M1000, M2000, M3000<br />
<strong>ePrism</strong> <strong>User</strong> <strong>Guide</strong>
Preface 5<br />
CHAPTER 1 <strong>ePrism</strong> Overview 7<br />
What’s New in <strong>ePrism</strong> 5.0 8<br />
<strong>ePrism</strong> Overview 10<br />
<strong>ePrism</strong> Deployment 17<br />
How Messages are Processed by <strong>ePrism</strong> 19<br />
CHAPTER 2 Administering <strong>ePrism</strong> 23<br />
Connecting to <strong>ePrism</strong> 24<br />
Configuring the Admin <strong>User</strong> 28<br />
Web Server Options 31<br />
Customizing the <strong>ePrism</strong> Interface 32<br />
CHAPTER 3 Configuring Mail Delivery Settings 33<br />
Network Settings 34<br />
Static Routes 38<br />
Mail Routing 39<br />
Mail Delivery Settings 41<br />
Mail Aliases 46<br />
Mail Mappings 48<br />
Virtual Mappings 50<br />
CHAPTER 4 Directory Services 53<br />
Directory Service Overview 54<br />
Directory Servers 56<br />
Directory Groups 58<br />
Directory <strong>User</strong>s 61<br />
LDAP Aliases 65<br />
LDAP Mappings 67<br />
LDAP Recipients 69<br />
LDAP Relay 71<br />
LDAP Routing 74<br />
CHAPTER 5 Configuring Email Security 77<br />
SMTP Mail Access 78<br />
Anti-Virus 80<br />
Malformed Messages 83<br />
Attachment Control 85<br />
SPF (Sender Policy Framework) 88<br />
Encryption and Certificates 90<br />
CHAPTER 6 Anti-Spam Features 97<br />
Anti-Spam Feature Overview 98<br />
Email Spam Processing 99<br />
<strong>ePrism</strong> Anti-Spam Controls 102<br />
Specific Access Patterns 104<br />
Pattern Based Message Filtering 107<br />
Objectionable Content Filtering 115<br />
RBL (Real-time Blackhole List) 117<br />
DCC (Distributed Checksum Clearinghouse) 119<br />
STA (Statistical Token Analysis) 123<br />
Trusted Senders 133<br />
Spam Quarantine 136<br />
Spam Options 141<br />
CHAPTER 7 <strong>User</strong> Accounts and Remote Authentication 143<br />
POP3 and IMAP Access 144<br />
Local <strong>User</strong> Mailboxes 145<br />
Mirror Accounts 147<br />
Strong Authentication 148<br />
Remote Accounts and Directory Authentication 150<br />
Relocated <strong>User</strong>s 153<br />
Vacation Notification 154<br />
Tiered Administration 157<br />
CHAPTER 8 Secure WebMail and <strong>ePrism</strong> Mail Client 159<br />
Secure WebMail 160<br />
<strong>ePrism</strong> Mail Client 164<br />
CHAPTER 9 Policy Management 167<br />
Policy Overview 168<br />
Creating Policies 171<br />
CHAPTER 10 System Management 177<br />
System Status and Utilities 178<br />
Mail Queue Management 181<br />
Quarantine Management 182<br />
License Management 184<br />
Software Updates 186<br />
Security Connection 187<br />
Reboot and Shutdown 188<br />
Backup and Restore 189<br />
Centralized Management 197<br />
Problem Reporting 202<br />
CHAPTER 11 HALO (High Availability and Load Optimization) 203<br />
HALO Overview 204<br />
Configuring Clustering 206<br />
Cluster Management 212<br />
Configuring the F5 Load Balancer 216<br />
Queue Replication 217<br />
CHAPTER 12 Reporting 221<br />
Viewing and Generating Reports 222<br />
Viewing the Mail History Database 231<br />
Viewing the System History Database 234<br />
Report Configuration 237<br />
CHAPTER 13 Monitoring System Activity 239<br />
Activity Screen 240<br />
System Log Files 242<br />
SNMP (Simple Network Management Protocol) 245<br />
Alarms 248<br />
CHAPTER 14 Troubleshooting Mail Delivery 251<br />
Troubleshooting Mail Delivery 252<br />
Troubleshooting Tools 253<br />
Examining Log Files 254<br />
Network and Mail Diagnostics 258<br />
Troubleshooting Content Issues 263<br />
APPENDIX A Using the <strong>ePrism</strong> System Console 265<br />
APPENDIX B Restoring <strong>ePrism</strong> to Factory Default Settings 269<br />
APPENDIX C Message Processing Order 271<br />
APPENDIX D Customizing Notification and Annotation Messages 273<br />
APPENDIX E Performance Tuning 275<br />
Setting Default Performance Settings 276<br />
Advanced Settings 277<br />
APPENDIX F SNMP MIBS 283<br />
MIB Files Summary 283<br />
MIB OID Values 287<br />
APPENDIX G Third Party Copyrights and Licenses 291<br />
Preface<br />
This <strong>ePrism</strong> <strong>User</strong> <strong>Guide</strong> provides detailed information on how to configure and manage your<br />
<strong>ePrism</strong> Email Security Appliance, and contains the following topics:<br />
• Chapter 1 — “<strong>ePrism</strong> Overview” on page 7<br />
• Chapter 2 — “Administering <strong>ePrism</strong>” on page 23<br />
• Chapter 3 — “Configuring Mail Delivery Settings” on page 33<br />
• Chapter 4 — “Directory Services” on page 53<br />
• Chapter 5 — “Configuring Email Security” on page 77<br />
• Chapter 6 — “Anti-Spam Features” on page 97<br />
• Chapter 7 — “<strong>User</strong> Accounts and Remote Authentication” on page 143<br />
• Chapter 8 — “Secure WebMail and <strong>ePrism</strong> Mail Client” on page 159<br />
• Chapter 9 — “Policy Management” on page 167<br />
• Chapter 10 — “System Management” on page 177<br />
• Chapter 11 — “HALO (High Availability and Load Optimization)” on page 203<br />
• Chapter 12 — “Reporting” on page 221<br />
• Chapter 13 — “Monitoring System Activity” on page 239<br />
• Chapter 14 — “Troubleshooting Mail Delivery” on page 251<br />
The following Appendices contain supplemental information for <strong>ePrism</strong>:<br />
• Appendix A — “Using the <strong>ePrism</strong> System Console” on page 265<br />
• Appendix B — “Restoring <strong>ePrism</strong> to Factory Default Settings” on page 269<br />
• Appendix C — “Message Processing Order” on page 271<br />
• Appendix D — “Customizing Notification and Annotation Messages” on page 273<br />
• Appendix E — “Performance Tuning” on page 275<br />
• Appendix F — “SNMP MIBS” on page 283<br />
• Appendix G — “Third Party Copyrights and Licenses” on page 291<br />
Related Documentation<br />
If release notes are included with your product package, please read them for the latest<br />
information on installing and managing your <strong>ePrism</strong>.<br />
The following documents are included as part of the <strong>ePrism</strong> documentation set:<br />
• Release Notes — Provides up to date information on the product, including any known<br />
issues. If instructions in the release notes differ from the Installation <strong>Guide</strong> or <strong>User</strong> <strong>Guide</strong>,<br />
use the instructions in the Release Notes.<br />
• <strong>ePrism</strong> Installation <strong>Guide</strong> — Provides instructions on how to install and provide the initial<br />
configuration for the <strong>ePrism</strong> Email Security Appliance.<br />
• <strong>ePrism</strong> <strong>User</strong> <strong>Guide</strong> — Provides detailed information on how to configure and administer the<br />
<strong>ePrism</strong> Email Security Appliance.<br />
Contacting Technical Support<br />
St. Bernard Software telephone support is available Monday to Friday, 07:00 to 16:00 Pacific<br />
Standard Time (North America, South America, Pacific Rim) and 08:30 to 17:30 UTC (Europe, Asia, Africa).<br />
North America, South America, Pacific Rim (PST)<br />
15015 Avenue of Science<br />
San Diego, CA 92128<br />
Main: 858.676.2277<br />
FAX: 858.676.2299<br />
Technical Support: 858.676.5050<br />
Technical Support Email: <strong>ePrism</strong>-support@stbernard.com<br />
Europe, Asia, Africa (UTC)<br />
Unit 4, Riverside Way<br />
Watchmoor Park, Camberley<br />
Surrey, UK<br />
GU15 3YQ<br />
Main: 44.1276.401.640<br />
FAX: 44.1276.684.479<br />
Technical Support: 44.1276.401.642<br />
Technical Support Email: support@uk.stbernard.com<br />
Copyright Information<br />
© 2003-2005 St. Bernard Software, Inc. All rights reserved.<br />
St. Bernard Software is a trademark of St. Bernard Software Inc. All other trademarks or registered<br />
trademarks are hereby acknowledged.<br />
Information in this document is subject to change without notice.<br />
CHAPTER 1<br />
<strong>ePrism</strong> Overview<br />
This chapter provides an overview of the architecture and features of the <strong>ePrism</strong> Email Security<br />
Appliance, and contains the following topics:<br />
• “What’s New in <strong>ePrism</strong> 5.0” on page 8<br />
• “<strong>ePrism</strong> Overview” on page 10<br />
• “<strong>ePrism</strong> Deployment” on page 17<br />
• “How Messages are Processed by <strong>ePrism</strong>” on page 19<br />
What’s New in <strong>ePrism</strong> 5.0<br />
The <strong>ePrism</strong> Email Security Appliance 5.0 release contains the following new features and<br />
improvements:<br />
New <strong>User</strong> Interface<br />
The <strong>ePrism</strong> user interface has been redesigned for easier navigation and more efficient<br />
administration of <strong>ePrism</strong>’s powerful features.<br />
Improved Performance<br />
ePrism 5.0 processes mail 30% or more faster than the previous release. ePrism's security and<br />
spam filtering techniques have been reworked for greater mail processing efficiency.<br />
Directory Services Improvements<br />
<strong>ePrism</strong> 5.0 adds significant improvements to its Directory Services integration, enhancing support<br />
for OpenLDAP, iPlanet, and Active Directory LDAP implementations. The following new features<br />
have been added:<br />
• LDAP Recipients — This feature is used in conjunction with the Reject on Unknown Recipient<br />
Anti-Spam feature. LDAP Recipients performs real-time direct LDAP lookups to verify the<br />
existence of recipients.<br />
• LDAP Domain Routing — This feature performs an LDAP search to find the mail route host<br />
for a domain. It is the preferred mail routing method for organizations with a large number of<br />
domains.<br />
• LDAP SMTP Relay Authentication — This feature is used in conjunction with the SMTP<br />
Relay Authentication to allow clients to be authenticated via LDAP for SMTP relay purposes.<br />
Select Basic Config -> Directory Services on the menu to configure all LDAP directory features.<br />
OCF (Objectionable Content Filter)<br />
The Objectionable Content Filter defines a list of key words that will cause a message to be<br />
blocked if any of those words appear in the message. This feature is useful for organizations that<br />
need to manage their email in accordance with regulatory requirements. The Objectionable<br />
Content Filter provides enhanced content filtering functionality and flexibility, allowing users to<br />
restrict content of any form including objectionable words or phrases, offensive content and/or<br />
confidential information.<br />
The OCF list can be updated and customized to meet the specific needs of any organization.<br />
Rules can also be applied to both inbound and outbound messages preventing unwanted content<br />
from entering an organization and prohibiting the release of sensitive information. OCF can be<br />
configured via Mail Delivery -> Anti-Spam -> OCF.<br />
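The point that matters for an OCF implementation is what text the terms are matched against: a filter that greps the raw message misses a body that arrives base64- or quoted-printable-encoded. The following is an added example written for this guide, not ePrism's own filter; the term list, the inbound/outbound tagging and the sample message are constructed for it. Terms are matched after transfer decoding, case-insensitively and on word boundaries, across the Subject header and every text part.<br />

```python
"""Objectionable Content Filter over decoded message text (added example, not ePrism code)."""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed term list: each term applies to inbound mail, outbound mail, or both.
OCF_TERMS = {
    "project aurora": {"outbound"},   # internal codename that must not leave the organization
    "confidential": {"outbound"},
    "lottery winner": {"inbound"},
}


def compile_terms(terms, direction):
    """One case-insensitive, word-bounded pattern per term that applies to this direction."""
    return {t: re.compile(r"(?<!\w)" + re.escape(t) + r"(?!\w)", re.IGNORECASE)
            for t, dirs in terms.items() if direction in dirs}


def message_text(msg):
    """Subject plus every text/* part, decoded from its transfer encoding and charset."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            chunks.append(part.get_content())
    return "\n".join(chunks)


def ocf_scan(raw_message, direction, terms=OCF_TERMS):
    """Return the sorted list of terms found in the message for the given direction."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    text = message_text(msg)
    return sorted(t for t, rx in compile_terms(terms, direction).items() if rx.search(text))


def build_outbound_sample():
    """Constructed outbound message whose body is base64-encoded on the wire."""
    msg = EmailMessage()
    msg["From"] = "dev@example.com"
    msg["To"] = "partner@example.net"
    msg["Subject"] = "status"
    msg.set_content("Attached is the Project AURORA roadmap.\n"
                    "Our confidentiality agreement applies.\n", cte="base64")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_outbound_sample()
    print("outbound hits:", ocf_scan(raw, "outbound"))
    print("inbound hits:", ocf_scan(raw, "inbound"))
```

Running it reports only `project aurora` for the outbound direction: the base64 body is decoded before matching, and `confidential` does not fire on `confidentiality` because the pattern is word-bounded. Whether a production term list should match substrings is a policy decision; the example makes the boundary explicit so that choice is visible.<br />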
Large MTU Support<br />
In Basic Config -> Network, in the Network Interface section, you can enable the Large MTU<br />
(Maximum Transmission Unit) parameter, which sets the MTU of the interface to 1500 bytes, the<br />
standard Ethernet MTU. This may improve performance connecting to servers on a local network.<br />
The default MTU is 576.<br />
Configurable Content Reject Message (SMTP)<br />
In Mail Delivery -> Delivery Settings -> Advanced, there is a new option to configure the<br />
content rejection message that appears in the SMTP 552 error message.<br />
<strong>ePrism</strong> Overview<br />
<strong>ePrism</strong> is a dedicated Mail Firewall designed for deployment between internal mail servers and the<br />
Internet. <strong>ePrism</strong> supports the standard mail protocols for processing email messages, while<br />
offering a secure method for their processing and delivery. <strong>ePrism</strong> has been designed specifically to<br />
resist operating system attacks and protect your mail servers from direct SMTP and HTTP<br />
connections.<br />
Firewall-Level Network and System Security<br />
ePrism delivers a comprehensive level of security for email systems. ePrism runs on<br />
S-Core, St. Bernard's customized and hardened Unix operating system. S-Core has been field tested for<br />
over 10 years as the operating system for the St. Bernard Firewall Server. S-Core does not allow<br />
uncontrolled access to the system: there is no command line access, and the system runs as a<br />
"closed" system, preventing accidental or deliberate misconfiguration by administrators, which is a<br />
common cause of security vulnerabilities.<br />
<strong>ePrism</strong> has been awarded Common Criteria EAL 4+ certification. EAL 4+ indicates that <strong>ePrism</strong><br />
has passed all of the requirements needed to gain Evaluation Assurance Level 4 (EAL 4) and has<br />
passed some additional modules that elevate the certification above the standard EAL4 to include<br />
EAL5 vulnerability testing.<br />
<strong>ePrism</strong> Deployment<br />
<strong>ePrism</strong> is generally configured to accept all mail for a domain or sub-domain, store and process<br />
mail according to specified policies, and deliver the mail to one or more internal mail servers for<br />
collection by users.<br />
<strong>ePrism</strong> is ideally suited for deployment in parallel with an existing firewall, on a DMZ, or on an<br />
internal network.<br />
See “<strong>ePrism</strong> Deployment” on page 17 for more detailed information on deploying <strong>ePrism</strong>.<br />
Mail Delivery Security<br />
<strong>ePrism</strong> has a sophisticated mail delivery system with several security features and benefits to<br />
ensure that the identifying information about your company's email infrastructure remains private.<br />
• For a company with multiple domain names, ePrism can accept, process and deliver mail to<br />
private email servers.<br />
• For a company with multiple private email servers, ePrism can route mail based on the<br />
domain or subdomain to separate groups of email users.<br />
• Security features such as mail mappings and address masquerading make it possible to hide<br />
references to internal host names.<br />
Content Filtering<br />
<strong>ePrism</strong> implements attachment controls and content filtering based on pattern and text matching.<br />
These controls prevent the following issues:<br />
• Breaches of confidentiality<br />
• Legal liability from offensive content<br />
• Personal abuse of company resources<br />
Attachment controls are based on the following characteristics:<br />
• File Extension Suffix — The suffix of the file is checked to determine the attachment type,<br />
such as .exe, or .jpg.<br />
• MIME Content Type — MIME (Multipurpose Internet Mail Extensions) can be used to<br />
identify the content type of the message.<br />
• Content Analysis — The file is analyzed from the beginning to look for characteristics that<br />
can identify the file type. This analysis ensures that the attachment controls are not<br />
circumvented by simply renaming a file.<br />
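The three checks above are easiest to compare side by side in code. The following is an added example written for this guide, not ePrism's own implementation; the magic-number table, the extension and MIME type maps, and the sample message with a renamed executable are all constructed for it. Each attachment is classified three ways, and it is blocked if any one of the three lands on a blocked type.<br />

```python
"""Attachment type detection by extension, MIME type and content (added example, not ePrism code)."""
import email
from email import policy
from email.message import EmailMessage

# Constructed magic-number table: leading bytes -> detected type.
MAGIC = [
    (b"MZ", "exe"),            # DOS/PE executable header
    (b"\x7fELF", "exe"),       # ELF executable
    (b"PK\x03\x04", "zip"),    # ZIP container (also .docx, .jar, ...)
    (b"\xff\xd8\xff", "jpg"),  # JPEG
    (b"%PDF-", "pdf"),
]
EXT_TYPES = {"exe": "exe", "dll": "exe", "scr": "exe", "com": "exe",
             "jpg": "jpg", "jpeg": "jpg", "zip": "zip", "pdf": "pdf"}
MIME_TYPES = {"application/x-msdownload": "exe", "application/x-dosexec": "exe",
              "image/jpeg": "jpg", "application/zip": "zip", "application/pdf": "pdf"}


def type_by_extension(filename):
    """File Extension Suffix check: trusts whatever name the sender gave the file."""
    if not filename or "." not in filename:
        return None
    return EXT_TYPES.get(filename.rsplit(".", 1)[1].lower())


def type_by_mime(content_type):
    """MIME Content Type check: trusts the Content-Type header the sender wrote."""
    return MIME_TYPES.get(content_type.lower())


def type_by_content(data):
    """Content Analysis: inspects the leading bytes, which renaming does not change."""
    for magic, kind in MAGIC:
        if data[:len(magic)] == magic:
            return kind
    return None


def check_attachments(raw_message, blocked_types):
    """Classify each attachment three ways; flag it if ANY method hits a blocked type."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        by_ext = type_by_extension(part.get_filename())
        by_mime = type_by_mime(part.get_content_type())
        by_content = type_by_content(data)
        findings.append({
            "filename": part.get_filename(),
            "by_extension": by_ext,
            "by_mime": by_mime,
            "by_content": by_content,
            "blocked": bool({by_ext, by_mime, by_content} & set(blocked_types)),
        })
    return findings


def build_sample_message():
    """Constructed message: a PE header renamed to .jpg and labelled image/jpeg, plus a real JPEG."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "holiday photos"
    msg.set_content("see attached")
    msg.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00PE\x00\x00", maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    msg.add_attachment(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00", maintype="image",
                       subtype="jpeg", filename="real.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in check_attachments(build_sample_message(), {"exe"}):
        print(finding)
```

Running it shows `photo.jpg` classified as `jpg` by both extension and MIME type but as `exe` by content analysis, which is the only method that blocks it; the genuine JPEG passes all three. Real content analysis looks deeper than a fixed prefix (archives and OLE containers need their members inspected), but the prefix check alone already defeats the rename trick the text describes.<br />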
Virus Scanning<br />
The <strong>ePrism</strong> Email Security Appliance features optional virus scanning based on Kaspersky Anti-<br />
Virus. Messages in both inbound and outbound directions can be scanned for viruses and<br />
malicious programs. <strong>ePrism</strong>’s high performance virus scanning provides a vital layer of protection<br />
against viruses for your entire organization. Automatic pattern file updates ensure that the latest<br />
viruses are detected.<br />
Malformed Message Protection<br />
Similar to malformed data packets used to subvert networks, malformed messages allow viruses to<br />
avoid detection, crash systems, and lock up mail servers. <strong>ePrism</strong> ensures that only correctly<br />
formatted messages are allowed into your mail systems. Message integrity checking protects your<br />
mail servers and clients, and improves the effectiveness of existing virus scanning implementations.<br />
Anti-Spam Features<br />
The <strong>ePrism</strong> Email Security Appliance provides a complete and robust set of anti-spam features<br />
specifically designed to protect against the full spectrum of current and evolving spam threats.<br />
ePrism’s anti-spam processing is built on the following techniques:<br />
• Realtime Blackhole Lists (RBL) to reject known spam sources<br />
• Distributed Checksum Clearinghouse (DCC) to control bulk mail<br />
• Statistical Token Analysis (STA) for advanced statistical analysis<br />
Trusted Senders List<br />
This feature, accessed via WebMail/<strong>ePrism</strong> Mail Client, allows users to create their own personal<br />
Trusted Senders List based on a sender’s email address. These email addresses will be exempt from<br />
<strong>ePrism</strong>’s spam controls.<br />
Spam Quarantine<br />
The Spam Quarantine is used to redirect spam mail into a local storage area for each individual<br />
user. <strong>User</strong>s will be able to connect to <strong>ePrism</strong> to view and manage their own quarantined spam.<br />
Messages can be deleted, or moved to the user's local mail folders. Automatic notification emails<br />
can be sent to end users notifying them of the existence of messages in their personal quarantine<br />
area.<br />
Secure WebMail<br />
<strong>ePrism</strong>’s Secure WebMail provides remote access support for internal mail servers. With Secure<br />
WebMail, users can access their mailboxes using email web clients such as Outlook ® Web Access,<br />
Lotus iNotes, or <strong>ePrism</strong>’s own web mail client, <strong>ePrism</strong> Mail Client.<br />
<strong>ePrism</strong> addresses the security issues currently preventing deployment of web mail services by<br />
providing the following protection:<br />
• Strong authentication (including integration with Active Directory)<br />
• Encrypted sessions<br />
• Advanced session control to prevent information leaks on workstations<br />
Authentication<br />
<strong>ePrism</strong> supports the following authentication methods for administrators, WebMail users, Trusted<br />
Senders List, and Spam Quarantine purposes:<br />
• <strong>User</strong> ID and Password<br />
• RADIUS and LDAP<br />
• RSA SecurID ® tokens<br />
• SafeWord tokens<br />
• CRYPTOCard tokens<br />
Encryption<br />
All mail delivered to and from ePrism can be encrypted using TLS (Transport Layer Security). This<br />
includes connections to remote systems, local internal mail systems, and internal mail clients.<br />
Note that TLS protects a message only on the hops where it is negotiated: once ePrism hands a<br />
message to a server that does not offer TLS, that hop is sent in the clear.<br />
Encryption can be used for the following:<br />
• Secure mail delivery on the Internet to prevent anyone from viewing your email while in transit.<br />
• Secure mail delivery across your LAN to prevent malicious users from viewing email other than<br />
their own.<br />
• Policies for secure mail delivery to branch offices, remote users, and business partners.<br />
ePrism supports TLS/SSL encryption for all user and administrative sessions. TLS/SSL may also<br />
be used to encrypt SMTP sessions, preventing eavesdropping and interception on those sessions.<br />
HALO (High Availability and Load Optimization)<br />
Systems can be clustered together to add capacity and throughput, provide load balancing, and<br />
optionally provide high availability.<br />
ePrism is the first email firewall to provide enterprises with a carrier-grade failsafe clustering<br />
architecture for high availability. HALO protects email against loss from individual system failure<br />
through its security, cluster management, load balancing and optimization, and "stateful failover"<br />
queue replication capabilities.<br />
Cluster Management<br />
The cluster management feature allows administrators to manage <strong>ePrism</strong> clusters and to<br />
synchronize configuration settings across all systems in the cluster. Combined reports and email<br />
database searches may be derived from clustered systems. Specific features include:<br />
• Configuration Cloning — This function allows systems to be added to clusters and to assume<br />
the configuration of a defined "master" Cluster Console system.<br />
• Cluster Synchronization — Systems within a cluster can be synchronized to the defined<br />
"master" system. Any changes to the configuration of the Cluster Console master are reflected<br />
in the configuration of all systems in the cluster.<br />
• Cluster Reporting — <strong>ePrism</strong> reports can be generated for a single system or for all systems in<br />
a cluster. The email database can be searched by system or by cluster. The history and status of<br />
any message can be instantly retrieved regardless of which system processed the message.<br />
Load Balancing and Optimization<br />
A basic requirement of high availability is to have an automated or semi-automated mechanism for<br />
switching the mail stream between available systems in the cluster, depending on their individual<br />
availability or health.<br />
Utilizing DNS round-robin techniques, or dedicated load balancing hardware, email can be directed<br />
to <strong>ePrism</strong> systems in a cluster depending on their availability and current load.<br />
Queue Replication<br />
To prevent the loss of email messages during a system failure, ePrism uses "stateful failover"<br />
queue replication, which replicates queues and synchronizes messages to a defined mirror system<br />
within the cluster. If a system in the cluster fails while undelivered mail remains in its queue,<br />
the mirror system can take ownership of that queue's messages and process and deliver them.<br />
Policy Controls<br />
Policy-based controls allow settings for annotations, anti-spam, anti-virus, and attachment control<br />
to be customized and applied based on the group or domain membership of the recipient.<br />
<strong>User</strong> groups can be imported from an LDAP-based directory, and then policies can be created to<br />
apply customized settings to these groups.<br />
For example, you can set up an Attachment Control Policy to allow your Development group to<br />
accept and send executable files (.exe), while configuring your attachment control settings for all<br />
your other departments to block this file type to prevent the spread of viruses among the general<br />
users.<br />
LDAP Directory Service Support<br />
<strong>ePrism</strong> integrates with LDAP (Lightweight Directory Access Protocol) directory services such as<br />
Active Directory, OpenLDAP, and iPlanet, allowing you to perform the following:<br />
• LDAP lookup prior to internal delivery — You can configure <strong>ePrism</strong> to check for the<br />
existence of an internal user via LDAP before delivering a message. This feature allows you to<br />
reject mail to unknown addresses in relay domains, reducing the number of attempted deliveries<br />
of spam messages for unknown local addresses.<br />
• Group/<strong>User</strong> Imports — An LDAP lookup will determine the group membership of a user<br />
when applying policy-based controls. LDAP users can also be imported and mirrored on<br />
<strong>ePrism</strong> to be used for services such as the Spam Quarantine.<br />
• Authentication — LDAP can be used for authenticating IMAP access, user mailbox, and<br />
WebMail logins.<br />
• SMTP Relay Authentication — LDAP can be used for authenticating clients for SMTP Relay.<br />
• Mail Routing — LDAP can be used to lookup Mail Routes for a domain to deliver mail to its<br />
destination server.<br />
Local <strong>User</strong> Mailboxes<br />
<strong>ePrism</strong> can host user mailboxes and act as a fully functioning mail server for small offices. <strong>ePrism</strong><br />
fully supports POP3 and IMAP (including their secure versions) and SMTP protocols for<br />
retrieving and sending mail.<br />
Manageability<br />
<strong>ePrism</strong> provides a complete range of monitoring and diagnostics tools to monitor the system and<br />
troubleshoot mail delivery issues. Admin sessions can also be encrypted for additional security, and<br />
comprehensive logs record all mail activity.<br />
• Web Browser-based Management — The web browser management interface displays a live<br />
view of system activity and traffic flows. The management interface can be configured to<br />
display this information for one or many systems, either systems in a local cluster or systems<br />
that are being centrally managed.<br />
• Reporting and Auditing — The reporting and audit features deliver a comprehensive set of<br />
statistics that may be generated at any time or scheduled for automatic delivery. <strong>ePrism</strong> includes<br />
a wide range of predefined reports, including information on system health, mail processing,<br />
spam, virus filtering statistics, and user mail volumes. Administrators can easily create<br />
customized reports.<br />
• Enterprise integration with SNMP — Using SNMP (Simple Network Management<br />
Protocol), <strong>ePrism</strong> can generate both information and traps to be used by tools like HP<br />
OpenView, Tivoli, BMC Patrol and CA Unicenter. This extends the administrator’s view of<br />
<strong>ePrism</strong> and allows an instant view of significant system events, including traffic flows and<br />
system failures.<br />
• Alarms — <strong>ePrism</strong> can generate system alarms that can automatically notify the administrator<br />
via email and console alerts of a system condition that requires attention.<br />
Security Connection<br />
Unique to St. Bernard, the Security Connection provides an automated software update service. By<br />
enabling the Security Connection, you are automatically notified of any new patches and updates.<br />
St. Bernard continuously monitors for new vulnerabilities and issues new updates to defend against<br />
them, ensuring that you have them as soon as they are available.<br />
Internationalization<br />
<strong>ePrism</strong> supports internationalization for annotations, notification messages, and mail database<br />
views.<br />
<strong>ePrism</strong> Deployment<br />
ePrism is designed to be situated between your mail servers and the Internet so that there are no<br />
direct SMTP (Simple Mail Transfer Protocol) connections between external and internal servers.<br />
<strong>ePrism</strong> is typically installed in one of three locations:<br />
• In parallel with the firewall<br />
• On your DMZ (Demilitarized Zone)<br />
• Behind the existing firewall on the Internal network<br />
SMTP port 25 traffic is redirected from either the external interface of the firewall, or from the<br />
external router to <strong>ePrism</strong>. When the mail is accepted and processed, <strong>ePrism</strong> initiates an SMTP<br />
connection to the internal mail server to deliver the mail.<br />
<strong>ePrism</strong> in Parallel with the Firewall<br />
The preferred deployment strategy for ePrism is to situate it in parallel with an existing network<br />
firewall. In this position ePrism is itself exposed to the Internet and relies on its own<br />
firewall-grade hardening, rather than on the network firewall, for protection. Parallel deployment<br />
removes all mail traffic from the firewall and decreases its overall load.<br />
<strong>ePrism</strong> on the DMZ<br />
Deploying <strong>ePrism</strong> on the DMZ is an equally secure method of deployment configuration. This<br />
type of deployment prevents any direct connection from the Internet to the internal servers, but<br />
does not ease the existing load on the firewall.<br />
<strong>ePrism</strong> on the Internal Network<br />
You can also deploy <strong>ePrism</strong> on the Internal Network. Although this configuration allows a direct<br />
connection from the Internet into the internal network, it is a perfectly legitimate configuration<br />
when dictated by existing network resources.<br />
How Messages are Processed by <strong>ePrism</strong><br />
The following sections describe the sequence in which the various <strong>ePrism</strong> security features are<br />
applied to any inbound mail messages and how these settings affect their delivery.<br />
SMTP Connection<br />
An SMTP connection request is made from another system. ePrism accepts the connection<br />
request unless one of the following checks (if enabled) is triggered:<br />
• Reject on unauthorized SMTP pipelining — Rejects mail when the client sends SMTP<br />
commands ahead of time without first learning that the mail server supports SMTP<br />
command pipelining. This stops messages from bulk mail software that uses SMTP command<br />
pipelining improperly to speed up deliveries.<br />
• Reject on unknown sender domain — Rejects mail when the domain of the sender address<br />
has no DNS A or MX record.<br />
• Reject on missing reverse DNS — Rejects mail from hosts whose IP address has no<br />
PTR (address to name) record in the DNS, or whose PTR record does not have a matching<br />
A (name to address) record. This setting is rarely used because many servers on the Internet do<br />
not have valid reverse DNS records, and enabling it may result in rejecting mail from legitimate<br />
sources.<br />
• Reject on non-FQDN sender — Rejects mail when the address in the client MAIL FROM<br />
command is not in fully-qualified domain name (FQDN) form.<br />
• Reject on Unknown Recipient — Rejects mail if the specified recipient does not exist. ePrism<br />
performs an LDAP lookup on the recipient's address to confirm that it exists before accepting<br />
the message.<br />
• Specific Access Pattern (Reject) — The server address or another envelope field matches a<br />
Specific Access Pattern that is set to reject the message.<br />
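The DNS-based checks above (unknown sender domain, missing reverse DNS, non-FQDN sender) are shown below as code. This is an added example written for this guide, not ePrism's implementation; the DNS table is constructed so it runs offline, and the SMTP reply codes are assumptions chosen to match common MTA practice (a temporary 450 for DNS-based rejections, since a lookup may fail transiently, and a permanent 504 for a malformed sender). Two details a practitioner needs are included: the reverse DNS check is forward-confirmed (the PTR target must resolve back to the client IP), and the null sender used by bounces is exempt from the sender-domain checks.<br />

```python
"""Connection-time SMTP sender and client checks (added example, not ePrism code)."""
import re

# Constructed DNS table: (owner name, record type) -> answers.
DNS = {
    ("example.net", "MX"): ["mail.example.net"],
    ("mail.example.net", "A"): ["192.0.2.10"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mail.example.net"],
    # A domain with only an A record still counts as a known sender domain.
    ("example.org", "A"): ["198.51.100.1"],
    # PTR exists, but the name it points at resolves elsewhere: not forward-confirmed.
    ("5.100.51.198.in-addr.arpa", "PTR"): ["mta.example.org"],
    ("mta.example.org", "A"): ["198.51.100.99"],
}

LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def lookup(name, rrtype):
    """Stub resolver: returns the answer list, or [] for NXDOMAIN/NODATA."""
    return DNS.get((name.lower().rstrip("."), rrtype), [])


def reverse_name(ipv4):
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


def reverse_dns_confirmed(ipv4):
    """A PTR must exist and at least one PTR target must have an A record back to the IP."""
    return any(ipv4 in lookup(ptr, "A") for ptr in lookup(reverse_name(ipv4), "PTR"))


def is_fqdn(domain):
    """At least two labels, each a valid hostname label."""
    labels = domain.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def sender_domain(mail_from):
    """Domain part of the MAIL FROM address; '' for the null sender <> used by bounces."""
    addr = mail_from.strip().strip("<>")
    return addr.rpartition("@")[2] if "@" in addr else ""


def connection_checks(client_ip, mail_from, opts):
    """Return [(reply code, reason), ...]; an empty list means the mail is accepted."""
    rejects = []
    if opts.get("reject_missing_reverse_dns") and not reverse_dns_confirmed(client_ip):
        rejects.append(("450", f"client {client_ip} has no forward-confirmed PTR record"))
    domain = sender_domain(mail_from)
    if domain:  # the null sender is exempt so that bounces still get through
        if opts.get("reject_non_fqdn_sender") and not is_fqdn(domain):
            rejects.append(("504", f"sender domain {domain} is not fully qualified"))
        elif opts.get("reject_unknown_sender_domain") and not (
                lookup(domain, "MX") or lookup(domain, "A")):
            rejects.append(("450", f"sender domain {domain} has no MX or A record"))
    return rejects


if __name__ == "__main__":
    opts = {"reject_missing_reverse_dns": True, "reject_non_fqdn_sender": True,
            "reject_unknown_sender_domain": True}
    for ip, sender in [("192.0.2.10", "<alice@example.net>"),
                       ("198.51.100.5", "<bob@nosuch.invalid>"),
                       ("192.0.2.10", "<bob@localhost>"),
                       ("192.0.2.10", "<>")]:
        print(ip, sender, connection_checks(ip, sender, opts) or "accept")
```

A live implementation must separate a DNS timeout from a definitive NXDOMAIN and defer (4xx) on the former, which is the reason the DNS-based rejections here use a temporary code; the stub resolver cannot show that distinction.<br />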
Mail Header and Message Properties<br />
The connection is now accepted. The message will be accepted for processing unless one of the<br />
following occurs:<br />
• Reject on missing addresses — Rejects mail when the message headers specify no recipient<br />
in the To: field or no sender in the From: field.<br />
• Maximum number of recipients — Rejects mail if the number of recipients exceeds the<br />
specified maximum (default = 1000).<br />
• Maximum message size — Rejects mail if the message size exceeds the maximum.<br />
Malformed Content, Virus Checking, and Attachment Control<br />
Messages are scanned for malformed messages, viruses, and specific attachments. If there is a<br />
problem, <strong>ePrism</strong> can be configured with a variety of actions, such as sending the message to a<br />
Quarantine folder.<br />
OCF (Objectionable Content Filter)<br />
Messages are scanned for objectionable content and a configurable action is taken.<br />
Pattern Based Message Filters and Specific Access Patterns<br />
The messages are scanned to see if they match any existing Pattern Based Message Filters (PBMF),<br />
or Specific Access Patterns (SAP) set to Trust or Allow Relaying. Senders in the Trusted Sender list<br />
are excluded from processing (for low-priority PBMFs only).<br />
SPF (Sender Policy Framework)<br />
If enabled, the message is checked to see if it passes an SPF DNS lookup.<br />
Anti-Spam Processing<br />
If the message arrives from an "untrusted" source, it will be processed for spam as follows:<br />
• If RBL is enabled, rejects mail if the server address is in an RBL. This can be overridden with a<br />
Pattern Based Message Filter.<br />
• If DCC is enabled, the message will be examined for identification as "bulk" mail.<br />
• If STA is enabled, the message will be examined for identification as "spam" mail.<br />
Mail Mappings<br />
The message is now accepted for processing, and the following occurs:<br />
• If the recipient address is not for a domain or sub-domain for which <strong>ePrism</strong> is configured to<br />
accept mail (either as an inbound mail route or a virtual domain) then the message is rejected.<br />
• If the recipient address is mapped in the Mail Mappings table, then the "To" field in the message<br />
header will be modified as required.<br />
Virtual Mappings<br />
The message is now examined for a match in the Virtual Mapping table. If such a mapping is<br />
found, the envelope-header recipient field will be modified as required. LDAP virtual mappings<br />
will then be processed.<br />
Virtual mappings are useful for the following:<br />
How Messages are Processed by <strong>ePrism</strong><br />
• Acting as a wildcard mail mapping, such as everything for example.com goes to<br />
exchange.example.com. You can create exceptions to this rule in the mail mappings for<br />
particular users.<br />
• ISPs who need to accept mail for several domains and the envelope-header recipient field needs<br />
to be rewritten for further delivery.<br />
• To deliver to internal servers, use Mail Delivery -> Mail Routing.<br />
Note: In all cases, mappings rely on successful DNS lookups for an MX record.<br />
Relocated <strong>User</strong>s<br />
When mail is sent to an address that is listed in the relocated user table, the message is bounced<br />
back with a message informing the sender of the relocated user's new contact information.<br />
Mail Aliases<br />
When mail needs to be delivered locally, the local delivery agent runs each local recipient name<br />
through the aliases database. An alias causes a new mail message to be created for the named<br />
address or addresses. This mail message is then entered back into the system to be mapped,<br />
routed, and so on. This process also occurs for local user accounts for which a "forwarder<br />
address" has been configured; local user accounts are treated like aliases in this case.<br />
Local aliases are typically used to implement distribution lists or to direct mail for standard aliases<br />
such as mail to the "postmaster" account.<br />
LDAP aliases are then processed. LDAP functionality can be used to search for mail aliases on<br />
directory services such as Active Directory.<br />
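Alias and forwarder expansion as described above, as an added example that is not ePrism code: the alias database, the forwarder table and the local domain are constructed, and every target re-enters the loop so alias chains, distribution lists and forwarders resolve fully, while an address already processed is skipped so a self-referencing alias cannot expand forever.<br />

```python
# Constructed alias database and forwarder table (not ePrism's own data).
ALIASES = {
    "postmaster": ["admin"],                              # standard alias
    "admin": ["alice"],                                   # alias chain
    "staff": ["alice", "bob", "carol@partner.example"],   # distribution list
}
FORWARDERS = {"bob": ["bob@phone.example"]}  # local account with a forwarder address
LOCAL_DOMAIN = "example.com"


def expand_recipient(addr, aliases=ALIASES, forwarders=FORWARDERS,
                     local_domain=LOCAL_DOMAIN):
    """Return the final delivery addresses for one recipient, sorted.

    Each alias or forwarder target is queued and examined again, as the text
    describes, so chains and nested lists resolve completely. Addresses seen
    before are skipped, which stops alias loops instead of looping forever.
    """
    final, seen, pending = set(), set(), [addr.lower()]
    while pending:
        rcpt = pending.pop()
        if rcpt in seen:
            continue  # loop guard: this recipient was already expanded
        seen.add(rcpt)
        if "@" in rcpt:
            name, domain = rcpt.rsplit("@", 1)
        else:
            name, domain = rcpt, local_domain  # bare name means a local recipient
        if domain != local_domain:
            final.add(rcpt)  # remote address: handed on to mapping and routing as is
            continue
        targets = aliases.get(name) or forwarders.get(name)
        if targets:
            pending.extend(t.lower() for t in targets)  # re-enter the system
        else:
            final.add(f"{name}@{local_domain}")  # plain local mailbox
    return sorted(final)


if __name__ == "__main__":
    print(expand_recipient("postmaster@example.com"))  # ['alice@example.com']
    print(expand_recipient("staff"))
```

A looped alias (one whose chain leads back to itself with no real mailbox in it) yields an empty list here; a production delivery agent would additionally log that as a configuration error rather than silently drop the message.<br />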
Mail Routing<br />
During the mail routing process, there is no modification made to the mail header or the envelope.<br />
A mail route specifies two things:<br />
• Which domains <strong>ePrism</strong> will accept mail for (other than itself).<br />
• Which hosts the mail should be delivered to.<br />
The message is now delivered to its destination.<br />
See “Message Processing Order” on page 271 for a summary of the message processing order.<br />
CHAPTER 2<br />
Administering <strong>ePrism</strong><br />
This chapter describes how to administer and configure basic settings for the <strong>ePrism</strong> Email<br />
Security Appliance, and contains the following topics:<br />
• “Connecting to <strong>ePrism</strong>” on page 24<br />
• “Configuring the Admin <strong>User</strong>” on page 28<br />
• “Web Server Options” on page 31<br />
• “Customizing the <strong>ePrism</strong> Interface” on page 32<br />
Connecting to <strong>ePrism</strong><br />
Web Browser Administrative Interface<br />
To administer <strong>ePrism</strong> using the web browser administrative interface, launch a web browser on<br />
your computer and enter the IP address or hostname for <strong>ePrism</strong> as the URL in the location bar.<br />
Your system must be listed in your DNS server to be able to connect via the hostname.<br />
Supported web browsers:<br />
• Microsoft Internet Explorer 6 and greater<br />
• Firefox 1.0 and greater<br />
• Mozilla 1.0 and greater<br />
• Netscape 6.0 and greater<br />
• Safari 1.0 and greater<br />
The login screen will then appear. Enter your admin ID and password.<br />
When logged in, the main <strong>ePrism</strong> Email Security Appliance Activity screen and main menu will<br />
appear.<br />
Navigating the Main Menu<br />
The main menu consists of the following main categories:<br />
Activity — The Activity screen provides you with a variety of information on mail processing<br />
activity, such as the number of messages in the mail queue, the number of different types of<br />
messages received and sent, and current message activity. If you are running a HALO cluster, you<br />
will also have a Cluster Activity option that will show you the activity statistics for the entire<br />
cluster.<br />
Basic Config — The Basic Config menu allows you to configure some of the basic settings for<br />
<strong>ePrism</strong> including:<br />
• Admin Account<br />
• Alarms<br />
• Customization<br />
• Directory Services (LDAP)<br />
• Network settings<br />
• Performance settings<br />
• Static Routes<br />
• SNMP Configuration<br />
• Web Server Configuration<br />
Mail Delivery — The Mail Delivery menu allows you to configure the features that affect mail<br />
delivery, including all mail security and anti-spam settings. It includes the following features:<br />
• Anti-Spam<br />
• Anti-Virus<br />
• Attachment Control<br />
• Delivery Settings<br />
• Mail Access Filtering<br />
• Mail Aliases<br />
• Mail Mapping<br />
• Mail Routing<br />
• Malformed Mail<br />
• Policy Settings<br />
• Relocated <strong>User</strong>s<br />
• SMTP Security<br />
• SPF<br />
• Vacation Notifications<br />
• Virtual Mappings<br />
<strong>User</strong> Accounts — The <strong>User</strong> Account menu allows you to create local accounts on the <strong>ePrism</strong> and<br />
enable POP and IMAP access. Management of mirrored user accounts created by LDAP, Remote<br />
Authentication, and Secure WebMail/<strong>ePrism</strong> Mail Client are also configured here. It includes the<br />
following features:<br />
• Local Accounts<br />
• Mirrored Accounts (Only displayed if mirrored accounts exist)<br />
• Remote Authentication<br />
• POP3 and IMAP<br />
• Secure WebMail<br />
• SecureID Configuration<br />
HALO — The HALO (High Availability and Load Optimization) screen is used to configure and<br />
manage clustered <strong>ePrism</strong> systems, and includes the following features:<br />
• Cluster Administration<br />
• Queue Replication<br />
• F5 Integration<br />
Status/Reporting — The Status/Reporting menu allows you to view the current status of system<br />
services, and manage your mail queue and the quarantine area. The Reporting and logging features<br />
of <strong>ePrism</strong> are also configured here. The menu includes the following features:<br />
• Status & Utility<br />
• Mail Queue<br />
• Quarantine<br />
• Reporting<br />
• System Logs<br />
Management — The Management menu contains options for various <strong>ePrism</strong> system<br />
administration tasks such as backup and restore, license management, and software updates. The<br />
menu includes the following features:<br />
• Backup & Restore<br />
• Centralized Management<br />
• Daily Backup<br />
• License Management<br />
• Problem Reporting<br />
• Reboot & Shutdown<br />
• Software Updates<br />
• Security Connection<br />
• SSL Certificates<br />
<strong>ePrism</strong> System Console<br />
You can access the <strong>ePrism</strong> system console by connecting a monitor and keyboard to <strong>ePrism</strong>. The<br />
system console provides a limited subset of administrative tasks, and is only recommended for use<br />
during initial installation and network troubleshooting. Routine administration should be<br />
performed via the web browser administration interface. When accessing the system console, you<br />
will be prompted for the <strong>User</strong>ID and Password for the administrative user.<br />
See “Using the <strong>ePrism</strong> System Console” on page 265 for more detailed information on using the<br />
system console.<br />
Configuring the Admin <strong>User</strong><br />
The primary admin account is created during the <strong>ePrism</strong> installation. Select Basic Config -><br />
Admin Account from the menu to modify the password or strong authentication methods for the<br />
admin user.<br />
Note: It is recommended that you create additional admin users and use those accounts to<br />
manage <strong>ePrism</strong> instead of the primary admin account. The primary admin account<br />
password should then be written down and stored in a safe and secure place.<br />
Strong Authentication<br />
You can also configure strong authentication for the admin user. These methods of authentication<br />
require a hardware token that provides a response to the login challenge.<br />
You can choose between the following types of secure authentication tokens:<br />
• CRYPTOCard<br />
• SafeWord<br />
• SecurID<br />
Once selected, a configuration wizard will guide you through the steps to configure the token for<br />
the specified authentication method.<br />
See “Strong Authentication” on page 148 for more information on strong authentication methods.<br />
Adding Additional Administrative <strong>User</strong>s<br />
There is only one primary admin user account, but you can add additional administrative users via<br />
Tiered Administration. This allows you to configure another user with Full Admin rights, or with<br />
granular permissions that only give admin rights to certain <strong>ePrism</strong> options. For example, you may<br />
want to add a user who can administer reports or vacation notifications, but not have any other<br />
admin access.<br />
Granting full or partial admin access to one or more user accounts allows actions taken by<br />
administrators to be logged because they have an identifiable <strong>User</strong>ID that can be tracked by the<br />
system.<br />
Note: A user with Full Admin privileges cannot modify the profile of the Admin user. They<br />
can, however, edit other users with Full Admin privileges.<br />
Add an administrative user as follows:<br />
1. From the Basic Config -> Admin Account screen, click the Add Admin <strong>User</strong> button.<br />
2. Enter a <strong>User</strong>ID, an optional email address to forward mail to, and a password. You can also set<br />
strong authentication methods, if required.<br />
3. At the bottom of the Add a New <strong>User</strong> screen is a section for Administrator Privileges.<br />
4. Select the required administrative access for the user:<br />
• Full Admin — The user has administrative privileges equivalent to the admin user.<br />
• Administer Aliases — The user can add, edit, remove, upload and download aliases (not<br />
including LDAP aliases.)<br />
• Administer Filter Patterns — The user can add, edit, remove, upload and download<br />
Pattern Based Message Filters and Specific Access Patterns.<br />
• Administer Mail Queue — The user can administer mail queues.<br />
• Administer Quarantine — The user can view, delete, and send quarantined files.<br />
• Administer Reports — The user can view, configure and generate reports, and view system<br />
activity.<br />
• Administer <strong>User</strong>s — The user can add, edit, and relocate user mailboxes (except the Full<br />
Admin users), including uploading and downloading user lists. <strong>User</strong> vacation notifications<br />
can also be configured.<br />
• Administer Vacations — The user can edit local user’s vacation notification settings and<br />
other global vacation parameters.<br />
• View Activity — The user can view the Activity page and start and stop mail services.<br />
Individual emails can only be viewed if View Email Database is also enabled.<br />
• View Email Database — The user can view the email database history.<br />
• View System Logs — The user can view all system logs files.<br />
See “Tiered Administration” on page 157 for more information on configuring admin access.<br />
Note: WebMail access must be enabled on the network interface that will be used by tiered<br />
administration users. This is set in the Basic Config -> Network screen.<br />
Web Server Options<br />
The <strong>ePrism</strong> Web Server Options screen defines the settings used for connecting to <strong>ePrism</strong> via the<br />
web browser administrative interface. By default, <strong>ePrism</strong>’s web server uses port 80 for HTTP<br />
requests and port 443 for HTTPS requests. For secure WebMail and administration sessions, it is<br />
recommended that you leave the default SSL encryption enabled to force a connecting web<br />
browser to use HTTPS.<br />
Select Basic Config -> Web Server on the menu to configure your web server settings.<br />
• Admin HTTP Port — The default port for HTTP requests. The default port 80 can be<br />
changed via the system console.<br />
• Admin HTTPS Port — The default port for HTTPS requests. The default port 443 can be<br />
changed via the system console.<br />
• Require SSL encryption — Requires SSL encryption for all user and administrator web<br />
sessions.<br />
• Allow low-grade encryption — Allow the use of low-grade encryption, such as DES ciphers<br />
with a key length of 64 bits, for encrypted user and administrator web sessions.<br />
• Enable SSL version 2 — Enables SSL version 2 protocol. Note that SSL version 2 contains<br />
known security issues.<br />
• Enable SSL version 3 — Enable SSL version 3 protocol. This is the default setting.<br />
• Enable TLS version 1 — Enable TLS version 1 protocol. This is the default setting.<br />
• Character set encoding — Select the type of character encoding used for HTML data.<br />
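The secure combination of the options above (SSL encryption required, low-grade encryption off, SSL version 2 and 3 off), expressed with Python's standard ssl module as an added example that is not ePrism code or configuration. It goes beyond the page in one respect, stated here as an assumption: the protocol floor is set to TLS 1.2 rather than the TLS version 1 default the page describes. The cipher check lists any negotiable suite from the low-grade families so the result can be verified rather than assumed.<br />

```python
import ssl

# Substrings that identify the low-grade suite families the
# "Allow low-grade encryption" option would permit (constructed list:
# DES and 3DES, RC4, NULL and MD5-based suites).
WEAK_MARKERS = ("DES", "RC4", "NULL", "MD5")


def hardened_server_context():
    """Server-side TLS context matching: Require SSL encryption on,
    Allow low-grade encryption off, SSL version 2 and 3 off.

    Assumption: TLS 1.2 is used as the floor, which is stricter than the
    page's TLS version 1 default."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rules out SSL 2.0/3.0 and TLS 1.0/1.1
    # Strong suites only; each '!' entry forbids one low-grade family.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!DES:!3DES:!RC4:!MD5")
    return ctx


def weak_cipher_names(ctx):
    """Names of negotiable suites that match a low-grade marker (expect [])."""
    return sorted(
        c["name"] for c in ctx.get_ciphers()
        if any(marker in c["name"].upper() for marker in WEAK_MARKERS)
    )


def minimum_version_name(ctx):
    """Protocol floor as a string, for example 'TLSv1_2'."""
    return ctx.minimum_version.name


def accepts_legacy_ssl(ctx):
    """True if the context could still negotiate SSL 2.0 or 3.0."""
    return ctx.minimum_version <= ssl.TLSVersion.SSLv3


if __name__ == "__main__":
    ctx = hardened_server_context()
    print(minimum_version_name(ctx), accepts_legacy_ssl(ctx), weak_cipher_names(ctx))
```

The cipher string is OpenSSL syntax, which is what Python passes through; the same exclusions apply whatever front end the appliance's web server uses, and the listing check is the part worth keeping, because a floor set on protocol version alone says nothing about which suites remain enabled.<br />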
Customizing the <strong>ePrism</strong> Interface<br />
The <strong>ePrism</strong> interface logos can be easily customized by uploading your own company’s custom<br />
logos to replace the <strong>ePrism</strong> logo on the main login screen, the administration screen logo, and the<br />
<strong>ePrism</strong> Mail Client logo.<br />
Customize a logo as follows:<br />
1. Select Basic Config -> Customization on the menu to customize the <strong>ePrism</strong> logos.<br />
2. Click Browse to choose a file, and then click Next to upload the file.<br />
You can always revert to the <strong>ePrism</strong> graphic by selecting the Default Logo button.<br />
Most graphic formats are supported, but it is recommended that you use graphics suitable for web<br />
page viewing, such as GIF and JPEG. The maximum file size is 32k.<br />
TABLE 1. Recommended Image Sizes<br />
Logo Type: Size in Pixels<br />
Main Screen Logo: 285 x 85 pixels<br />
Admin Screen Small Logo: 191 x 57 pixels<br />
<strong>ePrism</strong> Mail Client Logo: 94 x 28 pixels<br />
CHAPTER 3<br />
Configuring Mail Delivery<br />
Settings<br />
This chapter describes how to configure network and mail delivery settings for the <strong>ePrism</strong> Email<br />
Security Appliance, and contains the following topics:<br />
• “Network Settings” on page 34<br />
• “Static Routes” on page 38<br />
• “Mail Routing” on page 39<br />
• “Mail Delivery Settings” on page 41<br />
• “Mail Aliases” on page 46<br />
• “Mail Mappings” on page 48<br />
• “Virtual Mappings” on page 50<br />
Network Settings<br />
The basic networking information to get <strong>ePrism</strong> up and running on the network is configured<br />
during installation time. To perform more advanced network configuration and to configure other<br />
network interfaces, you must use the Basic Config -> Network settings screen.<br />
From the network settings screen you can modify the following items:<br />
• Hostname and Domain information<br />
• Default Gateway<br />
• Syslog Host<br />
• DNS and NTP servers<br />
• Network Interface IP Address and feature access settings<br />
• Clustering and Queue Replication interface configuration<br />
• Support Access settings<br />
Note: If you make any modifications to your network settings, you must reboot <strong>ePrism</strong>.<br />
The system will prompt you to restart after clicking the Apply button.<br />
Configuring Network Settings<br />
Select Basic Config -> Network on the menu to configure <strong>ePrism</strong>'s network settings.<br />
• Hostname — Enter the hostname (not the full domain name) of the <strong>ePrism</strong> Email Security<br />
Appliance, such as mail in the domain name mail.example.com.<br />
• Domain — Enter the domain name, such as example.com.<br />
• Gateway — Enter the IP address of the default route for <strong>ePrism</strong>. This is typically the external<br />
router connected to the Internet.<br />
• Syslog Host — <strong>ePrism</strong> can log to a specific syslog host. A syslog host collects and stores log<br />
files from many sources. Enter the IP address of the syslog server that will receive all logs from<br />
<strong>ePrism</strong>.<br />
• Name Server — At least one DNS name server must be configured for hostname resolution,<br />
and it is recommended that secondary name servers be specified in the event the primary DNS<br />
server is unavailable.<br />
• NTP Server — NTP is critical for accurate timekeeping for the <strong>ePrism</strong> Email Security<br />
Appliance. Entering a valid NTP server will ensure that the server time is synchronized. It is<br />
recommended that secondary NTP servers be specified in the event the primary NTP server is<br />
unavailable.<br />
Network Interfaces<br />
Enter the required settings for each network interface. You can enter information for up to four<br />
interfaces.<br />
• IP Address — Enter an IP address for this interface, such as 192.168.1.104.<br />
• Netmask — Enter the netmask for this interface, such as 255.255.255.0.<br />
• Media — Select the type of network card. Use Auto select for automatic configuration.<br />
• Large MTU — Sets the MTU (Maximum Transfer Unit) to 1500 bytes. This may improve<br />
performance connecting to servers on the local network. The default is 576 bytes.<br />
• Respond to Ping — Allows ICMP ping requests to this interface. This will allow you to<br />
perform network connectivity tests to this interface, but will cause this interface to be more<br />
susceptible to denial of service ping attacks.<br />
• Trusted Subnet — If selected, all hosts on this subnet are considered trusted for relaying and<br />
anti-spam processing.<br />
• Admin Login — Allows access to this interface for administrative purposes.<br />
• WebMail — Allows access to WebMail via this interface.<br />
• IMAPS Server — Allows secure access to <strong>ePrism</strong>’s internal IMAP server via this interface.<br />
• IMAP Server — Allows access to <strong>ePrism</strong>’s internal IMAP server via this interface.<br />
• POP3S Server — Allows secure access to <strong>ePrism</strong>’s internal POP3 server via this interface.<br />
• POP3 Server — Allows access to <strong>ePrism</strong>’s internal POP3 server via this interface.<br />
Note: POP and IMAP settings are only displayed if enabled in <strong>User</strong> Accounts -> POP3<br />
and IMAP.<br />
• SNMP Agent — Allows access to the SNMP agent via this interface.<br />
Advanced Parameters<br />
The following advanced networking parameters are TCP extensions that improve the performance<br />
and reliability of communications.<br />
• Enable RFC 1323 — Enable TCP extensions to improve performance and to provide reliable<br />
operations of high-speed paths. This is enabled by default, and should only be disabled if you are<br />
experiencing networking problems with certain hosts.<br />
• Enable RFC 1644 — Enable an experimental TCP extension for efficient transaction oriented<br />
(request/response) service.<br />
Clustering<br />
The Clustering section is used to enable clustering on a specific network interface. See “HALO<br />
(High Availability and Load Optimization)” on page 203 for more information on configuring<br />
clustering.<br />
• Enable Clustering — Select the check box to enable clustering on this <strong>ePrism</strong> system.<br />
• Cluster Interface — Select the interface to enable clustering on.<br />
Support Access<br />
Enable Support Access, if required, which allows St. Bernard Technical Support to connect to this<br />
system from the specified IP address. This setting does not need to be enabled during normal<br />
usage, and should only be enabled if requested by St. Bernard Technical Support.<br />
Note: This option only appears if you have installed the Support Access patch in<br />
Management -> Software Updates.<br />
For security reasons, Support Access communications use SSH (Secure Shell) to establish a secure<br />
connection via PKI (Public Key Infrastructure) encryption on a non-standard network port.<br />
Support Access will only allow a connection to be made from the St. Bernard network.<br />
Static Routes<br />
Static routes are required if the mail servers to which mail must be relayed are located on another<br />
network, such as behind an internal firewall or accessed via a VPN.<br />
Select Basic Config -> Static Routes to configure your static routes.<br />
To add a new static route, enter the network address, netmask and gateway for the route, and then<br />
click New Route.<br />
Mail Routing<br />
<strong>ePrism</strong>, by default, accepts mail addressed directly to it and delivers it to local <strong>ePrism</strong> mailboxes.<br />
You can configure additional domains for <strong>ePrism</strong> to accept and route mail for using the Mail<br />
Routing menu.<br />
Select Mail Delivery -> Mail Routing from the menu to set up mail routes.<br />
• Sub — Select this check box to accept and relay mail for subdomains of the specified domain.<br />
• Domain — Enter the domain for which mail is to be accepted, such as example.com.<br />
• Route-to — Enter the address for the server to which mail will be delivered.<br />
• MX — (Optional) Select the MX check box if you need to look up the mail routes in DNS<br />
before delivery. If this is not enabled, MX records will be ignored. Generally, you do not need<br />
to select this item unless you are using multiple mail server DNS entries for load balancing/<br />
failover purposes. By checking the MX record, DNS will be able to send the request to the next<br />
mail server in the list.<br />
• KeepOpen — (Optional) Select the KeepOpen check box to ensure that each mail message to<br />
the domain will not be removed from the active queue until delivery is attempted, even if the<br />
preceding mail failed or was deferred. This setting ensures that local mail servers receive high<br />
priority. Note: The KeepOpen option should only be used for domains that are usually<br />
very reliable. If the domain is unavailable, it may cause system performance problems<br />
due to excessive error conditions and deferred mail.<br />
A list of domains can also be uploaded in one text file. The file must contain comma or tab<br />
separated entries in the form:<br />
[domain],[route],[port],[ignore_mx],[subdomains_too],[keep_open]<br />
For example:<br />
example.com,10.10.1.1,25,on,off,off<br />
The file (domains.csv) should be created in csv file format using Excel, Notepad or other<br />
Windows text editor. It is recommended that you download the domain file first by clicking<br />
Download File, editing it as required, and uploading it using the Upload File button.<br />
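A parser for the upload file layout shown above, as an added example that is not ePrism code: it accepts comma- or tab-separated lines in the [domain],[route],[port],[ignore_mx],[subdomains_too],[keep_open] form, validates each field, reports bad lines by number instead of silently dropping them, and then resolves a recipient domain to its route, honouring the Sub (subdomains_too) flag described above. The sample file content is constructed.<br />

```python
import re
from dataclasses import dataclass

# Constructed upload file: one comma-separated line, one tab-separated line,
# and one line with a bad port so the validation path is exercised.
SAMPLE_ROUTES = (
    "example.com,10.10.1.1,25,on,off,off\n"
    "partner.example\t192.0.2.5\t2525\toff\ton\ton\n"
    "bad.example,10.10.1.2,notaport,on,off,off\n"
)

# A fully-qualified domain: dot-separated labels, no leading/trailing hyphens.
DOMAIN_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


@dataclass(frozen=True)
class MailRoute:
    domain: str
    route: str            # host or IP address the mail is delivered to
    port: int
    ignore_mx: bool       # on = deliver to route directly, skipping MX lookup
    subdomains_too: bool  # the Sub check box
    keep_open: bool


def _flag(value, field):
    """Parse an on/off field into a bool, naming the field on error."""
    v = value.strip().lower()
    if v not in ("on", "off"):
        raise ValueError(f"{field}: expected on/off, got {value!r}")
    return v == "on"


def parse_route_line(line):
    """Parse one [domain],[route],[port],[ignore_mx],[subdomains_too],[keep_open] line."""
    sep = "\t" if "\t" in line else ","
    fields = [f.strip() for f in line.rstrip("\r\n").split(sep)]
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}")
    domain, route, port, ignore_mx, subs, keep = fields
    if not DOMAIN_RE.match(domain):
        raise ValueError(f"domain: invalid name {domain!r}")
    if not route:
        raise ValueError("route: empty")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"port: expected 1-65535, got {port!r}")
    return MailRoute(domain.lower(), route, int(port),
                     _flag(ignore_mx, "ignore_mx"),
                     _flag(subs, "subdomains_too"),
                     _flag(keep, "keep_open"))


def load_routes(text):
    """Parse a whole file; returns (routes, [(line_no, error), ...])."""
    routes, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            routes.append(parse_route_line(line))
        except ValueError as exc:
            errors.append((n, str(exc)))
    return routes, errors


def find_route(routes, recipient_domain):
    """Route for a recipient domain: an exact match wins; otherwise the
    longest parent domain whose Sub flag is on; None if no route accepts it."""
    d = recipient_domain.lower().rstrip(".")
    best = None
    for r in routes:
        if d == r.domain:
            return r
        if r.subdomains_too and d.endswith("." + r.domain):
            if best is None or len(r.domain) > len(best.domain):
                best = r
    return best


if __name__ == "__main__":
    routes, errors = load_routes(SAMPLE_ROUTES)
    print(errors)  # [(3, "port: expected 1-65535, got 'notaport'")]
    print(find_route(routes, "mail.partner.example"))
```

The suffix test uses "." plus the configured domain, so a route for partner.example does not accidentally capture notpartner.example; that kind of over-match is how mail for an unrelated domain ends up relayed to the wrong internal server.<br />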
LDAP Routing<br />
Click the LDAP Routing button to define mail routes using an LDAP directory server. This is the<br />
preferred method for mail routing for organizations with a large amount of domains.<br />
See “LDAP Routing” on page 74 for more detailed information on using LDAP for mail routing.<br />
Mail Delivery Settings<br />
The Mail Delivery settings screen allows you to configure parameters related to accepting, relaying<br />
and delivering mail messages.<br />
Select Mail Delivery -> Delivery Settings on the menu to configure the following parameters.<br />
Delivery Settings<br />
• Maximum time in mail queue — Enter the number of days for a message to stay in the<br />
queue before being returned to the sender as "undeliverable".<br />
• Time before delay warning — Number of hours before issuing the sender a notification that<br />
mail is delayed.<br />
• Time to retain undelivered MAILER-DAEMON mail — The number of hours to keep<br />
undelivered mail addressed to MAILER-DAEMON.<br />
Gateway Features<br />
• Masquerade Addresses — Masquerades internal hostnames by rewriting headers to only<br />
include the address of the <strong>ePrism</strong>.<br />
• Strip Received Headers — Strip all Received headers from outgoing messages.<br />
Default Mail Relay<br />
• Relay To — (Optional) Enter an optional hostname or IP address of a mail server (not this<br />
<strong>ePrism</strong> system) to relay mail to for all email with unspecified destinations. A recipient’s email<br />
domain will be checked against the Mail Routing table, and if the destination is not specified the<br />
email will be sent to the Default Mail Relay server for delivery. This option is usually used when<br />
the <strong>ePrism</strong> cannot deliver email directly to remote mail servers.<br />
If you are setting up this mail server as a dedicated <strong>ePrism</strong> Mail Client system, and all mail<br />
originating from this system should be forwarded to another mail server for delivery, then<br />
specify the destination mail server here. Do NOT enter the name of your <strong>ePrism</strong> system.<br />
• Ignore MX record — Enable this option to prevent an MX record lookup for this host to<br />
force relay settings.<br />
• Enable Client Authentication — Enable client SMTP authentication for relaying mail to<br />
another mail server. This option is only used in conjunction with the default mail relay feature.<br />
This allows <strong>ePrism</strong> to authenticate to a server that it is using to relay mail. With this<br />
configuration, connections to the default mail relay are authenticated, while connections to<br />
other mail routes are not.<br />
• <strong>User</strong> ID — Enter a <strong>User</strong> ID to login to the relay mail server.<br />
• Password — Enter and confirm a password for the specified <strong>User</strong> ID.<br />
BCC All Mail<br />
<strong>ePrism</strong> offers an archiving feature for organizations that require storage of all email that passes<br />
through their corporate mail servers. This option sends a blind carbon copy (BCC) of each<br />
message that passes through <strong>ePrism</strong> to the specified address. This address can be local or on any<br />
other system. Once copied, the mail can be effectively managed and archived from this account.<br />
You must also specify an address that will receive error messages if there are problems delivering<br />
the BCC mail.<br />
Annotations and Delivery Warnings<br />
In the Annotations section, you can enable Annotations that are appended to all emails, and<br />
customize Delivery Failure and Delivery Delay warning messages.<br />
Note: Separate annotations can be enabled for different groups and domains of users<br />
using LDAP and policies. See “Policy Management” on page 167 for information on<br />
creating policies and configuring separate group and domain annotations.<br />
The variables in the messages, such as %PROGRAM% and %HOSTNAME%, are local system settings that<br />
are automatically substituted at the time the message is sent. See “Customizing Notification and<br />
Annotation Messages” on page 273 for a full list of variables that can be included.<br />
Note: Some mail clients will display notifications and annotations as attachments to a<br />
message rather than in the message body.<br />
Advanced Delivery Options<br />
Click the Advanced button on the Mail Delivery -> Delivery Settings screen to reveal advanced<br />
options for Advanced SMTP Settings, SMTP notifications, and actions for Very Malformed Mail<br />
messages.<br />
Advanced SMTP Settings<br />
The following settings are used to disable advanced SMTP delivery functions.<br />
• SMTP Pipelining — Select the check box to disable SMTP Pipelining when delivering mail.<br />
Some mail servers may experience problems with SMTP command pipelining, and you may<br />
have to disable this feature if required.<br />
• ESMTP — Select the check box to disable ESMTP (Extended SMTP) when delivering mail.<br />
Some mail servers may not support ESMTP, and you may have to disable this option if<br />
experiencing problems. Disabling ESMTP will disable TLS encryption on outgoing<br />
connections.<br />
• HELO required — Enable this option to require clients to initiate their SMTP session with a<br />
standard HELO/EHLO sequence. It is recommended that you leave this feature enabled.<br />
It should only be disabled when experiencing problems with sending hosts that do not use a<br />
standard HELO message.<br />
• Content Reject Message — This is the text part of the SMTP 552 error message reported to<br />
clients when message content is rejected.<br />
SMTP Notification<br />
In this section, you can select the type of notifications that are sent to the postmaster account.<br />
Serious problems such as Resource or Software issues are selected by default for notification.<br />
• Resource — Mail not delivered due to resource problems, such as queue file write errors.<br />
• Software — Mail not delivered due to software problems.<br />
• Bounce — Send postmaster copies of undeliverable mail. If mail is undeliverable, a single<br />
bounce message is sent to the postmaster with a copy of the message that was not delivered.<br />
For privacy reasons, the postmaster copy is truncated after the original message headers. If a<br />
single bounce message is undeliverable, the postmaster receives a double bounce message with<br />
a copy of the entire single bounce message.<br />
• Delay — Inform the postmaster of delayed mail. In this case, the postmaster receives message<br />
headers only.<br />
• Policy — Inform the postmaster of client requests that were rejected because of (UCE) policy<br />
restrictions. The postmaster will receive a transcript of the entire SMTP session.<br />
• Protocol — Inform the postmaster of protocol errors (client or server), or attempts by a client<br />
to execute unimplemented commands. The postmaster will receive a transcript of the entire<br />
SMTP session.<br />
• Double Bounce — Send double bounces to the postmaster.<br />
Very Malformed Mail<br />
Specify the action to be performed when a very malformed message is detected by the system. A<br />
very malformed message may cause scanning engine latency.<br />
Possible actions:<br />
• Just log — Log the event and take no further action.<br />
• Quarantine mail — The message is placed into quarantine.<br />
• Temporarily Reject Mail — Returns an error to the sending server and doesn't accept the<br />
mail. The mail delivery can be attempted again after a period of time.<br />
• Reject mail — The message is rejected with notification to the sending system.<br />
• Discard mail — The message is discarded without notification to the sending system.<br />
Select the Notify check box to allow notifications using the malformed notification settings when<br />
the action specified above is triggered (except for Just log).<br />
Caution: Mail that is very malformed has not been virus scanned, or filtered for<br />
attachments and spam.<br />
45
Configuring Mail Delivery Settings<br />
Mail Aliases<br />
When mail is to be delivered locally, the local delivery agent runs each local recipient name through<br />
the aliases database. If an alias exists, a new mail message will be created for the named address or<br />
addresses. This mail message will be returned to the delivery process to be mapped, routed, and so<br />
on. This process also occurs for local user accounts with a specified "forwarder address". Local<br />
user accounts are treated as aliases in this case.<br />
Local aliases are typically used to implement distribution lists, or to direct mail for standard aliases<br />
such as postmaster to real user mailboxes.<br />
For example, the alias postmaster could resolve to the local mailboxes admin1@example.com, and<br />
admin2@example.com. For distribution lists, an alias called sales@example.com can be created<br />
that points to all members of the sales organization of a company.<br />
Configuring Mail Aliases<br />
Click Mail Delivery -> Mail Aliases on the menu to configure aliases. Click on an entry to edit a<br />
current alias.<br />
Adding a Mail Alias<br />
Click the Add Alias button to add a new alias.<br />
46
The specified alias name must be a valid local mailbox on this <strong>ePrism</strong> system. Enter the<br />
corresponding mail address for the alias. Click the Add More Addresses button to enter multiple<br />
addresses for this alias.<br />
Uploading Alias Lists<br />
A list of aliases can also be uploaded in one text file. The file must contain comma or tab separated<br />
entries in the form:<br />
[alias],[mail_address]<br />
For example:<br />
sales,fred@example.com<br />
info,mary@example.com<br />
The file (alias.csv) should be created in csv file format using Excel, Notepad or other Windows<br />
text editor. It is recommended that you download the mail alias file first by clicking Download<br />
File, editing it as required, and uploading it using the Upload File button.<br />
LDAP Aliases<br />
Click the LDAP Aliases button to configure and search for aliases using LDAP. This allows you<br />
to search LDAP-enabled directories such as Active Directory for mail aliases.<br />
See “LDAP Aliases” on page 65 for more information on LDAP Aliases.<br />
47
Mail Mappings<br />
Mail Mappings are used to map an external address to a different internal address and vice versa.<br />
This is useful for hiding internal mail server addresses from external users. For mail originating<br />
externally, the mail mapping translates the address in the To: and CC: mail header field into a<br />
corresponding internal address to be delivered to a specific internal mailbox.<br />
For example, mail addressed to joe@example.com can be redirected to the internal mail address<br />
joe@chicago.example.com. This enables the message to be delivered to the user’s preferred<br />
mailbox.<br />
Similarly, mail originating internally will have the address in the From:, Reply-To:, and Sender:<br />
header modified by a mail mapping so it appears to have come from the preferred external form of<br />
the mail address, joe@example.com.<br />
Configuring Mail Mappings<br />
Click Mail Delivery -> Mail Mapping on the menu to configure mail address mappings. Click on<br />
an entry to edit a current mapping.<br />
Adding a New Mapping<br />
Click the Add button from the Mail Mappings screen to add a new mapping.<br />
48
• External mail address — Enter the external mail address that you want to be converted to the<br />
specified internal email address for incoming mail. The specified internal address will be<br />
converted to this external address for outgoing mail.<br />
• Internal mail address — Enter the internal mail address that you want external addresses to<br />
be mapped to for incoming mail. The internal address will be converted to the specified<br />
external address for outgoing mail.<br />
• Extra internal addresses — Enter any additional internal mappings which will be included in<br />
the outgoing mail conversion. Click the Add button for each entry.<br />
When you have completed entering your addresses, click Apply to create the mail mapping.<br />
Uploading Mapping Lists<br />
A list of mappings can also be uploaded in one text file. The file must contain comma or tab<br />
separated entries in the form:<br />
[type ("sender" or "recipient")],[map_in],[map_out],[value ("on" or "off")]<br />
For example:<br />
sender,joe@chicago.example.com,joe@example.com,on<br />
The file (mailmapping.csv) should be created in csv file format using Excel, Notepad or other<br />
Windows text editor. It is recommended that you download the mail mapping file first by clicking<br />
Download File, editing it as required, and uploading it using the Upload File button.<br />
Access Control via Mail Mappings<br />
You can configure <strong>ePrism</strong> to block all incoming and outgoing mail messages that do not match a<br />
configured mail mapping. Mail Mappings are used to map an external address to an internal<br />
address and vice versa.<br />
Click the Preferences button to enable Mail Mapping Access Control.<br />
Note: If this feature is enabled, all incoming and outgoing mail will be blocked unless the<br />
user has a mapping listed in the mail mappings table.<br />
49
Virtual Mappings<br />
Virtual Mappings are used to redirect mail addressed for one domain to a different domain. This<br />
process is performed without modifying the To: and From: headers in the mail, as virtual mappings<br />
modify the envelope-recipient address.<br />
For example, <strong>ePrism</strong> can be configured to accept mail for the domain @example.com and deliver it<br />
to @sales.example.com. This allows <strong>ePrism</strong> to distribute mail to multiple internal servers based<br />
on the envelope recipient address of the incoming mail.<br />
Virtual Mappings are useful as a wildcard mail mapping, for example sending all mail for<br />
example.com to exchange.example.com. You can create exceptions to such a rule in the Mail<br />
Mappings for particular users. Virtual mappings are also useful for ISPs who need to accept mail<br />
for several domains, and for situations where the envelope recipient address needs to be rewritten<br />
for further delivery.<br />
Note: You should review the use of Mail Routes before setting anything in Virtual<br />
Mappings, as they may be more appropriate for delivering mail to internal mail servers.<br />
Configuring Virtual Mappings<br />
Click on Mail Delivery -> Virtual Mapping on the menu to configure mappings. Click on an<br />
entry to edit a current mapping.<br />
50
Adding a Virtual Mapping<br />
Click the Add Virtual Mapping button from the Virtual Mappings screen to add a new mapping.<br />
First, enter the domain or address to which incoming mail is directed in the Input box, such as<br />
@example.com. Then enter the domain or address to which mail should be redirected, such as<br />
@sales.example.com, in the Output box.<br />
Uploading Virtual Mapping Lists<br />
A list of virtual mappings can also be uploaded in one text file. The file must contain comma or<br />
tab separated entries in the form:<br />
[map_in],[map_out]<br />
For example:<br />
user@example.com,user<br />
user@example.com,user@sales.example.com<br />
@example.com,@sales.example.com<br />
The file (virtmap.csv) should be created in csv file format using Excel, Notepad or other<br />
Windows text editor. It is recommended that you download the virtual mapping file first by<br />
clicking Download File, editing it as required, and uploading it using the Upload File button.<br />
Note: The domain being virtually mapped or redirected must be defined via an "internal"<br />
DNS MX record to connect to this <strong>ePrism</strong> Email Security Appliance.<br />
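The following added example (illustrative code, not part of this guide or the <strong>ePrism</strong> product) parses constructed mailmapping.csv and virtmap.csv uploads in the formats documented above and applies them to a message, showing the difference between a mail mapping (rewrites To:/Cc: or From:/Reply-To:/Sender: headers) and a virtual mapping (rewrites only the envelope recipient, with an @domain wildcard), plus the Mail Mapping Access Control check. The meaning of the "sender" and "recipient" row types is an assumption of this example.<br />

```python
"""Added illustrative example, not ePrism code: parse the mailmapping.csv and
virtmap.csv upload formats from this chapter and apply them to a message."""
import csv
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Sequence

# Constructed sample uploads. Assumption (hypothetical, not stated by the guide):
# "recipient" rows translate external -> internal on incoming mail,
# "sender" rows translate internal -> external on outgoing mail.
MAILMAPPING_CSV = """\
recipient,joe@example.com,joe@chicago.example.com,on
sender,joe@chicago.example.com,joe@example.com,on
sender,joe@denver.example.com,joe@example.com,on
recipient,old@example.com,nobody@chicago.example.com,off
"""
# One comma-separated and one tab-separated row, both of which the upload accepts.
VIRTMAP_CSV = "ann@example.com,ann@sales.example.com\n@example.com\t@exchange.example.com\n"


def parse_rows(text: str, width: int) -> Iterator[List[str]]:
    """Yield rows with exactly `width` fields; a row may be comma or tab separated."""
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t") if "\t" in line else next(csv.reader([line]))
        cols = [c.strip() for c in cols]
        if len(cols) != width:
            raise ValueError(f"expected {width} fields, got {len(cols)}: {line!r}")
        yield cols


@dataclass
class MailMaps:
    inbound: Dict[str, str] = field(default_factory=dict)   # external -> internal
    outbound: Dict[str, str] = field(default_factory=dict)  # internal -> external


def load_mail_mappings(text: str) -> MailMaps:
    """Load mailmapping.csv rows; rows whose value is "off" are kept in the file but ignored."""
    maps = MailMaps()
    for kind, map_in, map_out, value in parse_rows(text, 4):
        if kind not in ("sender", "recipient") or value not in ("on", "off"):
            raise ValueError(f"bad mapping row: {kind},{map_in},{map_out},{value}")
        if value == "off":
            continue
        table = maps.inbound if kind == "recipient" else maps.outbound
        table[map_in.lower()] = map_out
    return maps


def load_virtual_mappings(text: str) -> Dict[str, str]:
    """Load virtmap.csv rows into an input -> output table (addresses or @domain forms)."""
    return {map_in.lower(): map_out for map_in, map_out in parse_rows(text, 2)}


def rewrite_headers(headers: Dict[str, List[str]], names: Sequence[str],
                    table: Dict[str, str]) -> Dict[str, List[str]]:
    """Return a copy of `headers` with the addresses in `names` translated via `table`."""
    out = dict(headers)
    for name in names:
        if name in out:
            out[name] = [table.get(addr.lower(), addr) for addr in out[name]]
    return out


def map_incoming(headers: Dict[str, List[str]], maps: MailMaps) -> Dict[str, List[str]]:
    """External mail: rewrite To:/Cc: to the internal mailbox addresses."""
    return rewrite_headers(headers, ("To", "Cc"), maps.inbound)


def map_outgoing(headers: Dict[str, List[str]], maps: MailMaps) -> Dict[str, List[str]]:
    """Internal mail: present the preferred external form in From:/Reply-To:/Sender:."""
    return rewrite_headers(headers, ("From", "Reply-To", "Sender"), maps.outbound)


def virtual_map(envelope_rcpt: str, vmaps: Dict[str, str]) -> str:
    """Rewrite only the envelope recipient: exact address first, then the @domain wildcard.
    Message headers are left untouched, which is what distinguishes this from a mail mapping."""
    addr = envelope_rcpt.lower()
    if addr in vmaps:
        return vmaps[addr]
    local, _, domain = addr.partition("@")
    target = vmaps.get("@" + domain)
    if target is None or not target.startswith("@"):
        return envelope_rcpt  # no wildcard for this domain (assumed: wildcard targets are @domain)
    return local + target


def mapping_access_allowed(address: str, maps: MailMaps, direction: str) -> bool:
    """Mail Mapping Access Control: the address must have an enabled mapping for its direction."""
    table = maps.inbound if direction == "incoming" else maps.outbound
    return address.lower() in table
```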
LDAP Virtual Mappings<br />
Click the LDAP Virtual Mappings button to configure and search for virtual mappings using<br />
LDAP. This allows you to search LDAP-enabled directories such as Active Directory for virtual<br />
mappings. See “LDAP Mappings” on page 67 for more information on configuring LDAP virtual<br />
mappings.<br />
51
52
CHAPTER 4<br />
Directory Services<br />
This chapter describes how to integrate your existing directory services such as LDAP with<br />
<strong>ePrism</strong>, and contains the following topics:<br />
• “Directory Service Overview” on page 54<br />
• “Directory Servers” on page 56<br />
• “Directory Groups” on page 58<br />
• “Directory <strong>User</strong>s” on page 61<br />
• “LDAP Aliases” on page 65<br />
• “LDAP Mappings” on page 67<br />
• “LDAP Recipients” on page 69<br />
• “LDAP Relay” on page 71<br />
• “LDAP Routing” on page 74<br />
53
Directory Services<br />
Directory Service Overview<br />
<strong>ePrism</strong> can utilize LDAP (Lightweight Directory Access Protocol) services for accessing directories<br />
(such as Active Directory, OpenLDAP, and iPlanet) for user and group information. LDAP can be<br />
used with <strong>ePrism</strong> for mail routing, group lookups for policies, user lookups for mail delivery, alias<br />
and virtual mappings, and the Spam Quarantine.<br />
LDAP was designed to provide a standard for efficient access to directory services using simple<br />
data queries. Most major directory services such as Active Directory support LDAP, but each<br />
differs in their interpretation and naming convention syntax. Other types of supported LDAP<br />
services include OpenLDAP and iPlanet.<br />
Naming Conventions<br />
Data in the directory service hierarchy is arranged by a unique Distinguished Name. The<br />
following is an example of a Distinguished Name in Active Directory:<br />
cn=jsmith,cn=users,dc=example,dc=com<br />
In this example, "cn" represents the Common Name, and "dc" is the Domain Component. The<br />
user, jsmith, is in the users container. The domain component is analogous to the FQDN domain<br />
name, in this case, example.com.<br />
Note: For all LDAP Directory features, you must ensure you enter values specific to your<br />
LDAP environment and schema.<br />
54
Active Directory LDAP Results Limit<br />
Active Directory has a default limit of 1000 entries that can be returned from an LDAP query.<br />
With large queries, the results may be truncated. It is recommended that you modify the default<br />
maximum page size to ensure that LDAP Group and <strong>User</strong> imports will work successfully.<br />
Use the following procedure to modify the default maximum page size limit in Active Directory:<br />
1. Login to the Active Directory system as an administrator.<br />
2. Open a command prompt, and enter the commands shown at each prompt below:<br />
c:\>ntdsutil.exe<br />
ntdsutil: ldap policies<br />
ldap policy: connections<br />
server connections: Connect to server [Servername]<br />
Binding to [Servername] ...<br />
Connected to [Servername] using credentials of locally logged on user<br />
server connections: q<br />
ldap policy: Show Values<br />
Policy<br />
Current(New)<br />
MaxPoolThreads 8 MaxDatagramRecv 1024<br />
MaxReceiveBuffer 10485760 InitRecvTimeout 120<br />
MaxConnections 5000 MaxConnIdleTime 900<br />
MaxActiveQueries 20 MaxPageSize 1000<br />
MaxQueryDuration 120 MaxTempTableSize 10000<br />
MaxResultSetSize 262144 MaxNotificationPerConn 5<br />
ldap policy: set Maxpagesize to 50000<br />
ldap policy: commit Changes<br />
ldap policy: q<br />
ntdsutil: q<br />
Disconnecting from [Servername]<br />
55
Directory Servers<br />
The first step in configuring Directory Services on <strong>ePrism</strong> is to define and configure your<br />
Directory Servers.<br />
Select Basic Config -> Directory Services -> Directory Servers on the menu to configure your<br />
LDAP servers that will be used for <strong>ePrism</strong>’s LDAP functions such as user and group membership<br />
lookups, authentication, routing, and so on.<br />
Click Add to configure a new LDAP server, or click Edit to modify an existing server:<br />
• Server URI — Enter the server URI (Uniform Resource Identifier) address, such as<br />
ldaps://10.10.4.84.<br />
• Label — An optional label or alias for the LDAP server.<br />
56
• Type — Select the type of LDAP server, such as Active Directory, or choose Others for<br />
OpenLDAP or iPlanet.<br />
• Bind — Select this check box to bind to the LDAP server with the Bind DN and password<br />
below.<br />
• Bind DN — Enter the DN (Distinguished Name) for the user to bind to the LDAP server,<br />
such as cn=Admin,cn=users,dc=example,dc=com.<br />
• Bind Password — Enter the bind password for the LDAP server.<br />
• Search Base — Specify a default starting point for lookups, such as dc=example,dc=com.<br />
• Timeout — The maximum interval, in seconds, to wait for the search to complete.<br />
• Chase Referrals — Specifies how alias dereferencing is performed during a search:<br />
Never: Aliases are never dereferenced.<br />
Searching: Aliases are dereferenced in subordinates of the base object, but not in locating the<br />
base object of the search.<br />
Finding: Aliases are only dereferenced when locating the base object of the search.<br />
Always: Aliases are dereferenced when searching and locating the base object of the search.<br />
Click the Test button to test your LDAP settings and send a test query to the LDAP server.<br />
When finished, click the Apply button to add the LDAP server.<br />
57
Directory Groups<br />
When you have a Directory server configured, you can import group membership information<br />
from the server to <strong>ePrism</strong>. The imported group membership information is used to determine<br />
which group policies apply to a user. See “Policy Management” on page 167 for more<br />
information on configuring Policies.<br />
Note: Policies must be enabled before Groups can be imported. LDAP Groups has been<br />
tested only with Active Directory. Examples used are for Active Directory<br />
implementations.<br />
Configuring Directory Groups<br />
Select Basic Config -> Directory Services -> Directory Groups on the menu.<br />
Directory Group<br />
• Directory Server — Select a directory server to perform the search.<br />
• Search Base — Enter the starting base point to start the search from, such as<br />
dc=example,dc=com.<br />
• Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.<br />
Base: Searches the base object only.<br />
One Level: Searches objects beneath the base object, but excludes the base object.<br />
Subtree: Searches the entire subtree of which the base distinguished name is the topmost<br />
object, including that base object.<br />
• Query Filter — Enter the appropriate query filter, such as (objectCategory=group) for<br />
Active Directory LDAP implementations.<br />
58
To specify one specific group, use (&(objectCategory=group)(name=groupname)),<br />
inserting the group you are using for "groupname".<br />
• Timeout — The maximum interval, in seconds, to wait for the search to complete.<br />
Result Attributes<br />
This section specifies the fields to return during the LDAP query. LDAP queries can return a lot<br />
of information that is not required, and the Result Attributes are used to filter only the data<br />
needed.<br />
• Group name attribute — Enter the appropriate group name attribute, such as name for Active<br />
Directory LDAP implementations, that identifies the group name.<br />
• Group display name attribute — Enter the appropriate group display name attribute, such as<br />
displayName for Active Directory implementations.<br />
Click the Test button to test your directory server group settings. Click Apply when finished.<br />
Import Settings<br />
You can configure <strong>ePrism</strong> to automatically import LDAP group data on a scheduled basis.<br />
This allows you to stay synchronized with the LDAP directory.<br />
To import LDAP groups:<br />
Click the Import Settings button in the Basic Config -> Directory Services -> Directory<br />
Groups screen.<br />
• Import Group Data — Select the check box to enable automatic import of LDAP group data.<br />
Enabling automatic import ensures that your imported LDAP data remains current with the<br />
information on the LDAP directory server.<br />
• Frequency — Select the frequency of LDAP imports. You can choose between Hourly, Every 3<br />
Hours, Daily, Weekly, and Monthly.<br />
59
• Start Time — Specify the start time for the import in the format hh:mm, such as 23:00 to<br />
schedule an import at 11pm for the period specified in the Frequency field.<br />
Click Apply to save the settings. Click Import Now to immediately begin the import of LDAP<br />
groups.<br />
View the progress of LDAP imports via Status/Reporting -> System Logs -> Messages.<br />
60
Directory <strong>User</strong>s<br />
The Directory <strong>User</strong>s screen is used to import user account data from LDAP-based directory servers.<br />
This information is used to provide LDAP lookups for valid email addresses for the Reject on<br />
Unknown Recipient anti-spam option.<br />
Local mirror accounts can also be created to allow directory-based users to log in locally to <strong>ePrism</strong><br />
to view quarantined mail for the Spam Quarantine feature.<br />
Select Basic Config -> Directory Services -> Directory <strong>User</strong>s to import users from a<br />
directory.<br />
Click the Add button to add a new directory user import configuration.<br />
• Directory Server — Select a directory server to perform the search.<br />
• Search Base — Enter the starting base point to start the search from, such as<br />
dc=example,dc=com.<br />
• Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.<br />
61
Base: Searches the base object only.<br />
One Level: Searches objects beneath the base object, but excludes the base object.<br />
Subtree: Searches the entire subtree of which the base distinguished name is the topmost<br />
object, including that base object.<br />
• Query Filter — Enter the appropriate query filter, such as<br />
(|(objectCategory=group)(objectCategory=person)) for Active Directory LDAP<br />
implementations.<br />
If you use Exchange public folders for email, include the following to your query filter:<br />
(objectCategory=publicFolder)<br />
For example,<br />
(|(|(objectCategory=group)(objectCategory=person))(objectCategory=publicFolder))<br />
For iPlanet and OpenLDAP, use:<br />
(objectClass=person).<br />
• Timeout — The maximum interval, in seconds, to wait for the search to complete.<br />
Result Attributes<br />
This section specifies the fields to return during the LDAP query. LDAP queries can return a lot of<br />
information that is not required, and the Result Attributes are used to filter only the data needed.<br />
• Email attribute — The name of the attribute that identifies the user’s email address. For Active<br />
Directory, iPlanet, and OpenLDAP, use mail.<br />
• Email alias attribute — The name of the attribute that identifies the user’s alternate email<br />
addresses. In Active Directory, the default is proxyAddresses. For iPlanet, use Email. For<br />
OpenLDAP, leave this attribute blank.<br />
• Member of attribute — The name of the attribute that identifies the group(s) that the user<br />
belongs to. This information is used for Policy controls. In Active Directory, the default is<br />
memberOf. For iPlanet, use Member. For OpenLDAP, leave this blank.<br />
• Account Name attribute — This is the name of the attribute that identifies a user’s account<br />
name for login. In Active Directory, the default is sAMAccountName. For iPlanet, use uid. For<br />
OpenLDAP, use cn.<br />
Click the Test button to test your LDAP settings. Click Apply when finished.<br />
62
Import Settings<br />
You can configure <strong>ePrism</strong> to automatically import LDAP user data on a scheduled basis. This<br />
allows you to stay synchronized with the LDAP directory.<br />
To import LDAP users:<br />
Click the Import Settings button in the Basic Config -> Directory Services -> Directory<br />
<strong>User</strong>s screen.<br />
• Import <strong>User</strong> Data — Select the check box to enable automatic import of LDAP user data.<br />
Enabling automatic import ensures that your imported LDAP data remains current with the<br />
information on the LDAP directory server.<br />
• Frequency — Select the frequency of LDAP imports. You can choose between Hourly, Every 3<br />
Hours, Daily, Weekly, and Monthly.<br />
• Start Time — Specify the start time for the import in the format hh:mm, such as 23:00 to<br />
schedule an import at 11pm for the period specified in the Frequency field.<br />
Click Apply to save the settings. Click Import Now to immediately begin the import of users.<br />
View the progress of LDAP imports via Status/Reporting -> System Logs -> Messages.<br />
63
Mirror LDAP Accounts as Local <strong>User</strong>s<br />
To provide local account access for the Spam Quarantine feature, you can mirror the LDAP<br />
accounts, which creates a local account on <strong>ePrism</strong> for each user imported. This provides a simple<br />
method for allowing directory-based users to log in to <strong>ePrism</strong> to view quarantined messages if<br />
you have enabled the Spam Quarantine feature.<br />
Note: These local mirror accounts cannot be used as local mail accounts. They can only be<br />
used for the Spam Quarantine.<br />
See “Spam Quarantine” on page 136 for more information on configuring the user-based Spam<br />
Quarantine.<br />
To create mirrored LDAP users:<br />
1. Select the Mirror accounts option.<br />
2. Choose an Expiry period for the mirrored accounts. If the user no longer exists in the LDAP<br />
directory for the specified period of time, the local mirrored account will be deleted. Note that<br />
this only applies to a local mirrored account, not accounts used for the Reject on Unknown<br />
Recipients feature.<br />
Click Apply to save the settings. Click Import Now to immediately begin the import of users and<br />
create mirrored accounts.<br />
View the progress of LDAP imports via Status/Reporting -> System Logs -> Messages.<br />
Mirrored accounts can be viewed via <strong>User</strong> Accounts -> Mirrored Accounts on the menu.<br />
64
LDAP Aliases<br />
LDAP Aliases are used to search LDAP-enabled directories for mail aliases of a user. If an alias<br />
exists, a new mail message will be created for the named address or addresses. This mail message<br />
will be returned to the delivery process to be mapped, routed, and so on.<br />
Note: LDAP Aliases have been tested with Active Directory only, and the examples shown<br />
are for Active Directory LDAP implementations.<br />
See “Mail Aliases” on page 46 for more information on Mail Aliases.<br />
Select Basic Config -> Directory Services -> LDAP Aliases to configure LDAP Aliases.<br />
Click the Add button to add a new LDAP alias search.<br />
• Directory Server — Select a directory server to perform the search.<br />
• Search Base — Enter the starting base point to start the search from, such as<br />
cn=users,dc=example,dc=com.<br />
• Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.<br />
65
Base: Searches the base object only.<br />
One Level: Searches objects beneath the base object, but excludes the base object.<br />
Subtree: Searches the entire subtree of which the base distinguished name is the topmost<br />
object, including that base object.<br />
• Alias Attribute — Enter the Alias Attribute that defines the alias mail addresses for a user, such<br />
as (proxyAddresses=smtp:%s@*) for Active Directory implementations.<br />
• EMail — Enter the attribute that returns the user’s email address, such as mail for Active<br />
Directory implementations.<br />
• Timeout — The maximum interval, in seconds, to wait for the search to complete.<br />
Use the Test button to perform a test of the LDAP alias configuration. Click Apply to save the<br />
settings.<br />
66
LDAP Mappings<br />
LDAP mappings are used to search LDAP-enabled directories for virtual mappings for a user.<br />
Virtual Mappings are used to redirect mail addressed for one domain to a different domain. This<br />
process is performed without modifying the To: and From: headers in the mail, as virtual<br />
mappings modify the envelope-recipient address.<br />
Note: LDAP Virtual Mappings have been tested with Active Directory only, and the<br />
examples shown are for Active Directory LDAP implementations.<br />
See “Virtual Mappings” on page 50 for more information on Virtual Mappings.<br />
Select Basic Config -> Directory Services -> LDAP Mappings to configure LDAP Virtual<br />
Mappings.<br />
Click the Add button to add a new LDAP Virtual Mapping search.<br />
• Directory Server — Select a directory server to perform the search.<br />
67
• Search Base — Enter the starting base point to start the search from, such as<br />
cn=users,dc=example,dc=com.<br />
• Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.<br />
Base: Searches the base object only.<br />
One Level: Searches objects beneath the base object, but excludes the base object.<br />
Subtree: Searches the entire subtree of which the base distinguished name is the topmost<br />
object, including that base object.<br />
• Alias Attribute — Enter the Incoming Address attribute that defines the virtual mapping for a<br />
user, such as (proxyAddresses=smtp:%s) for Active Directory implementations.<br />
• EMail — Enter the attribute that returns the user’s email address, such as mail for Active<br />
Directory implementations.<br />
• Timeout — The maximum interval, in seconds, to wait for the search to complete.<br />
Use the Test button to perform a test of the LDAP virtual mapping configuration. Click Apply to<br />
save the settings.<br />
68
LDAP Recipients<br />
The LDAP Recipients feature is used in conjunction with the Reject on Unknown Recipient feature<br />
configured in Mail Delivery -> Anti-Spam. You must have Reject on Unknown Recipient enabled for<br />
this feature to work.<br />
When a mail message is received by <strong>ePrism</strong>, this feature searches an LDAP directory for the<br />
existence of a recipient’s email address. If that user address does not exist in the LDAP directory,<br />
the mail is rejected.<br />
This feature differs from the LDAP <strong>User</strong>s lookup option which searches for a user using the<br />
imported locally-cached LDAP users database. The LDAP recipients feature performs a direct<br />
lookup on a configured LDAP directory server for each address.<br />
If both LDAP <strong>User</strong>s and LDAP Recipients are enabled with Reject on Unknown Recipient, the system<br />
will look up the local and mirrored LDAP <strong>User</strong>s first, and then use the direct query to an LDAP<br />
server.<br />
Select Basic Config -> Directory Services -> LDAP Recipients on the menu to configure<br />
your LDAP recipient lookups.<br />
Click Add to add a new LDAP Recipients search.<br />
69
• Directory Server — Select a directory server to perform the search.<br />
• Search Base — Enter the starting base point to start the search from, such as<br />
cn=users,dc=example,dc=com.<br />
• Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.<br />
Base: Searches the base object only.<br />
One Level: Searches objects beneath the base object, but excludes the base object.<br />
Subtree: Searches the entire subtree of which the base distinguished name is the topmost<br />
object, including that base object.<br />
• Query Filter — Enter the Query Filter for the LDAP Recipients lookup, such as<br />
(&(objectClass=person)(mail=%s)) for Active Directory implementations.<br />
For OpenLDAP and iPlanet, use (&(objectClass=person)(uid=%s)).<br />
• Result Attribute — Enter the attribute that returns the user’s email address, such as mail for<br />
Active Directory implementations. For OpenLDAP, and iPlanet, you can also use mail.<br />
• Timeout — The maximum interval, in seconds, to wait for the search to complete.<br />
Use the Test button to perform a test of the LDAP recipients configuration. Click Apply to save<br />
the settings.<br />
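The query filters above carry a %s placeholder that is replaced with the recipient address (or, for LDAP Aliases, the local part) taken from each incoming message. The following added example (illustrative code, not part of this guide or the <strong>ePrism</strong> product) shows what that substitution has to do for the lookup to stay correct: the value is escaped per RFC 4515 so that parentheses, asterisks or backslashes in an address are matched literally instead of changing the filter structure, and a simple structural check counts the assertions in the resulting filter. The count_assertions helper is this example's own.<br />

```python
"""Added illustrative example, not ePrism code: fill the %s placeholder of the
LDAP query filters quoted in this chapter with an RFC 4515 escaped value."""
from typing import Dict

# Filter templates from this chapter; %s stands for the address (or local part) looked up.
RECIPIENT_FILTER_AD = "(&(objectClass=person)(mail=%s))"
RECIPIENT_FILTER_OPENLDAP = "(&(objectClass=person)(uid=%s))"
ALIAS_FILTER_AD = "(proxyAddresses=smtp:%s@*)"

# Characters with special meaning inside an assertion value (RFC 4515 section 3).
_ESCAPES: Dict[str, str] = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so that, wherever it is substituted, it is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, value: str) -> str:
    """Substitute %s exactly once with the escaped value.

    The template's own wildcard (the trailing '*' in the alias filter) is kept,
    while any '*' inside the looked-up value is neutralised.
    """
    if template.count("%s") != 1:
        raise ValueError("filter template must contain exactly one %s placeholder")
    return template.replace("%s", escape_filter_value(value))


def count_assertions(filter_str: str) -> int:
    """Count simple (attr=value) items in a filter and check the parentheses balance.

    Raw parentheses inside a value inflate this count, which is how an unescaped
    substitution shows up when you compare it with the template's own item count.
    """
    depth, items = 0, 0
    for i, ch in enumerate(filter_str):
        if ch == "(":
            depth += 1
            if filter_str[i + 1:i + 2] not in ("&", "|", "!"):
                items += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced filter")
    if depth != 0:
        raise ValueError("unbalanced filter")
    return items
```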
70
LDAP Relay<br />
The LDAP SMTP Authenticated relay feature allows authenticated clients to use this <strong>ePrism</strong> as an<br />
external mail relay for sending mail. For example, you may have remote users that need to send<br />
mail via this <strong>ePrism</strong> system.<br />
These client systems must use a login and password to authenticate to the system before being<br />
allowed to relay mail. These accounts can be set up locally, but you can also use LDAP relay<br />
authentication to authenticate the user to an LDAP directory server.<br />
Configuring LDAP Authenticated SMTP Relay<br />
1. Select Mail Delivery -> Mail Access on the menu.<br />
2. Enable the Permit SMTP Authenticated Relay check box, and also the LDAP<br />
Authenticated Relay check box.<br />
71
3. Select Basic Config -> Directory Services -> LDAP Relay on the menu.<br />
There are two ways to provide LDAP support for SMTP authentication: using Bind, or querying the<br />
LDAP server directly.<br />
Note: The Bind method will only work with Active Directory and iPlanet implementations.<br />
The Query Direct method will only work with OpenLDAP.<br />
• Bind — The Bind method uses the Query Filter to locate the user’s entry and then authenticates<br />
the <strong>User</strong> ID and password by binding to the directory; the user is accepted only if the bind<br />
succeeds, so the password is checked by the directory server and the stored password is never<br />
retrieved by <strong>ePrism</strong>. The Query Filter must specify the <strong>User</strong> ID with a %s variable, such as<br />
(sAMAccountName=%s) for Active Directory. The Result Attribute must be a <strong>User</strong> ID such as<br />
sAMAccountName. Enter corresponding values specific to your LDAP environment.<br />
For iPlanet, use uid=%s for Query Filter, and mail for Result Attribute.<br />
• Query Directly — The Query Direct method queries the LDAP server for the user ID, reads the<br />
password attribute back, and compares it to the supplied password itself. The Query Filter must<br />
specify the user ID, and the Result Attribute must specify the password. Because this reads<br />
userPassword out of the directory, the account <strong>ePrism</strong> searches with must be allowed to read that<br />
attribute; restrict that account to read access on the relay users and nothing more.<br />
For OpenLDAP, use uid=%s for Query Filter, and userPassword for Result Attribute.<br />
For either method, the relay will be refused if the LDAP server direct query or bind attempt fails<br />
for any reason, such as an invalid user name or password, bad query, or if the LDAP server is not<br />
responding.<br />
Select a method, and then click Add to add an entry.<br />
Note: You can only use one method, Bind or Query Direct, for all defined LDAP servers.<br />
You cannot use both at the same time.<br />
• Directory Server — Select a directory server to perform the search.<br />
• Search Base — The Search Base is derived from the Search Base setting in Basic Config -><br />
Directory Services -> Directory Servers. You must ensure that you complete the Search<br />
Base string with information specific to your LDAP hierarchy, such as<br />
cn=users,dc=example,dc=com.<br />
• Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.<br />
Base: Searches the base object only.<br />
One Level: Searches objects beneath the base object, but excludes the base object.<br />
Subtree: Searches the entire subtree of which the base distinguished name is the topmost<br />
object, including that base object.<br />
• Query Filter — Enter the Query Filter for the LDAP lookup, such as (sAMAccountName=%s)<br />
for Active Directory implementations.<br />
• Result Attribute — Enter the attribute that returns the user’s account, such as<br />
sAMAccountName for Active Directory implementations.<br />
• Timeout — The maximum interval, in seconds, to wait for the search to complete.<br />
Use the Test button to perform a test of the LDAP relay configuration. Click Apply to save the<br />
settings.<br />
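The following is an added example, not <strong>ePrism</strong> code, that works through the two relay authentication methods above against a small in-memory directory constructed for the purpose. It shows what the field descriptions leave implicit: the <strong>User</strong> ID must be escaped (RFC 4515) before it replaces %s in the Query Filter, which applies equally to the LDAP Recipients filter above and the LDAP Routing filter that follows; both methods refuse the relay when the lookup fails, times out or returns more than exactly one entry; and Query Direct can only work if the search account is allowed to read userPassword. The FakeDirectory class, the SSHA password scheme used to make the comparison concrete, and all account names are assumptions of the example.<br />

```python
"""Added example (not ePrism code): Bind and Query Direct SMTP AUTH against a
constructed in-memory directory. FakeDirectory, SSHA and the accounts are assumptions."""
import base64
import hashlib
import hmac
import os
import re


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into the %s of a Query Filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


# SSHA (salted SHA-1) is the legacy scheme commonly seen in OpenLDAP userPassword
# values; it is used here only so the Query Direct comparison is concrete.
def ssha_hash(password, salt=None):
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    if not stored or not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


class FakeDirectory:
    """Stand-in for an LDAP server (assumption). Filters are reduced to an AND of
    (attr=value) terms; a value of * matches any entry that has the attribute."""

    def __init__(self, entries, reachable=True):
        self.entries, self.reachable = entries, reachable

    def search(self, base, filt, attrs):
        if not self.reachable:
            raise TimeoutError("directory not responding")
        terms = re.findall(r"\(([^=()]+)=([^()]*)\)", filt)
        if not terms:
            raise ValueError("bad query")
        hits = []
        for dn, entry in self.entries.items():
            if not dn.endswith(base):
                continue                                  # outside the Search Base
            if all(a in entry and (v == "*" or entry[a] == _unescape(v)) for a, v in terms):
                hits.append((dn, {a: entry[a] for a in attrs if a in entry}))
        return hits

    def bind(self, dn, password):
        entry = self.entries.get(dn)
        return bool(entry and password and ssha_verify(password, entry.get("userPassword")))


def _lookup(server, cfg, user_id):
    """Shared first step: substitute the escaped User ID for %s and search."""
    filt = cfg["filter"].replace("%s", escape_filter_value(user_id))
    hits = server.search(cfg["base"], filt, [cfg["attr"]])
    return hits[0] if len(hits) == 1 else None            # unknown or ambiguous: refuse


def auth_bind(server, cfg, user_id, password):
    """Bind method: locate the entry, then prove the password by binding as its DN."""
    try:
        hit = _lookup(server, cfg, user_id)
        return bool(hit) and server.bind(hit[0], password)
    except Exception:
        return False                                      # fail closed: relay refused


def auth_query_direct(server, cfg, user_id, password):
    """Query Direct: read the Result Attribute (userPassword) and verify it locally."""
    try:
        hit = _lookup(server, cfg, user_id)
        return bool(hit) and ssha_verify(password, hit[1].get(cfg["attr"]))
    except Exception:
        return False


# Constructed directory content (not real accounts); fixed salt keeps hashes stable.
ENTRIES = {
    "cn=alice,cn=users,dc=example,dc=com": {"sAMAccountName": "alice", "uid": "alice",
                                           "userPassword": ssha_hash("correct horse", b"fixedsalt")},
    "cn=bob,cn=users,dc=example,dc=com": {"sAMAccountName": "bob", "uid": "bob",
                                         "userPassword": ssha_hash("battery staple", b"fixedsalt")},
}
AD_BIND = {"base": "cn=users,dc=example,dc=com", "filter": "(sAMAccountName=%s)", "attr": "sAMAccountName"}
OPENLDAP_DIRECT = {"base": "cn=users,dc=example,dc=com", "filter": "(uid=%s)", "attr": "userPassword"}

if __name__ == "__main__":
    d = FakeDirectory(ENTRIES)
    print(auth_bind(d, AD_BIND, "alice", "correct horse"))          # True
    print(auth_query_direct(d, OPENLDAP_DIRECT, "bob", "wrong"))    # False
    print(auth_bind(d, AD_BIND, "*", "correct horse"))              # False: the * is escaped
    print(auth_bind(FakeDirectory(ENTRIES, reachable=False), AD_BIND, "alice", "correct horse"))  # False
```

Without the escaping step, a <strong>User</strong> ID of * turns (sAMAccountName=%s) into a filter that matches every account, so the shape of the query is then under the client’s control; with it, the wildcard is searched for literally and no entry matches.<br />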
LDAP Routing<br />
LDAP mail routing looks up the mail route for a recipient’s domain on a specified LDAP server.<br />
The lookup returns the destination mail server for that domain, and the message is then routed to<br />
that server. This is the preferred method for mail routing for organizations with a large number of<br />
domains. Any locally defined mail routes in Mail Delivery -> Mail Routing are resolved<br />
before LDAP routing.<br />
Note: LDAP routing has been tested only with iPlanet implementations, but the examples<br />
provided should work with OpenLDAP depending on your LDAP schema.<br />
Select Basic Config -> Directory Services -> LDAP Routing to configure your LDAP routing<br />
settings.<br />
Click Add to add a new LDAP route search.<br />
• Directory Server — Select a directory server to perform the search.<br />
• Search Base — The Search Base is derived from the Search Base setting in Basic Config -><br />
Directory Services -> Directory Servers. You must ensure that you complete the Search Base<br />
string with information specific to your LDAP hierarchy, such as<br />
cn=users,dc=example,dc=com.<br />
• Scope — Enter the scope of the search. Options are Base, One Level, and Subtree.<br />
Base: Searches the base object only.<br />
One Level: Searches objects beneath the base object, but excludes the base object.<br />
Subtree: Searches the entire subtree of which the base distinguished name is the topmost<br />
object, including that base object.<br />
• Query Filter — Enter the Query Filter that will search for the Mail Domain of a recipient,<br />
such as (&(cn=Transport Map)(uid=%s)) for OpenLDAP implementations.<br />
• Result Attribute — Enter the attribute that returns the domain’s mail host, such as mailHost<br />
for OpenLDAP implementations.<br />
• Timeout — The maximum interval, in seconds, to wait for the search to complete.<br />
Use the Test button to perform a test of the LDAP routing configuration. Click Apply to save the<br />
settings.<br />
CHAPTER 5 Configuring Email Security<br />
This chapter describes how to configure the mail security features of your <strong>ePrism</strong> Email Security<br />
Appliance, and contains the following topics:<br />
• “SMTP Mail Access” on page 78<br />
• “Anti-Virus” on page 80<br />
• “Malformed Messages” on page 83<br />
• “Attachment Control” on page 85<br />
• “SPF (Sender Policy Framework)” on page 88<br />
• “Encryption and Certificates” on page 90<br />
SMTP Mail Access<br />
The Mail Access screen allows you to configure features that provide security when <strong>ePrism</strong> is<br />
accepting mail during an SMTP connection.<br />
Select Mail Delivery -> Mail Access to configure your SMTP mail access settings.<br />
• Specific Access Patterns — This feature can be used to search for patterns in a message for<br />
filtering during the SMTP connection. See “Specific Access Patterns” on page 104 for detailed<br />
information on configuring these filters.<br />
• Pattern Based Message Filtering — Enable this option to use Pattern Based Message<br />
Filtering to reject or accept mail based upon matches in the message envelope, header, or body.<br />
See “Pattern Based Message Filtering” on page 107 for detailed information on configuring<br />
Pattern Based Message Filters.<br />
• Maximum recipients per message — Set the maximum number of recipients accepted per<br />
message. A very large number of recipients means the message is more likely to be spam or bulk<br />
mail.<br />
• Maximum message size — Set the maximum message size that will be accepted by <strong>ePrism</strong>.<br />
Note: When attachments are sent with most email messages, the message size grows<br />
considerably due to the encoding methods used (base64 adds roughly one third to the size of<br />
each attachment). The maximum message size should be set accordingly to accommodate<br />
attachments.<br />
SMTP Authenticated Relay<br />
This feature allows authenticated clients to use <strong>ePrism</strong> as an external mail relay for sending mail.<br />
For example, you may have remote users that need to send mail via this <strong>ePrism</strong> system.<br />
Client systems must use a login and password to authenticate to the system before being allowed<br />
to relay mail. These accounts can be local or they can be authenticated via LDAP.<br />
Select Mail Delivery -> Mail Access on the menu to enable SMTP Authenticated Relay.<br />
LDAP SMTP Authentication<br />
SMTP authentication can also be performed via an LDAP directory server. Select the check box to<br />
enable LDAP Authenticated Relay, and select the link to configure. This feature can also be<br />
configured via Basic Config -> Directory Services -> LDAP Relay.<br />
See “LDAP Relay” on page 71 for detailed information on configuring LDAP Authenticated<br />
Relay.<br />
SMTP Banner<br />
The SMTP banner is the 220 greeting <strong>ePrism</strong> sends as soon as a client connects, before the client<br />
issues HELO or EHLO. By default this banner contains identifying information about your mail<br />
server, such as its hostname, which an attacker can use to fingerprint the system before launching<br />
an attack against it. This option allows you to customize the SMTP banner, and also to remove<br />
<strong>ePrism</strong>’s hostname by using the Domain only option. Treat this as a small hardening step; it does<br />
not substitute for the access controls above.<br />
Anti-Virus<br />
<strong>ePrism</strong> provides an optional virus scanning service. When enabled, all messages (inbound and<br />
outbound) passing through the <strong>ePrism</strong> Email Security Appliance can be scanned for viruses.<br />
<strong>ePrism</strong> integrates the Kaspersky Anti-Virus engine, which is one of the highest rated virus<br />
scanning technologies in the world. Virus scanning is tightly integrated with the mailer for<br />
maximum efficiency.<br />
Viruses can be selectively blocked depending on whether they are found in inbound or outbound<br />
messages, and attachments are recursively disassembled to ensure that viruses cannot be concealed.<br />
When a virus-infected message is received, it can be deleted, quarantined, or the event can be<br />
simply logged. Quarantined messages may be viewed, forwarded, downloaded, or deleted.<br />
Quarantined messages can also be automatically deleted based on age.<br />
By default, any email attachments that cannot be opened and examined by the mail scanner<br />
because of password-protection are quarantined. This feature prevents password-protected zip files<br />
that contain viruses or worms from being passed through the system.<br />
Virus pattern files are automatically downloaded at regular intervals to ensure that they are always<br />
up to date. Notification messages can be sent to the sender, recipient, and mail administrator when<br />
an infected message is received.<br />
Licensing Anti-Virus<br />
To enable virus scanning after the 30-day evaluation period, you must purchase and install a license<br />
for each system. See “License Management” on page 184 for more information on adding licenses.<br />
Configuring Anti-Virus Scanning<br />
Select Mail Delivery -> Anti-Virus from the menu to configure virus scanning.<br />
• Enable Kaspersky virus scanning — Enable or disable virus scanning by selecting the check<br />
box.<br />
• Quarantine unopenable attachments — This option is enabled by default to quarantine<br />
attachments that are password-protected and flag them in the logs as "suspicious". This feature<br />
prevents password-protected zip files that contain viruses or worms from being passed through<br />
the system.<br />
It is recommended that customers use Attachment Control for similar protection against<br />
encrypted files, such as S/MIME, and PGP. For example, for S/MIME encrypted attachments<br />
you should add the "application/x-pkcs7-mime" MIME type to the list of attachment types and<br />
set the action to Quarantine mail. See “Attachment Control” on page 85 for more detailed<br />
information.<br />
Note: This option will only take effect if the Anti-Virus action is set to Quarantine mail.<br />
• Action — Configure the action to take for both inbound and outbound mail. Possible actions<br />
include:<br />
Just log: Log the event and take no further action.<br />
Quarantine mail: The message is placed into quarantine.<br />
Reject mail: The message is rejected with notification to the sending system.<br />
Discard mail: The message is discarded without notification to the sending system.<br />
• Notification — A notification email can be sent to the recipients and sender of an email, and<br />
also the mail system administrator. Select the required check box for both inbound and<br />
outbound mail. In the Inbound Notification and Outbound Notification text boxes, enter the content<br />
for the response message.<br />
Updating Pattern Files<br />
Virus pattern files must be continuously updated to ensure that you are protected from new virus<br />
threats. The frequency of virus pattern file updates can be configured from the Virus Pattern Files<br />
section.<br />
• Update interval (mins) — Select the time interval to configure how often to check for pattern<br />
file updates. Options include 15, 30, and 60 minutes.<br />
• Proxy — If you access the Internet through a proxy server, you must enter its hostname and<br />
port number, such as proxy.example.com:80, for updates to succeed.<br />
• Manual Update — Pattern files can be updated manually by clicking the Get Pattern Now<br />
button.<br />
• Status — Shows the date and time of the last update.<br />
Malformed Messages<br />
Many viruses try to elude virus scanners by concealing themselves in malformed messages.<br />
A scan engine that cannot parse such a message never sees the attachment and passes the<br />
complete message through to an internal server. Some mail clients then try to rebuild the<br />
malformed message and may reconstruct, and activate, the virus-infected attachment. Other types<br />
of malformed messages are designed to attack mail servers directly; most often these are used in<br />
denial-of-service (DoS) attacks.<br />
<strong>ePrism</strong> analyzes each message with very extensive integrity checks. Malformed messages are<br />
quarantined if they cannot be processed.<br />
Select Mail Delivery -> Malformed Mail on the menu to enable and configure malformed email<br />
scanning.<br />
• Enable malformed scanning — Select this option to enable scanning for malformed emails.<br />
• Enable NULL Character Detect — Select this option to enable null character detection.<br />
Any messages with null characters in them (a byte value of 0) will be considered a malformed<br />
message.<br />
• Action — Select an action to be performed. Options include:<br />
Just log: Log the event and take no further action.<br />
Quarantine mail: The message is placed into quarantine.<br />
Reject mail: The message is rejected with notification to the sending system.<br />
Discard mail: The message is discarded without notification to the sending system.<br />
• Notifications — Notifications for inbound and outbound messages can be enabled for all<br />
recipients, the sender, and the administrator. Enter the content for the notification message.<br />
See “Customizing Notification and Annotation Messages” on page 273 for information on<br />
variables such as %SENDER% and %RECIPIENT%.<br />
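An added example, not <strong>ePrism</strong> code, of the two checks above applied to constructed messages: a well-formed one, one that declares a multipart boundary that never appears in the body (the case a lenient client would "repair"), one whose base64 attachment is truncated, and one containing a null byte. Python’s email parser records what it could not parse in each part’s defects list rather than silently guessing, which is the property a gateway check needs; the verdict names and the sample messages are assumptions of the example.<br />

```python
"""Added example (not ePrism code): malformed-message and NUL-byte checks on
constructed messages using the defect list kept by Python's email parser."""
from email import message_from_bytes, policy

NUL = b"\x00"

# Constructed well-formed message: text part plus a small base64 attachment.
GOOD = (b"From: a@example.com\r\nTo: b@example.net\r\nSubject: ok\r\n"
        b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"B\"\r\n\r\n"
        b"--B\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
        b"--B\r\nContent-Type: application/octet-stream; name=\"x.bin\"\r\n"
        b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--B--\r\n")

# The declared boundary never occurs in the body: a strict parser sees no parts
# at all, while a forgiving client may still locate and display the attachment.
NO_BOUNDARY = GOOD.replace(b'boundary="B"', b'boundary="ZZ"')

# Base64 body cut short: the attachment cannot be decoded as sent.
TRUNCATED_B64 = GOOD.replace(b"\r\nAAAA\r\n", b"\r\nAAA\r\n")

# A null byte inside the text part (what NULL Character Detect looks for).
WITH_NUL = GOOD.replace(b"hello", b"hel\x00lo")


def check_message(raw, null_detect=True):
    """Return ('ok' | 'malformed', [reasons]) for one raw RFC 5322 message."""
    reasons = []
    if null_detect and NUL in raw:
        reasons.append("null byte at offset %d" % raw.index(NUL))
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if not part.is_multipart():
            part.get_payload(decode=True)     # decoding records transfer-encoding defects
        reasons += ["%s in %s" % (type(d).__name__, part.get_content_type())
                    for d in part.defects]
    return ("malformed" if reasons else "ok", reasons)


if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("NO_BOUNDARY", NO_BOUNDARY),
                      ("TRUNCATED_B64", TRUNCATED_B64), ("WITH_NUL", WITH_NUL)):
        print(name, check_message(raw))
```

The verdict is computed before any content is passed on, so the caller can apply the configured action (log, quarantine, reject or discard) without ever handing an unparseable message to a downstream server.<br />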
Attachment Control<br />
Attachment filtering can be used to control a wide range of problems originating from both<br />
inbound and outbound attachments, including the following:<br />
• Viruses — Attachments carrying viruses can be blocked.<br />
• Offensive Content — <strong>ePrism</strong> can block the transfer of images, which reduces the possibility that<br />
an offensive picture will be transmitted to or from your company mail system.<br />
• Confidentiality — Prevents unauthorized documents from being transmitted through the<br />
<strong>ePrism</strong> Email Security Appliance.<br />
• Productivity — Prevents your systems from being abused by employees.<br />
Configuring Attachment Control<br />
Select Mail Delivery -> Attachment Control to configure attachment filtering for inbound and<br />
outbound messages.<br />
• Default action — This value sets the default action for attachment control for items not<br />
specifically listed in the Attachment Types list. The default is Pass, which allows all attachments.<br />
Any file types defined in the Attachment Types list will override the default setting.<br />
• Attachment Control — Enable the feature for inbound and outbound mail.<br />
• Attachment Types — Click Edit to configure the attachment types to control.<br />
• Action — Select an action to be performed. Options include:<br />
Just log: Log the event and take no further action.<br />
Quarantine mail: The message is placed into quarantine.<br />
Reject mail: The message is rejected with notification to the sending system.<br />
Discard mail: The message is discarded without notification to the sending system.<br />
• Notifications — Notifications for inbound and outbound messages can be enabled for all<br />
recipients, the sender, and the administrator. Enter the content for the Inbound and Outbound<br />
notification.<br />
Editing Attachment Types<br />
Click the Edit button to edit your attachment types. You can add file extensions (.mp3), or MIME<br />
content types (image/png). For each attachment type, choose whether you want to "BLOCK" or<br />
"Pass" the attachment.<br />
Select the DS (Disable Content Scan) check box if you want to disable content scanning for<br />
attachments with the specified extension. The attachment will still be checked for viruses if the<br />
Disable Content Scan option is selected.<br />
Click the Add Extension button to add a file extension or MIME type to the list.<br />
• Extension — Enter a specific attachment type extension or MIME type, such as "image/<br />
png".<br />
• Disable Content Scan — Select this option if you want to disable content scanning for<br />
attachments with the specified extension. The attachment will still be checked for viruses if the<br />
Disable Content Scan option is selected.<br />
Note: If an archive file, such as .zip, contains a file type that is blocked, the archive file will<br />
be blocked, even if it is set to "Pass". Set the Disable Content Scan (DS) option if you do<br />
not want to scan the content of the archive file.<br />
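An added example, not <strong>ePrism</strong> code, of an attachment-control pass over a constructed message, using a policy table shaped like the Attachment Types list (extension or MIME type, BLOCK or Pass, Disable Content Scan). It applies the archive rule from the note above, so a "Pass" zip is blocked when it holds a blocked type unless DS is set, and it recurses into nested archives. The nesting limit and the decision to block an archive that cannot be read are choices of this example, not documented <strong>ePrism</strong> behaviour.<br />

```python
"""Added example (not ePrism code): attachment control with archive recursion over a
constructed message. MAX_ARCHIVE_DEPTH and the unreadable-archive rule are assumptions."""
import io
import posixpath
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# key (extension or MIME type) -> (action, disable_content_scan)
ATTACHMENT_TYPES = {
    ".exe": ("BLOCK", False),
    ".mp3": ("BLOCK", False),
    "image/png": ("BLOCK", False),
    ".zip": ("Pass", False),
}
DEFAULT_ACTION = "Pass"
ARCHIVE_EXTENSIONS = {".zip"}
MAX_ARCHIVE_DEPTH = 3          # assumption: bound recursion on nested archives


def _ext(name):
    return posixpath.splitext(name or "")[1].lower()


def lookup(filename, content_type, types):
    """Extension match first, then MIME type, then the default action."""
    for key in (_ext(filename), (content_type or "").lower()):
        if key in types:
            return key, types[key]
    return None, (DEFAULT_ACTION, False)


def scan_archive(data, types, depth=1, prefix=""):
    """List (member_path, action) for every file in a zip, recursing into nested zips."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            key, (action, ds) = lookup(info.filename, "application/octet-stream", types)
            findings.append((path, action))
            if action != "BLOCK" and _ext(info.filename) in ARCHIVE_EXTENSIONS and not ds:
                if depth >= MAX_ARCHIVE_DEPTH:
                    findings.append((path, "BLOCK"))     # too deep to inspect: refuse
                else:
                    findings += scan_archive(zf.read(info), types, depth + 1, path + "/")
    return findings


def check_message(raw, types=ATTACHMENT_TYPES):
    """Return {attachment filename: (action, reason)} for every attachment part."""
    verdicts = {}
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        key, (action, ds) = lookup(name, part.get_content_type(), types)
        reason = "matched %s" % key if key else "default action"
        if action != "BLOCK" and _ext(name) in ARCHIVE_EXTENSIONS and not ds:
            try:
                inner = scan_archive(part.get_payload(decode=True), types)
            except zipfile.BadZipFile:
                action, reason = "BLOCK", "archive cannot be read"
            else:
                blocked = [p for p, a in inner if a == "BLOCK"]
                if blocked:
                    action, reason = "BLOCK", "archive contains %s" % blocked[0]
        verdicts[name] = (action, reason)
    return verdicts


def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample():
    """Constructed message: harmless zip, zip hiding an .exe one level down, PNG, junk zip."""
    msg = EmailMessage()
    msg["From"] = "a@example.com"
    msg["To"] = "b@example.net"
    msg["Subject"] = "files"
    msg.set_content("see attached")
    msg.add_attachment(make_zip({"notes.txt": b"plain text"}),
                       maintype="application", subtype="zip", filename="notes.zip")
    inner = make_zip({"invoice.exe": b"MZ\x90\x00"})
    msg.add_attachment(make_zip({"inner.zip": inner}),
                       maintype="application", subtype="zip", filename="payload.zip")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png", filename="logo.png")
    msg.add_attachment(b"not a zip", maintype="application", subtype="zip", filename="broken.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in check_message(build_sample()).items():
        print(name, verdict)
```

Matching on both the declared extension and the MIME type matters because a sender controls both: a renamed file is caught by its type, and a mislabelled type by its extension.<br />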
SPF (Sender Policy Framework)<br />
<strong>ePrism</strong>’s SPF support makes it harder for spammers to forge the sender of a domain and impersonate<br />
a legitimate email user or domain. Unsuspecting users may reply to these seemingly legitimate<br />
addresses with personal and confidential information.<br />
Sender Policy Framework (SPF) provides a means for authenticating the source of an email by<br />
querying the sending domain’s DNS records. The SPF protocol allows server administrators to<br />
publish, in a DNS TXT record, which servers are allowed to send mail for their domain. The<br />
receiving host takes the domain of the envelope sender (the SMTP MAIL FROM address), looks up<br />
that domain’s SPF record, and checks whether the IP address of the connecting server is listed in<br />
it. If it is not, the mail did not originate from a legitimate mail server for that domain. Note that<br />
SPF checks the envelope sender, not the From header displayed to users, so on its own it does not<br />
stop forgery of the visible From address.<br />
<strong>ePrism</strong>’s SPF actions only apply to incoming mail messages that have failed an SPF check, which<br />
means that the connecting server is not authorized by the published SPF record of the sender’s<br />
domain. If the sending domain publishes no SPF record, the message is processed normally.<br />
It is possible, however, that administrators may misconfigure their DNS SPF records, resulting in<br />
false positives and legitimate hosts being blocked from sending you mail. Mail that is forwarded<br />
through an intermediate server also fails SPF, because the forwarding host is not listed in the<br />
original domain’s record.<br />
SPF is an emerging anti-fraud and anti-phishing technology that is designed primarily as a<br />
mechanism to prevent forged emails rather than an anti-spam measure. It is dependent on network<br />
administrators publishing their legitimate email servers in their DNS records and ensuring these<br />
records are properly configured. St. Bernard encourages customers that use SPF in their DNS<br />
infrastructure to review their own SPF records to ensure they are accurate.<br />
Note: St. Bernard recommends that if you enable SPF, you should set the action to modify<br />
the subject header rather than reject the message to ensure that false positives due to<br />
sending system misconfiguration are not completely rejected.<br />
Select Mail Delivery -> SPF on the menu to configure Sender Policy Framework settings:<br />
• Enable SPF — Select the check box to enable SPF verification. The SPF action will only apply<br />
to messages that fail an SPF check.<br />
• Strip incoming SPF headers — This option removes any "Received-SPF" header from<br />
incoming messages. Spammers may attach their own forged SPF headers to create the<br />
impression that the email is from a legitimate source. Anything the sender writes into the message<br />
can be forged, so only a result recorded by your own gateway should be trusted.<br />
• Add outgoing SPF header — This option adds an SPF header to the outgoing message.<br />
• Action — Specify one of the following actions:<br />
Just log: An entry is made in the log, and no other action is taken.<br />
Modify Subject Header: The text specified in Action Data will be inserted into the message<br />
subject line.<br />
Add header: An "X" mail header will be added as specified in the Action Data.<br />
Redirect to: The message will be delivered to the mail address specified in Action Data.<br />
Reject mail: The mail is refused during the SMTP session, so the connecting mail server is<br />
responsible for returning it to its sender.<br />
BCC: The message will be copied to the mail address specified in Action Data.<br />
• Action data — Depending on the specified action:<br />
Modify Subject Header: The specified text will be inserted into the subject line, such as<br />
[SPF].<br />
Add header: A message header will be added with the specified text, such as [SPF].<br />
Redirect to: Send the message to a mailbox such as spam@example.com. You can also specify<br />
a domain such as spam.example.com.<br />
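An added example, not <strong>ePrism</strong> code, that evaluates an SPF record the way the check described above works (RFC 7208 check_host) over a DNS table constructed for the example, then performs the gateway-side steps the options above describe: strip any Received-SPF header the sender supplied, record our own result, and apply the Modify Subject Header action on a fail. The DNS zones, the receiving hostname and the [SPF] tag are assumptions; only the ip4, ip6, a, mx, include and all mechanisms are implemented, an include matches only on a pass result, and macros, redirect and exp are left out.<br />

```python
"""Added example (not ePrism code): RFC 7208 check_host() over a constructed DNS
table, plus Received-SPF stripping and subject tagging. Zones are made up."""
import ipaddress
from email import message_from_bytes, policy

# Constructed DNS data; none of these zones are real.
DNS = {
    "TXT": {
        "example.com": ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.bulk.example -all"],
        "_spf.bulk.example": ["v=spf1 ip4:198.51.100.10 ~all"],
        "loop.example": ["v=spf1 include:loop.example -all"],
    },
    "MX": {"example.com": ["mail.example.com"]},
    "A": {"mail.example.com": ["203.0.113.25"]},
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10     # RFC 7208 s4.6.4: bounds the work a hostile record can cause


class LookupLimit(Exception):
    pass


def _spend(budget):
    budget[0] -= 1
    if budget[0] < 0:
        raise LookupLimit


def _evaluate(ip, domain, budget):
    records = [r for r in DNS["TXT"].get(domain, []) if r.startswith("v=spf1 ")]
    if not records:
        return "none"                 # no record published: message is processed normally
    if len(records) > 1:
        return "permerror"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx"):
            _spend(budget)
            target = arg or domain
            hosts = [target] if mech == "a" else DNS["MX"].get(target, [])
            matched = any(ip == ipaddress.ip_address(a) for h in hosts for a in DNS["A"].get(h, []))
        elif mech == "include":
            _spend(budget)
            matched = _evaluate(ip, arg, budget) == "pass"
        else:
            return "permerror"        # unknown mechanism
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"                  # ran off the end of the record


def check_host(client_ip, mail_from_domain):
    """SPF result for a connection from client_ip claiming MAIL FROM in mail_from_domain."""
    try:
        return _evaluate(ipaddress.ip_address(client_ip), mail_from_domain, [MAX_DNS_LOOKUPS])
    except (LookupLimit, ValueError):
        return "permerror"


def stamp(raw, client_ip, mail_from_domain, receiver="mx.example.net", tag="[SPF]"):
    """Drop inbound Received-SPF headers (unauthenticated, trivially forged), add ours,
    and prefix the subject when the check failed. Returns (result, stripped, message)."""
    msg = message_from_bytes(raw, policy=policy.default)
    stripped = len(msg.get_all("Received-SPF", []))
    del msg["Received-SPF"]
    result = check_host(client_ip, mail_from_domain)
    verb = "designates" if result == "pass" else "does not designate"
    msg["Received-SPF"] = "%s (%s: domain of %s %s %s as permitted sender) client-ip=%s" % (
        result, receiver, mail_from_domain, verb, client_ip, client_ip)
    if result == "fail":
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = ("%s %s" % (tag, subject)).strip()
    return result, stripped, msg


# Constructed inbound message carrying a forged Received-SPF header.
SAMPLE = (b"Received-SPF: pass (forged by sender)\r\n"
          b"From: billing@example.com\r\nTo: you@example.net\r\nSubject: Invoice\r\n\r\nbody\r\n")

if __name__ == "__main__":
    result, stripped, msg = stamp(SAMPLE, "203.0.113.99", "example.com")
    print(result, stripped, msg["Subject"])     # fail 1 [SPF] Invoice
```

The lookup budget is the part worth copying: an include chain that refers to itself, or a record that fans out across many domains, is a way to make the receiver do unbounded DNS work, and the limit turns it into a permerror instead.<br />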
Encryption and Certificates<br />
<strong>ePrism</strong> uses SSL (Secure Sockets Layer) and TLS (Transport Layer Security) encryption to protect<br />
browser sessions and mail delivery. This encryption is enabled by default.<br />
There are two categories of browser sessions:<br />
• Administration sessions — Access to the browser administrative interface.<br />
• <strong>ePrism</strong> Mail Client and Secure WebMail — Access to WebMail.<br />
Configuring Web Server Encryption<br />
Select Basic Config -> Web Server from the menu to configure encryption. The default settings<br />
are recommended.<br />
• Admin HTTP Port — The default port for HTTP requests. The default port 80 can be<br />
changed via the system console.<br />
• Admin HTTPS Port — The default port for HTTPS requests. The default port 443 can be<br />
changed via the system console.<br />
• Secure SSL encryption — Requires SSL encryption for all user and administrator web<br />
sessions.<br />
• Allow low-grade encryption — Allow the use of low-grade encryption, such as single DES<br />
ciphers (a 64-bit key of which only 56 bits are secret), for encrypted user and administrator web<br />
sessions. Leave this disabled unless a legacy client cannot connect without it.<br />
• Enable SSL version 2 — Enables SSL version 2 protocol. SSL version 2 contains known<br />
security issues and has been formally prohibited (RFC 6176); leave it disabled.<br />
• Enable SSL version 3 — Enable SSL version 3 protocol. This is the default setting. SSL version 3<br />
has since been deprecated as well (RFC 7568); disable it if all of your browsers support TLS.<br />
• Enable TLS version 1 — Enable TLS version 1 protocol. This is the default setting.<br />
• Character set encoding — Select the type of character encoding used for HTML data.<br />
Encrypted Mail Delivery<br />
<strong>ePrism</strong> offers a simple mechanism for encrypting mail delivery via SSL/TLS support. A flexible<br />
policy can be implemented to allow other servers and clients to establish encrypted sessions with<br />
<strong>ePrism</strong> to send and receive mail.<br />
The following types of traffic can be encrypted:<br />
• Server to Server — Used to create an email VPN (Virtual Private Network) and protect<br />
company email over the Internet.<br />
• Client to Server — Many email clients, such as Outlook, support TLS for sending and<br />
receiving mail. This protects messages on the link between the client and <strong>ePrism</strong> without the<br />
difficulties of implementing other encryption schemes. Note that TLS encrypts each hop<br />
separately: a message is only confidential from desktop to desktop if every server on its path also<br />
uses TLS, and it is stored in the clear on each of them.<br />
Encryption can be enforced between particular systems, such as setting up an email VPN between<br />
two <strong>ePrism</strong> Email Security Appliances at remote sites. Encryption can also be set as optional so<br />
that users who are concerned about the confidentiality of their messages on the internal network<br />
can specify encryption in their mail client when it communicates with <strong>ePrism</strong>.<br />
<strong>ePrism</strong> supports the use of certificates to initiate the negotiation of encryption keys.<br />
<strong>ePrism</strong> can generate its own site certificates, and can also import Certificate Authority (CA) signed<br />
certificates.<br />
Select Mail Delivery -> SMTP Security from the menu to enable email encryption.<br />
Incoming TLS Mail<br />
• Accept TLS — Enable this option to accept SSL/TLS for incoming mail connections.<br />
• Require TLS for SMTP AUTH — This value is used to require SSL/TLS when accepting<br />
mail for authenticated relay. Enable it: the common PLAIN and LOGIN authentication mechanisms<br />
send the password merely base64-encoded, so without TLS relay credentials cross the network in<br />
the clear. See “SMTP Authenticated Relay” on page 79 for more detailed information.<br />
Default TLS Policy<br />
• Offer TLS — Enable this option to offer remote mail servers the option of using SSL/TLS<br />
when sending mail.<br />
• Enforce TLS — Enabling this option will require the validation of a CA-signed certificate when<br />
delivering mail to a remote mail server. Failure to do so will result in mail delivery failure.<br />
Specific Site Policy<br />
This option supports the specification of exceptions to the default settings for TLS/SSL. For<br />
example, you may need to exempt a mail server from using TLS/SSL because of lack of TLS<br />
support.<br />
To exempt a system, specify the IP Address or FQDN (Fully Qualified Domain Name) of the<br />
remote mail server in the Add/Update Site field. Select Don't Use TLS from the dropdown box<br />
and click the Update button. The exempted mail server will be listed under the Specific Site Policy.<br />
TLS options include the following:<br />
• Don't Use TLS — TLS Mail Delivery is never used with the specified system.<br />
• May Use TLS — Use TLS if the specified system supports it.<br />
• Enforce TLS — Deliver to the specified system only if a TLS connection with a valid CA-signed<br />
certificate can be established.<br />
• Loose TLS — Similar to Enforce TLS but will accept a mismatch between the specified server<br />
name and the Common Name in the certificate. This still defeats passive eavesdropping, but an<br />
active attacker holding any valid CA-signed certificate could impersonate the remote server, so<br />
prefer Enforce TLS wherever the remote certificate’s name can be made to match.<br />
SSL Certificates<br />
A valid SSL certificate is required to support the encryption services available on <strong>ePrism</strong>.<br />
The SSL encrypted channel from the server to the web browser (such as when using a URL that<br />
begins with https), requires a valid digital certificate. You can use self-signed certificates generated<br />
by <strong>ePrism</strong>, or import certificates purchased from commercial vendors such as Verisign.<br />
A certificate binds a public key to a domain name by means of the cryptographic signature of a<br />
trusted party. The web browser can warn you of invalid certificates that undermine secure,<br />
encrypted communications with a server.<br />
The disadvantage of self-signed certificates is that web browsers will display warnings that the<br />
"company" (in this case, the <strong>ePrism</strong> Email Security Appliance) issuing the certificate is untrusted.<br />
When you purchase a commercial certificate, the browser will recognize the company that signed<br />
the certificate and will not generate the warning messages.<br />
A web server certificate of the kind described here carries a single domain name, such as<br />
server.example.com (a CA may also issue certificates that list additional names in the Subject<br />
Alternative Name extension), and a server can present only one certificate per IP address and<br />
port unless the connecting browser supports the TLS Server Name Indication extension. Browsers<br />
will display a warning message when connecting to the server under a different domain name than<br />
the one in the certificate.<br />
Digital certificates eventually expire and are no longer valid after a certain period of time, and need<br />
to be renewed before the expiry date.<br />
Install a commercial certificate on the <strong>ePrism</strong> Email Security Appliance as follows:<br />
1. Select Management -> SSL Certificates on the menu.<br />
2. Create a new certificate using the Generate a 'self-signed' certificate button. This generates a<br />
new private key on the appliance together with a certificate signed by the on-board Certificate<br />
Authority and a matching certificate signing request (CSR).<br />
3. Click Apply to reboot the system to install the new certificate.<br />
4. After the reboot, the current certificate and the certificate request are displayed. To obtain a<br />
commercial certificate, send the certificate request text to the commercial Certificate Authority<br />
(CA) of your choice (such as Verisign, Entrust, and so on) for signing. The private key stays on<br />
the appliance and is never sent to the CA.<br />
Note: Ensure that the certificate is an Apache type of certificate for a mail server.<br />
5. When received from the CA, install the commercial certificate using the Load site certificate<br />
button.<br />
SSL Certificate<br />
Enter the PEM encoded certificate information from the signed SSL certificate by copying and<br />
pasting the text into the specified field.<br />
Private Key<br />
Select the Use this Private Key for SSL Certificate check box to use the supplied private key.<br />
Copy and paste the PEM encoded private key into the required field.<br />
Do not enable this option and leave the field blank if the certificate was generated by request from<br />
this <strong>ePrism</strong> system.<br />
Note: Generating a new self-signed certificate after you have installed a commercial<br />
certificate will overwrite the private key associated with the installed commercial<br />
certificate, making it invalid.<br />
Intermediate Certificate<br />
Some commercial certificates require you to upload an intermediate certificate in addition to the<br />
commercial certificate and the private key. Enter this information into the Intermediate Certificate<br />
section.<br />
CHAPTER 6 Anti-Spam Features<br />
This chapter describes how to configure the anti-spam features of your <strong>ePrism</strong> Email Security<br />
Appliance, and contains the following topics:<br />
• “Anti-Spam Feature Overview” on page 98<br />
• “Email Spam Processing” on page 99<br />
• “<strong>ePrism</strong> Anti-Spam Controls” on page 102<br />
• “Specific Access Patterns” on page 104<br />
• “Pattern Based Message Filtering” on page 107<br />
• “Objectionable Content Filtering” on page 115<br />
• “RBL (Real-time Blackhole List)” on page 117<br />
• “DCC (Distributed Checksum Clearinghouse)” on page 119<br />
• “STA (Statistical Token Analysis)” on page 123<br />
• “Trusted Senders” on page 133<br />
• “Spam Quarantine” on page 136<br />
• “Spam Options” on page 141<br />
Anti-Spam Feature Overview<br />
The following sections provide an overview of <strong>ePrism</strong>’s Anti-Spam features.<br />
<strong>ePrism</strong>’s Anti-Spam Tools<br />
<strong>ePrism</strong> contains built-in spam controls that have been developed to take advantage of its extensive<br />
mail control features. <strong>ePrism</strong> provides flexible tools for creating local exceptions, managing<br />
whitelists and blacklists, and controlling undesirable content.<br />
<strong>ePrism</strong>’s anti-spam controls include the following features:<br />
• RBL (Realtime Blackhole Lists) to reject known spam sources.<br />
• DCC (Distributed Checksum Clearinghouse) to control bulk mail.<br />
• STA (Statistical Token Analysis) for advanced statistical analysis.<br />
<strong>ePrism</strong> works by applying increasing levels of filtering as follows:<br />
1. Filter message based on the server sending the initial connection request.<br />
2. Filter message based on message envelope contents.<br />
3. Look up the source server in the RBL lists.<br />
4. Determine if the message is bulk-mail via DCC.<br />
5. Apply sophisticated analysis to the content via STA.<br />
Flexible dispositions enable the filtered mail to be quarantined, rejected, or classified in the subject<br />
header to be captured by the mail client.<br />
See “<strong>ePrism</strong> Anti-Spam Controls” on page 102 for detailed information on configuring <strong>ePrism</strong>’s<br />
built-in anti-spam features.<br />
Email Spam Processing<br />
<strong>ePrism</strong> applies a series of filters to messages beginning with the simplest and proceeding to the<br />
most complex. The sequence is as follows:<br />
1. Various SMTP connection checks are performed for items such as unauthorized pipelining<br />
commands, non-FQDN senders, unknown sender domains, and so on.<br />
2. The source of the message is compared against a locally specified Specific Access Pattern.<br />
If found, it may be "rejected" or "accepted" for immediate delivery or relay.<br />
3. <strong>ePrism</strong> will apply locally specified attachment, malformation, and virus checks on the contents<br />
of the message.<br />
4. The message is passed through the OCF (Objectionable Content Filter) which searches for<br />
objectionable text within a message.<br />
5. The message is passed through Pattern Based Message Filters that look for a text or pattern<br />
match against a specified part of the message. If a filter rule is triggered, an associated action is<br />
executed such as "reject" or "accept" for immediate delivery. Any defined Trusted Senders will<br />
allow mail to bypass the rest of the spam controls.<br />
6. Mail is processed for spam only if it arrives from an "untrusted" source. This is defined as any<br />
system not on the local network or not specifically "trusted" by the administrator.<br />
7. The source of the message is checked to see if it is listed on an RBL (Real-time Blackhole List), if<br />
enabled. The message may be rejected, quarantined, or tagged and delivered as required.<br />
8. The message is checked by DCC, if enabled. DCC reports whether the message is "bulk", that is,<br />
whether it has been reported on the Internet enough times to be classified as bulk. If this count<br />
exceeds the local threshold, the message may be rejected, quarantined, or tagged and delivered<br />
as required.<br />
9. The message is checked by STA, if enabled, to see if its contents exceed a locally specified<br />
threshold for spam. If so, the message may be rejected, quarantined, or tagged and delivered as<br />
required.<br />
10. Prior to delivery, <strong>ePrism</strong> will check to see if this message was relayed.<br />
See “Message Processing Order” on page 271 for a summary of the message processing order.<br />
Anti-Spam Strategy<br />
To use <strong>ePrism</strong>’s spam controls to their fullest extent, consider the following:<br />
• Identify which systems will be "trusted". If these systems are on different internal networks,<br />
<strong>ePrism</strong> must know that they can be trusted. Also note any external systems that may need to<br />
relay via <strong>ePrism</strong>.<br />
• Plan to enable RBL lists, DCC and STA. These tools require little configuration and<br />
maintenance once they are set up, and they will provide your main defense against spam. You can<br />
selectively enable or disable any one of these tools; however, if you plan to use STA, you almost<br />
certainly should use DCC as well.<br />
• Learn how to whitelist or blacklist sources and types of mail. This is essential for obtaining a<br />
good result with few false positives. Use whitelists to exempt mail that is wrongly classified as<br />
bulk such as valid mailing lists. Use blacklists to catch any spam that eludes the other defenses.<br />
• Educate your local user community on these tools. <strong>User</strong>s need to know why messages are being<br />
classified as they are and how to provide feedback on how well the system is performing.<br />
Appropriate feedback can help identify the thresholds in DCC and STA, as well as provide input<br />
for building the whitelists and blacklists.<br />
Trusted and Untrusted Mail Sources<br />
You must ensure that <strong>ePrism</strong> is properly configured for interaction with local and remote mail<br />
servers. <strong>ePrism</strong> only processes mail through the spam filters when a message originates from an<br />
"untrusted" source. Trusted sources bypass the spam controls.<br />
There are two ways to control how sources of mail are identified:<br />
1. The network interface the mail arrives on<br />
2. A specified IP address (or address block), or server or domain name<br />
Mail that arrives on a particular network interface from the same subnet is "trusted". To change<br />
this setting, perform the following steps:<br />
1. Select Basic Config -> Network on the menu.<br />
2. For the specified interface, uncheck Trusted Subnet.<br />
To add a system to the filters and mark it as "Trusted", perform the following steps:<br />
1. Select Mail Delivery -> Anti-Spam -> PBMF on the menu.<br />
2. Click Add.<br />
3. Select Client IP or Client Host in the From field.<br />
4. Select Contains.<br />
5. Enter the IP address or hostname of the system depending on your selection in step 3.<br />
6. Under Action, select Trust, and then click Apply to add the rule.<br />
<strong>ePrism</strong> Anti-Spam Controls<br />
<strong>ePrism</strong> contains built-in anti-spam controls that have been developed to take advantage of its<br />
extensive mail control features. <strong>ePrism</strong> provides a flexible tool for creating local exceptions,<br />
managing whitelists and blacklists, and controlling undesirable content.<br />
<strong>ePrism</strong> provides the following tools for controlling spam:<br />
Locally Specified Filters<br />
These filters can be used to define exceptions, overrides, whitelists, and blacklists. They<br />
avoid the problems that result from over-reliance on automated methods. It is inevitable that some<br />
spam will not be caught by the automated tools, and it is also inevitable that some legitimate mail<br />
will be classified as spam, such as mailing lists marked as "bulk".<br />
Locally-specified filters include:<br />
• Specific Access Patterns<br />
• Pattern Based Message Filtering<br />
Rules-based Tools<br />
These tools provide automated protection. Used properly, these tools will handle the majority of<br />
spam. These tools include:<br />
• RBL (Realtime Blackhole Lists)<br />
• DCC (Distributed Checksum Clearinghouse)<br />
• STA (Statistical Token Analysis)<br />
<strong>User</strong>-Based Options<br />
Other anti-spam options can be enabled at the user level, allowing users to create Trusted Senders<br />
Lists to whitelist known senders and to manage their own spam quarantine area:<br />
• Trusted Senders List<br />
• Spam Quarantine<br />
Anti-Spam Strategy<br />
The recommended anti-spam strategy is as follows:<br />
• Plan to implement RBL, DCC, and STA.<br />
• Use the least aggressive settings for DCC and STA, such as simply marking the mail as "spam"<br />
so that users can see the mail and apply filters on their mail clients.<br />
• Ensure that your user community is aware of these tools and how it will impact their mail.<br />
• Prepare for exceptions and understand how to apply filters that can effectively whitelist and<br />
blacklist messages.<br />
Configuring Spam Controls<br />
Select Mail Delivery -> Anti-Spam to enable and configure <strong>ePrism</strong>’s built-in spam controls.<br />
To enable any one or more of the Spam Filters, select the Enable check box, select the spam<br />
feature to review the default settings, and then click the Update button.<br />
Specific Access Patterns<br />
Specific Access Patterns (SAP) can be used to either accept or reject mail. These rules overrule all<br />
others, allowing them to be used for special cases to allow email where it would be otherwise<br />
blocked, or to block email when it would otherwise be allowed. Specific access patterns allow an<br />
administrator to respond to local filtering requirements such as the following:<br />
• Allowing other systems to relay mail through <strong>ePrism</strong><br />
• Rejecting all messages from specific systems<br />
• Allowing all messages from specific systems (effectively whitelisting the mail)<br />
It is recommended that you use Pattern Based Message Filtering for anti-spam control and for<br />
whitelisting and blacklisting. See “Pattern Based Message Filtering” on page 107 for more detailed information.<br />
Configuring Specific Access Patterns<br />
Select Mail Delivery -> Anti-Spam -> SAP on the menu to configure specific access patterns.<br />
• Pattern Based Message Filtering — Enable this option to use Pattern Based Message<br />
Filtering to reject or accept mail based upon matches in the message envelope, header, or body.<br />
This type of filtering is explained in more detail in the next section.<br />
• Maximum recipients per message — Set the maximum number of recipients accepted per<br />
message. A large number of recipients can indicate a spam or bulk message.<br />
• Maximum message size — Set the maximum message size that will be accepted by <strong>ePrism</strong>.<br />
Ensure that the specified size can accommodate email attachments.<br />
To configure Specific Access Patterns, click the Add Pattern button.<br />
• Pattern — Enter a mail address, host or domain name.<br />
• Client Access — Specify a domain, server name, or IP address. This item is reliable and may<br />
be used to block spam as well as to whitelist mail.<br />
Note: Only the Client Access parameter can be relied upon, since spammers can easily<br />
forge all other message properties. These parameters, however, are useful for<br />
whitelisting.<br />
• HELO Access — Specify either a domain or server name. It is not reliable as spammers can<br />
fake this property.<br />
• Envelope-From Access — Specify a valid email address. It is not reliable as spammers can<br />
fake this property.<br />
• Envelope-To Access — Specify a valid email address. It is not reliable as spammers can fake<br />
this property.<br />
• If Pattern Matches:<br />
Reject: The connection will be dropped<br />
Allow relaying: Messages from this address will be relayed and processed for spam<br />
Trust: Messages from this address will be relayed and not processed for spam<br />
Matching Rules<br />
SAP rules are slightly different from those used in the Pattern Based Message Filtering. When you<br />
specify a rule in this section, it can take the following forms:<br />
• IP Address — <strong>ePrism</strong> will match an IP address such as 192.168.1.10, or you can use a more<br />
general address form such as 192.168 that will match anything in that address space.<br />
• Domain Name — <strong>ePrism</strong> will match the supplied domain name, such as example.com, with<br />
any subdomain such as mail.example.com, sales.mail.example.com and so on.<br />
• Address — <strong>ePrism</strong> will match an exact email address, such as user@example.com, or a more<br />
general rule such as @example.com.<br />
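The three rule forms above, worked as an added Python example (not ePrism's own code): one matcher per form, and a first-match evaluator over Client, HELO, Envelope-From and Envelope-To access rules. The list-order evaluation, the shape-based detection of a pattern's form and the treatment of the @domain form are assumptions, not documented appliance behaviour.<br />

```python
import re

# Shape test used to tell an IP address or IP prefix from a host or domain name.
IP_FORM = re.compile(r"^\d{1,3}(?:\.\d{1,3}){0,3}$")


def match_ip(rule, client_ip):
    """A full address such as 192.168.1.10 matches exactly; a shorter form such as
    192.168 matches anything in that address space. The comparison is octet-aligned,
    so 192.168.1 matches 192.168.1.x but not 192.168.10.5 (a plain string prefix
    would get that wrong)."""
    rule_octets, ip_octets = rule.split("."), client_ip.split(".")
    return len(rule_octets) <= len(ip_octets) and ip_octets[: len(rule_octets)] == rule_octets


def match_domain(rule, name):
    """example.com matches example.com and every subdomain (mail.example.com,
    sales.mail.example.com), but not notexample.com."""
    rule, name = rule.lower().rstrip("."), name.lower().rstrip(".")
    return name == rule or name.endswith("." + rule)


def match_address(rule, address):
    """user@example.com matches that exact address; @example.com matches any user at
    that domain. Assumption: the @domain form does not cover subdomains."""
    rule, address = rule.lower(), address.lower()
    if rule.startswith("@"):
        return "@" in address and address.rsplit("@", 1)[1] == rule[1:]
    return address == rule


def pattern_matches(rule, value):
    """Choose the rule form from the pattern's shape (assumption: the appliance's own
    detection is not documented): dotted digits are an IP form, anything containing
    '@' is an address, everything else is a domain name."""
    if IP_FORM.match(rule):
        return bool(IP_FORM.match(value)) and match_ip(rule, value)
    if "@" in rule:
        return match_address(rule, value)
    return match_domain(rule, value)


# SMTP session values each access type is compared against. Client Access may name
# an IP address or a host, so it is tried against both.
ACCESS_FIELDS = {
    "client": ("client_ip", "client_host"),
    "helo": ("helo",),
    "envelope_from": ("mail_from",),
    "envelope_to": ("rcpt_to",),
}


def evaluate_sap(rules, session):
    """rules: list of (access_type, pattern, action) with action one of "reject",
    "relay" or "trust"; session: dict of client_ip, client_host, helo, mail_from,
    rcpt_to. Returns the action of the first matching rule (assumption: rules are
    evaluated in list order), or None so that normal processing continues."""
    for access_type, pattern, action in rules:
        for key in ACCESS_FIELDS[access_type]:
            if pattern_matches(pattern, session.get(key, "")):
                return action
    return None


# Constructed rule set and sessions (documentation-style example values only).
SAMPLE_RULES = [
    ("client", "192.168", "relay"),                  # internal address block may relay
    ("client", "spamhost.example.net", "reject"),    # host and all of its subdomains
    ("envelope_from", "@partner.example", "trust"),  # whitelist one sender domain
]


def sample_decisions():
    sessions = [
        {"client_ip": "192.168.10.5", "client_host": "pc.corp.example"},
        {"client_ip": "203.0.113.7", "client_host": "mx.spamhost.example.net"},
        {"client_ip": "203.0.113.8", "client_host": "mx.other.example",
         "mail_from": "alice@partner.example"},
        {"client_ip": "203.0.113.9", "client_host": "mx.other.example",
         "mail_from": "alice@mail.partner.example"},
    ]
    return [evaluate_sap(SAMPLE_RULES, s) for s in sessions]


if __name__ == "__main__":
    print(sample_decisions())  # ['relay', 'reject', 'trust', None]
```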
Pattern Based Message Filtering<br />
Pattern Based Message Filtering is the primary tool for whitelisting and blacklisting messages.<br />
An administrator can specify that mail is rejected or whitelisted according to the contents of the<br />
message header, including the sender, recipient, subject, and body text.<br />
Pattern Based Message Filtering has the following main characteristics:<br />
• Filters can be specified using simple English terms such as "contains" and "matches" or using<br />
POSIX regular expressions<br />
• Filters are processed in the order of their priority<br />
• The actions can be used to modify the behavior of the STA spam filter<br />
For example, you can create a simple text filter that checks messages for the word<br />
"FREE" in the subject. These types of filters can be helpful in compensating for obvious shortcomings of<br />
the other spam filters, but they create long-term maintenance problems.<br />
St. Bernard recommends that you use Pattern Based Message Filtering sparingly for anti-spam<br />
purposes because it has three main disadvantages:<br />
• Time required to specify and then maintain the rules<br />
• Ease with which spammers can circumvent simple word matches<br />
• Spammers fake the contents of the message headers<br />
Email Message Structure<br />
The following is an example of a typical mail message:<br />
Message Envelope<br />
The information in the message envelope, such as HELO, MAIL FROM, and RCPT TO, consists of<br />
parameters that are not visible to the user. They are the "handshake" part of the SMTP protocol. You will<br />
need to look for these in the transport logs or have other knowledge of them.<br />
Message Header<br />
The message header includes the following fields:<br />
• Received from — Indicates the final path that the message followed to get to its destination. It<br />
arrived from "mail.example.com", which delivered it to "server.example.com" to be put in the<br />
mailbox of "user@server.example.com".<br />
• Received by — This indicates a previous "hop" that the message followed. In this case, the<br />
message came via "mail.example.com" which accepted the message addressed to<br />
"user@example.com".<br />
• Delivered-To — The user to be delivered to, in this case "user@example.com".<br />
• Received from — This marks the origin of the message. Note that it is not necessarily the<br />
same as the actual system that originated the message.<br />
• Subject — This is a free form field and is displayed by a typical mail client.<br />
• To — This is a free form field and is displayed by a typical mail client. It does not need to be<br />
accurate and may be different from the destination address in the Received headers or from the<br />
actual recipient.<br />
• From — This is a free form field and is displayed by a typical mail client. It does not need to be<br />
accurate and may be different from the From address in the Received headers. It is typically<br />
faked by spammers.<br />
• Message-ID — This is added by the mail server and is often faked by spammers.<br />
Other header fields include Reply-to, Sender and so on. These fields can be forged by spammers<br />
because they do not affect how the mail is delivered.<br />
Message Body<br />
Following the header is the text or content of the message. This content can be formatted or<br />
encoded in many different ways, but in this example, it is displayed as plain text.<br />
Configuring Pattern Based Message Filtering<br />
Select Mail Delivery -> Anti-Spam, and select Pattern Based Message Filtering on the menu.<br />
Click the Add button to add a new pattern to the filter list.<br />
Select the Message Part you want to filter on. <strong>ePrism</strong> allows you to filter on the following parameters:<br />
Message Envelope Parameters<br />
These parameters will not be visible to the user. They are the "handshake" part of the SMTP<br />
protocol. You will need to look for these in the transport logs or have other knowledge of them.<br />
• — This parameter allows for a match on any part of the message<br />
envelope which includes the HELO, Client IP and Client Host.<br />
• HELO — This field is easily faked, and is not recommended for use in spam control. It may be<br />
useful in whitelisting a source of mail. Example: mail.example.com.<br />
• Client IP — This field will be accurately reported and may be reliably used for both blacklisting<br />
and whitelisting. It is the IP address of the system initiating the SMTP connection. Example:<br />
192.168.1.200.<br />
• Client Host — This field will be accurately reported and may be reliably used for both<br />
blacklisting and whitelisting. Example: mail.example.com.<br />
The following envelope parameters (Envelope Addr, Envelope To and Envelope From) may be visible if<br />
your client supports reading the message source, such as with <strong>ePrism</strong> Mail Client. They can also be<br />
found in the transport logs. Other header fields may be visible as supported by the mail client.<br />
• Envelope Addr — This matches on either the Envelope To or Envelope From. These fields are<br />
easily faked, and are not recommended for use in spam control. They may be useful in<br />
whitelisting a source of mail. Example: fred@example.com.<br />
• Envelope To — This field is easily faked, and is not recommended for use in spam control. It<br />
may be useful in whitelisting a source of mail. Example: fred@example.com.<br />
• Envelope From — This field is easily faked, and is not recommended for use in spam control.<br />
It may be useful in whitelisting a source of mail. Example: fred@example.com.<br />
Message Header Parameters<br />
Spammers will typically enter false information into these fields and, except for the Subject field,<br />
they are usually not useful in controlling spam. These fields may be useful in whitelisting certain<br />
users or legitimate sources of email.<br />
• — This parameter allows for a match on any part of the message header.<br />
• — This parameter matches the To: or CC: fields.<br />
• CC:<br />
• From:<br />
• Message-ID:<br />
• Received:<br />
• Reply-to:<br />
• Sender:<br />
• Subject:<br />
• To:<br />
There are other header fields that are commonly used, such as List-ID, as well as those added by<br />
local mail systems and clients. You must use Regular Expressions (described below) to specify<br />
these.<br />
Message Body Parameters<br />
• — This parameter allows for a match on any part of the encoded<br />
message body. This encoded content includes Base64, MIME, and HTML. Since messages are<br />
not decoded, a simple text match may not work. Use for text matching on<br />
the decoded content.<br />
• — This parameter allows for a match on the visible decoded message<br />
body.<br />
STA Token<br />
STA tokens can also be selected for pattern based message filters. This allows you to match<br />
patterns for common spam words that could be hidden or disguised with fake or invisible HTML<br />
text comments, which would not be caught by a normal pattern filter. For example, STA extracts<br />
the token "viagra" from the text "viagra" and "v.i.a.g.r.a.".<br />
Match Option<br />
Matching looks for the specified text in each line. You can specify one of the following:<br />
• Contains — Looks for the text to be contained in a line or field. This allows for spaces or<br />
other characters that may make an exact match fail.<br />
• Ends with — Looks for the text at the end of the line or field (no characters, spaces and so on,<br />
between the text and the non-printed end-of-line character.)<br />
• Matches — The entire line or field must match the text.<br />
• Starts with — Looks for the text at the start of the line or field (no characters between the text<br />
and the start of line.)<br />
Pattern<br />
Enter the pattern you wish to search for. You may also use Regular Expressions which allow you<br />
to specify match rules in a more flexible and granular way. They are based on the standard POSIX<br />
specification for Regular Expressions.<br />
For example, to search for a "blank" message field, use the following:<br />
^subject:[[:blank:]]*$<br />
Note: Although the Regular Expression feature is supported, St. Bernard cannot help with<br />
devising or debugging Regular Expressions because they have an infinite variety and can<br />
be very complex. Using Regular Expressions is not recommended unless you have<br />
advanced knowledge of their use.<br />
Priority<br />
Select a priority for the filter (High, Medium, Low). The entire message is read before making the<br />
decision. If a message matches multiple filters, the filter with the highest priority will be used.<br />
If more than one matched filter has the highest priority, the filter with the strongest action will be<br />
used, where the actions rank from strongest to weakest as Spam, Reject, Trust, Relay, Valid, Accept. If more than<br />
one matched rule has the highest priority and the strongest action, then the filter with the highest rule<br />
number will be used.<br />
Action<br />
When a rule has been triggered, the specified action is carried out:<br />
• Reject — Mail is received, then rejected before the close of an SMTP session.<br />
• Spam — Mail is received, then trained as spam for STA, and then rejected.<br />
• Accept — Mail is delivered normally and not trained by STA, or marked as spam or bulk.<br />
Attempted relays are rejected.<br />
• Valid — Mail is delivered normally and trained as valid by STA. Attempted relays are rejected.<br />
• Relay — Relay is enabled for this mail. Mail is not trained by STA.<br />
• Trust — Relay is enabled for this mail. Mail is trained as valid by STA.<br />
• Do Not Train — Do not use the message for STA training purposes.<br />
• BCC — Send a blind carbon copy mail to the mail address specified in Action Data. This option<br />
only appears if you have a BCC Email Address set up in the Preferences section.<br />
• Just Log — Take no action, but log the occurrence. Just Log can be used to override other lower<br />
priority PBMFs to test the effect of PBMFs without an action taking place.<br />
Note: The "Relay" or "Trust" action can only be used with an Envelope message part<br />
because attempted relays must be rejected immediately after the envelope transaction.<br />
Upload and Download of PBMF Rules<br />
You can create a list of PBMF rules and upload them together in one file. The file must contain<br />
comma or tab separated entries in the form:<br />
[Section],[type],[pattern],[action],[priority(sequence)],[rulenumber]<br />
For example:<br />
to:,contains,friend@example.com,reject,medium,1<br />
The file (pbmf.csv) should be created in CSV format using Excel, Notepad or another Windows<br />
text editor. It is recommended that you download the current PBMF file first by clicking Download File,<br />
edit it as required, and then upload it using the Upload File button.<br />
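An added Python example (not code from the guide or the appliance) that ties together the upload format, the Match Option choices, a POSIX pattern like the one shown under Pattern, and the priority / action / rule-number tie-breaking described under Priority. The "regex" match type, case-insensitive matching, the section names, the handling of actions outside the strength order and the make_message helper are assumptions.<br />

```python
import csv
import re

PRIORITY_RANK = {"high": 3, "medium": 2, "low": 1}
# Strongest action first, as the guide lists them; any other action (Just Log, BCC,
# Do Not Train) ranks below these (assumption).
ACTION_ORDER = ["spam", "reject", "trust", "relay", "valid", "accept"]
# Python's re module has no POSIX bracket classes, so translate the common ones.
POSIX_CLASSES = {"[:blank:]": " \\t", "[:space:]": "\\s", "[:digit:]": "0-9",
                 "[:alpha:]": "a-zA-Z", "[:alnum:]": "a-zA-Z0-9"}


def parse_rules(text):
    """Parse '[Section],[type],[pattern],[action],[priority],[rulenumber]' lines,
    comma or tab separated, into rule dicts. Use tabs when a pattern contains commas."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        delimiter = "\t" if "\t" in line else ","
        fields = next(csv.reader([line], delimiter=delimiter))
        if len(fields) != 6:
            raise ValueError(f"expected 6 fields: {line!r}")
        section, match_type, pattern, action, priority, number = (f.strip() for f in fields)
        rules.append({"section": section.lower(), "type": match_type.lower(),
                      "pattern": pattern, "action": action.lower(),
                      "priority": priority.lower(), "number": int(number)})
    return rules


def posix_to_python(pattern):
    for posix, python in POSIX_CLASSES.items():
        pattern = pattern.replace(posix, python)
    return pattern


def line_matches(match_type, pattern, line):
    """Contains / Ends with / Matches / Starts with as the guide defines them, plus an
    assumed "regex" type for POSIX regular expressions. Case-insensitive (assumption)."""
    p, l = pattern.lower(), line.lower()
    if match_type == "contains":
        return p in l
    if match_type == "starts with":
        return l.startswith(p)
    if match_type == "ends with":
        return l.endswith(p)
    if match_type == "matches":
        return l == p
    if match_type == "regex":
        return re.search(posix_to_python(pattern), line, re.IGNORECASE) is not None
    raise ValueError(f"unknown match type {match_type!r}")


def action_rank(action):
    return len(ACTION_ORDER) - ACTION_ORDER.index(action) if action in ACTION_ORDER else 0


def decide(rules, message):
    """message maps a section name to its lines; header sections hold the complete
    'Name: value' line, which is what the guide's ^subject:[[:blank:]]*$ example
    implies. Returns (action, rule number) of the winning rule, or None if no rule
    matched. Ties break by highest priority, then strongest action, then highest
    rule number, so a high-priority Just Log rule overrides lower-priority rules."""
    hits = [r for r in rules
            if any(line_matches(r["type"], r["pattern"], ln) for ln in message.get(r["section"], []))]
    if not hits:
        return None
    best = max(hits, key=lambda r: (PRIORITY_RANK.get(r["priority"], 0),
                                    action_rank(r["action"]), r["number"]))
    return best["action"], best["number"]


# Constructed rule file in the upload format (not from the original guide).
SAMPLE_RULES = parse_rules("""\
to:,contains,friend@example.com,reject,medium,1
subject:,contains,FREE,spam,medium,2
client ip,matches,192.168.1.200,trust,high,3
subject:,regex,^subject:[[:blank:]]*$,reject,low,4
to:,contains,@example.com,reject,medium,5
""")


def make_message(client_ip, to, subject, body_lines=()):
    """Constructed message holding only the sections the sample rules refer to."""
    return {"client ip": [client_ip], "to:": [f"To: {to}"],
            "subject:": [f"Subject: {subject}"], "body": list(body_lines)}
```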
PBMF Preferences<br />
Select the Preferences button to configure actions for spam pattern based message filters. These<br />
actions allow you to process the spam message with an additional action such as Redirect To or<br />
Modify Subject Header. You can also train the PBMF spam mail for STA purposes.<br />
• Train as STA Spam — Select this option to allow any mail that triggers an action to be trained<br />
as spam for STA purposes.<br />
• Action — Specify one of the following actions:<br />
Just log: An entry is made in the log, and no other action is taken.<br />
Modify Subject Header: The text specified in Action Data will be inserted into the message<br />
subject line.<br />
Add header: An "X-" mail header will be added as specified in the Action Data.<br />
Redirect to: The message will be delivered to the mail address specified in Action Data.<br />
Reject mail: The mail will not be accepted, and the connecting mail server is forced to return<br />
it.<br />
BCC: Send a blind carbon copy mail to the mail address specified in Action Data.<br />
• Action data — Depending on the specified action:<br />
Modify Subject Header: The specified text will be inserted into the subject line, such as<br />
[PBMF_SPAM].<br />
Add header: A message header will be added with the specified text, such as [PBMF_SPAM].<br />
Redirect to: Send the message to a mailbox such as spam@example.com. You can also specify<br />
a domain such as spam.example.com.<br />
• PBMF BCC Action — Send a blind carbon copy of the message to the address specified. This<br />
is a separate action from the PBMF spam actions.<br />
Objectionable Content Filtering<br />
The Objectionable Content Filter defines a list of key words that will cause a message to be<br />
blocked if any of those words appear in the message.<br />
The Objectionable Content Filter provides enhanced content filtering functionality and flexibility,<br />
allowing users to restrict content of any form including objectionable words or phrases, offensive<br />
content and/or confidential information.<br />
This list can be managed by end users, and can be updated and customized to meet the specific needs of<br />
any organization. Rules can also be applied to both inbound and outbound messages, preventing<br />
unwanted content from entering an organization and prohibiting the release of sensitive<br />
information.<br />
OCF can extract words from messages that disguise them using certain techniques.<br />
For example, OCF will detect the word "spam", even if it is disguised as "sp@m" or "s_p_a_m".<br />
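Both the STA Token paragraph in the previous section (the token "viagra" recovered from "v.i.a.g.r.a.") and the OCF example here describe recovering a word from a disguised spelling. The following is an added Python illustration of one way to do that, not the appliance's own tokenizer; the LOOKALIKES table, the normalize, extract_tokens and find_objectionable functions and the sample messages are all constructed here.<br />

```python
import html
import re

# Look-alike characters spammers substitute for letters (constructed list).
LOOKALIKES = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "|": "l"})
HTML_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
HTML_TAG = re.compile(r"<[^>]+>")
# A run of single letters each followed by one separator: v.i.a.g.r.a  s_p_a_m  s p a m
SPACED_RUN = re.compile(r"(?<![a-z])(?:[a-z][._\-\s]){2,}[a-z](?![a-z])")


def normalize(text):
    """Strip HTML comments and tags (which can hide text inside a word), decode
    entities, undo look-alike substitutions and join separator-spaced letters."""
    text = HTML_TAG.sub("", HTML_COMMENT.sub("", text))
    text = html.unescape(text).lower().translate(LOOKALIKES)
    # Joining spaced letters can also merge short legitimate words ("i a m" -> "iam"),
    # so a real filter should treat tokens produced this way with some suspicion.
    return SPACED_RUN.sub(lambda m: re.sub(r"[._\-\s]", "", m.group(0)), text)


def extract_tokens(text):
    """Alphabetic tokens of the normalized text."""
    return re.findall(r"[a-z]+", normalize(text))


def find_objectionable(text, wordlist):
    """Return the entries of wordlist (one word or phrase per line, as in the OCF
    upload file) that occur in the message after normalization."""
    joined = " " + " ".join(extract_tokens(text)) + " "
    return {w for w in (entry.strip().lower() for entry in wordlist) if w and f" {w} " in joined}


# Constructed word list in the OCF upload format: one word or phrase per line.
SAMPLE_WORDLIST = "spam\nviagra\nfree money\n".splitlines()


def sample_hits():
    messages = [
        "Buy v.i.a.g.r.a. now!",                           # letters split by dots
        "This is sp@m and also s_p_a_m",                   # look-alike and underscores
        "Get vi<!-- hidden -->agra and fr&#101;e money",   # HTML comment and entity
        "Our meeting is at noon",                          # clean text
    ]
    return [find_objectionable(m, SAMPLE_WORDLIST) for m in messages]


if __name__ == "__main__":
    print(sample_hits())  # [{'viagra'}, {'spam'}, {'viagra', 'free money'}, set()]
```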
Select Mail Delivery -> Anti-Spam -> OCF to configure the objectionable content filter.<br />
Actions<br />
You can set actions for both inbound and outbound messages. The following actions can be set:<br />
• Just log — Log the event and take no further action.<br />
• Reject mail — The message is rejected with notification to the sending system.<br />
• Quarantine mail — The message is placed into quarantine.<br />
• Discard mail — The message is discarded without notification to the sending system.<br />
Notifications<br />
Notifications for inbound and outbound messages can be enabled for all recipients, the sender, and<br />
the administrator. The content for the Inbound and Outbound notification can be customized.<br />
See “Customizing Notification and Annotation Messages” on page 273 for a full list of system<br />
variables that can be used in the notification.<br />
Upload and Download Filter List<br />
A predefined list of objectionable words is included with the <strong>ePrism</strong> Email Security Appliance.<br />
To customize the list and to add or remove words, click Download File to download the list to a<br />
local system.<br />
Use a text editor to edit the file using one word or phrase per line. When finished, upload the file by<br />
clicking the Upload File button.<br />
RBL (Real-time Blackhole List)<br />
RBLs contain the addresses of known sources of spam and are maintained by both commercial<br />
and non-commercial organizations. The RBL mechanism is based on DNS. Every server that<br />
attempts to connect to <strong>ePrism</strong> will be looked up on the specified RBL servers using DNS. If the<br />
server is blacklisted, then a configurable action can be taken, such as rejecting the mail, or flagging<br />
the message in its header or subject.<br />
Note the following considerations when using RBL:<br />
• If the RBL server is not available, the DNS request times out. This may affect performance and<br />
requires monitoring for timed-out connections. Remove any servers which you do not use to<br />
prevent time-outs.<br />
• If a message that you want to receive is blocked by an RBL, add an item to the Pattern Based<br />
Message Filtering list to "Trust" (to train for STA) or "Accept" (not train for STA) this<br />
message.<br />
• Choose your RBLs carefully. St. Bernard provides a default server, but we recommend you<br />
review RBL providers (both commercial and free) as some servers are more reliable than<br />
others, while some may not exist after a certain period of time. It is recommended for stability<br />
and accuracy that a commercial RBL service be used.<br />
Caution: The default RBL server in <strong>ePrism</strong> (rbl-plus.mail-abuse.org) is a commercial<br />
RBL provider. To work properly, you must purchase a subscription to this service.<br />
Configuring RBLs<br />
Select Mail Delivery -> Anti-Spam from the menu. Click Realtime Blackhole List (RBL) to<br />
configure RBLs.<br />
• Enable RBLs — Select this check box to enable RBLs.<br />
• Check Relays — The Check Relays setting deals with spammers who relay their messages,<br />
usually illegally, through an intermediate server. Information about the originating server is<br />
carried in the headers of the message, which <strong>ePrism</strong> checks against the RBL. For example,<br />
set Check Relays to "2" for <strong>ePrism</strong> to look up the last two relays.<br />
• Action — Specify one of the following actions:<br />
Just log: An entry is made in the log, and no other action is taken.<br />
Modify Subject Header: The text specified in Action Data will be inserted into the message<br />
subject line.<br />
Add header: An "X-" mail header will be added as specified in the Action Data.<br />
Redirect to: The message will be delivered to the mail address specified in Action Data.<br />
Reject mail: The mail will not be accepted, and the connecting mail server is forced to return it.<br />
BCC: The message will be copied to the mail address specified in Action Data.<br />
• Action data — Depending on the specified action:<br />
Modify Subject Header: The specified text will be inserted into the subject line, such as [RBL].<br />
Add header: A message header will be added with the specified text, such as [RBL].<br />
Redirect to: Send the message to a mailbox such as spam@example.com. You can also specify<br />
a domain such as spam.example.com.<br />
Note: The Add header field can be left blank, if required. If you specify a header such as<br />
[RBL], the header will be written as "X-Reject: [RBL]". If you use the form<br />
RBL:[RBL_List], the header will be written as "X-RBL:[RBL_List]".<br />
RBL Domains<br />
Click Edit to modify the list of your RBL domain servers. Click Update when finished.<br />
Caution: The default RBL server in <strong>ePrism</strong> (rbl-plus.mail-abuse.org) is a commercial RBL<br />
provider. To work properly, you must purchase a subscription to this service.<br />
DCC (Distributed Checksum Clearinghouse)<br />
DCC is based on a number of servers that maintain databases of message checksums: numeric<br />
values that uniquely identify a message. DCC provides a simple but very effective way to<br />
identify spam and control its disposition while updating its database with new spam<br />
message types.<br />
Mail users and ISPs all over the world submit checksums of all messages received. The database<br />
records how many times each message has been submitted. If requested, the DCC server can return a count<br />
of how many instances of a message have been received. <strong>ePrism</strong> uses this count to determine the<br />
disposition of a message.<br />
A DCC server receives no mail, address, headers, or any similar information, but only the<br />
cryptographically secure checksums of such information. A DCC server cannot determine the text<br />
or other information that corresponds to the checksums it receives. It only acts as a clearinghouse<br />
of counts of checksums computed by clients.<br />
DCC interacts with <strong>ePrism</strong>’s other spam controls as follows:<br />
• Mail is checked by DCC after it has been filtered by Specific Access Patterns and Pattern Based<br />
Message Filters. Messages that trigger an "accept" rule will not be processed by DCC.<br />
• All messages classified as "bulk" by DCC (those that exceed the locally set threshold) are passed<br />
to the STA engine for analysis as spam unless the specified action is "reject".<br />
Note: You must allow a connection on UDP port 6277 on your firewall or router to allow<br />
communications with a DCC server. If this port is not available, DCC server calls will fail<br />
and slow down mail delivery.<br />
DCC Considerations<br />
When implementing DCC, consider the following:<br />
• Educate your user community about this tool and request them to submit mailing lists and<br />
other bulk mail sources that need to be whitelisted. This step is crucial if DCC and STA are to<br />
work properly.<br />
• Configure your initial disposition for bulk mail to be Modify Subject Header. <strong>User</strong>s will see all the<br />
bulk mail and will quickly identify any sources of mail they want to whitelist. <strong>User</strong>s can also<br />
create local filter rules in their mail clients to put all tagged mail into a folder.<br />
Configuring DCC<br />
Select Mail Delivery -> Anti-Spam on the menu, and then DCC to configure Distributed<br />
Checksum Clearinghouse.<br />
Threshold Settings<br />
The threshold is used to determine what should happen to mail when it has been classified.<br />
• If bulk exceeds — DCC returns a number showing how many times the message has been<br />
identified. This can be zero (unique and therefore not bulk) or another number, such as 1352,<br />
indicating that the message has been reported 1351 prior times.<br />
It may also return the value "many". This is a special DCC value returned when DCC has seen a<br />
certain message in such volume and at such a frequency that it is almost certainly "bulk".<br />
For DCC to be useful, you need to specify a threshold that will trigger an action. It is<br />
recommended that you enter either "many" or a value of 50 or 100.<br />
Body1, Fuz1, and Fuz2 are settings that specify which checksums will be calculated and sent in.<br />
It is recommended that you leave the default settings. These settings effectively counter the<br />
efforts of spammers to randomize message content and evade detection as bulk. Results of the<br />
various counts can be viewed in the transport logs.<br />
Click the Advanced button to reveal additional settings such as From, ID, and IP. The selected<br />
checksums must be supported by the DCC server to work properly and it is recommended that<br />
you use the default settings. These additional settings should be used with caution, as they<br />
may increase the risk of false positives.<br />
• Action — The action can be one of the following:<br />
Just log: An entry is made in the log, and no other action is taken.<br />
Modify Subject Header: The text specified in Action Data will be inserted into the message<br />
subject line.<br />
Add header: An "X-" mail header will be added as specified in the Action Data.<br />
Redirect to: The message will be delivered to the mail address specified in Action Data.<br />
Reject mail: The mail will not be accepted, and the connecting mail server is forced to return<br />
it.<br />
BCC: The message will be copied to the mail address specified in Action Data.<br />
• Action data — Depending on the specified action:<br />
Modify Subject Header: The specified text will be inserted into the subject line, such as<br />
[DCC_BULK].<br />
Add header: A message header will be added with the specified text, such as [DCC_BULK].<br />
Redirect to: Send the message to a mailbox such as spam@example.com. You can also specify<br />
a domain such as spam.example.com.<br />
Note: The Add header field can be left blank, if required. If you specify a header such as<br />
[DCC_BULK], the header will be written as "X-Reject: [DCC_BULK]". If you use the<br />
form DCC_REJECT:[BULK], the header will be written as "X-DCC_REJECT:[BULK]".<br />
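As an added illustration (not ePrism's or DCC's own code), this Python sketch models the exchange described above: the client submits only checksums, the clearinghouse stores nothing but counts, and the "If bulk exceeds" threshold, including the special value "many", decides the disposition. The fuzzy checksum is a deliberately simplified stand-in for DCC's Fuz1/Fuz2 (lowercase, strip digits, punctuation and whitespace), and the messages, the threshold and the count at which "many" is answered are constructed.<br />

```python
import hashlib
import re
from collections import Counter
from typing import Dict, Union

# DCC returns an integer count, or the special value "many" for a message
# seen in overwhelming volume. MANY_AT (constructed for this example) is the
# count at which this toy clearinghouse starts answering "many".
MANY = "many"
MANY_AT = 1000

Count = Union[int, str]      # an integer, or the literal "many"
Threshold = Union[int, str]  # the "If bulk exceeds" value: 50, 100, "many", ...


def body1_checksum(body: str) -> str:
    """Exact checksum of the whole body (models DCC's Body1)."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def fuzzy_checksum(body: str) -> str:
    """Simplified stand-in for DCC's fuzzy checksums (Fuz1/Fuz2), NOT the
    real algorithm: lowercase and drop digits, punctuation and whitespace, so
    the usual randomisation tricks (random numbers, extra punctuation, odd
    spacing) still map to one value."""
    normalised = re.sub(r"[\d\W_]+", "", body.lower())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def checksums_for(body: str) -> Dict[str, str]:
    """The set of checksums a client submits for one message."""
    return {"body1": body1_checksum(body), "fuz": fuzzy_checksum(body)}


class Clearinghouse:
    """A DCC-like server: it never sees text, only checksums, and stores
    nothing but how many times each checksum has been reported."""

    def __init__(self) -> None:
        self.counts: Counter = Counter()

    def report(self, checksums: Dict[str, str]) -> Dict[str, Count]:
        """Record one sighting of each checksum and return the running totals,
        including this report (so a first sighting answers 1)."""
        result: Dict[str, Count] = {}
        for kind, digest in checksums.items():
            self.counts[digest] += 1
            n = self.counts[digest]
            result[kind] = MANY if n >= MANY_AT else n
        return result


def exceeds(count: Count, threshold: Threshold) -> bool:
    """True when a returned count passes the "If bulk exceeds" threshold.
    A threshold of "many" is met only by the special "many" count."""
    if threshold == MANY:
        return count == MANY
    if count == MANY:
        return True
    return int(count) > int(threshold)


def classify(server: Clearinghouse, body: str, threshold: Threshold) -> str:
    """Report a message's checksums and classify it "bulk" or "unique";
    the highest count over all submitted checksums decides."""
    counts = server.report(checksums_for(body))
    return "bulk" if any(exceeds(c, threshold) for c in counts.values()) else "unique"
```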
DCC Trusted and Blocked List<br />
You can create exceptions to DCC’s bulk classifications by using the Trusted and Blocked List. In<br />
many cases, it may be easier to specify such exceptions using Pattern Based Message Filters, in<br />
which case the mail bypasses both DCC and STA.<br />
Note: In most cases, use the Pattern Based Message Filter menu for creating exceptions.<br />
The DCC trusted and blocked list feature is useful for removing legitimate bulk mail, such<br />
as mailing lists, from consideration as bulk while letting it be scanned by STA for spam<br />
characteristics.<br />
Click Edit to add entries to the Trusted and Blocked lists.<br />
DCC Servers<br />
The default DCC servers supplied will cover most cases and should not be changed without careful<br />
consideration.<br />
Click Edit in the DCC Servers section to configure your DCC server settings, if required.<br />
Note: You must allow a connection on UDP port 6277 on your firewall or router to allow<br />
communications with a DCC server. If this port is not available, DCC server calls will fail<br />
and slow down mail delivery.<br />
STA (Statistical Token Analysis)<br />
STA is a sophisticated method of identifying spam based on statistical analysis of mail content.<br />
Simple text matches can lead to false positives because a word or phrase can have many meanings<br />
depending on the context. STA provides a way to accurately measure how likely any particular<br />
message is to be spam without having to specify every word and phrase.<br />
STA achieves this by deriving, for each word or phrase, a measure of how much it contributes to the<br />
likelihood that a message is spam. This is based on the relative frequency of words and phrases in a<br />
large number of spam messages. From this analysis, it creates a table of "discriminators" (words<br />
associated with spam), each with an associated measure of how likely a message containing it is to be spam.<br />
When a new incoming message is received, STA analyzes the message, extracts the discriminators<br />
(words and phrases), finds their measures from the table, and aggregates these measures to<br />
produce a spam metric for the message.<br />
STA uses three sources of data to build its run-time database:<br />
• The initial tables supplied by St. Bernard based on analysis of known spam.<br />
• Tables derived from an analysis of local legitimate mail. This is referred to as "local learning" or<br />
"training".<br />
• Mail identified as "bulk" by DCC is also analyzed to provide an example of local spam.<br />
How STA Works<br />
Consider the following simple message:<br />
---------------------------------------------------------------<br />
Subject: Get rich quick!!!!<br />
Click on http://getrichquick.com to earn millions!!!!!<br />
----------------------------------------------------------------<br />
STA will break the message down into the following tokens:<br />
Get<br />
rich<br />
quick!!!<br />
Click<br />
on<br />
http://getrichquick.com<br />
to<br />
earn<br />
millions!!!!!<br />
Each token is looked up in the database and a metric is retrieved. The token "Click" has a high<br />
measure of 91, whereas the word "to" is neutral (indicating neither spam nor legitimate).<br />
These measures are aggregated using statistical methods to give the overall score for the message<br />
of 98. Based on the resulting cumulative score, the message can then be rejected, quarantined,<br />
annotated, or forwarded according to how the local threshold is set.<br />
STA Considerations<br />
Several factors can affect the accuracy of STA:<br />
• Is STA seeing all local mail? — The more local or outbound mail that STA sees, the more<br />
accurate it will be. It is recommended that ePrism process all inbound and outbound mail.<br />
• "Trusted" and "Untrusted" mail must be properly identified — If STA treats a local<br />
source of mail as "untrusted", it will not be used for training. Treating an external unknown<br />
source of mail as "trusted" will exempt this mail from spam processing. Similarly, using<br />
"untrusted" mail for training may insert spam into the STA database.<br />
• Add your own definitions of "valid" or "spam" mail — Instead of simply creating a Pattern<br />
Based Message Filtering rule that rejects mail, you can label it as "spam" which sends the<br />
message to STA for training before rejecting it. Trusted external sources of mail can be labeled<br />
as "trusted" which sends the message to STA for training before delivery. STA’s advanced<br />
features allow you to upload your own lists of neutral words, spam, and legitimate mail.<br />
Configuring STA<br />
Select Mail Delivery -> Anti-Spam on the menu, and then select STA to configure Statistical<br />
Token Analysis.<br />
STA can be enabled to filter spam immediately after installation. It is recommended that you start<br />
STA by running in "Training Only" mode to gather an initial sample of legitimate mail and spam.<br />
When enabled, STA will always run in training mode and analyze all local mail. Local mail is<br />
assumed to be not spam and the frequency of the words found in this mail may therefore be used<br />
to modify the values supplied by St. Bernard’s master list. For example, a mortgage company may<br />
use the word "refinance" quite frequently in its regular mail. The likelihood of this word suggesting<br />
spam would therefore be reduced.<br />
• Training Only — STA will analyze local mail but will NOT classify incoming mail.<br />
• Scanning and Training — STA will analyze local mail AND will classify incoming mail.<br />
When a sufficient number of local messages have been analyzed (minimum of 48 hours, 4-5 days<br />
recommended), switch to Scanning and Training to start classifying incoming mail.<br />
Setting Thresholds<br />
STA measures the likelihood of spam for each message it processes. This likelihood is represented<br />
by a number between 0 and 100. The closer to 100, the more likely the message is to be spam. You<br />
can set both an Upper and Lower Threshold. Leave the field blank to disable the action.<br />
It is recommended that you initially set the Upper Threshold to a high value, such as 95, and then<br />
slowly lower it as the training improves. Then set the Lower Threshold, if required.<br />
Messages typically fall into three groups:<br />
• Over 90 — Almost certainly spam.<br />
• Between 55 and 90 — Possibly spam.<br />
• Less than 55 — Almost certainly legitimate mail.<br />
<strong>ePrism</strong> provides an upper and lower threshold to manage the mail that has been classified.<br />
For each threshold, the range of available actions is as follows:<br />
• Action — The action can be one of the following:<br />
Just log: An entry is made in the log, and no other action is taken.<br />
Modify Subject Header: The text specified in Action Data will be inserted into the message<br />
subject line.<br />
Add header: An "X-" mail header will be added as specified in the Action Data.<br />
Redirect to: The message will be delivered to the mail address specified in Action Data.<br />
Reject mail: The mail will not be accepted, and the connecting mail server is forced to return it.<br />
BCC: The message will be copied to the mail address specified in Action Data.<br />
• Action data — Depending on the specified action:<br />
Modify Subject Header: The specified text will be inserted into the subject line, such as<br />
[STA_SPAM].<br />
Add header: A message header will be added with the specified text, such as [STA_SPAM].<br />
Redirect to: Send the message to a mailbox such as spam@example.com. You can also specify<br />
a domain such as spam.example.com.<br />
Note: The header field can be left blank, if required. If you specify a header such as<br />
[STA_SPAM], the header will be written as "X-Reject: [STA_SPAM]". If you use the form<br />
STA_REJECT:[SPAM], the header will be written as "X-STA_REJECT:[SPAM]".<br />
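As an added example (not ePrism's code), this Python sketch runs the "Get rich quick" message from "How STA Works" through whitespace tokenization, a constructed discriminator table (only the 91 for "Click" comes from the text), a naive-Bayes aggregation standing in for STA's unpublished method, the Upper and Lower thresholds, and the six actions, including the "X-" header forms given in the Add header notes for both STA and DCC. The neutral words list from the Advanced options is modelled too; the table values, the aggregation formula and the prepended subject tag are assumptions.<br />

```python
import math
from typing import Dict, Iterable, List, Optional, Set

# Constructed discriminator table for this example, not St. Bernard's
# supplied tables: token -> measure from 0 (legitimate) to 100 (spam).
# "Click" = 91 is the value quoted in the text; the others are made up.
DISCRIMINATORS: Dict[str, int] = {
    "Click": 91, "rich": 85, "quick!!!!": 90, "http://getrichquick.com": 96,
    "millions!!!!!": 94, "earn": 80, "Get": 55, "free": 70,
    "refinance": 88, "mortgage": 80, "lunch": 15, "Hi": 30,
}
NEUTRAL = 50  # tokens absent from the table carry no evidence either way


def tokenize(text: str) -> List[str]:
    """Split on whitespace only, so punctuation stays attached ("quick!!!!")
    and a URL survives as one token, as in the worked message in the text."""
    return text.split()


def token_measure(token: str, table: Dict[str, int], neutral: Set[str]) -> int:
    """Table lookup; a word on the neutral words list is forced to 50."""
    if token.lower() in neutral:
        return NEUTRAL
    return table.get(token, NEUTRAL)


def sta_metric(text: str, table: Dict[str, int] = DISCRIMINATORS,
               neutral_words: Iterable[str] = ()) -> int:
    """Aggregate per-token measures into a 0..100 spam metric.

    Stand-in for STA's own aggregation (which the guide does not publish):
    the classic naive-Bayes combination P = prod(p) / (prod(p) + prod(1-p))
    over the non-neutral tokens, computed in log space.
    """
    neutral = {w.lower() for w in neutral_words}
    log_spam = log_ham = 0.0
    evidence = False
    for tok in tokenize(text):
        m = token_measure(tok, table, neutral)
        if m == NEUTRAL:
            continue
        p = min(max(m / 100.0, 0.01), 0.99)  # clamp: one token must not decide alone
        log_spam += math.log(p)
        log_ham += math.log(1.0 - p)
        evidence = True
    if not evidence:
        return NEUTRAL
    prob = 1.0 / (1.0 + math.exp(log_ham - log_spam))
    return round(prob * 100)


def threshold_band(metric: int, upper: Optional[int], lower: Optional[int]) -> Optional[str]:
    """Return "upper", "lower" or None. A blank (None) threshold disables its
    action; assumption: a metric equal to the threshold triggers it."""
    if upper is not None and metric >= upper:
        return "upper"
    if lower is not None and metric >= lower:
        return "lower"
    return None


def action_header(data: str) -> str:
    """Header written by "Add header", following the notes for DCC and STA:
    "[STA_SPAM]" -> "X-Reject: [STA_SPAM]", "STA_REJECT:[SPAM]" -> "X-STA_REJECT:[SPAM]"."""
    if ":" in data:
        name, value = data.split(":", 1)
        return f"X-{name}:{value}"
    return f"X-Reject: {data}"


def apply_action(msg: Dict[str, object], action: str, data: str = "") -> Dict[str, object]:
    """Apply one action to a message dict {subject, headers, rcpt, bcc};
    "Reject mail" raises instead, since the connecting server must take it back."""
    out = dict(msg)
    if action == "Just log":
        pass  # only a log entry; nothing else changes
    elif action == "Modify Subject Header":
        out["subject"] = f"{data} {msg['subject']}"  # assumption: tag is prepended
    elif action == "Add header":
        out["headers"] = list(msg["headers"]) + [action_header(data)]
    elif action == "Redirect to":
        out["rcpt"] = data  # a mailbox or a domain such as spam.example.com
    elif action == "BCC":
        out["bcc"] = list(msg.get("bcc", [])) + [data]
    elif action == "Reject mail":
        raise ValueError("rejected: connecting mail server must return the message")
    else:
        raise ValueError(f"unknown action {action!r}")
    return out
```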
Rebuild STA<br />
Click the Rebuild STA button to rebuild the STA database. The STA run-time engine is built and<br />
rebuilt at 12 hour intervals using several sources such as the supplied spam data, the DCC spam (if<br />
enabled), and local training. Since the database is not built for the first time until 12 hours after<br />
installation, you can use this option to immediately rebuild the STA database.<br />
Delete Training<br />
Click the Delete Training button to remove all training material. You should delete all training<br />
material if your <strong>ePrism</strong> system has been misconfigured and starts to treat "trusted" mail as<br />
"untrusted" or vice versa.<br />
STA Advanced Options<br />
Click the Advanced button to reveal additional STA options. These options are for advanced STA<br />
configuration only, and it is highly recommended that the default values be used. Modifications to<br />
the default values may decrease STA accuracy and should be used with care.<br />
Neutral Words<br />
Neutral words are words that may or may not indicate spam. For example, a mortgage company<br />
may want to build a neutral word list that includes "refinance" or "mortgage" because these words<br />
also show up quite frequently in spam mail. By adding them to the neutral word list, the likelihood of<br />
these words suggesting spam is reduced to a neutral value.<br />
• Default Neutral Words — Select the check box to enable the St. Bernard neutral words list.<br />
This list helps prevent pollution of the STA database. It is recommended that you leave this<br />
option enabled.<br />
• Uploaded Neutral Words — Enables use of the uploaded neutral words list.<br />
You must upload a file using the Upload Neutral Words button. The file must be in text format,<br />
and contain a list of neutral words with one word per line. Uploading a new list will replace the<br />
previous neutral words list.<br />
Note: During the upload of a neutral words list, the system will automatically rebuild the<br />
STA database. This process may take some time to complete.<br />
STA and Languages<br />
The STA spam database is based on English language spam. As a result, it may not be initially<br />
responsive to spam created in other languages. STA’s ability to learn means that it can readily adapt<br />
to other languages. Ensure that DCC is enabled because all mail identified as "bulk" by DCC will<br />
be used by STA to train as spam. Assuming that some of these messages are in the local language,<br />
STA will build a database that reflects that language. STA will train on local legitimate mail from<br />
the moment the system is started. This will help properly characterize the local language use and<br />
prevent it from being classified as spam.<br />
It is recommended that you use the "spam" action in Pattern Based Message Filters (PBMF), and<br />
select "Train as STA Spam" in the PBMF Preferences. Messages specified as "spam" will be<br />
forwarded to STA and will increase its database of local language words.<br />
• Japanese Language — STA can process Japanese language messages to ensure they are not<br />
automatically classified as spam.<br />
Default — All Japanese content is processed by STA. If you receive legitimate Japanese mail,<br />
this may result in false positives.<br />
No STA Scan — STA scanning will be turned off for all messages containing Japanese<br />
characters.<br />
Lenient STA Scan — STA scanning will be turned off for only the parts of the message<br />
containing Japanese characters. The rest of the message will be processed normally. If there are<br />
20 or fewer non-Japanese tokens in the message, the STA scan will be skipped for that message.<br />
Diagnostics<br />
• Enable X-STA Headers — This setting inserts X-STA headers into all messages. These are not<br />
visible to the user (although they can be filtered in most mail clients), but can be used to gather<br />
information on why mail is processed in a particular way.<br />
The following headers will be inserted:<br />
X-STA-Metric — The "score" assigned by STA, such as 95, which would indicate a spam<br />
message.<br />
X-STA-NotSpam — Indicates the words with the highest non-spam value found in the<br />
message.<br />
X-STA-Spam — Indicates the words with the highest spam value found in the message.<br />
• Enable Monitoring — Select the check box to enable the monitoring of messages received by<br />
the specified email address.<br />
• Monitor email for — Enter an email address that you would like to monitor.<br />
• Copy to — Copy messages and the STA diagnostic to this email address.<br />
STA Training<br />
The following sections allow you to define advanced parameters for STA training, such as<br />
legitimate and spam mail training settings.<br />
Legitimate Mail Settings<br />
The following settings are advanced options for the handling of legitimate mail:<br />
• Local Training — Enable this option to train mail from local users (on the trusted network) as<br />
valid mail.<br />
• Local Limit — Enter the maximum number of messages from local users that can be used for<br />
STA training. When the limit is reached, older training messages are deleted as new messages<br />
arrive.<br />
• Local Threshold — Set the threshold for messages from local users to be used for training.<br />
If the STA classification for the message is greater than or equal to the specified number, the<br />
message will be used for training.<br />
• Source Weighting % — For STA to be useful and efficient, the training must be based on well<br />
selected data. The initial database supplied by St. Bernard represents well selected data, and is<br />
therefore highly weighted, compared to uploaded legitimate mail, or legitimate mail from the<br />
trusted network.<br />
Default — Enter a percentage for the weight of the default maintained STA database of valid<br />
mail.<br />
Uploaded — Enter the weight of locally uploaded valid mail. Legitimate mail can be uploaded<br />
by clicking the Upload Legitimate Mail button. The mail must be in plain-text Unix mbox<br />
format. A minimum of ten messages should be uploaded to be effective.<br />
Trusted-net — Enter the weight of mail from trusted networks that are automatically trained as<br />
valid mail.<br />
Note: When uploading mail, it is recommended that you set the weighting to 60% for<br />
Default, 20% for Upload, and 20% for Trusted. Significant changes to the source weighting<br />
may decrease STA accuracy.<br />
Spam Settings<br />
The following settings are advanced options for the handling of spam mail:<br />
• DCC Training — Select the check box to enable the training of mail marked as "bulk" by DCC<br />
as spam.<br />
• Spam Limit — Enter the maximum number of spam messages used for training.<br />
• Spam Training Threshold — Set the threshold for spam messages to be used for training.<br />
If the STA classification for the message is less than or equal to the specified number, the<br />
message will be used for training.<br />
• Source Weighting — For STA to be useful and efficient, the training must be based on well<br />
selected data. The initial database supplied by St. Bernard represents well selected data, and is<br />
therefore highly weighted, compared to uploaded spam mail, or bulk mail from DCC.<br />
Default — Enter a percentage for the weight of the default maintained STA database of spam<br />
mail.<br />
Uploaded — Enter the weight of locally uploaded spam mail. Spam mail can be uploaded by<br />
clicking the Upload Spam Mail button. The mail must be in plain-text Unix mbox format.<br />
A minimum of ten messages should be uploaded to be effective.<br />
DCC Bulk — Enter the weight of mail marked as "bulk" by DCC that is automatically trained<br />
as spam.<br />
Note: When uploading mail, it is recommended to set the weighting to 60% for Default,<br />
20% for Upload, and 20% for DCC Bulk. Significant changes to the source weighting may<br />
decrease STA accuracy.<br />
Dictionary Spam Count<br />
Recent changes to the way that spammers compose their messages have reduced the effectiveness<br />
of the basic Bayesian filter. By introducing large numbers of normal words into their spam<br />
messages, they can hide their content because the normal words outweigh the spam words and<br />
result in a low spam count. More aggressive settings may result in more false positives.<br />
<strong>ePrism</strong> counters this in two ways:<br />
1. All words in the <strong>ePrism</strong> dictionary are now assigned a base level of how likely they are to be<br />
spam. In a normal message, this increased level will not result in a false positive, since the<br />
overall count is low. In a spam message, the result is different; the normal words will not<br />
counteract the spam content, and the message is correctly identified as spam.<br />
2. Training on local mail now works to reduce this base level closer to zero. This further reduces<br />
the likelihood of a false positive.<br />
The Dictionary Count is set to one "1" by default. This should be sufficient for most situations. It is<br />
recommended that you only change the default value if the following conditions occur:<br />
• If there are too many false positives and this is not alleviated by training, then the Dictionary<br />
Count should be set to zero "0", disabling this feature.<br />
• If too much spam is passing, then the Dictionary Count can be increased. Try increasing the value<br />
to ten "10". If this results in too many false positives, reduce it to five "5".<br />
Note: This setting should only be considered for modification if other measures (training,<br />
threshold changes, uploading spam and/or legitimate mail) have been tried and have not<br />
provided the desired result.<br />
STA Mail Transport Log Entries<br />
STA log entries which indicate the metric for each message can be viewed in the Transport logs.<br />
Select Status/Reporting -> System Logs, and then select Mail Transport to view the<br />
Transport logs.<br />
For example:<br />
Apr 4 17:58:50 mail postfix/qmgr[64521]: BAFB2D2DDD: from=, size=3401, nrcpt=1 (queue active)<br />
Apr 4 17:58:50 mail postfix/smtpd[76468]: disconnect from mx2.freebsd.org[216.136.204.119]<br />
Apr 4 17:58:50 mail postfix/qmgr[64521]: BAFB2D2DDD: STA: spam_metric=12<br />
Troubleshooting STA<br />
STA is a very effective anti-spam tool that provides the mail administrator with a variety of<br />
options to finely tune STA for their particular environment. With these advanced controls, there is<br />
a greater chance of creating a configuration that results in excessive false positives (legitimate mail<br />
marked as spam) or false negatives (spam not marked as spam).<br />
The following are some considerations when troubleshooting issues with STA:<br />
• For excessive false positives<br />
— Ensure that the system has gone through a cycle of training.<br />
— Ensure that any mailing lists that the organization sends out are whitelisted (via PBMF) as<br />
"accept".<br />
— Check for STA tokens that may be words used by the organization for their regular business.<br />
For example, a financing company would want the words "mortgage" or "refinance" to be<br />
allowed as legitimate tokens.<br />
• For excessive false negatives<br />
— If DCC is enabled, ensure that it is working properly and it is using STA for training.<br />
— Check that any mailing lists received by the users are whitelisted (via PBMF) as "accept". If<br />
the action is set to "valid", any spam in the mailing lists can alter the STA values.<br />
Trusted Senders<br />
The Trusted Senders List allows users to create their own lists of senders from whom they want to<br />
receive mail, so that those messages are not blocked by ePrism’s spam filters. Users can use the<br />
WebMail/ePrism Mail Client interface to create their own Trusted Senders List based on a<br />
sender’s email address.<br />
The Trusted Senders List only applies to actions related to RBL, STA, DCC, and PBMF spam<br />
(Low priority) messages. If the message is rejected for other reasons, such as viruses or attachment<br />
controls, the Trusted Senders List will have no effect.<br />
The Trusted Senders List overrides the following actions:<br />
• Modify Subject Header<br />
• Add Header<br />
• Redirect<br />
The following rules also apply for the Trusted Senders List:<br />
• A Reject action will reject the message regardless of the settings in the Trusted Senders List.<br />
• If the action is set to Just Log or BCC, the trusted message will pass through, but will still be<br />
logged or BCC’d by <strong>ePrism</strong>.<br />
• PBMF spam actions set to Medium or High priority cannot be whitelisted, allowing<br />
administrators to ensure that a strong security policy is enforced.<br />
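As an added example (not ePrism's code), the function below encodes the precedence rules just listed so the effective outcome for any combination of feature, action, PBMF priority and trusted sender can be checked; the Verdict type, the source names "Virus" and "Attachment", and case-insensitive address matching are assumptions.<br />

```python
from dataclasses import dataclass
from typing import Set

# Only verdicts from these features can be overridden by a Trusted Senders
# entry; virus and attachment-control rejections are outside its reach.
WHITELISTABLE_SOURCES = {"RBL", "STA", "DCC", "PBMF"}
# The three actions a trusted sender cancels outright.
OVERRIDDEN_ACTIONS = {"Modify Subject Header", "Add Header", "Redirect"}


@dataclass
class Verdict:
    """One anti-spam feature's decision about a message (constructed type)."""
    source: str            # "RBL", "STA", "DCC", "PBMF", "Virus", "Attachment", ...
    action: str            # "Just Log", "Modify Subject Header", "Add Header",
                           # "Redirect", "Reject" or "BCC"
    priority: str = "Low"  # PBMF spam priority: "Low", "Medium" or "High"


def effective_action(verdict: Verdict, sender: str, trusted: Set[str]) -> str:
    """Action actually carried out once the recipient's Trusted Senders List
    is consulted. "Deliver" means the verdict was overridden and the message
    passes through untouched; any other value is the action performed.

    Rules from the text: the list applies only to RBL, STA, DCC and
    Low-priority PBMF spam; Reject always rejects; Just Log and BCC still
    log/BCC (the message is delivered either way); Modify Subject Header,
    Add Header and Redirect are cancelled; Medium/High PBMF spam cannot be
    whitelisted.
    """
    is_trusted = sender.lower() in {t.lower() for t in trusted}
    if not is_trusted or verdict.source not in WHITELISTABLE_SOURCES:
        return verdict.action
    if verdict.source == "PBMF" and verdict.priority != "Low":
        return verdict.action
    if verdict.action == "Reject":
        return "Reject"
    if verdict.action in ("Just Log", "BCC"):
        return verdict.action
    if verdict.action in OVERRIDDEN_ACTIONS:
        return "Deliver"
    return verdict.action
```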
Enabling Trusted Senders<br />
The Trusted Senders List must be enabled globally by the administrator to allow users to configure<br />
their own trusted senders.<br />
Enable the Trusted Senders List globally as follows:<br />
1. Select Mail Delivery -> Anti-Spam -> Trusted Senders.<br />
2. Select the Permit Trusted Senders List check box to enable the feature globally for all users.<br />
3. Configure the domain part of the email address appended to local user names.<br />
WebMail access must be enabled on a network interface in Basic Config -> Network to allow users<br />
to log in to ePrism via ePrism Mail Client/WebMail to manage their Trusted Senders List.<br />
In User Accounts -> Secure WebMail, you must also enable the Trusted Senders controls for<br />
the end user when they log in to the ePrism Mail Client/WebMail interface.<br />
Configuring Trusted Senders<br />
To create their own Trusted Senders List, the end user must log in to their ePrism Mail<br />
Client/WebMail account, and select Trusted Senders from the left menu.<br />
Note: <strong>User</strong>s do not need a local account on the system. Logins can be authenticated via<br />
RADIUS or LDAP to an authentication server such as Active Directory. The user’s Trusted<br />
Senders List is saved locally on the system. See “Remote Accounts and Directory<br />
Authentication” on page 150 for more detailed information on setting up user<br />
authentication.<br />
The Trusted Senders List is based on a sender’s email address. Enter an email address and click the<br />
Add button.<br />
Spam Quarantine<br />
The Spam Quarantine is used to redirect spam mail into a local storage area for each individual user<br />
or to a single user. This allows users to view and manage their own quarantined spam by giving<br />
them the ability to view, release the message to their inbox, or delete the message.<br />
Spam Quarantine summary notifications can be sent to users notifying them of existing mail in<br />
their quarantine. The email notification itself can contain links to take action on messages without<br />
having to login to the quarantine.<br />
To quarantine mail in each anti-spam feature, such as STA and DCC, select Redirect To as an action,<br />
and set the action data to the FQDN (Fully qualified domain name) of the <strong>ePrism</strong> system (to host<br />
the quarantine on the current system) or another <strong>ePrism</strong> running the spam quarantine feature.<br />
Note: The Spam Quarantine must be enabled on the destination system if you choose to<br />
quarantine mail on a separate <strong>ePrism</strong>.<br />
Local Spam Quarantine Account<br />
To access quarantined mail, a local account must exist for each user. This account can be created<br />
locally, or you can use the LDAP Mirrored <strong>User</strong>s feature to import user accounts from an LDAP<br />
compatible directory (such as Active Directory) and mirror them on the local system.<br />
See “Directory <strong>User</strong>s” on page 61 for more information on importing and mirroring LDAP user<br />
accounts.<br />
Configuring the Spam Quarantine<br />
Select Mail Delivery -> Anti-Spam on the menu, and then select Spam Quarantine.<br />
• Enable Spam Quarantine — Select the check box to enable the spam quarantine.<br />
• Expiry Period — Select an expiry period for mail in each quarantine folder. Any mail<br />
quarantined for longer than the specified value will be deleted.<br />
• Folder Size Limit — Set a value, in megabytes, to limit the amount of stored quarantined mail<br />
in each quarantine folder.<br />
• Enable Summary Email — Select the check box to enable a summary email notification that<br />
alerts users to mail that has been placed in their quarantine folder.<br />
Note: Notifications can only be sent to accounts the <strong>ePrism</strong> is aware of, such as local<br />
accounts or LDAP mirrored user accounts.<br />
• Limit # of message headers sent — Specify the maximum number of headers to be sent in<br />
the notification message. Set to "0" for all messages.<br />
• Notification Domain — Enter the domain to which notifications are sent. This is typically<br />
the Fully Qualified Domain Name of the email server. Note: The Spam Quarantine only<br />
supports one domain.<br />
• Notification Days — Select the specific days to send the summary.<br />
• Notification Times — Select the time of day to send the summary notifications.<br />
• Spam Folder — Indicate the Spam Folder name. This must be an RFC821 compliant mail box<br />
name. This folder will appear in a user’s mailbox when they have received quarantined spam.<br />
• Mail Subject — Enter a subject for the notification email.<br />
• Allow releasing of email — Inserts a link in the notification summary to allow the user to<br />
release it to their inbox.<br />
• Allow white listing — Inserts a link in the notification summary to allow the user to add the<br />
sender to their Trusted Senders List.<br />
• Allow reading of message — Inserts a link in the notification summary to allow the user to<br />
read the original message.<br />
Note: Notifications for the Spam Quarantine can only be sent to local or LDAP mirrored<br />
user accounts.<br />
Setting Spam Options<br />
In each anti-spam feature with which you want to quarantine spam mail to the Spam Quarantine,<br />
you must set the action to Redirect to and set the action data to the FQDN of the spam quarantine<br />
server.<br />
For example, to set DCC to send quarantine mail to the spam quarantine, use the following<br />
procedure:<br />
1. Go to Mail Delivery -> Anti-Spam -> DCC from the menu.<br />
2. Set the Action to Redirect to.<br />
3. Set the Action data to the FQDN of the spam quarantine (either this <strong>ePrism</strong>, or another <strong>ePrism</strong><br />
system running the quarantine) such as spam.example.com.<br />
Accessing Quarantined Spam<br />
The quarantined spam folder can be viewed using the <strong>ePrism</strong> Mail Client/WebMail interface.<br />
<strong>User</strong>s can log in to their local or mirrored account on <strong>ePrism</strong> and view their own quarantine<br />
folder.<br />
If you do not require or do not want the end users to log in locally to <strong>ePrism</strong> to retrieve these<br />
messages, they can simply use the linked actions contained in the spam quarantine summary<br />
notification to manage quarantined messages.<br />
Note: WebMail access must be enabled on a network interface in Basic Config -><br />
Network to allow users to log into <strong>ePrism</strong> locally or use the linked actions in the spam<br />
quarantine summary notification.<br />
<strong>User</strong>s can also use IMAP to access the quarantine folders. You must enable IMAP globally and on<br />
your trusted network interfaces as required. This allows users to connect to the system via IMAP<br />
and move spam messages out of the quarantine into their own folders.<br />
Accessing the Quarantine Folder via IMAP<br />
To enable access to the quarantine folder via IMAP:<br />
1. Select <strong>User</strong> Accounts -> POP3 and IMAP to enable IMAP globally.<br />
2. Select Basic Config -> Network to enable IMAP on a specific network interface.<br />
3. Connect from a client using IMAP to view the "spam_quarantine" folder.<br />
To retrieve false positives (messages that are not spam) from the quarantine, configure the<br />
client email application with two separate accounts, one for the user's normal mailbox and one<br />
for the spam quarantine. With this configuration, messages can be dragged and dropped from the<br />
quarantine into the normal mail account.<br />
Enabling WebMail and Spam Quarantine Access<br />
In Basic Config -> Network, enable the WebMail check box for a specific network interface to<br />
allow users to log in to WebMail.<br />
In <strong>User</strong> Accounts -> Secure WebMail, enable the Personal Quarantine Controls option to provide<br />
users with the spam quarantine controls in the <strong>ePrism</strong> Mail Client/WebMail interface.<br />
Accessing the Quarantine folder using <strong>ePrism</strong> Mail Client/WebMail<br />
To access the quarantine folder via <strong>ePrism</strong> Mail Client/WebMail:<br />
1. Log into your <strong>ePrism</strong> WebMail account.<br />
2. Select Spam Quarantine from the left menu.<br />
Click the Release link to release the message back into your inbox.<br />
Click the Trusted Sender link to automatically add the sender to your Trusted Sender List.<br />
Spam Options<br />
The following options are other anti-spam settings that can be configured from the Mail Delivery<br />
-> Anti-Spam menu.<br />
• Anti-Spam Header — Anti-spam headers are provided for diagnostic purposes and contain<br />
data on the spam processing applied to the message and its metrics. Enable this option to<br />
include the header.<br />
The header output is similar to the following:<br />
X-BTI-AntiSpam: sta:false/0/020,dcc:off,rbl:off,wlbl:none<br />
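The header is a diagnostic record of which engines ran and what they reported, so it is worth parsing when investigating why a message was or was not treated as spam. The following is an added example, not code from the guide or the ePrism product: it parses the header out of a raw message and lists the engines that report "off". The engine names come from the sample header above; the meaning of the three slash-separated sta fields is not documented here, so the code only splits them and does not interpret them. The sample message is constructed.<br />

```python
# Added example: parse the X-BTI-AntiSpam diagnostic header.
# Engine names (sta, dcc, rbl, wlbl) come from the sample header in the guide;
# the meaning of the slash-separated sta fields is not documented here and is
# only split, not interpreted.
from email import message_from_string
from typing import Dict, List, Optional, Union

HEADER_NAME = "X-BTI-AntiSpam"

FieldValue = Union[str, List[str]]


def parse_antispam_header(value: str) -> Dict[str, FieldValue]:
    """Turn 'sta:false/0/020,dcc:off,rbl:off,wlbl:none' into a dict.

    Each comma-separated item is 'engine:result'. A result containing '/'
    (the sta item) is returned as a list of its slash-separated fields.
    """
    parsed: Dict[str, FieldValue] = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        engine, sep, result = item.partition(":")
        if not sep or not engine.strip():
            raise ValueError(f"malformed {HEADER_NAME} item: {item!r}")
        result = result.strip()
        parsed[engine.strip().lower()] = result.split("/") if "/" in result else result
    return parsed


def antispam_from_message(raw_message: str) -> Optional[Dict[str, FieldValue]]:
    """Extract and parse the header from a raw RFC 822 message; None if absent.

    Folded (multi-line) header values are unfolded by collapsing whitespace.
    """
    msg = message_from_string(raw_message)
    value = msg.get(HEADER_NAME)
    if value is None:
        return None
    return parse_antispam_header(" ".join(str(value).split()))


def engines_off(parsed: Dict[str, FieldValue]) -> List[str]:
    """Engines whose result is literally 'off', i.e. checks not applied to this
    message. Useful when triaging why a spam message was delivered."""
    return sorted(engine for engine, result in parsed.items() if result == "off")


# Constructed sample message (not captured from a real appliance).
SAMPLE_MESSAGE = """\
Received: from mx.example.com (placeholder)
X-BTI-AntiSpam: sta:false/0/020,dcc:off,rbl:off,wlbl:none
From: sender@example.net
To: user1@example.com
Subject: constructed sample

Hello
"""

if __name__ == "__main__":
    parsed = antispam_from_message(SAMPLE_MESSAGE)
    print(parsed)
    print("engines off:", engines_off(parsed))
```

Run as a script, the block prints the parsed header for the constructed message and reports that dcc and rbl were off; feed it real messages by passing their raw text to antispam_from_message.<br />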
Client Access Restrictions<br />
The following client access restrictions are configured in this section:<br />
• Reject on unknown recipient — This option rejects mail if the intended recipients do not<br />
exist in an LDAP directory. It is used in conjunction with LDAP Users and the LDAP<br />
Recipients feature: ePrism performs an LDAP lookup to see whether the user exists, either in the<br />
local database of imported LDAP Users or, with the LDAP Recipients feature, directly in an<br />
LDAP user directory.<br />
Configure LDAP <strong>User</strong>s and LDAP Recipients in the Basic Config -> Directory <strong>User</strong>s menu.<br />
See “Directory <strong>User</strong>s” on page 61 for more information on importing LDAP users for user<br />
lookups and configuring the LDAP Recipients feature.<br />
Note: Override Reject on unknown recipient by using a Specific Access Pattern (Allow<br />
relaying and Trust), or a Pattern Based Message Filter based on the message Envelope.<br />
• Reject on unknown sender domain — Rejects mail when the sender’s mail address does not<br />
appear in the DNS as an A or MX record. This option applies to "untrusted" mail only.<br />
• Reject on non FQDN sender — Rejects mail when the client MAIL FROM command is not<br />
in the form of an FQDN (Fully Qualified Domain Name) such as mail.example.com.<br />
This option applies to "untrusted" mail only.<br />
• Reject on unauth pipelining — Rejects mail when SMTP commands are sent ahead of the<br />
message even though the SMTP server supports pipelining.<br />
Advanced Options<br />
Click the Advanced button to configure advanced client restrictions. These options are for<br />
advanced users only because they can have adverse effects on your mail delivery if not used<br />
carefully.<br />
• Reject on missing addresses — Reject mail when no recipients (To:) or sender (From:) were<br />
specified in the message headers. These fields are the optional To: and From: fields, not the<br />
corresponding Envelope fields.<br />
• Reject on missing reverse DNS — Reject mail from a host when the host IP address has no<br />
PTR (address to name) record in the DNS, or when the PTR record does not have a matching A<br />
(name to address) record.<br />
Caution: Many mail servers on the Internet do not have valid Reverse DNS records. Setting<br />
this option may result in rejecting mail from legitimate sources. Enabling this option is not<br />
recommended.<br />
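To make the three DNS-based sender restrictions above concrete (unknown sender domain, non-FQDN sender, and missing or mismatched reverse DNS), here is an added example that implements each check as the guide defines it. This is illustration code, not the appliance's own logic, and it runs offline against a constructed in-memory resolver (FakeResolver) populated with RFC 5737 documentation addresses; the treatment of the empty bounce sender "<>" as exempt from the sender checks is this example's assumption. The reverse-DNS check is forward-confirmed, which is exactly why the Caution above applies: a host whose PTR exists but whose name does not resolve back to the connecting IP is rejected.<br />

```python
# Added example: the sender/reverse-DNS checks described in the guide, run
# against a constructed resolver so it executes offline. Not the appliance's
# published logic; an illustration of the checks as the guide defines them.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass
class FakeResolver:
    """Stand-in for DNS. Keys are lower-case names or dotted IPs; values are record lists."""
    a: Dict[str, List[str]] = field(default_factory=dict)
    mx: Dict[str, List[str]] = field(default_factory=dict)
    ptr: Dict[str, List[str]] = field(default_factory=dict)

    def lookup_a(self, name: str) -> List[str]:
        return self.a.get(name.lower().rstrip("."), [])

    def lookup_mx(self, name: str) -> List[str]:
        return self.mx.get(name.lower().rstrip("."), [])

    def lookup_ptr(self, ip: str) -> List[str]:
        return self.ptr.get(ip, [])


def is_fqdn(name: str) -> bool:
    """At least two valid labels (host.domain) and 253 chars max; 'localhost' fails."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def is_null_sender(mail_from: str) -> bool:
    """'<>' (empty reverse-path) is used for bounces. Assumption of this example:
    it is exempt from the sender-domain checks; the guide does not say."""
    return mail_from.strip() in ("", "<>")


def sender_domain(mail_from: str) -> Optional[str]:
    """Domain part of a MAIL FROM address ('<user@example.com>' -> 'example.com')."""
    addr = mail_from.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if addr.count("@") != 1:
        return None
    return addr.rsplit("@", 1)[1] or None


def reject_non_fqdn_sender(mail_from: str) -> bool:
    """'Reject on non FQDN sender': True means the restriction would reject."""
    if is_null_sender(mail_from):
        return False
    domain = sender_domain(mail_from)
    return domain is None or not is_fqdn(domain)


def reject_unknown_sender_domain(mail_from: str, dns: FakeResolver) -> bool:
    """'Reject on unknown sender domain': reject when the domain has neither an A nor an MX record."""
    if is_null_sender(mail_from):
        return False
    domain = sender_domain(mail_from)
    if domain is None:
        return True
    return not (dns.lookup_a(domain) or dns.lookup_mx(domain))


def reject_missing_reverse_dns(client_ip: str, dns: FakeResolver) -> bool:
    """'Reject on missing reverse DNS': reject when there is no PTR record, or when
    no PTR name has an A record pointing back at the connecting IP."""
    names = dns.lookup_ptr(client_ip)
    if not names:
        return True
    return not any(client_ip in dns.lookup_a(name) for name in names)


# Constructed DNS data (RFC 5737 documentation addresses), not real hosts.
DNS = FakeResolver(
    a={"mx.example.com": ["192.0.2.10"], "mail.example.net": ["198.51.100.5"]},
    mx={"example.com": ["mx.example.com"], "example.net": ["mail.example.net"]},
    ptr={
        "192.0.2.10": ["mx.example.com"],      # forward-confirmed: PTR -> A -> same IP
        "198.51.100.7": ["mail.example.net"],  # PTR exists but its A record points elsewhere
        # 203.0.113.9 has no PTR record at all
    },
)


def evaluate(client_ip: str, mail_from: str, dns: FakeResolver = DNS) -> Dict[str, bool]:
    """Run all three checks; each True means that restriction would reject the mail."""
    return {
        "non_fqdn_sender": reject_non_fqdn_sender(mail_from),
        "unknown_sender_domain": reject_unknown_sender_domain(mail_from, dns),
        "missing_reverse_dns": reject_missing_reverse_dns(client_ip, dns),
    }


if __name__ == "__main__":
    for ip, sender in [("192.0.2.10", "<alice@example.com>"),
                       ("198.51.100.7", "<bob@example.net>"),
                       ("203.0.113.9", "<eve@localhost>")]:
        print(ip, sender, evaluate(ip, sender))
```

Replace FakeResolver with a real resolver (for example one built on dnspython) to test a live host, keeping the same three functions; the constructed data already exercises the three outcomes of the reverse-DNS check.<br />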
CHAPTER 7<br />
<strong>User</strong> Accounts and Remote<br />
Authentication<br />
This chapter describes how to set up and administer local and remote user accounts and<br />
POP/IMAP access on your ePrism Email Security Appliance, and contains the following topics:<br />
• “POP3 and IMAP Access” on page 144<br />
• “Local <strong>User</strong> Mailboxes” on page 145<br />
• “Mirror Accounts” on page 147<br />
• “Strong Authentication” on page 148<br />
• “Remote Accounts and Directory Authentication” on page 150<br />
• “Relocated <strong>User</strong>s” on page 153<br />
• “Vacation Notification” on page 154<br />
• “Tiered Administration” on page 157<br />
POP3 and IMAP Access<br />
<strong>ePrism</strong> fully supports local user mailboxes. Mail is delivered to <strong>ePrism</strong> mailboxes after the same<br />
processing that applies to all other destinations. <strong>User</strong>s can use any POP or IMAP-based mail client<br />
(such as Outlook, Netscape, Eudora, and so on) to download their messages. <strong>User</strong>s can also be<br />
configured to access these mailboxes using St. Bernard’s webmail client.<br />
Note: It is recommended that you use the secure versions of POP and IMAP to ensure<br />
passwords are not transmitted in clear text.<br />
Select <strong>User</strong> Accounts -> POP3 and IMAP on the menu to enable or disable POP and/or IMAP<br />
mailboxes.<br />
You must also enable POP3 and IMAP access (and their secure versions) on your network<br />
interfaces via the Basic Config -> Network menu.<br />
Local <strong>User</strong> Mailboxes<br />
Select <strong>User</strong> Accounts -> Local Accounts on the menu to add new users and configure local user<br />
mail profile settings.<br />
Click the Add a New <strong>User</strong> button to begin the new user configuration:<br />
• <strong>User</strong> ID — Enter an RFC821 compliant mail box name for the user.<br />
• Forward email to — Enter an optional address to forward all mail to.<br />
• Set and Confirm Password — Enter and confirm the user’s password. The user should<br />
change this password the first time they log in.<br />
• Strong Authentication — Select a strong authentication method, if required. Strong<br />
authentication is explained in more detail in the next section.<br />
• Disk Space Quota — Enter an optional user disk space quota in megabytes (MB). Enter "0"<br />
for no quota.<br />
• Accessible IMAP/WebMail Servers — Select the available IMAP and WebMail servers that<br />
this user can access.<br />
Upload and Download <strong>User</strong> Lists<br />
You can upload lists of users using comma or tab separated text files. You can specify the login ID,<br />
password, email address, and disk quota in megabytes. Use the following format:<br />
[login],[password],[email address],[quota]<br />
For example,<br />
user1,ajg7rY,user1@example.com,0<br />
The file (user.csv) should be created in CSV format using Excel, Notepad or another Windows<br />
text editor. It is recommended that you download the current user list first by clicking File<br />
Download, edit it as required, and then upload it using the File Upload button.<br />
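Because a malformed line in the upload file can silently create a user with the wrong quota or address, it pays to validate the file before uploading it. The following is an added example, not part of the guide or the product: it parses the [login],[password],[email address],[quota] format, accepting comma- or tab-separated lines as the guide allows, reports per-line problems, and writes clean records back out. The validation rules (allowed login characters, a 6-character password minimum, quota as a whole number of megabytes) are this example's own assumptions; the appliance's exact rules are not stated in the guide. The sample file is constructed.<br />

```python
# Added example: validate a user list in "[login],[password],[email address],[quota]"
# format before uploading it. The rules below are assumptions of this example,
# not the appliance's RFC 821 validation.
import csv
import io
import re
from typing import Dict, List, Tuple

# Conservative mailbox-name check (assumption, not the appliance's own rule).
LOGIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MIN_PASSWORD_LEN = 6   # assumption: worth enforcing before upload

EXPECTED_FIELDS = ("login", "password", "email", "quota_mb")


def _delimiter(line: str) -> str:
    """The guide allows comma- or tab-separated files; detect per line."""
    return "\t" if "\t" in line else ","


def parse_user_list(text: str) -> Tuple[List[Dict[str, object]], List[str]]:
    """Return (valid user records, error messages). Blank lines are skipped."""
    users: List[Dict[str, object]] = []
    errors: List[str] = []
    seen_logins = set()
    for lineno, line in enumerate(io.StringIO(text), start=1):
        line = line.rstrip("\r\n")
        if not line.strip():
            continue
        row = next(csv.reader([line], delimiter=_delimiter(line)))
        if len(row) != len(EXPECTED_FIELDS):
            errors.append(f"line {lineno}: expected 4 fields, got {len(row)}")
            continue
        login, password, email, quota = (f.strip() for f in row)
        problems = []
        if not LOGIN_RE.match(login):
            problems.append("invalid login")
        elif login.lower() in seen_logins:
            problems.append("duplicate login")
        if len(password) < MIN_PASSWORD_LEN:
            problems.append(f"password shorter than {MIN_PASSWORD_LEN} characters")
        if not EMAIL_RE.match(email):
            problems.append("invalid email address")
        if not quota.isdigit():
            problems.append("quota must be a whole number of MB (0 = no quota)")
        if problems:
            errors.append(f"line {lineno}: " + "; ".join(problems))
            continue
        seen_logins.add(login.lower())
        users.append({"login": login, "password": password,
                      "email": email, "quota_mb": int(quota)})
    return users, errors


def render_user_list(users: List[Dict[str, object]]) -> str:
    """Write records back out in the comma-separated form shown in the guide."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for u in users:
        writer.writerow([u["login"], u["password"], u["email"], u["quota_mb"]])
    return out.getvalue()


# Constructed sample (not a real user list): line 3 has a bad quota, line 4 a
# bad address, line 5 duplicates user1 with different case, line 6 is tab-separated.
SAMPLE = (
    "user1,ajg7rY,user1@example.com,0\n"
    "user2,Kq93mZpQ,user2@example.com,200\n"
    "user3,Zz7mQ2xB,user3@example.com,lots\n"
    "user4,Tp8nR4vL,user4-at-example.com,50\n"
    "User1,Hh6dF9sW,user1.alt@example.com,0\n"
    "user5\tYy5cB1nM\tuser5@example.com\t100\n"
)

if __name__ == "__main__":
    ok, bad = parse_user_list(SAMPLE)
    print(render_user_list(ok), end="")
    for err in bad:
        print("ERROR", err)
```

Run against the downloaded user.csv, the script prints the clean records and one ERROR line per rejected row, so the file can be corrected before File Upload.<br />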
Mailbox Options<br />
Click the Options button to set the maximum mailbox size (in bytes) for all local mailboxes. Set<br />
this value to 0 to disable the limit.<br />
Note: The value must not be smaller than the Maximum message size limit set in Mail<br />
Delivery -> Mail Access. If you set this value to 0, users will be able to send any size of<br />
message.<br />
Mirror Accounts<br />
LDAP user accounts can be imported from an LDAP directory server and mirrored on the local<br />
<strong>ePrism</strong> system. This allows you to create local accounts based on the LDAP account to allow these<br />
users to login locally for the Spam Quarantine feature.<br />
Note: These mirror accounts are not local accounts that can accept mail, they are only<br />
used for the Spam Quarantine feature.<br />
See “Directory <strong>User</strong>s” on page 61 for more detailed information on creating mirror accounts.<br />
If you have imported LDAP user accounts via Basic Config -> Directory Services -><br />
Directory <strong>User</strong>s, a new option will appear in the Local Accounts menu called Mirror Accounts<br />
that displays all mirrored user accounts.<br />
You can remove selected users' mirror accounts, or remove all of them by clicking the Remove All<br />
button.<br />
Note: When using the Remove All button, users are removed as a background process and<br />
if you have many pages of users, it may take several minutes for the operation to complete.<br />
Strong Authentication<br />
By default, user authentication is based on <strong>User</strong>ID and password. <strong>ePrism</strong> also supports strong<br />
authentication methods such as CRYPTOCard, SafeWord, and RSA SecurID. These hardware<br />
token devices provide an additional authentication key that must be entered in addition to the<br />
<strong>User</strong>ID and password.<br />
You can select a strong authentication type in the Strong Authentication drop-down menu of the<br />
user’s profile.<br />
CRYPTOCard<br />
The CRYPTOCard option is supported by a local authentication server and requires no external<br />
system for authentication. When CRYPTOCard is selected, you will be prompted to program the<br />
card at that time using the token configuration wizard.<br />
Note: Only manually programmable CryptoCard RB-1 tokens are supported.<br />
SafeWord<br />
SafeWord Platinum and Gold tokens are supported by a local authentication server, and require no<br />
external system for authentication. When SafeWord is selected, you will be prompted to program<br />
the card at that time using the token configuration wizard.<br />
Note: Only manually programmable SafeWord tokens are supported.<br />
SecurID<br />
To configure RSA SecurID, you must set up the system as a valid client on the ACE Server, and<br />
create an sdconf.rec (ACE Agent version 4.x) file and upload it to <strong>ePrism</strong>.<br />
Note: The sdconf.rec file must be for version 4.x of the ACE Agent. Versions greater than<br />
4.x generate a different format of this file.<br />
Select <strong>User</strong> Accounts -> SecurID on the menu to configure SecurID.<br />
Click the Browse button to find and load a sdconf.rec file. Click Upload when finished.<br />
After enabling SecurID via User Accounts -> SecurID, you must also enable it for a network<br />
interface in the Basic Config -> Network screen.<br />
Note: Ensure that <strong>ePrism</strong>’s domain name is listed in your DNS server.<br />
SecurID authentication may not work properly if a DNS record does not exist.<br />
Remote Accounts and Directory Authentication<br />
Directory authentication allows users to be authenticated without having a local <strong>ePrism</strong> account.<br />
When an unknown user logs in, <strong>ePrism</strong> will send the <strong>User</strong>ID and password to the specified LDAP<br />
or RADIUS server. If the user is authenticated, <strong>ePrism</strong> logs them in and provides access to the<br />
specified server or servers.<br />
LDAP and RADIUS are widely supported, and provide a convenient way of providing access to<br />
internal mail servers or webmail servers such as Outlook Web Access. Users who log in locally to<br />
an Exchange server with an Active Directory identity can use the same identity to reach Outlook<br />
Web Access through ePrism's Secure WebMail service.<br />
Note: If both LDAP and RADIUS services are defined, the system will try to authenticate<br />
via RADIUS first, and then LDAP if the RADIUS authentication fails.<br />
Configuring Directory Authentication<br />
Select <strong>User</strong> Accounts -> Remote Auth from the menu to configure LDAP and RADIUS<br />
authentication.<br />
If you want to use LDAP for authentication, click the New button in the LDAP Sources section to<br />
define a new LDAP source.<br />
• Directory Server — Select a configured LDAP directory server for authentication.<br />
• Search Base — Enter the base DN at which the search starts, such as<br />
cn=users,dc=example,dc=com.<br />
• Scope — Select the scope of the search: Subtree, One Level, or Base.<br />
Base: Searches the base object only.<br />
One Level: Searches objects beneath the base object, but excludes the base object.<br />
Subtree: Searches the entire subtree of which the base distinguished name is the topmost<br />
object, including that base object.<br />
• Query Filter — Enter a specific query filter to search for a user in your LDAP directory<br />
hierarchy. For Active Directory implementations, use (ObjectClass=user).<br />
• Timeout — The maximum interval, in seconds, to wait for the search to complete.<br />
• Account name attribute — Enter the account name result attribute that identifies a user’s<br />
login or account name, such as sAMAccountName for Active Directory implementations.<br />
Note: You will need to enter the appropriate Query Filter and Account name attribute for<br />
your particular LDAP infrastructure if you use another LDAP service such as OpenLDAP<br />
and iPlanet.<br />
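The three scope definitions, the query filter and the account-name attribute together decide which directory entry a login is matched against, and a wrong combination is a common reason remote authentication fails (for example, One Level silently missing users in a nested OU). The following added example, not code from the guide or the product, shows how they combine by searching a small constructed in-memory directory. The DN handling is simplified (no escaping, case-insensitive comparison) and the filter matcher supports only the single-equality form (attribute=value) shown above, so it is an illustration of the semantics rather than an LDAP client.<br />

```python
# Added example: how Base / One Level / Subtree scope, the query filter and the
# account-name attribute combine to locate a login. The directory is a
# constructed in-memory stand-in; DN handling and filter matching are simplified.
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]   # attribute name (lower-case) -> values


def _norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: lower-case, no whitespace around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def _parent_dn(dn: str) -> Optional[str]:
    parts = _norm_dn(dn).split(",", 1)
    return parts[1] if len(parts) == 2 else None


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """Apply the scope definitions from the guide."""
    entry, base = _norm_dn(entry_dn), _norm_dn(base_dn)
    if scope == "Base":              # the base object only
        return entry == base
    if scope == "One Level":         # direct children, excluding the base object
        return _parent_dn(entry) == base
    if scope == "Subtree":           # the base object and everything beneath it
        return entry == base or entry.endswith("," + base)
    raise ValueError(f"unknown scope: {scope!r}")


def matches_filter(entry: Entry, query_filter: str) -> bool:
    """Match a single equality filter such as '(ObjectClass=user)', case-insensitively."""
    body = query_filter.strip()
    if not (body.startswith("(") and body.endswith(")") and "=" in body):
        raise ValueError(f"unsupported filter: {query_filter!r}")
    attr, value = body[1:-1].split("=", 1)
    values = entry.get(attr.strip().lower(), [])
    return any(v.lower() == value.strip().lower() for v in values)


def find_account(directory: Dict[str, Entry], base_dn: str, scope: str,
                 query_filter: str, account_attr: str, login: str) -> Optional[str]:
    """DN of the entry whose account-name attribute equals `login`, considering
    only entries that are in scope and match the query filter; None if absent."""
    attr = account_attr.lower()
    for dn, entry in directory.items():
        if not in_scope(dn, base_dn, scope):
            continue
        if not matches_filter(entry, query_filter):
            continue
        if any(v.lower() == login.lower() for v in entry.get(attr, [])):
            return dn
    return None


# Constructed directory (not real data): a users container with one nested OU.
DIRECTORY: Dict[str, Entry] = {
    "cn=users,dc=example,dc=com": {"objectclass": ["container"]},
    "cn=alice,cn=users,dc=example,dc=com": {"objectclass": ["user"], "samaccountname": ["alice"]},
    "cn=svc-backup,cn=users,dc=example,dc=com": {"objectclass": ["user"], "samaccountname": ["svc-backup"]},
    "ou=contractors,cn=users,dc=example,dc=com": {"objectclass": ["organizationalUnit"]},
    "cn=bob,ou=contractors,cn=users,dc=example,dc=com": {"objectclass": ["user"], "samaccountname": ["bob"]},
    "cn=printer1,cn=computers,dc=example,dc=com": {"objectclass": ["computer"], "samaccountname": ["printer1$"]},
}

BASE = "cn=users,dc=example,dc=com"
FILTER = "(ObjectClass=user)"
ACCOUNT_ATTR = "sAMAccountName"

if __name__ == "__main__":
    for scope in ("Base", "One Level", "Subtree"):
        print(scope, "->", find_account(DIRECTORY, BASE, scope, FILTER, ACCOUNT_ATTR, "bob"))
```

Running the block shows bob found only with Subtree scope, while the computer object outside the search base and the container itself are never matched; the same reasoning applies when choosing a different base, filter or attribute for OpenLDAP or iPlanet.<br />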
RADIUS<br />
Complete the following fields to use a RADIUS server for authentication.<br />
• Server — Enter the FQDN or IP address of the RADIUS server.<br />
• Shared Secret — Enter the shared secret for the RADIUS server. A shared secret is a text<br />
string that acts as a password between a RADIUS server and client. Choose a secure shared<br />
secret of at least 8 characters in length, and include a mixture of upper and lowercase alphabetic<br />
characters, numbers, and special characters such as the "@" symbol.<br />
Note: When you add a RADIUS server, the administrator of the RADIUS server must<br />
also list this <strong>ePrism</strong> Email Security Appliance as a client using the same shared secret.<br />
All listed RADIUS servers must contain the same users and credentials.<br />
• Timeout — Enter a timeout value to contact the RADIUS server.<br />
• Retry — Enter the retry interval to contact the RADIUS server.<br />
The server "This ePrism Email Security Appliance" will only be made accessible to mirror users.<br />
See “Directory Users” on page 61 for more information on setting up mirrored accounts.<br />
The other servers listed in the Accessible Servers option are configured via <strong>User</strong> Accounts -><br />
Secure WebMail. See “Secure WebMail” on page 160 for more detailed information on<br />
configuring this feature.<br />
Relocated <strong>User</strong>s<br />
Use the Relocated <strong>User</strong>s screen to return information to the sender of a message on how to reach<br />
users that no longer have an account on the <strong>ePrism</strong> system. A full domain can also be specified if<br />
the address has changed for a large number of users.<br />
Select Mail Delivery -> Relocated <strong>User</strong>s on the menu to configure the relocation information.<br />
Click the Add button to add a new relocated user.<br />
Enter a user or domain name in the <strong>User</strong> field, such as user, user@example.com, or<br />
@example.com to specify an entire domain.<br />
In the "<strong>User</strong> has moved to…" field, enter any appropriate contact information for the relocated<br />
user, such as their new email address, street address, or phone number.<br />
Vacation Notification<br />
When a user will be out of the office, they can enable Vacation Notification which sends an<br />
automated email reply to incoming messages. The reply message is fully configurable, allowing a<br />
user to personalize the vacation notification message.<br />
Note: Vacation Notifications are processed after mail aliases and mappings. You must<br />
create notifications for a specific end user and not for an alias or mapping.<br />
The process for configuring Vacation Notification includes the following steps:<br />
1. The administrator enables Vacation Notification globally.<br />
2. Individual settings are then configured in one of two ways:<br />
The administrator configures Vacation Notification for the user via User Accounts.<br />
The user configures Vacation Notification via WebMail.<br />
Select Mail Delivery -> Vacations from the menu to enable Vacation Notification globally.<br />
• Enable Vacation Notification — Enable or disable the service globally for all users.<br />
• Domain Part of Email Address — Enter the domain name to be appended to local user<br />
names. This value will be used for all local users.<br />
• Interval Before Re-sending — The number of days after a previous notification was sent to<br />
send another reply if a new email arrives from the original sender.<br />
Default Vacation Notification Profile<br />
Enter the subject and contents for the default notification message. <strong>User</strong>s will be able to change<br />
the subject and message from their own user profile.<br />
Click the Edit Vacations button to see all Vacation Notification settings and to add arbitrary<br />
notifications for non-local users.<br />
Click on an Email address to edit the user’s vacation notification settings.<br />
From this screen, an administrator can configure the notification settings, including the address<br />
that incoming mail will receive a vacation response from.<br />
<strong>User</strong> Vacation Notification Profile<br />
Vacation notification settings can be configured for individual users via their user profile in the<br />
<strong>User</strong> Accounts menu. <strong>User</strong>s can configure their own Vacation Notification settings in their profile<br />
via the <strong>ePrism</strong> Mail Client.<br />
To configure Vacation Notification:<br />
1. Log in to the ePrism Mail Client.<br />
2. Set the Vacation Start Date by selecting the required date on the left calendar.<br />
3. Set the Return to Work Date on the right calendar. The vacation notices will be sent out<br />
automatically during this time.<br />
4. Modify the default subject and contents of the response message.<br />
5. Click Save <strong>User</strong> Profile.<br />
Note: Vacation notifications are not sent to emails marked as bulk, such as mailing lists<br />
and system generated messages. Notifications are also not sent to messages identified as<br />
spam.<br />
Tiered Administration<br />
Tiered Administration allows an administrator to assign additional administrative access<br />
permissions on a per-user basis. For example, the administrator can designate another user as an<br />
alternate administrator by selecting the Full Admin option in their user profile.<br />
To enable administrator permissions, select a user profile from the <strong>User</strong> Accounts -> Local<br />
Accounts menu. Enable each administrative option as required for that user by selecting the<br />
corresponding check box.<br />
Note: WebMail access must be enabled on the network interface that will be used by<br />
tiered administration users. This is set in the Basic Config -> Network screen.<br />
To distribute administrative functions, the administrator can configure more selective permissions<br />
to authorize a user only for certain tasks such as administering users and reports, configuring<br />
anti-spam filter patterns, or viewing the email database.<br />
• Full Admin — The user has administrative privileges equivalent to the admin user.<br />
• Administer Aliases — The user can add, edit, remove, upload and download aliases (not<br />
including LDAP aliases).<br />
• Administer Filter Patterns — The user can add, edit, remove, upload and download Pattern<br />
Based Message Filters and Specific Access Patterns.<br />
• Administer Mail Queue — The user can administer mail queues.<br />
• Administer Quarantine — The user can view, delete, and send quarantined files.<br />
• Administer Reports — The user can view, configure and generate reports, and view system<br />
activity.<br />
• Administer <strong>User</strong>s — The user can add, edit, and relocate user mailboxes (except the Full<br />
Admin users), including uploading and downloading user lists. <strong>User</strong> vacation notifications can<br />
also be configured.<br />
• Administer Vacations — The user can edit local users' vacation notification settings and other<br />
global vacation parameters.<br />
• View Activity — The user can view the Activity page and start and stop mail services.<br />
Individual emails can only be viewed if View Email Database is also enabled.<br />
• View Email Database — The user can view the email database.<br />
• View System Logs — The user can view all logs.<br />
Granting full or partial admin access to one or more user accounts allows actions taken by<br />
administrators to be logged because they have an identifiable <strong>User</strong>ID that can be tracked by the<br />
system.<br />
Note: A user with Full Admin privileges cannot modify the profile of the Admin user.<br />
They can, however, edit other users with Full Admin privileges.<br />
Logging in with Tiered Admin Privileges<br />
When tiered administrative privileges have been assigned to a user, they can access them via the<br />
<strong>ePrism</strong> mail client interface by logging in locally to <strong>ePrism</strong>.<br />
Select the type of feature you want to administer via the top-left drop down menu.<br />
CHAPTER 8<br />
Secure WebMail and<br />
<strong>ePrism</strong> Mail Client<br />
This chapter describes how to set up Secure WebMail and ePrism Mail Client on your ePrism<br />
Email Security Appliance, and contains the following topics:<br />
• “Secure WebMail” on page 160<br />
• “<strong>ePrism</strong> Mail Client” on page 164<br />
Secure WebMail<br />
The Secure WebMail feature provides a highly secure mechanism for accessing webmail services<br />
such as Microsoft OWA (Outlook Web Access), Lotus iNotes, and IMAP servers.<br />
Webmail services provide an attractive, easy to use remote interface for users to access their mail<br />
server mailboxes remotely via a web browser.<br />
As these webmail services are accessible from the Internet, they present a number of security<br />
challenges. The Secure WebMail feature is designed to support the use of webmail services while<br />
protecting them from Internet attacks. The connection is managed using a full application proxy:<br />
ePrism completely recreates all HTTP/HTTPS requests made by the external client to the internal<br />
webmail server.<br />
Configuring Secure WebMail and <strong>ePrism</strong> Mail Client<br />
Select Basic Config -> Network, and then select the WebMail check box to enable WebMail<br />
access on a network interface.<br />
Select <strong>User</strong> Accounts -> Secure WebMail to configure Secure WebMail and <strong>ePrism</strong> Mail Client<br />
options.<br />
Access Types<br />
The following options enable controls in the WebMail interface for features such as the Spam<br />
Quarantine, Trusted Senders, and administrative access.<br />
• Administrative Access — Enables access to administrative functions if the user has<br />
administrative privileges, such as via Tiered Administration.<br />
• Local Mail — Enables access to IMAP servers on the local network.<br />
• Proxy Mail — Enables proxy mail access to other IMAP servers.<br />
• Personal Quarantine Controls — Enables the Spam Quarantine controls. The Spam<br />
Quarantine must be enabled globally via Mail Delivery -> Anti-Spam -> Spam Quarantine.<br />
• Trusted Senders — Enables the Trusted Senders List controls. Trusted Senders must be<br />
enabled globally via Mail Delivery -> Anti-Spam -> Trusted Senders.<br />
For organizations that only want to use local mailboxes for the Spam Quarantine controls or<br />
Trusted Senders, it is recommended that you disable Local Mail and Proxy Mail access, while<br />
enabling Personal Quarantine Controls and Trusted Senders. This displays only those functions to the<br />
end user when they log into the <strong>ePrism</strong> Mail Client/WebMail account.<br />
Caution: At least one of these options must be enabled to allow WebMail access on a<br />
specified interface in Basic Config -> Network. If all of these access options are disabled,<br />
the WebMail access option on an interface will be disabled.<br />
Servers<br />
Click the Add Server button to add an internal server to be accessed. The servers must be running<br />
one of the following: IMAP, Outlook Web Access (OWA), or Lotus iNotes.<br />
• Cached server passwords — This option, when enabled, will keep a copy of the user’s<br />
password until they explicitly log out. If a user switches servers, they will not need to re-enter<br />
their password.<br />
• Upload Maximum File Size — Enter the maximum file size allowed in megabytes.<br />
• Address — Enter the IP address, hostname, or URL of the server. Add users to this server by<br />
selecting the corresponding check box for that user.<br />
• Label — Enter an optional label to describe this server.<br />
• <strong>User</strong>s who may access this server — Select the users who will be able to access this server.<br />
• Automatic Server Login — Select this option to try the user’s WebMail ID/Login first before<br />
prompting for an ID and password. Leave this option disabled to force a login prompt for each<br />
new server.<br />
Note: This option should be disabled if the server is set to expire passwords after three<br />
failed attempts.<br />
• Use Most Recent — Select this option to try the most recently used credentials first when<br />
changing servers.<br />
• Force Compatibility — Select this option to ensure support for Outlook Web Access 2000<br />
and limited support for OWA 2003.<br />
• Make Invisible — Use this option to make the server invisible to users in the Secure WebMail<br />
server dropdown list.<br />
• Keep Alive — The frequency of messages sent to the server to keep the connection alive.<br />
<strong>ePrism</strong> Mail Client<br />
<strong>ePrism</strong> Mail Client is the native webmail client for the <strong>ePrism</strong> Email Security Appliance. Using<br />
<strong>ePrism</strong> Mail Client, you can access local mailboxes, IMAP Servers, administrative access, the Spam<br />
Quarantine, and the Trusted Senders List.<br />
From a web browser, enter the hostname or IP address of the ePrism system running ePrism Mail<br />
Client. Log in with your local user ID and password. (The login may also be authenticated using<br />
LDAP or RADIUS.)<br />
When successfully logged in, the <strong>ePrism</strong> Mail Client interface will be displayed.<br />
Configuring <strong>ePrism</strong> Mail Client Options<br />
In the <strong>User</strong> Accounts -> Secure Webmail -> <strong>ePrism</strong> Mail Client Options screen, you can<br />
configure popup options, the sent mailbox folder, and other <strong>ePrism</strong> Mail Client features.<br />
Note: To see popup windows, your web browser must have popups enabled.<br />
• New Mail Popup — Enable a popup window for new mail notifications.<br />
• Minimize Popups — Minimize the use of new popup browser windows by using the main<br />
frame.<br />
• Enable Inline HTML-mail Viewing — Enables the viewing of HTML mail. For security<br />
reasons, any scripts and fetches for external objects are filtered out.<br />
• Save Sent Mail — Enables saving of sent mail in the user’s mailbox.<br />
• Sent Mail-box — The name of the sent mail folder if enabled.<br />
• Editable From — Enables a user to edit the From: field when composing mail.<br />
CHAPTER 9<br />
Policy Management<br />
This chapter describes how to use and configure Policy controls for user groups and domains,<br />
and contains the following topics:<br />
• “Policy Overview” on page 168<br />
• “Creating Policies” on page 171<br />
Policy Overview<br />
ePrism’s Policy controls allow settings for annotations, anti-spam, anti-virus, and attachment<br />
control to be customized and applied to different groups or domains of users. Domains can be<br />
added manually, while user groups and users can be imported from LDAP-compatible directories.<br />
Policies can then be created to apply customized settings to these groups and domains.<br />
Policies can be configured for the following items:<br />
• Annotations<br />
• Anti-Virus<br />
• Inbound and Outbound Attachment Control<br />
• DCC<br />
• STA<br />
Note: Anti-Virus scanning must be licensed before it can be used with policy controls.<br />
Policy Scenarios<br />
The following describes some examples of how you can use policies to provide customized settings<br />
to different groups or domains of users in your organization.<br />
• Annotations — You may want your Technical Support and Marketing departments to have<br />
different annotations appended to their outgoing messages. You can set up your group policy to<br />
provide an annotation emphasizing technical services for the Technical Support department,<br />
and a sales and promotional annotation for the Marketing department. Other users may only<br />
require a company-wide disclaimer to be appended to their emails.<br />
• Attachment Control — You can set up group policies to allow your Development group to<br />
accept and send executable files (.exe) to each other, while configuring your attachment control<br />
settings for all your other departments to block this file type to prevent the spread of viruses<br />
among the general users. The Development group will be allowed to use these files because they<br />
may need to send compiled code to each other.<br />
• Anti-Spam — When using the STA (Statistical Token Analysis) anti-spam tool, you may want to<br />
use or evaluate it with only one particular domain. Domain policies allow you to enable and<br />
configure STA for only certain domains, while disabling it for all other domains.<br />
Global and Default Policies<br />
You do not have to create separate policies for each and every user group or domain. Global and<br />
Default templates can be used to easily apply the same policy to several groups or domains.<br />
The Global Policy is the master policy that can be inherited by the Default or individual group or<br />
domain policies. You can enable or disable each feature globally, and then select the feature to<br />
configure it. For the Default Policy, you can choose to use the Global Policy value, or enable and<br />
customize each configuration item individually. For each individual user group or domain, you can<br />
use the Default Policy, or customize each group or domain individually.<br />
Multiple Group Membership<br />
In the event users are members of multiple groups, and different policies apply for these groups,<br />
the following rules apply. In general, the least restrictive policy is applied when multiple group<br />
membership policies apply.<br />
Note: If a recipient or sender belongs to a group that does not have a policy defined, then<br />
the Default Policy is used. In the situation where multiple policies are in effect, the least<br />
restrictive policy will apply. If the Default Policy is the least restrictive, it will be the policy<br />
in effect. It is a recommended best practice to make the Default Policy more restrictive<br />
than the individual group policies.<br />
Attachment Control<br />
If a user is a member of more than one group when using attachment control, a setting of PASS<br />
for any of the group policies will result in the attachment being passed through.<br />
• Group A: Attachment Control is set to PASS<br />
• Group B: Attachment Control is set to BLOCK<br />
Result: The attachment will PASS.<br />
Anti-Virus<br />
• Group A: Anti-Virus ON<br />
• Group B: Anti-Virus OFF<br />
Result: The messages for the user will not be scanned for viruses.<br />
Anti-Spam Scenario 1<br />
• Group A: STA/DCC ON<br />
• Group B: STA/DCC ON<br />
Result: The message will always be flagged with an STA metric or DCC value for the mail<br />
transport logs, and the specified action (such as Modify Subject Header) will take place.<br />
Anti-Spam Scenario 2<br />
• Group A: STA/DCC ON<br />
• Group B: STA/DCC OFF<br />
Result: The message will always be flagged with an STA metric or DCC value for the mail transport<br />
logs, but no action will be taken.<br />
Annotations<br />
• Group A: Configured with Annotation "A"<br />
• Group B: Configured with Annotation "B"<br />
Result: The annotation that is applied is determined by the order in which the groups were<br />
imported in the system. If Group B was imported first, then annotation "B" will apply.<br />
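The multiple-membership rules above (least restrictive wins, annotation by import order, Default Policy for groups without one) as an added worked example; this is illustrative code written for this guide, not ePrism’s own implementation, and the Policy/EffectivePolicy classes, the Default Policy values and the behaviour when STA/DCC is OFF in every group are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Policy:
    """One group or domain policy (a constructed model of the ePrism policy features)."""
    name: str
    attachment_control: str      # "PASS" or "BLOCK"
    anti_virus: bool             # True = scanning ON
    sta_dcc: bool                # True = STA/DCC ON
    annotation: Optional[str]    # text appended to outgoing mail, or None
    import_order: int            # position in which the group was imported (1 = first)


@dataclass(frozen=True)
class EffectivePolicy:
    """What actually happens to a message for a user with several group memberships."""
    attachment_control: str
    anti_virus: bool
    spam_flagged: bool           # STA metric / DCC value recorded in the transport logs
    spam_action: bool            # configured action (e.g. Modify Subject Header) taken
    annotation: Optional[str]


# Constructed Default Policy, deliberately more restrictive than any group policy,
# as the guide recommends.
DEFAULT_POLICY = Policy("Default", "BLOCK", True, True, "Company-wide disclaimer", 0)


def resolve(group_policies: Dict[str, Optional[Policy]],
            default: Policy = DEFAULT_POLICY) -> EffectivePolicy:
    """Combine the policies of every group the user belongs to; least restrictive wins.

    group_policies maps group name -> its policy, or None for a group that has no
    policy defined; such a group, and a user in no group at all, gets the Default.
    """
    in_effect: List[Policy] = [p or default for p in group_policies.values()] or [default]

    # Attachment control: PASS in any policy means the attachment passes.
    attachment = "PASS" if any(p.attachment_control == "PASS" for p in in_effect) else "BLOCK"
    # Anti-virus: OFF in any policy means the message is not scanned.
    anti_virus = all(p.anti_virus for p in in_effect)
    # STA/DCC: with ON in at least one policy the metric is always recorded, but the
    # action fires only when every policy has it ON (OFF everywhere records nothing;
    # that last case is an assumption, the guide does not spell it out).
    spam_flagged = any(p.sta_dcc for p in in_effect)
    spam_action = all(p.sta_dcc for p in in_effect)
    # Annotation: the group imported first wins; the Default annotation is used only
    # when no group policy carries one (assumed, since the Default has no import order).
    group_annotated = [p for p in in_effect if p is not default and p.annotation]
    if group_annotated:
        annotation = min(group_annotated, key=lambda p: p.import_order).annotation
    else:
        annotation = default.annotation

    return EffectivePolicy(attachment, anti_virus, spam_flagged, spam_action, annotation)


def weakened_by(group_policies: Dict[str, Optional[Policy]],
                default: Policy = DEFAULT_POLICY) -> Dict[str, List[str]]:
    """Per feature, the groups whose policy is looser than the Default.

    Because the least restrictive policy wins, every group listed here can switch a
    protection off for its members regardless of what their other groups require.
    """
    looser: Dict[str, List[str]] = {"attachment_control": [], "anti_virus": [], "sta_dcc": []}
    for name, p in group_policies.items():
        if p is None:
            continue
        if default.attachment_control == "BLOCK" and p.attachment_control == "PASS":
            looser["attachment_control"].append(name)
        if default.anti_virus and not p.anti_virus:
            looser["anti_virus"].append(name)
        if default.sta_dcc and not p.sta_dcc:
            looser["sta_dcc"].append(name)
    return looser


if __name__ == "__main__":
    # Constructed groups: Marketing was imported first, Development second.
    dev = Policy("Development", "PASS", True, True, "Tech support annotation", 2)
    mkt = Policy("Marketing", "BLOCK", False, False, "Sales annotation", 1)
    print(resolve({"Development": dev, "Marketing": mkt}))
    print(weakened_by({"Development": dev, "Marketing": mkt}))
```

Running `weakened_by` over every imported group is a quick way to find the single group that disables virus scanning or attachment blocking for everyone who is also a member of it.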
Creating Policies<br />
To configure group policies, you must follow these general steps:<br />
1. Configure an LDAP server.<br />
2. Perform an initial import of LDAP users and groups, and then define domains manually if<br />
required.<br />
3. Configure and customize the Default policy.<br />
4. Apply the Default policy to your imported groups or defined domains, or customize each<br />
policy individually.<br />
5. Enable the required policy features in the Global settings.<br />
6. Enable Policy controls.<br />
Step 1: Adding an LDAP Server<br />
You must first ensure you have defined a valid LDAP server in the Basic Config -> Directory<br />
Services -> Directory Servers. See “Directory Servers” on page 56 for more information on<br />
adding LDAP servers.<br />
Step 2: Import and Define Groups and Domains<br />
Once you have an LDAP directory server defined, you can import your user and group<br />
membership information. Select Basic Config -> Directory Services -> Directory <strong>User</strong>s to<br />
import users from the LDAP directory. Select Basic Config -> Directory Services -> Directory<br />
Groups to import groups. See “Directory Groups” on page 58 for more information on<br />
importing LDAP users and groups.<br />
When your group membership information has been imported from an LDAP directory, click the<br />
Add Group button on the Policy screen. For Domains, click the Add Domain button on the<br />
Policy screen.<br />
Enter the domain name, such as example.com, and then for each feature, choose whether you<br />
want to use the Default Policy, or customize the feature for this domain.<br />
Click Add when finished to add the Domain policy.<br />
Step 3: Customize the Default Policy<br />
Select Mail Delivery -> Policy on the main menu to enter the policy configuration screen.<br />
Select the Default Policy to configure the default policy setting that will be applied to all groups<br />
and domains. When Policies are enabled, this policy will be applied to users that do not belong to<br />
any group.<br />
You can use the Global value (current status shown in the Global column on the right side), or<br />
enable/disable each policy feature as required.<br />
Select a feature, such as Annotation, to customize its properties for the Default policy.<br />
Step 4: Configure Individual Group and Domain Policies<br />
Select the name of the Group or Domain to configure the Policy for each individual user group.<br />
For each group or domain, you can use the Default policy, or enable/disable and customize each<br />
policy feature as required.<br />
Select a feature, such as Annotations, to configure its properties for the individual group or<br />
domain.<br />
Step 5: Configure the Global Policy Settings<br />
The Global settings define which policy features are enabled globally. Select Mail Delivery -><br />
Policy on the main menu to enter the policy configuration screen.<br />
Select Global to configure your global policy settings. This step enables or disables these features<br />
globally, and the current state will become immediately active.<br />
You must configure your Default Policy and individual Group and Domain policies first before<br />
enabling these features globally.<br />
Select the check box beside each feature you want to enable globally for policy controls.<br />
Click on an individual feature, such as Annotation, to customize it for global policy controls.<br />
Step 6: Enable Group Policy<br />
When you have all your policy settings configured, you must click the Enable Policy button in the<br />
Mail Delivery -> Policy screen.<br />
Note: To Disable policies globally, you must click on Global and then click the Disable<br />
Policy button.<br />
CHAPTER 10<br />
System Management<br />
This chapter describes the tools used to administer the <strong>ePrism</strong> Email Security Appliance and<br />
contains the following topics:<br />
• “System Status and Utilities” on page 178<br />
• “Mail Queue Management” on page 181<br />
• “Quarantine Management” on page 182<br />
• “License Management” on page 184<br />
• “Software Updates” on page 186<br />
• “Security Connection” on page 187<br />
• “Reboot and Shutdown” on page 188<br />
• “Backup and Restore” on page 189<br />
• “Centralized Management” on page 197<br />
• “Problem Reporting” on page 202<br />
System Status and Utilities<br />
The Status/Reporting -> Status & Utility screen provides the following information:<br />
• A snapshot of the system status, including information on uptime, load average, amount of swap<br />
space, current date and time, disk usage, RAID status, NTP status, and Anti-Virus pattern file<br />
status.<br />
• Controls to start and stop the mail systems and flush the mail queues.<br />
• Diagnostic tools such as a DNS lookup function, SMTP Probe, Ping, and Traceroute utilities<br />
that are useful for resolving mail and networking problems.<br />
• System hardware configuration information.<br />
System Status<br />
From the System Status screen, you can view a number of system statistics such as the total system<br />
Uptime, load average, the amount of used swap and disk partition space, RAID status, NTP server<br />
status, and Anti-Virus pattern update status.<br />
Utility Functions<br />
The Utility Functions allow you to control the following system services:<br />
• Stop/Start Mail Services — You can stop or start all mail services by clicking on the<br />
Stop/Start Mail System Control option.<br />
• Disable/Enable Sending and Receiving — Alternately, you can also enable or disable only<br />
the Receiving or Sending of mail by clicking the appropriate button. This is useful if you only<br />
want to stop the processing of mail in one direction only. For example, you may want to turn<br />
off the sending of mail to troubleshoot errors with SMTP delivery, while still being able to<br />
receive incoming mail.<br />
• Flush Mail Queue — The Flush button is used to reprocess any queued mail in the system.<br />
Only click this button once. If the mail queue does not process, you may be having other types<br />
of delivery problems, and reprocessing the mail queue will only add additional load to the<br />
system.<br />
Diagnostics<br />
The Diagnostics section contains networking and SMTP utilities to help troubleshoot network and<br />
mail delivery issues.<br />
See “Network and Mail Diagnostics” on page 258 for more detailed information on using these<br />
diagnostic tools for troubleshooting.<br />
• Hostname Lookup — Allows you to verify host name resolution by looking up a host on a<br />
DNS name server.<br />
• SMTP Probe — Allows you to send a test email to a remote SMTP server.<br />
• Ping — Verifies network connectivity via ICMP ping.<br />
• Traceroute — Ensures routing connectivity by tracing the routes of network data from source<br />
to destination server.<br />
Current Admin and WebMail <strong>User</strong>s<br />
The Current Admin and WebMail <strong>User</strong>s section allows you to see who is logged in via the web admin<br />
interface or through a WebMail session.<br />
Note: If you are using Clustering, an admin login may show up several times on the list<br />
because of additional RPC calls related to clustering communications. In these cases you<br />
will see the Remote IP address as the other <strong>ePrism</strong> systems.<br />
Configuration Information<br />
The Configuration Information section shows you important system information such as the current<br />
version of the system software, the time it was installed, and licensing and hardware information.<br />
Mail Queue Management<br />
The Status/Reporting -> Mail Queue screen contains information on mail waiting to be<br />
delivered. You can search for a specific mail message using the search function. Messages that<br />
appear to be undeliverable can be removed by selecting them and then clicking the Remove link.<br />
Any mail messages in the mail queue can also be reprocessed by clicking the Flush Mail Queue<br />
button. Only click this button once. If the mail queue does not process, you may be having other<br />
types of delivery problems and reprocessing the mail queue will only add additional load to the<br />
system.<br />
Note: The Remove All button is used specifically with the search function. You must enter<br />
a search pattern to use with this button. To delete all mail messages in the queue, enter @<br />
in the search field, and then click Remove All.<br />
Display Options<br />
The following options can be appended to the URL of the Mail Queue screen:<br />
• ?limit=n — Sets the total number of items that will be listed to the specified number. The<br />
default is 2000.<br />
• ?ipp=n — Sets the number of items per page.<br />
• ?order=asc — Sorts items by oldest date first to the most recent.<br />
Note: If the query URL already contains a "?" argument, you must use the "&" instead to<br />
add options to the query.<br />
To set the total number of items to be displayed to 100, use the following URL:<br />
https://mx.example.com/ADMIN/mailqueue.spl?limit=100<br />
Use the "&" symbol instead if a "?" option already exists:<br />
https://mx.example.com/ADMIN/mailqueue.spl?action=submit&limit=100<br />
Quarantine Management<br />
Select Status/Reporting -> Quarantine to manage the Quarantine folder. This folder contains<br />
messages that have been blocked because of a virus, malformed message, or an illegal attachment.<br />
You can view the details of a message by clicking on its ID number, or delete the message from<br />
quarantine by clicking the Delete link.<br />
Quarantined messages can also be released and delivered to their original destination by clicking<br />
the Release link.<br />
Use the search field to look for specific messages within the quarantine. For example, you could<br />
search for the name of a specific virus so that any quarantined messages infected with that specific<br />
virus will be displayed.<br />
Note: The Delete All and Release All buttons are used specifically with the search<br />
function. You must enter a specific search pattern before using these controls. It is<br />
recommended that you use the Expiry Options button to clear the quarantine area of all<br />
messages beyond a certain date.<br />
Display Options<br />
The following options can be appended to the URL of the Quarantined Mail screen:<br />
• ?limit=n — Sets the total number of items that will be listed to the specified number. The<br />
default is 2000.<br />
• ?ipp=n — Sets the number of items per page.<br />
• ?order=asc — Sorts items by oldest date first to the most recent.<br />
Note: If the query URL already contains a "?" argument, you must use the "&" instead to<br />
add options to the query.<br />
To set the total number of items to be displayed to 100, use the following URL:<br />
https://mx.example.com/ADMIN/quarantine.spl?limit=100<br />
Use the "&" symbol instead if a "?" option already exists:<br />
https://mx.example.com/ADMIN/quarantine.spl?action=submit&limit=100<br />
Set Quarantine Expiry<br />
Click the Set Expiry button to configure the expiry settings. An expiry term can be set so that<br />
quarantined messages will be deleted after a certain period of time. You can use this feature to<br />
flush all messages from the quarantine area on a regular basis.<br />
• Expire automatically — Enable this feature to expire messages automatically.<br />
• Days — Enter how many days to keep a quarantined message before deleting it.<br />
• Disk usage (percentage) — Enter a percentage of disk usage that can be used by the<br />
quarantine area. If the quarantine area grows beyond this size, messages will be expired.<br />
Note: The disk partition used by the quarantine is the /var partition.<br />
Click Update to enable the settings for new quarantined messages. Click Update and Expire<br />
Now to apply the settings to all messages in the quarantine area.<br />
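The two expiry rules (age in days, share of the /var partition) as an added worked example of what an expiry run deletes; this is illustrative code, not ePrism’s own, and the message model, the sample quarantine contents and the oldest-first order for the disk rule are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class QuarantinedMessage:
    msg_id: int
    received: datetime
    size_bytes: int


@dataclass(frozen=True)
class ExpirySettings:
    expire_automatically: bool
    days: int                    # keep a message this many days before deleting it
    disk_usage_percent: float    # share of the /var partition the quarantine may use


def select_expired(messages: List[QuarantinedMessage], settings: ExpirySettings,
                   partition_bytes: int, now: datetime) -> List[int]:
    """Return the IDs an expiry run would delete, oldest first.

    Age rule: anything older than `days` is expired.  Disk rule: if what remains
    still exceeds the allowed share of the partition, the oldest survivors are
    expired until it fits (oldest-first is an assumption; the guide only says
    that messages are expired once the quarantine grows beyond the limit).
    """
    if not settings.expire_automatically:
        return []
    cutoff = now - timedelta(days=settings.days)
    by_age = sorted(messages, key=lambda m: m.received)
    expired = [m.msg_id for m in by_age if m.received < cutoff]
    survivors = [m for m in by_age if m.received >= cutoff]
    budget = partition_bytes * settings.disk_usage_percent / 100.0
    used = sum(m.size_bytes for m in survivors)
    while survivors and used > budget:
        oldest = survivors.pop(0)
        used -= oldest.size_bytes
        expired.append(oldest.msg_id)
    return expired


if __name__ == "__main__":
    now = datetime(2005, 5, 16, 8, 0)
    # Constructed quarantine contents and a tiny 1000-byte partition, for illustration.
    sample = [
        QuarantinedMessage(1, now - timedelta(days=40), 50),
        QuarantinedMessage(2, now - timedelta(days=20), 60),
        QuarantinedMessage(3, now - timedelta(days=5), 30),
        QuarantinedMessage(4, now - timedelta(days=1), 30),
    ]
    # Message 1 is past 30 days; message 2 then goes to get under the 10% budget.
    print(select_expired(sample, ExpirySettings(True, 30, 10.0), 1000, now))  # [1, 2]
```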
License Management<br />
The <strong>ePrism</strong> Email Security Appliance initially starts in evaluation mode which can be used for 30<br />
days. After that time, <strong>ePrism</strong> stops accepting new mail. Incoming mail will receive an SMTP failure<br />
message explaining that no mail is being accepted because the evaluation period has elapsed.<br />
Existing mail in the queue will still be delivered, and mail in mailboxes will still be accessible to<br />
POP3/IMAP and <strong>ePrism</strong> Mail Client users.<br />
Use the information in your License Pack to license and activate <strong>ePrism</strong>. Activating <strong>ePrism</strong> also<br />
activates your support contract which is valid for 12 months from purchase.<br />
Note: Your Support Contract entitles you to all software upgrades and patches, as well as<br />
return-to-factory warranty on the hardware. Failure to activate your system may delay the<br />
delivery of support services.<br />
<strong>ePrism</strong> can be licensed both automatically via the Internet and manually. For automatic licensing,<br />
<strong>ePrism</strong> requires an Internet connection.<br />
Automatic License Activation<br />
License <strong>ePrism</strong> automatically as follows:<br />
1. Ensure that the system can access the Internet so it can connect to the St. Bernard License<br />
server.<br />
2. Select Management -> License Management on the menu.<br />
3. Click the Obtain Activation Key button. A new web browser window will open up and display<br />
the St. Bernard licensing activation screen.<br />
4. Enter the serial number found in the Psn field from the License Pack. (This is not the hardware<br />
serial number of the system.)<br />
5. Enter the hardware serial number located on the <strong>ePrism</strong> in the Hsn field.<br />
6. Click Continue to activate the license.<br />
Manual License Activation<br />
To manually activate licenses:<br />
1. From a workstation connected to the Internet, go to St. Bernard’s web site at<br />
activate.stbernard.com to obtain an Activation Key.<br />
2. Select the product you want to license, and then enter the appropriate license information.<br />
3. You will receive an Activation Key that will be used in the following steps.<br />
4. On <strong>ePrism</strong>, select Management -> License Management on the menu.<br />
5. Click the Manual Activation button.<br />
6. Enter the Serial number and Activation Key, and then click Next.<br />
Optional Product Licenses<br />
The following products must be licensed separately. If these options are enabled, they will run in<br />
evaluation mode for 30 days. Use the same licensing procedure described previously to add these<br />
optional licenses.<br />
• Kaspersky Anti-Virus<br />
• HALO Queue Replication<br />
Software Updates<br />
It is important to keep your <strong>ePrism</strong> software updated with the latest patches and upgrades.<br />
A key aspect of good security is responding quickly to new attacks and exposures by updating the<br />
system software when updates are available.<br />
Updates are supplied in special files provided by St. Bernard. These updates can be delivered or<br />
retrieved using a variety of methods, including email, FTP, or from St. Bernard’s support servers.<br />
The Security Connection, if enabled, will download any patches automatically. Security Connection is<br />
discussed in more detail in the next section.<br />
Note: St. Bernard recommends that you back up the current system before performing an<br />
update. See “Backup and Restore” on page 189 for detailed information on the backup and<br />
restore procedure.<br />
Select Management -> Software Updates on the menu to load and apply software updates.<br />
The Software Updates screen shows updates that are Available Updates (loaded onto <strong>ePrism</strong>, but<br />
not applied) and Installed Updates (applied and active). You can install an available update, or<br />
uninstall a previously installed update.<br />
When these software update files are downloaded to your local system, they can be installed by<br />
clicking Browse, navigating to the downloaded file, and then clicking Upload.<br />
After applying any updates, you must restart the system.<br />
Security Connection<br />
The Security Connection is a service running on <strong>ePrism</strong> that polls St. Bernard’s support servers<br />
for new updates, security alerts, and other important information. When new information and<br />
updates are received, an email can be sent to the administrator. It is recommended that you enable<br />
this service.<br />
Note: For security purposes, all Security Connection files are encrypted, and contain an<br />
MD5-based digital signature which is verified after decrypting the file.<br />
• Enabled — Select to enable Security Connection.<br />
• Frequency — Specify how often to run the Security Connection service. Choices are daily,<br />
weekly, and monthly.<br />
• Auto Download — Enable this option to allow software updates to be downloaded<br />
automatically.<br />
• Display Alerts — Enable this option to display any alert messages on the system console.<br />
• Send Email — Enable this option to send an email to the address specified below.<br />
• Notification Mail Address — Specify an email address to receive messages from Security<br />
Connection.<br />
• Support Contract — You must enter a valid Support Contract number. This information is<br />
supplied with your license key at the time of purchase.<br />
Click Update to save your Security Connection configuration.<br />
Click the Connect Now button to run Security Connection immediately.<br />
Reboot and Shutdown<br />
The <strong>ePrism</strong> Email Security Appliance can be safely rebooted or shut down from this menu. Before<br />
shutting down, remove any media from the floppy and CDROM drives.<br />
Click Reboot to shut down the system and reboot.<br />
Click Shutdown to shut down the system completely.<br />
See “Restoring <strong>ePrism</strong> to Factory Default Settings” on page 269 for detailed information on<br />
restarting <strong>ePrism</strong> and restoring it to factory default settings.<br />
Backup and Restore<br />
<strong>ePrism</strong> can back up all data, including the database, quarantined items, mail queues, user mail<br />
directories, uploaded user lists, SSL certificates, reports, and system configuration data.<br />
The <strong>ePrism</strong> Email Security Appliance supports three backup methods:<br />
• Local tape drive (if available)<br />
• FTP server<br />
• Local disk (using browser download)<br />
The restore feature can restore any of these items individually. The <strong>ePrism</strong> system should be<br />
backed up before performing any type of software upgrade or update.<br />
Note: Restoring a clustered system requires a different procedure than outlined in the<br />
next section. See the Cluster Management section starting on page 197 for more<br />
information on backing up and restoring clustered systems.<br />
Restore Considerations<br />
The backup and restore function is primarily intended for product recovery after a re-installation<br />
or upgrade, and it is strongly recommended that all data be restored during a system recovery<br />
rather than individually. Since the size of the reporting database can be quite large, you may want<br />
to restore the reporting database separately after the restoration of the basic system.<br />
Note: You must always restore the system data first before restoring the reporting<br />
database.<br />
If the reporting history number limit parameter is set to a large value, the backup and restore<br />
process may take a long time to complete because of the size of the reporting database.<br />
To reduce the backup and restore time, use the following procedure:<br />
1. Several hours before you back up the system, select Status/Reporting -> Reporting -><br />
Configure. Set the Email History Number Limit to the smallest value (50,000). You will lose any<br />
reporting data beyond the 50,000 item limit, but this will reduce the overall reporting database<br />
size.<br />
2. Perform the backup, upgrade the system, and restore the data.<br />
3. Set the limit back to the original value.<br />
Starting a Backup<br />
You can perform backups on demand, or you can schedule a tape or FTP backup once per day via<br />
the Daily Backup option from the Management menu.<br />
Select Management -> Backup & Restore on the menu to start a backup.<br />
Select the required type of backup and click the Next >> button.<br />
Local Disk (Direct Backup) Options<br />
The following options are for backing up to the local disk:<br />
• Encrypt backup — Select this option to store the backup file in encrypted form.<br />
• Backup system configuration — Select this option to back up all system configuration data,<br />
including mailboxes, STA data, licenses and keys. This option must be enabled if you need to<br />
restore system functionality.<br />
• Backup reporting data — Select this option to include reports, email history, and system event<br />
data in the backup.<br />
Note: Backing up reporting data can drastically increase the size of the backup file,<br />
resulting in a much longer backup time. Use scheduled FTP backups to prevent your<br />
browser from timing out when this type of backup is taking place.<br />
When you have set your options, click Next >> to continue.<br />
Verify that your options are correct, and then click Create backup now to start the backup.<br />
The system will prompt you for a location to download the file (backup.gz). The backup file is<br />
saved in a Gzip compressed archive.<br />
FTP Backup Options<br />
The following options are for backing up to an FTP server:<br />
• Encrypt backup — Select this option to store the backup file in encrypted form.<br />
• Backup system configuration — Select this option to back up all system configuration data,<br />
including mailboxes, STA data, licenses and keys. This option must be enabled if you need to<br />
restore system functionality.<br />
• Backup reporting data — Select this option to include reports, email history, and system event<br />
data in the backup.<br />
Note: Backing up reporting data can drastically increase the size of the backup file,<br />
resulting in a much longer backup time. Use scheduled FTP backups to prevent your<br />
browser from timing out when this type of backup is taking place.<br />
• FTP server — Enter the host name or IP address of the destination FTP server.<br />
• <strong>User</strong>name — Enter the username for the FTP server.<br />
• Password — Enter the password for the FTP server.<br />
• Directory — Enter the directory on the FTP server for the backup files.<br />
• Use PASV mode — Sets FTP to use passive mode if you are having problems connecting.<br />
When you have set your options, click Next >> to continue.<br />
Verify that your options are correct, and then click Create backup now to start the backup.<br />
You can also click Create scheduled backup which will take you to the Daily Backup menu to<br />
create a scheduled FTP backup. The backup file is saved in a Gzip compressed archive.<br />
Daily Scheduled Backup<br />
You can schedule an automatic FTP or tape backup to be performed every day at a specified time.<br />
Select Management -> Daily Backup on the menu to configure automatic daily backups.<br />
• Tape Backup — Select the check box to enable daily tape backups (if available).<br />
• FTP Backup — Select the check box to enable daily FTP backups. You must configure the<br />
FTP backup settings separately using the Management -> Backup & Restore screen.<br />
• Start Time — Set the start time for the backup in 24-hour format using the syntax HH:MM, such<br />
as 02:00 for 2:00AM.<br />
Caution: Mail History, System Event History, and Reports cannot be backed up if the<br />
daily backup runs between 12AM and 12:30AM. This is the time period when the reporting<br />
database is processing its rollout information.<br />
FTP Backup Naming Conventions<br />
The naming convention for FTP backups is time stamped as follows:<br />
MX-DATAx.YYMMDDHHMM<br />
Example:<br />
MX-DATA0.0505152245<br />
This indicates that the backup file is from May 15th, 2005 at 10:45PM. When purging old backup<br />
files during routine maintenance, ensure that you examine the timestamps before deleting them.<br />
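The Daily Scheduled Backup caution and the MX-DATAx.YYMMDDHHMM naming convention above, as an added worked example for routine maintenance: a parser for the file name, a purge list that never touches the newest backup or any file that does not follow the convention, and a check that a start time avoids the reporting rollout window. This is illustrative code, not ePrism’s own; the sample file names, the retention parameters and the inclusive treatment of 12:30AM are assumptions.

```python
import re
from datetime import datetime, time, timedelta
from typing import Iterable, List, Tuple

# MX-DATAx.YYMMDDHHMM, e.g. MX-DATA0.0505152245 = 15 May 2005 at 22:45
BACKUP_NAME = re.compile(r"^MX-DATA(?P<index>\d+)\.(?P<stamp>\d{10})$")


def parse_backup_name(name: str) -> Tuple[int, datetime]:
    """Split an ePrism FTP backup file name into its index and its timestamp."""
    m = BACKUP_NAME.match(name)
    if m is None:
        raise ValueError(f"not an ePrism FTP backup name: {name!r}")
    return int(m["index"]), datetime.strptime(m["stamp"], "%y%m%d%H%M")


def backups_to_purge(names: Iterable[str], keep_days: int, now: datetime,
                     keep_at_least: int = 1) -> List[str]:
    """Backup files older than keep_days, always sparing the newest keep_at_least.

    Names that do not follow the convention are skipped rather than guessed at,
    so unrelated files in the FTP directory are never selected for deletion.
    """
    stamped = []
    for name in names:
        try:
            _, stamp = parse_backup_name(name)
        except ValueError:
            continue
        stamped.append((stamp, name))
    stamped.sort(reverse=True)                       # newest first
    protected = {name for _, name in stamped[:keep_at_least]}
    cutoff = now - timedelta(days=keep_days)
    return sorted(name for stamp, name in stamped
                  if stamp < cutoff and name not in protected)


def reporting_data_safe(start_hhmm: str) -> bool:
    """True if a daily backup starting at HH:MM (24-hour) can include reporting data.

    Per the guide's caution, between 12AM and 12:30AM the reporting database is
    processing its rollout, so Mail History, System Event History and Reports
    cannot be backed up.  Both ends of the window are treated as excluded (assumption).
    """
    start = datetime.strptime(start_hhmm, "%H:%M").time()   # ValueError if malformed
    return not (time(0, 0) <= start <= time(0, 30))


if __name__ == "__main__":
    # Constructed directory listing from an FTP backup target.
    listing = ["MX-DATA0.0505152245", "MX-DATA0.0505102245",
               "MX-DATA1.0504010130", "notes.txt"]
    today = datetime(2005, 5, 16, 8, 0)
    print(parse_backup_name("MX-DATA0.0505152245"))
    print(backups_to_purge(listing, keep_days=7, now=today))   # ['MX-DATA1.0504010130']
    print(reporting_data_safe("02:00"), reporting_data_safe("00:15"))  # True False
```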
Restoring from Backup<br />
Select the required type of restore and click the Next >> button.<br />
Restore from Local Disk Options<br />
Enter the local filename that contains your server’s backup data, or click Browse to select the file<br />
from the local drive directory listing. Click Next >> to upload and restore the backup file.<br />
FTP Restore Options<br />
• FTP server — Enter the host name or IP address of the FTP server where the backup file is<br />
stored.<br />
• <strong>User</strong>name — Enter the username for the FTP server.<br />
• Password — Enter the password for the FTP server.<br />
• Directory — Enter the directory on the FTP server for the backup files.<br />
• Use PASV mode — Sets FTP to use passive mode if you are having problems connecting.<br />
Click Next >> to connect with the FTP server and restore the backup file.<br />
Restore Options<br />
When the backup file has been successfully retrieved, you can choose which aspects of the system<br />
you want to restore. When finished selecting the restore items, click Restore Now.<br />
Note: If you are restoring reporting data separately, it must be performed after the<br />
restoration of the main system information.<br />
You can view the current status of the restore process in the Status section of the Management<br />
-> Backup & Restore menu.<br />
When the restore is complete, you should review and edit your network configuration in the Basic<br />
Config -> Network screen as required, and click Update to reboot. This ensures that all restored<br />
network settings have been applied.<br />
Caution: If you modified the networking information during the system installation<br />
process, and then performed a restore, your new networking information may be<br />
overwritten by the restored data. Ensure that your network settings are correct before<br />
updating and rebooting the system.<br />
Centralized Management<br />
The Centralized Management feature allows you to administer multiple <strong>ePrism</strong> Email Security<br />
Appliances from a single management console. Centralized Management allows you to perform<br />
many routine administrative tasks across all <strong>ePrism</strong> systems configured in the same management<br />
group.<br />
Centralized Management is used to monitor and administer multiple <strong>ePrism</strong> systems, including the<br />
ability to copy configuration items such as mail routes, aliases and mappings, RADIUS and LDAP<br />
settings, and so on, to other systems in the management group.<br />
Note: All management group communications are authenticated and transmitted using<br />
HTTPS.<br />
You can perform the following functions from the Centralized Management console:<br />
• Start and Stop mail services<br />
• Monitor mail queues<br />
• View statistics of incoming and outgoing mail<br />
• Copy configuration settings to other <strong>ePrism</strong> systems<br />
• Perform backups<br />
Centralized Management and Clustering<br />
Centralized Management is very different from <strong>ePrism</strong>’s HALO Clustering features.<br />
Centralized Management is intended for managing multiple <strong>ePrism</strong> systems with different<br />
configurations, while Clustering is used to monitor and manage multiple systems with identical<br />
configurations for redundancy and load balancing purposes.<br />
See “HALO (High Availability and Load Optimization)” on page 203 for more detailed<br />
information on cluster management.<br />
Configuring Centralized Management<br />
Use the following procedure to initialize and configure Centralized Management.<br />
1. Select Basic Config -> Network from the menu.<br />
2. Ensure that Admin Login access is enabled for the specific network interface that will be<br />
communicating with the management group.<br />
3. Select Management -> Centralized Management to configure Centralized Management.<br />
The initialization screen will appear indicating that there are no management groups configured.<br />
4. To create a management group, click Configure. You will need to enter the login and password<br />
of the admin user.<br />
5. Add new members to the management group by clicking the Members button.<br />
6. Enter the group member’s hostname or IP address, an optional name, and the Admin user’s<br />
login and password. Click Add or Update Member.<br />
Once added, click the Close button.<br />
The group member will now appear in the main management console screen.<br />
Note: If the address of a member server changes, the original entry must be removed<br />
before adding a new entry with the new address.<br />
Changing the Centralized Management Console<br />
To change the address of the console you are using, click Edit, enter your new settings, and then<br />
click Add or Update Member. You cannot delete the console you are using from the<br />
management group.<br />
Using the Management Console<br />
From the Centralized Management Console, you can perform a variety of administrative functions.<br />
Group Commands<br />
The following commands are applied to the entire management group:<br />
• Centralized Management Command — From the drop-down box you can select a specific<br />
function to execute across all members of the management group. The options include Refresh,<br />
Stop All Queues, Run (Start) All Queues, and Backup.<br />
• Select Auto Refresh — Select the time, in seconds, for automatic refresh of settings and<br />
statistics for group members. Select Disable if you do not require Auto Refresh.<br />
Member System Commands<br />
The following commands are only applied to the specified group member:<br />
• Start and Stop Services — You can start and stop services for each management group<br />
member. The current status is also displayed.<br />
• Connect — Connect directly to the specified member and open its administration screen.<br />
• Backup — Back up the member server via FTP.<br />
Note: Each group member must have its FTP backup configured individually before<br />
this function will work from the console.<br />
• Copy Configuration — Copy the selected settings from the management console to the<br />
selected member. Each member can be configured individually to receive only certain settings<br />
by selecting the check box of each configuration item.<br />
Click Save to save your selected settings on the management console screen.<br />
Copy Configuration<br />
To copy configuration items from the Centralized Management Console to the group members,<br />
select which items to copy, and then click the Copy button. Click Save to save your settings.<br />
The following configuration settings can be replicated:<br />
• Attachment Control — All items, including Attachment Types, are added to the selected<br />
group member.<br />
• Mail Aliases — All mail aliases will be added to the selected group member.<br />
• Virtual Mappings — All virtual mappings will be added to the selected group member.<br />
• Mail Mapping — All mail mappings will be added to the selected group member.<br />
• Mail Routing — All mail routes will be added to the selected group member.<br />
• Mail Access/Filtering — Message size and patterns settings will be added to the selected<br />
group member.<br />
• Relocated <strong>User</strong>s — The list of relocated users on a group member will be replaced by those<br />
from the management console.<br />
• Pattern Based Filtering — All anti-spam Pattern Based Filtering settings except the default<br />
settings will be added to the selected group member.<br />
• RADIUS/LDAP — All RADIUS and LDAP configuration settings will be added to the<br />
selected group member.<br />
Note: The email queue will be temporarily stopped during the replication process.<br />
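The list above distinguishes items that are added to a member (the member keeps entries of its own) from Relocated Users, which are replaced outright. The following Python model, added here as an illustration and not part of the ePrism product or its code, applies those two semantics and then reports the drift that "add" semantics leaves behind: an entry deleted on the console survives on any member that received it earlier. The item names, the rule that the console's value wins when both sides define the same entry name, and the sample routes and addresses are constructed assumptions for the example.<br />

```python
# Items the guide describes as *added* to the member (console entries merged in).
# Item names are constructed for this model; they are not product identifiers.
MERGED_ITEMS = {
    "attachment_control", "mail_aliases", "virtual_mappings", "mail_mapping",
    "mail_routing", "mail_access_filtering", "pattern_based_filtering", "radius_ldap",
}
# Items the guide describes as *replacing* the member's own list.
REPLACED_ITEMS = {"relocated_users"}


def copy_configuration(console, member, selected):
    """Return the member's configuration after copying `selected` items.

    Each item is a dict of entry name -> value (for example, a mail route's
    domain -> destination). Merged items keep entries that exist only on the
    member, with the console winning on a name clash (an assumption of this
    model); replaced items take the console's list verbatim.
    """
    result = {item: dict(values) for item, values in member.items()}
    for item in selected:
        if item not in MERGED_ITEMS and item not in REPLACED_ITEMS:
            raise ValueError("unknown configuration item: " + item)
        console_values = console.get(item, {})
        if item in REPLACED_ITEMS:
            result[item] = dict(console_values)
        else:
            merged = dict(result.get(item, {}))
            merged.update(console_values)
            result[item] = merged
    return result


def drift_after_copy(console, member, selected):
    """Entries left on the member that the console does not have.

    Because merged items are added rather than replaced, a route or alias
    deleted on the console survives on any member that received it earlier.
    Listing that residue is the check to run after a copy.
    """
    after = copy_configuration(console, member, selected)
    drift = {}
    for item in selected:
        console_keys = console.get(item, {})
        extra = {k: v for k, v in after.get(item, {}).items() if k not in console_keys}
        if extra:
            drift[item] = extra
    return drift


# Constructed sample configurations; the addresses and names are placeholders.
CONSOLE = {
    "mail_routing": {"example.com": "smtp:[10.0.0.5]"},
    "mail_aliases": {"postmaster": "admin@example.com"},
    "relocated_users": {"jdoe": "jdoe@new.example"},
}
MEMBER = {
    "mail_routing": {
        "example.com": "smtp:[10.0.0.9]",   # stale destination, console wins
        "old.example": "smtp:[10.0.0.7]",   # route deleted on the console
    },
    "mail_aliases": {},
    "relocated_users": {"asmith": "asmith@elsewhere.example"},
}
```

Running `drift_after_copy(CONSOLE, MEMBER, ["mail_routing", "relocated_users"])` reports the stale `old.example` route on the member while the relocated-users list shows no drift, because it was replaced. A member whose routes or aliases must match the console exactly needs those stale entries removed by hand after the copy.<br />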
Problem Reporting<br />
Problem reporting allows you to send important configuration and logging information to St.<br />
Bernard Technical Support for help with troubleshooting system issues. This feature should be<br />
used in conjunction with an existing support request with technical support.<br />
Select Management -> Problem Reporting to configure your troubleshooting configuration<br />
information.<br />
• Send To — Enter an email address to send the reports. The default is St. Bernard Technical<br />
Support, but you can also put in your own email address so that you can view them before<br />
sending them to St. Bernard.<br />
• Mail Log — Sends the latest daily mail server log.<br />
• Mail Configuration — Sends your current mail configuration file.<br />
• Mail Queue Stats — Sends a snapshot of the latest current mail queue statistics.<br />
• System Log — Sends the latest daily system log file.<br />
Click Update to save the information in the form, and click Send Now to send the information to<br />
the configured email address.<br />
CHAPTER 11<br />
HALO (High Availability<br />
and Load Optimization)<br />
This chapter describes the high availability and load optimization features of the <strong>ePrism</strong> Email<br />
Security Appliance and contains the following topics:<br />
• “HALO Overview” on page 204<br />
• “Configuring Clustering” on page 206<br />
• “Cluster Management” on page 212<br />
• “Configuring the F5 Load Balancer” on page 216<br />
• “Queue Replication” on page 217<br />
HALO Overview<br />
HALO (High Availability and Load Optimization) is the fail-safe clustering architecture that provides<br />
high availability for the <strong>ePrism</strong> Email Security Appliance. HALO enables two or more <strong>ePrism</strong> systems<br />
to act as a single logical unit for processing a mail stream while providing load balancing and high<br />
availability benefits.<br />
HALO ensures that mail messages are never lost due to security vulnerabilities or individual system<br />
failures. The clustering architecture is illustrated in the following diagram.<br />
Cluster Management<br />
The <strong>ePrism</strong> systems participating in the cluster will be grouped together by connecting a network<br />
interface to a separate network called the Cluster Network. The <strong>ePrism</strong> systems will communicate<br />
clustering information with each other via this network. Systems can also be added or removed<br />
from clusters without interruption to mail services. It is recommended that all systems in the<br />
cluster run on the same platform (e.g., <strong>ePrism</strong> M3000), and that the cluster network be<br />
separated from the main production network.<br />
One system is configured to be the Cluster Console which is the "master" system where all cluster<br />
administration and configuration will be performed. When an <strong>ePrism</strong> system is added to the<br />
cluster, its configuration will automatically be synchronized with the Cluster Console. Any changes<br />
to the configuration on the Cluster Console will also be replicated to every cluster member.<br />
The <strong>ePrism</strong> cluster will be treated as a logical unit for processing mail and system configuration.<br />
Note: Clustered systems do not support the <strong>ePrism</strong> Mail Client/WebMail or the Secure<br />
WebMail proxy.<br />
Load Balancing<br />
Although the <strong>ePrism</strong> cluster will be treated as one system, email is processed independently by<br />
each cluster member, and requires the use of a load balancing system to distribute mail flow<br />
between the systems in the cluster.<br />
Load Balancing via DNS<br />
A DNS round-robin technique can be used to distribute incoming SMTP connections via DNS to<br />
the systems in the cluster, as shown in the following example MX records:<br />
example.com IN MX 10 mail1.example.com<br />
example.com IN MX 10 mail2.example.com<br />
Priority can be given to specific servers by configuring different priority values, as follows:<br />
example.com IN MX 5 mail1.example.com<br />
example.com IN MX 10 mail2.example.com<br />
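The two record sets above rely on the sending MTA's MX selection rules: records are tried in ascending preference value, and hosts sharing one value are tried in a random order, which is what spreads load across equal-priority members. The following Python model, added here as an illustration and not taken from the guide or the ePrism product, implements that selection and a failover walk so the effect of each record set can be seen on constructed input. The record lists and the set of reachable hosts are constructed for the example.<br />

```python
import random
from itertools import groupby

# Constructed MX record sets mirroring the two examples in the guide:
# (preference value, host). The lower value is tried first.
EQUAL_PRIORITY = [(10, "mail1.example.com"), (10, "mail2.example.com")]
PREFERRED_FIRST = [(5, "mail1.example.com"), (10, "mail2.example.com")]


def mx_delivery_order(records, rng=None):
    """Return the order in which a sending MTA will try the MX hosts.

    Records are grouped by preference value, ascending. Within one group the
    hosts are shuffled, which is the behaviour that spreads load across
    cluster members when every record carries the same value.
    """
    rng = rng if rng is not None else random.Random()
    ordered = []
    by_pref = sorted(records, key=lambda rec: rec[0])
    for _pref, group in groupby(by_pref, key=lambda rec: rec[0]):
        hosts = [host for _, host in group]
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered


def deliver_with_failover(records, reachable, rng=None):
    """Walk the MX order and return the first host that accepts, or None.

    `reachable` is a constructed set of hostnames currently answering on
    SMTP; a host missing from it stands for a failed cluster member.
    """
    for host in mx_delivery_order(records, rng):
        if host in reachable:
            return host
    return None


def load_distribution(records, reachable, attempts=1000, seed=1):
    """Count how many of `attempts` deliveries land on each host (a None key
    counts attempts that found no reachable host and would be deferred)."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(attempts):
        host = deliver_with_failover(records, reachable, rng)
        counts[host] = counts.get(host, 0) + 1
    return counts
```

With equal preference values the distribution over many attempts is close to even; with 5 and 10, `mail2.example.com` receives mail only when `mail1.example.com` refuses the connection. Note the caveat this makes visible: DNS round-robin has no health check of its own, so a failed member still receives its share of connection attempts and relies on the sender retrying the next MX, whereas the hardware load balancer described next removes the failed member from rotation.<br />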
Using a Load Balancer<br />
You can also use a hardware load balancing device, such as the F5 BIG-IP, Cisco, or other similar<br />
load balancer. The load balancer is configured to send the mail stream to systems in a cluster. If<br />
one of the systems fails, the load balancer will automatically detect this event and distribute the<br />
load between the remaining systems.<br />
The load balancer can be configured to distribute the mail stream connections intelligently across<br />
all systems in the cluster, using techniques such as round-robin, and distribution by system load<br />
and availability.<br />
Configuring Clustering<br />
The following sections describe how to install and configure a cluster. In these examples, a cluster<br />
of two systems is described. The procedure requires the following steps:<br />
1. Hardware and Licensing — Ensure all systems are of the same hardware, and have the same<br />
software versions and licenses. Ensure the member cluster systems are new installations with no<br />
changes to the default configuration. When they are connected to the cluster, they will receive<br />
their configuration from the Cluster Console.<br />
2. Cluster Network Configuration — Configure a network interface on each system for<br />
clustering.<br />
3. Create the cluster — From the Cluster Console system, create the cluster.<br />
4. Add Cluster members — From the Cluster Console, add the cluster member systems.<br />
Step 1: Hardware and Licensing<br />
All cluster members, including the Cluster Console, should be the same level of hardware (such as<br />
an <strong>ePrism</strong> M3000), and be running the same version of software and update patches.<br />
All cluster members must also have all the same additional features (such as Kaspersky Anti-Virus)<br />
installed and licensed before integration into the cluster. Member systems should be new<br />
installations with no changes to the default configuration except for additional licensed options.<br />
Caution: It is critical that the cluster member systems be new installations with no changes<br />
to the default configuration.<br />
Step 2: Cluster Network Configuration<br />
The following instructions describe how to configure the network settings for two <strong>ePrism</strong> systems<br />
in a cluster.<br />
1. Connect an unused network interface from each <strong>ePrism</strong> to a common network switch, or<br />
connect each interface with a crossover network cable. This will form the "cluster network", a<br />
control network where clustering information will be passed back and forth between the <strong>ePrism</strong><br />
systems that form the cluster.<br />
Note: For security reasons, this network should be isolated on its own, and not be<br />
connected to the main network. For a cluster of two systems, a crossover network cable<br />
can be connected between the selected interfaces providing a secure connection without<br />
the need for a switch.<br />
2. On each <strong>ePrism</strong> system, go to the Basic Config -> Network screen.<br />
3. On the network interface that you want to use for clustering, ensure that the Trusted Subnet<br />
and Admin Login check boxes are enabled.<br />
4. In the Clustering section of the Network settings screen, select the Enable Clustering check<br />
box, and choose the network interface that is connected to the cluster control network.<br />
Step 3: Creating the Cluster<br />
The following instructions describe how to create the cluster and initialize the Cluster Console<br />
system.<br />
1. Select HALO -> Cluster Administration from the menu. Before continuing, ensure that this<br />
is the system that you want to be the Cluster Console system.<br />
2. Click the Configure button to start the cluster configuration process.<br />
3. The system will prompt you for information on setting up the cluster. First, you must enter the<br />
admin user and password for the system that will be configured as the Cluster Console.<br />
Click the Add or Update Member button to add the system as the Cluster Console.<br />
Click Close to finish.<br />
4. The Cluster Management console is then displayed.<br />
Step 4: Adding Cluster Members<br />
The following instructions describe how to add other systems to the cluster.<br />
Caution: It is critical that any additions or deletions from the cluster configuration be<br />
performed with only a single administrator logged in. If any changes to the configuration<br />
of the Cluster Console are performed during a cluster configuration change, there is a risk<br />
that initialization of a member will not process correctly.<br />
1. Add cluster members by clicking the Add/Remove button in the Cluster Management<br />
console.<br />
2. Enter the Cluster Member hostname or IP Address, an optional name for the system, and the<br />
Admin login ID and password. Click the Add or Update Member button to add the system.<br />
3. When systems are added to a cluster, the configuration of the Cluster Console system is<br />
replicated automatically to the new cluster member. This process will take some time to<br />
complete, and the Cluster Management screen will indicate that the cluster member is<br />
initializing.<br />
Caution: It is critical that no other configuration changes are made to the Cluster Member<br />
or Cluster Console while the member is initializing.<br />
When a system is added to the cluster, the configuration of the Cluster Console is replicated to the<br />
new node with the following exceptions:<br />
• Networking settings such as host name and IP address, and network interface specific<br />
settings<br />
• Local users and any WebMail related information<br />
• Any reporting related information<br />
• Centralized management information<br />
• STA databases<br />
• Vacation notification related information is only partially replicated<br />
4. When the initialization of the member is complete, the Cluster Management console will appear,<br />
showing both the Cluster Console and the new cluster member.<br />
Troubleshooting Cluster Initialization<br />
The following table describes common issues that occur when configuring a cluster.<br />
TABLE 1. Troubleshooting Cluster Initialization<br />
Issue: Blank 'Address' field when setting up the cluster console.<br />
Solution: The interface has not been correctly initialized. Go to Basic Config -> Network and<br />
scroll down to the Clustering section. Select the Cluster Interface, click Update, and reboot.<br />
Issue: Connection check fails.<br />
Solution: The interface on the Console may not be configured correctly. The target cluster<br />
member machine is not running or the interface on the target node is not configured correctly.<br />
The hardware or software of the cluster sub-net may not be configured correctly. Check the<br />
cluster subnet between the Console and the target cluster member.<br />
Issue: Very slow to display the initialization screen in the console window for a new cluster<br />
member.<br />
Solution: Try clicking the Refresh now button on the Console screen.<br />
Cluster Management<br />
The Cluster Management screen, shown below, is accessed on the Cluster Console via HALO -><br />
Cluster Administration, and shows mail processing statistics for each individual cluster member.<br />
All cluster management and configuration must be performed from the Cluster Console system.<br />
Any configuration changes made to the Cluster Console are automatically replicated to the cluster<br />
member servers.<br />
Cluster Commands<br />
The following commands can be performed for the entire cluster or for individual cluster member<br />
systems:<br />
• Queues — Select the appropriate button to Run, Stop, and Flush the mail queues.<br />
• Send — You can Enable or Disable the sending of mail from the cluster or specified system.<br />
• Receive — You can Enable or Disable the receiving of mail for the cluster or specified system.<br />
Activate/Deactivate Members<br />
When member systems are added to a cluster, they are assigned an active state to process mail for<br />
the cluster. If you need to take a member out of the cluster for maintenance purposes, it can be<br />
temporarily deactivated from the cluster by using the Deactivate button. A deactivated cluster<br />
member is still monitored, and can process mail, but its configuration will not be synchronized<br />
with the Cluster Console. The state of the email queue is not changed when a cluster member is<br />
deactivated.<br />
The Cluster Console itself cannot be deactivated. To perform maintenance on the Cluster<br />
Console, you must deactivate all cluster members individually. This, in effect, deactivates the entire<br />
cluster. When your maintenance is completed, reactivate each cluster member.<br />
To reactivate a disabled cluster member, click the Activate button. Activating a cluster member<br />
will synchronize its configuration information by comparing the last time of replication and<br />
update the system with the configuration from the Cluster Console. A complete resynchronization<br />
will be required if the replication times do not exactly match.<br />
A cluster member will be deactivated automatically if the Cluster Console is unable to<br />
communicate with it, and an alarm will be issued when this occurs. Email processing is not<br />
affected by this deactivation.<br />
Start-Up Configuration<br />
Click the Configure button to select an action to perform when a cluster member system<br />
restarts.<br />
• Wait for Console — The cluster member, after a restart, will wait until it contacts the Cluster<br />
Console system and synchronizes before processing mail. The system will try to contact the<br />
console for five minutes before starting without synchronization.<br />
• Start immediately — The cluster member will start immediately without contacting and<br />
synchronizing its configuration with the Cluster Console system.<br />
Cluster Activity<br />
When a cluster is activated, a new Cluster Activity option appears on the Activity menu, and<br />
provides an activity screen displaying the combined activity of all cluster members. To see the<br />
activity for just the current system, use the Activity option from the menu.<br />
Cluster Reporting<br />
<strong>ePrism</strong> reports can be generated for a single system or for all systems in a cluster. The email<br />
database can also be searched on a single system or on the entire cluster. The history and status of<br />
any message can be instantly retrieved regardless of which system processed the message.<br />
See “Viewing and Generating Reports” on page 222 for more information on cluster reporting.<br />
Configuring a New Cluster Console<br />
If you need to assign the Cluster Console role to another system in the cluster, you must log in to<br />
the cluster member you would like to use as the Cluster Console and reconfigure the cluster from<br />
the HALO -> Cluster Administration menu. This will essentially deactivate the entire cluster,<br />
and you must add the cluster members to the cluster again once the new Cluster Console is<br />
initialized.<br />
Backup and Restore<br />
You should configure the backup for a cluster member with a unique backup directory for each<br />
cluster system, including the Cluster Console. Separate backup directories are required to ensure<br />
that backups do not inadvertently overwrite the backup from another cluster system.<br />
Restoring from a backup is primarily intended for product recovery after a re-installation or<br />
software upgrade. Restoring clustered systems can potentially cause problems with cluster<br />
configuration and communication, and it is recommended that you use the following procedures<br />
when restoring a member of a cluster system.<br />
See “Backup and Restore” on page 189 for more detailed information on the backup and restore<br />
process.<br />
Restoring a Cluster Member<br />
Use the following procedure to perform a restore on a cluster member system (not the Cluster<br />
Console):<br />
1. From the Cluster Console, remove the member system from the cluster.<br />
2. Disconnect the member system from the cluster network via the network cable.<br />
3. Perform the restore procedure, but only restore Quarantined mail, SSL Certificates, STA,<br />
and Reporting Data (optional). The member will automatically synchronize the rest of its<br />
configuration with the Cluster Console when it is reintegrated with the cluster.<br />
4. When the system is restored, disable clustering on the cluster network interface in Basic<br />
Config -> Network. Click the Update button but do not reboot.<br />
5. Re-enable clustering on the network interface. Ensure that the specified interface is the one<br />
connected to the cluster network. Click the Update button but do not reboot.<br />
6. Connect the member system’s network cable to the cluster network.<br />
7. From the Cluster Console, add the system back into the cluster.<br />
Restoring the Cluster Console<br />
On each cluster member system (not the Cluster Console), clear the cluster configuration as<br />
follows:<br />
1. Disable clustering on the cluster network interface of each cluster member in Basic Config -><br />
Network. Click the Update button but do not reboot. Re-enable clustering on the network<br />
interface. Ensure that the specified interface is the one connected to the cluster network. Click<br />
the Update button but do not reboot.<br />
2. Disconnect the Cluster Console from the cluster network via the network cable.<br />
3. On the Cluster Console, perform a full restore of all configuration items.<br />
4. When the restore is complete, go to the cluster configuration screen in HALO -> Cluster<br />
Administration, and remove all cluster members from the cluster.<br />
5. Reconnect the Cluster Console to the cluster network.<br />
6. Reconfigure the cluster and add the other systems as cluster members.<br />
Configuring the F5 Load Balancer<br />
As part of <strong>ePrism</strong>’s clustering solution, you can use the BIG-IP F5 iControl load balancer to<br />
control traffic to your clustered systems. <strong>ePrism</strong> includes a configuration screen where you can<br />
configure the BIG-IP load balancer via the iControl administrative connection.<br />
This integration allows you to configure and communicate the <strong>ePrism</strong> cluster system nodes directly<br />
to the BIG-IP device. Information on email content and traffic load can be communicated directly<br />
with the load balancer, resulting in intelligent failover decisions.<br />
Note: See the BIG-IP documentation for more information on configuring the load<br />
balancer.<br />
Select HALO -> F5 Integration from the menu to configure the BIG-IP load balancer.<br />
Click the Config button to set up a new F5 configuration.<br />
• BIG/IP Enabled — Select the check box to enable management of the BIG/IP load balancer<br />
with iControl.<br />
• BIG/IP IP Address — Specify the IP address of the BIG/IP system used for iControl<br />
administrative access.<br />
• Login — Enter the login ID used to configure the load balancer.<br />
• Password — Enter the password for the login ID above.<br />
• Pool — Specify the name of the load balancing pool used for mail flow for the <strong>ePrism</strong> cluster.<br />
Queue Replication<br />
The Queue Replication feature enables mail queue replication and stateful failover between two<br />
<strong>ePrism</strong> systems. In the event that the primary owner of a mail queue is unavailable, the mirror<br />
system can take ownership of the mirrored mail queue for delivery.<br />
Without queue replication, a system with received and queued messages that have not been<br />
delivered may result in lost mail if that system suddenly fails. In large environments, this could<br />
translate into hundreds or thousands of messages.<br />
Queue replication actively copies any queued mail to the mirror system, ensuring that if one<br />
system should fail or be taken offline, the mirror system can take ownership of the queued mail<br />
and deliver it. If the source system successfully delivers the message, the copy of the message on<br />
the mirror server is automatically removed.<br />
In the following diagram, system A and system B are configured to be mirrors of each other’s mail<br />
queues.<br />
When a message is received by system A, it is queued locally, and a copy of the message is also<br />
immediately sent over the failover connection to the mirror queue on system B.<br />
If system A fails, you can go to system B and take ownership of the queued mail to deliver it.<br />
Messages are exchanged between the systems to ensure that the mirrored mail queues are properly<br />
synchronized, which prevents duplicate messages from being delivered when a failed system has<br />
come back online.<br />
Licensing<br />
HALO Queue Replication must be licensed to use it beyond the evaluation period.<br />
See “License Management” on page 184 for more information on licensing optional components.<br />
Configuring Queue Replication<br />
Select HALO -> Queue Replication from the menu to configure queue replication.<br />
• Enable Queue Replication — Select the check box to enable queue replication on this system.<br />
Replication must be enabled on both the source and mirror hosts in the Basic Config -><br />
Network screen.<br />
• Replication Timeout — Specify the time, in seconds, to wait when contacting the host system<br />
before timing out.<br />
• Replicate to Host — The mail queues are automatically updated when a message is first<br />
received, and the queues are also synchronized at regular intervals. Press this button to replicate<br />
the queue to the mirror host system immediately.<br />
• Mirrored Messages — This value indicates the current amount of queued mail that is mirrored<br />
on this <strong>ePrism</strong>.<br />
• Purge Mirrored Messages — Select this button to delete any mail messages in the local mirror<br />
queue. These are the files that we are mirroring for another host server.<br />
• Deliver Mirrored Messages — Select this button to take ownership and process the mail that<br />
we are mirroring for another source system. If the server is still alive, importing and processing<br />
the mirror queue may result in duplicate messages being delivered.<br />
Caution: Do not press this button unless you are certain that the source system is unable<br />
to deliver mail.<br />
• Review Mirrored Messages — Select this button to review any mail in the local mirror queue<br />
that we are mirroring for another source server.<br />
Queue Replication Interface<br />
You must also enable queue replication on a network interface on both the host and client server.<br />
Select Basic Config -> Network from the menu, and then scroll down to the Queue Replication<br />
section.<br />
• Enable Replication — Select the check box to enable queue replication on this system.<br />
• Replication Host — Specify the IP address of the system that will be backing up mail for this<br />
<strong>ePrism</strong>.<br />
• Replication Client — Specify the IP address of the system that will be backing up its mail<br />
queue to this <strong>ePrism</strong>.<br />
• Replication I/F — Select the network interface to use for queue replication. This network<br />
interface should be connected to a secure network. It is recommended that queue replication<br />
and clustering functions be run on their own dedicated subnet.<br />
Note: If you are backing up and restoring configuration information to a different<br />
system than the original, and queue replication is enabled, you will have to reconfigure<br />
Queue Replication to ensure that it will work properly.<br />
Importing and Processing Mirrored Messages<br />
If you have two systems that are mirroring each other’s mail queues and one of those systems fails,<br />
you must go to the mirror server and import the mirrored mail to ensure that it is processed and<br />
delivered.<br />
Import the mirrored messages as follows:<br />
1. Ensure that the host server has failed. Before importing any mirrored mail, you must ensure that<br />
the host server is not working. If you import and process the mirrored mail on the mirror<br />
server, this may result in duplicate messages if the host server starts functioning again.<br />
2. On the mirror server, select HALO -> Queue Replication from the menu.<br />
3. You may wish to view the currently mirrored mail by clicking the Review button.<br />
4. Click the Deliver button. This <strong>ePrism</strong> will take ownership of any queued mail mirrored from<br />
the source server, and process and deliver it.<br />
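The Queue Replication overview and the import procedure above describe four events: a received message is copied to the mirror, a delivered message is removed from the mirror, the mirror system takes ownership after the source fails, and the queues are reconciled when the source returns so nothing is delivered twice. The following Python model, added here as an illustration and not part of the ePrism product or its code, plays those events through for two systems A and B. The class, method names, message ids and the `alive` flag that stands in for the operator's judgement that the source has really failed are all constructed for the example.<br />

```python
class MailSystem:
    """Model of one mail system with a local queue and a mirror queue.

    `queue` holds messages this system owns and must deliver. `mirror` holds
    copies of the partner's queued messages, kept only until the partner
    reports delivery. `delivered` records message ids this system sent,
    which the reconciliation step uses to suppress duplicates.
    """

    def __init__(self, name):
        self.name = name
        self.partner = None
        self.alive = True
        self.queue = {}       # msg_id -> message body
        self.mirror = {}      # msg_id -> copy held for the partner
        self.delivered = set()
        self.outbox = []      # (msg_id, body) handed to the next hop

    def receive(self, msg_id, body):
        """Queue a message locally and immediately copy it to the partner's mirror."""
        self.queue[msg_id] = body
        if self.partner is not None and self.partner.alive:
            self.partner.mirror[msg_id] = body

    def deliver_all(self):
        """Deliver the local queue and tell the partner to drop its copies."""
        sent = 0
        for msg_id, body in list(self.queue.items()):
            self._send(msg_id, body)
            del self.queue[msg_id]
            sent += 1
            if self.partner is not None and self.partner.alive:
                self.partner.mirror.pop(msg_id, None)
        return sent

    def mirror_delivery_safe(self):
        """True only when the partner is confirmed down. The model knows the
        flag; an operator has to establish this by other means first."""
        return self.partner is None or not self.partner.alive

    def deliver_mirrored(self):
        """The 'Deliver Mirrored Messages' action: take ownership of the
        partner's mirrored mail and deliver it. Returns the count taken."""
        if not self.mirror_delivery_safe():
            raise RuntimeError("partner still alive: delivering the mirror would duplicate mail")
        taken = 0
        for msg_id, body in list(self.mirror.items()):
            self._send(msg_id, body)
            del self.mirror[msg_id]
            taken += 1
        return taken

    def reconcile(self):
        """On coming back online, drop queued messages the partner already
        delivered while this system was down. Returns the number dropped."""
        self.alive = True
        if self.partner is None:
            return 0
        dropped = [m for m in self.queue if m in self.partner.delivered]
        for msg_id in dropped:
            del self.queue[msg_id]
        return len(dropped)

    def _send(self, msg_id, body):
        self.delivered.add(msg_id)
        self.outbox.append((msg_id, body))


def pair(a, b):
    """Configure two systems as mirrors of each other's queues."""
    a.partner, b.partner = b, a


def failover_scenario():
    """Constructed walk-through of the guide's diagram: A receives mail, A
    fails with mail still queued, B delivers the mirror, A returns."""
    a, b = MailSystem("A"), MailSystem("B")
    pair(a, b)
    a.receive("m1", "delivered normally")
    a.deliver_all()                      # m1 leaves A; B's copy is removed
    a.receive("m2", "stuck on A")
    a.receive("m3", "also stuck on A")
    a.alive = False                      # A fails before delivering m2, m3
    taken = b.deliver_mirrored()         # operator confirms A is down first
    dropped = a.reconcile()              # A returns; m2, m3 already sent by B
    a.deliver_all()                      # nothing left to send
    return {
        "delivered_by_a": [m for m, _ in a.outbox],
        "delivered_by_b": [m for m, _ in b.outbox],
        "taken_by_b": taken,
        "dropped_on_reconcile": dropped,
        "duplicates": len(a.delivered & b.delivered),
    }
```

The `mirror_delivery_safe` guard is the model's version of the caution in the list above: if the mirror is delivered while the source is still running, the reconciliation step has nothing to compare against and both systems send the same message. In practice the flag is not available to the mirror system, which is why the guide puts the burden of confirming the failure on the administrator before clicking Deliver.<br />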
CHAPTER 12<br />
Reporting<br />
This chapter describes the reporting features of the <strong>ePrism</strong> Email Security Appliance and<br />
contains the following topics:<br />
• “Viewing and Generating Reports” on page 222<br />
• “Viewing the Mail History Database” on page 231<br />
• “Viewing the System History Database” on page 234<br />
• “Report Configuration” on page 237<br />
Viewing and Generating Reports<br />
<strong>ePrism</strong>’s reporting functionality provides a comprehensive range of informative reports for the<br />
<strong>ePrism</strong> Email Security Appliance, including:<br />
• Traffic Summary<br />
• System Health<br />
• Top Mailbox Disk <strong>User</strong>s<br />
• WebMail Usage<br />
• POP and IMAP Access<br />
• DCC and RBL Lookup Performance<br />
• Spam Statistics<br />
• Virus Reports<br />
The reports are derived from information written to the various system logs, which is then stored<br />
in the database. Reports are stored on the system for online viewing, and can also be emailed<br />
automatically to specified users. Reports can be generated on demand and at scheduled times.<br />
Reports can also be filtered to provide reporting on only specific mail domains, user groups, or<br />
hosts.<br />
Administrators can specify which data is to be included in each report, how it is to be displayed, the<br />
order of data, and the number of entries to report, such as "Top 10 Disk Space <strong>User</strong>s".<br />
Reports can be generated in four different formats: HTML, PDF, CSV (comma separated output)<br />
and Postscript format.<br />
Reporting Menu<br />
To generate and view reports, select Status/Reporting -> Reporting.<br />
To view a previously generated report, click on the report name. To configure a report, click on<br />
the Configure button beside the corresponding report name. Click Generate to immediately<br />
generate the specified report.<br />
Viewing Reports<br />
To view a report, click on the report name, such as Full Report.<br />
Reports that have been previously generated are listed here. Click on an HTML report name, such<br />
as rep1.html, to view the contents within the current browser window. Click on the Finished At<br />
time to view it in a popup window. Click on other formats to save the report to your workstation.<br />
The following illustrates a graph available from the full report.<br />
Configuring Reports<br />
Click the Configure button beside a specific report name to configure that report, or click Add<br />
New Report Type to start a new report.<br />
General Report Configuration Parameters<br />
• Report Title — Title to display at the top of the report.<br />
• Email To (HTML, CSV, PDF, PS) — Specify an email address, such as<br />
admin@example.com. Use a comma-separated list if you wish to distribute the report to<br />
multiple users, or assign an alias.<br />
• Paper Size - For PDF and PS formats, select the paper size, such as Letter, A4, or Legal.<br />
• Describe fields in report — Select this option to include a short description of each field in<br />
the report.<br />
• Hosts — If you are running a clustered system, select the specific host you want the report to<br />
apply to.<br />
When running reports in a clustered system, if you select "All" hosts in the report, it will<br />
generate a report for each host individually, and then merge the results into one report.<br />
• Filters — Select a filter, if any, to use with this report. Filters are created from the Status/<br />
Reporting -> Reports -> Report Filters menu.<br />
Automatic Report Generation<br />
You can configure and generate automatic reports from the Report Generation section of the<br />
report configuration screen.<br />
• Enable Auto Generate — Select this check box to automatically generate reports.<br />
• Auto Generate Report at — Select the time to generate the report.<br />
• Auto Generate on Week Days… — Choose the days of the week to generate the report.<br />
• ...and/or Day(s) of Month — Choose specific days of the month to generate the report.<br />
• Timespan Covered — Select the timespan covered for this report.<br />
• Timespan Ends at… — Select the end of the timespan. It is recommended to set the<br />
timespan end time a few hours prior to report generation to allow all deferred mail to be<br />
finalized.<br />
• ...Timespan Offset (Days Ago) — Select the number of days to offset the timespan. This<br />
amount of time is subtracted before setting the timespan.<br />
Click the Generate Now button to generate a report on demand using the specified settings. This<br />
will also automatically email the report to the specified address.<br />
To generate a report daily at 2:00am for the previous day (up to 11:00pm):<br />
Auto Generate Report at: 02:00<br />
Auto Generate on Week Days: All<br />
Timespan covered: 1 day<br />
Timespan ends at: 23:00<br />
Timespan offset: 0 days<br />
To generate weekly reports on Sunday at 4:00am for the period ending Friday 11:00pm:<br />
Auto Generate Report at: 04:00<br />
Auto Generate on Week Days: Sunday<br />
Timespan covered: 1 week<br />
Timespan ends at: 23:00<br />
Timespan offset: 1 day ago<br />
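The two schedules above can be checked with the following added Python example. It is not code from this guide or from the <strong>ePrism</strong> product; the rule it implements (the timespan ends at the most recent occurrence of the "Timespan Ends at" time before generation, moved back by the offset, and the week-day and day-of-month selections combine as a union) is an assumption drawn from the two worked settings, and the dates are constructed.<br />

```python
from datetime import datetime, timedelta, time

# Week-day names as they appear in the "Auto Generate on Week Days" setting.
WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday"]


def report_window(generated_at, ends_at, timespan, offset_days=0):
    """Return the (start, end) period a scheduled report covers.

    generated_at: datetime at which the report is generated ("Auto Generate Report at").
    ends_at:      time of day at which the timespan ends ("Timespan Ends at").
    timespan:     timedelta covered by the report ("Timespan Covered").
    offset_days:  "Timespan Offset (Days Ago)", subtracted before the window is set.

    Assumed semantics (the guide only gives two worked settings): the end is the most
    recent occurrence of ends_at at or before generated_at, moved back by offset_days;
    the start is the end minus the timespan.
    """
    end = datetime.combine(generated_at.date(), ends_at)
    if end > generated_at:          # today's end time is still ahead: use yesterday's
        end -= timedelta(days=1)
    end -= timedelta(days=offset_days)
    return end - timespan, end


def runs_on(date_str, weekdays=(), month_days=()):
    """True if a report scheduled for the given week days and/or days of month is
    generated on the date (ISO format). Assumption: the two settings form a union."""
    day = datetime.fromisoformat(date_str)
    return WEEKDAYS[day.weekday()] in weekdays or day.day in month_days


def daily_example():
    # Daily report at 02:00 covering the previous day up to 23:00
    # (constructed date: Tuesday 2006-03-07).
    generated = datetime(2006, 3, 7, 2, 0)
    return report_window(generated, time(23, 0), timedelta(days=1), offset_days=0)


def weekly_example():
    # Weekly report on Sunday 04:00 for the week ending Friday 23:00, offset 1 day
    # (constructed date: Sunday 2006-03-12).
    generated = datetime(2006, 3, 12, 4, 0)
    return report_window(generated, time(23, 0), timedelta(weeks=1), offset_days=1)


if __name__ == "__main__":
    for name, (start, end) in (("daily", daily_example()), ("weekly", weekly_example())):
        print(f"{name}: {start:%a %Y-%m-%d %H:%M} to {end:%a %Y-%m-%d %H:%M}")
```

Running it prints the daily window ending Monday 23:00 and the weekly window ending Friday 23:00, which is why the guide recommends an end time a few hours before generation: deferred mail up to the end time has had time to be finalized.<br />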
Report Fields<br />
The Fields section allows you to choose which fields or items of information you wish to include in<br />
the report. The fields provided are static, and the standard reports use fields pre-selected from this<br />
list to satisfy certain requirements. You can include or exclude fields to any one of the reports as<br />
required.<br />
Columns<br />
• Included — Select the check box to include a field.<br />
• Field ID — This is the <strong>ePrism</strong> name for this item.<br />
• Title in Report — Designate a title to appear in the report.<br />
• Order — The higher the value, the higher the field will appear in the report. Any number can be<br />
chosen to position the fields as needed.<br />
• Page Break — Choose between no, before, after, and both, to configure page breaks. This option<br />
only applies to PDF and PS format reports.<br />
• Limit — Set a limit for the number of items in a field. For example, enter "10" in the top<br />
viruses field to create a "Top Ten Virus List".<br />
Field Descriptions<br />
The following table describes the fields that appear in the report. Brief descriptions of each field<br />
can be included in the report by configuring it in the general report parameters.<br />
TABLE 1. Reporting Field Descriptions<br />
System name: The system host name, such as mxtreme.example.com.<br />
Date time: Date and time of report generation.<br />
Version: <strong>ePrism</strong> software revision.<br />
Timespan: Period covered by report.<br />
Uptime: How long the <strong>ePrism</strong> system has been running since the last reboot.<br />
Filter summary: A summary of the filters applied to this report.<br />
Head comment: Freeform comment that you may enter.<br />
Traffic blocking: A table showing the number of messages caught by each method over the preceding hour, day, week, month, and report timespan.<br />
Blocking pie chart: A pie chart of the same data as the right hand column of Traffic Blocking (timespan).<br />
Total traffic received: Graphs of the number of messages received per hour over the reporting period (timespan).<br />
Total traffic sent: Graphs of the number of messages sent per hour over the reporting period (timespan).<br />
Total received message size: Total message size of incoming messages per hour.<br />
Total sent out message size: Total message size of outgoing messages per hour.<br />
Trust traffic: A table showing the number of messages classified as "trusted" and "untrusted" and their disposition over the reporting period.<br />
Processing time: The average time a message waits between initial handshake and disposition, including RBL/DCC lookups if any. Messages that are deferred are not included.<br />
Spam metrics: Graph of the number of messages per STA assigned spam metric (0 - 100).<br />
Top virus: List of the top viruses found.<br />
Recent virus list: List of the most recent viruses found.<br />
Top PBMFs: List of the top pattern based message filters.<br />
Top forbidden attachments: List of the top forbidden attachments caught by attachment control.<br />
Recent forbidden attachments: List of the most recent forbidden attachments caught by attachment control.<br />
Disk usage: Shows disk usage by partition.<br />
Disk load: Graph of average disk load (MB/s) over the reporting period.<br />
CPU load: Graph of average CPU load (number of waiting processes) over the reporting period.<br />
NIC load: Graph for each active network interface load (Bytes/hour) for the reporting period.<br />
Swap usage: Swap file usage.<br />
Paging: Paging usage.<br />
Top mailbox sizes: Lists the top users based on the size of their mailboxes in MB.<br />
Webmail: The number of WebMail logins and failed attempts per hour. This does not include "admin" logins.<br />
POP: Graph showing the number of POP logins and login failures per hour over the reporting period.<br />
IMAP: Graph showing the number of IMAP logins and login failures per hour over the reporting period.<br />
Active mail queue: Graph showing the number of queued messages (as sampled every 5 minutes) over the reporting period.<br />
Deferred mail queue: Graph showing the maximum number of messages (as sampled every 5 minutes) in the deferred queue over the reporting period.<br />
Top senders: The top senders (judged by envelope from, not header from) during the report timespan, sorted by number of messages. If the title contains one or more comma characters, the list will be restricted to those senders which include any string after the first comma. The limit parameter in the report configuration sets the maximum number listed.<br />
Top sending hosts: The top sending host names (in FQDN format) during the report timespan, sorted by number of messages. If the title contains one or more comma characters, the list will be restricted to those sender FQDNs which include any string after the first comma. The limit parameter in the report configuration sets the maximum number listed.<br />
Top recipients: The top recipients during the report timespan, sorted by number of messages. The sum of the message sizes is also listed. If the title contains one or more comma characters, the list will be restricted to those recipients which include any string after the first comma. The limit parameter in the report configuration sets the maximum number listed.<br />
DCC Servers: Graph showing the average round trip, in seconds, to the preferred DCC server over the reporting period.<br />
RBL Servers: Graph showing the round trip, in seconds, to the RBL servers over the reporting period. The value is averaged over all enabled RBL servers.<br />
End comment: Comment text.<br />
Extra comment: Extra comment text.<br />
Language support<br />
Any text field in the report configuration can use Western (ISO-8859-1) text. For extended<br />
characters (such as accented letters), configure your browser for Western (ISO-8859-1) and set the<br />
character set encoding in Basic Config -> Web Server. You can then use your language specific<br />
keyboard or copy and paste ISO-8859 text into the report configuration fields.<br />
Creating Report Filters<br />
You can create custom filters to apply when generating reports. When a filter is selected in the<br />
report configuration editor, the applicable report fields are restricted to those values that include<br />
any string in the supplied list. You can filter by mail domain, user groups, and specific hosts.<br />
Filters for specific viruses, encryption, and attachments types can also be created.<br />
Field values can be separated by a space or by starting a new line. Leave a field blank for no<br />
filtering. For domains and email addresses, wildcard characters can be used, such as:<br />
*@example.com<br />
joe@*.example.com<br />
fred@*example*<br />
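The following added Python example (not code from this guide or from the <strong>ePrism</strong> product) shows how the filter values described here and the Top senders field described in Table 1 combine: wildcard values with "*", separated by spaces or new lines, a blank filter meaning no filtering, the comma restriction in the field title, and the limit. The message records and helper names are constructed; the reading that each string after the first comma in the title is a separate, case-insensitive substring is an assumption.<br />

```python
import re
from collections import Counter

# Constructed sample of mail history records: (envelope sender, recipient, size in bytes).
# These are not real ePrism records.
SAMPLE_MESSAGES = [
    ("joe@mail.example.com", "bob@corp.example.net", 1200),
    ("joe@mail.example.com", "ann@corp.example.net", 800),
    ("fred@example.org", "bob@corp.example.net", 3000),
    ("news@lists.example.com", "bob@corp.example.net", 500),
    ("news@lists.example.com", "ann@corp.example.net", 500),
    ("news@lists.example.com", "cat@corp.example.net", 500),
    ("spammer@example.biz", "bob@corp.example.net", 200),
    ("ceo@example.com", "bob@corp.example.net", 4000),
]


def wildcard_to_regex(pattern):
    """Translate a filter value such as joe@*.example.com into an anchored regex.
    Only '*' is special (any run of characters); everything else is literal and
    matching is case-insensitive."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def parse_filter_values(text):
    """Filter values may be separated by spaces or by new lines."""
    return text.split()


def matches_filter(value, filter_text):
    """A blank filter means no filtering; otherwise at least one value must match."""
    values = parse_filter_values(filter_text)
    if not values:
        return True
    return any(wildcard_to_regex(v).match(value) for v in values)


def top_senders(messages, title="Top senders", limit=10, sender_filter=""):
    """Count messages per envelope sender, restrict them by the sender filter and by
    the comma-separated strings in the field title, and return the top entries.
    Assumption: each string after the first comma is a separate case-insensitive
    substring, and a sender must contain at least one of them to be listed."""
    restrict = [s.strip().lower() for s in title.split(",")[1:] if s.strip()]
    counts = Counter()
    for sender, _recipient, _size in messages:
        if not matches_filter(sender, sender_filter):
            continue
        if restrict and not any(r in sender.lower() for r in restrict):
            continue
        counts[sender] += 1
    return counts.most_common(limit)


if __name__ == "__main__":
    # Two filter values, one per line, as they would be typed into the filter field.
    print(top_senders(SAMPLE_MESSAGES, sender_filter="*@example.com\njoe@*.example.com"))
```

Note that "*@example.com" matches only addresses whose domain is exactly example.com; a sender at a subdomain such as mail.example.com needs a value like "*@*.example.com" or "*example.com" to be included.<br />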
Select Status/Reporting -> Reporting -> Report Filters to create and edit report filters.<br />
You can filter on the following fields:<br />
• Sender domain or email address<br />
• Recipient domain or email address<br />
• Sending host name or IP<br />
• Encryption from Sender<br />
• Encryption to Recipient<br />
• Sender groups<br />
• Recipient groups<br />
• Virus<br />
• Forbidden Attachment<br />
Viewing the Mail History Database<br />
Every message that passes through <strong>ePrism</strong> generates a database entry that records information<br />
about how it was processed, including a detailed journal identifying the results of the mail<br />
processing.<br />
Select Status/Reporting -> Reporting -> Mail History to view the email database.<br />
Columns<br />
• QueueID — Identifies the message in the database.<br />
• Time Received — Time when the message was received by <strong>ePrism</strong>.<br />
• Subject — Contents of the message subject header field.<br />
• Prior — If a message is forwarded because of alias expansion, bounced, vacation notification,<br />
and so on, a new message in the queue will be created. The QueueID number in the Prior<br />
column links to the original message.<br />
• Journal — Shows how the message was processed, including its disposition.<br />
• Auth — Shows SMTP authentication information.<br />
Search<br />
Search for specific message details using the following search fields:<br />
• Search - Select the specific part of the message you want to search on, such as "sender" or<br />
"subject".<br />
• For - Enter a search string. Use a blank field to match any string.<br />
Advanced Search<br />
Select the Advanced button to perform an advanced search of the email database.<br />
• Search — Select the specific part of the message you want to search on, such as "sender" or<br />
"subject". Use the "and" fields to select an additional message part and search string.<br />
• Date — You can select a time frame to search for received, disposed, or deferred mail.<br />
• Status — Select a message status to search for, such as "malformed", or "virus".<br />
• Hosts — In a clustered system, you can specify a specific host to perform the search on.<br />
• Max — Enter the maximum number of results (up to 10,000) returned in the search.<br />
• Regex — Select this option to define a search using a regular expression.<br />
After performing a search, you can enter more criteria and use the Refine button to search only<br />
within the previous results.<br />
Displaying Message Details<br />
Click on a QueueID number to view the details of a message. Dispositions and deferrals, if any, are<br />
listed in the Message Disposition section.<br />
Viewing the System History Database<br />
Select Status/Reporting -> Reporting -> System History to view the system database.<br />
The system database is a record of system events, such as login failures and disk space usage.<br />
Search<br />
Enter any text to search for an event. You can specify the type of message to narrow the search.<br />
Leave the text area blank to list by event type.<br />
Columns<br />
• Event# — Identifies the event in the database.<br />
• End Time — Time when the event is complete.<br />
• Type — The type of event.<br />
• Device, <strong>User</strong> — The device or user in the event.<br />
• Text — Associated text for the event.<br />
• #1, #2, #3 — Parameters of the event.<br />
Event Types<br />
The following table describes the event types that can appear in the system database.<br />
TABLE 2. System Database Event Types<br />
Each entry gives the event type, its abbreviation, a description, and the parameters recorded in the #1, #2, #3 columns where the event has any.<br />
Admin Actions (adm): Shows administrative functions that have been performed.<br />
AV Updates (avup): The time of the last update, its success or failure, and the name of the new pattern file.<br />
CPU Load (cpuld): The load average for the past 1, 5, and 15 minutes. Parameters: number of processes waiting for CPU. A very busy system may have 50 or more.<br />
DCC Preferred (dccpref): The round trip time to the preferred DCC server. Parameters: name of preferred server.<br />
Disk I/O (diskio): MB per second transfer, KB per transfer, transfers per second for a disk.<br />
Disk Usage (du): Amount of used and total available disk space for each disk slice.<br />
IMAP I/O (impio): This shows each IMAP based transfer of email messages.<br />
IMAP Logins (implin): This shows each successful IMAP authentication. If the connection used SSL, the string "ssl" follows in a separate column. Note: IMAP transfers smaller than 50 bytes are not recorded. Parameters: <strong>User</strong>ID and IP address.<br />
IMAP Failures (impfail): Shows the number of IMAP login failures. Parameters: <strong>User</strong>ID and IP address.<br />
Logins (login): A single web based login. Parameters: <strong>User</strong>ID and IP address.<br />
Logouts (logout): A single web based logout (not including timed-out sessions). Parameters: <strong>User</strong>ID and IP address.<br />
Login failures (lifail): Login failure. Parameters: <strong>User</strong>ID and IP address.<br />
Network I/O (nic): Amount of data in and out of network card.<br />
Paging (page): This shows the swap paging activity (pages in/out) over 5 seconds.<br />
POP I/O (popio): This shows each POP based transfer of email messages. Parameters: number of emails and bytes transferred in POP session.<br />
POP Logins (poplin): This shows each successful POP authentication. If the connection used SSL, the string "ssl" follows the IP address. Parameters: <strong>User</strong>ID and IP address.<br />
POP Failures (popfail): This shows each POP authentication failure. If the connection used SSL, the string "ssl" follows the IP address. Parameters: <strong>User</strong>ID and IP address.<br />
Queue Sizes (que): Number of messages in active and deferred queues. Parameters: active queue size in bytes, deferred queue size in bytes.<br />
RBL Response (rbldns): Average round trip time to RBL server with minimum and maximum values. Parameters: RBL server.<br />
Swap usage (swap): This shows the swap usage, and total swap space available. Parameters: used and available swap space in megabytes.<br />
Report Configuration<br />
Select Status/Reporting -> Reporting -> Configure to configure the maximum time email<br />
summaries, system event summaries, and reports are kept on the system, including the maximum<br />
number that are retained.<br />
Email summaries, system events, and reports are included in backups. Each email summary is<br />
about 1,000 bytes in size. For performance reasons, such as backup/restores, searches, and so on,<br />
it is recommended to keep the email message limits no longer than is required, such as 100,000<br />
messages for an <strong>ePrism</strong> M1000, 500,000 messages for an <strong>ePrism</strong> M3000 and so on.<br />
The email message history is trimmed to the expiry date and number limit, whichever is smaller.<br />
System events occupy less than 2 MB per day, and a setting of 3 months is reasonable.<br />
The system purges old data every day after 12:00am, and also within a few minutes of saving the<br />
settings in this menu. The data is rolled out depending on the date/time and number constraints,<br />
whichever is less.<br />
Note: Reports will not be generated while the data is being purged.<br />
Disabling Reporting<br />
The reporting database is populated with information that is obtained by interpreting the system<br />
log files. You have the option of disabling reporting, which results in no new information being<br />
saved in the reporting database. Note that all log files are still saved, but the reporting engine will<br />
not analyze and interpret them for reports.<br />
Disabling reporting is not recommended, and should only be used if the system is extremely<br />
overloaded, or if you are testing performance levels.<br />
Click the Advanced button on the Status/Reporting -> Reporting -> Configure screen to<br />
reveal an option for disabling the reporting function.<br />
Note: Software upgrades or system restores will re-enable reporting, if disabled.<br />
SQL Logging<br />
For long term storage, you can save all reporting database changes and download the data in SQL<br />
format. Click the Enable SQL logging button to start a SQL log.<br />
This log can be accessed via Status/Reporting -> System Logs -> Reporting SQL, where it<br />
can be examined and downloaded, and then imported into an SQL database.<br />
CHAPTER 13<br />
Monitoring System Activity<br />
This chapter describes how to monitor <strong>ePrism</strong>’s system activity and message processing, and<br />
contains the following topics:<br />
• “Activity Screen” on page 240<br />
• “System Log Files” on page 242<br />
• “SNMP (Simple Network Management Protocol)” on page 245<br />
• “Alarms” on page 248<br />
Activity Screen<br />
The Activity screen provides a variety of system information and utilities all on one screen,<br />
including:<br />
• Mail service stop and start<br />
• Mail queue statistics<br />
• Queue Activity<br />
• System uptime and CPU load<br />
• Message details<br />
• Recent Mail Dispositions<br />
The following describes the queue statistics columns:<br />
• Arrived — The total number of messages processed by <strong>ePrism</strong> (messages accepted). These<br />
include messages that were spam, viruses, attachment control, and so on.<br />
• Sent — The total number of messages sent by <strong>ePrism</strong>, including mailer daemon mail,<br />
quarantine notifications, mail delivery delay notifications, local mail, alarms, reports, and so on.<br />
If a message has multiple recipients, each delivered recipient will be added to the total.<br />
• Spam — The total number of messages considered spam by STA, DCC, and PBMFs with a<br />
spam action.<br />
• Reject — The total number of messages rejected because of client hostname/address<br />
restrictions, SAP rejects, RBLs, and PBMFs with a reject action.<br />
• Virus — The total number of messages that contained a virus.<br />
• Clean — The total number of messages that were accepted for delivery inbound and outbound<br />
by <strong>ePrism</strong> and passed all security and spam filters.<br />
Show Dispositions<br />
The Mail Received Recently section displays messages that were received by <strong>ePrism</strong>. Click the Show<br />
Dispositions button to show messages that were fully processed by <strong>ePrism</strong> and their final<br />
dispositions.<br />
Cluster Activity<br />
In a clustered system, an additional Cluster Activity screen is displayed that shows the combined<br />
activity for all clustered systems.<br />
System Log Files<br />
From the Status/Reporting -> System Logs screen you can access the system log files.<br />
The Mail Transport log is the most important log to monitor because it contains a record of all mail<br />
processed by <strong>ePrism</strong>. See “Examining Log Files” on page 254 for more information on<br />
interpreting the Mail Transport logs.<br />
Other logs include:<br />
• Authentication — Contains messages from POP, IMAP, and WebMail logins.<br />
• Web Server Access — A log of access to the web server.<br />
• Web Server Errors — Contains error messages from the web server.<br />
• Web Server Encryption Engine — Contains messages for the web server encryption engine.<br />
• Web Server Encrypted Accesses — A log of SSL web server access.<br />
• Messages — Contains system messages, including file uploads.<br />
• Kernel — A log of kernel generated messages.<br />
Note: It is possible that you may receive errors in the kernel logs regarding partition<br />
slices. If your system is installed with a manufacturer’s diagnostics partition, this is<br />
the cause of the error and does not indicate a critical condition.<br />
• Archive — This option allows you to view an amalgamation of all the logs.<br />
• Reporting SQL — This option appears when SQL logging is enabled in Status/Reporting -><br />
Reporting -> Configure. The logs can be downloaded in SQL format from this screen.<br />
Viewing and Searching Log Files<br />
Click on a specific log to view its entries. You can search for a particular search string by entering a<br />
value in the Search field and then clicking the Refresh/Search button.<br />
The following features can be used to help refine log searches:<br />
• For logical "and" and "or" searches, use the keywords "and", "or", and "not".<br />
• Use \and or \or to search for the actual words such as "and" and "or".<br />
• Use a preceding / to search using Unix-style regular expressions.<br />
You can also download the log to a text file by using the Download button. You can then import<br />
this file into a log analysis application for offline processing.<br />
Note: A maximum of 3MB of data is sent to the browser when viewing a log. If the<br />
specified search returns more than that amount, the list is truncated.<br />
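As an added illustration, not code from this guide or from the <strong>ePrism</strong> product, the following Python evaluates the search syntax described above over a few constructed log lines: the keyword operators, a backslash-escaped literal word, and a leading slash for a regular expression. The operator precedence (prefix "not", then "and", then "or", with "and" implied between adjacent terms), case-insensitive substring matching for plain terms, and the sample lines themselves are assumptions; the guide does not specify them.<br />

```python
import re

# Constructed sample lines in the style of a mail transport log; not real ePrism output.
SAMPLE_LOG = [
    "Mar  7 02:11:43 mx mta[1201]: connect from mail.example.net[192.0.2.10]",
    "Mar  7 02:11:44 mx mta[1201]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 554 blocked using rbl.example",
    "Mar  7 02:12:01 mx mta[990]: 7A3F1C2: from=<joe@example.org>, size=1820, nrcpt=1 (queue active)",
    "Mar  7 02:12:02 mx mta[1210]: 7A3F1C2: to=<bob@corp.example.net>, status=sent (250 OK)",
    "Mar  7 02:13:10 mx mta[1211]: 8B4E2D3: to=<ann@corp.example.net>, status=deferred (connection timed out)",
    "Mar  7 02:14:00 mx mta[1201]: disconnect from mail.example.net[192.0.2.10]",
    "Mar  7 02:15:30 mx mta[1201]: 9C5F3E4: discarded: malformed header and missing Date",
]


def term_matcher(token):
    """Build a predicate for one search term."""
    if token.startswith("\\"):              # \and, \or, \not: search for the literal word
        word = token[1:].lower()
        return lambda line: word in line.lower()
    if token.startswith("/"):               # /pattern: Unix-style regular expression
        regex = re.compile(token[1:])
        return lambda line: regex.search(line) is not None
    needle = token.lower()                  # plain term: case-insensitive substring
    return lambda line: needle in line.lower()


class QueryParser:
    """Recursive-descent parser. Assumed precedence: "or" binds loosest, then "and"
    (also implied between adjacent terms), then prefix "not"."""

    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        token = self.tokens[self.pos]
        self.pos += 1
        return token

    @staticmethod
    def combine(left, right, op):
        return lambda line: op(left(line), right(line))

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "or":
            self.take()
            left = self.combine(left, self.parse_and(), lambda a, b: a or b)
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() is not None and self.peek() != "or":
            if self.peek() == "and":
                self.take()
            left = self.combine(left, self.parse_not(), lambda a, b: a and b)
        return left

    def parse_not(self):
        token = self.peek()
        if token is None or token in ("and", "or"):
            raise ValueError("search term expected at token %d" % self.pos)
        if token == "not":
            self.take()
            inner = self.parse_not()
            return lambda line: not inner(line)
        return term_matcher(self.take())


def compile_query(query):
    """Turn a search string into a predicate over one log line; blank matches all."""
    tokens = query.split()
    if not tokens:
        return lambda line: True
    parser = QueryParser(tokens)
    matcher = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError("unexpected token: " + parser.peek())
    return matcher


def search_log(lines, query):
    """Return the log lines matching the search expression."""
    matcher = compile_query(query)
    return [line for line in lines if matcher(line)]


if __name__ == "__main__":
    for line in search_log(SAMPLE_LOG, "reject or deferred and not timed"):
        print(line)
```

The same evaluator can be run over a log downloaded with the Download button, which is the offline processing the text above refers to; the 3MB limit applies only to what the browser displays.<br />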
Configuring a Syslog Server<br />
All of <strong>ePrism</strong>’s log files can be forwarded to a syslog server, a host that collects and<br />
stores log files from many sources.<br />
The syslog files can then be analyzed by a separate logging and reporting program.<br />
You can define a syslog host in the Basic Config -> Network screen.<br />
SNMP (Simple Network Management Protocol)<br />
Simple Network Management Protocol (SNMP) is the standard protocol for network<br />
management. When enabled on <strong>ePrism</strong>, this feature allows standard SNMP monitoring tools, such<br />
as HP Openview, Tivoli, BMC Patrol and CA Unicenter, to connect to the SNMP agent running<br />
on <strong>ePrism</strong> and extract real-time system information.<br />
The information available from the SNMP agent is organized into objects which are described by<br />
the MIB (Management Information Base) files. The information available includes disk, memory,<br />
and CPU statistics, mail queue information, and statistics on the number of spam or virus-infected<br />
emails. An SNMP trap can be sent when the system reboots.<br />
See “SNMP MIBS” on page 283 for detailed information on the objects available in <strong>ePrism</strong>’s MIB<br />
files.<br />
The SNMP agent service is installed and running by default, but it must be enabled specifically for<br />
each interface in the Basic Config -> Network screen. It is strongly advised that the agent only<br />
be configured for the internal (trusted) network.<br />
Configuring SNMP<br />
Select Basic Config -> SNMP Configuration on the menu to configure SNMP.<br />
• Send Trap on Reboot — Enable the check box to send a trap message to your SNMP trap host<br />
whenever the system reboots.<br />
• System Contact — (Required) Enter the email address of the contact person for this system.<br />
• System Location — (Required) Enter the location of the system.<br />
• Read-Only Community — By default, <strong>ePrism</strong> does not allow read/write access to the SNMP<br />
agent. For read access, you must set up a read-only community string on both the agent, and<br />
your SNMP management application for authentication. It is recommended that you change the<br />
default community string "public" to a more secure value.<br />
Note: The community string is case sensitive.<br />
Permitted Clients<br />
To allow access to <strong>ePrism</strong>’s SNMP agent, you must specifically add the client system to the list of<br />
SNMP Permitted Clients. The clients can be specified using a host name, IP address, or network<br />
address (192.168.138.0/24). Typically, you will enter the address of your SNMP management<br />
station, such as an HP Openview system. Click Add to add the permitted client.<br />
Trap Hosts<br />
A trap host is an SNMP management station that will be receiving system traps from <strong>ePrism</strong>.<br />
<strong>ePrism</strong> will send an SNMP trap when the system is rebooted.<br />
Enter a list of hosts that will receive trap messages. The hosts can be specified using a host name<br />
or IP address. Click Add to add the trap host.<br />
MIB Files<br />
The SNMP MIB files can be downloaded by clicking the Download MIBs button. These files<br />
must be imported into your SNMP management program. The MIB file contains a list of objects<br />
representing the information that can be extracted from the system’s SNMP agent.<br />
See “SNMP MIBS” on page 283 for detailed information on the contents of the St. Bernard<br />
<strong>ePrism</strong> Email Security Appliance MIB files.<br />
Alarms<br />
<strong>ePrism</strong> implements a variety of system alarms to notify you of exceptional system conditions.<br />
Alarms are currently generated from the HALO, LDAP, and Backup subsystems. For example, you<br />
can receive an alarm notification if your daily FTP backup fails, or if you lose communications with<br />
a cluster member. Errors with LDAP user imports will also trigger an alarm.<br />
You can select the type of alarm notifications to receive, such as Critical, Serious, and Warning events.<br />
These notifications can be sent via:<br />
• Email<br />
• Console Alert<br />
• Activity Screen Alert<br />
The following example shows an alarm appearing on the Activity screen. You must click<br />
Acknowledge to remove the alarm notification.<br />
Configuring Alarms<br />
Select Basic Config -> Alarms on the menu to configure your alarms and notifications.<br />
• Send Escalation Mail — Select the types of alarms that will trigger an email to be sent to the<br />
Escalation Mail Address specified below.<br />
• Send Alarm Mail — Select the types of alarms that will trigger an email to be sent to the<br />
Alarm Mail Address specified below.<br />
Note: You must have a valid email address specified in the Email Addresses section for the<br />
alarm email to be sent.<br />
• Alert to Console — Select the types of alarms that will display an alert on the system console<br />
screen.<br />
• Alert to Activity Page — Select the types of alarms that will display an alert on the main<br />
activity screen.<br />
• Escalation Mail Address — Enter an email address to send escalation emails to.<br />
• Alarm Mail Address — Enter an email address to send alarm mails to.<br />
System Alarms<br />
The following table describes the current system alarms:<br />
TABLE 1. Description of Alarms<br />
Severity Feature Description<br />
Serious FTP Backup FTP Backup Failed [error message]<br />
Serious Clustering Cluster Error connecting to host [member address]<br />
Serious Clustering Cluster Error writing to host [member address]<br />
Serious Clustering Cluster Error closing socket for host [member address]<br />
Serious Clustering Cluster Error Connection to database<br />
Serious Clustering Cluster Error query failed: [query error message]<br />
Serious Clustering Cluster replication Error opening configuration file [file error]<br />
Serious Clustering Error loading cluster configuration file<br />
Serious Clustering Cluster Error loading command at [location in configuration file]<br />
Serious LDAP Import LDAP import, Import of groups failed<br />
Serious LDAP Import LDAP import, Import of users failed<br />
Serious LDAP Import LDAP failed to download users, groups<br />
Critical LDAP Lookup LDAP lookup failed during delivery<br />
Critical LDAP Lookup LDAP lookup: Unable to bind to server [ldaps://xx.xx.xx.xx as<br />
cn=user1,cn=users,dc=example,dc=com]: 81 Can't contact LDAP<br />
server<br />
Critical LDAP Lookup LDAP lookup: Search error 81: Can't contact LDAP server<br />
Critical Queue Replication Cannot connect to mirror<br />
Note: It is recommended that you use SNMP for monitoring of system resources such as<br />
disk space and memory usage. See “SNMP (Simple Network Management Protocol)” on<br />
page 245 for more information.<br />
CHAPTER 14<br />
Troubleshooting Mail<br />
Delivery<br />
This chapter describes procedures for troubleshooting mail delivery problems and contains the<br />
following topics:<br />
• “Troubleshooting Mail Delivery” on page 252<br />
• “Troubleshooting Tools” on page 253<br />
• “Examining Log Files” on page 254<br />
• “Network and Mail Diagnostics” on page 258<br />
• “Troubleshooting Content Issues” on page 263<br />
Troubleshooting Mail Delivery<br />
When experiencing mail delivery problems, the first step is to determine whether the problem affects<br />
only incoming mail, only outgoing mail, or both. For example, if you are receiving mail but cannot send<br />
outgoing mail, your Internet connection is evidently working, since inbound mail is still arriving. In<br />
this scenario the likely cause is a firewall blocking your outbound SMTP connections, or some other<br />
problem specific to outbound delivery.<br />
Problems affecting both inbound and outbound delivery include the following scenarios:<br />
• Network infrastructure and Communications — The most common scenario in which you<br />
are not receiving or sending mail is if your Internet connection is down. This can include<br />
upstream communications with your ISP, your connection to the Internet, or your external<br />
router. You should also check your internal network infrastructure to ensure you can contact<br />
<strong>ePrism</strong> from your router or firewall.<br />
• DNS — If your DNS is not working or is configured incorrectly, mail will not be forwarded to your<br />
<strong>ePrism</strong>, or you will not be able to look up external mail sites. Check that the DNS service itself is<br />
running, and check your DNS records for any misconfiguration of your mail services.<br />
Ensure that your MX records are set up to point at the <strong>ePrism</strong> system.<br />
• Firewall — If you are having issues with your Firewall or if it is misconfigured, it may<br />
inadvertently block mail access to and from <strong>ePrism</strong>. For example, SMTP port 25 must be<br />
opened between the Internet and <strong>ePrism</strong> and internally to allow inbound and outbound mail<br />
connections.<br />
• Internal Mail Systems — You may be receiving incoming mail to the <strong>ePrism</strong>, but mail is not<br />
being forwarded to the appropriate internal mail servers. Also, outgoing mail from the internal<br />
servers may not be forwarded to <strong>ePrism</strong> for delivery. In these scenarios, examine your internal<br />
mail server to ensure it is working properly. Check communications between the two systems to<br />
ensure there are no network, DNS, or routing issues. Also check that your internal servers are<br />
configured to send outgoing mail to <strong>ePrism</strong>.<br />
• External Mail Systems — If you have a large amount of mail to a particular destination, and<br />
that mail server is currently down, these messages will queue up in the deferred mail queue to be<br />
retried after a period of time. You can view the Mail Transport logs to see the relevant messages<br />
that may indicate why you cannot connect to that particular mail server. The server could be<br />
down, too busy, or not currently accepting connections.<br />
Troubleshooting Tools<br />
The following sections describe the built-in tools that can be used on the <strong>ePrism</strong> system to help<br />
troubleshoot mail delivery problems.<br />
Monitoring the Activity Screen<br />
On <strong>ePrism</strong>’s main Activity screen, you will be able to quickly examine if there are any issues with<br />
mail delivery.<br />
Examine the following items:<br />
• Check the mail queue activity (Mail Q) for the number of Queued, Deferred, and Total<br />
messages in the mail queue. This is a quick indicator of whether mail is being processed. Click the<br />
Refresh button frequently to ensure that the mail queues are not building up.<br />
• In the Mail Received Recently portion of the activity screen, check the timestamps of your most<br />
recent incoming and outgoing mail. If no mail has been processed in a certain period of time,<br />
this may indicate that the inbound, outbound, or both mail directions are not working.<br />
• Check the statistics for your mail queues. You may notice mail system latency if you are<br />
receiving a lot of virus, spam, or message rejects.<br />
Examining Log Files<br />
Examine the system log files in the Status/Reporting -> System Logs screen. The Mail Transport<br />
log is the most important, as it provides a detailed description of each message that passes through<br />
the system.<br />
The log entries for a single message begin with an smtpd "connect" message and end with the<br />
"disconnect" message. To ensure that you are looking at the entries for a specific message, check<br />
the message ID (queue ID) that appears in each of its entries, such as 9A51880D88.<br />
A summary of the actions taken for the message is also included in the log, for example:<br />
Final action: None<br />
RBL: off SPF: off<br />
Anti-Virus: Kaspersky passed<br />
Malformed: no Attachments: passed Message Affirmation: off<br />
PBMF: no match<br />
DCC: off STA: metric=37, spam=yes, threshold=lower OCF: off<br />
Interpreting Text Log Files<br />
Log files can be downloaded as a text file to allow you to analyze the logs offline.<br />
When interpreting Mail Transport log files from the text version, the final message summary appears<br />
as a special analysis string. The analysis string contains a list of action codes that are created by the<br />
logging engine to create the message summary in the log.<br />
For example, the following analysis string decodes to the summary shown beneath it:<br />
analysis=rSFFFFTUF099000FFFFFFTK000TFT000TF--50000000F1F-FF<br />
Final action: Redirect, STA Upper<br />
RBL: off SPF: off<br />
Anti-Virus: Kaspersky passed<br />
Malformed: no Attachments: passed Message Affirmation: off<br />
PBMF: no match<br />
DCC: off STA: metric=99, spam=yes, threshold=upper OCF: off<br />
The following table describes each character in the analysis string.<br />
TABLE 1. Analysis Code Descriptions<br />
Analysis Code | Description | Possible Values<br />
r | Final Action (Redirect) | D = Reject; A = Accept; V = Valid; S = Spam; T = Trust; R = Relay; H = Modify Header; h = Add Header; Q = Quarantine; d = Discard Mail; L = Just Log; B = Bounce Mail; r = Redirect; C = BCC; z = Temporary Reject; - = None<br />
S | Final Action Code (S - STA Upper) | W = PBMF; w = Trusted Senders List; D = DCC; S = STA Upper; s = STA Lower; V = Anti-virus; C = Attachment Control; M = Malformed; R = RBL; F = OCF; X = Crash (insufficient data); O = Relay; - = None<br />
F | Notify Sender? (False) | T = True, F = False<br />
F | Notify Recipient? (False) | T = True, F = False<br />
F | Notify Admin? (False) | T = True, F = False<br />
F | Notify Other? (False) | T = True, F = False<br />
T | STA scanned? (True) | T = True, F = False<br />
U | STA Spam code (Upper) | F = False; U = Upper; L = Lower<br />
F | This value not in use. | n/a<br />
099 | STA Metric (99) | 3 digit numeric value<br />
000 | This value not in use. | n/a<br />
F | DCC Scanned? (False) | T = True, F = False<br />
F | DCC Bulk? (False) | T = True, F = False<br />
F | RBL Scanned? (False) | T = True, F = False<br />
F | RBL Reject? (False) | T = True, F = False<br />
F | This item is not used | n/a<br />
F | This item is not used | n/a<br />
T | Anti-Virus Scanned? (True) | T = True, F = False<br />
K | Anti-Virus Product (K - Kaspersky) | K = Kaspersky; M = McAfee<br />
000 | Viruses detected (0) | 3 digit numeric value<br />
T | Malformed Message Scanned? (True) | T = True, F = False<br />
F | Malformed message? (False) | T = True, F = False<br />
T | Attachment Control scanned? (True) | T = True, F = False<br />
000 | Attachments blocked (0) | 3 digit numeric value<br />
T | PBMF Scanned? (True) | T = True, F = False<br />
F | PBMF triggered? (False) | T = True, F = False<br />
- | PBMF Action (no match) | D = Reject; A = Accept; V = Valid; S = Spam; T = Trust; R = Relay; B = BCC; I = Do Not Train for STA; - = None<br />
- | PBMF Rule Type (no match) | S = System; G = Group; P = Personal; - = None<br />
5 | PBMF Priority (5 - high) | 0 = low, 3 = medium, 5 = high<br />
0000000 | PBMF Filter number (0000000) | The number of the filter in your list of PBMFs<br />
F | SPF scanned? (False) | T = True, F = False<br />
1 | SPF result (None) | 0 = Pass; 1 = None; 2, 3 = Fail; 4 = Error; 5 = Neutral; 6 = Unknown; 7 = Unknown SPF Mechanism<br />
F | Message Affirmation scanned? (False) | T = True, F = False<br />
- | Message affirmation result (None) | Q = Quarantine; d = Discard Mail; L = Just Log; D = Reject; - = None<br />
F | OCF Scanned (False) | T = True, F = False<br />
F | OCF Result (False) | T = True, F = False<br />
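Because every field in the table has a fixed position and width, the string can be decoded mechanically when you analyse downloaded text logs offline, and the same six summary lines the web viewer shows can be regenerated from it. The following Python is an added example, not <strong>ePrism</strong> code: the field layout is taken from the table above, the sample log line is constructed, and the wording used for states the manual's example does not show (an RBL reject, a PBMF hit, a virus count) is this example's own choice.<br />

```python
"""Decode the 'analysis=' string of a downloaded ePrism Mail Transport text log.  Added example,
not ePrism code; field widths follow the Analysis Code Descriptions table above."""
import re
from typing import Any, Dict, List

FINAL_ACTIONS = {"D": "Reject", "A": "Accept", "V": "Valid", "S": "Spam", "T": "Trust", "R": "Relay",
                 "H": "Modify Header", "h": "Add Header", "Q": "Quarantine", "d": "Discard Mail",
                 "L": "Just Log", "B": "Bounce Mail", "r": "Redirect", "C": "BCC",
                 "z": "Temporary Reject", "-": "None"}
ACTION_SOURCES = {"W": "PBMF", "w": "Trusted Senders List", "D": "DCC", "S": "STA Upper",
                  "s": "STA Lower", "V": "Anti-virus", "C": "Attachment Control", "M": "Malformed",
                  "R": "RBL", "F": "OCF", "X": "Crash (insufficient data)", "O": "Relay", "-": "None"}
PBMF_ACTIONS = {"D": "Reject", "A": "Accept", "V": "Valid", "S": "Spam", "T": "Trust", "R": "Relay",
                "B": "BCC", "I": "Do Not Train for STA", "-": "None"}
PBMF_RULE_TYPES = {"S": "System", "G": "Group", "P": "Personal", "-": "None"}
PBMF_PRIORITIES = {"0": "low", "3": "medium", "5": "high"}
SPF_RESULTS = {"0": "Pass", "1": "None", "2": "Fail", "3": "Fail", "4": "Error", "5": "Neutral",
               "6": "Unknown", "7": "Unknown SPF Mechanism"}
MA_RESULTS = {"Q": "Quarantine", "d": "Discard Mail", "L": "Just Log", "D": "Reject", "-": "None"}
AV_PRODUCTS = {"K": "Kaspersky", "M": "McAfee"}

# (field, width) in string order; the "_n" fields are the positions the table marks as not in use.
LAYOUT = [("final_action", 1), ("action_source", 1), ("notify_sender", 1), ("notify_recipient", 1),
          ("notify_admin", 1), ("notify_other", 1), ("sta_scanned", 1), ("sta_spam_code", 1), ("_1", 1),
          ("sta_metric", 3), ("_2", 3), ("dcc_scanned", 1), ("dcc_bulk", 1), ("rbl_scanned", 1),
          ("rbl_reject", 1), ("_3", 1), ("_4", 1), ("av_scanned", 1), ("av_product", 1),
          ("viruses_detected", 3), ("malformed_scanned", 1), ("malformed", 1), ("attach_scanned", 1),
          ("attachments_blocked", 3), ("pbmf_scanned", 1), ("pbmf_triggered", 1), ("pbmf_action", 1),
          ("pbmf_rule_type", 1), ("pbmf_priority", 1), ("pbmf_filter", 7), ("spf_scanned", 1),
          ("spf_result", 1), ("ma_scanned", 1), ("ma_result", 1), ("ocf_scanned", 1), ("ocf_result", 1)]
ANALYSIS_LEN = sum(width for _, width in LAYOUT)  # 50 characters


def extract_analysis(log_line: str) -> str:
    """Pull the analysis string out of one line of the downloaded text log."""
    match = re.search(r"analysis=([A-Za-z0-9-]{%d})(?![A-Za-z0-9-])" % ANALYSIS_LEN, log_line)
    if not match:
        raise ValueError("no analysis string in line")
    return match.group(1)


def split_fields(analysis: str) -> Dict[str, str]:
    if len(analysis) != ANALYSIS_LEN:
        raise ValueError(f"expected {ANALYSIS_LEN} characters, got {len(analysis)}")
    starts = [sum(w for _, w in LAYOUT[:i]) for i in range(len(LAYOUT))]
    return {name: analysis[pos:pos + width] for (name, width), pos in zip(LAYOUT, starts)}


def decode_analysis(analysis: str) -> Dict[str, Any]:
    f = split_fields(analysis)
    t = lambda key: f[key] == "T"  # T/F flags; anything but "T" counts as false
    return {
        "final_action": FINAL_ACTIONS.get(f["final_action"], "?" + f["final_action"]),
        "action_source": ACTION_SOURCES.get(f["action_source"], "?" + f["action_source"]),
        "notify": {k: t("notify_" + k) for k in ("sender", "recipient", "admin", "other")},
        "sta": {"scanned": t("sta_scanned"), "spam": f["sta_spam_code"] in "UL",  # "F" = not spam
                "threshold": {"U": "upper", "L": "lower"}.get(f["sta_spam_code"]),
                "metric": int(f["sta_metric"])},
        "dcc": {"scanned": t("dcc_scanned"), "bulk": t("dcc_bulk")},
        "rbl": {"scanned": t("rbl_scanned"), "reject": t("rbl_reject")},
        "anti_virus": {"scanned": t("av_scanned"), "viruses": int(f["viruses_detected"]),
                       "product": AV_PRODUCTS.get(f["av_product"], f["av_product"])},
        "malformed": {"scanned": t("malformed_scanned"), "malformed": t("malformed")},
        "attachments": {"scanned": t("attach_scanned"), "blocked": int(f["attachments_blocked"])},
        "pbmf": {"scanned": t("pbmf_scanned"), "triggered": t("pbmf_triggered"),
                 "action": PBMF_ACTIONS.get(f["pbmf_action"], f["pbmf_action"]),
                 "rule_type": PBMF_RULE_TYPES.get(f["pbmf_rule_type"], f["pbmf_rule_type"]),
                 "priority": PBMF_PRIORITIES.get(f["pbmf_priority"], f["pbmf_priority"]),
                 "filter_number": int(f["pbmf_filter"])},
        "spf": {"scanned": t("spf_scanned"), "result": SPF_RESULTS.get(f["spf_result"], f["spf_result"])},
        "message_affirmation": {"scanned": t("ma_scanned"),
                                "result": MA_RESULTS.get(f["ma_result"], f["ma_result"])},
        "ocf": {"scanned": t("ocf_scanned"), "result": t("ocf_result")},
    }


def summarize(analysis: str) -> List[str]:
    """Render the six summary lines the web log viewer shows for a message."""
    d = decode_analysis(analysis)
    av, att, p, s, ma = d["anti_virus"], d["attachments"], d["pbmf"], d["sta"], d["message_affirmation"]
    action = d["final_action"] + ("" if d["action_source"] == "None" else ", " + d["action_source"])
    rbl = "off" if not d["rbl"]["scanned"] else ("reject" if d["rbl"]["reject"] else "passed")
    spf = "off" if not d["spf"]["scanned"] else d["spf"]["result"]
    av_s = "off" if not av["scanned"] else f"{av['product']} " + (
        "passed" if av["viruses"] == 0 else f"{av['viruses']} detected")
    mal = "off" if not d["malformed"]["scanned"] else ("yes" if d["malformed"]["malformed"] else "no")
    att_s = "off" if not att["scanned"] else ("passed" if att["blocked"] == 0 else f"{att['blocked']} blocked")
    ma_s = "off" if not ma["scanned"] else ma["result"]
    pbmf = ("off" if not p["scanned"] else "no match" if not p["triggered"]
            else f"{p['action']} ({p['rule_type']} filter {p['filter_number']}, priority {p['priority']})")
    dcc = "off" if not d["dcc"]["scanned"] else ("bulk" if d["dcc"]["bulk"] else "passed")
    sta = ("off" if not s["scanned"] else
           f"metric={s['metric']}, spam={'yes' if s['spam'] else 'no'}, threshold={s['threshold'] or 'none'}")
    ocf = "off" if not d["ocf"]["scanned"] else ("match" if d["ocf"]["result"] else "passed")
    return [f"Final action: {action}", f"RBL: {rbl} SPF: {spf}", f"Anti-Virus: {av_s}",
            f"Malformed: {mal} Attachments: {att_s} Message Affirmation: {ma_s}", f"PBMF: {pbmf}",
            f"DCC: {dcc} STA: {sta} OCF: {ocf}"]


# Constructed text-log line (not from a real system) carrying the manual's example string.
SAMPLE_LINE = ("Jun  3 10:15:22 eprism 9A51880D88: "
               "analysis=rSFFFFTUF099000FFFFFFTK000TFT000TF--50000000F1F-FF")
```

Running summarize(extract_analysis(SAMPLE_LINE)) reproduces the six lines shown for the example above. The length check in split_fields matters when scripting over a whole log: a string of the wrong length means the log format differs from the table and should be reported, not silently mis-decoded.<br />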
Network and Mail Diagnostics<br />
In the Status/Reporting -> Status & Utility screen there are mail tools and networking<br />
diagnostic tools such as Hostname Lookups, SMTP Probe, Ping, and Traceroute, to help you<br />
troubleshoot possible networking problems and connectivity issues with other mail servers.<br />
Flush Mail Queue<br />
From the Status/Reporting -> Status & Utility screen, and also the main Activity screen, there is<br />
a button that can be used to flush and reprocess all queued mail. You should only use this utility if<br />
you have a high amount of deferred mail that you would like to try and deliver. In environments<br />
with a high amount of deferred mail, this process can take a very long time.<br />
If the deferred mail queue continues to grow, there are other problems that are preventing the<br />
delivery of mail, and the Flush button should not be used again.<br />
Note: This button should only be clicked once because it will reprocess all queued mail.<br />
Hostname Lookup<br />
The Hostname Lookup utility is used to perform DNS host lookups. This ensures that hostnames are<br />
being properly resolved by the DNS server.<br />
Enter the FQDN (Fully Qualified Domain Name) of the host you would like to look up on a name<br />
server, such as mx.example.com. In the Query Type field, select the type of DNS record, such as a<br />
typical "A" host address record, or "MX" for a mail server lookup.<br />
Click the Lookup button when ready to test. The name server should provide you with the IP<br />
address for the name you entered. If the result displayed shows "Unknown host", then the name<br />
you entered is not listed in the DNS records.<br />
If the name server cannot be contacted, check your DNS configuration in Basic Config -><br />
Network. To confirm that you have network connectivity to the DNS server, use the Ping and<br />
Traceroute utilities on the Status & Utility screen.<br />
SMTP Probe<br />
The SMTP (Simple Mail Transfer Protocol) Probe is used to test email connectivity with a remote<br />
SMTP server. This allows you to verify that the SMTP server is responding to connection requests<br />
and returning a valid response.<br />
In the SMTP Probe screen, you must enter the destination SMTP server, the envelope sender and<br />
recipient (MAIL FROM and RCPT TO), the HELO identifier, and the message data.<br />
Click the Send Message button to send the test message to the destination SMTP server. The<br />
response field then shows the server's reply to each step of the exchange.<br />
• SMTP Server — Enter the domain name of the destination SMTP server that you want to test.<br />
• Envelope-from (MAIL FROM) — The MAIL FROM part of the email message identifies the<br />
sender. Enter an email address indicating the sender of the message.<br />
• Envelope-to (RCPT TO) — The RCPT TO part of the email message identifies the recipient<br />
of the email. Enter an email address indicating the intended recipient of the message.<br />
• HELO — The HELO parameter is used to identify the SMTP Client to the SMTP Server. You<br />
can enter any value here, but the sending domain name of the server is usually specified.<br />
• Message to Send (DATA Command) — This contains the actual test message data. You can<br />
enter an optional subject to ensure a blank subject field is not sent.<br />
The response field will show the result of the SMTP diagnostic probe, including the response for<br />
each SMTP command sent:<br />
Sending mail...<br />
MAIL FROM:sender@example.com<br />
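The probe is the same sequence of commands any SMTP client sends, and the reply code to each command is what tells you at which stage delivery breaks down: a failed TCP connection points at the network or firewall, while a 5xx reply to RCPT TO means the remote server's recipient or relay policy is refusing the message. The following Python reproduces that exchange with the standard library's smtplib, records every reply and stops at the first command the server does not accept. It is an added example, not <strong>ePrism</strong>'s probe; the in-process server it talks to is a constructed stand-in that accepts only @example.com recipients so that the block runs offline, and the host, addresses and HELO name are placeholders.<br />

```python
"""SMTP probe: run HELO / MAIL FROM / RCPT TO / DATA against a server and keep each reply, as the
ePrism SMTP Probe screen does.  Added example, not ePrism code; the in-process server is a
constructed stand-in (accepts only @example.com recipients) so the block runs offline."""
import smtplib
import socketserver
import threading
from typing import List, Tuple

Step = Tuple[str, int, str]  # (command, reply code, reply text)


class _ConstructedSMTPHandler(socketserver.StreamRequestHandler):
    def _reply(self, text: str) -> None:
        self.wfile.write(text.encode() + b"\r\n")

    def handle(self) -> None:
        self._reply("220 mx.example.com ESMTP constructed test server")
        in_data = False
        while True:
            line = self.rfile.readline()
            if not line:
                return
            if in_data:  # message body runs until the lone "." line
                if line.rstrip(b"\r\n") == b".":
                    in_data = False
                    self._reply("250 2.0.0 Ok: queued")
                continue
            verb = line.strip().split(b":")[0].split(b" ")[0].upper()
            if verb in (b"HELO", b"EHLO"):
                self._reply("250 mx.example.com")
            elif verb == b"MAIL":
                self._reply("250 2.1.0 Ok")
            elif verb == b"RCPT":  # relay policy: accept local recipients only
                local = b"@example.com" in line.lower()
                self._reply("250 2.1.5 Ok" if local else "554 5.7.1 Relay access denied")
            elif verb == b"DATA":
                in_data = True
                self._reply("354 End data with <CR><LF>.<CR><LF>")
            elif verb == b"QUIT":
                self._reply("221 2.0.0 Bye")
                return


def start_constructed_server() -> Tuple[socketserver.TCPServer, int]:
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _ConstructedSMTPHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def smtp_probe(host: str, port: int, helo: str, mail_from: str, rcpt_to: str,
               message: str, timeout: float = 10.0) -> List[Step]:
    """Send the probe and record every reply; stop at the first command the server refuses."""
    transcript: List[Step] = []
    client = smtplib.SMTP(timeout=timeout)
    try:
        steps = [("CONNECT", lambda: client.connect(host, port), 220),
                 ("HELO", lambda: client.helo(helo), 250),
                 ("MAIL FROM", lambda: client.mail(mail_from), 250),
                 ("RCPT TO", lambda: client.rcpt(rcpt_to), 250),
                 ("DATA", lambda: client.data(message), 250)]  # data() raises if DATA is refused
        for step, send, expected in steps:
            code, text = send()
            transcript.append((step, code, text.decode(errors="replace")))
            if code != expected:
                break  # the failing step and its code say where delivery breaks down
    except OSError as exc:  # smtplib errors derive from OSError; so do refused/unreachable
        transcript.append(("ERROR", getattr(exc, "smtp_code", 0), str(exc)))
    finally:
        try:
            client.quit()
        except OSError:
            pass
    return transcript


def run_demo() -> Tuple[List[Step], List[Step]]:
    """Probe a local recipient (accepted) and an external one (refused at RCPT TO)."""
    srv, port = start_constructed_server()
    common = ("127.0.0.1", port, "eprism.example.com", "sender@example.com")
    msg = "Subject: ePrism probe\r\n\r\nconnectivity test\r\n"
    try:
        accepted = smtp_probe(*common, "postmaster@example.com", msg)
        refused = smtp_probe(*common, "someone@other.test", msg)
    finally:
        srv.shutdown()
        srv.server_close()
    return accepted, refused


if __name__ == "__main__":
    for transcript in run_demo():
        print(*transcript, sep="\n")
```

Against a real destination, call smtp_probe with the remote hostname and port 25 instead of the constructed server. The second run in run_demo ends with a 554 at RCPT TO: the network and the SMTP service are fine, and it is the remote relay policy that is refusing the message, which is exactly the distinction the probe is there to make.<br />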
Traceroute Utility<br />
Traceroute is used to see the routing steps between two hosts. If you are losing connectivity<br />
somewhere between the two hosts, you can use traceroute to see where along the path the packets<br />
stop getting through.<br />
The traceroute utility shows each network "hop" as the packets pass through each router on the way<br />
to the destination. If you are experiencing routing issues, the trace shows where exactly the<br />
communication is failing.<br />
Click the Traceroute button on the Status & Utility screen to trace the route to the specified host.<br />
Enter the IP address or hostname of the system you want to trace the route to, and then click the<br />
Traceroute button. Use Reset to reset the display.<br />
Troubleshooting Content Issues<br />
Once a message has been accepted by <strong>ePrism</strong>, it undergoes security processing before<br />
delivery to its final destination. Many of the security tools used by <strong>ePrism</strong>, such as anti-spam,<br />
content filtering, anti-virus scanning, and attachment control, can cause a message to be<br />
rejected, discarded, or quarantined without being delivered to the recipient's mailbox.<br />
If these tools are misconfigured, legitimate messages may be incorrectly rejected or<br />
quarantined. If you find that certain mail messages are being blocked when they should not be,<br />
check the following:<br />
• Is there a Specific Access Pattern or Pattern Based Message Filter rule that applies to the<br />
message?<br />
• Is the attachment type filtered via Attachment Control?<br />
• Are the spam controls (RBL, DCC, and STA) blocking the message?<br />
• Does a word from the OCF (Objectionable Content Filter) appear in the message?<br />
• Is the message over the maximum size limit?<br />
Mail History Database<br />
Every message that passes through <strong>ePrism</strong> generates a database entry that records how it was<br />
processed, filtered, quarantined, and so on. To see how a message was handled by <strong>ePrism</strong>,<br />
check the Mail History database for the disposition of the message.<br />
Using this information, you can find out which security processing is blocking the message, and<br />
then check the configuration and rules to ensure that they are set properly.<br />
Select Status/Reporting -> Reports -> Mail History to view processed messages. Examine the<br />
Journal column for full information on how a message was processed and its final disposition.<br />
Displaying Message Details<br />
Click on a QueueID number to view the details of a message. Dispositions and deferrals, if any, are<br />
listed below the details table in the Message Disposition section.<br />
APPENDIX A<br />
Using the <strong>ePrism</strong> System Console<br />
The <strong>ePrism</strong> system console provides a limited subset of administrative tasks and is only<br />
recommended for use during initial installation and network troubleshooting.<br />
Routine administration should be performed via the web browser administration interface.<br />
When accessing the system console, you will be prompted for the <strong>User</strong>ID and Password of the<br />
administrative user. When accessing the console for the first time after installation, the default<br />
settings are admin for the <strong>User</strong>ID and admin for the Password. Change this default password<br />
immediately after installation; the password can be changed from the browser administration interface.<br />
Activity Screen<br />
The console Activity screen provides you with basic activity and statistics information for this<br />
<strong>ePrism</strong> system.<br />
Press any key to log into the console using the admin login.<br />
Admin Menu<br />
The Admin Menu contains the following functions:<br />
• Exit — Exits the console.<br />
• Hardware Information — Displays the processor type, available memory, and network<br />
interface information.<br />
• Configure Interfaces — Modify the host and domain name, IP address, Gateway, DNS and<br />
NTP servers for all network interfaces.<br />
• Security Connection — Enables automatic updates from St. Bernard.<br />
• Shutdown — Shutdown <strong>ePrism</strong>.<br />
• Reboot — Shutdown and restart <strong>ePrism</strong>.<br />
• Switch to Text Mode — Switch from graphical mode to text mode.<br />
Diagnostics Menu<br />
The Diagnostics Menu contains the following functions:<br />
• Activity Display — Displays CPU usage, network traffic and mail message activity.<br />
• Ping — Allows you to test network connectivity to other systems via the ping utility. An IP<br />
address or host name can be used.<br />
• Traceroute — Displays the routing steps between your <strong>ePrism</strong> system and a destination host.<br />
• Reset Network Interface — Resets network interfaces. This function is useful for correcting<br />
connection issues.<br />
• Display Disk Usage — Displays the amount of used and available disk space.<br />
• Display System Processes — Displays information on processes running on the system.<br />
Repair Menu<br />
The Repair Menu contains the following functions:<br />
• Reset SSL Certificates — Sets certificate information back to the factory defaults. Any<br />
uploaded certificates or private keys will be lost.<br />
• Delete Strong Authentication for Admin — Removes strong authentication for the admin<br />
user login so that the console password alone is accepted. Because this function and Reset SSL<br />
Certificates are available to anyone who reaches the console, restrict physical and serial access<br />
to the appliance.<br />
Misc Menu<br />
The Miscellaneous Menu contains the following functions:<br />
• Set Time and Date — Sets the time and date for the system.<br />
• Set Time Zone — Sets your local time zone settings.<br />
• Configure UPS — Configure the link to an Uninterruptible Power Supply (UPS) for automatic<br />
shutdown in the event of a power failure.<br />
• Configure Web Admin — Modify the ports used to access the <strong>ePrism</strong> web browser<br />
administration interface.<br />
• Configure Serial Console — Configure a serial port for using the console over a serial<br />
connection. You must set your terminal program to the following values to use <strong>ePrism</strong>’s serial<br />
console:<br />
VT100 Emulation<br />
Baud Rate: 9600<br />
Data Bits: 8<br />
Parity: None<br />
Stop Bits: 1<br />
Flow Control: Hardware<br />
• Color Settings — Sets the colors for the console.<br />
APPENDIX B<br />
Restoring <strong>ePrism</strong> to Factory Default Settings<br />
<strong>ePrism</strong> can be returned to its factory defaults at any time. You may need to re-initialize the system<br />
if unrecoverable disk errors are found, or if you wish to perform a full restore.<br />
Caution! This procedure should only be used after consultation with St. Bernard<br />
technical support. You will lose ALL your configuration data and stored mail if you have<br />
not backed it up.<br />
Re-initialize the system as follows:<br />
1. Select Management -> Reboot and Shutdown on the menu.<br />
2. Click the Reboot button, and the system will reboot.<br />
3. When the system restarts, go to the system console and press F1 "Restore" to restore the<br />
system to factory defaults.<br />
Note: Press "r" to reinstall if you upgraded to 5.0 from a previous version and are<br />
using an older boot menu.<br />
4. Press Enter to select graphics mode when prompted.<br />
5. An informational screen will appear. Select OK to continue.<br />
6. Select a keyboard type.<br />
7. Select Auto (to auto partition your drives) or Custom and press Enter. Select OK to confirm.<br />
8. Select OK at the information screen: "You can install from CDROM…".<br />
9. Use the arrow keys to select Hard Drive from the options and press Enter.<br />
10. When the procedure is complete, an information message will appear: "St. Bernard’s software<br />
has now been loaded….".<br />
11. Select OK and the system will restart.<br />
The system will now be restarted with the factory default configuration. Proceed with the<br />
installation and configuration of the system. See the <strong>ePrism</strong> 5.0 Installation <strong>Guide</strong> for detailed<br />
information on the install procedure.<br />
APPENDIX C<br />
Message Processing Order<br />
The following list describes the full order in which incoming emails are processed by <strong>ePrism</strong>:<br />
1. Reject on unauth pipelining (Reject)<br />
2. Reject on unknown sender domain (Reject, no other filter check)<br />
3. Reject on missing reverse DNS (Reject, no other filter check)<br />
4. Reject on non FQDN sender (Reject, no other filter check)<br />
5. Reject on Unknown Recipient (Reject)<br />
6. SAP (Specific Access Patterns - Reject)<br />
7. Reject on missing addresses<br />
8. Check if number of recipients exceeds maximum (Reject, no other filter check)<br />
9. Check if message size exceeds maximum (Reject, no other filter check)<br />
10. Very Malformed<br />
11. Anti-Virus<br />
12. Malformed<br />
13. Attachment Control<br />
14. OCF (Objectionable Content Filter)<br />
15. PBMF (Pattern Based Message Filter - High)<br />
16. PBMF (Pattern Based Message Filter - Medium)<br />
17. Trusted Senders List<br />
18. PBMF (Pattern Based Message Filter - Low)<br />
19. SAP (Specific Access Patterns - Trusted/Allow)<br />
20. Messages from the Trusted network<br />
21. SPF (Sender Policy Framework)<br />
22. RBL (Realtime Blackhole List)<br />
23. DCC (Distributed Checksum Clearinghouse)<br />
24. STA (Statistical Token Analysis - High)<br />
25. STA (Statistical Token Analysis - Low)<br />
APPENDIX D<br />
Customizing Notification and Annotation Messages<br />
The following <strong>ePrism</strong> notifications and annotations can be customized with system variables:<br />
• Message Annotation — Configured via Mail Delivery -> Delivery Settings screen.<br />
• Delivery Failure Notification — Configured via Mail Delivery -> Delivery Settings<br />
screen.<br />
• Delivery Delay Warning — Configured via Mail Delivery -> Delivery Settings screen<br />
• Virus Detection Notification — Configured via Mail Delivery -> Anti-Virus screen.<br />
Messages can be specified for inbound or outbound mail.<br />
• Attachment Control Notification — Configured via Mail Delivery -> Attachment<br />
Control screen. Messages can be specified for inbound or outbound mail.<br />
• Malformed Mail Notification — Configured via Mail Delivery -> Malformed Mail<br />
screen.<br />
• OCF Notification Messages — Configured via Mail Delivery -> Anti-Spam -> OCF<br />
screen. Messages can be specified for inbound or outbound mail.<br />
• Spam Quarantine Notifications — Configured via Mail Delivery -> Anti-Spam -> Spam<br />
Quarantine screen.<br />
• SMTP Banner — Configured via Mail Delivery -> Mail Access.<br />
Message Variables<br />
You can use variables to control the content of messages. <strong>ePrism</strong> will substitute your local settings<br />
for the variables at the time the message is sent. The following variables are available:<br />
TABLE 1. <strong>ePrism</strong> System Variables<br />
Variable | Value | Example<br />
%PROGRAM% or %PRODUCT% | St. Bernard <strong>ePrism</strong> Email Security Appliance | n/a<br />
%HOSTNAME% | Hostname entered on the Network Settings screen | mail.example.com<br />
%POSTMASTER_MAIL_ADDR% | Email address of the admin user | admin@example.com<br />
%DELAY_WARN_TIME% | In Delivery Settings - Time before Delay Warning | 4 hours<br />
%MAX_QUEUE_TIME% | In Delivery Settings - Maximum Time in Mail Queue | 5 days<br />
%S_YOU% (%SENDER%) | "you"; mail address of sender | sender@example.com<br />
%R_YOU% (%RECIPIENT%) | "you"; mail address of recipient | recipient@example.com<br />
%SPAM_FOLDER% | The name of the spam folder for the user spam quarantine | spam_quarantine<br />
%SPAM_EXPIRY% | The number of days before quarantined spam is expired | 30<br />
%SPAM_MESSAGES% | The information for a spam message (Date, From, Subject) | 05/27/04, joe@example.com, File for you<br />
%DISPN% | Disposition or Action | quarantined<br />
%WEBMAIL_URL% | The URL of the configured WebMail server | http://owa.example.com/exchange/<br />
APPENDIX E<br />
Performance Tuning<br />
There are several factors that can affect the performance of your <strong>ePrism</strong> system:<br />
• Network bandwidth<br />
• Number of allowed SMTP connections<br />
• Usage of background processes such as Reporting and <strong>ePrism</strong> Mail Client<br />
• Internet unpredictability: Mail can often arrive in bursts of activity, with only a few messages<br />
arriving one minute, and several hundred the next. In the event of a network outage, such as a<br />
failed router, the amount of queued mail that arrives after the router is back online can be very<br />
large.<br />
• Internet performance: SMTP clients can be very slow at connecting, and the connection may<br />
be disconnected before it is complete.<br />
• The time to process a message is also affected by the size of the email and its attachments.<br />
• Amount of system resources (Processing power, RAM, and disk space)<br />
These factors must be carefully considered when tuning a system for optimal performance. If an<br />
<strong>ePrism</strong> system is optimized for throughput to handle high mail loads, other aspects of the system<br />
may suffer from increased latency issues, such as reporting, WebMail/<strong>ePrism</strong> Mail Client access,<br />
and the possibility of dropped connections by clients who cannot connect to a busy system.<br />
Similarly, allocating too many resources to resolve latency issues will affect mail throughput<br />
performance.<br />
Caution! Modifying certain parameters may affect the performance of other aspects of the<br />
system, and it is recommended that you only change these settings to resolve specific<br />
performance issues with guidance from St. Bernard Technical Support. Do NOT<br />
experiment with these settings, as you may render your system unusable.<br />
Setting Default Performance Settings<br />
When <strong>ePrism</strong> is installed and initialized, you must select the default profile for your system, such as<br />
an "MX800 with mail scanning only", or an "MX800 with WebMail".<br />
You may need to change your settings if you enable or disable the use of WebMail after your initial<br />
installation.<br />
Select Basic Config -> Performance on the menu to configure your Performance tuning settings.<br />
Advanced Settings<br />
Click the Advanced button if you need to adjust any of the individual parameters to create a<br />
custom setting.<br />
Maximum Number of Processes<br />
This parameter specifies the maximum number of concurrent processes that implement Postfix<br />
services. This setting limits the number of connections accepted by smtpd, and the number of<br />
outgoing SMTP connections. If this number is set too large, you may run out of swap space.<br />
TABLE 1. Maximum Number of Processes<br />
System Recommended Value Description<br />
M1000 25 (default) This is the default setting and should not be modified.<br />
M2000 50-100 Set this parameter to 50 for a site using <strong>ePrism</strong> Mail<br />
Client and medium mail traffic load. Select a value<br />
up to 100 for a high mail traffic load.<br />
M3000 100-150 Set to 100 for a site using <strong>ePrism</strong> Mail Client and<br />
medium mail traffic load. Set up to 150 for a high<br />
mail traffic load.<br />
M4000 200-250 Set to 200 for a site using <strong>ePrism</strong> Mail Client and<br />
medium mail traffic load. Set up to 250 for a high<br />
mail traffic load.<br />
Maximum Number of Parallel Deliveries<br />
This parameter specifies the maximum number of outgoing SMTP connections to the same<br />
destination. This setting helps limit the number of outgoing connections. The value must be less<br />
than the maximum number of processes, or performance will be degraded.<br />
TABLE 2. Maximum Number of Parallel Deliveries<br />
System Recommended Value Description<br />
M1000 10 (default) This is the default setting and should not be modified.<br />
M2000 10 You should only increase this value if you are having<br />
problems delivering enough mail to the internal<br />
server<br />
M3000/4000 10<br />
Maximum Number of Mail Scanners<br />
This parameter specifies the maximum number of mail scanners that can run simultaneously.<br />
This setting limits the overall mail processing and memory footprint. Setting this value too high or<br />
too low may result in reduced performance. Valid settings are from 2 - 20.<br />
TABLE 3. Maximum Number of Mail Scanners<br />
System Recommended Value Description<br />
M1000 4 (default) This is the default setting and should not be modified.<br />
M2000 6 Increase this value to a maximum of 8 only if performance<br />
is an issue.<br />
M3000/4000 6 Increase this value to a maximum of 10 only if performance<br />
is an issue.<br />
Raise Priority of Heavy Weight Processes<br />
Increasing the priority of heavyweight processes can increase performance and <strong>ePrism</strong> Mail Client<br />
response times, but it can reduce the processing resources for other mail processes if it is set too<br />
high. Valid settings are from a default priority of 0 to a maximum priority of 20.<br />
TABLE 4. Raise Priority of Heavy Weight Processes<br />
System Recommended Value Description<br />
M1000 0 (default) This is the default setting and should<br />
not be modified.<br />
M2000 5 Only change this from the default<br />
value if <strong>ePrism</strong> Mail Client is not<br />
being used, and you need to devote<br />
more resources to message handling.<br />
M3000/4000 10 Set this value to 5 if using <strong>ePrism</strong><br />
Mail Client and/or performance is not<br />
an issue.<br />
Number of Heavy Weight Processes<br />
This parameter specifies the maximum number of heavy weight mail scanning processes that can<br />
be run simultaneously.<br />
Valid settings are from 1 (Default) - 6 (maximum processes).<br />
Setting a value greater than 2 will not improve performance, and changing this value from the<br />
default setting is not recommended.<br />
Performance Tuning<br />
Number of DB Proxies<br />
This parameter specifies the maximum number of database proxies that can be used by the mail<br />
scanning processes. This value is relative to the Maximum Number of Processes setting, and should<br />
be increased in conjunction with increases in the number of maximum processes.<br />
Valid settings range from 2 (default) to 12 (maximum); however, setting this value above 8 yields diminishing performance returns.<br />
TABLE 5. Number of DB Proxies<br />
System | Recommended Value | Description<br />
M1000 | 4 (default) | This is the default setting and should not be modified.<br />
M2000 | 4 | If increasing Maximum Number of Processes above 50, then set this value to 6.<br />
M3000/4000 | 8 | If increasing Maximum Number of Processes to 150, then set this value to 10.<br />
SMTP Connect Timeout<br />
This SMTP parameter specifies the amount of time, in seconds, allowed for an SMTP client to complete a TCP connection before the connection is dropped; that is, how long <strong>ePrism</strong> will wait for a response before timing out. The default is 0, but there is an overall system timeout of 5 minutes for SMTP connections. Increasing this value may help sites that have a slow Internet connection.<br />
SMTP HELO Timeout<br />
This SMTP parameter specifies the amount of time, in seconds, allowed for receiving the SMTP greeting banner before the connection is dropped. The default is 300 seconds, which means that <strong>ePrism</strong> will wait 5 minutes to receive the initial SMTP HELO message before timing out. A lower timeout value may increase performance by freeing up connections sooner; a higher value may help sites that have a slow Internet connection.<br />
SMTPD Timeout<br />
This SMTP parameter specifies the amount of time, in seconds, to send an SMTP server response<br />
and to receive an SMTP client request before dropping the connection. The default is 300 seconds.<br />
When <strong>ePrism</strong> connects to another mail server to deliver mail, it will drop the connection if it takes<br />
more than 5 minutes to receive a response. A lower value may increase performance by freeing up<br />
connections. Increasing this value may help with sites which have a slow Internet connection.<br />
Size of Temporary Files Filesystem<br />
Specify the size of the /tmp filesystem at system startup. This setting affects the maximum size of<br />
attachments that may be scanned, and should only be used if you are having problems with<br />
scanning large files. If you increase this setting beyond the amount of physical RAM, system<br />
performance will be degraded due to excessive swapping. You must monitor your system<br />
performance if this setting is used.<br />
Size of Shared Memory block allocated to Database<br />
Specify the size of the shared memory block to make available to the database. Increasing this<br />
value increases the speed of database operations at the cost of having less memory available for<br />
other purposes. Increase this value if you are increasing the number of messages that will be stored<br />
in the email database.<br />
Note: If you change the size of the temp file system or the shared memory block, the system must be restarted before the new settings take effect.<br />
APPENDIX F<br />
SNMP MIBS<br />
The following sections describe the statistics available from <strong>ePrism</strong>’s SNMP MIBS. The MIB files can be downloaded from Basic Config -> SNMP Configuration by clicking the Download MIBS button.<br />
Note: The MIB files are based on SNMP version 2, and are backwards compatible with<br />
version 1.<br />
MIB Files Summary<br />
The following sections contain a summary of the MIB file entries.<br />
Memory Usage and Reporting<br />
TABLE 1. Memory Usage and Reporting<br />
Object | Description<br />
memTotalSwap | Total Swap Size configured for the host<br />
memAvailSwap | Available Swap Space on the host<br />
memTotalReal | Total Real/Physical Memory Size on the host<br />
memAvailReal | Available Real/Physical Memory Space on the host<br />
memTotalSwapTXT | Total virtual memory used by text<br />
memAvailSwapTXT | Active virtual memory used by text<br />
memTotalRealTXT | Total Real/Physical Memory Size used by text<br />
memAvailRealTXT | Active Real/Physical Memory Space used by text<br />
memTotalFree | Total Available Memory on the host<br />
memMinimumSwap | Minimum amount of swap space that must remain free<br />
memShared | Total Shared Memory<br />
memBuffer | Total Buffered Memory<br />
memCached | Total Cached Memory<br />
memSwapError | Error flag indicating very little swap space left<br />
memSwapErrorMsg | Error message describing the Error Flag condition<br />
Disk Information<br />
TABLE 2. Disk Information<br />
Object | Description<br />
dskIndex | Integer reference number (row number) for the disk MIB.<br />
dskPath | Path where the disk is mounted.<br />
dskDevice | Path of the device for the partition.<br />
dskMinimum | Minimum space required on the disk (in kBytes) before errors are triggered.<br />
dskMinPercent | Percentage of minimum space required on the disk before errors are triggered.<br />
dskTotal | Total size of the disk/partition (kBytes).<br />
dskAvail | Available space on the disk.<br />
dskUsed | Used space on the disk.<br />
dskPercent | Percentage of space used on disk.<br />
dskPercentNode | Percentage of inodes used on disk.<br />
dskErrorFlag | Error flag signaling that the disk or partition is under the minimum required space configured for it.<br />
dskErrorMsg | A text description providing a warning and the space left on the disk.<br />
System Statistics<br />
TABLE 3. System Statistics<br />
Object | Description<br />
ssIndex | Reference Index for each observed system statistic<br />
ssErrorName | The list of system statistic names being counted<br />
ssSwapIn | Amount of memory swapped in from disk (KB/s)<br />
ssSwapOut | Amount of memory swapped to disk (KB/s)<br />
The SNMP agent implements only those of the following statistics that the running kernel supports, so not all of these objects will be available on every system.<br />
TABLE 4. System Statistics If Supported by Kernel<br />
Object | Description<br />
ssCpuRawUser | User CPU time<br />
ssCpuRawNice | Nice CPU time<br />
ssCpuRawSystem | System CPU time<br />
ssCpuRawIdle | Idle CPU time<br />
ssCpuRawWait | IOwait CPU time<br />
ssCpuRawKernel | Kernel CPU time<br />
ssCpuRawInterrupt | Interrupt level CPU time<br />
ssIORawSent | Number of requests sent to a block device<br />
ssIORawReceived | Number of requests received from a block device<br />
ssRawInterrupts | Number of interrupts processed<br />
ssRawContexts | Number of context switches<br />
Alarm Objects<br />
TABLE 5. Alarm Objects<br />
Object | Description<br />
alTriggerAlarm | The flag to trigger an alarm<br />
alLastChange | The time value when the alarm condition occurs<br />
alName | A textual string containing the name of the alarm<br />
alRemoteIpAddr | Source IP address<br />
alDestPort | Destination port number<br />
alAlarm | The alarm trap<br />
Mail System Objects<br />
Current Mail Data<br />
TABLE 6. Current Mail Data<br />
Object | Description<br />
queuedMessages | The number of queued mail messages.<br />
deferredMessages | The number of deferred mail messages.<br />
totalMessages | The total number of mail messages.<br />
Historical Mail Data<br />
TABLE 7. Historical Mail Data<br />
Object | Description<br />
mailIndex | The value of this object uniquely identifies each mail stats entry.<br />
mailInterval | Time interval pertaining to the data in this sequence.<br />
mailRcvd | Number of received messages for this interval.<br />
mailSent | Number of sent messages for this interval.<br />
mailSpam | Number of spam messages for this interval.<br />
mailReject | Number of rejected messages for this interval.<br />
mailVirus | Number of messages identified as containing a virus for this interval.<br />
mailClean | Number of clean messages for this interval.<br />
Traps<br />
<strong>ePrism</strong> will send an SNMP trap on a system reboot.<br />
MIB OID Values<br />
The following describes the SNMP MIB OID values:<br />
.1.3.6.1.4.1.8673 -><br />
.1.1.100.1.0 = bwProducts.bwFirewall.bwAlarm.alTriggerAlarm.0 = INTEGER: 0<br />
.1.1.100.4.0 = bwProducts.bwFirewall.bwAlarm.alLastChange.0 = STRING: 0-1-1,0:0:0.0<br />
.1.1.100.9.0 = bwProducts.bwFirewall.bwAlarm.alName.0 = STRING: None<br />
.1.1.100.10.0 = bwProducts.bwFirewall.bwAlarm.alRemoteIpAddr.0 = IpAddress: 0.0.0.0<br />
.1.1.100.15.0 = bwProducts.bwFirewall.bwAlarm.alDestPort.0 = INTEGER: 0<br />
.1.11.10.1.1.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailInterval.1 = STRING: Hour<br />
.1.11.10.1.1.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailInterval.2 = STRING: Day<br />
.1.11.10.1.1.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailInterval.3 = STRING: Week<br />
.1.11.10.1.2.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailRcvd.1 = Counter32: 5<br />
.1.11.10.1.2.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailRcvd.2 = Counter32: 12<br />
.1.11.10.1.2.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailRcvd.3 = Counter32: 42<br />
.1.11.10.1.3.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailSent.1 = Counter32: 7<br />
.1.11.10.1.3.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailSent.2 = Counter32: 19<br />
.1.11.10.1.3.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailSent.3 = Counter32: 50<br />
.1.11.10.1.4.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailSpam.1 = Counter32: 0<br />
.1.11.10.1.4.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailSpam.2 = Counter32: 0<br />
.1.11.10.1.4.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailSpam.3 = Counter32: 0<br />
.1.11.10.1.5.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailReject.1 = Counter32: 0<br />
.1.11.10.1.5.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailReject.2 = Counter32: 0<br />
.1.11.10.1.5.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailReject.3 = Counter32: 5<br />
.1.11.10.1.6.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailVirus.1 = Counter32: 0<br />
.1.11.10.1.6.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailVirus.2 = Counter32: 0<br />
.1.11.10.1.6.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailVirus.3 = Counter32: 0<br />
.1.11.10.1.7.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailClean.1 = Counter32: 0<br />
.1.11.10.1.7.2 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailClean.2 = Counter32: 3<br />
.1.11.10.1.7.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailClean.3 = Counter32: 4<br />
.1.11.10.2.1 = bwProducts.bwMailFirewall.mailTable.mailStatus.queuedMessages = Counter32: 0<br />
.1.11.10.2.2 = bwProducts.bwMailFirewall.mailTable.mailStatus.deferredMessages = Counter32: 0<br />
.1.11.10.2.3 = bwProducts.bwMailFirewall.mailTable.mailStatus.totalMessages = Counter32: 0<br />
.4.1.0 = bwSysMemory.memIndex.0 = INTEGER: 0<br />
.4.2.0 = bwSysMemory.memErrorName.0 = STRING: swap<br />
.4.3.0 = bwSysMemory.memTotalSwap.0 = INTEGER: 262016<br />
.4.4.0 = bwSysMemory.memAvailSwap.0 = INTEGER: 260928<br />
.4.5.0 = bwSysMemory.memTotalReal.0 = INTEGER: 104264<br />
.4.6.0 = bwSysMemory.memAvailReal.0 = INTEGER: 46684<br />
.4.11.0 = bwSysMemory.memTotalFree.0 = INTEGER: 46696<br />
.4.12.0 = bwSysMemory.memMinimumSwap.0 = INTEGER: 16000<br />
.4.13.0 = bwSysMemory.memShared.0 = INTEGER: 29000<br />
.4.14.0 = bwSysMemory.memBuffer.0 = INTEGER: 22640<br />
.4.15.0 = bwSysMemory.memCached.0 = INTEGER: 12<br />
.4.100.0 = bwSysMemory.memSwapError.0 = INTEGER: 0<br />
.4.101.0 = bwSysMemory.memSwapErrorMsg.0 = STRING:<br />
.9.1.1.1 = dskTable.dskEntry.dskIndex.1 = INTEGER: 1<br />
.9.1.1.2 = dskTable.dskEntry.dskIndex.2 = INTEGER: 2<br />
.9.1.1.3 = dskTable.dskEntry.dskIndex.3 = INTEGER: 3<br />
.9.1.1.4 = dskTable.dskEntry.dskIndex.4 = INTEGER: 4<br />
.9.1.2.1 = dskTable.dskEntry.dskPath.1 = STRING: /server/mail<br />
.9.1.2.2 = dskTable.dskEntry.dskPath.2 = STRING: /server/ftp/log<br />
.9.1.2.3 = dskTable.dskEntry.dskPath.3 = STRING: /var<br />
.9.1.2.4 = dskTable.dskEntry.dskPath.4 = STRING: /backup<br />
.9.1.3.1 = dskTable.dskEntry.dskDevice.1 = STRING: /dev/ad0s2e<br />
.9.1.3.2 = dskTable.dskEntry.dskDevice.2 = STRING: /dev/ad0s2d<br />
.9.1.3.3 = dskTable.dskEntry.dskDevice.3 = STRING: /dev/ad0s2f<br />
.9.1.3.4 = dskTable.dskEntry.dskDevice.4 = STRING: /dev/ad0s2g<br />
.9.1.4.1 = dskTable.dskEntry.dskMinimum.1 = INTEGER: -1<br />
.9.1.4.2 = dskTable.dskEntry.dskMinimum.2 = INTEGER: -1<br />
.9.1.4.3 = dskTable.dskEntry.dskMinimum.3 = INTEGER: -1<br />
.9.1.4.4 = dskTable.dskEntry.dskMinimum.4 = INTEGER: -1<br />
.9.1.5.1 = dskTable.dskEntry.dskMinPercent.1 = INTEGER: 10<br />
.9.1.5.2 = dskTable.dskEntry.dskMinPercent.2 = INTEGER: 10<br />
.9.1.5.3 = dskTable.dskEntry.dskMinPercent.3 = INTEGER: 10<br />
.9.1.5.4 = dskTable.dskEntry.dskMinPercent.4 = INTEGER: 10<br />
.9.1.6.1 = dskTable.dskEntry.dskTotal.1 = INTEGER: 2834414<br />
.9.1.6.2 = dskTable.dskEntry.dskTotal.2 = INTEGER: 2834414<br />
.9.1.6.3 = dskTable.dskEntry.dskTotal.3 = INTEGER: 2834414<br />
.9.1.6.4 = dskTable.dskEntry.dskTotal.4 = INTEGER: 2834414<br />
.9.1.7.1 = dskTable.dskEntry.dskAvail.1 = INTEGER: 2607590<br />
.9.1.7.2 = dskTable.dskEntry.dskAvail.2 = INTEGER: 2576054<br />
.9.1.7.3 = dskTable.dskEntry.dskAvail.3 = INTEGER: 2499830<br />
.9.1.7.4 = dskTable.dskEntry.dskAvail.4 = INTEGER: 2607660<br />
.9.1.8.1 = dskTable.dskEntry.dskUsed.1 = INTEGER: 72<br />
.9.1.8.2 = dskTable.dskEntry.dskUsed.2 = INTEGER: 31608<br />
.9.1.8.3 = dskTable.dskEntry.dskUsed.3 = INTEGER: 107832<br />
.9.1.8.4 = dskTable.dskEntry.dskUsed.4 = INTEGER: 2<br />
.9.1.9.1 = dskTable.dskEntry.dskPercent.1 = INTEGER: 0<br />
.9.1.9.2 = dskTable.dskEntry.dskPercent.2 = INTEGER: 1<br />
.9.1.9.3 = dskTable.dskEntry.dskPercent.3 = INTEGER: 4<br />
.9.1.9.4 = dskTable.dskEntry.dskPercent.4 = INTEGER: 0<br />
.9.1.100.1 = dskTable.dskEntry.dskErrorFlag.1 = INTEGER: 0<br />
.9.1.100.2 = dskTable.dskEntry.dskErrorFlag.2 = INTEGER: 0<br />
.9.1.100.3 = dskTable.dskEntry.dskErrorFlag.3 = INTEGER: 0<br />
.9.1.100.4 = dskTable.dskEntry.dskErrorFlag.4 = INTEGER: 0<br />
.9.1.101.1 = dskTable.dskEntry.dskErrorMsg.1 = STRING:<br />
.9.1.101.2 = dskTable.dskEntry.dskErrorMsg.2 = STRING:<br />
.9.1.101.3 = dskTable.dskEntry.dskErrorMsg.3 = STRING:<br />
.9.1.101.4 = dskTable.dskEntry.dskErrorMsg.4 = STRING:<br />
.11.1.0 = systemStats.ssIndex.0 = INTEGER: 1<br />
.11.2.0 = systemStats.ssErrorName.0 = STRING: systemStats<br />
.11.3.0 = systemStats.ssSwapIn.0 = INTEGER: 0<br />
.11.4.0 = systemStats.ssSwapOut.0 = INTEGER: 0<br />
.11.7.0 = systemStats.ssSysInterrupts.0 = INTEGER: 233<br />
.11.8.0 = systemStats.ssSysContext.0 = INTEGER: 49<br />
.11.9.0 = systemStats.ssCpuUser.0 = INTEGER: 1<br />
.11.10.0 = systemStats.ssCpuSystem.0 = INTEGER: 7<br />
.11.11.0 = systemStats.ssCpuIdle.0 = INTEGER: 91<br />
.11.50.0 = systemStats.ssCpuRawUser.0 = Counter32: 483<br />
.11.51.0 = systemStats.ssCpuRawNice.0 = Counter32: 0<br />
.11.52.0 = systemStats.ssCpuRawSystem.0 = Counter32: 2859<br />
.11.53.0 = systemStats.ssCpuRawIdle.0 = Counter32: 20860<br />
.11.55.0 = systemStats.ssCpuRawKernel.0 = Counter32: 2752<br />
.11.56.0 = systemStats.ssCpuRawInterrupt.0 = Counter32: 107<br />
.11.59.0 = systemStats.ssRawInterrupts.0 = Counter32: 47574<br />
.11.60.0 = systemStats.ssRawContexts.0 = Counter32: 10795<br />
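To show how a monitoring job would consume the listing above, the following is an added Python example; it is not code from the <strong>ePrism</strong> guide or its vendor. It parses the suffix / symbolic name / typed value lines exactly as printed under the enterprise root .1.3.6.1.4.1.8673, keys them by the object names from the MIB tables earlier in this appendix, computes the rejected-to-received ratio for each mailInterval row, and reports findings on alTriggerAlarm, memSwapError, dskErrorFlag and the mailStatus queue counters. Both sample dumps are constructed: the healthy one copies values from the page, the alerting one invents a nearly full /var partition and a backed-up queue. The 90% disk and 1000-message queue thresholds are assumptions for the example, not product defaults.<br />

```python
"""Parse an ePrism-style SNMP MIB dump and run simple health checks on it.

Added example, not code from the ePrism guide or its vendor. It reads the
"<suffix> = <object path> = <TYPE>: <value>" lines shown under MIB OID Values,
all relative to the enterprise root .1.3.6.1.4.1.8673.
"""
import re
from collections import defaultdict

ENTERPRISE_ROOT = ".1.3.6.1.4.1.8673"  # root OID shown on the page

# One dump line: OID suffix, symbolic path, SNMP type, value (may be empty).
LINE_RE = re.compile(
    r"^(?P<suffix>\.[0-9.]+) = (?P<path>[A-Za-z0-9.]+) = "
    r"(?P<type>[A-Za-z0-9]+):\s*(?P<value>.*)$"
)

# Constructed sample in the page's layout, using values the page prints.
SAMPLE_DUMP = """\
.1.1.100.1.0 = bwProducts.bwFirewall.bwAlarm.alTriggerAlarm.0 = INTEGER: 0
.1.11.10.1.1.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailInterval.1 = STRING: Hour
.1.11.10.1.1.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailInterval.3 = STRING: Week
.1.11.10.1.2.1 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailRcvd.1 = Counter32: 5
.1.11.10.1.2.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailRcvd.3 = Counter32: 42
.1.11.10.1.5.3 = bwProducts.bwMailFirewall.mailTable.mailEntry.mailReject.3 = Counter32: 5
.1.11.10.2.1 = bwProducts.bwMailFirewall.mailTable.mailStatus.queuedMessages = Counter32: 0
.4.100.0 = bwSysMemory.memSwapError.0 = INTEGER: 0
.4.101.0 = bwSysMemory.memSwapErrorMsg.0 = STRING:
.9.1.2.1 = dskTable.dskEntry.dskPath.1 = STRING: /server/mail
.9.1.2.3 = dskTable.dskEntry.dskPath.3 = STRING: /var
.9.1.9.3 = dskTable.dskEntry.dskPercent.3 = INTEGER: 4
.9.1.100.3 = dskTable.dskEntry.dskErrorFlag.3 = INTEGER: 0
.9.1.101.3 = dskTable.dskEntry.dskErrorMsg.3 = STRING:
"""

# Constructed unhealthy sample (values invented): /var has tripped its
# minimum-space check, swap is short, and the mail queue is backing up.
ALERTING_DUMP = """\
.1.11.10.2.1 = bwProducts.bwMailFirewall.mailTable.mailStatus.queuedMessages = Counter32: 1500
.1.11.10.2.2 = bwProducts.bwMailFirewall.mailTable.mailStatus.deferredMessages = Counter32: 900
.4.100.0 = bwSysMemory.memSwapError.0 = INTEGER: 1
.4.101.0 = bwSysMemory.memSwapErrorMsg.0 = STRING: Running out of swap space (16000)
.9.1.2.3 = dskTable.dskEntry.dskPath.3 = STRING: /var
.9.1.9.3 = dskTable.dskEntry.dskPercent.3 = INTEGER: 96
.9.1.100.3 = dskTable.dskEntry.dskErrorFlag.3 = INTEGER: 1
.9.1.101.3 = dskTable.dskEntry.dskErrorMsg.3 = STRING: /var: less than 10% free
"""


def _convert(snmp_type, raw):
    """Numeric SNMP types become int; STRING and IpAddress stay text."""
    if snmp_type in ("INTEGER", "Counter32", "Counter64", "Gauge32"):
        return int(raw)
    return raw


def parse_dump(text):
    """Return ({object: {index: value}}, {object: {index: full OID}}).

    A trailing numeric path component is the instance index (0 for scalars
    such as alTriggerAlarm.0, the row number for dskPath.3); the mailStatus
    scalars carry no index and are stored under None.
    """
    values, oids = defaultdict(dict), defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort the poll
        parts = m.group("path").split(".")
        if parts[-1].isdigit():
            name, index = parts[-2], int(parts[-1])
        else:
            name, index = parts[-1], None
        values[name][index] = _convert(m.group("type"), m.group("value"))
        oids[name][index] = ENTERPRISE_ROOT + m.group("suffix")
    return dict(values), dict(oids)


def reject_ratio(values):
    """Rejected/received fraction per mailInterval label; missing counters read as 0."""
    out = {}
    for idx, label in values.get("mailInterval", {}).items():
        rcvd = values.get("mailRcvd", {}).get(idx, 0)
        rejected = values.get("mailReject", {}).get(idx, 0)
        out[label] = rejected / rcvd if rcvd else 0.0
    return out


def health_findings(values, disk_warn_pct=90, queue_warn=1000):
    """Evaluate the MIB's own error flags plus two assumed operational thresholds."""
    findings = []
    if values.get("alTriggerAlarm", {}).get(0):
        findings.append("alarm raised: %s" % values.get("alName", {}).get(0, "?"))
    if values.get("memSwapError", {}).get(0):
        findings.append("swap: %s" % values["memSwapErrorMsg"][0])
    for idx, flag in values.get("dskErrorFlag", {}).items():
        if flag:  # the agent's configured minimum-space check has tripped
            findings.append("disk %s: %s" % (values["dskPath"][idx], values["dskErrorMsg"][idx]))
    for idx, pct in values.get("dskPercent", {}).items():
        if pct >= disk_warn_pct:
            findings.append("disk %s at %d%% used" % (values["dskPath"][idx], pct))
    for counter in ("queuedMessages", "deferredMessages"):
        count = values.get(counter, {}).get(None, 0)
        if count > queue_warn:
            findings.append("%s=%d exceeds %d" % (counter, count, queue_warn))
    return findings


if __name__ == "__main__":
    healthy, oid_map = parse_dump(SAMPLE_DUMP)
    print(oid_map["queuedMessages"][None])  # full OID of the queue counter
    print(reject_ratio(healthy), health_findings(healthy) or "no findings")
    for finding in health_findings(parse_dump(ALERTING_DUMP)[0]):
        print(finding)
```

The parser deliberately keeps the full OID beside each value, so a poller can switch from the symbolic dump to numeric GETs against the same objects once the MIB files from Basic Config -> SNMP Configuration are loaded.<br />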
APPENDIX G<br />
Third Party Copyrights<br />
and Licenses<br />
Apache<br />
Apache License<br />
Version 2.0, January 2004<br />
http://www.apache.org/licenses/<br />
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION<br />
1. Definitions.<br />
"License" shall mean the terms and conditions for use, reproduction, and<br />
distribution as defined by Sections 1 through 9 of this document.<br />
"Licensor" shall mean the copyright owner or entity authorized by the copyright<br />
owner that is granting the License.<br />
"Legal Entity" shall mean the union of the acting entity and all other entities that<br />
control, are controlled by, or are under common control with that entity. For the<br />
purposes of this definition, "control" means (i) the power, direct or indirect, to<br />
cause the direction or management of such entity, whether by contract or otherwise,<br />
or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii)<br />
beneficial ownership of such entity.<br />
"You" (or "Your") shall mean an individual or Legal Entity exercising permissions<br />
granted by this License.<br />
"Source" form shall mean the preferred form for making modifications, including but<br />
not limited to software source code, documentation source, and configuration files.<br />
"Object" form shall mean any form resulting from mechanical transformation or<br />
translation of a Source form, including but not limited to compiled object code,<br />
generated documentation, and conversions to other media types.<br />
"Work" shall mean the work of authorship, whether in Source or Object form, made<br />
available under the License, as indicated by a copyright notice that is included in or<br />
attached to the work (an example is provided in the Appendix below).<br />
"Derivative Works" shall mean any work, whether in Source or Object form, that is<br />
based on (or derived from) the Work and for which the editorial revisions,<br />
annotations, elaborations, or other modifications represent, as a whole, an original<br />
work of authorship. For the purposes of this License, Derivative Works shall not<br />
include works that remain separable from, or merely link (or bind by name) to the<br />
interfaces of, the Work and Derivative Works thereof.<br />
"Contribution" shall mean any work of authorship, including the original version of<br />
the Work and any modifications or additions to that Work or Derivative Works thereof,<br />
that is intentionally submitted to Licensor for inclusion in the Work by the copyright<br />
owner or by an individual or Legal Entity authorized to submit on behalf of the<br />
copyright owner. For the purposes of this definition, "submitted" means any form of<br />
electronic, verbal, or written communication sent to the Licensor or its<br />
representatives, including but not limited to communication on electronic mailing<br />
lists, source code control systems, and issue tracking systems that are managed by, or<br />
on behalf of, the Licensor for the purpose of discussing and improving the Work, but<br />
excluding communication that is conspicuously marked or otherwise designated in<br />
writing by the copyright owner as "Not a Contribution."<br />
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom<br />
a Contribution has been received by Licensor and subsequently incorporated within the<br />
Work.<br />
2. Grant of Copyright License. Subject to the terms and conditions of this License,<br />
each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge,<br />
royalty-free, irrevocable copyright license to reproduce, prepare Derivative<br />
Works of, publicly display, publicly perform, sublicense, and distribute the Work and<br />
such Derivative Works in Source or Object form.<br />
3. Grant of Patent License. Subject to the terms and conditions of this License, each<br />
Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge,<br />
royalty-free, irrevocable (except as stated in this section) patent license to make,<br />
have made, use, offer to sell, sell, import, and otherwise transfer the Work, where<br />
such license applies only to those patent claims licensable by such Contributor that<br />
are necessarily infringed by their Contribution(s) alone or by combination of their<br />
Contribution(s) with the Work to which such Contribution(s) was submitted. If You<br />
institute patent litigation against any entity (including a cross-claim or<br />
counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated<br />
within the Work constitutes direct or contributory patent infringement, then any<br />
patent licenses granted to You under this License for that Work shall terminate as of<br />
the date such litigation is filed.<br />
4. Redistribution. You may reproduce and distribute copies of the Work or Derivative<br />
Works thereof in any medium, with or without modifications, and in Source or Object<br />
form, provided that You meet the following conditions:<br />
(a) You must give any other recipients of the Work or Derivative Works a copy of this<br />
License; and (b) You must cause any modified files to carry prominent notices stating<br />
that You changed the files; and (c) You must retain, in the Source form of any<br />
Derivative Works that You distribute, all copyright, patent, trademark, and<br />
attribution notices from the Source form of the Work, excluding those notices that do<br />
not pertain to any part of the Derivative Works; and (d) If the Work includes a<br />
"NOTICE" text file as part of its distribution, then any Derivative Works that You<br />
distribute must include a readable copy of the attribution notices contained within<br />
such NOTICE file, excluding those notices that do not pertain to any part of the<br />
Derivative Works, in at least one of the following places: within a NOTICE text file<br />
distributed as part of the Derivative Works; within the Source form or documentation,<br />
if provided along with the Derivative Works; or, within a display generated by the<br />
Derivative Works, if and wherever such third-party notices normally appear. The<br />
contents of the NOTICE file are for informational purposes only and do not modify the<br />
License. You may add Your own attribution notices within Derivative Works that You<br />
distribute, alongside or as an addendum to the NOTICE text from the Work, provided<br />
that such additional attribution notices cannot be construed as modifying the<br />
License.<br />
You may add Your own copyright statement to Your modifications and may provide<br />
additional or different license terms and conditions for use, reproduction, or<br />
distribution of Your modifications, or for any such Derivative Works as a whole,<br />
provided Your use, reproduction, and distribution of the Work otherwise complies with<br />
the conditions stated in this License.<br />
5. Submission of Contributions. Unless You explicitly state otherwise, any<br />
Contribution intentionally submitted for inclusion in the Work by You to the Licensor<br />
shall be under the terms and conditions of this License, without any additional terms<br />
or conditions.<br />
Notwithstanding the above, nothing herein shall supersede or modify the terms of any<br />
separate license agreement you may have executed with Licensor regarding such<br />
Contributions.<br />
6. Trademarks. This License does not grant permission to use the trade names,<br />
trademarks, service marks, or product names of the Licensor, except as required for<br />
reasonable and customary use in describing the origin of the Work and reproducing the<br />
content of the NOTICE file.<br />
7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing,<br />
Licensor provides the Work (and each Contributor provides its Contributions) on an<br />
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or<br />
implied, including, without limitation, any warranties or conditions of TITLE, NON-<br />
INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely<br />
responsible for determining the appropriateness of using or redistributing the Work<br />
and assume any risks associated with Your exercise of permissions under this License.<br />
8. Limitation of Liability. In no event and under no legal theory, whether in tort<br />
(including negligence), contract, or otherwise, unless required by applicable law<br />
(such as deliberate and grossly negligent acts) or agreed to in writing, shall any<br />
Contributor be liable to You for damages, including any direct, indirect, special,<br />
incidental, or consequential damages of any character arising as a result of this<br />
License or out of the use or inability to use the Work (including but not limited to<br />
damages for loss of goodwill, work stoppage, computer failure or malfunction, or any<br />
and all other commercial damages or losses), even if such Contributor has been<br />
advised of the possibility of such damages.<br />
9. Accepting Warranty or Additional Liability. While redistributing the Work or<br />
Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance<br />
of support, warranty, indemnity, or other liability obligations and/or rights<br />
consistent with this License. However, in accepting such obligations, You may act<br />
only on Your own behalf and on Your sole responsibility, not on behalf of any other<br />
Contributor, and only if You agree to indemnify, defend, and hold each Contributor<br />
harmless for any liability incurred by, or claims asserted against, such Contributor<br />
by reason of your accepting any such warranty or additional liability.<br />
END OF TERMS AND CONDITIONS<br />
Curl, Libcurl<br />
COPYRIGHT AND PERMISSION NOTICE<br />
Copyright (c) 1996 - 2004, Daniel Stenberg, .<br />
All rights reserved.<br />
Permission to use, copy, modify, and distribute this software for any purpose with or<br />
without fee is hereby granted, provided that the above copyright notice and this<br />
permission notice appear in all copies.<br />
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,<br />
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A<br />
PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE<br />
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,<br />
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN<br />
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.<br />
Except as contained in this notice, the name of a copyright holder shall not be used<br />
in advertising or otherwise to promote the sale, use or other dealings in this<br />
Software without prior written authorization of the copyright holder.<br />
Cyrus-SASL<br />
CMU libsasl<br />
Tim Martin<br />
Rob Earhart<br />
Copyright (c) 2000 Carnegie Mellon University. All rights reserved.<br />
Redistribution and use in source and binary forms, with or without modification, are<br />
permitted provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this list of<br />
conditions and the following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list<br />
of conditions and the following disclaimer in the documentation and/or other<br />
materials provided with the distribution.<br />
3. The name "Carnegie Mellon University" must not be used to endorse or promote<br />
products derived from this software without prior written permission. For permission<br />
or any other legal details, please contact Office of Technology Transfer Carnegie<br />
Mellon University 5000 Forbes Avenue Pittsburgh, PA 15213-3890 (412) 268-4387, fax:<br />
(412) 268-7395 tech-transfer@andrew.cmu.edu<br />
4. Redistributions of any form whatsoever must retain the following acknowledgment:<br />
"This product includes software developed by Computing Services at Carnegie Mellon<br />
University (http://www.cmu.edu/computing/)."<br />
CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,<br />
INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL<br />
CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL<br />
DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,<br />
WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF<br />
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.<br />
DCC<br />
Distributed Checksum Clearinghouse<br />
Copyright (c) 2004 by Rhyolite Software<br />
Permission to use, copy, modify, and distribute this software for any purpose with or<br />
without fee is hereby granted, provided that the above copyright notice and this<br />
permission notice appear in all copies.<br />
THE SOFTWARE IS PROVIDED "AS IS" AND RHYOLITE SOFTWARE DISCLAIMS ALL WARRANTIES WITH<br />
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND<br />
FITNESS. IN NO EVENT SHALL RHYOLITE SOFTWARE BE LIABLE FOR ANY SPECIAL, DIRECT,<br />
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF<br />
USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS<br />
ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.<br />
Copyright (c) 1987, 1993, 1994<br />
The Regents of the University of California. All rights reserved.<br />
File<br />
Copyright (c) Ian F. Darwin 1986, 1987, 1989, 1990, 1991, 1992, 1994, 1995. Software<br />
written by Ian F. Darwin and others; maintained 1994-1999 Christos Zoulas.<br />
This software is not subject to any export provision of the United States Department<br />
of Commerce, and may be exported to any country or planet.<br />
Redistribution and use in source and binary forms, with or without modification, are<br />
permitted provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice immediately<br />
at the beginning of the file, without modification, this list of conditions, and the<br />
following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list<br />
of conditions and the following disclaimer in the documentation and/or other<br />
materials provided with the distribution.<br />
3. All advertising materials mentioning features or use of this software must display<br />
the following acknowledgement:<br />
This product includes software developed by Ian F. Darwin and others.<br />
4. The name of the author may not be used to endorse or promote products derived from<br />
this software without specific prior written permission.<br />
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR<br />
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF<br />
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL<br />
THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,<br />
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF<br />
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)<br />
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,<br />
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS<br />
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br />
FreeBSD<br />
Copyright 1994-2004 The FreeBSD Project. All rights reserved.<br />
Redistribution and use in source and binary forms, with or without modification, are<br />
permitted provided that the following conditions are met:<br />
Redistributions of source code must retain the above copyright notice, this list of<br />
conditions and the following disclaimer.<br />
Redistributions in binary form must reproduce the above copyright notice, this list of<br />
conditions and the following disclaimer in the documentation and/or other materials<br />
provided with the distribution.<br />
THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY EXPRESS OR IMPLIED<br />
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY<br />
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD<br />
PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,<br />
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF<br />
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)<br />
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,<br />
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS<br />
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br />
The views and conclusions contained in the software and documentation are those of the<br />
authors and should not be interpreted as representing official policies, either<br />
expressed or implied, of the FreeBSD Project.<br />
FreeType<br />
The FreeType Project LICENSE<br />
2000-Feb-08<br />
Copyright 1996-2000 by David Turner, Robert Wilhelm, and Werner Lemberg<br />
Introduction<br />
============<br />
The FreeType Project is distributed in several archive packages; some of them may<br />
contain, in addition to the FreeType font engine, various tools and contributions<br />
which rely on, or relate to, the FreeType Project.<br />
This license applies to all files found in such packages, and which do not fall<br />
under their own explicit license. The license affects thus the FreeType font<br />
engine, the test programs, documentation and makefiles, at the very least.<br />
This license was inspired by the BSD, Artistic, and IJG (Independent JPEG<br />
Group) licenses, which all encourage inclusion and use of free software in<br />
commercial and freeware products alike. As a consequence, its main points are<br />
that:<br />
* We don't promise that this software works. However, we will be interested in any<br />
kind of bug reports. (`as is' distribution)<br />
* You can use this software for whatever you want, in parts or full form, without<br />
having to pay us. (`royalty-free' usage)<br />
* You may not pretend that you wrote this software. If you use it, or only parts<br />
of it, in a program, you must acknowledge somewhere in your documentation that<br />
you have used the FreeType code. (`credits')<br />
We specifically permit and encourage the inclusion of this software, with or<br />
without modifications, in commercial products. We disclaim all warranties<br />
covering The FreeType Project and assume no liability related to The FreeType<br />
Project.<br />
Legal Terms<br />
===========<br />
Definitions<br />
--------------<br />
Throughout this license, the terms `package', `FreeType Project', and `FreeType<br />
archive' refer to the set of files originally distributed by the authors<br />
(David Turner, Robert Wilhelm, and Werner Lemberg) as the `FreeType Project', be<br />
they named as alpha, beta or final release.<br />
'You' refers to the licensee, or person using the project, where `using' is a<br />
generic term including compiling the project's source code as well as linking it<br />
to form a `program' or `executable'. This program is referred to as `a program<br />
using the FreeType engine'.<br />
This license applies to all files distributed in the original FreeType Project,<br />
including all source code, binaries and documentation, unless otherwise<br />
stated in the file in its original, unmodified form as distributed in the<br />
original archive.<br />
If you are unsure whether or not a particular file is covered by this license, you<br />
must contact us to verify this.<br />
The FreeType Project is copyright (C) 1996-2000 by David Turner, Robert Wilhelm,<br />
and Werner Lemberg. All rights reserved except as specified below.<br />
1. No Warranty<br />
--------------<br />
THE FREETYPE PROJECT IS PROVIDED `AS IS' WITHOUT WARRANTY OF ANY KIND, EITHER<br />
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY<br />
AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT WILL ANY OF THE AUTHORS OR<br />
COPYRIGHT HOLDERS BE LIABLE FOR ANY DAMAGES CAUSED BY THE USE OR THE INABILITY TO<br />
USE, OF THE FREETYPE PROJECT.<br />
2. Redistribution<br />
-----------------<br />
This license grants a worldwide, royalty-free, perpetual and irrevocable right<br />
and license to use, execute, perform, compile, display, copy, create derivative<br />
works of, distribute and sublicense the FreeType Project (in both source and<br />
object code forms) and derivative works thereof for any purpose; and to<br />
authorize others to exercise some or all of the rights granted herein, subject to<br />
the following conditions:<br />
* Redistribution of source code must retain this license file (`LICENSE.TXT')<br />
unaltered; any additions, deletions or changes to the original files must be<br />
clearly indicated in accompanying documentation. The copyright notices of the<br />
unaltered, original files must be preserved in all copies of source files.<br />
* Redistribution in binary form must provide a disclaimer that states that the<br />
software is based in part of the work of the FreeType Team, in the distribution<br />
documentation. We also encourage you to put an URL to the FreeType web page in your<br />
documentation, though this isn't mandatory.<br />
These conditions apply to any software derived from or based on the FreeType<br />
Project, not just the unmodified files. If you use our work, you must acknowledge<br />
us. However, no fee need be paid to us.<br />
3. Advertising<br />
--------------<br />
Neither the FreeType authors and contributors nor you shall use the name of the<br />
other for commercial, advertising, or promotional purposes without specific prior<br />
written permission.<br />
We suggest, but do not require, that you use one or more of the following phrases<br />
to refer to this software in your documentation or advertising materials: `FreeType<br />
Project', `FreeType Engine', `FreeType library', or `FreeType Distribution'.<br />
As you have not signed this license, you are not required to accept it.<br />
However, as the FreeType Project is copyrighted material, only this license, or<br />
another one contracted with the authors, grants you the right to use, distribute,<br />
and modify it. Therefore, by using, distributing, or modifying the FreeType<br />
Project, you indicate that you understand and accept all the terms of this license.<br />
4. Contacts<br />
-----------<br />
There are two mailing lists related to FreeType:<br />
* freetype@freetype.org<br />
Discusses general use and applications of FreeType, as well as future and wanted<br />
additions to the library and distribution. If you are looking for support, start<br />
in this list if you haven't found anything to help you in the documentation.<br />
* devel@freetype.org<br />
Discusses bugs, as well as engine internals, design issues, specific licenses,<br />
porting, etc.<br />
* http://www.freetype.org<br />
Holds the current FreeType web page, which will allow you to download our latest<br />
development version and read online documentation.<br />
You can also contact us individually at:<br />
David Turner<br />
Robert Wilhelm<br />
Werner Lemberg<br />
GD Graphics Library<br />
Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004<br />
by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National<br />
Institutes of Health.<br />
Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004 by<br />
Boutell.Com, Inc.<br />
Portions relating to GD2 format copyright 1999, 2000, 2001, 2002, 2003, 2004 Philip<br />
Warner.<br />
Portions relating to PNG copyright 1999, 2000, 2001, 2002, 2003, 2004 Greg Roelofs.<br />
Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002, 2003, 2004 John Ellson<br />
(ellson@graphviz.org).<br />
Portions relating to gdft.c copyright 2001, 2002, 2003, 2004 John Ellson<br />
(ellson@graphviz.org).<br />
Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, 2003,<br />
2004, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001,<br />
2002, 2003, 2004 Thomas G. Lane. This software is based in part on the work of the<br />
Independent JPEG Group. See the file README-JPEG.TXT for more information.<br />
Portions relating to GIF compression copyright 1989 by Jef Poskanzer and David<br />
Rowley, with modifications for thread safety by Thomas Boutell.<br />
Portions relating to GIF decompression copyright 1990, 1991, 1993 by David Koblas,<br />
with modifications for thread safety by Thomas Boutell.<br />
Portions relating to WBMP copyright 2000, 2001, 2002, 2003, 2004 Maurice Szmurlo and<br />
Johan Van den Brande.<br />
Portions relating to GIF animations copyright 2004 Jaakko Hyvätti<br />
(jaakko.hyvatti@iki.fi)<br />
Permission has been granted to copy, distribute and modify gd in any context without<br />
fee, including a commercial application, provided that this notice is present in user-accessible<br />
supporting documentation.<br />
This does not affect your ownership of the derived work itself, and the intent is to<br />
assure proper credit for the authors of gd, not to interfere with your productive use<br />
of gd. If you have questions, ask. "Derived works" includes all programs that utilize<br />
the library. Credit must be given in user-accessible documentation.<br />
This software is provided "AS IS." The copyright holders disclaim all warranties,<br />
either express or implied, including but not limited to implied warranties of<br />
merchantability and fitness for a particular purpose, with respect to this code and<br />
accompanying documentation.<br />
Although their code does not appear in the current release, the authors also wish to<br />
thank Hutchison Avenue Software Corporation for their prior contributions.<br />
Info-ZIP<br />
Copyright (c) 1990-2003 Info-ZIP. All rights reserved.<br />
For the purposes of this copyright and license, "Info-ZIP" is defined as the following<br />
set of individuals:<br />
Mark Adler, John Bush, Karl Davis, Harald Denker, Jean-Michel Dubois, Jean-loup<br />
Gailly, Hunter Goatley, Ian Gorman, Chris Herborth, Dirk Haase, Greg Hartwig, Robert<br />
Heath, Jonathan Hudson, Paul Kienitz, David Kirschbaum, Johnny Lee, Onno van der<br />
Linden, Igor Mandrichenko, Steve P. Miller, Sergio Monesi, Keith Owens, George<br />
Petrov, Greg Roelofs, Kai Uwe Rommel, Steve Salisbury, Dave Smith, Christian Spieler,<br />
Antoine Verheijen, Paul von Behren, Rich Wales, Mike White<br />
This software is provided "as is," without warranty of any kind, express or implied.<br />
In no event shall Info-ZIP or its contributors be held liable for any direct,<br />
indirect, incidental, special or consequential damages arising out of the use of or<br />
inability to use this software.<br />
Permission is granted to anyone to use this software for any purpose, including<br />
commercial applications, and to alter it and redistribute it freely, subject to the<br />
following restrictions:<br />
1. Redistributions of source code must retain the above copyright notice,<br />
definition, disclaimer, and this list of conditions.<br />
2. Redistributions in binary form (compiled executables) must reproduce the above<br />
copyright notice, definition, disclaimer, and this list of conditions in<br />
documentation and/or other materials provided with the distribution. The sole<br />
exception to this condition is redistribution of a standard UnZipSFX binary<br />
(including SFXWiz) as part of a self-extracting archive; that is permitted without<br />
inclusion of this license, as long as the normal SFX banner has not been removed from<br />
the binary or disabled.<br />
3. Altered versions--including, but not limited to, ports to new operating<br />
systems, existing ports with new graphical interfaces, and dynamic, shared, or static<br />
library versions--must be plainly marked as such and must not be misrepresented as<br />
being the original source. Such altered versions also must not be misrepresented as<br />
being Info-ZIP releases--including, but not limited to, labeling of the altered<br />
versions with the names "Info-ZIP" (or any variation thereof, including, but not<br />
limited to, different capitalizations), "Pocket UnZip," "WiZ" or "MacZip" without the<br />
explicit permission of Info-ZIP. Such altered versions are further prohibited from<br />
misrepresentative use of the ip-Bugs or Info-ZIP e-mail addresses or of the Info-ZIP<br />
URL(s).<br />
4. Info-ZIP retains the right to use the names "Info-ZIP," "Zip," "UnZip,"<br />
"UnZipSFX," "WiZ," "Pocket UnZip," "Pocket Zip," and "MacZip" for its own source and<br />
binary releases.<br />
JPEG<br />
The authors make NO WARRANTY or representation, either express or implied, with<br />
respect to this software, its quality, accuracy, merchantability, or fitness for a<br />
particular purpose. This software is provided "AS IS", and you, its user, assume the<br />
entire risk as to its quality and accuracy.<br />
This software is copyright (C) 1991-1998, Thomas G. Lane.<br />
All Rights Reserved except as specified below.<br />
Permission is hereby granted to use, copy, modify, and distribute this software (or<br />
portions thereof) for any purpose, without fee, subject to these conditions:<br />
(1) If any part of the source code for this software is distributed, then this README<br />
file must be included, with this copyright and no-warranty notice unaltered; and any<br />
additions, deletions, or changes to the original files must be clearly indicated in<br />
accompanying documentation.<br />
(2) If only executable code is distributed, then the accompanying documentation must<br />
state that "this software is based in part on the work of the Independent JPEG<br />
Group".<br />
(3) Permission for use of this software is granted only if the user accepts full<br />
responsibility for any undesirable consequences; the authors accept NO LIABILITY for<br />
damages of any kind.<br />
These conditions apply to any software derived from or based on the IJG code, not<br />
just to the unmodified library. If you use our work, you ought to acknowledge us.<br />
Permission is NOT granted for the use of any IJG author's name or company name in<br />
advertising or publicity relating to this software or products derived from it. This<br />
software may be referred to only as "the Independent JPEG Group's software".<br />
We specifically permit and encourage the use of this software as the basis of<br />
commercial products, provided that all warranty or liability claims are assumed by the<br />
product vendor.<br />
Libspf<br />
The libspf Software License, Version 1.0<br />
Copyright (c) 2004 James Couzens & Sean Comeau All rights reserved.<br />
Redistribution and use in source and binary forms, with or without modification,<br />
are permitted provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this<br />
list of conditions and the following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this<br />
list of conditions and the following disclaimer in the documentation and/or<br />
other materials provided with the distribution.<br />
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,<br />
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND<br />
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS<br />
MAKING USE OF THIS LICENSE OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,<br />
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT<br />
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR<br />
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,<br />
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)<br />
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE<br />
POSSIBILITY OF SUCH DAMAGE.<br />
ModSSL<br />
Copyright (c) 1998-2004 Ralf S. Engelschall. All rights reserved.<br />
Redistribution and use in source and binary forms, with or without modification, are<br />
permitted provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this list of<br />
conditions and the following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this list<br />
of conditions and the following disclaimer in the documentation and/or other<br />
materials provided with the distribution.<br />
3. All advertising materials mentioning features or use of this software must display<br />
the following acknowledgment: "This product includes software developed by Ralf S.<br />
Engelschall for use in the mod_ssl project (http://www.modssl.org/)."<br />
4. The names "mod_ssl" must not be used to endorse or promote products derived from<br />
this software without prior written permission. For written permission, please<br />
contact rse@engelschall.com.<br />
5. Products derived from this software may not be called "mod_ssl" nor may "mod_ssl"<br />
appear in their names without prior written permission of Ralf S. Engelschall.<br />
6. Redistributions of any form whatsoever must retain the following acknowledgment:<br />
"This product includes software developed by Ralf S. Engelschall<br />
for use in the mod_ssl project (http://www.modssl.org/)."<br />
THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY EXPRESSED OR<br />
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF<br />
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT<br />
SHALL RALF S. ENGELSCHALL OR HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,<br />
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED<br />
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR<br />
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN<br />
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN<br />
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH<br />
DAMAGE.<br />
Mpack<br />
(C) Copyright 1993,1994 by Carnegie Mellon University<br />
All Rights Reserved.<br />
Permission to use, copy, modify, distribute, and sell this software and its<br />
documentation for any purpose is hereby granted without fee, provided that the above<br />
copyright notice appear in all copies and that both that copyright notice and this<br />
permission notice appear in supporting documentation, and that the name of Carnegie<br />
Mellon University not be used in advertising or publicity pertaining to distribution<br />
of the software without specific, written prior permission. Carnegie Mellon<br />
University makes no representations about the suitability of this software for any<br />
purpose. It is provided "as is" without express or implied warranty.<br />
CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,<br />
INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL<br />
CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL<br />
DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,<br />
WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF<br />
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.<br />
Portions of this software are derived from code written by Bell Communications<br />
Research, Inc. (Bellcore) and by RSA Data Security, Inc. and bear similar copyrights<br />
and disclaimers of warranty.<br />
NTP<br />
Copyright (c) David L. Mills 1992-2004<br />
Permission to use, copy, modify, and distribute this software and its documentation<br />
for any purpose and without fee is hereby granted, provided that the above copyright<br />
notice appears in all copies and that both the copyright notice and this permission<br />
notice appear in supporting documentation, and that the name University of Delaware<br />
not be used in advertising or publicity pertaining to distribution of the software<br />
without specific, written prior permission. The University of Delaware makes no<br />
representations about the suitability this software for any purpose. It is provided<br />
"as is" without express or implied warranty.<br />
OpenLDAP<br />
The OpenLDAP Public License<br />
Version 2.8, 17 August 2003<br />
Redistribution and use of this software and associated documentation ("Software"),<br />
with or without modification, are permitted provided that the following conditions<br />
are met:<br />
1. Redistributions in source form must retain copyright statements and notices,<br />
2. Redistributions in binary form must reproduce applicable copyright statements and<br />
notices, this list of conditions, and the following disclaimer in the documentation<br />
and/or other materials provided with the distribution, and<br />
3. Redistributions must contain a verbatim copy of this document.<br />
The OpenLDAP Foundation may revise this license from time to time. Each revision is<br />
distinguished by a version number. You may use this Software under terms of this<br />
license revision or under the terms of any subsequent revision of the license.<br />
THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS''<br />
AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED<br />
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN<br />
NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S)<br />
OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR<br />
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS<br />
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED<br />
AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT<br />
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS<br />
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br />
The names of the authors and copyright holders must not be used in advertising or<br />
otherwise to promote the sale, use or other dealing in this Software without specific,<br />
written prior permission. Title to copyright in this Software shall at all times<br />
remain with copyright holders.<br />
OpenLDAP is a registered trademark of the OpenLDAP Foundation.<br />
Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All<br />
Rights Reserved. Permission to copy and distribute verbatim copies of this document<br />
is granted.<br />
OpenSSH<br />
The licences which components of this software fall under are as follows. First, we<br />
will summarize and say that all components are under a BSD licence, or a licence more<br />
free than that.<br />
OpenSSH contains no GPL code.<br />
1) Copyright (c) 1995 Tatu Ylonen, Espoo, Finland. All rights reserved<br />
As far as I am concerned, the code I have written for this software can be used<br />
freely for any purpose. Any derived versions of this software must be clearly marked<br />
as such, and if the derived work is incompatible with the protocol description in the<br />
RFC file, it must be called by a name other than "ssh" or "Secure Shell".<br />
However, I am not implying to give any licenses to any patents or copyrights held by<br />
third parties, and the software includes parts that are not under my direct control.<br />
As far as I know, all included source code is used in accordance with the relevant<br />
license agreements and can be used freely for any purpose (the GNU license being the<br />
most restrictive); see below for details.<br />
Note that any information and cryptographic algorithms used in this software are<br />
publicly available on the Internet and at any major bookstore, scientific library,<br />
and patent office worldwide. More information can be found e.g. at "http://www.cs.hut.fi/crypto".<br />
The legal status of this program is some combination of all these permissions and<br />
restrictions. Use only at your own responsibility. You will be responsible for any<br />
legal consequences yourself; I am not making any claims whether possessing or using<br />
this is legal or not in your country, and I am not taking any responsibility on your<br />
behalf.<br />
NO WARRANTY<br />
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY<br />
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE<br />
STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS<br />
IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT<br />
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR<br />
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH<br />
YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY<br />
SERVICING, REPAIR OR CORRECTION.<br />
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY<br />
COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM<br />
AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL,<br />
INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE<br />
PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE<br />
OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE<br />
WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE<br />
POSSIBILITY OF SUCH DAMAGES.<br />
2) The 32-bit CRC compensation attack detector in deattack.c was contributed by<br />
CORE SDI S.A. under a BSD-style license.<br />
Cryptographic attack detector for ssh - source code<br />
Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. All rights reserved.<br />
Redistribution and use in source and binary forms, with or without modification, are<br />
permitted provided that this copyright notice is retained.<br />
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES ARE<br />
DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE LIABLE FOR ANY DIRECT, INDIRECT,<br />
INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR<br />
MISUSE OF THIS SOFTWARE.<br />
Ariel Futoransky <br />
3) ssh-keyscan was contributed by David Mazieres under a BSD-style license. Copyright<br />
1995, 1996 by David Mazieres.<br />
Modification and redistribution in source and binary forms is permitted provided that<br />
due credit is given to the author and the OpenBSD project by leaving this copyright<br />
notice intact.<br />
4) The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto<br />
is in the public domain and distributed with the following license:<br />
@version 3.0 (December 2000)<br />
Optimised ANSI C code for the Rijndael cipher (now AES)<br />
@author Vincent Rijmen <br />
@author Antoon Bosselaers <br />
@author Paulo Barreto <br />
This code is hereby placed in the public domain.<br />
THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS OR IMPLIED<br />
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY<br />
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR<br />
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR<br />
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS<br />
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED<br />
AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT<br />
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS<br />
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br />
5) One component of the ssh source code is under a 3-clause BSD license, held by the<br />
University of California, since we pulled these parts from original Berkeley code.<br />
Copyright (c) 1983, 1990, 1992, 1993, 1995 The Regents of the University of<br />
California. All rights reserved. Redistribution and use in source and binary forms,<br />
with or without modification, are permitted provided that the following conditions<br />
are met:<br />
1. Redistributions of source code must retain the above copyright notice, this<br />
list of conditions and the following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this<br />
list of conditions and the following disclaimer in the documentation and/or other<br />
materials provided with the distribution.<br />
3. Neither the name of the University nor the names of its contributors may be used<br />
to endorse or promote products derived from this software without specific prior<br />
written permission.<br />
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS<br />
OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF<br />
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT<br />
SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,<br />
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,<br />
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR<br />
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN<br />
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN<br />
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH<br />
DAMAGE.<br />
6) Remaining components of the software are provided under a standard 2-term BSD<br />
licence with the following names as copyright holders:<br />
Markus Friedl<br />
Theo de Raadt<br />
Niels Provos<br />
Dug Song<br />
Aaron Campbell<br />
Damien Miller<br />
Kevin Steves<br />
Daniel Kouril<br />
Wesley Griffin<br />
Per Allansson<br />
Nils Nordman<br />
Simon Wilkinson<br />
Redistribution and use in source and binary forms, with or without modification, are<br />
permitted provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this list<br />
of conditions and the following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this<br />
list of conditions and the following disclaimer in the documentation and/or other<br />
materials provided with the distribution.<br />
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED<br />
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY<br />
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE<br />
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL<br />
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;<br />
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY<br />
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING<br />
Third Party Copyrights and Licenses<br />
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF<br />
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br />
OpenSSL<br />
Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.<br />
Redistribution and use in source and binary forms, with or without modification, are<br />
permitted provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this list<br />
of conditions and the following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this<br />
list of conditions and the following disclaimer in the documentation and/or other<br />
materials provided with the distribution.<br />
3. All advertising materials mentioning features or use of this software must display<br />
the following acknowledgment:<br />
"This product includes software developed by the OpenSSL Project for use in the<br />
OpenSSL Toolkit. (http://www.openssl.org/)"<br />
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or<br />
promote products derived from this software without prior written permission. For<br />
written permission, please contact openssl-core@openssl.org.<br />
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL"<br />
appear in their names without prior written permission of the OpenSSL Project.<br />
6. Redistributions of any form whatsoever must retain the following acknowledgment:<br />
"This product includes software developed by the OpenSSL Project for use in the<br />
OpenSSL Toolkit (http://www.openssl.org/)"<br />
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR<br />
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF<br />
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT<br />
SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,<br />
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED<br />
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR<br />
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN<br />
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN<br />
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH<br />
DAMAGE. This product includes cryptographic software written by Eric Young<br />
(eay@cryptsoft.com). This product includes software written by Tim Hudson<br />
(tjh@cryptsoft.com).<br />
PAM<br />
Redistribution and use in source and binary forms of Linux-PAM, with or without<br />
modification, are permitted provided that the following conditions are met:<br />
1. Redistributions of source code must retain any existing copyright notice, and this<br />
entire permission notice in its entirety, including the disclaimer of warranties.<br />
2. Redistributions in binary form must reproduce all prior and current copyright<br />
notices, this list of conditions, and the following disclaimer in the documentation<br />
and/or other materials provided with the distribution.<br />
3. The name of any author may not be used to endorse or promote products derived from<br />
this software without their specific prior written permission.<br />
ALTERNATIVELY, this product may be distributed under the terms of the GNU General<br />
Public License, in which case the provisions of the GNU GPL are required INSTEAD OF<br />
the above restrictions. (This clause is necessary due to a potential conflict<br />
between the GNU GPL and the restrictions contained in a BSD-style copyright.)<br />
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,<br />
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A<br />
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY<br />
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES<br />
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF<br />
USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF<br />
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR<br />
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE<br />
POSSIBILITY OF SUCH DAMAGE.<br />
PHP<br />
The PHP License, version 3.0<br />
Copyright (c) 1999 - 2002 The PHP Group. All rights reserved.<br />
Redistribution and use in source and binary forms, with or without modification, is<br />
permitted provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this list<br />
of conditions and the following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice, this<br />
list of conditions and the following disclaimer in the documentation and/or other<br />
materials provided with the distribution.<br />
3. The name "PHP" must not be used to endorse or promote products derived from this<br />
software without prior written permission. For written permission, please contact<br />
group@php.net.<br />
4. Products derived from this software may not be called "PHP", nor may "PHP" appear<br />
in their name, without prior written permission from group@php.net. You may indicate<br />
that your software works in conjunction with PHP by saying "Foo for PHP" instead of<br />
calling it "PHP Foo" or "phpfoo"<br />
5. The PHP Group may publish revised and/or new versions of the license from time to<br />
time. Each version will be given a distinguishing version number. Once covered code<br />
has been published under a particular version of the license, you may always continue<br />
to use it under the terms of that version. You may also choose to use such covered<br />
code under the terms of any subsequent version of the license published by the PHP<br />
Group. No one other than the PHP Group has the right to modify the terms applicable to<br />
covered code created under this License.<br />
6. Redistributions of any form whatsoever must retain the following acknowledgment:<br />
"This product includes PHP, freely available from ".<br />
THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR<br />
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF<br />
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT<br />
SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,<br />
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED<br />
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR<br />
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN<br />
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN<br />
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH<br />
DAMAGE.<br />
A<br />
Access Control via Mail Mappings 49<br />
Active Directory 15<br />
Active Directory LDAP Results Limit 55<br />
Activity screen 240, 253<br />
Admin HTTP Port 90<br />
Admin HTTPS Port 90<br />
Admin Login 36<br />
Admin <strong>User</strong> 28<br />
Advanced SMTP Settings 44<br />
Alarms 248<br />
Analysis Code Descriptions 255<br />
Annotations 43<br />
Anti-Spam Header 141<br />
Anti-Virus 80<br />
Archive Log 242<br />
Attachment Control 20, 85<br />
Attachment Types 85<br />
Authentication log 242<br />
B<br />
Backup<br />
FTP 191<br />
Local Disk 190<br />
Naming Conventions 193<br />
BCC (Blind Carbon Copy) 42<br />
BorderPost 13, 164<br />
C<br />
Cached server passwords 162<br />
Centralized Management 197<br />
Console 200<br />
Copy Configuration 201<br />
Certificate 93<br />
Certificate Authority (CA) 94<br />
Character set encoding 91<br />
Clustering 36, 204<br />
Activity 214, 241<br />
Adding Cluster Members 209<br />
Administration 212<br />
Backup and Restore 214<br />
Configuration 206<br />
Console 204<br />
Interface 36<br />
Network Configuration 206<br />
Reporting 214<br />
Troubleshooting Cluster Initialization 211<br />
Configuration Information 180<br />
Content Reject Message 44<br />
Copy Configuration 201<br />
CRYPTOCard 13, 28, 148<br />
Current Admin and WebMail <strong>User</strong>s 180<br />
Customization 32<br />
Customizing Notification and Annotation Messages 273<br />
D<br />
Daily Backup 193<br />
DCC (Distributed Checksum Clearinghouse) 12, 98, 99, 102, 119<br />
Servers 122<br />
Trusted and Blocked List 121<br />
Default Logo 32<br />
Default Mail Relay 42<br />
Default Policy 168<br />
Delete Strong Authentication for Admin 266<br />
Delivery Settings 41<br />
Delivery Warning 43<br />
Diagnostics 179<br />
Dictionary Spam Count 131<br />
Directory Authentication 150<br />
Directory Groups 58<br />
Directory Servers 56<br />
Directory Services 56<br />
Directory <strong>User</strong>s 61<br />
Disable Content Scan 86<br />
Disabling Reporting 238<br />
Disk Space Quota 145<br />
DMZ (Demilitarized Zone) 17<br />
DNS 35<br />
E<br />
EAL 4 10<br />
Enable NULL Character Detect 83<br />
Enable Sending and Receiving 179<br />
Encryption 13, 90<br />
Escalation Mail 249<br />
ESMTP (Extended SMTP) 44<br />
F<br />
F5 Load Balancer 216<br />
Factory Default Settings 269<br />
Flush Mail Queue 179, 258<br />
G<br />
Gateway 35<br />
Global Policy 168<br />
H<br />
HALO (High Availability and Load Optimization) 14, 204<br />
HELO 44, 105, 108, 110<br />
Hostname Lookup 179, 259<br />
I<br />
IMAP 15, 144<br />
Internationalization 16<br />
iPlanet 15<br />
J<br />
Japanese Language 128<br />
K<br />
KeepOpen 39<br />
Kernel Log 242<br />
L<br />
Large MTU 9, 35<br />
LDAP (Lightweight Directory Access Protocol) 15, 54<br />
LDAP Aliases 47, 65<br />
LDAP Recipients 8, 69, 141<br />
LDAP Routing 8, 74<br />
LDAP SMTP Authenticated relay 8, 71<br />
LDAP SMTP Authentication 79<br />
LDAP <strong>User</strong>s 141<br />
LDAP Virtual Mappings 51, 67<br />
License Management 184<br />
Load Balancing 14<br />
Using DNS 205<br />
Local Accounts 145<br />
Log Files 242, 254<br />
M<br />
Mail Access 78<br />
Mail Aliases 21, 46<br />
Mail History 231, 263<br />
Mail Mappings 20, 48<br />
Mail Queue Management 181<br />
Mail Routing 21, 39<br />
Mail Transport log 254<br />
MAILER-DAEMON 41<br />
Malformed messages 12, 83<br />
Manual License Activation 185<br />
Masquerade Addresses 41<br />
Maximum mailbox size 146<br />
Maximum message size 19, 78, 105<br />
Maximum Number of Mail Scanners 279<br />
Maximum Number of Parallel Deliveries 278<br />
Maximum Number of Processes 278<br />
Maximum number of recipients 19<br />
Maximum recipients per message 78, 104<br />
Maximum time in mail queue 41<br />
Message Body 109<br />
Message Disposition 233, 264<br />
Message Envelope 108<br />
Message Processing Order 271<br />
Message Variables 274<br />
Messages Log 242<br />
MIB (Management Information Base) 245, 247<br />
MIB OID Values 287<br />
MIME (Multipurpose Internet Mail Extensions) 11<br />
Mirror Accounts 64, 147<br />
MTU 9, 35<br />
N<br />
Network Interfaces 35<br />
Network Settings 34<br />
Neutral Words 127<br />
NTP (Network Time Protocol) 35<br />
Number of Database Proxies 280<br />
Number of Heavy Weight Processes 279<br />
O<br />
OCF (Objectionable Content Filter) 8, 20, 99, 115<br />
OpenLDAP 15<br />
Optional Product Licenses 185<br />
P<br />
Pattern Based Message Filtering 78, 99, 102, 104, 107<br />
BCC Action 113<br />
Preferences 113<br />
Priority 112<br />
Spam 113<br />
Performance Tuning 275<br />
Personal Quarantine Controls 161<br />
Ping 179, 261, 266<br />
Policy 15, 168<br />
POP3 15, 144<br />
Problem Reporting 202<br />
Q<br />
Quarantine Expiry 183<br />
Quarantine Management 182<br />
Quarantine unopenable attachments 81<br />
Queue replication 14, 217<br />
Interface 219<br />
R<br />
RADIUS 152<br />
Raise Priority of Heavy Weight Processes 279<br />
Raw Mail Body 111<br />
RBL (Realtime Blackhole Lists) 12, 98, 99, 102, 117<br />
RBL Domains 118<br />
Reboot 188, 266<br />
Reject on missing addresses 19, 142<br />
Reject on missing reverse DNS 19, 142<br />
Reject on non FQDN sender 19, 141<br />
Reject on unauth pipelining 19, 142<br />
Reject on unknown recipient 19, 141<br />
Reject on unknown sender domain 19, 141<br />
Relocated <strong>User</strong>s 21, 153<br />
Remote Authentication 150<br />
Replication Client 219<br />
Replication Host 219<br />
Reporting SQL Log 242<br />
Reports 222<br />
Automatic Report Generation 225<br />
Configuration 237<br />
Disabling 238<br />
Fields 226<br />
Filters 230<br />
Generating 223<br />
Viewing 223<br />
Require TLS for SMTP AUTH 92<br />
Reset Network Interface 266<br />
Reset SSL Certificates 266<br />
Respond to Ping 36<br />
Restore from FTP 195<br />
Restore from Local Disk 194<br />
Restoring a Cluster Member 214<br />
Restoring from Backup 194<br />
Restoring the Cluster Console 215<br />
RFC 1323 36<br />
RFC 1644 36<br />
S<br />
SafeWord 13, 28, 148<br />
S-Core 10<br />
Searching Log Files 243<br />
Secure WebMail 13, 160<br />
SecurID 13, 28, 149<br />
Security Connection 16, 187, 266<br />
Serial Console 267<br />
Show Dispositions 241<br />
Shutdown 188, 266<br />
Size of Shared Memory block 281<br />
Size of Temporary Files Filesystem 281<br />
SMTP 15<br />
SMTP Authenticated Relay 79<br />
SMTP Banner 79<br />
SMTP Connect Timeout 280<br />
SMTP HELO Timeout 280<br />
SMTP Notification 45<br />
SMTP Pipelining 44<br />
SMTP Probe 179, 260<br />
SMTP Security 92<br />
SMTPD Timeout 280<br />
SNMP (Simple Network Management Protocol) 16, 36, 245<br />
Community string 246<br />
MIBS 283<br />
Software Updates 186<br />
Spam Quarantine 12, 102, 136<br />
Specific Access Patterns 19, 78, 99, 102, 104<br />
SPF (Sender Policy Framework) 20, 88<br />
SQL Logging 238<br />
SSL (Secure Socket Layer) 90<br />
SSL Certificates 93<br />
STA (Statistical Token Analysis) 12, 98, 99, 102, 123<br />
Delete Training 127<br />
Rebuild database 126<br />
Token 111<br />
Training 129<br />
Troubleshooting 132<br />
Static Routes 38<br />
Status & Utility 178<br />
Stop and Start Mail Services 179<br />
Strip Received Headers 41<br />
Strong Authentication 28, 145, 148<br />
Support Access 37<br />
Supported web browsers 24<br />
Syslog 244<br />
Syslog Host 35<br />
System Console 27, 265<br />
System event types 235<br />
System History 234<br />
System Logs 242, 254<br />
System Status 178<br />
T<br />
TCP extensions 36<br />
Tiered Administration 29, 157<br />
Time before delay warning 41<br />
TLS (Transport Layer Security) 13, 90<br />
Traceroute 179, 262, 266<br />
Troubleshooting Content Issues 263<br />
Troubleshooting Mail Delivery 252<br />
Troubleshooting Tools 253<br />
Trusted and Untrusted Mail 100<br />
Trusted Senders List 12, 102, 133, 161<br />
Trusted Subnet 36, 101<br />
U<br />
UPS 267<br />
V<br />
Vacation Notification 154<br />
Very Malformed Mail 45<br />
Virtual Mappings 20, 50<br />
Virus pattern files 82<br />
W<br />
Web Server Access Log 242<br />
Web Server Encrypted Accesses Log 242<br />
Web Server Encryption 90<br />
Web Server Encryption Engine Log 242<br />
Web Server Errors Log 242<br />
Web Server Options 31<br />
X<br />
X-STA Header 128<br />
<strong>ePrism</strong> <strong>User</strong> <strong>Guide</strong><br />
M1000, M2000, M3000<br />
SOFTWARE VERSION: 5.0<br />
LAST REVISION: 5/19/05<br />
WWW.STBERNARD.COM • 1-800-782-3762<br />
CORPORATE ADDRESS<br />
15015 Avenue of Science<br />
San Diego, CA 92128 USA<br />
Toll Free: 800-782-3762<br />
Telephone: 858-676-2277<br />
Fax: 858-676-2299<br />
Email: info@stbernard.com<br />
Web: www.stbernard.com<br />
EUROPEAN ADDRESS<br />
Unit 4, Riverside Way<br />
Watchmoor Park, Camberley,<br />
Surrey GU15 3YQ, United Kingdom<br />
Telephone: +44 (0) 1276-401640<br />
Support Telephone: +44 (0) 1276-401642<br />
Fax: +44 (0) 1276-684479<br />
Email: sales@uk.stbernard.com<br />
Protecting Your Network Investment<br />
© 2004-2005 St. Bernard Software Inc. All rights reserved. The St. Bernard Software logo is a trademark of St. Bernard Software Inc. <strong>ePrism</strong> is a registered trademark of St. Bernard Software Inc.<br />
All other trademarks and registered trademarks are hereby acknowledged.<br />
EPENT0805