Email Security 8.0 Administrator's Guide




Notes, Cautions, and Warnings

NOTE: A NOTE indicates important information that helps you make better use of your system.

CAUTION: A CAUTION indicates potential damage to hardware or loss of data if instructions are not followed.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2015 Dell, Inc.

Trademarks: Dell, the DELL logo, SonicWALL, MySonicWALL, Reassembly-Free Deep Packet Inspection, Dynamic Security for the Global Network, SonicWALL Global Response Intelligent Defense (GRID) Network, and all other SonicWALL product and service names and slogans are trademarks of Dell, Inc. Microsoft Windows, Internet Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies and are the sole property of their respective manufacturers.

2015-01 P/N 232-002500-00 Rev. B

Dell SonicWALL Email Security Administrator Guide

Chapter 1. Planning Email Security Deployment
    Dell SonicWALL Email Security and Mail Threats
    Defining Email Security Deployment Architecture
    Inbound and Outbound Email Flow
    Proxy versus MTA
    Should You Choose an All in One or a Split Architecture?
    Typical Dell SonicWALL Email Security Deployments
    Email Security as the First-Touch / Last-Touch Server
    Email Security Not as a First-Touch / Last Touch Server

Chapter 2. System
    Introduction
    License Management
    Available Services
    License Table
    Administration
    Email Security Master Account
    Password Policy
    Invalid Login Policy
    Login Custom Text
    Quick Configuration
    Setting Your Network Architecture
    Adding an Inbound Mail Server for All in One Architecture
    Adding an Outbound Mail Server for All in One Architecture
    Adding a Server for Split Architecture
    Adding a Remote Analyzer
    Adding a Control Center
    Configuring Inbound Email Flow for a Remote Analyzer
    Configuring Outbound Email Flow for a Remote Analyzer
    Configuring Remote Analyzers to Communicate with Control Centers
    Deleting a Remote Analyzer from a Split Configuration
    Testing the Mail Servers
    Changing from an All in One Configuration to a Split Configuration
    Configuring MTA
    Mail Transfer Agent Settings
    Non-Delivery Reports (NDR)
    Email Address Rewriting
    Trusted Networks
    LDAP Configuration
    Configuring LDAP
    LDAP Query Panel
    Add LDAP Mappings
    Multiple LDAP Server Support
    Configuring Email Security for Multiple LDAP Servers
    User View Setup
    Updates
    General Settings
    Web Proxy Configuration
    Monitoring
    Configure System Monitoring
    Viewing Alerts
    Alert Suppression Schedule
    System Logging Facility
    Connection Management
    Intrusion Prevention
    Quality of Service
    Manually Edit IP Address Lists
    Backup/Restore Settings
    Manage Backups
    Schedule Backup
    Managing Restores
    Host Configuration
    General Settings
    HTTPS Settings
    Date & Time Settings
    Network Settings
    CIFS Mount Settings
    Advanced
    General Settings
    Miscellaneous Settings
    Reset Settings
    Branding
    Quick Settings
    Packages
    Certificates
    Settings
    Generate CSR
    Configure
    Audit Trail
    Diagnostics

Chapter 3. Anti-Spoofing
    How Anti-Spoofing Works
    Enabling Inbound SPF Validation
    SPF Hard Fail
    SPF Soft Fail
    Configuring Inbound DKIM Settings
    Configuring Inbound DMARC Settings
    DMARC Incoming Reports
    Configuring Outbound DKIM Settings
    Generating DNS Record
    Using Outbound DKIM Settings

Chapter 4. Anti-Spam
    Managing Spam
    Spam Identification
    Default Spam Management
    Address Books
    Using the Search Field
    Adding People, Companies, or Lists
    Deleting People, Companies, or Lists
    Import Address Book
    Anti-Spam Aggressiveness
    Configuring GRID Network Aggressiveness
    Configuring Adversarial Bayesian Aggressiveness Settings
    Unjunking Spam
    Determining Amounts and Types of Spam
    Languages
    Black List Services (BLS)
    Adding to the Black List
    Email that Arrives from Sources on the Black Lists Services
    Spam Submissions
    Managing Spam Submissions
    Probe Accounts
    Managing Miscategorized Messages
    Forwarding Miscategorized Email to Email Security
    Configuring Submit-Junk and Submit-Good Email Accounts
    Problem with Forwarding Miscategorized Email
    Anti-Phishing
    What is Enterprise Phishing?
    Preventing Phishing
    Configuring Phishing Protection
    Using Email Security's Community to Alert Others
    Report Phishing and Other Enterprise Fraud
    Domain Keys Identified Mail (DKIM)

Chapter 5. Anti-Phishing
    What is Enterprise Phishing?
    Preventing Phishing
    Configuring Phishing Protection

Chapter 6. Anti-Virus
    How Virus Checking Works
    Configuring Anti-Virus Protection
    Checking for Updates
    Configuring Zombie and Spyware Protection
    Configuring Flood Protection

Chapter 7. Auditing
    Searching Inbound and Outbound Emails
    Audit Simple Search
    Audit Advanced View
    Configuring Auditing
    Using Message Audit
    Judgment Details

Chapter 8. Policy & Compliance
    Email Security and Mail Threats
    Standard Module vs. Compliance Module
    Basic Concepts for Policy Management
    Defining Word Usage
    Defining Email Address Matching
    Defining Intelligent Email Attachment Matching
    Defining Disguised Text Identification
    Inbound vs. Outbound Policy Filters
    Preconfigured Inbound Filters
    Preconfigured Outbound Filters
    Adding Filters
    Language Support
    Managing Filters
    Editing a Filter
    Deleting a Filter
    Changing Filter Order
    Advanced Filtering
    Policy Groups
    Compliance Module
    Dictionaries
    Approval Boxes
    Encryption
    Record ID Definitions
    Archiving

Chapter 9. Encryption Service
    How Encryption Service Works
    Outbound Messages
    Enabling the Secure Mail Policy
    Licensing Email Encryption Service
    Configuring Encryption Service
    Whitelisting IP Addresses
    Users in Encryption Service
    Adding a New User
    Updating an Existing User
    Adding an Existing User
    Importing Users
    Exporting Users
    Cobrand and Reporting
    Sending Secure Mail Messages

Chapter 10. Users, Groups & Organizations
    Working with Users
    Finding All Users
    Sort
    Signing In as a User
    Edit User Rights
    Resetting User Message Management Setting to Default
    Add
    Remove
    Import
    Export
    Working with Groups
    About LDAP Groups
    Add a New Group
    Finding a Group
    Removing a Group
    Listing Group Members
    Setting an LDAP Group Role
    User View Setup
    Anti-Spam Aggressiveness
    Languages
    Junk Box Summary
    Spam Management
    Phishing Management
    Virus Management
    Forcing All Members to Group Settings
    Assigning Delegates
    Working with Organizations
    Signing In as an OU Admin
    Configuring OU Settings
    Removing an Organization
    Email Security User Roles
    Users and Groups in Multiple LDAP
    Users
    Groups

Chapter 11. Junk Box Management
    Junk Box Simple View
    Junk Box Advanced View
    Outbound Messages Stored in Junk Box
    Supported Search in Audit and Junkbox
    Boolean Search
    Wildcard Search
    Phrase Search
    Fuzzy Search
    Junk Box Settings
    Junk Box Summary
    Frequency Settings
    Message Settings
    Miscellaneous Settings
    Other Settings

Chapter 12. Reports and Monitoring
    Monitoring Methods
    System Status
    MTA Status
    Real-Time System Monitor
    Performance Monitoring
    Reporting in Email Security
    Generating Per-Domain Reports
    Overview Reports
    Dashboard
    Return on Investment
    Bandwidth Savings
    Inbound Good vs Junk
    Outbound Good vs Junk
    Inbound vs Outbound Email
    Top Outbound Email Senders
    Junk Email Breakdown Report
    Anti-Spam Reports
    Spam Caught
    Top Spam Domains
    Top Spam Recipients
    Anti-Phishing Reports
    Phishing Messages
    Anti-Virus Reports
    Inbound Viruses Caught
    Top Inbound Viruses
    Outbound Viruses Caught
    Top Outbound Viruses
    Policy Management Reports
    Inbound Policies Filtered
    Top Inbound Policies
    Outbound Policies Filtered
    Top Outbound Policies
    Compliance Reports
    Inbound Messages Decrypted
    Inbound Messages Archived
    Top Inbound Approval Boxes
    Outbound Messages Encrypted
    Outbound Messages Archived
    Top Outbound Approval Boxes
    Directory Protection
    Number of Directory Harvest Attacks (DHA)
    Top DHA Domains
    Connection Management Reports
    Allowed vs Blocked Connections
    Blocked Connection Breakdown
    Greylisted Connections
    DMARC Reporting
    DMARC Reports
    Configure Known Networks
    Scheduled Reports
    Customize a Report
    Add Scheduled Report
    Download Report

Chapter 13. Downloads
    Anti-Spam Desktop for Outlook
    Junk Button for Outlook
    Send Secure for Outlook

Chapter 1. Planning Email Security Deployment

Determine the appropriate architecture for Email Security before you deploy it in your network. This section discusses the different modules available in Dell SonicWALL Email Security and network topology planning.

Note: For installation and set up instructions for your Dell SonicWALL Email Security solution, refer to the Email Security Series Getting Started Guide document.

Dell SonicWALL Email Security and Mail Threats

Email Security determines that an email fits only one of the following threats: Spam, Likely Spam, Phishing, Likely Phishing, Virus, Likely Virus, Policy Violation, or Directory Harvest Attack (DHA). It uses the following precedence order when evaluating threats in email messages:

- Virus
- Likely Virus
- Policy Filters
- Phishing
- Likely Phishing
- Spam
- Likely Spam

For example, if a message is both a Virus and a Spam, the message is categorized as a Virus since Virus is higher in precedence than Spam. If Dell SonicWALL Email Security determines that the message is not any of the above threats, it is delivered to the destination server.

Defining Email Security Deployment Architecture

SonicWALL Email Security can be configured in two ways:

All in One

In this configuration, all machines running Dell SonicWALL Email Security analyze email, quarantine junk mail, and allow for management of administrator and user settings.

In an All in One configuration, you can also deploy multiple Email Security servers in a cluster setup wherein all of the gateways share the same configuration and data files. To set up such a cluster, begin by creating a shared directory, on either one of the Dell SonicWALL Email Security servers or on another dedicated server (preferred) running the same operating system. This shared directory will be used to store data including user settings, quarantine email, etc., from all the Dell SonicWALL Email Security servers in the cluster.

Split

In a Split network configuration, there are two kinds of servers: Control Centers and Remote Analyzers. In this configuration there is typically one Control Center and multiple Remote Analyzers, but the Control Center can be set up in a cluster as well. The Split configuration is designed for organizations with remote physical data centers.

The Split configuration allows you to manage Dell SonicWALL Email Security so that email messages are filtered in multiple remote locations through multiple Remote Analyzers. The entire setup is centrally managed from a single location through the Control Center. Control Center clusters are not supported by the Dell SonicWALL Email Security appliance.

The Control Center, in addition to managing all data files, controls, monitors and communicates with all Remote Analyzers. The data files consist of statistical data such as how much email has been received, network usage, remote hardware space used, and hourly spam statistics. The Control Center stores or quarantines junk email it receives from the Remote Analyzers. It also queries LDAP servers to ensure valid users are logging in to Dell SonicWALL Email Security. End users can log in to a Control Center to manage their junk mail.

Remote Analyzers analyze incoming email to determine whether it is good or junk. They send junk email to the Control Center, where it is quarantined, and route good mail to its destination server. Only administrators can log in to a Remote Analyzer.

Note: The Replicator is the Dell SonicWALL Email Security component that automatically sends data updates from the Control Center to the Remote Analyzer, ensuring that these components are always synchronized. Replicator logs are stored in the Control Center's logs directory. You can review replication activity from these logs for troubleshooting purposes.

Inbound and Outbound Email Flow

Dell SonicWALL Email Security can process both inbound and outbound email on the same machine. In an All in One configuration, each Email Security instance can support both inbound and outbound email. In a Split configuration, each Remote Analyzer can support both inbound and outbound email.

For inbound email flow, DNS configuration and firewall rules need to be set to direct email traffic to Dell SonicWALL Email Security. For outbound email flow, the downstream email server must be configured to send all email to Dell SonicWALL Email Security (Smart Host Configuration).

Proxy versus MTA

Dell SonicWALL Email Security can run either as an SMTP proxy or an MTA (Mail Transfer Agent).

The SMTP proxy operates by connecting to a destination SMTP server before accepting messages from a sending SMTP server. Note that SMTP proxies can only send email to one server. Some benefits of the SMTP proxy are:

- All processing occurs in memory, significantly reducing the latency and providing higher throughput.
- There is no queue and Dell SonicWALL Email Security does not lose any email messages. Dell SonicWALL Email Security automatically respects your existing failover strategies if your mail infrastructure experiences a failure.

The MTA service operates by writing messages to disk and allows for routing of a message. Some benefits of the MTA are:

- Able to route messages to different domains based on MX records or LDAP mapping.
- Able to queue messages by temporarily storing messages on disk and retrying delivery later in case the receiving server is not ready.
- Allows Dell SonicWALL Email Security to be the last-touch mail gateway for outbound traffic.

Should You Choose an All in One or a Split Architecture?

Dell SonicWALL recommends the All in One configuration whenever possible because of its simplicity. Choose a Split configuration to support multiple physical data centers and if you want to centrally manage this deployment from a single location.

Dell SonicWALL strongly recommends that after you deploy the chosen architecture, you do not change the setup from a Control Center to a Remote Analyzer or vice versa, as there are no obvious advantages, and some data might be lost. Thus, it is important to make the deployment architecture decision before installing Email Security.

Typical Dell SonicWALL Email Security Deployments

Email Security as the First-Touch / Last-Touch Server
In a deployment with first-touch and last-touch in the DMZ, change your MX records to point to the Dell SonicWALL Email Security setup. Also, all the inbound and outbound connections (typically port 25) for Dell SonicWALL Email Security must be properly configured in your firewalls. In this configuration, Dell SonicWALL Email Security can be configured on the inbound path to be either an SMTP proxy or an MTA. On the outbound path, it must be configured to be an MTA. This setup also can be extended to a cluster with multiple SonicWALL Email Security servers all using a shared drive for data location. For more information on routing using Smart Host, refer to Adding an Inbound Mail Server for All in One Architecture on page 21.
To configure Email Security in this configuration, you also need to:
1. Configure the Email Security server with a static IP address on your DMZ.
2. In your firewall, add an inbound NAT rule that maps the Email Security server's private IP address to an Internet addressable IP address for TCP port 25 (SMTP).
3. In the public DNS server on the Internet, create an A record, mapping a name such as smtp.my_domain.com, to the Internet addressable IP address you assigned in step 2.
4. Update your email domain's MX record to point to the new A record. You need to deploy the Dell SonicWALL Email Security for each MX record.

Email Security Not as a First-Touch / Last-Touch Server
A network topology where Dell SonicWALL Email Security is not the first-touch and last-touch SMTP server is not recommended, because security mechanisms such as SPF and Connection Management cannot be used. In this configuration Dell SonicWALL Email Security can be configured to be either an MTA or a proxy.

Chapter 2 System

Introduction
In this chapter, you will learn how to configure the system more extensively and learn more about additional system administration capabilities. This chapter contains the following sections:
- License Management
- Administration
- Setting Your Network Architecture
- Configuring MTA
- Email Address Rewriting
- Trusted Networks
- User View Setup
- Updates
- Monitoring
- Connection Management
- Backup/Restore Settings
- Host Configuration
- Advanced
- Branding
- Certificates
- Audit Trail

License Management
The License Management page allows you to view current Security and Support Services for your Dell SonicWALL Email Security solution.
- Serial Number: The serial number of your Dell SonicWALL Email Security appliance/software.
- Authentication Code: The code you entered upon purchasing the Dell SonicWALL Email Security appliance/software.
- Model Number: The model number of the Dell SonicWALL Email Security appliance. If you are using the Dell SonicWALL Email Security software, the model number is listed as Software.
- Manage Licenses: Clicking this button allows you to log in to your mysonicwall.com account to register appliances and manage all security services, upgrades, and changes.
- Refresh Licenses: Click this button to manually synchronize the state of licenses on this server with the mysonicwall.com website. Upon successfully synchronizing, the licenses on your appliance or software are automatically updated to those on your online account. Note that once your appliance or software is successfully registered, the Email Security server contacts the online license manager once every hour and updates to the most recent information.
- Upload Licenses: Click this button to manually update your licenses. This feature is useful in the event that you are unable to use the dynamic licensing feature for any reason. Before clicking this button, download a license file from the mysonicwall.com website. Then, click the Choose File button, select the license file you downloaded, and click the Upload button. Your product's licenses will update based on the license file. Note that the hourly license update will synchronize with the online license manager, and overwrite licenses applied by the offline method.

Available Services
Dell SonicWALL Email Security comes with several services that must be licensed separately. For maximum effectiveness, all services are recommended. The following services are available:
- Email Security: The standard license that comes with the software and enables basic components. This license allows the use of basic policy filters.
- Email Protection Subscription (Anti-Spam and Anti-Phishing): This license protects against email spam and phishing attacks.
- Email Anti-Virus (Kaspersky and SonicWALL Time Zero): Provides updates for Kaspersky anti-virus definitions and SonicWALL Time Zero technology for immediate protection from new virus outbreaks.
- Email Anti-Virus (SonicWALL Grid A/V and SonicWALL Time Zero): Provides updates for SonicWALL Grid anti-virus definitions and SonicWALL Time Zero technology for immediate protection from new virus outbreaks.

License Table
The following table provides details about the different types of licenses:
- Security Service: Name of the Dell SonicWALL Email Security service.
- Status: The status may be one of the following:
  - Licensed: Service has a regular valid license.
  - Free Trial: Service has been using the 14-day free trial license.
  - Not Licensed: Service has not been licensed, neither through a regular license nor through a free trial license.
  - Perpetual: The Base Key license comes with the purchase of the product and is perpetual. Note that the Base Key is the only perpetual license.
- Free Trial: Dell SonicWALL offers the opportunity to try out various services for a trial period of 14 days.
  - Try: This link leads to information about the service, and allows you to sign up for a free trial license. If a free trial is accepted, the Try option is removed from this column, and the Status column is updated to Free Trial.
- Count: Number of users to which the license applies.
- Expiration: Expiration date of the service.
  - Never: Indicates the license never expires.
  - Date: A specific date on which the given service expires.

Administration
The Administration page allows you to change the master account Username and Password. SonicWALL strongly recommends that you change the master account password from the default password.

Email Security Master Account
To update your administrator settings, follow the steps listed below:
1. Change your Username by entering the new name in the text box. The Username you originally registered with appears as the default Username (admin@domain.com).
2. Type the Old Password in the text box.
3. Type a new password in the Password text box.
4. Type the same password in the Confirm Password text box.
5. Click Apply Changes.

Password Policy
This section allows you to configure settings for passwords.
- Require A-Z: Select this option to require that passwords have at least one capital letter.
- Require a-z: Select this option to require that passwords have at least one lowercase letter.
- Require 0-9: Select this option to require that passwords have at least one digit.
- Require Special: Select this option to require that passwords have at least one special character.
- Allow OU Admins to change password policy: Select this option to allow Organizational Unit (OU) administrators to change the password policy.
- Password length: Specify the number of characters required for passwords.
- Change password link expiry: Specify the amount of time users are able to use passwords for before requiring a change of password.

Invalid Login Policy
The System > Administration > Invalid Login Policy feature allows administrators to configure a User Lockout feature, locking out user accounts if the number of unsuccessful attempts to log in is reached. Note that Invalid Login Policy is only available if the Global Administrator configures this feature for all users. You can configure the following settings:
- Number of unsuccessful attempts before lockout: Specify the number of invalid attempts allowed before the user account is locked. The default value is 5, but can range between 0-9. If the value is set to 0, the feature is disabled.
- Lockout Interval: This is the amount of time the user account is locked. The user will have to wait for this time interval to lapse before being able to log in again; any correct or incorrect attempts will not be allowed. The default value is 15 minutes. The hours value can range from 0-72 hours, and the minutes value can range from 1-59 minutes.
- Alert administrator when account is locked: Select this checkbox to alert the administrator with an emergency message about the user account lockout.

Login Custom Text
Enter custom text in the space provided for users to see upon logging in to Dell SonicWALL Email Security.
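The Invalid Login Policy settings above can be modelled as a small state machine. The following is an added example, not Dell SonicWALL code: the class and function names are hypothetical, and it assumes failures are counted until a successful login resets them and that the attempt reaching the threshold is itself answered as a normal denial.

```python
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    max_attempts: int = 5            # guide default; 0 disables the feature
    lockout_seconds: int = 15 * 60   # guide default of 15 minutes

    def __post_init__(self):
        # The guide gives 0-9 as the valid range for the attempt count.
        if not 0 <= self.max_attempts <= 9:
            raise ValueError("attempts before lockout must be in the range 0-9")
        if self.lockout_seconds <= 0:
            raise ValueError("lockout interval must be positive")


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0
    admin_alerts: int = 0            # count of "account locked" alerts raised


def attempt_login(policy, state, password_ok, now, alert_admin=True):
    """Return 'ok', 'denied' or 'locked' for one login attempt at time `now`."""
    if policy.max_attempts == 0:
        # Feature disabled: failures are never counted.
        return "ok" if password_ok else "denied"
    if now < state.locked_until:
        # During the interval even a correct password is refused.
        return "locked"
    if password_ok:
        state.failures = 0           # assumption: success resets the counter
        return "ok"
    state.failures += 1
    if state.failures >= policy.max_attempts:
        state.locked_until = now + policy.lockout_seconds
        state.failures = 0
        if alert_admin:
            state.admin_alerts += 1
    return "denied"


def replay(policy, events):
    """Run (seconds, password_ok) events for one account; return results and state."""
    state = AccountState()
    results = [attempt_login(policy, state, ok, t) for t, ok in events]
    return results, state


# Constructed sample: five bad passwords, then the correct one tried three times.
SAMPLE_EVENTS = [(0, False), (10, False), (20, False), (30, False), (40, False),
                 (50, True), (939, True), (940, True)]

if __name__ == "__main__":
    for label, policy in (("default", LockoutPolicy()), ("disabled", LockoutPolicy(0))):
        print(label, replay(policy, SAMPLE_EVENTS)[0])
```

With the default policy the correct password at 50 and 939 seconds is still refused; setting the attempt count to 0 removes the protection entirely.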

Quick Configuration
Most organizations that are using Dell SonicWALL Email Security can configure their system by using the Quick Configuration window. Note that you must configure the same choices for message handling for each Dell SonicWALL appliance to use Quick Configuration. For more complex installations and advanced options, use the appropriate options in the left-hand side links of the Server Configuration page.

Setting Your Network Architecture
There are different ways to configure and deploy Dell SonicWALL Email Security, and the first decision to make is the choice of network architecture. See Planning Email Security Deployment on page 9 for more information on what network architecture is appropriate for your need. You must decide whether you are setting up a Split or All in One architecture, as that choice impacts other configuration options. You can change the architecture later, but if you do so, you will need to add your mail servers and reset configuration options again. To configure Dell SonicWALL Email Security as your desired network architecture, navigate to the System > Network Architecture > Server Configuration page.

Adding an Inbound Mail Server for All in One Architecture
From the System > Network Architecture > Server Configuration page, set the server to All in One configuration by choosing the radio button next to All in One. Then, click Apply. In the Inbound Email Flow section, click the Add Path button.

Source IP Contacting Path
This section allows you to specify the IP addresses of other systems that are allowed to connect to and relay through this path. Select from the following:
- Any source IP address is allowed to connect to this path: Use this setting if you want any sending email server to be able to connect to this path and relay messages. Using this option could make your server an open relay (see Caution note below).
- Any source IP address is allowed to connect to this path but relaying is allowed only for specified domains: Use this setting if you want any sending email servers to connect to this path, but you want to relay messages only to the domains specified. Simply enter the domains in the space provided, adding one domain per line.
- Only these IP addresses can connect and relay: Use this setting if you know the sending email server IP addresses and you do not want any other servers to connect. Separate multiple IP addresses with a comma.
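The three Source IP Contacting Path choices differ in who may connect and for which recipients mail is relayed. The model below is an added example, not Dell SonicWALL code: the constant and function names are hypothetical, and the addresses are constructed samples from documentation ranges. It parses the two input formats the guide describes and shows which setting lets an outside host relay to an unrelated domain.

```python
import ipaddress

# Hypothetical labels for the three choices listed above.
ANY_SOURCE = "any source may connect and relay"
ANY_SOURCE_LISTED_DOMAINS = "any source may connect, relay only to listed domains"
LISTED_IPS_ONLY = "only listed IPs may connect and relay"


def parse_domains(text):
    """Parse the domain box: one domain per line."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def parse_ips(text):
    """Parse the IP box: addresses separated by commas."""
    return {ipaddress.ip_address(p.strip()) for p in text.split(",") if p.strip()}


def relay_decision(mode, source_ip, rcpt_to, domains=(), ips=()):
    """Return (connection_accepted, message_relayed) for one RCPT TO."""
    rcpt_domain = rcpt_to.rpartition("@")[2].lower()
    if mode == ANY_SOURCE:
        return True, True
    if mode == ANY_SOURCE_LISTED_DOMAINS:
        return True, rcpt_domain in domains
    if mode == LISTED_IPS_ONLY:
        allowed = ipaddress.ip_address(source_ip) in ips
        return allowed, allowed
    raise ValueError(f"unknown mode: {mode!r}")


# Constructed sample attempts: (connecting IP, envelope recipient).
SAMPLE_ATTEMPTS = [
    ("198.51.100.7", "alice@mycompany.com"),       # Internet sender to a local user
    ("198.51.100.7", "someone@elsewhere.example"), # Internet sender to a foreign domain
    ("10.1.1.20", "partner@elsewhere.example"),    # internal mail server to a foreign domain
]
LOCAL_DOMAINS = parse_domains("mycompany.com\n")
INTERNAL_IPS = parse_ips("10.1.1.20")


def third_party_relays(mode, domains=(), ips=()):
    """Sample attempts where an outside source gets mail relayed to a non-local domain."""
    found = []
    for source_ip, rcpt_to in SAMPLE_ATTEMPTS:
        _, relayed = relay_decision(mode, source_ip, rcpt_to, domains, ips)
        outside = ipaddress.ip_address(source_ip) not in INTERNAL_IPS
        foreign = rcpt_to.rpartition("@")[2].lower() not in LOCAL_DOMAINS
        if relayed and outside and foreign:
            found.append((source_ip, rcpt_to))
    return found


if __name__ == "__main__":
    print(third_party_relays(ANY_SOURCE))
    print(third_party_relays(ANY_SOURCE_LISTED_DOMAINS, domains=LOCAL_DOMAINS))
    print(third_party_relays(LISTED_IPS_ONLY, ips=INTERNAL_IPS))
```

Only the first setting returns a non-empty list, which is the open-relay condition the guide cautions against.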

Caution: Dell SonicWALL Email Security strongly recommends against an open relay. Open relays can reduce the security of your email network and allow malicious users to spoof your email domain.

Path Listens On
This section allows you to specify the IP addresses and port number on which the path listens for connections.
- Listen for all IP address on this port: This is the typical setting for most environments, as the service listens on the specified port using the machine's default IP address. The usual port number for incoming email traffic is 25.
- Listen only on this IP address and port: If you have multiple IP addresses configured on this machine, you can specify which IP address and port number to listen on.

Destination of Path
Destination of path allows you to specify the destination server for all incoming email traffic in this path:
- This is a Proxy. Pass all email to destination server: This setting configures the path to act as a proxy and relay messages to a downstream email server. If the downstream server is unavailable, incoming messages will not be accepted. Enter the host name or IP address and the port number of the downstream email server.
- This is a Proxy. Route email in Round-Robin or Failover mode to the following multiple destination servers: This setting configures the path to act as a proxy and relay messages to a downstream email server. If Round-Robin is selected, email is load-balanced by sending a portion of the email flow through each server listed in the text box. If Failover is selected, email is sent to the servers listed in the text box only if the downstream server is unavailable. Email is queued if all of the servers listed are unavailable.

- This is an MTA. Route email using SmartHost to destination server: This setting is similar to the This is a Proxy. Pass all email to destination option, except that incoming messages are accepted and queued if the downstream server is unavailable. In this instance, this path acts as an SMTP smarthost. With this setting selected, you can also include Exceptions, specifying which domains should use MX record routing and which should use the associated IP address or hostname.
- This is an MTA. Route email using SmartHost in Round-Robin or Failover mode to the following multiple destination servers: This setting is similar to the previous MTA option; however, incoming messages can be routed to multiple servers. If Round-Robin is selected, email is load-balanced by sending a portion of the email flow through each server listed in the text box. If Failover is selected, email is sent to the servers listed in the text box only if the downstream server is unavailable. Email is queued if all of the servers listed are unavailable.
- This is an MTA. Route email using MX record routing. Queue email if necessary: This setting routes any mail by standard MX (Mail Exchange) records. Messages can be queued on disk and will retry transmissions later if the destination SMTP server is not immediately available.
- This is an MTA. Route email using MX record routing with these exceptions: This setting routes any mail by standard MX (Mail Exchange) records. However, email messages sent to the email addresses or domains in the table to the right are routed directly to the associated IP address or hostname. Messages can be queued on disk and will retry transmissions later if the destination SMTP server is not immediately available.

Note: You can specify email addresses in addition to domains in this routing table. Also, hostnames can be specified instead of IP addresses. For example, if you want to route customer service emails to one downstream server and the rest of the traffic to a different downstream server, you can specify something like:

service@mycompany.com    10.1.1.1
mycompany.com            internal_mailserver.mycompany.com

Advanced Settings
The following settings are optional.
- Use this text instead of a host name in the SMTP banner: This setting allows you to customize the host name of the server that appears in the heading of the email messages relayed through this path. By default, the host name is used.
- Action for messages sent to email addresses that are not in your LDAP server: This setting allows you to designate a port for messages from email recipients who are not listed in your LDAP server.
- Reserve the following port: This setting is for any miscellaneous internal localhost to localhost communication between Email Security components.

- Enable StartTLS on this path: Select this check box if you want a secure internet connection for email. Dell SonicWALL Email Security uses Transport Layer Security (TLS) to provide the secure internet connection. When StartTLS is enabled, email can be sent and received over a secure socket. The source and destination email addresses and the entire message contents are all encrypted during transfer.
When finished configuring settings, click Apply to add an inbound path for this All in One server. The newly configured path will display in the Inbound Email Flow section.

Test Mail Servers
To test the inbound mail servers, click the Test Mail Servers button. A pop-up window will display with the test result status of the inbound mail servers.

Adding an Outbound Mail Server for All in One Architecture
From the System > Network Architecture > Server Configuration page, set the server to All in One configuration by choosing the radio button next to All in One. Then, click the Add Path button in the Outbound Email Flow section.

Source IP Contacting Path
This section allows you to specify the IP addresses of other systems that are allowed to connect to and relay outgoing mail. Select from the following:
- Any source IP address is allowed to connect to this path: Use this setting if you want any sending email server to be able to connect to this path and relay messages. Using this option could make your server an open relay.

Caution: You need to use this setting if you configure your Dell SonicWALL Email Security installation to listen for both inbound and outbound email traffic on the same IP address on port 25.

- Only these IP addresses can connect and relay through this path: Use this setting if you know the sending email server IP addresses and you do not want any other servers to connect. Separate multiple IP addresses with a comma.

Note: If your configuration is running in Split mode, and this path is on a remote analyzer, the control center must be able to connect and relay through this path.

Path Listens On
This section allows you to specify the IP addresses and port number on which this path listens for connections.
- Listen for all IP address on this port: This is the typical setting for most environments, as the service listens on the specified port using the machine's default IP address. The default port is 25.
- Listen only on this IP address and port: If you have multiple IP addresses configured on this machine, you can specify which IP address and port number to listen on.

Destination of Path
Destination of path allows you to choose whether to make a path through the Dell SonicWALL Email Security, or through one of the following:
- If Round robin is specified, email will be load-balanced by sending a portion of the email flow through each of the servers specified in the text box in round-robin order. All of the servers will process email all the time.
- If Fail over is specified, the first server listed will handle all email processing under normal operation. If the first server cannot be reached, email will be routed through the second server. If the second server cannot be reached, email will be routed through the third server, and so on.
- MTA with MX record routing: This setting configures this path to route messages by standard MX (Mail Exchange) records. To use this option, your DNS server must be configured to specify the MX records of your internal mail servers that need to receive the email.
- MTA with MX record routing (with exceptions): This setting configures this path to route messages by standard MX (Mail Exchange) records, except for the specified domains. For the specified domains, route messages directly to the listed IP address.

This section allows you to specify the destination server for incoming email traffic in this path.
- This is a Proxy. Pass all email to destination server: This setting configures the path to act as a proxy and relay messages to an upstream MTA. If the upstream server is unavailable, outgoing messages will not be accepted or queued.
- This is an MTA. Route email using SmartHost to destination server: This setting is similar to the This is a Proxy. Pass all email to destination option, except that outgoing messages are accepted and queued if the upstream MTA is unavailable.
- This is an MTA. Route email using SmartHost in Round-Robin or Failover mode to the following multiple destination servers: This setting is similar to the previous MTA option; however, outgoing messages can be routed to multiple upstream MTAs. If Round-Robin is selected, email is load-balanced by sending a portion of the email flow through each MTA listed in the text box. If Failover is selected, email is sent to the MTAs listed in the text box only if the upstream MTA is unavailable. Email is queued if all of the MTAs listed are unavailable.
- This is an MTA. Route email using MX record routing. Queue email if necessary: This setting routes any outbound email messages by standard MX (Mail Exchange) records.
- This is an MTA. Route email using MX record routing with these exceptions: This setting routes any outbound email messages by standard MX (Mail Exchange) records. However, email messages sent to the email addresses or domains in the table to the right are routed directly to the associated IP address or hostname. Messages are queued if necessary.

Advanced Settings
The following settings are optional.
- Use this text instead of a host name in the SMTP banner: This setting allows you to customize the host name of the server that appears in the heading of the email messages relayed through this path. By default, the host name is used.
- Reserve the following port: This setting allows you to designate a port for miscellaneous localhost to localhost communication between components.
- Enable StartTLS on this path: Select this check box if you want a secure internet connection for email. Dell SonicWALL Email Security uses Transport Layer Security (TLS) to provide the secure internet connection. Click the Configure StartTLS button to configure encrypted email communications.
When finished configuring settings, click Apply to add an outbound path for this All in One server.

Test Mail Servers
To test the inbound mail servers, click the Test Mail Servers button. A pop-up window will display with the test result status of the inbound mail servers.

Adding a Server for Split Architecture
Navigate to the System > Network Architecture > Server Configuration page. Then, complete the following to add a server for Split Architecture.
1. Set the server to Split configuration by choosing the radio button next to Split.
2. Next, select whether the server is the Remote Analyzer or Control Center. If you selected Control Center, select all that apply to the machine (Main Control Center, Search Engine Server, or Reporting Server).

3. Click Apply.

Adding a Remote Analyzer
Remember that you must add one or more Remote Analyzers to a Split Configuration. Remote Analyzers can process inbound messages, outbound messages, or both.
1. Click the Add Path button in the Server Configuration - Remote Analyzer section.
2. Enter the Remote Analyzer's hostname or IP address.
3. Enter the Remote Analyzer Server Address Port number.
4. If your network requires SSL, check the Requires SSL checkbox.
5. Click the Add button.

Note: If there is a high volume of network traffic, it might take some time before the new Remote Analyzer is displayed in the System > Network Architecture > Server Configuration window.

Any changes you make at the Control Center are propagated to the Remote Analyzers you just added. You can monitor their status on the Reports page as well.

Adding a Control Center
1. Click Add Path in the Control Center section of the Server Configuration window.
2. Enter the Control Center Hostname.
3. If feasible, use the default port number. If not, enter a new Control Center Server Address Port Number.
4. Click Add.

Configuring Inbound Email Flow for a Remote Analyzer
While logged into the Control Center, click the Add Path button next to the Inbound Remote Analyzer. An Add Inbound Path window appears. Follow the instructions in Adding an Inbound Mail Server for All in One Architecture on page 21.

Configuring Outbound Email Flow for a Remote Analyzer
While logged into the Control Center, click the Add Path button next to the Outbound Remote Analyzer. An Add Outbound Path window appears. Follow the instructions in Adding an Outbound Mail Server for All in One Architecture on page 25. Make sure that the Control Center can connect and relay email messages through this path (step 1 in the Add Outbound Path dialog).

Configuring Remote Analyzers to Communicate with Control Centers
After you have set up the Control Center, configure each Remote Analyzer so that it can communicate with its Control Center.
1. Log in to each server set up as a Remote Analyzer.
2. From the Server Configuration > Control Center section, click the Add Path button to identify from which Control Center this Remote Analyzer will accept instructions.
3. Enter the hostname of your Control Center. If your Control Center is a cluster, you must add each individual hostname as a valid Control Center.

Note: If your Control Center is a cluster, add each individual hostname as a valid Control Center by repeating steps 2-3.

Deleting a Remote Analyzer from a Split Configuration
Before deleting a Remote Analyzer, ensure there are no messages in the queue for quarantine:
1. Stop SMTP traffic to the Remote Analyzer by turning off the Email Security Service. Click Control Panel > Administrative Tools > Services > MlfASG Software > Stop.
2. After a few minutes, view the last entry in the mfe log on the Remote Analyzer log.
3. View the mfe log in the Control Center logs directory to ensure the last entry in the mfe log for the Remote Analyzer is there.
4. Turn off the ability of the associated email server to send mail to this Remote Analyzer, and/or point the associated email server to another installed and configured Remote Analyzer.

Testing the Mail Servers
Click the Test Mail Servers button. Email Security displays a window that indicates either a successful test or an unsuccessful test.

Note: It takes 15 seconds for the Dell SonicWALL Email Security to refresh its settings. If the first test fails, try the test again.

Changing from an All in One Configuration to a Split Configuration
There are only two situations that warrant changing your configuration:
- You are a current Dell SonicWALL Email Security customer running All in One architecture and want to upgrade to a Split Network configuration.
- You are a new customer and have incorrectly configured for All in One architecture and you want to configure for Split Network.

Configuring MTA
Navigate to the System > Network Architecture > MTA Configuration screen to configure the Mail Transfer Agent (MTA) settings. You can specify how the MTA will handle a case in which Email Security is unable to deliver a message right away. Note that most installations will not require any change to the MTA settings.

Mail Transfer Agent Settings
This section allows you to configure the Retry and Bounce intervals for the Mail Transfer Agent.

Delivery
Messages are bounced if the recipient domain returns a permanent failure (5xx error code). In the case of transient failures (4xx error codes, indicating a delay), the MTA will retry delivery of the message periodically based on the schedule specified in the Retry interval field. Delayed messages that cannot be delivered within the time period specified in the Bounce after field will be bounced; no further attempts will be made to deliver them. Choose to Ignore 8-bit Mime encoded content by selecting the Off or On radio button. Click Save when finished configuring the Mail Transfer Agent Settings.

Non-Delivery Reports (NDR)
When an email cannot be sent due to either a transient delay or a permanent failure, the sender may receive a notification email, or a Non-Delivery Report (NDR), describing the failure. Administrators can use this pane to customize the schedule and contents of those notification emails.

Transient Failure Settings
To enable Transient NDR, select the Send NDR for transient failures check box. Specify the interval (days, hours, minutes) at which notifications are sent, the email address and sender name (for example, ericsmith@example.com and "Eric Smith"), a customized subject line for the NDR (for example, "Delay in sending your email"), and a customized body for the NDR.

Permanent Failure Settings
Enter an email address and a name from which NDRs will be sent (for example, ericsmith@example.com and "Eric Smith"), a customized subject line for the NDR (for example, "Your email could not be sent"), and a customized body for the NDR. Note that Permanent Failure Settings cannot be disabled.

General Settings
All NDRs include a diagnostic report about the problem that prevented delivery, including the headers of the original message. Permanent NDRs may optionally have the contents of the original message attached. To enable the option to Attach original message to the NDR, select the check box.

When finished configuring this section, click Save.

Customized Fields
Certain fields in the subject line, body, and sender of the DSN can be specified by the administrator:
- $subject: the subject of the original email
- $hostname: the hostname from which the NDR is sent
- $originator: the sender of the original email
- $recipient: the intended recipient of the original email
- $timequeued: the time at which the original email was queued
- $date: the current date
- $retryafter: the interval at which delivery of delayed emails is retried
- $bounceafter: the time after which delivery attempts will cease for delayed emails
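The Delivery rules and the customized NDR fields fit together as follows. This is an added example, not Dell SonicWALL code: the function names are hypothetical, Python's string.Template stands in for the product's own field substitution, and the templates are the example sender, subject and body this guide gives. Because $subject and $originator come from the original message, the sketch collapses line breaks before placing values in the sender and subject.

```python
from string import Template

# Field names from the Customized Fields list.
NDR_FIELDS = {"subject", "hostname", "originator", "recipient",
              "timequeued", "date", "retryafter", "bounceafter"}

EXAMPLE_SENDER = "postmaster@$hostname"
EXAMPLE_SUBJECT = "Delivery Status Notification (re: $subject)"
EXAMPLE_BODY = ("Your email from $originator regarding $subject has bounced. "
                "It was sent on $timequeued to $recipient. "
                "No further attempts at delivery will be made. Have a nice day!")


def delivery_action(reply_code, seconds_queued, bounce_after_seconds):
    """Map an SMTP reply code to 'delivered', 'retry' or 'bounce'."""
    if 200 <= reply_code <= 299:
        return "delivered"
    if 400 <= reply_code <= 499:
        # Transient failure: retry until the Bounce after period has elapsed.
        return "bounce" if seconds_queued >= bounce_after_seconds else "retry"
    if 500 <= reply_code <= 599:
        return "bounce"              # permanent failure
    raise ValueError(f"unexpected SMTP reply code: {reply_code}")


def one_line(value):
    """Collapse CR/LF and other whitespace runs so a value stays on one header line."""
    return " ".join(str(value).split())


def render_ndr(fields, sender=EXAMPLE_SENDER, subject=EXAMPLE_SUBJECT, body=EXAMPLE_BODY):
    """Fill the templates; raises KeyError for unknown or missing fields."""
    unknown = set(fields) - NDR_FIELDS
    if unknown:
        raise KeyError(f"not an NDR field: {sorted(unknown)}")
    header_values = {name: one_line(value) for name, value in fields.items()}
    return {
        "sender": Template(sender).substitute(header_values),
        "subject": Template(subject).substitute(header_values),
        "body": Template(body).substitute(fields),
    }


def ndr_for_attempt(reply_code, seconds_queued, bounce_after_seconds, fields):
    """Return the rendered permanent NDR when the message bounces, else None."""
    if delivery_action(reply_code, seconds_queued, bounce_after_seconds) != "bounce":
        return None
    return render_ndr(fields)


# Constructed sample values; the subject carries an embedded line break.
SAMPLE_FIELDS = {
    "subject": "Quarterly report\r\nBcc: third-party@example.net",
    "hostname": "smtp.mycompany.com",
    "originator": "ericsmith@example.com",
    "recipient": "joe@example.net",
    "timequeued": "2015-03-02 09:15",
}

if __name__ == "__main__":
    five_days = 5 * 24 * 3600        # assumed Bounce after value for the demo
    print(ndr_for_attempt(451, 3600, five_days, SAMPLE_FIELDS))   # still retrying
    print(ndr_for_attempt(550, 0, five_days, SAMPLE_FIELDS))
```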

Example Sender
postmaster@$hostname

Example Subject
Delivery Status Notification (re: $subject)

Example Body
Your email from $originator regarding $subject has bounced. It was sent on $timequeued to $recipient. No further attempts at delivery will be made. Have a nice day!

Note: Some mail servers, such as Microsoft Exchange, may send their own NDRs or rewrite the contents of NDRs sent from other products. Please see the Administrator's Guide for information on integrating this product's NDR functionality with Microsoft Exchange.

Email Address Rewriting
Use this dialog to rewrite email addresses for inbound or outbound emails. These operations affect only the email envelope (the RFC 2821 fields); the email headers are not affected in any way. For inbound email, the To field (the RCPT TO field) is rewritten. For outbound email, the From field (the MAIL FROM field) is rewritten. Select the Inbound or Outbound tab, then click the Add New Rewrite Operation button.

Enable this Rewrite Operation
Select this check box to enable the new rewrite operation.

Type of Operation
Enter the text that triggers the rewrite operation in the Original RCPT TO envelope address text field. For example, if you want to rewrite a domain from corp.example.net, enter corp.example.com in this section.

The following operations are possible:

- If Exact Match is selected, the operation is triggered by the exact email address (including the domain). The full email address is rewritten. For example, an email sent to billy@corp.example.com could be rewritten so that the address is mandy@example.net.
- If Starts With is selected, the operation is triggered when the starting characters of the full email address (including the domain) match the characters specified. The entire email address including the domain is replaced. For example, if the operation is intended to be triggered by email addresses that start with billy@corp, an email sent to billy@corp.example.net could be rewritten so that the address was mandy@sales.example.com.
- If Ends With is selected, the operation is triggered when the ending characters of the full email address (including the domain) match the characters specified. The entire email address including the domain is replaced. For example, if the operation is intended to be triggered by email addresses that end with .com, an email sent to billy@example.com could be rewritten so that the address was mandy@corp.example.net.
- If Domain is selected, the operation is triggered by a particular email domain. The operation rewrites only the domain portion of the email address. For example, an email sent to joe@corp.example.com could be rewritten so that the address is joe@example.net. If an asterisk, *, is entered, all domains are matched, and the rewrite operation will be triggered by any domain.
- If LDAP Rewrite to Primary is selected, the operation is applied to every inbound email. The operation rewrites the entire email address to be the primary mail attribute in LDAP. For example, an email sent to joe@corp.example.com could be rewritten so that the address is joe@example.com.
- If LDAP Email List Expansion is selected, the operation is triggered by the email list you select. Click the Select Email List button to choose an email list to expand. This operation replaces the email list in the envelope with a RCPT TO header for each member of the list. For example, an email sent to sysadmins@corp.example.com could be rewritten so that the addresses in the envelope are joe@example.com, sue@example.com, and malcom@example.com.

Perform the following actions
Enter the text that triggers the rewrite operation in the Rewrite entire RCPT TO envelope address to be text field. For example, if you want to rewrite a domain from example.com to be example.net, enter example.net here.

Name of Rewrite Operation
Enter a descriptive name for the operation you are creating here.

When finished configuring the Email Address Rewrite Option, click the Save This Rewrite Operation button. The new operation appears on the respective Inbound or Outbound tab.

Trusted Networks

When the Email Security receives email messages from an upstream server that uses a nonreserved or public IP address, the GRID Network effectiveness may degrade. To avoid this degradation on the GRID Network, users can put public IP addresses on a privatized list.

To add IP addresses to a Trusted Network, click the Add Server button. In the box that displays, type in the IP addresses you want to add, then click Save. The IP addresses appear on the Server List.
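The Exact Match, Starts With, Ends With and Domain operations from the Email Address Rewriting section above, modelled as an added example (not Dell SonicWALL code) so that a rule set can be reviewed before it is saved. Case-insensitive matching, first-match-wins ordering, and every class, function and address below are assumptions or constructed values; the audit helper shows how a broad Ends With trigger funnels unrelated recipients into one mailbox.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RewriteOp:
    name: str
    kind: str          # "exact", "starts_with", "ends_with" or "domain"
    trigger: str       # text that triggers the operation
    replacement: str   # full address, or only a domain when kind == "domain"
    enabled: bool = True


@dataclass
class Message:
    mail_from: str                                # envelope MAIL FROM
    rcpt_to: list                                 # envelope RCPT TO addresses
    headers: dict = field(default_factory=dict)   # never touched by a rewrite


def rewrite_address(addr, op):
    """Return the rewritten envelope address, or addr unchanged if op does not trigger."""
    if not op.enabled:
        return addr
    a, t = addr.lower(), op.trigger.lower()   # assumption: case-insensitive match
    if op.kind == "exact":
        hit = a == t
    elif op.kind == "starts_with":
        hit = a.startswith(t)
    elif op.kind == "ends_with":
        hit = a.endswith(t)
    elif op.kind == "domain":
        # Only the domain part is replaced; "*" matches every domain.
        local, at, domain = addr.rpartition("@")
        if at and (t == "*" or domain.lower() == t):
            return f"{local}@{op.replacement}"
        return addr
    else:
        raise ValueError(f"unknown operation type: {op.kind}")
    # Exact / Starts With / Ends With replace the whole address.
    return op.replacement if hit else addr


def apply_rewrites(msg, ops, direction):
    """Inbound rewrites RCPT TO, outbound rewrites MAIL FROM; headers are copied as-is."""
    def first_match(addr):
        for op in ops:                 # assumption: the first triggering rule wins
            new = rewrite_address(addr, op)
            if new != addr:
                return new
        return addr

    if direction == "inbound":
        return Message(msg.mail_from, [first_match(r) for r in msg.rcpt_to], dict(msg.headers))
    if direction == "outbound":
        return Message(first_match(msg.mail_from), list(msg.rcpt_to), dict(msg.headers))
    raise ValueError("direction must be 'inbound' or 'outbound'")


def captured_by(op, addresses):
    """Audit helper: which of the given addresses would this operation rewrite?"""
    return [a for a in addresses if rewrite_address(a, op) != a]


# Constructed rule set using the addresses from the guide's own examples.
OPS = [
    RewriteOp("billy exact", "exact", "billy@corp.example.com", "mandy@example.net"),
    RewriteOp("corp domain", "domain", "corp.example.com", "example.net"),
    RewriteOp("catch .com", "ends_with", ".com", "mandy@corp.example.net"),
]

if __name__ == "__main__":
    msg = Message(
        "sender@partner.example",
        ["billy@corp.example.com", "joe@corp.example.com", "sue@example.com"],
        {"To": "billy@corp.example.com"},
    )
    out = apply_rewrites(msg, OPS, "inbound")
    print(out.rcpt_to, out.headers)
    print("Ends With '.com' captures:", captured_by(OPS[2], msg.rcpt_to))
```

Running `captured_by` over a sample of real recipient addresses before enabling a Starts With or Ends With rule shows how much mail the rule would redirect.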

LDAP Configuration

Dell SonicWALL Email Security uses Lightweight Directory Access Protocol (LDAP) to integrate with your organization's email environment. LDAP is an Internet protocol that email programs use to look up users' contact information from a server. As users and email distribution lists are defined in your mail server, this information is automatically reflected in Email Security in real time.

Many enterprise networks use directory servers like Active Directory or Lotus Domino to manage user information. These directory servers support LDAP, and Email Security can automatically get user information from these directories using LDAP. You can run Dell SonicWALL Email Security without access to an LDAP server as well. If your organization does not use a directory server, users cannot access their Junk Boxes, and all inbound email is managed by the message-management settings defined by the administrator.

Dell SonicWALL Email Security uses the following data from your mail environment:

- Login Name and Password: When a user attempts to log into the Email Security server, their login name and password are verified against the mail server using LDAP authentication. Therefore, changes made to the usernames and passwords are automatically uploaded to Dell SonicWALL Email Security in real time.
- Multiple Email Aliases: If your organization allows users to have multiple email aliases, Email Security ensures any individual settings defined for the user extend to all the user's email aliases. This means that junk sent to those aliases aggregates into the same folder.
- Email Groups or Distribution Lists: Email groups or distribution lists in your organization are imported into Dell SonicWALL Email Security. You can manage the settings for the distribution list in the same way as a user's settings.

LDAP groups allow you to assign roles to user groups and set spam-blocking options for user groups.

Configuring LDAP

Navigate to the System > LDAP Configuration screen to configure your Email Security solution for username and password authentication for all employees in the enterprise.

Dell SonicWALL recommends completing the LDAP configuration to get the complete list of users who are allowed to log in to their Junk Box. If a user does not appear in the User list in the User & Group screen, their email will be filtered, but they cannot view their personal Junk Box or change default message management settings.

Enter the server information and login information to test the connection to the LDAP server.

1. Click the Add Server button to add a new LDAP Server. Configuring the LDAP server is essential to enabling per-user access and management. These settings are limited according to the preferences set in the User Management pane. See User View Setup on page 42 for details.
2. The following checkboxes appear under the Settings section:
   - Show Enhanced LDAP Mappings fields: Select this option for Enhanced LDAP, or LDAP Redundancy. You will have to specify the Secondary Server IP address and Port number.
   - Auto-fill LDAP Query fields when saving configurations: Select this option to automatically fill the LDAP Query fields upon saving.

3. Enter the following information under the LDAP Server Configuration section:
   - Friendly Name: The friendly name for your LDAP server.
   - Primary Server Name or IP address: The DNS name or IP address of your LDAP server. (Configuration checklist parameter M)
   - Port number: The TCP port running the LDAP service. The default LDAP port is 389. (Configuration checklist parameter N)
   - LDAP server type: Choose the appropriate type of LDAP server from the dropdown list.
   - LDAP page size: Specify the maximum page size to be queried. The default size is 100.
   - Requires SSL: Select this check box if your server requires a secured connection.
   - Allow LDAP referrals: Leaving this option unchecked will disable LDAP referrals and speed up logins. You may select this option if your organization has multiple LDAP servers in which the LDAP server can delegate parts of a request for information to other LDAP servers that may have more information.
4. In the Authentication Method section, specify if the LDAP login method for your server is by Anonymous Bind or Login. Specify the Login name and Password. This may be a regular user on the network, and typically does not have to be a network administrator. (Configuration checklist parameter O and P)

   Note: Some LDAP servers allow any user to acquire a list of valid email addresses. This state of allowing full access to anybody who asks is called Anonymous Bind. In contrast to Anonymous Bind, most LDAP servers, such as Microsoft's Active Directory, require a valid username/password in order to get the list of valid email addresses.
5. Click the Test LDAP Login button. A successful test indicates a simple connection was made to the LDAP server. If you are using anonymous bind access, be aware that even if the connection is successful, anonymous bind privileges might not be high enough to retrieve the data required by Dell SonicWALL Email Security.
6. Click Save Changes.

LDAP Query Panel

To access the LDAP Query Panel settings window, click the Friendly Name link or the Edit button of the server you wish to configure. If the Auto-fill LDAP Query Fields checkbox is selected in the Settings section, the following fields will be automatically filled in with default values after the basic configuration steps are completed.

Configuring Query Information for LDAP Users

1. Enter values for the following fields:
   - Directory node to begin search: The node of the LDAP directory to start a search for users. (Configuration checklist parameter Q)
   - Filter: The LDAP filter used to retrieve users from the directory.
   - User login name attribute: The LDAP attribute that corresponds to the user ID.
   - Email alias attribute: The LDAP attribute that corresponds to email aliases.
   - Use SMTP addresses only: Select the checkbox to enable the use of SMTP addresses.
2. Click the Test User Query button to verify that the configuration is correct.
3. Click Save Changes to save and apply all changes made.

Note: Click the Auto-fill User Fields button to have Dell SonicWALL Email Security automatically complete the remainder of this section.

Configuring LDAP Settings for Groups

1. Enter values for the following fields:
   - Directory node to begin search: The node of the LDAP directory to start a search for users. (Configuration checklist parameter Q)
   - Filter: The LDAP filter used to retrieve groups from the directory.
   - Group name attribute: The LDAP attribute that corresponds to group names.
   - Group members attribute: The LDAP attribute that corresponds to group members.
   - User member attribute: The LDAP attribute, inside each user's entry in LDAP, that lists the groups or mailing lists that this user is a member of.
2. Click the Test User Query button to verify that the configuration is correct.
3. Click Save Changes to save and apply all changes made.

Note: Click the Auto-fill Group Fields button to have Dell SonicWALL Email Security automatically complete the remainder of this section. If you have a large number of user mailboxes, applying these changes could take several minutes.

Add LDAP Mappings

On some LDAP servers, such as Lotus Domino, some valid addresses do not appear in LDAP. Use this section with LDAP servers that only store the local or user portion of the email addresses. Click the View Rules button. The LDAP Mappings screen displays:

Domain Mappings

- Domain: Choose this option from the first dropdown menu to add additional mappings from one domain to another.
- Replace with: If this option is chosen from the second dropdown menu, then the domain is replaced. For example, if the Domain is engr.corp.com and it is replaced with corp.com, then mail addressed to anybody@engr.corp.com is instead sent to anybody@corp.com.
- Also add: If this option is chosen from the second dropdown menu, then when the first domain is found, the second domain is added to the list of valid domains. For example, if engr.corp.com is the first domain and sales.corps.com is the second, then when the domain engr.corp.com is found in the list of valid LDAP domains, sales.corps.com is also added to that list.

Character Substitutions

- Left hand side character is: Choose this option from the first dropdown menu to add character substitution mappings.
- Replace with: If this option is chosen from the second dropdown menu, then the character is replaced in all characters to the left of the @ sign in the email address. For example, if the space character is the first character, and - is the second character, then an email addressed to Colin Brown@corp.com would be sent to Colin-Brown@corp.com.
- Also add: If this option is chosen from the second dropdown menu, then a second email address is added to the list of valid email addresses. For example, if - is the first character, and . is the second character, then if Obi-W-Kenobi@corp.com is a valid email address, the address Obi.W.Kenobi@corp.com would also be considered a valid email address.

Note: This screen does not make changes to your LDAP system or rewrite any email addresses; it only makes changes to the way Dell SonicWALL Email Security interprets certain email addresses.

Multiple LDAP Server Support

Dell SonicWALL Email Security allows administrators to set different filters and rules for each LDAP server. In very large organizations, multiple LDAP servers can feed one Email Security instance. The following table describes the actions that can be taken on a group, domain, or global level.

Function                               Domain/OU   LDAP Group   Global
Directory Harvest Attack prevention    Y           -            Y
Policy                                 Y           Y            Y
Reporting                              Y           -            Y
Roles                                  -           Y            Y
Settings                               Y*          Y            Y

Configuring Email Security for Multiple LDAP Servers

The LDAP configuration page allows administrators to configure more than one LDAP server. All LDAP servers are listed. For each LDAP server, you can edit or delete it without affecting the connection of other LDAP servers.

To add an LDAP server:

1. Log in as the Email Security administrator.
2. Click System and then LDAP Configuration.
3. Click the Add Server button.
4. Fill in the connection information for the LDAP server you wish to add. Be sure to give it a unique friendly name so that you can easily identify it in the list of servers.
5. When you are finished, click Save Changes. Use the test button to confirm that the LDAP server is properly connected and configured.

Administering Multi-LDAP Environments

Administrators must log into a specific domain unless they are the Dell SonicWALL Email Security administrator. Once a domain administrator is logged in, he or she can modify the Email Security settings for the domain, including the anti-spam settings.

The Email Security administrator can see all the LDAP servers attached to Dell SonicWALL Email Security. This administrator logs in with no domain specified.

Editing LDAP Connection Information

The Email Security administrator configures multiple domains. To edit the settings of an existing LDAP server:

1. Log in as the Email Security administrator.
2. Navigate to the System > LDAP Configuration page.
3. Click the server name link or the Edit (pencil) button associated with the friendly name of the LDAP server you want to change.
4. Edit the details of the LDAP server using the information you have collected.
5. In the Global Configurations section, you can enter aliases for your pseudo-domains. In this example, the administrator can configure aliases (on the right side) to correspond with the pseudo-domain. Aliases must be unique and can consist of lowercase alpha-numeric characters and underscores. Aliases are separated by commas. If you set an alias to the domain name, users can log in using their email address.
6. In the Settings subsection, choose whether you want the domains to appear in the login dropdown box. If this box is checked, all users will be able to see all domains. If it remains unchecked, users must log in with their fully-qualified login, such as user@sonicwall.com. You can also choose how often SonicWALL ES refreshes the LDAP usermap.
7. When you are done, click Apply Changes and use the test button to confirm that the LDAP server is properly connected and configured.

User View Setup

Configure how the end users of the Email Security solution access the system and what capabilities of the solution are exposed to the end users on the System > User View Setup page.

To set up System > User View Setup, follow the procedures below:

1. Select which items appear in the User Navigation Toolbar:
   - Select the Login enabled checkbox to allow users to log into Email Security and have access to their per-user Junk Box. If you disable this, mail will still be analyzed and quarantined, but users will not have access to their Junk Box.
   - Select the Anti-Spam Techniques checkbox to include the user-configurable options available for blocking spam emails. Users can customize the categories People, Companies, and Lists into their personal Allowed and Blocked lists. You can choose to grant users full control over these settings by selecting the Full user control over antispam aggressiveness settings checkbox, or force them to accept the corporate aggressiveness defaults by leaving the checkbox empty.
   - Select the Reports checkbox to provide junk email blocking information about your organization. Even if this option is checked, users may view only a small subset of the reports available to administrators.
   - Select the Settings checkbox to provide options for management of the user's Junk Box, including individual Spam Management.
2. Determine the User Download Settings:
   - With the Allow users to download SonicWALL Junk Button for Outlook checkbox selected, users will be able to download the Email Security Junk Button for Outlook. The Junk Button is a lightweight plugin for Microsoft Outlook. It allows users to mark emails they receive as junk, but does not filter email.
   - With the Allow users to download SonicWALL Anti-Spam Desktop for Outlook and Outlook Express checkbox selected, users will be able to download the Anti-Spam Desktop. Anti-Spam Desktop is a plugin for Microsoft Outlook and Outlook Express that filters spam and allows users to mark emails they receive as junk or good email.
3. Determine the settings for Quarantined Junk Mail Preview Settings:
   - Select the Users can preview their own quarantined junk mail checkbox to enable users to view their individual mail that is junked.
   - Choose which other types of users can preview quarantined junk mail. These roles are configured within Dell SonicWALL Email Security.
4. Users are not usually shown reports which include information about users, such as email addresses. Select the Reports view settings checkbox to give user access to those reports.
5. Determine the Miscellaneous Settings:
   - Enter an Optional login help URL. An administrator can specify a URL for any customized help web page for users to view on the Login screen. If no URL is entered, Email Security provides a default login help screen. If a URL is entered, that page is launched when the user clicks the Login Help link.
   - Select the Show Forgot Your Password Link checkbox to enable this feature for users.
6. Click Apply Changes.

Updates

Dell SonicWALL Email Security uses collaborative techniques as one of many tools to block junk messages. The collaborative database incorporates thumbprints of junked email from Dell SonicWALL Anti-Spam Desktop and users. Your server uses the HTTP protocol to communicate with a data center hosted by us to download data used to block spam, phishing, viruses, and other evolving threats.

Navigate to the System > Updates page to configure settings for updates to the Email Security service.

General Settings

- Check for Spam, Phishing, and Virus Blocking Updates: Select how often your Dell SonicWALL Email Security appliance contacts the data center to check for updates. The recommended frequency is 20 minutes. Setting this value too low generates unnecessary HTTP traffic, may adversely affect the performance of your Email Security appliance or software, and will not improve junk blocking effectiveness. Setting this value too high may result in less frequent updates, also causing junk blocking to be less effective.
- Submit Unjunk Thumbprints: This is an optional checkbox that submits thumbprints to the data center when a user unjunks a message. Thumbprints sent from the Dell SonicWALL Email Security appliance contribute to the collaborative community by improving junk-blocking accuracy. Note that these thumbprints contain no readable information.
- Submit Generic Spam Blocking Data: This is an optional checkbox that sends generic spam-blocking data to the data center to assist in customer support and to help improve spam blocking. No emails, email content, header information, or any other uniquely identifiable information is ever sent.

Web Proxy Configuration

When your server contacts the data center to download data, it uses the HTTP protocol. If your organization routes HTTP traffic through a proxy, you can specify the proxy server in this section. If your organization routes HTTP traffic through a proxy which requires basic authentication, enter the Username and Password to configure the Email Security solution to authenticate with the HTTP proxy server automatically.

When finished configuring the Updates settings, click the Apply Changes button. Click the Test Connectivity button to verify that you are successfully connected to the Data Center.

Monitoring

The System > Monitoring screen allows you to configure system monitoring settings and alerts. Note that some of these fields may be pre-defined based on the information provided upon initial setup of the Dell SonicWALL Email Security.

The Monitoring page is also used to set up the postmaster for the MTA. If Email Security has been configured to be an MTA, enter the email address to which postmaster notifications generated by the MTA should be sent. Notifications are not sent more than once every ten minutes.

If you are running Dell SonicWALL Email Security in split mode, and you route outbound email through the Email Security, you must enter the IP addresses or fully-qualified domain names of any Remote Analyzers through which outbound email is routed in this text box on the Control Center.

Configure System Monitoring

The following settings are available for configuration:

- Email address of the administrator who receives emergency alerts: The email address of the mail server administrator. Enter the complete email address. For example, user@example.com.
- Email address of administrator who receives outbound quarantine notifications: The email address of the administrator who receives notifications when an outbound message has been quarantined. Notifications are not sent more than once every ten minutes. If this field is left blank, notifications are not sent.
- Postmaster for the MTA: The email address that receives notifications generated by the MTA.
- Name or IP address of backup SMTP servers: Enter the name or IP address of one or more SMTP servers that can be used as fallback servers to send alerts to if the configured downstream email server(s) cannot be contacted. For example, mail2.example.com or 10.100.0.1.
- Customized Signature: Enter a signature to append at the end of your email messages.
- View Alerts: Click this button to view all configured alerts. See Viewing Alerts on page 47 for more information.
- Test Fallbacks: Click this button to test the name or IP address(es) listed as backup SMTP servers.

Viewing Alerts

Under the Configuring System Monitoring section of the System > Monitoring page, you can also click the View Alerts button to see the Alert history for a specific Host. Alerts in Email Security provide the following details:

- A time stamp
  - In local time
  - In GMT
- The severity of the alert, which is one of the following:
  - Info
  - Warning
  - Critical
- The domain to which the alert applies
- A summary of the alert
- Details that include the following:
  - Host Name
  - Two to three lines of description of an alert or trigger
  - A trigger message if available

If available, the alert will also include the following:

- Recommended action with possible suggestions on a next step
- An alerts configuration page
- General alert settings

You may apply a severity filter to better assist you in viewing the alerts. Select the checkbox(es) for the alerts you want to view, then click Apply Filter.

Alert Suppression Schedule

To turn off alerts during a product maintenance window, suppress alerts for a short period of time by clicking the Schedule Alert Suppression button.

1. Select from the dropdown list the host for which you want to suppress alerts.
2. Select the severity of alerts to suppress from the dropdown list. The following options are available: Info Alerts, Info + Warning Alerts, and Info + Warning + Critical Alerts.
3. Set the Start time and End time.
4. Enter Your name.
5. Enter the Reason for suppressing alerts.
6. Click Submit to finish setting an alert suppression schedule.

System Logging Facility

This section allows you to configure system logging (syslog).

Setting the Severity Level

Choosing a severity means that messages of that severity and higher are sent to the syslog. For example, choosing the default level of SYSLOG_ALERT means that only messages of SYSLOG_ALERT and SYSLOG_EMERGENCY are sent to the syslog.

Note: The severity level chosen for the syslog is not related to the log level chosen for Email Security logging on the System > Advanced page.

Choose one of the syslog levels listed below (shown in order of decreasing severity). Note that logging lower severity messages means more data is logged.

- SYSLOG_EMERGENCY: The system is unusable. Because this is the highest on the severity scale, this level minimizes the amount of logging.
- SYSLOG_ALERT: Action must be taken immediately. This is the default severity level for the syslog.
- SYSLOG_CRITICAL: Critical conditions.
- SYSLOG_ERROR: Error conditions.
- SYSLOG_WARNING: Warning conditions.
- SYSLOG_NOTICE: Normal, but significant conditions.
- SYSLOG_INFORMATIONAL: Informational messages.
- SYSLOG_DEBUG: Debug-level messages. Because this is the lowest on the severity scale, this level maximizes the amount of logging.

Local and Remote Storage

- Local: Select the Local checkbox to write syslogs to the Dell SonicWALL Email Security server. For Windows software installations of Email Security, syslogs are written to the Windows Event Viewer. For Email Security appliances, syslogs are written to files on the Dell SonicWALL Email Security server. For appliances, syslog files may be downloaded from the System > Advanced page.
- Remote: Select the Remote checkbox to send syslogs to remote servers. Specify the IP addresses and ports of one or two servers to receive syslog messages. Port 514 is the recommended port for syslog. Note that the second server is not a fallback server.

If both checkboxes are selected, syslogs are written locally and sent to both remote servers. If neither box is selected, syslogs are not written anywhere.

Send Message Details

Select this checkbox to send information about every email that passes through your Dell SonicWALL Email Security servers to the syslog. This option is only available if the syslog severity chosen is one of the lowest two levels, SYSLOG_INFO or SYSLOG_DEBUG.

Caution: If you receive a lot of email, this can result in a very large amount of data being sent to the syslog.

Connection Management

Dell SonicWALL Email Security uses collaborative techniques as one of many tools to block junk messages. The collaborative database incorporates thumbprints of junked email from Dell SonicWALL Anti-Spam Desktop and users. Your server uses the HTTP protocol to communicate with a data center hosted by us to download data used to block spam, phishing, viruses, and other evolving threats.

The System > Connection Management screen includes the following subsections:

- Intrusion Prevention: Protection against Denial of Service (DoS) attacks, Directory Harvest Attacks (DHA), and invalid email addresses.
- Quality of Service: Enables a greater control over the server connection from suspicious clients.

Intrusion Prevention

From the System > Connection Management screen, navigate to the Intrusion Prevention section. Note that your LDAP must be configured before Directory Protection can be configured. The following sections describe how to configure the Intrusion Prevention components:

- Directory Harvest Attack (DHA) Protection on page 51
- Denial of Service (DoS) Attack Protection on page 53

Directory Harvest Attack (DHA) Protection

Spammers not only threaten your network with junk mail, they also stage Directory Harvest Attacks (DHA) to get a list of all users in an organization's directory. DHA makes unprotected organizations vulnerable to increased attacks on their email and other data systems.

DHA can threaten your network in the following ways:

- Expose the users in your directory to spammers: The people at your organization need their privacy in order to be effective. To expose them to malicious hackers puts them and the organization at significant risk from a variety of sources.
- Users whose email addresses have been harvested are at risk: Once a malicious hacker knows their email, users are at risk for being spoofed: someone can try to impersonate their email identity. In addition, exposed users can be vulnerable to spoofing by others. IT departments routinely receive email from people pretending to be providing upstream services, such as DNS services.
- Expose users to phishing: Exposed users can be targeted to receive fraudulent email. Some receive legitimate-appearing email from banks or credit cards asking for personal or financial information. Some exposed users have been blackmailed; Reuters reported cases where users were told if they did not pay up, their computers would be infected with viruses or pornographic material.
- Expose your organization to Denial of Service Attacks: DHA can lead to denial of service attacks because malicious hackers can send lots of information to valid email addresses in an effort to overwhelm the capacity of your mail server.
- Expose your organization to viruses: DHA provides a highly effective means of delivering virus-infected email to users.

- Exposes users to fraudulent email masquerading as good email: Directory Harvest Attacks can perpetuate fraudulent email messages by giving malicious hackers the ability to target your users individually and by name.

The following table lists and describes the available actions for messages sent to email addresses that are not in your LDAP server:

Setting: Directory Harvest Attack (DHA) Protection Off. Processes all messages the same (whether or not email address is in LDAP). No action is taken on messages.
Result: No directory protection.

Setting: Permanently Delete. All email messages addressed to users not in the organization's directory are permanently deleted.
Result: The sender does not receive notification about the email they have sent. This option can lead to permanently deleting legitimate mail with a typographical error in the address.

Setting: Reject Invalid Email Addresses (Tarpitting). SMTP clients that specify invalid recipients are tarpitted.
Result: Responses to invalid recipient commands are delayed for some time period to slow down the rate that they can attack an organization's mail system. Warning: Enabling tarpitting protection uses your system resources (CPU, memory) that may slow down your server.

Setting: Always Store in Junk Box (regardless of spam rating). Email that is sent to an invalid address is stored in the Junk Box. Email Security does not process the email to determine if it is spam or another form of unwanted email.
Result: Email Security recommends this option to protect the confidentiality of your directory population.

The following table lists and describes the available actions for DHA protection to recipient domains:

Option: Apply to all recipient domains. SonicWALL recommends that most organizations choose Apply to all recipient domains.
Result: Applies DHA protection to all recipient domains.

Option: Apply only to the recipient domains listed below.
Result: Applies DHA protection to the recipient domain(s) listed.

Option: Apply to all recipient domains except those listed below.
Result: Applies DHA protection to all recipient domains except for those listed.

Denial of Service (DoS) Attack Protection

A Denial of Service (DoS) attack aims at preventing authorized access to a system resource or delaying system operations and functions for legitimate users. The Denial of Service Attack Protection adds an extra level of security to thwart an attack.

DoS attacks can threaten your network in the following ways:

- Bandwidth consumption: The available bandwidth of a network is flooded with junk mail addressed to invalid recipients.
- Resource starvation: The mail servers of an organization are overwhelmed trying to process the increased volume of messages coming from infected computers, which causes the mail servers to run out of resources (CPU, memory, storage space).
To configure Denial of Service (DoS) attack protection, follow the procedures listed below:

1. Navigate to the System > Connection Management screen.
2. Select the Enable DoS protection checkbox. Read and acknowledge the warning. To use the DoS Attack Protection feature, your Dell SonicWALL Email Security appliance must be the first destination for incoming messages. If you are routing mail to your Email Security appliance from an internal mail server or using an MTA, do not use DoS Attack Protection.
3. Specify the trigger by selecting the number of connections to allow from a given IP address.
4. Specify the action to take by selecting either of the following:
   - Deferral for a set period of time
   - Completely block all further connections
5. Click the Apply Changes button.

Quality of Service

From the System > Connection Management screen, navigate to the Quality of Service section. The following sections describe how to configure the Quality of Service components:

- Throttling on page 54
- Connections on page 54
- Messages on page 55
- Miscellaneous on page 55

Throttling

This section allows you to set specific thresholds to limit the sending ability of suspicious clients by limiting offensive IP addresses. Some examples of thresholds include:

- one connection per hour
- one message per minute for the next 24 hours
- ten recipients per message

To configure the Throttling feature from the System > Connection Management screen, follow the procedures below:

1. Select the Enable Throttling checkbox.
2. Specify the Trigger:
   - Specify the number of connections, messages, or the number of recipients from a given IP address
   - Specify the percentage of invalid emails to recipients. This setting only applies to recipient commands
3. Specify an action to take:
   - Deferral for a set period of time
   - Completely block all further connections
   - Limit a number of connections, messages, or recipients, for a number of minutes over a range of time
4. Click the Apply Changes button.

Note: Some scenarios can be implemented with either Denial of Service Attack Protection or Throttling settings. You can choose to throttle mail from clients above one threshold and choose to block clients above a second threshold.

Connections

The Connections section allows you to impose a limit on the number of simultaneous inbound and outbound connections that your Email Security server can accept.

On the inbound path, this value limits the number of simultaneous connections external hosts can make to the Email Security appliance or software. On the outbound path, this value limits the number of simultaneous connections internal hosts can make to the Email Security to deliver messages. When the connections limit is exceeded, the Email Security sends a transient failure message (421 error code). Specify the Limit number of inbound / outbound connections in the fields provided.

Messages

The Messages section allows you to limit messages based on message characteristics, such as message size and number of recipients. If too many recipients are specified in a message, the Email Security sends a transient failure message (4xx error code). If the message size limit is exceeded, the Email Security sends a permanent failure message (5xx error code). Specify the Limit number of recipients and Limit message size (in bytes) in the fields provided. These values apply to both inbound and outbound paths.

Miscellaneous

The Miscellaneous section allows you to enable certain connection management settings, such as Bounce Address Tag Validation, Greylisting, and GRID Network IP reputation.

Bounce Address Tag Validation (BATV)

Bounce Address Tag Validation (BATV) reduces the number of unauthorized Non-Delivery Reports (NDR) delivered to your organization. BATV protects your organization by adding a signature to all outbound mail. When an NDR arrives, BATV checks for a valid signature. If the signature does not exist or does not pass the security check, then Email Security rejects the NDR. If the signature is authentic and the NDR is valid, Email Security continues analyzing the NDR.

BATV is not enabled by default. Although BATV is a powerful tool to eliminate invalid messages, some configurations on other mail servers may cause the BATV system to reject legitimate messages. The user who sent out the message is not notified that the message did not reach the intended recipient.
Some reasons for false positives may include:
   LDAP upstream of Dell SonicWALL Email Security
   Null reverse paths instead of From fields
   Divergent Dell SonicWALL Email Security configuration
   Incorrect or altered reverse mail paths

To enable BATV, follow the procedures below:
1. Log into your Dell SonicWALL Email Security as an administrator.
2. Navigate to the System > Connection Management page.
3. Scroll down to the Quality of Service > Miscellaneous section.
4. Select the Bounced Address Tag Validation (BATV) checkbox to enable the feature.
5. Click the Apply Changes button.
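The sign-then-check flow described for BATV, as an added example that is not the appliance's own code. It assumes the prvs tag layout from the BATV Internet-Draft (key digit, three-digit expiry day, six hex digits of HMAC-SHA1); the guide does not say which tag format the product uses, and the keys, lifetime and addresses are constructed.

```python
import hashlib
import hmac

LIFETIME_DAYS = 7  # constructed: how long a signed sender address stays valid
HEX = "0123456789abcdef"


def _mac(key, key_id, day, address):
    # First 3 bytes (6 hex digits) of HMAC-SHA1 over key id, expiry day and original sender.
    msg = f"{key_id}{day:03d}{address}".encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()[:6]


def sign(address, today, key, key_id=0):
    """Tag the envelope sender of an outbound message. `today` is a day number."""
    local, domain = address.rsplit("@", 1)
    day = (today + LIFETIME_DAYS) % 1000
    tag = f"{key_id}{day:03d}{_mac(key, key_id, day, address)}"
    return f"prvs={tag}={local}@{domain}"


def verify_bounce(mail_from, rcpt_to, today, key):
    """Return (accepted, reason) for an inbound message's envelope."""
    if mail_from != "":
        return (True, "not a bounce, BATV does not apply")
    local, _, domain = rcpt_to.rpartition("@")
    parts = local.split("=", 2)
    if len(parts) != 3 or parts[0] != "prvs":
        return (False, "no signature")
    tag, orig_local = parts[1], parts[2]
    if len(tag) != 10 or not tag[:4].isdigit() or any(c not in HEX for c in tag[4:]):
        return (False, "malformed signature")
    key_id, day, mac = int(tag[0]), int(tag[1:4]), tag[4:]
    # Day numbers wrap at 1000, so compare the distance to expiry modulo 1000.
    if (day - today) % 1000 > LIFETIME_DAYS:
        return (False, "signature expired")
    expected = _mac(key, key_id, day, f"{orig_local}@{domain}")
    if not hmac.compare_digest(mac, expected):
        return (False, "signature does not match")
    return (True, "valid bounce")


# Constructed sample data.
KEY_A = b"constructed-key-A"   # key on the node that signed the outbound mail
KEY_B = b"constructed-key-B"   # a second node whose configuration has diverged
TODAY = 19000
TAGGED = sign("alice@example.com", TODAY, KEY_A)

if __name__ == "__main__":
    cases = {
        "genuine NDR": ("", TAGGED, TODAY + 3, KEY_A),
        "forged NDR to untagged address": ("", "alice@example.com", TODAY + 3, KEY_A),
        "NDR checked by node with divergent key": ("", TAGGED, TODAY + 3, KEY_B),
        "NDR with altered reverse path": ("", TAGGED.replace("alice", "alicia"), TODAY + 3, KEY_A),
        "NDR after the tag expired": ("", TAGGED, TODAY + 8, KEY_A),
    }
    for name, args in cases.items():
        print(f"{name}: {verify_bounce(*args)}")
```

The divergent-key and altered-path cases are legitimate NDRs that still fail the check, which is how two of the false-positive causes listed above arise.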

Greylisting

The Greylisting feature discourages spam without permanently blocking a suspicious IP address. When Greylisting is enabled, Email Security assumes that all new IP addresses that contact it are suspicious, and requires those addresses to retry before it will accept the email.

The Greylist is the list of IP addresses that have contacted the Email Security once, and have been sent a request to retry the connection. The Greylist is cleared and restarted every night. Thus, if the connection is not retried before the Greylist is restarted, that server will be asked to retry the connection again when it sends a retry of the initial connection request.

Dell SonicWALL Email Security also keeps track of the MTAs that have successfully retried the connection and are now deemed to be responsible MTAs. These IP addresses are added to a separate list. Connections from MTAs on this list are accepted without further retry requests, but the data from the connection is subjected to the rigorous checking performed by Email Security on all incoming mail.

Greylisting is useful only for Email Security servers running as the first touch server, which means receiving email directly from the Internet. Dell SonicWALL recommends disabling Greylisting if Email Security is not first touch.

The benefits of enabling the Greylisting feature include:
   Increased effectiveness: Less spam received into the gateway translates to less spam delivered to the Inbox.
   Better performance: Greylisting reduces the volume of traffic at the gateway, as well as traffic to the downstream (for example, the Exchange server). As a result of the reduced volume, valuable system resources are freed up (such as sockets, memory, network utilization, etc.), allowing Dell SonicWALL Email Security to process more good mail in the same amount of time.
   Storage requirements: With the increasing focus on archiving, Greylisting reduces the amount of junk that gets stored in an archive, again saving valuable resources.

Greylisting and Connection Management Precedence Order

If Greylisting is enabled, the Source IP Address is cross-checked against the Dell SonicWALL Email Security Connection Management components, in the following order:
   Allow-list: If an IP address is on this list, it gets a free pass through Connection Management. Note the message is still subject to plug-in chain processing.
   Block-list: This IP address is already blocked from connecting to Email Security.
   Defer-list: Connections from this IP address are already configured to be deferred.
   DoS: Checks to see if the IP address has crossed the DoS threshold, and if so, takes the appropriate action.
   Throttling: Checks to see if the IP address has crossed the throttling threshold, and if so, takes the appropriate action.
   Responsible MTA List: This IP address has already been through and passed the Greylisting filter.
   Greylist: The IP address is added to the Greylist if this is the first time the IP address has contacted the Email Security.

To enable the Greylisting feature, follow the procedures below:
1. Navigate to the System > Connection Management page.
2. Scroll down to the Quality of Service > Miscellaneous section.
3. Select the Greylisting checkbox to enable the feature.
4. Click the Apply Changes button.

Disable Strict MAIL FROM Checking

By default, this feature enforces the SMTP specification with regard to the Reverse Path, which is the MAIL FROM field or Envelope From field. This feature reduces the load on the downstream server (for example, Microsoft Exchange), as well as reduces the amount of junk email allowed into the system.

To enable this feature, follow the procedures below:
1. Navigate to the System > Connection Management page.
2. Scroll down to the Quality of Service > Miscellaneous section.
3. Select the Disable strict MAIL FROM checking checkbox.
4. Click the Apply Changes button.

GRID Network IP Reputation

The GRID Connection Management with Sender IP Reputation feature is the reputation a particular IP address has with members of the Dell SonicWALL GRID Network. When a connection is received from a known bad IP address, a 554 No SMTPd here error response is given, and the SMTP session is rejected.

This feature is useful only for Dell SonicWALL Email Security servers running as first touch servers. Dell SonicWALL recommends disabling the GRID Network IP Reputation feature if Email Security is not first touch.

GRID Network IP Reputation and Connection Management Precedence Order

If IP Reputation is enabled, the source IP address is checked in the following order:
   Allow-list: If an IP address is on this list, it gets a free pass through Connection Management. Note the message is still subject to analysis by the Email Security server as usual.
   Block-list: This IP address is already blocked from connecting to Email Security server.
   Reputation-list: If the IP address is not in the previous lists, the Email Security server checks with the GRID Network to see if this IP address has a bad reputation.
   Defer-list: Connections from this IP address are deferred. A set interval must pass before the connection is allowed.
   DoS: If the IP address is not on the previous lists, the Email Security server checks to see if the IP address has crossed the DoS threshold. If it has, the server uses the existing DoS settings to take action.
   Throttling: Checks to see if the IP address has crossed the throttling threshold, and if so, takes the appropriate action.
   Not-grey-list: This IP address has already been through and passed the grey-list filter. Note that this feature applies to the GRID Network IP Reputation only if it is enabled.
   Greylist: The IP address is added to the Greylist if this is the first time the IP address has contacted the Email Security. Note that this feature applies to the GRID Network IP Reputation only if it is enabled.

To enable the GRID Network IP Reputation feature, follow the procedures below:
1. Navigate to the System > Connection Management page.
2. Scroll down to the Quality of Service > Miscellaneous section.
3. Select the GRID Network IP Reputation checkbox to enable the feature. Click the Disable checks for IP addresses of unauthenticated mail sender checkbox to disable this feature.
4. Click the Apply Changes button.
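The two precedence orders above (Greylisting, and GRID Network IP Reputation) as a small model, added here as an example and not taken from the appliance. The reply strings are the ones quoted in this guide; the thresholds, the in-memory sets, the reputation set standing in for the GRID lookup, the use of the throttling reply when the throttling threshold is crossed, and the connection counts with no time window are assumptions.

```python
from dataclasses import dataclass, field

# Replies quoted in this guide; stages for which it quotes no reply return None.
REPLY_BLOCKED = "554 No SMTP service here"
REPLY_REPUTATION = "554 No SMTPd here"
REPLY_DEFERRED = "421 4.4.5 Service not available, connection deferred"
REPLY_THROTTLED = "421 4.4.5 Service not available, too many connections due to throttling"


@dataclass
class ConnectionManager:
    allow: set = field(default_factory=set)
    block: set = field(default_factory=set)
    defer: set = field(default_factory=set)
    bad_reputation: set = field(default_factory=set)   # stands in for the GRID Network lookup
    responsible_mtas: set = field(default_factory=set)
    greylist: set = field(default_factory=set)
    counts: dict = field(default_factory=dict)         # connections seen per IP (no time window)
    throttle_limit: int = 10                           # constructed thresholds
    dos_limit: int = 20
    dos_action: str = "defer"                          # "defer" or "block"
    ip_reputation: bool = True
    greylisting: bool = True

    def check(self, ip):
        """Return (stage, action, reply) for one inbound connection from `ip`."""
        if ip in self.allow:
            return ("allow-list", "accept", None)      # message content is still analyzed
        if ip in self.block:
            return ("block-list", "reject", REPLY_BLOCKED)
        if self.ip_reputation and ip in self.bad_reputation:
            return ("reputation-list", "reject", REPLY_REPUTATION)
        if ip in self.defer:
            return ("defer-list", "defer", REPLY_DEFERRED)
        self.counts[ip] = self.counts.get(ip, 0) + 1
        if self.counts[ip] > self.dos_limit:
            action = "reject" if self.dos_action == "block" else "defer"
            return ("dos", action, None)
        if self.counts[ip] > self.throttle_limit:
            return ("throttling", "defer", REPLY_THROTTLED)
        if not self.greylisting:
            return ("greylisting-off", "accept", None)
        if ip in self.responsible_mtas:
            return ("responsible-mta", "accept", None)
        if ip in self.greylist:
            # The sender retried before the nightly reset: promote it.
            self.greylist.discard(ip)
            self.responsible_mtas.add(ip)
            return ("greylist", "accept", None)
        self.greylist.add(ip)
        return ("greylist", "retry", None)

    def nightly_reset(self):
        """The Greylist is cleared every night; the responsible MTA list is kept."""
        self.greylist.clear()


def demo():
    """Run constructed connections through the model and return the stages hit."""
    cm = ConnectionManager(
        allow={"192.0.2.10"},
        block={"192.0.2.20"},
        defer={"198.51.100.7"},
        bad_reputation={"192.0.2.10", "198.51.100.7"},
    )
    ips = ["192.0.2.10", "192.0.2.20", "198.51.100.7", "203.0.113.5", "203.0.113.5"]
    return [cm.check(ip)[0] for ip in ips]


if __name__ == "__main__":
    print(demo())
```

The allow-list entry wins even though the same address has a bad reputation, and an address that is on both the reputation and defer lists gets the 554 rejection rather than the 421 deferral.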

Manually Edit IP Address Lists

This section allows you to manage the list of IP addresses to allow, defer, block, or throttle. Navigate to the System > Connection Management screen, then scroll down to the Manually Edit IP Address Lists section. This section includes the following subsections:
   Allowed List
   Deferred List
   Blocked List
   Throttled List

Allowed List

When an IP address is added to the Allowed list, Email Security continues to check for spam and phishing attacks in messages from that IP address. To add an IP address to the list or edit the existing list, click the Edit Allowed List button. Enter the IP address, then click the Add New IP Address button when finished. To delete an IP address from the list, select the checkbox of the IP address you wish to delete, then click the Delete Checked IP Addresses button.

Deferred List

In the case of a connection from a deferred IP address, the transient message is 421 4.4.5 Service not available, connection deferred.

To add an IP address to the list or edit the existing list, click the Edit Deferred List button. Enter the IP address, then click the Add New IP Address button when finished. To delete an IP address from the list, select the checkbox of the IP address you wish to delete, then click the Delete Checked IP Addresses button.

Blocked List

When the server receives a connection from an IP address on a blocked list, the Email Security responds with a 554 No SMTP service here error message, and rejects the TCP/IP connection. To add an IP address to the list or edit the existing list, click the Edit Blocked List button. Enter the IP address, then click the Add New IP Address button when finished. To delete an IP address from the list, select the checkbox of the IP address you wish to delete, then click the Delete Checked IP Addresses button.

Throttled List

When the SMTP server receives a connection from an IP address on this list, the Email Security responds with a 421 4.4.5 Service not available, too many connections due to throttling error message and drops the TCP/IP connection. To add an IP address to the list or edit the existing list, click the Edit Throttled List button. Enter the IP address and the number of hours to throttle for, then click the Add New IP Address button when finished. To delete an IP address from the list, select the checkbox of the IP address you wish to delete, then click the Delete Checked IP Addresses button.

Backup/Restore Settings

The System > Backup/Restore page allows the administrator to configure the backup and restore settings for the server.

Note: It is not necessary to perform either of these functions. Executing the backup and restore functions depends on the needs of your organization.

Manage Backups

On the Backup tab, the administrator can select from the following categories of data that can be backed up:
   Settings: Select this category to back up ALL user settings, including network architecture, LDAP, per-user settings, and policies. Dell SonicWALL recommends that you back up your settings regularly since this data loss would require a complete reconfiguration of your settings.
   Per User Settings: Select this category to enable a snapshot of the Per User Settings. This setting backs up all the settings configured for users in your user list.
   Junk Box: Select this category to enable a snapshot of your Junk Box for future recovery. Enabling this category requires sufficient disk space and requires 30 to 60 minutes to complete the backup snapshot.
   Archive: Select this category to enable backup of the archive. This setting backs up all messages that have been archived on this server's file system. Note that this setting does not back up messages that have been archived to an external SMTP server.
   Reports Data: Select this category to enable a snapshot of your reports data. This backup setting is the least critical of the three backup settings. Reports data does not include critical information for system recovery.

Click the Take Snapshot Now button to combine the files selected for backup into a single zip file called the Snapshot, which is saved onto the physical system running. There is only one snapshot file on a system at any time. When a new snapshot is taken, the existing snapshot file is overwritten.

Click the Download Snapshot button to download the latest snapshot from the system. This file can then be saved onto a separate system if needed.
Note that the snapshot file that can be uploaded is size-limited. A warning dialog appears if you attempt to download a snapshot file that is too large to be uploaded again. The following are ways you can reduce the size of the snapshot file:
   Download the four categories of data in four separate snapshot files, instead of combining all the data into one big file.
   Reduce the amount of data in the reports database by removing older data more aggressively. The System > Advanced page allows you to set the length of time after which reporting data is removed.
   Reduce the amount of data in the quarantine database by removing older data more aggressively. The System > Junk Box Settings page allows you to set the length of time after which quarantined data is removed.
   Reduce the amount of data in the archive by removing older data more aggressively. The Policy & Compliance > Archiving page allows you to set the length of time after which archived messages are removed.

Schedule Backup

Scheduled Backups allow administrators to schedule daily, weekly, or monthly backups. First, you must select the Enable scheduled backup checkbox to use this feature.

Backup Frequency

Specify the Backup Frequency, including the Hour of Day, Day of Week, and Day of Month.

Create Snapshot

Select the categories to be included in the Scheduled Backup. The categories include: Settings, Junk Box, Archive, and Reports Data. See Manage Backups for more details about these categories.

FTP Server Authentication

If you have a configured remote FTP server, click the FTP Server Authentication checkbox. Specify the FTP Server information, including the Port, Username, Password, and Destination Path. Click the Apply button when finished.

Managing Restores

Administrators can restore data from a snapshot file on the System > Backup/Restore > Restore tab.

Restore From a Snapshot File

Select one of the following methods to restore data from a snapshot file:
   Restore data from a snapshot file on the Email Security server: This option takes the last snapshot file saved onto the Email Security server and restores data.
   Upload a snapshot file from your local hard drive and use it to restore data: This option allows you to upload a snapshot file from your local hard drive. Click the Choose File button and select the file from your local hard drive.

Restore the Following Data

Select the checkboxes of the categories you want restored from the snapshot you are restoring. Categories include: Settings, Junk Box, Archive, and Reports Data. See Manage Backups for more details about these categories.

Click the Start Restoring Data button to begin the Restore process.

Host Configuration

The System > Host Configuration page allows you to make changes to the server on which the Dell SonicWALL Email Security product is installed. After applying these settings, you can then use the Restart Services or Reboot this Server buttons at the top of the Host Configuration page. This section includes the following subsections:
   General Settings
   HTTPS Settings
   Date & Time Settings
   Network Settings
   CIFS Mount Settings

General Settings

The general settings of the Host Configuration allow you to configure the Hostname settings and Access PIN settings for Dell SonicWALL Email Security appliances.

Hostname

Changing the hostname causes a number of changes to be made to the Email Security settings and configuration files, and may rename some of the directories in the installation and data directories. To change the hostname of this server, enter the new fully-qualified hostname in the Hostname field, and then click the Apply Changes button. The hostname cannot be changed to an IP address. Note that the system performs a reboot upon a host name change and clicking the Apply Changes button.

You may also click one of the buttons at the top of the page to Restart Services, Reboot this Server, or Shut Down Server.

HTTPS Settings

The HTTPS Settings section allows you to enable HTTP and HTTPS access on specific ports. The following are HTTPS settings you can configure:
   Enable HTTP access on port: Select the checkbox to enable this setting. Enter the port number in the field provided. The default port for HTTP is Port 80.
   Enable HTTPS (SSL) access on port: Select the checkbox to enable this setting. Enter the port number in the field provided. The default port for HTTPS is Port 443.
   Redirect access from HTTP to HTTPS: Select the checkbox to enable this setting.

Click the Apply Changes button.

Date & Time Settings

The Date & Time Settings section allows you to set the current date, time, and time zone for this host. You can also set the Network Time Protocol (NTP) settings from this section.

For the Date & Time Settings, select from the Available time zones dropdown list the time zone you want set for this host. Specify the System date and time.

Click the Enable Network Time Protocol checkbox to enable the NTP feature. Selecting this checkbox will synchronize the server time using UDP on port 123. You can then list up to 8 NTP servers in the NTP Server List.

Click the Apply Changes button to save and apply settings in this section.

Network Settings

This section allows you to configure the host system settings for Email Security. The Use the static settings below option is selected so that you can configure the following:
   Primary DNS Server IP address
   Fallback DNS server IP address
   Default gateway IPv4 address
   Default gateway IPv6 address (optional)

Ethernet0 Port

By default, the Enable use of Ethernet0 port checkbox is selected. With this checkbox selected, you can change the IP address and Subnet mask. Click Add Alias to add any additional IP addresses (IPv4 or IPv6) and Subnet Masks. Click Save to complete adding an alias to this Ethernet port. Click the Apply Changes button.

Ethernet1 Port

Click the Enable use of Ethernet1 port checkbox if your Email Security appliance supports dual NIC cards. You will then have to configure the IP address and Subnet mask. Click Add Alias to add any additional IP addresses (IPv4 or IPv6) and Subnet Masks. Click Save to complete adding an alias to this Ethernet port.

Click the Apply Changes button.

CIFS Mount Settings

CIFS Mounting allows the mounting of an external drive to store the appliance's data. The available data on the current drive is migrated to the external storage drive, increasing the storage limit for the appliance. For dual control centers, the same external drive can be mounted on both control centers to share the data. The two control centers can be configured to either share the load or as a failover.

Provide the Hostname (FQDN), Shared Drive Name, Remote Login UserID, and Remote Login Password in the spaces provided. Then, click on one of the following:
   Mount: Click this button to mount the external drive. If the external drive is empty, a warning message displays. Click Continue to migrate the local data to the external drive. If the external drive already contains Email Security-related data, the external drive will be directly mounted.
   Migrate: Click this button to migrate the local data to the external drive.

   Unmount: Click this button to unmount the external drive and revert back to the local drive. Note that data stored in the external drive will not be migrated back to the local drive.
   Test Mount: Click this button to test whether or not the external drive has successfully mounted.

Advanced

The System > Advanced page allows you to configure a variety of settings, such as customizing the SMTP banner, configuring log levels, reinitializing to factory settings, and downloading system/log files, as well as other advanced features.

Note: The Advanced page contains tested values that work well in most configurations. Changing these values can adversely affect performance.

General Settings

The General Settings section of the System > Advanced page includes Message Management settings, Other Settings, and SNMP Settings.

Message Management

   Customize SMTP banner: Use this setting to specify the SMTP banner. Be sure to use valid characters and syntax for an SMTP header. When remote SMTP servers contact the Email Security to send email through it, an SMTP header displays that identifies the server as a Dell SonicWALL Email Security server. Some companies may want to hide this information and present their own custom SMTP banner header information.
   Replace SonicWALL in Received: headers: Use this setting to replace the name in the Received: header. If you do not want to have the Dell SonicWALL Email Security name in the Received headers when sending good email downstream to your servers, use this field to specify another name.
   DNS Timeout for SPF: Enter a value between 1 and 30 seconds. Use this setting to configure the number of seconds Dell SonicWALL Email Security searches for the SPF record of the sender. If the Email Security cannot find the SPF record in the number of seconds specified, it times out and does not return the SPF record of the sender. The default value is 2 seconds.
   Saved emails will automatically be deleted when older than: Enter the number of days of data that you want to preserve in the email archives. Lowering this number means less disk space is used, but note that you will not have report data older than the number of days specified.
   Permit users to add members of their own domain to their Allowed Lists: Selecting the On button allows users to add people within their domain to their personal Allowed Lists. For example, if you work at example.com and enable this feature, all users at example.com can be added to your Allowed List. As a result, email messages between internal users are not filtered by the Email Security product. You can either add people manually or configure to automatically add each person to whom users send email.
   Save a copy of every email that enters your organization: When the On button is selected, folders with the entire contents of every email are created in the logs directory of each server that analyzes email traffic (All-In-One Servers and Remote Analyzers). The emails are saved before being analyzed for threats by the Email Security product. Because saving inbound emails can be handled independently, there are separate folders for saved inbound email. Email entering your organization is located in: <Install Directory>\logs\fullhistory_in\
   Save a copy of every email that leaves your organization: When the On button is selected, folders with the entire contents of every email are created in the logs directory of each server that analyzes email traffic (All-In-One Servers and Remote Analyzers). The emails are saved before being analyzed for threats by the Email Security product. Because saving outbound emails can be handled independently, there are separate folders for saved outbound email. Email leaving your organization is located in: <Install Directory>\logs\fullhistory_out\

Other Settings

   Log level: Use this setting to change the log level for the Email Security product. Change the log level to increase or decrease the amount of information stored in your logs. Log level 1 provides the maximum quantity of logging information; level 6 results in the least. The default level is 3.
   Reports data will be deleted when older than: Enter the number of days of data you want to preserve for reporting information. Reducing this number means less disk space is used, but note that report data older than the number of days specified will not be available. The default value is 366 days.
   Test Connectivity to reports database: Click the Test Connectivity button to verify that you can access the Reports database. If this test fails, custom reports will not work and the database is not updated. If this test fails during normal operation, contact a system administrator immediately. See the Reports & Monitoring Chapter for more information on accessing and customizing reports.

SNMP Settings

   SNMP: Click the On radio button to enable the Simple Network Management Protocol (SNMP) feature. SNMP works to monitor network availability, performance, and error rates.
   SNMP Community String: Specify the community string for SNMP in the field provided.

Miscellaneous Settings

Upload Patch

Use this setting to manually upload and install a new Email Security update. Usually when a new Email Security update is available, the Email Security product automatically downloads the update and alerts the administrator by email that it is available. In some instances, an administrator may want or need to apply a patch manually. For example, if an administrator has multiple servers running in split configuration mode (Remote Analyzer / Control Center configuration), updates must be applied manually.

To upload a patch file manually, navigate to the System > Advanced page. Scroll down to the Miscellaneous Settings > Upload Patch section. Click the Choose File button, and select a file from your local hard drive to upload. Then, click the Apply Patch button.

Download System/Log Files

The Download System/Log Files feature allows you to download or email log files and system configuration files from your server.

To download system/log files, select the Type of File from the dropdown list. You can use the Choose specific files list to select one or more files to download. Then, click the Download button.

To email the system/log files, select the Type of File from the dropdown list. You can use the Choose specific files list to select one or more files to email. Click the Email To... button. Enter the Recipient email address in the dialog box that appears, and then click Send. Note that emailing very large files and directories can be problematic depending on the limitations of your email system.

Reset Settings

Cleanup Per User

The Per User Cleanup tool deletes address books and settings filters of non-existent users in your Email Security user list. You can click the Use last generated report to clean up checkbox to reference the latest generated report for Per User Cleanup. The report is generated as a .txt file. Click Generate Report to generate an updated list of users. Click Cleanup Peruser to use the Per User Cleanup tool to delete files of non-existent users.

Delete All Users Allowed and Blocked Lists

All users' allowed and blocked lists on this server can be permanently deleted. If you wish to retain any of this data, you will need to back it up from the System > Backup/Restore page and download it to your local hard drive before deleting. Click the Delete All button to perform this action.

Reinitialize Appliance to Factory Settings

Reinitialize the settings for this Email Security product to the factory default values. All log, settings, data, license keys, etc. on this server are permanently deleted. If you wish to retain any of this data, you will need to back it up from the System > Backup/Restore page and download it to your local hard drive before deleting. Click the Reinitialize Appliance button to perform this action.

Reset Licenses

Reset all license key information associated with this Dell SonicWALL Email Security product. Click the Reset Licenses button to perform this action. License keys can be restored by visiting http://mysonicwall.com.

Note: After clicking the Reset Licenses button, you will no longer have access to a majority of the user interface features. Many left-hand navigation links will direct you to the License Management page.

Branding

Branding provides the ability to customize aspects of the user interface. Administrators can upload replacement assets for the key branding elements, including company name, logo, and other branding assets. Navigate to the System > Branding page to configure Branding feature settings.

Quick Settings

Use the Quick Settings tab on the System > Branding page to specify global settings for particular GUI elements. Any settings specified in this section take precedence over those specified by deployed packages.

Text Preferences

The Contact Us URL is the email address or URL that appears as the Contact Us link at the footer of each page. This field supports http://, https://, and mailto:. To change the Contact Us URL, type the email address or URL in the field provided. Click the Test Connectivity button to verify the email address or URL you specified is valid.

Image Preferences

The image preference files can all be modified by clicking the Choose File button or clicking the Download icon. The Choose File option allows you to select a file from your local system. The Download icon downloads the default Dell SonicWALL image file. Note that an error message displays if you have uploaded an incorrect file type. The following Image Preferences can be modified:
   Web Icon file: This field replaces the 4-bit Dell SonicWALL logo that appears in the address bar of every Webpage across all browser platforms.
   Logon logotype file: This field replaces the logon, logout, and mini-logon generic bitmap that displays the Dell SonicWALL challenge screen layout and design.
   Logon backdrop art file: This field replaces the logotype bitmap that appears upon every challenge screen.
   Page logotype file: This field replaces the short version of the Dell SonicWALL logotype that appears at the top of each webpage's banner art.
   Page header art file: This field replaces the Dell SonicWALL banner art bitmap at the top of each Webpage.
   Pop-up logotype file: This field replaces the smaller version of the Dell SonicWALL logotype that appears at the top of each pop-up dialog's page banner art.
   Pop-up header art file: This field replaces the smaller version of the Dell SonicWALL banner art that appears at the top of each pop-up dialog page.

Junk Summary Preferences

The Junk Summary Preferences can all be modified by clicking the Choose File button or clicking the Download icon. The Choose File option allows you to select a file from your local system. The Download icon downloads the default Dell SonicWALL image file. Note that an error message displays if you have uploaded an incorrect file type.

The following Junk Summary Preferences can be modified:
   Junk Summary logotype file: This field replaces the black-on-white logotype that always appears at the top of each Junk Summary email.
   Junk Summary header art file: This field replaces the Junk Summary banner art bitmap at the top of each page.

Click the Save button when you have finished modifying settings on the Quick Settings tab.

Packages

The Packages tab allows administrators to manage, upload, and apply branding packages to their GUI. The Manage Packages table displays the available packages the administrator can apply to the GUI, including the Dell SonicWALL brand package. Note that while this package can never be deleted, administrators can edit or delete all other brand packages that have been uploaded.

To upload a new package from the System > Branding page, navigate to the Packages tab and click the Upload button under the Manage Packages section.

Certificates

The System > Certificates page allows administrators to configure settings specific to certificates, including trusted certificate authentication and enabling secured access.

Settings

Choose between self-signing and using a trusted certificate authority and enter the appropriate settings. Enter the Certificate Name (required) and a Passphrase for Private Key (optional) in the available fields. Then, select one of the following:

Enable secured access through a generic self-signed SSL certificate.
Enable secured access through a self-signed SSL certificate. You are then prompted to enter the hostname to be used when generating this certificate.
Use an existing certificate issued by a trusted authority such as Verisign or Thawte. Upload the SSL Certificate and Key from your local drive by clicking the Choose File button. Enter the Password in the field provided.

Click Apply when finished.

Generate CSR

If you do not have an existing certificate, navigate to the System > Certificates > Generate CSR page. Fill out the form and click the Generate CSR button to submit a Certificate Signing Request (CSR) for a trusted certificate to a trusted authority, such as Verisign or Thawte.

Configure

This screen allows you to view the Certificate Name, Type, and whether it is used for SMTP or HTTPS. You can click the View icon of a specific certificate to see the certificate details. Click the Download icon to download the certificate to your local hard drive. Click the Delete icon to delete the certificate from the Email Security system. Click the Apply button when you're finished configuring the settings on this page.

Note: Certificates can be added to this page from the Certificates > Settings page.

Audit Trail

The Audit Trail feature, or Audit Log, on Email Security is a set of destination and source records that tracks the actions performed on every email message that passes through Email Security. This feature logs all the activity performed by users, and the Global Administrator can view and search these activities. The Audit Trail feature includes information on any fields that may have been added, edited, or deleted; search queries in the Junkbox and Auditing pages; and all View, Unjunk, Delete, Sent Copy to, Download actions performed on messages in the Junkbox and Auditing pages.

To use Audit Trail, follow the procedures listed:

1. Navigate to the System > Audit Trail page.
2. Click the Settings button.
3. On the popup window that displays, click the On or Off button to Enable Audit Trail. This enables auditing for both inbound and outbound email messages.
4. Specify how long to Keep auditing files for with the dropdown list. You can select between 1 day to 7 years.
5. Click the Apply button when finished.

Click the Export to CSV button to export a list of Messages Found. The list is downloaded to your local system.

Diagnostics

The System > Diagnostics page allows the Administrator to run different diagnostic tests on a specific SMTP Host or DNS Server. The following Diagnostics Categories are available:

Run SMTP Test for given Host or IP: Run an SMTP test for the SMTP Hostname/IP specified in the respective field. Optionally, you may specify the Alternate DNS Server IP.
Query DNS for given Host's A record: Specify the Hostname/IP/Domain Name and select this option to query the DNS server for the A record. Optionally, you may specify the Alternate DNS Server IP.
Query DNS for MX Record of the given Host: Specify the Hostname/IP/Domain Name and select this option to query the DNS server for the MX record. Optionally, you may specify the Alternate DNS Server IP.
Query DNS for SPF Policy of the given Host: Specify the Hostname/IP/Domain Name and select this option to query the DNS server for the SPF Policy. Optionally, you may specify the Alternate DNS Server IP.
Query DNS for DMARC Policy of the given Host: Specify the Hostname/IP/Domain Name and select this option to query the DNS server for the DMARC Policy. Optionally, you may specify the Alternate DNS Server IP.
Query DNS for DKIM Policy of given Host: Specify the Hostname/IP/Domain Name and select this option to query the DNS server for the DKIM Policy. Optionally, you may specify the Alternate DNS Server IP.
Ping the mentioned Host or IP: Ping the Host or IP specified in the Hostname/IP/Domain Name field. Optionally, you may specify the Alternate DNS Server IP.
Telnet on a mentioned Host:Port: Specify the Hostname/IP:Port and select this option to Telnet into the server.

Chapter 3 Anti-Spoofing

This chapter contains the following sections:

Enabling Inbound SPF Validation
SPF Hard Fail
SPF Soft Fail
Configuring Inbound DKIM Settings
Configuring Inbound DMARC Settings
DMARC Incoming Reports
Configuring Outbound DKIM Settings

How Anti-Spoofing Works

The Anti-Spoofing page on your Dell SonicWALL Email Security solution allows you to enable and configure settings to prevent illegitimate messages from entering your organization. Spoofing consists of an attacker forging the source IP address of a message, making it seem like the message came from a trusted host. By configuring SPF, DKIM, and DMARC settings, your Email Security solution will run the proper validation and enforcement methods on all incoming messages to your organization.

The Anti-Spoofing page works in an order of precedence, where rules set at the top of the page are of a lower priority than rules set towards the bottom of the page. In general, a message will be subjected to SPF, DKIM, and DMARC if all are enabled. The results from DKIM validation will take precedence over the results from SPF validation, and DMARC validation results will take precedence over DKIM validation results.

Enabling Inbound SPF Validation

The Anti-Spoofing > Inbound tab features SPF validation for inbound email messages. Sender Policy Framework (SPF) is an email validation system designed to prevent email spam by detecting email spoofing by verifying the sender IP addresses. SPF records, which are published in the DNS records, contain descriptions of the attributes of valid IP addresses. SPF is then able to validate against these records if a mail message is sent from an authorized source. If a message does not originate from an authorized source, the message fails. You can configure the actions against messages that fail.

There are two types of SPF fails:

SPF HardFail: The SPF has designated the host as NOT being allowed to send messages and does not allow messages through to the recipient.
SPF SoftFail: The SPF record has designated the host as NOT being allowed through to the recipient.

To enable SPF, click the Enable SPF validation for incoming messages checkbox.

SPF Hard Fail

With SPF Validation enabled for incoming messages, you can configure the following SPF Hard Fail settings:

Ignore allow lists: When an SPF hard fail occurs, mail messages from senders in the Allow list are not sent through to the recipient. This feature is enabled by default.

Action for messages marked as SPF Hard Fail: Select one of the following actions for messages marked as SPF Hard Fail:

No Action: No action is taken against messages marked as SPF hard fail.
Permanently delete: Messages marked as SPF hard fail are permanently deleted.
Reject with SMTP error code 550: Messages marked as SPF hard fail are rejected with an SMTP error code 550.
Store in Junk Box: Messages marked as SPF hard fail are stored in the Junk Box. This is the recommended setting for most configurations.
Send to [field]: Messages marked as SPF hard fail are sent to the user specified in the available field. For example, you can send to [postmaster].
Tag with [field] added to the subject: Messages marked as SPF hard fail are tagged with a term in the subject line. For example, you may tag the messages [SPF Hard Failed].
Add X-Header: X-[field]:[field]: Messages marked as SPF hard fail have an X-Header added to the email with the key and value specified. The first text field defines the X-Header. The second text field is the value of the X-Header. For example, a header of type X-EMSJudgedThisEmail with value spfhard results in the email header as: X-EMSJudgedThisEmail:spfhard.

Add Domain: Click this button to add a domain and configure SPF hard fail-specific settings for that domain.

SPF Soft Fail

With SPF Validation enabled for incoming messages, you can configure the following SPF Soft Fail setting:

Ignore allow lists: When an SPF soft fail occurs, mail messages from senders in the Allow list are not sent through to the recipient. This feature is enabled by default.

Configuring Inbound DKIM Settings

Domain Keys Identified Mail (DKIM) uses a secure digital signature to verify that the sender of a message is who it claims to be and that the contents of the message have not been altered in transit. A valid DKIM signature is a strong indicator of a message's authenticity, while an invalid DKIM signature is a strong indicator that the sender is attempting to fake his identity. For some commonly phished domains, the absence of a DKIM signature can also be a strong indicator that the message is fraudulent. Users benefit from DKIM because it verifies legitimate messages and protects against phishing. Remember that DKIM does not prevent spam; proper measures should still be taken against fraudulent content.

To configure DKIM signature settings, navigate to the Anti-Spoofing > Inbound page and click the Enable DKIM validation for incoming messages checkbox. With DKIM validation enabled for incoming messages, you can configure the following settings:

Ignore allow lists: When a DKIM Failure occurs, mail messages from senders in the Allow list are not sent through to the recipient. This feature is enabled by default.

Action for messages marked as DKIM signature failed: Select one of the following actions for messages marked as DKIM signature failed:

No Action: No action is taken against messages marked as DKIM signature failed.
Permanently delete: Messages marked as DKIM signature failed are permanently deleted.
Reject with SMTP error code 550: Messages marked as DKIM signature failed are rejected with an SMTP error code 550.
Store in Junk Box: Messages marked as DKIM signature failed are stored in the Junk Box. This is the recommended setting for most configurations.
Send to [field]: Messages marked as DKIM signature failed are sent to the user specified in the available field. For example, you can send to [postmaster].
Tag with [field] added to the subject: Messages marked as DKIM signature failed are tagged with a term in the subject line. For example, you may tag the messages [DKIM Failed].
Add X-Header: X-[field]:[field]: Messages marked as DKIM signature failed have an X-Header added to the email with the key and value specified. The first text field defines the X-Header. The second text field is the value of the X-Header. For example, a header of type X-EMSJudgedThisEmail with value dkim results in the email header as: X-EMSJudgedThisEmail:dkim.

Add Domain: Click to add a domain and configure DKIM fail-specific settings for that domain. The following settings are configurable:

Domains: List the domains to add, separating multiple domains with a comma.

Ignore allow lists: When a SPF hard fail occurs, mail messages from senders in the Allow list are not sent through to the recipient. This feature is enabled by default.

Action for messages marked as DKIM signature failed: Select one of the following actions for messages marked as DKIM signature failed:

No Action: No action is taken against messages marked as DKIM fail.
Permanently delete: Messages marked as DKIM fail are permanently deleted.
Reject with SMTP error code 550: Messages marked as DKIM fail are rejected with an SMTP error code 550.
Store in Junk Box: Messages marked as DKIM fail are stored in the Junk Box. This is the recommended setting for most configurations.
Send to [field]: Messages marked as DKIM fail are sent to the user specified in the available field. For example, you can send to [postmaster].
Tag with [field] added to the subject: Messages marked as DKIM fail are tagged with a term in the subject line. For example, you may tag the messages [DKIMFailed].
Add X-Header: X-[field]:[field]: Messages marked as DKIM fail have an X-Header added to the email with the key and value specified. The first text field defines the X-Header. The second text field is the value of the X-Header. For example, a header of type X-EMSJudgedThisEmail with value dkim results in the email header as: X-EMSJudgedThisEmail:dkim.

Domain required to have DKIM signature: By default, this feature is enabled, which requires a DKIM signature for messages sent to the domain being added.

Configuring Inbound DMARC Settings

Domain-based Message Authentication, Reporting & Conformance (DMARC) is a policy that works in tandem with SPF and DKIM to fully authenticate incoming and outgoing email messages. A DMARC policy allows a sender to indicate that his emails are protected by SPF and/or DKIM, and also tells a receiver what to do if neither of those authentication methods passes, such as junk or reject the message.

To configure DMARC settings, navigate to the Anti-Spoofing > Inbound page, and click the Enable DMARC Policy Enforcement for incoming messages checkbox.

Note: To use DMARC, you must also have DKIM and SPF enabled.

Configure the following settings for DMARC:

Exclude these sender domains: Enter any sender domains (for example, sonicwall.com or gmail.com) you want excluded from DMARC policy enforcement in the space provided. Multiple domains can be entered, separated by a comma.

Enable DMARC Outgoing Reports: By default, this feature is enabled when the Enable DMARC checkbox is also enabled. Select the checkbox to disable the sending of DMARC reports to outside domains.

Once DMARC is enabled, outgoing reports are automatically sent. The following settings can be configured if you are attempting to override reporting attributes for a specific domain:

Domain: Enter the domain name to send DMARC reports to. You have the option of using * as a value for the domain field. A few considerations:

A configuration created with the domain name * will be considered the default domain.
If the domain is not provided, DMARC will use configuration settings from the * domain.
If no * domain is added, then a hard-coded default value, such as postmaster@domain, will be used as the Sender ID.

Override DNS RUA Email Address: Click the checkbox to override reports being sent to the RUA email address specified in the DNS record. An example from the DNS record is rua=mailto:aggrep@yourcompany.com.

RUA Email Address: If you selected the Override DNS RUA Email Address, specify the RUA Email Address you would like the reports sent to.

Note: The RUA is the aggregated report for domains with published domain records. Reports are sent daily.

DMARC Incoming Reports

You can configure DMARC Incoming Report settings by clicking the Add Domain button in the DMARC Incoming Reports Settings section. DMARC Incoming Reports will be collected and processed only for the domains added. In the Add Domain window that displays, enter the following information:

Domain: Enter the domain name to add for DMARC incoming reports.

Override DNS RUA Email Address: Click the checkbox to override reports being sent to the RUA email address specified in the DNS record. An example from the DNS record is rua=mailto:aggrep@yourcompany.com.

RUA Email Address: If you selected the Override DNS RUA Email Address, specify the RUA Email Address to which the reports are being sent.

Note: The RUA is the aggregated report for domains with published domain records. Reports are sent daily.

Configuring Outbound DKIM Settings

Navigate to the Anti-Spoofing > Outbound tab to configure outbound DKIM settings. To configure DKIM signature settings, click the Add Configuration button. The DKIM Outbound Configuration page displays. Configure the following settings:

Domain: Enter the domain name.
Identity of Signer: Enter an identity of the signer. Click the Same as domain checkbox to use the specified Domain name as the Identity of Signer.
Selector: Enter a value for the selector. The selector is used to differentiate between multiple DKIM DNS records within the same organization (for example, feb2014._domainkey.yourorganization.com).
List of Header fields for Signing: Click the Sign all standard headers button to include all headers, or specify the headers in the designated field. Separate multiple headers with a colon (for example, from:to:subject).
Generate Key Pair: Specify the Key Size from the values in the drop down list, then click the Generate Key Pair button. Copy and paste the Public Key into your DNS record. The Private Key is simply for your own reference and should be stored on your local machine.

Click the Save button to finish. The signature will be added to the DKIM Signature Configurations list.

Generating DNS Record

Once a domain has been successfully added to the Outbound DKIM Settings tab, you can generate a DNS Record. Under the DNS Record column for the domain you want to generate a record for, click the Generate button. The Generate DNS Record page displays with the following settings:

Domain: This field auto-populates with the Domain you entered when adding a new configuration. This field cannot be edited.
Selector: This field auto-populates with the Selector you entered when adding a new configuration. This field cannot be edited.
Public Key: This field populates with the Public Key for your DNS record. You can copy and paste from this field.
Domain is testing DKIM: Select the checkbox to enable testing DKIM for this domain.
Subdomains required to have their own DKIM keys: Select the checkbox to enable the requirement for all subdomains to have their own DKIM keys.

Click the Generate DNS Record button to save the settings and generate your DNS record.

Using Outbound DKIM Settings

The Settings column of each domain listed in the Outbound DKIM Signature Configurations list has the following icons:

Edit: Click this icon to edit the DKIM Signature settings. Note that not all fields are editable.
Delete: Click this icon to delete the DKIM Signature.
Download: Click this icon to download the Public Key for this DKIM Signature.
Status: The status icon notifies you if the DKIM Signature is enabled (green icon) or disabled (gray icon).
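As an added illustration (not the product's own code or output), the sketch below builds the DKIM TXT record that the Generating DNS Record settings describe and checks a published record against the expected public key. It assumes an RSA key, assumes the two checkboxes correspond to the RFC 6376 flags t=y and t=s, and uses a constructed placeholder in place of a real public key; all function names are hypothetical.

```python
import base64
import re

# One DNS label: letters, digits and inner hyphens, at most 63 characters.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

# Constructed placeholder, NOT a real key: 294 arbitrary bytes, the size of a
# DER-encoded 2048-bit RSA public key, so the record is realistically long.
PLACEHOLDER_PUBLIC_KEY = base64.b64encode(bytes(range(256)) + bytes(38)).decode()


def normalize_public_key(key_text):
    """Strip PEM armor and whitespace; raise ValueError if not valid base64."""
    body = re.sub(r"-----[A-Z ]+-----", "", key_text)
    body = "".join(body.split())
    if not body:
        raise ValueError("public key is empty")
    base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
    return body


def build_dkim_record(domain, selector, public_key,
                      testing=False, strict_subdomains=False):
    """Return (record name, full TXT value, value split into <=255-char strings)."""
    domain = domain.rstrip(".")
    for label in selector.split(".") + domain.split("."):
        if not LABEL_RE.fullmatch(label):
            raise ValueError("invalid DNS label: %r" % label)
    # Assumed mapping of the two checkboxes to RFC 6376 "t=" flags.
    flags = [flag for flag, on in (("y", testing), ("s", strict_subdomains)) if on]
    tags = ["v=DKIM1", "k=rsa"]  # k=rsa is an assumption about the key type
    if flags:
        tags.append("t=" + ":".join(flags))
    tags.append("p=" + normalize_public_key(public_key))
    value = "; ".join(tags)
    # A single TXT character-string holds at most 255 bytes, so long keys
    # must be published as several strings that resolvers concatenate.
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    return "%s._domainkey.%s" % (selector, domain), value, chunks


def parse_dkim_record(chunks):
    """Join TXT strings and return the tag=value pairs as a dict."""
    tags = {}
    for part in "".join(chunks).split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip()] = "".join(val.split())
    return tags


def published_key_matches(chunks, expected_public_key):
    """True if the published record is DKIM1 and carries the expected key."""
    tags = parse_dkim_record(chunks)
    return (tags.get("v") == "DKIM1"
            and tags.get("p") == normalize_public_key(expected_public_key))


if __name__ == "__main__":
    name, value, chunks = build_dkim_record(
        "yourorganization.com", "feb2014", PLACEHOLDER_PUBLIC_KEY, testing=True)
    print(name)
    for chunk in chunks:
        print('"%s"' % chunk)
```

Running the comparison against the TXT strings actually returned by DNS catches the common publishing mistakes: a key truncated at 255 characters, stray line breaks pasted into the value, or a record left in testing mode.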

Chapter 4 Anti-Spam

This chapter contains the following sections:

Managing Spam
Default Spam Management
Address Books
Anti-Spam Aggressiveness
Languages
Black List Services (BLS)
Spam Submissions
Anti-Phishing

Managing Spam

Email Security uses multiple methods of detecting spam and other unwanted email. These include using specific Allowed and Blocked lists of people, domains, and mailing lists, patterns created by studying what other users mark as junk mail, and the ability to enable third-party blocked lists. Administrators can define multiple methods of identifying spam for your organization; users can specify their individual preferences to a lesser extent. In addition, Email Security provides updated lists and collaborative thumbprints to aid in identifying spam and junk messages.

Spam Identification

Email Security uses a multi-prong approach to identifying spam and other unwanted email. It is useful to understand the general operation so you can build your lists appropriately.

When an email comes in, the sender of the email is checked against the various allowed and blocked lists first, starting with the corporate list, then the recipient's list, and finally the Email Security-provided lists. If a specific sender is on the corporate blocked list but that same sender is on a user's allowed list, the message is blocked, as the corporate settings are a higher priority than a user's.

More detailed lists take precedence over the more general lists. For example, if a message is received from aname@domain.com and your organization's Blocked list includes domain.com but a user's Allowed list contains the specific email address aname@domain.com, the message is not blocked because the sender's full address is in an Allowed list.

After all the lists are checked, if the message has not been identified as junk based on the Allowed and Blocked lists, Email Security analyzes message headers and contents, and uses collaborative thumbprinting to block email that contains junk.

Default Spam Management

Use the Anti-Spam > Default Spam Management window to select options for dealing with definite spam and likely spam. The default setting for definite spam and likely spam will quarantine the message in the user's junk box.

To manage messages marked as definite spam or likely spam, follow the procedures listed:

1. Choose one of the following responses for messages marked as Definite Spam and Likely Spam:

Response: Effect
No Action: No action is taken for messages.
Permanently Delete: The email message is permanently deleted. CAUTION: If you select this option, your organization risks losing wanted email. Deleted email cannot be retrieved.
Reject with SMTP error code 550: The message is rejected and responds with a 550 error code, which indicates the user's mailbox was unavailable (for example, not found or rejected for policy reasons).
Store in Junk Box (default setting): The email message is stored in the Junk Box. It can be unjunked by users and administrators with appropriate permissions. This option is the recommended setting.
Send to: Forward the email message for review to the specified email address. For example, you could Send To [postmaster].
Tag With: The email is tagged with a term in the subject line, for example, [SPAM]. Selecting this option allows the user to have control of the email and can junk it if it is unwanted.
Add X-Header: This option adds an X-Header to the email with the key and value specified. The first text field defines the X-Header. The second text field is the value of the X-Header. For example, a header of type X-EMSJudgedThisEmail with value DefiniteSpam results in the email header as: X-EMSJudgedThisEmail:DefiniteSpam

2. Select the Accept Automated Allowed List checkbox to allow automated lists that are created by User Profiles to prevent spam. With this feature enabled, User Profiles analyze the recipients of emails from members of your organization and automatically add them to Allowed Lists. This helps reduce false positives, which are good email messages judged as junk. This feature can be configured globally, for particular groups, or for specific users. Dell SonicWALL recommends enabling this feature.

Note: If this checkbox is unchecked in the Corporate, Group, or User windows, User Profiles have no effect.

3. Select the Skip spam analysis for internal email checkbox to exclude internal emails from spam analysis, resulting in a reduced amount of false positives. If you are routing internal mail through the Email Security product, Dell SonicWALL recommends that you enable this feature.

4. Select the Allow users to delete junk email checkbox to allow users to control the delete button on individual junk boxes.

Note: Leave this checkbox unselected if you have an extended away / out of the office message turned on so that your auto-reply does not automatically place all recipients on your Allowed list.

5. Click Apply Changes to save.

Address Books

The Anti-Spam > Address Books page enables you to allow or block people, companies, or mailing lists from sending you email. The page shows a compilation of allowed and blocked senders from your organization's lists and lists provided by default.

If you attempt to add your own email address or your organization's domain, Email Security will display a warning. A user's email address is not automatically added to the allowed list because spammers sometimes use a recipient's own email address. Leaving the address off the allowed list does not prevent users from emailing themselves, but their emails are evaluated to determine if they are junk.

Using the Search Field

To search for an address, enter all or part of the email address in the Search field. For example, entering sale displays sales@domain.com as well as forsale@domain.com. Narrow your search by selecting the People, Companies, or Lists checkbox(es) below the Search field. Click Go to perform the search.

Adding People, Companies, or Lists

To add People, Companies, or Lists to the Allowed or Blocked lists, follow the procedures listed below:

1. From the Anti-Spam > Address Books page, click the Allowed or Blocked tab.
2. Click the Add button.
3. Select the list type (People, Companies, Lists) from the dropdown menu. Enter one or more email addresses, separated by carriage returns, to add to the chosen list. Then, click Add to complete.

When adding addresses, consider the following:

You cannot put an address in both the Allowed and Blocked list simultaneously. If you add an address in one list that already exists on the other, it is removed from the first one.
Email Security will warn you if you attempt to add your own email address or your own organization.
Email addresses are not case-sensitive; Email Security converts the address to lowercase.
You can allow and block email messages from entire domains. If you do business with certain domains regularly, you can add the domain to the Allowed list; Email Security allows all users from that domain to send email. Similarly, if you have a domain you want to block, enter it here and all users from that domain are blocked.
Email Security does not support adding top-level domain names such as .gov or .abc to the Allowed and Blocked lists.
Mailing list email messages are handled differently than individuals and domains because Email Security looks at the recipient's address rather than the sender's. Because many mailing list messages appear spam-like, entering mailing list addresses prevents misclassified messages.

Deleting People, Companies, or Lists

To delete people, companies, or lists from your Address Books, complete the following:

1. From the Anti-Spam > Address Books page, click the Allowed or Blocked tab.
2. Select the checkbox next to the address(es) you want to delete.
3. Click the Delete button.

Import Address Book

You can also import an address book of multiple addresses. Note that users and secondary domains should be added prior to importing their respective address books.

The Address Book file for import must follow specific formatting to ensure successful importing:

<TAB> delimiter between data
<CR> to separate entries

Each address book entry must include each of the following:

Identifier: Specified as <email address / primary domain>
Domain / List / Email: Specified as D / L / E
Allowed / Blocked: Specified as A / B
Address List: Specified as abc@domain.com, example.com

See the following examples:

EmailID<TAB>E<TAB>A<TAB>email1@company.com,email2@company.com<CR>
Domain<TAB>L<TAB>B<TAB>list1@company.com,list2@company.com<CR>

To import Address Books, follow the procedures listed:

1. From the Anti-Spam > Address Books page, click the Import button on either the Allowed or Blocked tabs.
2. Click the Choose File button. Select the correct file from your system.
3. Click the Import button.
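Before importing, a file can be checked against the format above with a short script. The following is an added example, not a tool shipped with Email Security: it validates the four TAB-separated fields, lowercases addresses, rejects bare top-level domains, and flags an address that appears on both the Allowed and Blocked lists. The sample file contents and the address patterns are constructed assumptions.

```python
import re

# Simplified patterns (assumptions for this sketch, not the appliance's rules).
EMAIL_RE = re.compile(r"^[^@\s,]+@([a-z0-9-]+\.)+[a-z0-9-]+$")
DOMAIN_RE = re.compile(r"^([a-z0-9-]+\.)+[a-z0-9-]+$")  # rejects bare TLDs such as .gov

KINDS = {"D": "domain", "L": "mailing list address", "E": "email address"}
LISTS = {"A": "Allowed", "B": "Blocked"}

# Constructed sample import file: TAB between fields, CR between entries.
SAMPLE_FILE = (
    "admin@company.com\tE\tA\tPartner@Example.com,billing@example.org\r"
    "company.com\tD\tB\tspam-source.example,.gov\r"
    "company.com\tL\tA\tnews@lists.example.net\r"
    "admin@company.com\tE\tB\tpartner@example.com\r"
    "company.com\tX\tA\tfoo@example.com\r"
    "company.com\tE\tA\r"
)


def parse_address_book(text):
    """Return (entries, problems); problems is a list of (line number, message)."""
    entries, problems, seen = [], [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) != 4:
            problems.append(
                (lineno, "expected 4 TAB-separated fields, found %d" % len(fields)))
            continue
        identifier, kind, which, addr_field = fields
        if not identifier:
            problems.append((lineno, "missing identifier"))
            continue
        if kind not in KINDS:
            problems.append((lineno, "type must be D, L or E, found %r" % kind))
            continue
        if which not in LISTS:
            problems.append((lineno, "list must be A or B, found %r" % which))
            continue
        pattern = DOMAIN_RE if kind == "D" else EMAIL_RE
        good = []
        for addr in (a.strip().lower() for a in addr_field.split(",")):
            if not pattern.match(addr):
                problems.append((lineno, "%r is not a valid %s" % (addr, KINDS[kind])))
            elif addr in seen and seen[addr][0] != which:
                # The guide states an address cannot be on both lists at once.
                problems.append((lineno, "%r is already %s on line %d" % (
                    addr, LISTS[seen[addr][0]], seen[addr][1])))
            else:
                seen.setdefault(addr, (which, lineno))
                good.append(addr)
        if good:
            entries.append({"identifier": identifier, "type": kind,
                            "list": which, "addresses": good})
    return entries, problems


if __name__ == "__main__":
    entries, problems = parse_address_book(SAMPLE_FILE)
    for entry in entries:
        print("OK  ", entry)
    for lineno, message in problems:
        print("LINE %d: %s" % (lineno, message))
```

The conflict check matters most for security review: an Allowed entry silently displacing a Blocked one (or the reverse) changes who can reach users' inboxes, so it is reported rather than resolved automatically.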

Anti-Spam Aggressiveness

The Anti-Spam > Anti-Spam Aggressiveness page allows you to tailor the Email Security product to your organization's preferences. Configuring this window is optional. Email Security recommends using the default setting of Medium unless you require different settings for specific types of spam blocking.

This section includes the following subsections:

Configuring GRID Network Aggressiveness
Configuring Adversarial Bayesian Aggressiveness Settings
Unjunking Spam
Determining Amounts and Types of Spam
Languages

Configuring GRID Network Aggressiveness

The GRID Network Aggressiveness technique determines the degree to which you want to use the collaborative database. Email Security maintains a database of junk mail identified by the entire user community. You can customize the level of community input on your corporate spam blocking. Selecting a stronger setting makes Email Security more responsive to other users who mark a message as spam.

Use the following settings to specify how stringently Email Security evaluates messages:

If you choose Mildest, you will receive a large amount of questionable email in your mailbox. This is the lightest level of Anti-Spam Aggressiveness.
If you choose Mild, you are likely to receive more questionable email in your mailbox and receive less email in the Junk Box. This can cause you to spend more time weeding through unwanted email from your personal mailbox.
If you choose Medium, you accept Email Security's spam-blocking evaluation.
If you choose Strong, Email Security rules out greater amounts of spam for you. This can create a slightly higher probability of good email messages in your Junk Box.
If you choose Strongest, Email Security heavily filters out spam. This creates an even higher probability of good email messages in your Junk Box.

Configuring Adversarial Bayesian Aggressiveness Settings

The Adversarial Bayesian technique refers to Email Security's statistical engine that analyzes messages for many of the spam characteristics. This is the high-level setting for the Rules portion of spam blocking and lets you choose where you want to be in the continuum of choice and volume of email. This setting determines the threshold for how likely an email message is to be identified as junk email.

Use the following settings to specify how stringently Email Security evaluates messages:

If you choose Mildest, you will receive a large amount of questionable email in your mailbox. This is the lightest level of Anti-Spam Aggressiveness.
If you choose Mild, you are likely to receive more questionable email in your mailbox and receive less email in the Junk Box. This can cause you to spend more time weeding through unwanted email from your personal mailbox.
If you choose Medium, you accept Email Security's spam-blocking evaluation.
If you choose Strong, Email Security rules out greater amounts of spam for you. This can create a slightly higher probability of good email messages in your Junk Box.
If you choose Strongest, Email Security heavily filters out spam. This creates an even higher probability of good email messages in your Junk Box.

Unjunking Spam

Select the Allow users to unjunk spam checkbox if you want to enable users to unjunk spam messages. If unchecked, users cannot unjunk any spam messages.

Determining Amounts and Types of Spam

You can determine how aggressively to block particular types of spam, including sexual content, offensive language, get rich quick, gambling, advertisements, and images. For each of the aforementioned types of spam:

Choose Mildest to be able to view most of the emails that contain terms that relate to these topics.
Choose Mild to be able to view email that contains terms that relate to these topics.
Choose Medium to cause Email Security to tag this email as likely junk.
Choose Strong to make it more likely that email with this content is junked.
Choose Strongest to make it certain that email with this content is junked.

For example, the administrator has determined that they want to receive no email with sexual content by selecting Strong. They are less concerned about receiving advertisements, and selected Mild. You can also select the Allow Unjunk checkbox to allow users to unjunk specific flavors of spam.

Languages

From the Anti-Spam > Languages page, you can allow, block, or enter no opinion on email messages in various languages. If you select No opinion, Email Security judges the content of the email message based on the modules that are installed. After configuring Language settings, click the Apply Changes button.

Note: Some spam email messages are seen in English with a background encoded in different character sets such as Cyrillic, Baltic, or Turkish. This is done by spammers to bypass the anti-spam mechanism that only scans for words in English. In general, unless used, it is recommended to exclude these character sets. Common languages such as Spanish and German are normally not blocked.
Black List Services (BLS)

Public and subscription-based black list services, such as the Mail Abuse Prevention System (MAPS), Real-time Blackhole List (RBL), Relay Spam Stopper (RSS), Open Relay Behavior-modification Systems (ORBS) and others, are regularly updated with domain names and IP addresses of known spammers. Email Security can be configured from the Anti-Spam > Black List Services page to query these lists and identify spam originating from any of their known spam addresses.

Note: Email Security performance may vary if you add Black List Services because each email is placed on hold while the BLS service is queried.

Adding to the Black List

Click Add and enter the server name of the black list service, for example list.dsbl.org. Each black list service is automatically enabled when added.

Email that Arrives from Sources on the Black List Services

Select the Treat all email that arrives from sources on Black List Services as Likely Spam checkbox to prevent users from receiving messages from known spammers. If you select this checkbox, you will be warned that enabling this feature increases the risk of false positives, and you may not receive some legitimate email.

Spam Submissions

The Anti-Spam > Spam Submissions page allows you to manage email that is miscategorized and to create probe accounts to collect spam and catch malicious hackers. Managing miscategorized email and creating probe accounts increases the efficiency of Email Security's spam management. This page enables administrators and users to forward miscategorized email messages to their IT groups, create probe accounts, and accept automated allowed lists to prevent spam.

Managing Spam Submissions

To manage spam submissions, navigate to the Anti-Spam > Spam Submissions page. Then, follow the procedures listed:

1. Enter an Email address for Submitting Missed Spam in the text field. For example, you might address all missed spam email to submitmissedspam@your_domain.com.
2. Enter an email address in the Submitting Junked Good Mail text field. For example, you might address all misplaced good email to submitgood@your_domain.com.
3. Establish one or more Probe Email Accounts. Enter the email address of an account you want to use to collect junk email. The email address does not have to be in LDAP, but it does have to be an email address that is routed to your organization and passes through Email Security. For example, you might create a probe email account with the address probeaccount1@your_domain.com.

   Warning: A probe account should NOT contain an email address that is used for any purpose other than collecting junk email. If you enter an email address that is in use, the owner of that email address will never receive another email, good or junk, again, because all email sent to that address will be redirected to the Dell SonicWALL corporation's data center.
4. Click the Apply Changes button.

Probe Accounts

Probe accounts are accounts that are established on the Internet for the sole purpose of collecting spam and tracking hackers. Email Security suggests that you use the name of a past employee as the name in a probe account, for example, fredjones@example.com. Configure the Probe Email Account fields to create fictitious email accounts; mail that arrives at your organization for these accounts is sent directly to SonicWALL, Inc. for analysis. Adding this junk email to the set of junk email messages that Email Security blocks enhances spam protection for your organization and other users. If you configure probe accounts, the contents of the email will be sent to Dell SonicWALL for analysis.

Managing Miscategorized Messages

The following happens when an email message is miscategorized:

- For false negatives, Email Security adds the sender address of the junked email to the user's Blocked List so that future email messages from this sender are blocked. (The original sender is blacklisted for the original recipient.)
- For false positives, Email Security adds the addresses of good email senders that were unjunked to the user's Allowed List. (The original sender is whitelisted for the original recipient.) If the sender email is the user's own email address, the address is not added to the allowed list, because spammers send email pretending to be from the user. Email sent to and from the same address will always be evaluated to determine if it is junk.
- These messages are sent to the global collaborative database. Good mail that was unjunked is analyzed to determine why it was categorized as junk.

Forwarding Miscategorized Email to Email Security

You must set up your email system so that email messages sent to this_is_spam@es.your_domain.com and not_spam@es.your_domain.com pass through Email Security.
Note: The email addressed to not_spam@es.your_domain.com and this_is_spam@es.your_domain.com must pass through the Email Security system so that it can be analyzed. The same domain as the domain that is used to forward emails to. Using a domain that does not route, such as fixit.please.com, is recommended.

Configuring Submit-Junk and Submit-Good Email Accounts

Mail is considered miscategorized if Email Security puts wanted (good) email in the Junk Box or if Email Security delivers unwanted email to the user's inbox. If a user receives a miscategorized email, they can update their personal Allowed list and Blocked list to customize their email filtering effectiveness. This is similar to running MailFrontier Desktop in conjunction with Email Security and clicking Junk or Unjunk on messages, but it does not require Email Security Desktop to be installed.

The email administrator can define two email addresses within the appropriate configuration page in Email Security, such as this_is_spam@es.your_domain.com and not_spam@es.your_domain.com. As Email Security receives email sent to these addresses, it finds the original email and updates the user's personal Allowed and Blocked lists accordingly.

Note: Users must forward their miscategorized email directly to these addresses after you define them so that the Email Security system can learn about miscategorized messages.

Problem with Forwarding Miscategorized Email

A problem can arise if the user sends an email to this_is_spam@es.your_domain.com, and the local mail server (Exchange, Notes, or other mail server) is authoritative for this email domain and does not forward it to the Email Security system. There are a few ways around this problem; the most common solution is included below as an example. To forward the missed email to Email Security for analysis, follow the procedures listed:

1. Add the this_is_spam and not_spam email addresses as this_is_spam@es.your_domain.com and not_spam@es.your_domain.com into the Email Security Junk Submission text field.

   Note: Create an A and an MX record in your internal DNS that resolves es.your_domain.com to your Email Security server's IP address.
2. Tell users to forward mail to this_is_spam@es.your_domain.com or not_spam@es.your_domain.com. The mail goes directly to the Email Security servers.

Anti-Phishing

Email Security's Anti-Spam, Anti-Phishing > Anti-Phishing feature allows you to protect your organization against email containing fraudulent content. There are two audiences for fraud: the consumer and enterprise users. Email Security focuses on preventing fraud that enters the enterprise via email. Email is an entry point for malicious hackers.

What is Enterprise Phishing?
There are numerous types of enterprise phishing:

- Consumer phishers try to con users into revealing personal information such as social security numbers, bank account information, credit card numbers, and driver's license identification. This is known as identity theft. Recouping from having a phisher steal your identity can take many hours and can cost consumers many dollars. Being phished can bring your life to a virtual standstill as you contact credit card companies, banks, state agencies, and others to regain your identity.
- Enterprise phishers attempt to trick users into revealing the organization's confidential information. This can cost thousands of executive and legal team hours and dollars. An organization's electronic-information life can stop abruptly if hackers deny services, disrupt email, or infiltrate sensitive databases.

Phishing aimed at the IT group in the organization can take the following forms:

- Email that appears to be from an enterprise service provider, such as a DNS server, can cause your organization's network to virtually disappear from the Web.
- Hacking into your web site can cause it to be shut down, altered, or defaced.
- Email might request passwords to highly sensitive databases, such as Human Resources or strategic marketing information. The email might take the form of bogus preventive maintenance.
- Other information inside the organization's firewall, such as Directory Harvest Attacks (DHA) to monitor your users.

Phishing can also take the form of malicious hackers spoofing your organization. Email that appears to come from your organization can damage your community image and hurt your customers in the following ways:

- Spoofed email can ask customers to confirm their personal information.
- Spoofed email can ask customers to download new software releases, which are bogus and infected with viruses.

Preventing Phishing

As with spam, Dell SonicWALL Email Security uses multiple methods of detecting phishing:

- Divergence Detection ensures that all contact points are consistent and legitimate. Contact points include email addresses, URLs, phone numbers, and physical addresses.
- Sender ID tests if the source of an email has permission to send email for that domain. Many Internet domains publish the list of IP addresses that are authorized to send email on their behalf. If the source IP address of an email is not on the domain's list of authorized addresses, Sender ID suggests that the message may be a forgery. Email Security factors Sender ID pass or fail into its junk algorithm, which can be enabled on the Anti-Spam, Anti-Phishing > Anti-Phishing page.
- Domain Keys Identified Mail (DKIM) uses a secure digital signature to verify that the sender of a message is who it claims to be and that the contents of the message have not been altered in transit. A valid DKIM signature is a strong indicator of a message's authenticity, while an invalid DKIM signature is a strong indicator that the sender is attempting to fake his identity. For some commonly phished domains, the absence of a DKIM signature can also be a strong indicator that the message is fraudulent.

Configuring Phishing Protection

To configure your Email Security system to screen for phishing, navigate to the Anti-Spam, Anti-Phishing > Anti-Phishing page, then follow the procedures listed:

1. Click the radio button to choose which action to take for messages identified as Definite Phishing.
2. Click the radio button to choose which action to take for messages that contain Likely Phishing.
3. Select the Allow users to unjunk phishing messages checkbox if you want to allow users to unjunk fraudulent messages.
4. To send copies of fraudulent email messages to a person or people designated to deal with them, enter the recipients' email addresses in the Send copies of emails containing phishing attacks to the following email addresses text box.
5. Click Apply Changes.

Using Email Security's Community to Alert Others

Phishing is continuously evolving and adapting to weaknesses in the organization's network. Malicious hackers use any known weakness to infiltrate the corporate firewall. Email Security has tuned and enhanced its spam-management techniques to prevent phishing. Email Security also collects incidences of phishing and summarizes the email addresses, text, phone numbers, and domains of phishing perpetrators in a database, which stores the thumbprints of the phishing message.

Report Phishing and Other Enterprise Fraud

Email Security alerts organizations to phishing attacks and asks that you report fraudulent email messages to fraud@sonicwall.com. Reporting phishing enables Email Security to alert other users to the phishing attacks you experienced.

Domain Keys Identified Mail (DKIM)

Dell SonicWALL Email Security supports Domain Keys Identified Mail (DKIM) verification of inbound email messages. With the DKIM verification feature, the recipient is able to identify the domain name associated with the sender by validating the DKIM signature in the message. Mail messages are filtered based on three parameters: if the message is DKIM signed, if DKIM verification is successful, and if DKIM is strictly enforced for the domain. After Email Security completes the verification of a message, the results are written into the Junk Summary, as well as in the SMTP X header of the mail message.

Users benefit from DKIM because it verifies legitimate messages and protects against phishing. Remember that DKIM does not prevent spam; proper measures should still be taken against fraudulent content. Dell SonicWALL recommends that DKIM typically not be configured with overly aggressive settings. However, with some domains, such as paypal.com, aggressive DKIM settings may be useful to stop phishing. The recommended setting is to store email messages with invalid DKIM signatures in the Junk Box. See the list below for descriptions of each setting.

To configure settings for the DKIM feature, navigate to the Anti-Spam, Anti-Phishing > Anti-Phishing page. Then, scroll to the DKIM Settings and select the action for an invalid DKIM signature:

- DKIM blocking off (deliver messages to recipients): This is the default setting. All messages are delivered to the recipients.
- Permanently Delete: The email message is permanently deleted. CAUTION: If you select this option, your organization risks losing wanted email.
- Bounce Back to Sender: The message is returned to sender with a message indicating that it was not deliverable.
- Store in Junk Box (recommended for most configurations): The email message is stored in the Junk Box. It can be unjunked by users and administrators with appropriate permissions. This option is the recommended setting.
- Send To: Enter the email address of the person to receive this email.
- Tag With: This email is tagged with a term in the subject line, for example, [DKIM Failed]. Selecting this option gives the user control of the email; the user can junk it if it is unwanted.
- Add X-Header: This option adds an X-Header with the specified key and value to the email message. The first text field defines the X-Header. The second text field is the value of the X-Header. For example, a header of type X-EMSJudgedThisEmail with value fraud results in the email header X-EMSJudgedThisEmail:fraud.

You can also add domains to the list of Enforced DKIM domains, which are domains required to have a DKIM signature. In the DKIM Settings section, click the Add Domain button. In the dialog box that appears, enter the Domains to enforce the DKIM feature and specify the Action for invalid DKIM Signature. Click Save when finished.
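The three filtering parameters above (signed, verified, enforced) can be walked through with this added example, which is not Dell SonicWALL's code. To run offline it verifies only the body hash (bh=) of the DKIM-Signature header as defined in RFC 6376; checking the b= signature also needs the signer's public key from DNS. The domains, the message, the action names and the rule that an enforced domain must sign with its own d= domain are assumptions made for the illustration.

```python
import base64
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr

ENFORCED_DOMAINS = {"bank.example"}  # constructed stand-in for the Enforced DKIM domains list


def parse_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            key = key.strip()
            # base64 tags may be folded across lines, so drop all whitespace in them
            tags[key] = re.sub(r"\s+", "", val) if key in ("b", "bh") else val.strip()
    return tags


def canonical_body(body, mode):
    """Apply RFC 6376 'simple' or 'relaxed' body canonicalization."""
    lines = re.split(r"\r?\n", body)
    if mode == "relaxed":
        # collapse runs of spaces/tabs and ignore whitespace at line ends
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()                      # trailing empty lines are ignored
    text = "".join(line + "\r\n" for line in lines)
    if mode == "simple" and not text:
        text = "\r\n"                    # an empty body hashes as one CRLF
    return text.encode("utf-8")


def body_hash(body, tags):
    """Recompute the value the signer stored in bh=."""
    canon = tags.get("c", "simple/simple")
    mode = canon.split("/")[1] if "/" in canon else "simple"
    data = canonical_body(body, mode)
    if "l" in tags:
        data = data[: int(tags["l"])]    # optional body length limit
    algo = "sha1" if tags.get("a", "").endswith("sha1") else "sha256"
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()


def evaluate(raw, enforced=ENFORCED_DOMAINS, invalid_action="store_in_junk_box"):
    """Return (signed, verified, enforced, action) for one raw message.

    'verified' covers the body hash only; the b= signature is not checked here.
    """
    raw = raw.replace("\r\n", "\n")
    msg = message_from_string(raw)
    body = raw.partition("\n\n")[2]
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    is_enforced = domain in enforced
    sig = msg.get("DKIM-Signature")
    if sig is None:
        # unsigned mail is only acted on when the domain must be signed
        return (False, False, is_enforced, invalid_action if is_enforced else "deliver")
    tags = parse_tags(sig)
    try:
        verified = {"d", "bh", "b"} <= tags.keys() and body_hash(body, tags) == tags["bh"]
    except ValueError:                   # malformed l= tag
        verified = False
    aligned = tags.get("d", "").lower() == domain
    if not verified or (is_enforced and not aligned):
        return (True, verified, is_enforced, invalid_action)
    return (True, True, is_enforced, "deliver")


def sample_message(body, signed=True, from_domain="bank.example", signing_domain=None):
    """Constructed test message; b= is a placeholder because no key is involved."""
    headers = [f"From: Billing <billing@{from_domain}>", "Subject: Invoice"]
    if signed:
        bh = body_hash(body, {"c": "relaxed/relaxed"})
        headers.insert(0, "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\n"
                          f" d={signing_domain or from_domain}; s=sel1; h=from:subject;\n"
                          f" bh={bh};\n b=PLACEHOLDER")
    return "\n".join(headers) + "\n\n" + body
```

A body altered after signing no longer matches bh=, while whitespace changes that a relay may introduce survive relaxed canonicalization.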

Chapter 5 Anti-Phishing

Email Security's Anti-Phishing page allows you to protect your organization against email containing fraudulent content. There are two audiences for fraud: the consumer and enterprise users. Email Security focuses on preventing fraud that enters the enterprise via email. Email is an entry point for malicious hackers.

This chapter contains the following sections:

- What is Enterprise Phishing?
- Preventing Phishing
- Configuring Phishing Protection

What is Enterprise Phishing?

There are numerous types of enterprise phishing:

- Consumer phishers try to con users into revealing personal information such as social security numbers, bank account information, credit card numbers, and driver's license identification. This is known as identity theft. Recouping from having a phisher steal your identity can take many hours and can cost consumers many dollars. Being phished can bring your life to a virtual standstill as you contact credit card companies, banks, state agencies, and others to regain your identity.
- Enterprise phishers attempt to trick users into revealing the organization's confidential information. This can cost thousands of executive and legal team hours and dollars. An organization's electronic-information life can stop abruptly if hackers deny services, disrupt email, or infiltrate sensitive databases.

Phishing aimed at the IT group in the organization can take the following forms:

- Email that appears to be from an enterprise service provider, such as a DNS server, can cause your organization's network to virtually disappear from the Web.
- Hacking into your web site can cause it to be shut down, altered, or defaced.
- Email might request passwords to highly sensitive databases, such as Human Resources or strategic marketing information. The email might take the form of bogus preventive maintenance.
- Other information inside the organization's firewall, such as Directory Harvest Attacks (DHA) to monitor your users.

Phishing can also take the form of malicious hackers spoofing your organization. Email that appears to come from your organization can damage your community image and hurt your customers in the following ways:

- Spoofed email can ask customers to confirm their personal information.
- Spoofed email can ask customers to download new software releases, which are bogus and infected with viruses.

Preventing Phishing

As with spam, Dell SonicWALL Email Security uses multiple methods of detecting phishing:

- Divergence Detection ensures that all contact points are consistent and legitimate. Contact points include email addresses, URLs, phone numbers, and physical addresses.
- Sender ID tests if the source of an email has permission to send email for that domain. Many Internet domains publish the list of IP addresses that are authorized to send email on their behalf. If the source IP address of an email is not on the domain's list of authorized addresses, Sender ID suggests that the message may be a forgery. Email Security factors Sender ID pass or fail into its junk algorithm, which can be enabled on the Anti-Phishing page.
- Domain Keys Identified Mail (DKIM) uses a secure digital signature to verify that the sender of a message is who it claims to be and that the contents of the message have not been altered in transit. A valid DKIM signature is a strong indicator of a message's authenticity, while an invalid DKIM signature is a strong indicator that the sender is attempting to fake his identity. For some commonly phished domains, the absence of a DKIM signature can also be a strong indicator that the message is fraudulent.

Phishing is continuously evolving and adapting to weaknesses in the organization's network. Malicious hackers use any known weakness to infiltrate the corporate firewall. Email Security has tuned and enhanced its spam-management techniques to prevent phishing. Email Security also collects incidences of phishing and summarizes the email addresses, text, phone numbers, and domains of phishing perpetrators in a database, which stores the thumbprints of the phishing message.

Email Security alerts organizations to phishing attacks and asks that you report fraudulent email messages to fraud@sonicwall.com. Reporting phishing enables Email Security to alert other users to the phishing attacks you experienced.
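The Sender ID test described above comes down to checking the connecting IP address against the list a domain publishes. This added example (not Dell SonicWALL's code) evaluates that list in SPF v=spf1 record syntax; the domains, records and addresses are constructed, and a term that would need a further DNS lookup is reported as unresolved rather than guessed.

```python
import ipaddress

# Result names follow the record's qualifiers: + pass, - fail, ~ softfail, ? neutral.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample: TXT records as domains might publish them
# (documentation address ranges only).
PUBLISHED = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 ip6:2001:db8:25::/48 -all",
    "example.net": "v=spf1 include:_spf.example.org ~all",
}


def check_sender(record, source_ip):
    """Evaluate the ip4/ip6/all terms of a v=spf1 record from left to right.

    Returns pass, fail, softfail or neutral, or one of:
      none        no usable record was published
      permerror   the record is malformed
      unresolved  a term needs a DNS lookup, which this offline example skips
    Raises ValueError if source_ip is not an IP address.
    """
    terms = (record or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(source_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":                    # catch-all, normally the last term
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if network.version != int(name[2]):
                return "permerror"           # e.g. an IPv6 range in an ip4 term
            if network.version == ip.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        if name.startswith("exp="):          # explanation text, no effect on the result
            continue
        return "unresolved"                  # include, a, mx, exists, ptr, redirect=
    return "neutral"


def sender_id_result(domain, source_ip, published=PUBLISHED):
    """Look up the constructed record for the sender's domain and evaluate it."""
    return check_sender(published.get(domain.lower()), source_ip)


if __name__ == "__main__":
    for domain, ip in [("example.com", "192.0.2.77"), ("example.com", "203.0.113.9"),
                       ("example.net", "192.0.2.77"), ("example.org", "192.0.2.77")]:
        print(f"{domain:12} {ip:14} {sender_id_result(domain, ip)}")
```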
Configuring Phishing Protection

To configure your Email Security system to screen for phishing, navigate to the Anti-Phishing page, then follow the procedures listed:

1. Under the Action Settings section, click the radio button to choose which action to take for messages identified as Definite Phishing and messages identified as Likely Phishing:

   - No Action: No action is taken for messages.
   - Permanently Delete: The email message is permanently deleted. CAUTION: If you select this option, your organization risks losing wanted email. Deleted email cannot be retrieved.
   - Reject with SMTP error code 550: The message is rejected and responds with a 550 error code, which indicates the user's mailbox was unavailable (for example, not found or rejected for policy reasons).
   - Store in Junk Box (default setting): The email message is stored in the Junk Box. It can be unjunked by users and administrators with appropriate permissions. This option is the recommended setting.
   - Send to: Forward the email message for review to the specified email address. For example, you could Send To [postmaster].
   - Tag With: The email is tagged with a term in the subject line, for example, [PHISHING] or [LIKELY PHISHING]. Selecting this option gives the user control of the email; the user can junk it if it is unwanted.
   - Add X-Header: This option adds an X-Header with the specified key and value to the email message. The first text field defines the X-Header. The second text field is the value of the X-Header. For example, a header of type X-EMSJudgedThisEmail with value Fraud results in the email header X-EMSJudgedThisEmail:Fraud. This option does not take protective action against the email.
2. Under the Miscellaneous section, select the Allow users to unjunk phishing messages checkbox if you want to allow users to unjunk fraudulent messages.
3. To send copies of fraudulent email messages to a person or people designated to deal with them, enter the recipients' email addresses in the Send copies of emails containing phishing attacks to the following email addresses text box.
4. Click Apply Changes.

Chapter 6 Anti-Virus

Dell SonicWALL Email Security's Anti-Virus techniques protect your organization from inbound email-borne viruses and prevent your employees from sending viruses with outbound email. Once Dell SonicWALL Email Security has identified an email message or attachment that contains a virus or is likely to contain a virus, you choose how to manage the virus-infected email. Optional virus-protection modules for the entire organization are available.

This chapter includes the following sections:

- How Virus Checking Works
- Configuring Anti-Virus Protection
- Configuring Flood Protection

How Virus Checking Works

The Anti-Virus modules use virus-detection engines to scan email messages and attachments for viruses, Trojan horses, worms, and other types of malicious content. The virus-detection engines receive periodic updates to keep them current with the latest definitions of viruses. Dell SonicWALL Email Security supports McAfee and Kaspersky virus-detection engines. You can choose to buy and deploy one or both virus-detection engines supported by Email Security. Messages determined to be dangerous by the McAfee or Kaspersky engine are categorized as Viruses.

Dell SonicWALL Email Security also supports the Dell SonicWALL GRID antivirus automatically. GRID virus detection works with the McAfee and Kaspersky virus-detection engines to improve your protection from virus payloads.

When any one of the virus-detection engines is activated, you also get the benefit of Dell SonicWALL Email Security's Time Zero Virus Technology. This technology uses heuristic statistical methodology and virus outbreak responsive techniques to determine the probability that a message contains a virus. If the probability meets certain levels, the message is categorized as Likely Virus. This technology complements the virus-detection engines, and enabling it provides the greatest protection against time zero viruses, that is, during the first hours after a virus is released, when major anti-virus companies have not yet modified their virus definitions to catch it.

Configuring Anti-Virus Protection

To configure Anti-Virus protection, follow the procedures listed:

1. Navigate to the Anti-Virus page of your Email Security solution. If you have licensed more than one virus-detection engine, they will all work in tandem. Licensed virus-detection engines can be used on both inbound and outbound paths. Be sure to select the Inbound or Outbound tab to configure settings for the correct path.
2. Determine how to treat email messages that contain Definite Viruses or Likely Viruses and select the action to take. The following list describes the available actions:

   - No Action: No action is taken for messages.
   - Permanently Delete: The email message is permanently deleted. CAUTION: If you select this option, your organization risks losing wanted email. Deleted email cannot be retrieved.
   - Reject with SMTP error code 550: The message is rejected and responds with a 550 error code, which indicates the user's mailbox was unavailable (for example, not found or rejected for policy reasons).
   - Store in Junk Box (default setting): The email message is stored in the Junk Box. It can be unjunked by users and administrators with appropriate permissions. This option is the recommended setting.
   - Send to: Forward the email message for review to the specified email address. For example, you could Send To [postmaster].
   - Tag With: The email is tagged with a term in the subject line, for example, [VIRUS]. Selecting this option gives the user control of the email; the user can junk it if it is unwanted.
   - Add X-Header: This option adds an X-Header with the specified key and value to the email message. The first text field defines the X-Header. The second text field is the value of the X-Header. For example, a header of type X-EMSJudgedThisEmail with value Virus results in the email header X-EMSJudgedThisEmail:Virus. This option does not take protective action against the email.
3. In the Miscellaneous section, select the Allow Users to Unjunk Viruses checkbox to allow users to view messages with viruses from the Junk Box. The virus is removed before the user accesses the message. This setting allows both Viruses and Likely Viruses to be unjunked.
4. Click Apply Changes.

Checking for Updates

To determine how frequently you want to check for virus definition updates, follow the procedures listed:

1. Click System > Updates. The Updates window appears.
2. Choose a time interval from the dropdown list adjacent to Check for Spam, Phishing, and Virus Blocking Updates. You can select every 5 minutes to every 2 hours.
3. Click the Apply Changes button.

Configuring Zombie and Spyware Protection

Unauthorized software may be running on a computer within your organization and sending out junk email messages such as spam, phishing, viruses, or other unauthorized content. This scenario could happen if your organization was subjected to a virus attack called Trojans or a user downloaded something from the web and unauthorized software was installed without the user's knowledge. These unauthorized software programs that send out malicious content are called Zombies or Spyware.

Dell SonicWALL Email Security's Zombie and Spyware Protection technology brings the same high standard of threat protection available on the inbound email path to email messages leaving your organization through the outbound path.

To enable Zombie and Spyware Protection:

1. Navigate to the Anti-Virus page, and click on the Outbound tab.
2. Select the box Enable Zombie and Spyware Protection.
3. Use the Monitoring for Zombie and Spyware Activity section to configure several alerts to notify the administrator. The following alerts can be sent:

   - Email is sent from an address not in LDAP
   - More than (specify number) messages are identified as possible threats (within the last hour)
   - More than (specify number) messages are sent by one user within the last hour

The following list describes the available Action and Miscellaneous Settings for the Zombie Protection feature:

- Action for messages leaving your organization that are identified as spam, phishing attacks, or other threats. Select one of the following settings:
  - Allow Delivery: Allows the delivery of the message without interference.
  - Permanently Delete: The message is permanently deleted. Use this option with caution since deleted email cannot be retrieved.
  - Store in Junk Box: Stores messages with potential threats in the outbound Junk Box.
- Action for messages leaving your organization in which the From address is not in LDAP. Select one of the following settings:
  - Allow any From address: Allows messages from all email addresses. Note that this is the only option you are able to use if you have not configured LDAP.
  - Permanently delete: The message is permanently deleted. Use this option with caution since deleted email cannot be retrieved.
  - Store in Junk Box: Stores messages from unknown senders in the Junk Box.
- Activate/Deactivate Outbound Safe Mode preventing any dangerous attachments from leaving your organization. Outbound Safe Mode blocks all emails with potentially dangerous attachments from leaving your organization. When there is a new virus outbreak and one or more of your organization's computers is affected, the virus can often propagate itself using your outbound email traffic. Outbound Safe Mode also minimizes the possibility of new virus outbreaks spreading through your outbound email traffic. Select the Safe Mode is on checkbox to enable the Outbound Safe Mode feature.
- When Outbound Safe Mode is on, take this action for any message with dangerous attachments. If you have enabled Outbound Safe Mode, select one of the following actions when a message with dangerous attachments is received:
  - Permanently delete: The message is permanently deleted. Use this option with caution since deleted email cannot be retrieved.
  - Store in Junk Box: Stores messages from unknown senders in the Junk Box.
- Automatically turn Outbound Safe Mode on and alert administrators every 60 minutes that Safe Mode is on if. These settings do not take any action other than alerting the administrator of a potential zombie infection. Select any of the check boxes to send an alert to the administrator if:
  - Email is sent from an address not in the LDAP (within the last hour)
  - More than (specify number) messages are identified as possible threats within the last hour
  - More than (specify number) messages are sent by one user within an hour
- Specify senders that will not trigger alerts or actions. Enter email addresses in this box that you want exempt from Zombie Protection. (This list might include any email addresses that are not in LDAP and email addresses that are expected to send a lot of messages.)
Configuring Flood Protection

The Flood Protection feature supports Zombie Protection by automatically blocking specified users from sending outbound mail when it exceeds the specified Message Threshold.

To enable Flood Protection:

1. Navigate to the Anti-Virus page, and click the Outbound tab.
2. Scroll down to the Flood Protection section. Then, click the Enable Flood Protection checkbox.
3. Configure the following settings:

   - Message Threshold: Specify the number of outbound messages (between 1-10,000) that are sent by a sender. Then, specify the interval (in hours) by selecting a value from the dropdown list. The Flood Protection service activates when a sender has exceeded the number of messages sent within the specified interval of hours.
   - Alert sender when threshold is crossed: Enable this option to alert the sender that he/she has exceeded the organizational threshold. Note that as a result, outbound emails are now affected.
   - Action on outbound message from Flood Senders: Select one of the following options to determine what action is taken on outbound messages from flood sender(s):
     - Permanently delete: The message is permanently deleted. Use this option with caution since deleted email cannot be retrieved.
     - Store in Junk Box: The message is moved to the Junk Box and flagged as likely virus with the category name flood_protection. The administrator is able to unjunk the message, which is then delivered from the outbound path.
     - None: No action is taken; messages go through as usual.
   - Flood Protection Senders Exception List: Found under the Flood Protection > Miscellaneous section, specify the list of outbound senders that are exempt from the Flood Protection rule.
   - Flood Senders List: Users that exceeded the specified Message Threshold values are added to this table by Email Address and the time at which the Flood Sender was found exceeding the threshold. To remove a user from the Flood Senders List, select the checkbox next to the email address(es) you wish to remove, then click the Delete button.

When finished configuring the Flood Protection settings, click the Apply Changes button.
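The zombie alerts and the Message Threshold rule above are both counts over a time window of outbound mail. This added example (not Dell SonicWALL's code) applies them to a constructed outbound log; the addresses, timestamps, log layout and function names are assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data: (time sent, From address, flagged as a possible threat).
BASE = datetime(2024, 1, 15, 9, 0)
LDAP = {"alice@corp.example", "bob@corp.example"}
LOG = sorted(
    # normal user: three messages spread over three hours
    [(BASE + timedelta(minutes=m), "alice@corp.example", False) for m in (0, 90, 180)]
    # infected workstation: six messages in 25 minutes, four of them flagged
    + [(BASE + timedelta(minutes=150 + 5 * i), "bob@corp.example", i % 3 != 0)
       for i in range(6)]
    # From address that does not exist in the directory
    + [(BASE + timedelta(minutes=160), "xk3@corp.example", True)]
)


def find_flood_senders(events, threshold, interval_hours, exceptions=()):
    """Return {sender: time the Message Threshold was first exceeded}.

    events must be in time order. A sender is a flood sender once more than
    `threshold` messages fall inside any window of `interval_hours`.
    """
    if not 1 <= threshold <= 10000:
        raise ValueError("Message Threshold must be between 1 and 10,000")
    window = timedelta(hours=interval_hours)
    exceptions = {address.lower() for address in exceptions}
    recent = defaultdict(deque)          # per sender: send times inside the window
    flood = {}
    for sent, sender, _threat in events:
        sender = sender.lower()
        if sender in exceptions:         # Senders Exception List
            continue
        times = recent[sender]
        times.append(sent)
        while times and sent - times[0] >= window:
            times.popleft()              # forget messages older than the interval
        if len(times) > threshold:
            flood.setdefault(sender, sent)
    return flood


def zombie_alerts(events, ldap, now, per_user_limit, threat_limit, exempt=()):
    """Evaluate the three alert conditions over the hour ending at `now`."""
    since = now - timedelta(hours=1)
    exempt = {address.lower() for address in exempt}
    per_user = defaultdict(int)
    unknown, threats = set(), 0
    for sent, sender, threat in events:
        sender = sender.lower()
        if not since < sent <= now or sender in exempt:
            continue
        per_user[sender] += 1
        threats += bool(threat)
        if sender not in ldap:
            unknown.add(sender)
    return {
        "not_in_ldap": sorted(unknown),
        "threat_messages": threats,
        "threat_alert": threats > threat_limit,
        "busy_senders": {s: n for s, n in per_user.items() if n > per_user_limit},
    }


if __name__ == "__main__":
    print(find_flood_senders(LOG, threshold=5, interval_hours=1))
    print(zombie_alerts(LOG, LDAP, BASE + timedelta(hours=3), 5, 3))
```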

Chapter 7 Auditing

Dell SonicWALL Email Security's Auditing module enables the user to monitor all emails, both inbound and outbound, that pass through Email Security. This allows the user to see where emails have been filtered to, or to locate the destination of a particular email.

The Auditing chapter contains the following sections:
- Searching Inbound and Outbound Emails
- Configuring Auditing
- Using Message Audit

Searching Inbound and Outbound Emails

Inbound emails processed by Email Security are those that originate from outside of your organization, including the total number of junk messages and good messages. Below the search section a list of emails is displayed with the following information:
- the recipient of the email
- where the email is located
- the type of threat the email is identified as
- notes about the email
- attachments from the email
- the subject heading of the email
- the sender of the email
- the timestamp of the email

Outbound emails processed by Email Security are those that come from the recipients of your organization. This includes both junk emails and good emails.

Audit Simple Search

To use the Audit Simple Search Mode, navigate to the Auditing page of your Email Security system, and follow the procedures listed:

1. Search for messages by selecting specific strings from the dropdown list in the following fields: Subject, From, To, or Unique Message ID. Ensure sentence fragments are surrounded by quotation marks.
2. Select the specific date or Show all to search from the dropdown list.

3. Click Search.

Audit Advanced View

This view supports searching on multiple fields to get more granular results. To use Advanced Search, follow the procedures listed:

1. On the Auditing page, click the Advanced View button.
2. To search for specific email threat types or in specific mail locations, select the desired checkboxes.
3. Click Search.

Messages matching your search criteria are displayed. To move quickly through results pages, click in the field that says Page 1 of 5086744 and type the result page you want to view. You can also change the number of messages displayed on each page.

As an example, suppose you wanted to see only messages that were Spam or Likely Spam. Clear all the checkboxes except the Spam and Likely Spam checkboxes. Leave all the locations selected and click Search.

You can also Send Copy To, Download, or Export to csv specific messages.

Send Copy To: To send a copy of specific email messages, select the checkbox next to the message, then click the Send Copy To button. Enter the email address, then click Send.

Download: To download specific messages, select the checkbox next to the message, then click the Download button. The message will download to your local drive.

Export to csv: To export specific messages, select the checkbox next to the message, then click the Export to csv button. The messages are exported as a csv file on your local drive.

Configuring Auditing

The Configure Auditing window on the Auditing page allows you to tailor the Email Security system to your organization's preferences for auditing emails. Configuration in this window is optional. By default, Email Security sets the options to the On position and keeps auditing files for 30 days.

To configure auditing, follow the procedures listed:

1. From the Auditing page, click the Settings button.
2. Select the radio button(s) in the On position for the following:
   - Auditing for inbound email
   - Auditing for outbound email
   - Enable Judgment Details logging
3. Select the length of time from the drop-down list to audit messages. Time ranges from one day to seven years. Click the Apply button.

Using Message Audit

Email Security enables you to diagnose why an email failed through the Message Audit window. To activate the window, click on the desired email address which is displayed in the inbound or outbound tab. Email Security displays the message audit. When the message audit window is open, data is displayed about the actions of the email, such as the IP address of the computer that sent the email, and also the details about the email itself, such as the subject heading and message size.

The following tables describe message actions and message details with their descriptions.

Message Action: Description
- Arrived into gateway from: Shows the IP address from the computer that sent the email. The date and time are taken from the email header.
- Direction: The email is either inbound or outbound.
- Arrival notes: Additional information about the arrival of the email, e.g. if the email arrived encrypted.
- Audit trails: Provides information on what happens to the email on a per recipient basis.

Message Field: Description
- Subject: Subject title of the email
- From: Sender's email address
- To: Recipient's email address
- Date Received: Date and time, taken from the email header
- Message Size: Message size
- Threat: Identifies the threat status of the email
- Category: Identifies the subtype of spam the email is categorized with
- Attachment: Attachments with the email

Judgment Details

The Dell SonicWALL Judgment Details feature allows administrators to view blocked email and determine why it was blocked. This additional information allows them to tune their filters better and reduce false positives.

Judgment Details are a description of why a particular email message was flagged as junk or possible junk by Email Security. This might include keywords, suspicious headers, or other data that indicates a message is not legitimate. This information is only available to administrators.

Email Security has always collected data on why a particular email was rejected. A simplified version of the judgment details appears to users in their junk boxes, explaining that their messages were flagged as having attributes of a particular category of junk mail, including phishing or gambling. Judgment Details for administrators is a much more fine-grained tool that identifies exactly which words, phrases, headers, or contents caused Email Security to put the message in the Junk Box.

Using Judgment Details

Full judgment details are only available if judgment detail auditing has been configured on the auditing page. Auditing must also be turned on, or judgment detail auditing information is not stored. Only administrators can view judgment details.

When judgment detail is being audited, an administrator can view a message. In addition to the existing message details, there will be a list of judgment details.

To view judgment details, follow the procedures listed:

1. Click the Auditing page from the left-hand navigation bar.
2. Configure the search to find the message(s) you are interested in viewing and click Search.
3. Click on the link in the Subject column for the message you want details on.
4. The Message Audit window displays. Your judgment details appear as a part of this window.

The specific fields recorded depend on whether the message was inbound or outbound. Not all fields will appear all the time; fewer judgment details are collected on outbound messages.

Effectiveness Field: Description
- Anti-Virus: The virus scanner that was first to find a virus in the message.
- Policy: The name of the policy that blocked emails with this characteristic.

- People, Companies, Lists: If this message was blocked because of a list you configured, the list item that occurred in the message.
- Anti-Spam Aggressiveness: Depending on the aggressiveness settings you have configured, where the message falls on the sensitivity ratings.
- Significant Keywords and Phrases Found: The words in the email that increased the email's score.
- Spammer's Tricks: The known spammer tricks that have been coded against. Only the first-found spammer trick is reported in this window.
- Language Detected: The language the email is in. Some organizations block languages they do not expect.
- GRID Network: Reports from other users about this email.
- Reputation: The sender ID.
- Misc: The reason a message was allowed through without checking. This is usually because the message is from a sender in the same domain as the recipient.


Chapter 8 Policy & Compliance

Dell SonicWALL Email Security's Policy Management feature enables you to write policies to filter messages and their contents as they enter or exit your organization. Policies can be defined only by an administrator. Typical uses of policies include capturing messages that contain certain business terms, such as trademarked product names, company intellectual property, and dangerous file attachments.

Email Security and Mail Threats

Dell SonicWALL Email Security determines that an email fits only one of the following threats: Spam, Likely Spam, Phishing, Likely Phishing, Virus, Likely Virus, Policy Violation, or Directory Harvest Attack (DHA). It uses the following precedence order when evaluating threats in email messages:

1. Virus
2. Likely Virus
3. Policy Filters
4. Phishing
5. Likely Phishing
6. Spam
7. Likely Spam

For example, if a message is both a virus and a spam, the message will be categorized as a virus since virus is higher in precedence than spam. If Dell SonicWALL Email Security determines that the message is not any of the above threats, it is delivered to the destination server.

Standard Module vs. Compliance Module

The Email Security Policy & Compliance Module is divided into two subsections:

Standard Module: This module comes activated through the Email Security Base License Key that deploys with Email Security and includes access to the following features in the left-hand navigation menu:
- Managing Filters
- Policy Groups

Compliance Module: This module is accessible through the optional purchase of a Compliance Subscription License Key. The module contains the following features in the left-hand navigation menu:
- Dictionaries
- Approval Boxes
- Encryption
- Record ID Definitions
- Archiving

Basic Concepts for Policy Management

Policy Management enables you to filter email based on message contents and attachments. You can filter for specific terms that you want, such as terms in your product or terms you do not want in your organization's email.

You manage policy by creating filters in which you specify the words to search for in content, senders, or other parts of the email. After filtering for specified characteristics, you can choose from a list of actions to apply to the message and its attachments.

Note that any of the policies configured in the Policy section take precedence over any configurations made in the Allowed List entries.

Defining Word Usage

In the context of Policy Management, a word is a series of alphabetic characters and numbers with no spaces.

Punctuation (character): example
- Slash (/): http://example.com

Punctuation allowed as first or last character but not in the middle:
- Dollar sign ($): $100
- Percent sign (%): 100%

Punctuation allowed in the middle but not as first or last character:
- Period (.): http://example.com is allowed. .mail or mail. are not allowed.

- At sign (@): ktran@sonicwall.com
- Ampersand (&): AT&T
- Colon (:): http://example.com
- Hyphen (-): xxx-yyy

All other punctuation is used as word separators to split words. Punctuation included in this category includes the following characters: ~! # ^ * + = { } [ ] ; " < >,? \ `()"

For example, X~Y is treated as two words, X and Y.

Defining Email Address Matching

Policy Management can do intelligent matching for email addresses in the From and To/CC/BCC fields. Each row below is an address field, followed by the result for the matching strings jdoe, company.com and jdoe@company.com:
- jdoe@company.com: jdoe is a Match; company.com is a Match; jdoe@company.com is a Match
- asmith@company.com: jdoe is No Match; company.com is a Match; jdoe@company.com is No Match
- jdoe@yahoo.com: jdoe is a Match; company.com is No Match; jdoe@company.com is No Match

Defining Intelligent Email Attachment Matching

When you create a policy to detect attachments based on file extension, by default, Email Security will do simple matching based on the specified file extension. If the attachment has been renamed to have a different file extension, this simple matching will not detect that.

To accurately detect attachments without relying on the file extension, select the Intelligent Attachment Matching checkbox. For example, an executable attachment renamed to a .txt extension can be matched as an executable. Email Security supports Intelligent Attachment Matching for the following file extensions.

File Format: Extension
- Bitmap format: .bmp
- FITS format: .fits
- GIF format: .gif
- Graphics Kernel System: .gks
- IRIS rgb format: .rgb
- ITC (CMU WM) format: .itc
- JPEG File Interchange Format: .jpg
- NIFF (Navy TIFF): .nif
- PM format: .pm

- PNG format: .png
- Postscript format: .[e]ps
- Sun Rasterfile: .ras
- Targa format: .tga
- TIFF format (Motorola - big endian): .tif
- TIFF format (Intel - little endian): .tif
- X11 Bitmap format: .xbm
- XCF Gimp file structure: .xcf
- Xfig format: .fig
- XPM format: .xpm
- Bzip: .bz
- Compress: .Z
- gzip format: .gz
- pkzip format: .zip
- TAR (pre-posix): .tar
- TAR (POSIX): .tar
- MS-DOS, OS/2 or MS Windows: .exe
- Unix elf
- pgp public ring
- pgp security ring
- pgp encrypted data

Defining Disguised Text Identification

Dell SonicWALL Email Security provides disguised text identification to prevent users in your organization from sending or receiving messages with unwanted words with substituted, inserted, constructed, or deleted characters. Traditional word matching or spell checking finds exact matches or known frequent misspellings, such as hte for the. Disguised text identification is as simple and intuitive as traditional word matching, and is more powerful than using regular expressions to find specific words or terms. In addition, it is far easier to use and less potentially dangerous than regular expressions.

Disguised text identification provides the following types of matches:

Variations: Resulting Words or Phrases
- Constructed characters: \/ for V, or \/\/ for W, for example, \/\/ork at home
- Inserted characters: - or _, for example, c-o-m-m-e-n-t or f_e_e_s
- Substituted characters: @ for a or 1 for i, for example, p@ntyhose or Sat1sfact10n

- Deleted characters: wnderful opprtunty
- Imaginative spelling: Purrfection or garunteeed suxess

Note: Disguised text identification might result in false positives due to unexpected conditions, and can be computationally intensive.

Disguised text identification is not meant to be a spam catcher. Email Security has developed extensive heuristic statistical techniques for catching spam. Instead, this feature allows you to detect terms that are important to your organization and build policies based on them. You can use this feature to capture specific terms, for example, to route incoming messages that contain your product's name with appropriate trademarks to your sales departments. It can also be used to filter outgoing mail. As an example, if your organization prohibits sending source code outside of the company, you could use various programming keywords as search terms and route messages with those terms to the appropriate manager.
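To make the variation types in the Disguised Text Identification table concrete, here is an added sketch (not the product's algorithm, which the guide does not describe) that undoes constructed, substituted and inserted characters and then tolerates deleted characters with a bounded edit distance. The substitution of 0 for o, the edit budget and all function names are assumptions of this example.

```python
import re

# Constructed characters, longest drawing first (guide examples: \/ for V, \/\/ for W)
CONSTRUCTED = (("\\/\\/", "w"), ("\\/", "v"))
# Substituted characters: @ for a and 1 for i are from the guide; 0 for o is an
# assumption taken from its Sat1sfact10n example.
SUBSTITUTED = str.maketrans("@10", "aio")
# Inserted characters: single letters or digits separated by - or _ (c-o-m-m-e-n-t)
SPACED_OUT = re.compile(r"(?<![a-z0-9])[a-z0-9](?:[-_][a-z0-9])+(?![a-z0-9])")


def normalize(text):
    """Undo constructed, substituted and inserted characters, in that order."""
    text = text.lower()
    for drawn, letter in CONSTRUCTED:
        text = text.replace(drawn, letter)
    text = text.translate(SUBSTITUTED)
    return SPACED_OUT.sub(lambda m: re.sub(r"[-_]", "", m.group()), text)


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_disguised(text, terms):
    """Return (term, matched token) pairs for single-word terms found in text."""
    tokens = re.findall(r"[a-z0-9]+", normalize(text))
    hits = []
    for term in terms:
        target = normalize(term)
        # Assumed budget: no fuzziness for short terms, a quarter of the length
        # otherwise. A larger budget catches more spellings and more innocent words.
        budget = 0 if len(target) < 6 else len(target) // 4
        for tok in tokens:
            if abs(len(tok) - len(target)) <= budget and edit_distance(tok, target) <= budget:
                hits.append((term, tok))
                break
    return hits


if __name__ == "__main__":
    # Constructed sample lines built from the guide's own example words.
    for line in ["\\/\\/ork at home", "c-o-m-m-e-n-t on f_e_e_s",
                 "p@ntyhose and Sat1sfact10n", "a wnderful opprtunty"]:
        print(repr(line), "->", repr(normalize(line)))
    print(find_disguised("a wnderful opprtunty", ["wonderful", "opportunity"]))
```

Because digits are rewritten before matching and near-misses are accepted, a wider edit budget trades missed variants for false positives, which is the trade-off the note above warns about.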
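The difference between simple extension matching and the Intelligent Attachment Matching described earlier in this chapter can be shown with content signatures. This is an added example, not the product's implementation: the signature table holds well-known file magic numbers for a subset of the listed formats, and the attachment samples are constructed.

```python
import os

# (offset, signature, type). Types reuse the extensions from the guide's table, in
# lower case; "elf" has no extension there. The signatures are well-known magic
# numbers chosen for this example; the product's own detection list is not shown.
SIGNATURES = [
    (0, b"MZ", ".exe"),              # MS-DOS, OS/2 or MS Windows executable
    (0, b"\x7fELF", "elf"),          # Unix elf
    (0, b"PK\x03\x04", ".zip"),      # pkzip
    (0, b"\x1f\x8b", ".gz"),         # gzip
    (0, b"\x1f\x9d", ".z"),          # compress
    (0, b"BZh", ".bz"),              # bzip
    (0, b"\x89PNG\r\n\x1a\n", ".png"),
    (0, b"GIF87a", ".gif"),
    (0, b"GIF89a", ".gif"),
    (0, b"\xff\xd8\xff", ".jpg"),
    (0, b"MM\x00*", ".tif"),         # TIFF, Motorola big endian
    (0, b"II*\x00", ".tif"),         # TIFF, Intel little endian
    (257, b"ustar", ".tar"),         # POSIX tar keeps its magic at offset 257
]


def sniff(data):
    """Return the type indicated by the content, or None if no signature matches."""
    for offset, magic, kind in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return kind
    return None


def simple_match(filename, blocked):
    """Default behaviour: look at the file extension only."""
    return os.path.splitext(filename)[1].lower() in blocked


def intelligent_match(filename, data, blocked):
    """Match on the extension or on what the content actually is."""
    return simple_match(filename, blocked) or sniff(data) in blocked


def renamed_attachments(attachments, blocked):
    """Names that only content inspection catches, i.e. renamed attachments."""
    return [name for name, data in attachments
            if not simple_match(name, blocked) and intelligent_match(name, data, blocked)]


# Constructed attachments: (file name, leading bytes of the content).
SAMPLE_ATTACHMENTS = [
    ("setup.exe", b"MZ\x90\x00" + bytes(60)),      # executable with its real name
    ("invoice.txt", b"MZ\x90\x00" + bytes(60)),    # executable renamed to .txt
    ("photo.jpg", b"PK\x03\x04" + bytes(26)),      # zip archive renamed to .jpg
    ("notes.txt", b"Meeting notes for Monday\n"),  # ordinary text
]

if __name__ == "__main__":
    blocked = {".exe", ".zip"}
    for name, data in SAMPLE_ATTACHMENTS:
        print(name, "simple:", simple_match(name, blocked),
              "intelligent:", intelligent_match(name, data, blocked))
```

Short signatures such as the two-byte MZ can also occur at the start of ordinary text, so content matching has its own false positives.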

Inbound vs. Outbound Policy Filters

Organizations can create policies to deal with both inbound and outbound messages. To create inbound policies, select the Inbound tab and click Add New Filter. Policies created on the inbound path cannot be shared with the outbound path and vice versa. To create outbound policies, select the Outbound tab and click Add New Filter. See "Managing Filters" for examples of adding inbound and outbound policies.

Preconfigured Inbound Filters

New installations of Dell SonicWALL Email Security ship with preconfigured filters. These preconfigured filters are not enabled by default.

Junk Emails with Attachments over 4MB
This filter, Junk Emails with Attachments Over 4MB, stores all incoming email messages over 4MB in size in the Junk Box.

Strip Potentially Dangerous File Attachments
This filter, Strip Potentially Dangerous File Attachments, strips all attachments from the incoming email messages that triggered the filter conditions. Enable and edit this rule if you want to allow some of these attachments and not others.

PGP: Decrypt
This filter, PGP: Decrypt, sends encrypted inbound messages to the PGP Universal Server for decryption. PGP is often used for signing, encrypting, and decrypting texts, emails, files, and directories.

Strip Picture and Movie Attachments
This filter, Strip Picture and Movie Attachments, strips all attachments from the incoming email messages that triggered the filter conditions. Enable and edit this rule if you want to allow some of these attachments and not others.

Detect Personal Health Information (PHI) Records in Inbound Mails
This filter, Detect Personal Health Information (PHI) Records in Inbound Mails, detects personal health information by utilizing the Medical Drug Names pre-defined dictionary as an identifying tool.

Detect Corporate Financial Information in Inbound Mails
This filter, Detect Corporate Financial Information in Inbound Mails, detects corporate financial information in the subject line or body of an email by utilizing the Financial Terms predefined dictionary as an identifying tool.

Detect Personal Financial Information (PFI) Records in Inbound Mails
This filter, Detect Personal Financial Information (PFI) Records in Inbound Mails, detects personal financial information by using the Record ID definitions feature as an identifying tool, looking for mails that match Social Security Number and Credit Card Number formats.

PGP: Decrypted by PGP
This filter, PGP: Decrypted by PGP, delivers messages decrypted by the PGP server to the internal mail server.

Preconfigured Outbound Filters

New installations of Dell SonicWALL Email Security ship with preconfigured filters. These preconfigured filters are not enabled by default.

Detect Personal Financial Information (PFI) Records in Outbound Mails
This filter, Detect Personal Financial Information (PFI) Records in Outbound Mails, detects personal financial information by using the Record ID definitions feature as an identifying tool, looking for mails that match Social Security Number and Credit Card Number formats.

Detect Personal Health Information (PHI) Records in Outbound Mails
This filter, Detect Personal Health Information (PHI) Records in Outbound Mails, detects personal health information by utilizing the Medical Drug Names pre-defined dictionary as an identifying tool.

PGP: Deliver Encrypted Msg
This filter, PGP: Deliver Encrypted Msg, delivers the encrypted message to the external recipient.

PGP: Encrypt
This filter, PGP: Encrypt, sends outbound messages to the PGP Universal Server for encryption. PGP is often used for signing, encrypting, and decrypting texts, emails, files, and directories.

Send Secure Mail: Deliver Message via SecureMail Server
This filter, Send Secure Mail: Deliver Message via SecureMail Server, delivers messages using the SecureMail Server.

Detect Corporate Financial Information in Outbound Mails
This filter, Detect Corporate Financial Information in Outbound Mails, detects corporate financial information in the subject line or body of an email by utilizing the Financial Terms predefined dictionary as an identifying tool.

Send Secure Mail: Deliver Message via Encryption Service
This filter, Send Secure Mail: Deliver Message via Encryption Service, delivers messages using the Encryption Service.

Adding Filters

A Policy Filter is an action or actions you want Email Security to take on messages that meet the conditions you define. Dell SonicWALL's Policy Management module enables you to filter email as it enters or exits your organization. Note that Policy Management is a tool only for administrators; policies cannot be managed individually and are not user-configurable.

To create and manage policy filters, follow the procedures listed.

1. Navigate to the Policy & Compliance > Filters page.
2. Select the Inbound or Outbound tab to create filters for inbound or outbound email messages, respectively.

3. Click the Add New Filter button. The Add Filter window displays.
   Note: The fields in the window change based on the action you choose.
4. The Enable this Filter checkbox is checked by default. Uncheck the checkbox to create rules that do not go into effect immediately.
5. Choose whether the filter matches All of the conditions or Any of the conditions:
   - All: Causes email to be filtered when all of the filter conditions apply (logical AND)
   - Any: Causes email to be filtered when any of the conditions apply (logical OR)
6. Choose the parts of the message to filter.

Select: Definition
- Judgement: The server's assessment of a categorized message threat
- From: Filter by the sender's name
- To/Cc/Bcc: Filter by the names in the To: cc: or bcc: fields
- Subject: Filter by words in the subject
- Body: Filter based on information in the body of the email
- Subject or Body: Filter based on information in the subject and body of the email

- Subject, Body, or Attachments: Filter based on information in the subject, body, and attachments of the email
- Message header: Filter by the RFC822 information in the message header fields, which includes the return path, date, message ID, received from, and other information
- Attachment name: Filter attachments by name
- Attachment contents: Filter based on information in the email attachments
- Size of message: Filter messages based on the size of the message
- Number of recipients: Filter messages based on the number of recipients
- RFC 822 Byte Scan: Scan the entire email message

7. Choose the matching operation. The choices for matching operation vary with the message part being matched against. The following table describes the matching operations available.

Type: Explanation. Example.
- With Specific Word: Equivalent to "Find the whole word only". Search for the word "Mail" from the subject line "This is Mail" will match. Search for the word "Mail" from the subject line "This is MailFrontier" will not match.
- Without Specific Word: Not equivalent to "Find the whole word only".
- With Specific Phrase: Equivalent to "Find complete phrase". Search for the words "is Mail" from the subject line "This is Mail" will match. Search for the words "is Mail" from the subject line "This is MailFrontier" will not match.
- Without Specific Phrase: Not equivalent to "Find complete phrase".
- Starts With: The message part being searched for should start with the search value. Search for "This" from the subject line "This is Mail" will match.
- Ends With: The message part being searched for should end with the search value. Search for "is Mail" from the subject line "This is Mail" will match.
- Is: Only the search criteria should exist (exact match). Search for the word "Mail" from the subject line "This is Mail" will not match. Search for "is Mail" from the subject line "is Mail" will match.
- Is Not: Only the search criteria should not exist. Search for the phrase "is Mail" from the subject line "This is MailFrontier" will match.
- Contains: Substring search. Search for "is Mail" from the subject line "This is Mail" will match.
- Does not Contain: Substring search does not match.

8. Enter the words or phrase that you want to filter in the Search Value text box. Select the appropriate check boxes.
   - Match Case: Filters a word or words sensitive to upper and lower case.
   - Intelligent Attachment Matching: Filters attachment names, such as .exe or .zip.
   - Disguised Text Identification: Filters disguised words through the sequence of their letters, for example Vi@gr@.

Note: Disguised Text Identification cannot be used together with Match Case and can be selected only for Body and Subject message parts.

If the Compliance Module is active, the administrator has additional filtering conditions that can be set. The Use Dictionary option of using terms from a dictionary can be selected, as well as the Use Record Match option, which looks for numbers such as telephone numbers or social security numbers.

1. Click the plus sign (+) to add another layer of filtering. See "Junk Emails with Attachments over 4MB". You can add up to 20 filters. Filters are similar to rock sifters: each additional filter adds further screens that test email for additional conditions.
2. Choose the response action from the Action drop-down list.

Action: Effect
- Log as event: The email message is logged. No further processing in Policy management occurs (default). This option stores a log of all messages so that the administrator has a record and can analyze traffic patterns. The log is in the mfe log. NOTE: Policy management logs all messages as events regardless of the action specified.
- Permanently delete: The email message is permanently deleted and no further processing occurs in any Dell SonicWALL Email Security module. This option does not allow the user to review the email and can cause good email to be lost.
- Store in Junk Box: The email message is stored in the Junk Box. It can be unjunked by users and administrators with appropriate permissions. The user has the option of unjunking the email.
- Store in Approval Box: The email message is stored in the Approval Box. It will not be delivered until an administrator approves it for delivery.
- Bounce back to sender: The message is returned to sender with an optional message indicating that it was not deliverable.
- Deliver and bounce: The message is delivered to the recipient and is bounced back to the sender with an optional message.
- Deliver and skip Spam and Phishing Analysis: The message is delivered without spam or phishing analysis.
- Route to: The message is routed to the specified email address. The message can be routed to only one email address.
- Deliver and route to: Deliver to the recipients and also route to the specified email address. The message can be routed to only one email address.

- Tag subject with: The subject of the email is tagged with the specified term.
- Strip all attachments: Remove all the attachments from the email.
- Append text to message: The specified text is appended to the message body.
- Issue email notification: Sends an email notification to the recipients of the email that triggered the rule.
- Add X-header to message: Adds an X-header to the email.
- Remove X-header from message: Removes an X-header from an email.
- Route to IP: The message is routed to the specified IP address. The message can be routed to only one IP address.
- Deliver and Route to IP: Deliver to the recipients and also route to the specified IP address. The message can be routed to only one IP address.
- Route Copy to Archive: A copy of the message is routed to the archive.
- Encrypt: Message is sent to the encryption center for encryption. This action is used for outbound messages. The administrator must provide a name or IP address of SMTP server for encryption at the Policy & Compliance > Compliance Module > Encryption page.
- Decrypt: Message is sent to the decryption center for decryption. This action is used for inbound messages. The administrator must provide a name or IP address of SMTP server for encryption at the Policy & Compliance > Compliance Module > Encryption page.

When no additional filtering is required on a message, select the Stop processing policy filters checkbox. This checkbox is automatically selected and grayed out when you have selected a terminal action.

If additional actions need to be performed on the same message, select the plus sign (+) to the right. You cannot add the same action more than once to a specific filter rule. As a result, once an action has been selected, it will not be available in the drop-down list for further selection within the current filter rule.

3. Type a descriptive name in the Filter Name text box.
4. Select a policy group you want to apply this filter to. By default, All Groups will be selected and this filter will apply to all email messages.
5. Click the Save This Filter button.

Language Support

Policy management supports filtering messages based on non-English terms in the Search Value. For example, you can search for a Japanese word or phrase in the body of a message. However, Dell SonicWALL Email Security does not support adding text strings to email messages in languages other than English and does not support foreign language filter names.

Note: To view messages in Asian languages, you might need to install East Asian Language Packs on the server where you run Email Security (for Windows only). This applies to deployments using the Dell SonicWALL Email Security Software Edition.

Managing Filters

The main Policy Management page lists all the filters created in the system for the Inbound and Outbound path. From this view, you can Add New Filter, Change the order of filters, Edit or Delete filters. Filters that have been enabled are indicated with a green tick mark.

Editing a Filter

To change a filter that has been saved, follow the procedures below:

1. Click the Edit button adjacent to the filter to be changed.
2. Change any of the filter conditions.
3. Click Save This Filter.

Deleting a Filter

To delete a filter, click the Delete button adjacent to the filter.

Changing Filter Order

Filters are processed in the order they appear. To change the order of the filters, use the up and down arrow icons to the left of the filters.

Advanced Filtering

Creating a Multi-Layered Filter

You can create filters with multiple conditions chained together and multiple actions to be performed on the message, if the specified conditions are met.

For example, if the email message is
- sent from NASA, and
- the body contains the word Mars,
then take the following actions:
- Tag the subject with the term [Mars Update from NASA], and
- Route the message to engineering.

To create a multi-layered filter, follow the procedures below:

1. Click the Add New Filter button from the Policy & Compliance > Filters > Inbound module.
2. Select All conditions to be met.
3. With the With Specific Words operation, search for nasa.org in the message part From.
4. Select the + button to the right to add another condition.
5. With the With Specific Words operation, search for Mars in the message part Body. Enable Match Case to get an exact case match.
6. Select the action Tag Subject With. Set the Tag field to [Mars Update from NASA]. Make sure the "and stop processing policy filters" checkbox is not enabled.
7. Select the + button to the right to add another action.
8. Select the action Route To and set the To field to engineering@company.com. Select the "and Stop Processing Policy Filters" checkbox to stop further policy filtering on this message.
9. Select the Save This Filter button.

Configuring a Policy Filter for Outbound Email to Include a Company Disclaimer Message

To add a company disclaimer to the end of each outgoing message from your organization, you would set the policy filter in this way. If an email is
- sent from anyone at sonicwall.com,
then take the following actions:
- Append text to the end of the message, "This is my company disclaimer".

To create the outbound policy filter, perform the following steps:

1. In the Email Security management interface, browse to the Policy & Compliance > Filters screen, and click the Outbound tab.
2. Click the Add New Filter button.
3. Select All conditions to be met.
4. Select From in the Select drop-down list, and select Contains in the Matching drop-down list.
5. In the Search Value field, type sonicwall.com.
6. To protect against internal spammers or zombies, click the plus sign icon to add another condition.
7. Select Judgement in the Select drop-down list, and select is good in the Matching dropdown list.
8. Select the action Append text to message.
9. In the Message text write: This is my company disclaimer.
10. Name the filter Outbound Disclaimer.
11. Select Apply to Everyone from the dropdown menu in the Apply this filter to: section.
12. Click the Save This Filter button.

Configuring a Policy Filter for Inbound Email

To filter email messages sent to your organization that are not judged as spam but contain the words job application in the subject or body of the email message, you would set the policy filter this way:

If an email is
- Not judged as spam
- The subject or body of the email contains the words job application
then take the following actions: route the email to hr@sonicwall.com

To create the inbound policy filter, follow the procedures listed:
1. Select Add New Inbound Filter button.
2. Select All conditions to be met.
3. Judgement operation, matching is not spam.
4. Select the + button to the right to add another condition.
5. With specific phrase operation, search for job application in the message part Subject or Body.
6. Select the action Route to and enter the email address hr@sonicwall.com in the To: field.
7. Name the filter Resume Routing.
8. Select Apply to Everyone from the dropdown menu in the Apply this filter to: section.
9. Select the Save This Filter button.

Exclusive Actions

The action named Permanently delete is an exclusive action. It is terminal in nature, and no further policy filtering is possible after this action has been performed. The Stop Processing Policy Filters checkbox will be automatically enabled and grayed out if an exclusive action is selected.

Parameterized Notifications

Dell SonicWALL Email Security supports parameterized notifications, wherein you can use predefined parameters in the text fields for the Issue Email Notification action. These parameters will get substituted with corresponding values when the message is processed. You can use these parameters in either the Subject or Message Text fields of the Issue Email Notification action. The parameters can be used multiple times and are substituted each time they are used. Each parameter entered should start and end with the % symbol.
Parameter             Value
%SUBJECT%             the Subject: content from the triggering email
%FROM%                the From: content from the triggering email
%ATTACHMENT_NAMES%    a comma-separated list of attachment names from the triggering email
%FILTER_NAME%         the name of the policy filter which took the action on the triggering email
%MATCHED_RECORDID%    the Record ID file name which has a matching pattern in the triggering email
%MATCHED_TERM%        the Dictionary term which matched in the triggering email

Policy Groups

In some cases, it may be appropriate to associate a policy filter with a group of users rather than the entire organization. For example, you may want a policy filter to be applied to all incoming email messages sent to your sales team and no one else in your organization.

If you want policy filters you create to be applied to a particular group of users, you first have to create policy groups from LDAP. Policy groups, once created, can be associated with either inbound or outbound policies.

To manage policy groups, select the Policy Groups link under the Policy & Compliance module. From this screen, you can manage all policy groups for your Dell SonicWALL Email Security setup.

To add a new policy group, select the Add New Group button. From the pull-down menu, select one of three methods to locate a desired group:

equal to (fast)           search using the actual name
starting with (medium)    search using the first few characters
containing (slow)         search using a substring of characters

Once the list of group names is displayed, select the checkbox of the group you wish to add. Click on the Add Group button.

To remove a group, check the group(s) to be removed and select the Remove Group button.

You can view the members of a group by selecting that group and clicking on the List Group Members button.

If a user is present in more than one group, that user is treated as a member of the group that is listed highest in the list. To change the order in which groups are listed, use the up and down arrow icons to the left of the groups. For example, in the above illustration, if jdoe@company.com is listed under both SalesEngineering and Sales, the policy filter that is associated with SalesEngineering will be applied to email messages for jdoe@company.com.

Multiple LDAP Groups

To manage policy groups from multiple LDAP servers, follow the procedures listed:
1. Navigate to the Policy & Compliance > Policy Groups page.
2. Select the LDAP source and click the Go button. You are connected to that LDAP server.
3. Click the Add Group button. The groups on that LDAP server are retrieved and presented.
4. Choose the groups you want to add policies to.
5. When you have selected the groups, click the Add Group button. Your groups are added.
6. You can now apply policies to these groups.

If a user is a member of more than one group, actions will only be taken on the first group the system reads.

Email Address Rewriting

In a multiple LDAP server environment, administrators can map incoming or outbound email addresses to new apparent domains. This feature also allows you to expand an email list into its constituent members.

To configure Email Address Rewriting on a per-LDAP basis, perform the following procedures:
1. Log in as the Email Security administrator.
2. Navigate to the System > Network Architecture page.
3. Click the Add New Rewrite Operation button.
4. In Type of Operation, choose LDAP Rewrite to Primary. If you are on the Inbound tab, you could also choose LDAP Email List Expansion.
5. Enter the information for the operation you have chosen.
6. Enter a name for the rewrite operation.
7. Click Save This Rewrite Operation.

Compliance Module

This module is accessible through the optional purchase of a Compliance Subscription License Key and enables organizations to make efforts in ensuring that email complies with relevant regulations and/or corporate policies. Once the Compliance Module is activated, the network administrator has access to the new Encryption and Archiving features in addition to features such as additional filtering tools that enhance the Standard Module.

Note: When the Compliance Module license expires, filters that were created during the valid license period will continue to work, taking advantage of the advanced features. However, the administrator will not be able to add any new filters to use licensed features until a license to the module is obtained.

Dictionaries

A dictionary is a convenient collection of words or phrases that you can group together for use in policy filters. A dictionary can be specified as a search value in a policy filter. Dictionaries can be created or modified either manually or by importing from a file in the file system.

A predefined dictionary is a group of words or phrases all belonging to a specific theme, such as medical or financial terms, which can be used as a database of words that filters can look for. By default, Email Security provides two pre-installed dictionaries:
- Medical Drug Names
- PGP_AnyPartMsg_SpecificPhrase
- PGP_EmailHeader_SpecificWord
- Financial Terms
- PGP_AnyPartMsg_SpecificWords

These dictionaries may be modified by clicking the edit button.

Add New Dictionary

To manually add a dictionary, follow the procedures listed below:
1. Click on the Add New Dictionary button.

2. Enter a word or phrase under Dictionary Terms and click Add Term. Repeat for all the terms you want to add to the dictionary.
3. Give your dictionary a name.
4. Click Save Dictionary. You will automatically be returned to the Policy & Compliance > Compliance > Dictionaries module.

Import Dictionary

To import a dictionary from a file on the file system, follow the procedures listed:
1. Click on the Import Dictionary button.
2. Choose to name a new dictionary or to replace an existing dictionary by selecting the appropriate radio button next to your selection.
3. Find the import file by browsing to the correct location. The imported file should contain one word or phrase per line, and each line should be separated by <CR>.
4. Click the Import button.

Approval Boxes

An Approval Box is a list of stored email messages that are waiting for an administrator to take action. They will not be delivered until an administrator approves them for delivery.

The View Approval Box drop-down list allows you to have two different views of Approval Boxes: the Manager view and the individual approval box view.

To see a list of the Approval Boxes that have been created, select Approval Box Manager from the pull-down menu in the View box. The Approval Box Manager view allows you to edit or delete existing Approval Boxes, and to create new Approval Boxes.

To see the contents of a particular Approval Box, choose the desired Approval Box name from the View Approval Box for drop-down list. This page allows you to search the messages stored in that Approval Box and to take action on any of those messages.

Note: Only users who have administrative rights can see the contents of an approval box. See Users, Groups & Organizations on page 159 for managing user rights and privileges.

To store messages in an Approval Box, follow the procedures listed:
1. Create the Approval Box by clicking the Add New Approval Box button in the Policy & Compliance > Compliance Module > Approval Boxes page.
2. Enter a name for this Approval Box. This name appears in the page that shows the list of approval boxes and in the drop-down list that allows you to select the detailed view of individual approval boxes.
3. From the Default action pull-down menu, select an action to be taken. This action will automatically be taken on the message waiting for approval if the administrator does not respond to the notification within the period of time specified.

   None                     No action is taken. The email remains in the Approval Box.
   Approve & Deliver        The email is passed to the recipient.
   Delete                   The email is deleted.
   Bounce Back to Sender    The email is automatically bounced back to the sender and removed from the Approval Box after the specified length of time elapses.

4. Enter a list of Notification recipients in the text box. Separate multiple email addresses with a carriage return.

   Note: Make sure that the email recipients you enter are users that have administrative rights to the Email Security appliance. If they do not have administrative access, they will not be able to view the approval boxes when they receive email notification.

5. Select a Frequency of notifications value from the dropdown list for this approval box. Approval box notification emails for this approval box will be sent according to the schedule you choose here.
6. Write the Email subject line for this notification.
7. Click the Apply Changes button to save your changes to this approval box notification.

8. Go to the Policy & Compliance > Filters page and create a policy filter that has the Action as Store in Approval Box. Then, choose the desired Approval Box for email messages caught by that filter.

Encryption

The Policy & Compliance > Compliance Module > Encryption section is used to configure the servers used to encrypt and decrypt messages. Once configured, you may create a policy filter for which the action is to encrypt or decrypt messages. A policy action of encrypt can be used to direct confidential outbound messages to the encryption server. A policy action of decrypt can be used to direct confidential inbound messages to the decryption server.

Record ID Definitions

A Record ID Definition can be used to detect specific IDs described by a series of generic patterns. The Policy & Compliance > Compliance Module > Record ID Definitions section allows the administrator to predefine a cluster or clusters of letters and numbers into logical sets of groups such as social security numbers, patient medical record numbers, or credit card numbers. When these patterns are discovered, compliance actions can be taken to ensure that the organization's privacy and security regulations are met. The filter will stop processing a message after it finds the first matching Record ID Definition.

By default, Dell SonicWALL Email Security provides the following Record ID Definitions preinstalled:
- ABA Bank Routing Number
- Canadian Social Security Number
- Credit Card Number
- Date
- Phone Number
- Social Security Number
- Zip Code

Adding a New Record ID Definition

1. Click the Add New Record ID Definition button. The following window displays:
2. Enter a name in the Record Definition Name field.
3. Enter a term including correct spacing, dashes or other symbols. Use the key to set values to the sets of characters.
4. Click Add Pattern to add the term to the Record ID. Repeat this step for each Record ID as necessary.
5. Click Save Definition when finished. The new Record ID Definition displays on the Policy & Compliance > Compliance Module > Record ID Definitions screen.

Archiving

The Policy & Compliance > Compliance > Archiving section is used to configure how messages are archived. Once configured, you may create a policy filter for which the action is Route copy to archive. Messages can be archived either to a remote archive server or to a file system.

Archiving to a Remote Server

To have messages archived to a remote server, click the External SMTP Server radio button. Then, enter the IP address of the server to which email messages should be routed for archiving in the IP address of archive server field.

Archiving to a File System

To have messages archived to a file system, click the File system radio button.
1. Select the archive settings for both inbound and outbound emails. The following options are available:
   - Do not archive emails: Email messages are not archived.
   - Archive emails that are delivered to users in your organization: Email messages that are delivered are archived. Quarantined email messages are not archived.
   - Archive all inbound emails: All emails are archived, including those that are quarantined in the Junk Box.
2. Select a length of time for emails to be archived.
3. Click the Apply Changes button.


Chapter 9 Encryption Service

The Encryption Service feature works in tandem with Dell SonicWALL Email Security as a Software-as-a-Service (SaaS), which provides secure mail delivery solutions. The mail messages that have [SECURE] as part of the Subject will be encrypted and securely delivered to the recipient via the Encryption SaaS.

Important notes:
- It is the customer's responsibility to protect user passwords and use care in spelling email addresses when sending emails, especially emails containing sensitive information.
- Encrypted emails automatically expire after 30 days and are not recoverable.
- The subject lines of email messages are not encrypted and should not include electronic protected health information (ePHI) or confidential information.

This chapter contains the following sections:
- How Encryption Service Works
- Enabling the Secure Mail Policy
- Licensing Email Encryption Service
- Configuring Encryption Service
- Whitelisting IP Addresses
- Users in Encryption Service
- Sending Secure Mail Messages

How Encryption Service Works

The Encryption Service works with both outbound and inbound email messages. The Encryption Service must first be licensed through the System > License Management page. The administrator will then enable the default policy filter that enables sending secure email via the Encryption Service. After adding the necessary sender domains and public IP addresses, the administrator can then add users that are licensed to use Encryption Service.

Outbound Messages

Outbound messages flow in the following order:
1. A user in an organization sends a secure email message. It is sent through the exchange email server of the organization.
2. The message is then processed by the Dell SonicWALL Email Security appliance. The Email Security appliance will be able to recognize the message as Secure Mail based on the auto sender domains or any other policy set to Route to Encryption Service.
3. The message is sent from the Dell SonicWALL Email Security appliance via TLS to the Dell SonicWALL Email Encryption Cloud. The Email Encryption Cloud will be able to determine this is a secure message based on the auto sender domains or any other policy set to Route to Encryption Service.
4. The Email Encryption Cloud then sends a notification email to the recipient. This email includes a URL to the secure message.
5. The Secure Mail recipient clicks the URL and is required to log into the Email Encryption Cloud to retrieve the message. Once the recipient views the message, the sender gets a notification mail from Email Encryption Cloud indicating that the secure message has been viewed.

Enabling the Secure Mail Policy

In order to begin using the Secure Mail Service, you must first enable the default outbound policy to Send Secure Mail. Follow the procedures listed below to successfully enable the Secure Mail policy.

To enable Outbound Secure Mail:
1. Navigate to the Policy & Compliance > Filters page of your Email Security appliance.
2. Click the Outbound tab.
3. Locate the Send Secure Mail: Deliver Message via Encryption Service filter, and click the Edit button. The Edit Filter screen displays.
4. Click the Enable this filter checkbox. You can either keep the default settings or edit the settings for this filter. When finished, click Save This Filter.

Note: The Policy & Compliance > Filters page allows you to drag-and-drop filters, changing the precedence order of policies, which may be useful for your specific corporate needs.

Licensing Email Encryption Service

Because Encryption Service is a subscription service, you must purchase a license by logging in to your MySonicWALL account or by contacting your Dell SonicWALL reseller.

Note: The Encryption Service subscription license must match the Email Protection Subscription (Anti-Spam and Anti-Phishing) user count. If not, you will receive an error message.

To license the Secure Email Encryption Service, follow the procedures listed:
1. Navigate to the System > License Management page of your Email Security appliance, and click the Activate link for Secure Email Encryption Service.
2. Enter the information required on the Email Encryption Service Subscription page:
   - Email Encryption Service Activation Keys: Enter the Encryption Service Activation Key(s) provided upon purchase on MySonicWALL or by your Dell SonicWALL reseller. For multiple activation keys, separate each key by using a comma.

   - Data Center nearest to you: Select your respective Data Center from the drop-down list. The Data Center is the location of the Encryption Service servers.
   - Company Name: Enter the company name associated with the Encryption Service.
   - Admin Email Address: Enter the email address of the designated Secure Mail administrator. This administrator is responsible for adding, editing, or deleting Secure Mail users. Note that you will be able to add/designate multiple administrators in another screen.
   - Auto Sender Domains: Enter the list of domains that Secure Mail users will be sending email messages from, for example dell.com. Messages from the listed domains are auto-provisioned as Secure Mail senders. For multiple domains, separate each domain by using a comma.
3. Click Submit.

Configuring Encryption Service

Once you have successfully enabled the Secure Mail outbound policy and licensed the Email Encryption Service through the License Management screen, you can begin configuring settings for the service.
1. Navigate to the Encryption Service page on your Dell SonicWALL Email Security appliance.
2. The Company Name field auto-populates with the name specified in Licensing Email Encryption Service on page 149. Edit the Company Name, if needed.
3. Enter the Auto Sender Domains in the space provided, if needed. The Auto Sender Domains field auto-populates with the domains specified in Licensing Email Encryption Service on page 149.
4. Enter the list of public IP addresses to be Whitelisted from the Email Encryption Service in the field provided. Once added to the whitelisted IP address list, Email Encryption Service will accept mail from your organization, originating from these IP addresses.

5. Select the checkbox to enable the use of TLS for secure mail sent from the Encryption Service to your organization. If you decide to enable this feature, verify that all your inbound paths have TLS enabled, located in the Network Architecture > Server Configuration page.
6. Click Apply Changes when finished.

Whitelisting IP Addresses

The Encryption Service also supports whitelisting IP addresses. You can enter a list of public IP addresses that are responsible for delivering outgoing mail recognized as Secure. Then, you can enter the IP address and any associated domain that is responsible for receiving incoming mail messages from the Encryption Service. If no inbound addresses are specified, the MX Records are used instead to deliver mail messages to your organization.

Users in Encryption Service

Dell SonicWALL recommends that the administrator should add users to the Encryption Service. If any mail messages are sent to the Email Encryption Cloud from a sender account not already created, the Email Encryption Cloud will automatically create a Secure Mail sender account, as long as the domain in the email address is one of the Auto Sender domains.

Adding a New User

To add a new user to the Secure Mail Encryption Service, follow the directions listed below:
1. Navigate to the Encryption Service page on the Dell SonicWALL Email Security appliance.
2. Scroll down to the User View Setup section, and click the Add button.
3. Enter the following fields:
   - Email Address: Enter the email address for the user.
   - First Name: Enter the first name of the user.
   - Last Name: Enter the last name of the user.
   - Role: Select the role of the user from the drop-down list. The available options are User or Admin.
4. Click Add to finish. The new user displays in the User View Setup list.

Note: You may need to click the Refresh button to synchronize user accounts and settings from the Secure Email Encryption server if it does not automatically display.

Updating an Existing User

To update the information of an existing user, follow the directions below:
1. Select the checkbox corresponding to the user you want to update.
2. Click the Update button. The Update User account screen displays.
3. Edit the First Name, Last Name, or Role. Note that you cannot update the User Email Address.
4. Click Update to save changes made and update the user information.

Adding an Existing User

If you have LDAP configured, you can add existing users to the Secure Email Encryption Service. To add existing users, follow the directions below:
1. Navigate to the Encryption Service page on the Dell SonicWALL Email Security appliance.
2. Click the Add Existing Users button.
3. A list of users displays based on what you have configured for your LDAP directory. You can search for an existing user by email address in the search field.
4. Select the user you wish to add, then click the Add button. The new user displays in the User View Setup list.

Importing Users

If there are multiple users you would like to add, you can import a .txt list of users to be added to the Secure Email Encryption Service.

The .txt file must use a <TAB> delimiter between the primary email address, first name, last name, and role of each user. You must use <CR> to separate entries. See the following example:

   primary_email@company.com<tab>firstname<tab>lastname<tab>admin<cr>
   primary_email@company.com<tab>firstname<tab>lastname<tab>user<cr>

Note that the Primary email address is mandatory, while the other fields are optional.

To import users, follow the directions below:
1. Navigate to the Encryption Service page on the Dell SonicWALL Email Security appliance.
2. Click the Import Users button.
3. Click the Choose File button to select the file containing the list of users.
4. Click Import.

Exporting Users

You can export the list of Secure Email Encryption Service users by performing the following steps:
1. Navigate to the Encryption Service page on the Dell SonicWALL Email Security appliance.
2. Click the Export Users button. The list exports a .txt file and saves to your local system.

Cobrand and Reporting

The Secure Email Encryption Service allows you the option to customize features on the management console. You can also customize reports from the Secure Email Encryption Service. The following are Cobrand and Reporting settings you can configure through the Secure Email Encryption server portal:
- Company and User Type Properties
- Cobrand Management Console
- Message Tracking Report
- User Logon Report
- User Reports by Message Size, Volume, Date, and Summary
- Total View Report

Company and User Type Properties

The Company Configuration > Company Information page allows you to edit your organization's information. The following fields are editable:
- Company Name: This is the Company Name specified in the Dell SonicWALL Email Security System > License Management page upon licensing the Encryption Service.
- Email Address: This is the Admin Email Address specified in the Dell SonicWALL Email Security System > License Management page upon licensing the Encryption Service.
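Added example (not part of the Dell SonicWALL guide): a pre-upload check for the user import file described under Importing Users above. It enforces the <TAB>/<CR> layout and the mandatory primary email, and reports which addresses the file would create with the Admin role. The function names, the example.com sample data and the Auto Sender Domains warning are assumptions made for illustration.

```python
import re

# Roles the guide lists for Encryption Service users.
ALLOWED_ROLES = {"user", "admin"}
# Deliberately loose address check (assumption): one "@", no whitespace, dotted domain.
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")

# Constructed sample file content: TAB between fields, CR between records.
SAMPLE_IMPORT = (
    "alice@example.com\tAlice\tAdams\tadmin\r"
    "bob@example.com\tBob\tBrown\tuser\r"
    "carol@example.com\r"                          # optional fields omitted
    "bob@example.com\tRobert\tBrown\tadmin\r"      # duplicate that escalates the role
    "dave@example.com\tDave\tDunn\tsuperuser\r"    # role the service does not offer
    "\tErin\tEast\tuser\r"                         # mandatory email missing
    "frank@example.net\tFrank\tFord\tuser\r"       # outside the sender domains
)


def validate_import(data, auto_sender_domains=()):
    """Check import file content (a str) before it is uploaded.

    Records are separated by <CR>; CRLF and bare LF are also accepted so the
    check works on files saved on any platform.
    Returns (records, problems); each problem is (record_number, message).
    """
    domains = {d.strip().lower() for d in auto_sender_domains}
    records, problems, seen = [], [], {}
    for number, line in enumerate(re.split(r"\r\n|\r|\n", data), start=1):
        if not line.strip():
            continue  # trailing separator or empty record
        fields = line.split("\t")
        if len(fields) > 4:
            problems.append((number, "more than 4 TAB-separated fields"))
            continue
        # Only the primary email is mandatory, so pad the optional fields.
        padded = fields + [""] * (4 - len(fields))
        email, first, last, role = (f.strip() for f in padded)
        match = EMAIL_RE.match(email)
        if not match:
            problems.append((number, "missing or malformed primary email"))
            continue
        key = email.lower()
        if key in seen:
            problems.append((number, f"duplicate of record {seen[key]}"))
            continue
        seen[key] = number
        role = role.lower()
        if role and role not in ALLOWED_ROLES:
            problems.append((number, f"unknown role {role!r}"))
            continue
        if domains and match.group(1).lower() not in domains:
            # Warning only: the record is still kept for review.
            problems.append((number, "domain is not an Auto Sender Domain"))
        records.append({"email": email, "first": first, "last": last, "role": role})
    return records, problems


def admins(records):
    """Addresses the file would create with the Admin role."""
    return [r["email"] for r in records if r["role"] == "admin"]


if __name__ == "__main__":
    accepted, issues = validate_import(SAMPLE_IMPORT, ["example.com"])
    for number, message in issues:
        print(f"record {number}: {message}")
    print("Admin accounts in file:", ", ".join(admins(accepted)))
```

Reviewing the Admin list before upload matters because an Admin is responsible for adding, editing, or deleting Secure Mail users.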

The Company Configuration > Company Properties page allows you to edit the Automatically Create Sender Accounts setting. Select one of the following options: Off, On, or Off Send Plain Text.

Cobrand Management Console

The Cobrand Management Console page allows you to edit your organization's existing cobrand settings or create a new cobrand. Perform the following steps:
1. Under the Cobrand Information section, select (Create a New Cobrand) from the drop-down list to create a new cobrand. To edit an existing cobrand, select it from the drop-down list.
2. Specify the following cobrand settings:
   - Company Name: A descriptive name that is associated with the cobrand and will be displayed in the drop-down list for editing.
   - Default URL: The URL where users are directed when they click the cobrand image. Note that you must include the protocol/scheme (http://) in the URL.
   - Cobrand Color: The web color used for the login panel, top and bottom ribbon bars (menu and status bars) for Webpages on the server portal. The web color is identified with a 6-character hexadecimal number, commonly used with HTML, CSS, and other applications. You can also identify the cobrand color using the Color Selector box that displays upon editing the hexadecimal number.
   - Top HTML (Optional): Allows you to specify a block of HTML coding to be used in place of the cobrand image in the page header. The HTML can contain text, links, graphics, and columns, or follow an HTML style sheet. Note that if the Top HTML field contains boilerplate code, do not delete it unless you intend to replace it with customized HTML.
   - Loaded Image (Optional): Displays the database server path and internal filename for the uploaded cobrand image. Click the Clear Image button to immediately remove the image from the cobrand.
   - Allow users to stay signed in: Select the checkbox to enable, and then specify the amount of time for users to stay signed in.
3. Filter Messages: Allows you to limit the messages that users see in their mailbox to messages related to the cobranded company. If enabled, the Secure Mail recipient's mailbox only displays messages from or to the cobranded company, as long as the recipient accesses the server using the notification email link.
4. Select Image: Select a cobrand image, such as an organization or company logo, that displays at the top of all the server portal pages. This is an efficient and easy way to create professional branding without requiring the use of HTML. Click the Choose File button to select the image you want assigned to the cobrand.

5. Click the Save button to save your changes and apply the cobrand to your organization.

Message Tracking Report

The Message Tracking Report enables you to search through email addresses and subject lines of Secure Mail messages (message bodies are not included in the search).

To generate a Message Tracking Report:
1. Click the Message Tracking Report link from the Secure Mail Encryption Service portal.
2. Enter the search parameters into the Email Address or Pattern, Start Date, and End Date fields. The To/From drop-down list specifies whether to search for the parameters in the To or From field of email messages.
3. Click the Generate Report link. The report displays all messages matching the specified criteria.

User Logon Report

The User Logon Report generates reports about user log on activity. You can search activity based on specific users, defined timeframes, and also how the user logged into the service.

To generate a User Logon Report:
1. Click the User Logon Report link from the Secure Mail Encryption Service portal.

2. Enter the search parameters into the Email Address or Pattern, Start Date, and End Date fields. The Logon Source drop-down list specifies which service the user accessed. The default is All, which includes every service the user may have used.
3. Click the Generate Report link. The report generates all log on events for the user, based on the specified criteria.

User Reports by Message Size, Volume, Date, and Summary

There are several types of user reports, each of which can be filtered for sent or received messages (or both) for each user. These reports are summaries of user statistics, differing from the more detailed reports such as the Message Tracking Report. The following types of reports can be generated:

Report Type                  Description
Message Size Statistics      Shows the size of messages sent and received by each user
Message Date Statistics      Shows when messages have been sent by the users (first and last messages for each user)
Message Volume Statistics    Shows the number of messages sent/received by the user
Message Summary Data         Shows the fields of the other statistics reports on one screen.

To access any User Report:
1. Click the User Reports by Message Size, Volume, Date, and Summary link from the Secure Mail Encryption Service portal.

2. Click on the Report to view the information.

Total View Report

The Total View Report provides complete tracking of all messages sent through the Secure Mail system. The report contains a record of every message sent along with the tracking data for the message (and attachments) in a single report. This report is provided as a CSV file.

The Total View Report includes the following fields:
- Message ID
- Date
- From Email
- To Email
- Subject
- Notification Timestamp
- Message Status (Opened / Not Opened)
- Message Open Time
- Attachment Name
- Attachment (Accessed / Not Accessed)
- Attachment Open Time

Note: Each message and every attachment within a message is reported separately. For example, a message to two recipients with two attachments will generate four rows of data: two for each recipient, with one attachment listed on each line per recipient.

To generate a Total View Report:
1. Click the Total View Report link from the Secure Mail Encryption Service portal.
2. Specify the Date range for the report. For more efficiency, you can click one of the quick links: Last day, 30 days, or 60 days. This will automatically select the specified time period.
3. Click the Generate Report link.

4. Click the Download Report link to save the CSV file to your local system. Click Select Different Dates to return to the previous screen and conduct a new search with different dates.

Sending Secure Mail Messages

To send a Secure Mail message from your organization's Exchange email server, you must first download the plug-in for the Secure Mail button.

Note: The Secure Mail button plug-in is currently available for Microsoft Outlook (32 and 64-bit).

To download the plug-in, follow the instructions listed:
1. Navigate to the Downloads page of the Email Security interface.
2. Click the link for Secure Mail Outlook plugin that applies to your version of Outlook (32-bit or 64-bit). This will begin a download to your local system.
3. Run the installer to complete installation.
4. Once the plug-in is successfully installed, launch Outlook and click New E-mail to compose a new message. The Secure Mail button now appears in place of the Send button.
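Because the Total View Report described earlier in this chapter writes one row per recipient per attachment, row counts overstate message counts. The following added example (not part of the guide or the product) collapses a downloaded report into one record per message and recipient and lists deliveries that were never opened. The header spellings, the "Attachment Status" column name, and the empty attachment fields for a message without attachments are assumptions; the sample rows are constructed.

```python
import csv
import io

# Constructed sample in the field order the guide lists. Header spellings are
# assumed; adjust them to match the first line of a real export.
SAMPLE_REPORT = """\
Message ID,Date,From Email,To Email,Subject,Notification Timestamp,Message Status,Message Open Time,Attachment Name,Attachment Status,Attachment Open Time
M-1001,2014-03-01 09:00,alice@example.com,bob@example.net,Q1 contract,2014-03-01 09:01,Opened,2014-03-01 09:30,contract.pdf,Accessed,2014-03-01 09:31
M-1001,2014-03-01 09:00,alice@example.com,bob@example.net,Q1 contract,2014-03-01 09:01,Opened,2014-03-01 09:30,terms.pdf,Not Accessed,
M-1001,2014-03-01 09:00,alice@example.com,carol@example.org,Q1 contract,2014-03-01 09:01,Not Opened,,contract.pdf,Not Accessed,
M-1001,2014-03-01 09:00,alice@example.com,carol@example.org,Q1 contract,2014-03-01 09:01,Not Opened,,terms.pdf,Not Accessed,
M-1002,2014-03-02 14:00,alice@example.com,dave@example.org,Payroll query,2014-03-02 14:01,Not Opened,,,,
"""


def field(row, name):
    """Return a trimmed field value, treating a missing column as empty."""
    return (row.get(name) or "").strip()


def load_rows(text):
    """Parse the CSV text into a list of dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def message_count(rows):
    """Number of distinct messages, regardless of recipients or attachments."""
    return len({field(r, "Message ID") for r in rows})


def summarize(rows):
    """Collapse per-attachment rows into one record per (message, recipient)."""
    deliveries = {}
    for row in rows:
        key = (field(row, "Message ID"), field(row, "To Email").lower())
        rec = deliveries.setdefault(key, {
            "subject": field(row, "Subject"),
            "opened": False,
            "accessed": [],
            "not_accessed": [],
        })
        # "Not Opened" must not match, so compare the whole value.
        if field(row, "Message Status").lower() == "opened":
            rec["opened"] = True
        name = field(row, "Attachment Name")
        if name:
            accessed = field(row, "Attachment Status").lower() == "accessed"
            bucket = rec["accessed"] if accessed else rec["not_accessed"]
            if name not in bucket:
                bucket.append(name)
    return deliveries


def unopened(deliveries):
    """Sorted (message id, recipient) pairs the recipient never opened."""
    return sorted(key for key, rec in deliveries.items() if not rec["opened"])


if __name__ == "__main__":
    rows = load_rows(SAMPLE_REPORT)
    deliveries = summarize(rows)
    print(f"{len(rows)} rows, {message_count(rows)} messages, "
          f"{len(deliveries)} deliveries")
    for msg_id, rcpt in unopened(deliveries):
        print(f"not opened: {msg_id} -> {rcpt}")
```

To run it against a real export, read the downloaded file and pass its text to load_rows in place of SAMPLE_REPORT.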

Chapter 10
Users, Groups & Organizations

The Users, Groups, and Organizations management function allows you to:
Manage the list of users who can log in to the Email Security product
Assign roles to individual users or groups of users
Set spam blocking options for groups of users

This chapter also describes how to assign a delegate to manage your Junk Box. For more information, see Junk Box Settings on page 183.

Note: To manage users and groups from within this module, you need to have configured your Email Security setup to synchronize with your organization's LDAP server. You can configure LDAP settings and queries on the System > LDAP Configuration page.

This chapter contains the following sections:
Working with Users
Working with Groups
Working with Organizations
Email Security User Roles
Users and Groups in Multiple LDAP

Working with Users

To manage users in Email Security, navigate to the Users, Groups & Organizations > Users page. From this screen, you can sign in as any user, set their message management settings to corporate default, and edit their privileges in the system. Select the Source to use from the dropdown list, then click Go.

Finding All Users

If there are too many users to display in a window, you can conduct a search using the Find all users in column section.
1. Select from the dropdown list to do a search by User Name or Primary Email.
2. Next, select from the next dropdown list if the search parameter is equal to, starts with, or contains. Note that each of these fields determines the speed of the search, where equal to is the fastest type of search and contains is the slowest.
3. Select if you want the search to Show LDAP entries or Show non-LDAP entries by selecting the checkboxes next to either option.
4. Enter the search parameter in the blank field, and click Go.

Sort

To sort the list of users by a column, click the User Name or Primary Email heading.

Signing In as a User

Administrators can sign in as any user, see their Junk Box, and change the settings for that user. In addition, you can sign in as a particular user to manage their delegates for them. Click the checkbox next to the User Name, then click the Sign In as User button.

Edit User Rights

Administrators can assign different privileges to different users in the system by assigning them pre-defined roles. To assign a role to a user, select the user and click the Edit User Rights button. Select which role to assign to the user, then click Apply Changes. For information regarding User Roles, see Email Security User Roles on page 174.

Resetting User Message Management Setting to Default

Select one or more users and click Set Message Management to Default to restore all settings to the defaults. Be aware that this overrides all individual preferences the user might have set.

Add

The administrator can add individual non-LDAP users. Fill out the Primary Address and Alias fields, then click Add. Add an existing user with an alias and the user will have that alias added to them. This is not dependent on LDAP status.

Note: Users added in this way remain non-LDAP users. Their User Rights cannot be changed. Their source will be listed as Admin. Users can edit their Junk Box setting only if the administrator sets the Junk Box setting Enable Single Click viewing of messages to Full Access in the System > Junk Box Summary page.

Remove

The administrator can remove individual non-LDAP users. First select a non-LDAP user by using the checkbox in front of the name, then click the Remove button to delete the name from the list.

Import

The administrator can add multiple non-LDAP users by importing a list of names. The list is made up of the primary addresses followed by the corresponding aliases of the users. The imported file can be appended to the existing names, or overwrite them. The format of the file is tab-delimited. One may use an Excel spreadsheet to generate a user list and save it as a tab-delimited file. To import the list, click the browse button to locate the file and click Import.

Export

The administrator can download a tab-delimited list by clicking this button. The file generated lists multiple non-LDAP users and can later be imported using the Import feature.
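Since an imported file can overwrite the existing non-LDAP user list, it is worth checking the file before clicking Import. The following added example (not part of the guide or the product) validates a tab-delimited list and reports malformed addresses, duplicate primaries, and aliases claimed by more than one user. The layout of one user per line, with the primary address first and the aliases after it, is an assumption based on the description above; the sample data is constructed.

```python
import re

# Constructed sample. Assumed layout: one user per line, primary address
# first, then that user's aliases, all separated by tabs.
SAMPLE_IMPORT = (
    "alice@example.com\talice.smith@example.com\tasmith@example.com\n"
    "bob@example.com\n"
    "carol@example\tcarol.j@example.com\n"         # primary has no top-level domain
    "dave@example.com\talice.smith@example.com\n"  # alias already belongs to alice
    "alice@example.com\tal@example.com\n"          # primary listed a second time
    "erin@example.com, erin.k@example.com\n"       # comma used instead of a tab
)

# Deliberately strict shape check: local part, "@", dotted domain.
ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def check_import(text):
    """Return (users, problems).

    users maps each accepted primary address to its list of aliases.
    problems is a list of (line number, description) for rejected lines.
    """
    users = {}
    owner = {}      # every accepted address -> the primary that holds it
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = [f.strip().lower() for f in line.split("\t")]
        primary = fields[0]
        aliases = [f for f in fields[1:] if f]
        addresses = [primary] + aliases

        bad = [a for a in addresses if not ADDRESS.match(a)]
        if bad:
            problems.append((lineno, "invalid address: " + ", ".join(bad)))
            continue
        if primary in users:
            problems.append((lineno, "duplicate primary: " + primary))
            continue
        clash = [a for a in addresses if a in owner]
        if clash:
            problems.append((lineno, "address already assigned: " + ", ".join(clash)))
            continue

        users[primary] = aliases
        for address in addresses:
            owner[address] = primary
    return users, problems


def render(users):
    """Write the accepted users back out in the same tab-delimited layout."""
    return "".join("\t".join([p] + a) + "\n" for p, a in users.items())


if __name__ == "__main__":
    accepted, rejected = check_import(SAMPLE_IMPORT)
    for lineno, why in rejected:
        print(f"line {lineno}: {why}")
    print(render(accepted), end="")
```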

Working with Groups

Navigate to the Users, Groups & Organizations > Groups page to manage Group settings. Note that the settings on this page are optional.

About LDAP Groups

This section describes how Email Security lets you query and configure groups of users managed by an LDAP server. Most organizations create LDAP groups on their Exchange server according to the group functions. For example, a group configured on their Exchange server called support represents the technical support groups in Exchange. Configure LDAP groups on your corporate LDAP server before configuring the rights of users and groups on Email Security in the LDAP Configuration screen.

Dell SonicWALL Email Security allows you to assign roles and set spam-blocking options for user groups. Though a user can be a member of multiple groups, Email Security assigns each user to the first group it finds when processing the groups. Each group can have unique settings for the aggressiveness of the various spam prevention techniques. You can configure each group to use the default settings or specify settings on a per-group basis.

Updates to group settings in this section are not reflected immediately. The changes will be reflected the next time Email Security synchronizes itself with your corporate LDAP server. If you want to force an update, click the Refresh Users & Groups button.

Add a New Group

To add a new group, click the Add New Group button. The Add Group window appears with a list of all the groups to which you can assign roles. You can also add new groups in this window.

Finding a Group

1. From the Add Group screen, search for the group you want by entering the name in the text box. Choose the search mechanism and search speed: equal to (fast), starts with (medium), or contains (slow). Click Go to begin the search.
OR
Scroll through the list of groups to locate the group you want to add.
2. Click the checkbox to include the group.
3. Click Add Group. A message appears stating that the group was added successfully.

Removing a Group

1. Click the checkbox adjacent to the group(s) to remove.
2. Click the Remove Group button. A success message appears.

Listing Group Members

1. Click the checkbox adjacent to the group to list.
2. Click the List Group Members button. Users belonging to that group will be listed in a pop-up window.

Setting an LDAP Group Role

All members of a group are also given the role assigned to the group. To set the role of a group, follow the procedures listed:
1. Click the checkbox adjacent to the group to edit.
2. Click Edit Role. A window appears with the group's name and current role.
3. Click the radio button for the appropriate role that you want to assign to the group.
4. Click Apply Changes. A message appears stating that the group was changed successfully.

Note: Email Security queries your corporate LDAP server every hour to update users and groups. Changes made to some settings in this section may not be reflected immediately on Email Security, but are updated within an hour.

User View Setup

This controls what options are available to the users in this group when they log in to the server using their user name and password. You can change the settings on the following items:
Login Enabled: Enables users in this group to log into their Junk Box.
Anti-Spam Techniques: Allows or blocks specified people, companies, lists, aggressiveness, foreign languages.
Full user control over anti-spam aggressiveness settings: Allows users full access to configuring Anti-Spam aggressiveness settings.
Reports: Allows users in this group to look at their Spam reports.
Settings: Enables users in this group to view their settings.
Junk mail management: Allows users access to junk mail management settings.
Quarantined Junk Mail Preview Settings: Click the Users in this group are allowed to preview quarantined junk mail checkbox to enable this setting for users.

Click Apply Changes.

Anti-Spam Aggressiveness

You can configure Anti-Spam Aggressiveness settings for this group.
1. Choose the appropriate Grid Network Aggressiveness level for this group. Note that selecting a stronger setting will make Email Security more responsive to other users who mark a message as spam.
2. Choose the appropriate Adversarial Bayesian Aggressiveness level for this group. Note that selecting a stronger setting will make Email Security more likely to mark a message as spam.
3. Select the checkbox to Allow users to unjunk spam. If the checkbox is unchecked, users are not able to unjunk spam messages.
4. For each category of spam, determine the level and whether members of the group are allowed to unjunk their Junk Boxes.
5. Click Apply Changes.

Languages

You can determine the foreign language emails that groups can receive.
Select Allow All to allow all users in a group to receive email in the specified language.
Select Block All to block all users in a group from receiving email in the specified language.
Click No opinion to permit email to be subject to the spam and content filtering of Dell SonicWALL Email Security.

Click Apply Changes.

Junk Box Summary

You can manage the way in which you receive the Junk Box summary of emails. To configure settings for the Junk Box for groups:
1. Select the Frequency of Summaries sent to users.
2. Select the Time of Day users receive junk summary emails.
3. Select the Day of the Week users receive junk summary emails.
4. Select if the Summaries include All Junk Messages or Only Likely Junk.
5. Select from the dropdown list the Language of Summary Email.
6. Choose to send Plain Summary or Graphic Rich Summary.
7. Select the checkbox to Send Junk Box Summary to Delegates. Note that when this checkbox is selected, the summary email is sent to the delegate, not to the original recipient.
8. Click Apply Changes.

Spam Management

You can manage how groups deal with spam through the Spam Management window. To manage messages marked as Definite Spam or Likely Spam for this group:

Choose what you want done with messages:
Spam Filtering Off: Passes all messages to users without filtering.
Permanently Delete: If determined Definite or Likely Spam, messages are permanently deleted.
Bounce back to sender: Messages are sent back to the sender. Caution: In cases of self-replicating viruses that engage the sender's address book, this can inadvertently cause a denial-of-service to a non-malicious user.
Send to: Specify an email address for the recipient.
Tag with: Label the email to warn the user. The default is [SPAM] or [LIKELY_SPAM].

Select the checkbox This Group accepts automated Allowed Lists if you want automated Allowed Lists to apply to this group.

Click Apply Changes.

Phishing Management

The phishing management window gives you the option of managing phishing and likely phishing settings at a group level. Just like Spam Management options, it allows you to deal with phishing differently for different groups. However, unlike Spam Management options, these settings cannot be altered for individual users.

Virus Management

The virus management window gives you the option to manage Definite Virus and Likely Virus settings at a group level. Just like Spam Management options, it allows you to deal with viruses and likely viruses differently for different groups. However, unlike Spam Management options, these settings cannot be altered for individual users.

Forcing All Members to Group Settings

Select the checkbox next to the Group(s) you want to adhere to Group Settings. Then, click the Force All Members to Group Settings button. All individual settings are overwritten by the Group Settings.

Assigning Delegates

Delegates are people who have full access to your individual Junk Box. This includes the ability to change your Junk Box settings and manage the messages in your Junk Box. The most common use of delegates is for an administrative assistant to act as a delegate of the CEO of a company. The assistant frequently has access to all of the CEO's email, so the assistant now would have access to the CEO's Junk Box and Junk Box settings as well.

To assign a delegate to manage your Junk Box, follow the procedures listed:
1. Sign in to your individual user account; click the Sign in as any user link at the bottom of most Email Security windows and sign in with your username and password.
2. Go to Settings > Delegate.
3. To add a delegate, click the Add button. The Add New Delegate screen appears.
4. Enter the email address of the delegate in the text box.
5. Click Go. A group of people who match the email address appears.
6. Click the checkbox adjacent to the preferred delegate.
7. Click Add Delegate.

To remove a delegate, click the Remove button on the Delegate window.

Working with Organizations

The Users, Groups & Organizations > Organizations page lists the available Organizational Units paired with the Email Security solution. Organizations are a smaller group of domains set by the Global Administrator as an efficient way of managing an entire enterprise-sized Email Security system setup. These subset groups, also known as Organizational Units (OUs), are managed by a sub-administrator, called the OU Administrator.

The OU Administrator role has full administrative rights to the OU he has been assigned to by the Global Administrator. The OU Admin can log in as any other user within the group of domains assigned to edit a user's individual settings, edit group settings for groups within their OU, manage Junk Boxes, and view Reports. The OU Admin is not able to add or remove domains from an Organization, regardless of whether he is the OU Admin of that Organization; only the Global Administrator has the ability to perform these tasks.

To add an organization, follow the procedures listed:
1. From the Users, Groups & Organizations > Organizations page, click the Add Organization button.
2. Enter the Primary Domain. Acceptable domains follow the form of domain.com or sub.domain.com. The Organization Admin Login ID is automatically populated based on what is entered as the Primary Domain.
3. Enter the Organization Admin Password.
4. Type the Domain(s) in the provided space, separating multiple domains with a comma.

5. Then, click the Add button. A notification appears, stating that old data will now be migrated to the organization level. Acknowledge the notification by clicking OK.

Note the following when creating a new organization:
User settings are migrated to the newly created organization.
LDAP configured at the Global Administrator level is not automatically migrated when creating a new organization. The OU Admin needs to reconfigure the LDAP for his organization. Neglecting to configure the LDAP can potentially break user authentication for domains of that organization.
Group Settings configured at the Global Administrator level are not automatically migrated when creating a new organization. The OU Admin needs to reconfigure the Group Settings for his organization.
User Rights configured at the Global Administrator level are not automatically migrated when creating a new organization. The OU Admin needs to reconfigure the User Rights for the users in his organization.
Group Roles configured at the Global Administrator level are not automatically migrated when creating a new organization. The OU Admin needs to reconfigure the Group role for the groups in his organization.

Note: Any domains added in the Create Organization screen that are not already listed in the Network Architecture > Server Configuration page are not automatically added to the server. The Global Administrator needs to add these domains to the Network Architecture path separately.

Signing In as an OU Admin

As a Global Administrator, you can sign in to any Organization as an OU Admin. Click the Sign in as OU Admin icon. You are automatically directed as the OU Admin to the respective OU in a new window. Click the Log Out icon to log out as the OU Admin.

Configuring OU Settings

As a Global Administrator, you can also elect to subscribe to alerts for a specific Organization so that you are notified about updates and changes made to this Organization. Click the Settings icon of the Organization you want alerts for. Then, click the Subscribe to alerts checkbox, and click Save.

Removing an Organization

To delete an Organization, click the Remove button of the Organization you wish to delete.

Email Security User Roles

Roles are a set of privileges that you can grant any individual user or group of users in the Email Security system. The possible roles that can be assigned to any user or group are:

OU Administrator: The Organizational Unit (OU) Administrator role has full administrative rights to a specific list of domains the Global Administrator specifies. Typically, the Global Administrator of an enterprise-sized organization may wish to delegate the management of a smaller group of domains, or Organizational Units, between several users requiring administrative rights for successful management of these OUs. The OU Admin can log in as any other user within the group of domains assigned to change a user's individual settings, view and manage Junk Boxes, and configure other areas of the Email Security system. For more information regarding OU Administrators and Organizational Units, refer to Working with Organizations on page 172.

Help Desk: A user assigned as Help Desk has access to the corporate Junk Box and can unjunk items. This role also allows the user to log in as any user to change that user's individual settings and view Junk Boxes. The Help Desk role does not allow the user to change global settings or other server configurations.

Group Admin: A group administrator role is similar to the Help Desk role except that this role's privileges are limited to users for the group that they are specified to administer. The Group Admin role is always associated with one or more groups added to the Spam Blocking Options for Groups section.

Manager: A user assigned as Manager has access to corporate Reports and Monitoring screens. The user cannot change any configuration settings, nor are they able to sign in as any other user.

User: A user role is only allowed to log in to the Email Security system, has access to his own individual user settings, and can only customize his own settings.

Adhere to Group rights: If the user is part of a group, selecting this option forces the user to inherit the rights assigned to the members of that group.

Users and Groups in Multiple LDAP

The administrators of each organization can create a master LDAP group that encompasses all their users and groups. That master group can then be used to administer Email Security settings across the organization, even if there are multiple domains. With a group that contains all the members of the LDAP, the administrator effectively administers the LDAP.

Users

When an administrator logs in and views the Users, Groups & Organizations > Users page, she sees all the email addresses that exist on that instance of Email Security. The administrator can then narrow the view to only the entries from that LDAP.

Note: The Using Source selection allows administrators to access users who were added directly to Email Security, and did not come in through an LDAP entry. These entries will not be deleted with an LDAP deletion.

This section contains the following subsections:
Filtering through User View Setup
Finding a Specific User
Adding a New User
Deleting a User

Filtering through User View Setup

To filter the user view setup by source, follow the procedures listed:
1. Log in as the Email Security administrator.
2. Click Users, Groups & Organizations, and then Users.
3. Scroll down to User View Setup.
4. From the Using Source drop-down menu, choose the LDAP source associated with the users you want to view. Click Go. You will see only the users associated with that LDAP source.

The list of users can be sorted by user name, primary email address, user rights, or source. If you have already filtered by source, sorting by source will not retrieve anything outside the filter. To sort a list of users, click on the column heading that describes the sort type. Click again to sort in reverse order.

Each LDAP user record has a checkbox next to it. To edit a user or users, select the box. If you select one user, you can log in as that user or edit that user's rights, for example, to elevate them to group admin or help desk-level rights. If you select more than one user, you can only change their message management style to the default style.

Finding a Specific User

Because there are usually many records in an LDAP source, Email Security has provided several ways of looking for a specific user. To find a specific user, follow the procedures listed:
1. Log in as the Email Security administrator.
2. Click Users, Groups & Organizations, and then click Users.
3. Scroll down to User View Setup.
4. From the Find all users in column drop-down menu, choose either the username or the primary email address to search on.
5. Choose which type of search you want. Exact matches are the fastest, but matches that contain your search term may help you more if you cannot remember the exact username or address you are looking for.
6. Enter your search term.
7. Click Go. You will see the users who match your search criteria.

Adding a New User

If you want to add a user who does not appear in the automatically-generated list from your LDAP, you can choose to manually add an account. If an LDAP is not provided, the user will be added to the default LDAP source. You cannot add users to your LDAP from the Dell SonicWALL Email Security interface. To add a user, follow the procedures listed:
1. Log in as the Email Security administrator.
2. Click Users, Groups & Organizations, and then click Users.
3. Scroll down to User View Setup.
4. Click Add.
5. Enter the user's fully-qualified email address, choose a source (if any), and any aliases you wish to associate with the user.

Deleting a User

To delete a user, follow the procedures listed:
1. Log in as the Email Security administrator.
2. Click Users, Groups & Organizations, and then Users.
3. Scroll down to User View Setup.
4. Select the user you wish to delete. Deleting a user will not remove the user's LDAP entry, only the entry in the Email Security system.
5. Click Add.

Groups

Use the Users, Groups & Organizations > Groups page to incorporate or extend existing LDAP groups. You can also change a group's security role in the Email Security system and view the membership of a group.

This section contains the following subsections:
Filtering through the Group View
Changing a Group's Role
Viewing Members of a Group
Setting Junk Blocking by Group

Filtering through the Group View

To filter the group view by source, follow the procedures:
1. Log in as the Email Security administrator.
2. Click Users, Groups & Organizations, and then Groups.
3. Scroll down to Assign Roles to Groups Found in LDAP.
4. From the Using Source drop-down menu, choose the LDAP source associated with the groups you want to view. Click Go.
5. If you do not see the group you want, click the Add Group button. You can choose an existing group from one of your sources. You cannot create a group that does not exist.

Changing a Group's Role

You can change each group's role in Email Security. Email Security roles determine a user's permissions to change Email Security settings, including user settings. To change a group's role, follow the procedures listed:
1. Log in as the Email Security administrator.
2. Click Users, Groups & Organizations, and then Groups.
3. Scroll down to Assign Roles to Groups Found in LDAP.
4. Select the box next to the group you want to change.
5. Click Edit Role.
6. In the pop-up window, choose the role you want that group to have. You can choose only one role per group. If a user is in multiple groups, permissions are granted in the order in which the groups are listed in the user's profile.
7. Click Apply Changes. You will see a status update at the top of the page.
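The guide states that a user in several groups is assigned to the first group found, and that permissions follow the order in which groups are listed, so the role a user ends up with depends on ordering as well as membership. The following added example (a model for review purposes, not the product's own logic) computes each user's first-match role from an ordered group list and flags users whose later groups carry a different role. The group names, memberships, and ordering are constructed; the role names are the ones this guide lists.

```python
# Constructed data: groups in the order they are processed, each with the
# single role assigned to it.
GROUPS_IN_ORDER = [
    ("helpdesk", "Help Desk"),
    ("sales", "User"),
    ("support", "Group Admin"),
    ("all-staff", "User"),
]

# Constructed group membership, as it might be listed from LDAP.
MEMBERS = {
    "helpdesk": {"dana@example.com"},
    "sales": {"eli@example.com", "fay@example.com"},
    "support": {"dana@example.com", "eli@example.com"},
    "all-staff": {"dana@example.com", "eli@example.com",
                  "fay@example.com", "gus@example.com"},
}


def effective_roles(groups_in_order, members):
    """Apply first-match semantics.

    Returns {user: {"group", "role", "shadowed"}} where "shadowed" lists the
    (group, role) pairs from later groups whose role differs from the one
    the user actually received.
    """
    result = {}
    for group, role in groups_in_order:
        for user in members.get(group, ()):
            if user not in result:
                # First group containing the user decides the role.
                result[user] = {"group": group, "role": role, "shadowed": []}
            elif role != result[user]["role"]:
                result[user]["shadowed"].append((group, role))
    return result


def order_dependent(result):
    """Users whose role would change if their groups were processed in a
    different order. These are the accounts worth reviewing by hand."""
    return sorted(user for user, rec in result.items() if rec["shadowed"])


if __name__ == "__main__":
    roles = effective_roles(GROUPS_IN_ORDER, MEMBERS)
    for user in sorted(roles):
        rec = roles[user]
        print(f"{user}: {rec['role']} (via {rec['group']})")
    for user in order_dependent(roles):
        print(f"review {user}: also in {roles[user]['shadowed']}")
```

In the constructed data, eli@example.com is a member of support but receives only the User role because sales is processed first; moving support ahead of sales changes that result without any change to membership.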

Viewing Members of a Group

You can view the members of a group in Email Security. To view the members of a particular group, follow the procedures listed:
1. Log in as the Email Security administrator.
2. Click Users, Groups & Organizations, and then Groups.
3. Scroll down to Assign Roles to Groups Found in LDAP.
4. Select the box next to the group you want to see the membership of.
5. Click List Members. A pop-up window displays that lists the group's membership by primary email address.

Setting Junk Blocking by Group

You can use the existing LDAP groups to configure the filtering sensitivity for different user groups. For example, your sales group might need to receive email written in foreign languages. To set junk blocking by group, follow the procedures below:
1. Log in as the Email Security administrator.
2. Click Users, Groups & Organizations, and then Groups.
3. Scroll down to Set Junk Blocking Options for Groups Found in LDAP.
4. Under Using LDAP, select your LDAP.
5. Select a group to edit.
6. Click Edit Junk Blocking Options. The Group Junk Blocking Options window displays. Follow the recommendations described in Chapter 4, Anti-Spam.

Chapter 11
Junk Box Management

The Junk Box chapter contains the following sections:
Junk Box Simple View
Junk Box Advanced View
Supported Search in Audit and Junkbox
Junk Box Settings
Junk Box Summary

The Junk Box allows you to review and process email messages that have been flagged as spam, virus-infected, organization policy violations, or phishing. You can unjunk or release a falsely identified message. When you or the recipient unjunks an incoming message, Email Security adds the sender of the message to the recipient's Allowed list and delivers the email to the recipient.

The size of the junk box can grow rapidly. By default, the messages are stored in the junk box for 30 days and deleted after that. You may need to customize this setting depending on your organization's policies and the storage capacity of the shared data directory where messages are stored. To change this setting, go to Junk Box Management > Junk Box Settings > Number of days to store in Junk Box before deleting, and choose a value between 1 and 180 days.

Messages in the junk box can be quickly sorted and viewed by threat type. Messages that contain definite spam, phishing, and viruses have red asterisks (*) adjacent to them. Messages that contain likely spam, phishing, and viruses do not have any marks.

Type of Message        Display
Spam (definite)        *Spam
Likely Spam            Spam
Phishing (definite)    *Phishing
Likely Phishing        Phishing
Virus (definite)       *Virus
Likely Virus           Virus

Junk Box Simple View

The Junk Box Management > Junk Box window displays all the messages that have been categorized as the selected threats. You can also:
Search for messages containing specific strings in the following fields: Subject, From, To, or Unique Message ID. Search is not case sensitive.
Select a specific date to search on any particular date.

Junk Box Advanced View

Additional search capabilities give administrators the ability to support users more effectively, audit more selectively, and dispose of unwanted messages with more granularity. To use Advanced Search, follow the procedures below:
1. On the Junkbox Management > Junk Box page, click the Advanced View button.

2. To search for specific email threat types, select the checkboxes in the Threats section.
3. Click Search. Messages matching your search criteria are displayed. To move quickly through results pages, click in the field that says Page 1 of 4814641 and type the result page you want to view. You can also change the number of messages displayed on each page.

As an example, suppose you wanted to see only messages that were Spam or Likely Spam. Clear all the checkboxes except the Show Spam and Show Likely Spam checkboxes. Leave all the locations selected and click Search.

Outbound Messages Stored in Junk Box

To display the outbound messages in the junk box, navigate to the Junk Box Management > Junk Box page and click on the Outbound tab. Outbound message management detects messages sent by users in your organization that contain viruses, likely viruses, and messages that trigger policy alerts. Outbound message management also quarantines outbound spam, phishing, and UAS.

Note: Messages stored in the Outbound Junk Box cannot be reviewed by the senders. The senders will not see their messages in their Junk Box Summary notifications. Only administrators can review and process messages quarantined in the Outbound Junk Box.

Messages in the Junk Box are deleted after the number of days shown at the top of the Junk Box page. This setting can be changed in the Junk Box Management > Junk Box Settings page.

Supported Search in Audit and Junkbox

The following types of search can be performed in the To, From, or Subject field:

Boolean Search
OR Operator: This is the default search. Add OR in between search words. The results will contain any of these search words.
AND Operator: Add + before the search word (or) AND in between search words. Each result must contain these words.
NOT Operator: Add - before the search words (or) NOT in between search words. The results must not contain these search words.

Wildcard Search
* operator: Add * to the middle or end of the word. This substitutes more than one character to the search word, and attempts to perform a search on all possible words.
? operator: Add ? to the middle or end of the word. This substitutes one character and will find the match for the word.

Note: Wildcard operators should be added to the middle or end of the text, rather than at the beginning.

Phrase Search
A phrase is a group of words surrounded by quotes. The exact phrase will be searched.

Fuzzy Search
Add ~ to the end of the word to search for the closest possible match. This search is useful when search words have an error, or the exact spelling for the text is unknown.

Proximity Search
This searches for words closer to each other. The syntax is word 1 word2 ~distance.

Junk Box Settings

The Junk Box Management > Junk Box Settings screen contains the General, Action, and Miscellaneous Message Settings sections, which enable the administrator to set default settings for users' messages.

General Settings

The General Message Settings window allows you to choose default settings for messages that contain spam, phishing, virus, and policy management issues.

- Choose the Number of Junk Box days from the drop-down list. Set the enterprise-wide policy for the number of days email messages will remain in the Junk Box before being automatically deleted. The maximum number of days is 180. This can be adjusted for an individual user by an administrator or the user, if you allow it (see Configuring the User View Setup on page 165).
- Choose the Number of items to display in the Message Center from the drop-down list.
- Select one of the following for When a user unjunks a message:
  - Automatically add the sender to the recipient's Allowed List
  - Ask the user before adding the sender to the recipient's Allowed List
  - Do not add the sender to the recipient's Allowed List

Action Settings

The Action Message Settings define conditions for tagging messages delivered to users' inboxes. Review the four check box options that allow the user to define conditions for tagging messages incoming to their inbox. Each of the tags below will be prefixed to the subject line of the message.

- To tag unjunked messages, check the Tag unjunked messages with this text added to the subject line checkbox, and input word(s) to be used for tagging.
- To tag messages which were considered as junk but will be delivered because the sender's domain is on the user's Allow list, check the Tag messages considered junk, but delivered because sender/domain/list is in Allowed list with the text added to the subject line checkbox, and input word(s) to be used for tagging.
- To tag messages which were considered as junk but will be delivered because of a Policy action in effect, check the Tag messages considered junk, but delivered because of a Policy action with the text added to the subject line checkbox, and input word(s) to be used for tagging.
- To tag all those messages that are processed by Email Security Server for testing, check Tag all messages processed by Email Security for initial deployment testing with this text added to the subject line checkbox, and input word(s) to be used for tagging.

Miscellaneous

The Miscellaneous Message Settings provide links that direct you to configure message management for the Anti-Spam, Anti-Virus, Anti-Phishing, and Policies modules. By clicking the Click here links, you are directed away from the Junk Box Management > Junk Box Settings screen.

Click the Apply Changes button.

Junk Box Summary

Both administrators and users receive Junk Box summaries listing the incoming email that Email Security has classified as junk. From these email messages, users can choose to view or unjunk an email if the administrator has configured these permissions. From the Junk Box Management > Junk Box Summary window, users can determine the language, frequency, content, and format of Junk Box summaries.

Configure the following for Junk Box Summaries:

Frequency Settings

- Select the Frequency of summaries from the dropdown list.
- Select the Time of day to send summary. You can select Any time of day or specify an hour to send.
- Select the Day of week to send summary. You can select Any day of the week or specify a day.
- Specify the Time Zone for the Email Security system.

Message Settings

- Select to include All Junk Messages or Only likely junk (hide definite junk) in Junk Box Summaries. Note that if All Junk Messages is selected, both definite and likely junk messages are included. If Only likely junk is selected, only likely junk messages are included in the summary.
- Select the Language of summary email from the dropdown list.
- Send plain summary: Select this checkbox to send junk box summaries without graphics.

The following image shows a Plain Summary:

The following image shows a Graphic Summary:

- Select the Display junk statistics in summary email checkbox if you prefer to have junk statistics included in the Junk Box Summary.

Miscellaneous Settings

- Select the Send Junk Box Summary to delegates checkbox to have summary emails sent directly to a user's delegates. With this option enabled, users with delegates no longer receive summary emails.
- Select the radio button next to the Enable single click viewing of messages setting. You can select from the following:
  - Off: The single click viewing of messages setting is not enabled.
  - View messages only: Users are able to preview messages without having to type their name or password.
  - Full Access: Users can click any link in a Junk Box Summary and are granted full access to the particular user's settings.

- Select the Enable Authentication to Unjunk checkbox to require authentication for unjunking messages in the Junk Box Summary.
- Select the Only send Junk Box Summary emails to users in LDAP checkbox to only include LDAP users as recipients of the Junk Box Summary emails. With this setting selected, users not associated with the LDAP do not receive Junk Box Summary emails. To enable authentication for non-LDAP users, click the link. You are automatically directed to the Users, Groups & Organizations > Users screen. For more information regarding LDAP and non-LDAP users, refer to Working with Users on page 159.

Other Settings

- Specify the Email address from which summary is sent. Select from the following:
  - Send summary from recipient's own email address
  - Send summary from this email address. Specify the email address in the space provided.
- Specify the Name from which summary is sent in the space provided.
- Specify the Email Subject in the space provided.
- Specify the URL for User View in the space provided. The Junk Box Summary includes this URL for User View to allow users to easily view quarantined emails, unjunk quarantined emails, and log in to the Email Security system. Click the Test Connectivity button to verify that the URL specified in the URL for User View field properly connects.


Chapter 12 Reports and Monitoring

Dell SonicWALL Email Security allows you to view system status and data through the Reports & Monitoring screen. You can view statistics for different time periods on the local system or the mail transfer agent (MTA). Monitor the flow of email traffic passing through the Email Security system in real time. The Reports & Monitoring screen also allows you to use SNMP to send information to a monitoring agent.

This chapter contains the following sections:
- Monitoring Methods
- Reporting in Email Security
- Overview Reports
- Anti-Spam Reports
- Anti-Phishing Reports
- Anti-Virus Reports
- Policy Management Reports
- Compliance Reports
- Directory Protection
- Connection Management Reports
- Scheduled Reports

Monitoring Methods

For a description of the different monitoring methods available in Email Security, see the following sections:
- System Status
- MTA Status
- Real-Time System Monitor
- Performance Monitoring

System Status

The Monitoring > System Status window shows the status of the Email Security system and the status of connections with other systems that Email Security needs to communicate with. A green check icon indicates the system is functioning as expected, while a red X icon indicates the system is not.

The lower half of the System Status window in the Control Center Status section shows system statistics, including the disk space used by the Junk Box, free disk space on the data drive, and free disk space on the install drive.

MTA Status

The Monitoring > MTA Status page gives details on the status of the mail transfer agent (MTA) if one or more paths have been configured to act as MTAs.

MTA Status

- One or more paths are configured to be MTAs: This option is set to Yes if one or more paths have been configured to act as MTAs; if not, this option is set to No.
- MlfMTA service is running: If the MTA is running as expected, this field will show a green circle with a check mark icon. If the MTA is not running as expected, the field will show a red circle with an X icon.

MTA Totals by Host

If one or more paths are configured to act as MTAs, this section provides additional information about their host.

- Host: This column shows the name of the host(s).
- Number of messages delivered in last hour: This column shows the number of messages delivered by the MTA in the last hour.
- Number of messages in all queues combined: This column shows the sum of messages in the queues of all the MTAs.
- Number of message recipients in all queues combined: This column shows the sum of the messages in the queues of all the MTAs.

MTA Status on Inbound/Outbound Paths

If one or more paths are configured to act as MTAs, these two sections will provide additional information about the paths. The columns and the values they represent are:

- Host (src/listen/dest): This column shows the various paths you configured in the Network Architecture section.
  - src is the source IP contacting path; the IP address of a machine that is allowed to connect to and relay email through this path.
  - listen is the IP address and port on which this path listens for connections.
  - dest is the destination to which this path routes email.
- Path is configured to be an MTA: This column shows whether the listed path is configured to be a proxy or an MTA.
- Number of message recipients in queue: This column lists the number of messages in the queue if the path is an MTA. If it is a proxy, messages are not queued and this column will indicate N/A.

To see details about the messages in a queue, click the Show Details link for that queue. To see details for messages on a particular server, you must log in to the Dell SonicWALL appliance on that server.

Real-Time System Monitor

The Monitoring > Real-Time System Monitor page provides real-time information on the flow of email passing through the Dell SonicWALL Email Security system. The Message Throughput History graph shows the number of emails processed by this server per second. The Message Bandwidth History graph shows the total bandwidth used for email in bytes per second. The bandwidth is the sum of the sizes of all the messages passing through this Dell SonicWALL Email Security server per second.

Performance Monitoring

The Monitoring > Performance Monitoring page allows administrators to view and compare performance metrics with the Email Security interface without downloading and formatting CSV files. The performance monitoring section displays data that has always been collected by Dell SonicWALL Email Security.

Performance monitoring allows administrators to monitor a single metric over a period of time, or to compare two metrics. Once an administrator creates a graph, the graph can be saved or emailed to share with others who do not have administrator privileges.

Reading Performance Monitoring

There are two ways of viewing the data: by viewing multiple metrics for a given date, or by comparing data of the same process metric across several days.

The Performance Graph for Multiple Metrics option creates a graph which contains one or two process metrics for a given date. If there are two metrics, a second y-axis scale will appear at the right-hand side of the graph for the interpretation of the second metric.

The Performance Graph for Multiple Days option creates a graph for a single process metric across multiple days. Each day's worth of data is a line of a different color. Up to six data files can be displayed.

Graphs are shown for a 24-hour period starting and ending at midnight GMT+0. Once a graph is specified, it will not display or redraw until the Refresh button is clicked. To view the raw data files used to build a particular graph, click either the Download or the Email To... buttons and a ZIP file containing the data files and the bitmap will be provided accordingly.

Creating a Performance Monitoring Graph

To create a performance monitoring graph, complete the following procedures:

1. Log into your Email Security system as an administrator.
2. Navigate to the Reports & Monitoring > Monitoring > Performance Monitoring page.
3. Choose the type of performance graph you want.
4. For the multiple metrics graph:
   - Select the date you want information on from the select data file dropdown box.
   - Click in the first select process box and choose a process.
   - Click in the first select metric box and choose a metric of the selected process.
   - If you want to compare a second metric, repeat the process with the second set of dropdown boxes.
   - Click the Refresh button. You will see the performance graph for those metrics on that day.
5. For the multiple days graph:
   - Select the process and metric you want information on.
   - Select your dates from the data file dropdown boxes.
   - Click the Refresh button. You will see the performance graph for that metric on those days.

Monitored Metrics

The following processes are currently monitored and available as data files. These data files have always existed, but the information is now more readily accessible.

- Monitoring Service
- Tomcat Service
- Replicator Service
- SMTP Server
- Thumb Updater Service
- Database Service
- Operating System
- MTA Service
- Message Statistics

Metrics List

These are the process metrics that are being tracked and stored in the data files. Most of these metrics exist in each process. The most common metrics appear in the table below. Metrics not shown in the list are usually System process monitoring.

Process Metric: Description

DHA Msgs: Number of messages classified as directory harvest attacks. DHA messages are addressed to invalid users at your domain.

%Disk Time: The percentage of elapsed time that the selected disk drive was busy servicing read or write requests.

Fraud Msgs: Number of messages identified as fraudulent and delivered to the junk box.

Good Msgs: Number of messages which were delivered without any noted problems.

Likely Fraud: Number of messages which are delivered but marked as probable fraud.

Likely Spam: Number of messages which are delivered but marked as probable spam.

Likely Virus: Number of messages which are delivered but marked as probably virus-infected.

Policy Msgs: Number of messages which triggered a policy action.

Spam Msgs: Number of messages sent to the junk box as spam.

Total Msgs: Total number of messages processed by Dell SonicWALL Email Security.

Virus Msgs: Number of messages with a virus attached.

%Processor Time: The percentage of elapsed time that all of process threads used to execute instructions. An instruction is the basic unit of execution in a computer, a thread is the object that executes instructions, and a process is the object created when a program is run. Code is executed to handle some hardware interrupts and trap conditions

Available Bytes: The amount of physical memory, in bytes, available to processes running on the computer. This is calculated by adding the amount of space on the Zeroed, Free, and Standby memory lists. Free memory is ready for use; zeroed memory consists of pages of memory filled with zeros to prevent subsequent processes from seeing data used by a previous process; standby memory is memory that has been removed from a process' working set, but is still available to be recalled. This counter displays the last observed value only; it is not an average.

Avg. Disk Bytes/Transfer: The time, in seconds, of the average disk transfer.

Avg. Disk Queue Length: The average number of read and write requests queued for the selected disk during the sample interval.

Buffer Bytes: Used in Linux systems. Buffer Bytes is the number of bytes consumed by the kernel.

Cache Bytes: The sum of the Memory\\System Cache Resident Bytes, Memory\\System Driver Resident Bytes, Memory\\System Code Resident Bytes, and Memory\\Pool Paged Resident Bytes counters. This counter displays the last observed value only; it is not an average.

Process Metric: Description

Committed Bytes: The amount of committed virtual memory, in bytes. Committed memory is the physical memory which has space reserved on the disk paging file(s). There can be one or more paging files on each physical drive. This counter displays the last observed value only; it is not an average.

Connections Established: The number of TCP connections for which the current state is either ESTABLISHED or CLOSE-WAIT.

Connection Failures: The number of times TCP connections have made a direct transition to the CLOSED state from the SYN-SENT state or the SYN-RCVD state, plus the number of times TCP connections have made a direct transition to the LISTEN state from the SYN-RCVD state.

Connections Reset: The number of times TCP connections have made a direct transition to the CLOSED state from either the ESTABLISHED state or the CLOSE-WAIT state.

Handle Count: The total number of handles this process currently has open. This number is the sum of the handles currently open by each thread in this process.

Install Dir Free Space: For Windows, the number of bytes remaining free on the installation drive.

Private Bytes: Private Bytes is the current size, in kilobytes, of memory that this process has allocated which cannot be shared with other processes.

Segments Retransmitted/sec: The rate at which segments are retransmitted, that is, segments transmitted containing one or more previously transmitted bytes.

Segments/sec: The rate at which TCP segments are sent or received using the TCP protocol.

Swap Available Bytes: Used in Linux systems. Swap Available Bytes is "Swap space which is still free to use".

Thread Count: The number of threads currently active in this process. An instruction is the basic unit of execution in a processor, and a thread is the object that executes instructions. Every running process has at least one thread.

Virtual Bytes: The current size, in kilobytes, of the virtual address space the process is using. Use of virtual address space does not imply corresponding use of either disk or main memory pages. Virtual space is finite, and the process can limit its ability to load libraries.

Reporting in Email Security

Dell SonicWALL Email Security provides many types of reports. All reports allow you to optionally download the data in CSV or HTML format. You can also create custom reports by specifying a time period for the data, and download the report for analysis or email the report. Per-domain reports are available for custom and scheduled reports.

Dell SonicWALL Email Security also provides several reports for Managed Service Provider (MSP) related data, including the following:
- Email breakdown (custom/scheduled report only)
- Bandwidth (custom/scheduled report only)
- Good v Junk per domain (custom/scheduled report only)

Note: Dell SonicWALL Email Security uses the Firebird Database Engine to generate reports. Make sure that there is no other installation of the Firebird Database Engine on the same server as Email Security.

By default, Dell SonicWALL Email Security retains 366 days of reporting information in the database. You can change this setting in the System > Advanced > Reports data will be deleted when older than field. Lowering this number means less disk space will be used, but you will not have report data older than the number of days specified. If your organization's email volume is very high, you may want to consider lowering this number.

For descriptions of the different report types, see the following sections:
- Anti-Spam Reports
- Anti-Phishing Reports
- Anti-Virus Reports
- Directory Protection
- Scheduled Reports

Generating Per-Domain Reports

When Email Security is being used as an email server for several different organizations, you can generate reports that are specific to each domain. This is especially useful in a Managed Service Provider (MSP) environment. For example, you could generate reports that show data only for sonicwall.com or only for mailfrontier.net.

Email Security provides a way for administrators to specify the domain for which data should be displayed. Only administrators can configure the per-domain setting. It is disabled for managers or other roles.

Per-domain reporting is supported for the following seven report types:
- Inbound Good versus Junk
- Junk Email Breakdown
- Spam Caught
- Messages Identified as Phishing
- Inbound Viruses Caught
- Inbound Policy Messages Filtered
- Number of Attacks

Per-domain reporting is not available for dashboard reports or static reports.

In per-domain reporting, sub-domains are not considered to be separate domains. For example, email sent to matthew@sales.sonicwall.com, brian@engr.sonicwall.com, and casey@sonicwall.com will all be included in reports for sonicwall.com.
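The sub-domain rule above can be reproduced when cross-checking exported report data against per-domain totals. This added example (not part of the guide or the product) folds recipient addresses into their report domain and matches only on a label boundary, so a look-alike domain that merely ends in the same characters is not counted as a sub-domain. The function names and every address after the guide's three are constructed; how the product itself matches domains is not stated in the guide.

```python
from collections import Counter

# Report domains named in the guide's example.
REPORT_DOMAINS = ["sonicwall.com", "mailfrontier.net"]

# The first three recipients come from the guide; the rest are constructed.
RECIPIENTS = [
    "matthew@sales.sonicwall.com",
    "brian@engr.sonicwall.com",
    "casey@sonicwall.com",
    "Kim@MailFrontier.NET",            # case differs, same domain
    "pat@notsonicwall.com",            # look-alike, not a sub-domain
    "lee@sonicwall.com.example.org",   # report domain used as a prefix only
    "no-at-sign",                      # malformed address
]


def report_domain(address, domains=REPORT_DOMAINS):
    """Return the report domain an address is counted under, or None."""
    local, at, host = address.strip().rpartition("@")
    if not at or not local or not host:
        return None
    host = host.lower().rstrip(".")
    for domain in domains:
        domain = domain.lower()
        # Exact match, or a sub-domain: the suffix must start at a dot.
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def per_domain_counts(recipients, domains=REPORT_DOMAINS):
    """Count recipients per report domain; return (counts, unassigned)."""
    counts = Counter({d: 0 for d in domains})
    unassigned = []
    for recipient in recipients:
        domain = report_domain(recipient, domains)
        if domain is None:
            unassigned.append(recipient)
        else:
            counts[domain] += 1
    return dict(counts), unassigned


if __name__ == "__main__":
    counts, unassigned = per_domain_counts(RECIPIENTS)
    print(counts)
    print("not in any report domain:", unassigned)
```
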
Overview Reports

The following report types are available in the Overview Reports section of the Email Security management interface. See the following sections:
- Dashboard
- Inbound Good vs Junk
- Outbound Good vs Junk
- Spam Caught
- Top Spam Domains

Dashboard

The Overview Reports > Dashboard provides a lot of information about Dell SonicWALL Email Security at a glance. These charts are updated hourly and display the statistics for the last 24 hours. Click the Refresh Reports button to update the data in the reports with the most current data.

Good Email vs Junk Email

Displays the number of Good Email messages in comparison to the Junk messages received. The Junk Email messages include spam, likely spam, phishing, likely phishing, viruses, likely viruses, Directory Harvest Attacks (DHA), and messages that trigger policy events. The information in this chart can also be found in the Reports & Monitoring > Overview Reports > Inbound Good vs. Junk report.

Spam Caught

Displays the number of email messages that are Definite Spam compared to the number of messages that are Likely Spam. The information on this chart can also be found in the Anti-Spam Reports > Spam Caught report.

Junk Email Breakdown

Displays the number of Junk messages, classified into the following categories:
- Spam (Definite Spam and Likely Spam)
- Phishing (Definite Phishing and Likely Phishing)
- Virus (Definite Virus and Likely Virus)
- Policy
- Directory Harvest Attack (DHA)
- Connection Management (CM)

You can also find this information in the Reports & Monitoring > Overview Reports > Junk Email Breakdown report page.

Inbound vs. Outbound Email

Displays the number of inbound emails compared to the number of outbound email messages. You can also find this information in the Reports & Monitoring > Overview Reports > Inbound vs Outbound Email report.

System Load Average (15 min)

Displays the system load as sampled every fifteen minutes. This chart is incremented in thousands of messages. Use this chart to judge your peak system load, and your loads through the day. If you are viewing a Remote Analyzer, this is one of the available charts.

System % Processor Time (15 min)

Displays what percentage of the processor is used, as sampled every fifteen minutes. This chart is incremented in processor percentage. Use this chart to judge whether you have sufficient processor power for your needs. If you are viewing a Remote Analyzer, this is one of the available charts.

Top Spam Recipients

Displays the volume of spam received by the Top 12 Recipients in your organization within the last 24 hours. This information is also available in the Reports & Monitoring > Overview Reports > Top Spam Recipients report.

Top Outbound Email Senders

Displays the number of outbound email messages sent by the top 12 senders in your organization in the last 24 hours. This information is also available in the Reports & Monitoring > Overview Reports > Top Outbound Email Senders report.

Return on Investment

Dell SonicWALL Email Security provides a tool to help determine the Return on Investment (ROI) for your organization's investment in Email Security. You can customize this tool to reflect your organization's costs of doing business. Determine your organization's return on investment on a daily, weekly, or monthly basis by using the Dell SonicWALL Email Security product.

ROI numbers are computed from a formula and data accumulated by Email Security's mlfupdater and the usermap.xml file is input into the formula.

Determining the ROI for Your Organization

To determine the savings from preventing unwanted email, click Change Assumptions to enter figures that reflect your organization. An input window appears with default values. To change the values so that they match your organization's experience:

1. Enter the appropriate values for your organization for salary, number of users, and other factors that contribute to the cost of dealing with unwanted email.
2. Click the Recalculate Report button after you enter your values; a revised ROI report appears.

Bandwidth Savings

The Bandwidth Savings report displays the number of megabytes of bandwidth that Email Security saves your organization. Dell SonicWALL Email Security lowers your organization's network costs through the following actions:
- Removing the high volume of junk messages that go through your network.
- Quarantining junk messages in the Junk Box.
- Deleting junk messages before they enter your network.

Inbound Good vs Junk

This page displays the total number of inbound messages processed by Dell SonicWALL Email Security along with the total number of junk messages versus good messages. You can view the Inbound Good messages versus Junk messages by specific time periods. Click the Hourly, Daily, or Monthly tabs to view data for each period. By default, the Daily tab displays.

Outbound Good vs Junk

This report displays the total number of outbound messages processed by Email Security along with the total number of junk messages and good messages. You can view the Outbound Good versus Junk by specific time periods. Click the Hourly, Daily, or Monthly tabs to view data for each period. By default, the Daily tab displays.

Inbound vs Outbound Email

The number of inbound and outbound messages processed by Email Security. Note that this report is available only if the outbound email module is licensed. You can view the Inbound versus Outbound Email by specific time periods. Click the Hourly, Daily, or Monthly tabs to view data for each period. By default, the Daily tab displays.

Top Outbound Email Senders

The number of outbound email messages sent by the top 12 senders in your organization. This report is available only if the outbound module is licensed. You can view the Top Outbound Email Senders by specific time periods. Click the Today, This Month, or This Year tabs to view data for each period. By default, the This Month tab displays.

Junk Email Breakdown Report

This report gives a percentage and numeric breakdown of the various categories of junk received, including Spam, Likely Spam, Viruses, Likely Viruses, Phishing, Likely Phishing, Policy Events, Directory Harvest Attacks (DHA), and Connection Management (CM). You can view the Junk Email Breakdown by specific time periods. Click the Hourly, Daily, or Monthly tabs to view data for each period. By default, the Daily tab displays.

Anti-Spam Reports

Dell SonicWALL Email Security provides the following reports specific to the category of Anti-Spam: Spam Caught, Top Spam Domains, and Top Spam Recipients.

Spam Caught

The Spam Caught report displays the number of messages filtered by Dell SonicWALL Email Security that are definitely Spam compared to the number that are Likely Spam. This report also gives a percentage breakdown. You can view the Spam Caught report by specific time periods. Click the Hourly, Daily, or Monthly tabs to view data for each period. By default, the Daily tab displays.

Top Spam Domains

The Top Spam Domains report presents the domains or IP addresses that send the most spam to your organization. Note that this report only contains useful information if your Email Security server is running as first touch. If your server is not first touch, the IP addresses displayed are those of the server that routes mail to the Email Security server. You can view the Top Spam Domains by specific time periods. Click the Today, This Month, or This Year tabs to view data for each period. By default, the This Month tab displays.

Top Spam Recipients

The Top Spam Recipients report lists the email addresses in your organization that receive the most spam. You can view the Top Spam Recipients report by specific time periods. Click the Today, This Month, or This Year tabs to view data for each period. By default, the This Month tab displays.

Anti-Phishing Reports

Phishing Messages are an especially pernicious form of fraud that use email with fraudulent content to steal consumers' personal identity data and financial account credentials.

Phishing Messages

This report displays the number of messages that were identified as Phishing Attacks and Likely Phishing Attacks. You can view the Phishing Messages by specific time periods. Click the Daily, Weekly, and Monthly tabs to view the data for each period. By default, the Weekly tab displays.

Anti-Virus Reports

The Anti-Virus Report allows you to view the number of viruses detected by Dell SonicWALL Email Security.

Inbound Viruses Caught

The Inbound Viruses Caught report displays the number of viruses caught in inbound email traffic. You can view the Inbound Viruses Caught by specific time periods. Click the Hourly, Daily, or Monthly tabs to view the data for each period. By default, the Daily tab displays.

Top Inbound Viruses

The Top Inbound Viruses report lists the names of the viruses that have been detected most often in inbound email traffic sent through Email Security and the number of times each virus has been detected. You can view the Top Inbound Viruses by specific time periods. Click the Today, This Month, or This Year tabs to view the data for each period. By default, the This Month tab displays.

Outbound Viruses Caught

The Outbound Viruses Caught report displays the number of viruses caught in outbound email traffic. You can view the Outbound Viruses Caught by specific time periods. Click the Hourly, Daily, or Monthly tabs to view the data for each period. By default, the Daily tab displays.

Top Outbound Viruses

The Top Outbound Viruses report lists the names of the viruses that have been detected most often in outbound email traffic sent through Email Security and the number of times each virus has been detected. You can view the Top Outbound Viruses by specific time periods. Click the Today, This Month, or This Year tabs to view the data for each period. By default, the This Month tab displays.

Policy Management Reports

If you have created policy filters in Email Security to manage email traffic, the following policy reports provide statistics on messages that trigger the policy filters.

Inbound Policies Filtered

The Inbound Policies Filtered report displays the total number of inbound email messages that Email Security has filtered based on policies that you have configured.

You can view the Inbound Policies Filtered by specific time periods. Click the Hourly, Daily, or Monthly tabs to view the data for each period. By default, the Daily tab displays. Top Inbound Policies The Top Inbound Policies report displays the policy filter names that are triggered most often in inbound email traffic sent through Email Security and the amount of times each policy has been triggered. Policies are triggered when the contents or attachments of a message contain information that you have configured as a policy filter to detect. You can view the Top Inbound Policies report by specific time periods. Click the Today, This Month, or This Year tabs to view the data for each period. By default, the This Month tab displays. Outbound Policies Filtered The Outbound Policies Filtered report displays the total number of outbound email messages that Email Security has filtered based on policies that you have configured. You can view the Outbound Policies Filtered by specific time periods. Click the Hourly, Daily, or Monthly tabs to view the data for each period. By default, the Daily tab displays Top Outbound Policies The Top Outbound Policies report displays the policy filter names that are triggered most often in outbound email traffic sent through Email Security and the amount of times each policy has been triggered. You can view the Top Outbound Policies report by specific time periods. Click the Today, This Month, or This Year tabs to view the data for each period. By default, the This Month tab displays. Compliance Reports The set of Compliance Reports are accessible upon licensing of the Compliance Module. Inbound Messages Decrypted The Inbound Messages Decrypted report lists the number of inbound messages decrypted. You can view the Inbound Messages Decrypted report by specific time periods. Click the Hourly, Daily, or Monthly tabs to view the data for each period. By default, the Daily tab displays. 
Inbound Messages Archived
The Inbound Messages Archived report lists the total number of inbound messages that were archived. These messages triggered a policy filter that, as a result, routed them for archiving.

You can view the Inbound Messages Archived report by specific time periods. Click the Hourly, Daily, or Monthly tabs to view the data for each period. By default, the Daily tab displays.

Top Inbound Approval Boxes
The Top Inbound Approval Boxes report lists the Approval Boxes in which inbound email messages sent through Email Security are stored most often, and the number of messages that have been stored in each one. Note that the messages may have been released from the Approval Boxes since they were first stored there. These messages triggered a policy filter that, as a result, stored them in an Approval Box. You can view the Top Inbound Approval Boxes report by specific time periods. Click the Today, This Month, or This Year tabs to view the data for each period. By default, the This Month tab displays.

Outbound Messages Encrypted
The Outbound Messages Encrypted report lists the number of outbound messages encrypted. You can view the Outbound Messages Encrypted report by specific time periods. Click the Hourly, Daily, or Monthly tabs to view the data for each period. By default, the Daily tab displays.

Outbound Messages Archived
The Outbound Messages Archived report lists the total number of outbound messages that were archived. These messages triggered a policy filter that, as a result, routed them for archiving. You can view the Outbound Messages Archived report by specific time periods. Click the Hourly, Daily, or Monthly tabs to view the data for each period. By default, the Daily tab displays.

Top Outbound Approval Boxes
The Top Outbound Approval Boxes report lists the Approval Boxes in which outbound email messages sent through Email Security are stored most often, and the number of messages that have been stored in each one. Note that the messages may have been released from the Approval Boxes since they were first stored there. These messages triggered a policy filter that, as a result, stored them in an Approval Box.
You can view the Top Outbound Approval Boxes report by specific time periods. Click the Today, This Month, or This Year tabs to view the data for each period. By default, the This Month tab displays.

Directory Protection
Dell SonicWALL Email Security provides protection against directory attacks. The following directory protection reports give more information on the directory attacks targeted at your organization.

Number of Directory Harvest Attacks (DHA)
This report displays the number of messages with invalid email addresses that were sent to your organization. If this number is large, your organization may be experiencing one or more Directory Harvest Attacks (DHA), in which spammers try to harvest a list of all your email addresses. You can view the Number of Directory Harvest Attacks (DHA) report by specific time periods. Click the Hourly, Daily, or Monthly tabs to view the data for each period. By default, the Daily tab displays.

Top DHA Domains
Use the Top DHA Domains page to view the IP addresses from which the most frequent Directory Harvest Attacks (DHA) originate, and the number of invalid recipient addresses in those attacks. You can view the Top DHA Domains report by specific time periods. Click the Today, This Month, or This Year tabs to view the data for each period. By default, the This Month tab displays.

Connection Management Reports
Dell SonicWALL Email Security provides connection management to reduce the traffic your system must analyze and to automatically reject connections from bad IP addresses. You can configure which IP addresses to ignore and also use the GRID network to add bad IP addresses to the Blocked Connection list.

Allowed vs Blocked Connections
The Allowed versus Blocked Connections report displays the number of SMTP connections that were allowed versus those that were blocked, deferred, or throttled as a result of the Connection Management settings. You can view the Allowed vs Blocked Connections report by specific time periods. Click the Hourly, Daily, or Monthly tabs to view the data for each period. By default, the Daily tab displays.
Blocked Connection Breakdown
The Blocked Connection Breakdown report displays the SMTP connections that have been blocked, deferred, or throttled as a result of the Connection Management settings. The following list describes the blocked connection types:
  Grid Network IP Reputation (REPTN)
  Blocked
  Deferred
  Greylisted
  Throttled based on connections (TCNXN)
  Throttled based on messages (TMSGS)
  Throttled based on recipient commands (TRCPT)
You can view the Blocked Connection Breakdown report by specific time periods. Click the Hourly, Daily, or Monthly tabs to view the data for each period. By default, the Daily tab displays.

Greylisted Connections
The Greylisted Connections report displays the number of SMTP connections that were blocked due to the Greylisting component of your Connection Management settings versus the number of connections that were later retried and allowed. You can view the Greylisted Connections report by specific time periods. Click the Hourly, Daily, or Monthly tabs to view the data for each period. By default, the Daily tab displays.

DMARC Reporting
The following report types are available in the DMARC Reports section of the Email Security management interface: DMARC Reports and Configure Known Networks.

DMARC Reports
When the Email Security Mail Server acts as both email sender and RUA receiver, it extracts and aggregates daily RUA files from the email receiver and from RUA providers, such as Google, Yahoo, etc. The DMARC Reporting Scheduler then imports the RUA files hourly into its database. Based on date range and data filter, you can obtain five different types of reports: one is a graphic chart and the other four are tabulated reports. The reports include:
  DMARC Statistic Report (Graphic Chart)
  DMARC Master Detail Report
  Source IP Aggregation Report
  Provider Aggregation Report
  Source IP and Provider Aggregation Report
All five reports can be rendered in HTML format and downloaded as a PDF file. (HTML reports allow you to mouse over the 'Alignment' value to see a description of the alignment reason.)
Dell SonicWALL recommends that the administrator enter the IP addresses of 'my server' on the 'Configure Known Networks' page before users (admin or manager role) view DMARC Reports, because by default the reports retrieve the data associated with those IP addresses.

Select Date Range
Last x days: Click the radio button for Last and select from the drop-down list of values. Last x days means the number of day(s) before the latest date of imported data.

Start Date and End Date: Click the radio button to specify the dates. If no RUA data is in the database, the pop-up calendar displays the current date. If RUA data exists in the database, the calendar dates before the minimum date and after the maximum date display. Only dates for which data is available can be selected.

Set Filter
Filter: Click this button to create a new filter. If a filter already exists, clicking this button allows you to edit the filter. See the Set Filter page for more information.
Save: After creating a new filter, click this button to save the newly configured settings.
Clear: Clears all settings of the current filter.
Apply Filter: Select from a drop-down list of the available filters. When a filter is selected, its bulleted settings display in the Filter section.
Delete: To delete a filter, select it from the Apply Filter drop-down list and click this button.
Bullet icons: Each bullet icon represents a filter condition. Click the condition to open the Set Filter dialog box, or click the small 'x' symbol on the bullet to delete the condition from the filter.

Select Report list
Select a type of report from the drop-down list. The available reports include: DMARC Statistic Report, DMARC Master Detail Report, Source IP Aggregation Report, Provider Aggregation Report, Source IP and Provider Aggregation Report.

Generate
After selecting a report from the drop-down list, click this button to generate a report. Note: Some reports may take a few minutes to generate. Reports are shown in a window below the 'Set Filters' section. The statistic report displays either horizontally or vertically, depending on the date range. If the selected date range is less than 15 days, three (3) bar charts display horizontally. If the date range is greater than 15 days, the bar charts display vertically. For tabulated reports, moving the mouse over the 'Alignment' value displays the Alignment Reason.
For example, if the 'Alignment' is 'No', moving the mouse over this 'No' makes the Title Box show: "No DKIM and SPF is passed, On SPF Relaxed, SPF Organization Domain(sina.com) Not Matched From Header Domain(sonicwall.com)" This message is useful for DMARC troubleshooting.

Download PDF Report
Click this button to download a PDF report once the HTML report is generated. The PDF report name includes the Report Name and a time stamp.

Configure Known Networks
There are two types of Known Networks you can configure: My Servers and External Trusted Servers.

My Servers
This is usually the list of company-owned IP addresses, labeled in the server group as 'my servers.' When setting the filter to generate a DMARC report, you have the option to select My Servers from the Known Network group. By default, all the IP addresses in the My Servers group are Included for the filter. Select Exclude to exclude the IP addresses in the My Servers group. If you choose not to use My Servers, you can set the filter to Source IP, and you then have to manually enter the Source IP addresses to include in the report.
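The alignment decision behind the Source IP Aggregation Report and the 'Alignment' reason described above can be reproduced from a raw RUA file. The following is an added example, not Dell SonicWALL code: the sample report, the function names and the two-label organizational-domain shortcut are assumptions, and my_servers stands in for the My Servers include filter.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed RUA aggregate report (RFC 7489 layout); every value is sample data.
SAMPLE_RUA = """<feedback>
 <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>40</count></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>mail.example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>5</count></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>bulk.example.net</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def org_domain(name):
    # Assumption: last two labels; real evaluators use the Public Suffix List.
    return ".".join(name.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    if mode == "s":  # strict: exact match with the From header domain
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed

def check(rec, kind, mode, from_dom):
    """Return (ok, reason) for one mechanism ('dkim' or 'spf')."""
    label = f"{kind.upper()} {'strict' if mode == 's' else 'relaxed'}"
    reason = f"{label}: no passing result"
    for res in rec.findall(f"auth_results/{kind}"):
        dom = res.findtext("domain")
        if res.findtext("result") != "pass":
            continue
        if aligned(dom, from_dom, mode):
            return True, f"{label}: {dom} aligned with {from_dom}"
        reason = f"{label}: {dom} not matched From header domain {from_dom}"
    return False, reason

def source_ip_report(xml_text, my_servers=()):
    """Aggregate message counts per source IP; my_servers limits the IPs included."""
    root = ET.fromstring(xml_text)
    modes = {k: root.findtext(f"policy_published/a{k}") or "r" for k in ("dkim", "spf")}
    nets = [ipaddress.ip_network(n) for n in my_servers]
    report = defaultdict(lambda: {"aligned": 0, "unaligned": 0, "reasons": []})
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        if nets and not any(ipaddress.ip_address(ip) in n for n in nets):
            continue
        from_dom = rec.findtext("identifiers/header_from")
        checks = [check(rec, k, modes[k], from_dom) for k in ("dkim", "spf")]
        ok = any(passed for passed, _ in checks)  # either aligned pass satisfies DMARC
        report[ip]["aligned" if ok else "unaligned"] += int(rec.findtext("row/count"))
        if not ok:
            report[ip]["reasons"] = [reason for _, reason in checks]
    return dict(report)
```

A source IP that shows only unaligned volume and is not one of your own servers is either a legitimate third-party sender that still needs SPF or DKIM set up for your domain, or a source spoofing your From header.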

External trusted servers
This is the list of IP addresses of company-trusted external servers and customers, labeled as 'external trusted servers.' Note that this is not a default condition. When setting the filter to generate a DMARC report, you can select External trusted servers from the Known Network group. Using include or exclude, you can select which IP addresses to view for the filter.
Add: Add a new server group and its respective IP addresses. You can add either 'My servers' or 'External trusted servers.'
Edit: Edit the Server Group label and its respective IP addresses.
Delete: Delete the Server Group label and its respective IP addresses.

Scheduled Reports
Dell SonicWALL Email Security allows you to schedule email delivery of reports. You can choose the type of report, the time span the data covers, the list of recipients, etc. Data in scheduled reports is displayed in the time zone of the server on which Email Security stores email data (either an All in One or a Control Center), just like the reports in the Reports & Monitoring section. Scheduled report emails are sent according to the time zone on that computer as well.

Customize a Report
Clicking the Customize button on any Report screen brings up the Custom Reports dialog box. You can generate a report based on the following settings:
Which Report: Select from the dropdown list the report you want to generate.
Date Range: Specify the period of dates you want the report to include.
List Results By: Select whether the results are listed by Hour, Day, Week, or Month.
Delivery: Select whether you want the report to Display (in a separate window) or to be Emailed To the specified email address.
Name from which report is sent: The sender of the report. This field defaults to admin.
Email address from which report is sent: The email address of the sender. This field defaults to postmaster.
Subject: Add a subject name for the report.

Enter all the specifications for a report, then click the Generate This Report button.

Note: The Custom Reports page displays the generated report in a new window. If you have configured a popup blocker for your web browser, it may interfere with displaying the window with the data. Configure your browser to allow popup windows from your organization's Dell SonicWALL Email Security site.

Add Scheduled Report
You can add a Scheduled Report by clicking the Add New Scheduled Report button. A dialog window displays where you can specify the following settings:
Which Report: Select from the dropdown list of reports.
Frequency of Report Email: Select from the dropdown list how frequently the chosen report is sent.
Time of Day to Send Report: Select either to send the report at Any time of day or Within an hour of the time you specify.
Day of Week to Send Report: Select either to send the report Any day of the week or Send report on the day you specify.
Language of Report Email: Select the language for the report.
Report has Data for the Last: Select how many days of data to include in the report.
Report Lists Results By: Select whether the results are listed by Day, Week, or Month.
Name From Which Report is Sent: Type in the name from which the report is sent (for example, Admin).

Email Address From Which Report is Sent: Type in the email address from which the report is sent (for example, admin@easypaymail.com).
Recipients of Report Email: Type in the email address(es) of the recipients of the report email.
Report Name: Specify the name of the report.
Click Save Scheduled Report when finished.

Download Report
You can instantly download all reports from the Reports & Monitoring page to your local system. Click the Download Report button, then click Open or Save to view the report.

Chapter 13 Downloads
This chapter provides information about the tools available for you to download to enhance your spam-blocking experience. Select one of the following to download and install to your local component.

Anti-Spam Desktop for Outlook
The Anti-Spam Desktop for Outlook and Outlook Express link is a trial version of the Dell SonicWALL Anti-Spam Desktop feature. This download provides Junk and Unjunk buttons for you to help customize your own Email Security solution.

Junk Button for Outlook
The Junk Button for Outlook link provides a Junk button for you to install on your own Microsoft Outlook program, which helps to customize your own Email Security solution.

Send Secure for Outlook
The Send Secure button for Outlook link provides a button for you to install on your own Microsoft Outlook program. This button allows you to send Secure messages using the Encryption Service. For more information regarding Encryption Service, see Encryption Service on page 147.
