, the console must be able to
access the ConfigData.xml file. The configuration file can be placed either in a local directory or a network share.

The iq.suite configuration used by the iq.suite administration console and the iq.suite server is specified through an entry in the Windows Registry. The path to the configuration file can be entered in the format C:\...\ConfigData.xml or as UNC path (\\Servername\Share\ConfigData.xml).

If the iq.suite configuration file specified is not available, iq.suite uses the "last known good" configuration, which is logged in the Windows Event Log. The last known good configuration is saved locally for each server and is updated whenever the iq.suite configuration is changed and access from the iq.suite configuration file to the last known good configuration is possible.

To open a non-standard configuration with the administration console, you must specify the file with a special parameter. Run the iq.suite.msc file with the parameter config and the desired configuration file, e.g.:

    C:\Program Files\GBS\iQ.Suite\iQ.Suite.msc config "C:\OtherDirectory\Subdirectory\ConfigData.xml"

You can also specify a UNC path here.
4.2 User Interface

The iq.suite administration console is divided into three areas:

- Menu and toolbar: Configuration area for global, cross-module functions such as saving, updating, etc.
- Navigation area: Multi-level menu for the configuration and administration of iq.suite.
- Display area: Displays the iq.suite contents.

The context-sensitive Online Help is available in each dialog/window by clicking the icon or selecting OPERATION -> SHOW HELP FILE from the menu.

4.2.1 Toolbar Icons

- Previous
- Move up one position
- Next
- Move down one position
- Up one level
- Save
- Delete object
- Activate job
- Properties of the selected item
- Deactivate job
- Update view
- New item
- Export list
- Enable filter in quarantine/badmail
- Help
- Disable filter in quarantine/badmail

4.2.2 Navigation Icons

- Logo
- Folder element for Trailer modules.
- Parent node. The Basic Configuration contains the fundamental configuration elements for all iq.suite modules.
- Folder element for general iq.suite settings.
- Folder element for proxy server settings.
- Folder element for address lists.
- Folder element for Trailer configuration documents.
- Folder element for Trailer search patterns.
- Folder element for Trailer search patterns that can be extended with regular expressions.
- Folder element for Trailer images.
- Individual iq.suite address list. This address list is included in the iq.suite standard configuration and cannot be changed.
- Folder element for notification templates. The folder contains the individual templates for each job type and recipient.
- Folder element for Trailer attachment categories.
- Individual notification template.
- Folder element for image categories.
- Image element.
- Element of a Trailer attachment category.
- Element of a Trailer file attachment.
- Individual notification template.
- Folder element for database connections.
- a) Parent node Policy Configuration. This includes all configurations for iq.suite jobs. b) Information Store Scan jobs c) Mail Transport Jobs
- Folder element for Information Store jobs.
- Folder element for the configurations of individual iq.suite servers. Servers can be added, removed and configured. The common properties of all servers are set under BASIC CONFIGURATION -> IQ.SUITE SERVERS. This includes default email addresses and the internal domain(s).
- Folder element for folder settings. Includes the configuration documents for quarantines and iq.suite Bridge.
- Folder element and configuration document of the privacy quarantine.
- Folder element of the quarantine structure. Includes all quarantine folders.
- Individual Bridge quarantine.
- Folder element for Mail Transport jobs.
- Folder element for sample jobs of individual job types.
- Parent node. iq.suite Monitor includes views for all quarantine folders on each available server. The quarantine folders contain copies of the original emails, including attachments.
- iq.suite job for the iq.suite Wall module. Different job types are available.
- Folder element for Crypt elements.
- Folder element for utility elements.
- Individual CORE classifier.
- Folder element for fingerprints.
- Individual configuration document of a fingerprint.
- Configuration document of an individual fingerprint.
- Folder element for dictionaries. Includes all dictionaries available for content checking.
- Folder element for virus scanners. Includes all configuration documents needed to enable a virus scanner.
- Folder element of the Bridge quarantine structure. Includes all quarantine folders of iq.suite Bridge.
- Folder element for archive connectors.
- Folder element for Crypt engines and configuration document for PGP and GnuPG engines.
- Configuration document for S/MIME engines.
- Individual configuration document for a WebCrypt Pro server connection.
- Configuration document of a PDFCrypt engine.
- Folder element and configuration document for a global mapping element.
- Folder element and configuration document for a KeyManager connection.
- Individual quarantine object.
- Invalid quarantine object.
- Object resent from the quarantine.
- Folder element for anti spam engines.
- Quarantine object in the Information Store.
4.3 iq.suite Basics

4.3.1 iq.suite Jobs (Policy Configuration)

The iq.suite jobs are the primary instrument used to configure the iq.suite. Each iq.suite job performs a module-specific action such as scanning an email for viruses (iq.suite Watchdog), scanning for spam (iq.suite Wall), encrypting (iq.suite Crypt), etc. Typically, companies use corporate policies to set how emails are to be handled. These policies can be implemented through iq.suite jobs. All configured iq.suite jobs are grouped in the iq.suite administration console under Policy Configuration.

Corporate Policy Example

The company-x wants to prevent spam from being delivered to the recipients. In addition, the recipients are to be informed that an email addressed to them has been classified as spam, so that they can decide for themselves whether this email is to be deleted or delivered.

To implement this company policy, use a Wall Spam Filtering job. The job ensures that an email classified as spam is moved to the iq.suite Quarantine area and not delivered to the recipient. The quarantine settings make sure that the recipient is informed of his/her quarantined email through a summary notification.

4.3.1.1 Mail Transport Jobs and Sample Jobs

Use a separate Mail Transport Job for each application scenario that you wish to implement in the email process, e.g. decryption with PGP, check for viruses, check for spam, sign with S/MIME, etc.

To make the configuration of Mail Transport Jobs as easy as possible, sample jobs are provided for a wide range of applications. These examples are templates that you can drag and drop to the MAIL TRANSPORT JOBS area and then modify the copies to suit your requirements. If no appropriate sample job is available for a specific scenario, you can also create Mail Transport Jobs manually: RIGHT-CLICK -> NEW.
The iq.suite takes into account all active jobs (no X in icon) located under MAIL TRANSPORT JOBS and processes them in the specified job order. Refer to Processing Order of iq.suite Jobs on page 41. Inactive jobs are not taken into account for processing emails. Thus, configured jobs do not have to be removed from the configuration if they are to be temporarily disabled.

Using a number of different conditions (to be defined in the job), you can set which criteria an email has to meet in order to be processed by the job.

4.3.1.2 Information Store Jobs

Information Store Jobs are used for virus scanning (and cleaning) in public or private folders. Like Mail Transport Jobs, the Information Store Jobs perform different actions whenever a virus is detected.

The definition of a new iq.suite server (BASIC CONFIGURATION) automatically results in the creation of an Information Store Job (related topics: Virus Scanning in the Information Store on page 223 and Sample Job: Virus Scan in the Information Store on page 236). The Information Store scan is a server setting. Therefore, you can configure one Information Store Job per server. Manually creating an Information Store Job is not possible. When the server is removed, the associated Information Store Job is deleted as well.

Information Store Jobs can only be used in combination with the iq.suite Watchdog module.
4.3.1.3 Processing Order of iq.suite Jobs

In the Mail Transport Jobs area, the order in which jobs are processed is set through the position number. The job with position number 1 is executed first, followed by the job with position number 2, etc. New jobs are placed at the end of the list. To change the position of a job within the processing order, use the up and down icons in the toolbar or RIGHT-CLICK -> ALL TASKS -> UP/DOWN.

To define a reasonable sequence of jobs, you have to decide which functions are to be performed first. A reasonable sequence could be, for instance:

1. Key import job, e.g. Crypt - Key import with PGP.
2. Decryption job for all incoming emails, e.g. Crypt - Decrypt with PGP.
3. Virus scanning job, e.g. Watchdog - Virus Scanning Job. If no decryption is required, the virus scanning job should be the first one executed. This ensures that emails quarantined by other jobs (which can therefore still be delivered to the recipient after all) are not infected. For further information on the quarantine, please refer to Quarantine Configuration on page 46.
4. Job to limit the number of recipients of an email, e.g. Wall - Recipient Limit Filtering Job. This makes it possible to prevent a server crash resulting from a mail-flooding attack. This job is best executed right after the virus scanning job. It ensures that the recipient lists are not modified by any preceding job.
5. Blocking job, e.g. to block large emails or unknown archives (Watchdog - Attachment/Size Filtering Job). The advantage of running this job early is that the affected emails are excluded from further processing and therefore do not unnecessarily use server resources.
6. Job for conversion to PDF or PDF/A (Convert - Convert Outgoing Attachments).
7. Compression job (Convert - Compress Outgoing Attachments).
8. Job to append a legal disclaimer (Trailer - Trailer Job).
9. Job to integrate an email archiving solution, e.g. with iq.suite Store (Bridge - Store Archiving).
10. Define further jobs as required. Use the position numbers to include them at the appropriate position within the job chain.
4.3.1.4 Address Conditions and Address Lists

Address conditions refer to email addresses. Using sender/recipient conditions, you can set that a job applies to specific users or user groups only. In addition, you can set exceptions (e.g. for departments), or perform specific actions for emails from specific employees.

In each iq.suite job, address conditions can be selected either directly or through an address list (Addresses tab). The advantage of address lists is that they can be reused in any number of jobs, which simplifies the job configuration and reduces administrative work. For further information on address lists, please refer to Address Lists on page 89 and General Tab on page 51.

4.3.1.5 Conditions

Besides address conditions, you can also set various other conditions to be taken into account by an iq.suite job (Conditions tab), for instance conditions concerning email features such as specific words in the subject, the level of relevance, etc. Refer to Conditions Tab on page 60.

Besides these features (which emails already have before they are processed by the iq.suite), iq.suite jobs can also react to email properties set by a previous iq.suite job. Refer to Actions on page 43.

With the conditions you can, for instance, create a job that quarantines and deletes all emails (without forwarding them to their recipient) that were sent from the domains *@gmx.net and *@hotmail.com, are larger than 500 KB, contain the word "Look" in the subject field and belong to the fingerprint category SOUND. This use case can be performed with a Watchdog Attachment/Size Filtering job.
4.3.1.6 Actions

Once all requirements for an incoming or outgoing email are met, the email is processed by a job and the associated actions are executed, e.g. scan for viruses, attach trailer, filter spam, etc.

Besides these job actions, which are different for each job type, it is also possible to execute various other actions. These actions are set in the Actions tab, for instance sending a notification to the administrator if processing was successful, when an email is quarantined, or when it is redirected to another recipient. These actions are performed in addition to the job-specific actions.

Some job types allow you to perform different actions depending on the outcome of the job. For instance, the Watchdog virus scan job provides different actions depending on whether a) a virus was detected or b) a virus was detected and removed. In the first case, the infected email is quarantined (for instance), in the latter a notification is sent to the administrator to inform him/her of the virus found.

iq.suite jobs can also be configured in such a way that they react to email properties set by a previous iq.suite job, e.g. specific headers or iq.suite tags. In this way, it is possible to set up dependencies between iq.suite jobs: An iq.suite job adds specific properties to the email, e.g. a defined iq.suite tag, and a subsequent iq.suite job reacts to this tag and then performs certain actions. The tags can be removed from the email again, as required. Refer to Actions Tab on page 63.
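The interaction between position numbers and tag dependencies can be checked with a small model. The following Python sketch is an added illustration, not iq.suite code: the classes, the keyword-based spam check and the concrete chain are assumptions, while the tag SpamLevel with the value High and the "is not" condition follow the manual's own example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Email:
    subject: str
    # iq.suite tags are internal control data, not mail headers.
    tags: Dict[str, str] = field(default_factory=dict)


@dataclass
class Job:
    position: int                       # processing order: 1 runs first
    name: str
    action: Callable[[Email], None]
    enabled: bool = True                # disabled jobs stay configured but are skipped
    # Condition "tag is not value": the job is ignored when the tag has this value.
    tag_is_not: Optional[Tuple[str, str]] = None


def classify_spam(email: Email) -> None:
    # Constructed stand-in for the Wall classifier: one keyword decides.
    if "pharma" in email.subject.lower():
        email.tags["SpamLevel"] = "High"


def no_op(email: Email) -> None:
    # Placeholder for job actions that do not affect the tag flow.
    pass


def run_chain(jobs: List[Job], email: Email) -> List[str]:
    """Run enabled jobs in position order; return the names of the jobs that executed."""
    executed = []
    for job in sorted(jobs, key=lambda j: j.position):
        if not job.enabled:
            continue
        if job.tag_is_not is not None:
            tag, value = job.tag_is_not
            if email.tags.get(tag) == value:
                continue                # condition not met, job ignored
        job.action(email)
        executed.append(job.name)
    email.tags.clear()                  # tags are deleted before delivery
    return executed


def build_chain(spam_position: int, archive_position: int) -> List[Job]:
    """Hypothetical chain; only the order of the two dependent jobs varies."""
    return [
        Job(1, "Watchdog virus scan", no_op),
        Job(spam_position, "Wall spam filtering", classify_spam),
        Job(archive_position, "Store archiving", no_op,
            tag_is_not=("SpamLevel", "High")),
        Job(4, "Trailer", no_op, enabled=False),
    ]


if __name__ == "__main__":
    for label, chain in (("tag set first", build_chain(2, 3)),
                         ("tag set too late", build_chain(3, 2))):
        mail = Email(subject="Cheap pharma offer")
        print(label, "->", run_chain(chain, mail))
```

When the tag-setting job has the higher position number, the dependent job runs before the tag exists and its condition never takes effect, so the position of a job has to be reviewed whenever it depends on another job's tag.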
4.3.2 Basic Configuration

The "objects" configured in the Basic Configuration area complement a job by adding essential information to the job's functions or defining additional actions to be executed. For instance, the following objects could be added to a virus scan job:

Virus scanner: Configuration under Utility Settings.
Quarantine: Virus-infected emails are not delivered to the recipient but moved to the quarantine. Configuration under Folder Settings as Default Quarantine.
Templates: A notification is sent to the administrator in case of a virus-infected email. For further information on the templates, please refer to Templates on page 44.

The objects are created/stored under BASIC CONFIGURATION and then used by iq.suite jobs. Each object can be used for any number of jobs.

4.3.2.1 Templates

In certain situations, it is possible to notify recipients, senders and/or administrators, e.g. when a job could not be executed. Depending on the job type (spam filtering, virus scanning, archiving, etc.), the iq.suite provides a wide range of notification templates that can be freely reused and integrated in many jobs. Under GENERAL SETTINGS -> TEMPLATES, you will find the notification templates that you can use directly or as basis for your own templates. A distinction is made between the following notification types:

Notifications for Mail Transport Jobs
The notification templates are grouped by iq.suite module (Watchdog notifications, Crypt notifications, etc.). Use these templates to inform others about the actions executed by the job.
Example: A Watchdog virus scan job detects a virus-infected email. The administrator is to be informed of this event.
Configuration: Apply the Admin: Virus found template from the Watchdog Notifications area to the Watchdog virus scan job (Actions tab).

Notifications for Information Store Jobs
Use templates from the Information Store Notification area to inform the administrator about job actions performed by the Information Store Job.
Example: An object in the Information Store could not be checked. The administrator is to be informed of this event.
Configuration: Apply the Admin: Unscannable Object template to the Information Store Job (Actions tab).

Collective notifications
By default, iq.suite servers are configured not to send a separate notification for each job event, but to collect notifications and send them as Collective notification. Refer to Collective Notification on page 74 and Central Whitelists on page 75.

Quarantine summary reports
Quarantine summary notifications are not integrated into specific jobs, but configured directly for the iq.suite server. The quarantine summary notifications focus on individual quarantines in order to periodically inform administrators, recipients, senders or others about the emails moved to the quarantine. Refer to Defining Quarantine Summary Notifications on page 118, Quarantine Configuration on page 114 and Configuring a Global Quarantine Summary Notification on page 124.

User list summary reports
User lists are used to collect a user's email addresses known to be trustworthy (whitelist) or untrustworthy (blacklist). The Whitelist summary report is used to inform users about new entries in their user whitelist. Similarly, the Blacklist summary report is used for the user blacklist. Refer to Whitelist Notification / Blacklist Notification on page 125.

4.3.2.2 Quarantine Configuration

The quarantine is a separate iq.suite area used to store unwanted or harmful emails such as spam or virus-infected emails. Rather than delivering these emails to their recipients, they are blocked and quarantined.

To relieve administrators, the recipient can be automatically informed of the fact that an email addressed to him/her has been quarantined. This is done by way of a quarantine summary notification [15]. The recipient decides for himself/herself whether the email is to be deleted, left in quarantine or delivered to him/her after all.

Some sample jobs use multiple quarantines, in order to categorize the emails according to the spam level (Low, Medium, High). Depending on the relevance of the spam properties identified, the emails are assigned to a spam level and stored under the corresponding category, e.g. the category ANTI-SPAM: HIGH under IQ.SUITE MONITOR -> QUARANTINE.

The quarantine is configured under Folder Settings, e.g. which jobs will use this quarantine, or how long quarantined emails are to be kept. For further information on setting up the quarantine, please refer to Quarantine Configuration on page 114.

4.3.2.3 Utility Settings

Utilities are auxiliary components that can be integrated into iq.suite jobs. Which utilities can be used in which iq.suite job depends on the job type. For instance, Trailer documents can only be used in Trailer jobs.

Please note that the selected utility component must be enabled if it is to be used by an iq.suite job.

[15] Refer to Defining Quarantine Summary Notifications on page 118.
4.3.2.3.1 CORE Classifiers

CORE classifiers are used by iq.suite Wall for spam detection and content classification. A classifier for spam detection is supplied with iq.suite. For further information on CORE, please refer to CORE Classification on page 309.

4.3.2.3.2 Fingerprints

Fingerprints are used by iq.suite Watchdog and iq.suite Convert to identify file types. A comprehensive range of fingerprints, subdivided into categories, is included with iq.suite. Normally, you do not have to make any changes to these fingerprints. For further information on configuring fingerprints, please refer to Fingerprints on page 248.

4.3.2.3.3 Dictionaries

Here you can create dictionaries of text strings that you want iq.suite Wall content and spam filtering to block. We have already created a few dictionary categories that you can customize to your needs. For further information on setting up dictionaries, please refer to Setting up Dictionaries on page 300.

4.3.2.3.4 Virus Scanners

iq.suite Watchdog uses third-party virus scanners to check for viruses. Some virus scanners are available in the iq.suite as integrated scanners, others have to be installed separately on the server. For further information on installation and configuration of the virus scanners, please refer to Installation of Virus Scanners on page 10 or Enabling Virus Scanners on page 224.
4.3.2.3.5 Bridge Connectors

iq.suite Bridge uses special connectors to set up a connection between the email environment and an archiving system or external application. Once configured, the connector is included in a Bridge connector job. Refer to Job Types on page 68.

4.3.2.3.6 Archival Connectors

iq.suite Store uses special connectors to set up a connection between the email environment and the archiving system. Once configured, the connector is included in a Store archiving job. Refer to Job Types on page 68.

4.3.2.3.7 Anti-Spam Engines

Sophos SASI Engine

SASI is an interface used for fighting spam and mass mailing. To analyze the emails, the SASI engine checks them against known patterns of typical spam. The pattern database is located on the server where the iq.suite is installed. This database is automatically updated at periodic intervals. The update interval is configurable.

The SASI engine is automatically activated when the SASI option is enabled in the iq.suite Wall Advanced Spam Filtering Job [16]. For further information on the configuration, please refer to Using SASI for Spam Filtering on page 293.

4.3.2.3.8 Crypt

Crypt Engines

For encryption and decryption, iq.suite Crypt uses PGP, GnuPG or S/MIME. For each method an individual Crypt engine is available in the iq.suite configuration. The Crypt engines are installed on the server and configured in the iq.suite BASIC CONFIGURATION. For further information on configuring each engine, please refer to the chapters under iq.suite Crypt on page 143.

[16] Refer to SASI results on page 290.
Global Mappings

iq.suite Crypt encryption and decryption jobs allow you to set how to handle addresses for which key IDs exist in a public key ring or a Windows certificate store. Using a mapping table, these key IDs are assigned to recipient addresses. To be able to use specific recipient addresses in several Crypt jobs without having to enter them as mapping table for each of these jobs, you can define such addresses as Global Mappings. For further information on mapping recipient addresses to public keys, please refer to Open the Mapping tab: on page 163 and Open the Mapping tab: on page 181.

KeyManager Connection

iq.suite KeyManager is an iq.suite Crypt extension designed for managing S/MIME certificates. It not only allows you to manage self-signed, public and personal certificates, but also those classified as trustworthy by a certificate authority such as VeriSign ("true" certificates). Manually managing and post-editing "true" certificates is no longer required, as certificate management is performed centrally. Refer to Using the Outdated S/MIME Solution on page 212.

4.3.2.3.9 Trailer

Trailers are pieces of text attached to outgoing emails, e.g. salutations, disclaimers, etc. Under Trailer, you will find a number of preconfigured Trailer documents, which you can assign to a Trailer job (Trailer tab). The templates can be reused and applied in any number of Trailer jobs [17].

For further information on including the Trailer document in a job, please refer to Scenario: Attaching a Legal Disclaimer on page 373 and Scenario: Attaching Customized Signatures on page 375.

For further information on including the Trailer search pattern in a job, please refer to Trailer Search Pattern on page 356.

[17] Related topics: Creating a Trailer Document on page 358 and Copy the Attach Sender Signature job to MAIL TRANSPORT JOBS. Activate the job. on page 375.
4.3.3 iq.suite Monitor

iq.suite Monitor reflects the iq.suite operational environment and enables monitoring and statistical analysis of iq.suite operations for each server. More specifically, iq.suite Monitor offers various analysis and administration features for quarantined emails. All servers set up under BASIC CONFIGURATION -> IQ.SUITE SERVERS can be monitored by iq.suite Monitor.
4.4 Standard Tabs of Mail Transport Jobs

Regardless of its specific task, every Mail Transport Job features a number of standard functions that are fully integrated into the job. This chapter describes these standard functions. Subsequent job descriptions will no longer address these standard features, but only focus on the job-specific functions.

Save the iq.suite configuration whenever you have made any changes (icon). The configuration is saved to the ConfigData.xml file located under GBS\iQ.Suite\Config. Pending changes are identified through an asterisk (*) at the top node.

4.4.1 General Tab

The General tab provides various configuration settings, most of which are not job-specific and can be configured for all jobs.

[Screenshot: example of a Crypt job for encryption with GnuPG]

Name: Assign a name to this job.
Enabled: If a job is to be executed by iq.suite, it needs to be enabled. Disabled jobs are marked with an X in the icon. iq.suite takes into account all enabled jobs and processes them in the specified job order. Refer to Processing Order of iq.suite Jobs on page 41. Disabled jobs are part of the configuration, but they are not executed. Thus, it is not necessary to remove a job from the configuration if you wish to (temporarily) disable the job.

Subject extension: When the job is executed, it is possible to add an entry to the subject line of the email, e.g. processing information. Normally, this configuration is set in the Actions tab under Add subject extension. The settings in the Subject extension field only apply if the job has been processed successfully but the email does not meet the requirements for triggering a job action.

Example: A spam job is configured to check emails for unwanted contents. For non-spam emails, the text specified under Subject extension is added to the subject line. For spam emails, however, the configured job action is triggered, e.g. the email is quarantined, and the Subject extension field is ignored.

The text to be inserted can be either specified manually or defined by way of variables. For a list of available variables, please refer to List of Notification Variables on page 95.

Please note that special rules apply to iq.suite Crypt. These rules are explained in detail along with the corresponding job description.

Quarantined emails: Where required, it is possible to deliver quarantined emails to the original recipient (or another person) by resending them manually from the Quarantine: IQ.SUITE MONITOR -> SEND OBJECT FROM QUARANTINE. Before resending an email from the quarantine, perform a root cause analysis and reinsert the email in the job processing chain if required.
Ignore emails resent from quarantine: The email is not reinserted into the processing chain, but forwarded to the next job, i.e. the email is not checked again.

Check emails resent from quarantine: The email is reinserted at the beginning of the job processing chain, i.e. it is processed again by all jobs. Use this option, for instance, if you have been unable to determine the reason why the email was quarantined.

For further information on sending quarantined emails, please refer to Sending From Quarantine on page 138.

Options

Job is mission critical: Enable this option for jobs that are so important that emails should under no circumstance be delivered to their recipients if they have not been checked by this job, for instance when an error occurs in the virus scan job and virus protection can no longer be ensured. Emails that cannot be processed due to a job error are moved to the Badmail quarantine and retained there until checked or released by an authorized person. With this option enabled, each email processed by this job will be moved to the Badmail quarantine as long as the processing error has not been resolved.

With the Job is mission critical option disabled, the emails are ignored and skipped by this job. Instead, they are passed to the next job in the processing chain and processed by that job. All processing errors are recorded in the Windows Event Log. If the processing error occurs repeatedly, the job is disabled and the administrator is automatically informed by email. The disabled job is automatically restarted after 15 minutes.

Similarly, quarantines can also be set to mission critical. Refer to Setting up a Local Quarantine Database on page 111.

Write processing log:
The processing log (audit files) allows you to monitor how the emails are processed by the job. Enable this option for test purposes or to provide evidence that, for instance, emails were encrypted. Each job with this option enabled is recorded as separate entry. The log is stored under the iq.suite installation directory in the Log folder. Any recipient groups are resolved and a separate line is written to the file for every single recipient. Also take into account the configurations on the iq.suite server. Refer to Settings for an Individual iq.suite Server on page 79.

Name of the text file: Audit_all_<last modified date>.log
Example: Audit_all_20100909.log.

To update the file, restart the iq.suite services.

Besides the Job ID, a very important element is the result of the operations performed by iq.suite. Depending on the job type, different results are returned. The most common results are:

Restricted: The email matches the defined restrictions.
Unrestricted: The email does not match the defined restrictions.
Success: The email was successfully processed by the job. The actions configured for successful processing were executed.
Error: The email was not successfully processed by the job. The actions configured for unsuccessful processing were executed.
Ignore: For iq.suite Crypt only: The email was successfully processed by the job. As configured, no actions were performed, e.g. in case of optional decryption.
Fault: The email could not be processed successfully for some of the recipients, e.g. because no valid certificate was available. In this context, Error would mean that the email could not be processed for any of the recipients.

Verbose processing log: With this option enabled, further information is written to the processing log for quarantined emails. Enable this option for troubleshooting.

Ignore S/MIME signed emails: With this option enabled, S/MIME emails signed by the client are excluded from the job.

4.4.2 Addresses Tab

In each job, the Addresses tab allows you to set to which senders and/or recipients a job applies. To do so, use the Sender/Recipient conditions.

Split up mails with multiple recipients: When an email is addressed to several recipients and some of them do not fulfill the configured sender/recipient conditions, this option allows you to set that the email is to be split into two emails:
One email is addressed to the recipients who fulfill the sender/recipient conditions. This is the email processed by the job.
The other email is addressed to the recipients who do not fulfill the sender/recipient conditions. This email is not processed by the job.

Sender/Recipient conditions: The most common use cases (All, External or Internal sender/recipients or Local users) can be handled with the default settings provided here. Select the senders/recipients the job is to apply to.

ADVANCED button: Use these settings for more complex address conditions, e.g. to use address lists. Refer to Address Lists on page 89.

Set for which senders the job actions are to be executed (Run this job when a message arrives from). If you specify an entire group, department, etc., you can exclude individual persons or subgroups from this rule by selecting the Except where addressed from option to define exceptions. The address conditions for recipients (And where addressed to) are set in the same way. Click on the BASIC button to return to the default settings.
As a rule, the fields Run this job when a message arrives from and Where addressed to are linked by a logical AND. Both conditions must return true for the job to be executed.

4.4.2.1 Example I: Virus Scanning

Corporate policy: Both incoming and outgoing emails are to be checked for viruses.

[Screenshot: job configuration]

4.4.2.2 Example II: Blocking Attachments

Corporate policy: External emails coming from the Internet and containing video files are to be blocked. Exception: They are addressed to members of the <Marketing> department or <Management>.

Procedure:
1. Set the senders to whom the job is to apply. As these are external emails, select in the standard view under Message from the External senders/recipients option.
2. Set the recipients to whom the job is to apply. As the recipients are employees of the company, select in the standard view under Addressed to the Internal senders/recipients option.
3. Set the recipients who are to be allowed to receive emails with video attachments (exceptions). To do so, click on the ADVANCED button and afterwards on Except where addressed to. In the subsequent address dialog, select the <Marketing> department and <Management>, for instance through address lists: BASIC CONFIGURATION -> GENERAL SETTINGS -> ADDRESS LISTS.

[Screenshot: job configuration]

Also refer to Creating, Editing and Deleting Custom Address Lists on page 89 and Address Filtering (Blacklists and Whitelists) on page 264.
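The address logic of Example II, including the Split up mails with multiple recipients option, can be modelled as follows. This Python sketch is an added illustration, not iq.suite code: the domain, the addresses, the contents of the address lists and the selector names are constructed assumptions. Only the enabled split option is modelled.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Tuple, Union

# Constructed sample data: domain, list names and addresses are assumptions.
INTERNAL_DOMAINS = {"company-x.example"}
ADDRESS_LISTS = {
    "Marketing": ["bob@company-x.example", "marketing-*@company-x.example"],
    "Management": ["ceo@company-x.example"],
}

Selector = Union[str, Tuple[str, ...]]  # 'all', 'internal', 'external' or list names


def is_internal(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() in INTERNAL_DOMAINS


def in_lists(address: str, list_names: Tuple[str, ...]) -> bool:
    """True if the address matches an entry (wildcards allowed) of any named list."""
    address = address.lower()
    return any(fnmatch(address, pattern.lower())
               for name in list_names for pattern in ADDRESS_LISTS[name])


def matches(address: str, selector: Selector) -> bool:
    if selector == "all":
        return True
    if selector == "internal":
        return is_internal(address)
    if selector == "external":
        return not is_internal(address)
    return in_lists(address, selector)


@dataclass(frozen=True)
class AddressConditions:
    arrives_from: Selector = "all"       # Run this job when a message arrives from
    except_from: Tuple[str, ...] = ()    # Except where addressed from
    addressed_to: Selector = "all"       # And where addressed to
    except_to: Tuple[str, ...] = ()      # Except where addressed to


def split_recipients(cond: AddressConditions, sender: str,
                     recipients: List[str]) -> Tuple[List[str], List[str]]:
    """Return (processed, bypassed): recipients of the email copy the job handles
    and recipients of the copy that skips this job."""
    sender_ok = (matches(sender, cond.arrives_from)
                 and not in_lists(sender, cond.except_from))
    processed, bypassed = [], []
    for rcpt in recipients:
        rcpt_ok = (matches(rcpt, cond.addressed_to)
                   and not in_lists(rcpt, cond.except_to))
        # Sender and recipient conditions are linked by a logical AND.
        (processed if sender_ok and rcpt_ok else bypassed).append(rcpt)
    return processed, bypassed


# Example II: external sender, internal recipients, Marketing and Management exempt.
EXAMPLE_II = AddressConditions(arrives_from="external", addressed_to="internal",
                               except_to=("Marketing", "Management"))

if __name__ == "__main__":
    print(split_recipients(EXAMPLE_II, "promo@videos.example",
                           ["alice@company-x.example", "bob@company-x.example",
                            "ceo@company-x.example", "partner@other.example"]))
```

The bypassed copy is exempt from this one job only; it still passes through every other job whose own address conditions it meets, which is why exceptions belong on the blocking job and not on the virus scanning job.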
4.4.2.3 Example III: Adding a Disclaimer

Corporate policy: Each outgoing email is to be provided with a legal disclaimer. Exception: The email is addressed to specific mailing lists. Internal emails are to be excluded altogether.

Procedure:

1. Set the senders to whom the job is to apply. As these are emails from employees, set in the standard view under Message from the All internal senders/recipients option.
2. Set the recipients to whom the job is to apply. As these are external recipients, set in the standard view under Addressed to the All external senders/recipients option.
3. Set the exceptions. To do so, click on the ADVANCED button and afterwards on Except where addressed to. Enter the mailing lists used in your company by creating a separate address list (BASIC CONFIGURATION -> GENERAL SETTINGS -> ADDRESS LISTS) and specifying this list as exception.

[Screenshot: job configuration]
4.4.3 Conditions Tab

In each job, you can specify a number of conditions (requirements) to be fulfilled by an email for a job to be executed. These requirements include address rules (Addresses tab) as well as conditions (Conditions tab), e.g. specific words in the email subject line. A job, e.g. a virus scan job, is only started if all of the conditions for an email return true. Then, depending on the job result, the actions defined in the Actions tab are executed and the email processed accordingly, e.g. quarantined.

The condition parameters can be set according to your specific requirements. To configure a condition, enable the corresponding options and click on the link in the lower part of the window. The different conditions have the following meaning:

... with specific words in the subject: Set one or more words to be checked for in the email subject line. For instance, iq.suite could search for the word pharma in the subject of incoming emails. If found, the email is moved to the quarantine. Enter the word in the input line and click on ADD. The word is added to the search list. After having completed this list, select the search method (logical AND or logical OR).
... with following subject command: Set a string of characters that iq.suite will interpret as command. The command is manually added to the email subject by the sender. Depending on the job option selected, this command results in the job being executed or ignored. This allows an internal sender, for instance, to send an unencrypted email although an encryption job is enabled. Also, when signing an email or adding a trailer, it may be useful for the internal sender to be able to use a command that either executes or ignores a specific job. If the subject contains several commands, only the first one is executed. The character string is removed from the subject before delivery. The command may only include characters from the 7-bit ASCII character set. The command is not case-sensitive.

... marked as importance: A job is only performed for emails with a specific level of importance (Low, Normal or High). Emails marked as such by the sender (e.g. High) are moved to a separate quarantine. Set the level of importance the email needs to have for the job to be executed.

... with the following iq.suite tags and values: A job is only performed for emails with specific iq.suite tags or values. This command can be used, for instance, to create a dependency between the current job actions and the iq.suite tag (outcome) of a preceding job. Example: If, for a spam filtering job, you define the tag SpamLevel with the value High (ACTIONS -> ADD -> IQ.SUITE TAG AND VALUES), you can use this result in the conditions of the subsequent job. This allows you to set that the actions of the second job are not to be performed (condition "is not") if the value High is found. The iq.suite tags are deleted before delivery. The control elements do not appear in the email header.

... with the following headers and values: This condition is similar to the preceding one, except that iq.suite checks the email headers and the job actions depend on the content of the X header field (FURTHER ACTIONS -> ADD HEADER AND VALUE). This allows you to use, for instance, results returned by open-source tools. The headers and values can be used to select the emails according to whether or not they contain the specified header or value. These control elements appear in the email header. If that is not desired, use the condition ... with the following iq.suite tags and values instead. Using regular expressions, it is also possible to search for specific patterns. If a match is found in the To field, the job is either executed or ignored, as configured.

... addressed to the following SMTP senders: With this condition selected, the email sender address is checked. As opposed to the sender/recipient conditions in the Addresses tab, the exact sender address string is checked in the SMTP log (SMTP command: Mail From -> Envelope-From). For normal operations, we recommend using the regular sender/recipient conditions. The SMTP sender addresses should only be checked in individual cases, e.g. after a domain change.

... sent by the following SMTP recipients: This condition is similar to the preceding one, except that here it is the exact recipient address string that is checked (SMTP command: RCPT To -> Envelope-To).

... sender is in the user list: Before the email is delivered to the registered (internal) recipients, iq.suite checks whether the (external) sender is listed in the recipient's user list. Select the recipient's list (blacklist or whitelist) to be checked. Depending on the configuration, the job is either executed or ignored if the sender of the email is on a user list. This allows you to set, for instance, that a job will only be executed if the email sender is not included in the recipient's blacklist. There is no user list available for external addresses or group addresses.

... with following headers: Specify the email header fields to be searched for. As opposed to ... with the following headers and values, this condition only checks the existence of a header. You can specify one or several headers. If the latter, you can distinguish between logical AND and logical OR relations. If linked by a logical AND, all of the headers specified must appear in the email for the job actions to be executed. If linked by OR, one header is sufficient to trigger the actions.

... with TNEF mail body: The job is only executed for emails in TNEF format.

... with HTML mail body: The job is only executed for emails in HTML format.

... containing a read request: The job is only executed if the email sender has requested a read confirmation.
... containing a delivery request: The job is only executed if the email sender has requested a receipt confirmation.

For the job to be executed, all of the content-related conditions selected must be fulfilled at the same time as the applicable address conditions (logical AND).

If you want the processing of the conditions logged along with the job, select the Include full processing history option in the quarantine. This log makes it possible to check why a job was not executed. Note: In privacy quarantines not all email data is listed.

4.4.4 Actions Tab

The Actions tab is used to set the actions that are to be executed in addition to the job-specific functions. The actions depend on the job result (success/error).

The following standard actions are available for most of the jobs:

Copy to Quarantine: A copy of the email is stored in the quarantine. Select the quarantine to be used. Where required, it is possible to attach a label to the quarantined email in order to obtain additional information on the quarantined email. The emails in the quarantine can also be sorted according to the label. The label is configured by way of variables.

Delete email: The email is irrevocably deleted from the server and not delivered to the recipients. Normally, this setting will only be used for virus-infected emails or spam. With the Copy to Quarantine option enabled, a copy of the email can be kept in the quarantine.

Add email sender/recipient to user list: When the job is executed, the (external) sender of the email is added to the (internal) recipient's user list. Conversely, the (external) recipient of the email is added to the (internal) sender's user list. Specify whether the entry is to be made for a blacklist or a whitelist. With this action, spammers can be automatically added to the user blacklist of the internal recipient.

Delete attachment: Unwanted attachments are irrevocably removed from the email.

Add subject extension: Additional information can be added to the email's Subject field, for instance to show that emails have been checked by a job (e.g. [spam checked]). This can be useful for test purposes. The text to be added can be either specified manually or defined by way of variables. For a list of available variables, please refer to List of Notification Variables on page 95. You can also set whether the text is to appear at the beginning or the end of the subject.

Send notification to administrators: After the job has been executed, a notification is to be sent to the administrators, e.g. when the job was successful. Select the notification template with the contents to be used (GENERAL SETTINGS -> TEMPLATES). Alternatively, you can also click on the icon to create a new template and then select it. To modify the layout, you can either use the HTML toolbar or directly enter HTML formatting tags [18].

Send notification to all senders: After the job has been executed, a notification is to be sent to the email senders, e.g. when the job was successful. Set whether only internal senders (employees) are to receive a notification or external senders as well. For external senders as well, enable the Also send to external users option. For certain types of notifications (e.g. for acknowledge receipts) you can provide a sender address that differs from the usual notification address (defined under GENERAL SETTINGS -> IQ.SUITE SERVERS SETTINGS -> ADDRESS SETTINGS -> NOTIFICATION SENDER). Activate the Use a custom sender email address option and enter the desired address in the following field. In this case we recommend that you also activate the Suppress delivery reports option. This prevents creation of NDRs that are usually created for emails without a sender address, e.g. spam.

Send notification to all recipients: Similarly to the previous option, you can also set that the recipients receive a notification. In that case, you can set whether the notification is to be sent as a separate email or integrated into the email body. If integrated, you can place the notification at the beginning or at the end of the email body (Append as inline notification option). This requires that the email is neither signed nor encrypted and contains an email body. Otherwise, the setting for the integrated notification is ignored and a separate notification is sent instead.

ADD button: Select further actions, which you can then configure:

Notification: Enable this option if you want to send a notification to other persons than administrators, all senders or all recipients. For these persons the settings are set in the previous window.

Start external program: Define a new application in order to have actions executed by this application. To start an external application, specify its path and any necessary parameters. This option can be used to run separate scripts.

Add iq.suite tag and value: iq.suite tags can be added to an email while it is processed by iq.suite to perform special iq.suite actions. For instance, the email can be provided with additional information used by a subsequent job for further processing. Before delivery to the original recipient, the iq.suite tags are removed again.

Add header field and value: Define a new X header field and specify the desired value, e.g. to return a spam analysis result as value. As opposed to the Add iq.suite tag and value option, the header information is not deleted when the email is delivered to the original recipient.

Redirect mail: The email can be redirected to another freely selectable recipient. Optionally, a copy of the email can be sent to the original recipient as well. Click on the address book icon to select further recipients or define your own addresses. If the email is also to be delivered to the original recipient or original sender, enable the corresponding option. If you redirect a TNEF email to an external address, the recipient will receive an empty email, possibly with a winmail.dat attachment. The TNEF format is used by Exchange when an Outlook user (not Outlook Express!) sends an email within an Exchange organization. This format is not used for communication via the Internet or with other email programs.

Remove header field: Use this action to remove arbitrary X header fields from emails, e.g. to delete an X header field that was created previously on another server. For this, enable the Remove header field option, click on NEXT and define the field to be removed in the dialog displayed.

[18] Refer to Templates on page 44.
4.4.5 Server Tab

The Server tab is used to select the servers where the job is to be enabled. For instance, this could be useful if you are using a common configuration on several servers, but do not wish to run the job on all of these servers. To be included in the selection list, a server needs to be correctly configured. For further information on configuring iq.suite servers, please refer to Settings for an Individual iq.suite Server on page 79.

SELECT button: Click this button to assign the job to one or several servers.

EDIT button: Click this button to open the server's properties and change them as required. Refer to General Server Settings on page 79.

4.4.6 Details Tab

The Details tab can be used for a detailed description of the job. It is not required for configuration purposes, but makes it possible to enter information about the job and its configuration, e.g. on the actions to be executed or dependencies on other jobs.
4.5 Job Types

There are a number of different job types, which you can find under POLICY CONFIGURATION -> MAIL TRANSPORT JOBS -> RIGHT-CLICK -> NEW:

Job Type: Function

Bridge Connector: This job exports the emails and passes them to a third-party system connected via an external interface.
Connect SharePoint: This job exports email attachments to a connected Social Business Collaboration System.
Convert Command Line: This job converts email attachments. The job is started through command line.
Convert Compression: This job converts email attachments to ZIP or 7-ZIP.
Convert PDF: This job converts email attachments to PDF or PDF/A.
Convert TNEF to MIME: This job converts TNEF emails to MIME format.
Crypt Inbound: This job decrypts or verifies incoming emails with PGP, GnuPG or S/MIME.
Crypt Key Import: This job automatically imports PGP keys or S/MIME certificates in the public key or the certificates database.
Crypt Outbound: This job encrypts or signs outgoing emails with PGP, GnuPG or S/MIME.
RPost Registered email: This job sends emails as registered email (RPost).
Store Archiving: This job links the iq.suite modules with the iq.suite Store server and archives emails before delivery.
Store Journaling: This job creates copies of the emails at defined journaling locations.
Trailer: This job attaches a previously created trailer to some or all outgoing emails.
Wall Advanced Action: This job checks emails and attachments for regular expressions and replaces text strings.
Wall Content Filtering: This job checks emails and attachments for restricted text content.
Wall CORE Classification: This job classifies emails according to their contents or checks them for spam using CORE. For classification by content, you will need to create a new classifier. Use this spam filtering job for testing purposes only. CORE analysis is included in the Wall Spam Filtering Job as combined criterion and only needs to be enabled.
Wall Credit Card Number Filtering: This job checks emails and file attachments for credit card numbers.
Wall E-Mail Address Filtering: This job checks emails for address restrictions.
Wall Recipient Limit Filtering: This job checks emails for a maximum allowable number of recipients per email (the recipients in the To field of each email).
Wall Spam Filtering: This job checks emails for spam using a range of criteria.
Watchdog Attachment Filtering: This job checks emails for denied file attachments. The various file formats are identified with fingerprints.
Watchdog Attachment/Size Filtering: This job checks emails for denied file attachments. It also makes it possible to set the maximum size of an attachment.
Watchdog Email Size Filtering: This job checks emails for size and denies files that are larger than the allowed maximum size (per email size).
Watchdog Protected Attachment Detection: This job checks emails for password-protected archives.
Watchdog Virus Scanning: This job scans emails for viruses.
WebCrypt Pro Encryption: This job encrypts incoming and/or outgoing emails even when the communication partner does not use any encryption technology.

For each job type, you can define individual conditions, all of which must apply for the specified action to be executed.
5 General Configuration

5.1 Configuration Reports

The configuration reports provide an overview of the current configuration:

1. BASIC CONFIGURATION -> RIGHT-CLICK -> ALL TASKS -> SHOW CONFIGURATION REPORTS: A list of all configuration reports is displayed:
2. Select the desired report and click on. The report is opened as HTML file in the web browser.
3. Click on to display a print preview of the report.
4. Use to save the selected report as HTML file.
5.2 iq.suite Server Settings

Select iq.suite Server Settings to configure the default settings for all iq.suite servers [19]. In addition, each server can be configured individually. For further information, please refer to Settings for an Individual iq.suite Server on page 79.

To configure the iq.suite server settings, click on BASIC CONFIGURATION -> GENERAL SETTINGS -> IQ.SUITE SERVERS -> RIGHT-CLICK -> PROPERTIES.

5.2.1 Packed Files and iq.suite Monitor

Use the General tab to set specific iq.suite server settings:

Under Communication Port, enter the port number for iq.suite Monitor (default: 8008). The value entered here applies to all servers. Be sure to set the correct communication port. Otherwise, communication with the servers will be impossible [20].

Limit disk workspace per processed email: In rare cases the processing of an email is very load intensive and might lead to insufficient memory for other components. To avoid server restrictions and performance problems, you can limit the disk space available for the processing of an email. If this value is exceeded, the email is moved to the Badmail quarantine.

Maximum number of extracted archive levels: Archives can include not only compressed files but also further archives and an arbitrarily large number of sub-archives. In this field, enter the maximum permitted depth for the decompression of such archives. If this limit is exceeded, the further processing depends on the settings in the When email is unscannable, then field.

Maximum number of extracted email elements per email: Processing an email with many individual elements, such as email bodies, file attachments or files contained in archives, can strongly affect server performance. Hence, by default, the number of elements unpacked per email is limited to 10 000 elements. If this limit is exceeded, the further email processing depends on the settings in the When email is unscannable, then field.

Search for embedded archives in attachments: It is possible to hide ZIP or RAR files within file attachments, such as pictures, which means attachments can be used to infiltrate unwanted or harmful data such as EXE files or viruses [21]. The Search for embedded archives in attachments option applies a mechanism that identifies and extracts archives hidden in attachments. Once extracted, the files are analyzed using standard iq.suite methods. Please note that enabling this option may reduce the overall email processing speed [22].

When email is unscannable, then: Emails that contain unscannable elements (e.g. due to archives, password protected files or similar) or emails that exceed the configured number of archive levels can be processed as follows:

- The email is moved to the Badmail quarantine. The email is delivered to the recipients out of the Badmail quarantine only after it has been checked by the administrator.
- As an alternative, the further processing of the affected element is stopped when the defined limit is reached. If available, the next email element is checked, e.g. another file attachment. In this case, the processing corresponds to the regular email processing, in which the scannable email elements are analyzed by the configured virus scanners. We recommend that you configure a Watchdog Protected Attachment Detection job to log unscannable email elements. Refer to Sample Job: Checking Password-Protected Archives for Viruses on page 245.

[19] For further information, please refer to The iq.suite Server on page 25.
[20] For further information on allocating rights and security settings, please refer to iq.suite Monitor on page 127.
[21] Instructions are available on the Internet, usually relating to hiding in images.
[22] To avoid excessive performance losses and ensure the stability of the iq.suite, the analysis of attachments for archive recognition is limited in time and volume.

5.2.2 Collective Notification

As a general rule, each job can be configured so that when a specific event occurs, the recipients, senders and/or administrators are informed of this event (Actions tab). If several events occur for an email, the iq.suite servers are not configured (by default) to send separate notifications for each event. Instead, all notifications are combined into a single collective notification, i.e. the recipients receive a single notification with a list of all events that have occurred. The template used is the Template for Collective Notifications. You can change this template or create new ones [23].

If you prefer to send individual email notifications for each event, disable the Create collective notification option under IQ.SUITE SERVERS -> RIGHT-CLICK -> PROPERTIES -> GENERAL TAB.

[23] Related topics: Defining Quarantine Summary Notifications on page 118 and Whitelist Notification / Blacklist Notification on page 125.
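The unpacking limits of section 5.2.1 (archive levels, elements per email, disk workspace, embedded archives, and the two outcomes of When email is unscannable, then) interact as shown in the following Python code. This is an added example, not iq.suite code: it handles ZIP only, and the Limits values other than the 10 000 element default, all function names, the verdict strings and the sample files are assumptions made for illustration.

```python
import io
import zipfile
from dataclasses import dataclass, field

WORKSPACE, ELEMENTS = "workspace limit exceeded", "element limit exceeded"


@dataclass(frozen=True)
class Limits:
    levels: int = 3                  # archive levels; assumed value
    elements: int = 10_000           # default stated in the manual
    workspace: int = 50 * 2 ** 20    # bytes per email; assumed value


class LimitExceeded(Exception):
    """Raised with (path, reason) when a per-email limit stops unpacking."""


@dataclass
class Report:
    elements: int = 0
    workspace: int = 0
    scannable: list = field(default_factory=list)    # paths for the scanners
    unscannable: list = field(default_factory=list)  # (path, reason) pairs


def expand(name, data, report, limits, level=0):
    """Recursively unpack one email element, stopping at the limits."""
    if report.elements >= limits.elements:
        raise LimitExceeded(name, ELEMENTS)
    report.elements += 1
    # ZipFile locates the central directory from the end of the data, so it
    # also opens a ZIP appended to another file such as an image.
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report.scannable.append(name)  # not an archive: ordinary element
        return
    with archive:
        if not data.startswith(b"PK"):
            report.scannable.append(name)  # carrier file: scan it as well
        if level >= limits.levels:
            report.unscannable.append((name, "archive level limit exceeded"))
            return
        try:
            entries = [i for i in archive.infolist() if not i.is_dir()]
            for info in entries:
                path = f"{name}/{info.filename}"
                if info.flag_bits & 0x1:  # bit 0 set: entry is encrypted
                    report.unscannable.append((path, "password protected"))
                    continue
                # zipfile returns at most the declared size, so checking it
                # before reading bounds what a decompression bomb can use.
                report.workspace += info.file_size
                if report.workspace > limits.workspace:
                    raise LimitExceeded(path, WORKSPACE)
                expand(path, archive.read(info), report, limits, level + 1)
        except (zipfile.BadZipFile, NotImplementedError):
            report.unscannable.append((name, "corrupt or unsupported archive"))


def process_email(attachments, on_unscannable="badmail", limits=Limits()):
    """Return (verdict, report); on_unscannable models the manual's "When
    email is unscannable, then": "badmail" quarantines the whole email,
    "skip" leaves out only the affected element."""
    report = Report()
    try:
        for name, data in attachments.items():
            expand(name, data, report, limits)
    except LimitExceeded as exc:
        report.unscannable.append(exc.args)
        if exc.args[1] == WORKSPACE:
            return "badmail", report  # the manual always quarantines here
    if report.unscannable and on_unscannable == "badmail":
        return "badmail", report
    return "scan", report


def make_zip(files):
    """Build a ZIP in memory; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for filename, content in files.items():
            zf.writestr(filename, content)
    return buf.getvalue()


def constructed_samples():
    """Constructed inputs: a four-level nested ZIP and a ZIP hidden in a PNG."""
    nested = make_zip({"a.txt": b"hello"})
    for i in range(3):
        nested = make_zip({f"level{i}.zip": nested})
    picture = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64 + make_zip({"tool.exe": b"MZ"})
    return {"nested.zip": nested, "photo.png": picture}


if __name__ == "__main__":
    for policy in ("badmail", "skip"):
        print(policy, *process_email(constructed_samples(), policy))
```

With the "skip" policy the innermost archive of nested.zip is never opened, so its contents reach no scanner; this is the case the manual's recommended Watchdog Protected Attachment Detection job is meant to log.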
5.2.3 Central Whitelists

In multi-server environments, each server involved creates its own user whitelists. Thus, without server synchronization, each user is provided with a separate whitelist for each of the servers, which all need to be maintained individually. In order to manage these whitelists centrally and simplify administration, you can set up a Microsoft SQL Server instead of the standard local database based on the Microsoft Jet engine. This Microsoft SQL Server will write the information for all iq.suite servers involved to a central SQL database.

To create a central user whitelist, proceed as follows:

1. Create a database connection between the SQL server and the iq.suite server: BASIC CONFIGURATION -> DATABASE CONNECTIONS. Refer to Setting up Central Blacklists/Whitelists on page 110.
2. Under GENERAL SETTINGS -> IQ.SUITE SERVERS -> PROPERTIES -> GENERAL TAB -> SELECT DATABASE CONNECTION FOR WHITELIST ENTRIES set the appropriate option.
3. Run the Whitelist.sql script in the SQL Server Enterprise Manager to create the required SQL server tables. Refer to Setting up Central Blacklists/Whitelists on page 110.
5.2.4 Definition of Email Addresses and Internal Domains

iq.suite requires a number of basic settings concerning the email domain of the emails processed. During installation, the email address of the iq.suite administrator specified is used for the following iq.suite basic settings:

Administrator(s): Status notifications on the iq.suite installation as well as the configured administrator notifications are sent to the address specified in this field. By default, the installation enters the administrator address prompted for.

Notification sender: The email address entered here is shown as sender address in the system notifications of the iq.suite. By default, the installation enters a dummy address. The email domain is determined from the administrator address prompted for.

Reply address: If users reply to a system notification, the reply email is sent to the address specified in this field. By default, the installation enters the administrator address prompted for.

Internal domains: The email domains specified here are treated as internal email domains, all others as external ones. This setting is used by iq.suite rules to distinguish between incoming and outgoing emails by way of an email's sender and recipient address. For instance, a spam filter job will only run on incoming emails, while a trailer job is to be run only on outgoing emails. For each entry, use a separate line. Subdomains are automatically included if the main domain is preceded by the wildcard prefix "*.", e.g. *.domain.com. By default, the installation enters the administrator address prompted for.

These entries apply to all iq.suite servers. The settings can be changed at any time in this dialog.

5.2.5 Special Users

For certain scenarios iq.suite requires special access rights on all involved iq.suite servers. To fulfill in-house policies regarding access rights, you can create special user accounts to perform the scenarios with this user instead of the iq.suite administrator. Define these users in the iq.suite servers settings in the Options tab.
Global Quarantine Summary Reports: This option is only relevant in server environments with more than one iq.suite server. Refer to Configuring a Global Quarantine Summary Notification on page 124.

Global iq.suite Server: Select the iq.suite server to be defined as global iq.suite server. This server will create the global quarantine summary notifications.

User/Password: The global iq.suite server requires administrative access rights for all quarantines of all the involved iq.suite servers. Enter the name and the password for the user who possesses those access rights (e.g. the iq.suite administrator or a special user).

Microsoft Exchange 2013 Information Store Scan: As of Microsoft Exchange 2013, EWS is used for virus checks in the Information store instead of VSAPI. Refer to Sample Job: Checking Emails for Viruses on page 232.

User/Password: In this field enter the name (including the domain) and the password of the EWS user created on the Exchange server.

Client Access Server: If the Client Access Server role and the Mailbox role are used on the same Exchange server, you can leave this field blank. If the Client Access Server role is installed separately from the Mailbox role, please enter the server name or the IP address of the Client Access Server (CAS).
5.3 Settings for an Individual iq.suite Server

Click on BASIC CONFIGURATION -> IQ.SUITE SERVERS and double-click on the required server in the right section. To define a new server, click on IQ.SUITE SERVERS -> RIGHT-CLICK -> NEW -> IQ.SUITE SERVER.

5.3.1 General Server Settings

Enter the (NetBIOS) name of the Exchange server. During the installation, the current Exchange server name is automatically entered.

Set the maximum number of emails processed simultaneously by the iq.suite in the Number of threads field. A reasonable maximum depends on the capacity and performance of your server.

Select the Event logging level. You can view this log with the Windows Event Viewer. The options range from None to Maximum.

Set the number of days the emails are to remain in the Badmail Quarantine (Badmail directory). When this period expires, the emails are automatically deleted.
Set the number of days after which a job processing log in the Log directory is to be deleted. Refer to Selecting Virus Scanners on page 232.

In the iq.suite jobs, you can set that "audit" files are created to log and view the email processing operations performed by a job [24]. Under Write processing log, enter how often these files are to be created, and under Delete processing log after x days, set how long the files are to be kept in the Log directory.

To be able to view a newly created server in the iq.suite Monitor, refresh the view: IQ.SUITE MONITOR -> RIGHT-CLICK -> REFRESH.

5.3.2 Individual Email Addresses for an iq.suite Server

Both the user-defined and default installation settings in the properties for all iq.suite servers are copied to each individual server. These are the iq.suite Server Default Settings. To specify different settings for a specific server, select the Customize address settings option and enter the new addresses in the associated fields.

[24] Refer to Write processing log on page 53.
5.3.3 Using a Proxy Server

If your network environment requires a proxy server for Internet connections, you can select the proxy for each iq.suite server, for instance for downloading updates from the Internet.

1. Create a proxy server configuration in the iq.suite. Refer to Proxy Servers on page 88.
2. In the Proxy Server tab, select the Custom proxy server option and select the previously created proxy server configuration.

5.3.4 User Access to Quarantine

Blocked emails are quarantined and prevented from delivery to the internal recipients. Depending on the iq.suite configuration, internal users are able to access their quarantined emails to perform certain actions.
Especially for spam filtering with iq.suite Wall, user access to the quarantine is a reasonable supplement to the spam quarantine administration. With the iq.suite, users can access their quarantined emails themselves. This helps to reduce the administrator's workload by allowing users to forward quarantined emails to their inboxes.

The internal users are informed about quarantined emails by a quarantine summary notification. This summary notification contains links for executing certain actions, e.g.:

Request: Delivery of the quarantined email to the recipient of the summary notification. This action is not available for privacy quarantines.

Release: Delivery of the quarantined email to all recipients of the original email. This action is not available for privacy quarantines.

Remove: Deletion of the quarantined email.

The user gets access through an email request or an HTTP request. For each server, you can specify whether and how users can access their quarantined email. For this, select BASIC CONFIGURATION -> IQ.SUITE SERVERS -> <SERVER NAME> -> RIGHT-CLICK -> PROPERTIES and open the Quarantine access tab:
5.3.4.1 Allow Users to Request Quarantined Items by Email

Quarantine requests are started by an email request. This email is generated automatically when the user clicks on the link for a quarantined email in the summary notification and is sent to the email address entered in the Mailbox field on this tab [25]. This requires that the email address exists and that the email is sent through the server on which the iq.suite and the applicable quarantines are installed. We recommend that you set up the mailbox on the same server. The message content is read out, thereby triggering the action requested by the user.

iq.suite recognizes request emails through the following:

- the email address (specified in the Mailbox field).
- the keyword for a user request in the email (User Request).

Finally, the request email is placed in the specified mailbox. To delete request emails once they have been processed, select the Delete request mails after processing option.

5.3.4.2 Allow Users to Request Quarantined Items via HTTP

Quarantine requests are started by an HTTP request. When the user clicks on the required action, the default web browser opens. The user is notified that the request is being processed. The requirement for this request is a free port (default: 8009). The feedback message is set in the OK_Response.html file in the iq.suite\appdata directory.

For further information on configuring user-specific quarantine access, please refer to Quarantine Configuration on page 114.

5.3.5 Quarantine Maintenance

Use this tab to specify the time at which the quarantine on the servers is to be purged. This deletes all emails marked for deletion to make space for newer emails. Default setting: each Saturday at 03:00 AM.

[25] Refer to Defining Quarantine Summary Notifications on page 118.
If necessary, you can also purge quarantines manually. Click on IQ.SUITE MONITOR -> SERVER -> RIGHT-CLICK -> ALL TASKS -> PURGE QUARANTINE.

1. Under BASIC CONFIGURATION -> IQ.SUITE SERVERS -> <SERVER NAME> -> PROPERTIES, open the Quarantine Maintenance tab:
2. If you wish to modify the time and/or the purge period, click on EDIT and specify the desired time and day:
5.3.6 Setting Bridge Options

This tab is used to convert TNEF emails to the MIME format. This can be useful, for instance, in specific archiving scenarios.

If using Microsoft Exchange up to version 2003, the conversion to MIME requires the following:

- The iq.suite server must have access to an Exchange Store via WebDAV protocol. To test this, check the OWA access from the iq.suite server.
- A mailbox / public folder has to be created on the Exchange server where the conversion will be performed. This account must be provided with specific access rights.
  Mailbox: member of the Local Admins group
  Public folder: Publishing Author role

1. Under BASIC CONFIGURATION -> IQ.SUITE SERVERS -> <SERVER NAME> -> PROPERTIES, open the Bridge Options tab:
2. Under Operating Mode, select your Exchange Server version. If you select Microsoft Exchange 2007 or newer, proceed to Step 5.
3. Under Domain\User and Password, enter the authentication data of the newly created mailbox or public folder in the following form: <domain\user login>.
4. If you have set up a mailbox for conversion, you can keep the default setting Use mailbox of user defined above. However, if the mailbox is located on another server or if you have set up a public folder for conversion, select the Use remote mailbox or public folder option and enter the corresponding path in WebDAV format.
5. Test the MIME conversion using the test function: IQ.SUITE MONITOR -> SERVERS -> SELECT SERVER -> SERVER STATUS -> TEST TAB -> TNEF-TO-MIME DECODER TEST -> START:
5.3.7 View a List of All Jobs

The iq.suite Jobs tab provides a list of all jobs defined on this server. To edit a job on the server, select the job properties.
5.4 Proxy Servers

If you have already specified proxy server connection data during the iq.suite installation, these proxy server settings are entered under BASIC CONFIGURATION -> GENERAL SETTINGS -> PROXY SERVER. When required, change these settings:

Proxy name or IP: Enter the full name or IP address of the proxy server, e.g. proxy.mydomain.de or 172.x.x.1.

Proxy port: Enter the port number used for communication with the proxy server. Default: 8000.

Proxy user and Proxy password (optional): Authentication data used by the update service to log in to the proxy server.

To delete a proxy server, right-click and select DELETE. Please note that you cannot delete a proxy server that is being used by an object.
5.5 Address Lists

Under BASIC CONFIGURATION -> GENERAL SETTINGS -> ADDRESS LISTS, you find preconfigured lists that you can use to start with. For instance, use the Anti-Spam: Blacklist address list to collect addresses from well-known spam domains. For emails whose sender address is listed in a blacklist, you can configure a Wall job in order to block such emails and not deliver them to the intended recipients. Conversely, use the Anti-Spam: Whitelist address list to exclude known trustworthy email addresses from being checked, e.g. addresses from business partners. You can also create your own address lists and later assign them to a job.

5.5.1 iq.suite Address Lists

The iq.suite address lists are created from the settings of the main iq.suite server and cannot be freely changed. The entries are determined during the installation; however, they can be manually configured subsequently. Refer to iq.suite Server Settings on page 72.

Use the iq.suite address lists to configure jobs for specific sender/recipient groups. If you select Empty sender (<>), the iq.suite jobs will also be able to process emails without any sender address, for instance to perform specific job actions for iq.suite system notifications or spam without sender address.

5.5.2 Creating, Editing and Deleting Custom Address Lists

You can create your own address lists to be selected and used for individual jobs. Create a custom address list from domain addresses, group addresses or addresses from other organizational units. iq.suite takes the available data from the Active Directory (AD).

To create an address list, perform the following steps:

1. Click on BASIC CONFIGURATION -> ADDRESS LISTS -> RIGHT-CLICK -> NEW -> ADDRESS LIST.
2. Enter a meaningful name for the address list and click on :

3. Select the addresses to be added and click on ADD.
To add your own addresses to the address list, enter them in the input field. You can use the placeholders asterisk (*) and question mark (?). It is also possible to enter formally invalid email addresses such as info@domain. For each entry, use a separate line.
To search for an entry, click on . This text search function is also available for dictionaries (see footnote 26).
To remove an entry from the list, select it and click on REMOVE.

4. Click on OK.

26. For further information on finding and replacing, please refer to Searching for Text in Dictionaries on page 302.
5. If the Allow adding addresses from the quarantine option is enabled, the quarantined email's sender address can be added to any address list out of the quarantine (IQ.SUITE MONITOR -> ADD BUTTON) (see footnote 27). By default, the following address lists are enabled for direct access. Creating your own address lists extends this selection correspondingly:
Anti-Spam: Blacklist
Anti-Spam: Newsletter Blacklist
Anti-Spam: Newsletter Whitelist
Anti-Spam: Whitelist

6. Click on OK again.

Your address list has now been created and can be edited or deleted under ADDRESS LISTS. To delete the address list, right-click and select DELETE.

27. Refer to iq.suite Monitor on page 127.
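The placeholder entries described in step 3 decide which senders a job applies to, and an entry in a whitelist exempts every matching sender from checking, so broad patterns deserve a review before the list is assigned to a job. The following Python sketch is an added example, not part of iq.suite or of this manual. It assumes that an entry must match the whole address, that matching is case-insensitive and that * and ? are the only placeholders (the manual does not spell out these details); the function names, the audit heuristics and the sample entries are constructed.

```python
import re

# Constructed sample of a custom whitelist: one entry per line, as the manual requires.
SAMPLE_WHITELIST = """\
*@partner.example
billing-??@supplier.example
info@domain
*@*
*.com
*partner.example
"""


def parse_address_list(text):
    """Return the non-empty entries of an address list, one entry per line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def entry_to_regex(entry):
    """Translate an entry into a regex: '*' is any run of characters, '?' is
    exactly one character, everything else is literal (assumed semantics)."""
    parts = []
    for ch in entry:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def matching_entries(address, entries):
    """Return the entries that match the whole address (assumed: full match)."""
    return [e for e in entries if entry_to_regex(e).fullmatch(address)]


def audit_entry(entry):
    """Return review findings for one whitelist entry (heuristics, not product rules)."""
    findings = []
    _local, at, domain = entry.rpartition("@")
    if not at:
        findings.append("no '@': the pattern spans local part and domain")
    wild = [i for i, ch in enumerate(domain) if ch in "*?"]
    if wild:
        # Only the text after the last placeholder is a fixed part of the domain.
        fixed = domain[wild[-1] + 1:].strip(".")
        if fixed.count(".") < 1:
            findings.append("fewer than two fixed domain labels after the last placeholder")
        if any(domain[i] == "*" and domain[i + 1:i + 2] not in ("", ".") for i in wild):
            findings.append("'*' is not followed by '.': look-alike domains also match")
    return findings


def audit_list(entries):
    """Map each entry that has findings to its list of findings."""
    report = {}
    for entry in entries:
        findings = audit_entry(entry)
        if findings:
            report[entry] = findings
    return report


if __name__ == "__main__":
    entries = parse_address_list(SAMPLE_WHITELIST)
    for entry, findings in audit_list(entries).items():
        print(entry, "->", "; ".join(findings))
    for sender in ("bob@evilpartner.example", "Billing-07@Supplier.Example"):
        print(sender, "matched by", matching_entries(sender, entries))
```
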
5.5.3 Using and Handling Addresses within a Job

In each job, the Addresses tab lets you set the senders and recipients to which a job applies, e.g. whether a job is to be valid for all users or restricted to internal or external recipients. Both conditions in the Message from and Addressed to fields must evaluate to true for an action to be triggered (logical AND). For further information on sender/recipient conditions and sample configurations, please refer to Addresses Tab on page 55.

1. Click on ADVANCED.

2. Select the sender/recipient condition for which a specific action is to be executed. For instance, if you wish to run a job for all addresses included in the Sample List address list, click on the following entry:
3. Select the desired address list (here: Sample List):

4. Confirm with OK.

The address list will now be used in the iq.suite job. For sample configurations of sender/recipient conditions, please refer to Addresses Tab on page 55.
5.6 Creating Notification Templates

In each iq.suite job, you can specify the persons to be notified of erroneous or successful job processing (administrators, senders and/or recipients). For each job type, notification templates are available to be selected within a job (Actions tab). The preconfigured notification templates for the iq.suite modules are stored under BASIC CONFIGURATION -> GENERAL SETTINGS -> TEMPLATES.

To create a new notification template, proceed as follows:

1. Click on TEMPLATES -> <TEMPLATE TYPE> -> <TEMPLATE> -> RIGHT-CLICK -> NEW.

2. Enter the Notification subject.

3. In the Notification Text tab, click on EDIT. Enter the notification text. To customize the layout of your text, use the Formatting toolbar (the commands are internally converted to HTML code). To enter HTML tags directly, open the source code with.

4. Confirm with OK.

Select the new notification template in a job. In the Jobs tab of the notification template, the jobs that use the template are listed.

Related topics: Defining Quarantine Summary Notifications on page 118, Collective Notification on page 74 and Whitelist Notification / Blacklist Notification on page 125.
5.6.1 List of Notification Variables

The notification variables listed in the following table may be used in the notification texts and notification subject lines. Simply insert the desired variables as necessary.

In certain cases, it may be more appropriate not to display individual rows of the notification template, for example, if a cellular phone number has not been entered for all users in the Active Directory. You can use the [COND] conditional variable in these cases by manually entering it in the source text of any notification template. Refer to [COND] variable: on page 360.

Category, type of variable | Variable | Description

General available variables
General: Applicable recipients | [VAR]RestrictedRecipients[/VAR] | Recipients of the email that triggered the action who were defined in the address conditions.
General: Date | [VAR]DateOnly[/VAR] | Date on which the job that started the action was processed.
General: Date and Time | [VAR]Date[/VAR] | Date and time at which the job that started the action was processed.
General: ID of a quarantined email | [VAR]QuarantineDocRef[/VAR] | Unique identifier of the quarantined email.
General: Invalid recipients | [VAR]UnrestrictedRecipients[/VAR] | Recipients of the email that triggered the action who were not defined in the address conditions.
General: iq.suite Report | [VAR]ToolReport[/VAR] | Summary of the scan results.
General: iq.suite Report (details) | [VAR]ToolReportDetails[/VAR] | Scan results with all details.
General: Job name | [VAR]Jobname[/VAR] | Name of the job that started the action.
General: Message ID | [VAR]MsgID[/VAR] | ID of the email.
General: Number of recipients | [VAR]NumberRecipient[/VAR] | Number of recipients to which the email is addressed.
General: Quarantine folder | [VAR]Quarantine[/VAR] | The quarantine in which an email was stored.
General: Recipient(s) | [VAR]Recipients[/VAR] | Recipients of the email that triggered the action.
General: Sender | [VAR]Mailsender[/VAR] | Sender of the email that triggered the action.
General: Sender (SMTP) | [VAR]From[/VAR] | SMTP sender of the email that triggered the action.
General: Server | [VAR]Server[/VAR] | Server through which the affected email was sent (the name entered in the configuration settings).
General: Server (network name) | [VAR]ServerFQDN[/VAR] | Server through which the affected email was sent (the server's network name, Fully Qualified Domain Name).
General: Subject | [VAR]Subject[/VAR] | Subject line of the email that triggered the action.
General: Time | [VAR]TimeOnly[/VAR] | Time at which the job that started the action was processed.

iq.suite Convert
Convert: Name of the converted attachment | [VAR]AttachmentName[/VAR] | Name of the converted file attachment; in form of a list for multiple attachments.
Convert: Size difference of the converted attachment (in %) | [VAR]SizeDeltasPerc[/VAR] | Size difference of the converted file attachment (in %); in form of a list for multiple attachments.
Convert: Size difference of the converted attachment (in KB) | [VAR]SizeDeltasKB[/VAR] | Size difference of the converted file attachment (in KB); in form of a list for multiple attachments.
Convert: Size of the converted attachment (in bytes) | [VAR]AttachmentSize[/VAR] | Size of the converted file attachment prior to conversion (in bytes); in form of a list for multiple attachments.
Convert: Size of the converted attachment (in KB) | [VAR]AttachmentSizeKB[/VAR] | Size of the converted file attachment prior to conversion (in KB); in form of a list for multiple attachments.
Convert: Total number of converted attachments | [VAR]ConvertedCount[/VAR] | Total number of converted file attachments.
Convert: Total size difference of the converted attachments (in KB) | [VAR]SizeDeltaSumKB[/VAR] | Total size difference of the converted file attachments of this email (in KB).
Convert: Total size difference of the original email (in KB) | [VAR]MailSizeDeltaKB[/VAR] | Total size difference of the original email following conversion (in KB).
Convert: Total size of the converted attachments (in bytes) | [VAR]AttachmentSizeSum[/VAR] | Total size of the converted file attachments prior to conversion (in bytes).
Convert: Total size of the converted attachments (in KB) | [VAR]AttachmentSizeSumKB[/VAR] | Total size of the converted file attachments prior to conversion (in KB).

iq.suite Watchdog
Watchdog: Attachment name | [VAR]AttachmentName[/VAR] | Names of the denied/infected file attachments.
Watchdog: Attachment size | [VAR]AttachmentSize[/VAR] | Size of the denied/infected file attachment.
Watchdog: Attachment type | [VAR]FingerprintName[/VAR] | Name of the denied file type.
Watchdog: Email size | [VAR]MessageSize[/VAR] | Overall size of the email.
Watchdog: Email size limit | [VAR]SetSizeLimit[/VAR] | Maximum email size specified in the job.
Watchdog: Fingerprint category | [VAR]Fingerprintcategory[/VAR] | Category of the denied file type.
Watchdog: Virus name | [VAR]Virusname[/VAR] | Names of the viruses found.
Watchdog: Virus scanner | [VAR]virusscanner[/VAR] | Names of the scan engines that have found the viruses.

Information Store Scan
IS-Scan: Database | [VAR]VSAPI_Database[/VAR] | Name of the Information Store where the email was located at the time of the virus scan.
IS-Scan: Database URL | [VAR]VSAPI_Url[/VAR] | URL of the Information Store where the email was located at the time of the virus scan.
IS-Scan: Delivery time | [VAR]VSAPI_DeliveryTime[/VAR] | Date and time at which the email was delivered.
IS-Scan: Error description | [VAR]VSAPI_ErrorText[/VAR] | Description of an error caused by the Information Store job.
IS-Scan: Folder | [VAR]VSAPI_Folder[/VAR] | Name of the Information Store folder where the email was located at the time of the virus scan.
IS-Scan: Mailbox | [VAR]VSAPI_Mailbox[/VAR] | Name of the owner of the mailbox where the email was located at the time of the virus scan.
IS-Scan: Message URL | [VAR]VSAPI_MessageUrl[/VAR] | Information Store URL of the email at the time of the virus scan.
IS-Scan: Server | [VAR]VSAPI_Server[/VAR] | Name of the server on which the virus scan was performed through the Information Store scan.
IS-Scan: Submit time | [VAR]VSAPI_SubmitTime[/VAR] | Date and time at which the email was sent.
IS-Scan: Virus name | [VAR]virusname[/VAR] | Names of the viruses found.
IS-Scan: Virus scanner | [VAR]virusscanner[/VAR] | Names of the scan engines that have found the viruses.

iq.suite Wall

iq.suite Wall - Content filtering
Wall: Content checking details | [VAR]DeniedContentTabHTML[/VAR] | Detailed information on the words/sentences found.
Wall: Denied dictionaries | [VAR]DeniedWordlists[/VAR] | Dictionaries triggering the action, value/threshold reached.
Wall: Denied words | [VAR]DeniedWord[/VAR] | Word triggering the action, value/threshold reached.
Wall: Mail part | [VAR]DeniedMailParts[/VAR] | Attachments/message bodies causing the action.

iq.suite Wall - Spam filtering
Wall: CORE classification category | [VAR]CORECategory[/VAR] | Category in which the email is placed (classified) by CORE. Example: NON-SPAM, SPAM.
Wall: CORE classification result | [VAR]COREPrediction[/VAR] | Precise value for categorizing emails.
Wall: SASI result | [VAR]SASIAnalysis[/VAR] | Return value of the SASI engine, after having checked the email for spam.
Wall: SCL result | [VAR]SCLAnalysis[/VAR] | Return value of the SCL probability level after having checked the email for spam.
Wall: Spam analysis details | [VAR]SpamReportHTML[/VAR] | Detailed information on each spam criterion.
Wall: Spam level | [VAR]SpamLevel[/VAR] | iq.suite Wall adds a spam level in the form of an asterisk rating in steps of 10 in the header of each scanned email (e.g. X-SPAM-TAG: * indicates a spam probability between 0 and 10, X-SPAM-TAG: *** a probability between 20 and 30). You can define a rule that looks for this string in the Outlook message header and applies actions to emails with more than a certain number of asterisks (see footnote a).
Wall: Spam probability | [VAR]SpamValue[/VAR] | Calculated spam probability value (from 0 to 100). This value is compared with the individually defined threshold values in the advanced spam filtering job.

iq.suite Wall - Address Filtering
Wall: Max. number of recipients | [VAR]SetRecipientLimit[/VAR] | The maximum number of recipients defined in the job.
Wall: Restricted recipients | [VAR]DeniedRecipient[/VAR] | Names of the recipients who have triggered an action.
Wall: Restricted senders | [VAR]DeniedSender[/VAR] | Names of the senders who have triggered an action.

iq.suite Wall - Quarantine summary notification
Summary: Current summary report date | [VAR]Nowdate[/VAR] | Date at which the current summary notification was generated.
Summary: Current summary report date and time | [VAR]Now[/VAR] | Date and time at which the current summary notification was generated.
Summary: Current summary report time | [VAR]Nowtime[/VAR] | Time at which the current summary notification was generated.
Summary: Fully qualified domain name | [VAR]FQDN[/VAR] | Full domain name of the server on which the quarantine for which a notification is to be generated is located.
Summary: HTTP port | [VAR]HTTPPort[/VAR] | Port of the HTTP server.
Summary: HTTP server | [VAR]HTTPServer[/VAR] | HTTP server through which HTTP user requests are sent.
Summary: Last summary report date | [VAR]Lastdate[/VAR] | Date at which the previous summary notification was generated.
Summary: Last summary report date and time | [VAR]Last[/VAR] | Date and time at which the previous summary notification was generated.
Summary: Last summary report time | [VAR]Lasttime[/VAR] | Time at which the previous summary notification was generated.
Summary: List of quarantined emails | [VAR]HtmlList[/VAR] | Complete list of all quarantined items for a recipient with HTML formatting (compulsory field in the quarantine summary notification).
Summary: Quarantine | [VAR]Displayname[/VAR] | Name of the quarantine from where the email list was generated.
Summary: Recipients | [VAR]RcptTo[/VAR] | Recipients of the summary notification.
Summary: Request follow-up summary by email | [VAR]Link::MAIL_SendRecentlyadded[/VAR] | Creates an additional link in the summary notification. Users can manually request an intermediate report of their summary notification by email.
Summary: Request follow-up summary via HTTP | [VAR]Link::HTTP_SendRecentlyadded[/VAR] | Creates an additional link in the summary notification. Users can manually request an intermediate report of their summary notification via HTTP.
Summary: Reply to | [VAR]ReplyTo[/VAR] | Address to which replies to the summary notification are to be sent (NotificationReplyTo).
Summary: Sender | [VAR]From[/VAR] | Sender of the summary notification.
Summary: Server | [VAR]Server[/VAR] | Short name of the server where the quarantine is located for which a notification is to be generated.
Summary: Subject | [VAR]Subject[/VAR] | Subject of the summary notification.

iq.suite Wall - Collective notifications
Collective notification: list of notifications | [VAR]NotificationList[/VAR] | HTML list of all notifications (Body), separated by dashes.
Collective notification: table of contents | [VAR]TOCList[/VAR] | Numbered HTML list of all notifications (Subject). Each entry in the list has a link to the corresponding entry in the notification list ("NotificationList" variable).

iq.suite Wall - Whitelist
Whitelist: Clear whitelist by email | [VAR]link::MAIL_ClearWhitelist[/VAR] | Creates an additional link in the summary notification. Users can manually delete a whitelist by email (all entries are removed).
Whitelist: Clear whitelist by web | [VAR]link::HTTP_ClearWhitelis[/VAR] | Creates an additional link in the summary notification. Users can manually delete a whitelist via HTTP (all entries are removed).
Whitelist: Send whitelist by email | [VAR]link::MAIL_SendWhitelist[/VAR] | Creates an additional link in the summary notification. Users can manually request a whitelist by email.
Whitelist: Send whitelist by web | [VAR]link::HTTP_SendWhitelist[/VAR] | Creates an additional link in the summary notification. Users can manually request a whitelist via HTTP.

iq.suite Wall - Blacklist
Blacklist: Clear blacklist by email | [VAR]link::MAIL_ClearBlacklist[/VAR] | Creates an additional link in the summary notification. Users can manually delete a blacklist by email (all entries are removed).
Blacklist: Clear blacklist by web | [VAR]link::HTTP_ClearBlacklist[/VAR] | Creates an additional link in the summary notification. Users can manually delete a blacklist via HTTP (all entries are removed).
Blacklist: Send blacklist by email | [VAR]link::MAIL_SendBlacklist[/VAR] | Creates an additional link in the summary notification. Users can manually request a blacklist by email.
Blacklist: Send blacklist by web | [VAR]link::HTTP_SendBlacklist[/VAR] | Creates an additional link in the summary notification. Users can manually request a blacklist via HTTP.

iq.suite Crypt
Crypt: Analysis results | [VAR]Crypt_Security[/VAR] | Displays the Crypt mode used and its result (email has not been encrypted or decrypted, etc.).
Crypt: Crypt Engine | [VAR]Crypt_Engine[/VAR] | Name of the selected Crypt engine.
Crypt: Crypt method | [VAR]Crypt_Method[/VAR] | Name of encryption method (PGP, S/MIME or PGP/MIME).
Crypt: Crypt mode | [VAR]Crypt_Handling[/VAR] | Job security settings: encrypt, sign, encrypt and sign.
Crypt: Number of imported keys | [VAR]Crypt_NumberImported[/VAR] | Number of imported keys (the email sections from which the keys were imported are counted).
Crypt: Recipients processed | [VAR]Crypt_AffectedRecipients[/VAR] | Recipients for whom a Crypt action has been executed.
WebCrypt Pro: Error code | [VAR]Crypt_ErrorCode[/VAR] | Error code returned in case of an error. Error numbers between 1 and 20 refer to errors of the WebCrypt Pro server.
iq.suite Bridge
Bridge: Connector | [VAR]Bridge_Engine[/VAR] | Display name of the Bridge connector defined under Utilities (from the configuration of the Bridge job).
Bridge: Error code | [VAR]Bridge_ErrorCode[/VAR] | Error code returned by Bridge in case of an error, e.g. when no connection to the Bridge Connector can be established.
Bridge: Error description | [VAR]Bridge_ErrorDescription[/VAR] | Error description returned by Bridge in case of an error, e.g. when no connection to the Bridge Connector can be established.

iq.suite Store (archive)
Store Archiving: ID | [VAR]Archive_ID[/VAR] | ID (in archive) of the email archived with success.
Store Archiving: Engine | [VAR]Archive_Engine[/VAR] | Display name of the archiving engine, set under Utilities (from configuration of the Store job).
Store Archiving: Error code | [VAR]Archive_ErrorCode[/VAR] | Error code returned by the archive interface in case of an error.
Store Archiving: Error description | [VAR]Archive_ErrorDescription[/VAR] | Error description returned by the archive interface in case of an error.
Store Archiving: Size (in bytes) | [VAR]Archive_Size[/VAR] | Number of archived bytes (total of all exported emails).
Store Archiving: Time (in seconds) | [VAR]Archive_Time[/VAR] | Time in seconds needed for archiving.
Userlist: Entries | [VAR]HtmlList[/VAR] | Complete list of all entries for the corresponding recipient with HTML formatting (compulsory field in the blacklist/whitelist notification).
Userlist: Fully Qualified Domain Name | [VAR]FQDN[/VAR] | Full network name of the server hosting the blacklist/whitelist for which the summary notifications are generated.
Userlist: HTTP Port | [VAR]HTTPPort[/VAR] | Port of the HTTP server.
Userlist: HTTP Server | [VAR]HTTPServer[/VAR] | HTTP server through which HTTP user requests are sent.
Userlist: Name | [VAR]Displayname[/VAR] | Name of the blacklist/whitelist used to generate the list of emails.
Userlist: Number | [VAR]SummaryPart[/VAR] | If more than 3 000 new entries are listed in a blacklist/whitelist, the user receives several blacklist/whitelist notifications. The variable returns the consecutive number of the notification ("1" for the first 3 000 entries, "2" for the next 3 000, etc.).
Userlist: Number of entries | [VAR]CollectedSize[/VAR] | Total size of the blacklist/whitelist notification.
Userlist: Recipients | [VAR]RcptTo[/VAR] | Recipients of the blacklist/whitelist notification.
Userlist: Reply address | [VAR]ReplyTo[/VAR] | Address to which the replies to the blacklist/whitelist notifications are to be sent (NotificationReplyTo).
Userlist: Sender | [VAR]From[/VAR] | Sender of the blacklist/whitelist notification.
Userlist: Server | [VAR]Server[/VAR] | Short name of the server hosting the blacklist/whitelist for which the notifications are generated.
Userlist: Subject | [VAR]Subject[/VAR] | Subject of the blacklist/whitelist notification.

a. For further information on creating rules in Outlook, please refer to the Outlook help.
Note that the tokens [VAR] and [/VAR] must always be written in capital letters. For further information on options and syntax of the variables, please refer to Copy the Attach Sender Signature job to MAIL TRANSPORT JOBS. Activate the job. on page 375.

5.7 Creating a Database Connection to an SQL Server

5.7.1 Overview

5.7.1.1 Connection to SQL Servers

By default, the iq.suite data is written to a local database based on the Microsoft Jet engine, without further configuration settings required. If you prefer to have the iq.suite data written to an SQL database instead, you can use a Microsoft SQL Server. This requires adequate knowledge of how to use SQL servers.

Supported systems:
Microsoft SQL Server 2000
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express (with restricted CPU/memory capacity)
Microsoft SQL Server 2008 R2

5.7.1.2 Using SQL Servers

A Microsoft SQL Server could be used in multi-server environments without server synchronization in order to ensure that each user receives a single central whitelist only for all servers involved. Refer to Setting up Central Blacklists/Whitelists on page 110.

In addition, a Microsoft SQL server could also be used for quarantine databases. For this, install an SQL server locally on each iq.suite server. In this way, only one database connection needs to be set up. Refer to Setting up a Local Quarantine Database on page 111.
Please note that iq.suite is optimized for use with a local database based on the Microsoft Jet engine. Complex server environments require a number of configurations of both iq.suite and Microsoft SQL Server, which go beyond the scope of this document.

5.7.2 Configuration of the Database Connection

The following sections describe the configuration of database connections between the iq.suite and a Microsoft SQL Server. Please note that a distinction is made between a central Microsoft SQL Server for central user whitelists and a local Microsoft SQL Server for the quarantine.

5.7.2.1 SQL Server and iq.suite Server

If the SQL server and the iq.suite server are installed on the same computer, the following requirements must be met:
The installations of the SQL server and the iq.suite server are complete.
The database(s) have been set up and the corresponding tables created.
At least one user is defined as database user. This database user has sufficient rights to the database.
The ADO driver has been installed on the iq.suite server.

If the SQL server and the iq.suite server are installed on different computers, the following has to be additionally ensured:
The protocol set on the SQL server meets the requirements for external server operation.
After the SQL server configuration, the service has to be restarted.

The database connection between the iq.suite and the SQL server is established through the ADO protocol:

1. Create a new database connection under BASIC CONFIGURATION -> GENERAL SETTINGS -> DATABASE CONNECTIONS:
2. Under Connection string, enter the ADO string information (refer to example below). Enter the required values manually or use the iq.suite variables (Server, Database, etc.), which will be replaced with the associated values on each server at runtime.

3. Under Database user, enter the name of the SQL user who is allowed to access the database. In the next field, enter the associated password. The values entered here can be retrieved from the ADO string by way of the [ADOUser] and [ADOPwd] variables.

4. Under Command Timeout, define after how many seconds the database connection is canceled if no data is returned from the database. For large databases, we recommend starting with the value '60' (seconds).

The example below illustrates one of many possible configurations for the ADO string (see footnote 28).

Sample connection string:

28. For further information on this and other options and configurations of the Microsoft SQL ADO string, please refer to the applicable documentation from Microsoft.
Provider=SQLOLEDB;User ID=[ADOUser];Password=[ADOPwd];Trusted_Connection=No;Initial Catalog=[DBCatalog];Data Source=LOCALHOST\SQLEXPRESS;

Provider=SQLOLEDB: mandatory parameter needed to specify the provider. Enter the value manually (no iq.suite variable available).

User ID=[ADOUser];Password=[ADOPwd]: mandatory parameters; enter the parameters User ID= and Password= manually in the string and set the iq.suite variables Database user and Password. The inserted variables [ADOUser] and [ADOPwd] will be replaced with the contents of the fields set under Step 3. Using variables is the recommended procedure, as this prevents values in the ADO string from being output in clear text. As an alternative, enter the values manually, in which case you should leave the fields under Step 3 empty.

Trusted_Connection=No: optional parameter for SQL authentication. In order for the SQL server to identify the iq.suite server as Trusted Server, manually enter Trusted_Connection=No; (no iq.suite variable available).

Initial Catalog=[DBCatalog]: mandatory parameter, which sets the database to be used. Manually enter the Initial Catalog= parameter in the string and set the iq.suite variable Database. If using the SQL server for the quarantine, the variable [DBCatalog] will be replaced with the name of the database set under QUARANTINE -> PROPERTIES in the Folder name field. If using the SQL server for a central whitelist, the variable [DBCatalog] will be replaced with the fixed name Whitelist. You can use a database connection for several databases by means of the variable [DBCatalog] within a SQL server. Please note that to ensure connection, the databases have to be created with exactly this name.

Data Source=LOCALHOST\SQLEXPRESS: mandatory parameter for the SQL server entity used. In this example, this is a locally installed Microsoft SQL Server 2005 Express.
Enter the Data Source= parameter manually or set the variable [Server]. This variable will be replaced with the server's NetBIOS name at runtime. If working with sub-domains in more complex environments, you can also use the iq.suite variable Server (network), in which case the [ServerFQDN] variable is set and the server's FQDN (Fully Qualified Domain Name) is read. If the SQL server is used for central whitelists, enter the name of the central SQL server manually.

5.7.3 Setting up Central Blacklists/Whitelists

When emails are processed in a multi-server environment, each server creates its own user whitelists. Thus, without server synchronization, each user is provided with a separate whitelist for each of the servers, which all need to be maintained individually. In order to manage these whitelists centrally and simplify administration, you can set up a Microsoft SQL Server instead of the standard local database based on the Microsoft Jet engine. This Microsoft SQL Server will write the information for all iq.suite servers involved to a central SQL database.

To configure central whitelists, a database connection between the SQL server and the iq.suite server has to be configured first. Then, additional settings are required within the iq.suite in order for iq.suite to be able to retrieve entries from the whitelist database.

Procedure:

Configuration for the database connection depends on the server environment.

1. Depending on the operating environment, proceed as described for the corresponding scenarios under Configuration of the Database Connection on page 107.

2. Under Data Source= enter the central SQL server. Please note that in the database connection ADO string, the [DBCatalog] variable for the whitelist database is replaced with the fixed database name Whitelist. If you plan to use this variable, the database name has to be Whitelist.

3. Under BASIC CONFIGURATION -> IQ.SUITE SERVERS -> PROPERTIES in the Database connection for whitelist entries field, select the SQL server. This field provides a selection of all data sources specified under GENERAL SETTINGS -> DATABASE CONNECTIONS.
4. Open the Advanced Spam Filtering job. In the Actions tab, click on the DEFINITE CRITERIA button and enable the Emails from senders in user whitelist option.

5. Open the SQL Server Enterprise Manager.

6. Navigate to the program directory \GBS\iQ.Suite\Support.

7. Copy the contents of the WHITELIST.sql script to the Query window of the SQL Server Enterprise Manager: SQL SERVER ENTERPRISE MANAGER -> TOOLS -> SQL QUERY ANALYZER.

8. Run the command (query) by selecting Execute Query (F5). The tables required for the central whitelist are added to the SQL server.

5.7.4 Setting up a Local Quarantine Database

Besides using the Microsoft SQL Server for whitelists, it can also be used locally for quarantine databases. Normally, the index of a quarantine is maintained in the local database (Microsoft Jet engine). In case the capacity of a Jet database is insufficient, these entries can also be written to a locally installed SQL server. This requires having installed Microsoft SQL on the mail server.

Procedure:

Configuration for the database connection depends on the server environment.

1. Depending on the operating environment, proceed as described for the corresponding scenarios under Configuration of the Database Connection on page 107.

2. On each server, set Data Source= to Localhost in order to access the locally installed SQL server. Please note that in the database connection ADO string, the [DBCatalog] variable for the quarantine database is replaced with the folder name (FOLDER SETTINGS -> QUARANTINE -> RIGHT-CLICK -> PROPERTIES -> FOLDER NAME). This allows you to use one database connection for several quarantine databases. If you plan to use the [DBCatalog] variable, the database on the SQL server must have this folder name.
When using SQL databases, the database service may fail or become inaccessible. As a result, the quarantine cannot be accessed during that period of unavailability and any emails that should have been quarantined cannot be stored properly. To handle this business-critical situation, you can use the Quarantine is mission critical option for quarantines (FOLDER SETTINGS -> <QUARANTINE> -> RIGHT-CLICK -> PROPERTIES) [29]. This option lets you deal with emails in the event of a quarantine error.

3. Create a new quarantine: FOLDER SETTINGS -> QUARANTINE -> NEW -> QUARANTINE. In the Connection string field, select the previously configured database connection.
4. Open the SQL Server Enterprise Manager.
5. Navigate to the program directory \GBS\iQ.Suite\Support.
6. Copy the contents of the QUARANTINE.sql script to the Query window of the SQL Server Enterprise Manager: SQL SERVER ENTERPRISE MANAGER -> TOOLS -> SQL QUERY ANALYZER.
7. Run the command (query) by selecting Execute Query (F5). The tables required for the quarantine are added to the SQL server.

[29] Refer to Quarantine is mission critical on page 116.
5.7.5 Troubleshooting SQL Servers

Problems that occur during the installation or configuration of an SQL server can have various causes. Therefore, the troubleshooting steps below can only provide basic information as to possible causes:

- Check the port (default: 1433) or adjust it to your server environment. Path for Microsoft SQL Server 2005: CONFIGURATION TOOLS -> SQL SERVER CONFIGURATION MANAGER -> SQL NATIVE CLIENT CONFIGURATION -> CLIENT PROTOCOLS -> TCP/IP.
- Make sure the SQL server browser is enabled. Path for Microsoft SQL Server 2005: CONFIGURATION TOOLS -> SQL SERVER CONFIGURATION MANAGER -> SQL SERVER 2005 SERVICES -> SQL SERVER BROWSER (Status: Running).

If a central SQL Server has been installed on a different computer than the iq.suite server, the following requirements must also be met:

- If using Microsoft SQL Server 2005: CONFIGURATION TOOLS -> SQL SERVER SURFACE AREA CONFIGURATION -> SURFACE AREA CONFIGURATION FOR SERVICES AND CONNECTIONS. Select under MSSQLSERVER -> DATABASE ENGINE -> REMOTE CONNECTIONS the Using both TCP/IP and named pipes option in order to authorize the connection on the SQL server as configured in the ADO string. After configuration is complete, the SQL server service has to be restarted.

Also refer to the quarantine configuration options (mission critical) in case of a database service failure described in the preceding section.
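The first two checks in the list above (port reachability and SQL Server Browser status) can be scripted from the iq.suite server. This is an added example, not part of the manual or the product: the function name Test-IqSqlReachability is hypothetical, and Windows PowerShell 5.1 is assumed because Get-Service -ComputerName is not available in PowerShell 7.

```powershell
# Added example, not GBS code. Assumes Windows PowerShell 5.1 and an account
# that is allowed to query services on the SQL host.
function Test-IqSqlReachability {
    [CmdletBinding()]
    param(
        # 'localhost' for a local quarantine database, or the central SQL server name
        [Parameter(Mandatory)] [string] $SqlHost,
        # Default port named in the manual; adjust to your server environment
        [int] $Port = 1433,
        [int] $TimeoutMs = 3000
    )

    # Check 1: can a TCP connection be opened to the SQL port within the timeout?
    $tcpOpen = $false
    $client  = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($SqlHost, $Port, $null, $null)
        if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $client.EndConnect($pending)      # throws if the connection was refused
            $tcpOpen = $client.Connected
        }
    } catch {
        $tcpOpen = $false
    } finally {
        $client.Close()
    }

    # Check 2: is the SQL Server Browser service (service name SQLBrowser) running?
    $browserStatus = 'Unknown'
    try {
        $svc = Get-Service -Name 'SQLBrowser' -ComputerName $SqlHost -ErrorAction Stop
        $browserStatus = $svc.Status.ToString()
    } catch {
        $browserStatus = "Not queryable: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        SqlHost       = $SqlHost
        Port          = $Port
        TcpReachable  = $tcpOpen
        BrowserStatus = $browserStatus
        # Both conditions from the troubleshooting list are met
        Healthy       = $tcpOpen -and ($browserStatus -eq 'Running')
    }
}

# Example call:
# Test-IqSqlReachability -SqlHost 'localhost' | Format-List
```

A result with TcpReachable set to False while BrowserStatus is Running points at the port or remote-connection settings rather than at the service itself.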
5.8 Folder Settings

5.8.1 Quarantine Configuration

After iq.suite has been installed, each iq.suite server provides several quarantines for storing unwanted emails. The emails actually affected are defined in the job configuration (Addresses and Conditions tabs). Additionally, you have to set the Copy to Quarantine action and specify the desired quarantine.

At iq.suite installation, the Quarantine directory is created in the data directory, which initially contains the default quarantines and later all other newly created quarantines.

There are two types of quarantines:

Regular quarantines
The iq.suite standard configuration already contains some predefined regular quarantines, such as the default quarantine. Regular quarantines are marked with a red icon.

Privacy quarantines
Privacy quarantines are mostly identical to regular quarantines. The difference is that a privacy quarantine can be configured so that information such as the subject line, names of file attachments and/or sender/recipient addresses is not displayed, for secrecy reasons (Options tab). Since this email data is not available in the quarantine view of the iq.suite Monitor, certain actions are not possible, e.g. resending or saving the email. Privacy quarantines are marked with a blue icon.

The emails moved to the quarantine (quarantined emails) can be viewed in iq.suite Monitor. When the quarantine is opened for the first time in iq.suite Monitor, you need to observe the access right authentication rules.

1. Select under BASIC CONFIGURATION -> FOLDER SETTINGS -> QUARANTINE the desired quarantine or right-click on QUARANTINE and select NEW -> QUARANTINE to set up a new one.
The quarantine's Folder Name cannot be changed. This field can only be edited when you create a new quarantine. By default, the folder name is taken from the entry under Name. Only the characters A-Z and 0-9 are used, all others are converted to underscores. The proposed name can be overwritten. Enter the folder name only, not an absolute path. If using an SQL server as quarantine index database, the folder name is also used as database name.

Under Delete mails after, set the number of days after which the quarantined emails are to be removed from the quarantine. To remove all emails from the quarantine simultaneously, select IQ.SUITE MONITOR -> SERVERS -> <SERVER NAME> -> QUARANTINE AREAS -> <QUARANTINE> -> RIGHT-CLICK -> ALL TASKS -> COMPRESS QUARANTINE.

Use the Size of body excerpts field to set whether and how much text from the email body (message body) is to be stored in the quarantine. When setting this field, please take into account the privacy aspects and the required space in the database.

Options:
Write job processing logs: Use this option to log the processing of the last iq.suite job, e.g. to trace back the reasons for quarantining an email. You can call the corresponding email in the iq.suite Monitor and view the processing log including all details in the Processing tab.

Include full processing history: This option is an extension of the Write job processing logs option. If enabled, not only the last iq.suite job having dealt with the email is logged, but the entire job processing chain, including all previous jobs. This log provides information as to why a job was not executed.

Quarantine is mission critical: If enabled, any quarantine error is communicated to the job, after which the job is aborted and the job's troubleshooting routine is started. The action performed with the email (ignore job or move to the Badmail quarantine) depends on the mission critical setting in the job itself. For further information on mission critical jobs, please refer to Options on page 53.

Example: A job used to check attachments detects a video file in an email addressed to an employee. The job is configured to block such emails and move them to the default quarantine. The email is not delivered to the recipient. Due to a quarantine error, the default quarantine is not available, i.e. the email cannot be quarantined. The following settings for the job and the quarantine are conceivable:

a) Both the quarantine and the job are not mission critical:
Result: The quarantine error is ignored. The email cannot be quarantined, but it is not delivered either.
b) The quarantine is not mission critical but the job is mission critical:
Result: Refer to a) above.
c) The quarantine is mission critical but the job is not mission critical:
Result: The job is aborted and the email is passed as it is to the next job in the job chain.
d) Both the quarantine and the job are mission critical:
Result: The email is moved to the Badmail quarantine and not delivered.

As long as the quarantine error has not been eliminated, it will systematically be signaled to the job if the Quarantine is mission critical option is enabled. If the job itself is not mission critical, it will disable itself after a certain time and no longer process any emails. On the other hand, if the job is mission critical as well, each email will be moved to the Badmail quarantine (and not delivered) until the error has been resolved.

Regardless of the actual mission critical setting, the iq.suite administrators are informed by email of recurring quarantine or job errors.

2. If you create a privacy quarantine, the Options tab is available for configuration. Define which email data is not to be displayed in quarantined emails.
3. Open the Summary Reports tab, and configure, if required, a summary notification for the selected quarantine. Refer to Defining Quarantine Summary Notifications on page 118.
4. Once the configuration has been saved, the quarantine is automatically created by the iq.suite service and displayed in iq.suite Monitor [30]. You may have to refresh the view.

Under normal circumstances, the size of a quarantine is limited to 1 GB due to the index database.

5.8.2 Defining Quarantine Summary Notifications

A Quarantine Summary Notification periodically informs the users about the emails addressed to them and quarantined by iq.suite. Using the summary notification, the users can check the senders of quarantined emails and decide whether they want to have the email delivered after all. The actions actually available to the users as well as the additional information provided in the summary notification are set individually for each quarantine and each summary notification.

If you have configured blacklist/whitelist support, you can provide the users with access to their blacklists or whitelists. If you want to allow users to add senders to their user whitelists or blacklists from the summary notification, use the template Quarantine summary report with whitelist support or Quarantine summary report with blacklist support.

If a summary notification is to be sent to the users for a specific quarantine, then you have to configure:

- a template used to set the summary notification layout.
- a quarantine for which the summary notification is to be created. The fields are used to set which emails and which email fields are to be listed in the summary notification.

The [VAR]HTMLList[/VAR] variables and the specification of the email fields form the essential configuration elements. These entries define which content should be displayed in the summary notification.

[30] For further information on quarantines, please refer to Quarantines on page 131.
By default, each iq.suite server sends an individual quarantine summary notification. In a server environment with several iq.suite servers, however, each user receives several quarantine summary notifications. To prevent this, configure a global quarantine summary notification. Refer to Configuring a Global Quarantine Summary Notification on page 124.

5.8.2.1 Template Configuration

1. Open the desired template: BASIC CONFIGURATION -> GENERAL SETTINGS -> TEMPLATES -> QUARANTINE SUMMARIES. If blacklist/whitelist support has been enabled, separate templates will be available.
2. Change the layout of the summary notification as required [31].
3. Use the available variables to set the content of the summary notification. A summary notification consists of general information (e.g. the number of quarantined emails of the user) and links that trigger specific actions, e.g. request a quarantined email. Each entry in the summary notification consists of a descriptive text (e.g. "Number of emails") and the corresponding variable ([VAR]collectedsize[/VAR]).

Do not remove the variable [VAR]HTMLList[/VAR] (summary notification: List of quarantined emails). This entry defines the HTML list.

5.8.2.2 Quarantine Configuration

The users are to periodically receive summary notifications informing them of any emails addressed to them that were blocked and quarantined.

1. Open the desired spam quarantine: BASIC CONFIGURATION -> FOLDER SETTINGS -> QUARANTINE.
2. In the Summary reports tab, click on ADD to configure a new summary notification.

In a server environment with several iq.suite servers, we recommend sending global quarantine summary notifications with a global iq.suite server.

[31] For further information on templates, please refer to Creating Notification Templates on page 94.
Template: Select the configured summary notification under BASIC CONFIGURATION -> GENERAL SETTINGS -> TEMPLATES -> QUARANTINE SUMMARIES.

Summary data: Set which emails are to be listed in the summary notification. If the New mails only option is selected, the only quarantined emails listed are those that were newly quarantined, i.e. not included yet in the previous summary notification.

Options: By default, quarantined emails requested or released by the user are not scanned again by the active iq.suite jobs. Each email requested from the summary notification is delivered unscanned when resent. If these emails should be scanned a second time by all iq.suite jobs, select the Process with iq.suite jobs option.

3. In the Recipients tab, define the notification type and the recipients of the summary notification:

Notification type: The notification type determines the content of the summary notification.
- Administrative summary report: The summary notification contains information on all quarantined emails for all users.
- User-related summary report: The summary notification contains information on the emails put in quarantine for specific users.

In the case of a user-related summary report, the specified User type determines to whom user-specific summary notifications are sent:

- Send summary report to all email recipients / sender: The user-specific summary notification is sent to all original email senders whose emails were quarantined, and to all recipients to whom these emails were originally addressed.
- Send summary report to the following addresses only: The user-specific summary notification will only be sent to those users whose addresses are specified (select using the Address dialog).

In the case of an administrative summary report, the following recipients may be specified:

- Send to all iq.suite administrators: The administrative summary notification is delivered to all iq.suite administrators (entry under iq.suite Server).
- Only send to following addresses: The administrative summary notification will be sent to those users whose addresses are specified (select using the Address dialog).

In general, administrative summary notifications should only be configured for authorized users or administrators.

4. In the Summary Fields tab, specify which fields of the quarantined emails are to be included in the summary notification.

From the Variable list, select the fields to be read from the quarantined email. For instance, if you select Subject, the Subject line of the quarantined email is included in the summary notification.

The recipient of the summary notification can perform an action for the selected email by clicking on the links in the notification. Select the actions the user will be allowed to execute:

- Request: The quarantined email is delivered to the recipient of the summary notification. Enable this action in user-related summary notifications.
- Release: The quarantined email is forwarded to all original recipients of the email. Enable this action in administrative summary notifications.
- Remove: The quarantined email is marked for deletion in the quarantine.
- Add to whitelist: The sender of the email is added to the user whitelist.
- Add to blacklist: The sender of the email is added to the user blacklist.

A list of all quarantines is available under FOLDER SETTINGS -> QUARANTINE. The 'summary report' column shows for which quarantines a summary notification has been configured (Yes/No).

You can create several summary notifications with different contents for the same quarantine. The emails are retrieved separately from the quarantine for each summary notification, even if the schedule is the same for all of them.

5. In the Whitelist Fields or Blacklist Fields tab, select the quarantined email fields to be listed in the whitelist or blacklist notification. Refer to Whitelist Notification / Blacklist Notification on page 125.
6. Select the Schedule tab and click on ADD. Specify the desired period:
a) Weekly, e.g. every Monday at 10:00 PM.
b) Monthly (calendar days), e.g. on the 15th and the last day of the month.
c) Monthly (weekdays), e.g. every second and fourth week of the month on Monday.

In this example, an action is run every 15th and on the last day of the month at midnight.

5.8.3 Configuring a Global Quarantine Summary Notification

In a server environment with several iq.suite servers using the same iq.suite configuration with the same quarantines, we recommend configuring a global quarantine summary notification that combines all notifications for all the quarantines of a user into one notification. Without global quarantine summary notifications, each internal user receives an individual summary notification for each of his/her quarantines from each involved iq.suite server.

Specify a global iq.suite server. This server collects all the required quarantine data from all involved quarantines into one global quarantine summary notification and sends it to the internal users.

1. Open the iq.suite servers settings: GENERAL SETTINGS -> IQ.SUITE SERVERS SETTINGS -> OPTIONS TAB.
2. Under iq.suite Server, select the iq.suite server that is to be defined as global iq.suite server.
3. Under User/Password, enter the name and the password for the user who has the administrative rights on all the quarantines of all iq.suite servers (e.g. the iq.suite administrator).
4. Define for which quarantines a global quarantine summary notification is to be created. Open the desired quarantines under FOLDER SETTINGS -> QUARANTINE and enable in the Summary Notification tab the Create globale quarantine summary notification option. When this option is not enabled, each involved iq.suite server will send individual summary notifications for this quarantine.
5.8.4 Whitelist Notification / Blacklist Notification

While quarantine summary reports inform users about the emails quarantined by the iq.suite, the whitelist or blacklist notifications inform the user of new entries in his/her whitelist or blacklist.

For a recipient of a quarantine summary notification to be able to manage the entries in his/her whitelist and request a whitelist report, select the template with Whitelist Support for the quarantine summary notification. The same applies by analogy for blacklists. Refer to Defining Quarantine Summary Notifications on page 118.

Under Whitelist template or Blacklist template, select the associated template defined under GENERAL SETTINGS -> TEMPLATES -> QUARANTINE SUMMARIES [32].

[32] Related topics: Defining Quarantine Summary Notifications on page 118 and Setting up Central Blacklists/Whitelists on page 110.
6 iq.suite Monitor

With iq.suite Monitor, certain activities of the iq.suite servers can be watched and actions executed, e.g. the quarantined emails can be displayed (incl. the Badmail quarantine), scanners or connectors tested etc. All iq.suite servers configured under BASIC CONFIGURATION -> IQ.SUITE SERVERS are displayed in the iq.suite Monitor area after refreshing the view [33].

iq.suite Monitor accesses the servers via the network using SSL encryption. Therefore, iq.suite Monitor normally requires a login as authorized user. If you are not logged in to the server locally, a login dialog will prompt you for a user name and password to access the corresponding domain.

The iq.suite Monitor access rights are set in the properties of the access.acl file located in the ...\gbs\iq.suite\appdata\ directory. In the Security tab, provide the desired users with at least Read rights.

The login dialog for another server appears only if your current user does not have sufficient access rights for the second server. It is possible to log in to several servers at the same time using different user names and thus to access every iq.suite Monitor on each server. During the iq.suite installation, access rights are granted according to the rights to the parent drive, i.e. the administrator will usually automatically have access.

To observe quarantine data in iq.suite Monitor, proceed as follows:

1. Set up the desired quarantine as described under Quarantine Configuration on page 114.
2. Click on the desired server.
3. Authenticate yourself with a user name and a password with sufficient rights to access the iq.suite data on the server's file system.
4. In iq.suite Monitor, open the quarantine you wish to view, e.g. the BADMAIL quarantine. All emails moved to the Badmail quarantine will be displayed (up to a maximum of 10 000).

[33] Refer to Settings for an Individual iq.suite Server on page 79.
5. The quarantined emails can be opened, filtered, and resent as required.

6.1 Server Status

For each of the configured iq.suite servers, the Server Status feature provides information on server settings relevant for the iq.suite and test functions to check certain configurations: IQ.SUITE MONITOR -> SERVERS -> <SERVER NAME> -> SERVER STATUS -> GENERAL TAB.

6.1.1 General Tab

The General tab provides general information on the current iq.suite version, the date of the last virus scanner update, licensed modules etc. This tab cannot be modified.
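The introduction to this chapter states that Read rights on access.acl decide who can log in to iq.suite Monitor, and that the initial rights are taken from the parent drive. The following added example (not part of the manual or the product) lists the entries on that file and flags inherited or very broad grants. The function name Get-IqMonitorAccess is hypothetical, and the full path has to be supplied by the caller because the manual only gives ...\gbs\iq.suite\appdata\.

```powershell
# Added example, not GBS code. Lists who holds Read rights on access.acl,
# which according to the manual is what grants access to iq.suite Monitor.
function Get-IqMonitorAccess {
    [CmdletBinding()]
    param(
        # Full path to access.acl. The manual elides the leading part of the
        # path, so the real location must be passed in.
        [Parameter(Mandatory)] [string] $AclFile
    )

    if (-not (Test-Path -LiteralPath $AclFile -PathType Leaf)) {
        throw "File not found: $AclFile"
    }

    # Well-known SIDs of broad groups. SIDs are compared instead of names so
    # that the check also works on localized Windows installations.
    $broadSids = @('S-1-1-0',        # Everyone
                   'S-1-5-7',        # Anonymous Logon
                   'S-1-5-11',       # Authenticated Users
                   'S-1-5-32-545')   # BUILTIN\Users

    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

    $acl = Get-Acl -LiteralPath $AclFile

    # Explicit and inherited rules, with identities returned as SIDs
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        try {
            $name = $rule.IdentityReference.Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch {
            $name = $sid    # orphaned SID that no longer resolves to an account
        }

        $allowsRead = ($rule.AccessControlType -eq 'Allow') -and
                      ((([int]$rule.FileSystemRights) -band $readData) -ne 0)

        [pscustomobject]@{
            Identity     = $name
            Type         = $rule.AccessControlType   # Allow or Deny
            Rights       = $rule.FileSystemRights
            Inherited    = $rule.IsInherited         # True = came from the parent folder or drive
            AllowsRead   = $allowsRead
            BroadGroup   = $allowsRead -and ($broadSids -contains $sid)
        }
    }
}

# Example call (placeholder path):
# Get-IqMonitorAccess -AclFile '<path-to>\access.acl' | Format-Table -AutoSize
```

Group memberships are not expanded, so a listed group still has to be reviewed for who belongs to it.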
6.1.2 Test Tab

The Test tab is used to check specific iq.suite settings:

Scan Engine Test: Use this option to test whether the virus scanners used work correctly. To do so, the software checks whether the scan engine recognizes the EICAR test virus or the anti-spam engines used recognize the GTUBE test spam string. Both test strings contain harmless code that is unable to damage your system environment. The test results are indicated by OK or ERROR.

Scan Engine / Antispam Update: Use this option to test whether virus scanner and anti-spam engine updates are performed correctly. Further, you can start synchronization of the KeyManager certificates. Anti-spam engines as well as some of the virus scanners periodically download data from a defined download site. This ensures that iq.suite uses the most recent data when processing emails, e.g. the most recent search patterns for spam recognition. The test results are indicated by OK or ERROR.

TNEF-to-Mime Decoder Test: Use this option to test whether the decoder used for converting TNEF emails to MIME works correctly. This option is only
relevant if you are using iq.suite Bridge or iq.suite Store and want to archive internal emails (TNEF emails) in MIME format.

Archive Connector Test: Use this option to test whether the archive connector used works properly. This option is only relevant if you are using iq.suite Store for Microsoft Exchange and wish to archive emails through the iq.suite Store archiving interface.

6.1.3 Information Store Scan Tab

Use the Information Store Scan tab to restart Information Store scanning or to display the latest scan report:

Rescan: Starts scanning of the Information Store. As an alternative to this function, configure Information Store scanning in the Information Store job.

When scanning is restarted, all elements in the Information Store are checked one more time. Please note that Information Store scanning may take a long time and uses a lot of processor capacity. It is therefore advisable to restart scanning during periods of low system usage and virus scanner updates.

Show report: Displays detailed information on the last Information Store scan (e.g. time and date of the last scan, whether a virus has been detected and in which database, etc.).
6.2 Quarantines

6.2.1 General

If you have selected the Copy to Quarantine option in the Actions tab of a job, all affected emails are quarantined under IQ.SUITE MONITOR -> SERVERS -> <SERVER NAME> -> QUARANTINE AREAS. By default, iq.suite provides the following quarantines:

- Badmail quarantine: Contains emails classified as badmail. Refer to Badmails on page 140.
- Information Store quarantine: Contains emails quarantined by an Information Store job. Refer to Virus Scanning in the Information Store on page 223.
- Anti-spam quarantines: Each of these quarantines contains emails classified as spam by an iq.suite Wall anti-spam job. Depending on the classification level, spam emails are moved to one of the quarantines. Refer to CORE Classification on page 309.
- Default quarantine: Contains all quarantined emails that could not be assigned to any other quarantine. This is the quarantine where emails are stored by default.

Additional quarantines can be created to classify the quarantined emails stored in the default quarantine. Furthermore, emails can be stored in privacy quarantines to prevent certain email data from being displayed in the iq.suite Monitor. Refer to Quarantine Configuration on page 114.

For each email that meets the requirements configured in the job, the Copy to quarantine action generates a quarantined email, which is stored in the configured quarantine [34].

[34] Refer to Quarantine Configuration on page 114.
6.2.2 Filter Options

Within a quarantine, you can filter emails according to numerous selection criteria such as by date/time, job type, label, etc. To do so, click on : To reset the options, click on.
6.2.3 Example Quarantined Email in Default Quarantine

To view information about a quarantined email (e.g. to find out the reason why it was quarantined), double-click on the email:

1. The Message tab contains general information such as date, time and the email sender.

Note that certain information is not displayed in privacy quarantines and most of the quarantine actions available for regular quarantines cannot be executed.

Icons:
- Save selected attachments as.
- Send email from quarantine.
- Delete email in quarantine.
- Set, edit or delete the label for the email.
- Save email as.
- Open Online Help.
- Next email in quarantine/badmail.
- Previous email in quarantine/badmail.

To add the email's SMTP sender to an address list for anti-spam protection, click on the ADD TO button. The address lists shown with this button are set individually [35]. Once you have added the sender address to the address list, a message appears.

To copy the email to another Quarantine on this server, click on the COPY TO button.

You can also assign a CORE classification category to the email [36]. You can select the CORE classifier available on this server and then assign a category to the email. You will then find this email in the corresponding CORE classifier category: IQ.SUITE MONITOR -> SERVERS -> <SERVER NAME> -> CORE CLASSIFIER AREAS -> <CLASSIFIER NAME> -> <CATEGORY NAME>.

2. The Processing Log tab displays the:
- Name and type of the job that has quarantined the email.

[35] For further information, please refer to Address Lists on page 89.
[36] Refer to CORE Classifiers on page 140.
- Server name.
- Reason for quarantining the email.
- Processing details.

3. The Resent Log tab displays details on the resend from quarantine process.

Use RIGHT-CLICK -> ALL TASKS from the context menu to apply one of the following actions to a quarantined email:

- Send the quarantined email to any recipient. Refer to Sending From Quarantine on page 138.
- Add a label to the quarantined email.
- Add the sender or sender domain to an address list. Refer to Adding Senders to an Address List on page 139.
- Copy the quarantined email to another quarantine.

iq.suite Monitor displays a maximum of 10 000 quarantined emails (the most recent ones). To view older quarantined emails, restrict the list displayed using the appropriate filter options.
6.2.4 Example Quarantined Email in Information Store Quarantine

To view information about a quarantined email (e.g. to find out the reason why it was quarantined), open the quarantined email:

1. The Object tab contains general information such as date, time and the email sender.

Icons:
- Delete email in quarantine.
- Set, edit or delete the label for the email.
- Save email as.
- Open Online Help.
- Next email in the quarantine.
- Previous email in the quarantine.
To copy the item to another quarantine on this server, click on the COPY button.

2. The Processing tab displays the following information:
- Name and type of the job that has quarantined the email.
- Server name.
- Reason for quarantining the email.
- Processing details.
6.2.5 Sending From Quarantine

If you want to send a quarantined email to its original recipient or another user, you can resend it directly from the quarantine without having it rechecked by an iq.suite job:

1. Open the quarantine which contains the desired quarantined email, right-click on the email and select ALL TASKS -> RESEND QUARANTINE ITEM. As an alternative, you can send the email directly from the Properties dialog by clicking on :
2. To change the recipient, enable the Change email recipients option and then click on (Select Address). The From field of the email contains the original sender (i.e. not a forwarded email).

No address lists are available to select an address for resending from quarantine [37].

[37] For further information on address lists, please refer to Address Lists on page 89.
3. Normally, you do not want any jobs to process the quarantined email. For this, select the Deliver the email bypassing any iq.suite jobs on this server option.

This is a global setting. If you have enabled jobs that are to scan emails resent from quarantine, select the Resubmit the email to all iq.suite jobs on this server option. Otherwise, the Check emails resent from quarantine job setting will not apply and all emails will be forwarded unprocessed.

The Resubmit the email to all iq.suite jobs on this server option only applies to those jobs for which the Quarantined emails: Check emails resent from quarantine option is enabled. All jobs for which the Ignore emails resent from quarantine option is enabled will be excluded.

6.2.6 Adding Senders to an Address List

If the email of a specific sender has been quarantined but you wish future emails from this sender to be accepted, you can add the sender to one of your address lists, e.g. Anti-Spam: Whitelist:

1. Open the quarantine in which the desired quarantined email is stored: RIGHT-CLICK ON THE EMAIL -> ALL TASKS -> ADD SENDER TO ADDRESS LIST.
2. Select the address list to which the sender is to be added.
3. As an alternative to selecting an individual sender, you can define all senders from a specific domain as trustworthy. Those emails are sent directly to the recipients. For this, select the Add mail domain to address list option. This avoids having to add every single email sender from a domain (e.g. a customer) to the address list individually. The address is added in the form *@company-x.com.

In both cases, the Addresses may be added from Quarantine option must be enabled within the address list. Otherwise, the selected sender address cannot be added to the list.
6.2.7 Badmails

Badmails are emails that cannot be processed by iq.suite jobs, or only incompletely, and are therefore moved to a separate Badmail quarantine (IQ.SUITE MONITOR -> SERVERS -> <SERVER NAME> -> QUARANTINE AREAS -> QUARANTINE -> BADMAIL).

For safety reasons, emails should be moved to the Badmail quarantine if a virus scanner is temporarily unavailable and the emails therefore could not be checked for viruses. Very large emails, which could cause performance problems due to their high disk space requirement, can also be moved to the Badmail quarantine. Define these settings directly at the iq.suite server. Refer to Packed Files and iq.suite Monitor on page 72.

Badmails are a special type of quarantined email. Thus, the same functions and options apply to badmails as to quarantined emails. Please note that badmails cannot be checked for viruses or spam!

Each iq.suite server has one separate Badmail quarantine. Further Badmail quarantines cannot be created.

6.3 Bridge Quarantines

If using iq.suite Bridge, you can create multiple quarantines.

6.4 CORE Classifiers

The CORE technology is used for content filtering and classification with iq.suite Wall. The CORE classifiers used to this end divide the emails into various content categories.

Here, you can manage and teach your CORE classifiers. Listed below each classifier are the categories you have created with the associated emails. To teach the classifier, drag and drop emails from the quarantines to the classifier categories. Then right-click on the classifier you want to teach and select ALL TASKS -> TEACH CLASSIFIER.

For further information on the CORE technology and using CORE classifiers, please refer to CORE Classification on page 309.
6.5 iq.suite Reports

For special reporting and statistics features, an additional package can be installed manually afterwards when required. The installation only takes a few minutes and does not require a separate license. Afterwards, the features are available under IQ.SUITE MONITOR -> SERVERS -> <SERVER NAME> -> IQ.SUITE REPORTS.

The iq.suite Reporting and Statistics functions are used to retrieve detailed information on email processing. Eight predefined reports and one advanced statistics report are available. The advanced statistics report can be defined individually. The reports can be accessed through iq.suite Monitor.

The reports list the policy violations detected (e.g. viruses, unwanted file attachments) both graphically and in tabular form. Specific reports are available for the most current iq.suite issues. In addition, information on iq.suite quarantines is also provided. Reports can be created for freely selectable periods of time. Reports over several pages can be displayed using. The reports can be printed and exported with a wide range of options for further processing:

The report data is temporarily stored during processing and written to the evaluation database at half-hour intervals, i.e. processed emails do not immediately appear in the reports.

Click on IQ.SUITE REPORTS and double-click on the required report in the right pane to open it. In the window that now appears, enter the desired time span for the report. Click on to export the analysis in one of several formats for importing into another application.
7 iq.suite Crypt

7.1 Overview

iq.suite Crypt is used to encrypt, decrypt, sign or verify emails. With its flexible configuration options, Crypt lets you centrally define corporate encryption policies. Powerful asymmetrical and symmetrical encryption is implemented with standard methods such as PGP, GnuPG or S/MIME, which can also be used in parallel [38].

For the user, the encryption is fully transparent, regardless of the email client used. The GBS solution draws the boundary of confidential communication on the server and not at the client. Within your company, the email is transmitted unencrypted.

Advantages:

1. Email security on the way through the Internet or other public networks. The email cannot be read by unauthorized persons.
2. Convenient key management. The keys are stored only once on the server.
3. Since encryption is not performed on the clients, the required installation and training is considerably reduced. Users benefit from outstanding ease of use.
4. Virus checking possible before or afterwards.
5. Content analysis possible before or afterwards.

As a general rule, to send encrypted email, a cryptography tool is required on both communication sides on the server (or the client). There are two widely used encryption methods:

- PGP or GnuPG, a free alternative to PGP
- S/MIME

[38] For further information on cryptography and encryption methods, please refer to the Crypt Whitepaper. Download under www.gbs.com.
iq.suite Crypt can use either PGP/GnuPG or S/MIME to encrypt and decrypt emails. These two methods are not compatible with each other, i.e. you cannot, for example, use S/MIME to decrypt a PGP-encrypted email. You can, however, use both standards at the same time on your server.

An alternative to the methods described above is WebCrypt Pro for email encryption and decryption. WebCrypt Pro enables email encryption even if the communication partner does not use any encryption solution [39].

With iq.suite KeyManager, self-signed and public/private keys from accredited certification authorities (e.g. VeriSign) can be administered centrally and synchronized with a local certificate store [40].

7.1.1 Job Types

Depending on how you use iq.suite Crypt, various job types are available:

Job: Crypt Key Import
    Importing PGP keys and S/MIME certificates
Job: Crypt Outbound with PGP/GnuPG or S/MIME
    Encrypting or signing emails
Job: Crypt Inbound with PGP/GnuPG or S/MIME
    Decrypting or verifying emails

For further information on setting up jobs, please refer to the description provided for the sample jobs, e.g. Sample Job: PGP or GnuPG Key Import on page 155.

iq.suite Crypt can encrypt and decrypt emails with PGP/GnuPG, PGP/MIME or S/MIME. As these methods are not compatible with each other, create a separate job for each Crypt type.

[39] Please note that WebCrypt Pro requires a separate license. Refer to Encryption with WebCrypt Pro on page 205.
[40] Please note that KeyManager requires a separate license. Refer to Using iq.suite KeyManager on page 190.
7.1.2 PGP/GnuPG Getting Started

1. Install PGP or GnuPG.
2. Generate a key pair.
3. Add your private key to the private key ring.
4. Add the public key to the public key ring.
5. Let your communication partners know your corporate public key.
6. Configure the PGP or GnuPG engine. Refer to Configuration of the PGP or GnuPG Crypt Engine on page 150.
7. Save your communication partner's public key. Refer to Automatic Key Import with PGP/GnuPG on page 155.
8. Optionally, set up and enable the key import job and import the public keys. Refer to Sample Job: PGP or GnuPG Key Import on page 155.
9. Sign public keys of the recipients.
10. Set up the decryption job. Refer to Decryption Sequence with PGP or PGP/MIME on page 165 and Sample Job: Decrypting Emails with PGP/GnuPG on page 165.
11. Set up the encryption job. Refer to Encryption Sequence with PGP or PGP/MIME on page 158 and Sample Job: Encrypting Emails with PGP/GnuPG on page 158.

7.1.3 S/MIME2 Getting Started

1. Configure an S/MIME2 engine. Refer to Configuration of the S/MIME2 Engine on page 169.
2. Import your PFX files into the local Windows certificate store. For test purposes, use the sample certificates stored under <Install-Dir>\iQ.Suite\GrpData\smimedata\demo certificates.
3. Configure a decryption job. Refer to Decryption Sequence with S/MIME on page 183 and Sample Job: Decrypting Emails with S/MIME on page 183.
4. In iq.suite, configure an encryption job. Refer to Encryption Sequence with S/MIME on page 176 and Sample Job: Encrypting Emails with S/MIME on page 177.

7.1.4 Global Mappings

iq.suite Crypt encryption and decryption jobs let you set how to handle addresses for which key IDs exist in a public key ring or a Windows certificate store. Using a mapping table, these key IDs are assigned to recipient addresses.

To be able to use specific recipient addresses in several Crypt jobs without having to enter them in a mapping table for each of these jobs, you can define such addresses as Global Mappings.

To create an address as a global mapping, select BASIC CONFIGURATION -> UTILITY SETTINGS -> CRYPT SETTINGS -> GLOBAL MAPPINGS:

Email address: Specify the desired recipient address to be created as global mapping, e.g. an individual address or an entire domain. Wildcards are permitted.
Key ID: Specify the key ID associated with the email address, as entered in the public key ring.

Create each address that is to be available for multiple jobs as a separate global mapping. Within Crypt jobs, you can set whether all or no global mappings are to be used. Refer to Open the Mapping tab: on page 163 and Open the Mapping tab: on page 181.
7.2 PGP/GnuPG General Information

Using PGP or GnuPG for encryption, the sender encrypts the email with the recipient's public key before sending it. Only the recipient can decrypt this email with his/her private key. As opposed to symmetrical encryption using passwords, no secure lines are needed to exchange keys between senders and recipients [41].

7.2.1 Encryption/Decryption with PGP or GnuPG

Encryption:

1. An internal sender sends an email to an external recipient.
2. On the server, Crypt determines the key for all recipients and calls PGP or GnuPG for email encryption.
3. PGP or GnuPG encrypts all message bodies and file attachments on a per-file basis. The originals are then replaced with their encrypted counterparts.
4. When this is complete, the encrypted emails are released and sent to the external recipients.

Decryption:

To decrypt emails with Crypt, specify the senders whose email you want to decrypt. This can be all senders with an Internet domain or individual users included in the address settings.

1. An encrypted email addressed to an internal user arrives on the internal mail server.
2. Crypt first checks all attachments. Then Crypt checks for an encrypted message body by looking for a standard PGP text string: -----BEGIN PGP MESSAGE-----
3. If found (meaning the email was encrypted), Crypt decrypts the message body and any attachments using the recipient's private key.

[41] For further information on PGP, please refer to http://www.pgpi.org/. For further information on GnuPG, please refer to http://www.gnupg.org/.
4. Decryption uses a password, which must be the same for all private keys in the key ring. To allow use of the private key, the password is passed from Crypt to PGP.
5. The encrypted parts are replaced with the decrypted ones and the decrypted email is released for delivery to the client.

7.2.2 PGP/MIME

iq.suite Crypt supports encryption and decryption with PGP/MIME. PGP/MIME was developed from the first PGP/Inline process. Specified in RFC 3156, PGP/MIME uses the same encryption format as S/MIME, but uses PGP technology, which encrypts the entire email as a whole rather than its individual parts. The email content type is multipart/encrypted (or multipart/signed). As opposed to normal PGP encryption, formatting information and non-ASCII characters are not lost with this encryption method. The PGP signature is included separately in an attachment, which simplifies reading and replying and also reduces the likelihood of errors.

Please note that some clients do not support PGP/MIME.

7.2.3 Preliminaries for PGP or GnuPG

To use PGP or GnuPG encryption and decryption with Crypt, proceed as follows:

1. Install PGP or GnuPG on your server, following the installation instructions for PGP/GnuPG.
2. In PGP, generate a key pair consisting of the public key and the secret private key. The public key is made publicly available so that all potential senders can use it. The private key must be kept secret in a secure location.
3. Configure the Crypt engine for PGP or GnuPG under BASIC CONFIGURATION -> UTILITY SETTINGS -> CRYPT SETTINGS -> CRYPT ENGINES.
4. Import the recipients' public keys into the PGP key ring, e.g. using the iq.suite Import job.
5. Sign the keys.
6. Configure and activate an appropriate Crypt job.

Make sure that you sign the public keys and/or mark them as trusted after their import into the PGP key ring, otherwise they cannot be used.

7.2.4 Configuration of the PGP or GnuPG Crypt Engine

If you are using PGP or GnuPG, check the version you have installed. The Crypt engines are configured for GnuPG as of version 1.2.x and PGP as of version 6.5.8. This applies to all settings including the variables. To configure other versions of GnuPG or PGP, proceed as follows:

1. Copy the preconfigured GnuPG or PGP engine by right-clicking and selecting ALL TASKS -> DUPLICATE.
2. Enter a meaningful name for the new engine, e.g. include the version number in the name.
3. Change the settings and variables for your version. For this, please refer to your PGP or GnuPG documentation.
4. Save the engine.
5. Once you have set up the new PGP or GnuPG engine, it is available for all jobs.

This example illustrates how to configure the GnuPG engine. The configuration for PGP is identical.

1. Under BASIC CONFIGURATION -> UTILITY SETTINGS -> CRYPT SETTINGS -> CRYPT ENGINES, open the GnuPG 1.2.x and 1.4.x engine.
In the General tab, perform the following settings:

GBS Crypt Interface: DLL file that links the iq.suite with the GnuPG engine. Do not change this entry.
PGP executable: Specify the GnuPG EXE file with its absolute path, e.g. c:\program files\crypt\gnupg\gpg.exe.
Timeout: Number of seconds after which the attempt to connect to the Crypt engine is interrupted if unsuccessful. Take your server's performance into account when setting this value.
PGP directory: Absolute path to the GnuPG directory.
Public key ring: Absolute path to the file containing the GnuPG public keys, e.g. gnupg\pubring.gpg.
Private key ring: Absolute path to the file containing the GnuPG private keys, e.g. c:\program files\crypt\gnupg\secring.gpg.
Key ring passphrase: Passphrase for the private key ring. The password may contain all printable characters from the 7-bit ASCII character set (US-ASCII) except the quotation mark.
Signature key ID: Key identification of the (private) corporate key to be systematically used for signing, e.g. info@mycompany.com

You can also enter the relative path to the files except for the configuration of the GnuPG 1.0.6 engine, which requires the absolute path.

2. Open the PGP Options tab:

Parameters: The parameters entered here apply to GnuPG Version 1.2.x. and 1.4.x. In the PGP configuration, the parameters apply to PGP version 5/6/08. If you have another version of PGP or GnuPG installed, you may have to change these settings. In that case, please contact the GBS Support Team.
Options: The same applies to the options as for the parameters.
Add this extension: After encryption with PGP or GnuPG, this file extension is appended to each encrypted email section (except for the message body) before being sent. Crypt uses these extensions only for PGP (not for PGP/MIME). Specify the Crypt method in the job.
Remove this extension: During decryption, any file extensions added to encrypted email sections are removed again (except for the message body).
The extensions entered here are normally used for PGP encryption and iq.suite Crypt assumes that these emails have received the extension during encryption. Crypt uses these extensions only for PGP (not for PGP/MIME). Specify the Crypt method in the job.

3. Open the Fingerprints tab:

The fingerprints in the upper section of the tab identify the PGP key to be imported. Whenever an email section arrives with a fingerprint specified in this tab, the key import job will know that it is a PGP key.

The fingerprints in the lower section identify emails that have already been PGP-encrypted and/or PGP-signed on the client and are being processed for sending on the server. It is possible to define exceptions for these emails in the Crypt job. The fingerprints apply to the Crypt PGP encryption method only, not to PGP/MIME.

All known fingerprints for identifying PGP keys and encrypted PGP emails are preconfigured [42].

4. Open the Variables tab:

[42] For further information on fingerprints, please refer to Fingerprints on page 248.
The variables entered here apply to GnuPG Version 1.2.x. and 1.4.x. In the PGP configuration, the variables apply to PGP Version 6.5.8. If you have another version of PGP or GnuPG installed, you may have to change these variables. In that case, please contact the GBS Support Team.

To add a variable click on ADD, and to edit it click on EDIT.

5. Open the Jobs tab. The Jobs tab lists the jobs that use the GnuPG engine.
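The difference between PGP/MIME (visible from the content type) and inline PGP (visible only from fingerprints in the individual email elements) can be reproduced with a short script. This is an added example, not GBS code: function names, labels and the sample messages are constructed, only the BEGIN PGP MESSAGE marker is taken from the manual, and the script goes slightly further by also recognising S/MIME and TNEF content types.

```python
from email import message_from_string

# Only BEGIN PGP MESSAGE is quoted in the manual; the other two armor lines are
# standard OpenPGP headers added here as assumptions, not the product's list.
FINGERPRINTS = {
    "-----BEGIN PGP MESSAGE-----": "pgp-encrypted",
    "-----BEGIN PGP SIGNED MESSAGE-----": "pgp-signed",
    "-----BEGIN PGP PUBLIC KEY BLOCK-----": "pgp-public-key",
}
SMIME_BODY = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
SIG_PROTOCOLS = {"application/pgp-signature", "application/pkcs7-signature",
                 "application/x-pkcs7-signature"}


def scan_parts(msg):
    """Apply the fingerprints to every leaf element (body and attachments)."""
    found = {}
    for index, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        text = (part.get_payload(decode=True) or b"").decode("ascii", "replace")
        label = next((v for k, v in FINGERPRINTS.items() if k in text), "plain")
        name = part.get_filename() or part.get_content_type()
        found[f"{index}:{name}"] = label
    return found


def classify(raw):
    """Return (category, per-part labels) for one raw message string."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    proto = str(msg.get_param("protocol") or "").lower()
    smime_type = str(msg.get_param("smime-type") or "").lower()
    parts = scan_parts(msg)

    if any(p.get_content_type() == "application/ms-tnef" for p in msg.walk()):
        return "tnef", parts
    # Whole-message protection shows in the structure and headers alone.
    if ctype == "multipart/encrypted" and proto == "application/pgp-encrypted":
        return "mime-encrypted", parts
    if ctype in SMIME_BODY:
        # Assumption: anything that is not explicitly signed-data is treated
        # as encrypted, which is the more cautious reading.
        kind = "mime-signed-only" if smime_type == "signed-data" else "mime-encrypted"
        return kind, parts
    if ctype == "multipart/signed" and proto in SIG_PROTOCOLS:
        return "mime-signed-only", parts
    # Inline PGP leaves the structure unchanged, so only fingerprints reveal it.
    if any(label in ("pgp-encrypted", "pgp-signed") for label in parts.values()):
        return "pgp-inline", parts
    return "none", parts


# Constructed sample messages; payloads are placeholders, not real ciphertext.
INLINE_ATTACHMENT_ONLY = """\
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Report attached.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="report.txt.pgp"

-----BEGIN PGP MESSAGE-----

Y29uc3RydWN0ZWQ=
-----END PGP MESSAGE-----
--b1--
"""

PGP_MIME = """\
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b2"

--b2
Content-Type: application/pgp-encrypted

Version: 1
--b2
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

Y29uc3RydWN0ZWQ=
-----END PGP MESSAGE-----
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("inline", INLINE_ATTACHMENT_ONLY), ("pgp/mime", PGP_MIME)):
        print(label, classify(raw))
```

The first sample shows why per-element scanning matters: the body is plain text and only the attachment carries the armor line, so a check of the message body alone would miss it.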
7.3 Automatic Key Import with PGP/GnuPG

Using iq.suite Crypt, it is possible to automatically import the public keys (sent by communication partners along with the encrypted email) into the key ring.

1. The sender's public key is copied from the email.
2. The public key is imported into the key ring.
3. The email is delivered to the recipient.

7.3.1 Sample Job: PGP or GnuPG Key Import

1. Consider the preparations for PGP or GnuPG usage. Refer to Preliminaries for PGP or GnuPG on page 149.
2. Copy the Key import with GnuPG (or PGP) job to MAIL TRANSPORT JOBS. The job should be executed after a decryption job. Activate the job [43].
3. Open the Options tab:

In the Options tab, select the Crypt engine. The PGP encryption method is preset to PGP.

[43] This example only illustrates the job-specific details. For a description of the settings in the standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
For the Crypt engine, you can choose between PGP and two GnuPG versions. If you also want to check attachments such as ZIP archives for keys, enable the Scan inside compressed attachments option.

In case you intend to import a PGP key, make sure you have entered the correct PGP version. The default version is 6.5.8. If you are using a different version, create a new entry under BASIC CONFIGURATION -> UTILITY SETTINGS -> CRYPT SETTINGS -> CRYPT ENGINES.

To view the settings for the Crypt engine selected here, click on. For further information, please refer to Configuration of the PGP or GnuPG Crypt Engine on page 150.

4. Open the Actions tab:

Open the Actions tab to specify the actions to be performed when the key import has been completed successfully (SUCCESS ACTIONS button) and those to be performed when an error has occurred (ERROR ACTIONS button).
7.4 Encryption with PGP/GnuPG

Encryption Sequence with PGP or PGP/MIME

1. The user sends an email via his/her client in the usual way.
2. On the server, Crypt retrieves the public key for the email recipients from the GnuPG or PGP key ring.
3. The email is encrypted. With PGP, all of the email elements are encrypted individually (attention: any formatting and embedded images are lost); with PGP/MIME, the email is encrypted as a whole (formatting remains intact).
4. The email is delivered to its recipients.

7.4.1 Sample Job: Encrypting Emails with PGP/GnuPG

1. Consider the preparations for PGP or GnuPG usage. Refer to Preliminaries for PGP or GnuPG on page 149.
2. Copy the Encrypt with GnuPG (or PGP) job to MAIL TRANSPORT JOBS.
   a) Activate the job [44].
   b) Configure the recipient addresses in the job. If necessary, create and enable several jobs.

If encryption is configured for a sender-recipient combination, such a sender will normally be unable to send an unencrypted email to one of the configured recipients. However, it could be desirable to reach some of these recipients with an unencrypted email. To do this, define a command in iq.suite: CONDITIONS -> CONDITION:...WITH FOLLOWING SUBJECT COMMAND. When the sender adds this command to the email's subject line, the job will not be executed and the email will be sent in unencrypted form. Searching for the command is not case-sensitive. The search is stopped as soon as the command has been found and it is removed from the subject.

[44] This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
The subject command may only contain characters from the 7-bit ASCII character set (US-ASCII - 126 characters possible).

The conditions set in both the Addresses and Conditions tabs must come true for the job to be run (logical AND).

3. Open the Crypt Engine tab:

In the Crypt Engine tab, specify the encryption method for this job. Under Select method, specify the desired encryption method. In the following field, select the version of the Crypt engine that you have installed.

Specify in the following fields how exception emails (special cases) are to be handled, e.g. TNEF emails:

Ignore: The email is passed to the next job without being further processed by this job. The email is not encrypted.
Execute actions: The actions specified in the Actions tab are performed.
Proceed: The job processes the email like those that do not fall into this category.

The special cases are:

When emails is in TNEF format, then: The Outlook TNEF format cannot be processed by iq.suite Crypt. The TNEF format is used by Exchange when an Outlook user (not Outlook Express!) sends an email within an Exchange organization. This format is not used for communication via the Internet or when using other email clients.

Email already S/MIME or PGP/MIME encrypted/signed: Emails that arrive on the server encrypted or encrypted and signed with S/MIME or PGP/MIME. In your corporate email policies, specify how such emails are to be handled.

Email already S/MIME or PGP/MIME signed only: Unencrypted emails that have already been signed by the user with S/MIME or PGP/MIME when they arrive on the server.

Email already PGP encrypted and/or signed: If PGP/MIME or S/MIME is used, the email structure and the headers make it possible to determine whether the email is encrypted or signed. If encrypted with PGP, only the contents of the individual email elements are replaced with the encrypted part, not the entire email. The structure remains unchanged. As a consequence, to determine whether an email has been partially or entirely encrypted by PGP, the fingerprints set in the configuration are applied to all of the elements of the email (message body and attachments). To define the PGP fingerprints for individual email elements, please refer to Configuration of the PGP or GnuPG Crypt Engine on page 150.

PGP Options:

Encrypt attachments only: Only the email attachments will be encrypted. All other elements of the email, such as the message body, remain unencrypted. If this option is disabled, all elements of the email (attachments, body, HTML text) will be encrypted.

PGP Universal Server compatibility: This option ensures compatibility with the PGP Universal Server. Enable this option if an encryption partner uses the PGP Universal Server. Set up two different encryption jobs if you communicate with encryption partners with Universal Server and encryption partners without Universal Server.

Remove HTML bodies: For HTML emails encrypted with PGP/GnuPG, decryption or display problems may occur on the recipient side [45]. While email programs such as Mozilla Thunderbird or Microsoft Outlook simply display the email body as text and ignore the HTML body, Lotus Notes attempts to display the HTML body as well. This can cause difficulties, especially in reply emails. In this case, enable the option that removes the HTML body before encrypting the email with PGP/GnuPG. This issue does not occur when iq.suite for Microsoft Exchange is also used on the recipient side.

Convert e-mail bodies to UTF-8: The message bodies are converted into the Unicode character set.

4. Open the Crypt Mode tab:

In the Crypt Mode tab, specify the encryption mode and security settings (VPN channel) to be called with this job.

[45] These problems are due to technical PGP/GnuPG restrictions. As a general rule, neither PGP nor GnuPG supports encrypting HTML bodies.
In the sample jobs, the Crypt mode is preconfigured. The individual options show the possible security settings for outgoing emails (VPN channels). The options only apply to encryption, since signatures are added with the private key. If this key is missing, no signature can be added and the actions specified in the Actions tab are performed.

Optional encryption: The emails are encrypted with the existing public certificates. Any emails to recipients for whom no valid certificate is available are sent unencrypted. The information from the Subject extension field (General tab) is added to the email subject.

Low security: Emails are encrypted with the existing public keys. Emails to recipients for whom a valid key exists are sent encrypted. For all recipients without a valid key, the actions specified in the Actions tab are performed.

Medium security: Emails are encrypted with the available public keys only if at least one valid key exists. All outgoing emails are encrypted. Recipients with a valid key can open the emails with their private key. Thus, recipients without a valid private key that matches one of the public keys used will not be able to open the encrypted emails. The actions specified in the Actions tab are performed only if no valid key exists at all.

High security: Emails are encrypted with the available public keys only if valid keys exist for all recipients. The actions specified in the Actions tab are performed as soon as one key is invalid or missing.

Jobs are performed only for recipients specified in the Addresses tab. If you enter only the communication partners with a valid public key, you can select a high security setting to create tap-resistant channels without missing keys triggering the actions specified in the Actions tab.

Create a separate job for each security setting. Thus, to send emails at maximum security to some recipients while offering others optional decryption or verification, set up two jobs.

5. Open the Mapping tab:

In the Mapping tab, specify the type of address mapping for encryption and, if necessary, create your own mapping table.

First use mapping list below: The entries in the user-defined mapping table below have priority over the entries in the public key ring. If no key ID is entered in this table, the job looks for this key ID in the public key ring and the associated key is used. The encryption job looks for a key ID under the recipient address in the public key ring only if no suitable entry has been found in the table. This setting is advisable for implementing encrypted communications with another company through secure VPN channels.

First use public key ring (default): The entries in the public key ring have priority over the entries in the user-defined mapping table. The encryption job looks for the required key ID in the mapping table below only if no entry matching the recipient address has been found in the key ring. Example: Separate encryption for emails to the management.

Use public key ring only: The job looks for keys only by recipient address in the public key ring. In this case, the mapping table is not enabled. Some existing entries may not be deleted. Use this option to communicate with individuals who each have their own key.

Use global mappings: If specific recipient addresses are to be used in multiple Crypt jobs, you can create these addresses as "global mappings" [46]. Enable this option if you want the job to use all recipient addresses defined as global. Please note that local addresses are read before the global addresses.

[46] Refer to Global Mappings on page 146.
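The interaction of the Mapping tab (where a key ID is looked up) and the Crypt Mode tab (what happens when a key is missing) can be worked through with a small model. This is an added example, not GBS code: class, function and field names, key IDs and addresses are constructed, and two points are assumptions that the manual does not spell out, namely that a mapped key ID must exist in the key ring to count as valid and that medium and high security trigger the actions for the whole email.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Resolver:
    keyring: dict                                       # address -> key ID of a valid key
    job_mappings: list = field(default_factory=list)    # [(pattern, key ID)], local table
    global_mappings: list = field(default_factory=list)
    order: str = "keyring_first"    # or "mapping_first" / "keyring_only"
    use_global: bool = False

    def from_tables(self, address):
        # Local (job) entries are read before global ones.
        tables = self.job_mappings + (self.global_mappings if self.use_global else [])
        for pattern, key_id in tables:
            # fnmatchcase matches the whole string, so "*@company-x.com" does
            # not match "user@company-x.com.evil.example".
            if fnmatchcase(address, pattern.lower()) and key_id in self.keyring.values():
                return key_id
        return None

    def resolve(self, address):
        address = address.lower()
        by_address = self.keyring.get(address)
        if self.order == "keyring_only":
            return by_address
        by_table = self.from_tables(address)
        if self.order == "mapping_first":
            return by_table or by_address
        return by_address or by_table


def decide(recipients, resolver, mode):
    """Return who gets ciphertext, plaintext, unreadable ciphertext or the actions."""
    have = [r for r in recipients if resolver.resolve(r)]
    miss = [r for r in recipients if not resolver.resolve(r)]
    plan = {"encrypted": [], "plaintext": [], "unreadable": [], "actions": []}
    if mode == "optional":
        plan.update(encrypted=have, plaintext=miss)
    elif mode == "low":
        plan.update(encrypted=have, actions=miss)
    elif mode == "medium":
        if have:
            plan.update(encrypted=have, unreadable=miss)
        else:
            plan.update(actions=list(recipients))
    elif mode == "high":
        if miss:
            plan.update(actions=list(recipients))
        else:
            plan.update(encrypted=have)
    else:
        raise ValueError(f"unknown mode: {mode}")
    return plan


# Constructed sample data.
KEYRING = {
    "alice@partner.example": "0xA1",
    "bob@partner.example": "0xB2",
    "gateway@company-x.com": "0xC0",
}
GLOBAL_MAPPINGS = [("*@company-x.com", "0xC0")]
RECIPIENTS = ["alice@partner.example", "dave@company-x.com", "erin@nokey.example"]

if __name__ == "__main__":
    resolver = Resolver(KEYRING, global_mappings=GLOBAL_MAPPINGS, use_global=True)
    for mode in ("optional", "low", "medium", "high"):
        print(mode, decide(RECIPIENTS, resolver, mode))
```

With the sample data, only optional encryption ever sends plaintext, and medium security delivers ciphertext that one recipient cannot open, which is the case the manual warns about.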
7.5 Decryption with PGP/GnuPG

Decryption Sequence with PGP or PGP/MIME

1. On the server, iq.suite Crypt retrieves the private key for the incoming email from the GnuPG or PGP key ring.
2. The email is decrypted. With PGP, the encrypted email elements are decrypted, with PGP/MIME the email as a whole.
3. The email is delivered to the recipient.
4. Users receive their email through their clients as usual; encryption is completely transparent for the recipients.

7.5.1 Sample Job: Decrypting Emails with PGP/GnuPG

1. Consider the preparations for PGP or GnuPG usage. Refer to Preliminaries for PGP or GnuPG on page 149.
2. Copy the Decrypt with GnuPG (or PGP) job to MAIL TRANSPORT JOBS.
   a) Activate the job [47].
   b) Configure the recipient addresses in the job. If necessary, create and enable several jobs.
3. Open the Crypt Engine/Mode tab:

In the Crypt Engine/Mode tab, specify the decryption method and the security settings to be used by this job. You can also select additional options here.

[47] This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
IQ.SUITE CRYPT - DECRYPTION WITH PGP/GNUPG Under Select method, select the desired encryption method. In the subsequent field, select the Crypt engine version installed. When emails is in TNEF format, then: The Outlook TNEF format cannot be processed by iq.suite Crypt. The TNEF format is used by Exchange when an Outlook user (not Outlook Express!) sends an email within an Exchange organization. This format is not used for communication via the Internet or when using other email clients. Recipient option: Remove S/MIME signature : This setting is not necessary for PGP decryption and available only when the PGP/MIME or S/MIME encryption method is selected. For further Information on this option, please refer to Open the Crypt Engine/Mode tab: on page 183. Email VPN (inbound security settings): For incoming emails addressed to internal users, the following security settings exist for decryption: Optional decryption (default): The emails are decrypted with the existing private keys and the signature verified with the existing public keys. If an error occurs during decryption or verification, e.g. because the private key is missing or the email was modified (making verification impossible), the configured actions are performed. Unencrypted emails are delivered PAGE 166 ADMINISTRATION - IQ.SUITE FOR EXCHANGE
to the recipients and the information from the Subject extension field (General tab) is added to the email subject.

Enforce selected mode: The only incoming emails delivered to the recipient are those that match the selected mode. For emails that do not match the selected mode, the actions specified in the Actions tab are performed.

Crypt mode: Decrypt: The email is decrypted only. An existing signature will not be verified, i.e. the email is delivered to its recipient without verification.

Process what:
- All mail contents: All elements of the email are decrypted. This option requires that the entire incoming email was encrypted. If, for instance, only the attachments were encrypted, the specified actions are performed.
- Attachments only: Only the attachments are decrypted. If the email also contains an encrypted message body, the email will be delivered with encrypted message body to the recipient.

Jobs are performed only for recipients specified in the Addresses tab. If you enter only the communication partners with whom you have, for instance, agreed that all emails are to be sent both signed and encrypted, you can select the Enforce selected mode to create tap-proof channels without errors caused by emails in the wrong mode triggering the specified actions in the Actions tab.

Create a separate job for each security setting. Thus, to send emails at maximum security to some recipients while offering others optional decryption or verification, set up two different jobs.
7.6 S/MIME General Information

To encrypt/decrypt or sign/verify emails with S/MIME, certificates are required. The certificate structure is defined in the X.509 standard. As opposed to PGP, with S/MIME the user does not create the key pair himself but receives the keys from a Certification Authority.

For test purposes, you can use the sample certificates stored under <Install-Dir>\iQ.Suite\GrpData\smimedata\demo certificates. Valid and certified certificates can be acquired from a trust center.

7.6.1 Using S/MIME in iq.suite

As of version 11, iq.suite supports a new implementation to process emails with S/MIME. The new S/MIME method (tk_smime2) is the improved, more modern version for using S/MIME. The newer cryptographic algorithms and certificate formats make email processing faster and improve the performance remarkably compared to the previous S/MIME solution (tk_smime).

If you are currently using the outdated S/MIME method, we recommend switching to the new method in order to be able to use future feature implementations. Migration is simple and only takes a few steps. Refer to Migration to the New S/MIME2 Engine on page 217.

The outdated S/MIME method uses the certificate database certs.db for storing the certificates. With the new method, this database is replaced by a local Windows certificate store and cannot be used together with the S/MIME2 engine (tk_smime2). Compared to the database certs.db, the Windows certificate store offers a user interface that allows convenient and direct certificate storage and certificate administration [48].

[48] Refer to Using the Windows Certificate Store on page 197.
For more complex scenarios such as synchronization of several servers, you can connect Crypt to iq.suite KeyManager. iq.suite KeyManager can be used with or without using the local Windows certificate store and includes options to reference your own PKI [49]. If the certificates of your communication partners have been entered in an LDAP server, you can work with iq.suite KeyManager to continue using LDAP.

7.6.2 Configuration of the S/MIME2 Engine

To use the new S/MIME method, configure an S/MIME2 engine: BASIC CONFIGURATION -> UTILITY SETTINGS -> CRYPT ENGINES -> S/MIME2.

GBS Crypt Interface: DLL file that establishes the connection from iq.suite to the S/MIME2 engine. Don't change this entry!

[49] Furthermore, S/MIME certificates can be easily managed with iq.suite KeyManager. Refer to Using iq.suite KeyManager on page 190.
Timeout: Enter the number of seconds to pass before a scan order to the Crypt engine is aborted. When choosing the time value, take into account the performance of your server.

Certificates: Specify the components that will manage the certificates in the future:
- Use KeyManager: Enable this option when using iq.suite KeyManager to manage the S/MIME certificates [50]. Click on [icon] to configure a KeyManager server connection. Refer to Using the Windows Certificate Store on page 197.
- Use Windows Certificate Store: Enable this option to manage certificates with a local Windows certificate store. For detailed information on using the Windows certificate store, please refer to Using the Windows Certificate Store on page 171.

4. Open the Fingerprints tab:

[50] Refer to Using iq.suite KeyManager on page 190.
The fingerprints identify the S/MIME certificates. As soon as an email element includes one of the fingerprints, the key import job recognizes it as an S/MIME certificate. All known fingerprints for the identification of S/MIME certificates and encrypted S/MIME emails are preconfigured [51].

5. Open the Jobs tab: The Jobs tab shows in which jobs the S/MIME2 engine is used.

7.6.3 Using the Windows Certificate Store

7.6.3.1 Advantages

As a local store, the Windows certificate store replaces the certs.db database that was used in the outdated S/MIME solution. Furthermore, through the Windows MMC, it offers you a user interface that lets you easily manage the S/MIME certificates. Certificates can be classified in the folders iq.suite Trusted, iq.suite Unknown and iq.suite Untrusted according to their trust status and be changed by simply dragging and dropping, for example from "unknown" to "trusted".

The Windows certificate store can only be used locally and not in distributed systems. Multiple iq.suite Crypt installations can be synchronized with iq.suite KeyManager.

[51] For further information on fingerprints, please refer to Fingerprints on page 248.
Private keys can be distinguished from certificates by the icons used in the certificate store.

The Windows certificate store can be used only in conjunction with the Crypt engine S/MIME2. If you are working with the Crypt engine S/MIME (outdated S/MIME method), the certificate store cannot be used. We recommend migrating to the new S/MIME method. Refer to Migration to the New S/MIME2 Engine on page 217.

Using the Windows certificate store is appropriate for manually managing certificates in smaller environments where only a few certificates have to be managed. For extensive application environments with a lot of communication partners, multiple mail servers with the iq.suite Crypt module installed, or with a lot of certificates to be managed, we recommend using iq.suite KeyManager. iq.suite KeyManager also allows you to easily manage private keys and validate certificates. For further information, please refer to Using the Outdated S/MIME Solution on page 212.
7.6.3.2 Configuration Description

If the Windows certificate store is used without iq.suite KeyManager, it can be used to manage S/MIME certificates:

1. In the Active Directory, create a new user who has access to the Windows certificate store, e.g. <certsmanager>. This user account is used to access the certificates in the certificate store.
2. Add the user to the local administrators' group and assign the right to execute batch files. This allows the iq.suite to log in to this account in batch mode. Under Windows 2003: LOCAL SECURITY POLICY -> LOCAL POLICIES -> USER RIGHTS ASSIGNMENTS -> LOGON AS A BATCH JOB.
3. Log in with the authentication information of the previously created user or open the local Windows certificate store within its user context:
   runas /profile /user:<domain name>\<user name> mmc.exe
4. Add the certificate snap-in: FILE -> ADD/REMOVE SNAP-IN -> ADD -> CERTIFICATES -> ADD -> MY USER ACCOUNT -> FINISH.
5. In the iq.suite, click on BASIC CONFIGURATION -> UTILITY SETTINGS -> CRYPT -> CERTIFICATES -> WINDOWS CERTIFICATION MANAGEMENT:
   a) Under User and Password, enter the authentication information of the user (here: <certsmanager>).
   b) Enable the desired Options for the notification of identical certificates or for the log level.
6. Save the configuration. The Compatibility tab only applies in connection with the migration from S/MIME to S/MIME2. Refer to Migration to the New S/MIME2 Engine on page 217. The Update tab only applies when iq.suite KeyManager is used. Refer to Using the Windows Certificate Store on page 171. Only make sure that the option 'Don't update program data' is selected.
7. Create a Crypt engine for S/MIME 2: CRYPT -> CRYPT ENGINES -> S/MIME 2. Refer to Configuration of the S/MIME2 Engine on page 169.
   a) Disable 'Use KeyManager'.
   b) Enable 'Use Windows certificate store' and select the Windows certificate store that you previously configured.
8. If you have so far used the certificate database certs.db and you want to continue to use the included certificates, import them into the Windows certificate store:
   a) Use, for example, the iq.suite Certificate Manager to import certificates from the certificate database first into the file system. For any questions, contact the GBS Support Team. Note that the trust status is automatically set to "Trusted".
   b) Copy the Certificate import with S/MIME job to MAIL TRANSPORT JOBS [52]. Activate the job. The job is expected to start after the decryption/verification job.
   c) In the Options tab under Method, select 'S/MIME' and in the following field, select the previously configured Crypt engine 'S/MIME 2'. Enable 'Unpack compressed attachments'.

[52] Refer to Automatic Certificate Import with S/MIME on page 175.

9. When the Certificate import with S/MIME job starts the next time, in the local Windows certificate store, the folders iq.suite Trusted, iq.suite
Unknown and iq.suite Untrusted are created and the certificates edited by the job are stored in the iq.suite Untrusted folder. Drag and drop the certificates to assign them to the desired folders.
10. Configure Crypt Inbound Jobs (decryption/signature analysis) [53] and Crypt Outbound Jobs (encryption/signature creation) [54] as described in the corresponding chapters. However, select the new Crypt engine 'S/MIME 2'.

7.7 Automatic Certificate Import with S/MIME

With iq.suite Crypt, it is possible to import the certificates from communication partners automatically into the Windows certificate store or iq.suite KeyManager, regardless of whether signatures are verified or not. This allows several certificates in attachments to be imported simultaneously [55].

The Import job identifies certificates from:
- Signed emails, i.e. the signed part is recognized.
- ZIP archives.
- PKCS#7-encoded file attachments.
- DER-encoded file attachments.

Importing the Certificate

1. The certificate is copied from the email.
   a) If using the Windows certificate store, the certificate is imported into the local certificate store and stored in the iq.suite Unknown folder.
   b) If using iq.suite KeyManager, the certificate is loaded into iq.suite KeyManager. The imported certificates are stored with the status unknown in the folder for the external certificates first. Periodically, the certificates are validated and set to the original trust status.
2. The email is delivered to the recipient.

[53] Refer to Decryption with S/MIME on page 183 and Signing with S/MIME on page 187.
[54] Refer to Encryption with S/MIME on page 176 and Verifying S/MIME Signatures on page 189.
[55] For easy S/MIME certificate management, we recommend using iq.suite KeyManager. Refer to Using iq.suite KeyManager on page 190.
3. For a description of the Windows certificate store configuration and of the certificate import job, please refer to Configuration Description on page 173.

7.8 Encryption with S/MIME

In S/MIME encryption, the sender's emails are encrypted with the recipient's public key, and only the recipient can decrypt them with his own private key. S/MIME-encrypted emails can be exchanged only with people whose email client also supports S/MIME encryption. If your communication partner also has a server with iq.suite Crypt installed, encryption and decryption are performed directly on the server and no longer depend on the email client.

The configuration of iq.suite Crypt for using S/MIME is based on policies, i.e. the addresses for encrypting, decrypting, signing and validating signatures can be defined individually for users, user groups, and for the company.

Encryption Sequence with S/MIME

An email is sent from the client to a recipient. The email is to be encrypted.

1. Crypt writes the data to be encrypted to the hard disk in the form of a multipart MIME message body.
2. This data and the recipient name are passed to the S/MIME interface.
3. The certificate is either searched for in the local Windows certificate store or is loaded by iq.suite KeyManager. The certificate is used to encrypt the file.
4. Crypt inserts the S/MIME-encrypted part as new MIME message body into the email.
7.8.1 Sample Job: Encrypting Emails with S/MIME

Copy the Encrypt/Sign with S/MIME job to MAIL TRANSPORT JOBS. Activate the job [56].

If encryption is configured for a sender-recipient combination, such a sender will normally be unable to send an unencrypted email to one of the configured recipients. However, it could be desirable to reach some of these recipients with an unencrypted email. To do this, select a command in the iq.suite: CONDITIONS -> CONDITION:...WITH FOLLOWING SUBJECT COMMAND. When the sender adds this command to the email's subject line, the job will not be executed and the email will be sent in unencrypted form. Searching for the command is not case-sensitive. The search is stopped as soon as the command has been found and it is removed from the subject. The subject command may only contain characters from the 7-bit ASCII character set (US-ASCII - 126 characters possible).

The conditions set in both the Addresses and Conditions tabs must come true for the job to be run (logical AND).

5. Open the Crypt Engine tab: In the Crypt Engine tab, specify the encryption method for this job.

[56] This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
Select method: Select S/MIME for encryption.

Select crypt engine: Select the previously configured Crypt engine for S/MIME2.

Specify in the following fields how exception emails (special cases) are to be handled, e.g. TNEF emails:
- Ignore: The email is passed to the next job without being further processed by this job. The email is not encrypted.
- Execute actions: The actions specified in the Actions tab are performed.
- Proceed: The job processes the email like those that do not fall into this category.

The special cases are:

When emails is in TNEF format, then: The Outlook TNEF format cannot be processed by iq.suite Crypt. The TNEF format is used by Exchange when an Outlook user (not Outlook Express!) sends an email within an Exchange organization. This format is not used for communication via the Internet or when using other email clients.
When email is already S/MIME or PGP/MIME encrypted/signed, then: Emails that arrive on the server have been encrypted and/or signed with S/MIME or PGP/MIME by the client, i.e. by the internal user. In your corporate email policies, specify how such emails are to be handled.

When email is already S/MIME or PGP/MIME signed only, then: Emails that arrive on the server have been signed with S/MIME or PGP/MIME by the client, i.e. by the internal user. In your corporate email policies, specify how such emails are to be handled.

Certificate options: These fields work properly only when using the S/MIME 2 Crypt engine. If you are using the outdated Crypt engine S/MIME, please keep the preconfigured job settings.
- Ignore certificate purpose: The certificate purpose defines the usage of the certificate, e.g. server authentication or encryption. If you enable this option, the iq.suite will ignore the intended purpose specified within the certificate. With this, the Crypt job is executed even if the intended purpose and the job functionality do not match, e.g. the intended purpose encryption with a job for signature creation.
- Allow expired certificates for encryption: By default, expired certificates are not used by Crypt jobs for email encryption. Enable this option if the emails are to be encrypted even though the corresponding certificate is expired.
- Allow expired certificates for signing: By default, expired certificates are not used by Crypt jobs for signature creation. Enable this option if the emails are to be signed even though the corresponding certificate is expired.
- Allow unknown trust status for encryption: By default, only certificates with the trust status trusted are used by Crypt encryption jobs. Enable this option to use certificates with the trust status unknown.
- KeyManager tenant: This field is relevant for iq.suite KeyManager only. Keep this field empty.

6.
Open the Crypt Mode tab: In the Crypt Mode tab, specify the encryption mode and security settings (VPN channel) to be called with this job.
The Crypt Mode selected in this example is Sign and encrypt. The available options are:
- Sign and encrypt: The email is signed and encrypted.
- Encrypt: The email is encrypted but not signed.
- Sign: The email is signed but not encrypted.

The individual options show the possible security settings for outgoing emails (VPN channels). The options only apply to encryption, since signatures are added with the private key. Signing fails if this certificate is missing, in which case the actions specified in the Actions tab are performed.

Optional encryption: The emails are encrypted with the existing public keys. Any emails to recipients for whom no valid key is available are sent unencrypted and, if configured, the information from the Subject extension field (General tab) is added to the email subject.

Low security: Emails are encrypted with the existing public keys. Emails to recipients for whom a valid key exists are sent encrypted. For all recipients without a valid key, the actions specified in the Actions tab are performed.

Medium security: Emails are encrypted with the available public keys only if at least one valid key exists. All outgoing emails are encrypted. Recipients
with a valid key can open the emails with their private key. Thus, recipients without a valid private key that matches one of the public keys used will not be able to open the encrypted emails. The actions specified in the Actions tab are performed only if no valid key exists at all.

High security: Emails are encrypted with the available public keys only if valid keys exist for all recipients. The actions specified in the Actions tab are performed as soon as one key is invalid or missing.

Send additional user information for KeyManager certificate request: This option is relevant for iq.suite KeyManager only.

Jobs are performed only for recipients specified in the Addresses tab. If you enter only the communication partners with a valid public key, you can select a high security setting to create tap-resistant channels without missing certificates triggering the actions specified in the Actions tab.

Create a separate job for each security setting, i.e. in order to send mail at maximum security to some recipients while offering others optional decryption, set up two jobs.

7. Open the Mapping tab: In the Mapping tab, specify the type of address mapping for encryption and, if necessary, create your own mapping table. You can, for example, use a mapping table to use one certificate for a certain group of communication partners (e.g. a company certificate of a business partner). With the address mapping, this company certificate will be used for all recipients of the partner company.
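The four outbound security settings of the Crypt Mode tab, combined with the expired and unknown-trust certificate options of the Crypt Engine tab, decide per recipient whether mail leaves encrypted, in plaintext, or not at all. The following Python model is an added example and not iq.suite code: the class and function names, the sample addresses and the dates are constructed, and the outcome labels ("encrypted", "plaintext", "unreadable", "actions") are this example's shorthand for the behaviour the manual describes.

```python
"""Model of the outbound S/MIME security settings described in the manual.

Added illustration only: names, sample addresses and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, Optional


class Level(Enum):
    OPTIONAL = "Optional encryption"
    LOW = "Low security"
    MEDIUM = "Medium security"
    HIGH = "High security"


@dataclass(frozen=True)
class Cert:
    trust: str        # "trusted", "unknown" or "untrusted" (the store folders)
    not_after: date   # last day of validity


@dataclass(frozen=True)
class CertOptions:
    allow_expired: bool = False        # "Allow expired certificates for encryption"
    allow_unknown_trust: bool = False  # "Allow unknown trust status for encryption"


def usable_for_encryption(cert: Optional[Cert], opts: CertOptions, today: date) -> bool:
    """Defaults follow the manual: only trusted, unexpired certificates are used."""
    if cert is None:
        return False
    if cert.not_after < today and not opts.allow_expired:
        return False
    if cert.trust == "trusted":
        return True
    return cert.trust == "unknown" and opts.allow_unknown_trust


def plan_delivery(level: Level, certs: Dict[str, Optional[Cert]],
                  opts: CertOptions, today: date) -> Dict[str, str]:
    """Return one outcome per recipient.

    encrypted  - sent encrypted, recipient holds a matching key
    plaintext  - sent unencrypted (silent downgrade)
    unreadable - sent encrypted, but not to a key of this recipient
    actions    - the job's Actions tab decides what happens
    """
    keyed = {r: usable_for_encryption(c, opts, today) for r, c in certs.items()}
    any_key = any(keyed.values())
    all_keys = all(keyed.values())
    plan = {}
    for rcpt, has_key in keyed.items():
        if level is Level.OPTIONAL:
            plan[rcpt] = "encrypted" if has_key else "plaintext"
        elif level is Level.LOW:
            plan[rcpt] = "encrypted" if has_key else "actions"
        elif level is Level.MEDIUM:
            if not any_key:
                plan[rcpt] = "actions"
            else:
                plan[rcpt] = "encrypted" if has_key else "unreadable"
        else:  # Level.HIGH: every recipient needs a usable key
            plan[rcpt] = "encrypted" if all_keys else "actions"
    return plan


# Constructed sample data: one usable certificate and three problem cases.
TODAY = date(2013, 10, 1)
SAMPLE_CERTS: Dict[str, Optional[Cert]] = {
    "alice@partner.example": Cert("trusted", date(2014, 6, 30)),
    "bob@partner.example": Cert("unknown", date(2014, 6, 30)),
    "carol@partner.example": Cert("trusted", date(2013, 1, 31)),  # expired
    "dave@partner.example": None,                                 # no certificate
}

if __name__ == "__main__":
    for level in Level:
        print(level.value)
        plan = plan_delivery(level, SAMPLE_CERTS, CertOptions(), TODAY)
        for rcpt, outcome in plan.items():
            print(f"  {rcpt:24} {outcome}")
```

Run against the sample data, only High security keeps a message with a missing or unusable key from leaving the server in any form; Optional encryption sends it in plaintext and Medium security sends ciphertext that some recipients cannot open.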
First use mapping list below: The entries in the user-defined mapping table below have priority. If this table contains a key ID for a recipient address, the job looks for this key ID in the local Windows certificate store and uses the associated certificate. The encryption job looks for a key ID under the recipient address in the certificate store only if no suitable entry has been found in the mapping table. In this case, the key ID must be the email address in the certificate. This setting is advisable for implementing encryption with a specific company through secure VPN channels.

First use public key ring: The entries in the certificate store have priority. If no entry matching the recipient address is found in the certificate store, the job looks for a key ID in the mapping table below.

Use public key ring only (default): Certificates are exclusively searched for in the certificate store by way of the recipient address. In this case, the mapping table is not enabled. Any table entries are kept.

Use global mappings: If specific recipient addresses are to be used in multiple Crypt jobs, you can create these addresses as "global mappings". Refer to Global Mappings on page 146.
Enable this option if you want the job to use all recipient addresses defined as global. Please note that local addresses are read before the global addresses.

7.9 Decryption with S/MIME

Decryption Sequence with S/MIME

An encrypted email is to be decrypted on the server as it arrives.

1. Crypt writes the data to be decrypted to the hard disk in the form of a multipart MIME message body. This data is passed to the S/MIME interface.
2. If a private key is found for the email recipient in the Windows certificate store or in iq.suite KeyManager, the email is decrypted.
3. Crypt then inserts the MIME-encrypted part as new MIME message body into the email.

7.9.1 Sample Job: Decrypting Emails with S/MIME

Copy the Decrypt/Verify with S/MIME job to MAIL TRANSPORT JOBS. Activate the job [57].

4. Open the Crypt Engine/Mode tab: In the Crypt Engine/Mode tab, specify the decryption method and the security settings to be used by this job. You can also select additional options here.

[57] This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
Under Select method, select the S/MIME option. In the subsequent field, select the previously configured Crypt engine for S/MIME2.

When emails is in TNEF format, then: The Outlook TNEF format cannot be processed by iq.suite Crypt. The TNEF format is used by Exchange when an Outlook user (not Outlook Express!) sends an email within an Exchange organization. This format is not used for communication via the Internet or when using other email clients.

Recipient option: Remove S/MIME signature (default): Using Crypt, S/MIME-signed emails can be checked for valid signatures on the server. iq.suite Crypt is able to remove the signature without telling the end user (email recipient) that the signature has been verified. This setting is available only if the decryption method is PGP/MIME or S/MIME.

E-mail VPN (inbound security settings): For incoming emails addressed to internal users, the following security settings exist for decryption:

Optional decryption (default): The emails are decrypted with the existing private keys and the signature verified with the existing public keys. If an error occurs during decryption or verification, e.g. because the private key is missing or the email was modified (making verification impossible),
the configured actions are performed. Unencrypted emails are delivered to the recipients and the information from the Subject extension field (General tab) is added to the email subject.

Enforce selected mode: The only incoming emails delivered to the recipient are those that match the selected mode. For emails that do not match the selected mode, the actions specified in the Actions tab are performed.

Crypt mode: Decrypt: The email is decrypted only. An existing signature will not be verified, i.e. the email is delivered to its recipient without verification.

Crypt mode: Decrypt and verify: The emails which are already signed and encrypted when they arrive on the server are both decrypted and verified.

Crypt mode: Verify: The email is only verified. It does not depend on whether the email is encrypted or not. Select this mode to be sure that the emails exchanged with a certain communication partner are signed but not encrypted.

Process: This option is only available for S/MIME.

The following options work properly only if the new S/MIME method is used:
- Allow expired certificates for verification: By default, expired certificates are no longer used by Crypt jobs. Enable this option to check the email signature even though the corresponding certificate is already expired.
- Allow unknown trust status for verification: By default, only certificates with the trust status trusted are used by Crypt jobs. Enable this option to use certificates with the trust status unknown as well.
- No import of certificates on verification: On verification, the certificates are imported by Windows Certificate Store. To prevent this, enable this option.
Jobs are performed only for recipients specified in the Addresses tab. If you enter only the communication partners with whom you have, for instance, agreed that all emails are to be sent both signed and encrypted, you can select forced mode to create tap-proof channels without errors caused by emails in the wrong mode triggering the specified actions in the Actions tab.

Create a separate job for each security setting. Thus, to send emails at maximum security to some recipients while offering others optional decryption or verification, set up two different jobs.
7.10 Signing with S/MIME

iq.suite Crypt also supports digital signing with S/MIME. Like a written signature, a digital signature provides verification of the sender's identity, allowing the recipient to be sure that the email was actually sent by the specified sender and has not been modified on its way. The signature does not prevent viewing of the email along its transmission route. However, iq.suite Crypt is able to encrypt signed emails as a whole.

The signature is generated with the private key, while the recipient verifies its authenticity with the public key. Graphically illustrated and somewhat simplified, this process looks like this:
Processing Sequence for S/MIME Signatures

An email is sent from the client to a recipient. The email is to be signed.

1. Crypt writes the data to be signed to the hard disk.
2. Crypt searches for the sender's personal key or the company certificate in the Windows certificate store or in iq.suite KeyManager.
3. This data and the private key are then passed to the S/MIME interface.
4. The data to be signed is signed with the private key.
5. Crypt then inserts the signature into the email and attaches the certificate.

7.10.1 Sample Job: Signing Emails with S/MIME

Copy the Encrypt with S/MIME job to MAIL TRANSPORT JOBS. Activate the job [58].

1. In the Crypt Mode tab, set the encryption method to Sign.
2. In the Crypt engine tab, define how to proceed on special emails by selecting the appropriate option under When email is already S/MIME or PGP/MIME signed only, then.

For a detailed description of the individual fields, please refer to Sample Job: Encrypting Emails with S/MIME on page 177.

[58] This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
7.11 Verifying S/MIME Signatures

S/MIME-signed emails arriving on the server are verified with the sender's public certificate, thereby identifying the specified sender.

Processing Sequence on S/MIME Verification

An S/MIME-signed email arrives on the server. The signature is to be verified.

1. Crypt writes the signed data and the signature to the hard disk.
2. This data and the certificate for verification are then passed to the S/MIME interface. The sender's certificate is searched in the local Windows certificate store or in iq.suite KeyManager. If no certificate is found there, Crypt checks whether the certificate is contained in the email. If the certificate is found, it is imported and used.
3. If in the job the Remove S/MIME signature option is enabled (Crypt Engine/Mode tab), the signature is removed with all certificates attached.

The S/MIME engine automatically imports the certificates into the Windows certificate store or the iq.suite KeyManager. Therefore, importing the certificates (or an Import job) is not absolutely necessary. Use the Crypt Key Import job if you wish to import certificates with different formats or certificates in attachments. Refer to Automatic Certificate Import with S/MIME on page 175.

7.11.1 Sample Job: Verifying Email Signatures with S/MIME

To have all signatures where applicable automatically verified and encrypted emails automatically decrypted, enable the Optional decryption option in the Crypt Engine/Mode tab of the Decrypt/Verify with S/MIME job.

If you want to allow signed emails only, drag the Encrypt/Verify with S/MIME job to the MAIL TRANSPORT JOBS folder and set the security settings to Enforce selected mode and the Crypt mode to Verify.

For further information on the individual fields, please refer to Sample Job: Decrypting Emails with S/MIME on page 183.
7.12 Using iq.suite KeyManager

iq.suite KeyManager, as a modular extension of iq.suite Crypt, can be used for the convenient and complete administration of S/MIME certificates in combination with the iq.suite. Keys in OpenPGP standard (PGP and GnuPG) can be managed, imported into and exported from the KeyManager.

With iq.suite KeyManager, self-signed certificates and certificates issued by certification authorities such as VeriSign can be managed centrally. The status of the certificates can be queried and updated automatically with OCSP and/or by using certificate revocation lists (CRLs). However, the KeyManager also offers possibilities for manual control and administration, e.g. to avoid unnecessary costs.

7.12.1 Using S/MIME Certificates

Whenever the iq.suite needs a certificate to process an email, the certificate is requested from the KeyManager server. Provided such a certificate is available in the KeyManager database, it is passed to the iq.suite, e.g. for encrypting/decrypting emails or signing/signature verification. If no matching certificate is found, iq.suite KeyManager addresses the request to a selected certification authority, e.g. S-TRUST (VeriSign).

With the update mechanism in the Windows certificate store configuration of the iq.suite, iq.suite Crypt is able to periodically fill the local certificate store, according to their trust status, with the certificates stored in iq.suite KeyManager. With this, the iq.suite is able to encrypt emails independently of iq.suite KeyManager, without permanent network accessibility.

Communication between iq.suite KeyManager and iq.suite is possible via HTTP or HTTPS.

The KeyManager server has to be installed and configured before configuring the iq.suite. On this server, it must be possible to address the KeyManager web service.
As soon as the server environment is operating properly, perform the following steps [59]:

- Configure a KeyManager connection and activate the configuration.
- Activate the available S/MIME engine. Keep the default settings.
- Activate the Encrypt/Sign with S/MIME job.
- In order to use a proxy server, configure a proxy server connection. This connection can be selected afterwards in the configuration document that is used for the connection between Crypt and KeyManager.

[59] For further information on installation and administration of iq.suite KeyManager, please refer to the separate KeyManager manual. Download under www.gbs.com.

7.12.1.1 KeyManager Connection Configuration

For multi-tenant functionality with iq.suite KeyManager, several KeyManager connections can be used: CRYPT -> CERTIFICATES -> KEYMANAGER -> <RIGHT-CLICK> -> ALL TASKS -> DUPLICATE. Please note that only one KeyManager connection will be operational when using PGP.

1. Click on BASIC CONFIGURATION -> UTILITY SETTINGS -> CRYPT -> CERTIFICATES -> IQ.SUITE KEYMANAGER:
For a standard KeyManager server installation, no settings have to be configured in this tab.

GBS KMS Interface: This DLL is used to establish the connection between iq.suite and the KeyManager server. Do not change this entry!

Timeout: Enter the number of seconds after which the attempt to connect to the KeyManager service is canceled if unsuccessful. When entering this value, take into account your server's performance, the size of the emails and the speed of your network connection between iq.suite and the KeyManager server. Possible values range from 30 to 900 seconds.

Run KeyManager connection as: In a standard installation these fields can be ignored. Basically, these settings are used to call the KeyManager interface in a different user context. Under User and Password, enter the authentication data of the user.

Tenant: For tenancy support, enter the tenant's GUID (refer to the tenancy view in iq.suite KeyManager). In case of several tenants, a separate KeyManager connection has to be configured for each tenant.

On pending certificates: When using iq.suite KeyManager for creating signatures, new certificates can be created. In such a configuration, the first job execution fails because the creation of the certificate has not been completed yet. Enable the option Wait for certificate creation and make sure the Send additional user information for KeyManager certificate request option in the Crypt Mode tab of the job is enabled.

2. Open the Options tab:
Server name / address: Enter the FQDN (Fully Qualified Domain Name) or the IP address of the server to which the emails are to be sent from the iq.suite server. If using HTTPS as transport protocol between the iq.suite server and the web service, the server name must match the "Common Name" specified within the SSL certificate. If using HTTP, you may also enter the IP address of the web service server.

Server port: Enter the port number of the server on which the web service is running. The port is used to establish the connection between the KeyManager server and the iq.suite server in order to have emails encrypted. Typically, port 80 is used for connections via HTTP and port 443 for connections via HTTPS. If set to 0, the default values are used (port 80 or 443).

Server protocol: Select the desired protocol to be used for transmitting the emails. For security reasons, we recommend using HTTP for test scenarios only.

If using the HTTPS protocol, also set the following:
Root certificate path: Enter the path to the root certificate of the web service server (path to trusted certificates). This certificate was used to sign the SSL certificate and is stored in the iq.suite server file system.

User name/user password: Enter the web service user authentication data used to perform the email encryption via HTTPS. This user account must have been set up on the web service server.

If no root certificate is specified, the identity of the web service server is not checked. This compromises the protection against attacks in insecure networks provided by SSL.

If you are using the Windows Certificate Manager for exporting certificates from the web service server to the iq.suite server (WINDOWS -> CONTROL PANEL -> INTERNET OPTIONS), the root certificate must be available in PEM format (base-64 encoded X.509). A certificate exported in binary form or a non-root certificate will not be accepted.

3. Open the Options tab:

To establish the connection to your KeyManager server via a proxy server, select the desired proxy server in the Proxy Server tab:
- No proxy server: No proxy server is used.
- Proxy server of iq.suite Server: The proxy server used is the one defined for the iq.suite server. These proxy server settings can be set during the installation.
- Custom proxy server: The proxy server used is the one set under BASIC CONFIGURATION -> GENERAL SETTINGS.

7.12.1.2 Engine Configuration: S/MIME2 Engine

Create an S/MIME2 engine [60]: BASIC CONFIGURATION -> UTILITY SETTINGS -> CRYPT -> CRYPT ENGINES -> S/MIME2.

[60] For further information on the configuration of the S/MIME2 engine, please refer to Configuration of the S/MIME2 Engine on page 169.
In the General tab, enable the Use KeyManager option. Then, select the previously created KeyManager connection.

To use a Windows certificate store in the iq.suite, e.g. for a fallback, enable the Use Windows Certificate Store option. Then, select the previously created configuration document for the certificate store. For configuration, proceed as described under Using the Windows Certificate Store on page 171.

7.12.1.3 Sample Job: Configuring a KeyManager Job (S/MIME)

Assign the previously configured S/MIME2 engine to a KeyManager job:

For email encryption with iq.suite KeyManager, you need a Crypt Outbound job. Use, for example, the sample job Encrypt/Sign with S/MIME. Refer to Sample Job: Encrypting Emails with S/MIME on page 177.

In the Crypt Engine tab, leave the KeyManager tenant field empty.

In the Crypt Mode tab, select the desired mode:

If you select Encryption, the emails are encrypted with the certificates stored in iq.suite KeyManager.
If you select Sign or Sign and verify, the emails are signed or signed and encrypted with the certificates stored in iq.suite KeyManager.

If you are using a connector in iq.suite KeyManager and the connector requires specific user information to request a certificate, this information has to be passed by the iq.suite. Otherwise, you can only request certificates already existing in iq.suite KeyManager, e.g. imported or self-produced certificates, but not create new ones. For this, activate the Send additional user information for KeyManager certificate requests option. Note that the first and last names have to be available in the Active Directory.

For email decryption with iq.suite KeyManager, a Crypt Inbound job has to be created. Use, for example, the sample job Decrypt/Verify with S/MIME. Refer to Sample Job: Decrypting Emails with S/MIME on page 183.

7.12.1.4 Using the Windows Certificate Store

Certificates that are created and/or managed in iq.suite KeyManager can optionally be imported into a local Windows certificate store and be used to encrypt or decrypt emails or to create or verify the signature.

The advantage of this solution is that the S/MIME functionality is not affected even in case of temporary KeyManager server failures. Email processing is not delayed because of missing certificates. Persistent synchronization with iq.suite KeyManager guarantees that the current certificates are always used [61].

Note that an automatic certificate import from the certificate store to the KeyManager server is not possible.

[61] For further information on the Windows certificate store, please refer to Using the Windows Certificate Store on page 197.
Processing:

The client sends an email to a recipient who is supposed to receive it in encrypted form.

1. Crypt writes the data to be encrypted to the hard disk in the form of a Multipart MIME message body.
2. This data and the recipient name are passed to the S/MIME interface.
3. The certificate is searched for in the local Windows certificate store and is used to encrypt the file. If the corresponding certificate is not found, an appropriate certificate is searched for on the KeyManager server.
4. Crypt adds the resulting S/MIME component to the email as a new MIME message body.

Configuration:

If you plan to use the Windows certificate store associated with iq.suite KeyManager, proceed as follows:

1. Configure a KeyManager server connection. Refer to KeyManager Connection Configuration on page 191.
2. Configure the local Windows certificate store in iq.suite (refer to Configuration Description on page 173):
   a) Open the General tab: Under User and Password, enter the authentication information of the user needed for the certificate store (here: <certsmanager>). The certificate store is executed in this user context. Enable the desired Options for notification of identical certificates or for the log level.
   b) Open the Compatibility tab and disable the 'Compatibility mode with old S/MIME solution' option.
   c) Open the Update tab: Enable the option 'Use default values for update'. By default, a synchronization with iq.suite KeyManager is started every 60 minutes (minimum: 15 minutes).
   Synchronization can be initiated manually as required: IQ.SUITE MONITOR -> SERVER -> SERVER STATUS -> TEST TAB -> SCANNER REFRESH.

   The directory <InstallDir>\iQ.Suite\Bin\wincert is used to create logs that record successful or incorrect processing of the certificate store.
3. Refresh the views in the Certificate Manager (F5).
4. Create a Crypt engine for S/MIME 2: CRYPT -> CRYPT ENGINES -> S/MIME 2. Refer to Configuration of the S/MIME2 Engine on page 169.
   a) Enable 'Use KeyManager' and select the previously configured KeyManager server connection.
   b) Enable 'Use Windows Certificate Store'.

   Since a very high data volume is synchronized and transferred during the initial phase of the synchronization with iq.suite KeyManager, the import process can take some time and might produce a timeout. By default, a timeout occurs after 900 seconds. Raise that value if timeouts often occur in your system environment.
5. Certificates stored in iq.suite KeyManager are regularly synchronized with the data of the Windows certificate store. New and modified certificates are imported into the corresponding folders (iq.suite Trusted, iq.suite Untrusted, iq.suite Unknown) according to the specified trust status.
6. Use the KeyManager import function on the KeyManager server to import the users' existing personal certificates, if required.
7.12.2 Using PGP Keys

As of iq.suite Version 11.1, the PGP keys managed in iq.suite KeyManager can be used by iq.suite Crypt jobs. As a prerequisite, GnuPG 1.4 has to be used.

Regular synchronization with iq.suite KeyManager makes sure that the most current key managed in the KeyManager is used. As a result, PGP functionality remains unimpaired during temporary breakdowns of the KeyManager server. Synchronization is performed automatically in the intervals defined in the engine.

7.12.2.1 Engine Configuration: PGP synchronized with KeyManager

Configure a Crypt engine of the type PGP synchronized with KeyManager:

1. Click on BASIC CONFIGURATION -> UTILITY SETTINGS -> CRYPT -> CRYPT ENGINES -> PGP SYNCHRONIZED WITH KEYMANAGER:

In the General tab, perform the following settings:
GBS Crypt Interface: DLL file that links the iq.suite with the GnuPG engine. Do not change this entry!

Executable file: Specify the GnuPG EXE file with its absolute path, e.g. c:\program files\crypt\gnupg\gpg.exe.

Timeout: Number of seconds after which the attempt to connect to the Crypt engine is interrupted if unsuccessful. Take your server's performance into account when setting this value.

Key ring passphrase: Passphrase for the local, private key ring, not the password for the keys/keyring provided by KeyManager. The password may contain all printable characters from the 7-bit ASCII character set (US-ASCII) except the quotation mark.

Signature key ID: Key identification of the (private) corporate key to be systematically used for signing, e.g. info@mycompany.com

2. Open the PGP Options tab:

Add this extension: After encryption with PGP or GnuPG, this file extension is appended to each encrypted email section (except for the message body) before being sent. Crypt uses these extensions only for PGP (not for PGP/MIME). Specify the Crypt method in the job.
Remove this extension: During decryption, any file extensions added to encrypted email sections are removed again (except for the message body). The extensions entered here are normally used for PGP encryption, and iq.suite Crypt assumes that these emails have received the extension during encryption. Crypt uses these extensions only for PGP (not for PGP/MIME). Specify the Crypt method in the job.

3. Open the Fingerprints tab:

The fingerprints in the upper section of the tab identify the PGP key to be imported. Whenever an email section arrives with a fingerprint specified in this tab, the key import job will know that it is a PGP key.

The fingerprints in the lower section identify emails that have already been PGP-encrypted and/or PGP-signed on the client and are being processed for sending on the server. It is possible to define exceptions for these emails in the Crypt job. The fingerprints apply to the Crypt PGP encryption method only, not to PGP/MIME.

All known fingerprints for identifying PGP keys and encrypted PGP emails are preconfigured [62].
4. Open the Update tab:

To enable the synchronization, enable the option Update program data using predefined settings. With the default settings, the iq.suite is synchronized with iq.suite KeyManager at a 60-minute interval (minimum: 15 minutes). After 900 seconds a timeout occurs.

If you want to be notified of successful synchronizations via email, enable the option Send admin notifications on successful updates.

To disable the synchronization, enable the Don't update program data option.

If required, the synchronization can be started manually: IQ.SUITE MONITOR -> SERVER -> SERVER STATUS -> TEST TAB -> SCANNER UPDATE.

5. Open the Jobs tab. The Jobs tab lists the jobs that use the GnuPG engine.

[62] For further information on fingerprints, please refer to Fingerprints on page 248.
7.12.2.2 KeyManager Connection Configuration

For synchronization with iq.suite KeyManager, a KeyManager connection is required. Refer to KeyManager Connection Configuration on page 191.

7.12.2.3 Sample Job: KeyManager Job Configuration (PGP)

Assign the previously configured PGP synchronized with KeyManager engine to a KeyManager job:

For email encryption with iq.suite KeyManager, you need a Crypt Outbound job. Use, for example, the sample job Encrypt with GnuPG. Refer to Sample Job: Encrypting Emails with PGP/GnuPG on page 158. In the Crypt Engine tab under Method, select the PGP or PGP/MIME option. In the same tab, select the PGP synchronized with KeyManager engine.

For email decryption with iq.suite KeyManager, you need a Crypt Inbound job. Use, for example, the sample job Decrypt with GnuPG. Refer to Sample Job: Decrypting Emails with PGP/GnuPG on page 165. In the Crypt Engine tab under Method, select the PGP or PGP/MIME option. In the same tab, select the PGP synchronized with KeyManager engine.
7.13 Encryption with WebCrypt Pro

WebCrypt Pro is a modular extension of iq.suite Crypt and enables secure encrypted email communication with recipients who do not use any encryption solution. Using WebCrypt Pro ensures a trusted and uninterrupted email communication with no S/MIME certificates or PGP/GnuPG keys required.

Please note that WebCrypt Pro requires a separate license. The required WebCrypt Pro Relay Service is provided by our partner Applied Security GmbH (apsec). For further information, please contact the GBS Sales Team.

WebCrypt Pro requires installing the following components:

- a WebCrypt Pro gateway [63]
- a WebCrypt Pro web service

7.13.1 Encryption Procedure with WebCrypt Pro

Before emails are delivered to the intended recipients, they are intercepted by the iq.suite and forwarded from the WebCrypt Pro web service to the WebCrypt Pro gateway, where the emails are encrypted. The encrypted emails are sent back to the iq.suite and finally delivered to the recipients from the iq.suite server.

To encrypt the email, the recipients log in to the WebCrypt Pro user portal with their email address and password. The password is created when the first encrypted email arrives on the WebCrypt Pro server and has to be transmitted using separate means of communication.

Before configuring iq.suite, you need to install and set up the WebCrypt Pro gateway and the WebCrypt Pro web service. Once the server environment is operational, proceed as follows:

1. Configure a WebCrypt Pro server connection in the iq.suite: BASIC CONFIGURATION -> UTILITY SETTINGS -> CRYPT SETTINGS -> CRYPT ENGINES -> WEBCRYPT SERVER CONNECTION. Refer to WebCrypt Pro Server Connection Configuration on page 206.
2. Create and enable a WebCrypt Encryption job in the iq.suite. In the Settings tab under WebCrypt server connection, select the previously configured WebCrypt Pro engine. Refer to Sample Job: Encrypting Emails with WebCrypt Pro on page 210.

[63] For further information on installation and configuration of the WebCrypt Pro Relay Service, please refer to the separate document TechDoc_WebCryptPro.pdf. Download under www.gbs.com.

7.13.2 WebCrypt Pro Server Connection Configuration

Configure a WebCrypt Pro server connection in the iq.suite: BASIC CONFIGURATION -> UTILITY SETTINGS -> CRYPT SETTINGS -> CRYPT ENGINES -> WEBCRYPT SERVER CONNECTION.

For a standard WebCrypt Pro server installation, all you need to do in this tab is to set the URL of the WebCrypt Pro service.

GBS Crypt Interface: This DLL is used to establish the connection between iq.suite and the WebCrypt Pro server. Do not change this entry!
Timeout: Enter the number of seconds after which the attempt to connect to the WebCrypt Pro service is canceled if unsuccessful. When entering this value, take into account your server's performance, the size of the emails and the speed of your network connection between iq.suite and the WebCrypt Pro server. Possible values range from 30 to 900 seconds.

Run connection as: In a standard installation, these fields can be ignored. Basically, these settings are used to call the WebCrypt Pro interface in a different user context.

3. Open the Options tab:

Server name / address: Enter the FQDN (Fully Qualified Domain Name) or the IP address of the server to which the emails are to be sent from the iq.suite server. If using the HTTPS transport protocol between the iq.suite server and the web service, the server name must match the "Common Name" specified within the SSL certificate. If using HTTP, you may also enter the IP address of the web service server.

Server port: Enter the port number of the server on which the web service is running. This port is used to establish the connection between the web service and the iq.suite server in order to have emails encrypted. Typically, port 80 is used for connections via HTTP and port 443 for connections via HTTPS. If set to 0, the default values are used (port 80 or 443).

Server protocol: Select the protocol to be used for transmitting the emails. For security reasons, we recommend using the HTTP protocol for test scenarios only.

If using HTTPS as protocol, also set the following:

Root certificate path: Enter the path to the root certificate of the web service server (path to trusted certificates). This certificate was used to sign the SSL certificate and is stored in the file system of the iq.suite server.

User / Password: Enter the web service user authentication data used to perform the email encryption via HTTPS. This user account must have been set up on the web service server.

If no root certificate is specified, the identity of the web service server is not checked. This compromises the protection against attacks in insecure networks provided by SSL.

If you are using the Windows Certificate Manager for exporting certificates from the web service server to the iq.suite server (WINDOWS -> CONTROL PANEL -> INTERNET OPTIONS), the root certificate must be available in PEM format (base-64 encoded X.509). A certificate exported in binary form or a non-root certificate will not be accepted.

4. Open the Proxy Server tab:

To establish the connection to your WebCrypt Pro server via a proxy server, select the desired proxy server on the Proxy Server tab:
- No proxy server: No proxy server is used.
- Proxy server of iq.suite Server: The proxy server used is the one defined for the iq.suite server. These proxy server settings can be set during the installation. Refer to Installation of iq.suite on a Exchange Server on page 11.
- Custom proxy server: The proxy server used is the one set in the BASIC CONFIGURATION.
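The Root certificate path field of both the KeyManager connection and the WebCrypt Pro connection requires a PEM-encoded root certificate; a binary export or a non-root certificate is not accepted. The following PowerShell pre-flight check is an added example, not part of iq.suite or of this manual. The function name Test-RootCertificateFile and the generated test certificates are constructed for illustration, and the sample generation assumes Windows PowerShell 5.1 on .NET Framework 4.7.2 or later, or PowerShell 7.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example (hypothetical helper, not an iq.suite tool): checks a file against
# the two requirements the manual states for "Root certificate path".
function Test-RootCertificateFile {
    param([Parameter(Mandatory)][string]$Path)

    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $r = [ordered]@{
        File = Split-Path $full -Leaf; IsPem = $false; IsSelfIssued = $false
        IsCA = $false; Subject = $null; NotAfter = $null; MeetsRequirements = $false
    }

    # A PEM file is text: base64 between BEGIN/END CERTIFICATE markers.
    # A binary (DER) export has no such markers and stops here.
    $text = [System.IO.File]::ReadAllText($full)
    $m = [regex]::Match($text,
        '-----BEGIN CERTIFICATE-----(?<b64>[A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----')
    if (-not $m.Success) { return [pscustomobject]$r }

    try {
        $der  = [Convert]::FromBase64String(($m.Groups['b64'].Value -replace '\s', ''))
        $cert = [X509Certificate2]::new($der)
    } catch {
        return [pscustomobject]$r   # markers present, body is not a parsable certificate
    }
    $r.IsPem = $true

    # A root certificate is self-issued: subject and issuer names are identical.
    # This compares the encoded names only; it does not verify the signature.
    $r.IsSelfIssued = [BitConverter]::ToString($cert.SubjectName.RawData) -eq
                      [BitConverter]::ToString($cert.IssuerName.RawData)

    # Informational: basicConstraints CA flag (old v1 roots may not carry it).
    $bc = $cert.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
    $r.IsCA     = [bool]($bc -and $bc.CertificateAuthority)
    $r.Subject  = $cert.Subject
    $r.NotAfter = $cert.NotAfter
    $r.MeetsRequirements = $r.IsPem -and $r.IsSelfIssued
    [pscustomobject]$r
}

function ConvertTo-Pem([X509Certificate2]$Cert) {
    "-----BEGIN CERTIFICATE-----`r`n" +
    [Convert]::ToBase64String($Cert.RawData, [Base64FormattingOptions]::InsertLineBreaks) +
    "`r`n-----END CERTIFICATE-----`r`n"
}

# --- Constructed sample input: throw-away certificates generated on the spot ---
$from = [DateTimeOffset]::UtcNow.AddMinutes(-5)
$to   = $from.AddDays(1)

$rootKey = [RSA]::Create(2048)
$rootReq = [CertificateRequest]::new('CN=Constructed Test Root', $rootKey,
               [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$rootReq.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($true, $false, 0, $true))
$root = $rootReq.CreateSelfSigned($from, $to)

# Server (non-root) certificate issued by the constructed root.
$leafKey = [RSA]::Create(2048)
$leafReq = [CertificateRequest]::new('CN=webservice.example.test', $leafKey,
               [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$leaf = $leafReq.Create($root, $from.AddMinutes(1), $to.AddMinutes(-1), [byte[]](1, 2, 3, 4))

$dir = Join-Path ([System.IO.Path]::GetTempPath()) ('rootcheck-' + [guid]::NewGuid())
$null = New-Item -ItemType Directory -Path $dir
[System.IO.File]::WriteAllText((Join-Path $dir 'root.pem'), (ConvertTo-Pem $root))     # PEM root
[System.IO.File]::WriteAllBytes((Join-Path $dir 'root.der'), $root.RawData)            # binary export
[System.IO.File]::WriteAllText((Join-Path $dir 'server.pem'), (ConvertTo-Pem $leaf))   # non-root

Get-ChildItem -LiteralPath $dir |
    ForEach-Object { Test-RootCertificateFile -Path $_.FullName } |
    Format-Table File, IsPem, IsSelfIssued, IsCA, MeetsRequirements

Remove-Item -LiteralPath $dir -Recurse
```

For a real check, call Test-RootCertificateFile with the path you intend to enter under Root certificate path; only a file reported with MeetsRequirements set to True is both PEM-encoded and self-issued.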
7.13.3 Sample Job: Encrypting Emails with WebCrypt Pro

After having completed the configuration of the WebCrypt Pro server connection, assign this connection to a WebCrypt Pro job. Copy the Encrypt with WebCrypt Pro job to MAIL TRANSPORT JOBS. Activate the job [64].

1. Open the Conditions tab:

Use the Conditions tab to set the applicable conditions of a job. For further information on how to use conditions, please refer to Conditions Tab on page 60.

A preconfigured special condition is available for WebCrypt Pro encryption jobs. To ensure that sending the passwords to the email recipients works properly, this default setting should not be changed.

When sending the passwords, the WebCrypt Pro service writes a specific X header into the email (to connect to the WebCrypt Pro portal). Before the email is actually delivered to the recipient, it is included in the regular iq.suite process. Due to the configured condition, the WebCrypt Pro encryption job recognizes that the email comes from the WebCrypt Pro service and therefore does not process this email.

The content-related conditions and the address-related conditions set in the Addresses tab must both be true for a job to be run (logical AND).

2. Open the Settings tab:

Use the Settings tab to select the WebCrypt Pro server connection previously defined under WebCrypt Pro Server Connection Configuration on page 206:

[64] This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
Attach email as .eml: As a general rule, images (e.g. background pictures) embedded in emails cannot be displayed in the WebCrypt Pro portal. Instead, they are marked with a red X in the email body. To be able to display embedded images within the email body, this option allows adding the original message as a file attachment to the email. Within this EML file, embedded images are displayed in the proper way.

File attachments extra: The original attachments remain available in emails even after WebCrypt Pro encryption. Thus, in the WebCrypt Pro user portal, they are both displayed in the EML file and attached as file attachment.

File attachments only in .eml: The original attachments are removed from the emails when encrypted with WebCrypt Pro. Use this option to reduce the encryption time for emails with many or large attachments.
7.14 Using the Outdated S/MIME Solution

If you are currently using the outdated S/MIME method, we recommend switching to the new method in order to be able to use future feature implementations. If you still prefer using the outdated method, follow the procedure below.

7.14.1 Description of Operational Sequence

To use the outdated S/MIME solution, proceed as follows:

1. Create an X.509 certificate as a root certificate, e.g. root.pfx. Afterwards create a company certificate from the root certificate, e.g. company.pfx. For test purposes, you can use the sample certificates stored under <InstallDir>\iQ.Suite\GrpData\smimedata\demo certificates. Valid and certified certificates can be acquired from a trust center.
2. Copy both of the files to the /GrpData/smimedata directory. We recommend keeping a copy of the root certificate in a safe place.
3. Configure a Crypt engine for S/MIME. Refer to Configuration of the S/MIME Engine on page 213.
4. Configure and enable the Encrypt/Sign With S/MIME job. In the Crypt Mode tab, set the Crypt mode to Sign.
5. To encrypt or decrypt emails with Crypt and S/MIME, configure and enable the Encrypt/Sign with S/MIME job. In that case, under the Crypt Mode tab, be sure to set the Crypt mode to Encrypt.
6. If you want to both encrypt/decrypt and sign/verify emails with Crypt and S/MIME, set the Crypt mode in the Crypt Mode tab to Sign and encrypt.
7.14.2 Configuration of the S/MIME Engine

1. To use S/MIME for encrypting or signing, configure the S/MIME Crypt engine: BASIC CONFIGURATION -> UTILITY SETTINGS -> CRYPT ENGINES -> S/MIME.

If you require several S/MIME Crypt engines in order to support different certificates, you need to use a separate certificate folder for each of the engines (smimedata1, smimedata2, etc.).

GBS Crypt Interface: This is the DLL file that links iq.suite with the GnuPG engine. Do not change this entry!

Timeout: Enter the number of seconds after which the attempt to connect to the Crypt engine is interrupted if unsuccessful. Take your server's performance into account when entering this value.

KeyManager: The Use KeyManager option is relevant only in case of using iq.suite KeyManager [65]. With this option, the certificates will be managed with iq.suite KeyManager. If required, import the existing personal certificates of the users with the import action of the KeyManager into the iq.suite KeyManager server.

[65] Refer to Using iq.suite KeyManager on page 190.
Public key folder: The S/MIME data folder, which among others contains the two database files with the certificates, is created in the smimedata folder under GrpData. Do not change this folder name!

Root certificate: Copy the root certificate (PFX file) to the Public key folder, and enter the certificate name including the folder name. Example: smimedata\root.pfx. If you have to save your root certificate to a different folder, specify the absolute path to this certificate. Example: c:\program files\crypt\smime\root.pfx.

Company certificate: The company certificate (PFX file) is generated from the root certificate and must be placed in the same folder as the root certificate. Example: smimedata\company.pfx. If you have specified a folder other than smimedata for the root certificate, enter here the same absolute path as the one entered in the Root certificate field. Example: c:\program files\crypt\smime\company.pfx.

Root password: Enter the password for the root certificate above. The password may contain all printable characters from the 7-bit ASCII character set (US-ASCII) except the quotation mark.

Company password: Enter the password for the company certificate above. The password may contain all printable characters from the 7-bit ASCII character set (US-ASCII) except the quotation mark.

2. Open the S/MIME Options tab:
If you have saved your communication partners' certificates in an LDAP directory, fill in the following fields:

Parameters: If you are using an LDAP server, add [LDAP] to the end of this line.

LDAP server/LDAP port: Name or the IP address of the LDAP server and its port number.

LDAP path: Full LDAP branch to be searched. Example: CN=Users,DC=Subdomain,DC=Domain,DC=DE.

LDAP user: Username of a user with LDAP access rights.

LDAP password: Password for the LDAP user. Do not use space characters.

3. Open the Fingerprints tab:
The fingerprints identify the S/MIME certificates to be imported. When an email section arrives with a fingerprint specified here, the key import job will know it is an S/MIME certificate. All known fingerprints for identifying S/MIME certificates and encrypted S/MIME emails are preconfigured [66].

4. Open the Variables tab:

The variables are preconfigured for the GBS Crypt interface tk_smime.dll and should not be changed.

5. Open the Jobs tab:

The Jobs tab lists the jobs that use the S/MIME engine.

[66] For further information on fingerprints, please refer to Fingerprints on page 248.
7.14.3 Migration to the New S/MIME2 Engine

If you are currently using the outdated S/MIME method, we recommend switching to the new method.

If you have so far managed certificates in the certificate database certs.db and now want to use the Windows certificate store, you can import the certificates used so far into the certificate store to continue using them. Use, for example, the iq.suite Certificate Manager to first import certificates from the certificate database into the file system. In case of questions, please contact the GBS Support Team. Note that the trust status is automatically set to "trusted".

So far, private keys were provided in the file system. They can continue to be used, either by being imported together with the certificates or by remaining in the file system. For importing/exporting, the Certificate Manager can be used.

If, for S/MIME2, you want to use the local certificate store to manage certificates, proceed as described below. To use iq.suite KeyManager, proceed as described under Using iq.suite KeyManager on page 190.

1. In the iq.suite, configure the local Windows certificate store as described under Configuration Description on page 173. In the Compatibility tab, specify the following settings:
   If private keys were so far stored in the file system according to the outdated S/MIME method, and the certificates stored there continue to be used, enable the 'Compatibility mode with old S/MIME solution' option. Keep the root certificate and the company certificate information from the outdated S/MIME configuration (S/MIME ENGINE -> GENERAL TAB). Newly created private keys will then be stored at the same place as previously. Default: <InstallDir>\GrpData\smimedata.

   Root certificate: Directory where the root certificate is stored. Default: <InstallDir>\GrpData\smimedata\root.pfx. Under Root password, enter the corresponding password. The password may contain all printable characters from the 7-bit ASCII character set (US-ASCII) except the quotation mark.
   If Crypt is also used on the recipient side, no root certificate is required. In such cases, leave the Root certificate field blank.

   Company certificate: Directory where the company certificate is stored. The company certificate is created from the root certificate and has to be stored in the same directory as the root certificate. Default: <InstallDir>\GrpData\smimedata\company.pfx. Under Company password, enter the corresponding password. The password may contain all printable characters of the 7-bit ASCII character set (US-ASCII), except the quotation mark.

2. Import all certificates and keys into the certificate store.

3. Create a Crypt engine for S/MIME 2: CRYPT -> CRYPT ENGINES -> S/MIME 2. Refer to "Configuration of the S/MIME2 Engine" on page 169.
   a) Disable 'Use KeyManager'.
   b) Enable 'Use Windows Certificate Store' and select the previously configured Windows certificate store.

4. Copy the Certificate import with S/MIME job to MAIL TRANSPORT JOBS [67].
   a) Activate the job. It is expected to start after the decryption/verification job.
   b) In the Options tab under Method, select 'S/MIME' and, in the following field, the previously configured Crypt engine 'S/MIME 2'. Enable 'Unpack compressed attachments'.
   c) When the job starts the next time, the folders iq.suite Trusted, iq.suite Unknown and iq.suite Untrusted are created in the local Windows certificate store, and the public certificates edited by the job are stored in the iq.suite Unknown folder.
   d) Drag and drop the certificates to assign them to the desired folders.

5. Open the previously configured Crypt Inbound Jobs (decryption/signature verification) [68] and Crypt Outbound Jobs (encryption/signature creation) [69]. However, in the Crypt Engine tab, select the new Crypt engine 'S/MIME 2'.

[67] Refer to "Automatic Certificate Import with S/MIME" on page 175.
[68] Refer to "Decryption with S/MIME" on page 183 and "Signing with S/MIME" on page 187.
[69] Refer to "Encryption with S/MIME" on page 176 and "Verifying S/MIME Signatures" on page 189.
8 iq.suite Watchdog

8.1 Overview on iq.suite Watchdog

iq.suite Watchdog provides comprehensive protection of your environment from email attacks, viruses and harmful content in emails and file attachments. The security concept provided by Watchdog allows over 200 file formats to be analyzed. Using a fingerprint technology, this also includes archives. Combined with iq.suite Crypt, encrypted emails and file attachments are analyzed as well. In addition, it is possible to use multiple scan engines in parallel for virus scanning with various algorithms, which further increases the security of your infrastructure.

Job Types

Job: Watchdog Virus Scanning
   Virus scanning in emails addressed to internal users or external communication partners.
Job: Information Store Scan
   Virus scanning in Exchange databases (public and private Information Store) on access & proactive/background.
Job: Watchdog Attachment Filtering
   Blocking specific file types in attachments.
Job: Watchdog Email Size Filtering
   Limiting email size.
Job: Watchdog Attachment/Size Filtering
   Limiting attachment type and/or size.

For further information on the procedure, please refer to "Virus Scanning" on page 222.

iq.suite Watchdog is used primarily for virus scanning. In addition, emails can be checked and blocked if they contain certain prohibited attachment types, e.g. multimedia data or Microsoft Office documents. In addition, emails or archives which exceed a maximum permitted size can be blocked. To do so, Watchdog checks the file's fingerprint. For further information on the procedure, please refer to "File Restrictions for Attachments" on page 246.

8.2 Virus Scanning

With iq.suite Watchdog, the incoming emails arriving on the mail server can be scanned for viruses before delivery to the recipients. For this, virus scanners from third-party manufacturers are used. Refer to "Virus Scanning on the Mail Server" on page 222.

Data stored in the public and/or private Information Store of Microsoft Exchange can also be scanned for viruses. In this case, however, virus scanning does not use the virus scanners but, depending on the Exchange server version, the server's VSAPI or EWS [70]. Refer to "Virus Scanning in the Information Store" on page 223.

8.2.1 Virus Scanning on the Mail Server

The Watchdog Virus Scanning job is used for virus scanning on the mail server. The job configuration determines the virus scanners used for scanning and the emails for which a job will be executed. If you have selected several scan engines, the emails are checked by all of them and cleaned if they are infected. If configured, further actions are performed as previously defined.

The following example illustrates the working principle of a virus scanning job: The job checks, for instance, an email with the result "virus found". It triggers a virus alarm and initiates a series of actions you defined in the job.

The following job actions are possible in case of a detected virus:
- The email is cleaned and delivered afterwards to the recipients.
- The email is quarantined and deleted from the mail server. It is not delivered to the recipients.
- The virus-infected attachments are deleted from the email. Afterwards it is delivered to the recipients.

[70] For further information on VSAPI or EWS, please refer to http://technet.microsoft.com.
In addition, further job actions can be processed, e.g.:
- An additional text is added to the email's subject line. For example, a quarantined email can be extended with <virus found>.
- The administrator, the sender and/or the recipients are notified.
- Any other, user-definable persons are notified.
- etc.

8.2.2 Virus Scanning in the Information Store

Besides virus scanning at transport level, iq.suite is also able to scan data in the public and/or private Microsoft Exchange Information Store. The scanning process can be configured as a realtime on-demand scan or time-controlled for a defined scan procedure.

Basic types of Information Store scanning:

On-demand Scan:
   Incoming emails are scanned in realtime before client access. When a client tries to open an email, a comparison is performed to ensure that all elements (message body and file attachments) have been checked by the current virus signature file. If they have not, the email is scanned before being forwarded to the client. The scan procedure can be time scheduled.

Time-scheduled Scan:
   The public and/or private Information Store can be scanned within a configurable time period. The Information Store can be scanned at off-peak times or at the weekends to reduce delays for client queries. Starting time and scan duration are set in the time schedule. After this period the scan will stop. The scan will be restarted with the next starting time. This scan procedure is suitable for configurations in which incoming emails are checked for viruses by a Watchdog job.

If a virus is found in an email, the object can be either blocked, replaced or ignored/not marked. Refer to "Defining Actions" on page 241.

Emails blocked by the Information Store scan may result in error messages during Information Store backups.
Stopping or uninstalling iq.suite and terminating the Information Store scan jobs releases any elements that were blocked due to virus infection and also disables the Information Store's active virus protection mentioned above.

A sample job is provided under "Sample Job: Virus Scan in the Information Store" on page 236.

8.2.3 Virus Scanners

8.2.3.1 Notes on Virus Scanners

For virus scanning, the iq.suite supports different third-party virus scanners. The virus scanners must either be installed on the server separately, to be called and started by Watchdog, or they are installed as integrated scanners in the course of the iq.suite setup, in which case they are immediately usable after the installation has finished.

Virus scanners are connected to a Watchdog job with a configured scan engine. For each supported virus scanner, the iq.suite standard configuration provides a preconfigured scan engine under BASIC CONFIGURATION -> UTILITY SETTINGS -> SCAN ENGINES. This menu item is the interface between your scan engine and iq.suite Watchdog. For further information on the configuration, please refer to "Enabling Virus Scanners" on page 224.

iq.suite Watchdog supports the following scan engines (virus scanners):
- Avira Scan Engine (integrated scanner)
- McAfee Scan Engine (integrated scanner)
- Sophos Scan Engine (integrated scanner)
- Sophos External Scan Engine
- Norman External Scan Engine

8.2.3.2 Enabling Virus Scanners

Different virus scanners can be used within iq.suite to check emails for viruses. iq.suite calls an enabled scan engine through the GBS AV Interface [71].
Disable any real-time or on-access scan functions of your scan engines for the ...\iq.suite\grpdata directory.

If you do not want to use an integrated scanner (refer to the list under "Notes on Virus Scanners" on page 224), proceed as follows:

1. Make sure that the iq.suite supports the desired virus scanner (refer to the list under "Virus Scanning" on page 222). If your virus scanner is not listed, please contact the GBS Support Team.

2. Install the virus scanner on the server.

3. Enable the virus scanner in the scan engine configuration: BASIC CONFIGURATION -> UTILITY SETTINGS -> SCAN ENGINES -> GENERAL TAB -> ENABLED: YES.

4. In the General and Options tabs, enter the values for your scan engine [72]. A list of return codes is available in the Details tab. Consider the scan engine descriptions in the sections below.

5. Disable the virus scanners that are not to be used for virus scanning: GENERAL TAB -> ENABLED: NO.

6. Test your scan engine for correct operation: IQ.SUITE MONITOR -> <SERVER NAME> -> SERVER STATUS -> TEST -> SCANNER TEST. If successful, an OK is returned along with a message saying that an EICAR test virus was found. The EICAR test virus is a harmless code string that cannot cause any damage to your environment.

8.2.3.3 Standard Tabs Virus Scanners

The following section provides a detailed description of the standard configuration options for all virus scanners. In the subsequent sections, only the particularities of the corresponding virus scanner are described.

[71] GBS Anti Virus Interface = GAVI
[72] For further information on configurable parameters, please refer to the third-party documentation of your virus scanner.
Enabled: Status of the virus scanner. To use a virus scanner, set this option to Yes.

GBS AV Interface: Name of the GBS Anti Virus Interface DLL. This DLL establishes the connection between the iq.suite and the virus scanner. This entry is preset for each virus scanner and must not be changed.

Parameter: Name of the parameter to be used by the virus scanner for scanning.

'Different clean parameter': To set the virus scanner so that emails or attachments are cleaned when a virus is detected, enable this option and specify the corresponding parameter in the Clean parameter field.

If you wish to use the scan engine for virus scanning only, use the Watchdog job Virus checking with AntiVir Engine and disable the Remove virus option in the Actions tab.

If the virus scanner is to clean any virus-infected files found, use the Watchdog job Virus checking and cleaning with AntiVir Engine. In this case, the field mentioned above needs to be enabled and the actions to be performed for infected emails must have been set accordingly.
Timeout: Enter the number of seconds after which an unsuccessful attempt to connect to the server is aborted (minimum: 60 seconds). Take into account the performance of your server. Recommended value: 60 to 120 seconds.

'Record detailed log data': Creates a log file with detailed processing data of the scanner, e.g. for troubleshooting.

'Allow multiple concurrent calls': Specifies that the scan engine can process several emails at the same time. The specific number of calls is set under IQ.SUITE SERVER -> PROPERTIES -> GENERAL TAB -> NUMBER OF THREADS. Refer to "Settings for an Individual iq.suite Server" on page 79.

The Return Code Settings tab provides the preconfigured return codes returned to the iq.suite. The value of the return code is used to trigger an action. For instance, emails with the return code "virus" are subjected to the actions configured for virus-infected emails. The meaning of the preconfigured codes can be found in the Details tab. Use the EDIT and ADD buttons to change or add return codes as required.

Virus scanners featuring this tab provide a mechanism used by the iq.suite to download the latest virus patterns and/or scanner version from the Internet. Virus scanners without this Update tab perform the required updates autonomously.
Update interval: Interval in minutes at which the program checks for pattern updates. Minimum: 15 minutes.

Update timeout: Period of time after which the update process is aborted. Minimum: 60 seconds. Recommended value: 60 to 120 seconds.

'Send admin notification on successful updates': In the case of update errors, notifications are sent automatically. To be notified on successful updates as well, enable this option.

'Don't update program data': No automatic engine or pattern updates will be performed.

'Update program data using predefined settings': Automatic engine or pattern updates are performed whenever the iq.suite finds a more recent data version. Downloading the most recent version is possible without further configuration.

'Update program data using customized settings':

   'Perform local update from (no proxy)': If the automatic engine or pattern update is to be controlled through a central server, use this field to specify the directory of the central server where the patterns are stored. The central server downloads the updates from the Internet and provides them to individual client computers as web server. This procedure uses the Internet Update Manager from Avira [73]. The client computers are provided with access to the patterns on the central server through a shared directory, for instance.

   'Download server uses proxy settings': If the automatic engine or pattern updates are to be downloaded from another server, use this field to specify the target address of this server. Under normal circumstances, the preconfigured Avira download server will be correct and should therefore not be changed.

Proxy Server Tab

Virus scanners featuring this tab can use a proxy server for updating the virus patterns. Select the desired proxy server:

'No proxy server': No proxy server is used.

'Proxy server of iq.suite Server': The proxy server used is the one defined for the iq.suite server. These proxy server settings can be set during the installation. Refer to "Installation of iq.suite on a Exchange Server", Step 9.

'Custom proxy server': The proxy server used is the one set in the BASIC CONFIGURATION. For further information on how to create a new proxy server, please refer to "Proxy Servers" on page 88.

[73] For further information on installing and setting up the Avira Internet Update Manager, please refer to the Avira website under www.avira.com.
8.2.3.4 Specialties of Avira Scan Engine

The virus scanner Avira Scan Engine is included as an integrated scanner in the installation package and is enabled by default [74].

The virus patterns required for virus scanning are updated regularly to ensure optimal virus protection against new malware. For this, the iq.suite downloads the new patterns provided by Avira from the Internet. The download interval is set in the Update tab. By default, the updated patterns are stored under \iq.suite\bin\savapi\update\extract [75]. Refer to "Standard Tabs Virus Scanners" on page 225.

If you wish to use a proxy server for downloading the pattern updates, select the proxy server in the Proxy Server tab. Refer to "Standard Tabs Virus Scanners" on page 225.

8.2.3.5 Specialties of McAfee Scan Engine

As of iq.suite Version 10.1, the McAfee Scan Engine can be used as an integrated scan engine directly after the iq.suite setup [76]. The required McAfee licence can be requested at the iq.suite licensing and must not be acquired separately.

As of iq.suite Version 10.1, the McAfee Scan Engine < 8.5 is no longer supported. Although the scanner will continue to work, virus scanning will achieve progressively worse test results, since the virus patterns used are no longer updated.

[74] For further information, please refer to the separate document on SAVAPI3.2. Download under www.gbs.com.
[75] For a description of a virus scanner's standard tabs, please refer to "Standard Tabs Virus Scanners" on page 225.
[76] For further information, please refer to the separate McAfee virus scanner document. Download under www.gbs.com.
The iq.suite downloads the initial virus patterns from the McAfee download area and checks this area regularly for updated patterns. This ensures optimal virus protection against new malware. The search interval for new patterns is set in the Update tab. Updated patterns are stored by default under \iq.suite\bin\mcafee3\update\extract.

If you wish to use a proxy server for downloading the pattern updates from the Internet, select the proxy server in the Proxy Server tab. Refer to "Standard Tabs Virus Scanners" on page 225.

8.2.3.6 Specialties of Sophos Scan Engine

Until iq.suite Version 11.0, the Sophos virus scanner was only available as an external scanner version ('Sophos External Scan Engine'). As of iq.suite Version 11.0, the Sophos Scan Engine can be used as an integrated scan engine directly after the iq.suite setup [77]. The required Sophos licence can be requested at the iq.suite licensing and must not be acquired separately.

The iq.suite downloads the initial virus patterns from the Sophos download area and checks this area regularly for updated engine and pattern files. This ensures optimal virus protection against new malware. The search interval for new patterns is set in the Update tab. Updated patterns are stored by default under \iq.suite\bin\savi\update.

If you wish to use a proxy server for downloading the pattern updates from the Internet, select the proxy server in the Proxy Server tab. Refer to "Standard Tabs Virus Scanners" on page 225.

8.2.3.7 Specialties of Norman External Scan Engine

The Norman External Scan Engine is found automatically. You only need to enable the scan engine [78].

[77] For further information, please refer to the separate Sophos virus scanner document. Download under www.gbs.com.
[78] For a description of a virus scanner's standard tabs, please refer to "Standard Tabs Virus Scanners" on page 225.
Parameters:
   /nodecomp: Do not scan compressed files.
   /norecursion: Do not scan compressed files within compressed files.

8.2.4 Sample Job: Checking Emails for Viruses

Copy the Virus Scanning With AntiVir Engine job to MAIL TRANSPORT JOBS. Activate the job [79].

8.2.4.1 Selecting Virus Scanners

In the Scan Engines tab, select the virus scanners used. The default setting is the AntiVir engine. If you have selected more than one virus scanner, you can change the order of the virus scanners to be used with the arrow keys (Up and Down). Click on the EDIT button to change the virus scanner configuration or click on SELECT:

[79] This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to "Standard Tabs of Mail Transport Jobs" on page 51.
You can also select several scan engines. To add scan engines, select them and use the arrow buttons to move them to the right field 'Selected Items' (or to the left field 'Available Items' to remove them). Selected virus scanners appear in the right window section. Alternatively, you can double-click on the scan engines to move them from left to right or vice versa.

To open the Basic Configuration settings for a selected scan engine, click on EDIT.

For the scan engine to work correctly, it must have been installed, configured and enabled. You can use iq.suite Monitor to test the scanner's functionality. Refer to "Enabling Virus Scanners" on page 224.

'At least one virus scanner must run error free' (default and recommended option): It is sufficient if only one of the virus scanners is able to scan the email. Thus, the email is delivered even if not checked by the other configured scanners (for instance due to a failure).

'All virus scanners must run error free': All defined virus scanners must scan the email. If one of the configured scanners fails or is disabled (and the email cannot be checked for that reason), the email is moved to the Badmail quarantine.
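The two options above differ only in what happens when a configured scanner cannot scan an email. The following Python model is an added illustration, not iq.suite code: the engine names, return codes and action labels are constructed, and it assumes that a virus finding by any engine takes precedence and that an email no engine could scan goes to the Badmail quarantine.

```python
"""Model of combining several scan engines' results under the two
failure-handling options. Added illustration, not iq.suite code."""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    CLEAN = "clean"
    VIRUS = "virus"
    ERROR = "error"  # engine failed, timed out, is disabled, or returned an unmapped code


class Mode(Enum):
    AT_LEAST_ONE = "At least one virus scanner must run error free"
    ALL = "All virus scanners must run error free"


# Constructed return-code tables for two hypothetical engines. The real codes
# of a scan engine are listed in its own configuration tabs.
RETURN_CODES = {
    "engine_a": {0: Verdict.CLEAN, 1: Verdict.VIRUS},
    "engine_b": {0: Verdict.CLEAN, 3: Verdict.VIRUS},
}


def classify(engine, code):
    """Map a raw return code to a verdict. No answer (None) or an unknown
    code is treated as an engine error, never as 'clean'."""
    if code is None:
        return Verdict.ERROR
    return RETURN_CODES.get(engine, {}).get(code, Verdict.ERROR)


@dataclass
class Decision:
    action: str       # "deliver", "virus_actions" or "badmail_quarantine"
    scanned_by: list  # engines that returned a usable verdict
    failed: list      # engines that did not

    @property
    def coverage_gap(self):
        """True when the email is delivered although a configured engine did not scan it."""
        return self.action == "deliver" and bool(self.failed)


def decide(results, mode):
    """results: {engine name: raw return code or None}; mode: a Mode member."""
    verdicts = {engine: classify(engine, code) for engine, code in results.items()}
    failed = sorted(e for e, v in verdicts.items() if v is Verdict.ERROR)
    scanned_by = sorted(e for e, v in verdicts.items() if v is not Verdict.ERROR)

    if Verdict.VIRUS in verdicts.values():
        action = "virus_actions"       # assumption: any finding wins over engine errors
    elif not scanned_by:
        action = "badmail_quarantine"  # assumption: nobody scanned it, so never deliver
    elif failed and mode is Mode.ALL:
        action = "badmail_quarantine"  # fail closed: one failed engine blocks delivery
    else:
        action = "deliver"             # fail open in AT_LEAST_ONE mode if failed is non-empty
    return Decision(action, scanned_by, failed)


# Constructed sample: engine_b times out (None) while engine_a reports clean.
SAMPLE = {"engine_a": 0, "engine_b": None}

if __name__ == "__main__":
    for mode in Mode:
        d = decide(SAMPLE, mode)
        print(f"{mode.value}: {d.action}, failed={d.failed}, coverage_gap={d.coverage_gap}")
```

With the default option, the sample email is delivered with a coverage gap; this is the case worth alerting on when several engines are configured.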
Emails identified as virus-infected are never delivered to the recipient if you have selected the Delete email option under ACTIONS TAB -> VIRUS FOUND/REMOVING NOT SUCCESSFUL.

8.2.4.2 Defining Actions

In the Actions tab, specify the actions to be taken when the job finds a virus-infected email:

This job scans emails for viruses but does not attempt to clean infected emails and attachments. Though all virus scanners are capable of cleaning infected objects, it is advisable to quarantine infected attachments immediately, as, in practice, viruses are usually received in spam and are therefore not to be delivered to the recipients.
As the job is to perform a virus scan only, select the engine under BASIC CONFIGURATION -> UTILITY SETTINGS -> SCAN ENGINES and disable the 'Alternative clean parameter' option. Enable this option only if the job is to clean the virus-infected email or file attachment.

Scan options:

   'Extra archive scan with iq.suite unpacker': If you are using a virus scanner that does not have an integrated unpacker, enable this option. An integrated unpacker will then extract the compressed files before passing them to the virus scanner.

   'Scan e-mail body' (recommended option): Enable this option to check the message body for viruses.

VIRUS FOUND/REMOVING NOT SUCCESSFUL: Define the actions to be performed if a virus was found but the iq.suite should not try to remove this virus. By default, a copy of the blocked email is quarantined and the affected file attachments are removed. The email is only delivered to the recipients if the message body was virus-free and the file attachment could be removed. The administrator is informed about the detected virus by a notification.

Remove Virus: Define whether the iq.suite is to try to remove a detected virus. If this option is enabled, define under VIRUS WAS REMOVED the actions to be executed when the virus could be removed successfully.

Object unscannable: Define the actions to be executed on objects that cannot be scanned by the iq.suite, e.g. due to an unknown format. By default, the administrator is notified in case of an unscannable object.

Check whether the virus-infected emails addressed to your company are often also spam. If they are, it is best to delete the entire email and not just the file attachment. This saves filtering of the remaining message body. Thus, subsequent jobs do not have to process the email, and server load is reduced.
8.2.5 Sample Job: Virus Scan in the Information Store

8.2.5.1 Create EWS User (as of Exchange Server 2013)

For Microsoft Exchange Server as of 2013, a separate EWS user with certain access rights must be created. For Microsoft Exchange Server < 2013 this user is not required; in that case, proceed with chapter "Configure the Information Store Job" on page 237.

Create an EWS user with certain access rights:

1. Open the Exchange Management Console, e.g. via https://localhost/ecp.

2. Create a new user (including mailbox). In this example the user is called <ews_user>:
3. Open the Exchange Management Shell and provide the user with the required rights by calling the SetEWSPermissions.ps1 script in the GBS/iQ.Suite/Bin directory. To set the access rights on the Exchange server, enter the following:

      SetEWSPermissions.ps1 -User <user name>        (without domain)

   Example:

      SetEWSPermissions.ps1 -User ews_user

   The required access rights for the EWS user are set.

   Access rights can only be set for public folders that are currently available in the Information Store. When changing the database-related settings for the public folders (e.g. adding a new folder), the script must be executed again to set the required rights for the changed elements.

4. Specify the EWS user including the password in the iq.suite Servers settings: GENERAL SETTINGS -> IQ.SUITE SERVERS SETTINGS -> OPTIONS TAB. Enter the user name including the domain, e.g. ews_user@mydomain.com.

8.2.5.2 Configure the Information Store Job

Open the server's Information Store job: POLICY CONFIGURATION -> INFORMATION STORE JOB.

When you enable or disable the Information Store scan job, for Exchange servers < 2013 it takes up to two minutes for the Exchange Store to register the change.

8.2.5.2.1 General Settings

In the General tab, you can enable the Information Store scan for both the private and the public Information Store.
Enabled: Activate the Information Store job, so that certain options which are grayed out by default become active.

Select Information Stores to scan: Select the parts of the Information Store whose elements are to be scanned for viruses.

Virus Scan: Since Microsoft is no longer supporting the VSAPI interface, the procedure for scanning the Information Store for viruses has been changed for Microsoft Exchange Server 2013. For Exchange server versions 2013, the iq.suite uses the EWS interface instead of VSAPI. Please note that no real-time scanning is provided for EWS. We recommend using both the scheduled scanning method and the option to start Information Store scanning manually. Refer to "Information Store Scan Tab" on page 130.

Scan mode:

   'Realtime': New incoming emails are scanned in real-time before a client is given access. If a client attempts to open an email, a comparison is carried out to ensure that all elements (message body and file attachments) have already been scanned by the current virus signature file. If this scan did not take place, the corresponding element is sent to the virus scanner before it is finally forwarded to the client. You can use a schedule to configure this analysis method to only be used during a particular time frame, if necessary.

   'Scheduled': Using a scheduled scan, it is possible to trigger a scan of the public and/or private Information Store within a configurable time frame. The scan cycle for the entire Information Store can sometimes be very intensive in terms of system load and time, so schedules can be used to shift the times to the beginnings or ends of days or to weekends to reduce delays in responding to client queries. The start time and duration of the scan cycle are specified in the schedule. The scan is terminated after this period expires, regardless of whether all elements have already been scanned or not. The scan cycle will restart when the next start time comes around. This scan method may find useful application in configurations where emails were already scanned for viruses upon receipt by a Watchdog job.

   For Microsoft Exchange Server < 2013, checked elements are not checked again by subsequent Information Store scans. As of Microsoft Exchange Server 2013, this procedure has been changed by Microsoft. Now, the elements are scanned one after another in the order in which they are found. If required, set the scan duration to a higher value to ensure that all elements can be scanned within the defined scan interval.

Rescan times for realtime scanning: Enter the times or the scan periods in which the virus scan takes place. Click on ADD.

   Real-time virus scan: Enter the scan start time for the virus scan. The Information Store scan starts at a particular time and ends when the last element has been processed.

   Scheduled virus scan: Enter the scan start time and scan duration for the virus scan. The duration of the Information Store scan depends on the application environment in use. Indicators for appropriate settings may be found in the event log.
Note that the Information Store scan starts at the specified time and ends after the specified scan duration ends, no matter whether all elements have been completely scanned yet or not.
8.2.5.2.2 Options

'Job is mission critical': This option in Information Store jobs behaves identically to the same option for mail transport jobs. See "Options" on page 53.

'Use SMTP server to send notifications': As soon as an Information Store job finds a virus, or as soon as an object cannot be scanned, a notification may be sent to the administrator. In the following cases it is only possible to send these notifications over the SMTP protocol:
- The iq.suite is running on a Microsoft Exchange Server 2007/2010 without a Hub Transport Server role.
- The iq.suite is running on a Microsoft Exchange Server 2013 or higher without a Client Access role.
For such cases, enter the authentication data for the SMTP server (name or IP address or name and port number).

8.2.5.2.3 Selecting Scan Engines

Proceed as described under "Selecting Virus Scanners" on page 232.
8.2.5.2.4 Defining Actions

Use the Actions tab to set the actions to be performed if the job detects a virus-infected email:

'Extra archive scan with iq.suite unpacker': If you are using a virus scanner that does not have an integrated unpacker, enable this option. An integrated unpacker will then extract the compressed files before passing them to the virus scanner.

VIRUS FOUND/REMOVING NOT SUCCESSFUL: Specify the actions to be performed if a virus was found and the file could not be cleaned:
Specify whether a copy of the object is to be quarantined and provided with a label. A separate default quarantine is available for the Information Store scan.

With the Information Store scan option, the following actions can be performed:

block object: The functionality of this option depends on the Exchange server version:
- For Microsoft Exchange servers < 2013, access to emails with virus-infected objects is denied. Current Microsoft email clients generate an error message when the user tries to open a blocked email. The blocked email can always be deleted from the client, however. Please note that emails blocked by the Information Store scan might cause error messages while saving the Information Store data.
- For Microsoft Exchange servers 2013, access to emails with virus-infected objects is not denied and the email clients do not generate messages. As a result, users may open emails with virus-infected objects. iq.suite processes virus-infected emails in the same way as with the treat as uninfected option; however, infected objects are described in the scan report of the Information Store scan (iq.suite Monitor).
replace with: You can replace infected elements (e.g. an attachment) with an information text. The infected element is then deleted.

treat as uninfected: For testing purposes, it may be reasonable not to flag an infected element as infected. Subsequent virus scans will then find the virus again. This action is intended for testing only, as it provides no protection for users and the system.

Send... to Administrator: A notification will be sent to the administrator(s).

Use the ADD button to define further actions, for instance sending notifications to other users or starting an external application.

REMOVING SUCCESSFUL: Define the actions to be performed if the file was cleaned successfully.

Copy infected item to Quarantine: Specify whether a copy of the object is to be quarantined and labeled. The copy is created before cleaning so that the object is quarantined in its original state.

Send... to Administrator: Define whether a notification is to be sent to the administrator(s).

OBJECT UNSCANNABLE: This option controls the behavior of the iq.suite when it finds encrypted objects, which obviously cannot be opened and checked for viruses.
In the Information Store scan field, select one of the following options:

Use standard procedure: The object is treated in the standard way, as configured under GENERAL SETTINGS -> IQ.SUITE SERVER SETTINGS for "unscannable objects".

treat as error: The functionality of this option depends on the Exchange server version:
- For Microsoft Exchange servers < 2013, the object will be rescanned with the next scan. If previous scans have not treated the object as uninfected, access is denied.
- For Microsoft Exchange servers 2013, the object is treated as described for the treat as uninfected option.

treat as uninfected: The object is treated as if it were virus-free. It is not rescanned before virus scanning is restarted.

In addition, you can send a notification to the administrator as well as set further actions by clicking on the ADD button.

After having configured the Information Store job, the job starts according to the server settings [80]. As an alternative, you can initiate the Information Store scan manually [81].

[80] Refer to Virus Scanning in the Information Store on page 223.
8.2.6 Sample Job: Checking Password-Protected Archives for Viruses

For iq.suite jobs to be able to process emails, the emails need to be fully unpacked (including all attachments), which is impossible for password-protected archives such as ZIP files. Therefore, emails with such attachments are systematically blocked as being "unscannable" and moved to the iq.suite Badmail quarantine. Refer to Badmails on page 140.

To be able to handle password-protected archives in a rule-based way, use the Watchdog Protected Attachment Detection job. This job is designed to process emails with password-protected archives: it marks the archives as "unscannable" and performs the actions set in the Actions tab. This allows a subsequent antivirus job to ignore the scan error codes returned by the virus scanner. In this way, password-protected archives can be checked according to specific rules. For instance, such emails can be blocked for certain persons/groups only.

Moving the emails to the Badmail quarantine can be globally disabled using the iq.suite Server settings. Refer to Packed Files and iq.suite Monitor on page 72.

Make sure that, in the job chain, the Watchdog Protected Attachment Detection job is started before the virus scanning job.

Job configuration

Copy the Watchdog Protected Attachment Detection job to MAIL-TRANSPORT JOBS. Activate the job [82].

As preconfigured, this job adds information to the email subject and sends a notification to the administrator. A copy of the email is stored in the default quarantine. However, the email is not blocked (Delete email disabled). Depending on the configuration, the email is passed to a virus scan job and then delivered.

[81] Refer to Information Store Scan Tab on page 130.
[82] This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
If emails are to be blocked and not delivered to their recipients, enable the Delete email option. In this case, the email is kept in the default quarantine until checked and released by the administrator.

8.3 File Restrictions for Attachments

8.3.1 Notes on File Restrictions

iq.suite Watchdog is used primarily for virus scanning. In addition, emails that match the file restrictions defined in a job can be blocked:
- Blocking emails that contain certain attachment types, e.g. multimedia data or prohibited MS Office documents.
- Blocking emails that exceed the allowed file size.
- Blocking emails that contain certain attachment types and the attachments exceed the allowed file size.

Blocking emails that contain certain attachment types

The file needs to be identified by iq.suite Watchdog. To do so, Watchdog checks the file's fingerprints [83], which contain the binary file patterns. These patterns identify the file. The result of the analysis is compared with the file restrictions defined in the job, and the email is blocked or delivered accordingly.

For denied files, the job actions are performed, for instance for an email with a denied attachment:
- The email is quarantined and not delivered to the recipients.
- The denied attachments are deleted. Then the email is delivered to the recipients.
- The email is deleted.

In addition, further job actions can be performed, e.g.:
- Add a subject extension, e.g. <prohibited attachment found> in the subject field of a quarantined email.
- Notify the administrator, the sender and/or the recipient.

[83] For further information on the configuration of fingerprints, please refer to Fingerprints on page 248.
- Notify any other, user-definable persons.
- etc.

The iq.suite standard configuration contains various sample jobs for file restrictions (refer to SAMPLE JOBS). Use the sample jobs or define new ones, using the job type Watchdog Attachment Filtering. To block emails with attachments that exceed a certain file size, use a job of the type Watchdog Attachment/Size Filtering.

For a detailed job description, please refer to Sample Job: Denying File Attachments by Type on page 254.

Blocking emails of a certain file size

An email can be blocked by analyzing the email's file size. If the allowed size is exceeded, the email is blocked. Use the sample jobs under SAMPLE JOBS or define a new one, using the job type Watchdog E-Mail Size Filtering. To block emails with attachments that exceed a certain file size, use a job of the type Watchdog Attachment/Size Filtering.

For a detailed job description, please refer to Sample Job: Limiting Email Size on page 257.

Blocking emails with attachments of a certain type and size

An email can be blocked by analyzing the type and size of the file attachments. For this, use a job of the type Watchdog Attachment/Size Filtering. The maximum attachment size is specified in the Fingerprint/Size tab. This job can check and deny attachment types while at the same time filtering by attachment size.
8.3.2 Fingerprints

8.3.2.1 Configure Fingerprint Categories

To be able to block emails that contain attachments of a certain file type, the denied file types have to be defined. Fingerprints are used for this. The iq.suite standard configuration contains various fingerprint definitions that are classified in individual fingerprint categories. For example, the fingerprint category IMAGES contains fingerprints for Bitmaps, GIFs, JPGs, etc.

A fingerprint can be used in various fingerprint categories. To assign a fingerprint to a new fingerprint category, proceed as follows:

1. Create a new fingerprint category: BASIC CONFIGURATION -> UTILITY SETTINGS -> FINGERPRINTS -> RIGHT-CLICK -> NEW -> FINGERPRINT CATEGORY.
2. Name the category and confirm with OK. The new category is created.
3. To copy existing fingerprints, drag and drop the desired fingerprint to the new category while holding down the CTRL key. A plus sign then appears in the cursor.

If you don't hold down the CTRL key, the fingerprints are moved, not copied! Exceptions: To copy fingerprints from the ALL FINGERPRINTS category, drag and drop them to the desired category.

When you delete a fingerprint from any category with the DEL key, it is permanently deleted and cannot be restored. To remove a fingerprint from a category without permanently deleting it, right-click it and select REMOVE FINGERPRINT(S) FROM THIS CATEGORY. Make sure that the fingerprints you want to delete or remove are no longer used by an iq.suite job.

8.3.2.2 Defining New Fingerprints

The Name Pattern identifies an attachment by means of its file name and/or its file extension, e.g. Att01.cdf or *.cdf.
Name patterns can be used to quickly react to new virus attacks even before a virus pattern update is available from the manufacturer of your anti-virus application. In such a case, define a new fingerprint with the virus name pattern and include it in a Watchdog Attachment Filtering job. You can also block individual files. If your company employs custom software that uses its own file formats, you can also create fingerprints for these files, which you can use, for instance, to prevent files of this type from being sent as email attachments to recipients outside the company.

The Binary Pattern identifies a file attachment by means of distinct binary file data. The binary pattern, defined in the fingerprint as a hexadecimal value, is searched for in the file. If this pattern is found, the file is blocked by the job that uses the fingerprint.

In the fingerprint's Jobs tab, the jobs that use the fingerprint are listed.

Unlike name patterns, a binary pattern represents a distinct mapping to a file format and is therefore not so easily manipulated.

8.3.2.3 Creating Fingerprints with Name Patterns

If a file's binary pattern is unknown, it can be identified using a name pattern. To create a new fingerprint, proceed as follows:

1. Click on BASIC CONFIGURATION -> UTILITY SETTINGS -> FINGERPRINTS -> <FINGERPRINT CATEGORY> -> RIGHT-CLICK -> NEW -> FINGERPRINT.
2. Name the fingerprint:
In this example, the fingerprint is assigned to the fingerprint category FONTS.

3. Open the Pattern Settings tab:
a) If you select the Check Binary and Name Pattern option, both the filename pattern and the binary pattern of the checked file must correspond with the data in the fingerprint properties. If you have not selected this option, but both patterns have been specified in the fingerprint properties, only one of the patterns must match to identify the file format. For further information on entering name and binary patterns, please refer to Selecting Fingerprints on page 254.

b) Under Name Pattern, enter the file extension for the file. Separate multiple entries with a semicolon (;). The asterisk (*) can be used as placeholder, e.g. *.cfd. If you enter a complete file name, e.g. Att01.cdf, only files that contain this string are found. Leave the Name Pattern field empty if only the binary pattern is to be checked.

4. Save the fingerprint and include it in a job.

To extend the fingerprint with a binary pattern, proceed as described under Creating Binary Patterns for Fingerprints on page 251.

8.3.2.4 Creating Binary Patterns for Fingerprints

If you want to create additional fingerprints with binary patterns, you need the hexadecimal values of the file to be detected. For this, please contact the manufacturer of the software to which the file type applies.

To create a fingerprint with a binary pattern, proceed as follows:

1. Open the Pattern Settings tab and click on the ADD button:
Binary patterns contain a start position and an end position that define the search section within the file, and the hexadecimal value that defines the search pattern.

The Start position defines the position within a file from which a pattern search is performed. The position of the first byte in the file corresponds to offset 1. The second byte corresponds to offset 2, etc.

The End position defines the position within a file up to which the pattern search is performed. The end position is the offset up to which the pattern has to be found.

If the start position or the end position is prefixed with a minus sign, the bytes are counted in reverse. The entry -1, for instance, is the last byte of the file, -2 would then be the last but one byte, etc.

A start position of 1 and an end position of -1 means that the entire file will be searched for the specified pattern. For instance, with 11 as start position and -10 as end position, the search is performed from the eleventh byte to the tenth byte from the end. You can also enter two negative values, for instance -6 as start position and -1 as end position. The search is then performed from the last byte to the sixth from last byte.

You cannot enter a negative start position and a positive end position.

The binary pattern defined under Hexadecimal Values is searched for in the file between the start position and the end position. In this example, the hexadecimal value 42 4D, which is part of a BMP file, is searched for.
A fingerprint can consist of several binary patterns. For example, to identify the BMP file mentioned above, not only the string 42 4D is required but the hexadecimal value 00000000 as well. To complete the binary pattern for a BMP file, you must add one more entry with the ADD button. Only when both binary patterns are found in a file does the file match the pattern and can it be identified as a BMP file.

For further information on the Name and binary pattern have to match option, please refer to Fingerprints on page 248.

When defining the start and end position, please note that the server load increases with the number of bytes to be evaluated. For example, with the setting Start position 1 and End position -1, the server load is much higher than with the setting Start position 1 and End position 4. With the first setting, each file is searched completely; with the other setting, only the first 4 bytes of a file are scanned.

Example of a Simple Fingerprint: ZIP file

Start   End   Hex value
1       4     504B0304

Example of a More Complex Fingerprint: Windows Meta File

Start   End   Hex value
1       13    576F72642E446F63756D656E74
1       -1    57006F007200640044006F00630075006D0065006E0074
1       10    D0CF11E0A1B11AE10000
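The matching rules described above (1-based and negative positions, several binary patterns per fingerprint, and the Check Binary and Name Pattern option) can be modelled in a few lines. This is an added example, not iq.suite code: all class and function names are hypothetical, name entries are treated as case-insensitive globs, the byte positions of the BMP-like fingerprint are assumed, and the sample files are constructed. It also shows why a name-only fingerprint misses an archive that has simply been renamed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class BinaryPattern:
    start: int       # 1 = first byte; negative values count from the end (-1 = last byte)
    end: int         # offset up to which the whole pattern has to be found
    hex_value: str   # e.g. "504B0304"


@dataclass(frozen=True)
class Fingerprint:
    name: str
    name_pattern: str = ""               # e.g. "*.zip;*.jar"; empty = binary pattern only
    binary_patterns: tuple = ()          # every listed pattern has to be found
    check_binary_and_name: bool = False  # models "Check Binary and Name Pattern"


def valid_range(p: BinaryPattern) -> bool:
    """Offsets start at 1; a negative start with a positive end is not allowed."""
    return p.start != 0 and p.end != 0 and not (p.start < 0 < p.end)


def to_index(pos: int, size: int) -> int:
    """Convert a 1-based or negative (from the end) position to a 0-based index."""
    return pos - 1 if pos > 0 else size + pos


def binary_pattern_matches(p: BinaryPattern, data: bytes) -> bool:
    if not valid_range(p):
        raise ValueError(f"invalid search section {p.start}..{p.end}")
    needle = bytes.fromhex(p.hex_value)
    if not needle:
        raise ValueError("empty hexadecimal value")
    lo = max(to_index(p.start, len(data)), 0)
    hi = min(to_index(p.end, len(data)), len(data) - 1)
    if hi < lo:
        return False  # file too short for this search section
    # The whole pattern has to lie between the start and the end position.
    return data.find(needle, lo, hi + 1) != -1


def name_matches(fp: Fingerprint, filename: str) -> bool:
    # Assumption: entries are semicolon-separated, case-insensitive globs.
    entries = [e.strip().lower() for e in fp.name_pattern.split(";") if e.strip()]
    return any(fnmatchcase(filename.lower(), e) for e in entries)


def fingerprint_matches(fp: Fingerprint, filename: str, data: bytes) -> bool:
    has_name = bool(fp.name_pattern.strip())
    has_binary = bool(fp.binary_patterns)
    name_hit = has_name and name_matches(fp, filename)
    binary_hit = has_binary and all(
        binary_pattern_matches(p, data) for p in fp.binary_patterns)
    if fp.check_binary_and_name and has_name and has_binary:
        return name_hit and binary_hit   # option selected: both have to match
    return name_hit or binary_hit        # otherwise one match is enough


# Constructed sample files (not real attachments).
ZIP_SAMPLE = bytes.fromhex("504B0304") + b"\x14\x00" + bytes(24)
TEXT_SAMPLE = b"plain text, no archive header\n"
BMP_SAMPLE = (b"BM" + (54).to_bytes(4, "little") + bytes(4)
              + (54).to_bytes(4, "little") + bytes(40))

ZIP_PATTERN = BinaryPattern(1, 4, "504B0304")   # the ZIP row from the table above
ZIP_BY_NAME = Fingerprint("ZIP (name only)", "*.zip")
ZIP_BY_BINARY = Fingerprint("ZIP", "*.zip", (ZIP_PATTERN,))
ZIP_STRICT = Fingerprint("ZIP (both)", "*.zip", (ZIP_PATTERN,), True)
# Two patterns, both required. The positions are assumptions, not from the manual.
BMP_LIKE = Fingerprint("BMP-like", "", (BinaryPattern(1, 2, "42 4D"),
                                        BinaryPattern(7, 10, "00000000")))


def demo() -> dict:
    files = [("invoice.zip", ZIP_SAMPLE), ("invoice.txt", ZIP_SAMPLE),
             ("notes.zip", TEXT_SAMPLE)]
    return {(fp.name, fname): fingerprint_matches(fp, fname, data)
            for fp in (ZIP_BY_NAME, ZIP_BY_BINARY, ZIP_STRICT)
            for fname, data in files}


if __name__ == "__main__":
    for (fp_name, fname), hit in demo().items():
        print(f"{fp_name:16} {fname:12} {'denied' if hit else 'passes'}")
```
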
8.3.3 Sample Job: Denying File Attachments by Type

Copy the Block Video Files job to MAIL TRANSPORT JOBS. Activate the job [84].

8.3.3.1 Selecting Fingerprints

Open the Fingerprints tab:

a) Scan inside compressed attachments: The software also checks compressed attachments (e.g. ZIP or RAR archives) for prohibited files. If a prohibited file attachment is detected, the entire compressed file is blocked. If this option is disabled, only the archive (in this case the ZIP file itself) is analyzed.

b) Ignore inline attachments: File attachments detected as inline attachments (content disposition type) can be excluded from search. For this, enable this option.

[84] This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
c) Fingerprint conditions: Click on Video or No fingerprints selected to select a fingerprint category or an individual fingerprint from the list [85]. The following view appears:

Use the ADD and REMOVE buttons to assign entire categories or individual fingerprints to the list of denied and/or allowed fingerprints. You can enter a category such as VIDEO under Denied Fingerprints and define one or more fingerprints from that category as exception under Allowed Fingerprints. To keep a clear overview, do not use the same job for too many categories.

8.3.3.2 Defining Actions

In the Actions tab, specify the actions to be performed when the job finds an attachment with a denied fingerprint.

[85] For further information on fingerprints, please refer to Fingerprints on page 248.
In this example, a copy of the email is quarantined and the virus-infected attachments are deleted. The email is delivered to its recipient, but the denied attachments are removed. A notification of the denied fingerprint is sent to the administrator.

Click on the ADD button to define further actions.
8.3.4 Sample Job: Limiting Email Size

Copy the Block Emails Larger 100 MB job to MAIL TRANSPORT JOBS. Activate the job [86].

The email size limit applies to the email as a whole, including subject, message body, header and attachments.

8.3.4.1 Specifying Email Size

In the Email Size tab, enter the email size limit in kilobytes:

With the setting above, the maximum allowed size of each incoming or outgoing email is 100 000 kilobytes.

[86] This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
8.3.4.2 Defining Actions

In the Actions tab, specify the actions to be performed when the job finds an email that exceeds the maximum size:

In this example, a copy of the email is placed in quarantine and the email is deleted without being delivered to its recipient. A notification of the excessive email size is sent to the administrator.

Click on the ADD button to define further actions.
8.3.5 Sample Job: Denying Attachment Types and Sizes

Under POLICY CONFIGURATION -> SAMPLE JOBS, you will find a number of preconfigured jobs for blocking various file formats and sizes:
- Block Office Files > 10 MB
- Block Sound Files > 5 MB
- Block Video Files > 5 MB

Unlike checking the email size, checking the format and the size of attachments applies to attachments only. Neither the subject nor the message body nor the email header is taken into account.

Copy the Block Office Files > 10 MB job to MAIL TRANSPORT JOBS. Activate the job [87].

8.3.5.1 Specifying Fingerprint and Size

In the Fingerprint/Size tab, enter the maximum allowed email size and the fingerprint format:

[87] This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
Unlike for simple fingerprint checking, the Scan inside compressed attachments option is not available here. To limit the size of compressed files, enter their formats in this job.

Fingerprint/Size conditions: To specify the size in kilobytes, click on 10 000. To select a fingerprint category, an individual fingerprint or the maximum size from the list of fingerprints, click on Microsoft Office [88]. The following view is displayed:

Use the ADD and REMOVE buttons to assign entire categories or individual fingerprints to the list of denied and/or allowed fingerprints. You can enter a category under Denied Fingerprints and define one or more fingerprints from that category as exception under Allowed Fingerprints. To keep a clear overview, do not use the same job for too many categories.

[88] For further information on fingerprints and on entering name and binary patterns, please refer to Fingerprints on page 248.
8.3.5.2 Defining Actions

In the Actions tab, specify the actions to be performed when the job finds an email that is denied by an Attachment/Size job:

In this example, a copy of the email is quarantined, the virus-infected attachments are deleted, and the email is delivered without its attachments. A notification of the restriction is sent to the administrator. You can select this notification from the drop-down list of available notification templates [89].

[89] Refer to Creating Notification Templates on page 94.
9 iq.suite Wall

iq.suite Wall is used to scan emails and file attachments for spam or unwanted content before they are sent to the recipient and to quarantine them if necessary. Quarantine summary notifications regularly inform end users about the emails that have been quarantined for them. Targeted address analysis and classification are used to restrict incoming or outgoing email addresses as well as limit the number of recipients per email.

In addition to using spam pattern analysis, the iq.suite Wall content analysis can be used to analyze emails for specific content and to block them if they violate company policy. Content analysis is also useful for externally addressed emails in order to ensure that outgoing emails conform to the internal security level.

Job Types

- Address filtering: Job type Wall Email Address Filtering
- Content filtering: Job type Wall Content Filtering
- Spam filtering: Job type Wall Spam Filtering
- Text classification with CORE: Job type Wall CORE Classification
- Restrict number of recipients: Job type Wall Recipient Limit Filtering
- Credit card number filtering: Job type Wall Credit Card Number Filtering
9.1 Spam Protection Overview

iq.suite Wall provides comprehensive protection against spam through a wide range of analysis methods. To ensure efficient, high-performance spam protection, we recommend using these methods in combination:

9.1.1 Address Filtering (Blacklists and Whitelists)

An address analysis job prevents emails from known unsolicited senders from being delivered to the recipients. The unrequested email addresses or entire domains are entered in a blacklist that is used as a filter. On the other hand, an address analysis can also be used to exclude emails from spam analysis if they come from known "acceptable" senders. Such addresses are entered in whitelists.

How blocked emails are further processed (e.g. deleted or quarantined) depends on the job configuration. If they are quarantined, the recipient decides what to do with the email (deliver, delete, etc.) and how future emails from this sender are to be handled. To do so, he/she can add the sender's address to his/her personal blacklist or whitelist (User Blacklist/User Whitelist).

For further information, please refer to Address Filtering (Blacklists and Whitelists) on page 264.

9.1.2 Spam Filtering Job

The Wall Spam Filtering job checks emails for typical spam features. For this, the job distinguishes between definite criteria and combined criteria. Definite criteria classify the email as either 100% spam or 100% non-spam. The combined criteria are used to calculate how likely it is that the email checked is spam (spam probability). The more combined criteria are used, the higher the probability of classifying emails as either spam or non-spam.

For further information, please refer to CORE Classification on page 309.
9.1.3 Spam Analyzer

Spam analysis can be performed through anti-spam engines from third-party manufacturers. In the iq.suite, the engines are provided as analyzers. In general, these analyzers don't have to be modified. For configuration, sample jobs are available.

For further information, please refer to CORE Classification on page 309.

9.1.4 Text Analysis

Dictionaries offer a way of checking email content for unwanted words. Whenever a configured maximum number of occurrences of search terms listed in the dictionary is exceeded, the email is classified as spam.

For further information, please refer to Text Analysis with Dictionaries on page 298.

Besides using dictionaries, a text analysis can also be performed using the CORE Analyzer (COntent Recognition Engine), which also analyzes and classifies email content. With CORE, the text analysis is based on a statistical learning theory for text classification, where a representative set of incoming and outgoing emails (including spam) is analyzed and then used to train a classifier. When combined with the filtering methods above, CORE contributes to a significantly higher spam recognition rate.

For further information, please refer to Using CORE for Spam Filtering on page 310 and Using CORE for Content Classification on page 312.
9.2 Address Filtering

The Wall E-Mail Address Filtering job focuses on the senders and recipients of the emails. You can deny specific senders, so that no email from these addresses is delivered to your users, and you can deny specific recipients, so that none of your employees (or only selected people) can send email to them. Moreover, this job type allows you to limit the number of recipients for each email to prevent mass mailing. With regular expressions, complex text replacements can be performed (e.g. modifications of the email's address properties).

9.2.1 Blocking Email Addresses

9.2.1.1 Sample Job: Blocking Certain Sender Addresses

To block emails from known spam domains or other unsolicited senders, use the sample job Block Specific Sender Addresses. This job contains a blacklist with email addresses from domains known as spam domains. Emails from sender addresses listed in the blacklist are blocked and quarantined.

Please note that the provided list of spam domains is not a recommendation from GBS and the information is not kept up-to-date. The list simply provides a basis for your own configurations. Therefore, check the entries and change them as required.

1. Copy the Block Specific Sender Addresses job to MAIL TRANSPORT JOBS. Activate the job [90].
2. Open the Addresses tab. If required, modify the default settings.
   a) To add addresses to the blacklist manually, click on ANTI-SPAM: BLACKLIST -> USER-DEFINED ADDRESS LISTS -> ANTI-SPAM: BLACKLIST -> EDIT BUTTON [91].

[90] This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
[91] Refer to Creating, Editing and Deleting Custom Address Lists on page 89.
   b) To add addresses to the blacklist automatically, this action has to be enabled in at least one job, e.g. in the sample job Block Offensive Language: In the Actions tab, enable the Add email sender/recipient to user list Blacklist option. As soon as an email is quarantined by this job, the sender address is added to the blacklist.
3. For the internal users, configure a quarantine summary notification including blacklist and whitelist functionality. With this, your employees can add a sender address to their user whitelist from within the quarantine summary notification. The recipients of the summary notification can react to emails that were falsely classified as spam and quarantined. Emails from senders listed on the user's whitelist will not be quarantined in the future [92].

9.2.2 Replacing Text with Regular Expressions

Wall E-Mail Address Filtering jobs can be used not only for email blocking but also for complex text replacements. With regular expressions, email processing can be controlled and email properties can be modified. For this, the email fields are checked for specific patterns defined as regular expressions. When a match is found in an email field, it is replaced with the defined replacement text.

Regular expressions can also be used in job conditions. Whenever a search pattern defined in the conditions is found, the job is either executed or ignored, as configured.

Possible applications:
- Modify sender or recipient address (SMTP Envelope)
- Modify email header
- Modify email body
- Redirect emails based on email content

[92] Refer to Defining Quarantine Summary Notifications on page 118.
Wall Address Filtering jobs do not allow search and replace functionality within file attachments. For this, use the Wall Advanced Action job. Refer to Text Analysis with Regular Expressions (Advanced Actions) on page 317.

We support the ICU library functionality. Make sure that the regular expressions defined comply with this syntax. Please note that, by default, the syntax is not case-sensitive.

9.2.2.1 Sample Job: Replacing Domains

The following describes how to modify the domain of the SMTP recipient address of an incoming email. Changing the SMTP sender address for outgoing emails works in the same way.

Copy the Wall E-Mail Address Filtering job to MAIL TRANSPORT JOBS. Activate the job [93].

9.2.2.1.1 Setting the Regular Expression

Click in the Regular Expression tab on SMTP RECIPIENT -> ADD:

[93] This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
Regular Expression: Set the search pattern as regular expression. This pattern is searched for in recipient addresses in the SMTP Envelope of the email.

Replacement Text: Set the replacement text as regular expression. If a match is found, the pattern found is replaced with this text.

In the example above, the recipient addresses from a domain matching the pattern @mycompany.com are changed to @internal.local.

For advanced domain changes, e.g. to change the order of first name and last name, you need more complicated regular expressions.

Example: The recipient address david.galler@mycompany.com is to be changed to galler.david@internal.local.

Search pattern: ^([a-z]+)\.([a-z]+)@mycompany\.com$
Replacement text: $2.$1@internal.local

The two expressions ([a-z]+) represent the first name and the last name of the address. In the replacement text, $2.$1 defines the order of ([a-z]+), i.e. of the first name and the last name.
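Before activating a rewrite rule, it is worth running it over sample recipient addresses to see what it changes and what it leaves alone. The following added example (not iq.suite code) does this with Python's re module standing in for the ICU engine, with case-insensitive matching as described above. The function names, the LOOSE_RULE and TIGHT_RULE patterns and the sample addresses are constructed for illustration; only SWAP_RULE is taken from the example above.

```python
import re


def icu_replacement_to_python(replacement: str) -> str:
    """Translate $1-style group references into Python's \\g<1> form."""
    escaped = replacement.replace("\\", "\\\\")  # keep literal backslashes literal
    return re.sub(r"\$(\d+)", r"\\g<\1>", escaped)


def rewrite_address(address: str, pattern: str, replacement: str) -> str:
    """Apply one search pattern / replacement text pair to one address."""
    rx = re.compile(pattern, re.IGNORECASE)  # not case-sensitive by default
    return rx.sub(icu_replacement_to_python(replacement), address)


def rewrite_envelope(recipients, rule):
    """Return (before, after) pairs for every SMTP envelope recipient."""
    return [(addr, rewrite_address(addr, *rule)) for addr in recipients]


def unintended_rewrites(rule, recipients, own_domain):
    """List addresses the rule changes although they are not in own_domain."""
    hits = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower()
        if rewrite_address(addr, *rule) != addr and domain != own_domain:
            hits.append(addr)
    return hits


# Rule from the example above: swap first and last name, change the domain.
SWAP_RULE = (r"^([a-z]+)\.([a-z]+)@mycompany\.com$", "$2.$1@internal.local")

# Constructed rules for comparison: in LOOSE_RULE the dot is not escaped and
# the pattern is not anchored to the end of the address; TIGHT_RULE fixes both.
LOOSE_RULE = (r"@mycompany.com", "@internal.local")
TIGHT_RULE = (r"@mycompany\.com$", "@internal.local")

# Constructed sample recipients.
SAMPLE_RECIPIENTS = [
    "david.galler@mycompany.com",
    "David.Galler@MyCompany.com",     # matched as well: case is ignored
    "d.j.galler@mycompany.com",       # three name parts: SWAP_RULE does not match
    "bob@mycompany.com.example.net",  # different domain with the same prefix
    "eve@mycompanyxcom.example",      # "." in LOOSE_RULE matches the "x"
]


if __name__ == "__main__":
    for label, rule in (("swap", SWAP_RULE), ("loose", LOOSE_RULE),
                        ("tight", TIGHT_RULE)):
        print(label)
        for before, after in rewrite_envelope(SAMPLE_RECIPIENTS, rule):
            marker = "->" if before != after else "=="
            print(f"  {before} {marker} {after}")
        print("  unintended:",
              unintended_rewrites(rule, SAMPLE_RECIPIENTS, "mycompany.com"))
```
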
9.2.2.2 Sample Job: Modifying Email Header Line

Regular expressions can be used to modify individual lines of the email header. The following describes how to replace the text in the X-Mailer header line with the text ---.

Copy the Wall E-Mail Address Filtering job to MAIL TRANSPORT JOBS. Activate the job [94].

[94] This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.

9.2.2.2.1 Setting the Regular Expression

Click in the Regular Expression tab on EMAIL HEADER -> ADD:

Specify a regular expression for the email header line to be modified (here: X-Mailer):

Name of the email header: Specify the name of the email header line to be modified by the regular expression.

Processing Mode: In MIME emails, long header lines are often broken across several lines, which can make reading the header line rather complicated. Therefore, we recommend enabling the Header Folding mode. The option Search in email header raw data should only be used if the line break pattern (i.e. the number of tab stops or blanks) is known and can be replaced using regular expressions.

Regular Expression: Set the search pattern as a regular expression. This pattern is searched for in the specified header of the email.

Replacement Text: Set the replacement text. If a match is found, the matched text is replaced with this text.

9.2.2.3 Sample Job: Modifying Email Body

Regular expressions can be used to modify individual words or phrases of the email body. This makes it possible, for instance, to prevent sensitive information from being sent by email. This requires that the searched text has a structure that can be described and searched for in the email body using regular expressions.

Copy the Wall E-Mail Address Filtering job to MAIL TRANSPORT JOBS. Activate the job [95].

[95] This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.

9.2.2.3.1 Setting the Regular Expression

Click in the Regular Expression tab on EMAIL BODY -> ADD:
Specify a regular expression for the words or the phrase in the email body to be modified:

Email Body Format: Specify the format of the email body for which the text is to be replaced or select All to search in all email bodies, regardless of the format.

Regular Expression: Set the search pattern as a regular expression. This pattern is searched for in the email bodies.

Replacement Text: Set the replacement text. If a match is found, the matched text is replaced with this text.

9.2.3 Limiting the Number of Recipients

To prevent mail flooding with bulk emails, you can limit the number of recipients for each email. As soon as the defined limit is reached, the configured job actions are performed. For this, use a job of the type Wall E-Mail Address Filtering.
9.2.3.1 Sample Job: Limiting the Number of Recipients

1. Copy the Block Emails With More Than 50 Recipients job to MAIL TRANSPORT JOBS. Activate the job [96].

2. In the Number Of Recipients tab, enter the maximum number of recipients per email:

   In this example, each incoming or outgoing email can be addressed to at most 50 recipients. If an email is addressed to a list of recipients grouped in a single address, the Exchange server needs to be able to resolve this list into individual recipients in order to determine the number of recipients. An address actually representing a mailing list will be considered a single recipient if it lies outside of the scope of the Exchange server.

3. In the Actions tab, specify the actions to be performed when the job finds an email with too many recipients. By default, a copy of the email is quarantined and the email is deleted without being delivered to its recipients. A notification of the number of recipients is sent to the administrator. You can select this notification from the drop-down list of available notification templates [97].

[96] This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.

[97] Refer to Creating Notification Templates on page 94.
9.3 Spam Filtering with the Spam Filtering Job

9.3.1 Job Functionality

The Wall Advanced Spam Filtering job specifically checks the email header, the subject line and the message body for typical spam features. For this, the job distinguishes between definite criteria and combined criteria. Definite criteria classify the email unambiguously as spam or non-spam, whereas the combined criteria only express a tendency for or against spam.

The definite criteria are criteria like sender addresses that are listed in a blacklist or a whitelist. As soon as the job detects a sender address that is listed in a blacklist, the email is classified as spam without further analysis. The configured job actions are performed, e.g. the email is blocked and quarantined (quarantine High). One definite criterion is sufficient to classify an email as either 0% spam or 100% spam.

The combined criteria are evaluated only if no definite criterion has classified the email unambiguously as spam or non-spam. They focus on less significant spam attributes such as a high number of HTML links in the message body of the email. A single combined criterion that classifies an email as spam has only little impact on the email classification. However, the more other combined criteria classify the email as spam as well, the higher the calculated spam probability.

The spam probability for each email is calculated through evaluation of all combined criteria and ranges from 1% to 99%. Depending on this result, the email is assigned to one of the four threshold ranges None, Low, Medium or High, and the job actions defined for this threshold range are performed. In the job, the following actions are defined for the threshold ranges:

1. Threshold range: None. This means a spam probability of 0%. Threshold value: 0. A definite criterion classified the email unambiguously as non-spam. By default, no job actions are performed. The email is forwarded to the next job in the job chain.
2. Threshold range: Low. This means a spam probability of 1-9%. Threshold value: 1-9. At least one combined criterion classified the email as spam. Due to the low spam probability, no job actions are performed by default. The email is forwarded to the next job in the job chain.

3. Threshold range: Medium. This means a spam probability of 10-49%. Threshold value: 10-49. Some combined criteria classified the email as spam. Due to the medium spam probability, the email is blocked by default. A copy of the email is quarantined and the calculated value of the email's spam probability is added to the subject line of the quarantined email.

4. Threshold range: High. This means a spam probability of 50-100%. Threshold value: 50-100. Many combined criteria classified the email as spam. Due to the high spam probability, the email is blocked and not delivered to the recipients. A copy of the email is quarantined and the calculated value of the email's spam probability is added to the subject line of the quarantined email.

If required, modify the job actions for the individual threshold ranges.

Job actions:

- For emails with a spam probability of 0%, the subject can be extended with a corresponding text (Add subject extension).

- Emails with a spam probability below 10% can be moved into the Anti-Spam: Low quarantine for classification with CORE. Refer to CORE Classification on page 309.

- For emails with a spam probability between 10% and 49%, the SCL field can be processed in Exchange 2003 [98], so that the email is automatically moved to the recipient's Junk Mail folder, or the email is moved into the Anti-Spam: Medium quarantine. The administrator can classify the email for CORE. The recipients receive a summary report on the quarantined emails and can request their delivery if required.

[98] Refer to Write spam result in Exchange SCL field on page 281.
- Emails with a spam probability between 50% and 100% can be moved into the Anti-Spam: High quarantine for CORE classification.

The Low, Medium and High ranges can be adjusted with sliders in the Actions tab and linked to corresponding actions, which are then performed for all emails in that range. However, we recommend that you keep the job configuration pre-set in the Advanced Spam Filtering job. Experience shows that the settings in this sample job perform well. If your spam detection rate is unsatisfactory, try to optimize the definite spam criteria before modifying the combined criteria. If necessary, train your own CORE classifier [99].

By default, the job is configured so that a high spam probability, for instance over 91%, can be achieved only when definite spam characteristics have been identified by several combined criteria.

The definite or combined criteria do not affect the execution of the remaining configured jobs, such as checking the attachments by iq.suite Watchdog. Thus, if you have enabled the definite No spam criterion Emails with attachments and set the threshold value (Minimum number) to 2, then the spam filtering job immediately classifies these emails under the spam probability range None. The subsequent Watchdog job will process the email as usual.

[99] Refer to CORE Classification on page 309.
9.3.2 Sample Job: Advanced Spam Filtering

Copy the Advanced Spam Filtering job to MAIL TRANSPORT JOBS. Activate the job [100].

[100] This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.

9.3.2.1 Defining Actions

In the Actions tab, specify the threshold value for the spam probabilities and specify the job actions to be performed for identified spam emails.

1. In this example, the following actions are configured for the spam probabilities None, Low, Medium and High:

   For emails assigned to the spam probability None, no job actions are performed by default (unambiguously non-spam). If required, add a subject extension, e.g. "Wall spam checked".
   For emails assigned to the spam probability Low, no job actions are performed by default (0-9% spam probability). Click on the LOW button to adjust the job actions.

   For emails assigned to the spam probability Medium, job actions are performed (10-49% spam probability). Click on the MEDIUM button to adjust the job actions:

   Emails are assigned to this range if some combined criteria have found major spam indications or many combined criteria have found many minor spam indications.

   The first action defined is to copy the email to the quarantine (Anti-Spam: Medium), where it is labeled MEDIUM. The original email is delivered to the recipient.

   The second action is to add a subject extension to inform the recipient of the email's spam probability. With this, local users can set up their own Outlook message rules to deal with these emails.
   You can configure a quarantine summary notification for the quarantine category in order to notify local users of quarantined emails addressed to them (refer to Defining Quarantine Summary Notifications on page 118). You can also use the Microsoft SCL value to forward the emails directly to the users' Junk Mail folder through the Exchange Store.

   For emails assigned to the spam probability High (10-49% spam probability), job actions are performed. Click on the HIGH button to modify the settings, if required.

   The High spam probability is meant for emails that are most likely spam and should therefore not be delivered. In this case, the email is quarantined (Anti-Spam: High). Because of the large volume of spam sent every day, no notifications are sent to the administrator [101].

   A high volume of spam can result in large quarantines, which can reduce system performance. When you no longer need the emails (e.g. for CORE Classification), you should therefore disable the Low and High quarantine copy.

   Depending on your email environment, you may want to set different threshold values for the Medium and High ranges. Before you change the thresholds, though, observe whether the job yields good filtering results with these settings. Your aims should be:

   - to maximize the number of spam emails in the Anti-spam: High quarantine,
   - to maximize the number of non-spam emails in the Anti-spam: Low quarantine, and therefore
   - to minimize the volume of email going into the Anti-spam: Medium quarantine.

[101] Refer to Creating Notification Templates on page 94.

2. If required, adjust the spam criteria. Click on the DEFINITE CRITERIA button:
   In the No Spam tab, select the definite criteria to be analyzed by the job. As soon as one of these criteria is found, the email is classified as 100% non-spam [102].

   In the Spam tab, select the definite criteria to be analyzed by the job. As soon as one of these criteria is found, the email is classified as 100% spam [103].

   Make sure you keep both the whitelist and the blacklist up-to-date.

[102] Refer to the description of the definite non-spam criteria under CORE Classification on page 309.

[103] Refer to the description of the definite spam criteria under Definite Spam Criteria on page 285.

3. Click on OK to return to the Actions tab.

4. If required, enable the options Write spam result in Exchange SCL field or Write spam value in mail header field.

   Write spam result in Exchange SCL field: The Microsoft spam filter IMF (Intelligent Message Filter) can be used as a definite criterion (non-spam). The result of the spam filter's calculation is an integer value between -1 and 9. This result is the so-called SCL (Spam Confidence Level). The higher the spam probability, the larger the SCL. An SCL of 0 means that the email is probably non-spam; the value -1 is used for unfiltered emails, for instance internal emails from senders within the same Exchange organization.

   The Exchange SCL value triggers specified actions, such as automatically moving emails to the user's Outlook Junk Mail folder. In the Exchange System Manager, you can centrally define what is to be done with emails with SCL values above a set threshold. You do not have to specify the action on the same system that assigns the SCL. As the IMF writes the SCL value into the email, any defined actions can only be performed on the target system. To that end, the email gateway must also run Exchange 2003.

   Even if you do not want to or cannot use the IMF, this option will let you set the spam probability value of the spam filtering job as SCL result, thus allowing you to use the Exchange Store functionality for possible actions or further processing. Internally, the spam probability value is converted to SCL values to enable Outlook to use them.

   If you are using the quarantine summary notification feature, users are notified of all relevant spam emails (refer to Defining Quarantine Summary Notifications on page 118). In that case, you do not have to use the Exchange Store forwarding to Junk Mail folders.

   For further information on the Exchange SCL field, please refer to http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/imfdeploy.mspx

   Write spam value in mail header field: The spam probability value (Low, Medium or High) is always written in the email header. For this, the result is converted to a string of asterisks (one asterisk corresponding to a value up to 10, two asterisks to a value up to 20, three asterisks up to 30, etc.) to which an Outlook rule can be applied.
   You can also specify the result separately for each spam probability: ACTIONS TAB -> ADD -> ADD X-HEADER. In this case, the result is displayed directly as a numeric value instead of being converted to a string of asterisks.

9.3.3 Practical Tips on False Positives

In rare cases, the job classifies normal and wanted emails as spam. In cases of frequent so-called false positives, we recommend the following procedure:

1. If the affected emails all exceed the spam probability threshold by only a small amount, increase the threshold value slightly.

2. If emails from a particular sender are regularly classified incorrectly as spam, add this sender to the Active Directory or to the whitelist (under DEFINITE CRITERIA -> DEFINITE "NO SPAM" CRITERIA), so that these emails are no longer checked for spam.

3. Try to identify key words typically used in the affected emails and enter them in the Business Words dictionary. These words will then be taken into account through the No Spam criterion Body business phrases so that emails containing them will receive a lower spam value.

4. Train your own CORE spam classifier. Refer to CORE Classification on page 309.

5. If the classification remains unsatisfactory after having performed the steps above, try to determine the criteria that are responsible for the false classification, e.g. using the processing log in the quarantine or the notification variable Spam analysis details [104]. If it is often the same criterion, try to reduce its significance slightly to a lower value (Criterion relevance field). This way, the job will take into account the criterion to a lesser extent when determining the spam probability.

6. If you are sufficiently familiar with the characteristics of typical emails in your business environment (both spam and non-spam), you can also use the Combined Criteria under Advanced Configuration to optimize each criterion for your environment. This is especially useful if you had to reduce the relevance of a criterion by a large amount or disable it altogether. This can, however, result in a reduced effectiveness of the spam filter. For further information, please refer to Spam Filtering for Experts: Using Combined Criteria on page 287.

[104] Refer to List of Notification Variables on page 95.

9.3.4 Tables: Definite Criteria

9.3.4.1 Definite No-Spam Criteria

In the job, you can define the No-Spam criteria described in the table below. The emails which match at least one of these criteria will be clearly identified as non-spam:

Criterion | Description
Trusted senders (Whitelist) | Whitelist: Addresses of all known senders that are always allowed and that are known not to send spam. This normally includes all regular communication partners as well as the domains of your customers and suppliers. Keeping this list up-to-date and comprehensive ensures that your system resources will not be burdened with unnecessary checking.
Emails from Active Directory users | Trustworthy addresses include all users and contacts entered in the Active Directory.
Emails from senders in Outlook user whitelist | Trustworthy addresses include all entries in the Microsoft Outlook user whitelist. This only applies under Exchange 2007 with the "Safelist Aggregation" component enabled. [a]
Emails from user whitelist entries | The email addresses included in the user whitelist are let through without prior checking for spam.
Subject phrases | All emails containing specific words in the subject line are accepted without being checked for spam. This feature allows you to set specific "passwords" to ensure that emails with critical contents are systematically delivered without being checked. These words are defined in a dictionary, which is then specified in the anti-spam job. The additional option allows you to have the message body checked for these words as well (besides the subject).
Criterion | Description
Many attachments | Emails with file attachments. Most spam emails do not contain any attachments. Use this field to specify a threshold. Example: Minimum number = 2 means that all emails with two or more file attachments are delivered without spam checking.
Emails with a minimum size of | Spam emails are usually rather small, i.e. large emails are less likely to be spam. Use this field to specify a threshold as of which emails are no longer checked for spam.
Emails are in TNEF format | TNEF emails. This Exchange-specific format is not being used by spammers yet.
Emails encrypted and/or signed | Encrypted and/or signed emails. Spammers do not send encrypted or signed emails.
Microsoft Exchange No spam SCL value | Spam Confidence Level (SCL), spam filter (Intelligent Message Filter IMF) from Exchange 2003. SCL accepts integers from -1 to 9. Exchange assigns -1 for emails from senders from the same Exchange organization. The Wall Spam Filtering job treats this value as a definite no spam criterion. [b]

[a] For further information on "Safelist Aggregation", please refer to the Microsoft website.
[b] Refer to Write spam result in Exchange SCL field.

9.3.4.2 Definite Spam Criteria

In the job, you can define the Spam criteria described in the table below. The emails which match at least one of these criteria will be clearly identified as spam:

Criterion | Description
Denied senders (Blacklist) | Blacklist: All sender addresses known to be originators of spam. The default configuration contains a list of known addresses to which you can add further addresses.
Emails from user blacklist entries | The email addresses listed in the user blacklist are automatically classified as spam.
Denied character sets | This function checks the charset field in the email header for the character sets in the specified list. Emails with a matching character set are immediately classified as spam.
Exchange SenderID request returns "FAIL" | If enabled, the mail's Sender ID is also checked. This makes it possible to prevent "spoofing", i.e. the falsification of sender email address domains. The analysis is based on entries in a DNS, which is used to determine from which IP addresses emails from specific domains are allowed to be sent or not. The Sender ID result is provided with the email. Wall checks the mail's Sender ID and classifies the result "FAIL" as spam. To be able to use the SenderID function, a number of other functions need to be enabled on the server, such as the associated SenderID filter. The filter is enabled under SERVER -> PROTOCOLS -> SMTP -> PROPERTIES -> IDENTIFICATION. In addition, both server and client (Outlook) must be configured. [a]
Emails with GTUBE test pattern | If enabled, emails containing the GTUBE [b] spam test string are also checked. Use this option to check the functionality of the spam detection feature. A spam email will be identified as such if you do not use a spam analyzer for spam checking.

[a] For further information on the "SenderID", please refer to the Microsoft website.
[b] GTUBE (Generic Test for Unsolicited Bulk Email)
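The threshold ranges from Job Functionality, the asterisk header value and the three tuning aims stated in the sample job (more spam in High, more non-spam in Low, less mail in Medium) can be checked against reviewed quarantine mail before the sliders are moved. This is an added example, not iq.suite code: the reviewed samples are constructed, the candidate thresholds are arbitrary, and an empty asterisk string for 0% is an assumption.

```python
from collections import Counter

# Constructed review data: (spam probability in %, reviewer's verdict).
SAMPLES = [
    (0, "ham"), (3, "ham"), (7, "ham"), (12, "ham"), (18, "ham"),
    (35, "spam"), (44, "spam"), (48, "spam"), (52, "ham"),
    (55, "spam"), (72, "spam"), (91, "spam"),
]


def spam_range(probability, medium_from=10, high_from=50):
    """Map a spam probability to None/Low/Medium/High.

    Defaults follow the manual: None = 0, Low = 1-9, Medium = 10-49,
    High = 50-100. The two boundaries correspond to the sliders.
    """
    if not 0 <= probability <= 100:
        raise ValueError("probability must be between 0 and 100")
    if probability == 0:
        return "None"
    if probability < medium_from:
        return "Low"
    if probability < high_from:
        return "Medium"
    return "High"


def header_asterisks(probability):
    """One asterisk for a value up to 10, two up to 20, three up to 30, etc.

    Returning an empty string for 0 is an assumption of this example.
    """
    return "*" * ((int(probability) + 9) // 10)


def tuning_summary(samples, medium_from=10, high_from=50):
    """Count reviewed mails against the manual's three tuning aims,
    plus wanted mail that would land in High (blocked false positives)."""
    counts = Counter()
    for probability, verdict in samples:
        counts[(spam_range(probability, medium_from, high_from), verdict)] += 1
    return {
        "spam_in_high": counts[("High", "spam")],
        "ham_in_low": counts[("Low", "ham")],
        "medium_total": counts[("Medium", "spam")] + counts[("Medium", "ham")],
        "ham_in_high": counts[("High", "ham")],
    }


if __name__ == "__main__":
    print("default 10/50 :", tuning_summary(SAMPLES))
    print("candidate 20/40:", tuning_summary(SAMPLES, 20, 40))
    print("header value for 35%:", header_asterisks(35))
```

A candidate setting is only an improvement if ham_in_high does not grow, because mail in the High range is not delivered.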
9.3.5 Spam Filtering for Experts: Using Combined Criteria

In general, the default settings of the Advanced Spam Filtering job perform well and do not have to be modified. In case of many false positives, proceed as described under Practical Tips on False Positives on page 283. We recommend that you adjust individual combined criteria only if these measures do not fulfill your requirements.

The differences between definite and combined criteria are described under Job Functionality on page 275. The combined criteria are only used for emails that are not already classified with the definite criteria as spam or non-spam. Each activated combined criterion evaluates the email with a certain spam probability. The individual values of all combined criteria are weighted according to their defined relevance to establish an overall result.

Each criterion has a defined relevance to the overall result, which can be set from Low to Very high. The higher the relevance of a criterion, the greater its impact on the overall result. If required, you can disable the criterion by deselecting the checkbox.

An individual value can be assigned to most criteria for Minimum and Maximum. Below the minimum value, this criterion is not used in the overall weighting of the email. When the maximum score is reached or exceeded, this criterion considers the email as spam.

Depending on the overall result, the email is assigned to one of the spam probability ranges None, Low, Medium or High. The threshold values of the individual ranges are decisive.
Example: Email Classification by Combined Criteria

In this example, the combined criterion Body phrases in the Spam (Body) tab is enabled. To check the message bodies of all incoming emails for spam, this criterion uses the Anti-spam: Frequently Used Spam Phrases dictionary. This dictionary has a weighting value of 5 (General tab in the dictionary [105]). If a word or phrase from this dictionary is found in an email, for instance check it out, it receives a score of 5.

Specify the number of occurrences required for this criterion to be taken into account in the overall score (Minimum threshold) and as of which value the criterion classifies the email as spam (Maximum score). The default value is 30. With this, six different words from this dictionary must be found in the message body of the email to be classified as spam according to this criterion. If only three words are found, the email is not definitely spam according to this criterion, but the probability of it being spam is already quite high. The relevance of this criterion is set to Very high, thus it has a strong impact on the overall classification of the email as spam.

Words that occur more than once in an email are counted only once. If, for instance, the phrase check it out occurs three times within the same email, it would add only 5 to the score, not 15 (as in a normal Wall Content Filtering job).

[105] Refer to Text Analysis with Dictionaries on page 298.

9.3.6 Tables: Combined Criteria

9.3.6.1 Combined No Spam Criterion

Criterion | Description
HAM phrases in message body | Checks whether the message body contains business words that are typical for the user.

9.3.6.2 Combined Classification Criteria

Here, the results of other spam filtering products, which often use only a single spam filtering method, are included. Their combination with other criteria in the spam filtering job eliminates the disadvantages of these products.

Criterion | Description
CORE Classification | The results of the CORE classification with the internal SPAM classifier are used to determine the spam probability. The returned percentage probability value is included with a high relevance for classification (default setting). [a]
Exchange SCL value | The Intelligent Message Filter (IMF) also determines a spam probability for each email, the so-called Spam Confidence Level (SCL) from -1 to 9. The higher the spam probability, the higher the SCL. This is used to include the SCL value in the iq.suite spam evaluation. [b]
Criterion | Description
SASI results | SASI checks emails against known spam patterns. [c] By default, the threshold as of which an email is considered spam is set at 50. To avoid negative spam detection rates, we recommend you to keep this value. If combined with the CORE classification criterion, the spam recognition rate can be significantly increased. Keep the default settings and enable both criteria.

[a] Also refer to CORE Classification on page 309.
[b] Also refer to Definite No-Spam Criteria on page 284. Also refer to Write spam result in Exchange SCL field on page 281. For further information, please refer to the Microsoft website.
[c] For further information, please refer to www.gbs.com.

9.3.6.3 Combined Header Criteria

Criterion | Description
Suspicious sender properties | Checks whether the email has a From header and whether this header is completed and corresponds with the sender in the SMTP protocol.
Suspicious recipient properties | Checks whether the email contains a To header, whether this header is completed and whether it or the CC header contains at least one of the SMTP recipients.
Digits in sender address(es) | Checks whether one of the sender addresses (SMTP or email header) contains digits.
Number of recipients | Checks the number of recipients of an email.
Known spam x-mailer | Checks whether the X-Mailer entry in the email is an email client typically used to send spam.
Criterion | Description
Known spam results | Takes into account the result of a previously run spam analysis to classify emails as spam or non-spam. The result (number of spam indications found) is written to the email X-header. iq.suite reads the X-header and writes the number of spam indications into the criterion. The values for the minimum/maximum number of spam indications are then used for evaluation. The result may come from an external system or have been determined by iq.suite on another server.

9.3.6.4 Combined Subject Criteria

Criterion | Description
Subject missing | Checks whether the email has a subject field with content.
Recipient address in subject | Checks whether the part preceding the @ of a recipient address is found in the subject of the email.
Junk sequence in subject | Checks the email subject for long strings of hiding characters (blanks) and meaningless junk character strings.
Subject phrases | Checks whether the email subject contains words typically found in spam.
Subject concealed phrases | Checks the email subject for any concealed words from the dictionaries specified.

9.3.6.5 Combined Message Body Criteria

Criterion | Description
Recipient address in body | Checks whether the part preceding the @ of a recipient address is found in the message body of the email.
Junk sequence in subject | Checks the message body for long strings of spaces or meaningless character strings.
Criterion | Description
Body phrases | Checks the message body for words typically found in spam.
Body concealed phrases | Checks the message body for any concealed words from the dictionaries specified.
Suspicious HTML code | Checks the message body for any HTML constructs.
Suspicious HTML links | Checks the message body for any spammer links.
Many HTML Links | Checks the message body for many HTML links in relation to the size of the text.
Embedded images | Can be used to identify spam content conveyed through embedded images (internal reference to attachments). For instance, it is possible that (in configurations without SASI) emails with embedded images are systematically considered spam, unless embedded images are standard practice for email communication in the corresponding environment.
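The Body phrases example in 9.3.5 (dictionary weight 5, maximum score 30, each phrase counted once) can be reproduced to see how a dictionary change shifts the criterion. This is an added example, not iq.suite code: apart from "check it out", the dictionary entries and the mail bodies are constructed, whole-word case-insensitive matching is an assumption, and the minimum threshold of 10 used in the demo is arbitrary.

```python
import re

# Constructed dictionary; only "check it out" appears in the manual.
DICTIONARY = [
    "check it out", "act now", "limited offer", "risk free",
    "click here", "no obligation", "winner",
]

# Constructed message bodies.
REPEATED = "Check it out! Check it out today, check it out now."
THREE = "Limited offer for our newsletter readers: click here, risk free."
SIX = ("Act now! Limited offer, risk free, no obligation. "
       "Click here and check it out.")


def count_occurrences(body, phrase):
    """Count whole-word, case-insensitive occurrences of phrase in body."""
    pattern = r"(?<!\w)" + re.escape(phrase) + r"(?!\w)"
    return len(re.findall(pattern, body, flags=re.IGNORECASE))


def spam_criterion_score(body, dictionary, weight=5):
    """Spam job behaviour from the manual: a phrase that occurs several
    times is counted only once."""
    distinct = sum(1 for phrase in dictionary
                   if count_occurrences(body, phrase) > 0)
    return weight * distinct


def content_filter_score(body, dictionary, weight=5):
    """Contrast case from the manual (normal Wall Content Filtering job):
    every occurrence adds the dictionary weight."""
    return weight * sum(count_occurrences(body, phrase)
                        for phrase in dictionary)


def criterion_verdict(score, minimum, maximum=30):
    """Below the minimum the criterion is not used in the overall weighting;
    at or above the maximum it considers the email spam; in between it
    contributes to the overall result according to its relevance."""
    if score < minimum:
        return "ignored"
    if score >= maximum:
        return "spam"
    return "weighted"


if __name__ == "__main__":
    for name, body in (("repeated", REPEATED), ("three", THREE), ("six", SIX)):
        score = spam_criterion_score(body, DICTIONARY)
        print(name, score, criterion_verdict(score, minimum=10),
              "content filter:", content_filter_score(body, DICTIONARY))
```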
9.4 Spam Filtering with Spam Analyzers

9.4.1 Using SASI for Spam Filtering

SASI (Sophos Anti Spam Interface) is an interface used for fighting spam and other junk emails. It is used as an additional spam criterion in the Advanced Spam Filtering job. To do so, the SASI engine sends DNS requests to blacklist servers in the Internet 106. To analyze the emails, the SASI engine checks them against known patterns of typical spam. The pattern database is located on the server where the iq.suite is installed. This database is automatically updated at periodic intervals. The result of this analysis is a value that is used to calculate the spam probability within the advanced spam filtering job.

Please note that SASI is an additional feature for iq.suite Wall and as such requires a separate license. For further information, please contact the GBS Sales Team.

9.4.1.1 SASI Engine Configuration

If you plan to use SASI for fighting spam, first configure the SASI engine for periodic updates. The configured engine is automatically used whenever a spam filtering job with SASI enabled is called.

Open the SASI engine: BASIC CONFIGURATION -> UTILITY SETTINGS -> ANTI-SPAM ENGINES. Enable the engine.

106. For further information on using SASI, please refer to the separate documentation. Download under www.gbs.com.
9.4.1.1.1 General Settings

Under normal circumstances, no special settings are required in this tab.

SASI interface: This is the DLL file that links the iq.suite with the SASI engine. Do not change this entry!
Timeout: Enter the number of seconds after which a scan request addressed to the SASI engine is to be canceled. Be sure to take into account the performance of your server.
Write detailed log data: Creates a log file with detailed processing data of the scanner, e.g. for troubleshooting.
9.4.1.1.2 Engine Update Settings

To ensure permanent spam protection, the files used for identifying spam need to be periodically updated. This update can be performed automatically at specific intervals. Further configuration settings are normally not required:

Update interval: Interval in minutes at which the program checks for pattern updates. Minimum: 15 minutes.
Update timeout: Period of time after which the update process is aborted. Minimum: 60 seconds. Recommended value: 60 to 120 seconds.
Update Settings:
  Don't update program data: No automatic engine or pattern updates will be performed.
  Update program data using predefined settings: Automatic engine or pattern updates are performed whenever the iq.suite finds a more recent data version. Downloading the most recent version is possible without further configuration.
  Update program data using customized settings:
    Perform local update from (no proxy): If the automatic engine or pattern update is to be controlled through a central server, use this field to set the directory of the central server where the patterns are stored.
    Download server (uses proxy settings): If the automatic engine or pattern updates are to be downloaded from another server, use this field to set the target address of this server.

9.4.1.1.3 Using a Proxy Server

To use a proxy server as communication interface, select the appropriate option in the Proxy Server tab:

No proxy server: No proxy server is used.
Proxy server of iq.suite Server: The proxy server used is the one defined for the iq.suite server. These proxy server settings can be set during the installation. Refer to Installation of iq.suite on a Exchange Server on page 11, Step 9.
Custom proxy server: The proxy server used is the one set in the BASIC CONFIGURATION. For further information on how to create a new proxy server, please refer to Proxy Servers on page 88.
In a configuration where the most recent spam patterns are downloaded automatically, the Update pattern database option must be enabled in the Update tab.

9.4.1.2 Advanced Spam Filtering Job Configuration

1. Open the Advanced Spam Filtering job under MAIL TRANSPORT JOBS. Activate the job and keep the default settings.
2. In the Actions tab, enable the criterion SASI results under COMBINED CRITERIA -> SPAM (CLASSIFICATION), and make sure that the engine is enabled as well. We recommend keeping the default setting.

Relevance of this criteria: Set the relevance (weighting) for the entire criterion (ranging from Low to Very high). The values for the relevance and the coefficient are multiplied and yield the result for this criterion.
HAM/SPAM threshold: By default, the threshold as of which an email is considered spam is set at 50. To avoid negative spam detection rates, we recommend keeping this value.
No-spam coefficient: Use the No-Spam coefficient to reduce the weighting for the No-Spam result. The higher this coefficient, the higher the influence of SASI on the overall result in the No-Spam range.

If combined with the CORE classification criterion, the spam recognition rate can be significantly increased. Keep the default settings and enable both criteria.

3. Once this job is activated, the configured SASI engine is automatically enabled.
4. Select IQ.SUITE MONITOR -> SERVER -> SERVER STATUS -> TEST TAB -> UPDATE VIRUS SCANNER to check the pattern update. The test returns a log file as well as an error or success message.

Save the iq.suite configuration whenever you have made any changes ( icon). The configuration is saved to the ConfigData.xml file located under GBS\iQ.Suite\Config. Pending changes are identified through an asterisk (*) at the top node.

9.4.2 Text Analysis with Dictionaries

In dictionary-based text analysis, the subject line, the message body and the file attachments of emails are searched for unwanted words or phrases. Each search term is written into a list of words (dictionary). For each list, a value (weight) is set. The text analysis can be limited to specific senders or recipients, e.g. for spam protection in external emails addressed to internal users.

For instance, you can use the dictionary Anti-Spam: Pharmacy Offers to search for pharmaceutical terms that indicate spam such as overweight, aging, etc. In this example, the value for this dictionary is 20 (General tab). If several applicable terms are found, their values are added to an overall value. If the terms overweight and aging are found in the email, it is given the overall value 40. This overall value is checked against a threshold set in the job. If the latter is exceeded, the job actions are triggered, e.g. the email is quarantined. The actions available are the same as for address filtering. Refer to Address Filtering (Blacklists and Whitelists) on page 264.

Besides performing a text analysis for incoming emails, you can also ensure that outgoing emails comply with internal confidentiality requirements. Using the dictionaries, it is possible to check the outgoing emails for information that is not supposed to get "outside".

In both cases, use the sample jobs of the type Wall Content Filtering.
9.4.3 Setting up Dictionaries

To add further entries to an existing dictionary or to create a new list, proceed as follows:

1. Click on BASIC CONFIGURATION -> UTILITY SETTINGS -> DICTIONARIES. Create a new dictionary or open the existing one to be extended, e.g. the Anti-Spam: Pharmacy Offers dictionary:
2. In this example, the weighting of this dictionary is 20. Possible values are from 1 to 200. This weighting applies to each word or phrase and determines the relationship to other dictionaries and to what extent the dictionary is taken into account in the job. Refer to Sample Job: Checking and Denying Text Contents on page 303.
3. The List of words/phrases field contains the search terms. Click on the input field and add words and phrases that you want to forbid. For each entry, use a separate line (ENTER key). The following wildcards can be used in dictionaries:

   Asterisk (*): The asterisk represents zero or more characters within a word or phrase.
   Example: *check* will find check, checkpoint, intercheck and intercheckpoint. check* will find check and checkpoint, but neither intercheck nor intercheckpoint.
   The asterisk must be placed at the beginning or end of a word or phrase.

   Plus sign (+): The plus sign has the same function as the asterisk, but indicates that the search term is part of a word or phrase.
   Example: +check+ will find checkpoint, intercheck and intercheckpoint, but not check on its own. check+ finds only checkpoint.
   The plus sign must also be placed at the start or end of a word or phrase.

   If you enter a word or phrase without wildcard, only that exact word/phrase will be found. For example, if you enter check, only the whole word check will be found.
4. To sort the dictionary in ascending order, click on, and to sort it in descending order, click on.
5. The jobs tab lists the jobs that use the dictionary:
9.4.4 Searching for Text in Dictionaries

To search for and replace text in dictionaries, double-click on the dictionary to open it and click on :

Under Search for, enter the desired search term. If required, enable the desired Search options. If you do not specify any additional options, the function looks for the entered character string everywhere, i.e. also within words and phrases.

Find whole word only: You can separate words with any non-alphanumeric character including paragraph marks and manual line breaks.
Case sensitive: Makes the search case-sensitive.
Count matches only: Only the number of matches is displayed, not the matches themselves:

To replace a string with another, click on REPLACE:

You can also use the text search and replace function for your own addresses. Refer to Address Lists on page 89.
9.4.5 Sample Job: Checking and Denying Text Contents

To scan emails for certain text contents, use jobs of the type Wall Content Filtering.

1. Copy a sample job to MAIL TRANSPORT JOBS or configure a new one. In this example, the Block offensive content job is used. Activate the job 107.
2. In the Content Restriction tab, specify the procedure to check emails for certain text contents and define the dictionaries to be used by this job:

   Options: This job checks the subject line, the message body and compressed files that can be extracted for entries in the dictionaries Offensive Language (English) or Offensive Language (German). If the Scan in selected attachments option is enabled, the file attachments are checked for prohibited terms as well. Click on SELECT and define the types of the file attachments using the fingerprints 108.

107. This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
108. For further information on fingerprints, please refer to Fingerprints on page 248.
   Set threshold: The overall threshold value is set at 50. The sum of all prohibited words or phrases is multiplied by this threshold. The weighting for both dictionaries is 10, so the defined job actions (Actions tab) are performed if at least 5 prohibited terms are found in an email.

   Compressed files are extracted to the extent possible and a text extract is created. Specify the desired compressed files under EDIT ARCHIVES.

   If the Search in text extract option is enabled, only the visible text is checked. If the Search in raw data option is enabled, hidden text is checked as well (e.g. HTML tags, meta information, control characters, etc.).
3. To use further dictionaries in the job, click on EDIT:
   Use and to add and remove dictionaries in the list. The double arrows add or remove all existing dictionaries. All dictionaries listed under Selected Items are used by the job.
4. In this job, a copy of the email is quarantined and the email is deleted without being delivered to its recipient. A notification is sent to the administrator. You can select this notification from the drop-down list of available notification templates 109.

109. Refer to Creating Notification Templates on page 94.
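The wildcard rules from 9.4.3 and the weight and threshold arithmetic from 9.4.2 and 9.4.5 can be checked against sample text with the following added Python example, which is not GBS code and not the product's matching engine. It assumes that each distinct matching word counts once and that the job fires as soon as the score reaches the threshold (the "at least 5 terms at weighting 10" case); the mail texts are constructed.

```python
import re

WILDCARDS = "*+"


def compile_entry(entry):
    """Translate one dictionary line into (regex, core term, needs_extra).

    *  zero or more extra word characters at that end of the term
    +  like *, but the bare term on its own must not count as a hit
    No wildcard: only the exact whole word or phrase is found.
    """
    entry = entry.strip().lower()
    lead = entry[0] if entry and entry[0] in WILDCARDS else ""
    body = entry[1:] if lead else entry
    trail = body[-1] if body and body[-1] in WILDCARDS else ""
    core = body[:-1] if trail else body
    if not core or any(c in core for c in WILDCARDS):
        # The manual only allows wildcards at the start or end of an entry.
        raise ValueError("wildcard must be at the start or end: %r" % entry)
    edge = r"\w*"
    pattern = (r"(?<!\w)" + (edge if lead else "") + re.escape(core)
               + (edge if trail else "") + r"(?!\w)")
    return re.compile(pattern), core, "+" in (lead, trail)


def find_terms(entry, text):
    """Return the distinct words or phrases in text that the entry finds."""
    regex, core, needs_extra = compile_entry(entry)
    hits = {m.group(0) for m in regex.finditer(text.lower())}
    if needs_extra:
        hits.discard(core)  # '+' requires the term to be part of a longer word
    return hits


def score_email(text, dictionaries):
    """dictionaries maps name -> (weight, entries). Returns (score, report)."""
    total, report = 0, {}
    for name, (weight, entries) in dictionaries.items():
        if not 1 <= weight <= 200:
            raise ValueError("weighting must be between 1 and 200")
        found = set()
        for entry in entries:
            found |= find_terms(entry, text)
        if found:
            report[name] = sorted(found)
            total += weight * len(found)  # assumption: one count per distinct hit
    return total, report


def job_triggers(text, dictionaries, threshold=50):
    """Assumption: the job actions run when the score reaches the threshold."""
    return score_email(text, dictionaries)[0] >= threshold


# Dictionary name, weighting and terms as in the manual's example.
PHARMACY = {"Anti-Spam: Pharmacy Offers": (20, ["overweight", "aging"])}
# Constructed sample mail text.
SAMPLE_MAIL = "Feeling overweight? Worried about aging? Order now."

if __name__ == "__main__":
    print(score_email(SAMPLE_MAIL, PHARMACY))
    print(job_triggers(SAMPLE_MAIL, PHARMACY, threshold=50))
```

An entry without wildcards such as aging does not fire on packaging, which is the difference that decides whether a short term belongs in a dictionary as an exact word or with a wildcard.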
9.5 Text Analysis for Credit Card Numbers

Cashless financial transactions increasingly rely on card-based payments. In this context, credit cards have become a very popular form of payment in both business and private sectors, which is mainly due to their international acceptance. As a result, credit cards are being increasingly used for electronic banking.

Therefore, the security of credit cards has become a major issue for their holders and the issuing banks. So, to avoid any abuse, it is essential that credit card numbers transmitted by email are exclusively delivered to the intended recipient.

9.5.1 Sample Job: Text Analysis for Credit Card Numbers

1. Copy the Block Emails with Credit Card Information job to MAIL TRANSPORT JOBS. Activate the job 110.
2. When required, modify the address evaluation so that only emails which are addressed to recipients outside the enterprise are processed (Addresses tab).
3. Open the Content Restrictions tab:

110. This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
   Scan options: Subject line, message body and file attachments are checked for credit card numbers by default.
   Extract archives: Enable this option to allow scanning of compressed file attachments. For this, the compressed files have to be unpacked first. To prevent certain archives from being checked, click on the EDIT ARCHIVES button and define the exceptions.

   Though files of the file type Microsoft Office 2007 and Open Office are archives as well, such files do not have to be unpacked to be checked. Therefore, such file types are not unpacked by the job by default.
4. Open the Options tab:
   Maximum size to be searched (in KB per element): Defines the maximum amount of KB to be checked within a file. The first 100 KB are checked by default.
   Digits to reveal (in report): Number of digits of a credit card number that are displayed in the processing log. With the default setting 4, only the last four digits are displayed in the iq.suite Monitor. All other digits are marked with an X.
   Range to search for proximity phrases (characters): When a number sequence is rated, the surrounding text can be examined for keywords that indicate a credit card number, e.g. "credit" or "card number". If such a keyword is found, the probability that the number sequence is a credit card number increases. The 100 characters before and after the number sequence are examined by default.
   Prefer wellknown issuers: The first six digits of a credit card number identify the credit card issuer, e.g. American Express. If this option is enabled, a number sequence whose leading digits belong to a well-known issuer gains a higher probability than a number sequence which cannot be assigned to any issuer.
   Prefer common number seperation: This option defines that common number groups that indicate a credit card number have a strong influence on the identification of a credit card number. If this option is enabled, common number groups gain a higher probability than unknown number sequences. For a number sequence to be interpreted as a credit card number, it may be interrupted only by hyphens or blanks.
   Report hits with high probability only: With this option, an unknown number sequence is only rated as a credit card number if the analysis result reports a high probability. Disable this option in the case of many False Positives (many credit card numbers are not found by the job).
   Report unknown issuers / Report wellknown issuers: This global setting defines whether the job considers credit card information of well-known and/or unknown issuers. With both options enabled, all number sequences are checked independent of the issuer.
   Proximity search: Define the keywords that indicate a credit card number, e.g. credit or card number. If a number sequence is found, the proximity phrases are checked for these keywords. If a keyword is found, the probability that the number sequence is a credit card number increases.
   Numbers to ignore: If certain number sequences are not to be interpreted as a credit card number, enter these permissible number sequences in this field. These numbers will be ignored by the job.
5. If a credit card number is found, the email is stored in the default quarantine by default and the email is not delivered to the recipients. The administrator is notified.
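How the settings of the Options tab interact can be seen in the following added Python example, which is not the product's algorithm. The point values, the Luhn checksum test and the short issuer prefix table are assumptions of this example; the card numbers are publicly documented test numbers and the mail texts are constructed.

```python
import re
from dataclasses import dataclass

# Assumption: coarse leading digits and lengths of a few well-known issuers
# (real issuer tables are keyed on the first six digits).
ISSUERS = {
    "Visa": (("4",), (13, 16, 19)),
    "Mastercard": (("51", "52", "53", "54", "55"), (16,)),
    "American Express": (("34", "37"), (15,)),
}
COMMON_GROUPS = {(4, 4, 4, 4), (4, 6, 5)}  # usual ways the digits are grouped
# 13 to 19 digits, interrupted only by single blanks or hyphens.
CANDIDATE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")


@dataclass(frozen=True)
class Options:  # field names mirror the Options tab; defaults as in the manual
    max_kb: int = 100
    digits_to_reveal: int = 4
    proximity_range: int = 100
    prefer_wellknown_issuers: bool = True
    prefer_common_separation: bool = True
    high_probability_only: bool = True
    report_unknown_issuers: bool = True
    report_wellknown_issuers: bool = True
    proximity_keywords: tuple = ("credit", "card number")
    numbers_to_ignore: frozenset = frozenset()


def luhn_ok(digits):
    """Luhn checksum (an addition of this example, not named in the manual)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def issuer_of(digits):
    for name, (prefixes, lengths) in ISSUERS.items():
        if digits.startswith(prefixes) and len(digits) in lengths:
            return name
    return None


def mask(digits, reveal):
    """Show only the last `reveal` digits; every other digit becomes X."""
    keep = digits[-reveal:] if reveal > 0 else ""
    return "X" * (len(digits) - len(keep)) + keep


def find_card_numbers(text, opt=Options()):
    text = text[: opt.max_kb * 1024]  # characters stand in for bytes here
    hits = []
    for m in CANDIDATE.finditer(text):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if digits in opt.numbers_to_ignore or not luhn_ok(digits):
            continue
        issuer = issuer_of(digits)
        if issuer and not opt.report_wellknown_issuers:
            continue
        if not issuer and not opt.report_unknown_issuers:
            continue
        score = 30  # assumed base value for a checksum-valid sequence
        if issuer and opt.prefer_wellknown_issuers:
            score += 30
        groups = tuple(len(g) for g in re.split(r"[ -]", raw))
        if opt.prefer_common_separation and groups in COMMON_GROUPS:
            score += 20
        lo = max(0, m.start() - opt.proximity_range)
        near = text[lo:m.start()] + " " + text[m.end():m.end() + opt.proximity_range]
        if any(k in near.lower() for k in opt.proximity_keywords):
            score += 20
        if opt.high_probability_only and score < 70:
            continue
        hits.append({"masked": mask(digits, opt.digits_to_reveal),
                     "issuer": issuer or "unknown", "score": score})
    return hits


if __name__ == "__main__":
    # Constructed mail text with a public Visa test number.
    print(find_card_numbers("Please charge my credit card 4111 1111 1111 1111 today."))
```

Only the masked form ever leaves the function, so a processing log built from these hits does not itself become a store of full card numbers.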
9.6 CORE Classification

With CORE (COntent Recognition Engine), emails can also be categorized/checked for unwanted content without matching against dictionaries.

CORE is based on the Support Vector Machines (SVM) method, a statistical learning theory for text classification, where the analyzer is "learned" through a representation of text as vector. The goal of SVM is to reliably assign incoming emails to predefined categories in order to be able to filter out spam according to the text content and handle the emails according to specific topics.

This theory is implemented through training emails used to train a classifier. The training emails used comprise a representative set of emails that a company receives (spam and non-spam, including business email, newsletters, offers and inquiries) and are used as basis for categorization. For this, the training emails are copied into the CORE classifier. Once trained, the classifier can be used in the Wall CORE Classification job.

If you are not satisfied with the result of the analysis, you can retrain the classifier any time by adding further emails to each category. The more representative this selection is, the better this method will work in a production environment.

As spammers use frequently changing (and often non-existing) addresses and varying content, CORE is especially suited for blocking spam because it is trainable, while dictionaries require more maintenance work to keep pace with the rate at which spammers change their methods. In addition to checking external emails addressed to internal users, CORE can be used to check emails addressed to external users as well.
9.6.1 Using CORE for Spam Filtering

9.6.1.1 Using the preset CORE Classifier

The iq.suite provides a trained spam classifier, which can be used immediately in the Advanced Spam Filtering job. For this, enable the combined criterion CORE classifier in the job. This classifier cannot be modified or extended. When installed, it is stored in a different location than your own classifiers.

9.6.1.2 Creating a new CORE Classifier

To use CORE with your own CORE classifier, proceed as follows:

1. Create a new classifier with two categories: BASIC CONFIGURATION -> UTILITY SETTINGS -> CORE CLASSIFIER -> NEW -> NEW CLASSIFIER:
2. Enter a name for the classifier. Do not use special characters. The folder name is entered automatically and the folders are created under iq.suite\grpdata\quarantine\.
3. Save the configuration with.
4. Refresh the iq.suite Monitor: RIGHT-CLICK -> REFRESH.
5. Drag and drop the emails from the quarantines to the CORE classifier and place each one in a suitable category.
6. To teach the classifier in iq.suite Monitor, open the context menu and select ALL TASKS -> TEACH CLASSIFIER. After completing the teaching process, log files are created in the classifier folder you have created and the status in iq.suite Monitor is changed. A message appears in the Event Viewer.
7. Open the Advanced Spam Filtering job under POLICY CONFIGURATION -> MAIL TRANSPORT JOBS.
8. In the Actions tab, click on the COMBINED CRITERIA button.
9. Open the Spam (Classification) tab:
10. In the spam criterion CORE classifier, select your own CORE classifier.
11. Save the configuration. The job will now use the newly created classifier, which you can retrain any time.
9.6.2 Using CORE for Content Classification

CORE can not only be used for spam protection purposes but also for content classification, e.g. to categorize emails depending on the text contents.

9.6.2.1 Classifier Configuration

Emails addressed to info@company-x.com are to be automatically categorized by their content into different predefined categories, e.g. request, query, support, etc. Then, the emails are to be forwarded to the recipients according to this classification.

1. Under BASIC CONFIGURATION -> UTILITY SETTINGS -> CORE CLASSIFIERS, create a new classifier with several categories:
2. Enter a name for the classifier. Do not use special characters. The folder name is entered automatically and the folders are created under iq.suite\grpdata\quarantine\.
3. To define the categories, click on ADD:
4. Save the classifier configuration.
5. Refresh the iq.suite Monitor: RIGHT-CLICK -> REFRESH. The new CORE classifier and the created categories are displayed.
6. Drag and drop the training emails from the quarantines to the CORE classifier and place each one in a suitable category.
7. To teach the classifier in iq.suite Monitor, open the context menu and select ALL TASKS -> TEACH CLASSIFIER. After completing the teaching process, log files are created in the classifier folder you have created and the status in iq.suite Monitor is changed. A message appears in the Event Viewer.
8. Create several Wall CORE Classification jobs with this CORE classifier and enable them. Refer to Sample Job: New CORE Classification Job.

9.6.2.2 Sample Job: New CORE Classification Job

1. Copy the Wall CORE Classification job to MAIL TRANSPORT JOBS. Activate the job 111.
2. In the Subject extension field of the General tab, enter the CORE classification result variable [VAR]CORECategory[/VAR], which will be added to the subject line of each email whose content has been classified by CORE and further processed. This tells the recipients that the email has been automatically forwarded to them based on its content.
3. In the Addresses tab, set up the address conditions. Under Run this job when a message arrives from, enter the external senders and under And where addressed to, enter the address info@company-x.com 112:

111. This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
112. For further information on addresses, please refer to Address Lists on page 89.
4. In the CORE Options tab, select under Select classifier the classifier you have just created:
5. Define when to trigger the job actions:
   a) With the Always, regardless of classification option, actions are performed independent of the category in which the email is classified. You can use this option, for instance, to quarantine all emails in a particular category (a label is set with a variable for this purpose), to create an X-header with the CORE classification result or the CORE classification category, or to add a subject extension to all emails before delivery to the recipients.
   b) The When CORE result reaches selected threshold option refers to a defined threshold of a category. In this example, the job actions are performed for emails that are classified as requests with a threshold above 50%. For all other emails, no action is performed.
   With these actions, you can control further processing of your emails, e.g. using Outlook rules or other applications.
6. In the Actions tab, specify the actions to be performed when the job has classified an email as request with a probability of more than 50%:
   To let you check whether CORE has classified the email correctly, it is quarantined and the administrator is notified. In productive operation, you can disable these two actions.
7. Click on ADD and enable the Redirect mail action. Enter the email address of the department or person who deals with inquiries in your company 113.

The configuration for the first category is finished. For each category to be redirected, create a separate job. For this, duplicate the job with RIGHT-CLICK -> ALL TASKS -> DUPLICATE. Repeat the procedure for each category.

113. For further information on entering addresses, please refer to Address Lists on page 89.
9.7 Text Analysis with Regular Expressions (Advanced Actions)

To manage email processing and modify email properties, regular expressions can be used to search emails for certain text strings. If a match is found during email processing, the text string can be replaced by a freely definable substitution text.

You can use regular expressions in the following iq.suite jobs:
Wall E-Mail Adress Filtering jobs
Wall Advanced Action jobs

Within Wall E-Mail Adress Filtering jobs you can use regular expressions to search in email fields. In order to use regular expressions to search in file attachments, use Wall Advanced Action jobs. This job type can also be used by an external application to validate matches.

9.7.1 Sample Job: Regular Expressions in File Attachments

In order to search for regular expressions in file attachments, configure a Wall Advanced Action job. You can search for matches both in the name and in the contents of the file attachment. However, replacing text is only possible in the name of the file attachment.

Configuration:

1. Under MAIL TRANSPORT JOBS create a Wall Advanced Action job. Enable the job 114.
2. In the Content tab define regular expressions for search and text replacement for SMTP sender, SMTP recipient, email header and email body. If required, refer to the description under Replacing Text with Regular Expressions on page 267 and Sample Job: Transfer Matches to External Application on page 320.
3. Open the Attachments tab:

114. This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
   Use fingerprint configuration to specify the file attachment types which shall be checked. To exclude single fingerprints, define exceptions.
4. In the sub tab File name click on ADD:
   Regular Expression: Define the search pattern as a regular expression. The regular expression is used to search for matches in the file name of the file attachment. The text strings which correspond to the definition of a regular expression can be replaced by enabling 'Replace matches by using this regular expression'. In the following entry field, enter the regular expression with which the match shall be replaced.
5. Click on APPLY. Open the sub tab File content, click on ADD and specify a search pattern for the content of the file attachment. Please note that matches in the content of a file attachment cannot be replaced.
6. Click on APPLY and save the configuration.
9.7.2 Sample Job: Transfer Matches to External Application

Use a Wall Advanced Action job to transfer results of a text analysis determined by a regular expression to an external application. This allows, for example, validation of found matches. Depending on the type of application many use cases are possible. This section demonstrates how it works.

Configuration:

1. Under MAIL TRANSPORT JOBS create a Wall Advanced Action job. Enable the job 115.
2. Open the Content tab and define regular expressions for search and text replacement for SMTP sender, SMTP recipient, email header. If required, refer to the description under Replacing Text with Regular Expressions on page 267.
3. In the Content tab open the sub tab EMail Body and click on ADD.

115. This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
   Email Body Format: If required, you can restrict job execution to certain formats of the message text by selecting the desired option. With the default option All body formats the job starts for all formats. If the character set of the email body is unknown, the local character set is used.
   Regular Expression: Define search patterns as regular expressions. The regular expression is used to search for matches in the email's message text. If a text string corresponds to the definition of a regular expression, this match can be transferred to an external application. In addition, matches can be replaced completely or partially. To replace the text, enable the 'Replace matches by using this regular expression' option and specify a text for replacement in the following entry field.
4. Open the Options tab:
   This tab is only relevant if regular expressions, matches and/or a replacement text shall be transferred to an external application. To validate every match that was found, the external application is called for every single match.
   Provide matches as files: The data to be passed to an external application is usually transferred by command line. However, if the data contains characters that cannot be processed, such as line breaks, data can be written to temporary files. Every object is provided as a separate file (regular expressions, matches and/or replacement texts). As soon as the file is delivered to the application, it is deleted immediately. Please note that processing takes longer if files are used, compared to delivery via command line. Specify the objects to be transferred to the application by using parameters (refer to step 5).
   Verify matches with the following application: Enable this option if data is to be transferred to an external application.
5. Click on EDIT in order to configure the connection settings:
   Command Line: Enter the path to the external application (execution file).
   Parameters: iq.suite provides parameters that can be transferred to the application by command line or by using certain files. The parameters must also be defined in the application.
   Parameters for data transfer by command line:
[regex_regex]: Regular expression that was found.
[regex_match]: Match that was found by a regular expression.
[regex_replacement]: Replacement text for the match.

Parameters for data transfer by file:

[regex_regex_file]: File that contains the regular expression. This parameter is only available if configured in the job.
[regex_match_file]: File that contains the match that was found by a regular expression. This parameter is only available if configured in the job.
[regex_replacement_file]: File that contains the replacement text. This parameter is only available if configured in the job.
[cmd_repfile]: File used for the report.

Timeout: If the application is unable to process the data in the specified time, a time-out occurs and processing is stopped.

User/Password: If starting the application requires a certain user account, enter this user's authentication data in this field.

6. Open the Actions tab and define the success and error actions that shall be performed. Please note that the success actions will be performed if at least one match was replaced.

7. Save the job.
10 iq.suite Convert

10.1 Overview

iq.suite Convert performs a rule-based conversion of email attachments prior to delivery, e.g. to PDF, PDF/A, ZIP or 7-ZIP, or, using the command line, to any other format. iq.suite Convert can also be used to convert TNEF emails to the MIME format.

PDF reduces the risk of data manipulation and, due to its widespread use, also avoids compatibility problems when opening files on the recipient side. Compression to ZIP additionally reduces the size of the file and therefore of the email, which in turn relieves your infrastructure and increases the overall performance.

Fingerprints allow you to restrict the attachments to be converted according to the file type.

Job Types

Compress attachments to ZIP or 7-ZIP (Job: Convert Compression)
Convert attachments to PDF or PDF/A (Job: Convert PDF)
Convert TNEF emails to the MIME format (Job: Convert TNEF To MIME)
Execute actions for attachments from the command line (Job: Convert Command Line)

As a rule, emails encrypted or signed with S/MIME or PGP/MIME are processed by iq.suite Convert jobs in order to avoid difficulties on the recipient side.
10.2 Sample Job: Compress Attachments as ZIP

Before they are delivered, email attachments can be compressed to ZIP or 7-ZIP (Open Source software) and, where required, protected with a password. The significant reduction of the file size resulting from the compression process reduces both the server load caused by the email traffic and the disk space required in the recipients' mailboxes. As a general rule, images embedded in email bodies are not compressed in order to avoid display errors on the recipient side.

Copy the Convert Compression job to MAIL TRANSPORT JOBS. Activate the job (see footnote 116).

As preconfigured, this job only processes internal emails addressed to external recipients. If an email attachment was successfully compressed, an extension is added to the email subject line.

10.2.1 Selection

Use the Selection tab to set further properties related to the compression and the attachments to be converted.

116. This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
Under Compression is equal to or greater than, specify the minimum compression percentage to be reached for an attachment to be processed. With the default setting of 10%, the file size of a compressed file attachment must be at least 10% smaller than the original file. If this value cannot be reached, the file attachment is not compressed.

Depending on the number and size of the attachments, it may be useful to limit the processing time allowed for each attachment (< 900 seconds). If an attachment cannot be processed within the period of time specified under Abort compression after, processing is aborted and continued with the next attachment or next email. In this case, the email is delivered with the attachment in original format.

To limit the size of the attachments to be processed, use the Attachment size fields. Without any size restrictions, even very small attachments will be compressed although the size reduction is negligible as regards the disk space saved. On the other hand, processing a large number of very large files may seriously affect the server's performance.
By default, the job compresses attachments of any file type except for already compressed archives and embedded (inline) images. Using fingerprints, you can specify further file types to be excluded from compression. Refer to Fingerprints on page 248.

10.2.2 Compression Options

Open the Options tab:

The preset default compression method is ZIP with the compression level set to Normal compression. Alternatively, you can also select the open-source compression with 7-ZIP and/or change the compression level:

High compression: The focus is on maximum compression for maximum space saving. Please note that this may significantly increase the duration of the compression process. In this case, you may have to adjust the period of time after which the process is aborted (Selection tab).

Normal compression (default): The focus is on achieving a compromise between quick and high compression. From experience, this is the setting that yields reasonable results.
Quick compression: The focus is on quick compression and minimizing the computing time and resources needed. Please note that with this setting the compression level achieved may be less than maximum.

No compression: The attachments are simply converted to the ZIP format, but not compressed.

To protect compressed attachments with a password, you can choose between ZIP encryption and the AES encryption algorithm. Enter the password to be used in the subsequent field. Please keep in mind that this password must be known to the email recipients and that the unpacker used on the recipient side must support the encryption method.
10.3 Sample Job: Converting Attachments to PDF

Before they are sent to the recipients, the attachments contained in an email can be converted to PDF or PDF/A. This makes it possible to meet corporate policies and security requirements, for instance that it is not allowed to send editable files to external recipients. The conversion to the PDF format reduces the risk of data manipulation, e.g. in Office files or images. Furthermore, once converted, any additional information included in the original files such as markups, metadata, etc. is no longer available to the recipients. In addition, the conversion to the widely used PDF format avoids the problem that recipients are not able to open the files due to a proprietary format or compatibility issues related to outdated software versions.

Copy the Convert PDF job to MAIL TRANSPORT JOBS. Activate the job (see footnote 117).

As preconfigured, this job only processes internal emails addressed to external recipients. Except for PDF files, all attachments are converted. Using fingerprints, it is possible to exclude further file types from conversion.

117. This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
10.3.1 Selecting Attachments

Use the Selection tab to set what is to be done with the original attachments. By default, they are removed and only sent as PDF.

Depending on the number and size of the attachments, it may be useful to limit the processing time allowed for each attachment (< 900 seconds). If an attachment cannot be processed within the period of time specified under Abort compression after, processing is aborted and continued with the next attachment or next email. In this case, the email is delivered with the attachment in original format.

To limit the size of the attachments to be processed, use the Attachment size fields.

By default, the job compresses the attachments of all file types except for attachments already provided in PDF format. By specifying fingerprints, you can exclude further file types from conversion. Refer to Fingerprints on page 248.
10.3.2 Conversion Options

Open the Options tab:

By default, attachments are converted to PDF. If you want the attachments to be converted to the ISO standard PDF/A format, activate the Use PDF/A format option. In both cases, you can modify the PDF output through variables.
10.3.3 Variable Settings

Click on ADD to create a new variable definition:

Under Variable enter a name and under Value specify a value. Click on APPLY to confirm (see footnote 118).

Example: Users sometimes use special fonts to format documents. If these fonts are unavailable on the server where the documents are converted to PDF, they are replaced with default fonts. To change these default fonts, you can set the following conversion variables:

Variable: PRINTFONTALIAS_ORIGINAL<_x>
Value: Name of the missing character set, e.g. Britannic Bold.
Description: <_x>: As normally more than one font will have to be replaced, you can use the <_x> counter (_1, _2, _3 etc.) to specify several fonts. If the character set specified is unavailable, it is replaced with the character set in the variable PRINTFONTALIAS_ALIAS<_x>.

118. For further information on configurable PDF variables, please refer to the separate document on Convert parameters. Download under www.gbs.com.
Variable: PRINTFONTALIAS_ALIAS<_x>
Value: Name of the replacement character set, e.g. Arial.
Description: Character set to be used instead of the character set specified in the PRINTFONTALIAS_ORIGINAL<_x> variable.

Variable: PRINTFONTALIAS_FLAGS<_x>
Value: SCCVW_FONTALIAS_ALIASNAME (see note a): The replacement character set is used. If a default character set exists, it is overwritten.
Description: Sets if and how the settings in PRINTFONTALIAS_ORIGINAL<_x> and PRINTFONTALIAS_ALIAS<_x> are used.

a. Further values can be configured besides SCCVW_FONTALIAS_ALIASNAME. For further information, please refer to the separate document on Convert parameters.
10.4 Sample Job: Converting TNEF-Mail to MIME

Some iq.suite jobs do not process any TNEF emails. For iq.suite jobs to be able to process the emails sent by Outlook users within the same Exchange organization, it is possible to convert internal TNEF emails to the MIME format.

1. Copy the Convert TNEF To MIME job to MAIL TRANSPORT JOBS. Activate the job (see footnote 119).

2. In general, it is not required to modify the Options tab. We recommend keeping the default settings:

To influence the representation of TNEF emails in individual cases, please take the following details into account.

Conversion: Define whether the Exchange server or the considerably faster internal method of the iq.suite is used for TNEF to MIME conversion. Please note that for the use of the Exchange server certain iq.suite Bridge options have to be configured for every iq.suite server (see below).

119. This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
Use Exchange: TNEF emails are converted to MIME by the Exchange server. The iq.suite internal method is not used.

Avoid Exchange: If the TNEF emails can be converted to MIME by the internal method of the iq.suite without loss (7-bit TNEF), the conversion is performed without using the Exchange server. If only RTF components are contained in the TNEF email, the Exchange server is used instead (8-bit TNEF).

Without Exchange: TNEF emails are converted to MIME without using the Exchange server. Please note that the iq.suite converts the message body of the TNEF email into plain text, if there is HTML or if there is no additional message body in the HTML or text format available. Since RTF data might get lost, representation errors could occur.

TNEF Correlator: If the TNEF correlator contained in the email header does not comply with the TNEF correlator in the TNEF part (winmail.dat), the Exchange server removes the TNEF part at the conversion instead of converting it. This occurs due to a problem of the Exchange server through which the file attachments are missing after the conversion (see footnote 120). Enable this option if it is ensured that the TNEF part is valid and shall be converted.

If the Use Exchange option or the Avoid Exchange option is selected, additional configurations are necessary:

3. Navigate to your iq.suite server: BASIC CONFIGURATION -> IQ.SUITE SERVERS -> DOUBLE-CLICK <IQ.SUITE SERVER>.

4. Select the Bridge Options tab and enable the Enable Bridge system mailbox or system folder option.

5. Adjust further settings as required. For further information, please refer to Setting Bridge Options on page 85.

6. Test the MIME conversion with the test function under IQ.SUITE MONITOR -> SERVER -> <SERVER NAME> -> SERVER STATUS -> TEST TAB -> TNEF-TO-MIME DECODER TEST -> START.

120. Please refer to Microsoft Support.
7. Set the job's priority so that it is started before the iq.suite jobs that are unable to process TNEF emails, for instance before a Convert job for PDF conversion. Refer to Sample Job: Converting Attachments to PDF on page 330.

10.5 Sample Job: Conversion via Command Line

The Convert Command Line job allows you to run your own application (.exe, .bat) that performs specific actions with the attachments, e.g. convert specific file types to TIFF. When processing the email, the job starts this application. The application must contain certain parameters, which are read by the job and passed to iq.suite via the command line. The actions specified in your own application and in the iq.suite job are applied to the attachments of the email.

Copy the Convert Command Line job to MAIL TRANSPORT JOBS. Activate the job (see footnote 121).

121. This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
10.5.1 Selecting Attachments

Use the Selection tab to set what is to be done with the original attachments. By default, they are preserved and the result of the job action is attached to the email as an additional file attachment.

To limit the size of the attachments to be processed, set the Attachment size fields accordingly.

By default, all attachments are processed, except for embedded objects such as embedded images. You can specify fingerprints if you want to exclude specific files from being processed. Processing embedded attachments (e.g. embedded images) is also possible.
10.5.2 Conversion Options

File extension: The file extension specified here is added to the converted attachments. Specify this file extension if the application to be run modifies the file type, but does not change its extension.

Click on EDIT to configure the application:
10.5.3 Configuring Your Own Application

Command line: Enter the path to the application.

Parameters: iq.suite provides a number of parameters for the command line. For any action to be applied to attachments, you have to define at least the parameters [Cmd_InFile] (input file) and [Cmd_OutFile] (output file) in the application:

[Cmd_InFile]: Content of the original file attachment (input file).
[Cmd_OutFile]: Content of the converted attachment (output file). The original file attachment is replaced with the content of this file. If no output file is created, the file attachment is not replaced.
[AttachmentName] (optional): Name of the original file attachment. Surround this parameter with quotes.
[AttachmentSize] (optional): Size of the original file attachment (binary in bytes).
[Cmd_ReportFile] (optional): If the application to be run writes a processing report to this file, the report is later included in the job report.

Timeout: Specify a timeout for the application. If the attachments cannot be processed within the period of time specified here, processing is aborted.
User/Password: If the external application is to be started under another account, use these fields to specify the authentication data of the desired user.

The 8-bit character set (ASCII) has to be used when calling the file. Therefore, to ensure that a batch file is called with the correct character set encoding, run the following command-line command: chcp 1252
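A converter that could sit behind the Convert Command Line job of section 10.5, added here as an example (it is not GBS code and not part of the manual): it strips metadata chunks from PNG attachments and relies on the documented rule that a missing output file leaves the attachment unreplaced. The PNG task, the script itself, its argument order, the .bat wrapper that would launch it and the exit status values are assumptions; only the [Cmd_...] and [Attachment...] parameter names come from the manual.

```python
import os
import struct
import sys
import tempfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Ancillary chunks that carry comments, author names, EXIF data or timestamps.
METADATA_CHUNKS = {b"tEXt", b"zTXt", b"iTXt", b"eXIf", b"tIME"}


def make_chunk(ctype, data):
    """Serialise one PNG chunk: length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def constructed_sample():
    """Constructed 1x1 greyscale PNG with an author comment and trailing bytes."""
    ihdr = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    text = make_chunk(b"tEXt", b"Author\x00Jane Doe")
    idat = make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    return PNG_SIG + ihdr + text + idat + make_chunk(b"IEND", b"") + b"appended"


def strip_png_metadata(blob):
    """Return (clean_bytes, dropped_chunk_types); raise ValueError on bad input."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    out, dropped, pos, seen_iend = [PNG_SIG], [], len(PNG_SIG), False
    while pos < len(blob):
        if pos + 8 > len(blob):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError("chunk length exceeds file size")
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError("chunk CRC mismatch")
        if ctype in METADATA_CHUNKS:
            dropped.append(ctype.decode("ascii"))
        else:
            out.append(blob[pos:end])
        pos = end
        if ctype == b"IEND":
            seen_iend = True
            break  # bytes appended after IEND are not copied
    if not seen_iend:
        raise ValueError("missing IEND chunk")
    return b"".join(out), dropped


def safe_label(name):
    """[AttachmentName] is chosen by the sender: keep printable characters only."""
    return "".join(c if c.isprintable() else "?" for c in str(name))[:120]


def convert(in_file, out_file, attachment_name="", attachment_size="", report_file=None):
    """Return 0 and create out_file on success; return 1 and create no out_file
    otherwise. The name is only written to the report, never used as a path."""
    lines = ["attachment: " + safe_label(attachment_name),
             "declared size: " + safe_label(attachment_size)]
    tmp_path = None
    try:
        with open(in_file, "rb") as fh:
            blob = fh.read()
        clean, dropped = strip_png_metadata(blob)
        # Write beside the target and rename, so an abort or timeout never
        # leaves a half-written output file for the job to pick up.
        fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(out_file)))
        with os.fdopen(fd, "wb") as fh:
            fh.write(clean)
        os.replace(tmp_path, out_file)
        tmp_path = None
        lines.append("removed chunks: " + (", ".join(dropped) or "none"))
        lines.append("bytes in/out: %d/%d" % (len(blob), len(clean)))
        status = 0
    except (OSError, ValueError) as exc:
        lines.append("not converted: %s" % exc)
        status = 1
    finally:
        if tmp_path and os.path.exists(tmp_path):
            os.remove(tmp_path)
    if report_file:
        with open(report_file, "w", encoding="ascii", errors="replace") as fh:
            fh.write("\n".join(lines) + "\n")
    return status


if __name__ == "__main__":
    # Assumed argument order, as a hypothetical wrapper would pass it:
    # [Cmd_InFile] [Cmd_OutFile] "[AttachmentName]" [AttachmentSize] [Cmd_ReportFile]
    args = sys.argv[1:]
    sys.exit(convert(*args[:5]) if len(args) >= 2 else 2)
```
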
11 iq.suite Trailer

11.1 Overview

iq.suite Trailer integrates individual trailer texts into emails as disclaimers (so-called trailers). With this, you can add greetings, company information, legal disclaimers or notices to emails that are sent to external recipients. In addition, you can combine them with graphic elements such as the company logo, images, vcards, or other Trailer attachments.

Due to the flexibility of iq.suite Trailer, it is possible to configure individual trailers for different departments, groups of persons or Internet domains and append them to emails for a specific period of time. Easy trailer configuration and a central management of the trailers, in turn, help to ensure a uniform appearance and corporate identity of the company to the outside world.

11.1.1 Procedure for Trailer Configuration

1. To attach a trailer to emails, at least one configured Trailer job is required. Refer to General Job Configuration on page 367.

2. Usually, every Trailer job contains at least one Trailer document with the content of the trailer that is attached to the email. The Trailer documents are configured before the Trailer job (refer to Creating a Trailer Document on page 358). Then, the Trailer documents can be selected in the job (Trailer tab).

3. If required, you can include Trailer images or Trailer attachments in the trailer. Like Trailer documents, both elements are configured before configuring the Trailer job (refer to Conventional and Personalized Trailer Images on page 344 and Trailer Attachments on page 350, respectively). The Trailer images are selected in the Trailer document, the Trailer attachments in the job (Attachments tab).

4. In addition, you can use Trailer search patterns for Trailer positioning. Like Trailer documents, the Trailer search patterns are configured before configuring the Trailer job (refer to Creating a Trailer Document on page 358). Then, the Trailer search patterns are selected in the job (Position tab).

11.2 Configuring Trailer Elements (optional)

In order to realize certain scenarios, you can use optional Trailer elements such as images, search patterns or Trailer attachments in the Trailer job or Trailer document. These optional elements are configured separately and can be selected in Trailer jobs or Trailer documents later on.

11.2.1 Conventional and Personalized Trailer Images

Frequently, the Trailers for HTML emails shall not only include text but also contain images. Images can be provided by one of the following Trailer image types:

conventional Trailer images
personalized Trailer images

When the image shall be used for all employees or a certain user group, such as the company logo or small icons, create a conventional Trailer image. Conventional Trailer images are not stored in the Active Directory.

When the image refers to a single person, such as an employee's photo or his/her scanned signature, create a personalized Trailer image. Personalized Trailer images are stored in the Active Directory by storing the user's image in a certain attribute, e.g. in the thumbnailphoto. This attribute is used by Outlook.

Usually, conventional and personalized Trailer images are directly integrated in the Trailer document (refer to Inserting Images in the HTML Format on page 362). For this, the images must be imported to the iq.suite server, before adjusting them to the Trailer document. As an alternative, the images can be inserted as HTTP link (without a previous import). Refer to Inserting Images as HTTP Link on page 364.
Information from the Global Catalog is used to display Trailer images. For this, Active Directory and Global Catalog must be synchronized. The Exchange server provides this functionality only as of Exchange Server 2007 SP1. Please ensure synchronization if you use older Exchange server versions.

Please note that images must be available as GIF, JPG or PNG image and cannot be appended to RTF emails.

11.2.1.1 Creating Trailer Image Categories

In the iq.suite, conventional and personalized Trailer images are managed in Trailer image categories. By default, you can find the following sections under TRAILER -> TRAILER IMAGES.

All Trailer Images: Displays a list of all images imported to the iq.suite and available as trailer.

Unassigned Trailer Images: Displays a list of all images that have not been assigned to an image category.

Depending on the internal sender address, it is possible to attach different trailers to emails for different groups or domains. Image categories can be used to store images in a systematic way, for instance to store all logos under one image category or to sort the photos of the employees by department.

Configuration:

1. Click TRAILER -> TRAILER IMAGES -> RIGHT-CLICK -> NEW -> TRAILER IMAGE CATEGORY and enter the name of the new image category:

2. Click OK to create the new category.

3. Add a Trailer image to the new category:
a) Conventional Trailer image: <SELECT IMAGE CATEGORY> -> RIGHT-CLICK -> NEW -> TRAILER IMAGE. Refer to Importing Conventional Trailer Images on page 346.

b) Personalized Trailer image: <SELECT IMAGE CATEGORY> -> RIGHT-CLICK -> NEW -> TRAILER IMAGE. Refer to Configuring Personalized Trailer Images on page 347.

To assign images to another image category, right-click on the image and click ALL TASKS -> MOVE TO -> <NAME OF THE IMAGE CATEGORY>.

11.2.1.2 Importing Conventional Trailer Images

1. Assign a Trailer image to the desired image category: <IMAGE CATEGORY> -> RIGHT-CLICK -> NEW -> TRAILER IMAGE.

2. Click on BROWSE and select the desired image from the file system. Please note that the images must be available in either GIF or JPG format. Under Image preview, the selected image is displayed.
Icons: Import again, Open image viewer, Export

Opens the file system to change the image displayed in the preview box.

The default image viewer is opened. If the program defined as default image viewer is an image processing application, this allows you to directly process the selected image. Then import the image again.

Opens the file system to change the image displayed in the preview box, e.g. after running the image processing software.

Please note that any images that have not been exported will no longer be available after having closed the administration console.

3. The Information tab provides detailed information on the imported Trailer image.

4. Click on APPLY -> OK and save the administration console.

5. Then, insert the image in the Trailer text of the Trailer document. Refer to Assigning Trailer Images to a Trailer Document on page 362.

11.2.1.3 Configuring Personalized Trailer Images

1. Add a personalized Trailer image to the desired image category: <SELECT IMAGE CATEGORY> -> RIGHT-CLICK -> NEW -> PERSONALIZED TRAILER IMAGE.

2. Open the General tab to configure the personalized Trailer image:
Attachment name: With this name, personalized Trailer attachments are appended to the Trailer.

Field name in AD: Enter the attribute in which personalized Trailer images shall be stored in the Active Directory (AD). Every Active Directory field can be used to store images for personalized Trailers. Since thumbnailphoto is used by Outlook, this field is pre-defined. The employee's image is determined automatically from this field and is attached to the Trailer.

Image format: Select the appropriate image format for the images in the Active Directory. Please note that the images must be available as GIF, JPG or PNG.

Default image: If no image is available for an employee, an outline image is displayed by default. Any image can be used as default image, e.g. a different outline image or the company logo. In order to change the default image, proceed as described under Changing the Default Image on page 349.

The default image is rescaled to the size of the image stored in the Active Directory. To prevent rescaling, enable the Ignore image size option.
When you create a new personalized Trailer image, the configuration Default image for used Trailer images is set by default. After replacing the outline image used in this configuration, the default image cannot be restored.

3. Then, insert the image in the Trailer text of the Trailer document. Refer to Assigning Trailer Images to a Trailer Document on page 362.

11.2.1.3.1 Changing the Default Image

The outline image used in the standard configuration as default image can be replaced:

1. Import the desired default image to the iq.suite server as a conventional Trailer image. Refer to Importing Conventional Trailer Images on page 346.

2. Select the default image in the configuration of the personalized Trailer image:

Save the configuration. As of now, if no image is found for an employee, this image is inserted in the Trailer.

3. In order to prevent insertion of any default image, add the following command in the Trailer text of the Trailer document (HTML tab): [COND]<Name of the field in AD>;<IMG alt=<image name> src= [IMG]<image ID>[/IMG] >[/COND]. For this, take the appropriate values for field name, image name and image ID from the source code. Click the icon:
11.2.2 Trailer Attachments

With Trailer attachments, personalized data that is, for example, stored in the Active Directory can be attached as a Trailer attachment, e.g. vcards or public PGP or S/MIME keys. The data for the Trailer attachment can be converted to a QR code and displayed in the Trailer as a QR code image. Email recipients can select and use the vcard data or QR code images.

Moreover, binary file attachments such as PDF or Office documents that are stored in the file system can be attached rule-based as a binary Trailer attachment.

Unlike other Trailer elements such as Trailer texts or Trailer images, the Trailer attachments are not integrated into the email body but are attached to emails like a conventional file attachment instead.

Configured Trailer attachments are inserted directly in the Trailer jobs. In order to insert the Trailer attachment as QR code image, a Trailer document is required.
The Trailer attachments must be available in ASCII character set. Binary data is not supported.

11.2.2.1 Creating a Trailer Attachment Category

In the iq.suite, the Trailer attachments are managed in Trailer attachment categories under TRAILER -> TRAILER ATTACHMENTS.

All Trailer Attachments: Displays a list of all attachments imported to the iq.suite and available as trailer.

Unassigned Trailer Attachments: Displays a list of all attachments that have not been assigned to an attachment category.

Depending on the internal sender address, it is possible to attach different Trailer attachments to emails for different groups or domains. Attachment categories can be used to store attachments in a systematic way, for instance to store vcards in a separate category or to sort PGP keys by department.

Configuration:

1. Click on TRAILER -> TRAILER ATTACHMENTS -> RIGHT-CLICK -> NEW -> TRAILER ATTACHMENT CATEGORY and enter the name of the new attachment category.

2. Click OK to create the new attachment category.

3. Add a Trailer attachment to the new category.

a) Conventional Trailer attachment: <SELECT ATTACHMENT CATEGORY> -> RIGHT-CLICK -> NEW -> TRAILER ATTACHMENT. Refer to Creating Conventional Trailer Attachments on page 352.

b) Binary Trailer attachment: <SELECT ATTACHMENT CATEGORY> -> RIGHT-CLICK -> NEW -> TRAILER ATTACHMENT (BINARY). Refer to Creating Binary Trailer Attachments on page 354.

To assign Trailer attachments to another attachment category, right-click on the attachment and click ALL TASKS -> MOVE TO -> <NAME OF THE ATTACHMENT CATEGORY>.
11.2.2.2 Creating Conventional Trailer Attachments

This section describes how to create a conventional Trailer attachment, e.g. for text attachments such as PGP or S/MIME keys or vcards. To attach Trailer attachments such as PDFs or Office documents, binary Trailer attachments are required. Refer to Creating Binary Trailer Attachments on page 354.

1. If required, create a new Trailer attachment category: TRAILER -> TRAILER ATTACHMENTS -> RIGHT-CLICK -> NEW -> TRAILER ATTACHMENT CATEGORY -> <NAME OF NEW ATTACHMENT CATEGORY>.

2. Add a Trailer attachment to the new attachment category: <ATTACHMENT CATEGORY> -> RIGHT-CLICK -> NEW -> TRAILER ATTACHMENT.

To assign Trailer attachments to another attachment category, right-click on the attachment and click ALL TASKS -> MOVE TO -> <NAME OF THE ATTACHMENT CATEGORY>.

3. Open the General tab to configure the Trailer attachment:

Name: With this name, the Trailer attachment is listed in the attachment category.
Attachment name: The attachment name corresponds to the file name of the Trailer attachment and ends with a file name extension. For example, the extension *.txt appends the Trailer attachment in the text format. For vcards, the file name extension *.vcf must be used ('vcard file'). You can use variables to personalize file attachment names, e.g. for vcards. With the variables [VAR]firstname[/VAR][VAR]lastname[/VAR].vcf it is easy to identify vcard owners by the name of the file attachment.

4. Open the Attachment tab:

Content type: Select the type of file attachment to be created. To create a vcard, select the VCard option. To create another attachment type, e.g. a QR code image or a public PGP key, select the user defined option.

Custom content type: Enter the content type with which the Trailer attachment shall be created, e.g. text/plain or text/html. This option is only relevant for user defined Trailer attachments.

Data: Enter the data used to create the Trailer attachment. Click on the icon to use variables for data from the Active Directory, e.g. to create personalized vcards. If the data shall be provided as a QR code, we recommend not exceeding a size of 1500 bytes. Larger amounts of data may not be represented correctly.

Provide text as QR code image in Trailer documents: Enable this option to convert Trailer attachments to QR code. The created QR code image can be selected in Trailer documents with the icon. QR code images are created in the PNG format. If a QR code image is used in a Trailer document, the option is greyed-out and cannot be disabled manually.

5. Save the configuration and assign the Trailer attachment to a Trailer job.

11.2.2.3 Creating Binary Trailer Attachments

This section describes how to create a binary Trailer attachment, e.g. for PDF or Office documents.

1. If required, create a new attachment category for your binary Trailer attachments. Then, assign a binary Trailer attachment to this category: <ATTACHMENT CATEGORY> -> RIGHT-CLICK -> NEW -> BINARY TRAILER ATTACHMENT.

2. Open the General tab to configure the Trailer attachment:
Name: Name the document. The binary Trailer attachment will be listed in the attachment category under this name.
Attachment name: Click on. Select the binary attachment that shall be appended from the file system.
Content type: Usually, the attachment's file extension is used for file type identification. However, some clients use the file's MIME content type. For those clients, enter the attachment's MIME content type under Custom content type. If no MIME content type shall be used or if the content type is unknown, you can keep the default setting Binary.
3. Save the configuration. Assign the Trailer attachment to a Trailer job.
11.2.3 Trailer Search Pattern

Trailers can be inserted at different positions within an email. This position is set in the Trailer job (Position tab). In certain cases, however, it may be useful to search for specific patterns within the email. For instance, trailer texts are not to be appended at the end of a forwarded email (i.e. not at the end of the original message), but at the beginning. In this case, you need to define a search pattern that identifies the beginning of the original message. The sample pattern displayed marks the beginning of the original message by adding a specific text string such as "Original Message".

The iq.suite standard configuration includes a number of search patterns for common email clients (e.g. for Microsoft Outlook) that are enabled by default. If you do not need certain search patterns in your infrastructure, you can simply disable them. To configure your own search patterns, create a new Trailer search pattern document and insert the associated patterns: UTILITY SETTINGS -> TRAILER -> TRAILER PATTERNS. Use to search and replace individual elements.
With certain email clients, such as Apple or Mac applications, it may be necessary to mark the beginning of the message body. Otherwise the trailer cannot be inserted at the right position in the email. For such a use case, Trailer search patterns can be extended with regular expressions: UTILITY SETTINGS -> TRAILER -> TRAILER PATTERNS (REG. EXPRESSION). Those Trailer search patterns are marked with the sign.
11.3 Configuring Trailer Documents

11.3.1 Creating a Trailer Document

The actual content of the trailer appended to an email is defined in Trailer documents:

1. Create a new Trailer document: UTILITY SETTINGS -> TRAILER -> TRAILER DOCUMENT -> NEW -> TRAILER DOCUMENT:
Enable the document.
Use for a period of time only: Set the period of time the Trailer shall be valid. If no time is specified, the document will be valid for an unlimited period of time and appended to each outgoing email.
Only enabled Trailer documents can be appended to emails (even when the job itself is enabled). The advantage of the separate activation and deactivation of individual Trailer documents is that it simplifies administration. For instance, when normally three Trailer documents are appended to emails but one of them is to be temporarily removed, this can be achieved by disabling the corresponding Trailer document. Thus, it is not necessary to modify the job.

2. Open the Content tab. Basically, emails can be processed in either HTML, RTF or plain text format. To add a trailer to an email, the trailer texts must also be available in the corresponding email format (HTML, RTF or Plain Text). As these email formats are not displayed in the same way, e.g. HTML with colors versus plain text without any formatting at all, the trailer texts should be designed according to the email format. For instance, line breaks can be used in plain text trailers to emphasize specific elements (as opposed to bold or italics). Create separate trailer texts for each of these email formats by selecting the corresponding tab and designing the trailer accordingly.
a) A number of formatting options are available for HTML emails. For instance, you can include tables, links, variables, images or QR code images in the trailer, which are converted to HTML commands internally. For detailed information on using images, please refer to Assigning Trailer Images to a Trailer Document on page 362. To enter HTML code manually, open the source code using. Please note that full support for all HTML functions cannot be guaranteed. When using complex HTML codes, the RTF format may not be displayed as desired.

[COND] variable: In certain cases, it may be useful not to display certain trailer lines, for instance if the Active Directory does not contain a mobile phone number for every user. In this case, it would be better to omit this line altogether in the trailer. In notification templates and Trailer documents such as "Sender signature with conditional fields", the [COND] variable is used to this end. As an alternative, you can also insert the variable manually in the source text of any Trailer document.

Example:

    Name: [VAR]FirstName;[/VAR] [VAR]LastName;[/VAR]
    Phone: [VAR]OfficeNumber;HomeNumber[/VAR][COND]MobileNumber;
    Mobile:[VAR]MobileNumber[/VAR][/COND]
    Fax: [VAR]OfficeFaxNumber[/VAR]

Be sure to use the proper syntax. The first semicolon (here: after [COND]MobileNumber;) must be followed by a line break. iq.suite Trailer checks whether an entry exists in the Active Directory for the field specified after [COND] (here: MobileNumber). If no entry exists for this user, the entire line following the semicolon is removed from the trailer, including [/COND] and the line break.

b) To append a trailer to text emails, the trailer text must be available as plain text. Formatting the trailer is not possible. In HTML trailers with a simple structure (no tables, no images, etc.), the text trailer can be automatically generated from the HTML trailer.
If more complicated HTML code is used, the plain text result will not be up to expectations. Use the Modify Plain Text option to design another trailer text or trailer layout for text emails. This allows you to take into account the specific requirements of text emails.

c) For RTF and TNEF emails in the Exchange environment, the RTF format of the trailer is created from unformatted plain text (default setting). This means that the Trailers are appended unformatted. To display formatted Trailer texts after all, set the Generate RTF format based on field to HTML. In this way, the RTF format is generated from HTML. This, for instance, also allows you to send formatted trailers for internal emails within an Exchange organization that uses Outlook (but not Outlook Express!). The TNEF format is processed through RTF. Please note that full support for all HTML functions cannot be guaranteed. When using complex HTML codes, the RTF format may not be displayed as desired. As a rule, Trailer jobs cannot process signed or encrypted TNEF emails.

3. Click on the Preview icon to check that the display matches the desired result. Confirm with OK [122].
4. In the Jobs tab, the jobs that use the Trailer document are listed.

Use the default Trailer documents for trailer configuration and adjust them to your requirements. We recommend defining the texts and design of the trailer after consulting the specialist departments, particularly for Legal Disclaimers.

[122] For further information on editing trailer texts, please refer to Creating a Trailer Document on page 358.
11.3.2 Assigning Trailer Images to a Trailer Document

Images can only be integrated into HTML emails and must be available in an uncompressed BMP format with a 24-bit color depth. The maximum size is 15 000 pixels (i.e. the equivalent of 150 * 100 pixels). As some web browsers are known to have difficulties when displaying large tables, we recommend keeping the images as small as possible. As it is not possible to integrate images into RTF emails, be sure to check the settings in the sender's email client.

11.3.2.1 Inserting Images in the HTML Format

To include images directly in a Trailer document, the images must be available on the iq.suite server. Refer to Importing Conventional Trailer Images on page 346.

1. Open the desired Trailer document.
2. Enable the Trailer document, open the Trailer text tab and click under HTML format on EDIT.
3. With the icon select the desired Trailer image:
4. Confirm with OK to insert the image in the trailer text. The Content tab provides a preview.
5. With PREVIEW the Trailer document is displayed in a preview.
6. Confirm your configurations with OK.
7. Enable the job and save the configuration. Send a test mail to yourself or to a test user.

Example of a Trailer with a Trailer image:
11.3.2.2 Inserting Images as HTTP Link

To minimize the size of emails, you can also insert an HTTP link rather than the image itself. Email clients are able to load images from this link and display them to the recipient. Depending on the email program used and the applicable user settings, the images are displayed after a confirmation or a manual click on the link by the user. The following requirements must be met:

- The image is available online and in a format that can be processed by web browsers, e.g. JPG.
- The sender's email client sends emails in HTML format.
- The recipient is online.

Adjust the Trailer document as follows:
1. Open a Trailer document: CONTENT TAB -> HTML FORMAT -> EDIT.
2. Place the cursor at the position in the trailer text at which the picture shall be inserted and click on.
3. Under Picture Source, enter the URL of the desired image file.
4. Where required, use the Alternate Text field to set an alternative text to be shown if the image cannot be displayed in the web browser.
5. Confirm with OK to insert the URL in the trailer text. The Trailer text tab provides a preview.

11.3.3 Assigning a Trailer Attachment to a Trailer Document

Trailer Attachments such as vcards are directly assigned to a Trailer job. A Trailer document is only required if the Trailer Attachment data shall be inserted as a QR code image.

11.3.3.1 Inserting a QR Code Image

1. Open the Trailer document to which the Trailer Attachment shall be assigned.
2. Enable the Trailer document, open the Trailer text tab and click under HTML format on EDIT.
3. With the icon select the desired Trailer Attachment:
4. With PREVIEW the Trailer document is displayed in a preview. For QR code images no preview is available.
5. Confirm your configurations with OK.
11.4 Configuring a Trailer Job

11.4.1 General Job Configuration

This chapter describes the special aspects of configuring Trailer jobs. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.

Trailer jobs ignore emails signed and sent by the client (S/MIME signature), as iq.suite Trailer needs to modify the email to insert the trailer, after which the signature would become invalid.

1. Copy the Legal Disclaimer Job to MAIL TRANSPORT JOBS. Activate the job.
2. Define the job settings in the standard tabs.

11.4.1.1 Selecting the Trailer

11.4.1.2 The Trailer tab

3. In the Trailer tab, define which of the Trailer documents shall be used by the job and attached as a Trailer. By default, the Trailer document Legal Disclaimer is selected:
Deactivate automatic generation of HTML body: Since no Trailer images can be appended to text mails, an HTML body is created by default and appended to the email in addition to the text body (option is disabled). If no additional HTML body shall be created for text mails, activate this option. Please note that the option has no effect on TNEF mails and that no HTML body may be contained in the MIME mail.

EDIT opens the selected Trailer document. With SELECT you can select the desired Trailer document:
All configured Trailer documents are displayed on the left side of the dialog. All Trailer documents that are listed on the right side of the dialog are used by the job and will be attached as a Trailer. Use the arrow buttons in the middle to navigate the objects. With EDIT you can open the selected Trailer document. Refer to Creating a Trailer Document on page 358.

11.4.1.3 The Attachments tab

In the Attachments tab, define which Trailer Attachments shall be integrated into the trailers. With the arrow buttons on the right side of the dialog, determine the order in which the Trailer Attachments are inserted (the topmost object is inserted first):
EDIT opens the selected Trailer attachment. With SELECT you can select the desired Trailer attachment:
All configured Trailer attachments are displayed on the left side of the dialog. All Trailer Attachments that are listed on the right side of the dialog are used by the job and will be attached. Use the arrow buttons in the middle to navigate the objects. With EDIT you can open the selected Trailer Attachment. Refer to Creating Conventional Trailer Attachments on page 352.

11.4.1.4 The Position tab

Use the Position tab to set the place in the email at which the trailer is to be inserted. However, as trailers represent variable pieces of text, it is possible to freely insert a trailer anywhere within the message body:

Placeholder: Using a defined placeholder, the trailer can be manually inserted at a position defined by the user. To do so, define a variable in the Placeholder field, e.g. TRAILER. The user who wishes to insert the trailer into his/her email enters this placeholder between square brackets at the desired position (here: [TRAILER]). The placeholder is later replaced with the actual trailer text.
Automatically detect position...: The Trailer is automatically inserted at the position defined through a search pattern. The search pattern can be used, for instance, to specify that a trailer is to be appended to a specific message. For instance, it may be desirable not to append a trailer at the end of the original message of a forwarded email, but at the end of the new (forwarding) message. This option can be used together with the Placeholder option above. In this case, the Placeholder option has priority. This means that the position option only applies if no placeholder has been set by the user. If no position matches the search pattern, the text is appended at the end of the message.

Add trailer at the end of email message if...: The trailer is automatically inserted at the end of the message. This option can only be used together with the Placeholder option. If no placeholder has been set by the user in the email, the text is appended at the end of the message body (also if forwarded).

You can set up an automatic notification to be sent to your administrator whenever a trailer has been successfully appended to an email (Actions tab).

As you wish to append a trailer to outgoing emails only, be sure to select only the outgoing email server in the Server tab!
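The order in which the Position tab options and the Trailer search patterns interact, as an added Python model that is not iq.suite code: it lets you run sample mails through the documented priority (placeholder, then search pattern, then end of message) and count how many fall through to the end. The pattern, the sample messages, the function names and the choice to insert directly before the matched line are assumptions.

```python
import re
from collections import Counter

# Constructed stand-in for a Trailer search pattern; the patterns shipped with
# the product are not reproduced in this manual section.
SEARCH_PATTERNS = [
    re.compile(r"^-+\s*Original Message\s*-+\s*$", re.MULTILINE),
]

# Constructed sample message bodies.
FORWARD = "Please see below.\n\n-----Original Message-----\nFrom: a@example.com\nHello\n"
PLACED = "Hi,\n[TRAILER]\nPS: call me.\n-----Original Message-----\nold text\n"
PLAIN = "Just a new mail.\n"


def insert_trailer(body, trailer, placeholder="TRAILER",
                   detect_position=True, patterns=SEARCH_PATTERNS):
    """Return (new_body, rule); rule names the option that decided the position."""
    token = "[" + placeholder + "]" if placeholder else None

    # 1. A placeholder typed by the sender has priority over every other option.
    if token and token in body:
        return body.replace(token, trailer, 1), "placeholder"

    # 2. "Automatically detect position": use the earliest search-pattern match,
    #    so the trailer ends the new message instead of the quoted original.
    if detect_position:
        starts = [m.start() for m in (p.search(body) for p in patterns) if m]
        if starts:
            pos = min(starts)
            return body[:pos] + trailer + "\n\n" + body[pos:], "pattern"

    # 3. No placeholder and no pattern match (or detection switched off):
    #    the trailer is appended at the end of the message.
    return body.rstrip("\n") + "\n\n" + trailer + "\n", "end"


def dry_run(bodies, trailer, **options):
    """Count which rule decided for each sample body."""
    return Counter(insert_trailer(b, trailer, **options)[1] for b in bodies)


if __name__ == "__main__":
    for sample in (FORWARD, PLACED, PLAIN):
        text, rule = insert_trailer(sample, "-- Example Corp legal notice --")
        print("rule:", rule)
        print(text)
    print(dry_run([FORWARD, PLACED, PLAIN], "x"))
```

A high share of "end" results for forwarded or replied mails in such a dry run indicates that the search patterns do not cover the mail clients in use.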
11.4.2 Scenario: Attaching a Legal Disclaimer

This chapter describes the special aspects of configuring a recipient-specific and country-specific legal disclaimer. Refer to the details described under Standard Tabs of Mail Transport Jobs on page 51.

1. Copy the Legal Disclaimer job to MAIL TRANSPORT JOBS. Activate the job [123].
2. Set up the address conditions. Please note that the Trailers can only be configured for a specific department when you select a group list. When setting up address conditions, keep in mind that mailing lists and similar addresses should not contain a Trailer text. Set up any such exceptions in the address conditions under Except where addressed to.
3. Use the Conditions tab to define whether a specific character string in the email subject line (word in subject or subject command) is to be taken into account when the job is executed [124].

If, on the server, a trailer is defined with a legal disclaimer or a marketing message, the sender will normally be unable to disable this trailer. However, for private emails or emails addressed to mailing lists, it could be preferable to allow emails without trailer. In some departments, it may also be desirable to add a specific trailer to selected emails only. For such cases, you can define in the iq.suite a command which senders can add to the subject line of the email, if required. If the job finds such a command, the job is not run and no trailer is attached (CONDITIONS TAB -> WITH FOLLOWING SUBJECT COMMAND). Searching for the command is not case-sensitive. The search is stopped as soon as the command has been found and the string is removed from the subject. Subsequent commands are ignored.

[123] This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
[124] Refer to Conditions Tab on page 60.
The command may only contain characters from the 7-bit ASCII character set.

The conditions set in both the Addresses and Conditions tabs must be met for the job to be run (logical AND).

4. Select the desired Trailer in the Trailers tab: The standard configuration already contains a pre-configured Trailer document.
5. Use the Position tab to set the place in the email at which the trailer is to be inserted. Typically, marketing trailers or legal disclaimers are placed at the beginning or the end of the message, i.e. right before or after the message body.
11.4.3 Scenario: Attaching Customized Signatures

iq.suite Trailer is able to insert sender-specific information into an email directly on the server. This lets you create signatures for different individuals or departments combined with conditions without having to keep redundant information. Note that signatures in this context refers to closing phrases and sender information, and not to digital signatures.

While standardized signatures ensure a consistent corporate image, using a server-based signing process ensures that your data is always up-to-date, correct and consistent throughout the company. Even in case of relocations, changed phone or room numbers or new departmental structures, the applicable information is taken from the Active Directory (AD) and automatically used for the email signature.

To allow access to cross-domain information, iq.suite Trailer uses the Global Catalog, an index containing the relevant information of all users within an Active Directory. The Active Directory itself is read only and remains unaffected by the use of the Global Catalog.

When you create a new Trailer, you can select the available variables for first name, last name, department, etc. from a drop-down list. If a value does not exist, a general default value can be inserted. You can also use any other value from the Active Directory, e.g. user-defined attributes. To do so, read the Active Directory values with ADSI Edit [125].

1. Copy the Attach Sender Signature job to MAIL TRANSPORT JOBS. Activate the job [126].
2. Use the preconfigured Trailer document Signatures and adjust it to your requirements.
3. As a rule, individual signatures are valid indefinitely. Make sure that the Use for a period of time only option in the General tab is disabled.

[125] For further information on ADSI Edit, please refer to your Windows Server documentation.
[126] This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
4. In the Content tab, select one of the HTML, Text or RTF tabs to create the trailer text for the corresponding email format. If you have selected HTML or Text, a window opens in which you can edit your trailer. Click on the Variables icon and select the desired information:

To design the trailer text for the RTF format, proceed as described under Creating a Trailer Document on page 358 (Step 5).

5. The variables appear in the input field and can be formatted according to the company guidelines with spaces, dashes, bold type, etc. To start a new line, press SHIFT+ENTER; for a new paragraph (two lines), press ENTER.

The tokens [VAR] and [/VAR] are case-sensitive and must always be written in capital letters.

If required, use the conditional variable [COND]. Refer to [COND] variable: on page 360.

The variables insert the contents of the corresponding field in the Active Directory. If a variable cannot be resolved, [VAR]myvalue[/VAR] is inserted in the text. Possible causes:

- The variable does not contain a value, e.g. due to information missing in the Active Directory.
- The variable or token does not exist, e.g. due to a spelling mistake (upper/lower case). For instance, writing [Var] instead of [/VAR] will generate an error.

To include generally applicable information, use a default setting, which you can enter and edit directly in the text. This value is added to the outgoing email. Place a semicolon after the variable, followed by the default value that applies to all users (refer to bold values in screenshot above).

Example: [VAR]myvalue;HELLO[/VAR]

Thus, if no value is found in the Active Directory for myvalue, HELLO is used instead.

Special case: [VAR]myvalue;[/VAR]

If you have entered an empty character string as your default value, i.e. no entry after the semicolon, nothing is added to the message in case no value is available in the Active Directory.

Make sure that the Active Directory entries are always up-to-date.

6. Save the signature Trailer with OK.
7. If required, configure a Trailer search pattern. Refer to Trailer Search Pattern on page 356.
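The [VAR] default rules described in this section and the [COND] rule described on page 360, as an added Python model that is not iq.suite code: render() applies the documented behaviour to a dictionary standing in for an Active Directory entry, and lint() reports template mistakes that would put a raw token into outgoing mail. The function names, the sample template and the directory values are constructed, and keeping the line unchanged when the [COND] field exists is an assumption.

```python
import re

VALID_TOKENS = {"[VAR]", "[/VAR]", "[COND]", "[/COND]"}
# [VAR]field[/VAR] or [VAR]field;default[/VAR]; group 2 is None without ';'.
VAR_RE = re.compile(r"\[VAR\]([^;\[\]]+)(?:;([^\[\]]*))?\[/VAR\]")
# [COND]field;<line break>one line[/COND]<optional line break>
COND_RE = re.compile(r"\[COND\]([^;\[\]]+);(\r?\n)(.*?)\[/COND\](\r?\n)?")
# Anything that looks like a token, in any letter case, with '/' or '\'.
TOKEN_LIKE_RE = re.compile(r"\[[/\\]?(?:var|cond)\]", re.IGNORECASE)
COND_NO_BREAK_RE = re.compile(r"\[COND\][^;\[\]]*;(?!\r?\n)")

# Constructed sample Trailer text.
TEMPLATE = (
    "Name: [VAR]FirstName;[/VAR] [VAR]LastName;[/VAR]\n"
    "Phone: [VAR]OfficeNumber;n/a[/VAR][COND]MobileNumber;\n"
    "Mobile: [VAR]MobileNumber[/VAR][/COND]\n"
    "Fax: [VAR]OfficeFaxNumber[/VAR]\n"
)


def render(template, entry):
    """Resolve [COND] and [VAR] against entry (dict: field name -> value)."""
    def cond(m):
        field, brk, line, end = m.group(1), m.group(2), m.group(3), m.group(4) or ""
        if entry.get(field):
            return brk + line + end      # assumption: markers dropped, line kept
        return brk                       # line, [/COND] and its line break removed

    def var(m):
        name, default = m.group(1), m.group(2)
        value = entry.get(name)
        if value:
            return value
        if default is not None:          # ';' present: default, possibly empty
            return default
        return m.group(0)                # unresolved: token stays in the text

    return VAR_RE.sub(var, COND_RE.sub(cond, template))


def lint(template):
    """Return findings for templates that can leak raw tokens into mail."""
    findings = []
    for m in TOKEN_LIKE_RE.finditer(template):
        if m.group(0) not in VALID_TOKENS:
            findings.append("malformed token %s" % m.group(0))
    for m in COND_NO_BREAK_RE.finditer(template):
        findings.append("no line break after %s" % m.group(0))
    guarded = [(m.group(1), m.start(), m.end()) for m in COND_RE.finditer(template)]
    for m in VAR_RE.finditer(template):
        name = m.group(1)
        covered = any(f == name and s <= m.start() < e for f, s, e in guarded)
        if m.group(2) is None and not covered:
            findings.append("%s has no default and no [COND] guard" % name)
    return findings


if __name__ == "__main__":
    user = {"FirstName": "Ada", "LastName": "Example", "OfficeNumber": "+49 0000 100"}
    print(render(TEMPLATE, user))
    for finding in lint(TEMPLATE):
        print("lint:", finding)
```

Running lint() over every Trailer text before the job is enabled catches the upper/lower-case and missing-default cases listed above without sending a test mail.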
11.4.4 Scenario: Attaching Customized Signatures with Personalized Image

You can add personalized images to your customized signatures. The Trailers then contain not only employee-related data such as name and phone number, but also the employee's image or his/her scanned signature. Trailer personalization can be useful especially for emails sent by sales or customer service representatives.

Images are inserted in the HTML email body. For every employee for whom an image shall be appended, an image must be available in the Active Directory (AD). The images are not imported to the iq.suite server but must be stored within a user attribute such as thumbnailPhoto.

Images must be available as GIF, PNG or JPG to be integrated into a Trailer. We recommend not exceeding a file size of 200 KB, since large file attachments might have negative effects on the recipient's side or during email transport.

Configuration:

1. Copy the Attach Sender Signature job to MAIL TRANSPORT JOBS. When configuring the job you can refer to the job configuration of the legal disclaimer. Refer to General Job Configuration on page 367.
2. Create a personalized Trailer image. Refer to Configuring Personalized Trailer Images on page 347.
3. Modify the text and the configuration of the Trailer document Sender signature with personalized image. Refer to Creating a Trailer Document on page 358.
4. Insert the personalized Trailer image in the Trailer document. Refer to Assigning Trailer Images to a Trailer Document on page 362.
5. Save the job.
11.4.5 Scenario: Adding a Company Logo to the Trailer

1. Copy the Legal Disclaimer job to MAIL TRANSPORT JOBS. Activate the job [127].
2. Create a Trailer image for the company logo. Refer to Conventional and Personalized Trailer Images on page 344.
3. Create a Trailer document with the desired Trailer texts. Refer to Creating a Trailer Document on page 358.
4. Insert the Trailer image in the Trailer document. Refer to Assigning Trailer Images to a Trailer Document on page 362.
5. Save the job.

11.4.6 Scenario: Adding vcard Data to the Trailer

1. Create a Trailer Attachment as described under Creating Conventional Trailer Attachments on page 352. Use the variables to insert the desired vcard data.
2. Copy the Sender Signature with VCard and QR Code Image job to MAIL TRANSPORT JOBS. Activate the job [128].
a) In the Attachment tab, select the configured Trailer Attachment.
b) In the Position tab, define the position at which the Trailer shall be placed in the email body.
3. Save the job.

The configured Trailer Attachment is not inserted in the email body but appended to the email. How file attachments are represented within the email is determined by the recipient's mail client. Hence, with some clients the Trailer file attachments cannot be distinguished from conventional file attachments.

[127] This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
[128] This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
12 iq.suite Connect

12.1 Overview

With iq.suite Connect, social business collaboration platforms can be connected to the iq.suite. iq.suite Connect offers an automated solution for central storage of file attachments. For the pre-processing, filtering and classification of emails and file attachments, iq.suite's sophisticated rule set is used to allow rule-based selection and transfer of the file attachments to a collaboration system. If required, the file attachments are replaced in the email by URLs which refer to their location in the collaboration system. This prevents redundant data storage within mailboxes and connected systems and, moreover, reduces the load on the mail server during email transport. By clicking on the URLs, email recipients have access to the file attachments originally attached to the email.

Your individual guidelines and an automated classification guarantee that only file attachments of business relevant emails are transferred to and stored on your collaboration system. In combination with the spam checking and virus checking modules of the iq.suite, the safety of your collaboration platform is supported and the required disk space is reduced.

12.2 Connect Engines

Connect engines are used to connect collaboration systems with iq.suite. After configuring the Connect engines, they can be selected in Connect jobs. For every supported collaboration platform, an individual engine type is provided for iq.suite configuration.
12.3 Sample Job: Storing File Attachments in SharePoint

iq.suite Connect allows you to connect iq.suite to Microsoft SharePoint 2010 and Microsoft SharePoint 2013. File attachments of emails are uploaded to and stored on the SharePoint server according to your configuration.

If the file attachments contained in emails are replaced by URLs, internal and external email recipients require appropriate access rights on the SharePoint server. Otherwise the file attachments cannot be opened.

Connection with Microsoft SharePoint requires installation of the SharePoint Client Runtime on the iq.suite server. Open the SUPPORT\CONNECT directory and execute the SPClient_<86/64>.msi setup file. Installation is completed in a few steps.

12.3.1 Configuring a SharePoint Engine

The SharePoint connection is provided by a SharePoint engine. For flexible configuration, several engines and/or Connect jobs can be used.

Configuration:

1. Create a new SharePoint engine: BASIC CONFIGURATION -> UTILITY SETTINGS -> CONNECT ENGINES:
2. Usually, the default settings in the Timeout field can be kept. If the Connect engine causes frequent timeouts in your system environment, you should increase the number of seconds in this field. A timeout can occur if engine tests or upload events are not finished within the specified period of time. Each file attachment is allotted the same period of time for the upload. Please take into account that the size of the file attachments affects upload duration.
3. Open the Options tab:
Server name / address: Enter the server name or the IP address of the SharePoint server to which the emails are to be sent from the iq.suite server. If HTTPS is used as the transport protocol between the iq.suite server and the SharePoint server, the server name must match the "Common Name" specified within the SSL certificate.

Server port: Enter the port number of the SharePoint server. The port is used to establish the connection between SharePoint and the iq.suite server. Typically, port 80 is used for connections via HTTP and port 443 for connections via HTTPS. If set to 0, the default values are used (port 80 or 443).

Server protocol: Select the desired protocol to be used for email transport. For security reasons, we recommend using HTTP for test scenarios only. If using the HTTPS protocol, a SharePoint server certificate that is available on the Exchange server can be used. In this case, enter the path to the certificate on the Exchange server under Certificate path.

Certificate path: Enter the path to the SharePoint server certificate on the Exchange server. This certificate is used for validation. If no path is entered, the SSL certificate of the SharePoint server is trusted without prior validation.

Library: Name of the SharePoint upload library, e.g. 'Shared Documents' (SharePoint 2010) or 'Documents' (SharePoint 2013). This library will be used to store the file attachments. You can specify the SharePoint library in the Connect job as well; however, the job settings override the engine settings. This behavior is important if you use several Connect jobs and/or Connect engines.

Domain: Name of the domain in which the following user is located.

User / Password: Data for user authentication on the SharePoint server. This user requires read and write permissions on the Library previously defined in order to transfer the file attachments to the SharePoint server.

4. Save the configuration.
5. Test the connection between iq.suite and the SharePoint server: IQ.SUITE MONITOR -> SERVER -> <SERVER NAME> -> SERVER STATUS -> SETTINGS -> TEST TAB -> CONNECT TEST -> START. Please note: The test does not check whether the required user rights are set on the SharePoint server.
6. After the successful test, assign the engine to a Connect job.
12.3.2 Sample Job: Storing File Attachments in SharePoint

After configuring the SharePoint engine, assign the engine to a Connect job.

1. Under MAIL TRANSPORT JOBS create a new Connect SharePoint job. Enable the job [129].

2. Open the Options tab to modify the upload behavior of the file attachments on the SharePoint server:

   SharePoint Engine: Select the Connect engine previously created under Configuring a SharePoint Engine on page 382.

   Library: Name of the SharePoint upload library, e.g. 'Shared Documents' (SharePoint 2010) or 'Documents' (SharePoint 2013). This library will be used to store the file attachments. You can specify the SharePoint library in the Connect job as well; however, the job settings overwrite the engine settings. This behavior is important if you use several Connect jobs and/or Connect engines. Please make sure that the authorised SharePoint user is provided with the required permissions on this library.

   Directory path: Path to the directory which is used for storing the file attachments. If the Create directories option is disabled, the defined directories must exist. If the Create directories option is enabled, the defined directories are created in the SharePoint library during the upload.

   Collision behavior: This option defines how to upload a file attachment when a file with the same name already exists. Please note that this behavior depends on the settings on the SharePoint server as well.
   - Cancel Upload: The upload for this file attachment is canceled.
   - Overwrite: If possible, the existing file is overwritten with the new one. Since the file cannot be checked out for this procedure, the new file cannot be checked in with versioning. In this respect, it doesn't matter which option was selected under Check-in behavior.
   - Check out and overwrite: If possible, the existing file is checked out and overwritten with the new file. The new file can be checked in with versioning, according to the settings under Check-in behavior.

   Check-in behavior: This option specifies whether and how to check in the uploaded file attachments into the SharePoint library. Please note that this behavior depends on the settings on the SharePoint server as well.
   - No check-in: The file attachments are uploaded but not checked in.
   - Check in as minor version: The file attachments are checked in as a minor version (e.g. version number 3.2 -> 3.3).
   - Check in as major version: The file attachments are checked in as a new major version (e.g. version number 3.2 -> 4.0).
   - Overwrite existing version: The file attachments are checked in. The existing version (not the existing file!) is overwritten. If no version exists (and therefore cannot be overwritten), the file attachment is uploaded but not checked in.

   Check-in comment: For identifying the uploaded file attachments, you can enter a SharePoint comment. Use variables to display, for example, the message ID or the original email recipient.

   File attachment links: This option specifies whether and how to insert the URL of an uploaded file attachment in the email.
   - Do not insert: No URL is inserted.
   - Insert at end of email: The URL is inserted at the end of the email body.
   - Insert at top of email: The URL is inserted at the beginning of the email body.

   Remove file attachments from email: This option specifies whether successfully uploaded file attachments are to be removed from the email. File attachments that could not be uploaded are kept unchanged. We recommend that you do not enable this option when the Do not insert option is selected under Links to attachments.

   Perform success actions: This option specifies when to perform a job's success actions.
   - At least one upload successful: At least one of the email's file attachments has been uploaded successfully.
   - All uploads successful: All of the email's file attachments have been uploaded successfully.

3. Save the job.

[129] This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to Standard Tabs of Mail Transport Jobs on page 51.
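The engine options in 12.3.1 and the job options in 12.3.2 interact: port 0, a library set in both places, an empty certificate path, Overwrite versus check-in, and removed attachments without a link. The following Python check is an added example, not part of this manual or of iq.suite; it resolves the effective values and lists the combinations the manual warns about. The dictionary keys, option values and finding codes are hypothetical names modelled on the dialog fields, and the sample configurations are constructed.

```python
import ipaddress

DEFAULT_PORTS = {"http": 80, "https": 443}  # used when the port field is 0


def effective_settings(engine, job):
    """Resolve the values an upload would use: port 0 falls back to the
    protocol default, and a library set in the job overrides the engine's."""
    protocol = engine["protocol"].lower()
    return {
        "protocol": protocol,
        "port": engine.get("port") or DEFAULT_PORTS[protocol],
        "library": job.get("library") or engine.get("library") or "",
    }


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit(engine, job):
    """Return (severity, code, message) findings for one engine/job pair."""
    eff = effective_settings(engine, job)
    out = []

    def add(severity, code, message):
        out.append((severity, code, message))

    if eff["protocol"] == "http":
        add("high", "HTTP",
            "unencrypted transport; the manual recommends HTTP for tests only")
    else:
        if not engine.get("certificate_path"):
            add("high", "NO_CERT_PATH",
                "no certificate path: server certificate is trusted without validation")
        if _is_ip(engine["server"]):
            add("medium", "IP_SERVER",
                "server is an IP address; with HTTPS it must match the Common Name")

    other = "https" if eff["protocol"] == "http" else "http"
    if eff["port"] == DEFAULT_PORTS[other]:
        add("low", "PORT", f"port {eff['port']} is the usual {other.upper()} port")

    if not eff["library"]:
        add("medium", "NO_LIBRARY", "no upload library set in engine or job")
    elif job.get("library") and engine.get("library") \
            and job["library"] != engine["library"]:
        add("info", "LIB_OVERRIDE",
            f"job library '{job['library']}' overrides the engine library")

    if job.get("remove_attachments") and job.get("links", "none") == "none":
        add("medium", "NO_LINK",
            "attachments are removed but no URL is inserted; recipients get neither")
    if job.get("collision") == "overwrite" and job.get("check_in", "none") != "none":
        add("info", "CHECKIN_IGNORED",
            "plain Overwrite cannot check out, so the check-in setting has no effect")
    if job.get("directory_path") and not job.get("create_directories"):
        add("info", "DIR_MUST_EXIST",
            "Create directories is off: the directory path must already exist")
    return out


# Constructed sample configurations (not taken from a real installation).
WEAK_ENGINE = {"server": "192.0.2.10", "port": 0, "protocol": "HTTPS",
               "certificate_path": "", "library": "Shared Documents"}
WEAK_JOB = {"library": "Documents", "collision": "overwrite", "check_in": "major",
            "links": "none", "remove_attachments": True,
            "directory_path": "mail/attachments", "create_directories": False}

HARDENED_ENGINE = {"server": "sharepoint.example.com", "port": 443,
                   "protocol": "HTTPS",
                   "certificate_path": r"C:\certs\sharepoint.cer",  # placeholder path
                   "library": "Documents"}
HARDENED_JOB = {"collision": "checkout_overwrite", "check_in": "minor",
                "links": "end", "remove_attachments": True,
                "directory_path": "mail/attachments", "create_directories": True}

if __name__ == "__main__":
    for name, eng, job in (("weak", WEAK_ENGINE, WEAK_JOB),
                           ("hardened", HARDENED_ENGINE, HARDENED_JOB)):
        print(name, effective_settings(eng, job))
        for finding in audit(eng, job):
            print("  ", *finding)
```

The check covers configuration values only; as noted for the Connect test, the permissions of the upload user and of the link recipients on the SharePoint server still have to be verified there.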
13 iq.suite Bridge

13.1 Overview

iq.suite Bridge provides an interface between your email environment and CRM, ERP and archiving systems. iq.suite Bridge helps you fulfill any regulatory compliance requirements, such as SOX, HIPAA, GDPdU, etc. Emails are reviewed before delivery (Pre-Review mode) and after delivery (Post-Review mode). Your corporate policies and an automated classification ensure that only business-related emails are reviewed. The classification results and other information are passed to the compliance system for further evaluation. The interaction between the iq.suite and your compliance system ensures that emails are processed in compliance with legal requirements and according to the results of the review.

The iq.suite Bridge interface and integration module is the first archiving tool that uses fine-tunable email preprocessing, filtering and classification policies. As an integrated, highly customizable solution, it lets you implement rule-based long-term email archiving that conforms with legal requirements and with your corporate policies.
Glossary

ACL
Access Control List; list of entries in an object used for controlling access rights.

Active/Passive Clustering
Windows cluster to enhance reliability of the Exchange Server.

Active Directory (AD)
Directory of network objects (users, mailboxes, etc.). This is the directory service for Windows Server, which stores information about objects within the network and provides this information to authorized administrators and users. Active Directory allows network users to access all network resources to which they have access rights with a single login. Administrators are provided with an intuitive, hierarchical representation of the network and a single management location for all network objects.

ADO
Active Data Objects; ActiveX control element used to establish a connection to a database in order to access the database contents. Within iq.suite, an ADO connection string also allows local or remote SQL servers to be integrated, e.g. for Quarantine databases or to configure central whitelists.

AES
Advanced Encryption Standard; symmetric encryption system based on the Rijndael algorithm with a variable block size/key length of 128, 192 or 256 bits. The variable key length is used to distinguish between different AES variants, i.e. AES-128, AES-192 and AES-256.

API
Application Programming Interface; software user interface for calling program functions and exchanging data.

ASCII
American Standard Code for Information Interchange; ISO-standardized 7-bit code used to display characters such as upper case and lower case letters, digits and special characters. As each character is represented with 7 bits, 128 characters are represented altogether and used in many databases. National special characters outside the English language (e.g. German umlauts) are available in the Extended ASCII version with an 8-bit character set.

ASP
Application Service Provider. Single-source provider of IT services at an agreed price.

asymmetric encryption
Public/private key encryption method, which uses two keys, a public key and a private key, which together form a pair. Each sender needs the public key of each recipient. Because the two keys are different, this method is called asymmetrical. The public key is published so that any recipient can choose to receive encrypted messages. The private key used to decrypt messages is known only to its owner.

authentication
A procedure to verify whether a person is entitled to access specific services. Authentication may, for example, use digital signatures. See also digital signature.

bitmap
A bitmap is a non-compressed, pixel-based image format for graphics and photos. Because it does not support compression, the bitmap file format (*.BMP files) is not commonly used on the Internet. Also refer to GIF and JPEG.

CA
Certification Authority. See Certification Authority.

certificate
Digital certificates are electronic documents linked to a public key. Certificates are digitally signed by a trustworthy authority (Certification Authority/trust center; also refer to PKI) that certifies that the key belongs to a specific person and has not been altered. The certification authority's digital signature is an integral part of the issued certificate and allows anyone with access to this certification authority's public key to verify its authenticity. Using this method at multiple levels results in a Public Key Infrastructure (PKI). The advantage of such an infrastructure is that only the public key of the so-called root instance, i.e. the root certificate, will be required for complete verification, as the intermediate certificates are validated automatically. Also refer to public key and private key.
Certification Authority
The Certification Authority (CA) is a trustworthy public authority that certifies cryptographic keys (see certificate). It is part of a PKI. The CA issues certificates and adds its digital signature to confirm the validity of the data they contain. This is usually the name of the key owner and any additional information to allow identification of the owner, the owner's public key, its validity period, and the name of the certification body. The degree of trust put in such a certificate depends on the operational procedures applied by the Certification Authority, i.e. the methods used to check the owner's identity. Once a certificate has been issued, the CA must provide a possibility to revoke the certificate and must provide revocation lists (CRLs) if any of the certificate data becomes invalid. This is in particular the case when any of the owner's private keys have been compromised. Also refer to public key and private key.

client/server systems
The server is a program that provides a service and a client is a program that uses this service. These services can both be installed on the same computer or be distributed across a network consisting of at least one central computer (the server), which makes its data, programs and any other connected devices available to one or more network stations (the clients).

compression
File size reduction to reduce network load and transfer times and/or save storage space. Multiple files can be compressed into a single archive. There are many compression formats, some of which are self-extracting. The most common ones are ZIP, TAR, ARJ, GZip, ARC and LZH. Which of these are used depends in part on the computer system: on UNIX systems, for example, GZip and TAR tend to be used, while ZIP and ARJ are the preferred choice for Windows systems (also refer to Packer). Because viruses can easily hide in archives, content security tools must be able to perform recursive analyses on nested archives, i.e. decompress the files repeatedly to scan them in their original state.

console
A collection of administration tools in the MMC containing objects, such as snap-ins, extension snap-ins, monitoring controls, tasks, wizards and documentation used to manage the Windows 2000 system hardware, software and network components.
content security
The management and scanning of the content of digital correspondence. Content security products protect computer networks and users from dangerous content that is either deliberately or accidentally embedded in emails or Internet transmissions.

CORE
COntent Recognition Engine; a language-independent method used for checking and classifying emails according to categories. The analysis of the emails is performed through a vector-related evaluation of representative text, e.g. business emails, newsletters, offers etc., based on SVM (Support Vector Machines). As spammers use frequently changing (and often non-existing) addresses and varying contents, CORE is better suited for blocking spam than working with dictionaries or keywords. The statistical method used by CORE deals with this difficulty by providing a company-specific "learning program". You can define your own categories and CORE will "learn" how to assign mails and documents to the appropriate categories. This allows emails to be identified and categorized where a dictionary would fail.

CRL
Certificate Revocation List. When information in a certificate becomes invalid during its lifetime, it must be revoked. Because certificates are digital documents, they cannot be collected or destroyed. Revoked certificates are therefore registered in another document, the revocation list. A standard for revocation lists is defined in the X.509 protocol.

decompressor
Also called "unpacker". Program for decompressing files and file archives. See compression.

digital signature
The electronic equivalent of a handwritten signature. It is used to verify the authenticity of an electronic document (i.e. its originator), its integrity as well as its binding character (i.e. the sender must not be able to contest its creation). This can be achieved with asymmetric encryption, which uses private keys to generate information with which others can verify the integrity and authenticity of received mail using the associated public key.

DLL
Dynamic Link Library. DLLs are libraries under Windows, which contain objects that can be loaded (dynamically) whenever they are needed at runtime. This technology is not only used to save memory, but also, and primarily, to set up widely accessible libraries with ready-to-use (standard) objects, which can be used when developing software.

DNS
Domain Name Service; assigns the logical names of computers on the Internet to their corresponding IP address.

encryption
Making a message illegible to prevent it from being read by unauthorized people. A range of different encryption methods can be used. Also refer to PGP, GnuPG and S/MIME.

EWS
Exchange Web Services provide an interface for managing storage information of the Exchange server. The web services are available as of Microsoft Exchange Server 2007 and allow client applications to access certain functions of the Exchange server. As of Microsoft Exchange Server 2013 the iq.suite uses EWS for virus scans on the Information Store instead of the previously used VSAPI.

false positives
Inbound email wrongly classified as spam.

fingerprint
Unique feature of a file, by which it can be identified. Consists, for example, of the file's content or, if this is not possible, of a unique characteristic of the filename, such as its extension. Fingerprints are used to determine whether files should be blocked or passed by a mail filter. You can create your own file patterns, which Watchdog uses to identify the file types of attached files.

GIF
Graphics Interchange Format; standard Internet graphics format. Supports a color depth of 256 (8 bits per pixel) and compression of image data to reduce file size, which results in shorter transfer times and relieves network load. As opposed to the JPEG format, GIF does not provide gradual color transitions. Also refer to compression.

global settings
General settings that apply to the entire iq.suite.
GnuPG
GNU Privacy Guard; free cryptographic system used to encrypt/decrypt data (e.g. emails) and create/verify digital signatures. Emails containing confidential information can thus be sent to one or more recipients, who are the only ones capable of decrypting this information. A digital signature is created to ensure the authenticity and the integrity of the data transmitted. Both functions can be combined. Typically, the signature is created first and attached to the data. This package is then encrypted and sent to the recipient(s).

Grabber
Basic module used to verify emails. The Grabber acts as an interface that actively "grabs" the emails. Also refer to MailGrabber.

IIS
A Microsoft Web server. IIS provides Internet functions, from the creation of web pages to the development of server-based web applications. IIS supports most Internet protocols such as NNTP, FTP and SMTP. Exchange 2000 extends the IIS functionality, using the server for message routing.

Information Store for public folders
The part of the Information Store used for managing information in public folders. An Information Store for public folders consists of a Rich Text file with the extension .edb and a system-specific streaming Internet content file with the extension .stm. Also refer to MIME.

Information Store
Storage technology used in Exchange 2000 for storing user mailboxes and mail folders. There are two kinds of stores: mailbox stores and Information Stores for public folders.

Installable File System - IFS
Storage technology for setting up archiving systems. Makes mailboxes and public folders available as conventional folders and files for Win32 standard processes Web storage system such as Microsoft's Internet Explorer and the command prompt. Also refer to Web storage system.

ISO
International Standards Organization; developers of the OSI model for communication networks.
job
A job defines a sequence of actions that are performed when a particular event takes place or a particular rule applies. Jobs can be selectively disabled and enabled. Several jobs can be defined for each module, which are then processed according to their assigned priority for all modules.

JPEG
Joint Photographic (Experts) Group Format; also JPG; standard Internet format for photographs and other images with a high level of detail or a high color resolution. Supports high compression ratios up to a color depth of 16 777 216 (24 bits per pixel), which results in shorter transfer times and relieves network load. As opposed to the GIF format, the JPEG format is particularly well suited for images with many color tones.

junk mail
All forms of unsolicited emails, such as invitations to view websites, images, chain letters, hoax virus warnings, advertising etc. Junk mails cost company resources and time for their recipient. Also refer to spam (often used as synonyms). Junk mail is also the name of a folder in Microsoft email programs (e.g. Outlook, Windows Live Mail). In the GBS documentation, we only use the term junk mail to name the folder. In other cases, we use the term spam or the generic term unsolicited email.

key ring
The key ring contains all keys required for encryption. One key ring is used for the public keys, a second one for the private keys. For PGP or GnuPG, this key ring file is stored in the directory specified by the user at installation. For GnuPG, these are the pubring.gpg and secring.gpg files, for PGP the pubring.pkr and secring.skr files. Also refer to public key and private key.

label
Labels can be used to provide quarantine mails with additional information. For instance, a virus-infected email can be labeled VIRUS or spam labeled with the corresponding spam level. The label is written to the selected quarantine mail and displayed in the quarantine view.
LDAP
Lightweight Directory Access Protocol; Internet protocol developed to promote the adoption of the X.500 directory standard after the original DAP (Directory Access Protocol) proved too complex for use with simple Internet clients. LDAP provides a standard for Internet-based communication with databases, enabling, for example, access to an online directory service to retrieve information such as email addresses or certificates. Using gateways, it is not restricted to that specific directory service. The entries are packed as objects and structured in a hierarchical tree. They consist of attributes with types and values, with object classes defining which value types can be assigned to which attributes. Possible types include IA5 (ASCII) character strings, ASCII images, sound, URLs and JPEGs.

LDIF
LDAP Data Interchange Format; used for exchanging address data on LDAP servers. Being (ASCII) text-based, LDIF files can be conveniently edited with standard text editors. It is supported by many clients for importing and exporting address books (e.g. Outlook, Outlook Express, Netscape, The Bat!).

Mail flooding
Mail flooding is bulk sending of a large number of emails, usually from a single domain at intervals of a few seconds. These attacks overload the mail server handling the flood of messages, which severely affects its performance. These messages are usually unwanted mail sent with malicious intent. Also refer to spam.

MailGrabber
Extension of the Grabber. The MailGrabber is a module that actively "grabs" emails from the email traffic and then processes them directly on the server. To do so, the MailGrabber calls the associated function modules configured.

MIME
Multi-purpose Internet Mail Extensions; STM files. Originally a method for encrypting non-text objects to allow their transmission using SMTP and email. Today, this method is used universally for data transfers through the Internet. Providing the ability to define custom control codes for special characters such as accents and to attach all types of files extends the functionality of email communications. Also refer to S/MIME.
MMC
Microsoft Management Console; administration environment containing administration tools and applications used to manage networks, computers, services, etc. The MMC lets you create, save and open collections of tools and applications.
module
A program unit with definable boundaries and action, which is embedded in an overall system as an independent, autonomous program component.

object
The basic unit of Active Directory (AD). A defined and named set of attributes representing a real object or person, such as a user, a printer, a computer or an application.

OEM
Original Equipment Manufacturer; company that buys other manufacturers' products or components and incorporates these in other products that it sells under its own name.

on-access scanner
Virus scanner component that usually runs in the background and continuously checks the files accessed by the computer. The on-access scanner ensures permanent monitoring of the file system on servers and workstations.

organization unit
An Active Directory (AD) container used for storing objects, such as user accounts, groups, computers, printers, applications, file sharing and other organization units. Organization units can be used for assigning and saving specific rights to object groups (for example users and printers). An organization unit cannot contain objects from other domains. The organization unit is the smallest unit to which administration rights can be assigned or delegated.

Outlook Web Access
Outlook Web Access for Microsoft Exchange 2000 Server provides user access to email, personal calendars, group scheduling, contacts and applications for cooperation via a web browser. Can be used by UNIX and Macintosh users, users without access to an Outlook 2000 client and for users connecting through the Internet. Provides platform-independent access for users stored on the server, for users with limited hardware resources, and for users without access to their own computers.

packer
Compression program. See compression.
passphrase
A long but easy-to-memorize character sequence (e.g. short sentences with punctuation) used in place of a password for increased security.

PDF/A
Portable Document Format (for Archiving); ISO standard for the PDF format used for long-term archiving of electronic documents. Defines a number of requirements for a standard-compliant PDF and sets the use of PDF/A for outputs to screen or printer.

PGP
Pretty Good Privacy; program for encrypting and decrypting emails. Uses the public key and asymmetric encryption, i.e. the sender and the recipient use two different keys (one public, the other private). Can also be used to electronically sign documents. Guarantees the recipient of such a document that the sender is the real author and the document was not sent or modified by another user. PGP is freeware and available from many shareware archives. In the context of email, PGP is a platform-independent standard, like GnuPG and S/MIME.

Phishing
Phishing is a method of deception by which fraudsters obtain personal access data such as passwords, account data etc. A phishing email is sent to Internet users, which pretends to be from a trustworthy, mostly commercial source address, e.g. from a bank or an insurance company. The email contains a request to log in to the company's home page or gateway and to confirm/correct the personal data for this user. By clicking on the link in the phishing email, the user is shown a forged website.

PKCS#12
PKCS#12 is a file format in the PKI environment that securely saves key pairs and provides built-in security mechanisms. PKCS#12 files are normally used to distribute keys.

policies
Overall configuration of all jobs within a company.

POP3
Post Office Protocol 3 (3 for the version of the protocol); a transfer protocol used for controlling the receipt of email from a remote server on which messages are stored until their retrieval by the recipient. POP3 uses TCP/IP. Developed specifically for receiving email, it does not (as opposed to SMTP) require a dedicated line.
private key
The private key is the part of a pair of keys that a user has to store in a safe place. It is used to decrypt information addressed to the owner of the private key and to generate digital signatures. Private keys are protected by a password or a passphrase. The safest place is a security token such as a smartcard. Also refer to public key.

public folder hierarchy
The structure or hierarchy of public folders on a single Information Store for public folders.

public key
The public key is the part of a pair of keys that is made publicly accessible, e.g. on a trust center (LDAP) server. It is used to encrypt messages addressed to the owner of the public key and to check his digital signatures. A public key certified by a CA is termed certificate.

Quarantine
An archive folder in which virus-infected and/or blocked files are stored and where they can be accessed by authorized persons.

registry
The Windows registry is a central, hierarchically structured Windows database in which the system configurations are stored. The registry contains information which is queried by the operating system during operation. Use the registry editor Regedit to edit the registry data.

replication
Synchronization of data between two identical databases on two different servers.

RFC
The Request for Comments is a document for specification of a technology suggested for standardization of the Internet. If a suggestion is accepted after a substantial check by the audience, an RFC can be established as a standard.

RFC 821
Defines the SMTP protocol and is today's basis for transporting emails on the Internet.

RFC 822
Defines the email format.
RFC 2822
Subsequent document of RFC 822.

RFC 5322
Subsequent document of RFC 2822.

root certificate
The highest instance of a certificate. Refer to certificate.

RSA
Commonly used encryption method named after its inventors Rivest, Shamir and Adleman. Used also with PGP. In RSA encryption, two large prime numbers are linked to form an even larger single prime number, which is then used for encryption. As of a certain bit width (about 100 bit), not even the fastest supercomputers can crack this encryption. The required processing capacity is doubled with every additional bit. Also refer to ECC.

RTF
Rich Text Format; generic file format used for transferring formatted text between applications, also between different operating systems.

rules
Rules are used to restrict the number of emails or databases to be checked by an iq.suite job. The rules filter the messages and databases according to user-defined policies, which allows the company's security concept to be optimized.

S/MIME
Secure Multipurpose Internet Mail Extensions; as the secure version of MIME, S/MIME is the industry standard for the encryption of emails sent between the same and different types of email systems. S/MIME can use a range of signature and encryption algorithms. Also refer to PGP.

SCL
The Spam Confidence Level is a threshold value, which defines the spam probability of an email. According to the SCL value certain actions can be performed. The SCL is an integer numeric value between -1 and 9 in which -1 denotes the lowest and 9 the highest spam probability. Depending on the settings for the individual values, corresponding actions are performed, such as forwarding into the quarantine. The threshold value is determined by the spam filter IMF, which analyzes the email content. The result is a calculated SCL value.
SMTP Simple Mail Transfer Protocol; protocol for sending and receiving email. Based on RFC 821 and belonging to the TCP/IP family. SMTP messages consist of a header containing at least a sender and recipient ID, and the actual message. An email program the User Agent (UA) forwards messages to a dedicated server the Message Transfer Agent (MTA) in its own network. The MTA, in turn, forwards the email to other MTAs along the transmission path according to the store and forward principle until the email reaches its recipient. Because SMTP works with 7-bit ASCII, special characters (accents, umlauts, etc.) cannot be represented and no protection is provided against unauthorized access. On the other hand, ESMTP uses 8 bits for transmission. Unlike POP3, SMTP requires a dedicated line. snap-in Software representing the smallest unit of an MMC extension. Each snap-in represents one unit of management behavior. The System Manager is such an Exchange snap-in in MMC. SOAP Simple Object Access Protocol; an XML-based communications protocol that provides a common language for completing transactions. Allows platform-independent communication between applications through the Internet. With SOAP, goods orders can, for example, be placed without knowing the actual structure of the target system. SQL Structured Query Language; a declarative database language for relational databases. With Database Connection local and external SQL servers can be connected to the iq.suite, e.g. for quarantine databases or for configuration of central Whitelists. SSL Secure Socket Layer; a method for sending data securely through a network. Developed by Netscape, SSL allows data to be encrypted for transmission (RSA encryption) to protect it from third-party access. Used, for example, for sending credit card information. SVM Support Vector Machines; mechanism used by CORE to analyze and classify emails. 
symmetrical method
In this case, emails are decrypted using the same key with which they were encrypted. This is called the symmetrical method as the keys are identical. This means that the key has to be accessible to both the sender and the recipient of the email. Keys are exchanged between recipient and sender using password-protected key files. The recipient of an email receives the password for the key file required to decrypt the email from the sender via an alternative route, i.e. on a secure line.

TCP
Transmission Control Protocol; besides IP (see IP address), the main protocol used on the Internet. Provides applications with a connection-oriented, reliable duplex service in the form of a data stream.

TCP/IP
Combination of TCP and IP (see IP address); originally developed for UNIX networks, it is today used as the main network protocol of the Internet. It splits data into convenient packets and sends them across the network using IP addresses to find the message destination. There, TCP reassembles the data packets. TCP/IP also allows several Internet applications to be run using a single modem or ISDN line.

TNEF
Transport Neutral Encapsulation Format; file format for Microsoft Exchange for attachments.

trust center
Trust centers are typically commercial service providers that issue, manage and provide public keys, e.g. under http://www.d-trust.net/. They usually combine three functions: the actual Certification Authority (CA) certifies the information submitted; the Registration Authority (RA) is responsible for identifying the participants and issuing the certificates; the Directory Service provides the information required for the creation and verification of certificates and signatures (e.g. timestamps or CRLs).

trusted domain
A domain that is trusted by another domain. Users in trusted domains can, for example, access the resources or receive user rights in a trusting domain.

trusting domain
Refer to trusted domain.
trust level
A certificate can be classified as trusted. Whenever a CA certificate is considered trustworthy, this trust also applies to all lower-ranking certificates.

UAC
User Account Control;

UNC
Universal Naming Convention. A naming convention for files and other resources. The two backslashes (\\) at the beginning of a name indicate that the corresponding resource is located on a network station. The syntax for UNC names is \\server name\shared resource.

variables
Refer to metasymbol.

VPN
Virtual Private Network; a simulated private network that uses public networks (for example the Internet) to connect its nodes. Encryption is used to prevent unauthorized listening to communications across the VPN.

VSAPI
Virus Scanning Application Program Interface provided by Microsoft up to Microsoft Exchange Server 2013. iq.suite used this interface to scan Information Stores for viruses. Since VSAPI is no longer supported by Microsoft as of Microsoft Exchange Server 2013, the interface is replaced by EWS.

Web storage system
Web-based Information Store which provides access to a wide variety of information, such as email and multimedia files. The Web Store concept combines messaging, file access and Exchange database functions (e.g. multiple databases and transaction logging). Web Store is the technology embedded in the Exchange 2000 Information Store and provides a logical view of physical databases. Also refer to Information Store and Installable File System.

wildcard
A character which represents another character or a character string. The most common wildcards are the question mark and the asterisk, which are used by the DOS command interpreter. The question mark (?) represents individ?al letters and num??rs, while the asterisk (*) represents a string of one or more consecutive ch*cters.

X.509
Standard for creating and coding certificates, CRLs and authentication services. X.509 is globally the most commonly used standard for certificate structures.

ZIP of Death
A rather small 42 KB email containing an attachment of recursively packed ZIP files which, in themselves, are neither dangerous nor virus-infected. They do, however, contain over 1 million packed files that, once unpacked, add up to 49,000,000 Gigabytes. When processed by a virus scanner's decompression tool, this inconspicuous email initiates virtually endless loops, usually resulting in a system crash. This affects not only the virus scanners of client computers but also the mail servers, which usually crash and paralyze the entire email traffic within a few minutes.
Index

A
Actions 63
Active Directory 30
Address conditions 55, 57-63
Address filtering
  Sample job 266
  Sender and recipient 266
  Sequence 264
Address lists 42
  Create, change 89, 91
  Delete 91
  Use in job 55, 92
Addresses
  Invalid 90
  Split up mails with multiple recipients 55
Addresses tab 55
ADO
  Connection string 108
Advanced Queue 25
Anti-spam 309
  Actions 278
  Combined criteria 288
  Configuration 287
  Definite criteria 309
  Practical Tips 287
AntiVir
  Configuration 230
  Installation 10
Archives
  Formats 30
  Hide archives 74
  Recursion depth 31
  Scan inside compressed attachments 254
  Upper limit for unpacked files 31
Attachment size
  Actions 261
  Compressed attachments 260, 326
  Restrict 258
  Valid for 259

B
Badmail 31, 116, 140
Basic configuration 44
Blacklists
  Summary report 123, 125
Business-critical, see Mission-critical

C
CA, see Certification Authority
Certificate 392
Collective notification
  Server settings 74
Company certificate 214
Compress
  Attachments 326
Compress attachments 326
Conditions 42, 60, 89
Configuration
  Architecture 33
  Basic 44
  Management Console 39
  Non-standard 34
  Reports 71
  Save 6
Content filtering
  Dictionaries 303
Convert
  Attachments to PDF 330
  Attachments to ZIP 326
  TNEF to MIME 335, 337
Convert attachments 330-341
Convert Richtext to MIME
  Sample job 335, 337
CORE 394
  Anti-spam 310
  Classification from quarantine 134
  Classify contents 312
  Combined criteria 289
  Teach 140
  Train classifier 310
Corporate policy 39, 57
CRL, definition 394

D
Database connections
  Connection string (ADO) 108
  Server 74
  SQL 106
Details tab 67
Dictionaries
  create, select 300, 303
  Threshold 304
  Weighting 300
Display window 36
Domain
  Internal 76
  Settings 72

E
EICAR test virus 129, 225
Email processing - sequence 33
Encrypt attachments only 160
Event Sink 26
EWS 26, 78, 236
Exchange SCL value 281
  Combined criteria 289
  Definite criteria 285

F
File restrictions
  Actions 255
  Attachments 254, 257
  Fingerprints, see Fingerprints
  Sequence 246
Fingerprints
  Binary patterns 251, 253
  Create name patterns 249
  Exceptions 255, 260
  Fingerprint categories 248, 249
Function bar 35
Further actions 65

G
General tab 51
Global mappings 146, 164
Grabber
  Definition 396
GTUBE test spam string 129, 286

I
Icons 36
Information storage
  Background scan 239
Information store
  Blocking objects 223
  Do not mark infected 243
  On-demand Scan 223
  Proactive scan 223
  Replace 243
Information store jobs 40
Installation 9
  Console on the workstation 20
  In cluster 20
  Multi-server environment 17
  On multiple Exchange servers 17
  On the Exchange server 11
  System requirements 9
  Virus scanners 10
Internal domain 76
iq.suite
  Architecture 23
  Console 23
  Grabber 25, 33
  Menu bar 36
  Monitor 127
  Policy configuration 39
  Quarantine, see Quarantine
  Reports 141
  Server
    New server 79
  Service 26
  Standard settings 80
  Start 6
  Stop 6
  User interface 35
iq.suite Server 25, 79, 80
iq.suite Servers 72

J
Job types 63, 68
Jobs
  definition 397
  duplicate 316
  List 87
  Order 41
  Standard tabs 51

K
KeyManager 190-199

L
Label 133, 136
LDAP server 176, 214, 215
LDIF 30
Legal disclaimer
  Addressing 373
Logs 53, 55, 227

M
Mail header tag 61, 66
Mission-critical
  Jobs 53
  Quarantines 112

N
Notification templates
  Create 44, 94
  Placeholders 95
Notifications
  Send 65
Number of recipients 273
Number of threads 79

O
Order of iq.suite jobs 41

P
PDF/A 400
PGP
  Decryption
    Crypt Engine 165
    Requirements 165
  Encrypt attachments only 160
  Encryption 158, 159, 163
    Crypt mode 161
  Fingerprints 153, 160, 202
  Key
    Import 155, 156
    Sign 150
  Preliminaries 149
  Processing sequence 148
  Quickstart 145
  Universal server compatibility 160
  Variables 203
  Version control 156
Placeholder, see Wildcard 405
Policy configuration 39
Position 41
Priority 41
Processing log, see Logs
Processing order 41
Q
QR codes 350
Quarantine 401
  Access rights 127
  Configure 114
  Copy to quarantine 114, 131
  CORE classification 134
  Deliver bypassing any iq.suite jobs on this server 139
  Filter options 132
  Functioning 28, 46
  Information store 137
  Maintenance 83
  Mission-critical 112
  Resubmit email to iq.suite jobs 139
  Send from quarantine 138
  With SQL 111
Quarantine summary report 46, 118

R
Redirect email 66
Regular expressions 62, 267
Root certificate 214

S
S/MIME
  Decryption 183
  Encryption 177, 179, 181
  Import certificates 175, 189
  LDAP server 176, 189, 214
  Quickstart 146
  Sign 187
  Verify signatures 189
SASI 48, 290, 293-298
Savapi 230
SCL 281, 285, 289
Sender ID 286
Sender/recipient conditions 56, 89
Server
  Central whitelists 74
  Database connection (SQL) 74
  Email addresses 80
  New server 79
  Properties 79
  Settings 72
  Status 128
  Summary report, see Collective notification
Signature
  Attachments 375
SMTP Advanced Queue, see Advanced Queue
Spam filtering
  Combined criteria 288
  Definite criteria 309
  SASI 290
  Sender ID 286
Spam test 129, 286
Split 55
Split up mails with multiple recipients 55
SQL Server
  Central whitelists 110
  Quarantine 111
  When to use 106
SQL server
  Database connections 106
Standard tabs 51
Start external program 65
Statistics 141
Subject extension 52
Summary report
  Blacklists 123, 125
  Collective notification, see Collective notification
  Quarantine, see Quarantine summary report
  Whitelists 74, 123, 125
SVM, definition 403

T
Tabs, standard 51
Templates see Notification templates
Test spam string, see GTUBE
Test virus, see EICAR
Text filtering
  Threshold 304
Text module
  Create 356, 358, 373
TNEF format 66, 160, 178
Trailer
  Create 343, 358
  Create signature 375
  Remove from Job 368
  Select 367, 373
Trailer Attachments 350

U
Uninstallation 22
Unpacker 30
Update
  iq.suite 21
  Patterns 295
User quarantine 81
  Quarantine access by email 83
  Quarantine access via HTTP 83
Utility settings 46

V
Variables 52, 64, 95, 106
vcards 350
Virus scanners
  Avira Scan Engine 230
  Configure 224
  Enable 225
  Install 10
  McAfee Scan Engine 230
  Norman Scan Engine 231
  Options 227
  Select 232
  Sophos Scan Engine (SAVI) 232
  Test 129, 225
  Update settings 227
Virus scanning
  Actions 222, 234
  Extra archive scan 235
  Information Store Scan 223
  Password-protected archives 245
  Sample job 232
VPN channels 166, 184
VSAPI 26, 405

W
Wall Mail jobs 265, 309
WebCrypt Pro 205-210
Whitelists
  Central 74, 110
  Summary report 74, 123, 125
  With SQL 110
Wildcards 300, 405
Write spam result to Exchange SCL field 281
Write spam value to mail header field 282

X
X-header field 66, 281, 282